harbor-operator/README.md

# harbor-operator

## Background

This operator is higly opinionated way to deploy Harbor in a Kubernetes cluster:

* Only one Harbor instance per Kubernetes cluster
* Nearly all components deployed in HA fashion
* Automates Harbor project creation via `ClusterHarborProject` CRD
  * Create per user projects with quotas and password protection
  * Create proxy cache projects with quotas and password protection
* Designed to work in conjunction with
  [https://git.k-space.ee/k-space/sandbox-dashboard](sandbox-dashboard):
  * Sandbox template repository contains `HarborCredential` definitions
  * Sandbox dashboard adds `ClusterUser` resources when user logs in
* Automate push/pull credential provisioning using HarborCredential CRD-s,
  to simplify working with Skaffold
* [WIP] Pod admission mutation webhook to rewrite Pod images to use
  proxy caches defined via `ClusterHarborProject` definitions with `cache: true`.


## Instantiating Harbor projects

To instantiate proxy cache project:

```
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborRegistry
metadata:
  name: quay.io
spec:
  type: quay
  endpoint: https://quay.io
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborRegistry
metadata:
  name: docker.io
spec:
  type: docker-hub
  endpoint: https://docker.io
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborProject
metadata:
  name: docker.io
spec:
  cache: true
  public: true
  quota: 10737418240
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborProject
metadata:
  name: quay.io
spec:
  cache: true
  public: true
  quota: 10737418240
```


## Deploying push/pull secrets into namespaces

Once everything is running you can easily provision Harbor project
push and pull secrets into namespaces:

```
---
apiVersion: codemowers.io/v1alpha1
kind: HarborCredential
metadata:
  name: kaniko
spec:
  project: foobar
  key: config.json
  permissions:
    - resource: repository
      action: pull
    - resource: tag
      action: create
    - resource: repository
      action: push
---
apiVersion: codemowers.io/v1alpha1
kind: HarborCredential
metadata:
  name: regcred
spec:
  project: foobar
  type: kubernetes.io/dockerconfigjson
  key: .dockerconfigjson
  permissions:
    - resource: repository
      action: pull
```

## Uninstalling

The finalizers will likely block deletion of resources:

```
for j in $(
    kubectl get harborcredentials -o name;
    kubectl get clusterharborprojectmembers -o name;
    kubectl get clusterharborprojects -o name;
    kubectl get clusterharborregistries -o name ); do
  echo "Removing $j"
  kubectl patch $j --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'
  kubectl delete $j
done
```
Initial commit 2022-11-14 19:08:45 +00:00			`# harbor-operator`

			`## Background`

			`This operator is higly opinionated way to deploy Harbor in a Kubernetes cluster:`

			`* Only one Harbor instance per Kubernetes cluster`
			`* Nearly all components deployed in HA fashion`
			* Automates Harbor project creation via `ClusterHarborProject` CRD
			`* Create per user projects with quotas and password protection`
			`* Create proxy cache projects with quotas and password protection`
			`* Designed to work in conjunction with`
			`[https://git.k-space.ee/k-space/sandbox-dashboard](sandbox-dashboard):`
			* Sandbox template repository contains `HarborCredential` definitions
			* Sandbox dashboard adds `ClusterUser` resources when user logs in
			`* Automate push/pull credential provisioning using HarborCredential CRD-s,`
			`to simplify working with Skaffold`
			`* [WIP] Pod admission mutation webhook to rewrite Pod images to use`
			proxy caches defined via `ClusterHarborProject` definitions with `cache: true`.


			`## Instantiating Harbor projects`

			`To instantiate proxy cache project:`

			```
			`---`
			`apiVersion: codemowers.io/v1alpha1`
			`kind: ClusterHarborRegistry`
			`metadata:`
			`name: quay.io`
			`spec:`
			`type: quay`
			`endpoint: https://quay.io`
			`---`
			`apiVersion: codemowers.io/v1alpha1`
			`kind: ClusterHarborRegistry`
			`metadata:`
			`name: docker.io`
			`spec:`
			`type: docker-hub`
			`endpoint: https://docker.io`
			`---`
			`apiVersion: codemowers.io/v1alpha1`
			`kind: ClusterHarborProject`
			`metadata:`
			`name: docker.io`
			`spec:`
			`cache: true`
			`public: true`
			`quota: 10737418240`
			`---`
			`apiVersion: codemowers.io/v1alpha1`
			`kind: ClusterHarborProject`
			`metadata:`
			`name: quay.io`
			`spec:`
			`cache: true`
			`public: true`
			`quota: 10737418240`
			```


			`## Deploying push/pull secrets into namespaces`

			`Once everything is running you can easily provision Harbor project`
			`push and pull secrets into namespaces:`

			```
			`---`
			`apiVersion: codemowers.io/v1alpha1`
			`kind: HarborCredential`
			`metadata:`
			`name: kaniko`
			`spec:`
			`project: foobar`
			`key: config.json`
			`permissions:`
			`- resource: repository`
			`action: pull`
			`- resource: tag`
			`action: create`
			`- resource: repository`
			`action: push`
			`---`
			`apiVersion: codemowers.io/v1alpha1`
			`kind: HarborCredential`
			`metadata:`
			`name: regcred`
			`spec:`
			`project: foobar`
			`type: kubernetes.io/dockerconfigjson`
			`key: .dockerconfigjson`
			`permissions:`
			`- resource: repository`
			`action: pull`
			```

			`## Uninstalling`

			`The finalizers will likely block deletion of resources:`

			```
			`for j in $(`
			`kubectl get harborcredentials -o name;`
			`kubectl get clusterharborprojectmembers -o name;`
			`kubectl get clusterharborprojects -o name;`
			`kubectl get clusterharborregistries -o name ); do`
			`echo "Removing $j"`
			`kubectl patch $j --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'`
			`kubectl delete $j`
			`done`
			```