app | ||
crds | ||
templates | ||
.drone.yml | ||
.gitignore | ||
Chart.yaml | ||
Dockerfile | ||
README.md | ||
values.yaml |
harbor-operator
Background
This operator is higly opinionated way to deploy Harbor in a Kubernetes cluster:
- Only one Harbor instance per Kubernetes cluster
- Nearly all components deployed in HA fashion
- Automates Harbor project creation via
ClusterHarborProject
CRD- Create per user projects with quotas and password protection
- Create proxy cache projects with quotas and password protection
- Designed to work in conjunction with
https://git.k-space.ee/k-space/sandbox-dashboard:
- Sandbox template repository contains
HarborCredential
definitions - Sandbox dashboard adds
ClusterUser
resources when user logs in
- Sandbox template repository contains
- Automate push/pull credential provisioning using HarborCredential CRD-s, to simplify working with Skaffold
- [WIP] Pod admission mutation webhook to rewrite Pod images to use
proxy caches defined via
ClusterHarborProject
definitions withcache: true
.
Instantiating Harbor projects
To instantiate proxy cache project:
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborRegistry
metadata:
name: quay.io
spec:
type: quay
endpoint: https://quay.io
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborRegistry
metadata:
name: docker.io
spec:
type: docker-hub
endpoint: https://docker.io
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborProject
metadata:
name: docker.io
spec:
cache: true
public: true
quota: 10737418240
---
apiVersion: codemowers.io/v1alpha1
kind: ClusterHarborProject
metadata:
name: quay.io
spec:
cache: true
public: true
quota: 10737418240
Deploying push/pull secrets into namespaces
Once everything is running you can easily provision Harbor project push and pull secrets into namespaces:
---
apiVersion: codemowers.io/v1alpha1
kind: HarborCredential
metadata:
name: kaniko
spec:
project: foobar
key: config.json
permissions:
- resource: repository
action: pull
- resource: tag
action: create
- resource: repository
action: push
---
apiVersion: codemowers.io/v1alpha1
kind: HarborCredential
metadata:
name: regcred
spec:
project: foobar
type: kubernetes.io/dockerconfigjson
key: .dockerconfigjson
permissions:
- resource: repository
action: pull
Uninstalling
The finalizers will likely block deletion of resources:
for j in $(
kubectl get harborcredentials -o name;
kubectl get clusterharborprojectmembers -o name;
kubectl get clusterharborprojects -o name;
kubectl get clusterharborregistries -o name ); do
echo "Removing $j"
kubectl patch $j --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'
kubectl delete $j
done