harbor

package module
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 18, 2022 License: MIT Imports: 15 Imported by: 0

README

Vault Plugin: Harbor robot account

GitHub license Release Lint Integration Test Security scanning Go Report Card Maintainability Test Coverage

Vault plugin for (Go)Harbor robot account dynamic generating

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works. Otherwise, first read this guide on how to get started with Vault.

Install plugin

  • Download plugin from release page

  • Unarchive and copy to Vault's plugins dir

    $ tar xzf vault-plugin-harbor_linux-amd64.tar.gz
$ rsync/cp vault-plugin-harbor <vault-installed-path>/plugins

  • Get plugin's SHA256 checksum

    SHA256=$(sha256sum vault-plugin-harbor | cut -d ' ' -f1)

  • Register plugin to Vault secret engine

    • Vault production mode (install with TLS)

      # vault plugin register \
-sha256=$SHA256 \
-command="vault-plugin-harbor \
-ca-cert=<server-ca-cert-path> \
-client-cert=<server-client-cert-path> \
-client-key=<server-client-cert-key-path>" \
secret harbor
# Example:
vault plugin register \
-sha256=$SHA256 \
-command="vault-plugin-harbor \
-ca-cert=/opt/vault/etc/certs/ca.pem \
-client-cert=/opt/vault/etc/certs/vault-infra.pem \
-client-key=/opt/vault/etc/certs/vault-infra-key.pem" \
secret harbor

    • Vault dev mode (local test without TLS - not recommend in production)

      vault plugin register -sha256=$SHA256 -command="vault-plugin-harbor" secrets harbor
Upgrade plugin version

  • Download and install/register with above steps

  • Reload plugin

    vault plugin reload -scope=global -plugin harbor

Usage

  • Mount harbor plugin

    # vault secrets enable -path <mount-path> harbor
# Example:
$ vault secrets enable -path harbor harbor

  • Write harbor config

    # vault write <mount-path>/config url=<harbor-url> username=<harbor-admin-username> password=<harbor-admin-password>
# Example:
$ vault write harbor/config url="https://harbor.internal.domain" username="admin" password="aStronggPw123"

  • Create role for robot account

    • Create a json file for role permissions definition Details

      Example: role-permissions.json

      [
  {
    "namespace": "project-a",
    "kind": "project",
    "access": [
      {
        "action": "pull",
        "resource": "repository"
      },
      {
        "action": "push",
        "resource": "repository"
      },
      {
        "action": "create",
        "resource": "tag"
      },
      {
        "action": "delete",
        "resource": "tag"
      }
    ]
  },
  {
    "namespace": "project-b",
    "kind": "project",
    "access": [
      {
        "action": "pull",
        "resource": "repository"
      }
    ]
  }
]

    • Write role (create if not existed/ upgrade if existed)

      # vault write <mount-path>/roles/<role-name> ttl=<time-to-live> max_ttl=<max-time-to-live> permissions=@<role-permissions-json-file>
# Example:
$ vault write habor/roles/test-role ttl=60s max_ttl=10m permissions=@role-permissions.json

  • Get robot account (and it's secret/credential) from created role

    # vault read <mount-path>/creds/<role-name>
# Example:
$ vault read harbor/creds/test-role

Key                         Value
---                         -----
lease_id                    harbor/creds/test-roles/Wxidlpz1tVrb18XL7Zg4vPZM
lease_duration              1m
lease_renewable             true
robot_account_auth_token    cm9ib3QkdmF1bHQudGVzdC1yb2xlcy5yb290LjE2NTc5NjQ0NjkwNjkyODkzOTE6RE93bXNnN2pEVEZmVlJoWWFwM3BMY0FJdjJIYkJycFg=
robot_account_id            415963
robot_account_name          robot$vault.test-roles.root.1657964469069289391
robot_account_secret        DOwmsg7jDTFfVRhYap3pLcAIv2HbBrpX

    Credential output struct explaining

Role definition

  • Each role contains a list of Harbor robot account's permission Permission struct

  • Robot permission format

    {
    "namespace": "<harbor-project>",
    "kind": "project",
    "access": [
        {
            "action:" "<action>",
            "resource": "<resource>"
        }
    ]
}

  • access in robot permission is a list of Access struct

    • Format 
      {
    "action": "<action>",
    "resource": "<resource>"
}
    • action/resource mapping table
      Resource Action Description
      repository pull/push allow pull/push from/to repository
      tag create/delete allow create/delete actifact's tag
      actifact delete allow delete actifacts
      helm-chart read allow read Helm chart
      helm-chart-version read/delete allow read/delete Helm chart version
      actifact-label create allow create artifact's label
      scan create allow create scan
Robot account credential output struct
Key Name Description
lease_id Vault lease ID (with full path)
lease_duration Vault lease duration
lease_renewable As it's name
robot_account_id Robot account ID generated from Harbor API
robot_account_name Robot account name generated from Harbor API
robot_account_secret Robot account secret (password) generated from Harbor API
robot_account_auth_token Robot account base64 token, combined from above robot_account_name and robot_account_secret

Is this useful to you?

Buy Me a Coffee at ko-fi.com Buy Me a Coffee at buymeacoffee.com

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Factory 

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory configures and returns Harbor secrets backends.

Types

This section is empty.

Source Files

View all Source files

Directories

Path Synopsis
cmd
vault-plugin-harbor

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.