Vault plugin for (Go)Harbor dynamic robot account generation
This is a Vault secrets plugin that creates Harbor robot accounts on demand, and it is meant to run inside Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works; otherwise, first read the Vault getting-started guide.
- Download the plugin from the release page.
- Unarchive it and copy the binary into Vault's plugin directory (the directory configured as `plugin_directory` in Vault's config):

  ```shell
  $ tar xzf vault-plugin-harbor_linux-amd64.tar.gz
  $ cp vault-plugin-harbor <vault-installed-path>/plugins   # or rsync
  ```

- Get the plugin's SHA256 checksum. Vault only executes a plugin binary whose hash matches the one registered in the catalog, so compare this value with the checksum published on the release page before registering it:

  ```shell
  SHA256=$(sha256sum vault-plugin-harbor | cut -d ' ' -f1)
  ```

- Register the plugin in Vault's secrets plugin catalog:
  - Vault production mode (Vault installed with TLS). The `-ca-cert`, `-client-cert` and `-client-key` flags are consumed by the plugin process itself (the standard Vault plugin API client flags) so that it can reach the Vault API over TLS; they are not `vault plugin register` flags. Vault also accepts plugin arguments through the CLI's `-args` flag.

    ```shell
    # vault plugin register \
    #   -sha256=$SHA256 \
    #   -command="vault-plugin-harbor \
    #     -ca-cert=<server-ca-cert-path> \
    #     -client-cert=<server-client-cert-path> \
    #     -client-key=<server-client-cert-key-path>" \
    #   secret harbor
    # Example:
    vault plugin register \
      -sha256=$SHA256 \
      -command="vault-plugin-harbor \
        -ca-cert=/opt/vault/etc/certs/ca.pem \
        -client-cert=/opt/vault/etc/certs/vault-infra.pem \
        -client-key=/opt/vault/etc/certs/vault-infra-key.pem" \
      secret harbor
    ```

  - Vault dev mode (local testing without TLS; not recommended for production):

    ```shell
    vault plugin register -sha256=$SHA256 -command="vault-plugin-harbor" secret harbor
    ```
- To upgrade an installed plugin: download and install/register the new version with the steps above (the new binary has a new SHA256, so it must be registered again), then reload the plugin so that existing mounts pick up the new binary:

  ```shell
  vault plugin reload -scope=global -plugin harbor
  ```
- Mount the harbor plugin:

  ```shell
  # vault secrets enable -path <mount-path> harbor
  # Example:
  $ vault secrets enable -path harbor harbor
  ```

- Write the harbor config. The plugin uses this Harbor account to create and remove robot accounts on your behalf, so the password is stored by Vault under the mount; treat it like any other privileged credential, and prefer `password=-` (read from stdin) over putting the password on the command line where it lands in shell history:

  ```shell
  # vault write <mount-path>/config url=<harbor-url> username=<harbor-admin-username> password=<harbor-admin-password>
  # Example:
  $ vault write harbor/config url="https://harbor.internal.domain" username="admin" password="aStronggPw123"
  ```
- Create a role for robot accounts:
  - Create a JSON file that defines the role's permissions (the format is described under "Robot permission format" below). Example `role-permissions.json`:

    ```json
    [
      {
        "namespace": "project-a",
        "kind": "project",
        "access": [
          { "action": "pull", "resource": "repository" },
          { "action": "push", "resource": "repository" },
          { "action": "create", "resource": "tag" },
          { "action": "delete", "resource": "tag" }
        ]
      },
      {
        "namespace": "project-b",
        "kind": "project",
        "access": [
          { "action": "pull", "resource": "repository" }
        ]
      }
    ]
    ```

  - Write the role (created if it does not exist, updated if it does):

    ```shell
    # vault write <mount-path>/roles/<role-name> ttl=<time-to-live> max_ttl=<max-time-to-live> permissions=@<role-permissions-json-file>
    # Example:
    $ vault write harbor/roles/test-role ttl=60s max_ttl=10m permissions=@role-permissions.json
    ```
- Get a robot account (and its secret/credential) from the created role. Every read creates a fresh robot account in Harbor that is tied to the returned Vault lease; as with any Vault dynamic secret, it goes away when the lease expires or is revoked, so renew the lease if the consumer needs the credential for longer than `ttl`:

  ```shell
  # vault read <mount-path>/creds/<role-name>
  # Example:
  $ vault read harbor/creds/test-role
  Key                         Value
  ---                         -----
  lease_id                    harbor/creds/test-roles/Wxidlpz1tVrb18XL7Zg4vPZM
  lease_duration              1m
  lease_renewable             true
  robot_account_auth_token    cm9ib3QkdmF1bHQudGVzdC1yb2xlcy5yb290LjE2NTc5NjQ0NjkwNjkyODkzOTE6RE93bXNnN2pEVEZmVlJoWWFwM3BMY0FJdjJIYkJycFg=
  robot_account_id            415963
  robot_account_name          robot$vault.test-roles.root.1657964469069289391
  robot_account_secret        DOwmsg7jDTFfVRhYap3pLcAIv2HbBrpX
  ```
- Each role contains a list of Harbor robot account permissions (Permission struct).
  - Robot permission format:

    ```json
    {
      "namespace": "<harbor-project>",
      "kind": "project",
      "access": [
        { "action": "<action>", "resource": "<resource>" }
      ]
    }
    ```

  - `access` in a robot permission is a list of Access structs. Format:

    ```json
    { "action": "<action>", "resource": "<resource>" }
    ```

  - action/resource mapping table:

    Resource | Action | Description
    ---|---|---
    repository | pull/push | allow pull/push from/to repository
    tag | create/delete | allow create/delete artifact's tag
    artifact | delete | allow delete artifact
    helm-chart | read | allow read Helm chart
    helm-chart-version | read/delete | allow read/delete Helm chart version
    artifact-label | create | allow create artifact's label
    scan | create | allow create scan
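The role-creation step above takes a `permissions=@role-permissions.json` file, and a pair that is not in the mapping table only surfaces as an error once a robot account is requested. The following is an added example (not code from the vault-plugin-harbor project; the `Access`/`Permission` types mirror the structs described above, and `ValidatePermissions` and the sample documents are this example's own) that checks such a file against the format and the table before the role is written:

```go
// Validate a role-permissions JSON document against the Permission/Access
// format and the action/resource mapping table above. Added example, not
// project code; type and function names are this example's own.
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Access is one action on one resource (the Access struct).
type Access struct {
	Action   string `json:"action"`
	Resource string `json:"resource"`
}

// Permission is one project-scoped entry (the Permission struct).
type Permission struct {
	Namespace string   `json:"namespace"`
	Kind      string   `json:"kind"`
	Access    []Access `json:"access"`
}

// allowedActions mirrors the action/resource mapping table.
var allowedActions = map[string]map[string]bool{
	"repository":         {"pull": true, "push": true},
	"tag":                {"create": true, "delete": true},
	"artifact":           {"delete": true},
	"helm-chart":         {"read": true},
	"helm-chart-version": {"read": true, "delete": true},
	"artifact-label":     {"create": true},
	"scan":               {"create": true},
}

// ValidatePermissions parses a role-permissions document and rejects
// anything outside the table, so a typo such as "push" on "tag" fails
// here instead of when a robot account is requested from Vault.
func ValidatePermissions(doc []byte) ([]Permission, error) {
	var perms []Permission
	if err := json.Unmarshal(doc, &perms); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	if len(perms) == 0 {
		return nil, fmt.Errorf("no permissions defined")
	}
	for i, p := range perms {
		if p.Namespace == "" {
			return nil, fmt.Errorf("permission %d: namespace (Harbor project) is required", i)
		}
		if p.Kind != "project" {
			return nil, fmt.Errorf("permission %d: kind must be \"project\", got %q", i, p.Kind)
		}
		if len(p.Access) == 0 {
			return nil, fmt.Errorf("permission %d: access list is empty", i)
		}
		for _, a := range p.Access {
			actions, ok := allowedActions[a.Resource]
			if !ok {
				return nil, fmt.Errorf("permission %d: unknown resource %q", i, a.Resource)
			}
			if !actions[a.Action] {
				return nil, fmt.Errorf("permission %d: action %q is not allowed on resource %q", i, a.Action, a.Resource)
			}
		}
	}
	return perms, nil
}

// Constructed inputs: the role-permissions.json from the example above, and
// a variant that grants "push" on "tag", which the table does not allow.
const goodDoc = `[
  {"namespace": "project-a", "kind": "project", "access": [
    {"action": "pull", "resource": "repository"},
    {"action": "push", "resource": "repository"},
    {"action": "create", "resource": "tag"},
    {"action": "delete", "resource": "tag"}]},
  {"namespace": "project-b", "kind": "project", "access": [
    {"action": "pull", "resource": "repository"}]}
]`

const badDoc = `[{"namespace": "project-a", "kind": "project",
  "access": [{"action": "push", "resource": "tag"}]}]`

// Usage: go run validate.go [role-permissions.json]; without an argument
// the two constructed documents are checked.
func main() {
	docs := map[string][]byte{"goodDoc": []byte(goodDoc), "badDoc": []byte(badDoc)}
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
		docs = map[string][]byte{os.Args[1]: b}
	}
	for name, doc := range docs {
		if perms, err := ValidatePermissions(doc); err != nil {
			fmt.Printf("%s: REJECTED: %v\n", name, err)
		} else {
			fmt.Printf("%s: ok, %d project permission(s)\n", name, len(perms))
		}
	}
}
```

Run it against the file before `vault write harbor/roles/<role-name> ... permissions=@<file>`; keeping the allow-list in one place also makes it obvious when a new Harbor resource or action has to be added.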
- Format of the `creds/<role-name>` response:

  Key Name | Description
  ---|---
  lease_id | Vault lease ID (with full path)
  lease_duration | Vault lease duration
  lease_renewable | Whether the lease can be renewed
  robot_account_id | Robot account ID generated by the Harbor API
  robot_account_name | Robot account name generated by the Harbor API
  robot_account_secret | Robot account secret (password) generated by the Harbor API
  robot_account_auth_token | Base64 token combining the robot_account_name and robot_account_secret above (base64 of `name:secret`, i.e. the value of an HTTP Basic `Authorization` header; the example output above decodes exactly this way)
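To show how the `creds` fields fit together, here is an added example (not code from the vault-plugin-harbor project; `RobotCreds`, `AuthToken`, `ParseAuthToken` and `AuthorizedRequest` are this example's own names, and the Harbor URL and the `/api/v2.0/projects` endpoint are assumed) that rebuilds `robot_account_auth_token` from the name and secret of the sample output above, verifies that the three fields agree, and uses the token as an HTTP Basic credential against the Harbor API:

```go
// Rebuild, check and use the robot_account_auth_token from a creds read.
// Added example, not project code; names are this example's own and the
// Harbor URL is an assumption.
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// RobotCreds holds the three credential fields of one `creds/<role>` read.
type RobotCreds struct {
	Name   string // robot_account_name
	Secret string // robot_account_secret
	Token  string // robot_account_auth_token
}

// SampleCreds are the values copied from the example `vault read` output.
var SampleCreds = RobotCreds{
	Name:   "robot$vault.test-roles.root.1657964469069289391",
	Secret: "DOwmsg7jDTFfVRhYap3pLcAIv2HbBrpX",
	Token:  "cm9ib3QkdmF1bHQudGVzdC1yb2xlcy5yb290LjE2NTc5NjQ0NjkwNjkyODkzOTE6RE93bXNnN2pEVEZmVlJoWWFwM3BMY0FJdjJIYkJycFg=",
}

// AuthToken is base64("name:secret"): the same bytes an HTTP Basic
// Authorization header carries, which is why the token is usable as-is.
func AuthToken(name, secret string) string {
	return base64.StdEncoding.EncodeToString([]byte(name + ":" + secret))
}

// ParseAuthToken splits a token back into name and secret at the first ':'
// (robot names are "robot$..." and contain no ':').
func ParseAuthToken(token string) (name, secret string, err error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", "", fmt.Errorf("token is not valid base64: %w", err)
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("token does not decode to name:secret")
	}
	return parts[0], parts[1], nil
}

// Check confirms the three fields agree before the credential is handed out.
func (c RobotCreds) Check() error {
	if AuthToken(c.Name, c.Secret) != c.Token {
		return fmt.Errorf("robot_account_auth_token does not match name and secret")
	}
	return nil
}

// AuthorizedRequest builds a Harbor API call (GET /api/v2.0/projects, an
// assumed endpoint) authenticated with the robot token as HTTP Basic.
func AuthorizedRequest(harborURL string, c RobotCreds) (*http.Request, error) {
	if err := c.Check(); err != nil {
		return nil, err
	}
	u := strings.TrimRight(harborURL, "/") + "/api/v2.0/projects"
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Basic "+c.Token)
	return req, nil
}

func main() {
	name, secret, err := ParseAuthToken(SampleCreds.Token)
	if err != nil {
		panic(err)
	}
	fmt.Println("name:  ", name)
	fmt.Println("secret:", secret)
	req, err := AuthorizedRequest("https://harbor.internal.domain", SampleCreds)
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL, req.Header.Get("Authorization")[:20]+"...")
}
```

The same name/secret pair is what a registry client expects, so `docker login` with `robot_account_name` as the user and `robot_account_secret` as the password is the other common consumer. Because the whole credential is derivable from the name and secret, treat all three fields as equally sensitive, and remember that they stop working when the Vault lease from the same read expires.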