Initial movement of the day2 code (#807)

* Inital movement of the day2 code

Signed-off-by: lubronzhan <lzhan@vmware.com>

Fix commit

Signed-off-by: lubronzhan <lzhan@vmware.com>

Fix diff

Signed-off-by: lubronzhan <lzhan@vmware.com>

Fix md-lint

Signed-off-by: lubronzhan <lzhan@vmware.com>

Try add role for psb and hsc

Signed-off-by: lubronzhan <lzhan@vmware.com>

Fix the group name

Signed-off-by: lubronzhan <lzhan@vmware.com>

add namespace controller and psb controller

Signed-off-by: lubronzhan <lzhan@vmware.com>

Add webhook

Signed-off-by: lubronzhan <lzhan@vmware.com>

Add harbor-day2-webhook-configuration label to namespace

Signed-off-by: lubronzhan <lzhan@vmware.com>

Debug:

Signed-off-by: lubronzhan <lzhan@vmware.com>

Refactor

Signed-off-by: lubronzhan <lzhan@vmware.com>

Remove harbor sdk

Signed-off-by: lubronzhan <lzhan@vmware.com>

Update API to use the go-client

* Refactor based on new harbor go-client

Signed-off-by: lubronzhan <lzhan@vmware.com>

* Revert the webhook logic to by default not include namespace:

Signed-off-by: lubronzhan <lzhan@vmware.com>

* Add missing namespaceSelector to the chart manifest. Update readme

Signed-off-by: lubronzhan <lzhan@vmware.com>

.github/workflows/tests.yml

@@ -261,6 +261,7 @@ jobs:
           kubectl -n cluster-sample-ns get all -o wide
           kubectl get harbor -n cluster-sample-ns -o wide
           kubectl get harborcluster -n cluster-sample-ns -o wide
+          kubectl get all -n ${operatorNamespace}
         fi
         free -h
         df -h

PROJECT

@@ -67,5 +67,11 @@ resources:
   version: v1beta1
 - group: goharbor
   kind: HarborCluster
-  version: v1beta1  
+  version: v1beta1
+- group: goharbor
+  kind: HarborServerConfiguration
+  version: v1alpha1
+- group: goharbor
+  kind: PullSecretBinding
+  version: v1alpha1
 version: "2"

README.md

@@ -43,7 +43,7 @@ Harbor deployment stack is controlled by a custom Harbor resource `HarborCluster
   * [ ] [gcs](https://cloud.google.com/storage): A driver storing objects in a Google Cloud Storage bucket.
 * Supports updating the deployed Harbor cluster
   * Remove the optional Harbor components
-* More day2 operations (see [PoC project](https://github.com/szlabs/harbor-automation-4k8s))
+* More day2 operations (see [PoC project](https://github.com/goharbor/harbor-operator))
   * Auto mapping Kubernetes namespaces and Harbor project
   * Pull secrets injections
   * Container image path rewriting

apis/goharbor.io/v1beta1/harborserverconfiguration_types.go

@@ -0,0 +1,116 @@
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// HarborServerConfigurationSpec defines the desired state of HarborServerConfiguration.
+type HarborServerConfigurationSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern="(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)+([A-Za-z]|[A-Za-z][A-Za-z0-9\\-]*[A-Za-z0-9])"
+	ServerURL string `json:"serverURL"`
+
+	// Indicate if the Harbor server is an insecure registry
+	// +kubebuilder:validation:Optional
+	Insecure bool `json:"insecure,omitempty"`
+
+	// Default indicates the harbor configuration manages namespaces.
+	// Value in goharbor.io/harbor annotation will be considered with high priority.
+	// At most, one HarborServerConfiguration can be the default, multiple defaults will be rejected.
+	// +kubebuilder:validation:Required
+	Default bool `json:"default,omitempty"`
+
+	// +kubebuilder:validation:Required
+	AccessCredential *AccessCredential `json:"accessCredential"`
+
+	// The version of the Harbor server
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern="(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?"
+	Version string `json:"version"`
+
+	// Rules configures the container image rewrite rules for transparent proxy caching with Harbor.
+	// +kubebuilder:validation:Optional
+	Rules []string `json:"rules,omitempty"`
+
+	// NamespaceSelector decides whether to apply the HSC on a namespace based
+	// on whether the namespace matches the selector.
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+}
+
+// AccessCredential is a namespaced credential to keep the access key and secret for the harbor server configuration.
+type AccessCredential struct {
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern="[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"
+	Namespace string `json:"namespace"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern="[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"
+	AccessSecretRef string `json:"accessSecretRef"`
+}
+
+// HarborServerConfigurationStatusType defines the status type of configuration.
+type HarborServerConfigurationStatusType string
+
+const (
+	// HarborServerConfigurationStatusReady represents ready status.
+	HarborServerConfigurationStatusReady HarborServerConfigurationStatusType = "Success"
+	// HarborServerConfigurationStatusFail represents fail status.
+	HarborServerConfigurationStatusFail HarborServerConfigurationStatusType = "Fail"
+	// HarborServerConfigurationStatusUnknown represents unknown status.
+	HarborServerConfigurationStatusUnknown HarborServerConfigurationStatusType = "Unknown"
+)
+
+// HarborConfigurationStatus defines the status of HarborServerConfiguration.
+type HarborServerConfigurationStatus struct {
+	// Status represents harbor configuration status.
+	// +kubebuilder:validation:Optional
+	Status HarborServerConfigurationStatusType `json:"status,omitempty"`
+	// Reason represents status reason.
+	// +kubebuilder:validation:Optional
+	Reason string `json:"reason,omitempty"`
+	// Message provides human-readable message.
+	// +kubebuilder:validation:Optional
+	Message string `json:"message,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +k8s:openapi-gen=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:categories="goharbor",shortName="hsc",scope="Cluster"
+// +kubebuilder:printcolumn:name="Harbor Server",type=string,JSONPath=`.spec.serverURL`,description="The public URL to the Harbor server",priority=0
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`,description="The status of the Harbor server",priority=0
+// +kubebuilder:printcolumn:name="Version",type=string,JSONPath=`.spec.version`,description="The version of the Harbor server",priority=5
+// HarborServerConfiguration is the Schema for the harborserverconfigurations API.
+type HarborServerConfiguration struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   HarborServerConfigurationSpec   `json:"spec,omitempty"`
+	Status HarborServerConfigurationStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// HarborServerConfigurationList contains a list of HarborServerConfiguration.
+type HarborServerConfigurationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []HarborServerConfiguration `json:"items"`
+}
+
+func init() { // nolint:gochecknoinits
+	SchemeBuilder.Register(&HarborServerConfiguration{}, &HarborServerConfigurationList{})
+}

apis/goharbor.io/v1beta1/pullsecretbinding_types.go

@@ -0,0 +1,85 @@
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// PullSecretBindingSpec defines the desired state of PullSecretBinding.
+type PullSecretBindingSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// RobotID points to the robot account id used for secret binding
+	// +kubebuilder:validation:Required
+	RobotID string `json:"robotId"`
+
+	// ProjectID points to the project associated with the secret binding
+	// +kubebuilder:validation:Required
+	ProjectID string `json:"projectId"`
+
+	// Indicate which harbor server configuration is referred
+	HarborServerConfig string `json:"harborServerConfig"`
+
+	// Indicate which service account binds the pull secret
+	ServiceAccount string `json:"serviceAccount"`
+}
+
+// PullSecretBindingStatusType defines the status type of configuration.
+type PullSecretBindingStatusType string
+
+const (
+	// PullSecretBindingStatusBinding represents ready status.
+	PullSecretBindingStatusBinding PullSecretBindingStatusType = "Binding"
+	// PullSecretBindingStatusBound represents fail status.
+	PullSecretBindingStatusBound PullSecretBindingStatusType = "Bound"
+	// PullSecretBindingStatusUnknown represents unknown status.
+	PullSecretBindingStatusUnknown PullSecretBindingStatusType = "Unknown"
+)
+
+// PullSecretBindingStatus defines the observed state of PullSecretBinding.
+type PullSecretBindingStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+	// Indicate the status of binding: `binding`, `bound` and `unknown`
+	Status PullSecretBindingStatusType `json:"status"`
+	// Reason represents status reason.
+	// +kubebuilder:validation:Optional
+	Reason string `json:"reason,omitempty"`
+	// Message provides human-readable message.
+	// +kubebuilder:validation:Optional
+	Message string `json:"message,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +k8s:openapi-gen=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:categories="goharbor",shortName="psb"
+// +kubebuilder:printcolumn:name="Harbor Server",type=string,JSONPath=`.spec.harborServerConfig`,description="The Harbor server configuration CR reference",priority=0
+// +kubebuilder:printcolumn:name="Service Account",type=string,JSONPath=`.spec.serviceAccount`,description="The service account binding the pull secret",priority=0
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`,description="The status of the Harbor server",priority=0
+
+// PullSecretBinding is the Schema for the pullsecretbindings API.
+type PullSecretBinding struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PullSecretBindingSpec   `json:"spec,omitempty"`
+	Status PullSecretBindingStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PullSecretBindingList contains a list of PullSecretBinding.
+type PullSecretBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PullSecretBinding `json:"items"`
+}
+
+func init() { // nolint:gochecknoinits
+	SchemeBuilder.Register(&PullSecretBinding{}, &PullSecretBindingList{})
+}