Initial movement of the day2 code #807
for compile issue
Signed-off-by: lubronzhan <lzhan@vmware.com>
Fix commit
Signed-off-by: lubronzhan <lzhan@vmware.com>
Fix diff
Signed-off-by: lubronzhan <lzhan@vmware.com>
Fix md-lint
Signed-off-by: lubronzhan <lzhan@vmware.com>
Try add role for psb and hsc
Signed-off-by: lubronzhan <lzhan@vmware.com>
Fix the group name
Signed-off-by: lubronzhan <lzhan@vmware.com>
add namespace controller and psb controller
Signed-off-by: lubronzhan <lzhan@vmware.com>
Add webhook
Signed-off-by: lubronzhan <lzhan@vmware.com>
Add harbor-day2-webhook-configuration label to namespace
Signed-off-by: lubronzhan <lzhan@vmware.com>
Debug:
Signed-off-by: lubronzhan <lzhan@vmware.com>
Refactor
Signed-off-by: lubronzhan <lzhan@vmware.com>
Remove harbor sdk
Signed-off-by: lubronzhan <lzhan@vmware.com>
Update API to use the go-client
Signed-off-by: lubronzhan <lzhan@vmware.com>
@lubronzhan we also can't install harbor using chart with this PR locally.
namespaceSelector: | ||
matchExpressions: | ||
- key: harbor-day2-webhook-configuration | ||
operator: NotIn |
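Review bot: the `NotIn` expression on `harbor-day2-webhook-configuration` makes the webhook opt-out rather than opt-in, so every namespace that simply lacks the label, including `kube-system` and the namespace the operator itself runs in, is routed through the pod mutator, and an unavailable webhook can then block pod creation in those namespaces. Consider an opt-in selector (e.g. `operator: In` with an explicit value) or, at minimum, an explicit exclusion of the system and operator namespaces in the same patch.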
Using NotIn may cause kube-system to be included
.github/workflows/tests.yml
@@ -633,6 +634,8 @@ jobs: | |||
sed -i "s/core.harbor.domain/$CORE_HOST/g" config/samples/harborcluster-standard/*.yaml | |||
sed -i "s/notary.harbor.domain/$NOTARY_HOST/g" config/samples/harborcluster-standard/*.yaml | |||
|
|||
kubectl label ns default harbor-day2-webhook-configuration=disabled |
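Review bot: `kubectl label ns default harbor-day2-webhook-configuration=disabled` exempts only the `default` namespace from the mutating webhook, but the namespace that has to be exempt is the one the operator and its webhook server are deployed into, otherwise the webhook intercepts the operator's own pods. Label `${operatorNamespace}` here (instead of, or in addition to, `default`) so the CI flow matches what a real install needs.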
Suggested change: replace `kubectl label ns default harbor-day2-webhook-configuration=disabled` with `kubectl label ns ${operatorNamespace} harbor-day2-webhook-configuration=disabled`.
Signed-off-by: lubronzhan <lzhan@vmware.com>
@@ -28,3 +28,24 @@ webhooks: | |||
resources: | |||
- harborclusters | |||
sideEffects: None | |||
- admissionReviewVersions: |
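Review bot: the new webhook entry that starts at `- admissionReviewVersions:` carries no `namespaceSelector` in the visible part of this hunk, so unless the `webhook_namespaceselector_patch.yaml` described in the PR is actually applied to this entry, the mutator receives pods from every namespace and the `harbor-day2-webhook-configuration=disabled` label has no effect. Confirm the kustomize patch targets this webhook and that the selector shows up in the generated manifest before merging.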
The patch about namespace was not added
Signed-off-by: lubronzhan <lzhan@vmware.com>
approved
@@ -43,7 +43,7 @@ Harbor deployment stack is controlled by a custom Harbor resource `HarborCluster | |||
* [ ] [gcs](https://cloud.google.com/storage): A driver storing objects in a Google Cloud Storage bucket. | |||
* Supports updating the deployed Harbor cluster | |||
* Remove the optional Harbor components | |||
* More day2 operations (see [PoC project](https://github.com/szlabs/harbor-automation-4k8s)) | |||
* More day2 operations (see [PoC project](https://github.com/goharbor/harbor-operator)) |
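Review bot: the bullet now links to https://github.com/goharbor/harbor-operator, which is this repository itself, so the "PoC project" reference has become self-referential. Since this PR moves the day2 code into the repository, drop the bullet or point it at the day2 operation document instead of a PoC link.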
The link now can be removed.
@@ -1,88 +1,323 @@ | |||
# Day2 configurations | |||
# Day2 Operation |
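Review bot: the title changes from `Day2 configurations` to `Day2 Operation`; rename the file to match the new title and update any links that reference the old name in the same change, so the docs index does not point at a heading that no longer exists.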
Filename should also be renamed.
Depends on #812

Major changes:

* `apis`. Added two types, `harborserverconfiguration` and `pullsecretbinding`.
* `assets`. The swagger spec for harbor v1 and v2.
* `config/default/webhook_namespaceselector_patch.yaml`. It will skip mutating image path if namespace is labeled with `harbor-day2-webhook-configuration=disabled`.
* `controllers`
  * `harborserverconfiguration`
  * `pullsecretbinding`
  * `namespace`
* `pkg`
  * `setup`. Set up `harborserverconfiguration` and `mutate-image-path` webhook separately.
  * `http`. An insecure https client that is used to talk to Harbor server.
  * `Registry`. Used to encode harbor credentials for http request use.
  * `rest`. Client wrapper for v1 and v2 server.
  * `rule`. Rule type used for image rewrite.
  * `sdk`. Swagger generated client code.
  * `utils`
    * `consts`. Storing all annotations of harbor day2 operator.
    * `sdk_client`. Wrapper client for
* `webhooks`
  * `harborserverconfiguration`
  * `pod`. Has image path mutator.

Feature:

Image rewrite:

Image rewrite will rewrite the original image paths to the specified Harbor projects by following the pre-defined rewriting rules via Kubernetes admission control webhook.

A cluster scoped Kubernetes CR named `HarborServerConfiguration` is designed to keep the Harbor server access info by providing the access host and access key & secret (key and secret should be wrapped into a kubernetes secret) for future referring.

Rewriting rule is a k-v pair to specify images from which repo should be redirected to which harbor project:

e.g.:

Here we should pay attention that the key "*" means images from any repo are redirected to harbor project "harborproject2".

Rewriting rules will be defined as a rule list like:

Definition location:

The rewriting rules can be defined in two places, one is in the HSC spec and another is in a configMap.

Rules in HSC spec are for the whole cluster scope. The rules will be applied to the namespaces selected by the namespace selector of HSC.

The rules defined in the configMap are only visible to the namespace where the configMap is living. Use annotation of namespace `goharbor.io/image-rewrite` (rename to `goharbor.io/rewriting-rules`) to link the rule configMap.

The priority:

Rules in configMap > rules in HSC referenced by ConfigMap > default HSC > "*" rule

For example, images from `docker.io` will be rewritten to 'harborproject1' and images from `quay.io` will be rewritten to 'harborproject3'. The images from `gcr.io` or `ghcr.io` will both be rewritten to 'harborproject2' by following the "*" rule.

Assumptions:

* Only 1 HSC as default. (ctrl has to make sure this constraint)
* Default HSC is applicable for all namespaces as the default behavior (except its namespace selector is configured).
* HSC can have a namespace selector to specify its influencing scope.
* Namespace selector is optional. The empty selector means adapting all.
* Namespace admin can create a configMap to customize image rewriting for the specified namespace:

Content of configMap

Add annotation `goharbor.io/rewriting-rules=configMapName` to the namespace to enable the rewriting.

Merging rules: rules defined in configMap have higher priority if conflicts happen.

Project mapping and secret injection:

When doing project mapping and secret injection, an annotation `goharbor.io/project` MUST be added to the specified namespace (if `goharbor.io/project` is not set, that means the mapping/injection function is not enabled).

A CR `PullSecretBinding` is created to keep the relationship between Kubernetes resources and Harbor resources.

* The mapping project is recorded in annotation `goharbor.io/project` of the CR `PullSecretBinding`.
* The linked robot account is recorded in annotation `goharbor.io/robot` of the CR `PullSecretBinding`.
* Make sure the linked robot account is wrapped as a Kubernetes secret and bound with the service account that is specified in the annotation `goharbor.io/service-account` of the namespace.

If `goharbor.io/project`=*, then check whether annotation `goharbor.io/secret-issuer` (it should be renamed to `goharbor.io/harbor`) which is pointing to an HSC (it should be provided by the cluster-admin) is set or not. If it is not set, then back off to the default HSC. If there is no default HSC, then an error should be raised. When HSC is ready, create a Harbor project with the same name as the namespace in that HSC and also create a robot account in the newly created Harbor project. After the robot account is created, the identity of the created robot account should be recorded into the annotation `goharbor.io/robot` (it should be renamed to `goharbor.io/robot-account`).

If `goharbor.io/project`=, then the annotation `goharbor.io/robot`=<robot_ID> MUST also be set to a valid robot account that is living in the project represented by the annotation `goharbor.io/project`. The controller has to make sure the robot specified in the annotation can be used to access the project (by accessing API with that robot account).

Then a PSB can be created to track the relationship and bind pull secret to the service account:

* `goharbor.io/service-account` (this is optional, if it is not set, then use the default service account under the namespace)
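The rule priority and the "*" fallback described in the image-rewrite section, together with the `harbor-day2-webhook-configuration=disabled` namespace label from the "Major changes" list, can be exercised with a small Go model of the mutator's decision. This is an added example and not code from the harbor-operator project: the flat `registry -> project` map is an assumption (the PR's YAML rule example did not survive on this page), the output layout `<harborHost>/<project>/<original path>` is assumed, and `harbor.example.com`, `nsproject` and the image names are constructed values. It goes slightly beyond the page by also handling bare images such as `nginx:1.21`, which the Docker reference convention resolves to `docker.io/library/...`.

```go
package main

import (
	"fmt"
	"strings"
)

// Rules maps a registry host, or "*" for any registry, to a Harbor project.
// Flat map form is an assumption of this example, not the project's type.
type Rules map[string]string

// Merge layers rule sets in ascending priority: a later layer overrides an
// earlier one on the same key. Call it lowest first, in the page's order:
// default HSC, HSC referenced by the ConfigMap, rules in the ConfigMap.
func Merge(layers ...Rules) Rules {
	merged := Rules{}
	for _, layer := range layers {
		for registry, project := range layer {
			merged[registry] = project
		}
	}
	return merged
}

// splitRegistry splits an image reference into registry host and path using
// the Docker convention: the first component is a registry only if it
// contains "." or ":" or is "localhost"; otherwise docker.io is implied and
// a bare name gets the "library/" prefix.
func splitRegistry(image string) (registry, path string) {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 1 {
		return "docker.io", "library/" + image
	}
	first := parts[0]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io", image
	}
	return first, parts[1]
}

// Rewrite applies the merged rules to one image reference. A rule for the
// image's own registry wins; otherwise the "*" rule applies; with neither,
// the image is returned unchanged and false. Output layout is assumed.
func Rewrite(harborHost, image string, rules Rules) (string, bool) {
	registry, path := splitRegistry(image)
	project, ok := rules[registry]
	if !ok {
		project, ok = rules["*"]
	}
	if !ok {
		return image, false
	}
	return fmt.Sprintf("%s/%s/%s", harborHost, project, path), true
}

// DisableLabel is the namespace label named in the PR description that
// switches the mutating webhook off for a namespace.
const DisableLabel = "harbor-day2-webhook-configuration"

// MutateImage models the per-container decision of the pod mutator: skip
// namespaces labelled DisableLabel=disabled, otherwise rewrite.
func MutateImage(harborHost, image string, nsLabels map[string]string, rules Rules) (string, bool) {
	if nsLabels[DisableLabel] == "disabled" {
		return image, false
	}
	return Rewrite(harborHost, image, rules)
}

func main() {
	// Constructed sample mirroring the page's worked example.
	hsc := Rules{"docker.io": "harborproject1", "quay.io": "harborproject3", "*": "harborproject2"}
	cm := Rules{"docker.io": "nsproject"} // namespace ConfigMap overrides docker.io only
	rules := Merge(hsc, cm)
	for _, img := range []string{"nginx:1.21", "quay.io/coreos/etcd:v3.5", "gcr.io/p/app", "ghcr.io/o/app"} {
		out, _ := MutateImage("harbor.example.com", img, nil, rules)
		fmt.Printf("%-26s -> %s\n", img, out)
	}
	skipped, _ := MutateImage("harbor.example.com", "nginx:1.21",
		map[string]string{DisableLabel: "disabled"}, rules)
	fmt.Println("labelled namespace keeps:", skipped)
}
```

Running `main` prints the four rewrites, with `nginx:1.21` landing in `nsproject` because the ConfigMap layer wins over the HSC rule for `docker.io`, and shows the disabled namespace passing the image through untouched.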