Vault plugin for (Go)Harbor dynamic robot account generation
This is a secrets plugin for HashiCorp Vault: it creates Harbor robot accounts on demand and hands their credentials out under Vault leases. This guide assumes you have already installed Vault and have a basic understanding of how Vault works; otherwise, first read the Vault getting-started guide.
Installation

- Download the plugin from the release page.
- Unarchive it and copy the binary into the plugin directory on every Vault server (the path set as `plugin_directory` in the server configuration; Vault only loads plugins from there):

  ```shell
  $ tar xzf vault-plugin-harbor_<version>_<os>_<arch>.tar.gz
  $ cp vault-plugin-harbor <vault-installed-path>/plugins    # or rsync it to each server
  ```

- Get the plugin's SHA256 checksum. Compute it on the binary you actually copied into the plugin directory: Vault refuses to launch a plugin whose checksum differs from the registered one.

  ```shell
  $ SHA256=$(sha256sum vault-plugin-harbor | cut -d ' ' -f1)
  ```

- Register the plugin in Vault's plugin catalog as a secrets plugin:

  ```shell
  $ vault plugin register \
      -sha256=$SHA256 \
      -command=vault-plugin-harbor \
      secret harbor
  ```
Upgrade

- Download and install the new version with the installation steps above, registering it with an explicit version so that a mount can be pinned to it (versioned plugins need Vault 1.12 or later):

  ```shell
  $ vault plugin register \
      -sha256=$SHA256 \
      -command=vault-plugin-harbor \
      -version=v<new-version> \
      secret harbor
  ```

- Tune the existing mount to use the newly registered version:

  ```shell
  $ vault secrets tune -plugin-version=v<new-version> <mount-path>

  # Example:
  $ vault secrets tune -plugin-version=v1.0.1 harbor/
  ```

- Reload the plugin so the running mount picks up the new binary:

  ```shell
  $ vault plugin reload -plugin harbor
  ```
Usage

- Mount the harbor plugin:

  ```shell
  $ vault secrets enable -path <mount-path> harbor

  # Example:
  $ vault secrets enable -path harbor/ harbor
  ```

- Write the harbor config. The account given here is the one the plugin authenticates with to manage robot accounts, so it needs permission to create them in every project the roles will cover; the example below uses the Harbor admin. A password typed on the command line ends up in shell history: `vault write` reads a value from stdin when it is given as `-` (`password=-`), which avoids that.

  ```shell
  $ vault write \
      <mount-path>/config \
      url=<harbor-url> \
      username=<harbor-admin-username> \
      password=<harbor-admin-password>

  # Example:
  $ vault write \
      harbor/config \
      url="https://harbor.internal.domain" \
      username="admin" \
      password="aStronggPw123"
  ```
- Create a role for robot accounts:

  - Create a JSON file defining the role's permissions (the permission struct is described in detail below). Keep the list as narrow as the consumer needs: every robot account issued from the role gets exactly this access.

    Example, `role-permissions.json`:

    ```json
    [
      {
        "namespace": "project-a",
        "kind": "project",
        "access": [
          { "action": "pull", "resource": "repository" },
          { "action": "push", "resource": "repository" },
          { "action": "create", "resource": "tag" },
          { "action": "delete", "resource": "tag" }
        ]
      },
      {
        "namespace": "project-b",
        "kind": "project",
        "access": [
          { "action": "pull", "resource": "repository" }
        ]
      }
    ]
    ```

  - Write the role (creates it if it does not exist, updates it if it does). `ttl` is the default lease duration of credentials issued from the role and `max_ttl` the longest a lease can be renewed to:

    ```shell
    $ vault write \
        <mount-path>/roles/<role-name> \
        ttl=<time-to-live> \
        max_ttl=<max-time-to-live> \
        permissions=@<role-permissions-json-file>

    # Example:
    $ vault write \
        harbor/roles/test-role \
        ttl=60s \
        max_ttl=10m \
        permissions=@role-permissions.json
    ```
- Get a robot account (and its secret/credential) from the created role. Each read creates a new robot account in Harbor and returns it under a Vault lease; renew the lease with `vault lease renew <lease_id>` before `lease_duration` runs out, because once the lease expires Vault revokes it and the credential must be treated as invalid:

  ```shell
  $ vault read <mount-path>/creds/<role-name>

  # Example:
  $ vault read harbor/creds/test-role
  Key                         Value
  ---                         -----
  lease_id                    harbor/creds/test-roles/Wxidlpz1tVrb18XL7Zg4vPZM
  lease_duration              1m
  lease_renewable             true
  robot_account_auth_token    cm9ib3QkdmF1bHQudGVzdC1yb2xlcy5yb290LjE2NTc5NjQ0NjkwNjkyODkzOTE6RE93bXNnN2pEVEZmVlJoWWFwM3BMY0FJdjJIYkJycFg=
  robot_account_id            415963
  robot_account_name          robot$vault.test-roles.root.1657964469069289391
  robot_account_secret        DOwmsg7jDTFfVRhYap3pLcAIv2HbBrpX
  ```
Role permissions

Each role contains a list of Harbor robot account permissions.

- Robot permission struct (source):

  ```json
  {
    "namespace": "<namespace>",
    "kind": "<kind>",
    "access": [<access>]
  }
  ```

  | Attribute | Type | Value | Description |
  |---|---|---|---|
  | `kind` | string | `system` \| `project` | scope of the permission |
  | `namespace` | string | `/` \| `*` \| `<project-name>` | when `kind=system`, this field must be `/` only; when `kind=project`, `*` means all projects |
  | `access` | list of access struct | | access list |

- Access struct (source):

  ```json
  {
    "action": "<action>",
    "resource": "<resource>",
    "effect": "<effect>"
  }
  ```

  | Attribute | Type | Value | Description |
  |---|---|---|---|
  | `action` | string | action name, `*` | `*` means all actions |
  | `resource` | string | resource name, `*` | `*` means all resources |
  | `effect` | string | `allow` \| `deny` | effect of the access (allow or deny) |

Note

Which `resource` and `action` values are valid depends on the kind of permission (`system` or `project`); see the detailed mappings for system and for project permissions.
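As an added example (not part of this plugin's code), the Go program below models the two structs above, decodes a `role-permissions.json` document, enforces the kind/namespace rules from the tables, and lists wildcard grants so they can be reviewed before the role is written. It assumes only the JSON layout shown above; the checks are local and talk to neither Harbor nor Vault, and the action/resource names themselves are not validated because their mapping depends on the Harbor version.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// RobotAccess mirrors the access struct of a Harbor robot permission.
// effect is optional in the role file, so it is omitted when empty.
type RobotAccess struct {
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Effect   string `json:"effect,omitempty"`
}

// RobotPermission mirrors one entry of role-permissions.json.
type RobotPermission struct {
	Namespace string        `json:"namespace"`
	Kind      string        `json:"kind"`
	Access    []RobotAccess `json:"access"`
}

// ValidatePermissions enforces the rules from the tables: kind is "system"
// (namespace must be "/") or "project" (namespace is "*" or a project name),
// every entry carries at least one access with action and resource set, and
// effect, when present, is "allow" or "deny".
func ValidatePermissions(perms []RobotPermission) error {
	if len(perms) == 0 {
		return fmt.Errorf("permissions: at least one entry is required")
	}
	for i, p := range perms {
		switch p.Kind {
		case "system":
			if p.Namespace != "/" {
				return fmt.Errorf("permissions[%d]: kind=system requires namespace \"/\", got %q", i, p.Namespace)
			}
		case "project":
			if p.Namespace == "" || p.Namespace == "/" {
				return fmt.Errorf("permissions[%d]: kind=project requires \"*\" or a project name, got %q", i, p.Namespace)
			}
		default:
			return fmt.Errorf("permissions[%d]: unknown kind %q (want system or project)", i, p.Kind)
		}
		if len(p.Access) == 0 {
			return fmt.Errorf("permissions[%d]: access list is empty", i)
		}
		for j, a := range p.Access {
			if a.Action == "" || a.Resource == "" {
				return fmt.Errorf("permissions[%d].access[%d]: action and resource are required", i, j)
			}
			if a.Effect != "" && a.Effect != "allow" && a.Effect != "deny" {
				return fmt.Errorf("permissions[%d].access[%d]: effect must be allow or deny, got %q", i, j, a.Effect)
			}
		}
	}
	return nil
}

// ParsePermissions decodes and validates a role-permissions.json document.
func ParsePermissions(doc []byte) ([]RobotPermission, error) {
	var perms []RobotPermission
	if err := json.Unmarshal(doc, &perms); err != nil {
		return nil, fmt.Errorf("permissions: invalid JSON: %w", err)
	}
	if err := ValidatePermissions(perms); err != nil {
		return nil, err
	}
	return perms, nil
}

// BroadGrants lists non-deny entries that use a wildcard for the namespace,
// action or resource. Robots issued from such a role hold far more than a
// typical CI job needs, so these deserve a look before the role is written.
func BroadGrants(perms []RobotPermission) []string {
	var out []string
	for _, p := range perms {
		for _, a := range p.Access {
			if a.Effect == "deny" {
				continue
			}
			if p.Namespace == "*" || a.Action == "*" || a.Resource == "*" {
				out = append(out, fmt.Sprintf("%s:%s %s on %s", p.Kind, p.Namespace, a.Action, a.Resource))
			}
		}
	}
	return out
}

// exampleRolePermissions is the role-permissions.json shown above.
const exampleRolePermissions = `[
  {"namespace": "project-a", "kind": "project", "access": [
    {"action": "pull", "resource": "repository"},
    {"action": "push", "resource": "repository"},
    {"action": "create", "resource": "tag"},
    {"action": "delete", "resource": "tag"}]},
  {"namespace": "project-b", "kind": "project", "access": [
    {"action": "pull", "resource": "repository"}]}
]`

func main() {
	perms, err := ParsePermissions([]byte(exampleRolePermissions))
	if err != nil {
		fmt.Println("invalid:", err)
		return
	}
	fmt.Printf("%d permission entries, broad grants: %v\n", len(perms), BroadGrants(perms))
}
```

Run it against a role file before `vault write .../roles/<name>`; a non-empty `BroadGrants` result is the signal to narrow the role rather than to hand a wildcard robot to every consumer.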
Keys returned by `<mount-path>/creds/<role-name>`:

| Key Name | Description |
|---|---|
| `lease_id` | Vault lease ID (with full path) |
| `lease_duration` | Vault lease duration |
| `lease_renewable` | Whether the lease can be renewed with `vault lease renew` |
| `robot_account_id` | Robot account ID generated from the Harbor API |
| `robot_account_name` | Robot account name generated from the Harbor API |
| `robot_account_secret` | Robot account secret (password) generated from the Harbor API |
| `robot_account_auth_token` | Robot account base64 token, combined from the `robot_account_name` and `robot_account_secret` above: `base64(robot_account_name:robot_account_secret)`. This is the value `docker login` stores under `auth` in `config.json` and the value that follows `Basic` in an HTTP `Authorization` header, so treat it as the secret itself. |
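An added example, not part of the plugin or of Vault: the Go program below consumes the JSON form of the creds response (`vault read -format=json harbor/creds/<role>`), checks that `robot_account_auth_token` really is `base64(robot_account_name:robot_account_secret)`, turns it into an `Authorization` header and a Docker `config.json` entry, and tracks the lease so a job knows when to renew. The embedded response is constructed from the example values in this README rather than captured from a server, and the registry host name is assumed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// vaultReadEnvelope mirrors what `vault read -format=json` prints: lease fields
// on the top level, the plugin's own keys under "data".
type vaultReadEnvelope struct {
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"` // seconds
	Renewable     bool   `json:"renewable"`
	Data          struct {
		AuthToken string      `json:"robot_account_auth_token"`
		ID        json.Number `json:"robot_account_id"` // accepts a number or a numeric string
		Name      string      `json:"robot_account_name"`
		Secret    string      `json:"robot_account_secret"`
	} `json:"data"`
}

// RobotCreds is what a caller needs to log in and to know when to renew.
type RobotCreds struct {
	LeaseID   string
	Renewable bool
	ExpiresAt time.Time
	Name      string
	Secret    string
	AuthToken string
}

// ParseCreds decodes a creds response read at `now` and verifies that the token
// Vault returned is base64(name:secret) before anything is built on top of it.
func ParseCreds(raw []byte, now time.Time) (*RobotCreds, error) {
	var env vaultReadEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("creds: invalid JSON: %w", err)
	}
	if env.Data.Name == "" || env.Data.Secret == "" {
		return nil, fmt.Errorf("creds: robot_account_name and robot_account_secret are required")
	}
	want := base64.StdEncoding.EncodeToString([]byte(env.Data.Name + ":" + env.Data.Secret))
	if env.Data.AuthToken != want {
		return nil, fmt.Errorf("creds: robot_account_auth_token is not base64(name:secret)")
	}
	return &RobotCreds{
		LeaseID:   env.LeaseID,
		Renewable: env.Renewable,
		ExpiresAt: now.Add(time.Duration(env.LeaseDuration) * time.Second),
		Name:      env.Data.Name,
		Secret:    env.Data.Secret,
		AuthToken: want,
	}, nil
}

// BasicAuthHeader is the Authorization value for Harbor's REST API and for the
// registry's basic-auth challenge.
func (c *RobotCreds) BasicAuthHeader() string {
	return "Basic " + c.AuthToken
}

// DockerConfig renders the ~/.docker/config.json "auths" entry that
// `docker login -u <name> --password-stdin <host>` would write.
func (c *RobotCreds) DockerConfig(registryHost string) ([]byte, error) {
	cfg := map[string]map[string]map[string]string{
		"auths": {registryHost: {"auth": c.AuthToken}},
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// Usable reports whether the lease still has at least margin left at now; a job
// should renew (vault lease renew <lease_id>) or re-read the creds before then.
func (c *RobotCreds) Usable(now time.Time, margin time.Duration) bool {
	return now.Add(margin).Before(c.ExpiresAt)
}

// sampleCreds is a constructed `vault read -format=json harbor/creds/test-role`
// response built from the example values shown above; it is not captured output.
const sampleCreds = `{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "lease_id": "harbor/creds/test-roles/Wxidlpz1tVrb18XL7Zg4vPZM",
  "lease_duration": 60,
  "renewable": true,
  "data": {
    "robot_account_auth_token": "cm9ib3QkdmF1bHQudGVzdC1yb2xlcy5yb290LjE2NTc5NjQ0NjkwNjkyODkzOTE6RE93bXNnN2pEVEZmVlJoWWFwM3BMY0FJdjJIYkJycFg=",
    "robot_account_id": 415963,
    "robot_account_name": "robot$vault.test-roles.root.1657964469069289391",
    "robot_account_secret": "DOwmsg7jDTFfVRhYap3pLcAIv2HbBrpX"
  }
}`

func main() {
	creds, err := ParseCreds([]byte(sampleCreds), time.Now())
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	cfg, _ := creds.DockerConfig("harbor.internal.domain") // assumed registry host
	fmt.Println(creds.BasicAuthHeader())
	fmt.Println(string(cfg))
}
```

In a pipeline the JSON would come from `vault read -format=json` on stdin and the rendered config would be written to a temporary `DOCKER_CONFIG` directory that is removed when the job ends, so the robot secret never lands in the shared `~/.docker/config.json`.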