Skip to content

manhtukhang/vault-plugin-harbor

Repository files navigation

Vault Plugin: Harbor robot account

GitHub license Release Lint Integration Test Security scanning Go Report Card Maintainability Test Coverage

Vault plugin for (Go)Harbor robot account dynamic generating

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works. Otherwise, first read this guide on how to get started with Vault.

Install plugin

  • Download plugin from release page

  • Unarchive and copy to the plugins dir on all Vault servers

    $ tar xzf vault-plugin-harbor_<version>_<os>_<arch>.tar.gz
    $ rsync/cp vault-plugin-harbor <vault-installed-path>/plugins
  • Get plugin's SHA256 checksum

    SHA256=$(sha256sum vault-plugin-harbor | cut -d ' ' -f1)
  • Register plugin to Vault secret engine

    $ vault plugin register \
          -sha256=$SHA256 \
          -command=vault-plugin-harbor \
          secret harbor
    # Example:
    $ vault plugin register \
          -sha256=$SHA256 \
          -command=vault-plugin-harbor \
          secret harbor

Upgrade plugin version

  • Download and install/register a new version of this plugin with the above installation steps

  • Tune the existing mount to configure it to use the newly registered version

    $ vault secrets tune -plugin-version=v<new-version> <mount-path>
    # Example:
    $ vault secrets tune -plugin-version=v1.0.1 harbor/
  • Reload plugin

    $ vault plugin reload -plugin harbor

Usage

  • Mount harbor plugin

    $ vault secrets enable -path <mount-path> harbor
    # Example:
    $ vault secrets enable -path harbor/ harbor
  • Write harbor config

    $ vault write \
          <mount-path>/config url=<harbor-url> \
          username=<harbor-admin-username> \
          password=<harbor-admin-password>
    # Example:
    $ vault write \
          harbor/config url="https://harbor.internal.domain" \
          username="admin" \
          password="aStronggPw123"
  • Create a role for robot account

    • Create a json file for role permissions definition Details

      Example: role-permissions.json

      [
        {
          "namespace": "project-a",
          "kind": "project",
          "access": [
            {
              "action": "pull",
              "resource": "repository"
            },
            {
              "action": "push",
              "resource": "repository"
            },
            {
              "action": "create",
              "resource": "tag"
            },
            {
              "action": "delete",
              "resource": "tag"
            }
          ]
        },
        {
          "namespace": "project-b",
          "kind": "project",
          "access": [
            {
              "action": "pull",
              "resource": "repository"
            }
          ]
        }
      ]
    • Write role (create if not existed/ upgrade if existed)

      $ vault write \
              <mount-path>/roles/<role-name> \
              ttl=<time-to-live> \
              max_ttl=<max-time-to-live> \
              permissions=@<role-permissions-json-file>
      # Example:
      $ vault write \
              harbor/roles/test-role \
              ttl=60s \
              max_ttl=10m \
              [email protected]
  • Get robot account (and its secret/credential) from the created role

    $ vault read <mount-path>/creds/<role-name>
    # Example:
    $ vault read harbor/creds/test-role
    
    Key                         Value
    ---                         -----
    lease_id                    harbor/creds/test-roles/Wxidlpz1tVrb18XL7Zg4vPZM
    lease_duration              1m
    lease_renewable             true
    robot_account_auth_token    cm9ib3QkdmF1bHQudGVzdC1yb2xlcy5yb290LjE2NTc5NjQ0NjkwNjkyODkzOTE6RE93bXNnN2pEVEZmVlJoWWFwM3BMY0FJdjJIYkJycFg=
    robot_account_id            415963
    robot_account_name          robot$vault.test-roles.root.1657964469069289391
    robot_account_secret        DOwmsg7jDTFfVRhYap3pLcAIv2HbBrpX

    Credential output struct explaining

Role definition

  • Each role contains a list of Harbor robot account's permissions

  • Robot permission struct (source)

    {
        "namespace": "<namespace>",
        "kind": "<kind>",
        "access": "[<access>]"
    }
    Attribute Type Value Description
    kind string system|project scope of permission
    namespace string /|*|<project-name> when kind=system, this field must be / only; when kind=project, * means all projects
    access list of access struct access list
  • access struct (source)

    {
        "action": "<action>",
        "resource": "<resource>",
        "effect": "<effect>"
    }
    Attribute Type Value Description
    action string possible values action name, * means all actions
    resource string possible values resource name, * means all resources
    effect string allow|deny effect of the access (allow or deny)

Note

The resource and action mapping is depended on what kind of permission (system or project), view more detailed mappings at: system, project

Robot account credential output struct

Key Name Description
lease_id Vault lease ID (with full path)
lease_duration Vault lease duration
lease_renewable As its name
robot_account_id Robot account ID generated from Harbor API
robot_account_name Robot account name generated from Harbor API
robot_account_secret Robot account secret (password) generated from Harbor API
robot_account_auth_token Robot account base64 token, combined from above robot_account_name and robot_account_secret (base64(robot_account_name:robot_account_secret))

Is this useful to you?

Buy Me a Coffee at ko-fi.com Buy Me a Coffee at buymeacoffee.com