
manhtukhang/vault-plugin-harbor


Vault Plugin: Harbor robot account


Vault secrets plugin for dynamically generating (Go)Harbor robot accounts

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works. Otherwise, first read this guide on how to get started with Vault.

Install plugin

  • Download plugin from release page

  • Unarchive and copy to the plugins dir on all Vault servers

    $ tar xzf vault-plugin-harbor_<version>_<os>_<arch>.tar.gz
    $ cp vault-plugin-harbor <vault-installed-path>/plugins   # or rsync it to each remote Vault server
  • Get plugin's SHA256 checksum

    $ SHA256=$(sha256sum vault-plugin-harbor | cut -d ' ' -f1)
  • Register plugin to Vault secret engine

    $ vault plugin register \
          -sha256=$SHA256 \
          -command=vault-plugin-harbor \
          secret harbor

Upgrade plugin version

  • Download, install and register the new version of this plugin using the installation steps above

  • Tune the existing mount to configure it to use the newly registered version

    $ vault secrets tune -plugin-version=v<new-version> <mount-path>
    # Example:
    $ vault secrets tune -plugin-version=v1.0.1 harbor/
  • Reload plugin

    $ vault plugin reload -plugin harbor

Usage

  • Mount harbor plugin

    $ vault secrets enable -path <mount-path> harbor
    # Example:
    $ vault secrets enable -path harbor/ harbor
  • Write harbor config

    $ vault write \
          <mount-path>/config url=<harbor-url> \
          username=<harbor-admin-username> \
          password=<harbor-admin-password>
    # Example:
    $ vault write \
          harbor/config url="https://harbor.internal.domain" \
          username="admin" \
          password="aStronggPw123"
  • Create a role for robot account

    • Create a JSON file that defines the role's permissions (the structure is described under Role definition below)

      Example: role-permissions.json

      [
        {
          "namespace": "project-a",
          "kind": "project",
          "access": [
            {
              "action": "pull",
              "resource": "repository"
            },
            {
              "action": "push",
              "resource": "repository"
            },
            {
              "action": "create",
              "resource": "tag"
            },
            {
              "action": "delete",
              "resource": "tag"
            }
          ]
        },
        {
          "namespace": "project-b",
          "kind": "project",
          "access": [
            {
              "action": "pull",
              "resource": "repository"
            }
          ]
        }
      ]
    • Write the role (creates it if it does not exist, updates it if it does)

      $ vault write \
              <mount-path>/roles/<role-name> \
              ttl=<time-to-live> \
              max_ttl=<max-time-to-live> \
              permissions=@<role-permissions-json-file>
      # Example:
      $ vault write \
              harbor/roles/test-role \
              ttl=60s \
              max_ttl=10m \
              permissions=@role-permissions.json
  • Get robot account (and its secret/credential) from the created role

    $ vault read <mount-path>/creds/<role-name>
    # Example:
    $ vault read harbor/creds/test-role
    
    Key                         Value
    ---                         -----
    lease_id                    harbor/creds/test-roles/Wxidlpz1tVrb18XL7Zg4vPZM
    lease_duration              1m
    lease_renewable             true
    robot_account_auth_token    cm9ib3QkdmF1bHQudGVzdC1yb2xlcy5yb290LjE2NTc5NjQ0NjkwNjkyODkzOTE6RE93bXNnN2pEVEZmVlJoWWFwM3BMY0FJdjJIYkJycFg=
    robot_account_id            415963
    robot_account_name          robot$vault.test-roles.root.1657964469069289391
    robot_account_secret        DOwmsg7jDTFfVRhYap3pLcAIv2HbBrpX

    Each field of this output is described under Robot account credential output struct below.

Role definition

  • Each role holds the list of Harbor permissions granted to the robot accounts generated from it

  • Robot permission struct (source)

    {
        "namespace": "<namespace>",
        "kind": "<kind>",
        "access": [<access>]
    }

    Attribute    Type                    Value                 Description
    ---------    ----                    -----                 -----------
    kind         string                  system|project        scope of the permission
    namespace    string                  /|*|<project-name>    when kind=system this field must be "/"; when kind=project, "*" means all projects
    access       list of access struct                         list of access entries
  • access struct (source)

    {
        "action": "<action>",
        "resource": "<resource>",
        "effect": "<effect>"
    }

    Attribute    Type      Value              Description
    ---------    ----      -----              -----------
    action       string    possible values    action name; "*" means all actions
    resource     string    possible values    resource name; "*" means all resources
    effect       string    allow|deny         effect of the access (allow or deny)

Note

Which resources and actions are valid depends on the kind of permission (system or project). See Harbor's detailed mappings for system and project permissions.

Robot account credential output struct

Key Name                    Description
--------                    -----------
lease_id                    Vault lease ID (with full path)
lease_duration              Vault lease duration
lease_renewable             Whether the lease can be renewed
robot_account_id            Robot account ID generated by the Harbor API
robot_account_name          Robot account name generated by the Harbor API
robot_account_secret        Robot account secret (password) generated by the Harbor API
robot_account_auth_token    Base64 token combining the two fields above: base64(robot_account_name:robot_account_secret)
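As an added example (not code from this plugin or its README), the following Python checks a role-permissions JSON against the struct rules in the Role definition tables and rebuilds robot_account_auth_token from a lease's name and secret as defined above. The validator's rules are a reading of those tables; action and resource names are left to Harbor's own mappings, and "effect" is treated as optional because the README's example JSON omits it.

```python
import base64
import json

EFFECTS = {"allow", "deny"}  # the only values the README allows for "effect"

def validate_permissions(permissions):
    """Check a role-permissions list against the README's struct rules and
    return a list of problems (empty means well-formed). Action/resource
    names are not checked: which ones are valid depends on the kind and is
    defined by Harbor's own system/project mappings."""
    if not isinstance(permissions, list) or not permissions:
        return ["permissions must be a non-empty list"]
    problems = []
    for i, perm in enumerate(permissions):
        where = f"permissions[{i}]"
        kind, ns = perm.get("kind"), perm.get("namespace")
        if kind == "system" and ns != "/":
            problems.append(f"{where}: kind=system requires namespace '/'")
        elif kind == "project" and not ns:
            problems.append(f"{where}: kind=project needs '*' or a project name")
        elif kind not in ("system", "project"):
            problems.append(f"{where}: kind must be 'system' or 'project'")
        access = perm.get("access")
        if not isinstance(access, list) or not access:
            problems.append(f"{where}: access must be a non-empty list")
            continue
        for j, acc in enumerate(access):
            if not acc.get("action") or not acc.get("resource"):
                problems.append(f"{where}.access[{j}]: action and resource are required")
            # "effect" is absent from the README's example JSON, so it is optional here
            if "effect" in acc and acc["effect"] not in EFFECTS:
                problems.append(f"{where}.access[{j}]: effect must be allow or deny")
    return problems

def auth_token(robot_account_name, robot_account_secret):
    """Rebuild robot_account_auth_token as the README defines it:
    base64(robot_account_name:robot_account_secret)."""
    raw = f"{robot_account_name}:{robot_account_secret}".encode()
    return base64.b64encode(raw).decode()

# Constructed sample: the README's project-a entry plus a system-scoped entry
# with a deliberately wrong namespace, so the validator has something to flag.
SAMPLE_ROLE = json.loads("""[
 {"namespace": "project-a", "kind": "project",
  "access": [{"action": "pull", "resource": "repository"},
             {"action": "push", "resource": "repository"}]},
 {"namespace": "project-b", "kind": "system",
  "access": [{"action": "*", "resource": "*", "effect": "allow"}]}
]""")
```

Running validate_permissions on a file before `vault write .../roles/<role-name>` catches the namespace and effect mistakes that Harbor would otherwise reject only at credential-issue time; auth_token reproduces the token shown in the `vault read` output above from its name and secret fields.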
