Closed (cristiklein closed this 2 years ago)
We should generalize to other services as well. However, some backup solutions rely on RW access to backups. Investigate which services can actually work with write-only backups.
Aim to implement use of unique credentials for each service as a starting point. For supported clouds, aim to limit backup bucket access, whenever feasible...
Closing. "Object lock" and immutable S3-compatible object storage is the "correct" solution here.
Is your feature request related to a problem? Please describe.
Various regulations require protection of logging and backup information. To this end, we recommend creating write-only credentials for backup and logging purposes, which is supported by some cloud providers. Unfortunately, we cannot take advantage of this, since Harbor uses the same credentials.
Describe the solution you'd like
Harbor credentials should be separated, so that Harbor can have read-write access to buckets containing container images, while logging and backup should use write-only credentials.
Additional context
Definition of done:
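As an added illustration (not code from Harbor or from this issue), this is the shape of what the closing comment calls the correct solution, on AWS S3 with Terraform: a backup bucket separate from the registry bucket, Object Lock in compliance mode for immutability, and a write-only IAM policy for the backup job's own credential. Bucket and policy names are placeholders; the Terraform AWS provider v4+ resource names are assumed.

```hcl
# Added illustration, not Harbor's or this issue's code. Assumes AWS S3 and the
# Terraform AWS provider v4+; bucket and policy names are hypothetical placeholders.

# Dedicated backup bucket, separate from the bucket holding Harbor's registry data.
resource "aws_s3_bucket" "backups" {
  bucket              = "example-harbor-backups"   # placeholder name
  object_lock_enabled = true                        # must be set when the bucket is created
}

# Object Lock requires versioning; a PutObject on an existing key then adds a
# new version instead of overwriting the locked one.
resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Immutability: every new object is retained for 30 days in COMPLIANCE mode,
# which no principal, including the account root user, can shorten or remove.
resource "aws_s3_bucket_object_lock_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 30
    }
  }
}

# Write-only identity policy for the backup credential: it may only create
# objects. No s3:GetObject, s3:DeleteObject, s3:DeleteObjectVersion or
# s3:PutBucket* actions, so a leaked backup credential cannot read, tamper
# with or remove existing backups. Harbor's registry credential keeps its
# read-write access to its own, separate bucket and never sees this one.
data "aws_iam_policy_document" "backup_write_only" {
  statement {
    sid       = "WriteOnlyBackups"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.backups.arn}/*"]
  }
}

resource "aws_iam_policy" "backup_write_only" {
  name   = "example-harbor-backup-write-only"   # placeholder name
  policy = data.aws_iam_policy_document.backup_write_only.json
}
```

A backup tool that needs to list or read its previous snapshots (the RW dependency the first comment mentions) will not work with this policy as written; such tools need a restore credential issued separately from the one used for writing.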