goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Harbor Image Replication with AWS ECR using Vault-injected Kubernetes Secrets #21064

Open rmrj opened 1 month ago

rmrj commented 1 month ago

Hi,

I'm setting up image replication between AWS ECR and a Harbor registry (v2.9.1-5cbb1b01) deployed via Helm charts.

Instead of using the Harbor UI for proxy caching, I want to leverage Vault for secure management and injection of ECR credentials through Kubernetes secrets.

Here's the plan:

  1. Store ECR credentials securely in Vault.
  2. Dynamically fetch these credentials from Vault at runtime.
  3. Make the fetched credentials available as Kubernetes secrets.
  4. Configure Harbor to use these secrets for image replication with AWS ECR.

My question:

How can I configure Harbor to work with this setup?

I've reviewed the Harbor Helm chart code (https://github.com/kubeshop/helm-charts) but haven't found a way to define AWS ECR registry details.

Guidance Needed:

Can Harbor be configured to consume credentials from Kubernetes secrets for image replication? Are there any alternative approaches to achieve this scenario using Helm charts?

Thanks, Rama

ianseyer commented 1 month ago

I would set up your external registry and replication jobs via Terraform: https://registry.terraform.io/providers/goharbor/harbor/latest/docs/resources/registry
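A worked version of that suggestion, added here as an editor's example rather than code from the issue author, the Harbor project or the provider docs: Terraform reads the ECR key pair that Vault has already written into a Kubernetes Secret, registers ECR as a Harbor registry endpoint, and creates a pull-mode replication rule. The namespace `harbor`, the Secret name `ecr-creds`, its keys `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`, the ECR URL and the repository filter are all assumed placeholders.

```hcl
# Editor's example, not the issue author's or Harbor's own code.
# Assumes Vault (Agent injector or Vault Secrets Operator) already keeps a
# Kubernetes Secret harbor/ecr-creds in sync with the ECR IAM key pair.

terraform {
  required_providers {
    harbor     = { source = "goharbor/harbor" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

variable "harbor_url"      { type = string }
variable "harbor_username" { type = string }
variable "harbor_password" {
  type      = string
  sensitive = true
}

provider "kubernetes" {
  config_path = "~/.kube/config"   # assumed: local kubeconfig for the Harbor cluster
}

provider "harbor" {
  url      = var.harbor_url
  username = var.harbor_username
  password = var.harbor_password
}

# The Secret Vault maintains; keys are assumed names.
data "kubernetes_secret" "ecr" {
  metadata {
    name      = "ecr-creds"
    namespace = "harbor"
  }
}

# Registry endpoint of type aws-ecr ("aws" in the provider's naming).
# Harbor's ECR adapter takes the AWS access key ID as access_id and the
# secret access key as access_secret and exchanges them for an ECR token.
resource "harbor_registry" "ecr" {
  provider_name = "aws"
  name          = "aws-ecr"
  endpoint_url  = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com" # placeholder
  access_id     = data.kubernetes_secret.ecr.data["AWS_ACCESS_KEY_ID"]
  access_secret = data.kubernetes_secret.ecr.data["AWS_SECRET_ACCESS_KEY"]
  insecure      = false
}

# Pull-mode rule: copy matching ECR repositories into this Harbor, hourly.
# Harbor cron strings carry a leading seconds field.
resource "harbor_replication" "ecr_pull" {
  name        = "ecr-to-harbor"
  action      = "pull"
  registry_id = harbor_registry.ecr.registry_id
  schedule    = "0 0 * * * *"
  enabled     = true
  override    = true
  deletion    = false

  filters {
    name = "team-a/**"   # assumed repository prefix in ECR
  }
  filters {
    tag = "v*"
  }
}
```

Two caveats. First, whatever is read from the Kubernetes Secret ends up in Terraform state in plaintext, so the state backend needs the same protection as the Secret itself. Second, the registry endpoint stores a static AWS key pair; if Vault issues short-lived AWS credentials, the run has to be re-applied before they expire or replication jobs will start failing authentication against ECR.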