We need a way to create the harbor projects for the users to be able to push their images to them.
This can be done beforehand or on-demand. Some ideas:
On-demand
Creating it when the first run is triggered, from the webservice cli
Advantages:
- Only created when it's actually needed
Disadvantages:
- Needs credentials to create the project; as things currently stand, the cli would need access to those.
Creating it from the validation hook
Advantages:
- Only created when it's actually needed
- Secrets remain in the validation hook
Disadvantages:
- Hard to debug/troubleshoot
- Runs in a delay-sensitive part of the process
Creating it from another (new) service
Advantages:
- Only created when it's actually needed
- Secrets remain in the admin side of things
- This might be the way things should go (thinning the cli and moving to a service)
Disadvantages:
- New service to maintain (even if it's small)
Beforehand
maintain-kubeusers script [1]:
Advantages:
- It does not slow down any of the user processes
Disadvantages:
- It might not have run yet when the user tries to run a build
- It will create all the projects at once, when most of them might not be needed
- Might be long and heavy (listing and checking all projects, creating all projects, ~3k tools)
Our own cronjob
Advantages:
- Clearer separation
Disadvantages:
- Not reusing maintain-kubeusers (not sure how much we could reuse though)
Decision
We decided to go with the dedicated cronjob, as it's the simplest, clearest and does not require exposing any credentials to users.
This entails:
- Create the dedicated toolforge tool (maintain-harbor)
- Create the robot account with "powers" to create the namespaces
- Create the script to pull the tools list from ldap and create the namespaces
- Set up a toolforge job that runs that script
- Add the entry to the toolhub list https://toolhub.wikimedia.org/lists/192
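As an added example (not code from the decision above nor from the maintain-harbor tool), a minimal idempotent reconciliation loop in Python: it takes tool names from constructed LDAP-style entries, checks which Harbor projects already exist, and creates only the missing ones as private projects, with the robot credentials read from the environment on the admin side so no user process ever sees them. The LDAP attribute layout (cn=tools.<name>), the environment variable names and the Harbor v2 endpoint paths are assumptions.

```python
"""Idempotent reconciliation: one private Harbor project per Toolforge tool."""
import json
import os
import urllib.error
import urllib.request
from base64 import b64encode

# Constructed sample of LDAP search results; real attribute names are an assumption.
SAMPLE_LDAP_ENTRIES = [
    {"cn": ["tools.wikibugs"]},
    {"cn": ["tools.stashbot"]},
    {"cn": ["not-a-tool"]},  # not a tool service group: must be ignored
]

def tool_names_from_ldap(entries):
    """Tool names (cn without the 'tools.' prefix), sorted and de-duplicated."""
    names = {cn[len("tools."):] for e in entries for cn in e.get("cn", []) if cn.startswith("tools.")}
    return sorted(names)

def plan_projects(tool_names, existing_projects):
    """Projects still to be created; the loop never deletes anything."""
    existing = set(existing_projects)
    return [name for name in tool_names if name not in existing]

class HarborClient:
    """Minimal Harbor v2 API client using the robot account's basic-auth credentials."""
    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        token = b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 404 on HEAD means "does not exist", not a failure

    def project_exists(self, name):
        return self._request("HEAD", f"/api/v2.0/projects?project_name={name}") == 200

    def create_project(self, name):
        # public=False: only project members can push or pull the tool's images
        return self._request("POST", "/api/v2.0/projects", {"project_name": name, "public": False}) == 201

def reconcile(client, tool_names):
    """Create every missing project; returns the names created during this run."""
    present = [n for n in tool_names if client.project_exists(n)]
    return [n for n in plan_projects(tool_names, present) if client.create_project(n)]

if __name__ == "__main__":  # credentials come from the job's environment, never from a user
    hc = HarborClient(os.environ["HARBOR_URL"], os.environ["HARBOR_ROBOT_USER"], os.environ["HARBOR_ROBOT_PASSWORD"])
    print(reconcile(hc, tool_names_from_ldap(SAMPLE_LDAP_ENTRIES)))
```

Running the loop twice creates nothing the second time, which is what makes it safe to schedule as a recurring job.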
[1] https://gerrit.wikimedia.org/r/plugins/gitiles/labs/tools/maintain-kubeusers/