[maintain-harbor] Manage project quotas via maintain-harbor
Open, High, Public

Description

Add the following functionality to maintain-harbor:

  • The ability to change the default project quota. This means iterating over all the projects, changing the quotas of all projects that have the old quota (but leaving out those that have a custom quota)
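
As an added illustration (not code from maintain-harbor or from this task), the selection step described above can be written as a pure planning function that runs before any write is made. The record fields (`id`, `ref.name`, `hard.storage`, `used.storage`) are assumed to follow Harbor's v2.0 quota API; the function name, the protected-project set (reflecting the concern about the `toolforge` project raised in the IRC discussion on this task) and the sample records are constructed for the example.

```python
# Added example: plan per-project quota changes, leaving custom quotas alone.
# Field names are assumed from Harbor's v2.0 quota API; sample data is constructed.

PROTECTED = frozenset({"toolforge"})  # infra-images project named in the discussion
GIB = 1024 ** 3


def plan_quota_updates(quotas, old_default, new_default, protected=PROTECTED):
    """Return (updates, skipped) for moving projects from old_default to new_default."""
    if new_default != -1 and new_default <= 0:
        raise ValueError("new_default must be a positive byte count or -1 (unlimited)")
    updates, skipped = [], []
    for q in quotas:
        qid = q.get("id")
        name = (q.get("ref") or {}).get("name")
        hard = (q.get("hard") or {}).get("storage")
        used = (q.get("used") or {}).get("storage", 0)
        if qid is None or name is None or hard is None:
            skipped.append((name, "malformed record"))
        elif name in protected:
            skipped.append((name, "protected project"))
        elif hard != old_default:
            skipped.append((name, "custom quota"))
        else:
            updates.append({
                "quota_id": qid,
                "project": name,
                "body": {"hard": {"storage": new_default}},
                # Lowering below current usage is permitted; flag it for review.
                "over_quota": new_default != -1 and used > new_default,
            })
    return updates, skipped


SAMPLE_QUOTAS = [  # constructed records
    {"id": 1, "ref": {"name": "toolforge"}, "hard": {"storage": 2 * GIB}, "used": {"storage": GIB}},
    {"id": 2, "ref": {"name": "tool-alpha"}, "hard": {"storage": 2 * GIB}, "used": {"storage": 3 * GIB // 2}},
    {"id": 3, "ref": {"name": "tool-beta"}, "hard": {"storage": 5 * GIB}, "used": {"storage": GIB}},
    {"id": 4, "ref": {"name": "tool-gamma"}, "hard": {"storage": 2 * GIB}, "used": {"storage": 0}},
    {"id": 5, "ref": {}, "hard": {"storage": 2 * GIB}},
]

if __name__ == "__main__":
    updates, skipped = plan_quota_updates(SAMPLE_QUOTAS, 2 * GIB, GIB)
    for u in updates:
        print("update", u["quota_id"], u["project"], u["body"], "over quota" if u["over_quota"] else "")
    for name, reason in skipped:
        print("skip", name, "-", reason)
```

Because the function only builds a plan, it can be reviewed or logged as a dry run, and the account that applies it needs write access only to the quotas listed in `updates`.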

Details

Title: jobs: add job for managing harbor quotas
Reference: repos/cloud/toolforge/maintain-harbor!22
Author: sstefanova
Source Branch: slavina/manage-project-quotas
Dest Branch: main

Event Timeline

Slst2020 changed the task status from Open to In Progress. Nov 30 2023, 1:59 PM
Slst2020 claimed this task.
Slst2020 moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 02) board.

note: lowering a project's quota below the amount of storage it currently uses does not break anything

Slst2020 changed the task status from In Progress to Open. Dec 8 2023, 2:21 PM

tested in prod: there's unfortunately no way to get/set the default quota without giving the maintain-harbor user system admin permissions.

From irc:

3:09 PM <blancadesal> Slavina S 
dcaro: for the maintain-harbor quota job to work, the maintain-harbor user needs to be admin (currently isn't). Do you see any issue with this? 
3:10 PM <dcaro> David Caro 
hmm... my main concern is that the script is doing cleanups and removing projects and such, so a bug might remove the `toolforge` project that has all our infra images
3:10 PM 
if the account is not able to remove things from there, then a bug would just make it fail if it tries
3:11 PM 
iirc the permissions settings were rather limited, can we add an account that does not have permissions on the toolforge project?
3:12 PM <blancadesal> Slavina S 
not sure, the actual bits it needs system admin permissions for is getting/setting the default project quota
3:12 PM 
for individual quotas, it's enough that it is a project admin (which is already the case)
3:13 PM <dcaro> David Caro 
hmpf
3:13 PM <blancadesal> Slavina S 
yeah that's annoying
3:14 PM 
agree it's dangerous for the jobs to run as system admin
3:14 PM <dcaro> David Caro 
hmm, what if we don't change the default quota?
3:14 PM 
just the per-project quotas?
3:14 PM 
(that we have to do anyhow if the default ever changes)
3:15 PM <blancadesal> Slavina S 
indeed
3:15 PM 
sounds good to me
dcaro changed the task status from Open to In Progress. Dec 11 2023, 10:33 AM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 02) board.
Slst2020 changed the task status from In Progress to Stalled. Jan 3 2024, 1:10 PM

Turns out accessing the GET /quotas endpoint also requires the user to have system admin rights. Pausing this task while investigating if the revamped robot account permissions in harbor 2.10 can help with this. Alternatively, we might have to create an admin user other than maintain-harbor for this specific job, although that's a less desirable option.

Results are in: robot accounts in 2.10 can still not manage quotas. I've asked in the cncf harbor slack channel if I'm missing something and there's a better option than using a god-level user for this; hopefully yes.

Turns out they were planning to add read permission on quota in 2.10, but somehow forgot. Issue here: https://github.com/goharbor/harbor/issues/19792

This has been solved now, haven't tested it yet though. Will have to wait for the next release too. https://github.com/goharbor/harbor/pull/19799

dcaro triaged this task as High priority. Feb 7 2024, 10:13 AM
Slst2020 changed the task status from Stalled to Open. Wed, Apr 3, 12:02 PM