Harbor to Store AI Training Containers with GPU Support

Question

Pulumi · Accepted Answer

To set up Harbor as a container registry that can store AI training containers, you can use the `harbor` package in Pulumi. These containers could be built with GPU support by including the necessary libraries and drivers, but configuring GPU support is typically done at the Kubernetes cluster level and not within Harbor itself. Harbor simply stores and serves the container images, which can be GPU-enabled if they're built properly beforehand.

Below is a Pulumi Python program that will create Harbor resources to facilitate storing and organizing your AI training containers. This setup will include:

- A Harbor project where you can push your container images.
- User management for access control.
- Configuration of a registry to link an external registry if needed.
- Robot accounts to allow automated systems to push and pull images from the project.
  
For demonstration purposes, the program assumes all required external systems are in place, such as Kubernetes clusters that Harbor will interact with, and that Pulumi is already configured to connect to your cloud and Harbor instances.

```python
import pulumi
import pulumi_harbor as harbor

# Create a new Harbor project called "ai-training".
ai_training_project = harbor.Project("ai-training-project",
    # Setting the project name
    name="ai-training",
    # Setting this to a public project (change to `false` if you want it private)
    public="public",
    # Dummy integer for registryId just for illustration purposes
    registry_id=1,
)

# Create a Harbor user that will have permissions to manage the project.
admin_user = harbor.User("admin-user",
    username="ai_admin",
    email="ai_admin@example.com",
    password=pulumi.Config("harbor").require("ai_admin_password"),  # You should set the password in a secure way
    admin=True,
)

# Define the registry information which corresponds to an external registry.
# For example, you might link a registry where GPU-enabled base images are stored.
external_registry = harbor.Registry("external-registry",
    name="External Registry",
    endpoint_url="https://your-external-registry.com",
    provider_name="docker-hub",  # This could be 'aws-ecr', 'azure-acr', 'gcp-gar', etc.
    access_id="ACCESS_ID",
    access_secret=pulumi.Config("harbor").require_secret("external_registry_access_secret")
)

# Create a Robot account that CI/CD pipelines can use for pushing/pulling images.
ci_cd_robot_account = harbor.RobotAccount("ci-cd-robot-account",
    name="robot$ciCdSystem",
    level="project",
    description="Robot account for CI/CD",
    permissions=[
        {
            "kind": "project",
            "namespace": ai_training_project.name,
            "access": [
                {"resource": "repository", "action": "push"},
                {"resource": "repository", "action": "pull"},
            ],
        },
    ],
)

# Export the robot account token for CI/CD pipeline use.
pulumi.export("ci_cd_robot_account_token", ci_cd_robot_account.secret)

# Create other resources as needed, such as replication policies, if you're mirroring images across registries, etc.
```

In this program, we have:

- Set up a `Project` in Harbor to store your AI training containers. A Harbor project is like a namespace to group related repositories.
- Created a user with admin privileges within Harbor to manage the project and its repositories.
- Configured a `Registry` which allows Harbor to proxy cache or replicate images from an external registry.
- Generated a `Robot Account` which is useful for automation scripts, like those in continuous integration and continuous delivery (CI/CD) pipelines, to interact with Harbor without using a user's credentials.

Remember that Harbor is just a container registry and doesn't deal with the execution of containers. GPU support must be configured where you run the containers, such as Kubernetes clusters with nodes that have GPU resources.

To use this program, you'll replace placeholder values like `your-external-registry.com`, and `ACCESS_ID` with actual information from your environment. Also, make sure to manage secrets like passwords and access tokens securely, for instance by using `pulumi.Config` and storing the actual secrets in a secure store, such as Pulumi's secrets provider.

The `pulumi.export` statement at the end is used to output the robot account token so that it can be securely used by CI/CD pipelines to interact with the Harbor project.

To use this program, you would typically run `pulumi up` in the same directory as the program, assuming you have already logged in to Pulumi and selected or created an appropriate stack. The Pulumi CLI would then execute the program, communicate with the cloud provider and the Harbor instance, and set up the resources as described by the code.