1. Private Harbor Repositories for Secure AI Development Workflows


    Creating private repositories in Harbor is essential for managing container images and Helm charts with fine-grained access control, which is particularly important in secure AI development workflows. To set up a private Harbor repository, you would use Pulumi's infrastructure as code framework to define and deploy Harbor projects that store your repositories, configure robot accounts for authenticating CI/CD pipelines, and set up security settings such as vulnerability scanning and content trust.

    Below is an example of how to use Pulumi to create a private Harbor project, set up a robot account for automation, and configure various security settings to ensure the integrity and confidentiality of your development workflows. We will be using the Harbor provider for Pulumi, which allows us to programmatically manage Harbor resources.

    Here's what each part of the code does:

    1. Imports and initialization: The required Pulumi libraries are imported, including the Harbor provider needed to interact with the Harbor API.

    2. Create a Harbor Project: A new project is created within Harbor. This project will serve as a container for our repositories, where we can push and pull images and charts.

    3. Create a Harbor Robot Account: A robot account is a way to authenticate automated processes, such as CI/CD pipelines.

    4. Configure Security Features: We define various security-related settings for the project, such as enabling content trust and vulnerability scanning, which ensures that images are signed and inspected for vulnerabilities before being stored.

    5. Exports: At the end of the script, we export the Harbor project name and robot account name so that they can be easily referenced.

    Let's look at the Pulumi code:

    import pulumi import pulumi_harbor as harbor # Create a Harbor project called "ai-development" which is private. ai_development_project = harbor.Project( "ai-development", name="ai-development", public=False, # Set to False for a private project. registry_id=1, # The ID for the default Harbor registry. storage_quota=10 * 1024 * 1024 * 1024, # e.g., 10 GB vulnerability_scanning=True, # Enables vulnerability scanning on push to this project. enable_content_trust=True, # Enables Docker Content Trust for the project. ) # Creates a robot account for automated tools to use when pushing/pulling from the project. ai_development_robot_account = harbor.RobotAccount( "ai-development-robot-account", name="ai-development-robot-account", level="project", disable=False, # Set to False so the robot account is active. duration=-1, # '-1' means the robot account won't expire. permissions=[{ "kind": "project", "namespace": ai_development_project.name, "accesses": [{ "resource": "repository", # Provides access to the repository "action": "push/pull", # Allow both push and pull actions }], }] ) # Export the Harbor project name and robot account name for use in other processes or output. pulumi.export('ai_dev_project_name', ai_development_project.name) pulumi.export('ai_dev_robot_account_name', ai_development_robot_account.name)

    In this code, we create a private Harbor project, which serves as a namespace for related repositories. It's marked as private to ensure that only authenticated users or systems with correct permissions can access it. We allocate a storage quota to limit the amount of storage the project can consume and enable features such as vulnerability scanning and content trust to increase security.

    The Harbor robot account is created to allow CI/CD systems to authenticate against Harbor without the need for a user’s credentials. The access permissions are configured to allow the robot account to push and pull images from the Harbor project's repositories.

    After running this Pulumi program, you will have a new private project in Harbor with a robot account that can be used for automated workflows. This setup helps secure your AI development process by ensuring that images and charts are safely stored and only accessible via authenticated means.