📚 Sync docs from alaudadevops/connectors-operator on d00cb15366dc704098e0860f056012b27c423cce

Source: feat(connectors): add ConnectorsHarbor component support (#417)
Author: kycheng
Ref: refs/heads/main
Commit: d00cb15366dc704098e0860f056012b27c423cce

This commit automatically syncs documentation changes from the source-docs repository.

🔗 View source commit: https://github.com/alaudadevops/connectors-operator/commit/d00cb15366dc704098e0860f056012b27c423cce
🤖 Synced on 2025-12-11 04:58:03 UTC

Author: edge-katanomi-app2[bot]

.github/SYNC_INFO.md

@@ -1,10 +1,10 @@
 # Documentation Sync Information
 
-- **Last synced**: 2025-12-10 11:07:31 UTC
+- **Last synced**: 2025-12-11 04:58:03 UTC
 - **Source repository**: alaudadevops/connectors-operator
-- **Source commit**: [e964585fe4cabafec837c233582b9eed151c434f](https://github.com/alaudadevops/connectors-operator/commit/e964585fe4cabafec837c233582b9eed151c434f)
+- **Source commit**: [d00cb15366dc704098e0860f056012b27c423cce](https://github.com/alaudadevops/connectors-operator/commit/d00cb15366dc704098e0860f056012b27c423cce)
 - **Triggered by**: edge-katanomi-app2[bot]
-- **Workflow run**: [#58](https://github.com/alaudadevops/connectors-operator/actions/runs/20096482907)
+- **Workflow run**: [#59](https://github.com/alaudadevops/connectors-operator/actions/runs/20122467163)
 
 ## Files synced:
 - docs/

docs/en/apis/kubernetes_apis/operator/operator.connectors.alauda.io_connectorsharbors.mdx

@@ -0,0 +1,7 @@
+---
+weight: 10
+---
+
+# ConnectorsHarbor [operator.connectors.alauda.io/v1alpha1]
+
+<K8sCrd name="connectorsharbors.operator.connectors.alauda.io" />

docs/en/connectors-harbor/concepts/harbor_connectorclass.mdx

@@ -0,0 +1,197 @@
+---
+weight: 20
+---
+
+# Harbor Connector
+
+The Harbor connector is a platform-agnostic connector that you can use to connect to any Harbor registry.
+
+You can use the Harbor Connector to securely perform container image operations in CICD pipelines, or use it in kubernetes workloads to perform image operations without credentials.
+
+Additionally, you can centralize the management of Harbor access configurations across namespaces, avoiding the need to repeat the Harbor credentials in each namespace.
+
+## Overview
+
+This document covers:
+
+- **Integration Requirements**: Prerequisites for target Harbor registries
+- **Creating Harbor connector**
+- **Advanced Features**: Proxy capabilities and configuration capabilities about Harbor connector
+
+## Integration Requirements
+
+**Harbor Registries Prerequisites**
+
+- Supports Harbor 2.x versions
+
+## Creating a simple Harbor connector
+
+Here's how to create a basic Harbor Connector:
+
+```yaml
+# Harbor Connector
+apiVersion: connectors.alauda.io/v1alpha1
+kind: Connector
+metadata:
+  name: harbor-connector
+spec:
+  connectorClassName: harbor
+  address: https://harbor.example.com
+```
+
+## Fields Reference
+
+**spec.connectorClassName**:
+
+`harbor` (constant), specifies the ConnectorClass name for Harbor integration.
+
+**spec.address**:
+
+Target Harbor registry address, for example: `https://harbor.example.com`.
+
+**spec.auth(optional)**:
+
+specifies the authentication method of the Harbor registry
+
+- `spec.auth.name`: should be `basicAuth` for Harbor connector.
+
+- `spec.auth.secretRef`: specifies the secret that contains the authentication information of the Harbor registry, the secret should be created in the same namespace as the connector. If your Harbor registry does not require authentication, you can omit this field. secret type must be `kubernetes.io/basic-auth`.
+
+**Optional Metadata fields**:
+
+- `cpaas.io/description`: Description information for the Harbor connector, for example:
+
+  ```yaml
+  apiVersion: connectors.alauda.io/v1alpha1
+  kind: Connector
+  metadata:
+    name: harbor-connector
+    annotations:
+      cpaas.io/description: "Connect to team development Harbor registry"
+  ```
+
+## Connector Capabilities
+
+### Authentication Methods
+
+The Harbor Connector supports the following authentication methods:
+
+- **Basic Authentication**: Username and password authentication, secret type must be `kubernetes.io/basic-auth`.
+
+if your Harbor registry does not require authentication, you can omit this field.
+
+#### Token Permissions Required \{#token_permissions_required}
+
+The required permissions for the configured credential depend on how you intend to use it in your Pods/Pipelines.
+
+For example:
+- **Image pull and push operations**: If you need to pull and push images using this connector, the credentials must have both read and write permissions for the target Harbor registry.
+- **API operations**: Configure permissions based on the operations you need to perform. When configuring credentials, ensure the account has permission to access user information (/users/current).
+
+For security best practices, we recommend creating credentials with minimal required permissions. When additional privileges are needed, create separate Connectors with more privileged secret and use namespace isolation to control which users can access each Connector.
+
+### Proxy and Configuration Capabilities
+
+The Harbor Connector provides proxy capabilities to enable secure access to Harbor registries.
+
+To enable clients to access Harbor registries without directly handling credentials, the Harbor ConnectorClass provides a proxy server that automatically injects authentication information.
+
+Clients with access to the connector can use this proxy server to access Harbor registries without needing to configure credentials on the client side.
+
+#### Proxy Address
+
+When creating a Harbor connector, the system will automatically create a Service for proxying access to the Harbor registry.
+
+The system will record the proxy address in the `status.proxy.httpAddress` field.
+
+For example:
+
+```yaml
+apiVersion: connectors.alauda.io/v1alpha1
+kind: Connector
+metadata:
+  name: harbor-connector
+spec:
+  # . . .
+status:
+  conditions:
+  # . . .
+  proxy:
+    httpAddress:
+      url: http://c-harbor-connector.default.svc.cluster.local
+```
+
+#### Forward Proxy
+
+You can mount proxy information into Pods using CSI, and then use the proxy information through environment variables or configuration files.
+
+```yaml
+volumes:
+- name: proxyconfig
+  csi:
+    readOnly: true
+    driver: connectors-csi
+    volumeAttributes:
+      connector.name: "harbor"
+```
+
+Then, before executing container operations, use the proxy information through environment variables or configuration files.
+
+```bash
+export http_proxy=$(cat /{mount-path}/http.proxy)
+export https_proxy=$(cat /{mount-path}/https.proxy)
+export HTTP_PROXY=$http_proxy
+export HTTPS_PROXY=$https_proxy
+export no_proxy=localhost,127.0.0.1
+export NO_PROXY=$no_proxy
+echo "Using proxy: http_proxy=$http_proxy, https_proxy=$https_proxy, no_proxy=$no_proxy"
+```
+
+#### Reverse Proxy
+
+When using a reverse proxy, you need to modify the target image address to the proxy address.
+
+Example:
+harbor.example.com/test/abc:v1 → c-harbor-connector.default.svc.cluster.local/namespaces/harbor-connector-demo/connectors/harbor-connector/test/abc:v1
+
+Additionally, you need to mount the configuration files into the Pod and configure the proxy address in `insecure-registries`. The default configuration files `buildkitd.toml` and `config.json` are provided.
+
+The OCI Connector created based on the OCI Connector type provides the following configurations:
+
+**config**: Configuration information required by Docker CLI.
+
+- Provides the `config.json` configuration file.
+- Contains the authentication information required to access the proxy.
+
+For example:
+
+```json
+// config.json
+
+{
+  "auths": {
+      "<proxy address of the connector>": {
+          "auth": "<authentication information required to access the connector proxy>"
+      }
+  }
+}
+```
+
+**buildkitd**: Configuration information required by the BuildKit Daemon.
+
+- Provides the `buildkitd.toml` configuration file.
+- In the configuration file, the current connector will be set as `insecure-registries` by default.
+
+For example:
+
+```yaml
+insecure-entitlements = [ "network.host", "security.insecure" ]
+[registry."<proxy address of the connector>"]
+  http = true
+```
+
+
+## Further Reading
+
+- [Harbor Connector Quick Start](../quick_start)
+- [Harbor Connector How To Guides](../how_to)

docs/en/connectors-harbor/concepts/index.mdx

@@ -0,0 +1,11 @@
+---
+weight: 40
+i18n:
+  title:
+    en: Concepts
+title: Concepts
+---
+
+# Harbor Connector
+
+<Overview />

docs/en/connectors-harbor/how_to/index.mdx

@@ -0,0 +1,11 @@
+---
+weight: 60
+i18n:
+  title:
+    en: How To
+title: How To
+---
+
+# Harbor Connector
+
+<Overview />

docs/en/connectors-harbor/how_to/using_harbor_connector_in_k8s.mdx

@@ -0,0 +1,117 @@
+---
+weight: 20
+sourceSHA: 9127ed46c690502a00565477f7c29eee7941b32f59f83faf3498b5bb9097e080
+---
+
+# Using the Harbor Connector Proxy in K8S Workload
+
+In a Kubernetes cluster, when using container registry clients to access the Harbor Registry, it is often necessary to configure the Registry authentication information for the client. This requires distributing the authentication information to the workload orchestrators, thereby increasing the risk of credential leakage.
+
+The Harbor Connector provides a `secretless` way to access the Registry through its proxy capability, allowing ordinary users to access the Registry without having contact with authentication information, thus maximizing credential security.
+
+Currently, there are various container registry clients available in the community for accessing the `Harbor Registry`. This document will introduce how to utilize the proxy capabilities of the `Harbor Connector` in Kubernetes workloads and explain its general configuration logic.
+
+If you already have a preliminary understanding, you can directly refer to more specific cases:
+
+- [Using Harbor Connector to Build Images in K8S Job](./using_harbor_connector_in_k8s_job.mdx)
+- [Using Harbor Connector to Build Images in Tekton Pipeline](./using_harbor_connector_forward_proxy_in_tekton_pipeline.mdx)
+
+## Utilizing Harbor Connector Proxy Capability
+
+Currently, there are two proxy modes supported:
+- Forward Proxy
+- Reverse Proxy
+
+### Forward Proxy
+
+- Configure the forward proxy for the Harbor Connector, such as `http_proxy`, `https_proxy`, `no_proxy`, etc.
+
+The `Harbor ConnectorClass` provides an out-of-the-box configuration that can be mounted through connector-csi.
+
+```yaml
+volumes:
+- name: proxyconfig
+  csi:
+    readOnly: true
+    driver: connectors-csi
+    volumeAttributes:
+      connector.name: "harbor"
+```
+
+> Note: The configuration name don't need support, it will be mounted as `http.proxy` and `https.proxy`.
+
+Before using, configure the proxy according to different container registry clients. Most container registry clients support directly reading the HTTP_PROXY, HTTPS_PROXY, NO_PROXY, http_proxy, https_proxy, no_proxy environment variables.
+
+```bash
+export http_proxy=$(cat /{mount-path}/http.proxy)
+export https_proxy=$(cat /{mount-path}/https.proxy)
+export HTTP_PROXY=$http_proxy
+export HTTPS_PROXY=$https_proxy
+export no_proxy=localhost,127.0.0.1
+export NO_PROXY=$no_proxy
+```
+
+Some clients need to specify the proxy in the software configuration file, the configuration method needs to refer to the specific documentation of the client.
+
+
+### Reverse Proxy
+
+Using the Harbor Connector proxy capability mainly involves the following three aspects:
+
+- Modifying the target image address to the proxied image repository address
+- Configuring the authentication information required to access the proxy
+- Configuring the client CLI to support pushing to insecure registries
+
+Next, we will elaborate on the specific meaning of each item.
+
+1. Modifying the target image address to the proxied image repository address
+
+Example:
+harbor.example.com/test/abc:v1 → c-harbor-connector.default.svc.local/namespaces/harbor-connector-ns/connectors/harbor-connector-name/test/abc:v1
+
+2. Configuring the authentication information required to access the proxy
+
+The authentication information required to access the proxy can be configured through the `config.json` file.
+
+The `Harbor ConnectorClass` provides an out-of-the-box configuration that can be mounted through connector-csi.
+
+```yaml
+volumes:
+- name: docker-config
+  csi:
+    readOnly: true
+    driver: connectors-csi
+    volumeAttributes:
+      connector.name: "harbor"
+      configuration.names: "config"
+```
+
+> For the configuration information of the Harbor ConnectorClass, please refer to [Harbor ConnectorClass Configuration](../concepts/harbor_connectorclass.mdx#configuration).
+
+3. Configuring the client CLI to support pushing to insecure registries
+
+Since the proxy service provided by the connector uses HTTP protocol, it is necessary to configure `insecure-registries` on the client. Different clients have different configuration methods:
+
+`buildkitd` can specify this through `buildkitd.toml`. The Harbor ConnectorClass provides an out-of-the-box configuration for `buildkitd`, which can be mounted through connector-csi.
+
+```yaml
+- name: buildkitd-config
+  csi:
+    readOnly: true
+    driver: connectors-csi
+    volumeAttributes:
+      connector.name: "harbor"
+      configuration.names: "buildkitd"
+```
+
+Certain tools may support specifying directly in the command line, in which case the corresponding parameters can be fixed in the script.
+
+For example:
+
+- `buildah` specifies `--tls-verify=false` in the command line to support insecure registry.
+- `ko` specifies `--insecure-registry` in the command line to support insecure registry.
+
+## More
+
+- [Using Harbor Connector to Build Images in K8S Job](./using_harbor_connector_in_k8s_job.mdx)
+- [Using Harbor Connector to Build Images in Tekton Pipeline](./using_harbor_connector_in_tekton_pipeline.mdx)