docs: K3s + Harbor Satellite end-to-end reference guide and architecture

[Aloui-Ikram]

Fixes: #345

The document covers:

• Network topology and reference architecture (Cloud/Edge planes)
• SPIFFE/SPIRE security model with Zero-Touch Registration (ZTR)
• Connectivity model and bandwidth optimization
• Step-by-step setup guide , Method 1: Network-Based Registry Mirror
• Step-by-step setup guide , Method 2: Automated Air-Gap via Direct Delivery
• Enterprise use cases (Retail, Industrial IoT, Energy/Telecom, Smart Agriculture)
• SUSE ecosystem alignment (K3s, SLE Micro, Rancher Fleet, Elemental)

Summary by CodeRabbit

• Documentation
  • Added a comprehensive K3s + Harbor Satellite reference guide covering deployment topologies (cloud/datacenter vs edge), component placement, image synchronization and local delivery flows, SPIFFE/SPIRE zero‑touch identity and mTLS credential management with rotation, connectivity and WAN‑outage behavior, two setup procedures for networked mirror and automated air‑gap delivery with validation steps, and enterprise use cases plus further reading.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new end-to-end reference guide for deploying Harbor Satellite with K3s, covering architecture, component placement, SPIFFE/SPIRE zero-touch security, image synchronization/delivery flows, two setup methods (registry mirror and direct delivery), connectivity/partition semantics, and example enterprise use cases.

Changes

Cohort / File(s)

Summary

K3s Reference Architecture Guide docs/guides/k3s-reference-architecture.md

Adds a comprehensive documentation page describing Cloud vs Edge operational planes, component placement (Central Harbor, Ground Control, SPIRE Server/Agents, Harbor Satellite, K3s/containerd), image sync and delivery flows (mTLS layer pulls into Zot, containerd mirror to 127.0.0.1:5050, direct-delivery into K3s auto-import), SPIFFE/SPIRE zero-touch registration and attestation options, scheduler/telemetry/replication loops, WAN-partition behavior, two setup/validation procedures (network registry mirror + SPIRE ZTR; automated air-gap/direct delivery), use cases, SUSE/K3s ecosystem alignment, and further-reading links.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Docs : update quickstart.md, add examples and add architecture docs #183 — Adds related Harbor Satellite architecture and deployment documentation that this K3s-specific guide complements.

Suggested reviewers

• bupd

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change—adding a comprehensive end-to-end reference guide for K3s and Harbor Satellite architecture.
Description check	✅ Passed	The description covers all required sections (Fixes issue reference, comprehensive Description listing key guide topics). All template sections are present and adequately filled.
Linked Issues check	✅ Passed	The PR fully addresses all coding/documentation objectives from issue #345: reference architecture definition, connectivity model, SPIFFE/SPIRE security integration with ZTR, end-to-end setup guides (both methods), enterprise use cases, and SUSE ecosystem alignment.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #345 requirements. The single new documentation file adds the reference guide with no tangential modifications or unrelated updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/k3s-reference-architecture

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

docs/guides/k3s-reference-architecture.md (1)

157-159: Make “Method 1/2” subheadings under each setup guide section.

Current structure uses two consecutive H2 headings per method block, which makes section hierarchy flatter than intended and can make TOC anchors less clear. Consider keeping ## 5. Setup Guide / ## 6. Setup Guide and moving method titles to H3.

Suggested structure adjustment

-## 5. Setup Guide 
-## Method 1: Network-Based Registry Mirror
+## 5. Setup Guide
+### Method 1: Network-Based Registry Mirror

-## 6. Setup Guide 
-## Method 2: Absolute Air-Gap via Disk Auto-Import
+## 6. Setup Guide
+### Method 2: Absolute Air-Gap via Disk Auto-Import

Also applies to: 328-330

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/guides/k3s-reference-architecture.md` around lines 157 - 159, The
document uses consecutive H2 headings ("## 5. Setup Guide" and "## Method 1:
Network-Based Registry Mirror") which flattens the TOC; change the method titles
(e.g. "Method 1: Network-Based Registry Mirror" and "Method 2: ...") from H2 to
H3 (###) so they become subsections under the existing "## 5. Setup Guide" and
"## 6. Setup Guide" headings; apply the same conversion for the similar
occurrence referenced later (the block around the other Method headings) so all
method titles are H3-level subsections.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Line 4: The heading "End-to-End Reference Guide and Architecture" is currently
using "###" immediately after an H1 which breaks MD001; change that heading's
markdown level from "###" to "##" (i.e., use an H2) so heading progression is
correct and MD001 is satisfied, updating the line containing "End-to-End
Reference Guide and Architecture".
- Around line 185-186: Replace the live variable usage that exposes secrets with
a safe, hardcoded example value: change the docker login command that uses `-p
<HARBOR_PASSWORD>` to use an example password like `Harbor12345` (e.g., `docker
login -u admin -p Harbor12345 <CENTRAL_HARBOR_IP>:80`) and update the inline
JSON payload sections (the JSON body around the Harbor credential examples) to
use the same example credential value instead of `<HARBOR_PASSWORD>` or other
live placeholders so readers can copy/paste without passing real secrets on the
command line or in shell history.

---

Nitpick comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Around line 157-159: The document uses consecutive H2 headings ("## 5. Setup
Guide" and "## Method 1: Network-Based Registry Mirror") which flattens the TOC;
change the method titles (e.g. "Method 1: Network-Based Registry Mirror" and
"Method 2: ...") from H2 to H3 (###) so they become subsections under the
existing "## 5. Setup Guide" and "## 6. Setup Guide" headings; apply the same
conversion for the similar occurrence referenced later (the block around the
other Method headings) so all method titles are H3-level subsections.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2bad6950-15ac-40f4-b561-1881027a1710

📥 Commits

Reviewing files that changed from the base of the PR and between f85832a and d95b6be.

⛔ Files ignored due to path filters (2)

• docs/images/architecture-overview.png is excluded by !**/*.png
• docs/images/spiffe-security-model.png is excluded by !**/*.png

📒 Files selected for processing (1)

• docs/guides/k3s-reference-architecture.md

[cubic-dev-ai]

2 issues found across 3 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/guides/k3s-reference-architecture.md">

<violation number="1" location="docs/guides/k3s-reference-architecture.md:185">
P2: These Harbor push commands will fail on a default Docker setup unless the plain-HTTP registry is added as an insecure registry or the example uses HTTPS.</violation>

<violation number="2" location="docs/guides/k3s-reference-architecture.md:203">
P1: This heredoc won't write to `/etc/rancher/k3s/registries.yaml` as root because the shell redirection happens before `sudo`. Use `sudo tee` here.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

docs/guides/k3s-reference-architecture.md (1)

4-4: ⚠️ Potential issue | 🟡 Minor

Fix heading level progression at Line 4.

### directly after an H1 breaks markdown heading increment rules; make this an H2.

Minimal fix

-### End-to-End Reference Guide and Architecture
+## End-to-End Reference Guide and Architecture

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/guides/k3s-reference-architecture.md` at line 4, The heading "End-to-End
Reference Guide and Architecture" currently uses an H3 (###) immediately after
the document H1; change its level to H2 (##) so the heading progression is H1 ->
H2; update the line with "### End-to-End Reference Guide and Architecture" to
"## End-to-End Reference Guide and Architecture".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Line 377: Rename the duplicate markdown heading "### Prerequisites" at the
location shown to a method-specific title to avoid lint warnings and improve
navigation; locate the second occurrence of the exact heading string "###
Prerequisites" and change it to something descriptive for that section (for
example "### Prerequisites — k3s cluster setup" or "### Prerequisites for
setting up nodes") so it is unique and context-specific.

---

Duplicate comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Line 4: The heading "End-to-End Reference Guide and Architecture" currently
uses an H3 (###) immediately after the document H1; change its level to H2 (##)
so the heading progression is H1 -> H2; update the line with "### End-to-End
Reference Guide and Architecture" to "## End-to-End Reference Guide and
Architecture".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0ad4129e-ea0c-40db-9e5b-0b8008ed86c4

📥 Commits

Reviewing files that changed from the base of the PR and between d95b6be and b34d517.

📒 Files selected for processing (1)

• docs/guides/k3s-reference-architecture.md

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

docs/guides/k3s-reference-architecture.md (3)

4-4: ⚠️ Potential issue | 🟡 Minor

Heading level jump still violates MD001.

Line 4 uses ### directly after an H1; it should be H2 for valid heading progression.

Minimal fix

-### End-to-End Reference Guide and Architecture
+## End-to-End Reference Guide and Architecture

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/guides/k3s-reference-architecture.md` at line 4, The heading "End-to-End
Reference Guide and Architecture" currently uses H3 (###) after an H1 which
violates MD001; change that heading to H2 (##) so it follows the top-level H1
and restores valid heading progression.

---

377-377: ⚠️ Potential issue | 🟡 Minor

Duplicate section title hurts navigation/linting.

Line 377 repeats ### Prerequisites; make this method-specific to avoid duplicate-heading warnings.

Minimal fix

-### Prerequisites
+### Method 2 Prerequisites

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/guides/k3s-reference-architecture.md` at line 377, The duplicate heading
"### Prerequisites" should be made method-specific to avoid duplicate-heading
lint warnings: locate the second occurrence of the heading text "###
Prerequisites" in the K3s reference architecture section and rename it to
something unique and descriptive (for example "### Prerequisites — K3s reference
architecture" or "### Prerequisites (installation steps)") so the heading text
is no longer identical to the earlier "### Prerequisites".

---

204-205: ⚠️ Potential issue | 🟠 Major

Avoid exposing credentials in command arguments.

These snippets use docker login -p ... and curl -u "user:pass" patterns, which leak secrets via process args/history. Please switch to safer examples (--password-stdin for Docker and --netrc-file or token-based auth for curl).

Safer example pattern

- docker login -u admin -p <HARBOR_PASSWORD> <CENTRAL_HARBOR_IP>:80
+ printf '%s\n' '<HARBOR_PASSWORD>' | docker login -u admin --password-stdin <CENTRAL_HARBOR_IP>:80

- DIGEST=$(curl -sk -u "admin:<HARBOR_PASSWORD>" "http://<CENTRAL_HARBOR_IP>/api/v2.0/projects/library/repositories/nginx/artifacts?q=tags%3Dalpine&page_size=1" | grep -m1 '"digest":' | cut -d'"' -f4)
+ cat > /tmp/harbor.netrc <<EOF
+ machine <CENTRAL_HARBOR_IP>
+ login admin
+ password <HARBOR_PASSWORD>
+ EOF
+ chmod 600 /tmp/harbor.netrc
+ DIGEST=$(curl -sk --netrc-file /tmp/harbor.netrc "http://<CENTRAL_HARBOR_IP>/api/v2.0/projects/library/repositories/nginx/artifacts?q=tags%3Dalpine&page_size=1" | grep -m1 '"digest":' | cut -d'"' -f4)
+ rm -f /tmp/harbor.netrc

Also applies to: 291-295, 423-427

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/guides/k3s-reference-architecture.md` around lines 204 - 205, Replace
any uses of plaintext credentials in command arguments such as "docker login -u
admin -p <HARBOR_PASSWORD>" and "curl -u \"user:pass\"" with secure patterns:
for Docker change to piping the password into --password-stdin (e.g., echo
"<HARBOR_PASSWORD>" | docker login -u admin --password-stdin
<CENTRAL_HARBOR_IP>:80) and for curl replace -u with --netrc-file or token-based
auth (or use --header "Authorization: Bearer <TOKEN>" with a securely stored
token), and update the corresponding push example "docker push
<CENTRAL_HARBOR_IP>:80/library/nginx:alpine" to reference the safer login flow;
apply the same replacements for the other occurrences noted (the curl and docker
login snippets).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Line 113: Remove the extra blank line immediately preceding the subsection
heading in docs/guides/k3s-reference-architecture.md so there is only a single
blank line (or none) before the heading; edit the file to delete the redundant
empty line that appears directly before the subsection heading to satisfy the
Markdown spacing lint rule.

---

Duplicate comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Line 4: The heading "End-to-End Reference Guide and Architecture" currently
uses H3 (###) after an H1 which violates MD001; change that heading to H2 (##)
so it follows the top-level H1 and restores valid heading progression.
- Line 377: The duplicate heading "### Prerequisites" should be made
method-specific to avoid duplicate-heading lint warnings: locate the second
occurrence of the heading text "### Prerequisites" in the K3s reference
architecture section and rename it to something unique and descriptive (for
example "### Prerequisites — K3s reference architecture" or "### Prerequisites
(installation steps)") so the heading text is no longer identical to the earlier
"### Prerequisites".
- Around line 204-205: Replace any uses of plaintext credentials in command
arguments such as "docker login -u admin -p <HARBOR_PASSWORD>" and "curl -u
\"user:pass\"" with secure patterns: for Docker change to piping the password
into --password-stdin (e.g., echo "<HARBOR_PASSWORD>" | docker login -u admin
--password-stdin <CENTRAL_HARBOR_IP>:80) and for curl replace -u with
--netrc-file or token-based auth (or use --header "Authorization: Bearer
<TOKEN>" with a securely stored token), and update the corresponding push
example "docker push <CENTRAL_HARBOR_IP>:80/library/nginx:alpine" to reference
the safer login flow; apply the same replacements for the other occurrences
noted (the curl and docker login snippets).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e5876502-3ffc-4297-94a4-263bbf1c59e1

📥 Commits

Reviewing files that changed from the base of the PR and between b34d517 and 083423d.

📒 Files selected for processing (1)

• docs/guides/k3s-reference-architecture.md

[maishivamhoo123]

Hi @Aloui-Ikram , I’ve opened PR #357 related to this PR. I discussed it with @bupd and made the changes accordingly. Could you please review it.

[bupd]

looks like DCO and the ci is failing - Please fix the ci

And also resolve the ai bots conversations / comments.

[codacy-production]

Not up to standards ⛔

🔴 Issues 44 minor

Alerts:
⚠ 44 issues (≤ 0 issues of at least minor severity)

Results:
44 new issues

Category	Results
BestPractice	3 minor
CodeStyle	41 minor

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Around line 112-113: The ordered list directly follows the heading "### 3.1
Zero-Touch Registration (ZTR) Provisioning Flow" without a separating blank
line, which can fail Markdown lint rules; insert a single blank line between
that heading and the start of the ordered list (before "1. **Token
Generation:**...") so the list is properly separated from the heading.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: dbb94423-0409-4e35-a92f-29cbbae08784

📥 Commits

Reviewing files that changed from the base of the PR and between 083423d and 9d062f8.

⛔ Files ignored due to path filters (2)

• docs/images/architecture-overview.png is excluded by !**/*.png
• docs/images/spiffe-security-model.png is excluded by !**/*.png

📒 Files selected for processing (1)

• docs/guides/k3s-reference-architecture.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/guides/k3s-reference-architecture.md`:
- Around line 446-451: The docs currently run "sudo k3s crictl rmi --prune"
immediately before verifying Direct Delivery, which can delete imported
artifacts and cause the subsequent "sudo k3s crictl images | grep
'<CENTRAL_HARBOR_IP>:80/library/nginx'" check to fail; update the section to
remove the prune step (or move it before triggering sync) and instead run only
the images/grep verification, or add a clear note that pruning may remove
imported images if retained — reference the commands "sudo k3s crictl rmi
--prune" and "sudo k3s crictl images | grep ..." when making the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9eb0541f-64ec-4af8-857d-93d7c801f06d

📥 Commits

Reviewing files that changed from the base of the PR and between 9d062f8 and a48a629.

📒 Files selected for processing (1)

• docs/guides/k3s-reference-architecture.md