k8s-agent-skills 1.2.0

package/skills/harbor-terraform/SKILL.md

@@ -0,0 +1,233 @@
+---
+name: harbor-terraform
+description: Use when managing Harbor infrastructure as code with Terraform — projects, robot accounts, registries, replication rules, retention policies, webhooks, users, groups, system config, and the goharbor/terraform-provider-harbor.
+---
+
+# Harbor Terraform Provider
+
+Provider: `goharbor/harbor`. Latest: **v3.12.0** (Jun 4, 2026). Registry: `v3.11.6` (Apr 22, 2026). Source: `github.com/goharbor/terraform-provider-harbor`.
+
+Tested against: Harbor 2.13–2.15, Terraform 1.12–1.14.
+
+## Provider Config
+
+```hcl
+terraform {
+  required_providers {
+    harbor = {
+      source  = "goharbor/harbor"
+      version = "~> 3.11"
+    }
+  }
+}
+
+provider "harbor" {
+  url       = "https://harbor.example.com"
+  username  = "admin"
+  password  = var.harbor_password
+  insecure  = false    # Verify TLS (default: true — must explicitly set false)
+}
+```
+
+### Auth Methods
+| Method | Fields | Env Var |
+|--------|--------|---------|
+| Basic | `username` + `password` | `HARBOR_USERNAME`, `HARBOR_PASSWORD` |
+| Bearer Token | `bearer_token` | — |
+| OIDC Session | `session_id` | `HARBOR_SESSION_ID` |
+
+`api_version` (default: 2) — use 1 for Harbor pre-2.0. `robot_prefix` — auto-detected via admin API unless explicitly set.
+
+## Resources (20)
+
+### Projects
+
+```hcl
+resource "harbor_project" "myapp" {
+  name                   = "myapp"
+  public                 = false
+  vulnerability_scanning = true
+  vulnerability_scanner  = "Trivy"             # v3.11.6+: per-project scanner override
+  enable_content_trust   = true                # Notary
+  enable_content_trust_cosign = false          # Cosign signatures
+  auto_sbom_generation   = true                # Harbor 2.11+ SBOM on push
+  storage_quota          = 100                 # GB
+  deployment_security    = "high"              # Block images >= this severity
+  cve_allowlist          = ["CVE-1234"]
+  force_destroy          = false               # Allow destroy even with repos
+}
+
+# Proxy cache project
+resource "harbor_registry" "dockerhub" {
+  provider_name = "docker-hub"
+  name          = "dockerhub-proxy"
+  endpoint_url  = "https://hub.docker.com"
+}
+
+resource "harbor_project" "proxy" {
+  name                           = "docker-proxy"
+  registry_id                    = harbor_registry.dockerhub.registry_id
+  proxy_speed_kb                 = -1
+  proxy_cache_local_on_not_found = true   # Harbor 2.15.1+
+}
+```
+
+### Robot Accounts
+
+```hcl
+# System-level
+resource "harbor_robot_account" "system" {
+  name        = "ci-system"
+  description = "System-level CI robot"
+  level       = "system"
+  secret      = random_password.robot.result
+  permissions {
+    kind      = "project"
+    namespace = "*"    # All projects
+    access {
+      resource = "repository"
+      action   = "pull"
+    }
+  }
+}
+
+# Project-level
+resource "harbor_robot_account" "deploy" {
+  name        = "ci-deploy"
+  description = "Deploy robot for myapp"
+  level       = "project"
+  permissions {
+    kind      = "project"
+    namespace = harbor_project.myapp.name
+    access {
+      resource = "repository"
+      action   = "pull"
+    }
+    access {
+      resource = "repository"
+      action   = "push"
+    }
+  }
+}
+```
+
+### Replication
+
+```hcl
+resource "harbor_replication" "backup" {
+  name        = "replicate-to-dr"
+  description = "Replicate myapp to DR site"
+  registry_id = harbor_registry.dr.registry_id
+  destination = "harbor"
+  filters {
+    name_filter = "myapp/**"
+    resource    = "image"
+  }
+  trigger {
+    type          = "event_based"
+    override      = true
+    target_events = ["imageUpload", "imageDelete"]
+  }
+  enabled = true
+}
+```
+
+### Retention Policies
+
+```hcl
+resource "harbor_retention_policy" "main" {
+  scope = harbor_project.myapp.id
+  rule {
+    tag_selectors {
+      kind       = "doublestar"
+      decoration = "matches"
+      pattern    = "**"
+      extras     = jsonencode({untagged: true})
+    }
+    scope_selectors {
+      kind       = "project"
+      decoration = "repoMatches"
+      pattern    = "**"
+    }
+    action    = "retain"
+    template  = "always"
+    params    = jsonencode({num_latest_per_artifact: 10})
+  }
+}
+```
+
+### System Configuration
+
+```hcl
+resource "harbor_config_system" "cfg" {
+  project_creation_restriction = "adminonly"
+  robot_token_expiration       = 30
+  robot_name_prefix            = "harbor@"
+  storage_per_project          = 100
+  notification_enable          = true
+  banner_notification          = "Production Harbor - no test data"
+}
+
+resource "harbor_config_auth" "auth" {
+  auth_mode          = "oidc_auth"
+  oidc_name          = "dex"
+  oidc_endpoint      = "https://dex.example.com"
+  oidc_client_id     = "harbor"
+  oidc_client_secret = var.oidc_secret
+  oidc_scope         = "openid,profile,email,groups"
+  oidc_verify_cert   = true
+}
+
+resource "harbor_config_security" "sec" {
+  cve_allowlist = ["CVE-2024-1234", "CVE-2025-5678"]
+  expires_at    = "1893456000"
+}
+```
+
+### Other Resources
+
+| Resource | Purpose |
+|----------|---------|
+| `harbor_garbage_collection` | GC schedule, workers, untagged deletion |
+| `harbor_group` | User groups (LDAP/internal/OIDC) |
+| `harbor_immutable_tag_rule` | Immutable tag rules per repo/project |
+| `harbor_interrogation_services` | Default scanner config (Trivy/Clair) |
+| `harbor_label` | Labels (global or project-scoped) |
+| `harbor_preheat_instance` | P2P preheat instances |
+| `harbor_project_member_group` | Group membership with role |
+| `harbor_project_member_user` | User membership with role |
+| `harbor_project_webhook` | Webhook policies |
+| `harbor_purge_audit_log` | Audit log purge schedule |
+| `harbor_tasks` | Scan policy schedule |
+| `harbor_user` | Internal users |
+
+## Data Sources (8)
+
+| Data Source | Purpose |
+|-------------|---------|
+| `harbor_groups` | Look up groups by name/LDAP DN |
+| `harbor_project` | Look up single project |
+| `harbor_projects` | Look up multiple projects |
+| `harbor_project_member_groups` | List member groups |
+| `harbor_project_member_users` | List member users |
+| `harbor_registry` | Look up registry by name |
+| `harbor_robot_accounts` | List/filter robot accounts |
+| `harbor_users` | Look up users |
+
+## Importing Existing Resources
+
+```hcl
+terraform import harbor_project.main /projects/1
+terraform import harbor_robot_account.system /robots/123
+terraform import harbor_label.main /labels/1
+terraform import harbor_user.main /users/42
+```
+
+## Common Mistakes
+
+- **Robot secret not stored in state** — `secret` is sensitive. Use `random_password` resource and `secret = resource.random_password.robot.result`.
+- **`force_destroy` required for non-empty projects** — Set to `true` to delete projects that still contain repos.
+- **OIDC session_id is experimental** — Will be deprecated when Harbor provides a better auth method. Prefer `bearer_token` or basic auth.
+- **Robot prefix auto-detection** — Requires admin API access. Without it, set `robot_prefix` explicitly in provider config.
+- **`registry_id` vs `id`** — The `harbor_registry` resources expose `.registry_id` (int), not `.id`. Use `.registry_id` when referencing in projects.
+- **v3.12.0 not on registry yet** — Latest on Terraform Registry is v3.11.6. Use `source = "goharbor/harbor"` + version constraint if depending on v3.12.0 features (per-project scanner, proxy cache local-on-not-found).

package/skills/higress/SKILL.md

@@ -0,0 +1,27 @@
+# Higress — Skill Router
+
+Pick the right sub-skill.
+
+## Which Sub-Skill?
+
+| User wants to... | Load skill |
+|---|---|
+| Manage CRDs (WasmPlugin, Http2Rpc, McpBridge), configure Wasm plugins, AI Gateway, service discovery | `higress-operator` |
+| Deploy, configure, upgrade Higress via Helm | `higress-helm` |
+
+## Quick Map
+
+| Task | Skill |
+|---|---|
+| "Deploy a WasmPlugin for AI proxy" | `higress-operator` |
+| "Configure Http2Rpc for Dubbo service" | `higress-operator` |
+| "Set up Nacos service discovery with McpBridge" | `higress-operator` |
+| "Deploy Higress on Kubernetes with Helm" | `higress-helm` |
+| "Configure AI Gateway with OpenAI provider" | `higress-operator` |
+| "Set up Gateway API support" | `higress-helm` |
+| "Enable Redis for AI caching" | `higress-helm` |
+| "Configure OIDC/OAuth via Wasm plugin" | `higress-operator` |
+| "Set up Prometheus monitoring" | `higress-helm` |
+| "Create a rate-limiting WasmPlugin" | `higress-operator` |
+| "Connect to ZooKeeper registry" | `higress-operator` |
+| "Enable Wasm plugin server" | `higress-helm` |

package/skills/higress-helm/SKILL.md

@@ -0,0 +1,328 @@
+# Higress — Helm Chart
+
+**Repo:** `https://higress.io/helm-charts`  
+**Charts:** `higress`, `higress-core`, `higress-console`  
+**Latest:** 2.2.2  
+**Images:** `higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/` (hub)
+
+## Quick Install
+
+```bash
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+
+helm install higress higress.io/higress \
+  -n higress-system --create-namespace
+```
+
+### Minimal Gateway-Only
+
+```bash
+helm install higress higress.io/higress -n higress-system \
+  --create-namespace \
+  --set global.o11y.enabled=false \
+  --set controller.replicas=1 \
+  --set gateway.replicas=2
+```
+
+## Charts Overview
+
+### `higress` (umbrella)
+
+Deploys everything: `higress-core` + `higress-console` + optional o11y stack.
+
+| Sub-component | Chart | Enabled by default |
+|--------------|-------|-------------------|
+| Gateway + Controller + Pilot | `higress-core` | ✅ |
+| Web UI Console | `higress-console` | ✅ |
+| Redis (AI caching, rate limiting) | included | ❌ (`global.enableRedis`) |
+| Grafana + Prometheus + Loki | included | ❌ (`global.o11y.enabled`) |
+| Plugin Server | included | ❌ (`global.enablePluginServer`) |
+
+### `higress-core`
+
+Core engine only: controller, gateway, pilot, optional Redis.
+
+### `higress-console`
+
+Web UI dashboard only (requires `higress-core` for backend).
+
+## Global Configuration
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `global.hub` | `higress-registry.cn-hangzhou.cr.aliyuncs.com` | Image registry |
+| `global.imagePullPolicy` | `""` | Image pull policy |
+| `global.imagePullSecrets` | `[]` | Image pull secrets |
+| `global.ingressClass` | `higress` | IngressClass to watch |
+| `global.watchNamespace` | `""` | Restrict to single namespace |
+| `global.enableH3` | `false` | Enable HTTP/3 (QUIC) |
+| `global.enableIPv6` | `false` | Enable IPv6 |
+| `global.enableProxyProtocol` | `false` | Proxy protocol |
+| `global.enableRedis` | `false` | Deploy Redis for AI caching |
+| `global.enablePluginServer` | `false` | Deploy Wasm plugin server |
+| `global.enableIstioAPI` | `true` | Watch Istio CRDs |
+| `global.enableGatewayAPI` | `true` | Watch Gateway API CRDs |
+| `global.enableInferenceExtension` | `false` | Gateway API Inference Extension |
+| `global.enableStatus` | `true` | Update Ingress status field |
+| `global.local` | `false` | Local/kind cluster mode |
+| `global.o11y.enabled` | `false` | Deploy observability stack |
+| `global.logging.level` | `default:info` | Log level |
+| `global.defaultResources` | `{cpu: 10m}` | Default resource requests |
+| `global.priorityClassName` | `""` | Priority class |
+| `global.multiCluster.enabled` | `true` | Multi-cluster support |
+| `global.multiCluster.clusterName` | `""` | Cluster name |
+
+## Gateway
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `gateway.name` | `higress-gateway` | Gateway deployment name |
+| `gateway.replicas` | `2` | Pod count |
+| `gateway.kind` | `Deployment` | `Deployment` or `DaemonSet` |
+| `gateway.image` | `gateway` | Image name (hub/gateway) |
+| `gateway.tag` | `""` (chart appVersion) | Image tag |
+| `gateway.httpPort` | `80` | HTTP port |
+| `gateway.httpsPort` | `443` | HTTPS port |
+| `gateway.hostNetwork` | `false` | Host networking |
+| `gateway.service.type` | `LoadBalancer` | Service type (`None` disables) |
+| `gateway.service.loadBalancerIP` | `""` | Static LB IP |
+| `gateway.service.loadBalancerClass` | `""` | LB class |
+| `gateway.service.loadBalancerSourceRanges` | `[]` | LB source ranges |
+| `gateway.service.externalTrafficPolicy` | `""` | External traffic policy |
+| `gateway.autoscaling.enabled` | `false` | HPA |
+| `gateway.autoscaling.minReplicas` | `1` | HPA min |
+| `gateway.autoscaling.maxReplicas` | `5` | HPA max |
+| `gateway.resources` | `{cpu: 2, mem: 2Gi}` | Container resources |
+| `gateway.metrics.enabled` | `false` | PodMonitor/VMPodScrape |
+| `gateway.metrics.provider` | `monitoring.coreos.com` | CRD provider |
+| `gateway.metrics.podMonitorSelector` | `{release: kube-prome}` | PodMonitor selector |
+| `gateway.rollingMaxSurge` | `100%` | Rolling update max surge |
+| `gateway.rollingMaxUnavailable` | `25%` | Rolling update max unavailable |
+| `gateway.nodeSelector` | `{}` | Node selector |
+| `gateway.tolerations` | `[]` | Tolerations |
+| `gateway.affinity` | `{}` | Affinity |
+| `gateway.topologySpreadConstraints` | `[]` | Topology spread |
+| `gateway.automaticHttps.enabled` | `true` | Let's Encrypt auto HTTPS |
+| `gateway.automaticHttps.email` | `""` | Let's Encrypt email |
+
+## Controller
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `controller.name` | `higress-controller` | Controller deployment name |
+| `controller.replicas` | `1` | Pod count |
+| `controller.image` | `higress` | Image name (hub/higress) |
+| `controller.tag` | `""` | Image tag |
+| `controller.service.type` | `ClusterIP` | Service type |
+| `controller.resources` | `{cpu: 500m/1, mem: 2Gi}` | Resource requests/limits |
+| `controller.autoscaling.enabled` | `false` | HPA |
+| `controller.autoscaling.minReplicas` | `1` | HPA min |
+| `controller.autoscaling.maxReplicas` | `5` | HPA max |
+| `controller.automaticHttps.enabled` | `true` | Auto HTTPS |
+| `controller.automaticHttps.email` | `""` | Let's Encrypt email |
+| `controller.nodeSelector` | `{}` | Node selector |
+| `controller.tolerations` | `[]` | Tolerations |
+| `controller.affinity` | `{}` | Affinity |
+
+## Pilot (Istiod)
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `pilot.image` | `pilot` | Image name (hub/pilot) |
+| `pilot.tag` | `""` | Image tag |
+| `pilot.traceSampling` | `1.0` | Trace sampling rate |
+| `pilot.resources` | `{cpu: 500m, mem: 2Gi}` | Resources |
+| `pilot.env.PILOT_ENABLE_METADATA_EXCHANGE` | `false` | Disable metadata exchange |
+| `pilot.keepaliveMaxServerConnectionAge` | `30m` | xDS max connection age |
+
+## Redis (Optional)
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `redis.redis.name` | `redis-stack-server` | Redis deployment |
+| `redis.redis.image` | `redis-stack-server` | Image name |
+| `redis.redis.tag` | `7.4.0-v3` | Image tag |
+| `redis.redis.replicas` | `1` | Replicas |
+| `redis.redis.password` | `""` | Password (empty = none) |
+| `redis.redis.service.port` | `6379` | Service port |
+| `redis.redis.persistence.enabled` | `false` | Enable PVC |
+| `redis.redis.persistence.size` | `1Gi` | PVC size |
+
+## Plugin Server (Optional)
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `pluginServer.name` | `higress-plugin-server` | Plugin server name |
+| `pluginServer.replicas` | `2` | Pod count |
+| `pluginServer.image` | `plugin-server` | Image name |
+| `pluginServer.tag` | `""` | Image tag |
+| `pluginServer.service.port` | `80` | Service port |
+| `pluginServer.resources` | `{cpu: 200m/500m, mem: 128Mi/256Mi}` | Resources |
+
+## Console (UI)
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `image.repository` | `higress/console` | Console image |
+| `image.tag` | `""` | Image tag |
+| `replicaCount` | `1` | Replicas |
+| `service.port` | `8080` | Service port |
+| `ingress.enabled` | `false` | Expose via Ingress |
+| `ingress.domain` | `console.higress.io` | Console domain |
+| `ingress.tlsSecretName` | `""` | TLS secret |
+| `admin.username` | `admin` | Admin user |
+| `admin.password` | `""` | Admin password |
+| `chat.enabled` | `false` | AI chat in console |
+| `chat.endpoint` | `""` | Chat API endpoint |
+
+## O11y (Observability)
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `global.o11y.enabled` | `false` | Enable all o11y |
+| `global.o11y.grafana.replicas` | `1` | Grafana replicas |
+| `global.o11y.grafana.storage` | `1Gi` | Grafana PVC |
+| `global.o11y.prometheus.replicas` | `1` | Prometheus replicas |
+| `global.o11y.prometheus.storage` | `1Gi` | Prometheus PVC |
+| `global.o11y.loki.replicas` | `1` | Loki replicas |
+| `global.o11y.loki.storage` | `1Gi` | Loki PVC |
+
+## Production Values Example
+
+```yaml
+global:
+  ingressClass: higress
+  enableGatewayAPI: true
+  enableIstioAPI: true
+  enableRedis: true
+  enablePluginServer: true
+  o11y:
+    enabled: true
+  priorityClassName: system-cluster-critical
+
+gateway:
+  replicas: 3
+  kind: Deployment
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+  resources:
+    requests:
+      cpu: 2
+      memory: 2Gi
+    limits:
+      cpu: 4
+      memory: 4Gi
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 80
+  metrics:
+    enabled: true
+    provider: monitoring.coreos.com
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchExpressions:
+              - key: app
+                operator: In
+                values:
+                  - higress-gateway
+          topologyKey: kubernetes.io/hostname
+
+controller:
+  replicas: 2
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 2
+      memory: 4Gi
+  autoscaling:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 5
+
+redis:
+  redis:
+    persistence:
+      enabled: true
+      size: 10Gi
+      storageClass: ssd
+```
+
+## IngressClass Configuration
+
+```yaml
+global:
+  ingressClass: higress  # default
+
+  # Special: watch nginx Ingress resources (migration mode)
+  # ingressClass: nginx
+  # - watches both "nginx" class AND no-class Ingress resources
+  # - enables smooth migration from ingress-nginx
+
+  # Special: watch all Ingress resources
+  # ingressClass: ""
+```
+
+## Gateway API Integration
+
+```bash
+helm install higress higress.io/higress -n higress-system \
+  --set global.enableGatewayAPI=true
+```
+
+Requires Gateway API CRDs installed:
+```bash
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+```
+
+## AI Gateway + Redis
+
+```bash
+helm install higress higress.io/higress -n higress-system \
+  --set global.enableRedis=true \
+  --set global.enablePluginServer=true
+```
+
+## Upgrading
+
+```bash
+helm repo update
+helm upgrade higress higress.io/higress -n higress-system \
+  --values values.yaml \
+  --version 2.2.2
+```
+
+## Uninstalling
+
+```bash
+helm uninstall higress -n higress-system
+kubectl delete namespace higress-system
+```
+
+**Note:** CRDs persist after uninstall. Remove manually:
+```bash
+kubectl delete crd wasmplugins.extensions.higress.io
+kubectl delete crd http2rpcs.networking.higress.io
+kubectl delete crd mcpbridges.networking.higress.io
+```
+
+## Common Mistakes
+
+- **Hub region** — Default hub is in China (`cn-hangzhou`). Use `us-west-1.cr.aliyuncs.com` for NA, `ap-southeast-7.cr.aliyuncs.com` for SEA. Set `global.hub` before install.
+- **Gateway API CRDs missing** — Setting `global.enableGatewayAPI=true` without installing Gateway API CRDs causes controller errors.
+- **IngressClass == nginx** — Setting `ingressClass: nginx` makes Higress watch nginx-class Ingresses. Remove or change to `higress` after migration.
+- **Redis for AI features** — AI caching, token rate limiting, and quota require `global.enableRedis=true`. Without Redis, these plugins fail.
+- **Plugin Server for OCI plugins** — If using `url: oci://...` in WasmPlugin, ensure `global.enablePluginServer=true` or have direct OCI registry access.
+- **Standalone console ingress** — `higress-console` needs `ingress.enabled=true` and a domain for external access. Default is ClusterIP only.
+- **Gateway metrics** — `gateway.metrics.enabled=true` creates PodMonitor. Requires prometheus-operator or VictoriaMetrics operator CRDs.
+- **Controller readiness** — Controller uses `/ready` on port 8888. Ensure network policies allow this.
+- **HostNetwork gateway** — `gateway.hostNetwork=true` binds host ports 80/443. Requires host port availability and potential security implications.
+- **autoscaling/v2 API** — `global.autoscalingv2API` (default: true) uses `autoscaling/v2`. If your cluster is older, set to false.
+- **alpn h2** — `global.disableAlpnH2: false` (default) enables HTTP/2 ALPN. Set true if clients don't support HTTP/2.