feat(BA-145): Implement CRUD API for managing Harbor per-project Quota

changes/3090.feature.md

@@ -0,0 +1 @@
+Implement CRUD API for managing Harbor per-project Quota.

docs/manager/graphql-reference/schema.graphql

@@ -719,6 +719,9 @@
   """Added in 24.03.7."""
   container_registry: JSONString
   scaling_groups: [String]
+
+  """Added in 25.2.0."""
+  registry_quota: BigInt
   user_nodes(filter: String, order: String, offset: Int, before: String, after: String, first: Int, last: Int): UserConnection
 }
 
@@ -1980,6 +1983,15 @@
   """Added in 25.1.0."""
   delete_endpoint_auto_scaling_rule_node(id: String!): DeleteEndpointAutoScalingRuleNode
 
+  """Added in 25.2.0."""
+  create_container_registry_quota(quota: BigInt!, scope_id: ScopeField!): CreateContainerRegistryQuota
+
+  """Added in 25.2.0."""
+  update_container_registry_quota(quota: BigInt!, scope_id: ScopeField!): UpdateContainerRegistryQuota
+
+  """Added in 25.2.0."""
+  delete_container_registry_quota(scope_id: ScopeField!): DeleteContainerRegistryQuota
+
   """Deprecated since 24.09.0. use `CreateContainerRegistryNode` instead"""
   create_container_registry(hostname: String!, props: CreateContainerRegistryInput!): CreateContainerRegistry
 
@@ -2864,6 +2876,24 @@
   msg: String
 }
 
+"""Added in 25.2.0."""
+type CreateContainerRegistryQuota {
+  ok: Boolean
+  msg: String
+}
+
+"""Added in 25.2.0."""
+type UpdateContainerRegistryQuota {
+  ok: Boolean
+  msg: String
+}
+
+"""Added in 25.2.0."""
+type DeleteContainerRegistryQuota {
+  ok: Boolean
+  msg: String
+}
+
 """Deprecated since 24.09.0. use `CreateContainerRegistryNode` instead"""
 type CreateContainerRegistry {
   container_registry: ContainerRegistry

docs/manager/rest-reference/openapi.json

@@ -8491,6 +8491,142 @@
         "description": "\n**Preconditions:**\n* Admin privilege required.\n* Manager status required: one of FROZEN, RUNNING\n"
       }
     },
+    "/group/registry-quota": {
+      "post": {
+        "operationId": "group.create_registry_quota",
+        "tags": [
+          "group"
+        ],
+        "responses": {
+          "200": {
+            "description": "Successful response"
+          }
+        },
+        "security": [
+          {
+            "TokenAuth": []
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "group_id": {
+                    "type": "string"
+                  },
+                  "quota": {
+                    "type": "integer"
+                  }
+                },
+                "required": [
+                  "group_id",
+                  "quota"
+                ]
+              },
+              "examples": {}
+            }
+          }
+        },
+        "parameters": [],
+        "description": "\n**Preconditions:**\n* Superadmin privilege required.\n* Manager status required: one of FROZEN, RUNNING\n"
+      },
+      "get": {
+        "operationId": "group.read_registry_quota",
+        "tags": [
+          "group"
+        ],
+        "responses": {
+          "200": {
+            "description": "Successful response"
+          }
+        },
+        "security": [
+          {
+            "TokenAuth": []
+          }
+        ],
+        "parameters": [
+          {
+            "name": "group_id",
+            "schema": {
+              "type": "string"
+            },
+            "required": true,
+            "in": "query"
+          }
+        ],
+        "description": "\n**Preconditions:**\n* Superadmin privilege required.\n* Manager status required: one of FROZEN, RUNNING\n"
+      },
+      "patch": {
+        "operationId": "group.update_registry_quota",
+        "tags": [
+          "group"
+        ],
+        "responses": {
+          "200": {
+            "description": "Successful response"
+          }
+        },
+        "security": [
+          {
+            "TokenAuth": []
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "group_id": {
+                    "type": "string"
+                  },
+                  "quota": {
+                    "type": "integer"
+                  }
+                },
+                "required": [
+                  "group_id",
+                  "quota"
+                ]
+              },
+              "examples": {}
+            }
+          }
+        },
+        "parameters": [],
+        "description": "\n**Preconditions:**\n* Superadmin privilege required.\n* Manager status required: one of FROZEN, RUNNING\n"
+      },
+      "delete": {
+        "operationId": "group.delete_registry_quota",
+        "tags": [
+          "group"
+        ],
+        "responses": {
+          "200": {
+            "description": "Successful response"
+          }
+        },
+        "security": [
+          {
+            "TokenAuth": []
+          }
+        ],
+        "parameters": [
+          {
+            "name": "group_id",
+            "schema": {
+              "type": "string"
+            },
+            "required": true,
+            "in": "query"
+          }
+        ],
+        "description": "\n**Preconditions:**\n* Superadmin privilege required.\n* Manager status required: one of FROZEN, RUNNING\n"
+      }
+    },
     "/group-config/dotfiles": {
       "post": {
         "operationId": "group-config.create",

src/ai/backend/client/func/group.py

@@ -1,7 +1,9 @@
+import textwrap
 from typing import Any, Iterable, Optional, Sequence
 
 from ai.backend.client.output.fields import group_fields
 from ai.backend.client.output.types import FieldSpec
+from ai.backend.common.utils import b64encode
 
 from ...cli.types import Undefined, undefined
 from ..session import api_session
@@ -293,3 +295,101 @@ async def remove_users(
         }
         data = await api_session.get().Admin._query(query, variables)
         return data["modify_group"]
+
+    @api_function
+    @classmethod
+    async def get_container_registry_quota(cls, group_id: str) -> int:
+        """
+        Get Quota Limit for the group's container registry.
+        Currently only HarborV2 registry is supported.
+
+        You need an admin privilege for this operation.
+        """
+        query = textwrap.dedent(
+            """\
+            query($id: String!) {
+                group_node(id: $id) {
+                    registry_quota
+                }
+            }
+        """
+        )
+
+        variables = {"id": b64encode(f"group_node:{group_id}")}
+        data = await api_session.get().Admin._query(query, variables)
+        return data["group_node"]["registry_quota"]
+
+    @api_function
+    @classmethod
+    async def create_container_registry_quota(cls, group_id: str, quota: int) -> dict:
+        """
+        Create Quota Limit for the group's container registry.
+        Currently only HarborV2 registry is supported.
+
+        You need an admin privilege for this operation.
+        """
+        query = textwrap.dedent(
+            """\
+            mutation($scope_id: ScopeField!, $quota: Int!) {
+                create_container_registry_quota(
+                        scope_id: $scope_id, quota: $quota) {
+                    ok msg
+                }
+            }
+        """
+        )
+
+        scope_id = f"project:{group_id}"
+        variables = {"scope_id": scope_id, "quota": quota}
+        data = await api_session.get().Admin._query(query, variables)
+        return data["create_container_registry_quota"]
+
+    @api_function
+    @classmethod
+    async def update_container_registry_quota(cls, group_id: str, quota: int) -> dict:
+        """
+        Update Quota Limit for the group's container registry.
+        Currently only HarborV2 registry is supported.
+
+        You need an admin privilege for this operation.
+        """
+        query = textwrap.dedent(
+            """\
+            mutation($scope_id: ScopeField!, $quota: Int!) {
+                update_container_registry_quota(
+                        scope_id: $scope_id, quota: $quota) {
+                    ok msg
+                }
+            }
+        """
+        )
+
+        scope_id = f"project:{group_id}"
+        variables = {"scope_id": scope_id, "quota": quota}
+        data = await api_session.get().Admin._query(query, variables)
+        return data["update_container_registry_quota"]
+
+    @api_function
+    @classmethod
+    async def delete_container_registry_quota(cls, group_id: str) -> dict:
+        """
+        Delete Quota Limit for the group's container registry.
+        Currently only HarborV2 registry is supported.
+
+        You need an admin privilege for this operation.
+        """
+        query = textwrap.dedent(
+            """\
+            mutation($scope_id: ScopeField!) {
+                delete_container_registry_quota(
+                        scope_id: $scope_id) {
+                    ok msg
+                }
+            }
+        """
+        )
+
+        scope_id = f"project:{group_id}"
+        variables = {"scope_id": scope_id}
+        data = await api_session.get().Admin._query(query, variables)
+        return data["delete_container_registry_quota"]

src/ai/backend/common/utils.py

@@ -425,3 +425,12 @@ def join_non_empty(*args: Optional[str], sep: str) -> str:
     """
     filtered_args = [arg for arg in args if arg]
     return sep.join(filtered_args)
+
+
+def b64encode(s: str) -> str:
+    """
+    base64 encoding method of graphql_relay.
+    Use it in components where the graphql_relay package is unavailable.
+    """
+    b: bytes = s.encode("utf-8") if isinstance(s, str) else s
+    return base64.b64encode(b).decode("ascii")

src/ai/backend/manager/api/admin.py

@@ -85,6 +85,7 @@ async def _handle_gql_common(request: web.Request, params: Any) -> ExecutionResu
         manager_status=manager_status,
         known_slot_types=known_slot_types,
         background_task_manager=root_ctx.background_task_manager,
+        services_ctx=root_ctx.services_ctx,
         storage_manager=root_ctx.storage_manager,
         registry=root_ctx.registry,
         idle_checker_host=root_ctx.idle_checker_host,

src/ai/backend/manager/api/container_registry.py

@@ -39,7 +39,7 @@ async def patch_container_registry(
     request: web.Request, params: PatchContainerRegistryRequestModel
 ) -> PatchContainerRegistryResponseModel:
     registry_id = uuid.UUID(request.match_info["registry_id"])
-    log.info("PATCH_CONTAINER_REGISTRY (cr:{})", registry_id)
+    log.info("PATCH_CONTAINER_REGISTRY (registry:{})", registry_id)
     root_ctx: RootContext = request.app["_root.context"]
     registry_row_updates = params.model_dump(exclude={"allowed_groups"}, exclude_none=True)
 

src/ai/backend/manager/api/context.py

@@ -6,6 +6,7 @@
 
 from ai.backend.common.metrics.metric import CommonMetricRegistry
 from ai.backend.manager.plugin.network import NetworkPluginContext
+from ai.backend.manager.service.base import ServicesContext
 
 if TYPE_CHECKING:
     from ai.backend.common.bgtask import BackgroundTaskManager
@@ -50,6 +51,7 @@ class RootContext(BaseContext):
     storage_manager: StorageSessionManager
     hook_plugin_ctx: HookPluginContext
     network_plugin_ctx: NetworkPluginContext
+    services_ctx: ServicesContext
 
     registry: AgentRegistry
     agent_cache: AgentRPCCache