Added docs for config and encryption here from website (#487)

* Added docs for config and encryption here from website

Signed-off-by: Patrick Eschenbach <[email protected]>

* Added more clear info to encryption docs about ci/cd and production environments

Signed-off-by: Patrick Eschenbach <[email protected]>

* This index for the harborcli docs also has to live here

Signed-off-by: Patrick Eschenbach <[email protected]>

---------

Signed-off-by: Patrick Eschenbach <[email protected]>

Author: qcserestipy

doc/_index.md

@@ -0,0 +1,20 @@
+---
+title: Harbor CLI Documentation
+---
+
+Welcome to the Harbor CLI documentation. This provides detailed documentation for the Harbor CLI.
+
+## Harbor CLI Documentation
+
+This section describes the comprehensive set of commands provided by the Harbor CLI, which enables you to efficiently manage and interact with your Harbor registry.
+
+- `harbor` - Configure the Harbor CLI and set global flags to customize your experience.
+- `harbor artifact` - Manage artifacts in Harbor Repository
+- `harbor project` - Manage projects and assign resources to them
+- `harbor registry` - Manage registries in Harbor
+- `harbor repo` - Manage repositories in Harbor context
+- `harbor user` - Administer users in Harbor, including creating, updating, and managing user accounts
+
+## Access the Documentation Source Files
+
+The source files for this documentation set are located in the [Harbor CLI repository on Github](https://github.com/goharbor/harbor-cli/tree/main/doc/cli-docs).

doc/cli-config/_index.md

@@ -0,0 +1,110 @@
+---
+title: Harbor CLI Config Management
+weight: 25
+---
+
+# Harbor CLI Configuration Management
+
+> **Note**  
+> The Harbor CLI follows the [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html) for configuration and data storage by default.
+
+## Introduction
+Harbor CLI is a flexible command-line tool that lets you manage various Harbor environments with different credentials. Whether you need a production-ready setup or quick testing configurations, the CLI's hierarchical structure and XDG support help keep things organized.
+
+
+## Understanding the Configuration Structure
+The Harbor CLI can manage multiple credentials and keep track of which credential is currently active. This setup allows you to maintain separate contexts for different Harbor instances or user accounts without having to rewrite configuration files manually. While the Harbor CLI configuration file manages your credentials, passwords themselves are never stored in plain text. Instead, they are secured using the AES-GCM encryption described in the [Harbor CLI Encryption documentation](../cli-config).
+
+### Example Configuration File
+Below is a simplified example of a typical Harbor CLI configuration file:
+```yaml
+current-credential-name: example@demo-harbor
+credentials:
+  - name: example@demo-harbor
+    username: example-user
+    password: example-password
+    serveraddress: https://demo.goharbor.io
+```
+
+In this configuration:
+- **current-credential-name** references the active credential by name.  
+- **credentials** holds one or more sets of user credentials, each following the same structure.
+
+## Managing Multiple Credentials
+If you need to work with multiple sets of credentials—such as development, staging, or production — Harbor CLI makes it easy to create and switch between them.
+
+> **Note**: For more login command details please refer to the [login command reference](../cli-docs/harbor-login.md).
+### Creating a New Credentials Entry
+Use the `harbor login` command with the required arguments to store new credentials:
+```bash
+harbor login --name my-new-credential \
+  --username myuser \
+  --password mypass \
+  https://my-harbor-instance.com
+```
+This adds a new entry to your credentials list, allowing you to manage different Harbor accounts from the same CLI.
+
+### Switching Between Credentials
+To switch to another credential set, run:
+```bash
+harbor login --name <name-of-credential>
+```
+The CLI will then set the specified credential as the active one, eliminating the need to manually edit your configuration files. This will overwrite the `current-credential-name`.
+
+
+## Configuration Hierarchy (Highest to Lowest Priority)
+
+1. **Explicit Config Flag**  
+   Provide a custom config file at runtime using `--config`:
+   ```bash
+   harbor --config /path/to/custom/config.yaml artifact list
+   ```
+
+2. **Environment Variable**  
+   Set a persistent configuration through the `HARBOR_CLI_CONFIG` environment variable:
+   ```bash
+   export HARBOR_CLI_CONFIG="$HOME/.custom/harbor-config.yaml"
+   harbor artifact list  # Uses the environment-specified config
+   ```
+
+3. **XDG Default Paths**  
+   Automatically discover configuration in the following order:
+   ```bash
+   ${XDG_CONFIG_HOME}/harbor-cli/config.yaml  # If XDG_CONFIG_HOME is set
+   ~/.config/harbor-cli/config.yaml           # Fallback default
+   ```
+
+## Data Storage Management
+### Data File Location
+
+- **Primary Path**: `$XDG_DATA_HOME/harbor-cli/data.yaml`
+- **Fallback Path**: `$HOME/.local/share/harbor-cli/data.yaml`
+
+> **Important**  
+> The data file automatically tracks the last-used configuration file path
+
+## Configuration Precedence Summary
+| Priority | Method                     | Example                               |
+|----------|----------------------------|---------------------------------------|
+| 1        | --config flag             | harbor --config ./test.yaml ...       |
+| 2        | HARBOR_CLI_CONFIG env var | export HARBOR_CLI_CONFIG=...          |
+| 3        | XDG Default Locations     | ~/.config/harbor-cli/config.yaml      |
+
+## Practical Usage Examples
+### Scenario 1: Temporary Config Override
+```bash
+harbor --config ./experimental.yaml project create "new-project"
+```
+
+### Scenario 2: Persistent Environment-based Config
+```bash
+echo 'export HARBOR_CLI_CONFIG="$HOME/work/configs/prod-harbor.yaml"' >> ~/.zshrc
+source ~/.zshrc
+harbor config list  # Uses production config
+```
+
+### Scenario 3: Reset to Default Configuration
+```bash
+unset HARBOR_CLI_CONFIG
+harbor config delete --current  # Deletes current context
+```

doc/cli-encryption/_index.md

@@ -0,0 +1,73 @@
+---
+title: Harbor CLI Encryption
+weight: 25
+---
+
+# Harbor CLI Encryption Guide
+
+This document provides an overview of how Harbor CLI encrypts sensitive data and offers recommendations for different runtime environments. While the Harbor CLI configuration file manages your credentials, passwords themselves are never stored in plain text. Instead, they are secured using the AES-GCM encryption described below. For details on how to configure and manage these credentials, please refer to the [Harbor CLI Config Management documentation](../cli-config).
+
+## Overview of Encryption
+Harbor CLI secures credentials using AES-GCM encryption. An encryption key is automatically generated and stored in one of several keyring backends, depending on your environment:
+
+1. **Environment-based Keyring**  
+2. **System Keyring**  
+3. **File-based Keyring (Fallback)**
+
+### How It Works
+1. **Key Retrieval**  
+    The CLI checks if an encryption key already exists.  
+    If not present, Harbor CLI generates a new 32-byte key.
+2. **Encrypt**  
+    Harbor CLI uses AES-GCM to encrypt credentials with a random nonce.  
+    The CLI stores ciphertext as a Base64-encoded string.
+3. **Decrypt**  
+    Harbor CLI decodes and decrypts the stored ciphertext whenever credentials are needed.
+
+## Recommended Backends
+### Desktop Environments
+**Use the system keyring** if available. This is the most secure method, as most desktop operating systems keep secrets confidentially within their native keyring service.
+
+### Docker, Kubernetes or CI/CD Environments
+**Use the environment-based keyring** in production. System keyrings typically aren’t available in containerized environments. Supplying encryption keys as environment variables or secrets is straightforward. In the following subsections we summarize a few examples how to inject the encryption key as environment variables and how to store the secret securely for production environments.
+
+#### Example: Running Harbor CLI in Docker
+Use a randomly generated key as an environment variable. This can be generated by tool such as `openssl`:
+```bash
+docker run -it --rm \
+  -e HARBOR_ENCRYPTION_KEY="$(openssl rand -base64 32)" \
+  registry.goharbor.io/harbor-cli/harbor-cli \
+  login https://demo.goharbor.io -u username -p password
+```
+
+#### Example: Running Harbor CLI in Kubernetes
+Use a randomly generated key / strong password and store in a kubernetes secret. Pass the secret content as an environment variable to the deployment pod:
+```yaml
+# secrets.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: harbor-cli-secrets
+type: Opaque
+data:
+  HARBOR_ENCRYPTION_KEY: "<base64-encoded-key>"
+
+# deployment.yaml
+spec:
+  containers:
+  - name: harbor-cli
+    image: registry.goharbor.io/harbor-cli/harbor-cli
+    envFrom:
+    - secretRef:
+        name: harbor-cli-secrets
+```
+
+#### Example: CI/CD Pipeline
+In case you want to use the Harbor CLI in a CI/CD workflow make sure to store your encryption key in a repository secret or similar secret vaults that are provided by your CI/CD provider. In case of GitHub or GitLab the encryption key could be stored in repository secrets and retrieved in either the github actions workflow or GitLab CI pipeline. See the following links for more info on using secrets in [GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions) and [GitLab CI](https://docs.gitlab.com/ci/variables/). 
+
+#### Example: Third-Party Secret Vault
+Another recommended method to store production encryption secrets are external secret vaults such as AWS Secrets Manager, GCP Secrets Manager, Azure Key Vault or HashiCorp Vault.
+
+### File-based Keyring (Fallback)
+
+In environments where neither a system keyring nor environment-based keyring is available, Harbor CLI can store the encryption key in a file. By default, this file-based keyring is located at `~/.harbor/keyring`. The stored key is protected by file permissions set to allow only the owner to read or write the file. However, **this approach is less secure** and is **not recommended for production**.