Harbor: [VIC] Downloading the harbor certs from UI is unavailable for Developers and Project Admins

Created on 25 Aug 2017  ·  11 Comments  ·  Source: goharbor/harbor

Currently the Certificate download link is available only for Cloud Admins, because they are the only ones seeing the Administration > Configuration section, see:

[Screenshot: cloudadmin]

But according to https://github.com/vmware/admiral/issues/159#issuecomment-323383691 the same link should be available to Developers and Project Admins, which means that most probably the link needs to be added somehow to the following component:

[Screenshot: developer]

cc @steven-zou @reasonerjt @karthik-narayan @martin-borisov @andrewtchin @angel-ivanov @shadjiiski @lweitzman

Labels: UX, area/ui, enhancement, priority/low

All 11 comments

Thanks @sergiosagu, but "sys-admin can download CA cert" is the design for previous releases.
And I believe there's some discussion ongoing between Steven and Louie from UX perspective.

Yes, I'm discussing the link placement with @lweitzman.

@karthik-narayan downloading the CA has been restricted to the sys admin since v1.0; I don't think we have a plan to change it for 1.2.
So this is not a bug; if needed we can work on it in the future.

I think that a separate button on the project repositories page seems reasonable.
But I think it should be a separate action button just to the left of the “Push Image” action.

@reasonerjt Can you walk me through the workflow where a developer needs to push an image into a Harbor instance deployed as a part of vSphere Integrated Containers? Assume that they are using self-signed certs and it becomes apparent that the developer needs access to the certs.

Now that we do have a place to download the certs, I'm okay with deferring it. That said, I expect a number of people to hit this issue.

@karthik-narayan
We discussed it in VIC 1.0: the sys admin will distribute the CA to different users.
I don't have a preference with regard to who will have permission to download it. My concern is solely for effort and time.
Making it a stretch goal for 1.2. If the effort is minimal we'll make the update.

After discussion with Matt, to meet the GA date, defer this issue.

Having just documented this, it looks really silly that we tell DevOps and Developers that they must ask the Cloud admin for the Registry CA cert. This should be made available to all roles from Developer upwards.

There should be a public URL on the server that can be used to download this CA so these can be fetched via automation. These CA certs are public keys that are completely safe to distribute and are used to authoritatively identify the server. There's no reason for CA public keys to be restricted or behind any portal or authentication; you actively want parties using your server to be able to validate they are using the right server.
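
Added example, not part of the thread or of Harbor's code: when automation fetches the registry CA from an unauthenticated URL, the downloaded file has to be checked against a fingerprint obtained out of band before it becomes a trust anchor. The host name, function names and sample bytes (constructed, not a real certificate) are assumptions; `/etc/docker/certs.d/<host>/ca.crt` is where Docker looks for a per-registry CA.

```python
import hashlib
import ssl
import tempfile
from pathlib import Path

# Constructed sample: PEM armor around placeholder bytes, not a real X.509 cert.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder for a registry CA")


def ca_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)  # raises ValueError if the armor is missing
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'SHA256 Fingerprint=AA:BB:..' or bare hex, return lowercase hex."""
    return fp.split("=")[-1].replace(":", "").strip().lower()


def install_registry_ca(pem_text, pinned_fp, registry_host,
                        certs_root="/etc/docker/certs.d"):
    """Write ca.crt for registry_host only if it matches the pinned fingerprint."""
    actual = ca_fingerprint(pem_text)
    if actual != normalize(pinned_fp):
        # A CA cert is public, but a swapped one lets an interceptor pose as
        # the registry, so a mismatch must stop the install.
        raise ValueError(f"CA fingerprint mismatch for {registry_host}: got {actual}")
    target = Path(certs_root) / registry_host / "ca.crt"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(pem_text)
    return target


if __name__ == "__main__":
    # In real use the pin comes from the admin over a separate trusted channel.
    pin = ca_fingerprint(SAMPLE_PEM)
    with tempfile.TemporaryDirectory() as root:
        print(install_registry_ca(SAMPLE_PEM, pin, "harbor.example.test", root))
        try:
            install_registry_ca(SAMPLE_PEM, "00" * 32, "harbor.example.test", root)
        except ValueError as err:
            print("rejected:", err)
```
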

Updated mockup to show link to download registry root certificate on project repositories page
https://vmware.invisionapp.com/share/ZVF75AZAW#/271907735_Projects_-_Repositories_-_List_V1-4


Please refer to: system-setting-component.html
