Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
Instead of providing certs to core to act as a token generator, it would be great to be able to point the registry at some other JWT token generator. For example, many people use Vault, which has a JWT login auth method which I believe would satisfy the registry's needs. This would also alleviate the need to either have a very long-lived cert or deal with renewing it manually every 90 days, which requires either a rolling update or delete of the pod.
@cten I'm not familiar with Vault. Are you referring to its ability to act as some kind of CA that can generate short-lived certs? I'm not sure what value there is for the kind of internal certs that the Harbor components use. Or are you running into issues with the current certs Harbor uses and need to interact with external certs for your applications somewhere? Please follow up with @reasonerjt or @ninjadq on this. Btw, how is Vault deployed? Does it itself need to be deployed in HA mode and with HTTPS configured? I ask because a full enterprise-grade Harbor HA is being developed right now, so I just want to make sure we capture any additional pieces.
@cten The JWT also has claims about the user's permission. How does Vault have such information?
BTW, currently in 2.0 we simplified the auth flow in the registry so it will no longer need a token to do docker push/pull.
Hi, @reasonerjt
Is there any issue or doc about the feature here? I am not sure why we do not need a token, since Docker always requires a token to auth.