goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

OpenID Connect based tokenless authentication for clients #17520

Open captn3m0 opened 2 years ago

captn3m0 commented 2 years ago

Is your feature request related to a problem? Please describe.
Harbor does not support short-lived identity driven tokens. I'm always frustrated when I have to create long-lived robot accounts and tokens to authenticate to Harbor to enable publishing workflows on GitHub.

Describe the solution you'd like
Harbor should support OpenID Connect based publishing workflows, specifically supporting GitHub Actions, so that GitHub Actions can (without the need of a secret) request Harbor for a short-lived access token by providing an identity attestation.

Describe the main design/architecture of your solution
This screenshot is from the GitHub OIDC Docs:

Legend:

  1. Harbor Server
  2. GitHub Actions Runner executing a CI workflow that needs access to Harbor

Steps:

  1. On the Harbor side, we create an OIDC trust between a harbor robot account and your GitHub workflow(s) that need access to the cloud. This would typically be as simple as a repo name + workflow + branch combination that needs access to the robot account.
  2. Every time your job runs, GitHub's OIDC Provider auto-generates an OIDC token. This token contains multiple claims to establish a security-hardened and verifiable identity about the specific workflow that is trying to authenticate.
  3. You could include a step or action in your job to request this token from GitHub's OIDC provider, and present it to Harbor. This API (on the Harbor side) takes the attestation, validates it against the policy (repo/workflow/branch combination required) linked to the Robot Account.
  4. Once Harbor successfully validates the claims presented in the token, it then provides a short-lived cloud access token that is available only for the duration of the job. This token is linked to the robot account, so it has the same access levels.

Describe the development plan you've considered
I don't have a development plan.

Additional context
GitHub OIDC based authentication is already supported by Azure, AWS, Hashicorp Vault, and GCP. As a result, in the OCI registry ecosystem, AWS ECR Registry, and Azure/GCP Container Registries already support this feature. If the container image is published to the same repo in GitHub Packages, the existing short-lived GitHub Token already supports this as well.

This is already on the Docker Hub Registry Roadmap

Other similar package providers are already working on similar usecases, such as:
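
Steps 3 and 4 on the Harbor side, as an added example (not Harbor's code and not an implementation proposed in the issue): a trust policy bound to a robot account is matched against the verified claims of a GitHub job token, and only then is a short-lived token minted, with its lifetime capped at the job token's own expiry. Assumed here: the type and function names, the `robot$ci-publisher` and `octo-org/octo-repo` values, and that the JWT signature has already been verified against GitHub's JWKS before the claims reach this code.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)
const githubIssuer = "https://token.actions.githubusercontent.com" // "iss" claim of GitHub job tokens

// TrustPolicy (hypothetical name) binds a Harbor robot account to one repo/workflow/ref.
type TrustPolicy struct {
	Robot       string // e.g. "robot$ci-publisher" (constructed)
	Repository  string // "repository" claim, e.g. "octo-org/octo-repo"
	WorkflowRef string // "job_workflow_ref" claim: "<org>/<repo>/.github/workflows/<file>@<ref>"
	Ref         string // "ref" claim, e.g. "refs/heads/main"
}

// GitHubClaims: job-token subset used here; signature assumed verified against GitHub's JWKS beforehand.
type GitHubClaims struct {
	Issuer, Audience, Repository, WorkflowRef, Ref string
	ExpiresAt                                      time.Time // "exp"
}

type ShortLivedToken struct { // what Harbor hands back for the duration of the job
	Robot, Secret string
	ExpiresAt     time.Time
}

// Exchange rejects a bad issuer, audience or expiry, requires a policy match, then
// mints a token whose lifetime is capped at the job token's own expiry.
func Exchange(c GitHubClaims, aud string, policies []TrustPolicy, now time.Time, ttl time.Duration) (*ShortLivedToken, error) {
	if c.Issuer != githubIssuer || c.Audience != aud || !now.Before(c.ExpiresAt) {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	for _, p := range policies {
		if p.Repository == c.Repository && p.WorkflowRef == c.WorkflowRef && p.Ref == c.Ref {
			exp := now.Add(ttl)
			if exp.After(c.ExpiresAt) {
				exp = c.ExpiresAt
			}
			secret := make([]byte, 16)
			if _, err := rand.Read(secret); err != nil {
				return nil, err
			}
			return &ShortLivedToken{Robot: p.Robot, Secret: hex.EncodeToString(secret), ExpiresAt: exp}, nil
		}
	}
	return nil, errors.New("no trust policy matches repository/workflow/ref")
}
```

Matching repository, job_workflow_ref and ref exactly means a run of the same workflow file from another branch or repository gets nothing, which is the point of tying the policy to the robot account.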

woodruffw commented 2 years ago

Very cool! Hopefully our design and implementation on PyPI can serve as a reference here.