Open slietz opened 7 years ago
What kind of configuration or passwords/credentials are you looking to have rotated? Could you be more specific? @slietz
Some stacks require passwords, ssh keys, pem files, and other secrets that are good to rotate. It looks like the practice within Harbor is hard coding these items and we're wondering if they could instead be pulled from Vault or some other Secret Store.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
One particular use case this feature would be most helpful with is robot account tokens. Having these managed and rolled via Hashicorp Vault would be a great feature.
I came here with thoughts along the same lines as @donovanmuller.
Jenkins jobs have access to credentials. In order for Jenkinsfiles to be able to push to Harbor, they need credentials for robot accounts. This means that a malicious commit to a Jenkinsfile could steal these robot credentials and use them for malicious purposes indefinitely, because the robot account changes infrequently.
If Vault could create one-time use robot accounts, then Jenkins can:
There are multiple strategies for rotating passwords, one time passwords etc.
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
Hi @slietz @pmorch @donovanmuller,
I just created a Vault plugin for Harbor robot account dynamic generation, I hope it will be helpful to you! :D https://github.com/manhtukhang/vault-plugin-harbor
Is it possible to integrate with secrets management services/tools such as Vault in order to 1) provide for continuous deployment patterns that require frequent configuration rotations and 2) protect passwords/credentials?