New Feature Request: Integration Options for Secrets Management

[slietz]

Is it possible to integrate with secrets management services/tools such as Vault in order to 1) provide for continuous deployment patterns that require frequent configuration rotations and 2) protect passwords/credentials?

[hainingzhang]

What kind of configuration or passwords/Credentails that you are looking to be rotated? Could you be more specifiic? @slietz

[slietz]

Some stacks require passwords, ssh keys, pem files, and other secrets that are good to rotate. It looks like the practice within Harbor is hard coding these items and we're wondering if they could instead be pulled from Vault or some other Secret Store.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[donovanmuller]

One particular use case this feature would be most helpful with is robot account tokens. Having these managed and rolled via Hashicorp Vault would be a great feature.

[pmorch]

I came here with thoughts along the same lines as @donovanmuller.

Jenkins jobs have access to credentials. In order for Jenkinsfiles to be able to push to Harbor, they need credentials for robot accounts. This means that a malicious commit to a Jenkinsfile could steal these robot credentials use them for malicious purposes indefinitely, because the robot account changes infrequently.

If Vault could create one-time use robot accounts, then Jenkins can:

• Ask vault for a one-time Vault password to provide as a credential for each Jenkins job using the HashiCorp Vault | Jenkins plugin
• The Jenkinsfile uses the one-time vault password to create a one-time use robot account via a new vault Harbor secrets engine (here is the one for MySQL to illustrate what it is)
  • (or, less ideal, the robot credentials expire after, say, 10 seconds)
• The Jenkinsfile uses the robot credentials to push a docker image as intended
• The Vault password and robot accounts are now useless since they have been used
  • (or, less ideal, the window to use the robot credentials malicious purposes is very narrow)

There are multiple strategies for rotating passwords, one time passwords etc.

[github-actions[bot]]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[manhtukhang]

Hi @slietz @pmorch @donovanmuller,

I just created a Vault plugin for Harbor robot account dynamic generation, I hope it will be helpful to you! :D https://github.com/manhtukhang/vault-plugin-harbor