goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Allow a user to create and submit their own CLI secret #7932

Closed michmike closed 4 years ago

michmike commented 5 years ago

In an OIDC scenario, allow a user to create and submit their own CLI secret. This is useful if you have multiple Harbor instances and you want to share the same users across multiple Harbor instances. The Harbor instances may be geographically distributed and behind a load balancer. If a failover occurs, the user can re-authenticate with Harbor using the exact same credentials.

Requirements

  1. Allow the user to provide their own CLI secret, conformant to security guidelines for password strength.
  2. Allow the Harbor administrator to enforce a CLI secret rotation schedule, forcing users to update their passwords (whether the passwords are auto-generated or user-supplied).

JPMC has scenarios around load balancing and I think this may solve their issues.
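The two requirements above (a strength policy for a user-supplied CLI secret and an admin-enforced rotation schedule) as an added illustration in Go; this is example code, not Harbor's own implementation, and the `SecretPolicy` type, its thresholds and the 90-day default are assumptions:

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// SecretPolicy is an assumed, illustrative policy type; Harbor's real rules may differ.
type SecretPolicy struct {
	MinLength      int           // minimum length in characters
	RequireClasses int           // how many of upper/lower/digit/symbol must appear
	MaxAge         time.Duration // rotation period; 0 disables rotation enforcement
}

// ValidateSecret checks a user-supplied CLI secret against the policy
// and returns a descriptive error when it does not conform.
func ValidateSecret(p SecretPolicy, secret string) error {
	if len([]rune(secret)) < p.MinLength {
		return fmt.Errorf("secret shorter than %d characters", p.MinLength)
	}
	var upper, lower, digit, symbol bool
	for _, r := range secret {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, symbol} {
		if present {
			classes++
		}
	}
	if classes < p.RequireClasses {
		return fmt.Errorf("secret uses %d character classes, policy requires %d", classes, p.RequireClasses)
	}
	return nil
}

// RotationDue reports whether a secret set at setAt must be rotated at time now.
func RotationDue(p SecretPolicy, setAt, now time.Time) bool {
	if p.MaxAge == 0 {
		return false
	}
	return !now.Before(setAt.Add(p.MaxAge))
}
```

In a registry the rotation check would run at `docker login` time and reject the secret with a prompt to set a new one, rather than silently accepting it.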

jsharpe commented 5 years ago

Why limit CLI secrets to OIDC contexts? Passwords from LDAP are sensitive, and as such a breach of a password from `docker login` credentials would require the user to change their LDAP password, which may be valid for a wider range of services. Allowing CLI secrets for LDAP contexts as well would restrict the scope of the credentials being used to LDAP and thus be more secure in preventing lateral movement.

michmike commented 5 years ago

cc @xaleeks for feature review

reasonerjt commented 5 years ago

@xaleeks

It seems the comment https://github.com/goharbor/harbor/issues/7932#issuecomment-505011118 justifies another issue?

I'm assuming this issue only tracks CLI secret for OIDC

stuclem commented 4 years ago

Created https://github.com/goharbor/harbor/issues/9577 to track the doc update, so removing doc-impact from this one.

reasonerjt commented 4 years ago

Closing as this is delivered in the master branch.