
Ability to sync robot accounts between replicated Harbor instances

Open tmojlupo opened this issue 5 years ago • 8 comments

We are using replication between two Harbor instances to provide geo-availability between data centers. We have a wide IP that points to both instances, but cannot use robot accounts because we do not have a mechanism to sync robot account tokens between instances. Wide IP prevents end user from knowing which site they are authenticating against so they will not be able to tell which token to use. Having the same token in both sites would be optimal.

tmojlupo avatar Jan 15 '20 19:01 tmojlupo

I have the same scenario. Also, replication of other project options could be good, like labels, tag retention, tag immutability, etc.

If the robot account replication is not possible, maybe something to allow us to customize the token during robot creation, so that we can use the same token for our other Harbor servers.

vzanlnx avatar Jan 23 '20 20:01 vzanlnx

We are facing a similar issue. This request and @vzanlnx's comments are most likely what we are looking for.

fivezerosix avatar Mar 26 '20 00:03 fivezerosix

I know exactly what you are talking about, but the current proprietary token service in Harbor does not allow for that: a robot at its highest degree of freedom will be scoped to the instance. For this requirement, we need to expose the token auth service somehow. The project name will probably have to be the same as well, maybe? @reasonerjt @wy65701436 please correct me if I'm wrong.

@vzanlnx @fivezerosix your requirements are already tracked as part of the following: https://github.com/goharbor/harbor/issues/8709 https://github.com/goharbor/harbor/issues/8207

xaleeks avatar May 05 '20 07:05 xaleeks

a robot at its highest degree of freedom will be scoped to the instance. For this requirement, we need to expose the token auth service somehow. The project name will probably have to be the same as well maybe?

As far as I looked into how robot accounts work, the token auth service won't be the greatest problem - separate instances can be used as long as the JWK keys match (at least in theory). The main problem is robot account token mapping to projects, as robot tokens (v2.1.1) contain a project ID which could differ between Harbor instances.

kautkata avatar Dec 12 '20 15:12 kautkata
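The two failure modes described in the comment above (a second instance holding a different signing key, and a token whose embedded project ID does not match the project on the second instance) can be made concrete with a small model. The following is an added example written for this thread, not Harbor's code: Harbor signs robot tokens with an RSA key (RS256), whereas this model uses HS256 with a shared secret so that it runs on the Python standard library alone; the claim names `id`, `pid` and `access`, the `/project/<id>/repository` resource strings, and the `HarborInstance` class are assumptions made for illustration.

```python
"""Toy model of project-scoped robot account tokens in a replicated setup.

Constructed example, not Harbor's implementation. Harbor signs robot tokens
with RS256; HS256 with a shared secret is used here so the block runs offline
on the standard library. Claim layout (`id`, `pid`, `access`) and the
resource strings are assumptions modelled on Harbor's robot claims.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_robot_token(key: bytes, token_id: int, project_id: int, access: list, iat=None) -> str:
    """Issue a JWT the way the issuing instance would; `pid` is the numeric project ID."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "id": token_id,
        "pid": project_id,
        "access": access,
        "iat": iat if iat is not None else int(time.time()),
        "iss": "harbor-token-issuer",  # assumed issuer name
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_robot_token(key: bytes, token: str):
    """Return the claims if the signature verifies under `key`, otherwise None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(claims_b64))


class HarborInstance:
    """Stand-in for one site: its signing key plus a project-name -> project-ID table."""

    def __init__(self, name: str, key: bytes, projects: dict):
        self.name = name
        self.key = key
        self.projects = projects

    def authorize_pull(self, token: str, project_name: str):
        """Return (allowed, reason) for a pull against `project_name` on this site."""
        claims = verify_robot_token(self.key, token)
        if claims is None:
            return False, "signature invalid: this site does not hold the issuing key"
        local_pid = self.projects.get(project_name)
        if local_pid is None or local_pid != claims["pid"]:
            # Same project name, but replication gave it a different numeric ID here.
            return False, f"token pid {claims['pid']} does not match {project_name!r} (local id {local_pid})"
        if not any(p["resource"].endswith("/repository") and p["action"] == "pull" for p in claims["access"]):
            return False, "token lacks repository pull permission"
        return True, "ok"


def demo():
    """Constructed scenario: dc1 issues a token; dc2 is tried in three configurations."""
    key_a = b"dc1-signing-key"
    dc1 = HarborInstance("dc1", key_a, {"library": 1, "payments": 2})
    token = sign_robot_token(
        key_a, token_id=42, project_id=dc1.projects["payments"],
        access=[{"resource": "/project/2/repository", "action": "pull"}], iat=1_700_000_000,
    )
    sites = {
        "same_site": dc1,
        "other_key": HarborInstance("dc2", b"dc2-signing-key", {"library": 1, "payments": 2}),
        "same_key_different_pid": HarborInstance("dc2", key_a, {"library": 8, "payments": 7}),
        "same_key_same_pid": HarborInstance("dc2", key_a, {"library": 1, "payments": 2}),
    }
    return {name: site.authorize_pull(token, "payments")[0] for name, site in sites.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running it shows that sharing the key only solves half the problem: the `other_key` site rejects the signature, and the `same_key_different_pid` site verifies the signature but still denies the pull because replication assigned `payments` a different numeric ID than the one baked into the token. Only when both the key and the project ID table agree does the token work on both sites, which is the constraint the comment above points out.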

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 07 '22 09:07 github-actions[bot]

This would be fantastic for all the reasons mentioned above. Or at least an admin being able to create and set a robot key manually. Right now our DR plan is going to be to update the key in our deployments with one from our secondary instance, but that's less than ideal since it's something manual that would have to be done in an already stressful situation.

ecooke-macu avatar Jul 21 '23 19:07 ecooke-macu

It would be great to have this ability.

kingnarmer avatar Mar 21 '24 18:03 kingnarmer

I agree with the above - would be good to have a way to sync robot accounts so that these don't have to be separately managed for our deployments.

clp01 avatar Apr 16 '24 12:04 clp01