Project Harbor Community, 16 Dec 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Harbor Community Meeting - Dec 16, 2020

Description

CNCF Harbor's Community Zoom Meeting

A

So, um hey everyone welcome to the harper community meeting. So today one of our maintainers will present the system level. Robot accounts, let's all hand it over to volume or should you.

A

So well yeah, do you want to take it over.

B

I should shoot you will do to the demo.

C

Okay, hello, uh this is suji. Can you help me.

A

Yes, I can hear you.

C

um And I will share my screen.

C

And today I will share a full time of robot account with you, and my demo has two parts for part. One part one and I will show you show you how I show all the crud operations on hardware ui for robot account and for part two, and I will show you a small user case to tell you how to use a robot account to create a tag for artifact and, let's start with part one, and for this part you need to log in with a system or the main account, and then click click.

C

This button and- and you will see this page and as you can see in this page, um it will list all the system robot account and in my hardware it has two two robot accounts and uh these are- and there are some important uh property of the robot account um and I will introduce uh the two uh uh most important uh property for you and uh before that, uh let's pay some attention to two important items: uh the robot name prefix and the rope the token expiration.

C

um Of course, we can change this value to whatever you.

C

Want and click save to save the change and let's go back to the list page and for the first important property name. Property is a consists of two parts, as you can see, the the name prefix and the second part, the robot name.

C

This part is stored in database. So when you want to search your robot account.

C

You should not input the prefix but adjust the ropes name.

C

And see you you'll find this robot too.

C

And the second important property is projects it tells you which projects are covered by this rover account and for robes 2. It covers all the projects with 5 permission.

C

All projects means all the existing projects and the future projects, and in my harbor I I have 10 projects now, if I created, if I create a new project, and this project will also be covered by this project and for a rope three, it has three projects and each projects have different permissions, and then I will show you how to create a new robot account.

C

There are some fields you need to import and the first one is name. You should input a fanny, the robot name.

C

And this name should not be used and for the second uh property expiration time and by default it has a value which we set on, confer configuration page now, of course, you can change it to whatever you want or you want.

C

um If you want, if you want to set setup, set it to be never experienced, expired, usually in food matters. What and for description property you can input whatever.

C

Whatever you want.

C

Or you can just leave it alone and then you can click this checkbox to cover all the projects and then you can change the you can select the permissions you want. Currently we have 10 permissions and all the permissions are selected by default.

C

You can kick out some permissions if you want and then you can click add button to save this robot account party viewer. If you don't want to cover all project, you can select, select the project you want and you can also set the select the properties the permissions you want.

C

Go on and then you can click edit button, and here are some here are two buttons for bench for bench operation, for example. If you have a lot of projects uh projects in your harbor, so it's not convenient for you to connect one by one. So you can click select all to to check all the pro checks, and this is a and this is different from cover or when you click select, or it only covers existing projects.

C

And here is a filter and it is a fuzzy filter.

C

If you want to cover uh projects about test, you can test to fill to to find out to final projects or the product projects about test, and then you can. Click save.

A

Call okay, so so um cover all.

D

A

All existing and all future.

C

A

C

A

All subsequent projects created.

D

uh One question about the filter: if I you know input the keyword like you use the test. If there are more than you know, uh if the number of the matched projects is it's larger than your page size, so the selector will also select all the matched projects. Yes,.

C

Not the job, the cart page, yes in this this grid and it will load all the projects. As you can see, all nine projects are loaded here. So you, when you filter test.

C

You you can you can you can see, there's there are six test projects and when you click select, all and all the sixth project will be selected, and then you can click add to save this pro to to save this global account and when, when created successfully and the backend will return the cigarette of this robot account and- and here in this page, you can click this button to copy copy the cigarette or you can download download this cigarette to your computer.

C

A

There's still no way to um to retrieve it afterwards right. That's that's the only point where you can get the secret.

C

Yes, yes, if you forget this cigarette and don't worry and under the action drop draw button and we have four other functions and the first one is refresh cigarette and just choose and select one robot account and then click this button. You will see this page and then you can directly click this button. It will generate a new cigarette randomly, as you can see, a new cigarette here. Okay and uh if you want, if you want to set a if you want a specific new cigarette, all right, you can enable.

A

C

Item and input whatever you want, for example, I I input the hardware one two, three, four five.

E

Okay, so this means that um it's not the jwt tokens anymore.

B

Yeah, it's just a coi secret. You can see.

E

Sorry, I just I didn't follow it at the beginning.

C

And then click refresh button to save to save it.

A

um We might want to change that it might, I should say, confirm, right or save or something else, besides refresh refresh it's kind of confusing, but anyway.

C

Yeah, maybe we I can make some change for this, and the second function is edit.

C

You can change change whatever you want, except for the name.

C

Properly extend the expiration time or add a new project to this robot account.

C

And also you can disable, you can disable the robot account and then enable.

C

Nice for for deleting function, you can select more than one project.

C

And that's that's all for for system level, project on hardware ui, and then I will show you uh how to create the new pro. A new robot account new system, new project robot account.

C

And this page is mostly the same to the same with the system robo account, but there is, there are some different points and the and, as you can see- and there is a next neighbor on this robot account- it means uh this robot account was created in private previous harbour version, and this robot count is is still useful.

A

C

Those are group.

A

Accounts before this version right so when they upgrade from the existing version, yeah.

C

Their current robot.

A

Accounts become legacy.

C

And for this, and for this kind of robot account, you can refresh cigarette and you can edit, you can just disable disable it or label it.

A

Right so this is still using a jwt in the background right.

C

Yeah and uh this and this and these four uh robot accounts are normal, a normal projector, a robot account and uh for its name property it has. It has three parts and the the prefix and then and the project name and the a plus mark and the robot company and uh there's no project properly, because this pro and this robot account are only cover library project. So there's no need to add a project properly here and.

C

When you add a new we'll want to create a new robot account and there's no project to to.

C

huh uh This product is, is the same with uh system robo account, so I will leave a load. You call this part. Okay. I think this all the crud operations for road account and let's go to part 2 and for part 2. I will show you. I will show you a use case. I will use this robot. This robot account to create a tag for artifact and, as you can see uh in in my project library, it has artifacts named hello hollywood and now it has just the two texts test and latest and.

C

And in in harbor api center, you can find the api with this one, and this is the which can create a tag. So I will use you. I will use this robot to call to call this api to create a new tag for for this. For this artifact.

A

So that's one of the 10 permissions that we were talking.

C

A

Right writing creating tags.

C

Yes, yes, as you can see this robot, this robot account has two permissions and it contains contains create attack, okay and it.

A

Should also be sorry, there should also be a a skin retrieve scan report right.

B

So, do you mean you want to rubblecom to get the sky report or.

A

Right, that's one of the things that we had talked about right.

B

Okay, have you added? uh I did later.

A

Okay, great, thank you.

C

And now I copy this robot account name and.

C

C

I will set harbor12345 to this robot.

C

C

And input hover one two three four five um here and then the body I change the name to demo number one and then click send.

C

I'm using postman sorry.

C

Can you see my screen.

A

C

Yeah- and you can see the ropes name you here and the cigarette harbor one two, three, four: five and body name, the new name, demo, one and then click send. So you mean.

B

C

Because I I clicked, uh I have already clicked this button so.

B

You can choose another name in the body request.

C

B

Yeah, so this url is to create a new type for hollow word. Use yes,.

C

Yes, yes, you can see this letters created successfully and then we go go back to to tag list and then click refresh.

C

You can see dm1 and demo. 2 was added to to this artifact, and this is us. This is all the order.

C

This is all the demo. I want to show you. Thank you.

B

As you know, do you want to show the show us the the result in harbor website uh we can see, we can see the number.

A

I think he's stuck on the cli again. Oh.

C

C

Here here is my harbor, as you can see demo one and demo 2 was added to hollywood.

A

Very cool awesome awesome.

D

Actually, I have a question: can you back to the system level robot account, and can you open a editor wizard.

D

Like in the operation time similar, the drop down is.

C

D

Right, I can't do regular slack than never right.

C

D

So when you select, whenever you can hide the you know, manners one number yeah yeah. You can directly hide that.

C

Yeah, maybe I can, I can improve the ui.

D

Yeah for another, uh I'm not sure if it's a is a good solution, maybe you know no, we can use the uh we can select multiple projects or the cover all projects or select all button right, yeah yeah, maybe it's a little better to you know to show the number of the all the selected projects close here.

D

D

A little it's not so obvious, I think you have the data, maybe you can show it close to the button.

D

F

Total selected, something to.

C

I think this is the default behavior of clarity component, so you do.

D

C

Know easily to modify.

D

But we have this, we can add that number to anywhere right, for example,.

G

D

Yeah yeah, I can show it in the button. Oh I can you, uh you know, create a new label to show it close to the bot. Maybe yeah you know a little bigger.

D

So what about when? I click the cover off? For example, there is a 20 projects.

C

Cover and and they and this part will become useless and will be disabled so.

D

How many products, so I I I wonder how many projects you know should I I should know how many projects, no power means.

C

All the existing.

D

C

Future projects yeah.

D

I don't know always, maybe there may be the it's a number right. There will be a number. Maybe is, moreover, so you know more useful.

D

Oh, I know always all the existing, but how many 20 40 50. no.

B

It's it's also cover all the future projects. So what about the the meaning that we we put a number here right. I think.

A

D

With that yeah, actually, I think we can put a one level right show any just show. The select no matter is through the cover all through the select open, all right.

A

Yeah, we can think about that um yeah. It could.

B

Be you know something like that.

A

Curran's current um selected projects, or something like that yeah it's.

D

Yeah, it's it's! It's smart for the yeah. I think it's a robot. It's it's coming very close as the previous version. No, it's a powerful feature and the ui is very beautiful that previous.

C

Thanks thanks any other question.

A

uh Yeah, so are we going to keep um a legacy? How long you're going to keep legacy for.

B

Were one or two releases.

A

Okay, and so what's the behavior after say 2.4, um are they going to go away or.

B

uh User can now see the lexi roberts from ui and the lexi roberts cannot be authenticated.

A

Got it so they're they're effectively deleted right, because I mean that code base is gone so yeah we have to write some documentation um in the 2.2 release telling users you know hey it's. You know.

B

You're the bother too.

A

There's a legacy right, there's.

E

A period um yeah actually for us this. This would be a big issue because we have like hundreds or even thousands of robot accounts in our setup, and this would require every customer to create a new robot account and update it in every of their systems and that's going to be a huge mess.

E

So isn't there a way to maybe convert one of the legacy robot accounts into a new one? um I.

A

Think the back end, um we looked at it before. First of all, it was difficult um second of.

D

A

The secret is, you know previously, using the jar token. Now it's using a secret, it's gonna break either.

E

I mean the secret is hashed in the database. I guess salt and hashed right.

B

No, the I mean for the lexi robot. We do not stop the gw token into harper's database so so that we have no way to convert the lexi.

H

B

H

Well, actually, um actually, there is a chance uh in the first successful verification of the legacy over the count. There's a chance, you transform it. Yes, yes,.

B

We can we can do the transformation at the time on on for the authentication, but I think it's it's kind of weird behavior.

B

But it has to be defined by the pm and I mean alex had two different behavior. Whatever you want.

H

Yeah yeah that will end up some legacy, become the new one or some legacy that the user haven't tried to use. They remain legacy and will be removed.

H

So that will be more messy. I think from our side. It will be hard to you know, maintain or do um you know.

A

Yeah so right now we're thinking about just giving users a grace period um agrees like a release or two for them to convert. um I don't know I do understand the concern around. You know deprecating a lot of these robot accounts and having to reconstruct them and re-put them into your ci cds. So.

E

Yeah, so if there's any option to maybe do it on the fly when the user authenticates and because then we already have all the information we need to convert a legacy system into a new legacy. Robot account into a new one.

D

E

Guess so for for our organization, I would have to write the functionality anyhow, because I cannot convince hundreds of developers to uh to do that. That's that, for us at least this will be a deal breaker. Then, in the version where we deprecate this or where harvard decides to deprecate this, um it's gonna be a huge mess and I think for every other, bigger organization. This is also gonna, be a big issue.

B

Right, but if we decide to migrate the lexi robbers we we do have notified user to update their password because uh the after the transfer information, um the the password has to be updated to the new new format or password. Inside of token.

H

And the name right, you have the new pattern of name.

B

Yeah as well as name so, this is uh actually create a new one. Is that robot for the luxury.

E

Yeah, I I I understand the issue. uh Maybe we can also take this offline and put it into a discussion in github, but I I just see that for bigger organizations with hundreds and even thousands of robot accounts, this is this is going to be a mess.

E

Will it not not be possible to use the jwt token as a password as a secret then later on, because we can, when the user validates or signs in, we can validate his token and if the token is correct,.

F

Yeah, that's possible correct ring.

E

And use this secret, so this means the user don't have to set a new password.

B

H

Yeah that's a way to handle the password, but as for the name of the robot, because we have the pattern to avoid duplication. So I see that would still be an issue.

B

So another option is that just keep the legacy robots for.

A

Forever, that's not a good approach.

E

Yeah yeah, but but also for for the prefix I mean uh robot account. Usernames have to be unique anyhow right now in the system. No.

B

And it's the within uh project you have to. You: have a unique name for your robot within the project, but.

E

Okay, no longer system-wide. Here I see.

B

Yeah, that's because we add the namespace library into the prefix of our existing replica.

E

Okay, then, then, I will just uh see how what comes to mind that I will put some comments in in the current discussion threads about this on github.

B

Okay, thank you. Yeah.

E

Thanks very much for the discussion.

A

A

Great thanks um any other questions related to this new system. Our robot accounts.

E

um I have a question regarding the permissions: um can I what permissions are there? There's like the rest, api permission and we've seen that with the tagging create tag creator, but there is no yet and rest api uh permission or something.

B

Yeah, it's a question.

B

A

Of the rest, apis right that we've opened up.

B

That means that you can use the robocon in your ci secret to create a new time for your docker image or chat files.

E

Would it maybe be an option to to open this up for for the system operator to decide what possible api routes this uh uh robot account can access or what options are given to the user to select uh um these two? This uh these ten permissions are predefined.

B

In hardware that you can think about that, it's hardcore it's hard coded in right, he's.

A

Asking about maybe the system admin can.

B

Define the set of permissions.

A

That you can delegate to robot accounts in his organization.

E

Exactly because right now we have a workaround where we just inject users by hand or by some automated process into the hardware database and then connect them to the oedc metadata. So they can log in using the oec identity provider, but would of course, be nice to have this natively supported, and these robot accounts look like great option to do that.

A

Yeah, so we didn't want to open up too much access right. We didn't want to give robots. You know system on permissions, yeah of any kind, because it's not it's only necessarily supposed to be just for you know, automation and improving your cv. So you know people are asking about. Can I use a robot to create a robot account? Can I get you know ap access to that.

F

A

um I think you know, at least within this set of functionalities right what you're suggesting could work right um on a certain heartburn, since maybe the system only wants to give the ability to push or pull or to only pull even without push access, but with a different set of permissions on different instances.

E

Of course it's a great it's a great um uh set of permissions for the first release, but maybe if the community comes comes back and and sees that there are has to be more permissions that are commonly used inside ci cd pipelines right.

A

Right absolutely, this is just the first iteration you know, there's a long discussion on the on the github ticket about.

E

A

E

That yeah bill.

A

Is you know right at the first release? So definitely you know, please add your comments um and we'll take into consideration for the next iteration.

B

Yeah from the the new design, I mean the robot version 2 it has the ability to expand any information into a robot like a system, operation, yeah.

E

That that's great, that's that's uh scalable cool.

H

Yeah- and I also suggest you, you know- participate in the community meeting more often to you know in the early discussion you may have a bigger chance. We changed the design, but now we have to go to fc so.

A

Yeah all right, I just wanna, you know um I see daniel- is on here um daniel from aqua.

A

I don't know if you have any thoughts about this.

G

Yeah definitely this looks cool. uh I will have to play a little bit. Is this built available or is all the code is already meshed on the master, uh because I'm interested in particularly this permissions on these? For the plugable scanners and this deployment security checker all right, we had some.

E

G

G

Yeah, uh it looks you know cool. As I said, I just need to play a little bit more and and then, if I have some feedback, maybe I will reuse the discussion, but overall uh it's it's really great and a great demo, and I think uh I understand the scalability problems that you have just discussed, but you know for the permission standpoint to what we need for the plugable scanners. um This. This is enough.

A

Okay, yeah, uh I don't know if this is merged master, but it will get a bill to you for sure.

G

Yeah either you know like a commit id or a branch, or if you have already a build, that would be great uh yeah.

B

I'll be happy to do so.

G

All right, great thanks cool.

A

um Yeah, that's all we have applying for the demo portion. um I wanted to mention that we are deprecating claire on the 2.2, so um you know you only you're only going to be able to install with trivia as a default scanner, but you can still install claire as in you know, third-party scanner through our plugable interrogation services framework, so deploy it pair it through the plugable integration service, um configuration page within harper, and then you can still use it that way.

A

But you know installing it as an argument: we're only going to have aqua trivia as an option, so.

H

Yeah, I just want to tell as maybe we should start talking about deprecating the charm museum in the next three I mean.

A

Right um we were looking at deputy charm museum in 2.3, because there's some performance issues right and it's not worth you know investing into solving that. Basically because we already have that functionality through our oci registry, and it's just it's not. You know worth it to maintain two separate um to have. You know two to be able to post your charts into different places um and the functionalities are not a parody right. You have much more.

A

There are a lot more functionalities available to home charts managed as oci artifacts, just like docker images. So um I think we were looking at deprecating it, maybe in 213.4 we're going for 2.3 now because of some of the complications.

A

um So if you know you're still going to be using charts, please start to invest from using charm museum and just use um helm3 to push directly to our ocr registry right. There's a lot of documentation on that on the harper website.

A

Good decision piece psa.

A

Any other questions or comments.

G

uh Alex uh this is diane from aqua again uh just to follow up on this announcement. That claire is gonna, be not gonna, be a default uh or pre-installed uh scanner, uh but also I'm wondering you know we. We still have the scanner adapter for clear right which, as far as I remember, is only compatible with clear version. 2..

G

I've recently seen that there is a clear version 4.. So what's the plan for maintaining the adapter? Do we still, even though it's not like? Let's say it won't be installed with hardware right? uh Do we still uh want to maintain or keep it up to date, or uh would it be more responsibility for the vendor, which is currently red, hat or ibm? I I lost, uh who is maintaining clear now but yeah. I hope you get my point right.

G

I think some people might ask that, for example, we are not supporting the latest and greatest clear and we need to find right.

A

G

Have a plan for that.

A

Yep yeah, there are two different issues. um I haven't really thought about it. I haven't looked at the latest claire, but I know that they made something they made some major improvements to the ladies claire, and so um we're probably going to keep supporting it and look to you know, keep up with maintaining the the um clear adapter.

A

So I don't have a more definitive answer for you, but it's something we'll look into.

G

Yeah good, so that's that's good information, so yeah, because I thought that we there was kind of an agreement with the maintainers that maybe they will want to host it and integrate, because this is usually how the from my standpoint should look like that, like the vendor would like to integrate. On the other hand, we should we should also book some time and- and you know, do the spike see how how or if there is any difference in the api.

G

Maybe it's just you know version bump and we don't have to change anything, but I I think you know they're bumped up. I think they skipped version three there's a version two and version four of claire. uh Well, maybe that's something uh I I can. I can look into uh to see how it differs and what is you know? uh What's the effort to uh to keep it right, because other than that uh we should clearly state which version of glare.

G

We support right, because I can imagine people installing claire the latest version with a pretty old adapter and then um we'll have to address those problems.

A

Yep, that's a good point. um I don't think we.

A

We stayed anywhere on the on github or in our website, exactly which version we support. It is a pretty old version, so I should make that distinction.

A

um If you can help take a look.

F

A

Be even better thanks.

F

Yeah thanks daniel, if you can take a look and see what's an effort and we can discuss it uh in our next meeting.

G

Yeah, uh so I'll do the spike and share what I found in in slack channel. So everyone can see okay,.

A

A

Any other questions.

A

I think all the questions in chat were answered.

A

All right: well, you know thanks for joining for the demo, thanks everyone for attending. If there are no questions, we can give in 12 minutes back.

A

All right, thanks guys, have a good one.

C