►
From YouTube: Harbor Community Meeting - Jan 27, 2021
Description
CNCF Harbor's Community Zoom Meeting
B
Awesome,
thank
you
alex,
so
let
me
share
my
screen
first.
So
thank
you
for
joining
this
community
meeting,
so
I'm
going
to
share
to
you
a
new
way
of
interacting
with
harper,
so
my
name
is
hin
lam,
I'm
the
advisory
platform
architect
from
vmware
base
in
hong
kong.
So
I
belong
to
a
team
called
application
platform,
architect
apa
team,
which
is
a
non-rnd
and
non-product
team.
So
so
this
is.
This
is
the
reason
why
this
harbour
cli
is
an
unofficial
one.
B
So,
but
before
that,
let
me
introduce
like
some
details,
like
I
typically
work
with
various
area
in
kubernetes,
in
operations
in
like
machine
learning,
infrastructure
and
and
co,
if
you,
if
you're
interested,
feel
free
to
keep
contact
with
me.
So
with
that
without
further
ado,
there
is
a
unofficial
harvard
cli
that
you
can.
B
The
right
hand
side
you
download
the
release
from
the
release.
You
can
download
the
cri,
which,
interestingly
it
is.
This
cli
is
written
in
java
and
I
will
go
a
little
bit
in
deep
into
how
this
harbour
cli
was
built
and
the
process
to
generate
that.
So
well.
Well,
maybe
you're
interested
in
downloading
that
maybe
I
should
jump
into
why
harvard
cri.
So
hubba
has
a
very
nice
nicely
designed
ui
nicely
designed
web
interfaces
and
it
has
a
plenty
of
a
restful
api.
B
So
so
our
team,
the
apa
team,
actually
working
on
some
def
setups
initiative
which
require
us
to
integrate
hub
into
the
whole
cicd
pipeline,
which
means
that
when
we
do
the,
when
we
build
the
crc
city
pipeline,
we
have
to
interact
with
a
harbor
with
the
rest
api,
which
proven
to
be
quite
a
lot
of
moving
parts
for
us.
So
so
think
about
a
different
api
call.
B
You
do
the
login,
you
get
the
bailout
token,
and
then
you
do
the
actions
and
then
you
build
the
json
respond
request
and
respond
from
there.
That
will
take
a
bunch
of
energy
from
us.
So
that's
why?
The
the
reason
why
I
create
that
is,
we
have
a
solid
use
case
to
make
sure
that
our
our
def
set
of
spotlight
can
be
easily
integrated
with
harbor
using
minimum
effort,
and
that's
why
we
create.
B
I
created
this
harbor
cri
initiative
and
obviously
it's
a
benefit
to
do
automation
and
repeatability,
because
we
have
many
use
cases
that
we
we
can
tear
down
the
harbor
itself
and
then
re-establish
their
all
the
user.
All
the
project
using
the
same
sets
of
shell
script,
and
it
is
super
easy
to
understand
for
human,
like
how
do
you
create
a
project?
How
do
you
list
a
project,
so
I
have
a
like
a
record
some
of
the
interactions
of
the
harbor
command
line
itself.
B
So
when
you,
when
you
don't
know
already
download
the
hubba
cli
from
the
release,
you
create
an
alias
to
tell
hey.
I
want
to
use
a
hub.
Maybe
I
should
re
restart
this
demo,
so
this
recording,
so
we
just
create
an
alias
for
you
to
easy
consume.
It's
actually
behind
that.
It's
just
a
java
dash
jar
running
that,
so
the
command
line
itself
is
a
fat
jar.
So
it
is
a
self-contained.
B
Obviously,
in
future
we
could
compile
it
down
to
binary
file,
but
at
this
moment
we
we
are
asking
for
contributor
to
help
us
to
do
that,
and
then
you
can
see
the
hardware
command
is
just
harbor
and
then
the
the
api.
You
want
to
call
like
project
in
this
case
and
then
you
do
the
create
itself
or
you
can
list
out
everything.
So
you
can
see
the
interaction
here.
Is
you
you
tell
the
harbor
command
to
do
action?
B
B
So
that's
why
I
I
show
I
will
show
you
a
live
demo,
so
the
features
that
we
have
in
this
command
line
is:
when
you
do
harbor
command,
you
can
actually
use
the
help
command
to
see
hey
what
kind
of
sub
command
I
have.
So
these
commands
are
dynamically
generated.
I
didn't
hardcore
any
of
them.
It
actually
automatically
discovered
from
the
sdk
itself
I
will
come.
I
will
go
into
sdk
a
little
bit
more
later
on.
B
So
if
you
use
hardware
project,
so
this
is
the
api
exposed
by
harbor.
So
you
can
see
the
harbor
definitions
from
the
harbour
and
then
there
is
a
harbor
api
version
2.0
and
from
there
you
will
be
redirect
to
the
swagger
definitions,
open
api
definition
that
you
can
show
here.
So
I'm
actually
calling
project.
I'm
actually
calling
this
api
and
api
of
obviously
has
tons
of
endpoint.
B
So
that's
why,
in
the
project
I
use
a
help
command,
maybe
a
little
bit
small
on
the
screen
so
and
then
you
can
see
head
get
lock,
guest
summary
create
update
list.
It's
actually
mapped
to
everything
listed
here,
so
you
can
see
head
post,
get
get
log,
get
summary
delete,
everything's
here,
okay,
so
for
example,
I
do
a
list
a
list
command
here
I
will
be
able
to
connect
to
my
hub
which
to
prom
to
help
some
promotion.
B
We
have
like
a
demo
dot,
go
humber
dot
io,
which
is
a
pre-deployed
harbor
from
the
harbour
team.
For
you
to
use
that
to
to
try
our
hub,
obviously
it
is
a
temporary
one.
So
if
we
got
like
refreshed
every
few
days,
but
it's
a
good
idea
to
try
it
before
you
install
it
so
once
you
have
the
command
issue,
it
will
actually
make
api
call
to
harbor
and
obviously
because
you
you
actually
have
to
log
into
that
so
in
this
command.
It
also
has
a
log
in.
B
It
also
has
a
log
in
command
which
required
to
input
the
username
password
api
endpoint,
and
then
it
will
save
a
credential
into
your
local,
your
local
computer,
so
that
every
time
you
do
have
a
list
how
about
have
a
command?
It
will
just
re
refresh
the
we
will
fetch
the
local
fetch,
the
local
credential,
and
make
the
request
for
you,
so
that
you
don't
have
to
log
in
every
single
time
when
you
make
requests
okay,
so
is
it
also
a
json
output?
Probably
you
know
like.
B
Okay
and
then
we
also
have
parameter,
hints
and
help
message,
so
it
will
actually
show
you
if
I
want
a
project
create
what
kind
of
parameter
is
required
for
me
to
do
it
like
I
can
input
a
project.
I
can
specify
how
the
project
should
looks
like
in
this
case,
because
a
project
can
contain
a
lot
of
stuff,
like
the
name
you
can
see
below.
What
is
the
cv
allow
to
what
will
be
the?
What
will
be
the
is
it
public
is
it
like?
B
Is
it
like
cv
a
lot
less
there,
so
it
has
a
tons
of
types
inside.
So
that's
why
here
we
have
list.
If
you
have
this
kind
of
a
comma
parameter,
you
don't
need
to
specify
too
many
too
many
things
you
can
actually
specify
it
in
a
json
file.
In
this
case,
I
am
actually
specifying
the
project
should
call
a
hint
cli
and
it
should
not
be
a
public
project,
so
I
can
change
the
name
for
this.
B
One
like
cncf,
okay
and
now
I
can
use
harbor
project,
create
project
in
cli
project.json
and
it
will
make
a
request
and
then
submit
this
json
file
as
the
data
structure
to
the
hardware
command
line.
And
now
I
in
in
the
interface
I
should
see
a
new
project
created
programmatically
using
this
command.
B
B
So
I
will
show
you
much
more
detail
next,
okay,
so
the
interest
part
is
how
this
command
line
is
built,
so
for
harbor
it
has
like
over
a
hundred
eight
by
endpoints.
So
the
problem
is,
I
I
I
don't
have
that
much
time
to
type
in
every
single
command
in
harbor
and
then
make
the
signature
correct
and
enter
json
and
their
everything
submit
to
the
rest
for
api
correct.
So
I
I
use
a
way
to
generate.
B
First
of
all,
I
visit
harbor,
the
gold
hub
official
ripple,
which
it
contains
and
two
open
api
specifications,
and
then
I
use
open
api
generator
to
generate
a
client
java.
So
so
this
client
java
is
a
ripple
that
contains
all
the
as
a
wrapper
to
that
contains
all
the
api
requests
respond
model
in
it
and
then
for
the
hardware
cli.
It
use
a
java's
reflections,
so
it
actually,
it
actually
goes
to
the
java
client
to
say:
hey.
Do
you
have
that
api?
B
Do
you
have
that
parameter
how
how
the
request
respond
looks
like
and
then
it
will
add
it
into
the
cli
command
interface
using
a
library
called
pico,
cli
and
then
present
to
the
user
on
this
one.
So
that's
why
the
items
you
see
here,
none
of
them
is
hardcoded,
it's
actually
from
the
java
client,
which
was
generated
from
this
record.
B
Okay,
so
next
is
we
actually
got
two
cli.
The
first
one
is
called
well
swagger..
Well,
swagger.json,
it's
mainly
taking
care
of
the
new
new
part
of
the
of
the
open
api
from
harbor
is
like
project
preheat
artifact
and
the
legacy
api
is
taking
care
of
a
system
level
such
as
the
user
account
the
the
product
settings
the
global
settings.
B
So
therefore
there
there
are
two
harbor
client
because
of
this
so
as
well
as
I
know,
the
team
will
gradually
move
existing
legacy
api
to
the
newer
api
so
expect
in
the
future.
There
will
be
more
functionality
in
the
api,
but
at
the
same
time
you
can
download
both
you
can
see.
The
command
looks
different,
but
then
you
can
use
in
the
same
patterns
as
I
described
before.
B
B
And
download
that
is
a
blog
post
that
I
published
in
medium.
That
shows
exactly
how
the
steps
are
in
in
a
much
more
digestible
form
of
how
it's
made
and
why
we
make
some
desired
choice
for
that.
So,
although
this
is
an
official
api,
this
is
an
official
cli
that
hasn't
been
endowed
endorsed
by
the
official.
Well,
the
cncf
project
yet,
but
please
feel
free
to
contribute
and
give
us
feedback,
and
hopefully
one
day
it
has
a
quality
high
quality
enough
to
make
it
into
the
official
release.
B
B
B
A
B
B
B
A
A
D
E
A
F
F
F
E
Okay,
I
have
a
question
about
to
the
data.
Your
retainer,
you
mean
you.
Your
scanner
provides
some
extra
capability
like
written
some,
you
know
misconfigure
or
some.
You
know
some.
You
know
fair,
but
a
fair
mirror
right,
but
I
I
have
a
little
confusion
because
the
cve
you
know
it's,
you
know
from
some
upper
stream
database
right
and
you
return
that
the
fares
together
with
the
cv
that
will
increase
the
total
number
of
the
cve.
E
F
E
E
F
E
Have
yeah
the
reason
why
I
asked
you
this
question,
because
the
overall
severity
of
one
artifact
is
is
calculated
based
on
that
vulnerability
list
right.
So
if
your
data
influences
the
overall
vulnerability
list
that
maybe
may
influence
the
overall
severity
of
the
artifact
evaluation
right.
But
you
know
your
new
items
are
not
cve
right,
so
I
just
want
to
confirm
those
non-cve
items
have
no
any
severity
information
right.
F
F
H
E
Yeah,
that's
totally
based
on
the
severity
of
the
severity
of
the
vulnerability
items,
for
example,
if
there
is
more
than
one
critical,
the
overall
summary
will
be
marked
as
a
critical
right,
if
no
creating
more
than
one
hack.
That
will
be
marked
as
a
hat.
So
that's
you
know
one
by
one
step
by
step:
okay,.
H
So,
basically,
you're
not
accounting
how
many
items
in
in
the
list
right
yeah?
No,
so
we
don't
so
in
essence,
if
we,
if
we,
we
don't
want
to
kind
of
enforce
this
other
files
files
like
to
impact
the
overall
results,
then
we
just
tag
them
as
unknown
right
for
for
all
of
them
and
then
leave
all
the
cves
with
severity.
H
E
E
Okay,
yeah
actually
for
the
original
plot
of
original
design
of
the
plugable
scanner.
We
support
a
different
report
from
it.
Vulnerability
is
just
one
of
the
you
know
report
from
it,
so
in
future,
every
week,
if
you
know,
if
we
got
some,
you
know
new
for
me
to
report
from
different
scanners.
We
introduced
some
other
report.
E
E
E
E
G
E
H
E
H
E
D
A
C
C
E
E
A
Yeah
I
mean
the
whole
point
of
you
know.
Allowing
multiple
scanners
is
that
we
can
run
the
same
scan
or
we
can
run
the
scanner
different
scanners
on
the
same
set
of
artifacts
right
and
then
compare
the
results.
So
we
need
some
standardization
across
across
the
scoring
system
right
to
be
able
to
accurately
reflect
like
what
each
vendor
thinks
of
this
vulnerability.
A
A
E
Yeah
daniel
pecky
that
did
not
attend
this
meeting.
Actually
I
have
mentioned
this
requirement
to
to
him.
Actually,
maybe
in
future,
we
can
consider
some
further
enhancement
to
introduce.
You
know
support
a
more
different
report
from
it.
Like
some,
you
know,
vulnerabilities
some,
you
know
bomb
some
packing
defenses
like
like
this
yeah.
A
D
D
A
G
A
E
I
think
the
work
can
be
split
into
two
parts
for
introducing
a
new
memory
tab
to
support
a
new
report
from
h-
and
you
know,
introduce
some-
you
know
new
api
or
to
autolet
api
to
support
the
new
memory
type.
That's
the
word
part
the
the
another
one
is.
You
know
letters
the
front
end
to
support
that
api
right
to
render
the
new
data
for
meter
correctly.
So
I
think
there
are
no
tight
relationship
right
for
the
scanner
for
the
platform
scanner.
E
I
think
the
first
part
worker
is
oh,
it's
okay,
because
yeah
but
april,
if
you
want
to
run
it
to
introduce
the
enhancements
into
harvard
web
console,
that's
another
story:
yeah
doesn't
mean
they
really
on
different
release.
Template
as
that's
that's
my
understanding,
because
because
the
harbor
rapid
console
is
also
one
of
the
client
right
to
consume
the
scanner
api.
D
H
A
A
Okay
yeah,
so
you
know
watch
for
the
release
page
on
github
and
we're
planning
on
on
ga
the
2.2
after
chinese
new
year.
So
sometime
in
we
don't
have
the
exact
date,
but
before
the
end
of
february,
if
I'm
not
mistaken,
we
also
have
a
discussions
page
on
daniel.
Do
you
have
the
link
that
you
can
post
here
that.
A
C
Yeah,
if
you
click
the
second
item,
you
can
see
there's
a
discussion.
Hopefully
we
want
to
move
some
of
the
issues
to
the
discussion
area.
If
you
have
questions
or
some
open
topic
want
to
discuss
with
the
community
and
maintainers,
you
open
a
thread
in
the
discussion,
so
we
so
the
issues
can
be
focused
on
the
bugs
or
you
know,
changes
require
the
code
changes
or
rather
than
asking
questions,
but.
C
A
Okay,
so
I
gotta
bronze
2.3,
so
discussions
page
is
not
has
nothing
to
do
with
a
particular
release.
It's
just
a
place
to
like
I'm
trying
to
figure
out.
What
is
what
are
we
not
doing?
What
are
we
not
able
to
do
for
the
users
on
the
issues
page
that
we
have
to
have
a
discussions
page
like
what
is
the
difference
between
two.
A
Oh
okay,
thank
you,
yeah,
and
so
none
of
us
have
used
it
before.
Let's
give
it
a
try,
you
know
to
everyone
who's
interested.
Let's
look
at
how
you
know
what
how's
it
different
from
issues.
What
can
we
do
in
discussions
that
we
couldn't
do
in
issues
I'm
open
to
it
and
I
hope
everyone,
you
know,
feel
free
to
to
test
it
out
or
if
you
think,
if
you're
already,
if
you've
been
using
discussions
or
experience
with
how
that
works,
let's
give
it
a
shot.
So.
I
A
For
the
most
part,
you
know
we
encourage
everyone
to
submit
these
as
soon
as
possible
before
the
tip
under
release
actually
starts
so
before
end
of
february.
When
2.2
goes
out
it
doesn't
the
the
priority
is
constantly
shifting
right.
So
I
would
encourage
you
to
submit
it
any
time
if
we,
if
we
don't
make
it
into
2.3,
then
we
have
a
head
start
on
prioritizing
it
for
2.4
or
potentially
for
patch
release
of
2.3
right
it
doesn't
have
to
be
2.3.0.
A
I
D
I
A
So
I
think
yeah
don't
think
of
discussions
as
the
place
to
raise
2.3
issues.
It's
like
daniel
said
discussions
is
meant
for
something
else.
I
haven't
looked
into
the
point
of
discussions
on
github
yeah
I'll
look
into
it,
but
I
would-
and
I
would
encourage
everyone
else
to
do
the
same
and
figure
out
what
is
the
delineation
between
issues
and
discussions,
because
I
think
issues
for
the
most
part
can
cover
like
90
of
our
requirements.
Right
we've
had
some
really
good
discussions.
G
G
You
can
move
issues
to
discussions
as
well.
Discussions
are
are
very
useful
if
there's
like
long
long-form
discussions
that
you
want
to
have
about
a
certain
thing
that
might
not
necessarily
be
an
issue
per
se
and
I
believe
you
can
move
it
back
to
an
issue
as
well,
so
you
can
tie
them
together,
so
you
can
have
discussions
on
top
of
an
issue
without
making
the
issue
be
14
pages
long.
A
G
A
A
Exactly
yep,
so
2.3
is
also
going
to
be
around
three
months
we
want
to
have.
We
want
to
have
a
a
demo-able
build
around
the
next
kubicon,
but
the
actual
ga
could
be.
You
know
a
little
well
after
that
between
you
know,
fc
and
g8,
so
another
three
months,
the
harvard
team.
You
know
we
did
some
basic
retrospective
for
2020
and
yeah.