►
Description
Cosign demo in Harbor 2.5.0 with replication setup
A
Hello,
everyone,
my
name,
is
olympus
silver
and
I'm
the
community
manager
for
harvard
in
today's
session.
I
want
to
show
you
how
you
can
set
up
two
instances
of,
however,
in
that
I'm
going
to
use
gcp
and
I'm
going
to
set
up
two
of
the
smallest
instances
possible.
Then
we're
gonna
install
hardware
version,
two
five
on
instance,
one
and
instance.
Two
then
we're
gonna
create
a
replication
row,
from
instance,
one
to
instance,
two
and
then
we're
going
to
push
an
image
to
instance.
A
One
then
we're
going
to
sign
that
image,
in
instance
one
via
cosine
and
then
we're
going
to
trigger
the
replication
rule.
So
we
can
see
how
the
image
and
the
replication
and
the
signature
will
be
transferred,
to
instance,
two
and
then
we're
gonna
verify
the
signature
on
instance,
two
and
instance
one
and
see
that
they're
the
same
so
practically
you
can
use
that
model
to
promote
your
images
from
staging
to
production
and
to
keep
the
signature
the
same
all
right.
A
So,
as
a
first
step,
I'm
going
to
show
you
the
two
instances
in
gcp,
so
we
have
the
smallest
possible
instances
in
in
gcp
and
those
are
both
are
internet
facing.
So
I
can
access
them
through
http,
https
and
ssh
all
right
as
a
first
step,
we're
gonna
go
to
the
hardware
releases
and
we're
gonna
install
the
latest
one.
Two
five
we're
gonna
grab
the
offline
installer.
For
that.
For
that
demo,
then
we're
gonna
navigate
to
one
of
our
machines
and
that's
the
hybrid
one
instance.
A
A
So
with
that
I
can
run
the
installer
and
that
will
set
up
hardware
for
me.
So,
let's,
let's
search
for
this
one
install
and
for
the
purposes
of
this
demo,
I
was
playing
around
and
I
can.
I
can
install
it
even
with
the
notary
which
we
want
to
use,
but
we
want
to
see
the
options
for
for
selecting
the
the
enforcement
policy
and
I
want
to
have
a
trivia.
A
Okay,
the
process
of
installation
is
ready,
but
I
didn't
show
you.
One
very
crucial
step
in
my
setup
at
least,
is
to
actually
have
a
valid
ssl
certificate
for
the
demo
purposes.
I'm
using
let's
encrypt,
is
the
easiest
and
cheap
way
to
to
have
valid
service
certificates,
so
you
can
go
and
navigate
to
let's
encrypt
work
getting
started,
and
then
you
have
a
few
options
if
you
don't
have
access
to
show
access
to
the
machine
or
you
if
you
have
one.
In
my
case
I
have
one.
A
A
So
for
the
installation
you
need
the
snap
packet
manager,
so
you
have
to
ssh
to
the
server.
Then
you
have
to
install
snap
d.
There
are
all
the
steps
very
well
documented.
So
at
the
end,
when
you
follow
all
these
steps
practically
in
our
case,
we
don't
have
still
running.
However,
so
we
can
do
the
web
route
for
example,
or
standalone.
It
will
ask
you
a
few
questions.
A
So
you
have
in
the
keys,
we
have
the
distortbot
key
and
then,
if
we
go
back
to
the
to
harbor
and
can
harbor,
you
know,
let's
those
are
the
two
files
that
you're
interested
in
and
they'll
be
printed
out
in
the
end
of
the
process
of
requesting
this
certificate.
So
you
have
to
just
replace
them
in
your
harbor
dot
file
and
then
run
the
installation.
Okay.
We
have
our,
however,
installed
and
I'm
on
the
homepage
for
this
one
so
hardware1.org,
so
we
can
log
in
with
our
default
username
and
password.
A
Arbor
one
two:
three,
four:
five:
okay,
so
it's
empty,
very
clean
installation.
So
that's
the
first
step.
I
want
to
create
a
user,
so
we
go
on
user
new
user
and
I
want
my
user
to
be
called
cosine
demo.
Email
address
will
be
cosign,
cosign
com
last
name
and
phone
name.
We
don't
need
this
one
and
the
password.
A
A
A
So
that
means,
if
I
say
this
one
that
means
all
images
from
that
repository
that
are
not
signed,
won't
be
accessible
to
to
be
replicated,
for
example,
or
to
be
deployed,
which
means
won't
be
able
to
download
them.
So
I'm
gonna
save
that
setting
and
as
a
next
step,
I
want
to
go
on
the
hybrid
instance.
A
Same
thing,
I
want
to
say
that
I
want
to
have
deployment
security
and
only
consign
images
to
be
able
to
be
downloaded
from
it.
So
I
want
to
set
up
a
robot
account
which
will
allow
me
my
hardware
1
instance,
to
communicate
with
my
hybrid
2
instance.
So
when
something
comes
in
hybrid
1
instance
or
I
want
a
trigger
replication
rule,
I
can
do
that
from
harbor
one,
for
example,
so
new
robot
account
and
I'm
gonna
call
it
cosine,
for
example,
expiration
day.
No,
I
don't
want
to
have
expiration
days
and
yeah.
A
I
want
to
be
able
to
do
everything
with
that,
so
I'm
going
to
click,
add
and
my
my
robot
account
will
be
robot,
cosine,
cosine,
double
cosine,
I'm
going
to
copy
that
and
then
I'm
going
to
copy
the
the
secret
I'm
going
to
export
the
secret.
So
I
can
have
a
legit
backup
for
them
with
that.
Our
setup
on
the
hybrid
2
instance
is
done
and
we
can
navigate
to
hybrid1
instance
and
set
up
the
replication
to
do
that.
A
A
A
A
A
So
with
this
one
I
have
everything
set
up
in
place
right
now,
so
we
can
start
pushing
images.
So
we
have
the
application
rule,
we
can
click
replicate
and
that
should
succeed
because
we
don't
have
anything
right
now
in
our
registry.
So
as
a
next
step,
we're
going
to
push
images
to
hardware
one
instance
and
then
we're
gonna
assign
those
images
in
hardware
one
instance
and
then
we're
gonna
run
the
replication
rule
and
then
we're
going
to
verify
the
result
on
hierarchy.
Instance.
A
A
Okay,
so
we're
in,
and
then
I
want
to
push
image
this
one
harbor,
one
cosine
double
pools,
so
docker
push
one
right
that
will
push
the
image
to
the
registry,
but
when
you,
when
we
open
the
artifact,
it
says
cosine
node
sign,
so
next
step
will
be
to
design
that
image.
To
sign
that
image,
we
need
to
install
cosine
on
our
machine.
A
So
if
you
navigate
to
github
six
store
cosine,
you
can
follow
all
the
all
the
steps
for
your
your
operating
system,
install
cosign
and
then
there
are
a
few
examples:
how
you
can
sign
images
so
I'll
skip
the
installation
part
and
go
straight
to
the
process
of
signing.
So
as
a
first
step,
we
have
to
create
a
key
pair,
public
and
private
key,
which
will
be
used
to
to
sign
the
the
images
we
sign
with
the
private
key
and
we
verify
with
the
publicly
key
who
is
going
to
be
public
key
available.
A
A
A
Cosine
generate
keeper,
it's
gonna
ask
you
for
your
passphrase
for
your
keys,
okay,
so
we
we
have
the
we
have
the
keys
now.
So,
as
the
next
step,
we
is
going
to
be
to
sign
the
image
so
cosine
sign.
Then
you
have
to
specify
the
key
cosine
key
and
then
you
have
to
specify
the
the
image
we're
interested
in
this
one.
A
A
A
A
So
the
two
artifacts
are
our
image
and
our
signature,
as
you
see,
is
cosine
assigned,
but
if
we
dig
in
it
says
send
by
notary
it's
not
signed.
Why
not
already
so
that
means
we
have
the
only
the
cosine
signature
again
just
to
verify
that
we're
gonna
go
to
the
configuration
for
the
for
the
project
and
we
have
the
cosine
policy
as
a
next
step.
I'm
gonna
just
verify.
A
Okay
and
as
a
next
step,
we
have
to
verify
our
our
signature,
so
cosine
verify
key
cosine
pop
and
then
we're
gonna
specify
our
image.
In
that
case,
it's
first
on
hardware
one
instance
and
I'm
gonna
pipe
it
through
jq.
So
we
can
see
the
output
a
bit
more
readable.
So
that's
our
digest
and
that's
practically
the
signature.
If
we
change
that
to
harbor
two.
A
If
we
want
to
promote
these
images
or
not,
and
then
if
we
are
happy
with
the
results,
then
we
can
trigger
the
the
replication
rule
and
to
get
them
in
the
production
harvard
and
then
get
to
get
them
distributed
across
our
clusters.
Thank
you
very
much.
I
hope
you
find
this
helpful
and
see
you
on
the
next
one.