Set robot account expiration and recreate it when account is removed #11
Labels
feature
New feature or request
Comments
|
For reference, the robot account is set to never expire. params := products.NewPostProjectsProjectIDRobotsParamsWithContext(c.context).
WithTimeout(c.timeout).
WithHTTPClient(c.insecureClient).
WithProjectID(projectID).
WithRobot(&models.RobotAccountCreate{
Access: []*models.RobotAccountAccess{
{
Action: "push",
Resource: fmt.Sprintf("/project/%d/repository", projectID),
},
},
Description: "automated by harbor automation operator",
ExpiresAt: -1, // never
Name: utils.RandomName("4k8s"),
}) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For a robot account, from a security standpoint, we should set an expiration for that account or at least rotate its credentials. As currently, we can't rotate robots' credentials/tokens in harbor itself, we should set an expiration date in the operator when creating the robot account as a future improvement. And by the nature of controller reconciliation logic, a new robot account should be created after the old one expires.
The text was updated successfully, but these errors were encountered: