Wiki source code of Harbor 2.7 CLI Credentials for Harbor users
Last modified by DevOps-as-a-Service Operator on 2025/02/05 11:33
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | A user can connect the harbor instance programmatically ONLY using generated CLI secret. The password used to log in to the DevOps toolchain will not work. The options to connect to: | ||
| 2 | |||
| 3 | * connect to the Docker Registry using the {{code language="none"}}docker {{/code}}command or any OCI client | ||
| 4 | * connect to the Helm chart repository using the {{code language="none"}}helm {{/code}}command | ||
| 5 | |||
| 6 | {{info title="**ℹ CI/CD**"}} | ||
| 7 | This page is about your personal account only. Do not use your personal CLI secret in a delivery pipeline. | ||
| 8 | |||
| 9 | The DevOps Portal will automatically create a Robot Account for each Project and inject the credentials automatically into Jenkins. See [[doc:Jenkins.Automatically provided Credentials.WebHome]] for more details. | ||
| 10 | {{/info}} | ||
| 11 | |||
| 12 | {{toc/}} | ||
| 13 | |||
| 14 | = Create CLI secret = | ||
| 15 | |||
| 16 | The CLI secret can be created by any user from the Harbor User Interface. At first, login to your harbor instance using Keycloak (**LOGIN VIA OIDC PROVIDER**): | ||
| 17 | |||
| 18 | [[image:attach:Screenshot 2024-02-27 180550.png||queryparams="effects=drop-shadow" height="342" width="375"]] | ||
| 19 | |||
| 20 | In the upper right corner, click on your username field and then click **User Profile**: | ||
| 21 | |||
| 22 | [[image:attach:Screenshot 2024-02-27 180805.png||queryparams="effects=drop-shadow" height="250" width="375"]] | ||
| 23 | |||
| 24 | You will be prompted to the profile overview, where the CLI Secret can be found: | ||
| 25 | |||
| 26 | [[image:attach:Screenshot 2024-02-27 181245.png||queryparams="effects=drop-shadow" height="288" width="375"]] | ||
| 27 | |||
| 28 | Description of the fields: | ||
| 29 | |||
| 30 | (% class="table-bordered" %) | ||
| 31 | (% class="active" %)|=((( | ||
| 32 | Field | ||
| 33 | )))|=((( | ||
| 34 | Remark | ||
| 35 | ))) | ||
| 36 | |((( | ||
| 37 | Username | ||
| 38 | )))|((( | ||
| 39 | The automatically setup username which will be used for docker login etc. | ||
| 40 | ))) | ||
| 41 | |((( | ||
| 42 | |||
| 43 | )))|((( | ||
| 44 | Your email. Can't be changed (even if it looks like you can, it won't) | ||
| 45 | ))) | ||
| 46 | |((( | ||
| 47 | CLI Secret | ||
| 48 | )))|((( | ||
| 49 | The automatically generated secret for command line interfaces. Used instead of password. | ||
| 50 | ))) | ||
| 51 | |||
| 52 | Use the copy icon on the right to copy the CLI secret and use it for authentication. | ||
| 53 | |||
| 54 | = Authenticate with a CLI Secret = | ||
| 55 | |||
| 56 | To use a secret in an automated process, use {{code language="none"}}docker login{{/code}} and provide the credentials like username and CLI secret (for password) before you issue additional commands like {{code language="none"}}docker pull{{/code}} or {{code language="none"}}docker push{{/code}}. | ||
| 57 | |||
| 58 | {{code}} | ||
| 59 | docker login registry-CUSTOMER.devops.t-systems.net | ||
| 60 | Username: <username> | ||
| 61 | Password: <cli_secret> | ||
| 62 | docker pull registry-CUSTOMER.devops.t-systems.net/PKEY/REPO:TAG | ||
| 63 | {{/code}} | ||
| 64 | |||
| 65 | See the following table to understand the structure of the arguments. | ||
| 66 | |||
| 67 | (% class="table-bordered" %) | ||
| 68 | (% class="active" %)|=((( | ||
| 69 | Placeholder | ||
| 70 | )))|=((( | ||
| 71 | Description | ||
| 72 | ))) | ||
| 73 | |((( | ||
| 74 | CUSTOMER | ||
| 75 | )))|((( | ||
| 76 | Name of your DevOps-as-a-Service instance | ||
| 77 | ))) | ||
| 78 | |((( | ||
| 79 | PKEY | ||
| 80 | )))|((( | ||
| 81 | Project Key of the Project like on the Portal | ||
| 82 | ))) | ||
| 83 | |((( | ||
| 84 | REPO | ||
| 85 | )))|((( | ||
| 86 | The image repository, e.g. | ||
| 87 | |||
| 88 | {{code language="none"}} | ||
| 89 | tomcat | ||
| 90 | {{/code}} | ||
| 91 | ))) | ||
| 92 | |((( | ||
| 93 | TAG | ||
| 94 | )))|((( | ||
| 95 | The tag of the image, e.g. | ||
| 96 | |||
| 97 | {{code language="none"}} | ||
| 98 | latest | ||
| 99 | {{/code}} | ||
| 100 | ))) | ||
| 101 | |||
| 102 | For pulling from a repository, you need at least a VIEWER role. For pushing, you require at least a DEVELOPER role for the affected project. | ||
| 103 | |||
| 104 | When done working, you can use {{code language="none"}}docker logout{{/code}} to remove cached credentials from the file-system where your docker commands are executed. | ||
| 105 | |||
| 106 | {{info title="**ℹ SECRET EXPIRATION**"}} | ||
| 107 | Your CLI secret in Harbor can expire if you don't log in to your account, due to the {{code language="none"}}offline_access{{/code}} idle time set by Keycloak, which is 30 days. When this happens, you can see '//unauthorized: authentication required//' message. This means you need to log in to Harbor at least once every 30 days to keep your CLI secret active. To avoid any disruptions, we recommend updating your CLI secret in your Harbor profile settings regularly. | ||
| 108 | {{/info}} | ||
| 109 | |||
| 110 | |||
| 111 | = Update/Set Custom CLI Secret = | ||
| 112 | |||
| 113 | You can refresh a CLI secret after it's created in the event that you need a new one. | ||
| 114 | |||
| 115 | For that you will need again go to your user profile and click the** three dots** on the right-hand side: | ||
| 116 | |||
| 117 | [[image:attach:Screenshot 2024-02-27 181748.png||queryparams="effects=drop-shadow" width="550"]] | ||
| 118 | |||
| 119 | You will be prompted to update interface: | ||
| 120 | |||
| 121 | [[image:attach:Screenshot 2024-02-29 173222.png||queryparams="effects=drop-shadow" width="550"]] | ||
| 122 | |||
| 123 | From here you can** GENERATE SECRET** and copy it or click **UPLOAD YOUR OWN SECRET **and use a predefined one: | ||
| 124 | |||
| 125 | [[image:attach:image-2024-2-29_17-39-21.png||queryparams="effects=drop-shadow" height="291" width="550"]] |