Container environments don't have access to system keychains (GNOME Keyring, KDE Wallet, etc.) which Harbor CLI currently requires for secure credential storage.
Proposed Solution
Add support for environment-variable based encryption keys that would:
- Check for a HARBOR_ENCRYPTION_KEY environment variable
- Use this key for encryption/decryption when present
- Fall back to other methods if not available
This approach is perfectly suited for containers and Kubernetes where secrets are commonly passed via environment variables.
Benefits
- Container Compatibility: Harbor CLI becomes fully functional in Docker/Kubernetes
- Security Best Practices: Aligns with container security patterns (inject secrets as environment variables)
- Kubernetes Integration: Simple to use with Kubernetes secrets
- No Persistent Storage: Avoids writing sensitive keys to container filesystems
Example Usage
```bash
# Generate a secure 32-byte key for AES-256
export HARBOR_ENCRYPTION_KEY=$(openssl rand -base64 32)
# Run in Docker
docker run -e HARBOR_ENCRYPTION_KEY="$HARBOR_ENCRYPTION_KEY" harbor-cli login ...
```

```yaml
# Kubernetes manifest
apiVersion: v1
kind: Secret
metadata:
  name: harbor-cli-secrets
type: Opaque
data:
  # Base64-encoded encryption key (placeholder value)
  HARBOR_ENCRYPTION_KEY: "AbCdEfGhIjKlMnOpQrStUvWxYz123456789=="
```
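
A sketch of the lookup described under Proposed Solution, as an added example that is not Harbor CLI's own code. It assumes the variable holds the base64 string produced by `openssl rand -base64 32` and that AES-256 is used in GCM mode; `aeadFromEnv`, `seal`, `open` and `ErrNoEnvKey` are hypothetical names. An unset variable signals fallback, while a malformed key is a hard error rather than a silent fallback.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
)

var ErrNoEnvKey = fmt.Errorf("HARBOR_ENCRYPTION_KEY not set") // caller falls back to another key source

// aeadFromEnv assumes the variable holds base64 of exactly 32 raw bytes (AES-256).
func aeadFromEnv() (cipher.AEAD, error) {
	v := os.Getenv("HARBOR_ENCRYPTION_KEY")
	if v == "" {
		return nil, ErrNoEnvKey
	}
	key, err := base64.StdEncoding.DecodeString(v)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("HARBOR_ENCRYPTION_KEY must be base64 of 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open: AES-256-GCM with the random nonce prepended; open fails on tampering or a wrong key.
func seal(a cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, nil), nil
}
func open(a cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], nil)
}

func main() {
	_, err := aeadFromEnv() // ErrNoEnvKey: use fallback; any other error: abort
	fmt.Println("env key error (nil means usable):", err)
}
```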