search

goharbor / harbor-helm

The helm chart to deploy Harbor
Apache License 2.0
1.19k stars 760 forks source link

Keep getting invalid username or password on fresh install #565

Closed kratos81 closed 8 months ago

kratos81 commented 4 years ago

I have been trying to install harbor on AWS and GKE and each time , I am not able to login using the default password. Im not sure if this is a bug

version is v1.10.1

This is the log from the database

 k logs harbor-harbor-database-0 -f
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locales
  COLLATE:  en_US.UTF-8
  CTYPE:    en_US.UTF-8
  MESSAGES: C
  MONETARY: C
  NUMERIC:  C
  TIME:     C
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default timezone ... UTC
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data -l logfile start

postgres
waiting for server to start....LOG:  database system was shut down at 2020-04-13 00:02:15 UTC
LOG:  MultiXact member wraparound protections are now enabled
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started
 done
server started
ALTER ROLE

/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/initial-notaryserver.sql
CREATE DATABASE
CREATE ROLE
ALTER ROLE
GRANT

/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/initial-notarysigner.sql
CREATE DATABASE
CREATE ROLE
ALTER ROLE
GRANT

/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/initial-registry.sql
CREATE DATABASE
You are now connected to database "registry" as user "postgres".
CREATE TABLE

LOG:  received fast shutdown request
LOG:  aborting any active transactions
LOG:  autovacuum launcher shutting down
LOG:  shutting down
waiting for server to shut down....LOG:  database system is shut down
 done
server stopped

PostgreSQL init process complete; ready for start up.

LOG:  database system was shut down at 2020-04-13 00:02:18 UTC
LOG:  MultiXact member wraparound protections are now enabled
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started
LOG:  incomplete startup packet
LOG:  incomplete startup packet
LOG:  incomplete startup packet

and this is the log from harbor core

2020/04/13 11:27:04.391 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.439127ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:06.151 [D] [server.go:2774]  |      10.12.3.1| 200 |   1.794044ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:14.390 [D] [server.go:2774]  |      10.12.3.1| 200 |   1.765733ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:16.152 [D] [server.go:2774]  |      10.12.3.1| 200 |   3.097014ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:24.391 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.563629ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:26.151 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.075882ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:34.391 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.815542ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:36.151 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.169644ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:44.390 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.221412ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:46.151 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.138759ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:54.390 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.411471ms|   match| GET      /api/ping   r:/api/ping
2020/04/13 11:27:56.151 [D] [server.go:2774]  |      10.12.3.1| 200 |   2.149488ms|   match| GET      /api/ping   r:/api/ping

This works when I use docker compose but not Kubernetes. Please advise

Thanks

dunxiii commented 4 years ago

The default username is admin and password is Harbor12345, while using these what does the log for harbor core say? The log output you posted are not relevant for the login process.

kratos81 commented 4 years ago

Hi

I used the default username and password.

This is the logs from harbor core 

k logs harbor-harbor-core-569d866bfd-8bhq4  | head -n30                         SIGPIPE(13)|0 ↵  11105  07:45:56
2020-04-16T09:52:09Z [INFO] [/replication/adapter/native/adapter.go:42]: the factory for adapter docker-registry registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/harbor/adapter.go:40]: the factory for adapter harbor registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/dockerhub/adapter.go:25]: Factory for adapter docker-hub registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/huawei/huawei_adapter.go:27]: the factory of Huawei adapter was registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/googlegcr/adapter.go:29]: the factory for adapter google-gcr registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/awsecr/adapter.go:47]: the factory for adapter aws-ecr registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/azurecr/adapter.go:15]: Factory for adapter azure-acr registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/aliacr/adapter.go:26]: the factory for adapter ali-acr registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/jfrog/adapter.go:30]: the factory of jfrog artifactory adapter was registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/quayio/adapter.go:34]: the factory of Quay.io adapter was registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/helmhub/adapter.go:30]: the factory for adapter helm-hub registered
2020-04-16T09:52:09Z [INFO] [/replication/adapter/gitlab/adapter.go:19]: the factory for adapter gitlab registered
2020-04-16T09:52:09Z [INFO] [/core/controllers/base.go:289]: Config path: /etc/core/app.conf
2020-04-16T09:52:09Z [INFO] [/core/main.go:177]: initializing configurations...
2020-04-16T09:52:09Z [INFO] [/core/config/config.go:100]: key path: /etc/core/key
2020-04-16T09:52:09Z [INFO] [/core/config/config.go:73]: init secret store
2020-04-16T09:52:09Z [INFO] [/core/config/config.go:76]: init project manager based on deploy mode
2020-04-16T09:52:09Z [INFO] [/core/config/config.go:145]: initializing the project manager based on local database...
2020-04-16T09:52:09Z [INFO] [/core/main.go:181]: configurations initialization completed
2020-04-16T09:52:09Z [INFO] [/common/dao/base.go:84]: Registering database: type-PostgreSQL host-harbor-harbor-database port-5432 databse-registry sslmode-"disable"
2020-04-16T09:52:10Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: i/o timeout
2020-04-16T09:52:14Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: i/o timeout
2020-04-16T09:52:18Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: connect: connection refused
2020-04-16T09:52:21Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: connect: connection refused
2020-04-16T09:52:24Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: connect: connection refused
2020-04-16T09:52:27Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: connect: connection refused
2020-04-16T09:52:30Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: connect: connection refused
2020-04-16T09:52:33Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: connect: connection refused
2020-04-16T09:52:36Z [ERROR] [/common/utils/utils.go:101]: failed to connect to tcp://harbor-harbor-database:5432, retry after 2 seconds :dial tcp 10.15.255.243:5432: connect: connection refused
2020-04-16T09:52:38Z [INFO] [/common/dao/base.go:89]: Register database completed
abdelhalimresu commented 4 years ago

I can confirm this issue, I installed the chart v1.3.2 with default username/password and I'm getting "Invalid user name or password." error

holoGDM commented 4 years ago

I can confirm it too. I installed with helm chart version with image: goharbor/harbor-core:v1.10.2 and can not login to Harbor with default password

reasonerjt commented 4 years ago

This error is security-related, so it's designed not to reveal too many details. Please check the log of harbor-core there should be more details.

user-name-is-taken commented 4 years ago

I found this article on resetting the harbor admin password from psql which might be helpful

brianasz commented 4 years ago

Removing the double quotes from harborAdminPassword: "Harbor12345" fixed the issue for me.

06kellyjac commented 4 years ago

Quotes in yaml are ignored You could check the initial password stored in the harbor-core secret to double check (remember to base64 decode)

06kellyjac commented 4 years ago

related: https://github.com/goharbor/harbor/issues/12423

I was able to log in when forwarding the main service but not when using the <name>-harbor-portal service even though they both successfuly display the login page

user-name-is-taken commented 4 years ago

I had this issue because I didn't add the protocol to externalURL

maxlim0 commented 3 years ago

Gosh, I spend a day fixing that password issue. It was really a problem with HTTPS under externalURL, I've changed to HTTP that fixed that. Because I'm using for testing DNS name only in my localhost hosts file.

YunSangJun commented 3 years ago

I had a same issue. It works after changing "externalURL". I install Harbor on GKE cluster and use "expose.type" as loadBalancer.

-Before
$ helm install \
  -n harbor \
  -f values.yaml \
  my-harbor harbor/harbor

-After
$ helm install \
  -n harbor \
  -f values.yaml \
  --set expose.loadBalancer.IP=x.x.x.x  \
  --set externalURL=http://x.x.x.x \
  my-harbor harbor/harbor
paullaffitte commented 3 years ago

I don't understand the relation between the admin password and the expose.type. I'm also getting this issue with harbor 2.3.0 chart 1.7.0.

shad2y commented 3 years ago

I also got the same issue with GKE installation. chart version: harbor-1.7.0 app version: 2.3.0

additional info:

kubectl get secrets -n harbor harbor-core -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 -d Harbor12345

cat terraform/modules/harbor/values.tf | egrep "externalURL|harborAdminPassword" externalURL: "http://harbor.mycompanyname.com" harborAdminPassword: "Harbor12345"

denisgmarques commented 3 years ago

Accessing harbor-core container and seeing the HARBOR_ADMIN_PASSWORD I saw the current admin password: bitnami

So try admin/bitnami

pcgeek86 commented 2 years ago

Same problem with Kubernetes 1.22.8 on Digital Ocean managed k8s. I installed the Helm chart for Harbor (not the Bitnami one), used kubectl port-forward to connect to the Harbor web front-end, and it won't let me login with admin / Harbor12345.

k0k commented 2 years ago

Ident problem, I deploy with helm and use a values.yaml with harborAdminPassword: d3vH8wt7hGQirPj, later to deploy and I get secret with:

kubectl get secrets -n harbor-system harbor-core -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 -d

OUTPUT: I get same value that harborAdminPassword so when try to connect via web I'm getting "Invalid user name or password." error.

jochumdev commented 2 years ago

Please check the logs of your browser, do you get a 405 Method not allowed?

I got that for the url https://registry.example.com/c/login

I fixed it by adding another Route to my Traefik IngressRoute:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: registry.example.com
  namespace: harbor
spec:
  routes:
  - kind: Rule
    match: Host(`registry.example.com`) && PathPrefix(`/`)
    priority: 1
    services:
      - kind: Service
        name: harbor-portal
        namespace: harbor
        port: 80
  - kind: Rule
    match: Host(`registry.example.com`) && PathPrefix(`/c/`)
    priority: 10
    services:
      - kind: Service
        name: harbor-core
        namespace: harbor
        port: 80
  - kind: Rule
    match: Host(`registry.example.com`) && PathPrefix(`/api/`)
    priority: 10
    services:
      - kind: Service
        name: harbor-core
        namespace: harbor
        port: 80
  - kind: Rule
    match: Host(`registry.example.com`) && PathPrefix(`/service/`)
    priority: 10
    services:
      - kind: Service
        name: harbor-core
        namespace: harbor
        port: 80
  - kind: Rule
    match: Host(`registry.example.com`) && PathPrefix(`/v2/`)
    priority: 10
    services:
      - kind: Service
        name: harbor-core
        namespace: harbor
        port: 80
  - kind: Rule
    match: Host(`registry.example.com`) && PathPrefix(`/chartrepo/`)
    priority: 10
    services:
      - kind: Service
        name: harbor-core
        namespace: harbor
        port: 80
  tls:
    certResolver: letsencrypt-prod
h2romero commented 2 years ago

The default username is admin and password is Harbor12345, while using these what does the log for harbor core say? The log output you posted are not relevant for the login process.

I was able to log back in with the default password by restarting Harbor ( via docker-compose down then up )

nguyenvulong commented 1 year ago

I was able to log back in with the default password by restarting Harbor ( via docker-compose down then up )

The error here happened on K8S (the OP mentioned AWS and GKE), not Docker. If using docker-compose it would be very straight-forward.

vangourd commented 1 year ago

Shoutout to https://github.com/goharbor/harbor-helm/issues/565#issuecomment-1238816325 for fixing this issue for me.

So it seems like Harbor is an SPA that tries to connect directly to harbor-core instead of proxying requests through portal. If you don't have Ingresses setup to direct those subdirectory requests to core it won't work correctly.

Maybe this should get added to the documentation for use with Helm charts?

syedammar111 commented 1 year ago

Shoutout to #565 (comment) for fixing this issue for me.

So it seems like Harbor is an SPA that tries to connect directly to harbor-core instead of proxying requests through portal. If you don't have Ingresses setup to direct those subdirectory requests to core it won't work correctly.

Maybe this should get added to the documentation for use with Helm charts?

Can you explain it to me I am trying to access the login page through port forwarding atleast to check if i am able to login. I deployed thorugh helm chart on managed kubernetes. my harbor-core page doesnt display anything (shows not 404 Page Not Found) and harbor portal page is never able to login with provided username password. Note i am trying to do with port-forwarding harbor-portal deployment. Ive spent days trying to fix it but nothing is working. please help

seab4ng commented 1 year ago

I had this issue because I didn't add the protocol to externalURL

hey, this works for me.... at the externalURL field replacing the value with internal/external IP or hostname of your loadbalancer (when you use 'proxy' conf). thank you!

tdeheurles commented 1 year ago

@darthguinea proposed to not go through port-forward which result in a 405 error. See here: https://github.com/goharbor/harbor-helm/issues/485

A quick summary for the one using helm chart on localhost: ⚠️ You need to access without port-forward ⚠️, so in my case I fixed by using service type loadbalancer. I didn't have to change externalURL.

Here is the helm configuration I used:

expose:
  type: loadBalancer
  ports:
    httpPort: 80
  tls:
    enabled: false

Then go to your http://localhost:80

Quick comment for the Harbor team, you guys could add a comment in your documentation for this issue ... spending a few hours to just enter the UI can be a bit a frustrating 😄

codestrong commented 1 year ago

I fixed it by adding another Route to my Traefik IngressRoute: Thank you, @jochumdev , this fixed it for me

oconnor17 commented 1 year ago

I was doing am on-premise install, where I had explicitly disabled TLS:

helm install harbor-test harbor/harbor -n harbor --create-namespace --set expose.type=loadBalancer --set expose.tls.enabled=false --set ipFamily.ipv6.enabled=false

My work-around was to update the "externalURL" setting and use the "http" protocol. This allowed me to login.

helm upgrade harbor-test harbor/harbor -n harbor --reuse-values --set externalURL=http://harbor-test.myorg.com

Hope this helps

github-actions[bot] commented 9 months ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] commented 8 months ago

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.