goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Unable to add helm repo as robot account #11664

Closed devops-invivoo closed 4 years ago

devops-invivoo commented 4 years ago

Unable to add helm repo as robot account

Expected behavior

If I add the helm repo with correct robot account credentials, the add should succeed.

helm repo add mycharts https://harbor.my.domain.com/chartrepo/myproject --username "robot$project-technical-account" --password "secretpassword"
"mycharts" has been added to your repositories

Actual behavior

When trying to add helm repo with robot credentials, I get the following:

helm repo add mycharts https://harbor.my.domain.com/chartrepo/myproject --username "robot$project-technical-account" --password "secretpassword"
Error: looks like "https://harbor.my.domain.com/chartrepo/myproject" is not a valid chart repository or cannot be reached: failed to fetch https://harbor.my.domain.com/chartrepo/myproject/index.yaml : 401 Unauthorized

When trying the exact same command with admin user credentials

helm repo add mycharts https://harbor.my.domain.com/chartrepo/myproject --username "admin" --password "secretadminpassword"
"mycharts" has been added to your repositories

Versions

Additional context

I checked both push and pull checkboxes on the helm part when creating the robot account.

I deployed the chart using the values.yaml below. Basically, I just changed the service type to nodeport which I then put behind a reverse proxy. I also changed the default "fake" external url to match that of our domain and the storage bucket credentials to match our own.

# Exposure settings for the Harbor services; `type` below selects nodePort.
# NOTE(review): as pasted, this key is at column 0 while its children are at
# 4 spaces and the later sibling keys at 2, so the leading indent of this line
# appears to have been lost and the snippet will not parse unchanged.
expose:
    # Per the issue text, the nodePort service is placed behind a reverse proxy.
    type: nodePort
    tls:
      # TLS is off at Harbor itself. NOTE(review): presumably the reverse proxy
      # terminates HTTPS; confirm the proxy-to-Harbor hop is trusted, because
      # registry credentials travel over it.
      enabled: false
      secretName: ""
      notarySecretName: ""
      commonName: ""
    # The ingress, clusterIP and loadBalancer sections are still filled in
    # although type is nodePort; presumably ignored — verify against the chart.
    ingress:
      hosts:
        core: core.harbor.xcomponent
        notary: notary.harbor.xcomponent
      controller: default
      annotations:
        ingress.kubernetes.io/ssl-redirect: "true"
        ingress.kubernetes.io/proxy-body-size: "0"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/proxy-body-size: "0"
    clusterIP:
      name: harbor
      ports:
        httpPort: 80
        httpsPort: 443
        notaryPort: 4443
    nodePort:
      name: harbor
      ports:
        http:
          port: 80
          # mynodeport1..3 look like placeholders the poster put in place of
          # the real node port numbers.
          nodePort: mynodeport1
        https:
          port: 443
          nodePort: mynodeport2
        notary:
          port: 4443
          nodePort: mynodeport3
    loadBalancer:
      name: harbor
      IP: ""
      ports:
        httpPort: 80
        httpsPort: 443
        notaryPort: 4443
      annotations: {}
      sourceRanges: []

  # External URL of the registry; per the issue text the poster changed it from
  # the chart's default to their own domain. It is https although expose.tls is
  # disabled above, which fits HTTPS being terminated at the reverse proxy —
  # NOTE(review): confirm.
  externalURL: https://harbor.my.domain.com

  # Persistent storage: one volume claim per component, plus the backend used
  # for image and chart blobs.
  persistence:
    enabled: true
    resourcePolicy: "keep"
    persistentVolumeClaim:
      registry:
        existingClaim: ""
        storageClass: ""
        subPath: ""
        accessMode: ReadWriteOnce
        size: 8Gi
      chartmuseum:
        existingClaim: ""
        storageClass: ""
        subPath: ""
        accessMode: ReadWriteOnce
        size: 8Gi
      jobservice:
        existingClaim: ""
        storageClass: ""
        subPath: ""
        accessMode: ReadWriteOnce
        size: 1Gi
      database:
        existingClaim: ""
        storageClass: ""
        subPath: ""
        accessMode: ReadWriteOnce
        size: 1Gi
      redis:
        existingClaim: ""
        storageClass: ""
        subPath: ""
        accessMode: ReadWriteOnce
        size: 1Gi
    imageChartStorage:
      disableredirect: false

      # azure is the selected backend; the other backend sections below hold
      # sample values and are presumably unused — verify against the chart.
      type: azure
      filesystem:
        rootdirectory: /storage
      azure:
        # The issue text says these were set to the poster's own bucket
        # credentials; the values shown are placeholders. A storage account key
        # written inline is readable by anyone who can read this values file.
        accountname: myazureaccount
        accountkey: myazurepassword
        container: myazurecontainer
      gcs:
        bucket: bucketname
        encodedkey: base64-encoded-json-key-file
      s3:
        region: us-west-1
        bucket: bucketname
      swift:
        authurl: https://storage.myprovider.com/v3/auth
        username: username
        password: password
        container: containername
      oss:
        accesskeyid: accesskeyid
        accesskeysecret: accesskeysecret
        region: regionname
        bucket: bucketname

  # Global settings: image pull behaviour, rollout strategy, log level and the
  # two instance-wide secrets.
  imagePullPolicy: IfNotPresent

  # Bare key, so the value is null (no pull secrets listed).
  imagePullSecrets:

  updateStrategy:
    type: RollingUpdate

  logLevel: info

  # Admin password in clear text in the values file; the value shown is a
  # placeholder. The issue's working command logs in as "admin".
  harborAdminPassword: "myadminpassword"
  # NOTE(review): the value describes itself as not secure and looks like a
  # sample; if this is what was deployed, replace it with a random key.
  secretKey: "not-a-secure-key"

  # Outbound proxy settings for the listed components.
  proxy:
    # Both proxy URLs are bare keys (null), so no proxy is configured here.
    httpProxy:
    httpsProxy:
    noProxy: 127.0.0.1,localhost,.local,.internal
    components:
      - core
      - jobservice
      - clair

  # nginx component: image pinned to a version tag, single replica, no
  # scheduling constraints or pod annotations.
  nginx:
    image:
      repository: goharbor/nginx-photon
      tag: v1.10.1
    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}

  # Portal component: image pinned to a version tag, single replica, no
  # scheduling constraints or pod annotations.
  portal:
    image:
      repository: goharbor/harbor-portal
      tag: v1.10.1
    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}

  # Core component: image pinned to a version tag, single replica.
  core:
    image:
      repository: goharbor/harbor-core
      tag: v1.10.1
    replicas: 1
    livenessProbe:
      # Liveness probing starts 300 seconds after the container starts.
      initialDelaySeconds: 300
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    # All three secrets are left empty. NOTE(review): presumably the chart
    # generates values when these are blank — confirm before relying on it.
    secret: ""
    secretName: ""
    xsrfKey: ""

  # Job service component: image pinned to a version tag, single replica,
  # up to 10 job workers, job logs written to file.
  jobservice:
    image:
      repository: goharbor/harbor-jobservice
      tag: v1.10.1
    replicas: 1
    maxJobWorkers: 10
    jobLogger: file
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    # Left empty. NOTE(review): presumably generated by the chart — confirm.
    secret: ""

  # Registry component: the registry image and its controller image, both
  # pinned to version tags, plus the optional storage middleware.
  registry:
    registry:
      image:
        repository: goharbor/registry-photon
        tag: v2.7.1-patch-2819-2553-v1.10.1

    controller:
      image:
        repository: goharbor/harbor-registryctl
        tag: v1.10.1

    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    # Left empty. NOTE(review): presumably generated by the chart — confirm.
    secret: ""
    relativeurls: true
    middleware:
      # Middleware is disabled; the cloudFront values below are sample values.
      enabled: false
      type: cloudFront
      cloudFront:
        baseurl: example.cloudfront.net
        keypairid: KEYPAIRID
        duration: 3000s
        ipfilteredby: none
        privateKeySecret: "my-secret"

  # ChartMuseum component, enabled. NOTE(review): presumably this is what
  # serves the /chartrepo/<project> URL used by the helm repo add commands in
  # this issue — confirm.
  chartmuseum:
    enabled: true
    absoluteUrl: false
    image:
      repository: goharbor/chartmuseum-photon
      tag: v0.9.0-v1.10.1
    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}

  # Clair scanner and its adapter, enabled; both images pinned to version tags.
  clair:
    enabled: true
    clair:
      image:
        repository: goharbor/clair-photon
        tag: v2.1.1-v1.10.1
    adapter:
      image:
        repository: goharbor/clair-adapter-photon
        tag: v1.0.1-v1.10.1
    replicas: 1
    # NOTE(review): unit of the interval is not stated here — check the chart.
    updatersInterval: 12
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}

  # Notary server and signer, enabled; both images pinned to version tags,
  # one replica each.
  notary:
    enabled: true
    server:
      image:
        repository: goharbor/notary-server-photon
        tag: v0.6.1-v1.10.1
      replicas: 1
    signer:
      image:
        repository: goharbor/notary-signer-photon
        tag: v0.6.1-v1.10.1
      replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    # Left empty. NOTE(review): presumably certificates are generated by the
    # chart when no secret is named — confirm.
    secretName: ""

  # Database settings; `type: internal` selects the bundled database.
  database:
    type: internal
    internal:
      image:
        repository: goharbor/harbor-db
        tag: v1.10.1
      initContainerImage:
        # The only image in this file on a floating tag: `latest` can resolve
        # to different content over time, unlike the versioned tags elsewhere.
        repository: busybox
        tag: latest
      # NOTE(review): "changeit" reads like a sample password; if this is the
      # deployed value, set a unique one.
      password: "changeit"
      nodeSelector: {}
      tolerations: []
      affinity: {}
    # Presumably unused while type is internal — verify against the chart.
    # The values are samples; note sslmode "disable" would turn TLS off for the
    # database connection if this section were used.
    external:
      host: "192.168.0.1"
      port: "5432"
      username: "user"
      password: "password"
      coreDatabase: "registry"
      clairDatabase: "clair"
      notaryServerDatabase: "notary_server"
      notarySignerDatabase: "notary_signer"
      sslmode: "disable"
    maxIdleConns: 50
    maxOpenConns: 100
    podAnnotations: {}

  # Redis settings; `type: internal` selects the bundled Redis.
  redis:
    type: internal
    internal:
      image:
        repository: goharbor/redis-photon
        tag: v1.10.1
      nodeSelector: {}
      tolerations: []
      affinity: {}
    # Presumably unused while type is internal — verify against the chart.
    # Each component is given its own database index; the password is empty,
    # i.e. no Redis authentication would be configured for an external server.
    external:
      host: "192.168.0.2"
      port: "6379"
      coreDatabaseIndex: "0"
      jobserviceDatabaseIndex: "1"
      registryDatabaseIndex: "2"
      chartmuseumDatabaseIndex: "3"
      clairAdapterIndex: "4"
      password: ""
    podAnnotations: {}
wy65701436 commented 4 years ago

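@devops-invivoo you have to use ' instead of " in the command. Inside double quotes the shell expands $project as a variable (normally unset, so empty), so the username helm sends is not the robot account name and Harbor answers 401; single quotes pass the $ through literally.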

helm repo add mycharts https://harbor.my.domain.com/chartrepo/myproject --username 'robot$project-technical-account' --password 'secretpassword'

It should work.

wy65701436 commented 4 years ago

@danfengliu we need a test case for helm v3 with robot account in CI.

xaleeks commented 4 years ago

seems this has been resolved

yizhishang commented 4 years ago

helm repo add harbor https://core.harbor.yizhishang.com/chartrepo/library --username "admin" --password "admin"
Error: looks like "https://core.harbor.yizhishang.com/chartrepo/library" is not a valid chart repository or cannot be reached: Get "https://core.harbor.yizhishang.com/chartrepo/library/index.yaml": x509: certificate signed by unknown authority