Closed srveerla closed 1 year ago
Please kindly check your GAR registry endpoint and replication rule. ref: https://github.com/goharbor/harbor/issues/16973#issuecomment-1245938649
Endpoint URL configured in Registry: https://us-docker.pkg.dev (this is on us-central) Harbor replication rule: ${GCP_PROJECT_ID}/${AR_REPOSITORY_NAME}/**
Any help would be appreciated, we are getting the error "no resources needs to be replicated"
I read #16973 carefully and got push-replication working.
But pull-replication still "succeeds" with no resources needs to be replicated.
My setup looks like this:
I would expect it to check if there are any images in <GOOGLE_PROJECT>/<REPO> that are missing in my local gar project and download them. But that's what I get:
Turns out it works when specifying the whole image path as resource filter. For example: <GOOGLE_PROJECT>/<REPO>/<MY_IMAGE>. Naturally this only replicates this single image.
So my guess is something with listing the remote images when using wildcard is the issue?
@mrbuk: What exact source filter did you test in #16973?
@norman-zon it should work with ${GCP_PROJECT_ID}/${AR_REPOSITORY_NAME}/** or even with blank or **.
If it does not work for you I have a suspicion: you are using a dedicated service account with only Artifact Registry permissions (e.g. Reader / Writer) and are missing the resourcemanager.projects.get permission. Typically this permission is something that basic roles like Viewer have.
The way to validate my suspicion is to use the following command to validate that the /v2/_catalog returns something.
export JSON_KEY_B64=$(base64 -w 0 < my-secret-key.json)   # -w 0 (GNU base64): no line wrapping, otherwise the key contains newlines and the header breaks
curl -u "_json_key_base64:$JSON_KEY_B64" https://europe-west3-docker.pkg.dev/v2/_catalog
So if the command returns {"repositories":[]} although you have repositories, you are most likely missing the resourcemanager.projects.get permission. It is unfortunate that the API returns a 200 OK in that case, but this might be in spec/desired behaviour.
If adding the resourcemanager.projects.get permission solves it for you as well let me know I will raise an issue with the Artifact Registry team to document this.
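A small diagnostic wrapper around the catalog check above, added here as an example and not code from the thread or from Harbor: it classifies the HTTP status and body the way the comment describes, so an empty 200 OK is flagged as the likely missing resourcemanager.projects.get permission rather than read as "no repositories". The host name and key file are assumptions supplied by the caller.

```shell
#!/usr/bin/env sh
# Added example: classify a GAR /v2/_catalog response for a Harbor replication SA.
# classify_catalog STATUS BODY -> prints a diagnosis; exit code 0 only when repos are listed.
classify_catalog() {
  status="$1"
  body="$2"
  case "$status" in
    200)
      # Compare whitespace-insensitively; GAR returns compact JSON, but be tolerant.
      if printf '%s' "$body" | tr -d ' \n\t' | grep -Fq '"repositories":[]'; then
        echo "EMPTY_CATALOG: 200 OK but no repositories listed; if the project has repositories, the service account is most likely missing resourcemanager.projects.get"
        return 2
      fi
      echo "OK: catalog lists repositories"
      return 0
      ;;
    401|403)
      echo "AUTH_FAILURE: HTTP $status; check the key file and the Artifact Registry Reader/Writer role"
      return 3
      ;;
    *)
      echo "UNEXPECTED: HTTP $status"
      return 4
      ;;
  esac
}

# check_gar_catalog HOST KEY_FILE: performs the real request (needs network and a SA JSON key).
# Example: check_gar_catalog us-docker.pkg.dev my-secret-key.json
check_gar_catalog() {
  host="$1"
  key_file="$2"
  key_b64=$(base64 -w 0 < "$key_file")   # -w 0: GNU base64, no line wrapping
  # Append the HTTP status as a final line so body and status can be split afterwards.
  resp=$(curl -s -w '\n%{http_code}' -u "_json_key_base64:$key_b64" "https://$host/v2/_catalog")
  body=$(printf '%s\n' "$resp" | sed '$d')
  status=$(printf '%s\n' "$resp" | tail -n 1)
  classify_catalog "$status" "$body"
}
```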
Thanks @mrbuk! Indeed giving the SA resourcemanager.projects.get permission fixed it. I would have expected it to be included in the Artifact Registry Service Agent Role, but it isn't.
Interesting that the API returns 200 in case the SA has no permission to actually list anything.
Worked like a charm... thanks @mrbuk
@srveerla which IAM role did you end up using?
Thanks for the hint about using the resourcemanager.projects.get permission to be able to use wildcards in Harbor replication rule for Google Artifact Registry! Since I wanted minimal permission needed on my service account, I created a custom role for the permission and then assigned it to my service account:
gcloud iam roles create ProjectMetadataGetter \
--project=XXXXXXXXXXXX-cf3f4d7 \
--title="Project Metadata Getter" \
--description="Custom role with resourcemanager.projects.get permission. Used to list meta data of a project." \
--permissions="resourcemanager.projects.get" \
--stage="GA"
gcloud projects add-iam-policy-binding XXXXXXXXXXXX-cf3f4d7 \
--member="serviceAccount:YYYYYYYYY@XXXXXXXXXXXX-cf3f4d7.iam.gserviceaccount.com" \
--role="projects/XXXXXXXXXXXX-cf3f4d7/roles/ProjectMetadataGetter"
How can we help you?
We are looking for GAR replication (Push and Pull) over Harbor; used with GCR, the connection was successful, however replication does not happen, "no image to replicate" is what it says.
Thanks, SRV