MinerYang
commented
1 year ago Please kindly check your GAR registry endpoint and replication rule. ref: https://github.com/goharbor/harbor/issues/16973#issuecomment-1245938649
Closed srveerla closed 1 year ago
MinerYang
commented
1 year ago Please kindly check your GAR registry endpoint and replication rule. ref: https://github.com/goharbor/harbor/issues/16973#issuecomment-1245938649
srveerla
commented
1 year ago Endpoint URL configured in Registry: https://us-docker.pkg.dev (this is on us-central) Harbor replication rule: ${GCP_PROJECT_ID}/${AR_REPOSITORY_NAME}/**
srveerla
commented
1 year ago Any help would be appreciated, we are getting the error "no resources needs to be replicated"
norman-zon
commented
1 year ago I read #16973 carefully and got push-replication working.
But pull-replication still "succeeds" with no resources needs to be replicated.
My setup looks like this:
I would expect it to check if there are any images in <GOOGLE_PROJECT>/<REPO> that are missing in my local gar project and download them. But that's what i get:
norman-zon
commented
1 year ago Turns out it works when specifying the whole image path as resource filter. For example:
<GOOGLE_PROJECT>/<REPO>/<MY_IMAGE>. Naturally this only replicates this single image.
So my guess is something with listing the remote images when using wildcard is the issue?
@mrbuk: What exact source filter did you test in #16973?
mrbuk
commented
1 year ago @norman-zon it should work with ${GCP_PROJECT_ID}/${AR_REPOSITORY_NAME}/** or even with blank or **.
If it does not work for you I have a suspicion: you are using a dedicated service account with only Artifact Registry permissions (e.g. Reader / Writer) and are missing the resourcemanager.projects.get permission. Typically this permission is something that basic roles like Viewer have.
The way to validate my suspicion is to use the following command to validate that the /v2/_catalog returns something.
export JSON_KEY_B64=$(base64 < my-secret-key.json)
curl -u _json_key_base64:$JSON_KEY_B64 https://europe-west3-docker.pkg.dev/v2/_catalogSo if the command returns: {"repositories":[]} although you have repositories you are most likely missing the resourcemanager.projects.get permission. It is unfortunate that the API returns in that case a 200 OK but this might be in spec/desired behaviour.
If adding the resourcemanager.projects.get permission solves it for you as well let me know I will raise an issue with the Artifact Registry team to document this.
norman-zon
commented
1 year ago Thanks @mrbuk! Indeed giving the SA resourcemanager.projects.get permission fixed it. I would have expected it to be included in the Artifact Registry Service Agent Role, but it isn't.
Interesting that the API returns 200 in case the SA has no permission to actually list anything.
srveerla
commented
1 year ago worked like a Charm....thanks @mrbuk
norman-zon
commented
1 year ago @srveerla which IAM role did you end up using?
schedin
commented
2 months ago Thanks for the hint about using the resourcemanager.projects.get permission to be able to use wildcards in Harbor replication rule for Google Artifact Registry! Since I wanted minimal permission needed on my service account, I created a custom role for the permission and then assigned it to my service account:
gcloud iam roles create ProjectMetadataGetter \
--project=XXXXXXXXXXXX-cf3f4d7 \
--title="Project Metadata Getter" \
--description="Custom role with resourcemanager.projects.get permission. Used to list meta data of a project." \
--permissions="resourcemanager.projects.get" \
--stage="GA"
gcloud projects add-iam-policy-binding XXXXXXXXXXXX-cf3f4d7 \
--member="serviceAccount:YYYYYYYYY@XXXXXXXXXXXX-cf3f4d7.iam.gserviceaccount.com" \
--role="projects/XXXXXXXXXXXX-cf3f4d7/roles/ProjectMetadataGetter"
How can we help you?
we are looking for GAR replication (Push and Pull) over Harbor, used with GCR and connection was successful, however replication doesnot happen, no image to replicate is what it says.
Thanks, SRV