goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

GAR Replication #18981

Closed. srveerla closed this 1 year ago.

srveerla commented 1 year ago

How can we help you?

We are looking for GAR replication (push and pull) over Harbor. We used it with GCR and the connection was successful; however, replication does not happen, and "no image to replicate" is what it says.

Thanks, SRV

MinerYang commented 1 year ago

Please kindly check your GAR registry endpoint and replication rule. ref: https://github.com/goharbor/harbor/issues/16973#issuecomment-1245938649

srveerla commented 1 year ago

Endpoint URL configured in Registry: https://us-docker.pkg.dev (this is on us-central)
Harbor replication rule: ${GCP_PROJECT_ID}/${AR_REPOSITORY_NAME}/**

srveerla commented 1 year ago

Any help would be appreciated; we are getting the error "no resources needs to be replicated".

norman-zon commented 1 year ago

I read #16973 carefully and got push-replication working. But pull-replication still "succeeds" with "no resources needs to be replicated".

My setup looks like this:

[three screenshots of the replication setup, not reproduced]

I would expect it to check if there are any images in <GOOGLE_PROJECT>/<REPO> that are missing in my local gar project and download them. But that's what I get:

[screenshot of the replication result, not reproduced]

norman-zon commented 1 year ago

Turns out it works when specifying the whole image path as the resource filter, for example <GOOGLE_PROJECT>/<REPO>/<MY_IMAGE>. Naturally this only replicates this single image.

So my guess is that something with listing the remote images when using a wildcard is the issue?

@mrbuk: What exact source filter did you test in #16973?

mrbuk commented 1 year ago

@norman-zon it should work with ${GCP_PROJECT_ID}/${AR_REPOSITORY_NAME}/** or even with a blank filter or **.

If it does not work for you I have a suspicion: you are using a dedicated service account with only Artifact Registry permissions (e.g. Reader / Writer) and are missing the resourcemanager.projects.get permission. Typically this permission is something that basic roles like Viewer have.

The way to validate my suspicion is to use the following command to check that /v2/_catalog returns something.

export JSON_KEY_B64=$(base64 -w 0 < my-secret-key.json)   # -w 0: keep the key on one line, no wrapping (GNU base64)
curl -u "_json_key_base64:$JSON_KEY_B64" https://europe-west3-docker.pkg.dev/v2/_catalog

So if the command returns {"repositories":[]} although you have repositories, you are most likely missing the resourcemanager.projects.get permission. It is unfortunate that the API returns a 200 OK in that case, but this might be in-spec/desired behaviour.

If adding the resourcemanager.projects.get permission solves it for you as well, let me know; I will raise an issue with the Artifact Registry team to document this.
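The catalog check described above, as an added example (not code from the thread or from the Harbor project): it probes /v2/_catalog with a service-account key and flags the "200 OK but empty catalog" symptom separately from plain authentication failures. The registry host, key file name and the exact JSON shape of the response are assumptions, not taken from the page.

```shell
#!/usr/bin/env sh
# Added example, not from the thread or the Harbor project: probe GAR's
# /v2/_catalog with a service-account key and flag the "200 OK but empty
# catalog" symptom that mrbuk attributes to a missing
# resourcemanager.projects.get permission. Assumed (not on the page): the
# registry host, the key file path and the exact JSON shape of the response.
set -u

# Classify a catalog response. Args: HTTP status code, response body.
# Prints OK, EMPTY_CATALOG_CHECK_PROJECTS_GET, AUTH_FAILED or UNEXPECTED.
classify_catalog() {
  status="$1"
  # Drop whitespace so {"repositories": [ ] } and {"repositories":[]} compare equal.
  compact=$(printf '%s' "$2" | tr -d ' \n\t')
  case "$status" in
    200)
      if [ "$compact" = '{"repositories":[]}' ]; then
        echo EMPTY_CATALOG_CHECK_PROJECTS_GET   # auth ok, but nothing is listable
      elif printf '%s' "$compact" | grep -q '"repositories":\["'; then
        echo OK                                 # at least one repository visible
      else
        echo UNEXPECTED
      fi
      ;;
    401|403) echo AUTH_FAILED ;;                # bad key or no registry role at all
    *)       echo UNEXPECTED ;;
  esac
}

# Fetch the catalog and print "<status> <body>". base64 -w 0 (GNU coreutils)
# keeps the key on one line; on macOS use `base64 | tr -d '\n'` instead.
fetch_catalog() {
  host="$1"; keyfile="$2"
  nl='
'
  key_b64=$(base64 -w 0 < "$keyfile")
  out=$(curl -sS -u "_json_key_base64:${key_b64}" -w "${nl}%{http_code}" \
        "https://${host}/v2/_catalog")
  printf '%s %s\n' "${out##*$nl}" "${out%$nl*}"
}

# Usage: sh check_gar_catalog.sh --run us-docker.pkg.dev my-secret-key.json
if [ "${1:-}" = "--run" ]; then
  res=$(fetch_catalog "$2" "$3")
  classify_catalog "${res%% *}" "${res#* }"
fi
```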

norman-zon commented 1 year ago

Thanks @mrbuk! Indeed giving the SA resourcemanager.projects.get permission fixed it. I would have expected it to be included in the Artifact Registry Service Agent Role, but it isn't.

Interesting that the API returns 200 in case the SA has no permission to actually list anything.

srveerla commented 1 year ago

Worked like a charm... thanks @mrbuk

norman-zon commented 1 year ago

@srveerla which IAM role did you end up using?

schedin commented 3 months ago

Thanks for the hint about using the resourcemanager.projects.get permission to be able to use wildcards in a Harbor replication rule for Google Artifact Registry! Since I wanted the minimal permissions needed on my service account, I created a custom role for the permission and then assigned it to my service account:

gcloud iam roles create ProjectMetadataGetter \
  --project=XXXXXXXXXXXX-cf3f4d7 \
  --title="Project Metadata Getter" \
  --description="Custom role with resourcemanager.projects.get permission. Used to list meta data of a project." \
  --permissions="resourcemanager.projects.get" \
  --stage="GA"

gcloud projects add-iam-policy-binding XXXXXXXXXXXX-cf3f4d7 \
  --member="serviceAccount:YYYYYYYYY@XXXXXXXXXXXX-cf3f4d7.iam.gserviceaccount.com" \
  --role="projects/XXXXXXXXXXXX-cf3f4d7/roles/ProjectMetadataGetter"