search

goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
24.3k stars 4.77k forks source link

API handles all tags as immutable by default #20382

Closed sberlin closed 7 months ago

sberlin commented 7 months ago

Expected behavior: When having no immutability rules in a project configured, changing the tag from one artifact to another in the same repository should work.

Actual behavior: 409 conflict is returned and tag is not updated

The same is true for adding the same tag twice to an artifact.

Steps to reproduce the problem: POST to the same artifact twice or use the same tag for different artifacts of the repository:

curl -X POST -w '%{http_code}\n' https://harbor-registry.example.com/api/v2.0/projects/foo/repositories/bar/artifacts/sha256%3A01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b/tags -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Basic foobar=' -d '{"name":"latest"}'
201
curl -X POST -w '%{http_code}\n' https://harbor-registry.example.com/api/v2.0/projects/foo/repositories/bar/artifacts/sha256%3Ae130e6a11f8a3e3da0acf9752257ca2966246b6cf00c70f6117069d9e2a207b1/tags -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Basic foobar=' -d '{"name":"latest"}'
{"errors":[{"code":"CONFLICT","message":"tag latest already exists under the repository 111"}]}
409

Versions:

Additional context: The documented behavior on tag immutability defaults is only true for pushing, but surprisingly not for the REST API v2: https://goharbor.io/docs/2.10.0/working-with-projects/working-with-images/create-tag-immutability-rules/

The issue was already brought up in #14954, but not addressed.

I'm only a project admin without access to configs or logs.

MinerYang commented 7 months ago

Hi @sberlin , This is by design that a same tag is unique within the same repository, thus would avoid mismatch the identifier of an image/artifact when you are pulling by tag. If you pushing another image within the same repository with same tag, it will automatically been updated to the given new artifact.

sberlin commented 7 months ago

If you pushing another image within the same repository with same tag, it will automatically been updated to the given new artifact.

This feature was once also implemented on the v1 API and called retag. Is it possible to re-introduce it? Using the API would be easier for us than pushing with container tools.

MinerYang commented 7 months ago

Seems we don't have this so called retag function.