goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

webhooks: robot operator does not set resource's tag field (set digest instead) #20939

Open romain-rossi opened 1 month ago

romain-rossi commented 1 month ago

Expected behavior and actual behavior: on a PUSH_ARTIFACT event triggered by a robot account (from CI), the event_type.resources.tag field is set to the image's digest instead of the actual tag.

Steps to reproduce the problem:

  1. configure a webhook on a project
  2. push an image to this project using a robot account and check the webhook payload:

     {
       "type": "PUSH_ARTIFACT",
       "occur_at": 1726573473,
       "operator": "robot$...",
       "event_data": {
         "resources": [
           {
             "digest": "sha256:4965673...",
             "tag": "sha256:4965673...",            <---- TAG NOT SET
             "resource_url": "..."
           }
         ],
         "repository": {
           "date_created": 1726127341,
           ...
         }
       }
     }

  3. push an image to the same repository with a user account:

     {
       "type": "PUSH_ARTIFACT",
       "occur_at": 1726568391,
       "operator": "...@....com",
       "event_data": {
         "resources": [
           {
             "digest": "sha256:00.",
             "tag": "latest",                       <---- TAG SET
             "resource_url": "..."
           }
         ],
         "repository": {
           "date_created": 1671543862,
           ...
         }
       }
     }

Versions:

chlins commented 1 month ago

Did you push the image on the same client by robot account and normal user? I've tried to push the same image with robot account and normal user, and got the correct tag when using robot account.

{
  "type": "PUSH_ARTIFACT",
  "occur_at": 1727084023,
  "operator": "robot$robot-user1",   <--- this is a robot user
  "event_data": {
    "resources": [
      {
        "digest": "sha256:01908c2ed615f2ce1d8de01375116d8542ede0daf8af5bb3854f9a32fcb0f2f4",
        "tag": "latest",    <--- got the tag correctly
        "resource_url": "harbor.local/library/hello-world:latest"
      }
    ],
    "repository": {
      "date_created": 1727084023,
      "name": "hello-world",
      "namespace": "library",
      "repo_full_name": "library/hello-world",
      "repo_type": "public"
    }
  }
}

romain-rossi commented 1 month ago

Hello @chlins,

Thank you for your test and answer.

The pushes were done by changing the authentication (user/robot) of the Woodpecker CI Buildx and by restarting the same build pipeline.

  1. Which Harbor version are you using for your test?
  2. How did you create (System/Project scope) and configure (Permissions) your robot account?

Thanks

chlins commented 1 month ago

I'm using v2.11 and created a system-scope robot with all permissions selected.

romain-rossi commented 1 month ago

Thanks @chlins,

As soon as we upgrade Harbor to version 2.11.1, I'll try the CI builds with a system-scope robot with all permissions and see if it makes a difference.

We are using a project scope robot account with limited permissions.

romain-rossi commented 1 month ago

We did some more tests authenticating with a project robot that has write/push permissions, on Harbor version v2.11.1-6b7ecba1.

When the CI plugin (buildx) pushes multiple tags for the same image (latest, x.y.z, x.y and x), only the first webhook has the tag name ("latest") in its "tag" field; the following webhooks have the image digest in their "tag" fields instead.
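Until the payload is fixed, a webhook consumer can defend itself against the symptom described in this thread. The following is an added example written for this page, not Harbor's own code: it refuses to treat a digest-valued "tag" as a tag and recovers the tag from resource_url where that field names one; it assumes only the payload shape shown above, and the sample payload is constructed.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

type Event struct { // subset of the PUSH_ARTIFACT payload fields shown in this issue
	EventData struct {
		Resources []struct {
			Digest      string `json:"digest"`
			Tag         string `json:"tag"`
			ResourceURL string `json:"resource_url"`
		} `json:"resources"`
	} `json:"event_data"`
}

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
// TagLooksLikeDigest reports whether "tag" carries a digest, the symptom reported here.
func TagLooksLikeDigest(tag string) bool { return digestRe.MatchString(tag) }

// tagFromURL recovers the tag from resource_url ("host[:port]/repo:tag"); a digest
// reference ("repo@sha256:...") has no tag, and a colon before the last "/" is a port.
func tagFromURL(u string) string {
	c := strings.LastIndex(u, ":")
	if c < 0 || strings.Contains(u, "@") || c < strings.LastIndex(u, "/") {
		return ""
	}
	return u[c+1:]
}

// EffectiveTags maps each resource digest to the tag a consumer may act on, taking it
// from resource_url when "tag" is missing or really a digest; "" means the tag is unknown.
func EffectiveTags(body []byte) (map[string]string, error) {
	var ev Event
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, r := range ev.EventData.Resources {
		out[r.Digest] = r.Tag
		if r.Tag == "" || TagLooksLikeDigest(r.Tag) { // digest-as-tag: never act on it as a tag
			out[r.Digest] = tagFromURL(r.ResourceURL)
		}
	}
	return out, nil
}

// SampleDigest and Sample are constructed: "tag" holds the digest, resource_url names the tag.
var SampleDigest = "sha256:" + strings.Repeat("ab", 32)
var Sample = `{"event_data":{"resources":[{"digest":"` + SampleDigest + `","tag":"` + SampleDigest +
	`","resource_url":"harbor.local:443/library/hello-world:1.2.3"}]}}`
```

An empty result for a digest means the event carries no usable tag, so a pipeline that promotes or deploys by tag should resolve the artifact by digest through the Harbor API instead of trusting the webhook.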