siderolabs / image-factory

A service to generate Talos boot assets
Mozilla Public License 2.0

Harbor as registry #73

Closed jahanson closed 9 months ago

jahanson commented 9 months ago

I am able to use Harbor as the registry for all of the steps in the installer part except the retrieval phase. It's able to create, cache, and push, but when it comes to retrieving the installer with the image factory redirect docker gives me the error:

Error response from daemon: unauthorized: authorize header needed to send HEAD to repository: authorize header needed to send HEAD to repository

I am able to retrieve the installer manually by pulling it with docker without credentials from where image-factory places it in Harbor, but I can't get it to work with the redirect.


With further investigation and the utility skopeo I'm able to determine that a token needs to be retrieved and used but doesn't necessarily need to be retrieved with credentials, just an endpoint.

Image factory logs pulling from harbor, getting 401s

factory.hsn.dev - "HEAD /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/v1.6.0 HTTP/1.1" 200 0 "-" "go-containerregistry/v0.16.1" 0.017 0.016 .
factory.hsn.dev - "GET /v2/ HTTP/1.1" 401 76 "-" "Go-http-client/1.1" 0.001 0.001 .
factory.hsn.dev - "GET /service/token?scope=repository%3Asiderolabs%2Finstaller%2F2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b%3Apull&service=harbor-registry HTTP/1.1" 200 1040 "-" "go-containerregistry/v0.16.1" 0.020 0.021 .
factory.hsn.dev - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/sha256-d1f237bbfc5ee91e4d3fe1f77dbfbc90e679404db41f77bbe3e8f67ae6381b58.sig HTTP/1.1" 200 558 "-" "go-containerregistry/v0.16.1" 0.012 0.011 .
factory.hsn.dev - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/blobs/sha256:a9e39a8d3a390a6180f37e050bf226c1dde7c601bc9116294d9a4ba9ffc7f2f9 HTTP/1.1" 200 316 "-" "go-containerregistry/v0.16.1" 0.012 0.012 .
me - "HEAD /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/sha256:d1f237bbfc5ee91e4d3fe1f77dbfbc90e679404db41f77bbe3e8f67ae6381b58 HTTP/1.1" 401 0 "https://factory.hsn.dev/v2/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/v1.6.0" "docker/24.0.7 go/go1.20.10 git-commit/311b9ff kernel/6.6.2-201.fc39.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.7 \x5C(linux\x5C))" 0.002 0.002 .
factory.hsn.dev - "HEAD /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/v1.6.0 HTTP/1.1" 200 0 "-" "go-containerregistry/v0.16.1" 0.013 0.014 .
factory.hsn.dev - "GET /v2/ HTTP/1.1" 401 76 "-" "Go-http-client/1.1" 0.000 0.001 .
factory.hsn.dev - "GET /service/token?scope=repository%3Asiderolabs%2Finstaller%2F2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b%3Apull&service=harbor-registry HTTP/1.1" 200 1040 "-" "go-containerregistry/v0.16.1" 0.016 0.015 .
factory.hsn.dev - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/sha256-d1f237bbfc5ee91e4d3fe1f77dbfbc90e679404db41f77bbe3e8f67ae6381b58.sig HTTP/1.1" 200 558 "-" "go-containerregistry/v0.16.1" 0.017 0.017 .
factory.hsn.dev - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/blobs/sha256:a9e39a8d3a390a6180f37e050bf226c1dde7c601bc9116294d9a4ba9ffc7f2f9 HTTP/1.1" 200 316 "-" "go-containerregistry/v0.16.1" 0.010 0.010 .
me - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/sha256:d1f237bbfc5ee91e4d3fe1f77dbfbc90e679404db41f77bbe3e8f67ae6381b58 HTTP/1.1" 401 152 "https://factory.hsn.dev/v2/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/v1.6.0" "docker/24.0.7 go/go1.20.10 git-commit/311b9ff kernel/6.6.2-201.fc39.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.7 \x5C(linux\x5C))" 0.001 0.002 .

skopeo inspect, using the proper token method with 0 credentials used. skopeo inspect docker://harbor.hsn.dev/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b:v1.6.0

me - "GET /v2/ HTTP/1.1" 401 76 "-" "skopeo/1.14.0" 0.002 0.001 .
me - "GET /service/token?scope=repository%3Asiderolabs%2Finstaller%2F2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b%3Apull&service=harbor-registry HTTP/1.1" 200 1007 "-" "skopeo/1.14.0" 0.015 0.016 .
me - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/v1.6.0 HTTP/1.1" 200 511 "-" "skopeo/1.14.0" 0.011 0.012 .
me - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/manifests/sha256:2bfe5ef46fda9c166ae295d7756801b23e785c698cfae265f6e79e551c94ac5d HTTP/1.1" 200 593 "-" "skopeo/1.14.0" 0.010 0.009 .
me - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/blobs/sha256:3de39e1a576f947ee85f23ca4901a3a9d63fd4778547da33157a32268ffd3b18 HTTP/1.1" 200 611 "-" "skopeo/1.14.0" 0.013 0.012 .
me - "GET /v2/ HTTP/1.1" 401 76 "-" "skopeo/1.14.0" 0.001 0.002 .
me - "GET /service/token?scope=repository%3Asiderolabs%2Finstaller%2F2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b%3Apull&service=harbor-registry HTTP/1.1" 200 1007 "-" "skopeo/1.14.0" 0.016 0.017 .
me - "GET /v2/siderolabs/installer/2b1cad19c16f5095b412350bc49ca30e6c1b4d02d850c0717ba1eeef3b7ac88b/tags/list HTTP/1.1" 200 193 "-" "skopeo/1.14.0" 0.005 0.006 .

Any help would be greatly appreciated!
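The anonymous token handshake skopeo is performing in the second log, as an added example that is not part of this issue or of image-factory's code (the Harbor host, schematic id and token value are constructed placeholders, and the HTTP transport is pluggable so the flow runs offline against a small fake registry):

```python
# Added example, not image-factory or Harbor code: the anonymous Docker Registry v2
# bearer-token handshake (401 -> /service/token -> 200). Host, repository and token
# are constructed placeholders; the transport is injectable so this runs offline.
import json
import re
from urllib.parse import urlencode

CHALLENGE_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_bearer_challenge(header: str) -> dict:
    """Parse `WWW-Authenticate: Bearer realm="...",service="...",scope="..."`."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    return dict(CHALLENGE_RE.findall(params))

def token_url(challenge: dict) -> str:
    """Token endpoint named in the challenge; for a public pull scope the registry
    returns a short-lived token without any credentials being presented."""
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urlencode(query)

def fetch(transport, url: str) -> tuple:
    """GET url; on a 401 Bearer challenge obtain an anonymous token and retry once."""
    status, headers, body = transport("GET", url, {})
    if status != 401:
        return status, body
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenge = parse_bearer_challenge(hdrs.get("www-authenticate", ""))
    tstatus, _, tbody = transport("GET", token_url(challenge), {})
    if tstatus != 200:
        raise RuntimeError(f"token endpoint returned {tstatus}")
    token = json.loads(tbody)["token"]
    status, _, body = transport("GET", url, {"Authorization": "Bearer " + token})
    return status, body

REALM = "https://harbor.example.test/service/token"  # constructed placeholder
REPO = "siderolabs/installer/PLACEHOLDER_SCHEMATIC_ID"  # placeholder schematic id
MANIFEST = f"https://harbor.example.test/v2/{REPO}/manifests/v1.6.0"

def fake_harbor(method, url, headers):
    """Stand-in registry: anonymous token endpoint, manifest gated on a Bearer token."""
    if url.startswith(REALM):
        return 200, {}, json.dumps({"token": "anon-pull-token"}).encode()
    if headers.get("Authorization") == "Bearer anon-pull-token":
        return 200, {}, b'{"schemaVersion": 2}'
    www = f'Bearer realm="{REALM}",service="harbor-registry",scope="repository:{REPO}:pull"'
    return 401, {"WWW-Authenticate": www}, b'{"errors":[{"code":"UNAUTHORIZED"}]}'
```

A client that follows the image-factory redirect but never answers the challenge stops at the first 401, which is the `HEAD ... 401` seen from docker in the first log; swapping `fake_harbor` for a real urllib-based transport exercises the same three requests against a live Harbor.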

smira commented 9 months ago

You can't use a registry with authentication for that part, as Image Factory redirects. The only thing which works I believe is the Docker registry itself. I don't know if any other registry supports disabling auth.

It might be reimplemented not to redirect, but rather to proxy pass via Image Factory, but that's on the implementation side

jahanson commented 9 months ago

Ok, that sounds like a good idea for the future. For now I'll just use reverse proxy using nginx --> registry.