Harbor is an open-source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. As a CNCF graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud-native compute platforms like Kubernetes. (source: https://goharbor.io/)
Otomi runs the following automation tasks:
- Creating a project in Harbor for each team
- Creating a bot-account for each team
- Creating a Kubernetes pull secret in the team namespace to enable pulling of images out of the local registry
- Creating a Kubernetes push secret in the team namespace that can be downloaded (if enabled) by team members to push images to a private repo
Harbor integrates with Keycloak for OIDC.
Unfortunately Harbor has not yet delivered a user friendly mechanism for users to interface with their registry via docker cli. To use docker cli one has to login with the registry EVERY time before using the cli. At the same time this fails when one is not logged into the Harbor dashboard beforehand. In order to login without issues one has to follow these steps:
- ONLY ONCE: get the cli secret from the Harbor dashboard (via User Profile).
- refresh Harbor dashboard web view (this will refresh the OIDC auth token)
- docker login using the cli secret as password:
docker login harbor.<cluster-domain> -u < User_Name > -p <CLI secret>
- do your docker pull/push etc within the token TTL window (60 secs)
Usually this is not a problem as team users don't pull or push these images directly. We are working on solving this, and expect to have a fix soon.
OIDC: conflicting user
Error while logging in to harbor with OIDC:
Conflict, the user with same username or email has been onboarded..
By redeploing keycloak the same user gets a new
sub claim in
openid scope. Harbor uses
iss claims in order to match them to a user from its database (see:
subiss column at
oidc_user table in
registry database). If the same user identifies with a new sub then harbor tries to create a new entry in the
harbor_user database table and it fails on the username column uniqueness constraint.
Please check up on this link when this problem occurs, because a fix might already be released: goharbor/harbor#13674. If so, please create a PR to fix this in the otomi-core repo, or create an issue there. Otherwise continue:
Connect to the database service
kh exec harbor-database-0 -it -- psql -U postgres
Find out the
SELECT user_id FROM harbor_user WHERE username = '<user name>';
Remove the user from the database
DELETE FROM oidc_user WHERE user_id = <userid>;
DELETE FROM harbor_user WHERE user_id = <userid>;
Try to login once again and observe that you are asked to confirm your username.
Pod multi-attach error
Kubernetes cannot schedule the
Multi-Attach error occurs for persistent volumes that support only one writer at a time.
Delete an existing harbor registry replicaset. Note that this operation makes registry temporarely unavailable.