[GitLab] Proxy Registry not working when behind proxy #21275

Open
adberger opened this issue Dec 3, 2024 · 2 comments
Labels
area/replication help wanted The issues that is valid but needs help from community replication/adapters related to replication adapters

adberger commented Dec 3, 2024

Expected behavior and actual behavior:

According to https://docs.gitlab.com/ee/user/packages/container_registry/troubleshoot_container_registry.html#docker-login-command-fails-with-access-forbidden the Authorization header mustn't be stripped from requests:

To avoid this error, ensure the Authorization header is not stripped from the request.
For example, a proxy in front of GitLab might be redirecting to the /jwt/auth endpoint.

Currently we have such a registry, where the ping is failing:

2024-12-03T10:05:42+01:00 [ERROR] [/pkg/reg/adapter/native/adapter.go:126]:
failed to ping registry https://zzz.com: Get "https://xxx.yyy.com/jwt/auth?service=container_registry": Verbotene Seite:

A manual request without a header set results in the same error:

curl -v https://zzz.com/v2/
...
< Www-Authenticate: Bearer realm="https://xxx.yyy.com/jwt/auth",service="container_registry"
...
<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

A docker login works though:

docker login zzz.com
Authenticating with existing credentials...
Login Succeeded

The header should probably be added every time, at least for GitLab?

func Ping(registry *model.Registry) (string, string, error) {
	client := &http.Client{
		Transport: GetHTTPTransport(registry.Insecure),
	}
	resp, err := client.Get(registry.URL + "/v2/")
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	challenges := challenge.ResponseChallenges(resp)
	for _, challenge := range challenges {
		if challenge.Scheme == "bearer" {
			return challenge.Parameters["realm"], challenge.Parameters["service"], nil
		}
	}
	return "", "", errors.New(nil).WithCode(errors.ChallengesUnsupportedCode).WithMessagef("bearer auth scheme isn't supported: %v", challenges)
}

Versions:
Please specify the versions of following systems.

  • harbor version: v2.12.0-9da38ae
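
The flow reported above (ping `/v2/`, read the Bearer challenge, call the realm), as an added example that is not Harbor's code or part of the original report. `realmStatus` and `fakeGitLab` are hypothetical names, and the handler is a constructed stand-in that assumes the fronting proxy answers 403 to realm requests without an Authorization header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// realmStatus pings /v2/, follows the Bearer challenge and returns the realm's HTTP status.
func realmStatus(registry, user, pass string) (int, error) {
	resp, err := http.Get(registry + "/v2/")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	kv := regexp.MustCompile(`(\w+)="([^"]*)"`) // key="value" pairs of the challenge
	p := map[string]string{}
	for _, m := range kv.FindAllStringSubmatch(resp.Header.Get("Www-Authenticate"), -1) {
		p[m[1]] = m[2]
	}
	req, err := http.NewRequest("GET", p["realm"]+"?service="+url.QueryEscape(p["service"]), nil)
	if err != nil {
		return 0, err
	}
	if user != "" {
		req.SetBasicAuth(user, pass) // the Authorization header a proxy must not strip
	}
	if resp, err = http.DefaultClient.Do(req); err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func fakeGitLab(w http.ResponseWriter, r *http.Request) { // constructed stand-in, not GitLab
	if r.URL.Path == "/v2/" { // registry: issue the Bearer challenge
		w.Header().Set("Www-Authenticate", `Bearer realm="http://`+r.Host+`/jwt/auth",service="container_registry"`)
		w.WriteHeader(http.StatusUnauthorized)
	} else if r.Header.Get("Authorization") == "" { // realm: anonymous request is refused
		w.WriteHeader(http.StatusForbidden)
	} // realm with credentials: implicit 200, standing in for a token response
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(fakeGitLab)) // torn down at process exit
	fmt.Println(realmStatus(srv.URL, "", ""))                       // anonymous realm request
	fmt.Println(realmStatus(srv.URL, "user", "constructed-token")) // credentials attached
}
```

The realm URL comes from the server's response and, as in the report, can sit on a different host than the registry, so a client should attach credentials only to realms it trusts and only over HTTPS.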
@stonezdj stonezdj added the help wanted The issues that is valid but needs help from community label Dec 9, 2024
stonezdj (Contributor) commented Dec 9, 2024

We are looking for a GitLab adapter contributor to fix this issue.

@Vad1mo Vad1mo added area/replication replication/adapters related to replication adapters labels Dec 9, 2024
adberger (Author) commented

I would be open to try, but since I've got no feedback on #21144, I'm not sure how high the chances are that it would get merged.
If I can help, please let me know :)
