Unable to use Flux OCI with Harbor robot accounts #5219
Comments
I am able to use robot accounts with the kubeapps flux plug-in in a public OCI repo hosted on demo.goharbor.io without any issues. Can provide server-side log file if needed. A PR with an integration test to that effect is pending https://github.com/vmware-tanzu/kubeapps/pull/5246/files#. I think that supports Antonio's theory. Namely, there IS a way to configure things so that the use case works. If there is a harbor server out there where this fails, then it is more likely than not that the issue is with the remote harbor server. I initially thought that the robot accounts that are given out do not have sufficient privileges for what kubeapps needs whether they be project-specific or not. So I narrowed down the permissions as much as possible to make the use case work. It turned out a single permission was sufficient on the project that contained the OCI repos to make the use case work:
but then any other single permission by itself (completely unrelated to listing of repositories) also worked such as:
so I am a bit confused about that right now. Will look into it some more tomorrow.
…with Harbor robot accounts #5219 (#5246)
* added flux integration tests for an artifact repository hosted on Google Cloud Platform
* incremental
* incremental
* added flux integration tests for an artifact repository hosted on Google Cloud Platform
* incremental
* incremental
* incremental
* incremental
* narrow down the list of permissions for harbor robot account
please feel free to re-open as you see fit
Reopening due to:
Summary
I've been adding minor changes for the UI to also support the OCI registries with Flux (PR #5218). In doing so, I'm kind of unable to add one (harbor) and get the packages.
Background and rationale
It's important as in many Harbor deployments we don't have full admin access, but maybe admin permissions over a single project (not the whole harbor instance). Using robot accounts seems to be the preferred way to consume TAC/VAC, therefore, I guess it's important that we also support this way to enable VAC users to deploy their apps using kubeapps+flux.
Description
In the logs I see:
I assume that this is because the robot accounts are not privileged enough (see goharbor/harbor#8723 (comment)).
However, the following endpoint seems to work with robot accounts and does give me the list of artifacts inside the project I have access to:
https://harbor-repo.vmware.com/api/v2.0/projects/agamez/repositories
Acceptance criteria
Additional context
N/A