webhooks: robot operator does not set resource's tag field (set digest instead) #20939

Open
romain-rossi opened this issue Sep 17, 2024 · 4 comments

@romain-rossi

Expected behavior and actual behavior:
On a PUSH_ARTIFACT event triggered by a robot account (from CI), the event_type.resources.tag field is set to the image's digest instead of the actual tag.

Steps to reproduce the problem:

  1. configure a webhook on a project
  2. push an image to this project using a robot account and check the Webhooks payload:

```json
{
  "type": "PUSH_ARTIFACT",
  "occur_at": 1726573473,
  "operator": "robot$...",
  "event_data": {
    "resources": [
      {
        "digest": "sha256:4965673...",
        "tag": "sha256:4965673...",            <---- TAG NOT SET
        "resource_url": "..."
      }
    ],
    "repository": {
      "date_created": 1726127341,
       ...
    }
  }
}
```

  3. push an image to the same repository with a user account:

```json
{
  "type": "PUSH_ARTIFACT",
  "occur_at": 1726568391,
  "operator": "[email protected]",
  "event_data": {
    "resources": [
      {
        "digest": "sha256:00.",
        "tag": "latest",                       <---- TAG SET
        "resource_url": "..."
      }
    ],
    "repository": {
      "date_created": 1671543862,
      ...
    }
  }
}
```

Versions:

  • harbor version: 2.11.0-70255684
  • docker engine version: 27.2.1
  • docker-compose version: 2.29.3
@chlins chlins self-assigned this Sep 20, 2024
@chlins
Member

chlins commented Sep 23, 2024

Did you push the image on the same client by robot account and normal user? I've tried to push the same image with robot account and normal user, and got the correct tag when using robot account.

```json
{
  "type": "PUSH_ARTIFACT",
  "occur_at": 1727084023,
  "operator": "robot$robot-user1",   <--- this is a robot user
  "event_data": {
    "resources": [
      {
        "digest": "sha256:01908c2ed615f2ce1d8de01375116d8542ede0daf8af5bb3854f9a32fcb0f2f4",
        "tag": "latest",    <--- got the tag correctly
        "resource_url": "harbor.local/library/hello-world:latest"
      }
    ],
    "repository": {
      "date_created": 1727084023,
      "name": "hello-world",
      "namespace": "library",
      "repo_full_name": "library/hello-world",
      "repo_type": "public"
    }
  }
}
```

@romain-rossi
Author

Hello @chlins,

Thank you for your test and answer.

The pushes were done by changing the authentication (user/robot) of the Woodpecker CI Buildx and by restarting the same build pipeline.

  1. Which Harbor version are you using for your test?
  2. How did you create (System/Project scope) and configure (Permissions) your robot account?

Thanks

@chlins
Member

chlins commented Sep 24, 2024

> Hello @chlins,
>
> Thank you for your test and answer.
>
> The pushes were done by changing the authentication (user/robot) of the Woodpecker CI Buildx and by restarting the same build pipeline.
>
>   1. Which Harbor version are you using for your test?
>   2. How did you create (System/Project scope) and configure (Permissions) your robot account?
>
> Thanks

I'm using v2.11 and created the system scope robot with all permissions selected.

@romain-rossi
Author

Thanks @chlins,

As soon as we upgrade Harbor to version 2.11.1, I'll try the CI builds with a system scope robot with all permissions to see if it makes a difference.

We are using a project scope robot account with limited permissions.
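
A webhook consumer can guard against the symptom reported in this thread by treating a `tag` that equals the digest, or has digest form, as "no tag" rather than as a tag name. This is an added example, not part of the original issue or of Harbor's code; the function name, sample operators and digest value are constructed for illustration.

```python
import re

# "<algorithm>:<hex>" form used for image digests, e.g. "sha256:<64 hex chars>".
DIGEST_RE = re.compile(r"^[a-z0-9]+:[0-9a-f]{32,}$")


def classify_push(payload):
    """Return one record per pushed resource; tag is None when it only repeats a digest."""
    if payload.get("type") != "PUSH_ARTIFACT":
        return []
    operator = payload.get("operator", "")
    records = []
    for res in payload.get("event_data", {}).get("resources", []):
        tag = res.get("tag") or ""
        digest = res.get("digest") or ""
        # Symptom from this issue: "tag" carries the digest instead of a tag name.
        tag_is_digest = bool(tag) and (tag == digest or bool(DIGEST_RE.match(tag)))
        records.append({
            "operator": operator,
            "is_robot": operator.startswith("robot$"),  # prefix seen in the payloads above
            "digest": digest,
            "tag": tag if tag and not tag_is_digest else None,
            "tag_is_digest": tag_is_digest,
        })
    return records


# Constructed sample payloads shaped like the two cases in this thread.
FAKE_DIGEST = "sha256:" + "ab" * 32  # constructed value, not a real image


def _push(operator, tag):
    return {"type": "PUSH_ARTIFACT", "operator": operator,
            "event_data": {"resources": [{"digest": FAKE_DIGEST, "tag": tag,
                                          "resource_url": "..."}]}}


ROBOT_PUSH = _push("robot$ci-example", FAKE_DIGEST)  # tag field repeats the digest
USER_PUSH = _push("user@example.test", "latest")     # tag field holds the tag

if __name__ == "__main__":
    for sample in (ROBOT_PUSH, USER_PUSH):
        for rec in classify_push(sample):
            status = "digest-only" if rec["tag_is_digest"] else f"tag={rec['tag']}"
            print(rec["operator"], status)
```

Downstream automation that keys on the tag (promotion rules, deploy triggers) can then skip or resolve by digest when `tag` is `None`.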
