Harbor: Add Gitlab Registry Support with harbor.

Here is the log for ui.log:

Aug 19 13:56:02 172.19.0.1 ui[1379]: 2016/08/19 05:56:02 #033[1;34m[router.go:829][D] | GET        | /jwt/auth                                | 752.197µs        | notmatch   | #033[0m
Aug 19 13:58:35 172.19.0.1 ui[1379]: 2016/08/19 05:58:35 #033[1;34m[router.go:829][D] | GET        | /jwt/auth                                | 826.155µs        | notmatch   | #033[0m

proxy.log:

Aug 19 13:56:02 172.19.0.1 proxy[1379]: 192.168.3.111 - - [19/Aug/2016:05:56:02 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \x5C(linux\x5C))"
Aug 19 13:56:02 172.19.0.1 proxy[1379]: 192.168.3.111 - admin [19/Aug/2016:05:56:02 +0000] "GET /jwt/auth?account=admin&client_id=docker&offline_token=true&service=container_registry HTTP/1.1" 404 2000 "-" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \x5C(linux\x5C))"
Aug 19 13:58:35 172.19.0.1 proxy[1379]: 192.168.3.111 - - [19/Aug/2016:05:58:35 +0000] "\x16\x03\x01\x00w\x01\x00\x00s\x03\x03_-H5L\xE1\xD4Ld5g\xEFc\xE7\xB5\xBCNL\x02\x93q\xB9\x19`\xB1N#/\xD1\xA0V\xD2\x00\x00\x14\xC0,\xC00\xC0+\xC0/\xC0" 400 173 "-" "-"
Aug 19 13:58:35 172.19.0.1 proxy[1379]: 192.168.3.111 - - [19/Aug/2016:05:58:35 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \x5C(linux\x5C))"
Aug 19 13:58:35 172.19.0.1 proxy[1379]: 192.168.3.111 - admin [19/Aug/2016:05:58:35 +0000] "GET /jwt/auth?account=admin&client_id=docker&offline_token=true&service=container_registry HTTP/1.1" 404 2000 "-" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \x5C(linux\x5C))"

it seems that the ui cant match the url.

First, we need to understand what's gitlab registry support means here, I don't have bandwidth to handle it recently but will check later.

the realm is the url for getting the token so when you update to : $ui_url/jwt/auth it gets 404, because the UI is not listening on the url.

• 1 for gitlab integration if it's possible.

Still looking for a way to do this.
Gitlab uses a registry to provide the ability for developers to push/pull image transparently in build pipelines.
Harbor provide lots of features (great UI, notary native support, garbage collection, replication, etc.) that we actually need for production images.

We basically need to be able tu push/pull to Harbor's registry from Gitlab.

I found several ways to do it, but there always are hacky workarounds. Like setting up the two registries (Harbor's and Gitlab's) using the same storage backend (NFS share for example).

I have done a deep investigation on this topic, the different auth backend between harbor and gitlab can be resolved by nginx rewrite. But gitlab also requires another important parameter: path per the doc

path | This should be the same directory like specified in Registry's rootdirectory. Read the storage configuration documentation. This path needs to be readable by the GitLab user, the web-server user and the Registry user. Read more in #container-registry-storage-path.

gitlab wants to access the shared registry storage path, this is impossible if the harbor is deployed under different machines with different storage backend such as glusterfs.

@hwangjr @It4lik Is it resolved now ?

Hey guys, is this still on roadmap?

@llozanos81 Not in the mid term I'm afraid.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

So, this issue will auto closed. But I think this is really a great feature as gitlab is so widely used for companies.

Hi all – I think this is a great idea. As @reasonerjt mentioned above our bandwidth to address this in the short term is rather limited, but we'd love a contribution to help get this working.

If someone is interested in picking this up and running with it to completion please chime in here and I'd be happy to help along the way.

I cannot +1 this enough

I was able to use Gitlab Token Auth in Harbor Registry and docker login using cli. But docker pull and Harbor UI is broken, as internal implementations still seem to use the wrong token issuer. #6666. And Gitlab UI is somewhat broken due to the same problem. screenshot

As a PoC I hardcoded the Gitlab Registry settings (issuer +service) and now I have Gitlab Registry support in Harbor. Hurray!

@CrystalMethod can you share the registry settings for this to work please?

@CrystalMethod can you share the registry settings for this to work please?

It does not work out of the box - there are several things to do:

1. the hardcoded Harbor specific identifiers need to be replaced by the Gitlab specific
   https://github.com/goharbor/harbor/blob/master/src/core/service/token/authutils.go#L36
   https://github.com/goharbor/harbor/blob/master/src/common/utils/registry/auth/util.go#L30
   https://github.com/goharbor/harbor/blob/master/src/core/service/token/creator.go#L40
   I know this is a hack but I have not yet fully understood the internals to work out a PR.
2. PEM/CRT files need to injected into Gitlab and Harbor images
3. since there are no conf variables in harbor.cfg yet you have to manually adjust common/config/registry/config.yml

auth:
  token:
    issuer: gitlab-issuer
    realm: https://gitlab.****.com/jwt/auth
    service: container_registry
    rootcertbundle: /etc/registry/root.crt

screenshot

I could try to publish the images built from my fork.

@CrystalMethod thank you!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Bumping this, as I would really love to be using harbor with gitlab's CI, but don't want to have to change files and build myself.

still using manually patched sources

I have this working with native 1.8.0. Added gitlab as docker-registry, created access token for my account on gitlab (personal instance), put username in access id and access token in secret. Setup replication rule with namespace 'user/*' and it pulled all images from gitlab for my user.

But you know, that Gitlab has access to all projects - no matter if you are member of that project. Otherwise your approach will only work in a very limited and personal setup. Because "pull" and "push" is always done using a registered user. And I'm pretty sure that you are not able to browse the registry within Gitlab (Project -> Registry), right? But I'm fine if this is ok for you.

+1 for this and use with gitlab

+1 for this and use with gitlab

+1 for gitlab

Hi there. Any plans on when the support would be made available - Would be great to have Harbor talking to GITLAB.

Hi this a coveted feature for Harbor team as well, does anyone have any interest in working on this?

Usage need Personal Access Tokens in input Access Secret

I'm also interested in connecting existing gitlab docker registry to Harbor UI or to connect gitlab app to Harbor's registry with tokens.

Any update on this?

Well, I was trying to configure this from Gitlab side, but I didn't fully succeed with that.

First I've checked existing config which Harbor using for running docker-registry in common/config/registry/config.yml:

version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  cache:
    layerinfo: redis
  filesystem:
    rootdirectory: /storage
  maintenance:
    uploadpurging:
      enabled: false
  delete:
    enabled: true
redis:
  addr: redis:6379
  password:
  db: 1
http:
  addr: :5000
  secret: placeholder
  debug:
    addr: localhost:5001
auth:
  token:
    issuer: harbor-token-issuer
    realm: https://harbor.example.org/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry
validation:
  disabled: true
notifications:
  endpoints:
  - name: harbor
    disabled: false
    url: http://core:8080/service/notifications
    timeout: 3000ms
    threshold: 5
    backoff: 1s
compatibility:
  schema1:
    enabled: true

Then I found tiny project which allows to generate tokens using just the private key: docker-registry-token-genarator

Thus I have achieved the working tokens generation:

./docker-registry-token-genarator -issuer harbor-token-issuer -key /tmp/key -username kvaps -scope 'repository:some-project/some-repo:pull,push' -service "harbor-registry" 

The generated token can be simple checked as described here:

curl -i -k -H "Content-Type: application/json" -H "Authorization:  Bearer $TOKEN" -X GET https://harbor.example.org/v2/some-project/some-repo/manifests/latest

BTW, the generated token can be simple decrypted on jwt.io site.

Then I started configuring Gitlab using this guide

Thus I exported my harbor private key, using this command:

awk '{printf $0 "\\n"} END{printf"\n"}' /data/secret/core/private_key.pem

And updated my /etc/gitlab/gitlab.rbconfig file

Then I've specified few other options:

registry_external_url 'https://harbor.example.org'
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_api_url'] = "https://harbor.example.org"
gitlab_rails['registry_issuer'] = "harbor-token-issuer"
registry['internal_key'] = "<private_key content>"
registry['registry_service'] = "harbor-registry"
registry['token_realm'] = "harbor.example.org/service/token"

I also modified /opt/gitlab/embedded/cookbooks/registry/templates/default/registry-config.yml.erb template to make registry_service working:

 auth:
   token:
-    realm: <%= @token_realm %>/jwt/auth
-    service: container_registry
+    realm: <%= @token_realm %>
+    service: <%= @registry_service %>
     issuer: <%= @registry_issuer %>
     rootcertbundle: <%= @rootcertbundle %>
     autoredirect: <%= @autoredirect %>

Finally I was run to reconfigure my Gitlab:

sudo gitlab-ctl reconfigure

Unfortunately it didn't make it working. I don't know why but Gitlab is still generating tokens like this:

CI_REGISTRY_USER=gitlab-ci-token
CI_REGISTRY_PASSWORD=QSzL2ZptbM6y8iKhQvCs

And when docker from the job trying to use these credentials harbor reports error authorizing context: insufficient scope error in /var/log/harbor/registry.log

I'll be glad for any help or guesses with that

related issue on Gitlab.com: https://gitlab.com/gitlab-org/gitlab/-/issues/25948#note_309241844

@CrystalMethod ping, any suggestions on this?

Wow, so many 👍
Okay I have something to please you
https://medium.com/@kvaps/connecting-gitlab-with-harbor-for-automated-token-issuing-6446f58269a7

From what I get from the conversation there are multiple ways that are tested... but not all working...

1/ same registry storage for GitLab and harbor: the hackity trick
2/ merge GitLab and harbor authentication endpoints: does not work because GitLab generates its own repository logins (CI_REGISTRY_USER and CI_REGISTRY_PASSWORD) so in the end, harbor should use the auth endpoint of GitLab

We are discussing the integration between GitLab and harbor.... and I was thinking we would need some automation to achieve this... webhook from GitLab on repository creation and have harbor create a robot account for them.... so kind of option 3: inform gitlab of harbor authentication.

Still pondering this option as it does require some automation...

Anything new on this one? Would be great to have GitLab as auth endpoint for Harbor...

Hey - GitLab PM here. I was wondering if there is anything I can do to help move this forward. We'd really like to provide a way for our shared customers to use both registries.