Harbor: robot account should not have $ (dollar sign) or any special character

This bit me recently. Using jenkins + kubernetes plugin the injected environment variable with the username kept adding an extra $. I think it is specifically something with the way groovy handles escaping special characters. Ended up just switching to using a service account in our LDAP group. Would be really nice if we could either specify the format of the robot names or change the $ to _ or -

+1

This is such a pain. It has to be escaped in 99% commands.

Or I want full control of the given account name, so that I can remove the dollar if I want to.

This would be great too!

This would be great!, I also requested this in #8744

I've also been bitten by this.

Particularly in the context of GitLab multi-project pipelines, even if I escape the $ in the parent job when it triggers the downstream job and the variables are evaluated again the $<username resolves to an empty string. In short, there is no escape pattern I can use that works in both jobs...

I appreciate that the decision was probably made to distinguish robot accounts from normal ones, but $ is a poor choice of separator due to its use in bash and the pervasive nature of bash in CI systems.

Got bitten as well by this one, took me a while to figure out the reason of these "401 Unauthorized" a K3D context using Harbor as an external registry...
robot-<name> would make much more sense as a default username. Also the possibility to rename it would be great.

We recently switched to using Harbor in production and it has caused a lot of work and support to go through scripts and escape the username properly. My vote is to drop the dollar sign and just prefix with robot. i.e. No special characters in the username.

Administrators should control the naming of service accounts so they can follow the naming conventions of the organization they are in. Forcing special characters in usernames is a bit callous towards developer experience.

I recently got bitten by this as well, when trying to push to Harbor's Chart Museum from within a TeamCity job. _Please_ get that $ out of the name!

Same here , using $ in username leads to problems down the line

Let's think about this in v2.2, there should be a better delimiter to help us distinguish a real user from a robot account without resorting to special chars. It's a small improvement that can really move the needle and help our users save time. I'm tagging this v2.2 @reasonerjt

@xaleeks

Something that has no significance in bash please.

+1

This should be resolved once the work proposed in https://github.com/goharbor/community/pull/148 is delivered.

@wy65701436 please dup this issue.

I had also a hard time to figure this out. There is a workaround for GitLab, which I found somewhere (I will be happy to add the credits if someone finds that again). You can put the robot account user name in a variable in Gitlab and use that one instead. Since the account contains a $ you cannot mask the variable though ... This works for me:

docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  variables:
    INTERNAL_HARBOR_USER: $HARBOR_USER
    INTERNAL_HARBOR_PASSWORD: $HARBOR_PASSWORD
    DOCKER_IMAGE_NAME: "registry.my.org/project-name/repository-name"
  before_script:
    - docker login -u $INTERNAL_HARBOR_USER -p $INTERNAL_HARBOR_PASSWORD registry.my.org
  script:
    - docker build --pull -t "$DOCKER_IMAGE_NAME:latest" .
    - docker push "$DOCKER_IMAGE_NAME:latest"