Proxy-cache Webhook incorrect tag

Open mdavid01 opened this issue 1 year ago • 7 comments

re: Harbor Version v2.7.1-6015b3ef

When we pull proxy-cache images with a tag (e.g., ":latest" or ":jdk21-alpine") that result in a 'PUSH ARTIFACT' webhook message, the webhook message uses the sha-256 digest as the tag rather than the tag used in the PULL command. In the example below, the artifact was pulled with the tag "latest". However, the 'tag' field repeats the digest.

podman pull harbor.../ext.mcr.microsoft.com/vscode/devcontainers/javascript-node:latest

'{"type":"PUSH_ARTIFACT","occur_at":1707961109,"operator":"harbor#proxy-cache-service","event_data":{"resources":[{"digest":"sha256:4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac","tag":"sha256:4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac","resource_url":"harbor..../ext.mcr.microsoft.com/vscode/devcontainers/javascript-node@sha256:4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac"}],"repository":{"date_created":1707961108,"name":"vscode/devcontainers/javascript-node","namespace":"ext.mcr.microsoft.com","repo_full_name":"ext.mcr.microsoft.com/vscode/devcontainers/javascript-node","repo_type":"public"}}}'

Please advise how to ensure that the intended tag is implemented in the proxy-cache webhook message or modify Harbor proxy-cache/webhook code as needed.

Thx. Michael D.

mdavid01 avatar Feb 15 '24 12:02 mdavid01

It depends on the client's behavior, because when pulling an image like javascript-node:latest, it usually sends a HEAD request to the registry to get the digest of javascript-node:latest. Then it sends the GET request to javascript-node@256: 4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac. From the server side, it receives the GET request to javascript-node@256: 4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac. That is why the webhook payload only contains the digest.

stonezdj avatar Feb 18 '24 05:02 stonezdj

Thanks, DJ, for the quick response. We use what I believe to be the latest Podman and Docker clients. Are there clients known to pass the tag? Is there a way to address the problem on our side? Pls forward any ideas. I'll close the issue.

mdavid01 avatar Feb 19 '24 12:02 mdavid01

DJ: If I pull this image from proxy cache, the tag is always returned to harbor: podman image pull harbor.....global.lmco.com/ext.docker.elastic.co/logstash/logstash:6.8.24-8374da69-SNAPSHOT

Why would it be different for this repo or image?

mdavid01 avatar Feb 20 '24 12:02 mdavid01

I noticed that when an image disappears from the target repository that proxy-cache is set to cache, the image by TAG is no longer served, but the SAME image by SHA is still served. Is this relevant? Why does this behavior happen?

Another weird thing is that on the local docker client machine that has the image before it was deleted from target repository, after it is deleted in the target repo, it would not use the local image from the machine, and would still try pulling it from proxy cache resulting in an image not found error. (Again SHA would still work)

Hapshanko avatar Mar 01 '24 22:03 Hapshanko

> It depends on the client's behavior, because when pulling an image like javascript-node:latest, it usually sends a HEAD request to the registry to get the digest of javascript-node:latest. Then it sends the GET request to javascript-node@256: 4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac. From the server side, it receives the GET request to javascript-node@256: 4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac. That is why the webhook payload only contains the digest.

Fair enough. IMO, sending an invalid tag is still not acceptable. Then no tag should be in the payload. Having a property called tag containing a digest, is not correct.

bluebrown avatar Apr 14 '24 20:04 bluebrown

I found the following. It will always set the tag to reference, even if it's not a tag: https://github.com/goharbor/harbor/blob/7465a29919da8ed4fa132bdbc217806369e3bf38/src/controller/event/handler/webhook/artifact/artifact.go#L133

Then I also found this: https://github.com/goharbor/harbor/blob/7465a29919da8ed4fa132bdbc217806369e3bf38/src/controller/event/topic.go#L136

IMO, if an image is pushed by digest, then its tag shall be the default tag of the registry, which is usually latest.

This could be either fixed, last minute before sending the webhook notification, or perhaps somewhere around here: https://github.com/goharbor/harbor/blob/7465a29919da8ed4fa132bdbc217806369e3bf38/src/controller/event/metadata/artifact.go#L42

Although, this issue is regarding some proxy cache. As I understand, this swallows tags, so assuming latest may not be feasible.

I don't understand the code base and the proxy enough to evaluate the situation.

bluebrown avatar Apr 14 '24 21:04 bluebrown
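
A webhook consumer that keys scanning or admission policy on the tag can guard against the behaviour discussed in this thread by treating the `tag` field as untrusted input. The Go code below is an added example, not Harbor code and not code from any commenter; `NormalizeRefs`, `Ref` and the sample payload are hypothetical names and constructed data, and the tag pattern is the tag grammar from the OCI distribution spec.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// OCI tag grammar; a digest ("sha256:...") contains ':' and can never match.
var tagRe = regexp.MustCompile(`^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$`)

// Only the fields used here, named as in the payload quoted in the issue.
type webhook struct {
	EventData struct {
		Resources []struct {
			Digest string `json:"digest"`
			Tag    string `json:"tag"`
		} `json:"resources"`
	} `json:"event_data"`
}

// Ref is a normalized reference; Tag is empty when no real tag was reported.
type Ref struct{ Digest, Tag string }

// NormalizeRefs (hypothetical helper) decodes a webhook body and drops any
// "tag" value that repeats the digest or is not a syntactically valid tag.
func NormalizeRefs(body []byte) ([]Ref, error) {
	var w webhook
	if err := json.Unmarshal(body, &w); err != nil {
		return nil, fmt.Errorf("decode webhook: %w", err)
	}
	refs := make([]Ref, 0, len(w.EventData.Resources))
	for _, r := range w.EventData.Resources {
		ref := Ref{Digest: r.Digest}
		if r.Tag != r.Digest && tagRe.MatchString(r.Tag) {
			ref.Tag = r.Tag
		}
		refs = append(refs, ref)
	}
	return refs, nil
}

// Constructed sample: resource 1 mirrors the issue, resource 2 has a real tag.
const sample = `{"type":"PUSH_ARTIFACT","event_data":{"resources":[
 {"digest":"sha256:4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac","tag":"sha256:4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac"},
 {"digest":"sha256:4637dee26a57c3781f5c23ffaf5a956b2ef9ed8ea5161e98fcfee446dd133cac","tag":"latest"}]}}`

func main() {
	fmt.Println(NormalizeRefs([]byte(sample)))
}
```

With an empty `Tag`, downstream logic should identify the artifact by `Digest` alone rather than assume a default such as `latest`.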

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jun 14 '24 09:06 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

github-actions[bot] avatar Jul 14 '24 09:07 github-actions[bot]