Harbor Proxy or Proxy Cache or Proxy Endpoint
Hi,
I'm a bit confused about how the Proxy Cache works for the Harbor-to-Harbor use case. We have a central Harbor installation (everything is installed: images, users, authentication and authorization). We want to use this Harbor installation as a hub installation, which means that many spokes (other network locations) should have access to it and pull images from it.
We do not want to open network flows from all the clients to the main Harbor installation (main endpoint); instead we want to deploy cache locations on every site. We want to achieve this:
- The client pulls the image from the CacheLocation endpoint
- The cache location pulls the image from the central installation
Question: How does the authentication work? Will the cache location make a passthrough authentication (the central Harbor installation will handle the auth/authorization phase), or do we need to configure the authorization (users, RBAC...) on the cache Harbor installation too?
Thanks
Could you please provide a simple repro? I’d like to tackle this.
Hi @hood,
Thanks for checking this issue. Yes, sure. I did simplify the code (https://api.github.com/user/emails was used to reproduce a 401). You can reproduce it with this docker-compose. If you try to open traefik.localhost you should get the error (and so a white page).
Please note that removing the '--metrics.prometheus=true' arg does not reproduce the issue.
```yaml
services:
  traefik:
    image: "traefik:v3.0.2"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - '--accesslog=true'
      - '--ping=true'
      - '--metrics.prometheus=true'
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.localhost`) && PathPrefix(`/`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=testErrors@docker,testForwardAuth@docker"
      - "traefik.http.middlewares.testForwardAuth.forwardauth.address=https://api.github.com/user/emails"
      - "traefik.http.middlewares.testForwardAuth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.testForwardAuth.forwardauth.authResponseHeaders=Authorization"
      - "traefik.http.middlewares.testErrors.errors.status=401-403"
      - "traefik.http.middlewares.testErrors.errors.service=whoami"
      - "traefik.http.middlewares.testErrors.errors.query=/?rd={url}"
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
```
I can reproduce it on traefik 3.0.2 in kubernetes. The actual error is from the capture middleware.
Hi guys. I have the same problem. Was there any workaround?
I see the same problem in my logs.
Try setting metrics.addInternals to true in the Helm chart.
Hey folks,
Thanks for your feedback. If any community member can help us to move forward in fixing the issue, we would love the help.
Try setting metrics.addInternals to true in the Helm chart.
thanks, it seems to work
Closed by #11058
@rtribotte It seems it is not fixed with Traefik on Docker, as I might be getting the same issue. The service works for a few seconds after Traefik starts and then I get a blank page, and to make it work I needed to specify the service in each container. I am on Traefik 3.1.2 on Docker, and using @huttotw's solution and setting metrics.addInternals to true fixes this error for me.
Hello @Maypul, the fix hasn't been released yet, but should be in v3.1.3 soon.