harbor icon indicating copy to clipboard operation
harbor copied to clipboard
verified publisher icon goharbor

setup proxy cache to Google Artifact registry is failing

Open vinay1203 opened this issue 1 year ago • 12 comments

I have installed harbor and setup ingress and added a proxy registry with Google GCR provider but with Artifact registry as the Endpoint URL(https://us-docker.pkg.dev/<GCP_PROJECT>).

But when i am trying to pull from the harbor endpoint, it is giving the below error. Error response from daemon: unknown: repository proxy-cache/prod-docker-us/hello-world not found

Docker login works and i am using the command in the format as below: docker pull <HARBOR_ENDPOINT>/<HARBOR_PROJECT_NAME>/<GAR_REPO_NAME>/hello-world:latest

And i was able to pull the image from GAR successfully using Google Artifact Registry endpoint.

After checking the harbor-core pod logs, i could see the below logs: 2024-07-01T19:43:19Z [ERROR] [/server/middleware/repoproxy/proxy.go:121]: failed to proxy manifest, fallback to local, request uri: /v2/proxy-cache/hello-world/manifests/latest, error: http status code: 405, body:

vinay1203 avatar Jul 01 '24 19:07 vinay1203

The google container registry (GCR) is different with the google artifact registry (GAR), you can not use the GCR provider for a GAR endpoint.

stonezdj avatar Jul 08 '24 07:07 stonezdj

So, GAR proxy is not currently supported by Harbor?

I used GCR provider with GAR endpoint with reference to the comment in the below PR. https://github.com/goharbor/harbor/issues/16973#issuecomment-1245674764

I also tried GAR endpoint with docker registry provider as well. It is also failing with the same error.

I am using harbor core image version of v2.10.2

vinay1203 avatar Jul 16 '24 06:07 vinay1203

Hello @Kenny1G

Thank you for your response. I did follow the same PR but while creating a registry and giving Endpoint URL as "https://us-docker.pkg.dev" it is not letting me create the registry stating "the registry is unhealthy".

Upon checking harbor core logs, i can see the below errors: 2024-07-16T17:58:52Z [ERROR] [/pkg/reg/adapter/native/adapter.go:126]: failed to ping registry https://us-docker.pkg.dev: http status code: 401, body: {"errors":[{"code":"UNAUTHORIZED","message":"authentication failed"}]}

But if i add my project at the end of the url like "https://us-docker.pkg.dev/<GCP_PROJECT>" then i am able to create the registry. That is the reason why i used Endpoint URL in that particular format ignoring the comment in the PR.

vinay1203 avatar Jul 16 '24 18:07 vinay1203

I was seeing this issue as well and switching the registry endpoint to just the base path https://us-docker.pkg.dev without the project path on it works for setting up the proxy cache

warroyo avatar Aug 01 '24 15:08 warroyo

when you set the endpoint to https://us-docker.pkg.dev/, the registry status might turn into unhealthy, then the proxy cache associate with this endpoint doesn’t work. (edited)

stonezdj avatar Aug 02 '24 08:08 stonezdj

is it officially supported or no ? I see no mention in official documentation, Harbor cannot skip one of the biggest registry out there

krab-skunk avatar Aug 21 '24 12:08 krab-skunk

@krab-skunk This is currently not supported, but it has been identified as a requirement. We are also seeking assistance from the community regarding support for GAR as a registry adapter in Harbor. This help may include developing and maintaining the adapter in the long term.

wy65701436 avatar Oct 30 '24 09:10 wy65701436

Has anyone gotten around this by standing up a standard docker registry as a proxy to GAR and connecting to it locally?

bfosberry avatar Mar 31 '25 19:03 bfosberry

Hi guys, Any idea whether GAR can be fully supported on Harbor?

igorrudyk avatar May 05 '25 07:05 igorrudyk

Hi guys, Any idea whether GAR can be fully supported on Harbor?

I am able to pull with this configuration:

Image

epark001 avatar May 16 '25 19:05 epark001

likewise, on harbor 2.13.1 setting up provider either as google or docker-registry and endpoint like https://europe-west3-docker.pkg.dev works for pulling. It was previously stated that google provider is only for gcr but it did pull successfuly when setup pointing to a GAR endpoint. Go figure..

What interestingly does not work, and I am unsure why it is even related under the hood - is when a rke2 cluster does rewriting of the source image registry to harbor proxy (ie. cluster wants to schedule europe-west3-docker.pkg.dev/my-project/my-image:latest and is rewritten for containerd to my-harbor.com/gcr/my-project/my-image:latest. harbor-core prints tons of errors like

harbor-core-68586f4f4b-6lkkq core 2025-06-10T11:43:53Z [ERROR] [/server/middleware/security/oidc_cli.go:68]: failed to get user model, username: _json_key, error: user _json_key not found
harbor-core-68586f4f4b-6lkkq core 2025-06-10T11:43:53Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="xxx" user agent="containerd/v1.7.21-k3s2"]: failed to authenticate user:_json_key, error:not supported

and a mystery is that once randomly it DID work..

dennislapchenko avatar Jun 10 '25 11:06 dennislapchenko

This PR adds support for GAR, would be great if it could be looked at 🙏: https://github.com/goharbor/harbor/pull/22091

Strainy avatar Jul 02 '25 04:07 Strainy

Hi guys, Any idea whether GAR can be fully supported on Harbor?

I am able to pull with this configuration:

Image

What did you do to auth the pull/replication with this?

gabriel-suela avatar Sep 15 '25 14:09 gabriel-suela