
Jobservice pod uses default user instead of username defined in URL for redis connection

Open winklermichael opened this issue 4 months ago • 7 comments

Expected behavior and actual behavior: Expected: The username defined in /etc/jobservice/config.yml -> worker_pool.redis_pool.redis_url should be used for connecting to redis (or valkey). Actual: Somehow the connection falls back to the default user and the username defined in the URL is not used.

Steps to reproduce the problem:

  1. Deploy harbor using the official harbor helm chart, using the following configuration in values.yaml:
  redis:
    type: external
    external:
      addr: "valkey-0.valkey-headless.valkey.svc.cluster.local:26379,valkey-1.valkey-headless.valkey.svc.cluster.local:26379,valkey-2.valkey-headless.valkey.svc.cluster.local:26379"
      username: "harbor"
      sentinelMasterSet: "valkeyha"
      coreDatabaseIndex: "10"
      jobserviceDatabaseIndex: "11"
      registryDatabaseIndex: "12"
      trivyAdapterIndex: "15"
      harborDatabaseIndex: "10"
      cacheLayerDatabaseIndex: "10"
      existingSecret: "harbor-external-secret" # key must be 'REDIS_PASSWORD'
  2. Patch all created configmaps and secrets to include a custom username (in this case harbor). This has to be done because the helm chart does not support this currently (See https://github.com/goharbor/harbor-helm/issues/2228)

See the chapter on harbor config files for the resulting config in the jobservice pod!

Versions: Please specify the versions of following systems.

  • harbor version: 2.13.1
  • helm chart version: 1.17.1
  • kubernetes cluster version: 1.33.2
  • containerd version: 1.7.27

Additional context:

  • Harbor config files:

Environment: _REDIS_URL_CACHE_LAYER=redis+sentinel://harbor:[email protected]:26379,valkey-1.valkey-headless.valkey.svc.cluster.local:26379,valkey-2.valkey-headless.valkey.svc.cluster.local:26379/valkeyha/10?idle_timeout_seconds=30

/etc/jobservice/config.yml:

#Server listening port
protocol: "http"
port: 8080
worker_pool:
  workers: 10
  backend: "redis"
  redis_pool:
    redis_url: "redis+sentinel://harbor:[email protected]:26379,valkey-1.valkey-headless.valkey.svc.cluster.local:26379,valkey-2.valkey-headless.valkey.svc.cluster.local:26379/valkeyha/11"
    namespace: "harbor_job_service_namespace"
    idle_timeout_second: 3600
job_loggers:
  - name: "FILE"
    level: INFO
    settings: # Customized settings of logger
      base_dir: "/var/log/jobs"
    sweeper:
      duration: 14 #days
      settings: # Customized settings of sweeper
        work_dir: "/var/log/jobs"
metric:
  enabled: true
  path: /metrics
  port: 8001
#Loggers for the job service
loggers:
  - name: "STD_OUTPUT"
    level: INFO
reaper:
  # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
  max_update_hours: 24
  # the max time for execution in running state without new task created
  max_dangling_hours: 168

  • Log files:

jobservice pod log:

2025-09-01T13:57:36Z [ERROR] [/jobservice/runtime/bootstrap.go:135]: read schema version failed: WRONGPASS invalid username-password pair or user is disabled.
2025-09-01T13:59:11Z [FATAL] [/jobservice/main.go:96]: load and run worker error: connect to redis server timeout: WRONGPASS invalid username-password pair or user is disabled.

valkey ACL log:

     1) "count"
     2) (integer) 2
     3) "reason"
     4) "auth"
     5) "context"
     6) "toplevel"
     7) "object"
     8) "AUTH"
     9) "username"
    10) "default"
    11) "age-seconds"
    12) "564.077"
    13) "client-info"
    14) "id=56133 addr=100.64.179.50:43720 laddr=100.64.106.126:6379 fd=46 name= age=0 idle=0 flags=N capa= db=0 sub=0 psub=0 ssub=0 multi=-1 watch=0 qbuf=0 qbuf-free=0 argv-mem=36 multi-mem=0 rbs=16384 rbp=16384 obl=0 oll=0 omem=0 tot-mem=17076 events=r cmd=auth user=default redir=-1 resp=2 lib-name= lib-ver= tot-net-in=53 tot-net-out=0 tot-cmds=0"
    15) "entry-id"
    16) (integer) 9
    17) "timestamp-created"
    18) (integer) 1756735056211
    19) "timestamp-last-updated"
    20) (integer) 1756735056219

(timestamp-created converts to Mon Sep 01 2025 13:57:36 GMT+0000)

winklermichael avatar Sep 02 '25 10:09 winklermichael
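
A check over the ACL log entry above, as an added example that is not part of the original issue or of Harbor: it parses `ACL LOG` output as printed by redis-cli and flags a failed AUTH made as a user other than the one the client is configured for. The function names and the expected user `harbor` passed in are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Fields copied from the ACL log entry in the issue (some omitted, client-info shortened).
const sampleEntry = `
1) "count"
2) (integer) 2
3) "reason"
4) "auth"
5) "username"
6) "default"
7) "client-info"
8) "id=56133 addr=100.64.179.50:43720 laddr=100.64.106.126:6379 cmd=auth user=default"`

// cliLine matches one redis-cli reply line: N) "text" or N) (integer) 42.
var cliLine = regexp.MustCompile(`^\s*\d+\)\s+(?:"(.*)"|\(integer\)\s+(-?\d+))\s*$`)

// ParseACLEntry pairs up the alternating field/value lines of one entry.
func ParseACLEntry(text string) map[string]string {
	var vals []string
	for _, line := range strings.Split(text, "\n") {
		if m := cliLine.FindStringSubmatch(line); m != nil {
			vals = append(vals, m[1]+m[2])
		}
	}
	entry := map[string]string{}
	for i := 0; i+1 < len(vals); i += 2 {
		entry[vals[i]] = vals[i+1]
	}
	return entry
}

// WrongUserAuth flags a failed AUTH made as a user other than expected, with the client address.
func WrongUserAuth(e map[string]string, expected string) (addr string, hit bool) {
	if e["reason"] != "auth" || e["username"] == expected {
		return "", false
	}
	_, after, _ := strings.Cut(" "+e["client-info"], " addr=")
	addr, _, _ = strings.Cut(after, " ")
	return addr, true
}

func main() {
	fmt.Println(WrongUserAuth(ParseACLEntry(sampleEntry), "harbor"))
}
```
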

Hi @winklermichael ,

Thanks for providing all these details. May I know whether your Redis ACL (username-password) mode is enabled only on the master side, or on both master and sentinel? And if it is the latter, do they use the same user/password config?

Best, Miner

MinerYang avatar Sep 02 '25 13:09 MinerYang

Hi @MinerYang the sentinel has no ACL configuration set up (it uses the default user with no password). ACL is only configured on the redis (master) nodes themselves. Please also note that the redis connection does work with the same URLs on all other pods that the helm chart deploys (except jobservice).

winklermichael avatar Sep 02 '25 13:09 winklermichael

Thanks @winklermichael for these details, it is a known issue for jobservice using redis sentinel+acl mode. Will have a fix later.

Best, Miner

MinerYang avatar Sep 03 '25 07:09 MinerYang

Hi @MinerYang to clarify once more: This is a known issue for the following setup: Sentinel without ACL, Redis with ACL

Thanks

winklermichael avatar Sep 03 '25 08:09 winklermichael
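
The `redis_url` format from the issue, parsed for the setup clarified above (Sentinel without ACL, Redis with ACL), as an added example that is not Harbor's code: it shows the two AUTH forms a client can send to the data node, where the password-only form is checked against the `default` user. `SentinelTarget`, `ParseSentinelURL`, `MasterAuth` and the password are hypothetical, and credentials are taken literally without percent-decoding.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed URL: host names from the issue, placeholder password.
const sampleURL = "redis+sentinel://harbor:example-password@" +
	"valkey-0.valkey-headless.valkey.svc.cluster.local:26379," +
	"valkey-1.valkey-headless.valkey.svc.cluster.local:26379/valkeyha/11"

const scheme = "redis+sentinel://"

// SentinelTarget (hypothetical type) holds the parts of a sentinel URL.
type SentinelTarget struct {
	Sentinels                  []string
	Master, DB, User, Password string
}

// ParseSentinelURL splits user:pass@s1,s2/master/db; credentials are taken literally.
func ParseSentinelURL(raw string) (SentinelTarget, error) {
	var t SentinelTarget
	rest, _, _ := strings.Cut(strings.TrimPrefix(raw, scheme), "?") // drop options
	authority, path, _ := strings.Cut(rest, "/")
	hosts := authority
	if i := strings.LastIndex(authority, "@"); i >= 0 {
		hosts = authority[i+1:]
		t.User, t.Password, _ = strings.Cut(authority[:i], ":")
	}
	t.Sentinels = strings.Split(hosts, ",")
	t.Master, t.DB, _ = strings.Cut(path, "/")
	if !strings.HasPrefix(raw, scheme) || hosts == "" || t.Master == "" {
		return SentinelTarget{}, fmt.Errorf("want %suser:pass@host,host/master/db", scheme)
	}
	return t, nil
}

// MasterAuth builds AUTH for the data node; the password-only form is checked against "default".
func MasterAuth(t SentinelTarget) []string {
	if t.User == "" {
		return []string{"AUTH", t.Password}
	}
	return []string{"AUTH", t.User, t.Password}
}

func main() {
	t, err := ParseSentinelURL(sampleURL)
	fmt.Println(t.Sentinels, t.Master, t.DB, len(MasterAuth(t)), err)
}
```
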

We have to defer to v2.15 due to time constraints.

reasonerjt avatar Sep 23 '25 09:09 reasonerjt

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Nov 23 '25 09:11 github-actions[bot]

bump

winklermichael avatar Dec 01 '25 12:12 winklermichael