405 error when logging into portal #485
Comments
|
I also get this same issue after deploying it to k8s, and I've tried multiple versions, any ideas what I am missing or where I can look? |
|
OK; after further investigation I think that this issue actually might be partly due to kubectl proxy not handling http patch requests. If you expose a public IP address and use that you can log in successfully. Can you add an option to sign in using kproxy? |
|
I don't think when you login via portal it issues Could you let me know what version you are using? |
|
Same issue :) |
|
Same Issue as well. This is something that has many hours of my life figuring out. Any help would be much appreciated. |
What I can say is that it happens with |
|
I figured it out. So the Registry does not tell you that the nginx server is the place that you need to connect to. I saw no nginx pods in the harbor namespace. But all I had to do is port-forward the service and everything worked like a charm. 👍 You cannot connect straight to the portal as this will not work. |
|
Same issue :) |
still not understand how you solve the problem |
|
Same issue here |
|
Hi, The last one will handle the login function and if no specific path is configured then it will try on the portal service who does not know how to handle it. (But it could respond with a 404 it would be better). To correct it, you should always but a reverse proxy before your UI : a simple ingress or a list of mappings for ambassador or you can try with another product like ory oathkeeper. |
|
I've been on this for a few hours now, until I noticed this DEBUG message kept appearing in the the above is clearly wrong, since the path should be https://www.getambassador.io/docs/latest/topics/using/rewrites/#rewrite indeed I had two Mappings:
the problem is with the Core mapping, since Ambassador automatically rewrites the matching prefix to The answer was hidden in the docs: So changing the core mapping to below solved the problem: Not sure what kind of setup other folks here have, but sure looks like a similar issue to me. |
405 Not Allowed如果 portal 规则在最前面, 则所有请求都匹配到 portal 上, 因此出现 405 Error。 修改 Ingress rule 顺序, 将 portal 放在最后。
how to solve http:
paths:
- backend:
serviceName: harbor-harbor-core
servicePort: 80
path: /api/
pathType: ImplementationSpecific
# ... some other rules
- backend:
serviceName: harbor-harbor-portal
servicePort: 80
path: /
pathType: ImplementationSpecific
I solve this with istio-ingress : https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPMatchRequest |
|
Still same issue. I tried on EKS and minikube. Worst first user experience! Cannot login at all. Still get the 405 error. on EKS: All pods are running but cannot login with default login admin/Harbor12345 `NAME READY STATUS RESTARTS AGE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE NAME READY UP-TO-DATE AVAILABLE AGE NAME DESIRED CURRENT READY AGE NAME READY AGE |
|
Note: You must change the Network to use "ClusterIP". This will then allow you to have a service created called harbor. This service will then work like a Reverse Proxy that will connect to the portal. You will set your endpoint; either ingress controller or api gateway to this server. |
|
The default is "ClusterIP" and that does not work either. I tried NodePort and LoadBalancer which works but at the UI the default username/password doesn't work. Can you elaborate on the steps you took to get this working? Did you use nginx ingress controller? |
|
The default is not ClusterIP. I installed using Helm and change the values for type of ClusterIP. This will set up a service. |
Do a kubectl get services and you will see the NGINX service used as a reverse proxy. This is what you tie your endpoint to. |
|
Where did you change the network to use ClusterIP? I do not see a "harbor service" running on my cluster. I did install with Helm - helm install harbor harbor/harbor |
|
You have to change it via the values.yml file when you run helm |
|
Did the install with values.yaml and I now see the "harbor" service. I did a port-forward to this service and I get the UI but the default username/password still does not work. |
|
You set the default password in the values. Should be admin and then Harbor12345 |
|
Correct. I see that in values.yaml but does not work with admin/Harbor12345. I'm doing the port-forward - kubectl port-forward service/harbor 8080:80. Getting a 403 error!
|
|
Will not work on port forward as you need to come from the domain name specified in values when you ran the Helm package. |
|
我开始也是403,后来使用下面的参数,30005是nodeport关联nginx的pod |
|
I solved the login problem by the following steps: # helm repo add harbor https://helm.goharbor.io
# helm fetch harbor/harbor --untar
# cd harbor
# sed -i 's/ type: ingress/ type: clusterIP/g' values.yaml
# sed -i 's/ commonName: ""/ commonName: "harbor"/g' values.yaml
# kubectl create ns harbor
# helm install harbor . -n harborThen get harbor service clusterIP by # kubectl get svc -n harbor harbor
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
harbor ClusterIP 10.96.42.70 <none> 80/TCP,443/TCP,4443/TCP 15mUse a browser to access the ClusterIP( |
|
This happens to me on chart versions 1.6.3 and 1.7.0 on EKS. Here're my values: externalUrl: https://harbor.my.url.com
expose:
type: ingress
tls:
enabled: true
certSource: none
ingress:
hosts:
core: harbor.my.url.com
notary: notary.my.url.com
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/security-groups: sg1, sg2
alb.ingress.kubernetes.io/ssl-redirect: '443'
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
persistence:
resourcePolicy: ""
persistentVolumeClaim:
registry:
storageClass: st1
size: 128Gi
updateStrategy:
type: Recreate
secretKey: super-secret-key |
|
@evindunn so what is your issue? The nginx server is what your ingress should be connecting to as it works as a reverse proxy. |
|
I get a 405 when the attempting to log in with the default credentials (when the login page POSTs to /c/login). Are you saying that only clusterIP, the reverse proxy service, will work, and I shouldn't be using ingress? |
|
Hey @evindunn, the chart To make it work you need to:
Sorry I haven't got an example my works on another system I can't copy and paste from. |
|
Had the exact same issue on a fresh cluster (v1.22.1) for testing purposes and this answer helped me thank you! Just note that in my case I needed another step: using Chrome/Firefox instead of safari. Hope this helps someone |
|
Had the same issue with a fresh cluster on Kubernetes 1.21.5 and harbor helm chart version 1.7.4. It is a config issue at the ingress resource. IMHO there are two possible workarounds: Move the config for the In my setup, unlike most others, an istio-ingressgateway (envoy) is used instead of the nginx-ingress. Perhaps this helps someone :) |
|
If someone just tries it out and wants to run it locally and port-forward then the following externalURL: https://127.0.0.1:8443
expose:
type: clusterIP
tls:
auto:
commonName: harborThen |
According to the ingress specification [1], the longest matching path should be used. But for Istio, "The first rule matching an incoming request is used" [2,3]. [1]: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches [2]: https://istio.io/latest/docs/reference/config/networking/virtual-service/#VirtualService [3]: istio/istio#35033 Fixes: goharbor#485 Signed-off-by: Mathieu Parent <[email protected]>
|
Proposed fix in #1132 (at least for Istio). |
|
I bumped into the same issue, but it was mostly due to not reading default values properly. # wrong, as it has to be nginx/proxy container instead ("harbor" service):
kubectl port-forward -n harbor svc/harbor-portal 8080:80All the "fixes" already mentioned above, to summarize: harborAdminPassword: "initialPasswordHere"
expose:
type: clusterIP
tls:
enabled: falsehelm upgrade --install --create-namespace -n harbor harbor harbor/harbor -f values.yaml
kubectl port-forward -n harbor svc/harbor 8080:80this's only for local, quick, non-secure deployments - better use Ingress and TLS for non-local deployments. |
@Victorion Had a quick try with this values.yaml file and helm install is failing with the below errors: Error: INSTALLATION FAILED: template: harbor/templates/trivy/trivy-tls.yaml:1:18: executing "harbor/templates/trivy/trivy-tls.yaml" at <.Values.trivy.enabled>: nil pointer evaluating interface {}.enabled Anything else is missing in values.yaml file? |
|
@darthguinea thank you, your answer about not using port-forward and 405 error was the trick. So a quick summary for the one using helm chart on localhost: Here is the helm configuration I used: expose:
type: loadBalancer
ports:
httpPort: 80
tls:
enabled: falseThen go to your Quick comment for the Harbor team, you guys could add a comment in your documentation for this issue ... spending a few hours to just enter the UI can be a bit a frustrating 😄 |
|
My usecase was for nodePort. I was getting error 403, method not allowed, I updated the externalURL with http instead of https and it worked. Error was gone
|
|
Exposing harbor with NodePort installs an additional nginx reverse proxy that route the path to the correct services. This configuration permits to understand how to configure the ingress. In my case: Take care about not stripping the path in your httproutes when matching the paths and specify the externalurl. When using ingress, it's probably easier to route all the traffic to a custom nginx reverse proxy like the one used to expose harbor via NodePort. It permits to keep a simple logic in the httproute/gateway Lionel. |
and others
I've deployed to microk8s and cannot log in at all, there doesn't appear to be much useful in the logfiles, any ideas as to what can be causing this issue:
portal logfile:
curling from the box:
plz help!
The text was updated successfully, but these errors were encountered: