harbor: robot account should not have $ (dollar sign) or any special character

The user name of a robot account currently looks like robot$account_name. The $ (dollar sign) leads to escape hell if you want to build some script for authentication with those robot accounts. At least in sh/bash.

Could we have robot accounts without well-known special characters in shells like % $ & | ( [ { etc.?

Or I want full control of the given account name, so that I can remove the dollar if I want to.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 66
  • Comments: 24 (3 by maintainers)

Most upvoted comments

We can close it as the robot prefix configuration is introduced in v2.2, just try with https://github.com/goharbor/harbor/releases/tag/v2.2.0-rc1.

Let’s think about this in v2.2, there should be a better delimiter to help us distinguish a real user from a robot account without resorting to special chars. It’s a small improvement that can really move the needle and help our users save time. I’m tagging this v2.2 @reasonerjt

This bit me recently. Using Jenkins + Kubernetes plugin, the injected environment variable with the username kept adding an extra $. I think it is specifically something with the way Groovy handles escaping special characters. Ended up just switching to using a service account in our LDAP group. Would be really nice if we could either specify the format of the robot names or change the $ to _ or -.

@nbon12 you should be able to just provide your username as a single-quote-wrapped string:

--docker-username='robot$this_part_stays_untouched'

@xaleeks

Something that has no significance in bash please.

In case anyone is looking for a workaround until they upgrade to v2.2 (or there exists a similar problem in the future) you can escape the $ in GitLab CI by making it a double $$. For example CI_HARBOR_USER='robot$$myrobotaccount'

Reference: https://stackoverflow.com/questions/48870664/escape-char-in-gitlab-secret-variables

Got bitten as well by this one, took me a while to figure out the reason for these “401 Unauthorized” in a K3D context using Harbor as an external registry… robot-<name> would make much more sense as a default username. Also the possibility to rename it would be great.

That I do not know - just know it is available in the UI… and be careful - this will automatically change all existing robot accounts!

I also had a hard time figuring this out. There is a workaround for GitLab, which I found somewhere (I will be happy to add the credits if someone finds that again). You can put the robot account user name in a variable in GitLab and use that one instead. Since the account contains a $ you cannot mask the variable though… This works for me:

docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  variables:
    INTERNAL_HARBOR_USER: $HARBOR_USER
    INTERNAL_HARBOR_PASSWORD: $HARBOR_PASSWORD
    DOCKER_IMAGE_NAME: "registry.my.org/project-name/repository-name"
  before_script:
    # Quote the expansions so the shell passes each value as a single argument
    - docker login -u "$INTERNAL_HARBOR_USER" -p "$INTERNAL_HARBOR_PASSWORD" registry.my.org
  script:
    - docker build --pull -t "$DOCKER_IMAGE_NAME:latest" .
    - docker push "$DOCKER_IMAGE_NAME:latest"

I recently got bitten by this as well, when trying to push to Harbor’s Chart Museum from within a TeamCity job. Please get that $ out of the name!

I’ve also been bitten by this.

Particularly in the context of GitLab multi-project pipelines: even if I escape the $ in the parent job, when it triggers the downstream job and the variables are evaluated again, the $<username> resolves to an empty string. In short, there is no escape pattern I can use that works in both jobs…

I appreciate that the decision was probably made to distinguish robot accounts from normal ones, but $ is a poor choice of separator due to its use in bash and the pervasive nature of bash in CI systems.
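
The quoting behaviour discussed throughout this thread, as an added example that is not part of the original issue or of Harbor's code: it shows which forms keep the name intact, how a second evaluation pass drops it, and a guard that fails before the registry answers with a 401. It assumes the default robot$ prefix; robot$ci_push, registry.example.test and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. 'robot$ci_push' and registry.example.test are constructed values.
unset ci_push   # make sure $ci_push is empty, as it would be in a CI job

single='robot$ci_push'        # single quotes: kept literally
escaped="robot\$ci_push"      # backslash inside double quotes: kept literally
double="robot$ci_push"        # double quotes: $ci_push expands to nothing
copied="$single"              # expanding a variable does not re-scan its value
# A second evaluation pass (eval here; a CI templating layer in practice)
# scans the value again and drops the name.
reparsed=$(eval "printf %s \"$single\"")

# Succeed only for an intact robot$<name>. A bare "robot" or an empty string
# is the usual trace of a lost expansion.
valid_robot_user() {
  case "$1" in
    'robot$'?*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Refuse to attempt a login with a mangled name, so the job fails with a clear
# message instead of a 401 from the registry. The secret goes in on stdin.
harbor_login() {  # usage: harbor_login USER SECRET REGISTRY
  if ! valid_robot_user "$1"; then
    echo "robot user name looks mangled: '$1'" >&2
    return 1
  fi
  printf '%s' "$2" | docker login -u "$1" --password-stdin "$3"
}

# Report how each form above ended up.
for v in single escaped double copied reparsed; do
  eval "val=\$$v"
  if valid_robot_user "$val"; then s=intact; else s=MANGLED; fi
  printf '%-9s %-16s %s\n' "$v" "$val" "$s"
done
```

On a Harbor instance where the robot prefix has been changed, adjust the pattern in valid_robot_user to match.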