robot account should not have $ (dollar sign) or any special character #9553

Closed
maxfunke opened this issue Oct 23, 2019 · 24 comments

@maxfunke

maxfunke commented Oct 23, 2019

The user name of a robot account currently looks like robot$account_name.
The $ (dollar sign) leads to escape hell if you want to build some script for authentication with those robot accounts. At least in sh/bash.

Could we have robot accounts without well-known special characters in shells like % $ & | ( [ { etc.?

Or I want full control of the given account name, so that I can remove the dollar if I want to.

@Kryan90

Kryan90 commented Jan 10, 2020

This bit me recently. Using Jenkins + Kubernetes plugin, the injected environment variable with the username kept adding an extra $. I think it is specifically something with the way Groovy handles escaping special characters. Ended up just switching to using a service account in our LDAP group. Would be really nice if we could either specify the format of the robot names or change the $ to _ or -.

@rejamong

+1

@lukasmrtvy

lukasmrtvy commented Apr 4, 2020

This is such a pain. It has to be escaped in 99% commands.

@heww added the kind/requirement and area/robot-account labels Apr 6, 2020
@zilmarr

zilmarr commented Apr 23, 2020

> Or I want full control of the given account name, so that I can remove the dollar if I want to.

This would be great too!

@ruiztulio

This would be great! I also requested this in #8744

@mkjpryor-stfc

I've also been bitten by this.

Particularly in the context of GitLab multi-project pipelines, even if I escape the $ in the parent job, when it triggers the downstream job and the variables are evaluated again, the $<username resolves to an empty string. In short, there is no escape pattern I can use that works in both jobs...

I appreciate that the decision was probably made to distinguish robot accounts from normal ones, but $ is a poor choice of separator due to its use in bash and the pervasive nature of bash in CI systems.

@fabricev

Got bitten as well by this one, took me a while to figure out the reason for these "401 Unauthorized" in a K3D context using Harbor as an external registry...
robot-<name> would make much more sense as a default username. Also the possibility to rename it would be great.

@wsams

wsams commented Jul 16, 2020

We recently switched to using Harbor in production and it has caused a lot of work and support to go through scripts and escape the username properly. My vote is to drop the dollar sign and just prefix with robot. i.e. No special characters in the username.

@bryan-taylor

Administrators should control the naming of service accounts so they can follow the naming conventions of the organization they are in. Forcing special characters in usernames is a bit callous towards developer experience.

@pbar1

pbar1 commented Jul 22, 2020

I recently got bitten by this as well, when trying to push to Harbor's Chart Museum from within a TeamCity job. Please get that $ out of the name!

@junaid18183

Same here, using $ in username leads to problems down the line

@xaleeks
Contributor

xaleeks commented Sep 2, 2020

Let's think about this in v2.2, there should be a better delimiter to help us distinguish a real user from a robot account without resorting to special chars. It's a small improvement that can really move the needle and help our users save time. I'm tagging this v2.2 @reasonerjt

@mkjpryor-stfc

@xaleeks

Something that has no significance in bash please.

@alexbrand

+1

@reasonerjt assigned wy65701436 and unassigned reasonerjt Oct 22, 2020
@reasonerjt
Contributor

This should be resolved once the work proposed in goharbor/community#148 is delivered.

@wy65701436 please dup this issue.

@stranljip

I also had a hard time figuring this out. There is a workaround for GitLab, which I found somewhere (I will be happy to add the credits if someone finds that again). You can put the robot account user name in a variable in GitLab and use that one instead. Since the account contains a $, you cannot mask the variable though... This works for me:

docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  variables:
    INTERNAL_HARBOR_USER: $HARBOR_USER
    INTERNAL_HARBOR_PASSWORD: $HARBOR_PASSWORD
    DOCKER_IMAGE_NAME: "registry.my.org/project-name/repository-name"
  before_script:
    - docker login -u $INTERNAL_HARBOR_USER -p $INTERNAL_HARBOR_PASSWORD registry.my.org
  script:
    - docker build --pull -t "$DOCKER_IMAGE_NAME:latest" .
    - docker push "$DOCKER_IMAGE_NAME:latest"

@wy65701436
Contributor

We can close it as the robot prefix configuration is introduced in v2.2, just try with https://github.com/goharbor/harbor/releases/tag/v2.2.0-rc1.

@jgallucci32

In case anyone is looking for a workaround until they upgrade to v2.2 (or there exists a similar problem in the future) you can escape the $ in GitLab CI by making it a double $$. For example CI_HARBOR_USER='robot$$myrobotaccount'

Reference: https://stackoverflow.com/questions/48870664/escape-char-in-gitlab-secret-variables

@nbon12

nbon12 commented Apr 5, 2021

How do we escape this when creating Kubernetes secrets?
For example: kubectl create secret regcred --docker-username=robot$this_part_turns_into_whitespace

@OscardR

OscardR commented Apr 12, 2021

@nbon12 you should be able to just provide your username as a single-quote-wrapped string:

--docker-username='robot$this_part_stays_untouched'
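
The quoting behaviour this thread keeps running into, as an added example that is not part of any comment above. `robot$ci_pusher` is a constructed account name, `ci_pusher` is deliberately left unset, and `check_robot_name` is a hypothetical guard that assumes the default `robot$` prefix described in this issue.

```shell
#!/bin/sh
# Constructed robot account name: robot$ci_pusher. The shell variable
# ci_pusher is unset, so any expansion of it yields an empty string.
unset ci_pusher

# Double quotes still expand $ci_pusher: the name collapses to "robot",
# which is what produces the 401 responses reported in this thread.
name_double_quoted() { printf '%s' "robot$ci_pusher"; }

# Single quotes suppress expansion entirely.
name_single_quoted() { printf '%s' 'robot$ci_pusher'; }

# A backslash before $ suppresses expansion inside double quotes.
name_backslash() { printf '%s' "robot\$ci_pusher"; }

# A value already stored in a variable is not re-scanned when expanded
# as "$u", so passing the name through a quoted variable is safe.
name_from_variable() { u='robot$ci_pusher'; printf '%s' "$u"; }

# A second evaluation pass (eval, sh -c, a CI system re-expanding
# variables for a downstream job) parses the stored text again and
# expands the suffix away.
name_reevaluated() { u='robot$ci_pusher'; eval "printf '%s' \"$u\""; }

# Hypothetical guard for CI scripts: fail early when the user name has
# lost its suffix instead of sending a truncated name to the registry.
check_robot_name() {
  case "$1" in
    'robot$'?*) return 0 ;;
    *) echo "robot user name looks mangled: '$1'" >&2; return 1 ;;
  esac
}
```

Calling `check_robot_name "$HARBOR_USER"` before `docker login` turns a silent truncation into an explicit job failure; `HARBOR_USER` here is the variable name used in the GitLab example earlier in the thread.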

@bitva77

bitva77 commented Dec 6, 2022

Running harbor v2.6.1-2903d593 and $'s are still being used in the robot names.

With kubectl, you can escape the $ with a \ when using kubectl regcred.

@Martin-Weiss

But - there is now a configuration option available in Harbor where you can change the prefix for Robot accounts in Harbor from "$" to something else like "-".

@bitva77

bitva77 commented Dec 6, 2022

@Martin-Weiss aahhh I missed that config option! Thanks!

Is that configurable in the API? Looking at Swagger and I don't see an option. Trying to avoid having to manually configure this on every instance...

@Martin-Weiss

That I do not know - just know it is available in the UI... and be careful - this will automatically change all existing robot accounts!
