OpenShift GitOps / GITOPS-8879

Image Updater: Incorrect Harbor webhook authentication mechanism


    • Bug
    • Resolution: Done
    • Normal
    • ImageUpdater
    • GitOps Tangerine Sprint 28

      Description of Problem

      The current implementation of the Harbor webhook, which validates an HMAC signature, is incorrect. Harbor does not use HMAC signatures; it uses a simple string comparison, as implemented in, e.g., the kargo project's Harbor webhook.

      To Reproduce

      1. Create a secret
      2. Configure the same secret in ArgoCD Image Updater and in the Harbor webhook's Auth Header option
      3. Generate a webhook request
      4. Observe the response from ArgoCD Image Updater:

      webhook request

      POST /webhook?type=harbor HTTP/1.1
      Host: argocd-image-updater-webhook
      User-Agent: Go-http-client/1.1
      Content-Length: 405
      Authorization: <secret>
      Content-Type: application/json
      Accept-Encoding: gzip

      response

      HTTP/1.1 400 Bad Request
      Content-Type: text/plain; charset=utf-8
      X-Content-Type-Options: nosniff
      Date: Tue, 16 Dec 2025 08:15:23 GMT
      Content-Length: 26

      invalid webhook signature

      Expected behavior
      Simple string comparison should be implemented.
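
The expected behavior, as an added Go example (not code from ArgoCD Image Updater, kargo or Harbor): an HMAC-style check rejects the request shown above because the Authorization header carries the secret itself, while a direct comparison accepts it. The function names, sample secret, request body, 401 status and the constant-time comparison are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// verifyHMAC models an HMAC check (assumed shape): header must equal hex(HMAC-SHA256(secret, body)).
func verifyHMAC(secret string, body []byte, header string) bool {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hmac.Equal([]byte(hex.EncodeToString(mac.Sum(nil))), []byte(header))
}

// verifySharedSecret compares header and secret in constant time; an empty secret fails closed.
func verifySharedSecret(secret, header string) bool {
	return secret != "" && subtle.ConstantTimeCompare([]byte(secret), []byte(header)) == 1
}

// harborHandler is a hypothetical receiver that authenticates on the Authorization header only.
func harborHandler(secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !verifySharedSecret(secret, r.Header.Get("Authorization")) {
			http.Error(w, "invalid webhook secret", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// statusFor sends a constructed Harbor-style request and returns the HTTP status code.
func statusFor(secret, authHeader string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook?type=harbor", strings.NewReader(`{"type":"PUSH_ARTIFACT"}`))
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	harborHandler(secret)(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("match:", statusFor("s3cret", "s3cret"), "mismatch:", statusFor("s3cret", "wrong"))
	fmt.Println("HMAC check on raw secret:", verifyHMAC("s3cret", []byte(`{"type":"PUSH_ARTIFACT"}`), "s3cret"))
}
```
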

      Version
      ArgoCD Image Updater 1.0.1
      Harbor 2.14.1

              dkarpele@redhat.com Denis Karpelevich
              Tangerine