Unauthorized error when Harbor redirects to official Docker Hub images

[sberlin]

Environment:

• Jib version: 3.4.1
• Build tool: Apache Maven 3.9.4
• OS: Fedora

Description of the issue:
Unauthorized error when Harbor redirects to official Docker Hub images. Auth <from> and <to> are set correctly.

Expected behavior:
Jib adds previous authentication to redirected location or starts new auth flow.

Steps to reproduce:

1. Use Harbor v2.10.0-6abb4eab on harbor.example.com with Docker Hub project configured as proxy
2. Use Maven project with base image harbor.example.com/docker_hub/eclipse-temurin:17-jre-alpine
3. Issue mvn jib:dockerBuild --debug -Djava.util.logging.config.file=logging.properties -Djib.serialize=true with properties from docs

jib-maven-plugin Configuration:

            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>jib-maven-plugin</artifactId>
                <version>3.4.1</version>
                <configuration>
                    <from>
                        <image>harbor.example.com/docker_hub/eclipse-temurin:17-jre-alpine</image>
                        <auth>
                            <username>${env.IMAGE_REGISTRY_USERNAME}</username>
                            <password>${env.IMAGE_REGISTRY_PASSWORD}</password>
                        </auth>
                    </from>
                </configuration>
            </plugin>

Log output:

Mar 19, 2024 2:04:56 PM com.google.api.client.http.HttpRequest execute
CONFIG: curl -v --compressed -H 'Accept: application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json' -H 'Accept-Encoding: gzip' -H 'Authorization: <Not Logged>' -H 'User-Agent: jib 3.4.1 jib-maven-plugin Google-HTTP-Java-Client/1.42.2 (gzip)' -- 'https://harbor.example.com/v2/docker_hub/eclipse-temurin/manifests/17-jre-alpine'
Mar 19, 2024 2:04:56 PM com.google.api.client.http.HttpResponse <init>
CONFIG: -------------- RESPONSE --------------
HTTP/1.1 301 Moved Permanently
Content-Length: 97
Content-Type: text/html; charset=utf-8
Date: Tue, 19 Mar 2024 13:04:56 GMT
Location: /v2/docker_hub/library/eclipse-temurin/manifests/17-jre-alpine
Set-Cookie: sid=a6...; Path=/; HttpOnly
X-Request-Id: f4cc267a-f1ef-45ad-825d-b59eeb795e0f

Mar 19, 2024 2:04:56 PM com.google.api.client.http.HttpRequest execute
CONFIG: -------------- REQUEST  --------------
GET https://harbor.example.com/v2/docker_hub/library/eclipse-temurin/manifests/17-jre-alpine
Accept: application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Accept-Encoding: gzip
User-Agent: jib 3.4.1 jib-maven-plugin Google-HTTP-Java-Client/1.42.2 (gzip)

Mar 19, 2024 2:04:56 PM com.google.api.client.http.HttpRequest execute
CONFIG: curl -v --compressed -H 'Accept: application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json' -H 'Accept-Encoding: gzip' -H 'User-Agent: jib 3.4.1 jib-maven-plugin Google-HTTP-Java-Client/1.42.2 (gzip)' -- 'https://harbor.example.com/v2/docker_hub/library/eclipse-temurin/manifests/17-jre-alpine'
Mar 19, 2024 2:04:56 PM com.google.api.client.http.HttpResponse <init>
CONFIG: -------------- RESPONSE --------------
HTTP/1.1 401 Unauthorized
Content-Length: 152
Content-Type: application/json; charset=utf-8
Date: Tue, 19 Mar 2024 13:04:56 GMT
Docker-Distribution-Api-Version: registry/2.0
Set-Cookie: _gorilla_csrf=MT...; Path=/; Expires=Wed, 20 Mar 2024 01:04:56 GMT; Max-Age=43200; HttpOnly; Secure; SameSite=Strict
Vary: Cookie
Www-Authenticate: Bearer realm="https://harbor.example.com/service/token",service="harbor-registry",scope="repository:docker_hub/library/eclipse-temurin:pull"
X-Harbor-Csrf-Token: aO...
X-Request-Id: 10a9a4dc-f9c1-4db1-b20f-b3f4b2e0f2ee

Mar 19, 2024 2:04:56 PM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: Total: 152 bytes
Mar 19, 2024 2:04:56 PM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: {"errors":[{"code":"UNAUTHORIZED","message":"authorize header needed to send HEAD to repository: authorize header needed to send HEAD to repository"}]}

Additional Information:
Note the missing Authorization header after the redirect.

Workaround: include library/ in image name.

[chanseokoh]

What if you set <image>harbor.example.com/docker_hub/library/eclipse-temurin:17-jre-alpine<image> (library added)?

[sberlin]

Then it works, as described in the last line. That's of course valid, but I thought it's not obvious what the error is. If jib is able to handle the redirect, it should also apply the authorization. I wouldn't have needed to debug the requests, if jib just said 404 for official proxied images.