imgpkg copy between harbor projects fails with auth error

[cjnosal]

What steps did you take:
1 docker login my-harbor.registry # creds have rw access to both project1 and project2
2.a imgpkg copy -b my-harbor.registry/project1/repo --to-repo my-harbor.registry/project2/repo
or
2.b

imgpkg copy -b my-harbor.registry/project1/repo --to-tar mytar
imgpkg copy --tar mytar --to-repo my-harbor.registry/project2/repo

What happened:
Failed with unauthorized error.
/v2/project2/repo/blobs/uploads/?from=project1%2frepo&mount=sha256:...&origin=my-harbor.registry

What did you expect:

1. imgpkg copy to succeed by falling back to less efficient copy if the optimized mount approach fails
2. imgpkg copy --from-tar should not require access to the location the tar originated from

Anything else you would like to add:
Harbor projects are a permissions boundary which might be blocking the cross-project mount

Environment:

• imgpkg version (use imgpkg --version): v0.35.0
• Docker registry used (e.g. Docker HUB): Harbor Version v2.3.3-a0a9ed8a
• OS (e.g. from /etc/os-release): ubuntu 20.04.5

---

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

[joaopapereira]

This looks like a behavior that needs to be changed at ggcr level.

Because if this fails we will return here with an error and mounted == false. Which means that in here we will return an error

[joaopapereira]

Waiting on feedback from google/go-containerregistry#1609