Harbor not properly sharing CSRF tokens/sessions across scaled deployment in k8s

[ianseyer]

When using the UI, I will sporadically see "CSRF token invalid" errors when performing actions when harbor-core is scaled to >1.

1. Scale up harbor-core to 3 replicas
2. Create several projects
3. attempt to delete them one by one
4. you will see "CSRF token invalid" errors sporadically

This was confirmed by scaling harbor-core down to 1, and then deletions worked consistently without issue.

On Harbor 2.11.0

[MinerYang]

Hi @ianseyer ,

Could your check following settings?

• Please verify that env CSRF_KEY in each of the core pod are the same
• Please check if each of the node that running harbor-core pod are with same machine time
• Please kindly check if there's any debug logs you could provide while error happened.

[ianseyer]

So, interestingly, I am seeing:

harbor-staging-core-d5d6cb4b-qbvx2 2024-10-21T16:17:03Z [WARNING] [/server/middleware/csrf/csrf.go:71]: Invalid CSRF
 key from environment: 8Yl=jR?eF@n[...]faPs, generating random key...

Should I be ensuring that the csrf key follows some particular form, or is exclusively alphanumeric?

EDIT: I now see - the length must be 32: https://github.com/goharbor/harbor/blob/main/src/server/middleware/csrf/csrf.go#L70

[MinerYang]

True, you need to make sure the key be 32 characters otherwise harbor would randomly generate a key for use and only work for core replicas=1, otherwise it would failed. So if you specified yourself xsrfkey in harbor-helm values.yaml, please make sure it is legit.
And we will add more comments and validations while harbor instance pre-installed.