From 0fb1028a4984932fbe39a1f0a62cb8df5a5c3379 Mon Sep 17 00:00:00 2001 From: chris Date: Fri, 21 Oct 2022 09:54:11 +0200 Subject: [PATCH] Update harbor to 2.6.
---
 harbor/common.sh | 24 +++- harbor/common/config/core/env | 13 +-- harbor/common/config/jobservice/env | 9 +- harbor/common/config/nginx/nginx.conf | 2 +- harbor/common/config/nginx/nginx.conf~ | 130 ------------------------- harbor/common/config/registry/passwd | 2 +- harbor/common/config/registryctl/env | 4 +- harbor/common/config/trivy-adapter/env | 2 +- harbor/docker-compose.yml | 16 +-- harbor/harbor.yml.tmpl | 17 +++- harbor/install.sh | 27 ++++- harbor/prepare | 2 +- 12 files changed, 79 insertions(+), 169 deletions(-) delete mode 100644 harbor/common/config/nginx/nginx.conf~
diff --git a/harbor/common.sh b/harbor/common.sh
index 0db96f0..505f393 100644
--- a/harbor/common.sh
+++ b/harbor/common.sh
@@ -103,28 +103,34 @@ function check_docker {
 }
 function check_dockercompose {
-    if ! docker compose version &> /dev/null
+    if [! docker compose version] &> /dev/null || [! docker-compose --version] &> /dev/null
     then
-        error "Need to install docker compose(1.18.0+) by yourself first and run this script again."
+        error "Need to install docker-compose(1.18.0+) or a docker-compose-plugin (https://docs.docker.com/compose/)by yourself first and run this script again."
         exit 1
     fi
-    # docker compose has been installed, check its version
-    if [[ $(docker compose version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
+    # either docker compose plugin has been installed
+    if docker compose version &> /dev/null
+    then
+        note "$(docker compose version)"
+        DOCKER_COMPOSE="docker compose"
+
+    # or docker-compose has been installed, check its version
+    elif [[ $(docker-compose --version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
     then
         docker_compose_version=${BASH_REMATCH[1]}
         docker_compose_version_part1=${BASH_REMATCH[2]}
         docker_compose_version_part2=${BASH_REMATCH[3]}
-        note "docker compose version: $docker_compose_version"
-        # the version of docker compose does not meet the requirement
+        note "docker-compose version: $docker_compose_version"
+        # the version of docker-compose does not meet the requirement
         if [ "$docker_compose_version_part1" -lt 1 ] || ([ "$docker_compose_version_part1" -eq 1 ] && [ "$docker_compose_version_part2" -lt 18 ])
         then
-            error "Need to upgrade docker compose package to 1.18.0+."
+            error "Need to upgrade docker-compose package to 1.18.0+."
             exit 1
         fi
     else
-        error "Failed to parse docker compose version."
+        error "Failed to parse docker-compose version."
         exit 1
     fi
-}
+}
\ No newline at end of file
diff --git a/harbor/common/config/core/env b/harbor/common/config/core/env
index e7a14b4..823f156 100644
--- a/harbor/common/config/core/env
+++ b/harbor/common/config/core/env
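Review bot: The rewritten guard `if [! docker compose version] &> /dev/null || [! docker-compose --version] &> /dev/null` never runs either tool: `[!` is looked up as a command name and fails with "command not found" on both sides, so the `||` chain is always false and the `error`/`exit 1` branch is unreachable. Even with the spacing fixed, `[ ! docker compose version ]` is a string test rather than a command invocation, and `||` would trip when just one of the two tools is absent, which is the opposite of the intent. Replace the condition with `if ! docker compose version &> /dev/null && ! docker-compose --version &> /dev/null`, which reaches the error only when neither is available. The new `DOCKER_COMPOSE="docker compose"` assignment only reaches install.sh if common.sh is sourced into the same shell, which this hunk does not show. Two smaller points on the same lines: the new error message lacks a space before `by yourself`, and the `\ No newline at end of file` on the closing `}` is a regression of the previous version.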
@@ -21,8 +21,8 @@ PORTAL_URL=http://portal:8080
 TOKEN_SERVICE_URL=http://core:8080/service/token
 HARBOR_ADMIN_PASSWORD=j2Q2gRX@zpGYGsUZwJ@ynvnU3gw6Y*
 MAX_JOB_WORKERS=10
-CORE_SECRET=Q1kOSJ2hbw3qs2Uh
-JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+CORE_SECRET=2WyVPYUlCIRDPCv2
+JOBSERVICE_SECRET=a1XRgtkNICmX2Gl4
 WITH_NOTARY=False
 WITH_TRIVY=True
 CORE_URL=http://core:8080
@@ -37,14 +37,15 @@ CHART_REPOSITORY_URL=http://chartmuseum:9999
 REGISTRY_CONTROLLER_URL=http://registryctl:8080
 WITH_CHARTMUSEUM=False
 REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
-REGISTRY_CREDENTIAL_PASSWORD=nTDpudVQRYA4rPGrDvmLvHskdd5gPcUU
-CSRF_KEY=dtP7zBtDmaQR9fhuxuy5fNpbCVZfFSD4
-PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry
+REGISTRY_CREDENTIAL_PASSWORD=RvC6BuQM4kFianaQ81mMxGuDHdNEQ5Yp
+CSRF_KEY=hPD1uJIjELdXLCH2Z6zFWS6JDT0JGRHc
+PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr
 HTTP_PROXY=
 HTTPS_PROXY=
-NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+NO_PROXY=localhost,log,.internal,exporter,db,.local,portal,redis,127.0.0.1,registryctl,nginx,core,jobservice,chartmuseum,notary-signer,trivy-adapter,registry,postgresql,notary-server
 PORT=8080
+
diff --git a/harbor/common/config/jobservice/env b/harbor/common/config/jobservice/env
index f1564f6..120d97c 100644
--- a/harbor/common/config/jobservice/env
+++ b/harbor/common/config/jobservice/env
@@ -1,6 +1,6 @@
-CORE_SECRET=Q1kOSJ2hbw3qs2Uh
+CORE_SECRET=2WyVPYUlCIRDPCv2
 REGISTRY_URL=http://registry:5000
-JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+JOBSERVICE_SECRET=a1XRgtkNICmX2Gl4
 CORE_URL=http://core:8080
 REGISTRY_CONTROLLER_URL=http://registryctl:8080
 JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10
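Review bot: The `CORE_SECRET`, `JOBSERVICE_SECRET`, `REGISTRY_CREDENTIAL_PASSWORD` and `CSRF_KEY` lines replace one set of generated secrets with another inside a tracked file, so both the old and the new values, together with the `HARBOR_ADMIN_PASSWORD` context line, are readable by anyone with access to the repository history; the jobservice/env and registryctl/env hunks and the bcrypt line in registry/passwd carry the same rotated material. These env files look like output of `./prepare` (the install.sh hunk later in this patch runs it), so the rendered `common/config/` tree should be regenerated on the target host and excluded from version control rather than committed, and every secret that has appeared in a commit should be treated as exposed and regenerated once more. If the files are tracked on purpose as a development fixture, a sentence in the commit description or a README note saying so would stop a reader from treating them as production values. The added trailing blank line at the end of the file is harmless.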
@@ -8,8 +8,9 @@ JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10
 HTTP_PROXY=
 HTTPS_PROXY=
-NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+NO_PROXY=localhost,log,.internal,exporter,db,.local,portal,redis,127.0.0.1,registryctl,nginx,core,jobservice,chartmuseum,notary-signer,trivy-adapter,registry,postgresql,notary-server
 REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
-REGISTRY_CREDENTIAL_PASSWORD=nTDpudVQRYA4rPGrDvmLvHskdd5gPcUU
+REGISTRY_CREDENTIAL_PASSWORD=RvC6BuQM4kFianaQ81mMxGuDHdNEQ5Yp
+
diff --git a/harbor/common/config/nginx/nginx.conf b/harbor/common/config/nginx/nginx.conf
index a9ab535..e6f2ab8 100644
--- a/harbor/common/config/nginx/nginx.conf
+++ b/harbor/common/config/nginx/nginx.conf
@@ -127,4 +127,4 @@ http {
       return 404;
     }
   }
-}
+}
\ No newline at end of file
diff --git a/harbor/common/config/nginx/nginx.conf~ b/harbor/common/config/nginx/nginx.conf~
deleted file mode 100644
index e6f2ab8..0000000
--- a/harbor/common/config/nginx/nginx.conf~
+++ /dev/null
@@ -1,130 +0,0 @@
-worker_processes auto;
-pid /tmp/nginx.pid;
-
-events {
-  worker_connections 3096;
-  use epoll;
-  multi_accept on;
-}
-
-http {
-  client_body_temp_path /tmp/client_body_temp;
-  proxy_temp_path /tmp/proxy_temp;
-  fastcgi_temp_path /tmp/fastcgi_temp;
-  uwsgi_temp_path /tmp/uwsgi_temp;
-  scgi_temp_path /tmp/scgi_temp;
-  tcp_nodelay on;
-
-  # this is necessary for us to be able to disable request buffering in all cases
-  proxy_http_version 1.1;
-
-  upstream core {
-    server core:8080;
-  }
-
-  upstream portal {
-    server portal:8080;
-  }
-
-  log_format timed_combined '$remote_addr - '
-    '"$request" $status $body_bytes_sent '
-    '"$http_referer" "$http_user_agent" '
-    '$request_time $upstream_response_time $pipe';
-
-  access_log /dev/stdout timed_combined;
-
-  map $http_x_forwarded_proto $x_forwarded_proto {
-    default $http_x_forwarded_proto;
-    "" $scheme;
-  }
-
-  server {
-    listen 8080;
-    server_tokens off;
-    # disable any limits to avoid HTTP 413 for large image uploads
-    client_max_body_size 0;
-
-    # Add extra headers
-    add_header X-Frame-Options DENY;
-    add_header Content-Security-Policy "frame-ancestors 'none'";
-
-    # customized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
-    include /etc/nginx/conf.d/harbor.http.*.conf;
-
-    location / {
-      proxy_pass http://portal/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /c/ {
-      proxy_pass http://core/c/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /api/ {
-      proxy_pass http://core/api/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /chartrepo/ {
-      proxy_pass http://core/chartrepo/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /v1/ {
-      return 404;
-    }
-
-    location /v2/ {
-      proxy_pass http://core/v2/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-      proxy_buffering off;
-      proxy_request_buffering off;
-
-      proxy_send_timeout 900;
-      proxy_read_timeout 900;
-    }
-
-    location /service/ {
-      proxy_pass http://core/service/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /service/notifications {
-      return 404;
-    }
-  }
-}
\ No newline at end of file
diff --git a/harbor/common/config/registry/passwd b/harbor/common/config/registry/passwd
index b482bfa..6c0eee4 100644
--- a/harbor/common/config/registry/passwd
+++ b/harbor/common/config/registry/passwd
@@ -1 +1 @@
-harbor_registry_user:$2y$05$ZZgSSdASjscjf4QfvkaEHus/y62rx0h2qPoLeb/MsoG5FvUmrPfI.
+harbor_registry_user:$2y$05$paAwVLgr1maxYnL9fud8q.u7SiU/75K/ra2aeEcYNJt22ro/st4qe
diff --git a/harbor/common/config/registryctl/env b/harbor/common/config/registryctl/env
index 046a573..1464b62 100644
--- a/harbor/common/config/registryctl/env
+++ b/harbor/common/config/registryctl/env
@@ -1,2 +1,2 @@
-CORE_SECRET=Q1kOSJ2hbw3qs2Uh
-JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+CORE_SECRET=2WyVPYUlCIRDPCv2
+JOBSERVICE_SECRET=a1XRgtkNICmX2Gl4
diff --git a/harbor/common/config/trivy-adapter/env b/harbor/common/config/trivy-adapter/env
index cf97f05..df41a14 100644
--- a/harbor/common/config/trivy-adapter/env
+++ b/harbor/common/config/trivy-adapter/env
@@ -16,4 +16,4 @@ SCANNER_TRIVY_INSECURE=False
 SCANNER_TRIVY_TIMEOUT=5m0s
 HTTP_PROXY=
 HTTPS_PROXY=
-NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+NO_PROXY=localhost,log,.internal,exporter,db,.local,portal,redis,127.0.0.1,registryctl,nginx,core,jobservice,chartmuseum,notary-signer,trivy-adapter,registry,postgresql,notary-server
diff --git a/harbor/docker-compose.yml b/harbor/docker-compose.yml
index 0fe98b7..c3913ad 100644
--- a/harbor/docker-compose.yml
+++ b/harbor/docker-compose.yml
@@ -95,7 +95,7 @@ services:
     volumes:
       - /data/database:/var/lib/postgresql/data:z
     networks:
-      harbor
+      harbor:
     env_file:
       - ./common/config/db/env
     depends_on:
@@ -108,7 +108,7 @@ services:
     shm_size: '1gb'
   core:
     image: goharbor/harbor-core:v2.6.1
-    container_name: core
+    container_name: harbor-core
     env_file:
       - ./common/config/core/env
     restart: always
@@ -134,12 +134,12 @@ services:
         source: ./common/config/shared/trust-certificates
         target: /harbor_cust_cert
     networks:
-      harbor
+      harbor:
     depends_on:
       - log
       - registry
       - redis
-      - harbor-db
+      - postgresql
     logging:
       driver: "syslog"
       options:
@@ -147,7 +147,7 @@ services:
         tag: "core"
   portal:
     image: goharbor/harbor-portal:v2.6.1
-    container_name: portal
+    container_name: harbor-portal
     restart: always
     cap_drop:
       - ALL
@@ -172,7 +172,7 @@ services:
   jobservice:
     image: goharbor/harbor-jobservice:v2.6.1
-    container_name: jobservice
+    container_name: harbor-jobservice
     env_file:
       - ./common/config/jobservice/env
     restart: always
@@ -184,6 +184,7 @@ services:
       - SETUID
     volumes:
       - /data/job_logs:/var/log/jobs:z
+      - /data/scandata_exports:/var/scandata_exports:z
       - type: bind
         source: ./common/config/jobservice/config.yml
         target: /etc/jobservice/config.yml
@@ -212,7 +213,7 @@ services:
     volumes:
       - /data/redis:/var/lib/redis
     networks:
-      harbor
+      harbor:
     depends_on:
       - log
     logging:
@@ -294,6 +295,5 @@ services:
 networks:
   harbor:
     external: false
-    name: harbor
   proxy:
     external: true
diff --git a/harbor/harbor.yml.tmpl b/harbor/harbor.yml.tmpl
index 123d9ff..c0563b7 100644
--- a/harbor/harbor.yml.tmpl
+++ b/harbor/harbor.yml.tmpl
@@ -137,7 +137,7 @@ log:
 # port: 5140
 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
-_version: 2.5.0
+_version: 2.6.0
 # Uncomment external_database if using external database.
 # external_database:
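Review bot: Removing `name: harbor` from the `harbor` network in the `@@ -294` hunk means compose now derives the network name from the project (the default form is `<project>_harbor`) instead of the fixed `harbor`, so anything outside this file that joined the network by that name would stop resolving the Harbor services after the next `up`; if the fixed name was never relied on the removal is fine, otherwise keep the line. The `depends_on` change from `harbor-db` to `postgresql` in the `@@ -134` hunk has to match the key of the database service, whose definition is outside the visible hunks (the `@@ -95` hunk shows its `env_file: ./common/config/db/env` but not its name), so please confirm the service is really called `postgresql`. The move to the `harbor:` mapping form under `networks:` is equivalent to a list entry, and the `harbor-core`/`harbor-portal`/`harbor-jobservice` container names appear not to affect inter-service addressing, which the env files do by service name (`http://core:8080`). A short comment on the new `/data/scandata_exports` bind mount saying which job writes there would help whoever sizes or cleans `/data`.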
@@ -245,3 +245,18 @@ upload_purging:
   # the interval of the purge operations
   interval: 24h
   dryrun: false
+
+# cache layer configurations
+# If this feature enabled, harbor will cache the resource
+# `project/project_metadata/repository/artifact/manifest` in the redis
+# which can especially help to improve the performance of high concurrent
+# manifest pulling.
+# NOTICE
+# If you are deploying Harbor in HA mode, make sure that all the harbor
+# instances have the same behaviour, all with caching enabled or disabled,
+# otherwise it can lead to potential data inconsistency.
+cache:
+  # not enabled by default
+  enabled: false
+  # keep cache for one day by default
+  expire_hours: 24
diff --git a/harbor/install.sh b/harbor/install.sh
index 1cc2070..2bdf8c8 100755
--- a/harbor/install.sh
+++ b/harbor/install.sh
@@ -22,6 +22,9 @@ with_trivy=$false
 # chartmuseum is not enabled by default
 with_chartmuseum=$false
+# flag to using docker compose v1 or v2, default would using v1 docker-compose
+DOCKER_COMPOSE=docker-compose
+
 while [ $# -gt 0 ]; do
         case $1 in
         --help)
@@ -88,14 +91,28 @@ fi
 ./prepare $prepare_para
 echo ""
-if [ -n "$(docker-compose ps -q)" ]
-then
-    note "stopping existing Harbor instance ..."
-    docker-compose down -v
+if [ -n "$DOCKER_COMPOSE ps -q" ]
+then
+    note "stopping existing Harbor instance ..."
+    $DOCKER_COMPOSE down -v
 fi
 echo ""
 h2 "[Step $item]: starting Harbor ..."
-docker-compose up -d
+if [ $with_chartmuseum ]
+then
+    warn "
+    Chartmusuem will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
+    Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/15057"
+fi
+if [ $with_notary ]
+then
+    warn "
+    Notary will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
+    You can use cosign for signature instead since Harbor v2.5.0.
+    Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/16612"
+fi
+
+$DOCKER_COMPOSE up -d
 success $"----Harbor has been installed and started successfully.----"
diff --git a/harbor/prepare b/harbor/prepare
index ccc1bc3..2a8940b 100755
--- a/harbor/prepare
+++ b/harbor/prepare
@@ -57,7 +57,7 @@ docker run --rm -v $input_dir:/input \
     -v $config_dir:/config \
     -v /:/hostfs \
     --privileged \
-    goharbor/prepare:v2.5.1 prepare $@
+    goharbor/prepare:v2.6.1 prepare $@
 echo "Clean up the input dir"
 # Clean up input dir
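Review bot: `if [ -n "$DOCKER_COMPOSE ps -q" ]` tests the literal string `docker-compose ps -q`, which is never empty, so the branch now runs unconditionally and `$DOCKER_COMPOSE down -v` is executed even on a first install where there is nothing to stop; the command substitution from the removed line has to stay: `if [ -n "$($DOCKER_COMPOSE ps -q)" ]`. `$DOCKER_COMPOSE` is left unquoted on purpose so that the plugin form splits into `docker compose`, which deserves a one-line comment such as `# unquoted on purpose: may expand to the two words "docker compose"` next to the default in the earlier hunk, and it only takes that value if check_dockercompose from common.sh runs in this same shell, which the patch does not show. `if [ $with_chartmuseum ]` and `if [ $with_notary ]` test for a non-empty string, which matches the `with_chartmuseum=$false` default in the earlier hunk but silently fires if a literal `false` is ever assigned; `[[ -n "$with_notary" ]]` states what is meant and survives a value with spaces.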