Update harbor to 2.6.

2022-10-21 09:54:11 +02:00
parent 76b061dd83
commit 0fb1028a49
12 changed files with 79 additions and 169 deletions
--- a/harbor/common.sh
+++ b/harbor/common.sh
@@ -103,28 +103,34 @@ function check_docker {
 }

 function check_dockercompose {
-	if ! docker compose version &> /dev/null
+	if [! docker compose version] &> /dev/null || [! docker-compose --version] &> /dev/null
 	then
-		error "Need to install docker compose(1.18.0+) by yourself first and run this script again."
+		error "Need to install docker-compose(1.18.0+) or a docker-compose-plugin (https://docs.docker.com/compose/)by yourself first and run this script again."
 		exit 1
 	fi

-	# docker compose has been installed, check its version
-	if [[ $(docker compose version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
+	# either docker compose plugin has been installed
+	if docker compose version &> /dev/null
+	then
+		note "$(docker compose version)"
+		DOCKER_COMPOSE="docker compose"
+
+	# or docker-compose has been installed, check its version
+	elif [[ $(docker-compose --version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
 	then
 		docker_compose_version=${BASH_REMATCH[1]}
 		docker_compose_version_part1=${BASH_REMATCH[2]}
 		docker_compose_version_part2=${BASH_REMATCH[3]}

-		note "docker compose version: $docker_compose_version"
-		# the version of docker compose does not meet the requirement
+		note "docker-compose version: $docker_compose_version"
+		# the version of docker-compose does not meet the requirement
 		if [ "$docker_compose_version_part1" -lt 1 ] || ([ "$docker_compose_version_part1" -eq 1 ] && [ "$docker_compose_version_part2" -lt 18 ])
 		then
-			error "Need to upgrade docker compose package to 1.18.0+."
+			error "Need to upgrade docker-compose package to 1.18.0+."
 			exit 1
 		fi
 	else
-		error "Failed to parse docker compose version."
+		error "Failed to parse docker-compose version."
 		exit 1
 	fi
 }
--- a/harbor/common/config/core/env
+++ b/harbor/common/config/core/env
@@ -21,8 +21,8 @@ PORTAL_URL=http://portal:8080
 TOKEN_SERVICE_URL=http://core:8080/service/token
 HARBOR_ADMIN_PASSWORD=j2Q2gRX@zpGYGsUZwJ@ynvnU3gw6Y*
 MAX_JOB_WORKERS=10
-CORE_SECRET=Q1kOSJ2hbw3qs2Uh
-JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+CORE_SECRET=2WyVPYUlCIRDPCv2
+JOBSERVICE_SECRET=a1XRgtkNICmX2Gl4
 WITH_NOTARY=False
 WITH_TRIVY=True
 CORE_URL=http://core:8080
@@ -37,14 +37,15 @@ CHART_REPOSITORY_URL=http://chartmuseum:9999
 REGISTRY_CONTROLLER_URL=http://registryctl:8080
 WITH_CHARTMUSEUM=False
 REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
-REGISTRY_CREDENTIAL_PASSWORD=nTDpudVQRYA4rPGrDvmLvHskdd5gPcUU
-CSRF_KEY=dtP7zBtDmaQR9fhuxuy5fNpbCVZfFSD4
-PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry
+REGISTRY_CREDENTIAL_PASSWORD=RvC6BuQM4kFianaQ81mMxGuDHdNEQ5Yp
+CSRF_KEY=hPD1uJIjELdXLCH2Z6zFWS6JDT0JGRHc
+PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr

 HTTP_PROXY=
 HTTPS_PROXY=
-NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+NO_PROXY=localhost,log,.internal,exporter,db,.local,portal,redis,127.0.0.1,registryctl,nginx,core,jobservice,chartmuseum,notary-signer,trivy-adapter,registry,postgresql,notary-server

 PORT=8080


+
--- a/harbor/common/config/jobservice/env
+++ b/harbor/common/config/jobservice/env
@@ -1,6 +1,6 @@
-CORE_SECRET=Q1kOSJ2hbw3qs2Uh
+CORE_SECRET=2WyVPYUlCIRDPCv2
 REGISTRY_URL=http://registry:5000
-JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+JOBSERVICE_SECRET=a1XRgtkNICmX2Gl4
 CORE_URL=http://core:8080
 REGISTRY_CONTROLLER_URL=http://registryctl:8080
 JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10
@@ -8,8 +8,9 @@ JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10

 HTTP_PROXY=
 HTTPS_PROXY=
-NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+NO_PROXY=localhost,log,.internal,exporter,db,.local,portal,redis,127.0.0.1,registryctl,nginx,core,jobservice,chartmuseum,notary-signer,trivy-adapter,registry,postgresql,notary-server
 REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
-REGISTRY_CREDENTIAL_PASSWORD=nTDpudVQRYA4rPGrDvmLvHskdd5gPcUU
+REGISTRY_CREDENTIAL_PASSWORD=RvC6BuQM4kFianaQ81mMxGuDHdNEQ5Yp
+


--- a/harbor/common/config/nginx/nginx.conf~
+++ b/harbor/common/config/nginx/nginx.conf~
@@ -1,130 +0,0 @@
-worker_processes auto;
-pid /tmp/nginx.pid;
-
-events {
-  worker_connections 3096;
-  use epoll;
-  multi_accept on;
-}
-
-http {
-  client_body_temp_path /tmp/client_body_temp;
-  proxy_temp_path /tmp/proxy_temp;
-  fastcgi_temp_path /tmp/fastcgi_temp;
-  uwsgi_temp_path /tmp/uwsgi_temp;
-  scgi_temp_path /tmp/scgi_temp;
-  tcp_nodelay on;
-
-  # this is necessary for us to be able to disable request buffering in all cases
-  proxy_http_version 1.1;
-
-  upstream core {
-    server core:8080;
-  }
-
-  upstream portal {
-    server portal:8080;
-  }
-
-  log_format timed_combined '$remote_addr - '
-    '"$request" $status $body_bytes_sent '
-    '"$http_referer" "$http_user_agent" '
-    '$request_time $upstream_response_time $pipe';
-
-  access_log /dev/stdout timed_combined;
-
-  map $http_x_forwarded_proto $x_forwarded_proto {
-    default $http_x_forwarded_proto;
-    ""      $scheme;
-  }
-
-  server {
-    listen 8080;
-    server_tokens off;
-    # disable any limits to avoid HTTP 413 for large image uploads
-    client_max_body_size 0;
-
-    # Add extra headers
-    add_header X-Frame-Options DENY;
-    add_header Content-Security-Policy "frame-ancestors 'none'";
-
-    # customized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
-    include /etc/nginx/conf.d/harbor.http.*.conf;
-
-    location / {
-      proxy_pass http://portal/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /c/ {
-      proxy_pass http://core/c/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /api/ {
-      proxy_pass http://core/api/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /chartrepo/ {
-      proxy_pass http://core/chartrepo/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /v1/ {
-      return 404;
-    }
-
-    location /v2/ {
-      proxy_pass http://core/v2/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-      proxy_buffering off;
-      proxy_request_buffering off;
-
-      proxy_send_timeout 900;
-      proxy_read_timeout 900;
-    }
-
-    location /service/ {
-      proxy_pass http://core/service/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
-
-      proxy_buffering off;
-      proxy_request_buffering off;
-    }
-
-    location /service/notifications {
-      return 404;
-    }
-  }
-}
--- a/harbor/common/config/registry/passwd
+++ b/harbor/common/config/registry/passwd
@@ -1 +1 @@
-harbor_registry_user:$2y$05$ZZgSSdASjscjf4QfvkaEHus/y62rx0h2qPoLeb/MsoG5FvUmrPfI.
+harbor_registry_user:$2y$05$paAwVLgr1maxYnL9fud8q.u7SiU/75K/ra2aeEcYNJt22ro/st4qe
--- a/harbor/common/config/registryctl/env
+++ b/harbor/common/config/registryctl/env
@@ -1,2 +1,2 @@
-CORE_SECRET=Q1kOSJ2hbw3qs2Uh
-JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+CORE_SECRET=2WyVPYUlCIRDPCv2
+JOBSERVICE_SECRET=a1XRgtkNICmX2Gl4
--- a/harbor/common/config/trivy-adapter/env
+++ b/harbor/common/config/trivy-adapter/env
@@ -16,4 +16,4 @@ SCANNER_TRIVY_INSECURE=False
 SCANNER_TRIVY_TIMEOUT=5m0s
 HTTP_PROXY=
 HTTPS_PROXY=
-NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+NO_PROXY=localhost,log,.internal,exporter,db,.local,portal,redis,127.0.0.1,registryctl,nginx,core,jobservice,chartmuseum,notary-signer,trivy-adapter,registry,postgresql,notary-server
--- a/harbor/docker-compose.yml
+++ b/harbor/docker-compose.yml
@@ -95,7 +95,7 @@ services:
    volumes:
      - /data/database:/var/lib/postgresql/data:z
    networks:
-      - harbor
+      harbor:
    env_file:
      - ./common/config/db/env
    depends_on:
@@ -108,7 +108,7 @@ services:
    shm_size: '1gb'
  core:
    image: goharbor/harbor-core:v2.6.1
-    container_name: core
+    container_name: harbor-core
    env_file:
      - ./common/config/core/env
    restart: always
@@ -134,12 +134,12 @@ services:
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    networks:
-      - harbor
+      harbor:
    depends_on:
      - log
      - registry
      - redis
-      - harbor-db
+      - postgresql
    logging:
      driver: "syslog"
      options:
@@ -147,7 +147,7 @@ services:
        tag: "core"
  portal:
    image: goharbor/harbor-portal:v2.6.1
-    container_name: portal
+    container_name: harbor-portal
    restart: always
    cap_drop:
      - ALL
@@ -172,7 +172,7 @@ services:

  jobservice:
    image: goharbor/harbor-jobservice:v2.6.1
-    container_name: jobservice
+    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
@@ -184,6 +184,7 @@ services:
      - SETUID
    volumes:
      - /data/job_logs:/var/log/jobs:z
+      - /data/scandata_exports:/var/scandata_exports:z
      - type: bind
        source: ./common/config/jobservice/config.yml
        target: /etc/jobservice/config.yml
@@ -212,7 +213,7 @@ services:
    volumes:
      - /data/redis:/var/lib/redis
    networks:
-      - harbor
+      harbor:
    depends_on:
      - log
    logging:
@@ -294,6 +295,5 @@ services:
 networks:
  harbor:
    external: false
-    name: harbor
  proxy:
    external: true
--- a/harbor/harbor.yml.tmpl
+++ b/harbor/harbor.yml.tmpl
@@ -137,7 +137,7 @@ log:
  #   port: 5140

 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
-_version: 2.5.0
+_version: 2.6.0

 # Uncomment external_database if using external database.
 # external_database:
@@ -245,3 +245,18 @@ upload_purging:
  # the interval of the purge operations
  interval: 24h
  dryrun: false
+
+# cache layer configurations
+# If this feature enabled, harbor will cache the resource
+# `project/project_metadata/repository/artifact/manifest` in the redis
+# which can especially help to improve the performance of high concurrent
+# manifest pulling.
+# NOTICE
+# If you are deploying Harbor in HA mode, make sure that all the harbor
+# instances have the same behaviour, all with caching enabled or disabled,
+# otherwise it can lead to potential data inconsistency.
+cache:
+  # not enabled by default
+  enabled: false
+  # keep cache for one day by default
+  expire_hours: 24
--- a/harbor/install.sh
+++ b/harbor/install.sh
@@ -22,6 +22,9 @@ with_trivy=$false
 # chartmuseum is not enabled by default
 with_chartmuseum=$false

+# flag to using docker compose v1 or v2, default would using v1 docker-compose
+DOCKER_COMPOSE=docker-compose
+
 while [ $# -gt 0 ]; do
        case $1 in
            --help)
@@ -88,14 +91,28 @@ fi
 ./prepare $prepare_para
 echo ""

-if [ -n "$(docker-compose ps -q)"  ]
-then
-    note "stopping existing Harbor instance ..." 
-    docker-compose down -v
+if [ -n "$DOCKER_COMPOSE ps -q"  ]
+    then
+        note "stopping existing Harbor instance ..." 
+        $DOCKER_COMPOSE down -v
 fi
 echo ""

 h2 "[Step $item]: starting Harbor ..."
-docker-compose up -d
+if [ $with_chartmuseum ]
+then
+    warn "
+    Chartmusuem will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
+    Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/15057"
+fi
+if [ $with_notary ]
+then
+    warn "
+    Notary will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
+    You can use cosign for signature instead since Harbor v2.5.0.
+    Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/16612"
+fi
+
+$DOCKER_COMPOSE up -d

 success $"----Harbor has been installed and started successfully.----"
--- a/harbor/prepare
+++ b/harbor/prepare
@@ -57,7 +57,7 @@ docker run --rm -v $input_dir:/input \
                    -v $config_dir:/config \
                    -v /:/hostfs \
                    --privileged \
-                    goharbor/prepare:v2.5.1 prepare $@
+                    goharbor/prepare:v2.6.1 prepare $@

 echo "Clean up the input dir"
 # Clean up input dir