Update harbor (now with certs)

Tobias Reisinger 2023-06-03 03:33:22 +02:00
parent a6f4d6fef9
commit 0e26052058
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
9 changed files with 153 additions and 75 deletions

.gitignore vendored

@ -1,4 +1,6 @@
*.secret.env
.lego/
serguzim.net.png
diagram_assets/


@ -1,5 +1,12 @@
registry.serguzim.me {
import default
reverse_proxy /metrics host.docker.internal:3029
reverse_proxy host.docker.internal:3021
reverse_proxy /metrics host.docker.internal:3059
reverse_proxy host.docker.internal:3051 {
transport http {
tls
tls_server_name registry.serguzim.me
}
}
#reverse_proxy /metrics https://registry.serguzim.me:3059
#reverse_proxy https://registry.serguzim.me:3051
}
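Review bot: The `reverse_proxy /metrics host.docker.internal:3059` route is published on the public `registry.serguzim.me` host with no access restriction visible in this hunk, so the exporter output is reachable by any client unless `import default` supplies one (cannot tell from here); this predates the commit, which only changed the port, but it is worth settling while the block is being rewritten. One option is to pin the path to the scraper's address with a matcher, e.g. `@metrics { path /metrics; remote_ip 127.0.0.1 }` followed by `reverse_proxy @metrics host.docker.internal:3059`, or to stop publishing it through Caddy at all if Prometheus can reach port 3059 directly. The two commented-out `reverse_proxy https://registry.serguzim.me:...` lines duplicate the live config with a different upstream address; either drop them or add a one-line comment saying why they are kept.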

harbor/.gitignore vendored

@ -1,3 +1,4 @@
common/
data/
docker-compose.yml
harbor.yml


@ -103,14 +103,20 @@ function check_docker {
}
function check_dockercompose {
if ! docker-compose --version &> /dev/null
if [! docker compose version] &> /dev/null || [! docker-compose --version] &> /dev/null
then
error "Need to install docker-compose(1.18.0+) by yourself first and run this script again."
error "Need to install docker-compose(1.18.0+) or a docker-compose-plugin (https://docs.docker.com/compose/)by yourself first and run this script again."
exit 1
fi
# docker-compose has been installed, check its version
if [[ $(docker-compose --version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
# either docker compose plugin has been installed
if docker compose version &> /dev/null
then
note "$(docker compose version)"
DOCKER_COMPOSE="docker compose"
# or docker-compose has been installed, check its version
elif [[ $(docker-compose --version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
then
docker_compose_version=${BASH_REMATCH[1]}
docker_compose_version_part1=${BASH_REMATCH[2]}
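Review bot: The new condition `if [! docker compose version] &> /dev/null || [! docker-compose --version] &> /dev/null` cannot take its error branch: `[!` is not the `[` builtin but a non-existent command name, so both halves fail, the `||` chain returns non-zero, and the `error`/`exit 1` path is skipped even when neither Compose flavour is installed; a missing Compose then surfaces later as an opaque failure on the `elif [[ $(docker-compose --version) =~ ... ]]` line. Use plain command negation instead: `if ! docker compose version &> /dev/null && ! docker-compose --version &> /dev/null`. The replacement error message is also missing a space in `compose/)by yourself`. This looks like Harbor's upstream installer script, so the fix may belong upstream too; check_dockercompose continues past the end of the hunk.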


@ -7,15 +7,15 @@ hostname: registry.serguzim.me
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 3021
port: 3050
# https related config
#https:
https:
# # https port for harbor, default is 443
# port: 3022
port: 3051
# # The path of cert and key files for nginx
# certificate: /data/cert/registry.serguzim.me.crt
# private_key: /data/cert/registry.serguzim.me.key
certificate: /opt/services/.lego/certificates/registry.serguzim.me.crt
private_key: /opt/services/.lego/certificates/registry.serguzim.me.key
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
@ -33,18 +33,24 @@ external_url: https://registry.serguzim.me
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345
# # Harbor DB configuration
# database:
# # The password for the root user of Harbor DB. Change this before any production use.
# password: root123
# # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
# max_idle_conns: 50
# # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# # Note: the default number of connections is 1024 for postgres of harbor.
# max_open_conns: 1000
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 100
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 900
# The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
conn_max_lifetime: 5m
# The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
conn_max_idle_time: 0
# The default data volume
data_volume: /var/lib/harbor
data_volume: /opt/services/harbor/data/
# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
@ -76,6 +82,17 @@ trivy:
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
skip_update: false
#
# The offline_scan option prevents Trivy from sending API requests to identify dependencies.
# Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
# For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
# exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
# It would work if all the dependencies are in local.
# This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
offline_scan: false
#
# Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
security_check: vuln
#
# insecure The flag to skip verifying registry certificate
insecure: false
# github_token The GitHub access token to download Trivy DB
@ -93,14 +110,14 @@ trivy:
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10
# The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
logger_sweeper_duration: 1 #days
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 10
chart:
# Change the value of absolute_url to enabled can enable absolute url in chart
absolute_url: disabled
webhook_job_max_retry: 3
# HTTP client timeout for webhook job
webhook_job_http_client_timeout: 3 #seconds
# Log configurations
log:
@ -127,7 +144,7 @@ log:
# port: 5140
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.2.0
_version: 2.8.0
# Uncomment external_database if using external database.
external_database:
@ -140,35 +157,36 @@ external_database:
ssl_mode: verify-full
max_idle_conns: 2
max_open_conns: 0
notary_signer:
host: db.serguzim.me
port: 5432
db_name: harbor_notary_signer
username: harbor
password: ${HARBOR_DATABASE_PASSWORD}
ssl_mode: verify-full
notary_server:
host: db.serguzim.me
port: 5432
db_name: harbor_notary_server
username: harbor
password: ${HARBOR_DATABASE_PASSWORD}
ssl_mode: verify-full
# notary_signer:
# host: notary_signer_db_host
# port: notary_signer_db_port
# db_name: notary_signer_db_name
# username: notary_signer_db_username
# password: notary_signer_db_password
# ssl_mode: disable
# notary_server:
# host: notary_server_db_host
# port: notary_server_db_port
# db_name: notary_server_db_name
# username: notary_server_db_username
# password: notary_server_db_password
# ssl_mode: disable
# # Uncomment external_redis if using external Redis server
# Uncomment external_redis if using external Redis server
# external_redis:
# # support redis, redis+sentinel
# # host for redis: <host_redis>:<port_redis>
# # host for redis+sentinel:
# # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
# host: localhost:6379
# host: redis:6379
# password:
# # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
# # username:
# # sentinel_master_set must be set to support redis+sentinel
# #sentinel_master_set:
# # db_index 0 is for core, it's unchangeable
# registry_db_index: 1
# jobservice_db_index: 2
# chartmuseum_db_index: 3
# trivy_db_index: 5
# idle_timeout_seconds: 30
@ -195,5 +213,58 @@ proxy:
metric:
enabled: enabled
port: 3029
port: 3059
path: /metrics
# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agetn mode uncomment agent_host and agent_port
# trace:
# enabled: true
# # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
# sample_rate: 1
# # # namespace used to differenciate different harbor services
# # namespace:
# # # attributes is a key value dict contains user defined attributes used to initialize trace provider
# # attributes:
# # application: harbor
# # # jaeger should be 1.26 or newer.
# # jaeger:
# # endpoint: http://hostname:14268/api/traces
# # username:
# # password:
# # agent_host: hostname
# # # export trace data by jaeger.thrift in compact mode
# # agent_port: 6831
# # otel:
# # endpoint: hostname:4318
# # url_path: /v1/traces
# # compression: false
# # insecure: true
# # timeout: 10s
# Enable purge _upload directories
upload_purging:
enabled: true
# remove files in _upload directories which exist for a period of time, default is one week.
age: 168h
# the interval of the purge operations
interval: 24h
dryrun: false
# Cache layer configurations
# If this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which can especially help to improve the performance of high concurrent
# manifest pulling.
# NOTICE
# If you are deploying Harbor in HA mode, make sure that all the harbor
# instances have the same behaviour, all with caching enabled or disabled,
# otherwise it can lead to potential data inconsistency.
cache:
# not enabled by default
enabled: false
# keep cache for one day by default
expire_hours: 24
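Review bot: The newly uncommented `database:` block ships the literal `password: root123` for the internal Harbor DB root user, while the rest of this template already takes secrets through envsubst (`${HARBOR_DATABASE_PASSWORD}` under `external_database`). Even if the bundled postgres ends up unused because `external_database` is configured (Harbor appears to skip it in that case, but that is inferred, not visible here), a committed default password in the template is easy to carry into a real deployment; read it from the secret env file like the others, e.g. `password: ${HARBOR_DB_ROOT_PASSWORD}` (variable name constructed, use whatever `.secret.env` defines). The unchanged `harbor_admin_password: Harbor12345` context line in the same hunk is the stock default as well; the comment above it relies on changing it in the UI, whereas an envsubst variable would keep it out of the repository entirely. The new `certificate`/`private_key` paths under `/opt/services/.lego/certificates/` are read by containers via the host mount, so confirm the key file is readable by the nginx container's user without being world-readable.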


@ -9,8 +9,8 @@ set +o noglob
usage=$'Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-trivy if needs enable Trivy in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor'
Please set --with-trivy if needs enable Trivy in Harbor.
Please do NOT set --with-chartmuseum, as chartmusuem has been deprecated and removed.'
item=0
# notary is not enabled by default
@ -19,8 +19,9 @@ with_notary=$false
with_clair=$false
# trivy is not enabled by default
with_trivy=$false
# chartmuseum is not enabled by default
with_chartmuseum=$false
# flag to using docker compose v1 or v2, default would using v1 docker-compose
DOCKER_COMPOSE=docker-compose
while [ $# -gt 0 ]; do
case $1 in
@ -33,8 +34,6 @@ while [ $# -gt 0 ]; do
with_clair=true;;
--with-trivy)
with_trivy=true;;
--with-chartmuseum)
with_chartmuseum=true;;
*)
note "$usage"
exit 1;;
@ -80,22 +79,26 @@ if [ $with_trivy ]
then
prepare_para="${prepare_para} --with-trivy"
fi
if [ $with_chartmuseum ]
then
prepare_para="${prepare_para} --with-chartmuseum"
fi
./prepare $prepare_para
echo ""
if [ -n "$(docker-compose ps -q)" ]
then
if [ -n "$DOCKER_COMPOSE ps -q" ]
then
note "stopping existing Harbor instance ..."
docker-compose down -v
$DOCKER_COMPOSE down -v
fi
echo ""
h2 "[Step $item]: starting Harbor ..."
docker-compose up -d
if [ $with_notary ]
then
warn "
Notary will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
You can use cosign for signature instead since Harbor v2.5.0.
Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/16612"
fi
$DOCKER_COMPOSE up -d
success $"----Harbor has been installed and started successfully.----"
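Review bot: `if [ -n "$DOCKER_COMPOSE ps -q" ]` lost the command substitution the old line had: it now tests a non-empty literal string (`docker compose ps -q`), so the condition is always true and `$DOCKER_COMPOSE down -v` runs on every install, including on a fresh host, and `-v` also discards the project's named volumes. Restore the substitution: `if [ -n "$($DOCKER_COMPOSE ps -q)" ]`. `DOCKER_COMPOSE` is intentionally left unquoted so that `docker compose` splits into two words; a `DOCKER_COMPOSE=(docker compose)` array invoked as `"${DOCKER_COMPOSE[@]}"` would make that explicit and survive ShellCheck, though that is a style choice. This looks like Harbor's upstream install.sh, so the same fix likely applies there.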


@ -57,7 +57,7 @@ docker run --rm -v $input_dir:/input \
-v $config_dir:/config \
-v /:/hostfs \
--privileged \
goharbor/prepare:v2.4.2 prepare $@
goharbor/prepare:v2.8.1 prepare $@
echo "Clean up the input dir"
# Clean up input dir


@ -1,12 +0,0 @@
#!/usr/bin/sh
. ./.secret.env
envsubst < harbor.template.yml > harbor.yml
docker-compose down -v
./prepare --with-trivy --with-chartmuseum
sed -i "s/^.*proxy_set_header X-Forwarded-Proto.*$//g" ./common/config/nginx/nginx.conf
docker-compose up -d


@ -33,7 +33,7 @@ check_url "hook.serguzim.me"
check_url "mail.serguzim.me"
check_url "msrg.cc"
check_url "prometheus.serguzim.me/-/healthy"
check_url "registry.serguzim.me"
check_url "registry.serguzim.me/account/sign-in"
check_url "rss.serguzim.me"
check_url "serguzim.me"
check_url "tick.serguzim.me"