Update harbor (now with certs)

.gitignore

@@ -1,4 +1,6 @@
 *.secret.env
 
+.lego/
+
 serguzim.net.png
 diagram_assets/

caddy/config/conf.002.d/registry.serguzim.me.conf

@@ -1,5 +1,12 @@
 registry.serguzim.me {
 	import default
-	reverse_proxy /metrics host.docker.internal:3029
-	reverse_proxy host.docker.internal:3021
+	reverse_proxy /metrics host.docker.internal:3059
+	reverse_proxy host.docker.internal:3051 {
+		transport http {
+			tls
+			tls_server_name registry.serguzim.me
+		}
+	}
+	#reverse_proxy /metrics https://registry.serguzim.me:3059
+	#reverse_proxy https://registry.serguzim.me:3051
 }

harbor/.gitignore

@@ -1,3 +1,4 @@
 common/
+data/
 docker-compose.yml
 harbor.yml

harbor/common.sh

@@ -103,14 +103,20 @@ function check_docker {
 }
 
 function check_dockercompose {
-	if ! docker-compose --version &> /dev/null
+	if [! docker compose version] &> /dev/null || [! docker-compose --version] &> /dev/null
 	then
-		error "Need to install docker-compose(1.18.0+) by yourself first and run this script again."
+		error "Need to install docker-compose(1.18.0+) or a docker-compose-plugin (https://docs.docker.com/compose/)by yourself first and run this script again."
 		exit 1
 	fi
 
-	# docker-compose has been installed, check its version
-	if [[ $(docker-compose --version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
+	# either docker compose plugin has been installed
+	if docker compose version &> /dev/null
+	then
+		note "$(docker compose version)"
+		DOCKER_COMPOSE="docker compose"
+
+	# or docker-compose has been installed, check its version
+	elif [[ $(docker-compose --version) =~ (([0-9]+)\.([0-9]+)([\.0-9]*)) ]]
 	then
 		docker_compose_version=${BASH_REMATCH[1]}
 		docker_compose_version_part1=${BASH_REMATCH[2]}

harbor/harbor.template.yml

@@ -7,15 +7,15 @@ hostname: registry.serguzim.me
 # http related config
 http:
   # port for http, default is 80. If https enabled, this port will redirect to https port
-  port: 3021
+  port: 3050
 
 # https related config
-#https:
+https:
 #  # https port for harbor, default is 443
-#  port: 3022
+  port: 3051
 #  # The path of cert and key files for nginx
-#  certificate: /data/cert/registry.serguzim.me.crt
-#  private_key: /data/cert/registry.serguzim.me.key
+  certificate: /opt/services/.lego/certificates/registry.serguzim.me.crt
+  private_key: /opt/services/.lego/certificates/registry.serguzim.me.key
 
 # # Uncomment following will enable tls communication between all harbor components
 # internal_tls:
@@ -33,18 +33,24 @@ external_url: https://registry.serguzim.me
 # Remember Change the admin password from UI after launching Harbor.
 harbor_admin_password: Harbor12345
 
-# # Harbor DB configuration
-# database:
-#   # The password for the root user of Harbor DB. Change this before any production use.
-#   password: root123
-#   # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
-#   max_idle_conns: 50
-#   # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
-#   # Note: the default number of connections is 1024 for postgres of harbor.
-#   max_open_conns: 1000
+# Harbor DB configuration
+database:
+  # The password for the root user of Harbor DB. Change this before any production use.
+  password: root123
+  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
+  max_idle_conns: 100
+  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
+  # Note: the default number of connections is 1024 for postgres of harbor.
+  max_open_conns: 900
+  # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
+  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+  conn_max_lifetime: 5m
+  # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
+  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+  conn_max_idle_time: 0
 
 # The default data volume
-data_volume: /var/lib/harbor
+data_volume: /opt/services/harbor/data/
 
 # Harbor Storage settings by default is using /data dir on local filesystem
 # Uncomment storage_service setting If you want to using external storage
@@ -76,6 +82,17 @@ trivy:
   # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
   skip_update: false
   #
+  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
+  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
+  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
+  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
+  # It would work if all the dependencies are in local.
+  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
+  offline_scan: false
+  #
+  # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
+  security_check: vuln
+  #
   # insecure The flag to skip verifying registry certificate
   insecure: false
   # github_token The GitHub access token to download Trivy DB
@@ -93,14 +110,14 @@ trivy:
 jobservice:
   # Maximum number of job workers in job service
   max_job_workers: 10
+  # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
+  logger_sweeper_duration: 1 #days
 
 notification:
   # Maximum retry count for webhook job
-  webhook_job_max_retry: 10
-
-chart:
-  # Change the value of absolute_url to enabled can enable absolute url in chart
-  absolute_url: disabled
+  webhook_job_max_retry: 3
+  # HTTP client timeout for webhook job
+  webhook_job_http_client_timeout: 3 #seconds
 
 # Log configurations
 log:
@@ -127,7 +144,7 @@ log:
   #   port: 5140
 
 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
-_version: 2.2.0
+_version: 2.8.0
 
 # Uncomment external_database if using external database.
 external_database:
@@ -140,35 +157,36 @@ external_database:
     ssl_mode: verify-full
     max_idle_conns: 2
     max_open_conns: 0
-  notary_signer:
-    host: db.serguzim.me
-    port: 5432
-    db_name: harbor_notary_signer
-    username: harbor
-    password: ${HARBOR_DATABASE_PASSWORD}
-    ssl_mode: verify-full
-  notary_server:
-    host: db.serguzim.me
-    port: 5432
-    db_name: harbor_notary_server
-    username: harbor
-    password: ${HARBOR_DATABASE_PASSWORD}
-    ssl_mode: verify-full
+#   notary_signer:
+#     host: notary_signer_db_host
+#     port: notary_signer_db_port
+#     db_name: notary_signer_db_name
+#     username: notary_signer_db_username
+#     password: notary_signer_db_password
+#     ssl_mode: disable
+#   notary_server:
+#     host: notary_server_db_host
+#     port: notary_server_db_port
+#     db_name: notary_server_db_name
+#     username: notary_server_db_username
+#     password: notary_server_db_password
+#     ssl_mode: disable
 
-# # Uncomment external_redis if using external Redis server
+# Uncomment external_redis if using external Redis server
 # external_redis:
 #   # support redis, redis+sentinel
 #   # host for redis: <host_redis>:<port_redis>
 #   # host for redis+sentinel:
 #   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
-#   host: localhost:6379
+#   host: redis:6379
 #   password: 
+#   # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
+#   # username:
 #   # sentinel_master_set must be set to support redis+sentinel
 #   #sentinel_master_set:
 #   # db_index 0 is for core, it's unchangeable
 #   registry_db_index: 1
 #   jobservice_db_index: 2
-#   chartmuseum_db_index: 3
 #   trivy_db_index: 5
 #   idle_timeout_seconds: 30
 
@@ -195,5 +213,58 @@ proxy:
 
 metric:
   enabled: enabled
-  port: 3029
+  port: 3059
   path: /metrics
+
+# Trace related config
+# only can enable one trace provider(jaeger or otel) at the same time,
+# and when using jaeger as provider, can only enable it with agent mode or collector mode.
+# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
+# if using jaeger agetn mode uncomment agent_host and agent_port
+# trace:
+#   enabled: true
+#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
+#   sample_rate: 1
+#   # # namespace used to differenciate different harbor services
+#   # namespace:
+#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
+#   # attributes:
+#   #   application: harbor
+#   # # jaeger should be 1.26 or newer.
+#   # jaeger:
+#   #   endpoint: http://hostname:14268/api/traces
+#   #   username:
+#   #   password:
+#   #   agent_host: hostname
+#   #   # export trace data by jaeger.thrift in compact mode
+#   #   agent_port: 6831
+#   # otel:
+#   #   endpoint: hostname:4318
+#   #   url_path: /v1/traces
+#   #   compression: false
+#   #   insecure: true
+#   #   timeout: 10s
+
+# Enable purge _upload directories
+upload_purging:
+  enabled: true
+  # remove files in _upload directories which exist for a period of time, default is one week.
+  age: 168h
+  # the interval of the purge operations
+  interval: 24h
+  dryrun: false
+
+# Cache layer configurations
+# If this feature enabled, harbor will cache the resource
+# `project/project_metadata/repository/artifact/manifest` in the redis
+# which can especially help to improve the performance of high concurrent
+# manifest pulling.
+# NOTICE
+# If you are deploying Harbor in HA mode, make sure that all the harbor
+# instances have the same behaviour, all with caching enabled or disabled,
+# otherwise it can lead to potential data inconsistency.
+cache:
+  # not enabled by default
+  enabled: false
+  # keep cache for one day by default
+  expire_hours: 24

harbor/install.sh

@@ -9,8 +9,8 @@ set +o noglob
 
 usage=$'Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
 Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. 
-Please set --with-trivy if needs enable Trivy in Harbor
-Please set --with-chartmuseum if needs enable Chartmuseum in Harbor'
+Please set --with-trivy if needs enable Trivy in Harbor.
+Please do NOT set --with-chartmuseum, as chartmusuem has been deprecated and removed.'
 item=0
 
 # notary is not enabled by default
@@ -19,8 +19,9 @@ with_notary=$false
 with_clair=$false
 # trivy is not enabled by default
 with_trivy=$false
-# chartmuseum is not enabled by default
-with_chartmuseum=$false
+
+# flag to using docker compose v1 or v2, default would using v1 docker-compose
+DOCKER_COMPOSE=docker-compose
 
 while [ $# -gt 0 ]; do
         case $1 in
@@ -33,8 +34,6 @@ while [ $# -gt 0 ]; do
             with_clair=true;;
             --with-trivy)
             with_trivy=true;;
-            --with-chartmuseum)
-            with_chartmuseum=true;;
             *)
             note "$usage"
             exit 1;;
@@ -80,22 +79,26 @@ if [ $with_trivy ]
 then
     prepare_para="${prepare_para} --with-trivy"
 fi
-if [ $with_chartmuseum ]
-then
-    prepare_para="${prepare_para} --with-chartmuseum"
-fi
 
 ./prepare $prepare_para
 echo ""
 
-if [ -n "$(docker-compose ps -q)"  ]
-then
-    note "stopping existing Harbor instance ..." 
-    docker-compose down -v
+if [ -n "$DOCKER_COMPOSE ps -q"  ]
+    then
+        note "stopping existing Harbor instance ..." 
+        $DOCKER_COMPOSE down -v
 fi
 echo ""
 
 h2 "[Step $item]: starting Harbor ..."
-docker-compose up -d
+if [ $with_notary ]
+then
+    warn "
+    Notary will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
+    You can use cosign for signature instead since Harbor v2.5.0.
+    Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/16612"
+fi
+
+$DOCKER_COMPOSE up -d
 
 success $"----Harbor has been installed and started successfully.----"

harbor/prepare

@@ -57,7 +57,7 @@ docker run --rm -v $input_dir:/input \
                     -v $config_dir:/config \
                     -v /:/hostfs \
                     --privileged \
-                    goharbor/prepare:v2.4.2 prepare $@
+                    goharbor/prepare:v2.8.1 prepare $@
 
 echo "Clean up the input dir"
 # Clean up input dir

harbor/restart

@@ -1,12 +0,0 @@
-#!/usr/bin/sh
-
-. ./.secret.env
-envsubst < harbor.template.yml > harbor.yml
-
-docker-compose down -v
-
-./prepare --with-trivy --with-chartmuseum
-
-sed -i "s/^.*proxy_set_header X-Forwarded-Proto.*$//g" ./common/config/nginx/nginx.conf 
-
-docker-compose up -d

healthcheck/data/http

@@ -33,7 +33,7 @@ check_url "hook.serguzim.me"
 check_url "mail.serguzim.me"
 check_url "msrg.cc"
 check_url "prometheus.serguzim.me/-/healthy"
-check_url "registry.serguzim.me"
+check_url "registry.serguzim.me/account/sign-in"
 check_url "rss.serguzim.me"
 check_url "serguzim.me"
 check_url "tick.serguzim.me"