Fixes#14932
Harbor recompiles the notary v0.6.1 with go 1.15 from v2.2.0, which introduces an break change that leads to notary key not found after migration.
[Root cause]
Notary v0.6.1 consumed an old version dvsekhvalnov/jose2, which is not compatible with go 1.15.
[References]
https://github.com/dvsekhvalnov/jose2go/issues/26https://github.com/golang/go/issues/41089
[Resolve]
To resolve this issue, we have to roll back go vesrion to v1.14 for notary v0.6.1 binary and keep it until upstream have a patch release to support go 1.15 or above.
[Break change]
If you pushed and signed image using Harbor v2.2.0 ~ v2.2.2 and created new repository key in notary, you will encouter the same issue after migrate to v2.2.3(or above) or v2.3.1(or above) because of the go version downgrade. We will have a FAQ to help you to resovle this particular scenario.
The influence path of the particular case:
Harbor v2.1.0(or lower) --> [v2.2.0 ~ v2.2.2] --> v2.2.3(or above)
Harbor v2.1.0(or lower) --> v2.3.0 --> v2.3.1(or above)
The non influence path of the paticular case:
Harbor v2.1.0(or lower) --> v2.2.3(or above)
Harbor v2.1.0(or lower) --> v2.3.1(or above)
[Fix in Version]
Harbor v2.2.3 or above
Harbor v2.3.1 or above
[Note]
If you're a heavy user of notary, avoid using v2.2.0, v2.2.1, v2.2.2 and v2.3.0, and use the fixed version for instead.
Signed-off-by: Wang Yan <wangyan@vmware.com>
The transaction will be aborted when get errors during the execution which causes the following sqls report error.
This commit moves the re-getting artifact logic out of the second transaction to avoid the concurrent pushing issue
Signed-off-by: Wenkai Yin <yinw@vmware.com>
Remove build base executable in Makefile by replacing it as an input parameter.
Add add more input parameters for controlling docker pull/push to make
build base process flexible for users.
Signed-off-by: danfengliu <danfengl@vmware.com>
Improve the performance of artifact related APIs by adding indexes and refactoring sql logic
Closes#13890#14813#14814
Signed-off-by: Wenkai Yin <yinw@vmware.com>
Fixes#14822
When upstream registry not working, but status might stay healthy because the health check interval is 5 minutes, if a pull request comes before registry status turns to unhealthy, the proxy cache middleware might proxy the request to the upstream registry and get a 401 error and this 401 error might translate to a http 500 error to the client eventually.
To solve this issue, it fall back all error to local registry when proxying manifest except the NotFoundError from the local registry.
Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit enhances the v2auth middleware, such that any un-recognized
request sent to /v2/ will be blocked.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
There are code in the core component to conditionally execute code based
on the pattern of url path, and different ingress controller or reverse
proxy may handle the dup slashes in the url path differently.
This commit merge dup slashes in the url paths to make things more
consistent.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
perf: cache the metadata of the scanner
1. Cache the metadata of scanner 30s.
2. Change the scanner client request timeout to 5s.
Signed-off-by: He Weiwei <hweiwei@vmware.com>
DB transaction failure may break the loop query of the artifacts, the
result is that not all artifacts are scanned in one scan all job. Using
a new DB connection to call the Scan method of the controller to avoid
this problem.
Signed-off-by: He Weiwei <hweiwei@vmware.com>
When the core service cannot response the checkin request in time, duplicated execution records may be created, this commit introduces the revision column to make sure there is only one record for one schedule trigger
Signed-off-by: Wenkai Yin <yinw@vmware.com>
1. Limit API qps for the adapter.
2. Allow set qps via env.
3. Fix Tencnet SDK pagenation.
4. Fix resource filter.
Signed-off-by: fanjiankong <fanjiankong@tencent.com>
1. Add manifest and CNAB replication tests;
2. Duplicate ORAS and sigularity tests from API test to nightly common
tests;
3. Optimize get dns code in CI;
4. Optimize E2E dockerfile;
5. Sample image size should be cover requirement for large size like 512M.
Signed-off-by: danfengliu <danfengl@vmware.com>
1. Add build base image step in build package git action workflow;
2. Add build base step to UT test in CI, base image used by UI test should be built before building harbor image in the same runtime;
3. In build package workflow, trigger build base image step in condition of changing both in
Dockerfile.base and VERSION;
4. Add tag for setup nightly test.
Signed-off-by: danfengliu <danfengl@vmware.com>
If authenticator does not support searching user/group, wraps it as a
not found error, such that the API will return 404 rather than confusing
500.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit adds the attribute "http_authproxy_admin_usernames", which
is string that contains usernames separated by comma, when a user logs
in and the username in the tokenreview status matches the setting of
this attribute, the user will have administrator permission.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>