chore: upgrade harbor to v2.14.1 #121
- chore: [DEVOPS-40213] specify golang version for registry
- chore: [DEVOPS-40213] specify golang version for registry
- chore: [DEVOPS-40213] bump swagger to v0.33.1
- chore: [DEVOPS-40213] remove useless codes
- chore: [DEVOPS-40213] remove gen-apis in compile_core
|
/all-in-one |
|
/test harbor-integration-test |
| TRIVY_VERSION=v0.62.2-alauda-25 | ||
| TRIVY_VERSION=v0.66.1-alauda-1 | ||
| # renovate: datasource=github-releases depName=harbor-scanner-trivy packageName=AlaudaDevops/harbor-scanner-trivy | ||
| TRIVY_ADAPTER_VERSION=v0.33.2-alauda-16 | ||
| TRIVY_ADAPTER_VERSION=v0.34.2-alauda-1 |
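Review bot: The new pins TRIVY_VERSION=v0.66.1-alauda-1 and TRIVY_ADAPTER_VERSION=v0.34.2-alauda-1 do not match the versions named in the comment on this hunk (trivy v0.66.0 and trivy-adapter v0.34.1, fork branches alauda-v0.66.0 and alauda-v0.34.1). Please state in the PR which fork branch each tag was cut from, so the pinned scanner versions can be checked against the dependency matrix. Only TRIVY_ADAPTER_VERSION has a `# renovate:` annotation in the visible lines; if TRIVY_VERSION has none above it, add one so both pins are tracked.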
Following the harbor v2.14 dependency matrix, this upgrade adds the corresponding new versions to our fork repositories:
- trivy v0.66.0, fork repository: https://github.com/AlaudaDevops/trivy/tree/alauda-v0.66.0
- trivy-adapter v0.34.1, fork repository: https://github.com/AlaudaDevops/harbor-scanner-trivy/tree/alauda-v0.34.1
| sed -i 's/node:16.18.0/docker-mirrors.alauda.cn\/library\/node:16.18.0/' $1"/"$file | ||
|
|
||
| echo $1"/"$file | ||
| elif [[ $file == "docker-healthcheck.sh" ]] | ||
| then | ||
| sed -i '/host=/ s/$/\nhost="${host%%[[:space:]]*}"/' $1"/"$file | ||
| fi | ||
| done | ||
| } | ||
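Review bot: In the docker-healthcheck.sh branch, the sed address `/host=/` is unanchored and the line it appends itself contains `host=`, so a second run over the same tree appends the trimming line again after both lines. Guard the edit with a grep for the inserted line before running sed, and quote the path as "$1/$file" so a directory name with spaces does not split into two arguments.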
|
|
||
| change_base_image "make/photon" | ||
|
|
||
| # swagger | ||
|
|
||
| # renovate: datasource=golang-version depName=go | ||
| export GOLANG_IMAGE_VERSION=1.25.5 | ||
|
|
||
| sed -i 's/node:16.18.0/docker-mirrors.alauda.cn\/library\/node:16.18.0/' "Makefile" |
In harbor v2.14, the node image is now maintained in the Makefile.
| sed -i 's/BUILDBIN=true/BUILDBIN=false/g' "Makefile" | ||
| sed -i 's/BUILDREG=true/BUILDREG=false/g' "Makefile" | ||
| sed -i 's/BUILDTRIVYADP=true/BUILDTRIVYADP=false/g' "Makefile" |
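Review bot: The sed rewrites of "Makefile" (the node:16.18.0 mirror substitution and the BUILDBIN, BUILDREG and BUILDTRIVYADP flips) exit 0 even when the pattern no longer matches, so an upstream rename or a node version bump would silently leave the default registry image or a BUILD*=true setting in place. Follow each sed with a `grep -q` for the expected result and fail the script when it is missing.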
harbor v2.14 splits the control of whether registry and trivy-adapter are built into two separate variables.
| "sync" | ||
|
|
||
| "github.com/gorilla/csrf" | ||
| csrf "filippo.io/csrf/gorilla" |
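Review bot: The import swap keeps the package name csrf through an alias, so every call site compiles unchanged and nothing in this hunk shows that the middleware still rejects cross-site state-changing requests. Please point to, or add, a test that sends such a request without valid CSRF credentials and expects a rejection, and confirm that go.mod pins the filippo.io/csrf version named in the upstream PR.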
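github.com/gorilla/csrf has unfixed vulnerabilities; the official Go recommendation is to replace it with filippo.io/csrf/gorilla.
We previously reported this issue to the community and submitted a PR; the community's response was that they would wait a while longer to see whether github.com/gorilla/csrf releases a new version that resolves it. As of now, the community has still not fixed the issue (I asked about the latest progress in the issue and have not received a reply yet):
- PR: fix: replace github.com/gorilla/csrf v1.7.2 to filippo.io/csrf v0.2.1 goharbor/harbor#22313
- issue: Mitigate CVE-2025-24358 and CVE-2025-47909 by migrating from github.com/gorilla/csrf to filippo.io/csrf/gorilla goharbor/harbor#22312
We previously replaced this dependency ourselves in v2.12.4, and we continue to replace it in v2.14.1; we will keep following the community's progress.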
|
|
||
| Get Harbor Version | ||
| ${rc} ${output}= Run And Return Rc And Output curl -k -X GET --header 'Accept: application/json' '${protocol}://${ip}/api/v2.0/systeminfo'|grep -i harbor_version | ||
| ${rc} ${output}= Run And Return Rc And Output curl -k -X GET -u admin:%{HARBOR_PASSWORD} --header 'Accept: application/json' '${protocol}://${ip}/api/v2.0/systeminfo'|grep -i harbor_version |
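Review bot: The added `-u admin:%{HARBOR_PASSWORD}` puts the admin password on the curl command line, where it is visible in the process list and can end up in the Robot log, and the same call keeps `-k`, so the Basic credentials are sent without verifying the server certificate. Consider supplying the credentials through a curl config read from stdin (`-K -`) or a netrc file, and dropping `-k` where the test environment has a trusted CA.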
In harbor's /api/v2.0/systeminfo API, some fields are accessible only after login.
In v2.14, the harbor_version field in this API was also placed within the login-only protected scope.
- issue: Not allow unregistered user to read the "about" information from the Harbor UI goharbor/harbor#21152
- PR: remove version info for anonymous users goharbor/harbor#21672
This change may affect the v3 ares test scripts; whether it will affect v3 functionality needs follow-up analysis: https://jira.alauda.cn/browse/DEVOPS-43068
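The behaviour described in the comment above can be pinned with a regression check that queries the endpoint both anonymously and with credentials. This is an added example, not code from the PR or from Harbor; `FakeHarbor`, its password and the `auth_mode` sample field are constructed stand-ins so the check runs offline.

```python
import base64, json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED_FIELDS = ("harbor_version",)  # login-only in v2.14 per the comment
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def fetch_systeminfo(base_url, user=None, password=None):
    """GET /api/v2.0/systeminfo, with HTTP Basic auth if a user is given."""
    req = urllib.request.Request(base_url + "/api/v2.0/systeminfo",
                                 headers={"Accept": "application/json"})
    if user is not None:
        req.add_header("Authorization", basic(user, password))
    with DIRECT.open(req, timeout=5) as resp:
        return json.load(resp)

def check_exposure(base_url, user, password):
    """Return (fields leaked to anonymous callers, fields missing after login)."""
    anon = fetch_systeminfo(base_url)
    authed = fetch_systeminfo(base_url, user, password)
    return ([f for f in PROTECTED_FIELDS if f in anon],
            [f for f in PROTECTED_FIELDS if f not in authed])

class FakeHarbor(BaseHTTPRequestHandler):
    """Constructed stand-in for a Harbor instance, not Harbor's own code."""
    hide_version = True  # False emulates a server that still exposes the field

    def do_GET(self):
        body = {"auth_mode": "db_auth"}  # constructed sample field
        expected = basic("admin", "constructed-pw")
        if self.headers.get("Authorization") == expected or not self.hide_version:
            body["harbor_version"] = "v2.14.1"
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

def run_against_fake(hide_version, password="constructed-pw"):
    """Serve FakeHarbor on a free localhost port and run the check against it."""
    handler = type("Handler", (FakeHarbor,), {"hide_version": hide_version})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_exposure(f"http://127.0.0.1:{server.server_port}", "admin", password)
    finally:
        server.shutdown()
        server.server_close()
```

Against a real instance, `check_exposure` takes the registry's base URL and a test account; a non-empty first list means a protected field is readable without login, and a non-empty second list means the test credentials did not unlock it.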
| @$(MAKEPATH)/$(CHECKENVCMD) | ||
|
|
||
| compile_core: lint_apis gen_apis | ||
| compile_core: |
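Review bot: Dropping both prerequisites from compile_core also drops lint_apis, and with gen_apis gone nothing in the build checks that the committed generated code still matches the swagger spec. Keep lint_apis on the target, or add a CI job that runs gen_apis and fails on a non-empty git diff.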
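Some of the code in harbor is generated automatically by gen_apis, which causes go mod tidy to fail when renovate runs it while fixing vulnerabilities. To solve this, the code was previously generated and committed directly to the repository.
So the code-generation step can be removed when compiling core, which improves image build efficiency.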
|
/test harbor-integration-test |
|
/ready |
8c580c7
into
AlaudaDevops:alauda-1.18
|
🎉 PR Successfully Merged! Merge details:
Approvers:
Thank you to all reviewers! 🙏 |


This upgrade involves: