harbor-boshrelease icon indicating copy to clipboard operation
harbor-boshrelease copied to clipboard

Published 20 hours ago verified publisher icon vmware

Disable redirect for S3 storage backend

Open supp429 opened this issue 7 years ago • 10 comments

We ran into an issue while deploying the harbor container registry using s3 as the storage backend. Our S3 buckets are locked down to allow only authorized sts/iam profiles to connect to them. To make it work, we need to disable redirect for the storage backend as documented here https://docs.docker.com/registry/configuration/#redirect

Issue:

While pushing an image using docker push, it fails with an EOF error.

Temporary workaround:

Manually updating the /var/vcap/jobs/harbor/packages/harbor-app/common/templates/registry/config.yml file as shown below and restarting the harbor job allows pushing images to the registry.

storage:
  cache:
    layerinfo: inmemory
  s3:
    region:  *****
    bucket: **********
    encrypt: true
    secure: true
    chunksize: 5242880
    rootdirectory: /harbor-container-registry
  maintenance:
    uploadpurging:
      enabled: false
  delete:
    enabled: true
  redirect:
    disable: true

Is this something that can be implemented by just updating the bosh release or require changes to the harbor package itself?

supp429 avatar Jun 26 '18 15:06 supp429

Hey @jessehu - just wondering if the above could be implemented in the harbor bosh release? or if it would require an update on the actual harbor package?

Thanks

robbo10 avatar Jul 04 '18 09:07 robbo10

Thanks @suppalapati13 @robbo10 for reporting this issue. Sorry for the late response. The harbor binary does not expose the config for 'redirect: disable: true' in harbor.cfg. For now I think we can add a config (e.g. registry_storage_provider.s3.redirect.disable) in the harbor job spec, and in 'pre-start.erb' do a 'sed' for /var/vcap/jobs/harbor/packages/harbor-app/common/templates/registry/config.yml to add 'redirect: disable: true' into it. Does it make sense?

jessehu avatar Jul 04 '18 10:07 jessehu

@jessehu That makes sense thanks, we can look into making that change.

robbo10 avatar Jul 05 '18 09:07 robbo10

Thanks! Any contribution to this project are appreciated.

jessehu avatar Jul 05 '18 09:07 jessehu

@jessehu - We have submitted a PR to correct the above issue 👍

robbo10 avatar Jul 06 '18 12:07 robbo10

@robbo10 Added a comment to the PR. Thanks very much for the contribution.

jessehu avatar Jul 07 '18 08:07 jessehu

@jessehu - would it be possible to merge the PR?

Thanks

robbo10 avatar Jul 09 '18 09:07 robbo10

@robbo10 Almost. please take a look at the comments on the PR.

jessehu avatar Jul 09 '18 10:07 jessehu

@jessehu - regarding the license agreement? this has been signed 😄

robbo10 avatar Jul 09 '18 11:07 robbo10

@robbo10 please check https://github.com/vmware/harbor-boshrelease/pull/16#pullrequestreview-135197707. Looks like I didn't click 'Submit Review' :)

jessehu avatar Jul 09 '18 14:07 jessehu