diff --git a/.github/workflows/netlify.yml b/.github/workflows/netlify.yml deleted file mode 100644 index bc4b13fe0..000000000 --- a/.github/workflows/netlify.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: Build and Deploy to Netlify -on: - push: - paths: - - 'docs/**' - branches: - - master -jobs: - build: - runs-on: ubuntu-18.04 - steps: - - name: Deploy new-site to Netlify - run: curl -X POST -d {} ${{ secrets.NETLIFY_BUILD_HOOK }} diff --git a/ADOPTERS.md b/ADOPTERS.md index fcb8b98f3..08ba5da0b 100644 --- a/ADOPTERS.md +++ b/ADOPTERS.md @@ -1,4 +1,5 @@ # Harbor Adopters + Below is a list of adopters of Harbor in **production environments** that have publicly shared the details of their usage as well as the benefits provided by Harbor that their business relies on. There are some unreferenceable users that @@ -8,34 +9,35 @@ publicly at this time. There are many additional adopters of Harbor in the evaluating phase that will be added to this list as they transition to production deployments. -JD.com      -trendmicro        -DataYes        -axatp       

-360 Total Security      -talkingdata        -BoerSmart        -OpenEdutainment        -iFRE       

-BOCOIT        -wise2c        -HYDSoft        -CloudStar        -BeyondSoft        -ChinaMobile        -CaiCloud        -Rancher        -TenxCloud        -BingoCloud        +JD.com      +trendmicro        +DataYes        +axatp       

+360 Total Security      +talkingdata        +BoerSmart        +OpenEdutainment        +iFRE       

+BOCOIT        +wise2c        +HYDSoft        +CloudStar        +BeyondSoft        +ChinaMobile        +CaiCloud        +Rancher        +TenxCloud        +BingoCloud       

-SlamTec        -CloudChef        -Pivotal        -Netease Cloud        -Yanrongyun        -Anchore        +SlamTec        +CloudChef        +Pivotal        +Netease Cloud        +Yanrongyun        +Anchore        ## Success Stories + **JD.com:** Harbor is the registry service of JD.com’s JDOS platform. Harbor has been used for over 2 years in production with tens of thousands of nodes and managing millions of container images. @@ -82,5 +84,6 @@ feature within Harbor before deploying images into production. and scan customized container images for different business applications, like ELK stack, as part of their CI/CD pipeline. -# Adding a logo -If you would like to add your logo to the `Users and Partners of Harbor` section of the website, add a PNG version of your logo to the docs/img/adopters directory in this repo and submit a pull request with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). We will follow up and make the change in the goharbor.io website as well. +## Adding your logo + +If you would like to add your logo here and to the `Users and Partners of Harbor` section of the website, add a PNG or SVG version of your logo to the [adopters](https://github.com/goharbor/website/tree/master/docs/img/adopters) directory of the [website](https://github.com/goharbor/website) and submit a pull request with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). We will follow up and make the change in the goharbor.io website as well. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b86187f1e..755fddf8f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -43,7 +43,7 @@ git fetch $USER ``` **NOTES:** Note that GOPATH can be any directory, the example above uses $HOME/go. Change $USER above to your own GitHub username. -To build the project, please refer the [build](docs/build-customize-contribute/compile-guide.md) guideline. +To build the project, please refer the [build](https://goharbor.io/docs/2.0.0/build-customize-contribute/compile-guide/) guideline. ### Repository Structure @@ -52,7 +52,6 @@ Here is the basic structure of the harbor code base. Some of the key folders / f . ... ├── contrib # Contain documents, scripts, and other helpful things which are contributed by the community -├── docs # Keep documents here ├── make # Resource for building and setting up Harbor environment ... ├── src # Source code folder @@ -170,8 +169,7 @@ cd $REPO_DIR/src/portal/lib npm install ``` - -To run the code, please refer to the [build](docs/compile_guide.md) guideline. +To run the code, please refer to the [build](https://goharbor.io/docs/2.0.0/build-customize-contribute/compile-guide/) guideline. ## Contribute Workflow @@ -181,9 +179,6 @@ Please submit a PR broken down into small changes bit by bit. A PR consisting of Note: If you split your pull request to small changes, please make sure any of the changes goes to master will not break anything. Otherwise, it can not be merged until this feature complete. -The graphic shown below describes the overall workflow about how to contribute code to Harbor repository. -![contribute workflow](docs/img/workflow.png) - ### Fork and clone Fork the Harbor repository and clone the code to your local workspace. Per Go's [workspace instructions](https://golang.org/doc/code.html#Workspaces), place Harbor's code on your `GOPATH`. Refer to section [Fork Repository](#fork-repository) for details. @@ -252,7 +247,7 @@ Run UI library test cases: npm run test ``` -To build the code, please refer to [build](docs/build-customize-contribute/compile-guide.md) guideline. +To build the code, please refer to [build](https://goharbor.io/docs/2.0.0/build-customize-contribute/compile-guide/) guideline. ### Keep sync with upstream @@ -336,9 +331,9 @@ Be sure to include the steps to reproduce the problem if applicable. It can help Update the documentation if you are creating or changing features. Good documentation is as important as the code itself. -The main location for the document is the `docs/` folder. The images referred in documents can be placed in `docs/img`. +The main location for the documentation is the [website repository](https://github.com/goharbor/website). The images referred to in documents can be placed in `docs/img` in that repo. -Documents are written with Markdown text. See [Writing on GitHub](https://help.github.com/categories/writing-on-github/) for more details. +Documents are written with Markdown. See [Writing on GitHub](https://help.github.com/categories/writing-on-github/) for more details. ## Design new features diff --git a/README.md b/README.md index 30b118367..cc871ff1c 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ ![CONFORMANCE_TEST](https://github.com/goharbor/harbor/workflows/CONFORMANCE_TEST/badge.svg)
-|![notification](docs/img/readme/bell-outline-badged.svg)Community Meeting| +|![notification](https://raw.githubusercontent.com/goharbor/website/master/docs/img/readme/bell-outline-badged.svg)Community Meeting| |------------------| |The Harbor Project holds bi-weekly community calls in two different timezones. To join the community calls or to watch previous meeting notes and recordings, please visit the [meeting schedule](https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md).| @@ -19,7 +19,7 @@ **Note**: The `master` branch may be in an *unstable or even broken state* during development. Please use [releases](https://github.com/vmware/harbor/releases) instead of the `master` branch in order to get a stable set of binaries. -Harbor +Harbor Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing. @@ -39,7 +39,7 @@ Harbor is hosted by the [Cloud Native Computing Foundation](https://cncf.io) (CN * **Graphical user portal**: User can easily browse, search repositories and manage projects. * **Auditing**: All the operations to the repositories are tracked through logs. * **RESTful API**: RESTful APIs are provided to facilitate administrative operations, and are easy to use for integration with external systems. An embedded Swagger UI is available for exploring and testing the API. -* **Easy deployment**: Harbor can be deployed via Docker compose as well Helm Chart. A Harbor Operator was added recently as well - https://goharbor.io/docs/1.10/build-customize-contribute/e2e_api_python_based_scripting_guide/ +* **Easy deployment**: Harbor can be deployed via Docker compose as well Helm Chart. A Harbor Operator was added recently as well - https://goharbor.io/docs/2.0.0/build-customize-contribute/e2e_api_python_based_scripting_guide/ ## Architecture @@ -57,11 +57,11 @@ For learning the architecture design of Harbor, check the document [Architecture **On a Linux host:** docker 17.06.0-ce+ and docker-compose 1.18.0+ . -Download binaries of **[Harbor release ](https://github.com/vmware/harbor/releases)** and follow **[Installation & Configuration Guide](docs/install-config/_index.md)** to install Harbor. +Download binaries of **[Harbor release ](https://github.com/vmware/harbor/releases)** and follow **[Installation & Configuration Guide](https://goharbor.io/docs/2.0.0/install-config/)** to install Harbor. If you want to deploy Harbor on Kubernetes, please use the **[Harbor chart](https://github.com/goharbor/harbor-helm)**. -Refer to **[User Guide](docs/user_guide.md)** for more details on how to use Harbor. +Refer to the **[documentation](https://goharbor.io/docs/)** for more details on how to use Harbor. ## OCI Distribution Conformance Tests @@ -69,11 +69,11 @@ Check the OCI distribution conformance tests [report](https://storage.googleapis ## Compatibility -The [compatibility list](./docs/install-config/harbor-compatibility-list.md) document provides compatibility information for the Harbor components. +The [compatibility list](https://goharbor.io/docs/2.0.0/install-config/harbor-compatibility-list/) document provides compatibility information for the Harbor components. -* [Replication adapters](./docs/install-config/harbor-compatibility-list.md#Replication-Adapters) -* [OIDC adapters](./docs/install-config/harbor-compatibility-list.md#OIDC-Adapters) -* [Scanner adapters](./docs/install-config/harbor-compatibility-list.md#Scanner-Adapters) +* [Replication adapters](https://goharbor.io/docs/2.0.0/install-config/harbor-compatibility-list/#replication-adapters) +* [OIDC adapters](https://goharbor.io/docs/2.0.0/install-config/harbor-compatibility-list/#oidc-adapters) +* [Scanner adapters](https://goharbor.io/docs/2.0.0/install-config/harbor-compatibility-list/#scanner-adapters) ## Community @@ -84,7 +84,7 @@ The [compatibility list](./docs/install-config/harbor-compatibility-list.md) doc ## Demos -* **[Live Demo](https://demo.goharbor.io)** - A demo environment with the latest Harbor stable build installed. For additional information please refer to [this page](docs/demo_server.md). +* **[Live Demo](https://demo.goharbor.io)** - A demo environment with the latest Harbor stable build installed. For additional information please refer to [this page](https://goharbor.io/docs/2.0.0/install-config/demo-server/). * **[Video Demos](https://github.com/goharbor/harbor/wiki/Video-demos-for-Harbor)** - Demos for Harbor features and continuously updated. ## Partners and Users @@ -95,7 +95,7 @@ For a list of users, please refer to [ADOPTERS.md](ADOPTERS.md). ### Security Audit -A third party security audit was performed by Cure53 in October of 2019. You can see the full report [here](docs/security/Harbor_Security_Audit_Oct2019.pdf). +A third party security audit was performed by Cure53 in October of 2019. You can see the full report [here](https://goharbor.io/docs/2.0.0/security/Harbor_Security_Audit_Oct2019.pdf). ### Reporting security vulnerabilities diff --git a/docs/.installation_guide.md.swp b/docs/.installation_guide.md.swp deleted file mode 100644 index cb280f3dc..000000000 Binary files a/docs/.installation_guide.md.swp and /dev/null differ diff --git a/docs/1.10/.README.md.swp b/docs/1.10/.README.md.swp deleted file mode 100644 index f59005c00..000000000 Binary files a/docs/1.10/.README.md.swp and /dev/null differ diff --git a/docs/README.md b/docs/README.md index 308d60084..66bca50dd 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,90 +1,5 @@ -Harbor Documentation +# Harbor Documentation -This is the main table of contents for the Harbor 1.10.x documentation. +All Harbor documentation is presented on [goharbor.io/docs](https://goharbor.io/docs). -## Harbor Installation and Configuration - -This section describes how to install Harbor and perform the required initial configurations. These day 1 operations are performed by the Harbor Administrator. - -- [Introduction](install-config/_index.md) -- [Test Harbor with the Demo Server](install-config/demo-server.md) -- [Harbor Compatibility List](install-config/harbor-compatibility-list.md) -- [Harbor Installation Prerequisites](install-config/installation-prereqs.md) -- [Download the Harbor Installer](install-config/download-installer.md) -- [Configure HTTPS Access to Harbor](install-config/configure-https.md) -- [Configure the Harbor YML File](install-config/configure-yml-file.md) -- [Run the Installer Script](install-config/run-installer-script.md) -- [Deploying Harbor with High Availability via Helm](install-config/harbor-ha-helm.md) -- [Deploy Harbor with the Quick Installation Script](install-config/quick-install-script.md) -- [Troubleshooting Harbor Installation](install-config/troubleshoot-installation.md) -- [Reconfigure Harbor and Manage the Harbor Lifecycle](install-config/reconfigure-manage-lifecycle.md) -- [Customize the Harbor Token Service](install-config/customize-token-service.md) -- [Configure Harbor User Settings at the Command Line](install-config/configure-user-settings-cli.md) - -## Harbor Administration - -This section describes how to use and maintain Harbor after deployment. These day 2 operations are performed by the Harbor Administrator. - -- [Introduction](administration/_index.md) -- [Configuring Authentication](administration/configure-authentication/_index.md) - - [Configure Database Authentication](administration/configure-authentication/db-auth.md) - - [Configure LDAP/Active Directory Authentication](administration/configure-authentication/ldap-auth.md) - - [Configure OIDC Provider Authentication](administration/configure-authentication/oidc-auth.md) -- [Managing Users](administration/managing-users/_index.md) - - [User Permissions By Role](administration/managing-users/user-permissions-by-role.md) - - [Create User Accounts in Database Mode](administration/managing-users/create-users-db.md) -- [Configure Global Settings](administration/general-settings/_index.md) -- [Configure Project Quotas](administration/configure-project-quotas/_index.md) -- [Configuring Replication](administration/configuring-replication/_index.md) - - [Create Replication Endpoints](administration/configuring-replication/create-replication-endpoints.md) - - [Create Replication Rules](administration/configuring-replication/create-replication-rules.md) - - [Manage Replications](administration/configuring-replication/manage-replications.md) -- [Vulnerability Scanning](administration/vulnerability-scanning/_index.md) - - [Connect Harbor to Additional Vulnerability Scanners](administration/vulnerability-scanning/pluggable-scanners.md) - - [Scan Individual Images](administration/vulnerability-scanning/scan-individual-image.md) - - [Scan All Images](administration/vulnerability-scanning/scan-all-images.md) - - [Schedule Scans](administration/vulnerability-scanning/schedule-scans.md) - - [Import Vulnerability Data to an Offline Harbor instance](administration/vulnerability-scanning/import-vulnerability-data.md) - - [Configure System-Wide CVE Allowlists](administration/vulnerability-scanning/configure-system-allowlist.md) -- [Garbage Collection](administration/garbage-collection/_index.md) -- [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade-migrate-data.md) - - [Upgrading Harbor Deployed with Helm](administration/upgrade/helm-upgrade.md) - - [Roll Back an Upgrade](administration/upgrade/roll-back-upgrade.md) - - [Test Harbor Upgrade](administration/upgrade/upgrade-test.md) - -## Working with Harbor Projects - -This section describes how users with the developer, master, and project administrator roles manage and participate in Harbor projects. - -- [Introduction](working-with-projects/_index.md) -- [Create Projects](working-with-projects/create-projects/_index.md) - - [Assign Users to a Project](working-with-projects/add-users.md) -- [Project Configuration](working-with-projects/project-configuration/_index.md) - - [Access and Search Project Logs](working-with-projects/access-project-logs.md) - - [Create Robot Accounts](working-with-projects/create-robot-accounts.md) - - [Configure Webhook Notifications](working-with-projects/configure-webhooks.md) - - [Configure a Per-Project CVE Allowlist](working-with-projects/configure-project-allowlist.md) - - [Implementing Content Trust](working-with-projects/implementing-content-trust.md) -- [Working with Images, Tags, and Helm Charts](working-with-projects/working-with-images.md) - - [Pulling and Pushing Images](working-with-projects/pulling-pushing-images.md) - - [Create Labels](working-with-projects/create-labels.md) - - [Retag Images](working-with-projects/retagging-images.md) - - [Create Tag Retention Rules](working-with-projects/create-tag-retention-rules.md) - - [Create Tag Immutability Rules](working-with-projects/create-tag-immutability-rules.md) - - [Manage Kubernetes Packages with Helm Charts](working-with-projects/managing-helm-charts.md) -- [Using API Explorer](working-with-projects/using-api-explorer/_index.md) - -## Build, Customize, and Contribute to Harbor - -This section describes how developers can build from Harbor source code, customize their deployments, and contribute to the open-source Harbor project. - -- [Build Harbor from Source Code](build-customize-contribute/compile-guide.md) -- [Developing the Harbor Frontend](build-customize-contribute/ui-contribution-get-started.md) -- [Customize the Harbor Look & Feel ](build-customize-contribute/customize-look-feel.md) -- [Developing for Internationalization](build-customize-contribute/developer-guide-i18n.md) -- [Using Make](build-customize-contribute/use-make.md) -- [View and test Harbor REST API via Swagger](build-customize-contribute/configure-swagger.md) -- [Registry Landscape](build-customize-contribute/registry-landscape.md) -- [E2E Test Scripting Guide](build-customize-contribute/e2e_api_python_based_scripting_guide.md) - -See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community). +To contribute to the documentation, please head over to the [website repository](https://github.com/goharbor/website). diff --git a/docs/_index.md b/docs/_index.md deleted file mode 100644 index d979a463f..000000000 --- a/docs/_index.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: Harbor 2.0 Documentation ---- - -Welcome to the Harbor 2.0.x documentation. This documentation includes all of the information that you need to install, configure, and use Harbor. - -## Harbor Installation and Configuration - -This section describes how to install Harbor and perform the required initial configuration. These day 1 operations are performed by the Harbor Administrator. [Read more](install-config/_index.md) - -## Harbor Administration - -This section describes how to use and maintain your Harbor registry instance after deployment. These day 2 operations are performed by the Harbor Administrator. [Read more](administration/_index.md) - -## Working with Harbor Projects - -This section describes how users with the developer, master, and project administrator roles manage users, and create, configure, and participate in Harbor projects. [Read more](working-with-projects/_index.md) - -## Building, Customizing, and Contributing to Harbor - -This section describes how developers can build from Harbor source code, customize their deployments, and contribute to the open-source Harbor project. [Read more](build-customize-contribute/_index.md) - -## Access the Documentation Source Files - -The source files for this documentation set are located in the [Harbor repository on Github](https://github.com/goharbor/harbor/tree/release-2.0.0/docs). - -For versions of the docs before 2.0.x, go to the [`docs` folder in the Github repository](https://github.com/goharbor/harbor/tree/master/docs) and select the appropriate `release-1.xx.x` branch. \ No newline at end of file diff --git a/docs/administration/_index.md b/docs/administration/_index.md deleted file mode 100644 index 71c670c1a..000000000 --- a/docs/administration/_index.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Harbor Administration -weight: 10 ---- - -This section describes how to configure and maintain Harbor after deployment. These operations are performed by the Harbor system administrator. The Harbor system administrator performs global configuration operations that apply to the whole Harbor instance. - -The operations that are performed by the Harbor system administrator are the following. - -- Select database, LDAP/Active Directory, or OIDC based authentication. For information, see [Configuring Authentication](configure-authentication). -- Add users in database authentication mode and assign the system administrator role to other users. For information, see [Managing Users](managing-users). -- Configure global settings, such as configuring an email server, setting the registry to read-only mode, and restriction who can create projects. For information, see [Configure Global Settings](general-settings). -- Apply resource quotas to projects. For information, see [Configure Project Quotas](configure-project-quotas). -- Set up replication of images between Harbor and another Harbor instance or a 3rd party replication target. For information, see [Configuring Replication](configuring-replication). -- Set up vulnerability scanners to check the images in the registry for CVE vulnerabilities. For information, see [Vulnerability Scanning](vulnerability-scanning). -- Perform garbage collection, to remove unnecessary data from Harbor. For information, see [Garbage Collection](garbage-collection). -- Upgrade Harbor when a new version becomes available. For information, see [Upgrading Harbor](upgrade/upgrade-migrate-data.md). diff --git a/docs/administration/configure-authentication/_index.md b/docs/administration/configure-authentication/_index.md deleted file mode 100644 index 161b748ee..000000000 --- a/docs/administration/configure-authentication/_index.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Configuring Authentication -weight: 10 ---- - -Harbor supports different modes for authenticating users and managing user accounts. You should select an authentication mode as soon as you deploy Harbor. - -{{< important >}} -If you create user accounts in the Harbor database, Harbor is locked in database mode. You cannot change to a different authentication mode after you have created local users. -{{< /important >}} - -- [Database Authentication](db-auth.md): You create and manage user accounts directly in Harbor. The user accounts are stored in the Harbor database. -- [LDAP/Active Directory Authentication](ldap-auth.md): You connect Harbor to an external LDAP/Active Directory server. The user accounts are created and managed by your LDAP/AD provider. -- [OIDC Provider Authentication](oidc-auth.md): You connect Harbor to an external OIDC provider. The user accounts are created and managed by your OIDC provider. - -The Harbor interface offers an option to configure UAA authentication. This authentication mode is not recommended and is not documented in this guide. diff --git a/docs/administration/configure-authentication/db-auth.md b/docs/administration/configure-authentication/db-auth.md deleted file mode 100644 index eb6e4a2e1..000000000 --- a/docs/administration/configure-authentication/db-auth.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: Configure Database Authentication -weight: 15 ---- - -In database authentication mode, user accounts are stored in the local database. By default, only the Harbor system administrator can create user accounts to add users to Harbor. You can optionally configure Harbor to allow self-registration. - -{{< important >}} -If you create users in the database, Harbor is locked in database mode. You cannot change to a different authentication mode after you have created local users. -{{< /important >}} - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Under **Administration**, go to **Configuration** and select the **Authentication** tab. -1. Leave **Auth Mode** set to the default **Database** option. - - ![Database authentication](../../../img/db-auth.png) - -1. Optionally select the **Allow Self-Registration** check box. - - ![Enable self-registration](../../../img/new-self-reg.png) - - If you enable the self registration option, users can register themselves in Harbor. Self-registration is disabled by default. If you enable self-registration, unregistered users can sign up for a Harbor account by clicking **Sign up for an account** in the Harbor log in page. - - ![Enable self-registration](../../../img/self-registration-login.png) - -## What to Do Next - -For information about how to create users in database authentication mode, see [Create User Accounts in Database Mode](../managing-users/create-users-db.md). diff --git a/docs/administration/configure-authentication/ldap-auth.md b/docs/administration/configure-authentication/ldap-auth.md deleted file mode 100644 index 3ef91f5e4..000000000 --- a/docs/administration/configure-authentication/ldap-auth.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Configure LDAP/Active Directory Authentication -weight: 20 ---- - -If you select LDAP/AD authentication, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. In this case, you do not create user accounts in Harbor. - -{{< important >}} -You can change the authentication mode from database to LDAP only if no local users have been added to the database. If there is at least one user other than `admin` in the Harbor database, you cannot change the authentication mode. -{{< /important >}} - -Because the users are managed by LDAP or AD, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in LDAP/AD authentication mode. - -If you want to manage user authentication by using LDAP groups, you must enable the `memberof` feature on the LDAP/AD server. With the `memberof` feature, the LDAP/AD user entity's `memberof` attribute is updated when the group entity's `member` attribute is updated, for example by adding or removing an LDAP/AD user from the LDAP/AD group. This feature is enabled by default in Active Directory. For information about how to enable and verify `memberof` overlay in OpenLDAP, see [this technical note](https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay). - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Under **Administration**, go to **Configuration** and select the **Authentication** tab. -1. Use the **Auth Mode** drop-down menu to select **LDAP**. - - ![LDAP authentication](../../../img/select-ldap-auth.png) -1. Enter the address of your LDAP server, for example `ldaps://10.162.16.194`. -1. Enter information about your LDAP server. - - - **LDAP Search DN** and **LDAP Search Password**: When a user logs in to Harbor with their LDAP username and password, Harbor uses these values to bind to the LDAP/AD server. For example, `cn=admin,dc=example.com`. - - **LDAP Base DN**: Harbor looks up the user under the LDAP Base DN entry, including the subtree. For example, `dc=example.com`. - - **LDAP Filter**: The filter to search for LDAP/AD users. For example, `objectclass=user`. - - **LDAP UID**: An attribute, for example `uid`, or `cn`, that is used to match a user with the username. If a match is found, the user's password is verified by a bind request to the LDAP/AD server. - - **LDAP Scope**: The scope to search for LDAP/AD users. Select from **Subtree**, **Base**, and **OneLevel**. - - ![Basic LDAP configuration](../../../img/ldap-auth.png) -1. If you want to manage user authentication with LDAP groups, configure the group settings. - - **LDAP Group Base DN**: The base DN from which to lookup a group in LDAP/AD. For example, `ou=groups,dc=example,dc=com`. - - **LDAP Group Filter**: The filter to search for LDAP/AD groups. For example, `objectclass=groupOfNames`. - - **LDAP Group GID**: The attribute used to name an LDAP/AD group. For example, `cn`. - - **LDAP Group Admin DN**: All LDAP/AD users in this group DN have Harbor system administrator privileges. - - **LDAP Group Membership**: The user attribute usd to identify a user as a member of a group. By default this is `memberof`. - - **LDAP Scope**: The scope to search for LDAP/AD groups. Select from **Subtree**, **Base**, and **OneLevel**. - - ![LDAP group configuration](../../../img/ldap-groups.png) -1. Uncheck **LDAP Verify Cert** if the LDAP/AD server uses a self-signed or untrusted certificate. - - ![LDAP certificate verification](../../../img/ldap-cert-test.png) -1. Click **Test LDAP Server** to make sure that your configuration is correct. -1. Click **Save** to complete the configuration. diff --git a/docs/administration/configure-authentication/oidc-auth.md b/docs/administration/configure-authentication/oidc-auth.md deleted file mode 100644 index 95a7f630f..000000000 --- a/docs/administration/configure-authentication/oidc-auth.md +++ /dev/null @@ -1,97 +0,0 @@ ---- -title: Configure OIDC Provider Authentication -weight: 25 ---- - -If you select OpenID Connect (OIDC) authentication, users log in to the Harbor interface via an OIDC single sign-on (SSO) provider, such as Okta, KeyCloak, or dex. In this case, you do not create user accounts in Harbor. - -{{< important >}} -You can change the authentication mode from database to OIDC only if no local users have been added to the database. If there is at least one user other than `admin` in the Harbor database, you cannot change the authentication mode. -{{< /important >}} - -Because the users are managed by the OIDC provider, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in OIDC authentication mode. - -### Configure Your OIDC Provider - -You must configure your OIDC provider so that you can use it with Harbor. For precise information about how to perform these configurations, see the documentation for your OIDC provider. - -- Set up the users and groups that will use the OIDC provider to log in to Harbor. You do not need to assign any specific OIDC roles to users or groups as these do not get mapped to Harbor roles. -- The URL of the OIDC provider endpoint, known as the Authorization Server in OAuth terminology, must service the well-known URI for its configuration document. For more information about the configuration document, see the [OpenID documentation](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest). -- To manage users by using OIDC groups, create a custom group claim that contains all of the user groups that you want to register in Harbor. The group claim must be mapped in the ID token that is sent to Harbor when users log in. You can enable the `memberof` feature on the OIDC provider. With the `memberof` feature, the OIDC user entity's `memberof` attribute is updated when the group entity's `member` attribute is updated, for example by adding or removing an OIDC user from the OIDC group. -- Register Harbor as a client application with the OIDC provider. Associate Harbor's callback URI to the client application as a `redirectURI`. This is the address to which the OIDC provider sends ID tokens. - -### Configure an OIDC Provider in Harbor - -Before configuring an OIDC provider in Harbor, make sure that your provider is configured correctly according to the preceding section. - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Under **Administration**, go to **Configuration** and select the **Authentication** tab. -1. Use the **Auth Mode** drop-down menu to select **OIDC**. - - ![LDAP authentication](../../../img/select-oidc-auth.png) -1. Enter information about your OIDC provider. - - - **OIDC Provider Name**: The name of the OIDC provider. - - **OIDC Provider Endpoint**: The URL of the endpoint of the OIDC provider. - - **OIDC Client ID**: The client ID with which Harbor is registered as client application with the OIDC provider. - - **OIDC Client Secret**: The secret for the Harbor client application. - - **Group Claim Name**: The name of a custom group claim that you have configured in your OIDC provider, that includes the groups to add to Harbor. - - **OIDC Scope**: A comma-separated string listing the scopes to be used during authentication. - - The OIDC scope must contain `openid` and usually also contains `profile` and `email`. To obtain refresh tokens it should also contain `offline_access`. If you are using OIDC groups, a scope must identify the group claim. Check with your OIDC provider administrator for precise details of how to identify the group claim scope, as this differs from vendor to vendor. - - ![OIDC settings](../../../img/oidc-auth-setting.png) -1. Uncheck **Verify Certificate** if the OIDC Provider uses a self-signed or untrusted certificate. -1. Verify that the Redirect URI that you configured in your OIDC provider is the same as the one displayed at the bottom of the page. - - ![OIDC certificate verification, URI, and test ](../../../img/oidc-cert-verification.png) -1. Click **Test OIDC Server** to make sure that your configuration is correct. -1. Click **Save** to complete the configuration. - -### Log In to Harbor via an OIDC Provider - -When the Harbor system administrator has configured Harbor to authenticate via OIDC a **Login via OIDC Provider** button appears on the Harbor login page. - -![oidc_login](../../../img/oidc-login.png) - -**NOTE:** When Harbor is configured authentication via OIDC, the **Username** and **Password** fields are reserved for the local Harbor system administrator to log in. - -1. As a Harbor user, click the **Login via OIDC Provider** button. - - This redirects you to the OIDC Provider for authentication. -1. If this is the first time that you are logging in to Harbor with OIDC, specify a user name for Harbor to associate with your OIDC username. - - ![Specify Harbor username for OIDC](../../../img/oidc-onboard-dlg.png) - - This is the user name by which you are identified in Harbor, which is used when adding you to projects, assigning roles, and so on. If the username is already taken, you are prompted to choose another one. -1. After the OIDC provider has authenticated you, you are redirected back to Harbor. - -### Using OIDC from the Docker or Helm CLI - -After you have authenticated via OIDC and logged into the Harbor interface for the first time, you can use the Docker or Helm CLI to access Harbor. - -The Docker and Helm CLIs cannot handle redirection for OIDC, so Harbor provides a CLI secret for use when logging in from Docker or Helm. This is only available when Harbor uses OIDC authentication. - -1. Log in to Harbor with an OIDC user account. -1. Click your username at the top of the screen and select **User Profile**. - - ![Access user profile](../../../img/user-profile.png) -1. Click the clipboard icon to copy the CLI secret associated with your account. - - ![Copy CLI secret](../../../img/profile-dlg.png) -1. Optionally click the **...** icon in your user profile to display buttons for automatically generating or manually creating a new CLI secret. - - ![Copy CLI secret](../../../img/generate-create-new-secret.png) - - A user can only have one CLI secret, so when a new secret is generated or create, the old one becomes invalid. -1. If you generated a new CLI secret, click the clipboard icon to copy it. - -You can now use your CLI secret as the password when logging in to Harbor from the Docker or Helm CLI. - -
-docker login -u testuser -p cli_secret jt-test.local.goharbor.io
-
- -{{< note >}} -The CLI secret is associated with the OIDC ID token. Harbor will try to refresh the token, so the CLI secret will be valid after the ID token expires. However, if the OIDC Provider does not provide a refresh token or the refresh fails, the CLI secret becomes invalid. In this case, log out and log back in to Harbor via your OIDC provider so that Harbor can get a new ID token. The CLI secret will then work again. -{{< /note >}} diff --git a/docs/administration/configure-project-quotas/_index.md b/docs/administration/configure-project-quotas/_index.md deleted file mode 100644 index 5d9853072..000000000 --- a/docs/administration/configure-project-quotas/_index.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -title: Configure Project Quotas -weight: 25 ---- - -To exercise control over resource use, as a Harbor system administrator you can set quotas on projects. You can limit the amount of storage capacity that a project can consume. You can set default quotas that apply to all projects globally. - -{{< note >}} -Default quotas apply to projects that are created after you set or change the default quota. The default quota is not applied to projects that already existed before you set it. -{{< /note >}} - -You can also set quotas on individual projects. If you set a global default quota and you set different quotas on individual projects, the per-project quotas are applied. - -By default, all projects have unlimited quotas for storage use. - -1. Select the **Project Quotas** view. - - ![Project quotas](../../img/project-quota1.png) -1. To set global default quotas on all projects, click **Edit**. - - ![Project quotas](../../img/project-quota2.png) - - 1. For **Default storage consumption**, enter the maximum quantity of storage that any project can consume, selecting `MB`, `GB`, or `TB` from the drop-down menu, or enter `-1` to set the default to unlimited. - ![Project quotas](../../img/project-quota3.png) - - 1. Click **OK**. -1. To set quotas on an individual project, select the project and then click **Edit**. - ![Project quotas](../../img/project-quota4.png) - 1. For **Default storage consumption**, enter the maximum quantity of storage that this individual project can consume, selecting `MB`, `GB`, or `TB` from the drop-down menu. - -After you set quotas, you can see how much of their quotas each project has consumed. - -![Project quotas](../../img/project-quota5.png) - -### How Harbor Calculates Resource Usage - -When setting project quotas, it is useful to know how Harbor calculates storage use, especially in relation to image pushing, retagging, and garbage collection. - -- Harbor computes image size when blobs and manifests are pushed from the Docker client. - - {{< note >}} - When users push an image, the manifest is pushed last, after all of the associated blobs have been pushed successfully to the registry. If several images are pushed concurrently and if there is an insufficient number of tags left in the quota for all of them, images are accepted in the order that their manifests arrive. Consequently, an attempt to push an image might not be immediately rejected for exceeding the quota. This is because there was availability in the tag quota when the push was initiated, but by the time the manifest arrived the quota had been exhausted. - {{< /note >}} -- Shared blobs are only computed once per project. In Docker, blob sharing is defined globally. In Harbor, blob sharing is defined at the project level. As a consequence, overall storage usage can be greater than the actual disk capacity. -- Retagging images reserves and releases resources: - - If you retag an image within a project, the storage usage does not change because there are no new blobs or manifests. - - If you retag an image from one project to another, the storage usage will increase. -- During garbage collection, Harbor frees the storage used by untagged blobs in the project. -- Helm chart size is not calculated. diff --git a/docs/administration/configuring-replication/_index.md b/docs/administration/configuring-replication/_index.md deleted file mode 100644 index 6b849a827..000000000 --- a/docs/administration/configuring-replication/_index.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Configuring Replication -weight: 30 ---- - -Replication allows users to replicate resources, namely images and charts, between Harbor and non-Harbor registries, in both pull or push mode. - -When the Harbor system administrator has set a replication rule, all resources that match the defined filter patterns are replicated to the destination registry when the triggering condition is met. Each resource that is replicated starts a replication task. If the namespace does not exist in the destination registry, a new namespace is created automatically. If it already exists and the user account that is configured in the replication policy does not have write privileges in it, the process fails. Member information is not replicated. - -There might be some delay during replication based on the condition of the network. If a replication task fails, it is re-scheduled for a few minutes later and retried several times. - -{{< note >}} -Due to API changes, replication between different versions of Harbor is not supported. -{{< /note >}} \ No newline at end of file diff --git a/docs/administration/configuring-replication/create-replication-endpoints.md b/docs/administration/configuring-replication/create-replication-endpoints.md deleted file mode 100644 index 7ba2d9e1e..000000000 --- a/docs/administration/configuring-replication/create-replication-endpoints.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Creating Replication Endpoints -weight: 20 ---- - -To replicate image repositories from one instance of Harbor to another Harbor or non-Harbor registry, you first create replication endpoints. - -1. Go to **Registries** and click the **+ New Endpoint** button. - - ![New replication endpoint](../../../img/replication-endpoint1.png) - -1. For **Provider**, use the drop-down menu to select the type of registry to set up as a replication endpoint. - - The endpoint can be another Harbor instance, or a non-Harbor registry. Currently, the following non-Harbor registries are supported: - - - Docker Hub - - Docker registry - - AWS Elastic Container Registry - - Azure Container Registry - - Ali Cloud Container Registry - - Google Container Registry - - Huawei SWR - - Helm Hub - - Gitlab - - Quay.io - - Jfrog Artifactory - - ![Replication providers](../../../img/replication-endpoint2.png) - -1. Enter a suitable name and description for the new replication endpoint. -1. Enter the full URL of the registry to set up as a replication endpoint. - - For example, to replicate to another Harbor instance, enter https://harbor_instance_address:443. The registry must exist and be running before you create the endpoint. - -1. Enter the Access ID and Access Secret for the endpoint registry instance. - - Use an account that has the appropriate privileges on that registry, or an account that has write permission on the corresponding project in a Harbor registry. - - {{< note >}} - - AWS ECR adapters should use access keys, not a username and password. The access key should have sufficient permissions, such as storage permission. - - Google GCR adapters should use the entire JSON key generated in the service account. The namespace should start with the project ID. - {{< /note >}} - -1. Optionally, select the **Verify Remote Cert** check box. - - Deselect the check box if the remote registry uses a self-signed or untrusted certificate. - -1. Click **Test Connection**. -1. When you have successfully tested the connection, click **OK**. - -## Managing Registries - -You can list, add, edit and delete registries under **Administration** -> **Registries**. Only registries which are not referenced by any rules can be deleted. - -![browse project](../../../img/manage-registry.png) - -## What to Do Next - -After you configure replication endpoints, see [Creating a Replication Rule](create-replication-rules.md). diff --git a/docs/administration/configuring-replication/create-replication-rules.md b/docs/administration/configuring-replication/create-replication-rules.md deleted file mode 100644 index 8d3d2b7b0..000000000 --- a/docs/administration/configuring-replication/create-replication-rules.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Creating a Replication Rule -weight: 25 ---- - -A replication endpoint must exist before you create a replication rule. To create an endpoint, follow the instructions in [Creating Replication Endpoints](create-replication-endpoints.md). - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Expand **Administration**, and select **Replications**. - - ![Add a replication rule](../../../img/replication-rule1.png) -1. Click **New Replication Rule**. -1. Provide a name and description for the replication rule. -1. Select **Push-based** or **Pull-based** replication, depending on whether you want to replicate artifacts to or from the remote registry. - - ![Replication mode](../../../img/replication-rule2.png) -1. For **Source resource filter**, identify the artifacts to replicate. - - ![Replication filters](../../../img/replication-rule3.png) - - * **Name**: Replicate resources with a given name by entering an artifact name or fragment. - * **Tag**: Replicate resources with a given tag by entering a tag name or fragment. - * **Label**: Replicate resources with a given label by using the drop-down menu to select from the available labels. - * **Resource**: Replicate artifacts, charts, or both. - - The name filter and tag filters support the following patterns: - - * **\***: Matches any sequence of non-separator characters `/`. - * **\*\***: Matches any sequence of characters, including path separators `/`. Note that the doublestar must appear as a path component by itself. A pattern such as /path\*\* is invalid and will be treated the same as /path*, but /path\*/\*\* should achieve the desired result. - * **?**: Matches any single non-separator character `/`. - * **{alt1,...}**: Matches a sequence of characters if one of the comma-separated alternatives matches. - - **NOTE:** You must add `library` if you want to replicate the official artifacts of Docker Hub. For example, `library/hello-world` matches the official hello-world artifacts. - - Pattern | String(Match or not) - ---------- | ------- - `library/*` | `library/hello-world`(Y)
`library/my/hello-world`(N) - `library/**` | `library/hello-world`(Y)
`library/my/hello-world`(Y) - `{library,goharbor}/**` | `library/hello-world`(Y)
`goharbor/harbor-core`(Y)
`google/hello-world`(N) - `1.?` | `1.0`(Y)
`1.01`(N) -1. Use the **Destination Registry** drop-down menu to select from the configured replication endpoints. -1. Enter the name of the namespace in which to replicate resources in the **Destination namespace** text box. - - If you do not enter a namespace, resources are placed in the same namespace as in the source registry. - - ![Destination and namespaces](../../../img/replication-rule4.png) - - **NOTE:** Because of major API changes in the v2.0 release to support [OCI](https://github.com/opencontainers/distribution-spec). - You **can not** replicate from harbor 1.x to 2.0, and you **can not** replicate artifacts with **manifest list** from 2.0 to 1.x. - -1. Use the Trigger Mode drop-down menu to select how and when to run the rule. - * **Manual**: Replicate the resources manually when needed. **Note**: Deletion operations are not replicated. - * **Scheduled**: Replicate the resources periodically by defining a cron job. **Note**: Deletion operations are not replicated. - * **Event Based**: When a new resource is pushed to the project, or an artifact is retagged, it is replicated to the remote registry immediately. If you select the **Delete remote resources when locally deleted**, if you delete an artifact, it is automatically deleted from the replication target. - - {{< note >}} - You can filter artifacts for replication based on the labels that are applied to the artifacts. However, changing a label on an artifact does not trigger replication. Event-based replication is limited to pushing, retagging, and deleting artifacts. - {{< /note >}} - - ![Trigger mode](../../../img/replication-rule5.png) - -1. Optionally select the Override checkbox to force replicated resources to replace resources at the destination with the same name. -1. Click **Save** to create the replication rule. - -## What to Do Next - -After you create a replication rule, see [Running Replication Manually](manage-replications.md). diff --git a/docs/administration/configuring-replication/manage-replications.md b/docs/administration/configuring-replication/manage-replications.md deleted file mode 100644 index 26ccd59a0..000000000 --- a/docs/administration/configuring-replication/manage-replications.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Running Replication Manually -weight: 30 ---- - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Expand **Administration**, and select **Replications**. -1. Select a replication rule and click **Replicate**. - - ![Add a replication rule](../../../img/replication-rule6.png) - - The resources to which the rule is applied start to replicate from the source registry to the destination immediately. -1. Click the rule to see its execution status. -1. Click the **ID** of the execution to see the details of the replication and the task list. The count of `IN PROGRESS` status in the summary includes both `Pending` and `In Progress` tasks. -1. Optionally click **STOP** to stop the replication. -1. Click the log icon to see detailed information about the replication task. - - ![View replication task](../../../img/list-tasks.png) - -To edit or delete a replication rule, select the replication rule in the **Replications** view and click **Edit** or **Delete**. Only rules which have no executions in progress can be edited deleted. - -![Delete or edit rule](../../../img/replication-rule6.png) diff --git a/docs/administration/garbage-collection/_index.md b/docs/administration/garbage-collection/_index.md deleted file mode 100644 index d8d796ab4..000000000 --- a/docs/administration/garbage-collection/_index.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Garbage Collection -weight: 40 ---- - -When you delete images from Harbor, space is not automatically freed up. You must run garbage collection to free up space by removing blobs that are no longer referenced by a manifest from the file system. - -## Run Garbage Collection - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Expand **Administration**, and select **Garbage Collection**. -1. Select the **'Garbage Collection'** tab. - - ![Garbage collection](../../img/garbage-collection.png) - -1. To delete untagged artifacts, select the check box **Delete Untagged Artifacts**. -1. To run garbage collection immediately, click **GC Now**. - -When you run garbage collection, Harbor goes into read-only mode. All modifications to the registry are prohibited. - -To avoid triggering the garbage collection process too frequently, the availability of the **GC Now** button is restricted. Garbage collection can be only run once per minute. - -## Schedule Garbage Collection - -1. Expand **Administration**, and select **Garbage Collection**. -1. Select the **'Garbage Collection'** tab. -1. Use the drop down-menu to select how often to run garbage collection. - - ![Schedule garbage collection](../../img/gc-policy.png) - - * **None**: No garbage collection is scheduled. - * **Hourly**: Run garbage collection at the beginning of every hour. - * **Daily**: Run garbage collection at midnight every day. - * **Weekly**: Run garbage collection at midnight every Saturday. - * **Custom**: Run garbage collection according to a `cron` job. - -1. To delete untagged artifacts, select the check box **Delete Untagged Artifacts**. -1. Click **Save**. -1. Select the **History** tab to view records of the 10 most recent garbage collection runs. - - ![Garbage collection history](../../img/gc-history.png) - -1. Click on the **Logs** link to view the related logs. diff --git a/docs/administration/general-settings/_index.md b/docs/administration/general-settings/_index.md deleted file mode 100644 index a54de4f67..000000000 --- a/docs/administration/general-settings/_index.md +++ /dev/null @@ -1,35 +0,0 @@ ---- -title: Configure Global Settings -weight: 20 ---- - -You can configure Harbor to connect to an email server, set the registry in read-only mode, and configure Harbor so that only system administrators can create projects. - -## Configure an Email Server - -You can configure Harbor to connect to an email server. The email server is only used to send out responses to users who request to reset their password. - -![browse project](../../img/new-config-email.png) - -## Make the Registry Read Only - -You can set Harbor to read-only mode. In read-only mode, Harbor allows `docker pull` but prevents `docker push` and the deletion of repositories and tags. - -![Read-only mode](../../img/read-only.png) - -If it set to true, deleting repositories, tags and pushing images are not permitted. - -![browse project](../../img/read-only-enable.png) - -```sh -docker push 10.117.169.182/demo/ubuntu:14.04 -The push refers to a repository [10.117.169.182/demo/ubuntu] -0271b8eebde3: Preparing -denied: The system is in read only mode. Any modification is prohibited. -``` - -## Set Who Can Create Projects - -Use the **Project Creation** drop-down menu to set which users can create projects. Select **Everyone** to allow all users to create projects. Select **Admin Only** to allow only users with the Harbor system administrator role to create projects. - -![browse project](../../img/new-proj-create.png) diff --git a/docs/administration/managing-users/_index.md b/docs/administration/managing-users/_index.md deleted file mode 100644 index 76815c204..000000000 --- a/docs/administration/managing-users/_index.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Managing Users -weight: 15 ---- - -Harbor manages images through projects. You provide access to these images to users by including the users in projects and assigning one of the following roles to them. - -![RBAC](../../img/rbac.png) - -* **Limited Guest**: A Limited Guest does not have full read privileges for a project. They can pull images but cannot push, and they cannot see logs or the other members of a project. For example, you can create limited guests for users from different organizations who share access to a project. -* **Guest**: Guest has read-only privilege for a specified project. They can pull and retag images, but cannot push. -* **Developer**: Developer has read and write privileges for a project. -* **Master**: Master has elevated permissions beyond those of 'Developer' including the ability to scan images, view replications jobs, and delete images and helm charts. -* **ProjectAdmin**: When creating a new project, you will be assigned the "ProjectAdmin" role to the project. Besides read-write privileges, the "ProjectAdmin" also has some management privileges, such as adding and removing members, starting a vulnerability scan. - -Besides the above roles, there are two system-level roles: - -* **Harbor system administrator**: "Harbor system administrator" has the most privileges. In addition to the privileges mentioned above, "Harbor system administrator" can also list all projects, set an ordinary user as administrator, delete users and set vulnerability scan policy for all images. The public project "library" is also owned by the administrator. -* **Anonymous**: When a user is not logged in, the user is considered as an "Anonymous" user. An anonymous user has no access to private projects and has read-only access to public projects. - -For full details of the permissions of the different roles, see [User Permissions By Role](user-permissions-by-role.md). - -If you run Harbor in database authentication mode, you create user accounts directly in the Harbor interface. For information about how to create local user accounts, see [Create User Accounts in Database Mode](create-users-db.md). - -If you run Harbor in LDAP/AD or OIDC authentication mode, you create and manage user accounts in your LDAP/AD or OIDC provider. Harbor obtains the users from the LDAP/AD or OIDC server and displays them in the **Users** tab of the Harbor interface. - -## Assigning the Harbor System Administrator Role - -Harbor system administrators can assign the Harbor system administrator role to other users by selecting usernames and clicking **Set as Administrator** in the **Users** tab. - -![browse project](../../img/new-set-admin-remove-user.png) - -To delete users, select a user and click `DELETE`. Deleting users is only supported under database authentication mode. diff --git a/docs/administration/managing-users/create-users-db.md b/docs/administration/managing-users/create-users-db.md deleted file mode 100644 index 8aadb0056..000000000 --- a/docs/administration/managing-users/create-users-db.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Create User Accounts in Database Mode -weight: 25 ---- - -In database authentication mode, the Harbor system administrator creates user accounts manually. - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Under **Administration**, go to **Users**. - - ![Create user account](../../../img/create-user.png) -1. Click **New User**. -1. Enter information about the new user. - - ![Provide user information](../../../img/new-user.png) - - - The username must be unique in the Harbor system - - The email address is used for password recovery - - The password must contain at least 8 characters with 1 lowercase letter, 1 uppercase letter and 1 numeric character - -If users forget their password, there is a **Forgot Password** in the Harbor log in page. To use this feature, you must [configure an email server](../general-settings/_index.md). diff --git a/docs/administration/managing-users/user-permissions-by-role.md b/docs/administration/managing-users/user-permissions-by-role.md deleted file mode 100644 index c2201d808..000000000 --- a/docs/administration/managing-users/user-permissions-by-role.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: User Permissions By Role -weight: 20 ---- - -Users have different abilities depending on the role they in a project. - -On public projects all users will be able to see the list of repositories, images, image vulnerabilities, helm charts and helm chart versions, pull images, retag images (need push permission for destination image), download helm charts, download helm chart versions. - -System admin have all permissions for the project. - -## Project members permissions - -The following table depicts the various user permission levels in a project. - -| Action | Limited Guest | Guest | Developer | Master | Project Admin | -| --------------------------------------- | ------------- | ----- | --------- | ------ | ------------- | -| See the project configurations | ✓ | ✓ | ✓ | ✓ | ✓ | -| Edit the project configurations | | | | | ✓ | -| See a list of project members | | ✓ | ✓ | ✓ | ✓ | -| Create/edit/delete project members | | | | | ✓ | -| See a list of project logs | | ✓ | ✓ | ✓ | ✓ | -| See a list of project replications | | | | ✓ | ✓ | -| See a list of project replication jobs | | | | | ✓ | -| See a list of project labels | | | | ✓ | ✓ | -| Create/edit/delete project labels | | | | ✓ | ✓ | -| See a list of repositories | ✓ | ✓ | ✓ | ✓ | ✓ | -| Create repositories | | | ✓ | ✓ | ✓ | -| Edit/delete repositories | | | | ✓ | ✓ | -| See a list of images | ✓ | ✓ | ✓ | ✓ | ✓ | -| Retag image | | ✓ | ✓ | ✓ | ✓ | -| Pull image | ✓ | ✓ | ✓ | ✓ | ✓ | -| Push image | | | ✓ | ✓ | ✓ | -| Scan/delete image | | | | ✓ | ✓ | -| Add scanners to Harbor | | | | | | -| Edit scanners in projects | | | | | ✓ | -| See a list of image vulnerabilities | ✓ | ✓ | ✓ | ✓ | ✓ | -| See image build history | ✓ | ✓ | ✓ | ✓ | ✓ | -| Add/Remove labels of image | | | ✓ | ✓ | ✓ | -| See a list of helm charts | ✓ | ✓ | ✓ | ✓ | ✓ | -| Download helm charts | ✓ | ✓ | ✓ | ✓ | ✓ | -| Upload helm charts | | | ✓ | ✓ | ✓ | -| Delete helm charts | | | | ✓ | ✓ | -| See a list of helm chart versions | ✓ | ✓ | ✓ | ✓ | ✓ | -| Download helm chart versions | ✓ | ✓ | ✓ | ✓ | ✓ | -| Upload helm chart versions | | | ✓ | ✓ | ✓ | -| Delete helm chart versions | | | | ✓ | ✓ | -| Add/Remove labels of helm chart version | | | ✓ | ✓ | ✓ | -| See a list of project robots | | | | ✓ | ✓ | -| Create/edit/delete project robots | | | | | ✓ | -| See configured CVE allowlist | ✓ | ✓ | ✓ | ✓ | ✓ | -| Create/edit/remove CVE allowlist | | | | | ✓ | -| View webhook events | | | | ✓ | ✓ | -| Add new webhook events | | | | | ✓ | -| Enable/disable webhooks | | | | | ✓ | -| Create/delete tag retention rules | | | ✓ | ✓ | ✓ | -| Enable/disable tag retention rules | | | ✓ | ✓ | ✓ | -| Create/delete tag immutability rules | | | | | ✓ | -| Enable/disable tag immutability rules | | | | | ✓ | -| See project quotas | ✓ | ✓ | ✓ | ✓ | ✓ | -| Edit project quotas * | | | | | | - -* Only the Harbor system administrator can edit project quotas and add new scanners. diff --git a/docs/administration/upgrade/_index.md b/docs/administration/upgrade/_index.md deleted file mode 100644 index 5e01af27a..000000000 --- a/docs/administration/upgrade/_index.md +++ /dev/null @@ -1,70 +0,0 @@ ---- -title: Upgrade Harbor and Migrate Data -weight: 45 ---- - -This guide covers upgrade and migration to version 2.0.0. This guide only covers migration from v1.9.x and later to the current version. If you are upgrading from an earlier version, refer to the migration guide in the `release-1.9.0` branch to upgrade to v1.9.x first, then follow this guide to perform the migration to this version. - -If you are upgrading a Harbor instance that you deployed with Helm, see [Upgrading Harbor Deployed with Helm](helm-upgrade.md). - -When upgrading an existing Harbor instance to a newer version, you might need to migrate the settings in `harbor.yml`. -Since the migration might alter the database schema and the settings of `harbor.yml`, you should **always** back up your data before any migration. - -## Notes - -- Again, you must back up your data before any data migration. -- In version 1.9.0, some containers are started by `non-root`. This does not pose problems if you are upgrading an officially released version of Harbor, but if you have deployed a customized instance of Harbor, you might encounter permission issues. -- In previous releases, user roles took precedence over group roles in a project. In this version, user roles and group roles are combined so that the user has whichever set of permissions is highest. This might cause the roles of certain users to change during upgrade. -- With the introduction of storage and artifact quotas in version 1.9.0, migration from 1.8.x might take a few minutes. This is because the `core` walks through all blobs in the registry and populates the database with information about the layers and artifacts in projects. -- With the introduction of storage and artifact quotas in version 1.9.0, replication between version 1.9.0 and a previous version of Harbor does not work. You must upgrade all Harbor nodes to 1.9.0 if you have configured replication between them. - -## Upgrading Harbor and Migrating Data - -1. Log in to the Harbor host and, if it is still running, stop and remove the existing Harbor instance. - - ```sh - cd harbor - docker-compose down - ``` - -1. Back up Harbor's current files so that you can roll back to the current version if necessary. - - ```sh - mv harbor /my_backup_dir/harbor - ``` - -1. Back up the database, which by default is in the directory `/data/database`. - - ```sh - cp -r /data/database /my_backup_dir/ - ``` - -1. Get the latest Harbor release package from [https://github.com/goharbor/harbor/releases](https://github.com/goharbor/harbor/releases). -1. Before upgrading Harbor, perform migration. - - The migration tool is in harbor-prepare tools delivered as a docker image. You can pull the image from docker hub. in the following command: - - ```sh - docker pull goharbor/prepare:[tag] - ``` - - Alternatively, if you are using an offline installer package, you can load it from the image tarball that is included in the offline installer package. Replace [tag] with the new Harbor version, for example v1.10.0, in the following command: - - ```sh - tar zxf - docker image load -i harbor/harbor.[version].tar.gz - ``` - -1. Copy the `harbor.yml.tmp` to `harbor.yml` and upgrade it. - - ```sh - docker run -it --rm -v /:/hostfs goharbor/prepare:[tag] migrate -i ${path to harbor.yml} - ``` - - **NOTE:** The schema upgrade and data migration of the database is performed by core when Harbor starts. If the migration fails, check the core log to debug. - -3. In the `./harbor` directory, run the `./install.sh` script to install the new Harbor instance. - - To install Harbor with components such as Notary, Clair, and chartmuseum, see [Run the Installer Script](../../install-config/run-installer-script.md) for more information. - -If you need to roll back to the previous version of Harbor, see [Roll Back from an Upgrade](roll-back-upgrade.md). diff --git a/docs/administration/upgrade/helm-upgrade.md b/docs/administration/upgrade/helm-upgrade.md deleted file mode 100644 index 5f36eb035..000000000 --- a/docs/administration/upgrade/helm-upgrade.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Upgrading Harbor Deployed with Helm -weight: 40 ---- - -This guide is used to upgrade Harbor deployed by chart since version 0.3.0. - -## Notes - -- As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid -- The database schema cannot be downgraded automatically, so the `helm rollback` is not supported - -## Upgrade - -### 1. Backup database - -Backup the database used by Harbor in case the upgrade process fails. - -### 2. Download new chart - -Download the latest version of Harbor chart. - -### 3. Configure new chart - -Configure the new chart to make sure that the configuration items have the same values with the old one. - -> Note: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate: - -1. Get the secret name which certificate is stored in: - - ```bash - kubectl get secret - ``` - - Find the secret whose name ends with `-harbor-ingress` (expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`) - -2. Export the secret as yaml file: - - - ```bash - kubectl get secret -o yaml > secret.yaml - ``` - -3. Rename the secret by setting `metadata.name` in `secret.yaml` - -4. Create a new secret: - - ```bash - kubectl create -f secret.yaml - ``` - -5. Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step **3** - -### 4. Upgrade - -Run upgrade command: - -```bash -helm upgrade release-name --force . -``` - -{{< note >}} -The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30). -{{< /note >}} - -## Known issues - -- The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0. diff --git a/docs/administration/upgrade/roll-back-upgrade.md b/docs/administration/upgrade/roll-back-upgrade.md deleted file mode 100644 index c84c3d7ad..000000000 --- a/docs/administration/upgrade/roll-back-upgrade.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Roll Back from an Upgrade -weight: 45 ---- - -If, for any reason, you need to roll back to the previous version of Harbor, perform the following steps. - -{{< note >}} -To roll back from an upgrade, you must have backed up the previous version of Harbor. For information about backing up Harbor before an upgrade, see [Upgrade Harbor and Migrate Data](_index.md). -{{< /note >}} - -1. Stop and remove the current Harbor service if it is still running. - - ```sh - cd harbor - docker-compose down - ``` - -2. Remove current Harbor instance. - - ```sh - rm -rf harbor - ``` - -3. Restore the older version of Harbor. - - ```sh - mv /my_backup_dir/harbor harbor - ``` - -4. To restore the database, copy the data files from the backup directory to your data volume, which by default is `/data/database`. - -5. Restart the Harbor service using the previous configuration. - - If the previous version of Harbor was installed by a release build: - - ```sh - cd harbor - ./install.sh - ``` - -{{< note >}} -While you can roll back an upgrade to the state before you started the upgrade, Harbor does not support downgrades. -{{< /note >}} diff --git a/docs/administration/upgrade/upgrade-test.md b/docs/administration/upgrade/upgrade-test.md deleted file mode 100644 index 6079d9b3c..000000000 --- a/docs/administration/upgrade/upgrade-test.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Test Harbor Upgrade -weight: 50 ---- - -## Prepare data -1. Add user usera userb userc userd usere, set usera userb as system admin. -2. Create project projecta projectc as private, create projectb as public. -3. Add usera as projecta's admin, userc as developer, and userd as guest. Do the same to projectb and projectc. -4. Login harbor as usera, push an unsigned image into projecta, then push a signed image to projecta. -5. Login harbor as userc, push an unsigned image into projecta, then push a signed image to projeca. -6. Login harbor as userd, push each image one time. -7. Repeat 4 5 6 to projectb and projectc. -8. Add one endpoint to harbor. -9. Add an immediate replication rule to projeca, a schedule rule to projectb, a manual rule to projectc, trigger each rule one time. -10. Add 5 system label syslabel1 to syslabel5 and tag syslabel1 and syslabel2 to all unsigned image. -11. In each project add 5 project label projlabela to projlabele, add projlabela projlabelb and projlabelc to signed image. -12. Trigger one scan all job to scan all images.(For clair enabled instance) -13. Update project publicly, content trust, severity and scanning settings. -14. Update Harbor email, token expire read only and scan settings. -15. Update repository info. -**NOTE**: Create user step is not needed if auth mode is LDAP. - -# Upgrade - -## Follow the upgrade guide -1. Run db migrator image to backup database. -2. Run db migrator image to migrate database. -3. Install new version harbor. - -# After upgrade - -1. Confirm users are exist and available(No need for VIC and LDAP Mode). -2. Confirm users have the correct role. -3. Confirm labels are existing and labeled correct.(No need for VIC) -4. Confirm notary signature correct. -5. Confirm endpoint exist. -6. Confirm replication rule exist and works well. -7. Confirm project level settings(publicly, content trust, scan) same as before. -8. Confirm system level settings(email token expire scan) same as before. -9. Confirm scan result the same as before upgrade. -10. Confirm access log the same as before upgrade. -11. Confirm repository info the same as before. -12. Confirm other image metadata(e.g. author, size) the same as before. \ No newline at end of file diff --git a/docs/administration/vulnerability-scanning/_index.md b/docs/administration/vulnerability-scanning/_index.md deleted file mode 100644 index a3c4ff5c2..000000000 --- a/docs/administration/vulnerability-scanning/_index.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Vulnerability Scanning -weight: 35 ---- - -Harbor provides static analysis of vulnerabilities in images through the open source projects [Trivy](https://github.com/aquasecurity/trivy) and [Clair](https://github.com/coreos/clair). To be able to use Trivy, Clair or both you must have enabled Trivy, Clair or both when you installed your Harbor instance (by appending installation options `--with-trivy`, `--with-clair` or both). - -{{< important >}} -Currently, Harbor supports only one system default scanner. The following principles will be applied to determine the system default scanner among the default installed scanners. - -For a brand new installation: - -If no scanner is installed, no system default scanner will be set then; - -If only one scanner (either Trivy or Clair) is installed, the installed one will become the system default scanner automatically; - -If both Trivy and Clair are installed, Trivy will be the system default scanner then. - -For upgrades: - -If the upgrading path is from the version that is >=V1.10 to current version (V2.0) and there was an existing system default scanner “ABC” is set in the previous version, that scanner "ABC" will be kept as system default scanner; - -Otherwise, Harbor will do the similar operation to the above brand new installation case. -{{< /important >}} - -You can also connect Harbor to your own instance of Trivy/Clair or to other additional vulnerability scanners through Harbor's embedded interrogation service. These scanners can be configured in the Harbor UI at any time after installation. For the list of additional scanners that are currently supported, see the [Harbor Compatibility List](../../install-config/harbor-compatibility-list.md#scanner-adapters). - -It might be necessary to connect Harbor to other scanners for corporate compliance reasons, or because your organization already uses a particular scanner. Different scanners also use different vulnerability databases, capture different CVE sets, and apply different severity thresholds. By connecting Harbor to more than one vulnerability scanner, you broaden the scope of your protection against vulnerabilities. - -For information about installing Harbor with Clair, see the [Run the Installer Script](../../install-config/run-installer-script.md). - -You can manually initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to automatically scan all of the images at specific intervals. diff --git a/docs/administration/vulnerability-scanning/configure-system-allowlist.md b/docs/administration/vulnerability-scanning/configure-system-allowlist.md deleted file mode 100644 index 03a97b26b..000000000 --- a/docs/administration/vulnerability-scanning/configure-system-allowlist.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: Configure System-Wide CVE Allowlists -weight: 50 ---- - -When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. As a Harbor system administrator, you can create allowlists of CVEs to ignore during vulnerability scanning. - -You can set a system-wide CVE allowlist or you can set CVE allowlists on a per-project basis. For information about per-project CVE allowlists, see [Configure a Per-Project CVE Allowlist](../../working-with-projects/project-configuration/configure-project-allowlist.md). - -System-wide CVE allowlists apply to all of the projects in a Harbor instance. - -1. Go to **Configuration** > **System Settings**. -1. Under **Deployment security**, click **Add**. - ![System-wide CVE allowlist](../../../img/cve-allowlist1.png) -1. Enter the list of CVE IDs to ignore during vulnerability scanning. - ![Add system CVE allowlist](../../../img/cve-allowlist2.png) - - Either use a comma-separated list or newlines to add multiple CVE IDs to the list. -1. Click **Add** at the bottom of the window to add the list. -1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist. - ![Add system CVEs](../../../img/cve-allowlist3.png) -1. Click **Save** at the bottom of the page to save your settings. - -After you have created a system allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** to add more CVE IDs to the system allowlist. - -![Add and remove system CVEs](../../../img/cve-allowlist4.png) diff --git a/docs/administration/vulnerability-scanning/deployment-security.md b/docs/administration/vulnerability-scanning/deployment-security.md deleted file mode 100644 index 70322a4b1..000000000 --- a/docs/administration/vulnerability-scanning/deployment-security.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: Deployment security -weight: 31 ---- - -Starting in version 2.0, Harbor has added capabilities to check for supported artifact types in the pluggable scanners. It will use the **consumes_mime_types** metadata of the scanner to decide whether a requested artifact is supported by this scanner. For example, helm charts cannot be scanned for vulnerabilities by any of the supported scanners like Clair or Aqua Trivy. - -Harbor v2.0 now supports OCI image index, which is a higher-level manifest which points to specific image manifests, ideal for one or more platform. Scanning for OCI image index is also supported, with the scan result of the index being an aggregation of the scan results of the artifacts referenced within. - -Harbor has ‘deployment security’ which can prevent artifacts from being pulled if vulnerabilities are discovered. For pulling indexes, ‘deployment security’ will skip this policy checking for the index artifact itself and will only apply policy checking on the referenced artifacts and at the individual artifact level and not on the index as a whole. This means when pulling Redis for ARM for example, it only checks to see if whether Redis for ARM has vulnerabilities and not impacted by whether amd64 has CVEs. This applies to CNABs as well. \ No newline at end of file diff --git a/docs/administration/vulnerability-scanning/import-vulnerability-data.md b/docs/administration/vulnerability-scanning/import-vulnerability-data.md deleted file mode 100644 index 370f5a00e..000000000 --- a/docs/administration/vulnerability-scanning/import-vulnerability-data.md +++ /dev/null @@ -1,65 +0,0 @@ ---- -title: Import Vulnerability Data to an Offline Harbor instance -weight: 45 ---- - -If Harbor is installed in an environment without an internet connection, Clair cannot fetch data from the public vulnerability database. In this case, the Harbor administrator must update the Clair database manually. - -## Preparation - -- You have an instance of Clair that has an internet connection. If you have another instance of Harbor that has internet access, this also works. -- Check whether your Clair instance has already updated its vulnerability database to the latest version. - - 1. Use `docker ps` to find out the container ID of the Clair service. - 1. Run `docker logs ` to check the log of the Clair container. If you are using Harbor you can find the latest Clair logs under `/var/log/harbor/2017-xx-xx/clair.log`. - 1. Look for logs that look like the following: - - ``` - Jul 3 20:40:45 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:45.890364","updater name":"rhel"} - Jul 3 20:40:46 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:46.768924","updater name":"alpine"} - Jul 3 20:40:47 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:47.190982","updater name":"oracle"} - Jul 3 20:41:07 172.18.0.1 clair[3516]: {"Event":"Debian buster is not mapped to any version number (eg. Jessie-\u003e8). Please update me.","Level":"warning","Location":"debian.go:128","Time":"2017-07-04 03:41:07.833720"} - Jul 3 20:41:07 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:41:07.833975","updater name":"debian"} - Jul 4 00:26:17 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 07:26:17.596986","updater name":"ubuntu"} - Jul 4 00:26:18 172.18.0.1 clair[3516]: {"Event":"adding metadata to vulnerabilities","Level":"info","Location":"updater.go:253","Time":"2017-07-04 07:26:18.060810"} - Jul 4 00:38:05 172.18.0.1 clair[3516]: {"Event":"update finished","Level":"info","Location":"updater.go:198","Time":"2017-07-04 07:38:05.251580"} - ``` -The phrase `finished fetching` indicates that Clair has finished a round of vulnerability updates from an endpoint. Make sure all of the `rhel`, `alpine`, `oracle`, `debian`, and `ubuntu` endpoints are updated correctly. If they have not, wait for Clair to get the data. - -## Dump Vulnerability Data - -1. Log in to the host, that is connected to Internet, on which the Postgres Clair database is running. -1. Dump Clair's vulnerability database by running the following commands. - - {{< note >}} - The container name `clair-db` is a placeholder for the database container used by the internet-connected instance of Clair. - {{< /note >}} - - ```shell - $ docker exec clair-db /bin/sh -c "pg_dump -U postgres -a -t feature -t keyvalue -t namespace -t schema_migrations -t vulnerability -t vulnerability_fixedin_feature" > vulnerability.sql - $ docker exec clair-db /bin/sh -c "pg_dump -U postgres -c -s" > clear.sql - ``` - -The files `vulnerability.sql` and `clear.sql` are generated. - -## Back Up the Harbor Clair Database - -Before importing the data, it is strongly recommended to back up the Clair database in Harbor. - -```shell -docker exec harbor-db /bin/sh -c "pg_dump -U postgres -c" > all.sql -``` - -## Update the Harbor Clair Database - -1. Copy the `vulnerability.sql` and `clear.sql` files to the host on which Harbor is running. -1. Run the following commands to import the data to the Harbor Clair database: - - ```shell - docker exec -i harbor-db psql -U postgres < clear.sql - docker exec -i harbor-db psql -U postgres < vulnerability.sql - ``` - -## Rescan the Images - -After importing the data, trigger the scanning process in the Harbor interface. For information about running a scan, see [Scan All Images](scan-all-images.md). diff --git a/docs/administration/vulnerability-scanning/pluggable-scanners.md b/docs/administration/vulnerability-scanning/pluggable-scanners.md deleted file mode 100644 index 68593f1cd..000000000 --- a/docs/administration/vulnerability-scanning/pluggable-scanners.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -title: Connect Harbor to Additional Vulnerability Scanners -weight: 25 ---- - -To connect Harbor to additional vulnerability scanners, you must install and configure an instance of the additional scanner according to the scanner vendor's requirements. The scanner must expose an API endpoint to allow Harbor to trigger the scan process or get reports. You can deploy multiple different scanners, and multiple instances of the same type of scanner. - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Expand **Administration**, and select **Interrogation Services**. - ![Interrogation Services](../../../img/interrogation-services.png) -1. Click the **New Scanner** button. -1. Enter the information to identify the scanner. - - A unique name for this scanner instance, to display in the Harbor interface. - - An optional description of this scanner instance. - - The address of the API endpoint that the scanner exposes to Harbor. - ![Add scanner](../../../img/add-scanner.png) -1. Select how to connect to the scanner from the **Authorization** drop-down menu. - ![Select scanner authentication method](../../../img/scanner-auth.png) - - **None**: The scanner allows all connections without any security. - - **Basic**: Enter a username and password for an account that can connect to the scanner. - - **Bearer**: Paste the contents of a bearer token in the **Token** text box. - - **APIKey**: Paste the contents of an API key for the scanner in the **APIKey** text box. -1. Optionally select **Skip certificate verification** if the scanner uses a self-signed or untrusted certificate. -1. Optionally select **Use internal registry address** if the scanner should connect to Harbor using an internal network address rather than its external URL. - - **NOTE**: To use this option, the scanner must be deployed in a network that allows the scanner to reach Harbor via Harbor's internal network. -1. Click **Test Connection** to make sure that Harbor can connect successfully to the scanner. - ![Test scanner connection](../../../img/test-scanner-connection.png) -1. Click **Add** to connect Harbor to the scanner. -1. Optionally repeat the procedure to add more scanners. -1. If you configure multiple scanners, select one and click **Set as Default** to designate it as the default scanner. - -## Vulnerability Metadata - -Vulnerability scanners depend on the vulnerability metadata to complete the analysis process. After the first initial installation, the vulnerability scanner automatically starts to update the metadata database from different vulnerability repositories. The database update might take a while, based on the data size and network connection. - -Depending on the scanner that you use, once the database is ready, the timestamp of the last update is shown in the **Interrogation Services** > **Vulnerability** tab. Currently, only Clair and Anchore provide timestamp information. -![browse project](../../../img/clair-ready.png) - -Until the database has been fully populated, the timestamp is replaced by a warning symbol. When the database is ready, you can scan images individually or scan all images across all projects. - -If your Harbor instance is not connected to the external internet, you must manually update the vulnerability metadata. For information about how to update Clair manually, see [Import Vulnerability Data to an Offline Harbor instance](import-vulnerability-data.md). diff --git a/docs/administration/vulnerability-scanning/scan-all-artifacts.md b/docs/administration/vulnerability-scanning/scan-all-artifacts.md deleted file mode 100644 index aace8c362..000000000 --- a/docs/administration/vulnerability-scanning/scan-all-artifacts.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Scan All Artifacts -weight: 35 ---- - -In addition to scanning individual artifacts in projects, you can run global scans on all of the artifacts in a Harbor instance, across all projects. - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Expand **Administration**, and select **Interrogation Services**. -1. Select the **Vulnerability** tab and click **Scan Now** to scan all of the artifacts in all projects. - - ![Scan all artifacts](../../../img/scan-all.png) - -Scanning requires intensive resource consumption. If scanning is in progress, the **Scan Now** button is unavailable. diff --git a/docs/administration/vulnerability-scanning/scan-individual-artifact.md b/docs/administration/vulnerability-scanning/scan-individual-artifact.md deleted file mode 100644 index 0947c9f81..000000000 --- a/docs/administration/vulnerability-scanning/scan-individual-artifact.md +++ /dev/null @@ -1,70 +0,0 @@ ---- -title: Scan Individual Artifacts -weight: 30 ---- - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects** and select a project. -1. Select the **Scanner** tab. - - The **Scanner** tab shows the details of the scanner that is currently set as the scanner to use for this project. - - ![Project scanner tab](../../../img/project-scanners.png) - -1. Click **Edit** to select a different scanner from the list of scanners that are connected to this Harbor instance, and click **OK**. - - ![Project scanner tab](../../../img/select-scanner.png) - - {{< note >}} - If you have selected the **Prevent vulnerable images from running** option in the project **Configuration** tab, the prevention of pulling vulnerable artifacts is determined by the scanner that is set in the project, or by the global default scanner if no scanner is configured specifically for the project. Different scanners might apply different levels of severity to artifact vulnerabilities. - {{< /note >}} - -1. Select the **Repositories** tab and select a repository. - - For each artifact in the repository, the **Vulnerabilities** column displays the vulnerability scanning status and related information. - - ![Artifact vulnerability status](../../../img/artifact-vulnerability-status.png) - -1. Select a artifact, or use the check box at the top to select all artifacts in the repository, and click the **Scan** button to run the vulnerability scan on this artifact. - - ![Scan an artifact](../../../img/scan-artifact.png) - - **NOTE**: You can start a scan at any time, unless the status is **Queued** or **Scanning**. If the database has not been fully populated, you should not run a scan. The following statuses are displayed in the **Vulnerabilities** column: - - * **Not Scanned:** The artifact has never been scanned. - * **Unsupported:** The artifact is not supported by the scanner. - * **Queued:** The scanning task is scheduled but has not run yet. - * **Scanning:** The scanning task is in progress and a progress bar is displayed. - * **View log:** The scanning task failed to complete. Click **View Log** link to view the related logs. - * **Complete:** The scanning task completed successfully. - - If the process completes successfully, the result indicates the overall severity level, with the total number of vulnerabilities found for each severity level, and the number of fixable vulnerabilities. - - ![Scan result](../../../img/scan-result.png) - - * **Red:** At least one critical vulnerability found - * **Orange:** At least one high level vulnerability found - * **Yellow:** At least one medium level vulnerability found - * **Blue:** At least one low level vulnerability found - * **Green:** No vulnerabilities found - * **Grey:** Unknown vulnerabilities - -1. Hover over the number of fixable vulnerabilities to see a summary of the vulnerability report. - - ![Vulnerability summary](../../../img/vulnerability-summary.png) - -1. Click on the artifact digest to see a detailed vulnerability report. - - ![Vulnerability report](../../../img/artifact-detail.png) - - In addition to information about the artifact, all of the vulnerabilities found in the last scan are listed. You can order or filter the list by the different columns. You can also click **Scan** in the report page to run a scan on this artifact. - - -## Vulnerability scanning for OCI image index - -When scanning an OCI image index, Harbor will send scan requests for each of the referenced artifact which is supported by the scanner to the scanner. If the image scanning status of any referenced image is **Scanning**, the status for the OCI image index as a whole will also be **Scanning**. The scan for the index is considered successful only if all referenced images are successfully scanned. It is considered limited successful when not all referenced images are successfully scanned but at least one of referenced image is successfully scanned, otherwise it is considered failed. - -![Limited successful](../../../img/limited-successful-status.png) - - -When an OCI image index is successfully scanned, the summary of the vulnerability report for the OCI image index is aggregated from the individual scan results of the the artifacts referenced by the index. The vulnerability report will show both sets of statistics. diff --git a/docs/administration/vulnerability-scanning/schedule-scans.md b/docs/administration/vulnerability-scanning/schedule-scans.md deleted file mode 100644 index 51b755ee6..000000000 --- a/docs/administration/vulnerability-scanning/schedule-scans.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -title: Schedule Scans -weight: 40 ---- - -You can set policies to control when vulnerability scanning should run. - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Expand **Administration**, and select **Interrogation Services**. -1. Select the **Vulnerability** tab and click the **Edit** button next to **Schedule to scan all**. -1. Use the drop down-menu to select how often to run scans. - - ![browse project](../../../img/scan-policy.png) - - * **None**: No scans are scheduled. - * **Hourly**: Run a scan at the beginning of every hour. - * **Daily**: Run a scan at midnight every day. - * **Weekly**: Run a scan at midnight every Saturday. - * **Custom**: Run a scan according to a `cron` job. -1. Click **Save**. diff --git a/docs/build-customize-contribute/_index.md b/docs/build-customize-contribute/_index.md deleted file mode 100644 index 329bd6c68..000000000 --- a/docs/build-customize-contribute/_index.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -title: Building, Customizing, and Contributing to Harbor -weight: 20 ---- - -This section describes how developers can build from Harbor source code, customize their deployments, and contribute to the open-source Harbor project. - -See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community). diff --git a/docs/build-customize-contribute/compile-guide.md b/docs/build-customize-contribute/compile-guide.md deleted file mode 100644 index c3ec04557..000000000 --- a/docs/build-customize-contribute/compile-guide.md +++ /dev/null @@ -1,179 +0,0 @@ ---- -title: Build Harbor from Source Code ---- - -This guide provides instructions for developers to build and run Harbor from source code. - -## Step 1: Prepare for a build environment for Harbor - -Harbor is deployed as several Docker containers and most of the code is written in Go language. The build environment requires Docker, Docker Compose and golang development environment. Please install the below prerequisites: - -| Software | Required Version | -| -------------- | ---------------- | -| docker | 17.05 + | -| docker-compose | 1.18.0 + | -| python | 2.7 + | -| git | 1.9.1 + | -| make | 3.81 + | -| golang\* | 1.7.3 + | - -\*optional, required only if you use your own Golang environment. - -## Step 2: Getting the source code - -```sh -git clone https://github.com/goharbor/harbor -``` - -## Step 3: Building and installing Harbor - -### Configuration - -Copy the file **make/harbor.yml.tmp** to **make/harbor.yml**, and make necessary configuration changes such as hostname, admin password and mail server. Refer to [Harbor Installation and Configuration](../install-config/_index.md) for more info. - -```sh -cd harbor -vi make/harbor.yml -``` - -### Compiling and Running - -You can compile the code by one of the three approaches: - -#### I. Build with official Golang image - -- Get official Golang image from docker hub: - - ```sh - docker pull golang:1.12.5 - ``` - -- Build, install and bring up Harbor without Notary: - - ```sh - make install GOBUILDIMAGE=golang:1.12.5 COMPILETAG=compile_golangimage - ``` - -- Build, install and bring up Harbor with Notary: - - ```sh - make install GOBUILDIMAGE=golang:1.12.5 COMPILETAG=compile_golangimage NOTARYFLAG=true - ``` - -- Build, install and bring up Harbor with Clair: - - ```sh - make install GOBUILDIMAGE=golang:1.12.5 COMPILETAG=compile_golangimage CLAIRFLAG=true - ``` - -#### II. Compile code with your own Golang environment, then build Harbor - -- Move source code to `$GOPATH` - - ```sh - mkdir $GOPATH/src/github.com/goharbor/ - cd .. - mv harbor $GOPATH/src/github.com/goharbor/. - ``` - -- Build, install and run Harbor without Notary and Clair: - - ```sh - cd $GOPATH/src/github.com/goharbor/harbor - $ make install - ``` - -- Build, install and run Harbor with Notary and Clair: - - ```sh - cd $GOPATH/src/github.com/goharbor/harbor - make install -e NOTARYFLAG=true CLAIRFLAG=true - ``` - -### Verify your installation - -If everything worked properly, you will see this message: - -```sh -... -Start complete. You can visit harbor now. -``` - -Refer to [Reconfigure Harbor and Manage the Harbor Lifecycle](../install-config/reconfigure-manage-lifecycle.md) for more information about managing your Harbor instance. - -## Appendix - -- Using the Makefile - -The `Makefile` contains these configurable parameters: - -| Variable | Description | -| ------------------- | ---------------------------------------------------------------- | -| BASEIMAGE | Container base image, default: photon | -| DEVFLAG | Build model flag, default: dev | -| COMPILETAG | Compile model flag, default: compile_normal (local golang build) | -| NOTARYFLAG | Notary mode flag, default: false | -| CLAIRFLAG | Clair mode flag, default: false | -| TRIVYFLAG | Trivy mode flag, default: false | -| HTTPPROXY | NPM http proxy for Clarity UI builder | -| REGISTRYSERVER | Remote registry server IP address | -| REGISTRYUSER | Remote registry server user name | -| REGISTRYPASSWORD | Remote registry server user password | -| REGISTRYPROJECTNAME | Project name on remote registry server | -| VERSIONTAG | Harbor images tag, default: dev | -| PKGVERSIONTAG | Harbor online and offline version tag, default:dev | - -- Predefined targets: - -| Target | Description | -| ---------------------- | --------------------------------------------------------------------------------------------------------------------------- | -| all | prepare env, compile binaries, build images and install images | -| prepare | prepare env | -| compile | compile ui and jobservice code | -| compile_portal | compile portal code | -| compile_ui | compile ui binary | -| compile_jobservice | compile jobservice binary | -| build | build Harbor docker images (default: using build_photon) | -| build_photon | build Harbor docker images from Photon OS base image | -| install | compile binaries, build images, prepare specific version of compose file and startup Harbor instance | -| start | startup Harbor instance (set NOTARYFLAG=true when with Notary) | -| down | shutdown Harbor instance (set NOTARYFLAG=true when with Notary) | -| package_online | prepare online install package | -| package_offline | prepare offline install package | -| pushimage | push Harbor images to specific registry server | -| clean all | remove binary, Harbor images, specific version docker-compose file, specific version tag and online/offline install package | -| cleanbinary | remove ui and jobservice binary | -| cleanimage | remove Harbor images | -| cleandockercomposefile | remove specific version docker-compose | -| cleanversiontag | remove specific version tag | -| cleanpackage | remove online/offline install package | - -#### EXAMPLE: - -#### Push Harbor images to specific registry server - -```sh -make pushimage -e DEVFLAG=false REGISTRYSERVER=[$SERVERADDRESS] REGISTRYUSER=[$USERNAME] REGISTRYPASSWORD=[$PASSWORD] REGISTRYPROJECTNAME=[$PROJECTNAME] -``` - -**Note**: need add "/" on end of REGISTRYSERVER. If REGISTRYSERVER is not set, images will be pushed directly to Docker Hub. - -```sh -make pushimage -e DEVFLAG=false REGISTRYUSER=[$USERNAME] REGISTRYPASSWORD=[$PASSWORD] REGISTRYPROJECTNAME=[$PROJECTNAME] -``` - -#### Clean up binaries and images of a specific version - -```sh -make clean -e VERSIONTAG=[TAG] -``` - -{{< note >}} -If new code has been added to Github, the git commit TAG will change. Better use this command to clean up images and files of previous TAG. -{{< /note >}} - -#### By default, the make process create a development build. To create a release build of Harbor, set the below flag to false. - -```sh -make XXXX -e DEVFLAG=false -``` diff --git a/docs/build-customize-contribute/configure-swagger.md b/docs/build-customize-contribute/configure-swagger.md deleted file mode 100644 index 8b2e8d78b..000000000 --- a/docs/build-customize-contribute/configure-swagger.md +++ /dev/null @@ -1,96 +0,0 @@ ---- -title: View and Test the Harbor REST API via Swagger ---- - -A Swagger file is provided for viewing and testing Harbor REST API. - -## Viewing Harbor REST API - -* Open the file **swagger.yaml** under the _docs_ directory in Harbor project -* Paste all its content into the online Swagger Editor at http://editor.swagger.io. The descriptions of Harbor API will be shown on the right pane of the page. - -![Swagger Editor](../../img/swagger-editor.png) - -## Testing Harbor REST API -From time to time, you may need to mannually test Harbor REST API. You can deploy the Swagger file into Harbor's service node. Suppose you install Harbor through online or offline installer, you should have a Harbor directory after you un-tar the installer, such as `~/harbor`. - - {{< danger >}} - When using Swagger to send REST requests to Harbor, you may alter the data of Harbor accidentally. For this reason, we do **not** recommended using Swagger against a production Harbor instance. - {{< /danger >}} - -* Download `prepare-swagger.sh` and `swagger.yaml` under the `docs` directory to your local Harbor directory, e.g. `~/harbor`. - - ```sh - wget https://raw.githubusercontent.com/goharbor/harbor/master/docs/prepare-swagger.sh https://raw.githubusercontent.com/goharbor/harbor/master/docs/swagger.yaml - ``` - -* Edit the script file `prepare-swagger.sh`. - - ```sh - vi prepare-swagger.sh - ``` - -* Change the SCHEME to the protocol scheme of your Harbor server. - - ```sh - SCHEME= - ``` - -* Change the `SERVER_IP` to the IP address of your Harbor server. - - ```sh - SERVER_IP= - ``` - -* Change the file mode. - - ```sh - chmod +x prepare-swagger.sh - ``` - -* Run the shell script. It downloads a Swagger package and extracts files into the `../static` directory. - - ```sh - ./prepare-swagger.sh - ``` - -* Edit the `docker-compose.yml` file under your local Harbor directory. - - ```sh - vi docker-compose.yml - ``` - -* Add two lines to the file `docker-compose.yml` under the section `ui.volumes`. - - ```yaml - # ... - ui: - # ... - volumes: - - ./common/config/ui/app.conf:/etc/core/app.conf:z - - ./common/config/ui/private_key.pem:/etc/core/private_key.pem:z - - /data/secretkey:/etc/core/key:z - - /data/ca_download/:/etc/core/ca/:z - ## add two lines as below ## - - ../src/ui/static/vendors/swagger-ui-2.1.4/dist:/harbor/static/vendors/swagger - - ../src/ui/static/resources/yaml/swagger.yaml:/harbor/static/resources/yaml/swagger.yaml - # ... - ``` - -* Recreate Harbor containers - - ```docker - docker-compose down -v && docker-compose up -d - ``` - -* Because a session ID is usually required by Harbor API, **you should log in first from a browser.** -* Open another tab in the same browser so that the session is shared between tabs. -* Enter the URL of the Swagger page in Harbor as below. The `````` should be replaced by the IP address or the hostname of the Harbor server. - - ```text - http:///static/vendors/swagger/index.html - ``` - -* You should see a Swagger UI page with Harbor API _swagger.yaml_ file loaded in the same domain, **be aware that your REST request submitted by Swagger may change the data of Harbor**. - - ![Harbor API](../../img/rendered-swagger.png) diff --git a/docs/build-customize-contribute/customize-look-feel.md b/docs/build-customize-contribute/customize-look-feel.md deleted file mode 100644 index 45f822bbb..000000000 --- a/docs/build-customize-contribute/customize-look-feel.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Customize the Look and Feel of Harbor ---- - -The primary look & feel of Harbor supports to be customized with several simple steps. All the relevant customization in configurations are saved in the `setting.json` file under `$HARBOR_DIR/src/portal/src` folder with `json` format and will be loaded when Harbor is launched. - -## Configure - -Open the `setting.json` file, you'll see the default content as shown below: - -```json -{ - "headerBgColor": "#004a70", - "headerLogo": "", - "loginBgImg": "", - "appTitle": "", - "product": { - "name": "Harbor", - "introduction": { - "zh-cn": "", - "es-es": "", - "en-us": "" - } - } -} -``` - -Change the values of configuration if you want to override the default style to your own. Here are references: - -* **headerBgColor**: Background color of the page header, support either HEX or RGB value. e.g: `#004a70` and `rgb(210,110,235)`. -* **headerLogo**: Name path of the logo image in the header, e.g: 'logo.png'. The image file should be put in the `images` folder. -* **loginBgImg**: Name path of the background image displayed in the login page, e.g: 'login_bg.png'. The image file should be put in the `images` folder. Suggest the size of this image should be bigger than 800px*600px. -* **Product**: Contain metadata / description of the product. - - **title**: The full product title displayed in the login page. - - **company**: Name of the company publishing the product. - - **name**: Name of the product. - - **introductions**: The introduction about the product with different languages, which are displayed in the `About` dialog. - -## Build - -Once the `setting.json` configurations has been updated, re-[build](#configure) your product to apply the new changes. diff --git a/docs/build-customize-contribute/developer-guide-i18n.md b/docs/build-customize-contribute/developer-guide-i18n.md deleted file mode 100644 index 2263f780c..000000000 --- a/docs/build-customize-contribute/developer-guide-i18n.md +++ /dev/null @@ -1,73 +0,0 @@ ---- -title: Developing for Internationalization ---- - -{{< note >}} -All the files you created should use UTF-8 encoding. -{{< /note >}} - -Steps to localize the UI in your language - -1. In the folder `src/portal/src/i18n/lang`, copy json file `en-us-lang.json` to a new file and rename it to `--lang.json` . - - The file contains a JSON object including all the key-value pairs of UI strings: - - ```javascript - { - "APP_TITLE": { - "VMW_HARBOR": "Harbor", - "HARBOR": "Harbor", - // ... - }, - // ... - } - ``` - - In the file `--lang.json`, translate all the values into your language. Do not change any keys. - -2. After creating your language file, you should add it to the language supporting list. - - Locate the file `src/portal/src/app/shared/shared.const.ts`. - - Append `-` to the language supporting list: - - ```typescript - export const supportedLangs = ['en-us', 'zh-cn', '-']; - ``` - - Define the language display name and append it to the name list: - - ```typescript - export const languageNames = { - "en-us": "English", - "zh-cn": "中文简体", - "-": "" - }; - ``` - - {{< note >}} - Don't miss the comma before the new key-value item you've added. - {{< /note >}} - -3. Enable the new language in the view. - - Locate the file `src/portal/src/app/base/navigator/navigator.component.html` and then find the following code piece: - - ```html -
- English - 中文简体 -
- ``` - - Add a new menu item for your language: - - ```html -
- English - 中文简体 - DISPLAY_NAME -
- ``` - -4. Next, refer to [Build Harbor from Source Code](compile-guide.md) to rebuild and restart Harbor. diff --git a/docs/build-customize-contribute/e2e-api-python-based-scripting-guide.md b/docs/build-customize-contribute/e2e-api-python-based-scripting-guide.md deleted file mode 100644 index 3c4597aa6..000000000 --- a/docs/build-customize-contribute/e2e-api-python-based-scripting-guide.md +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: E2E (API) Python Based Test Scripting Guide -draft: true ---- - -#### Preparation #### - -After getting Harbor source code (git clone https://github.com/goharbor/harbor.git), Harbor E2E API test scripts can be found in tests/apitests/python directory. - -Before scripting, please make sure swagger client has been made by "make swagger_client", then archive "harborclient" will be made - -1. `git clone https://github.com/goharbor/harbor.git` - -2. `cd harbor` - -3. `make swagger_client` - -4. `cd harborclient/` - - -We use $HARBORCLIENT_PATH represent the path of "harborclient" you've made by "make swagger_client". - -Deploy Harbor instance for testing, and we will use $HARBOR_IP_ADDR to represent the deployed Harbor in this document. - -Harbor E2E API test scripts will import python library under archive "harborclient", please set OS environment variant for Harbor E2E API test scripts: - - -1. `export HARBOR_HOST=$HARBOR_IP_ADDR` -2. `export SWAGGER_CLIENT_PATH=$HARBORCLIENT_PATH` - -Until now, we have all preparation work done. - -#### Scripting #### - -As you can see, we will use python library made by "make swagger_client", in this library, we have all API functions and models, but for more convenience we encapsulate one more level in archive "library", so the script structure is as bellow: - - -library/ - - -test_project_level_policy_content_trust.py - - -test_project_quota.py - - -test_retention.py - - -... - -You can add both library code and script code, since not all APIs have been encapsulated. - - -#### Manual Execution Example #### - -root@harbor:/harbor/code/harbor# `python ./tests/apitests/python/test_add_sys_label_to_tag.py` - -2020-03-11 13:40:07,269 DEBUG Starting new HTTPS connection (1): 1.1.1.1:443 -send: 'POST /api/v2.0/users HTTP/1.1\r\nHost: 1.1.1.1\r\nAccept-Encoding: identity\r\nContent-Length: 156\r\nContent-Type: application/json\r\nAccept: application/json\r\nAuthorization: Basic YWRtaW46SGFyYm9yMTIzNDU=\r\nUser-Agent: Swagger-Codegen/1.0.0/python\r\n\r\n{"username": "user-1583934007059", "role_id": 0, "password": "xxxxxxxx", "email": "realname-1583934007059@vmware.com", "realname": "realname-1583934007059"}' -reply: 'HTTP/1.1 201 Created\r\n' -header: Server: nginx -header: Date: Wed, 11 Mar 2020 13:40:07 GMT -header: Content-Length: 0 -header: Connection: keep-alive -header: Location: /api/v2.0/users/9 -header: Set-Cookie: sid=2e05f902f345b855ec33221ade1c6d09; Path=/; Secure; HttpOnly -header: X-Request-Id: 9ba11b26-2cdb-432f-878e-3fed04fa61b1 -header: Strict-Transport-Security: max-age=31536000; includeSubdomains; preload -header: X-Frame-Options: DENY -header: Content-Security-Policy: frame-ancestors 'none' -2020-03-11 13:40:07,482 DEBUG https://1.1.1.1:443 "POST /api/v2.0/users HTTP/1.1" 201 0 -2020-03-11 13:40:07,483 DEBUG response body: - -...... - -...... - -...... - -#### How To Trigger Script In CI #### - -If you like to have your scripts running in CI which is for verification of pull requests, please add your scripts into *https://github.com/goharbor/harbor/blob/master/tests/robot-cases/Group0-BAT/API_DB.robot* file, then scripts can be triggered once there is a pull request. - - - diff --git a/docs/build-customize-contribute/prepare-swagger.sh b/docs/build-customize-contribute/prepare-swagger.sh deleted file mode 100644 index 41b9c8a95..000000000 --- a/docs/build-customize-contribute/prepare-swagger.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -SCHEME=http -SERVER_IP=reg.mydomain.com -set -e -echo "Doing some clean up..." -rm -f *.tar.gz -echo "Downloading Swagger UI release package..." -wget https://github.com/swagger-api/swagger-ui/archive/v2.1.4.tar.gz -O swagger.tar.gz -echo "Untarring Swagger UI package to the static file path..." -mkdir -p ../src/ui/static/vendors -tar -C ../src/ui/static/vendors -zxf swagger.tar.gz swagger-ui-2.1.4/dist -echo "Executing some processes..." -sed -i.bak 's/http:\/\/petstore\.swagger\.io\/v2\/swagger\.json/'$SCHEME':\/\/'$SERVER_IP'\/static\/resources\/yaml\/swagger\.yaml/g' \ -../src/ui/static/vendors/swagger-ui-2.1.4/dist/index.html -sed -i.bak '/jsonEditor: false,/a\ validatorUrl: null,' ../src/ui/static/vendors/swagger-ui-2.1.4/dist/index.html -mkdir -p ../src/ui/static/resources/yaml -cp swagger.yaml ../src/ui/static/resources/yaml -sed -i.bak 's/host: localhost/host: '$SERVER_IP'/g' ../src/ui/static/resources/yaml/swagger.yaml -sed -i.bak 's/ \- http$/ \- '$SCHEME'/g' ../src/ui/static/resources/yaml/swagger.yaml -echo "Finish preparation for the Swagger UI." diff --git a/docs/build-customize-contribute/registry-landscape.md b/docs/build-customize-contribute/registry-landscape.md deleted file mode 100644 index 7f7620483..000000000 --- a/docs/build-customize-contribute/registry-landscape.md +++ /dev/null @@ -1,35 +0,0 @@ ---- -title: Registry Landscape ---- - -The cloud native ecosystem is moving rapidly—registries and their feature sets are no exception. We've made our best effort to survey the container registry landscape and compare to our core feature set. - -If you find something outdated or outright erroneous, please submit a PR and we'll fix it right away. - -Table updated on 10/21/2019 against Harbor 1.9. - -| Feature | Harbor | Docker Trusted Registry | Quay | Cloud Providers (GCP, AWS, Azure) | Docker Distribution | Artifactory | GitLab | -| -------------: | :----: | :---------------------: | :-----: | :-------------------------------: | :-----------------: | :---------: | :------: | -| Ability to Determine Version of Binaries in Containers | ✓ | ✓ | ✓ | ✗ | ✗ | ? | ? | -| Artifact Repository (rpms, git, jar, etc) | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | partial | -| Audit Logs | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | -| Content Trust and Validation | ✓ | ✓ | ✗ | ✗ | partial | partial | ✗ | -| Custom TLS Certificates | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | -| Helm Chart Repository Manager | ✓ | ✗ | partial | ✗ | ✗ | ✓ | ✗ | -| LDAP-based Auth | ✓ | ✓ | ✓ | partial | ✗ | ✓ | ✓ | -| Local Auth | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | -| Multi-Tenancy (projects, teams, namespaces, etc) | ✓ | ✓ | ✓ | partial | ✗ | ✓ | ✓ | -| Open Source | ✓ | partial | ✗ | ✗ | ✓ | partial | partial | -| Project Quotas (by image count & storage consumption) | ✓ | ✗ | ✗ | partial | ✗ | ✗ | ✗ | -| Replication between instances | ✓ | ✓ | ✓ | n/a | ✗ | ✓ | ✗ | -| Replication between non-instances | ✓ | ✗ | ✓ | n/a | ✗ | ✗ | ✗ | -| Robot Accounts for Helm Charts | ✓ | ✗ | ✗ | ? | ✗ | ✗ | ✗ | -| Robot Accounts for Images | ✓ | ? | ✓ | ? | ✗ | ? | ? | -| Role-Based Access Control | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ | -| Single Sign On (OIDC) | ✓ | ✓ | ✓ | ✓ | ✗ | partial | ✗ | -| Tag Retention Policy | ✓ | ✗ | partial | ✗ | ✗ | ✗ | ✗ | -| Upstream Registry Proxy Cache | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | -| Vulnerability Scanning & Monitoring | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | partial | -| Vulnerability Scanning Plugin Framework | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| Vulnerability Allowlisting | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| Webhooks | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | diff --git a/docs/build-customize-contribute/swagger.yaml b/docs/build-customize-contribute/swagger.yaml deleted file mode 100644 index 54dd695dd..000000000 --- a/docs/build-customize-contribute/swagger.yaml +++ /dev/null @@ -1,6406 +0,0 @@ -swagger: '2.0' -info: - title: Harbor API - description: These APIs provide services for manipulating Harbor project. - version: 1.9.0 -host: localhost -schemes: - - http - - https -basePath: /api -produces: - - application/json - - text/plain -consumes: - - application/json -securityDefinitions: - basicAuth: - type: basic -security: - - basicAuth: [] -paths: - /health: - get: - summary: 'Health check API' - description: | - The endpoint returns the health stauts of the system. - tags: - - Products - responses: - '200': - description: The system health status. - schema: - $ref: '#/definitions/OverallHealthStatus' - /search: - get: - summary: 'Search for projects, repositories and helm charts' - description: | - The Search endpoint returns information about the projects ,repositories and helm charts offered at public status or related to the current logged in user. The response includes the project, repository list and charts in a proper display order. - parameters: - - name: q - in: query - description: Search parameter for project and repository name. - required: true - type: string - tags: - - Products - responses: - '200': - description: An array of search results - schema: - type: array - items: - $ref: '#/definitions/Search' - '500': - description: Unexpected internal errors. - /projects: - get: - summary: List projects - description: | - This endpoint returns all projects created by Harbor, and can be filtered by project name. - parameters: - - name: name - in: query - description: The name of project. - required: false - type: string - - name: public - in: query - description: The project is public or private. - required: false - type: boolean - format: int32 - - name: owner - in: query - description: The name of project owner. - required: false - type: string - - name: page - in: query - type: integer - format: int32 - required: false - description: 'The page number, default is 1.' - - name: page_size - in: query - type: integer - format: int32 - required: false - description: 'The size of per page, default is 10, maximum is 100.' - tags: - - Products - responses: - '200': - description: Return all matched projects. - schema: - type: array - items: - $ref: '#/definitions/Project' - headers: - X-Total-Count: - description: The total count of projects - type: integer - Link: - description: Link refers to the previous page and next page - type: string - '401': - description: User need to log in first. - '500': - description: Internal errors. - head: - summary: Check if the project name user provided already exists. - description: | - This endpoint is used to check if the project name user provided already exist. - parameters: - - name: project_name - in: query - description: Project name for checking exists. - required: true - type: string - tags: - - Products - responses: - '200': - description: Project name exists. - '404': - description: Project name does not exist. - '500': - description: Unexpected internal errors. - post: - summary: Create a new project. - description: | - This endpoint is for user to create a new project. - parameters: - - name: project - in: body - description: New created project. - required: true - schema: - $ref: '#/definitions/ProjectReq' - tags: - - Products - responses: - '201': - description: Project created successfully. - '400': - description: Unsatisfied with constraints of the project creation. - '401': - description: User need to log in first. - '409': - description: Project name already exists. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - '/projects/{project_id}': - get: - summary: Return specific project detail information - description: | - This endpoint returns specific project information by project ID. - parameters: - - name: project_id - in: path - description: Project ID for filtering results. - required: true - type: integer - format: int64 - tags: - - Products - responses: - '200': - description: Return matched project information. - schema: - $ref: '#/definitions/Project' - '401': - description: User need to log in first. - '500': - description: Internal errors. - put: - summary: Update properties for a selected project. - description: | - This endpoint is aimed to update the properties of a project. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Selected project ID. - - name: project - in: body - required: true - schema: - $ref: '#/definitions/ProjectReq' - description: Updates of project. - tags: - - Products - responses: - '200': - description: Updated project properties successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User does not have permission to the project. - '404': - description: Project ID does not exist. - '500': - description: Unexpected internal errors. - delete: - summary: Delete project by projectID - description: | - This endpoint is aimed to delete project by project ID. - parameters: - - name: project_id - in: path - description: Project ID of project which will be deleted. - required: true - type: integer - format: int64 - tags: - - Products - responses: - '200': - description: Project is deleted successfully. - '400': - description: Invalid project id. - '403': - description: User need to log in first. - '404': - description: Project does not exist. - '412': - description: 'Project contains policies, can not be deleted.' - '500': - description: Internal errors. - '/projects/{project_id}/logs': - get: - summary: Get access logs accompany with a relevant project. - description: | - This endpoint let user search access logs filtered by operations and date time ranges. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID - - name: username - in: query - type: string - required: false - description: Username of the operator. - - name: repository - in: query - type: string - required: false - description: The name of repository - - name: tag - in: query - type: string - required: false - description: The name of tag - - name: operation - in: query - type: string - required: false - description: The operation - - name: begin_timestamp - in: query - type: string - required: false - description: The begin timestamp - - name: end_timestamp - in: query - type: string - required: false - description: The end timestamp - - name: page - in: query - type: integer - format: int32 - required: false - description: 'The page number, default is 1.' - - name: page_size - in: query - type: integer - format: int32 - required: false - description: 'The size of per page, default is 10, maximum is 100.' - tags: - - Products - responses: - '200': - description: Get access log successfully. - schema: - type: array - items: - $ref: '#/definitions/AccessLog' - headers: - X-Total-Count: - description: The total count of access logs - type: integer - Link: - description: Link refers to the previous page and next page - type: string - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '500': - description: Unexpected internal errors. - '/projects/{project_id}/summary': - get: - summary: Get summary of the project. - description: Get summary of the project. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID - tags: - - Products - responses: - '200': - description: Get summary of the project successfully. - schema: - $ref: '#/definitions/ProjectSummary' - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User does not have permission to get summary of the project. - '404': - description: Project ID does not exist. - '500': - description: Unexpected internal errors. - '/projects/{project_id}/metadatas': - get: - summary: Get project metadata. - description: | - This endpoint returns metadata of the project specified by project ID. - parameters: - - name: project_id - in: path - description: The ID of project. - required: true - type: integer - format: int64 - tags: - - Products - responses: - '200': - description: Get metadata successfully. - schema: - $ref: '#/definitions/ProjectMetadata' - '401': - description: User need to login first. - '500': - description: Internal server errors. - post: - summary: Add metadata for the project. - description: | - This endpoint is aimed to add metadata of a project. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Selected project ID. - - name: metadata - in: body - required: true - schema: - $ref: '#/definitions/ProjectMetadata' - description: The metadata of project. - tags: - - Products - responses: - '200': - description: Add metadata successfully. - '400': - description: Invalid request. - '401': - description: User need to log in first. - '403': - description: User does not have permission to the project. - '404': - description: Project ID does not exist. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Internal server errors. - '/projects/{project_id}/metadatas/{meta_name}': - get: - summary: Get project metadata - description: | - This endpoint returns specified metadata of a project. - parameters: - - name: project_id - in: path - description: Project ID for filtering results. - required: true - type: integer - format: int64 - - name: meta_name - in: path - description: The name of metadat. - required: true - type: string - tags: - - Products - responses: - '200': - description: Get metadata successfully. - schema: - $ref: '#/definitions/ProjectMetadata' - '401': - description: User need to log in first. - '500': - description: Internal server errors. - put: - summary: Update metadata of a project. - description: | - This endpoint is aimed to update the metadata of a project. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: The ID of project. - - name: meta_name - in: path - description: The name of metadat. - required: true - type: string - tags: - - Products - responses: - '200': - description: Updated metadata successfully. - '400': - description: Invalid request. - '401': - description: User need to log in first. - '403': - description: User does not have permission to the project. - '404': - description: Project or metadata does not exist. - '500': - description: Internal server errors. - delete: - summary: Delete metadata of a project - description: | - This endpoint is aimed to delete metadata of a project. - parameters: - - name: project_id - in: path - description: The ID of project. - required: true - type: integer - format: int64 - - name: meta_name - in: path - description: The name of metadat. - required: true - type: string - tags: - - Products - responses: - '200': - description: Metadata is deleted successfully. - '400': - description: Invalid requst. - '403': - description: User need to log in first. - '404': - description: Project or metadata does not exist. - '500': - description: Internal server errors. - '/projects/{project_id}/members': - get: - summary: Get all project member information - description: Get all project member information - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: entityname - in: query - type: string - description: The entity name to search. - tags: - - Products - responses: - '200': - description: Get project members successfully. - schema: - type: array - items: - $ref: '#/definitions/ProjectMemberEntity' - '400': - description: The project id is invalid. - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '404': - description: Project ID does not exist. - '500': - description: Unexpected internal errors. - post: - summary: Create project member - description: 'Create project member relationship, the member can be one of the user_member and group_member, The user_member need to specify user_id or username. If the user already exist in harbor DB, specify the user_id, If does not exist in harbor DB, it will SearchAndOnBoard the user. The group_member need to specify id or ldap_group_dn. If the group already exist in harbor DB. specify the user group''s id, If does not exist, it will SearchAndOnBoard the group. ' - tags: - - Products - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: project_member - in: body - schema: - $ref: '#/definitions/ProjectMember' - responses: - '201': - description: Project member created successfully. - '400': - description: 'Illegal format of project member or project id is invalid, or LDAP DN is invalid.' - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '409': - description: A user group with same group name already exist or an LDAP user group with same DN already exist. - '500': - description: Unexpected internal errors. - '/projects/{project_id}/members/{mid}': - get: - summary: Get the project member information - description: Get the project member information - tags: - - Products - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: mid - in: path - type: integer - format: int64 - required: true - description: The member ID - responses: - '200': - description: Project member retrieved successfully. - schema: - $ref: '#/definitions/ProjectMemberEntity' - '400': - description: 'Illegal format of project member or invalid project id, member id.' - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '404': - description: Project or projet member does not exist. - '500': - description: Unexpected internal errors. - put: - summary: Update project member - description: Update project member relationship - tags: - - Products - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: mid - in: path - type: integer - format: int64 - required: true - description: Member ID. - - name: role - in: body - schema: - $ref: '#/definitions/RoleRequest' - responses: - '200': - description: Project member updated successfully. - '400': - description: 'Invalid role id, it should be 1,2 or 3, or invalid project id, or invalid member id.' - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '404': - description: project or project member does not exist. - '500': - description: Unexpected internal errors. - delete: - summary: Delete project member - tags: - - Products - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: mid - in: path - type: integer - format: int64 - required: true - description: Member ID. - responses: - '200': - description: Project member deleted successfully. - '400': - description: The project id or project member id is invalid. - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '500': - description: Unexpected internal errors. - /statistics: - get: - summary: Get projects number and repositories number relevant to the user - description: | - This endpoint is aimed to statistic all of the projects number and repositories number relevant to the logined user, also the public projects number and repositories number. If the user is admin, he can also get total projects number and total repositories number. - tags: - - Products - responses: - '200': - description: Get the projects number and repositories number relevant to the user successfully. - schema: - $ref: '#/definitions/StatisticMap' - '401': - description: User need to log in first. - '500': - description: Unexpected internal errors. - /users: - get: - summary: Get registered users of Harbor. - description: | - This endpoint is for user to search registered users, support for filtering results with username.Notice, by now this operation is only for administrator. - parameters: - - name: username - in: query - type: string - required: false - description: Username for filtering results. - - name: email - in: query - type: string - required: false - description: Email for filtering results. - - name: page - in: query - type: integer - format: int32 - required: false - description: 'The page number, default is 1.' - - name: page_size - in: query - type: integer - format: int32 - required: false - description: The size of per page. - tags: - - Products - responses: - '200': - description: Searched for users of Harbor successfully. - schema: - type: array - items: - $ref: '#/definitions/User' - '400': - description: Invalid user ID. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - post: - summary: Creates a new user account. - description: | - This endpoint is to create a user if the user does not already exist. - parameters: - - name: user - in: body - description: New created user. - required: true - schema: - $ref: '#/definitions/User' - tags: - - Products - responses: - '201': - description: User created successfully. - '400': - description: Unsatisfied with constraints of the user creation. - '403': - description: User registration can only be used by admin role user when self-registration is off. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - /users/current: - get: - summary: Get current user info. - description: | - This endpoint is to get the current user information. - tags: - - Products - responses: - '200': - description: Get current user information successfully. - schema: - $ref: '#/definitions/User' - '401': - description: User need to log in first. - /users/current/permissions: - get: - summary: Get current user permissions. - description: | - This endpoint is to get the current user permissions. - parameters: - - name: scope - in: query - type: string - required: false - description: Get permissions of the scope - - name: relative - in: query - type: boolean - required: false - description: | - If true, the resources in the response are relative to the scope, - eg for resource '/project/1/repository' if relative is 'true' then the resource in response will be 'repository'. - tags: - - Products - responses: - '200': - description: Get current user permission successfully. - schema: - type: array - items: - $ref: '#/definitions/Permission' - '401': - description: User need to log in first. - '500': - description: Internal errors. - /users/search: - get: - summary: Search users by username - description: | - This endpoint is to search the users by username. - parameters: - - name: username - in: query - type: string - required: true - description: Username for filtering results. - - name: page - in: query - type: integer - format: int32 - required: false - description: 'The page number, default is 1.' - - name: page_size - in: query - type: integer - format: int32 - required: false - description: The size of per page. - tags: - - Products - responses: - '200': - description: Search users by username, email successfully. - schema: - type: array - items: - $ref: '#/definitions/UserSearch' - '500': - description: Unexpected internal errors. - '/users/{user_id}': - get: - summary: Get a user's profile. - description: | - Get user's profile with user id. - parameters: - - name: user_id - in: path - type: integer - format: int - required: true - description: Registered user ID - tags: - - Products - responses: - '200': - description: Get user's profile successfully. - schema: - $ref: '#/definitions/User' - '400': - description: Invalid user ID. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '404': - description: User ID does not exist. - '500': - description: Unexpected internal errors. - put: - summary: Update a registered user to change his profile. - description: | - This endpoint let a registered user change his profile. - parameters: - - name: user_id - in: path - type: integer - format: int - required: true - description: Registered user ID - - name: profile - in: body - description: 'Only email, realname and comment can be modified.' - required: true - schema: - $ref: '#/definitions/UserProfile' - tags: - - Products - responses: - '200': - description: Updated user's profile successfully. - '400': - description: Invalid user ID. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '404': - description: User ID does not exist. - '500': - description: Unexpected internal errors. - delete: - summary: Mark a registered user as be removed. - description: | - This endpoint let administrator of Harbor mark a registered user as - be removed.It actually won't be deleted from DB. - parameters: - - name: user_id - in: path - type: integer - format: int - required: true - description: User ID for marking as to be removed. - tags: - - Products - responses: - '200': - description: Marked user as be removed successfully. - '400': - description: Invalid user ID. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '404': - description: User ID does not exist. - '500': - description: Unexpected internal errors. - '/users/{user_id}/password': - put: - summary: Change the password on a user that already exists. - description: | - This endpoint is for user to update password. Users with the admin role can change any user's password. Guest users can change only their own password. - parameters: - - name: user_id - in: path - type: integer - format: int - required: true - description: Registered user ID. - - name: password - in: body - description: Password to be updated, the attribute 'old_password' is optional when the API is called by the system administrator. - required: true - schema: - $ref: '#/definitions/Password' - tags: - - Products - responses: - '200': - description: Updated password successfully. - '400': - description: Invalid user ID; Old password is blank; New password is blank. - '401': - description: Don't have authority to change password. Please check login status. - '403': - description: The caller does not have permission to update the password of the user with given ID, or the old password in request body is not correct. - '500': - description: Unexpected internal errors. - '/users/{user_id}/sysadmin': - put: - summary: Update a registered user to change to be an administrator of Harbor. - description: | - This endpoint let a registered user change to be an administrator - of Harbor. - parameters: - - name: user_id - in: path - type: integer - format: int - required: true - description: Registered user ID - - name: has_admin_role - in: body - description: Toggle a user to admin or not. - required: true - schema: - $ref: '#/definitions/HasAdminRole' - tags: - - Products - responses: - '200': - description: Updated user's admin role successfully. - '400': - description: Invalid user ID. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '404': - description: User ID does not exist. - '500': - description: Unexpected internal errors. - '/users/{user_id}/cli_secret': - put: - summary: Set CLI secret for a user. - description: | - This endpoint let user generate a new CLI secret for himself. This API only works when auth mode is set to 'OIDC'. - Once this API returns with successful status, the old secret will be invalid, as there will be only one CLI secret - for a user. - parameters: - - name: user_id - in: path - type: integer - format: int - required: true - description: User ID - - name: input_secret - in: body - description: JSON object that includes the new secret - required: true - schema: - type: object - properties: - secret: - type: string - description: The new secret - tags: - - Products - responses: - '200': - description: The secret is successfully updated - '400': - description: Invalid user ID. Or user is not onboarded via OIDC authentication. Or the secret does not meet the standard. - '401': - description: User need to log in first. - '403': - description: Non-admin user can only generate the cli secret of himself. - '404': - description: User ID does not exist. - '412': - description: The auth mode of the system is not "oidc_auth", or the user is not onboarded via OIDC AuthN. - '500': - description: Unexpected internal errors. - - /repositories: - get: - summary: Get repositories accompany with relevant project and repo name. - description: | - This endpoint lets user search repositories accompanying with relevant project ID and repo name. Repositories can be sorted by repo name, creation_time, update_time in either ascending or descending order. - parameters: - - name: project_id - in: query - type: integer - format: int32 - required: true - description: Relevant project ID. - - name: q - in: query - type: string - required: false - description: Repo name for filtering results. - - name: sort - in: query - type: string - required: false - description: | - Sort method, valid values include: 'name', '-name', 'creation_time', '-creation_time', 'update_time', '-update_time'. Here '-' stands for descending order. - - name: label_id - in: query - type: integer - required: false - description: The ID of label used to filter the result. - - name: page - in: query - type: integer - format: int32 - required: false - description: 'The page number, default is 1.' - - name: page_size - in: query - type: integer - format: int32 - required: false - description: 'The size of per page, default is 10, maximum is 100.' - tags: - - Products - responses: - '200': - description: Get repositories successfully. - schema: - type: array - items: - $ref: '#/definitions/Repository' - headers: - X-Total-Count: - description: The total count of repositories - type: integer - Link: - description: Link refers to the previous page and next page - type: string - '400': - description: Invalid project ID. - '403': - description: Project is not public or current user is irrelevant to the repository. - '404': - description: Project ID does not exist. - '500': - description: Unexpected internal errors. - '/repositories/{repo_name}': - delete: - summary: Delete a repository. - description: | - This endpoint let user delete a repository with name. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository which will be deleted. - tags: - - Products - responses: - '200': - description: Delete successfully. - '400': - description: Invalid repo_name. - '401': - description: Unauthorized. - '403': - description: Forbidden. - '404': - description: Repository not found. - put: - summary: Update description of the repository. - description: | - This endpoint is used to update description of the repository. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository which will be deleted. - - name: description - in: body - description: The description of the repository. - required: true - schema: - $ref: '#/definitions/RepositoryDescription' - tags: - - Products - responses: - '200': - description: Update successfully. - '401': - description: Unauthorized. - '403': - description: Forbidden. - '404': - description: Repository not found. - '/repositories/{repo_name}/labels': - get: - summary: Get labels of a repository. - description: | - Get labels of a repository specified by the repo_name. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository. - tags: - - Products - responses: - '200': - description: Successfully. - schema: - type: array - items: - $ref: '#/definitions/Label' - '401': - description: Unauthorized. - '403': - description: Forbidden. User should have read permisson for the repository to perform the action. - '404': - description: Repository not found. - post: - summary: Add a label to the repository. - description: | - Add a label to the repository. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository. - - name: label - in: body - description: Only the ID property is required. - required: true - schema: - $ref: '#/definitions/Label' - tags: - - Products - responses: - '200': - description: Successfully. - '401': - description: Unauthorized. - '403': - description: Forbidden. User should have write permisson for the repository to perform the action. - '404': - description: Resource not found. - '/repositories/{repo_name}/labels/{label_id}': - delete: - summary: Delete label from the repository. - description: | - Delete the label from the repository specified by the repo_name. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository. - - name: label_id - in: path - type: integer - required: true - description: The ID of label. - tags: - - Products - responses: - '200': - description: Successfully. - '401': - description: Unauthorized. - '403': - description: Forbidden. User should have write permisson for the repository to perform the action. - '404': - description: Resource not found. - '/repositories/{repo_name}/tags/{tag}': - get: - summary: Get the tag of the repository. - description: | - This endpoint aims to retrieve the tag of the repository. If deployed with Notary, the signature property of response represents whether the image is singed or not. If the property is null, the image is unsigned. - parameters: - - name: repo_name - in: path - type: string - required: true - description: Relevant repository name. - - name: tag - in: path - type: string - required: true - description: Tag of the repository. - tags: - - Products - responses: - '200': - description: Get tag successfully. - schema: - $ref: '#/definitions/DetailedTag' - '500': - description: Unexpected internal errors. - delete: - summary: Delete a tag in a repository. - description: | - This endpoint let user delete tags with repo name and tag. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository which will be deleted. - - name: tag - in: path - type: string - required: true - description: Tag of a repository. - tags: - - Products - responses: - '200': - description: Delete tag successfully. - '400': - description: Invalid repo_name. - '401': - description: Unauthorized. - '403': - description: Forbidden. - '404': - description: Repository or tag not found. - '/repositories/{repo_name}/tags': - get: - summary: Get tags of a relevant repository. - description: | - This endpoint aims to retrieve tags from a relevant repository. If deployed with Notary, the signature property of response represents whether the image is singed or not. If the property is null, the image is unsigned. - parameters: - - name: repo_name - in: path - type: string - required: true - description: Relevant repository name. - - name: label_id - in: query - type: string - required: false - description: A label ID. - - name: detail - in: query - type: boolean - required: false - description: Bool value indicating whether return detailed information of the tag, such as vulnerability scan info, if set to false, only tag name is returned. - tags: - - Products - responses: - '200': - description: Get tags successfully. - schema: - type: array - items: - $ref: '#/definitions/DetailedTag' - '500': - description: Unexpected internal errors. - post: - summary: Retag an image - description: > - This endpoint tags an existing image with another tag in this repo, source images - can be in different repos or projects. - parameters: - - name: repo_name - in: path - type: string - required: true - description: Relevant repository name. - - name: request - in: body - description: Request to give source image and target tag. - required: true - schema: - $ref: '#/definitions/RetagReq' - tags: - - Products - responses: - '200': - description: Image retag successfully. - '400': - description: Invalid image values provided. - '401': - description: User has no permission to the source project or destination project. - '403': - description: Forbiden as quota exceeded. - '404': - description: Project or repository not found. - '409': - description: Target tag already exists. - '500': - description: Unexpected internal errors. - '/repositories/{repo_name}/tags/{tag}/labels': - get: - summary: Get labels of an image. - description: | - Get labels of an image specified by the repo_name and tag. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository. - - name: tag - in: path - type: string - required: true - description: The tag of the image. - tags: - - Products - responses: - '200': - description: Successfully. - schema: - type: array - items: - $ref: '#/definitions/Label' - '401': - description: Unauthorized. - '403': - description: Forbidden. User should have read permisson for the image to perform the action. - '404': - description: Resource not found. - post: - summary: Add a label to image. - description: | - Add a label to the image. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository. - - name: tag - in: path - type: string - required: true - description: The tag of the image. - - name: label - in: body - description: Only the ID property is required. - required: true - schema: - $ref: '#/definitions/Label' - tags: - - Products - responses: - '200': - description: Successfully. - '401': - description: Unauthorized. - '403': - description: Forbidden. User should have write permisson for the image to perform the action. - '404': - description: Resource not found. - '/repositories/{repo_name}/tags/{tag}/labels/{label_id}': - delete: - summary: Delete label from the image. - description: | - Delete the label from the image specified by the repo_name and tag. - parameters: - - name: repo_name - in: path - type: string - required: true - description: The name of repository. - - name: tag - in: path - type: string - required: true - description: The tag of the image. - - name: label_id - in: path - type: integer - required: true - description: The ID of label. - tags: - - Products - responses: - '200': - description: Successfully. - '401': - description: Unauthorized. - '403': - description: Forbidden. User should have write permisson for the image to perform the action. - '404': - description: Resource not found. - '/repositories/{repo_name}/tags/{tag}/manifest': - get: - summary: Get manifests of a relevant repository. - description: | - This endpoint aims to retreive manifests from a relevant repository. - parameters: - - name: repo_name - in: path - type: string - required: true - description: Repository name - - name: tag - in: path - type: string - required: true - description: Tag name - - name: version - in: query - type: string - required: false - description: 'The version of manifest, valid value are "v1" and "v2", default is "v2"' - tags: - - Products - responses: - '200': - description: Retrieved manifests from a relevant repository successfully. - schema: - $ref: '#/definitions/Manifest' - '404': - description: Retrieved manifests from a relevant repository not found. - '500': - description: Unexpected internal errors. - '/repositories/{repo_name}/tags/{tag}/scan': - post: - summary: Scan the image. - description: | - Trigger jobservice to call Clair API to scan the image identified by the repo_name and tag. Only project admins have permission to scan images under the project. - parameters: - - name: repo_name - in: path - type: string - required: true - description: Repository name - - name: tag - in: path - type: string - required: true - description: Tag name - tags: - - Products - responses: - '200': - description: Successfully created the job to scan image. - '401': - description: User needs to login or call the API with correct credentials. - '403': - description: User doesn't have permission to perform the action. - '404': - description: The image does not exist in Harbor. - '415': - $ref: '#/responses/UnsupportedMediaType' - '503': - description: Harbor is not deployed with Clair. - '/repositories/{repo_name}/tags/{tag}/vulnerability/details': - get: - summary: Get vulnerability details of the image. - description: | - Call Clair API to get the vulnerability based on the previous successful scan. - parameters: - - name: repo_name - in: path - type: string - required: true - description: Repository name - - name: tag - in: path - type: string - required: true - description: Tag name - tags: - - Products - responses: - '200': - description: Successfully retrieved the vulnerabilities. - schema: - type: array - items: - $ref: '#/definitions/VulnerabilityItem' - '401': - description: User needs to login or call the API with correct credentials. - '403': - description: User doesn't have permission to perform the action. - '404': - description: The image does not exist in Harbor. - '503': - description: Harbor is not deployed with Clair. - '/repositories/{repo_name}/signatures': - get: - summary: Get signature information of a repository - description: | - This endpoint aims to retrieve signature information of a repository, the data is - from the nested notary instance of Harbor. - If the repository does not have any signature information in notary, this API will - return an empty list with response code 200, instead of 404 - parameters: - - name: repo_name - in: path - type: string - required: true - description: repository name. - tags: - - Products - responses: - '200': - description: Retrieved signatures. - schema: - type: array - items: - $ref: '#/definitions/RepoSignature' - '500': - description: Server side error. - /repositories/top: - get: - summary: Get public repositories which are accessed most. - description: | - This endpoint aims to let users see the most popular public repositories - parameters: - - name: count - in: query - type: integer - format: int32 - required: false - description: 'The number of the requested public repositories, default is 10 if not provided.' - tags: - - Products - responses: - '200': - description: Get popular repositories successfully. - schema: - type: array - items: - $ref: '#/definitions/Repository' - '400': - description: Bad request because of invalid count. - '500': - description: Unexpected internal errors. - /logs: - get: - summary: Get recent logs of the projects which the user is a member of - description: | - This endpoint let user see the recent operation logs of the projects which he is member of - parameters: - - name: username - in: query - type: string - required: false - description: Username of the operator. - - name: repository - in: query - type: string - required: false - description: The name of repository - - name: tag - in: query - type: string - required: false - description: The name of tag - - name: operation - in: query - type: string - required: false - description: The operation - - name: begin_timestamp - in: query - type: string - required: false - description: The begin timestamp - - name: end_timestamp - in: query - type: string - required: false - description: The end timestamp - - name: page - in: query - type: integer - format: int32 - required: false - description: 'The page number, default is 1.' - - name: page_size - in: query - type: integer - format: int32 - required: false - description: 'The size of per page, default is 10, maximum is 100.' - tags: - - Products - responses: - '200': - description: Get the required logs successfully. - schema: - type: array - items: - $ref: '#/definitions/AccessLog' - '400': - description: Bad request because of invalid parameters. - '401': - description: User need to login first. - '500': - description: Unexpected internal errors. - /replication/executions: - get: - summary: List replication executions. - description: | - This endpoint let user list replication executions. - parameters: - - name: policy_id - in: query - type: integer - required: false - description: The policy ID. - - name: status - in: query - type: string - required: false - description: The execution status. - - name: trigger - in: query - type: string - required: false - description: The trigger mode. - - name: page - in: query - type: integer - required: false - description: The page. - - name: page_size - in: query - type: integer - required: false - description: The page size. - tags: - - Products - responses: - '200': - description: Success - schema: - type: array - items: - $ref: '#/definitions/ReplicationExecution' - '401': - description: User need to login first. - '403': - description: User has no privilege for the operation. - '500': - description: Unexpected internal errors. - post: - summary: Start one execution of the replication. - description: | - This endpoint is for user to start one execution of the replication. - parameters: - - name: execution - in: body - description: The execution that needs to be started, only the property "policy_id" is needed. - required: true - schema: - $ref: '#/definitions/ReplicationExecution' - tags: - - Products - responses: - '201': - description: Success. - '400': - description: Bad request. - '401': - description: User need to login first. - '403': - description: User has no privilege for the operation. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - /replication/executions/{id}: - get: - summary: Get the execution of the replication. - description: | - This endpoint is for user to get one execution of the replication. - parameters: - - name: id - in: path - type: integer - format: int64 - description: The execution ID. - required: true - tags: - - Products - responses: - '200': - description: Success. - schema: - $ref: '#/definitions/ReplicationExecution' - '400': - description: Bad request. - '401': - description: User need to login first. - '403': - description: User has no privilege for the operation. - '404': - description: Resource requested does not exist. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - put: - summary: Stop the execution of the replication. - description: | - This endpoint is for user to stop one execution of the replication. - parameters: - - name: id - in: path - type: integer - format: int64 - description: The execution ID. - required: true - tags: - - Products - responses: - '200': - description: Success. - '400': - description: Bad request. - '401': - description: User need to login first. - '403': - description: User has no privilege for the operation. - '404': - description: Resource requested does not exist. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - /replication/executions/{id}/tasks: - get: - summary: Get the task list of one execution. - description: | - This endpoint is for user to get the task list of one execution. - parameters: - - name: id - in: path - type: integer - format: int64 - description: The execution ID. - required: true - tags: - - Products - responses: - '200': - description: Success. - schema: - type: array - items: - $ref: '#/definitions/ReplicationTask' - '400': - description: Bad request. - '401': - description: User need to login first. - '403': - description: User has no privilege for the operation. - '404': - description: Resource requested does not exist. - '500': - description: Unexpected internal errors. - /replication/executions/{id}/tasks/{task_id}/log: - get: - summary: Get the log of one task. - description: | - This endpoint is for user to get the log of one task. - parameters: - - name: id - in: path - type: integer - format: int64 - description: The execution ID. - required: true - - name: task_id - in: path - type: integer - format: int64 - description: The task ID. - required: true - tags: - - Products - responses: - '200': - description: Success. - '400': - description: Bad request. - '401': - description: User need to login first. - '403': - description: User has no privilege for the operation. - '404': - description: Resource requested does not exist. - '500': - description: Unexpected internal errors. - /replication/policies: - get: - summary: List replication policies - description: | - This endpoint let user list replication policies - parameters: - - name: name - in: query - type: string - required: false - description: The replication policy name. - - name: page - in: query - type: integer - format: int32 - required: false - description: The page nubmer. - - name: page_size - in: query - type: integer - format: int32 - required: false - description: The size of per page. - tags: - - Products - responses: - '200': - description: Get policy successfully. - schema: - type: array - items: - $ref: '#/definitions/ReplicationPolicy' - '400': - $ref: '#/responses/BadRequest' - '401': - $ref: '#/responses/Unauthorized' - '403': - $ref: '#/responses/Forbidden' - '500': - $ref: '#/responses/InternalServerError' - post: - summary: Create a replication policy - description: | - This endpoint let user create a replication policy - parameters: - - name: policy - in: body - description: The policy model. - required: true - schema: - $ref: '#/definitions/ReplicationPolicy' - tags: - - Products - responses: - '201': - $ref: '#/responses/Created' - '400': - $ref: '#/responses/BadRequest' - '401': - $ref: '#/responses/Unauthorized' - '403': - $ref: '#/responses/Forbidden' - '409': - $ref: '#/responses/Conflict' - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - $ref: '#/responses/InternalServerError' - '/replication/policies/{id}': - get: - summary: Get replication policy. - description: | - This endpoint let user get replication policy by specific ID. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: policy ID - tags: - - Products - responses: - '200': - description: Get the replication policy successfully. - schema: - $ref: '#/definitions/ReplicationPolicy' - '400': - $ref: '#/responses/BadRequest' - '401': - $ref: '#/responses/Unauthorized' - '403': - $ref: '#/responses/Forbidden' - '404': - $ref: '#/responses/NotFound' - '500': - $ref: '#/responses/InternalServerError' - put: - summary: Update the replication policy - description: | - This endpoint let user update policy. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: policy ID - - name: policy - in: body - description: The replication policy model. - required: true - schema: - $ref: '#/definitions/ReplicationPolicy' - tags: - - Products - responses: - '200': - $ref: '#/responses/OK' - '400': - $ref: '#/responses/BadRequest' - '401': - $ref: '#/responses/Unauthorized' - '403': - $ref: '#/responses/Forbidden' - '404': - $ref: '#/responses/NotFound' - '409': - $ref: '#/responses/Conflict' - '500': - $ref: '#/responses/InternalServerError' - delete: - summary: Delete the replication policy specified by ID. - description: | - Delete the replication policy specified by ID. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Replication policy ID - tags: - - Products - responses: - '200': - $ref: '#/responses/OK' - '400': - $ref: '#/responses/BadRequest' - '401': - $ref: '#/responses/Unauthorized' - '403': - $ref: '#/responses/Forbidden' - '404': - $ref: '#/responses/NotFound' - '412': - $ref: '#/responses/PreconditionFailed' - '500': - $ref: '#/responses/InternalServerError' - /labels: - get: - summary: List labels according to the query strings. - description: | - This endpoint let user list labels by name, scope and project_id - parameters: - - name: name - in: query - type: string - required: false - description: The label name. - - name: scope - in: query - type: string - required: true - description: The label scope. Valid values are g and p. g for global labels and p for project labels. - - name: project_id - in: query - type: integer - format: int64 - required: false - description: 'Relevant project ID, required when scope is p.' - - name: page - in: query - type: integer - format: int32 - required: false - description: The page nubmer. - - name: page_size - in: query - type: integer - format: int32 - required: false - description: The size of per page. - tags: - - Products - responses: - '200': - description: Get successfully. - schema: - type: array - items: - $ref: '#/definitions/Label' - '400': - description: Invalid parameters. - '401': - description: User need to log in first. - '500': - description: Unexpected internal errors. - post: - summary: Post creates a label - description: | - This endpoint let user creates a label. - parameters: - - name: label - in: body - description: The json object of label. - required: true - schema: - $ref: '#/definitions/Label' - tags: - - Products - responses: - '201': - description: Create successfully. - '400': - description: Invalid parameters. - '401': - description: User need to log in first. - '409': - description: Label with the same name and same scope already exists. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - '/labels/{id}': - get: - summary: Get the label specified by ID. - description: | - This endpoint let user get the label by specific ID. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Label ID - tags: - - Products - responses: - '200': - description: Get successfully. - schema: - $ref: '#/definitions/Label' - '401': - description: User need to log in first. - '404': - description: The resource does not exist. - '500': - description: Unexpected internal errors. - put: - summary: Update the label properties. - description: | - This endpoint let user update label properties. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Label ID - - name: label - in: body - description: The updated label json object. - required: true - schema: - $ref: '#/definitions/Label' - tags: - - Products - responses: - '200': - description: Update successfully. - '400': - description: Invalid parameters. - '401': - description: User need to log in first. - '404': - description: The resource does not exist. - '409': - description: The label with the same name already exists. - '500': - description: Unexpected internal errors. - delete: - summary: Delete the label specified by ID. - description: | - Delete the label specified by ID. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Label ID - tags: - - Products - responses: - '200': - description: Delete successfully. - '400': - description: Invalid parameters. - '401': - description: User need to log in first. - '404': - description: The resource does not exist. - '500': - description: Unexpected internal errors. - '/labels/{id}/resources': - get: - summary: Get the resources that the label is referenced by. - description: | - This endpoint let user get the resources that the label is referenced by. Only the replication policies are returned for now. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Label ID - tags: - - Products - responses: - '200': - description: Get successfully. - schema: - $ref: '#/definitions/Resource' - '401': - description: User need to log in first. - '403': - description: Forbidden. - '404': - description: The resource does not exist. - '500': - description: Unexpected internal errors. - /replication/adapters: - get: - summary: List supported adapters. - description: | - This endpoint let user list supported adapters. - tags: - - Products - responses: - '200': - description: Success. - schema: - type: array - items: - type: string - '401': - description: Unauthorized. - '403': - description: Forbidden. - '500': - description: Unexpected internal errors. - /registries: - get: - summary: List registries. - description: | - This endpoint let user list filtered registries by name, if name is nil, list returns all registries. - parameters: - - name: name - in: query - type: string - required: false - description: Registry's name. - tags: - - Products - responses: - '200': - description: List registries successfully. - schema: - type: array - items: - $ref: '#/definitions/Registry' - '401': - description: User need to log in first. - '500': - description: Unexpected internal errors. - post: - summary: Create a new registry. - description: | - This endpoint is for user to create a new registry. - parameters: - - name: registry - in: body - description: New created registry. - required: true - schema: - $ref: '#/definitions/Registry' - tags: - - Products - responses: - '201': - description: Registry created successfully. - '400': - description: Unsatisfied with constraints of the registry creation. - '401': - description: User need to log in first. - '409': - description: Registry name already exists. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - /registries/ping: - post: - summary: Ping status of a registry. - description: | - This endpoint checks status of a registry, the registry can be given by ID or URL (together with credential) - parameters: - - name: registry - in: body - description: Registry to ping. - required: true - schema: - $ref: '#/definitions/Registry' - tags: - - Products - responses: - '200': - description: Registry is healthy. - '400': - description: No proper registry information provided. - '401': - description: User need to log in first. - '404': - description: Registry not found (when registry is provided by ID). - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - '/registries/{id}': - put: - summary: Update a given registry. - description: | - This endpoint is for update a given registry. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: The registry's ID. - - name: repo_target - in: body - required: true - schema: - $ref: '#/definitions/PutRegistry' - description: Updates registry. - tags: - - Products - responses: - '200': - description: Updated registry successfully. - '400': - description: The registry is associated with policy which is enabled. - '401': - description: User need to log in first. - '404': - description: Registry does not exist. - '409': - description: Registry name is already used. - '500': - description: Unexpected internal errors. - get: - summary: Get registry. - description: This endpoint is for get specific registry. - tags: - - Products - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: The registry ID. - responses: - '200': - description: Get registry successfully. - schema: - $ref: '#/definitions/Registry' - '401': - description: User need to log in first. - '404': - description: Registry not found - '500': - description: Unexpected internal errors. - delete: - summary: Delete specific registry. - description: | - This endpoint is for to delete specific registry. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: The registry's ID. - tags: - - Products - responses: - '200': - description: Registry deleted successfully. - '400': - description: Registry's ID is invalid or the registry is used by policies. - '401': - description: Only admin has this authority. - '404': - description: Registry does not exist. - '500': - description: Unexpected internal errors. - '/registries/{id}/info': - get: - summary: Get registry info. - description: Get the info of one specific registry. - tags: - - Products - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: The registry ID. - responses: - '200': - description: Get registry successfully. - schema: - $ref: '#/definitions/RegistryInfo' - '401': - description: User need to log in first. - '404': - description: Registry not found - '500': - description: Unexpected internal errors. - /registries/{id}/namespace: - get: - summary: List namespaces of registry - description: | - This endpoint let user list namespaces of registry according to query. - parameters: - - name: id - in: path - type: integer - required: true - description: The registry ID. - - name: name - in: query - type: string - required: false - description: The name of namespace. - tags: - - Products - responses: - '200': - description: Success - schema: - type: array - items: - $ref: '#/definitions/Namespace' - '401': - description: User need to login first. - '403': - description: User has no privilege for the operation. - '404': - description: No registry found. - '500': - description: Unexpected internal errors. - /internal/syncregistry: - post: - summary: Sync repositories from registry to DB. - description: | - This endpoint is for syncing all repositories of registry with database. - tags: - - Products - responses: - '200': - description: Sync repositories successfully. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - /internal/syncquota: - post: - summary: Sync quota from registry/chart to DB. - description: | - This endpoint is for syncing quota usage of registry/chart with database. - tags: - - Products - responses: - '200': - description: Sync repositories successfully. - '401': - description: User need to log in first. - '403': - description: User does not have permission of system admin role. - /internal/switchquota: - put: - summary: Enable or disable quota. - description: | - This endpoint is for enable/disable quota. When quota is disabled, no resource require/release in image/chart push and delete. - tags: - - Products - parameters: - - name: switcher - in: body - required: true - schema: - $ref: '#/definitions/QuotaSwitcher' - responses: - '200': - description: Enable/Disable quota successfully. - '401': - description: User need to log in first. - '403': - description: User does not have permission of system admin role. - '500': - description: Unexpected internal errors. - /systeminfo: - get: - summary: Get general system info - description: | - This API is for retrieving general system info, this can be called by anonymous request. - tags: - - Products - responses: - '200': - description: Get general info successfully. - schema: - $ref: '#/definitions/GeneralInfo' - '500': - description: Unexpected internal error. - /systeminfo/volumes: - get: - summary: Get system volume info (total/free size). - description: | - This endpoint is for retrieving system volume info that only provides for admin user. - tags: - - Products - responses: - '200': - description: Get system volumes successfully. - schema: - $ref: '#/definitions/SystemInfo' - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - /systeminfo/getcert: - get: - summary: Get default root certificate. - description: | - This endpoint is for downloading a default root certificate. - tags: - - Products - responses: - '200': - description: Get default root certificate successfully. - '404': - description: Not found the default root certificate. - '500': - description: Unexpected internal errors. - /ldap/ping: - post: - summary: Ping available ldap service. - description: | - This endpoint ping the available ldap service for test related configuration parameters. - parameters: - - name: ldapconf - in: body - description: 'ldap configuration. support input ldap service configuration. If it''s a empty request, will load current configuration from the system.' - required: false - schema: - $ref: '#/definitions/LdapConf' - tags: - - Products - responses: - '200': - description: Ping ldap service successfully. - '400': - description: Inviald ldap configuration parameters. - '401': - description: User need to login first. - '403': - description: Only admin has this authority. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - /ldap/groups/search: - get: - summary: Search available ldap groups. - description: | - This endpoint searches the available ldap groups based on related configuration parameters. support to search by groupname or groupdn. - parameters: - - name: groupname - in: query - type: string - required: false - description: Ldap group name - - name: groupdn - in: query - type: string - required: false - description: The LDAP group DN - tags: - - Products - responses: - '200': - description: Search ldap group successfully. - schema: - type: array - items: - $ref: '#/definitions/UserGroup' - '400': - description: The Ldap group DN is invalid. - '404': - description: No ldap group found. - '500': - description: Unexpected internal errors. - /ldap/users/search: - get: - summary: Search available ldap users. - description: | - This endpoint searches the available ldap users based on related configuration parameters. Support searched by input ladp configuration, load configuration from the system and specific filter. - parameters: - - name: username - in: query - type: string - required: false - description: Registered user ID - tags: - - Products - responses: - '200': - description: Search ldap users successfully. - schema: - type: array - items: - $ref: '#/definitions/LdapUsers' - '401': - description: User need to login first. - '403': - description: Only admin has this authority. - '500': - description: Unexpected internal errors. - /ldap/users/import: - post: - summary: Import selected available ldap users. - description: | - This endpoint adds the selected available ldap users to harbor based on related configuration parameters from the system. System will try to guess the user email address and realname, add to harbor user information. - If have errors when import user, will return the list of importing failed uid and the failed reason. - parameters: - - name: uid_list - in: body - description: The uid listed for importing. This list will check users validity of ldap service based on configuration from the system. - required: true - schema: - $ref: '#/definitions/LdapImportUsers' - tags: - - Products - responses: - '200': - description: Add ldap users successfully. - '401': - description: User need to login first. - '403': - description: Only admin has this authority. - '404': - description: Failed import some users. - schema: - type: array - items: - $ref: '#/definitions/LdapFailedImportUsers' - '415': - $ref: '#/responses/UnsupportedMediaType' - /usergroups: - get: - summary: Get all user groups information - description: Get all user groups information - tags: - - Products - responses: - '200': - description: Get user group successfully. - schema: - type: array - items: - $ref: '#/definitions/UserGroup' - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the user group. - '500': - description: Unexpected internal errors. - post: - summary: Create user group - description: Create user group information - tags: - - Products - parameters: - - name: usergroup - in: body - schema: - $ref: '#/definitions/UserGroup' - responses: - '201': - description: User group created successfully. - '400': - description: Invalid LDAP group DN. - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the user group. - '409': - description: A user group with same group name already exist, or an LDAP user group with same DN already exist. - '500': - description: Unexpected internal errors. - '/usergroups/{group_id}': - get: - summary: Get user group information - description: Get user group information - tags: - - Products - parameters: - - name: group_id - in: path - type: integer - format: int64 - required: true - description: Group ID - responses: - '200': - description: User group get successfully. - schema: - $ref: '#/definitions/UserGroup' - '400': - description: The user group id is invalid. - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the user group. - '404': - description: User group does not exist. - '500': - description: Unexpected internal errors. - put: - summary: Update group information - description: Update user group information - tags: - - Products - parameters: - - name: group_id - in: path - type: integer - format: int64 - required: true - description: Group ID - - name: usergroup - in: body - required: false - schema: - $ref: '#/definitions/UserGroup' - responses: - '200': - description: User group updated successfully. - '400': - description: The user group id is invalid. - '401': - description: User need to log in first. - '403': - description: Only admin has this authority. - '404': - description: User group does not exist. - '500': - description: Unexpected internal errors. - delete: - summary: Delete user group - description: Delete user group - tags: - - Products - parameters: - - name: group_id - type: integer - in: path - required: true - responses: - '200': - description: User group deleted successfully. - '400': - description: The user group id is invalid. - '401': - description: User need to log in first. - '403': - description: Only admin has this authority. - '500': - description: Unexpected internal errors. - /system/gc: - get: - summary: Get gc results. - description: This endpoint let user get latest ten gc results. - tags: - - Products - responses: - '200': - description: Get gc results successfully. - schema: - type: array - items: - $ref: '#/definitions/GCResult' - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - '/system/gc/{id}': - get: - summary: Get gc status. - description: This endpoint let user get gc status filtered by specific ID. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Relevant job ID - tags: - - Products - responses: - '200': - description: Get gc results successfully. - schema: - $ref: '#/definitions/GCResult' - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - '/system/gc/{id}/log': - get: - summary: Get gc job log. - description: This endpoint let user get gc job logs filtered by specific ID. - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Relevant job ID - tags: - - Products - responses: - '200': - description: Get successfully. - schema: - type: string - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '404': - description: The specific gc ID's log does not exist. - '500': - description: Unexpected internal errors. - /system/gc/schedule: - get: - summary: Get gc's schedule. - description: This endpoint is for get schedule of gc job. - tags: - - Products - responses: - '200': - description: Get gc's schedule. - schema: - $ref: '#/definitions/AdminJobSchedule' - '401': - description: User need to log in first. - '403': - description: Only admin has this authority. - '500': - description: Unexpected internal errors. - put: - summary: Update gc's schedule. - description: | - This endpoint is for update gc schedule. - parameters: - - name: schedule - in: body - required: true - schema: - $ref: '#/definitions/AdminJobSchedule' - description: Updates of gc's schedule. - tags: - - Products - responses: - '200': - description: Updated gc's schedule successfully. - '400': - description: Invalid schedule type. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - post: - summary: Create a gc schedule. - description: | - This endpoint is for update gc schedule. - parameters: - - name: schedule - in: body - required: true - schema: - $ref: '#/definitions/AdminJobSchedule' - description: Updates of gc's schedule. - tags: - - Products - responses: - '200': - description: GC schedule successfully. - '400': - description: Invalid schedule type. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '409': - description: There is a "gc" job in progress, so the request cannot be served. - '500': - description: Unexpected internal errors. - /system/scanAll/schedule: - get: - summary: Get scan_all's schedule. - description: This endpoint is for getting a schedule for the scan all job, which scans all of images in Harbor. - tags: - - Products - responses: - '200': - description: Get a schedule for the scan all job, which scans all of images in Harbor. - schema: - $ref: '#/definitions/AdminJobSchedule' - '401': - description: User need to log in first. - '403': - description: Only admin has this authority. - '500': - description: Unexpected internal errors. - put: - summary: Update scan all's schedule. - description: | - This endpoint is for updating the schedule of scan all job, which scans all of images in Harbor. - parameters: - - name: schedule - in: body - required: true - schema: - $ref: '#/definitions/AdminJobSchedule' - description: Updates the schedule of scan all job, which scans all of images in Harbor. - tags: - - Products - responses: - '200': - description: Updated scan_all's schedule successfully. - '400': - description: Invalid schedule type. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - post: - summary: Create a schedule or a manual trigger for the scan all job. - description: | - This endpoint is for creating a schedule or a manual trigger for the scan all job, which scans all of images in Harbor. - parameters: - - name: schedule - in: body - required: true - schema: - $ref: '#/definitions/AdminJobSchedule' - description: Create a schedule or a manual trigger for the scan all job. - tags: - - Products - responses: - '200': - description: Updated scan_all's schedule successfully. - '400': - description: Invalid schedule type. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '409': - description: There is a "scanall" job in progress, so the request cannot be served. - '500': - description: Unexpected internal errors. - '503': - description: Harbor is not deployed with Clair. - /configurations: - get: - summary: Get system configurations. - description: | - This endpoint is for retrieving system configurations that only provides for admin user. - tags: - - Products - responses: - '200': - description: Get system configurations successfully. The response body is a map. - schema: - $ref: '#/definitions/ConfigurationsResponse' - '401': - description: User need to log in first.ß - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - put: - summary: Modify system configurations. - description: | - This endpoint is for modifying system configurations that only provides for admin user. - tags: - - Products - parameters: - - name: configurations - in: body - required: true - schema: - $ref: '#/definitions/Configurations' - description: 'The configuration map can contain a subset of the attributes of the schema, which are to be updated.' - responses: - '200': - description: Modify system configurations successfully. - '401': - description: User need to log in first. - '403': - description: User does not have permission of admin role. - '500': - description: Unexpected internal errors. - /email/ping: - post: - summary: Test connection and authentication with email server. - description: | - Test connection and authentication with email server. - parameters: - - name: settings - in: body - description: 'Email server settings, if some of the settings are not assigned, they will be read from system configuration.' - required: false - schema: - $ref: '#/definitions/EmailServerSetting' - tags: - - Products - responses: - '200': - description: Ping email server successfully. - '400': - description: Inviald email server settings. - '401': - description: User need to login first. - '403': - description: Only admin has this authority. - '415': - $ref: '#/responses/UnsupportedMediaType' - '500': - description: Unexpected internal errors. - /chartrepo/health: - get: - summary: Check the health of chart repository service. - description: Check the health of chart repository service. - tags: - - Products - - Chart Repository - responses: - '200': - description: Health status of chart repository service is returned. - schema: - type: object - properties: - healthy: - type: boolean - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - /chartrepo/{repo}/charts: - get: - summary: Get all the charts under the specified project - description: Get all the charts under the specified project - tags: - - Products - - Chart Repository - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - responses: - '200': - description: Searched for charts of project in Harbor successfully. - schema: - type: array - items: - $ref: '#/definitions/ChartInfoEntry' - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - post: - summary: Upload a chart file to the specified project. - description: 'Upload a chart file to the specified project. With this API, the corresponding provance file can be uploaded together with chart file at once.' - tags: - - Products - - Chart Repository - consumes: - - multipart/form-data - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: chart - in: formData - type: file - required: true - description: The chart file - - name: prov - in: formData - type: file - required: false - description: The provance file - responses: - '201': - description: The specified chart is successfully uploaded. - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - '507': - $ref: '#/definitions/InsufficientStorageChartAPIError' - /chartrepo/{repo}/charts/{name}: - get: - summary: Get all the versions of the specified chart - description: Get all the versions of the specified chart - tags: - - Products - - Chart Repository - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: name - in: path - type: string - required: true - description: The chart name - responses: - '200': - description: Retrieved all versions of the specified chart - schema: - $ref: '#/definitions/ChartVersions' - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '404': - $ref: '#/definitions/NotFoundChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - delete: - summary: Delete all the versions of the specified chart - description: Delete all the versions of the specified chart - tags: - - Products - - Chart Repository - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: name - in: path - type: string - required: true - description: The chart name - responses: - '200': - description: The specified chart entry is successfully deleted. - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - /chartrepo/{repo}/charts/{name}/{version}: - get: - summary: Get the specified chart version - description: Get the specified chart version - tags: - - Products - - Chart Repository - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: name - in: path - type: string - required: true - description: The chart name - - name: version - in: path - type: string - required: true - description: The chart version - responses: - '200': - description: Successfully retrieved the chart version - schema: - $ref: '#/definitions/ChartVersionDetails' - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '404': - $ref: '#/definitions/NotFoundChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - delete: - summary: Delete the specified chart version - description: Delete the specified chart version - tags: - - Products - - Chart Repository - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: name - in: path - type: string - required: true - description: The chart name - - name: version - in: path - type: string - required: true - description: The chart version - responses: - '200': - description: The specified chart entry is successfully deleted. - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '404': - $ref: '#/definitions/NotFoundChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - /chartrepo/{repo}/prov: - post: - summary: Upload a provance file to the specified project. - description: Upload a provance file to the specified project. The provance file should be targeted for an existing chart file. - tags: - - Products - - Chart Repository - consumes: - - multipart/form-data - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: prov - in: formData - type: file - required: true - description: The provance file - responses: - '201': - description: The provance file is successfully uploaded. - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - '507': - $ref: '#/definitions/InsufficientStorageChartAPIError' - /chartrepo/charts: - post: - summary: Upload a chart file to the defult 'library' project. - description: Upload a chart file to the default 'library' project. Uploading together with the prov file at the same time is also supported. - tags: - - Products - - Chart Repository - consumes: - - multipart/form-data - parameters: - - name: chart - in: formData - type: file - required: true - description: The chart file - - name: prov - in: formData - type: file - required: false - description: The provance file - responses: - '201': - description: The specified chart is successfully uploaded. - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - '507': - $ref: '#/definitions/InsufficientStorageChartAPIError' - /chartrepo/{repo}/charts/{name}/{version}/labels: - get: - summary: Return the attahced labels of chart. - description: Return the attahced labels of the specified chart version. - tags: - - Products - - Chart Repository - - Label - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: name - in: path - type: string - required: true - description: The chart name - - name: version - in: path - type: string - required: true - description: The chart version - responses: - '200': - $ref: '#/definitions/Labels' - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '404': - $ref: '#/definitions/NotFoundChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - post: - summary: Mark label to chart. - description: Mark label to the specified chart version. - tags: - - Products - - Chart Repository - - Label - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: name - in: path - type: string - required: true - description: The chart name - - name: version - in: path - type: string - required: true - description: The chart version - - name: label - in: body - required: true - schema: - $ref: '#/definitions/Label' - description: 'The label being marked to the chart version' - responses: - '200': - description: The label is successfully marked to the chart version. - '400': - $ref: '#/definitions/BadRequestFormatedError' - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '404': - $ref: '#/definitions/NotFoundChartAPIError' - '409': - $ref: '#/definitions/ConflictFormatedError' - '500': - $ref: '#/definitions/InternalChartAPIError' - /chartrepo/{repo}/charts/{name}/{version}/labels/{id}: - delete: - summary: Remove label from chart. - description: Remove label from the specified chart version. - tags: - - Products - - Chart Repository - - Label - parameters: - - name: repo - in: path - type: string - required: true - description: The project name - - name: name - in: path - type: string - required: true - description: The chart name - - name: version - in: path - type: string - required: true - description: The chart version - - name: id - in: path - type: integer - required: true - description: The label ID - responses: - '200': - description: The label is successfully unmarked from the chart version. - '400': - $ref: '#/definitions/BadRequestFormatedError' - '401': - $ref: '#/definitions/UnauthorizedChartAPIError' - '403': - $ref: '#/definitions/ForbiddenChartAPIError' - '404': - $ref: '#/definitions/NotFoundChartAPIError' - '500': - $ref: '#/definitions/InternalChartAPIError' - '/projects/{project_id}/robots': - get: - summary: Get all robot accounts of specified project - description: Get all robot accounts of specified project - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - tags: - - Products - - Robot Account - responses: - '200': - description: Get project robot accounts successfully. - schema: - type: array - items: - $ref: '#/definitions/RobotAccount' - '400': - description: The project id is invalid. - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '404': - description: Project ID does not exist. - '500': - description: Unexpected internal errors. - post: - summary: Create a robot account for project - description: Create a robot account for project - tags: - - Products - - Robot Account - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: robot - in: body - description: Request body of creating a robot account. - required: true - schema: - $ref: '#/definitions/RobotAccountCreate' - responses: - '201': - description: Project member created successfully. - schema: - $ref: '#/definitions/RobotAccountPostRep' - '400': - description: Project id is not valid. - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '409': - description: An robot account with same name already exist in the project. - '500': - description: Unexpected internal errors. - '/projects/{project_id}/robots/{robot_id}': - get: - summary: Return the infor of the specified robot account. - description: Return the infor of the specified robot account. - tags: - - Products - - Robot Account - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: robot_id - in: path - type: integer - format: int64 - required: true - description: The ID of robot account. - responses: - '200': - description: Robot account information. - schema: - $ref: '#/definitions/RobotAccount' - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '404': - description: The robot account is not found. - '500': - description: Unexpected internal errors. - put: - summary: Update status of robot account. - description: Used to disable/enable a specified robot account. - tags: - - Products - - Robot Account - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: robot_id - in: path - type: integer - format: int64 - required: true - description: The ID of robot account. - - name: robot - in: body - description: Request body of enable/disable a robot account. - required: true - schema: - $ref: '#/definitions/RobotAccountUpdate' - responses: - '200': - description: Robot account has been modified success. - '500': - description: Unexpected internal errors. - delete: - summary: Delete the specified robot account - description: Delete the specified robot account - tags: - - Products - - Robot Account - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: robot_id - in: path - type: integer - format: int64 - required: true - description: The ID of robot account. - responses: - '200': - description: The specified robot account is successfully deleted. - '401': - description: User need to log in first. - '403': - description: User in session does not have permission to the project. - '404': - description: The robot account is not found. - '500': - description: Unexpected internal errors. - '/system/oidc/ping': - post: - summary: Test the OIDC endpoint. - description: Test the OIDC endpoint, the setting of the endpoint is provided in the request. This API can only - be called by system admin. - tags: - - Products - - System - parameters: - - name: endpoint - in: body - description: Request body for OIDC endpoint to be tested. - required: true - schema: - type: object - properties: - url: - type: string - description: The URL of OIDC endpoint to be tested. - verify_cert: - type: boolean - description: Whether the certificate should be verified - responses: - '200': - description: Ping succeeded. The OIDC endpoint is valid. - '400': - description: The ping failed - '401': - description: User need to log in first. - '403': - description: User does not have permission to call this API - '/system/CVEAllowlist': - get: - summary: Get the system level allowlist of CVE. - description: Get the system level allowlist of CVE. This API can be called by all authenticated users. - tags: - - Products - - System - responses: - '200': - description: Successfully retrieved the CVE allowlist. - schema: - $ref: "#/definitions/CVEAllowlist" - '401': - description: User is not authenticated. - '500': - description: Unexpected internal errors. - put: - summary: Update the system level allowlist of CVE. - description: This API overwrites the system level allowlist of CVE with the list in request body. Only system Admin - has permission to call this API. - tags: - - Products - - System - parameters: - - in: body - name: allowlist - description: The allowlist with new content - schema: - $ref: "#/definitions/CVEAllowlist" - responses: - '200': - description: Successfully updated the CVE allowlist. - '401': - description: User is not authenticated. - '403': - description: User does not have permission to call this API. - '500': - description: Unexpected internal errors. - '/quotas': - get: - summary: List quotas - description: List quotas - tags: - - Products - parameters: - - name: reference - in: query - description: The reference type of quota. - required: false - type: string - - name: reference_id - in: query - description: The reference id of quota. - required: false - type: string - - name: sort - in: query - type: string - required: false - description: | - Sort method, valid values include: - 'hard.resource_name', '-hard.resource_name', 'used.resource_name', '-used.resource_name'. - Here '-' stands for descending order, resource_name should be the real resource name of the quota. - - name: page - in: query - type: integer - format: int32 - required: false - description: 'The page number, default is 1.' - - name: page_size - in: query - type: integer - format: int32 - required: false - description: 'The size of per page, default is 10, maximum is 100.' - responses: - '200': - description: Successfully retrieved the quotas. - schema: - type: array - items: - $ref: '#/definitions/Quota' - headers: - X-Total-Count: - description: The total count of access logs - type: integer - Link: - description: Link refers to the previous page and next page - type: string - '401': - description: User is not authenticated. - '403': - description: User does not have permission to call this API. - '500': - description: Unexpected internal errors. - '/quotas/{id}': - get: - summary: Get the specified quota - description: Get the specified quota - tags: - - Products - - Quota - parameters: - - name: id - in: path - type: integer - required: true - description: Quota ID - responses: - '200': - description: Successfully retrieved the quota. - schema: - $ref: '#/definitions/Quota' - '401': - description: User need to log in first. - '403': - description: User does not have permission to call this API - '404': - description: Quota does not exist. - '500': - description: Unexpected internal errors. - put: - summary: Update the specified quota - description: Update hard limits of the specified quota - tags: - - Products - - Quota - parameters: - - name: id - in: path - type: integer - required: true - description: Quota ID - - name: hard - in: body - required: true - description: The new hard limits for the quota - schema: - $ref: '#/definitions/QuotaUpdateReq' - responses: - '200': - description: Updated quota hard limits successfully. - '400': - description: Illegal format of quota update request. - '401': - description: User need to log in first. - '403': - description: User does not have permission to the quota. - '404': - description: Quota ID does not exist. - '500': - description: Unexpected internal errors. - '/projects/{project_id}/webhook/policies': - get: - summary: List project webhook policies. - description: | - This endpoint returns webhook policies of a project. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - tags: - - Products - responses: - '200': - description: List project webhook policies successfully. - schema: - type: array - items: - $ref: '#/definitions/WebhookPolicy' - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to list webhook policies of the project. - '500': - description: Unexpected internal errors. - post: - summary: Create project webhook policy. - description: | - This endpoint create a webhook policy if the project does not have one. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID - - name: policy - in: body - description: Properties "targets" and "event_types" needed. - required: true - schema: - $ref: '#/definitions/WebhookPolicy' - tags: - - Products - responses: - '201': - description: Project webhook policy create successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to create webhook policy of the project. - '500': - description: Unexpected internal errors. - '/projects/{project_id}/webhook/policies/{policy_id}': - get: - summary: Get project webhook policy - description: | - This endpoint returns specified webhook policy of a project. - parameters: - - name: project_id - in: path - description: Relevant project ID. - required: true - type: integer - format: int64 - - name: policy_id - in: path - description: The id of webhook policy. - required: true - type: integer - format: int64 - tags: - - Products - responses: - '200': - description: Get webhook policy successfully. - schema: - $ref: '#/definitions/WebhookPolicy' - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to get webhook policy of the project. - '404': - description: Webhook policy ID does not exist. - '500': - description: Internal server errors. - put: - summary: Update webhook policy of a project. - description: | - This endpoint is aimed to update the webhook policy of a project. - parameters: - - name: project_id - in: path - description: Relevant project ID. - required: true - type: integer - format: int64 - - name: policy_id - in: path - description: The id of webhook policy. - required: true - type: integer - format: int64 - - name: policy - in: body - description: All properties needed except "id", "project_id", "creation_time", "update_time". - required: true - schema: - $ref: '#/definitions/WebhookPolicy' - tags: - - Products - responses: - '200': - description: Update webhook policy successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to update webhook policy of the project. - '404': - description: Webhook policy ID does not exist. - '500': - description: Internal server errors. - delete: - summary: Delete webhook policy of a project - description: | - This endpoint is aimed to delete webhookpolicy of a project. - parameters: - - name: project_id - in: path - description: Relevant project ID. - required: true - type: integer - format: int64 - - name: policy_id - in: path - description: The id of webhook policy. - required: true - type: integer - format: int64 - tags: - - Products - responses: - '200': - description: Delete webhook policy successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to delete webhook policy of the project. - '404': - description: Webhook policy ID does not exist. - '500': - description: Internal server errors. - '/projects/{project_id}/webhook/policies/test': - post: - summary: Test project webhook connection - description: | - This endpoint tests webhook connection of a project. - parameters: - - name: project_id - in: path - description: Relevant project ID. - required: true - type: integer - format: int64 - - name: policy - in: body - description: Only property "targets" needed. - required: true - schema: - $ref: '#/definitions/WebhookPolicy' - tags: - - Products - responses: - '200': - description: Test webhook connection successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to get webhook policy of the project. - '500': - description: Internal server errors. - '/projects/{project_id}/webhook/lasttrigger': - get: - summary: Get project webhook policy last trigger info - description: | - This endpoint returns last trigger information of project webhook policy. - parameters: - - name: project_id - in: path - description: Relevant project ID. - required: true - type: integer - format: int64 - tags: - - Products - responses: - '200': - description: Test webhook connection successfully. - schema: - type: array - items: - $ref: '#/definitions/WebhookLastTrigger' - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to get webhook policy of the project. - '500': - description: Internal server errors. - '/projects/{project_id}/webhook/jobs': - get: - summary: List project webhook jobs - description: | - This endpoint returns webhook jobs of a project. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: policy_id - in: query - type: integer - format: int64 - required: true - description: The policy ID. - tags: - - Products - responses: - '200': - description: List project webhook jobs successfully. - schema: - type: array - items: - $ref: '#/definitions/WebhookJob' - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to list webhook jobs of the project. - '500': - description: Unexpected internal errors. - '/projects/{project_id}/immutabletagrules': - get: - summary: List all immutable tag rules of current project - description: | - This endpoint returns the immutable tag rules of a project - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - tags: - - Products - responses: - '200': - description: List project immutable tag rules successfully. - schema: - type: array - items: - $ref: '#/definitions/ImmutableTagRule' - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to list immutable tag rules of the project. - '500': - description: Unexpected internal errors. - post: - summary: Add an immutable tag rule to current project - description: | - This endpoint add an immutable tag rule to the project - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: immutabletagrule - in: body - schema: - $ref: '#/definitions/ImmutableTagRule' - tags: - - Products - responses: - '200': - description: Add the immutable tag rule successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to get immutable tag rule of the project. - '500': - description: Internal server errors. - '/projects/{project_id}/immutabletagrules/{id}': - put: - summary: Update the immutable tag rule or enable or disable the rule - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: id - in: path - type: integer - format: int64 - required: true - description: Immutable tag rule ID. - - name: immutabletagrule - in: body - schema: - $ref: '#/definitions/ImmutableTagRule' - tags: - - Products - responses: - '200': - description: Update the immutable tag rule successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to update the immutable tag rule of the project. - '500': - description: Internal server errors. - delete: - summary: Delete the immutable tag rule. - parameters: - - name: project_id - in: path - type: integer - format: int64 - required: true - description: Relevant project ID. - - name: id - in: path - type: integer - format: int64 - required: true - description: Immutable tag rule ID. - tags: - - Products - responses: - '200': - description: Delete the immutable tag rule successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission to delete immutable tags of the project. - '500': - description: Internal server errors. - '/retentions/metadatas': - get: - summary: Get Retention Metadatas - description: Get Retention Metadatas. - tags: - - Products - - Retention - responses: - '200': - description: Get Retention Metadatas successfully. - schema: - type: object - $ref: '#/definitions/RetentionMetadata' - - '/retentions': - post: - summary: Create Retention Policy - description: | - Create Retention Policy, you can reference metadatas API for the policy model. - You can check project metadatas to find whether a retention policy is already binded. - This method should only be called when no retention policy binded to project yet. - tags: - - Products - - Retention - parameters: - - name: policy - in: body - description: Create Retention Policy successfully. - required: true - schema: - $ref: '#/definitions/RetentionPolicy' - responses: - '201': - description: Project created successfully. - '400': - description: Illegal format of provided ID value. - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - - '/retentions/{id}': - get: - summary: Get Retention Policy - description: Get Retention Policy. - tags: - - Products - - Retention - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Retention ID. - responses: - '200': - description: Get Retention Policy successfully. - schema: - type: object - $ref: '#/definitions/RetentionPolicy' - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - put: - summary: Update Retention Policy - description: | - Update Retention Policy, you can reference metadatas API for the policy model. - You can check project metadatas to find whether a retention policy is already binded. - This method should only be called when retention policy has already binded to project. - tags: - - Products - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Retention ID. - - name: policy - in: body - required: true - schema: - $ref: '#/definitions/RetentionPolicy' - responses: - '200': - description: Update Retention Policy successfully. - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - - '/retentions/{id}/executions': - post: - summary: Trigger a Retention job - description: Trigger a Retention job, if dry_run is True, nothing would be deleted actually. - tags: - - Products - - Retention - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Retention ID. - - name: action - in: body - required: true - schema: - type: object - properties: - dry_run: - type: boolean - responses: - '200': - description: Trigger a Retention job successfully. - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - get: - summary: Get a Retention job - description: Get a Retention job, job status may be delayed before job service schedule it up. - tags: - - Products - - Retention - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Retention ID. - responses: - '200': - description: Get a Retention job successfully. - schema: - type: array - items: - type: object - $ref: '#/definitions/RetentionExecution' - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - - '/retentions/{id}/executions/{eid}': - patch: - summary: Stop a Retention job - description: Stop a Retention job, only support "stop" action now. - tags: - - Products - - Retention - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Retention ID. - - name: eid - in: path - type: integer - format: int64 - required: true - description: Retention execution ID. - - name: action - in: body - description: The action, only support "stop" now. - required: true - schema: - type: object - properties: - action: - type: string - responses: - '200': - description: Stop a Retention job successfully. - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - - '/retentions/{id}/executions/{eid}/tasks': - get: - summary: Get Retention job tasks - description: Get Retention job tasks, each repository as a task. - tags: - - Products - - Retention - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Retention ID. - - name: eid - in: path - type: integer - format: int64 - required: true - description: Retention execution ID. - responses: - '200': - description: Get Retention job tasks successfully. - schema: - type: array - items: - type: object - $ref: '#/definitions/RetentionExecutionTask' - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - - '/retentions/{id}/executions/{eid}/tasks/{tid}': - get: - summary: Get Retention job task log - description: Get Retention job task log, tags ratain or deletion detail will be shown in a table. - tags: - - Products - - Retention - parameters: - - name: id - in: path - type: integer - format: int64 - required: true - description: Retention ID. - - name: eid - in: path - type: integer - format: int64 - required: true - description: Retention execution ID. - - name: tid - in: path - type: integer - format: int64 - required: true - description: Retention execution ID. - responses: - '200': - description: Get Retention job task log successfully. - schema: - type: string - '401': - description: User need to log in first. - '403': - description: User have no permission. - '500': - description: Unexpected internal errors. - -responses: - OK: - description: 'Success' - Created: - description: 'Created' - BadRequest: - description: 'Bad Request' - Unauthorized: - description: 'Unauthorized' - Forbidden: - description: 'Forbidden' - NotFound: - description: 'Not Found' - Conflict: - description: 'Conflict' - PreconditionFailed: - description: 'Precondition Failed' - UnsupportedMediaType: - description: 'The Media Type of the request is not supported, it has to be "application/json"' - InternalServerError: - description: 'Internal Server Error' -definitions: - Search: - type: object - properties: - project: - description: Search results of the projects that matched the filter keywords. - type: array - items: - $ref: '#/definitions/Project' - repository: - description: Search results of the repositories that matched the filter keywords. - type: array - items: - $ref: '#/definitions/SearchRepository' - chart: - description: Search results of the charts that macthed the filter keywords. - type: array - items: - $ref: '#/definitions/SearchResult' - RetagReq: - type: object - properties: - tag: - description: new tag to be created - type: string - src_image: - description: Source image to be retagged, e.g. 'stage/app:v1.0' - type: string - override: - description: If target tag already exists, whether to override it - type: boolean - SearchRepository: - type: object - properties: - project_id: - type: integer - description: The ID of the project that the repository belongs to - project_name: - type: string - description: The name of the project that the repository belongs to - project_public: - type: boolean - description: 'The flag to indicate the publicity of the project that the repository belongs to (1 is public, 0 is not)' - repository_name: - type: string - description: The name of the repository - pull_count: - type: integer - description: The count how many times the repository is pulled - tags_count: - type: integer - description: The count of tags in the repository - ProjectReq: - type: object - properties: - project_name: - type: string - description: The name of the project. - metadata: - description: The metadata of the project. - $ref: '#/definitions/ProjectMetadata' - cve_allowlist: - description: The CVE allowlist of the project. - $ref: '#/definitions/CVEAllowlist' - count_limit: - type: integer - format: int64 - description: The count quota of the project. - storage_limit: - type: integer - format: int64 - description: The storage quota of the project. - Project: - type: object - properties: - project_id: - type: integer - format: int32 - description: Project ID - owner_id: - type: integer - format: int32 - description: The owner ID of the project always means the creator of the project. - name: - type: string - description: The name of the project. - creation_time: - type: string - description: The creation time of the project. - update_time: - type: string - description: The update time of the project. - deleted: - type: boolean - description: A deletion mark of the project. - owner_name: - type: string - description: The owner name of the project. - togglable: - type: boolean - description: Correspond to the UI about whether the project's publicity is updatable (for UI) - current_user_role_id: - type: integer - description: The role ID of the current user who triggered the API (for UI) - repo_count: - type: integer - description: The number of the repositories under this project. - chart_count: - type: integer - description: The total number of charts under this project. - metadata: - description: The metadata of the project. - $ref: '#/definitions/ProjectMetadata' - cve_allowlist: - description: The CVE allowlist of this project. - $ref: '#/definitions/CVEAllowlist' - ProjectMetadata: - type: object - properties: - public: - type: string - description: 'The public status of the project. The valid values are "true", "false".' - enable_content_trust: - type: string - description: 'Whether content trust is enabled or not. If it is enabled, user can''t pull unsigned images from this project. The valid values are "true", "false".' - prevent_vul: - type: string - description: 'Whether prevent the vulnerable images from running. The valid values are "true", "false".' - severity: - type: string - description: 'If the vulnerability is high than severity defined here, the images can''t be pulled. The valid values are "negligible", "low", "medium", "high", "critical".' - auto_scan: - type: string - description: 'Whether scan images automatically when pushing. The valid values are "true", "false".' - reuse_sys_cve_allowlist: - type: string - description: 'Whether this project reuse the system level CVE allowlist as the allowlist of its own. The valid values are "true", "false". - If it is set to "true" the actual allowlist associate with this project, if any, will be ignored.' - ProjectSummary: - type: object - properties: - repo_count: - type: integer - description: The number of the repositories under this project. - chart_count: - type: integer - description: The total number of charts under this project. - project_admin_count: - type: integer - description: The total number of project admin members. - master_count: - type: integer - description: The total number of master members. - developer_count: - type: integer - description: The total number of developer members. - guest_count: - type: integer - description: The total number of guest members. - quota: - type: object - properties: - hard: - $ref: "#/definitions/ResourceList" - description: The hard limits of the quota - used: - $ref: "#/definitions/ResourceList" - description: The used status of the quota - Manifest: - type: object - properties: - manifest: - type: object - description: The detail of manifest. - config: - type: string - description: The config of the repository. - User: - type: object - properties: - user_id: - type: integer - format: int - description: The ID of the user. - username: - type: string - email: - type: string - password: - type: string - realname: - type: string - comment: - type: string - deleted: - type: boolean - role_name: - type: string - role_id: - type: integer - format: int - has_admin_role: - type: boolean - reset_uuid: - type: string - Salt: - type: string - creation_time: - type: string - update_time: - type: string - UserSearch: - type: object - properties: - user_id: - type: integer - format: int - description: The ID of the user. - username: - type: string - Password: - type: object - properties: - old_password: - type: string - description: The user's existing password. - new_password: - type: string - description: New password for marking as to be updated. - AccessLog: - type: object - properties: - log_id: - type: integer - description: The ID of the log entry. - username: - type: string - description: Username of the user in this log entry. - repo_name: - type: string - description: Name of the repository in this log entry. - repo_tag: - type: string - description: Tag of the repository in this log entry. - operation: - type: string - description: The operation against the repository in this log entry. - op_time: - type: string - description: The time when this operation is triggered. - Role: - type: object - properties: - role_id: - type: integer - format: int32 - description: ID in table. - role_code: - type: string - description: Description of permissions for the role. - role_name: - type: string - description: Name the the role. - role_mask: - type: string - RoleParam: - type: object - properties: - roles: - type: array - items: - type: integer - format: int32 - description: Role ID for updating project role member. - username: - type: string - description: Username relevant to a project role member. - StatisticMap: - type: object - properties: - private_project_count: - type: integer - format: int32 - description: The count of the private projects which the user is a member of. - private_repo_count: - type: integer - format: int32 - description: The count of the private repositories belonging to the projects which the user is a member of. - public_project_count: - type: integer - format: int32 - description: The count of the public projects. - public_repo_count: - type: integer - format: int32 - description: The count of the public repositories belonging to the public projects which the user is a member of. - total_project_count: - type: integer - format: int32 - description: 'The count of the total projects, only be seen when the is admin.' - total_repo_count: - type: integer - format: int32 - description: 'The count of the total repositories, only be seen when the user is admin.' - JobStatus: - type: object - properties: - id: - type: integer - format: int64 - description: The job ID. - status: - type: string - description: The status of the job. - repository: - type: string - description: The repository handled by the job. - policy_id: - type: integer - format: int64 - description: The ID of the policy that triggered this job. - operation: - type: string - description: The operation of the job. - tags: - type: array - description: The repository's used tag list. - items: - $ref: '#/definitions/Tags' - creation_time: - type: string - description: The creation time of the job. - update_time: - type: string - description: The update time of the job. - Tags: - type: object - properties: - tag: - type: string - description: The repository's used tag. - ReplicationPolicy: - type: object - properties: - id: - type: integer - format: int64 - description: The policy ID. - name: - type: string - description: The policy name. - description: - type: string - description: The description of the policy. - src_registry: - description: The source registry. - $ref: '#/definitions/Registry' - dest_registry: - description: The destination registry. - $ref: '#/definitions/Registry' - dest_namespace: - type: string - description: The destination namespace. - trigger: - $ref: '#/definitions/ReplicationTrigger' - filters: - type: array - description: The replication policy filter array. - items: - $ref: '#/definitions/ReplicationFilter' - deletion: - type: boolean - description: Whether to replicate the deletion operation. - override: - type: boolean - description: Whether to override the resources on the destination registry. - enabled: - type: boolean - description: Whether the policy is enabled or not. - creation_time: - type: string - description: The create time of the policy. - update_time: - type: string - description: The update time of the policy. - ReplicationTrigger: - type: object - properties: - type: - type: string - description: 'The replication policy trigger type. The valid values are manual, event_based and scheduled.' - trigger_settings: - $ref: '#/definitions/TriggerSettings' - TriggerSettings: - type: object - properties: - cron: - type: string - description: The cron string for scheduled trigger - ReplicationFilter: - type: object - properties: - type: - type: string - description: 'The replication policy filter type.' - value: - type: string - description: 'The value of replication policy filter.' - RegistryCredential: - type: object - properties: - type: - type: string - description: Credential type, such as 'basic', 'oauth'. - access_key: - type: string - description: Access key, e.g. user name when credential type is 'basic'. - access_secret: - type: string - description: Access secret, e.g. password when credential type is 'basic'. - Registry: - type: object - properties: - id: - type: integer - format: int64 - description: The registry ID. - url: - type: string - description: The registry URL string. - name: - type: string - description: The registry name. - credential: - $ref: '#/definitions/RegistryCredential' - type: - type: string - description: Type of the registry, e.g. 'harbor'. - insecure: - type: boolean - description: Whether or not the certificate will be verified when Harbor tries to access the server. - description: - type: string - description: Description of the registry. - status: - type: string - description: Health status of the registry. - creation_time: - type: string - description: The create time of the policy. - update_time: - type: string - description: The update time of the policy. - PingRegistry: - type: object - properties: - id: - type: integer - description: The ID of the registry - type: - type: string - description: Type of the registry, e.g. 'harbor'. - url: - type: string - description: The registry address URL string. - credential_type: - type: string - description: Credential type of the registry, e.g. 'basic'. - access_key: - type: string - description: The registry access key. - access_secret: - type: string - description: The registry access secret. - insecure: - type: boolean - description: Whether or not the certificate will be verified when Harbor tries to access the server. - PutRegistry: - type: object - properties: - name: - type: string - description: The registry name. - description: - type: string - description: Description of the registry. - url: - type: string - description: The registry address URL string. - credential_type: - type: string - description: Credential type of the registry, e.g. 'basic'. - access_key: - type: string - description: The registry access key. - access_secret: - type: string - description: The registry access secret. - insecure: - type: boolean - description: Whether or not the certificate will be verified when Harbor tries to access the server. - HasAdminRole: - type: object - properties: - has_admin_role: - type: boolean - description: '1-has admin, 0-not.' - UserProfile: - type: object - properties: - email: - type: string - description: The new email. - realname: - type: string - description: The new realname. - comment: - type: string - description: The new comment. - Storage: - type: object - properties: - total: - type: integer - format: int64 - description: Total volume size. - free: - type: integer - format: int64 - description: Free volume size. - GeneralInfo: - type: object - properties: - with_notary: - type: boolean - description: If the Harbor instance is deployed with nested notary. - with_clair: - type: boolean - description: If the Harbor instance is deployed with nested clair. - with_admiral: - type: boolean - description: If the Harbor instance is deployed with Admiral. - admiral_endpoint: - type: string - description: The url of the endpoint of admiral instance. - registry_url: - type: string - description: The url of registry against which the docker command should be issued. - external_url: - type: string - description: The external URL of Harbor, with protocol. - auth_mode: - type: string - description: The auth mode of current Harbor instance. - project_creation_restriction: - type: string - description: 'Indicate who can create projects, it could be ''adminonly'' or ''everyone''.' - self_registration: - type: boolean - description: Indicate whether the Harbor instance enable user to register himself. - has_ca_root: - type: boolean - description: Indicate whether there is a ca root cert file ready for download in the file system. - harbor_version: - type: string - description: The build version of Harbor. - next_scan_all: - type: integer - description: 'The UTC time in milliseconds, after which user can call scanAll API to scan all images.' - clair_vulnerability_status: - type: object - description: The status of vulnerability data of Clair. - properties: - overall_last_update: - type: integer - description: 'The UTC timestamp in milliseconds of last successful update for Clair vulnerability data, when all the updaters are successfully executed.' - details: - type: array - description: Detail timestamp of different namespace. This is introduced to handle the case when some updaters are executed successfully and some not. - items: - $ref: '#/definitions/VulnNamespaceTimestamp' - VulnNamespaceTimestamp: - type: object - properties: - namespace: - type: string - description: The namespace of the Vulnerability - last_update: - type: integer - description: The UTC timestamp in miliseconds of last successful update for vulnerability data. - SystemInfo: - type: object - properties: - storage: - type: array - description: The storage of system. - items: - $ref: '#/definitions/Storage' - LdapConf: - type: object - properties: - ldap_url: - type: string - description: The url of ldap service. - ldap_search_dn: - type: string - description: The search dn of ldap service. - ldap_search_password: - type: string - description: The search password of ldap service. - ldap_base_dn: - type: string - description: The base dn of ldap service. - ldap_filter: - type: string - description: The serach filter of ldap service. - ldap_uid: - type: string - description: The serach uid from ldap service attributes. - ldap_scope: - type: integer - format: int64 - description: The serach scope of ldap service. - ldap_connection_timeout: - type: integer - format: int64 - description: The connect timeout of ldap service(second). - LdapUsers: - type: object - properties: - ldap_username: - type: string - description: search ldap user name based on ldapconf. - ldap_realname: - type: string - description: system will try to guess the user realname form "uid" or "cn" attribute. - ldap_email: - type: string - description: system will try to guess the user email address form "mail" or "email" attribute. - LdapImportUsers: - type: object - properties: - ldap_uid_list: - type: array - description: selected uid list - items: - type: string - LdapFailedImportUsers: - type: object - properties: - ldap_uid: - type: string - description: the uid can't add to system. - error: - type: string - description: fail reason. - EmailServerSetting: - type: object - properties: - email_host: - type: string - description: The host of email server. - email_port: - type: integer - description: The port of email server. - email_username: - type: string - description: The username of email server. - email_password: - type: string - description: The password of email server. - email_ssl: - type: boolean - description: Use ssl/tls or not. - email_identity: - type: string - description: The dentity of email server. - RepoSignature: - type: object - properties: - tag: - type: string - description: The tag of image. - hashes: - type: object - description: The JSON object of the hash of the image. - DetailedTag: - type: object - properties: - digest: - type: string - description: The digest of the tag. - name: - type: string - description: The name of the tag. - size: - type: integer - description: The size of the image. - architecture: - type: string - description: The architecture of the image. - os: - type: string - description: The os of the image. - docker_version: - type: string - description: The version of docker which builds the image. - author: - type: string - description: The author of the image. - created: - type: string - description: The build time of the image. - signature: - type: object - description: 'The signature of image, defined by RepoSignature. If it is null, the image is unsigned.' - scan_overview: - type: object - description: The overview of the scan result. This is an optional property. - properties: - digest: - type: string - description: The digest of the image. - scan_status: - type: string - description: 'The status of the scan job, it can be "pending", "running", "finished", "error".' - job_id: - type: integer - description: The ID of the job on jobservice to scan the image. - severity: - type: integer - description: '0-Not scanned, 1-Negligible, 2-Unknown, 3-Low, 4-Medium, 5-High' - details_key: - type: string - description: 'The top layer name of this image in Clair, this is for calling Clair API to get the vulnerability list of this image.' - components: - type: object - description: The components overview of the image. - properties: - total: - type: integer - description: Total number of the components in this image. - summary: - description: List of number of components of different severities. - type: array - items: - $ref: '#/definitions/ComponentOverviewEntry' - labels: - type: array - description: The label list. - items: - $ref: '#/definitions/Label' - ComponentOverviewEntry: - type: object - properties: - severity: - type: integer - description: '1-None/Negligible, 2-Unknown, 3-Low, 4-Medium, 5-High' - count: - type: integer - description: number of the components with certain severity. - Repository: - type: object - properties: - id: - type: integer - description: The ID of repository. - name: - type: string - description: The name of repository. - project_id: - type: integer - description: The project ID of repository. - description: - type: string - description: The description of repository. - pull_count: - type: integer - description: The pull count of repository. - star_count: - type: integer - description: The star count of repository. - tags_count: - type: integer - description: The tags count of repository. - labels: - type: array - description: The label list. - items: - $ref: '#/definitions/Label' - creation_time: - type: string - description: The creation time of repository. - update_time: - type: string - description: The update time of repository. - VulnerabilityItem: - type: object - properties: - id: - type: string - description: 'ID of the vulnerability, normally it is the CVE ID' - severity: - type: integer - description: '1-Negligible, 2-Unknown, 3-Low, 4-Medium, 5-High' - package: - type: string - description: The packge that introduces the vulnerability. - version: - type: string - description: The version of the package. - description: - type: string - description: The description of the vulnerability. - fixedVersion: - type: string - description: 'The version which the vulnerability is fixed, this is an optional property.' - Configurations: - type: object - properties: - auth_mode: - type: string - description: 'The auth mode of current system, such as "db_auth", "ldap_auth"' - count_per_project: - type: string - description: The default count quota for the new created projects. - email_from: - type: string - description: The sender name for Email notification. - email_host: - type: string - description: The hostname of SMTP server that sends Email notification. - email_port: - type: integer - description: The port of SMTP server. - email_identity: - type: string - description: By default it's empty so the email_username is picked. - email_username: - type: string - description: The username for authenticate against SMTP server. - email_ssl: - type: boolean - description: 'When it''s set to true the system will access Email server via TLS by default. If it''s set to false, it still will handle "STARTTLS" from server side.' - email_insecure: - type: boolean - description: Whether or not the certificate will be verified when Harbor tries to access the email server. - ldap_url: - type: string - description: The URL of LDAP server. - ldap_base_dn: - type: string - description: The Base DN for LDAP binding. - ldap_filter: - type: string - description: The filter for LDAP binding. - ldap_scope: - type: integer - description: '0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE' - ldap_uid: - type: string - description: 'The attribute which is used as identity for the LDAP binding, such as "CN" or "SAMAccountname"' - ldap_search_dn: - type: string - description: The DN of the user to do the search. - ldap_timeout: - type: integer - description: timeout in seconds for connection to LDAP server. - ldap_group_attribute_name: - type: string - description: 'The attribute which is used as identity of the LDAP group, default is cn.' - ldap_group_base_dn: - type: string - description: The base DN to search LDAP group. - ldap_group_search_filter: - type: string - description: The filter to search the ldap group. - ldap_group_search_scope: - type: integer - description: 'The scope to search ldap. ''0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE''' - ldap_group_admin_dn: - type: string - description: Specify the ldap group which have the same privilege with Harbor admin. - project_creation_restriction: - type: string - description: This attribute restricts what users have the permission to create project. It can be "everyone" or "adminonly". - quota_per_project_enable: - type: boolean - description: This attribute indicates whether quota per project enabled in harbor - read_only: - type: boolean - description: '''docker push'' is prohibited by Harbor if you set it to true. ' - self_registration: - type: boolean - description: 'Whether the Harbor instance supports self-registration. If it''s set to false, admin need to add user to the instance.' - storage_per_project: - type: string - description: The default storage quota for the new created projects. - token_expiration: - type: integer - description: 'The expiration time of the token for internal Registry, in minutes.' - verify_remote_cert: - type: boolean - description: Whether or not the certificate will be verified when Harbor tries to access a remote Harbor instance for replication. - scan_all_policy: - type: object - properties: - type: - type: string - description: 'The type of scan all policy, currently the valid values are "none" and "daily"' - parameter: - type: object - properties: - daily_time: - type: integer - description: 'The offset in seconds of UTC 0 o''clock, only valid when the policy type is "daily"' - description: 'The parameters of the policy, the values are dependant on the type of the policy.' - ConfigurationsResponse: - type: object - properties: - auth_mode: - $ref: '#/definitions/StringConfigItem' - description: 'The auth mode of current system, such as "db_auth", "ldap_auth"' - count_per_project: - $ref: '#/definitions/IntegerConfigItem' - description: The default count quota for the new created projects. - email_from: - $ref: '#/definitions/StringConfigItem' - description: The sender name for Email notification. - email_host: - $ref: '#/definitions/StringConfigItem' - description: The hostname of SMTP server that sends Email notification. - email_port: - $ref: '#/definitions/IntegerConfigItem' - description: The port of SMTP server. - email_identity: - $ref: '#/definitions/StringConfigItem' - description: By default it's empty so the email_username is picked. - email_username: - $ref: '#/definitions/StringConfigItem' - description: The username for authenticate against SMTP server. - email_ssl: - $ref: '#/definitions/BoolConfigItem' - description: 'When it''s set to true the system will access Email server via TLS by default. If it''s set to false, it still will handle "STARTTLS" from server side.' - email_insecure: - $ref: '#/definitions/BoolConfigItem' - description: Whether or not the certificate will be verified when Harbor tries to access the email server. - ldap_url: - $ref: '#/definitions/StringConfigItem' - description: The URL of LDAP server. - ldap_base_dn: - $ref: '#/definitions/StringConfigItem' - description: The Base DN for LDAP binding. - ldap_filter: - $ref: '#/definitions/StringConfigItem' - description: The filter for LDAP binding. - ldap_scope: - type: integer - description: '0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE' - ldap_uid: - $ref: '#/definitions/StringConfigItem' - description: 'The attribute which is used as identity for the LDAP binding, such as "CN" or "SAMAccountname"' - ldap_search_dn: - type: string - description: The DN of the user to do the search. - ldap_timeout: - $ref: '#/definitions/IntegerConfigItem' - description: timeout in seconds for connection to LDAP server. - ldap_group_attribute_name: - $ref: '#/definitions/StringConfigItem' - description: 'The attribute which is used as identity of the LDAP group, default is cn.' - ldap_group_base_dn: - $ref: '#/definitions/StringConfigItem' - description: The base DN to search LDAP group. - ldap_group_search_filter: - $ref: '#/definitions/StringConfigItem' - description: The filter to search the ldap group. - ldap_group_search_scope: - $ref: '#/definitions/IntegerConfigItem' - description: 'The scope to search ldap. ''0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE''' - ldap_group_admin_dn: - $ref: '#/definitions/StringConfigItem' - description: Specify the ldap group which have the same privilege with Harbor admin. - project_creation_restriction: - $ref: '#/definitions/StringConfigItem' - description: This attribute restricts what users have the permission to create project. It can be "everyone" or "adminonly". - quota_per_project_enable: - $ref: '#/definitions/BoolConfigItem' - description: This attribute indicates whether quota per project enabled in harbor - read_only: - $ref: '#/definitions/BoolConfigItem' - description: '''docker push'' is prohibited by Harbor if you set it to true. ' - self_registration: - $ref: '#/definitions/BoolConfigItem' - description: 'Whether the Harbor instance supports self-registration. If it''s set to false, admin need to add user to the instance.' - storage_per_project: - $ref: '#/definitions/IntegerConfigItem' - description: The default storage quota for the new created projects. - token_expiration: - $ref: '#/definitions/IntegerConfigItem' - description: 'The expiration time of the token for internal Registry, in minutes.' - verify_remote_cert: - $ref: '#/definitions/BoolConfigItem' - description: Whether or not the certificate will be verified when Harbor tries to access a remote Harbor instance for replication. - scan_all_policy: - type: object - properties: - type: - type: string - description: 'The type of scan all policy, currently the valid values are "none" and "daily"' - parameter: - type: object - properties: - daily_time: - type: integer - description: 'The offset in seconds of UTC 0 o''clock, only valid when the policy type is "daily"' - description: 'The parameters of the policy, the values are dependant on the type of the policy.' - RepositoryDescription: - type: object - properties: - description: - type: string - description: The description of the repository. - Label: - type: object - properties: - id: - type: integer - description: The ID of label. - name: - type: string - description: The name of label. - description: - type: string - description: The description of label. - color: - type: string - description: The color of label. - scope: - type: string - description: 'The scope of label, g for global labels and p for project labels.' - project_id: - type: integer - description: The project ID if the label is a project label. - creation_time: - type: string - description: The creation time of label. - update_time: - type: string - description: The update time of label. - deleted: - type: boolean - description: The label is deleted or not. - ProjectMemberEntity: - type: object - properties: - id: - type: integer - description: the project member id - project_id: - type: integer - description: the project id - entity_name: - type: string - description: the name of the group member. - role_name: - type: string - description: the name of the role - role_id: - type: integer - description: the role id - entity_id: - type: integer - description: 'the id of entity, if the member is a user, it is user_id in user table. if the member is a user group, it is the user group''s ID in user_group table.' - entity_type: - type: string - description: 'the entity''s type, u for user entity, g for group entity.' - ProjectMember: - type: object - properties: - role_id: - type: integer - description: 'The role id 1 for projectAdmin, 2 for developer, 3 for guest, 4 for master' - member_user: - $ref: '#/definitions/UserEntity' - member_group: - $ref: '#/definitions/UserGroup' - RoleRequest: - type: object - properties: - role_id: - type: integer - description: 'The role id 1 for projectAdmin, 2 for developer, 3 for guest, 4 for master' - UserEntity: - type: object - properties: - user_id: - type: integer - description: The ID of the user. - username: - type: string - description: The name of the user. - UserGroup: - type: object - properties: - id: - type: integer - description: The ID of the user group - group_name: - type: string - description: The name of the user group - group_type: - type: integer - description: 'The group type, 1 for LDAP group, 2 for HTTP group.' - ldap_group_dn: - type: string - description: The DN of the LDAP group if group type is 1 (LDAP group). - Resource: - type: object - properties: - replication_policies: - type: array - description: The replication policy list. - items: - $ref: '#/definitions/ReplicationPolicy' - StringConfigItem: - type: object - properties: - value: - type: string - description: The string value of current config item - editable: - type: boolean - description: The configure item can be updated or not - BoolConfigItem: - type: object - properties: - value: - type: boolean - description: The boolean value of current config item - editable: - type: boolean - description: The configure item can be updated or not - IntegerConfigItem: - type: object - properties: - value: - type: integer - description: The integer value of current config item - editable: - type: boolean - description: The configure item can be updated or not - ChartAPIError: - description: The error object returned by chart repository API - type: object - required: - - error - properties: - error: - type: string - description: The error message returned by the chart API - UnauthorizedChartAPIError: - description: Unauthorized - type: object - allOf: - - $ref: '#/definitions/ChartAPIError' - ForbiddenChartAPIError: - description: Operation is forbidden or quota exceeded - type: object - allOf: - - $ref: '#/definitions/ChartAPIError' - InternalChartAPIError: - description: Internal server error occurred - type: object - allOf: - - $ref: '#/definitions/ChartAPIError' - NotFoundChartAPIError: - description: Not found - type: object - allOf: - - $ref: '#/definitions/ChartAPIError' - InsufficientStorageChartAPIError: - description: Insufficient storage - type: object - allOf: - - $ref: '#/definitions/ChartAPIError' - BadRequestFormatedError: - description: Bad request - type: object - allOf: - - $ref: '#/definitions/ChartAPIError' - ConflictFormatedError: - description: Conflicts - type: object - allOf: - - $ref: '#/definitions/ChartAPIError' - ChartInfoEntry: - type: object - description: The object contains basic chart information - required: - - name - - total_versions - - created - properties: - name: - type: string - description: Name of chart - total_versions: - type: integer - description: Total count of chart versions - latest_version: - type: string - description: latest version of chart - created: - type: string - description: The created time of chart - updated: - type: string - description: The created time of chart - icon: - type: string - description: The icon path of chart - home: - type: string - description: The home website of chart - deprecated: - type: boolean - description: Flag to indicate if the chart is deprecated - ChartInfoList: - type: array - description: The chart list under the project - items: - $ref: '#/definitions/ChartInfoEntry' - ChartMetadata: - type: object - description: The metadata of chart version - required: - - name - - version - - engine - - icon - - apiVersion - - appVersion - properties: - name: - type: string - description: The name of the chart - home: - type: string - description: The URL to the relevant project page - sources: - type: array - description: The URL to the source code of chart - items: - type: string - version: - type: string - description: A SemVer 2 version of chart - description: - type: string - description: A one-sentence description of chart - keywords: - type: array - description: A list of string keywords - items: - type: string - engine: - type: string - description: The name of template engine - icon: - type: string - description: The URL to an icon file - apiVersion: - type: string - description: The API version of this chart - appVersion: - type: string - description: The version of the application enclosed in the chart - deprecated: - type: boolean - description: Whether or not this chart is deprecated - ChartVersion: - type: object - description: A specified chart entry - allOf: - - $ref: '#/definitions/ChartMetadata' - - type: object - properties: - created: - type: string - description: The created time of the chart entry - removed: - type: boolean - description: A flag to indicate if the chart entry is removed - digest: - type: string - description: The digest value of the chart entry - urls: - type: array - description: The urls of the chart entry - items: - type: string - properties: - labels: - $ref: '#/definitions/Labels' - ChartVersions: - type: array - description: A list of chart entry - items: - $ref: '#/definitions/ChartVersion' - DigitalSignature: - type: object - description: The signature of the chart - properties: - signed: - type: boolean - description: A flag to indicate if the chart is signed - prov_file: - type: string - description: The URL of the provance file - SecurityReport: - type: object - description: The security information of the chart - properties: - signature: - $ref: '#/definitions/DigitalSignature' - Dependency: - type: object - description: Another chart the chart depends on - required: - - name - - version - properties: - name: - type: string - description: The name of the chart denpendency - version: - type: string - description: The version of the chart dependency - repository: - type: string - description: The URL to the repository - ChartVersionDetails: - type: object - description: The detailed information of the chart entry - properties: - metadata: - $ref: '#/definitions/ChartVersion' - security: - $ref: '#/definitions/SecurityReport' - dependencies: - type: array - items: - $ref: '#/definitions/Dependency' - values: - type: object - additionalProperties: - type: object - files: - type: object - additionalProperties: - type: string - labels: - $ref: '#/definitions/Labels' - GCResult: - type: object - properties: - id: - type: integer - description: the id of gc job. - job_name: - type: string - description: the job name of gc job. - job_kind: - type: string - description: the job kind of gc job. - schedule: - $ref: '#/definitions/AdminJobScheduleObj' - job_status: - type: string - description: the status of gc job. - deleted: - type: boolean - description: if gc job was deleted. - creation_time: - type: string - description: the creation time of gc job. - update_time: - type: string - description: the update time of gc job. - AdminJobSchedule: - type: object - properties: - schedule: - $ref: '#/definitions/AdminJobScheduleObj' - AdminJobScheduleObj: - type: object - properties: - type: - type: string - description: | - The schedule type. The valid values are 'Hourly', 'Daily', 'Weekly', 'Custom', 'Manually' and 'None'. - 'Manually' means to trigger it right away and 'None' means to cancel the schedule. - cron: - type: string - description: A cron expression, a time-based job scheduler. - SearchResult: - type: object - description: The chart search result item - properties: - name: - type: string - description: The chart name with repo name - score: - type: integer - description: The matched level - chart: - $ref: '#/definitions/ChartVersion' - Labels: - type: array - description: A list of label - items: - $ref: '#/definitions/Label' - OverallHealthStatus: - type: object - description: The system health status - properties: - status: - type: string - description: The overall health status. It is "healthy" only when all the components' status are "healthy" - components: - type: array - items: - $ref: '#/definitions/ComponentHealthStatus' - ComponentHealthStatus: - type: object - description: The health status of component - properties: - name: - type: string - description: The component name - status: - type: string - description: The health status of component - error: - type: string - description: (optional) The error message when the status is "unhealthy" - RobotAccount: - type: object - description: The object of robot account - properties: - id: - type: integer - description: The id of robot account - name: - type: string - description: The name of robot account - description: - type: string - description: The description of robot account - expires_at: - type: integer - description: The expiration of robot account (in seconds) - project_id: - type: integer - description: The project id of robot account - disabled: - type: boolean - description: The robot account is disable or enable - creation_time: - type: string - description: The creation time of the robot account - update_time: - type: string - description: The update time of the robot account - RobotAccountCreate: - type: object - properties: - name: - type: string - description: The name of robot account - description: - type: string - description: The description of robot account - access: - type: array - description: The permission of robot account - items: - $ref: '#/definitions/RobotAccountAccess' - RobotAccountPostRep: - type: object - properties: - name: - type: string - description: the name of robot account - token: - type: string - description: the token of robot account - RobotAccountAccess: - type: object - properties: - resource: - type: string - description: the resource of harbor - action: - type: string - description: the action to resource that perdefined in harbor rbac - RobotAccountUpdate: - type: object - properties: - disabled: - type: boolean - description: The robot account is disable or enable - Permission: - type: object - description: The permission - properties: - resource: - type: string - description: The permission resoruce - action: - type: string - description: The permission action - RegistryInfo: - type: object - description: The registry info contains the base info and capability declarations of the registry - properties: - type: - type: string - description: The registry type - description: - type: string - description: The description - supported_resource_filters: - type: array - description: The filters that the registry supports - items: - $ref: '#/definitions/FilterStyle' - supported_triggers: - type: array - description: The triggers that the registry supports - items: - type: string - FilterStyle: - type: object - description: The style of the resource filter - properties: - type: - type: string - description: The filter type - style: - type: string - description: The filter style - values: - type: array - description: The filter values - items: - type: string - ReplicationExecution: - type: object - description: The replication execution - properties: - id: - type: integer - description: The ID - policy_id: - type: integer - description: The policy ID - status: - type: string - description: The status - status_text: - type: string - description: The status text - trigger: - type: string - description: The trigger mode - total: - type: integer - description: The total count of all tasks - failed: - type: integer - description: The count of failed tasks - succeed: - type: integer - description: The count of succeed tasks - in_progress: - type: integer - description: The count of in_progress tasks - stopped: - type: integer - description: The count of stopped tasks - start_time: - type: string - description: The start time - end_time: - type: string - description: The end time - ReplicationTask: - type: object - description: The replication task - properties: - id: - type: integer - description: The ID - execution_id: - type: integer - description: The execution ID - resource_type: - type: string - description: The resource type - src_resource: - type: string - description: The source resource - dst_resource: - type: string - description: The destination resource - job_id: - type: string - description: The job ID - status: - type: string - description: The status - start_time: - type: string - description: The start time - end_time: - type: string - description: The end time - Namespace: - type: object - description: The namespace of registry - properties: - name: - type: string - description: The name of namespace - metadata: - type: object - description: The metadata of namespace - CVEAllowlist: - type: object - description: The CVE Allowlist for system or project - properties: - id: - type: integer - description: ID of the allowlist - project_id: - type: integer - description: ID of the project which the allowlist belongs to. For system level allowlist this attribute is zero. - expires_at: - type: integer - description: the time for expiration of the allowlist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE allowlist does not expire. - items: - type: array - items: - $ref: "#/definitions/CVEAllowlistItem" - CVEAllowlistItem: - type: object - description: The item in CVE allowlist - properties: - cve_id: - type: string - description: The ID of the CVE, such as "CVE-2019-10164" - ResourceList: - type: object - additionalProperties: - type: integer - QuotaUpdateReq: - type: object - properties: - hard: - $ref: "#/definitions/ResourceList" - description: The new hard limits for the quota - QuotaRefObject: - type: object - additionalProperties: {} - Quota: - type: object - description: The quota object - properties: - id: - type: integer - description: ID of the quota - ref: - $ref: "#/definitions/QuotaRefObject" - description: The reference object of the quota - hard: - $ref: "#/definitions/ResourceList" - description: The hard limits of the quota - used: - $ref: "#/definitions/ResourceList" - description: The used status of the quota - creation_time: - type: string - description: the creation time of the quota - update_time: - type: string - description: the update time of the quota - WebhookTargetObject: - type: object - description: The webhook policy target object. - properties: - type: - type: string - description: The webhook target notify type. - address: - type: string - description: The webhook target address. - auth_header: - type: string - description: The webhook auth header. - skip_cert_verify: - type: boolean - description: Whether or not to skip cert verify. - WebhookPolicy: - type: object - description: The webhook policy object - properties: - id: - type: integer - format: int64 - description: The webhook policy ID. - name: - type: string - description: The name of webhook policy. - description: - type: string - description: The description of webhook policy. - project_id: - type: integer - description: The project ID of webhook policy. - targets: - type: array - items: - $ref: '#/definitions/WebhookTargetObject' - event_types: - type: array - items: - type: string - creator: - type: string - description: The creator of the webhook policy. - creation_time: - type: string - description: The create time of the webhook policy. - update_time: - type: string - description: The update time of the webhook policy. - enabled: - type: boolean - description: Whether the webhook policy is enabled or not. - WebhookLastTrigger: - type: object - description: The webhook policy and last trigger time group by event type. - properties: - event_type: - type: string - description: The webhook event type. - enabled: - type: boolean - description: Whether or not the webhook policy enabled. - creation_time: - type: string - description: The creation time of webhook policy. - last_trigger_time: - type: string - description: The last trigger time of webhook policy. - WebhookJob: - type: object - description: The webhook job. - properties: - id: - type: integer - format: int64 - description: The webhook job ID. - policy_id: - type: integer - format: int64 - description: The webhook policy ID. - event_type: - type: string - description: The webhook job event type. - notify_type: - type: string - description: The webhook job notify type. - status: - type: string - description: The webhook job status. - job_detail: - type: string - description: The webhook job notify detailed data. - creation_time: - type: string - description: The webhook job creation time. - update_time: - type: string - description: The webhook job update time. - - RetentionMetadata: - type: object - description: the tag retention metadata - properties: - templates: - type: array - description: templates - items: - $ref: '#/definitions/RetentionRuleMetadata' - scope_selectors: - type: array - description: supported scope selectors - items: - $ref: '#/definitions/RetentionSelectorMetadata' - tag_selectors: - type: array - description: supported tag selectors - items: - $ref: '#/definitions/RetentionSelectorMetadata' - - RetentionRuleMetadata: - type: object - description: the tag retention rule metadata - properties: - rule_template: - type: string - description: rule id - display_text: - type: string - description: rule display text - action: - type: string - description: rule action - params: - type: array - description: rule params - items: - $ref: '#/definitions/RetentionRuleParamMetadata' - - RetentionRuleParamMetadata: - type: object - description: rule param - properties: - type: - type: string - unit: - type: string - required: - type: boolean - - - RetentionSelectorMetadata: - type: object - description: retention selector - properties: - display_text: - type: string - kind: - type: string - decorations: - type: array - items: - type: string - - RetentionPolicy: - type: object - description: retention policy - properties: - id: - type: integer - format: int64 - algorithm: - type: string - rules: - type: array - items: - $ref: '#/definitions/RetentionRule' - trigger: - type: object - items: - $ref: '#/definitions/RetentionRuleTrigger' - scope: - type: object - items: - $ref: '#/definitions/RetentionPolicyScope' - - RetentionRuleTrigger: - type: object - properties: - kind: - type: string - settings: - type: object - references: - type: object - - RetentionPolicyScope: - type: object - properties: - level: - type: string - ref: - type: integer - - RetentionRule: - type: object - properties: - id: - type: integer - priority: - type: integer - disabled: - type: boolean - action: - type: string - template: - type: string - params: - type: object - additionalProperties: - type: object - tag_selectors: - type: array - items: - $ref: '#/definitions/RetentionSelector' - scope_selectors: - type: object - additionalProperties: - type: array - items: - $ref: '#/definitions/RetentionSelector' - - RetentionSelector: - type: object - properties: - kind: - type: string - decoration: - type: string - pattern: - type: string - - RetentionExecution: - type: object - properties: - id: - type: integer - format: int64 - policy_id: - type: integer - format: int64 - start_time: - type: string - end_time: - type: string - status: - type: string - trigger: - type: string - dry_run: - type: boolean - - RetentionExecutionTask: - type: object - properties: - id: - type: integer - format: int64 - execution_id: - type: integer - format: int64 - repository: - type: string - job_id: - type: string - status: - type: string - status_code: - type: integer - status_revision: - type: integer - format: int64 - start_time: - type: string - end_time: - type: string - total: - type: integer - retained: - type: integer - QuotaSwitcher: - type: object - properties: - enabled: - type: boolean - description: The quota is enable or disable - ImmutableTagRule: - type: object - properties: - id: - type: integer - format: int64 - project_id: - type: integer - format: int64 - tag_filter: - type: string - enabled: - type: boolean diff --git a/docs/build-customize-contribute/ui-contribution-get-started.md b/docs/build-customize-contribute/ui-contribution-get-started.md deleted file mode 100644 index 993e06ef9..000000000 --- a/docs/build-customize-contribute/ui-contribution-get-started.md +++ /dev/null @@ -1,96 +0,0 @@ ---- -title: Developing the Harbor Frontend ---- - -If you already have a harbor backend environment, you can build a frontend development environment with the following configuration. - -1. Create the file proxy.config.json in the directory harbor/src/portal,and config it according to the sample below. - - **NOTE:** You should replace “$IP_ADDRESS” with your own ip address. - - ```json - { - "/api/*": { - "target": "$IP_ADDRESS", - "secure": false, - "changeOrigin": true, - "logLevel": "debug" - }, - "/service/*": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/c/login": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/sign_in": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/c/log_out": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/sendEmail": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/language": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/reset": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/userExists": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/reset_password": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/i18n/lang/*.json": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug", - "pathRewrite": { "^/src$": "" } - }, - "/chartrepo": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - }, - "/*.json": { - "target": "$IP_ADDRESS", - "secure": false, - "logLevel": "debug" - } - } - ``` - -2. Open the terminal and run the following command,install npm packages as 3rd-party dependencies. - - ```sh - cd harbor/src/portal - npm install - ``` - -3. Execute the following command,serve Harbor locally. - - ```sh - npm run start - ``` - -4. Then you can visit the Harbor by address: https://localhost:4200. diff --git a/docs/build-customize-contribute/use-make.md b/docs/build-customize-contribute/use-make.md deleted file mode 100644 index c426abf28..000000000 --- a/docs/build-customize-contribute/use-make.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Using Make ---- - -## Variables - -Variable | Description --------------------|------------- -BASEIMAGE | Container base image, default: photon -DEVFLAG | Build model flag, default: dev -COMPILETAG | Compile model flag, default: compile_normal (local golang build) -GOBUILDIMAGE | Golang image to compile harbor go source code. -NOTARYFLAG | Whether to enable notary in harbor, default:false -HTTPPROXY | Clarity proxy to build UI. - -## Targets - -Target | Description ---------------------|------------- -all | prepare env, compile binaries, build images and install images -prepare | prepare env -compile | compile ui and jobservice code -compile_portal | compile portal code -compile_core | compile core binary -compile_jobservice | compile jobservice binary -build | build Harbor docker images (default: using build_photon) -build_photon | build Harbor docker images from Photon OS base image -install | compile binaries, build images, prepare specific version of compose file and startup Harbor instance -start | startup Harbor instance -down | shutdown Harbor instance -package_online | prepare online install package -package_offline | prepare offline install package -pushimage | push Harbor images to specific registry server -clean all | remove binary, Harbor images, specific version docker-compose file, specific version tag and online/offline install package -cleanbinary | remove ui and jobservice binary -cleanimage | remove Harbor images -cleandockercomposefile | remove specific version docker-compose -cleanversiontag | remove specific version tag -cleanpackage | remove online/offline install package -version | set harbor version - -## Examples - -### Build and run harbor from source code - -```sh -make install GOBUILDIMAGE=golang:1.14.5 COMPILETAG=compile_golangimage NOTARYFLAG=true -``` - -### Package offline installer - -```sh -make package_offline GOBUILDIMAGE=golang:1.14.5 COMPILETAG=compile_golangimage NOTARYFLAG=true -``` - -### Start harbor with notary - -```sh -make -e NOTARYFLAG=true start -``` - -### Stop harbor with notary - -```sh -make -e NOTARYFLAG=true down -``` diff --git a/docs/img/OIDC/auth0.png b/docs/img/OIDC/auth0.png deleted file mode 100644 index 5798dfa3b..000000000 Binary files a/docs/img/OIDC/auth0.png and /dev/null differ diff --git a/docs/img/OIDC/dex.png b/docs/img/OIDC/dex.png deleted file mode 100644 index 88b6df0f3..000000000 Binary files a/docs/img/OIDC/dex.png and /dev/null differ diff --git a/docs/img/OIDC/google-identity.png b/docs/img/OIDC/google-identity.png deleted file mode 100644 index c739b37b8..000000000 Binary files a/docs/img/OIDC/google-identity.png and /dev/null differ diff --git a/docs/img/OIDC/keycloak.png b/docs/img/OIDC/keycloak.png deleted file mode 100644 index 73084d784..000000000 Binary files a/docs/img/OIDC/keycloak.png and /dev/null differ diff --git a/docs/img/OIDC/ping.png b/docs/img/OIDC/ping.png deleted file mode 100644 index a6f459d20..000000000 Binary files a/docs/img/OIDC/ping.png and /dev/null differ diff --git a/docs/img/add-group.png b/docs/img/add-group.png deleted file mode 100644 index 944ca2c83..000000000 Binary files a/docs/img/add-group.png and /dev/null differ diff --git a/docs/img/add-immutability-rule.png b/docs/img/add-immutability-rule.png deleted file mode 100644 index 7d15ce9fd..000000000 Binary files a/docs/img/add-immutability-rule.png and /dev/null differ diff --git a/docs/img/add-labels-to-chart-versions.png b/docs/img/add-labels-to-chart-versions.png deleted file mode 100644 index 3a43127d7..000000000 Binary files a/docs/img/add-labels-to-chart-versions.png and /dev/null differ diff --git a/docs/img/add-labels-to-images.png b/docs/img/add-labels-to-images.png deleted file mode 100644 index d74c6112a..000000000 Binary files a/docs/img/add-labels-to-images.png and /dev/null differ diff --git a/docs/img/add-oidc-group.png b/docs/img/add-oidc-group.png deleted file mode 100644 index 788c23fa5..000000000 Binary files a/docs/img/add-oidc-group.png and /dev/null differ diff --git a/docs/img/add-robot-account-2.png b/docs/img/add-robot-account-2.png deleted file mode 100644 index 6cd4f49e1..000000000 Binary files a/docs/img/add-robot-account-2.png and /dev/null differ diff --git a/docs/img/add-robot-account.png b/docs/img/add-robot-account.png deleted file mode 100644 index 316f94bc6..000000000 Binary files a/docs/img/add-robot-account.png and /dev/null differ diff --git a/docs/img/add-scanner.png b/docs/img/add-scanner.png deleted file mode 100644 index e41e0757d..000000000 Binary files a/docs/img/add-scanner.png and /dev/null differ diff --git a/docs/img/addtag1.png b/docs/img/addtag1.png deleted file mode 100644 index 10bd5ba3a..000000000 Binary files a/docs/img/addtag1.png and /dev/null differ diff --git a/docs/img/adopters/360.png b/docs/img/adopters/360.png deleted file mode 100644 index bb8feab6b..000000000 Binary files a/docs/img/adopters/360.png and /dev/null differ diff --git a/docs/img/adopters/Yanrong.jpg b/docs/img/adopters/Yanrong.jpg deleted file mode 100644 index 3a4d892d4..000000000 Binary files a/docs/img/adopters/Yanrong.jpg and /dev/null differ diff --git a/docs/img/adopters/anchore_logo.png b/docs/img/adopters/anchore_logo.png deleted file mode 100644 index 289da968e..000000000 Binary files a/docs/img/adopters/anchore_logo.png and /dev/null differ diff --git a/docs/img/adopters/axatp.png b/docs/img/adopters/axatp.png deleted file mode 100644 index 2401c56c8..000000000 Binary files a/docs/img/adopters/axatp.png and /dev/null differ diff --git a/docs/img/adopters/beyondsoft.png b/docs/img/adopters/beyondsoft.png deleted file mode 100644 index 49867c396..000000000 Binary files a/docs/img/adopters/beyondsoft.png and /dev/null differ diff --git a/docs/img/adopters/bingocloud.png b/docs/img/adopters/bingocloud.png deleted file mode 100644 index d1fac9f19..000000000 Binary files a/docs/img/adopters/bingocloud.png and /dev/null differ diff --git a/docs/img/adopters/bocoit.png b/docs/img/adopters/bocoit.png deleted file mode 100644 index 7560b646f..000000000 Binary files a/docs/img/adopters/bocoit.png and /dev/null differ diff --git a/docs/img/adopters/boer.png b/docs/img/adopters/boer.png deleted file mode 100644 index af54d40f6..000000000 Binary files a/docs/img/adopters/boer.png and /dev/null differ diff --git a/docs/img/adopters/caicloud.png b/docs/img/adopters/caicloud.png deleted file mode 100644 index 37e26c0ec..000000000 Binary files a/docs/img/adopters/caicloud.png and /dev/null differ diff --git a/docs/img/adopters/china-mobile.png b/docs/img/adopters/china-mobile.png deleted file mode 100644 index 98e3589da..000000000 Binary files a/docs/img/adopters/china-mobile.png and /dev/null differ diff --git a/docs/img/adopters/cloudchef.png b/docs/img/adopters/cloudchef.png deleted file mode 100644 index 2a5cd00c4..000000000 Binary files a/docs/img/adopters/cloudchef.png and /dev/null differ diff --git a/docs/img/adopters/cloudstar.png b/docs/img/adopters/cloudstar.png deleted file mode 100644 index fe0a58904..000000000 Binary files a/docs/img/adopters/cloudstar.png and /dev/null differ diff --git a/docs/img/adopters/dataman.png b/docs/img/adopters/dataman.png deleted file mode 100644 index 914a3a549..000000000 Binary files a/docs/img/adopters/dataman.png and /dev/null differ diff --git a/docs/img/adopters/datayes.png b/docs/img/adopters/datayes.png deleted file mode 100644 index 707aacfe5..000000000 Binary files a/docs/img/adopters/datayes.png and /dev/null differ diff --git a/docs/img/adopters/dianrong.png b/docs/img/adopters/dianrong.png deleted file mode 100644 index a7a8cd85c..000000000 Binary files a/docs/img/adopters/dianrong.png and /dev/null differ diff --git a/docs/img/adopters/hydsoft.png b/docs/img/adopters/hydsoft.png deleted file mode 100644 index 0a694fa67..000000000 Binary files a/docs/img/adopters/hydsoft.png and /dev/null differ diff --git a/docs/img/adopters/ifre.png b/docs/img/adopters/ifre.png deleted file mode 100644 index de0d4cbea..000000000 Binary files a/docs/img/adopters/ifre.png and /dev/null differ diff --git a/docs/img/adopters/jd.png b/docs/img/adopters/jd.png deleted file mode 100644 index d21d155e0..000000000 Binary files a/docs/img/adopters/jd.png and /dev/null differ diff --git a/docs/img/adopters/openedutainment.png b/docs/img/adopters/openedutainment.png deleted file mode 100644 index 45def4daa..000000000 Binary files a/docs/img/adopters/openedutainment.png and /dev/null differ diff --git a/docs/img/adopters/pivotal.png b/docs/img/adopters/pivotal.png deleted file mode 100644 index 7b5a47ec0..000000000 Binary files a/docs/img/adopters/pivotal.png and /dev/null differ diff --git a/docs/img/adopters/rancher.png b/docs/img/adopters/rancher.png deleted file mode 100644 index 99d095776..000000000 Binary files a/docs/img/adopters/rancher.png and /dev/null differ diff --git a/docs/img/adopters/slamtec.png b/docs/img/adopters/slamtec.png deleted file mode 100644 index df3a46427..000000000 Binary files a/docs/img/adopters/slamtec.png and /dev/null differ diff --git a/docs/img/adopters/talkingdata.png b/docs/img/adopters/talkingdata.png deleted file mode 100644 index c0b69622b..000000000 Binary files a/docs/img/adopters/talkingdata.png and /dev/null differ diff --git a/docs/img/adopters/tenxcloud.png b/docs/img/adopters/tenxcloud.png deleted file mode 100644 index 8db40928b..000000000 Binary files a/docs/img/adopters/tenxcloud.png and /dev/null differ diff --git a/docs/img/adopters/trendmicro.png b/docs/img/adopters/trendmicro.png deleted file mode 100644 index 589254d29..000000000 Binary files a/docs/img/adopters/trendmicro.png and /dev/null differ diff --git a/docs/img/adopters/wangyi.png b/docs/img/adopters/wangyi.png deleted file mode 100644 index 13aad21b2..000000000 Binary files a/docs/img/adopters/wangyi.png and /dev/null differ diff --git a/docs/img/adopters/wise2c.png b/docs/img/adopters/wise2c.png deleted file mode 100644 index eca8db2cb..000000000 Binary files a/docs/img/adopters/wise2c.png and /dev/null differ diff --git a/docs/img/api-explorer-btn.png b/docs/img/api-explorer-btn.png deleted file mode 100644 index bf41bb24b..000000000 Binary files a/docs/img/api-explorer-btn.png and /dev/null differ diff --git a/docs/img/artifact-detail.png b/docs/img/artifact-detail.png deleted file mode 100644 index 7bf615049..000000000 Binary files a/docs/img/artifact-detail.png and /dev/null differ diff --git a/docs/img/artifact-vulnerability-status.png b/docs/img/artifact-vulnerability-status.png deleted file mode 100644 index 84e9cccab..000000000 Binary files a/docs/img/artifact-vulnerability-status.png and /dev/null differ diff --git a/docs/img/authorize.png b/docs/img/authorize.png deleted file mode 100644 index 22c1c0d99..000000000 Binary files a/docs/img/authorize.png and /dev/null differ diff --git a/docs/img/bell-outline-badged.svg b/docs/img/bell-outline-badged.svg deleted file mode 100644 index a8b0a96d0..000000000 --- a/docs/img/bell-outline-badged.svg +++ /dev/null @@ -1,5 +0,0 @@ - - bell-outline-badged - - - \ No newline at end of file diff --git a/docs/img/browse-project-repositories.png b/docs/img/browse-project-repositories.png deleted file mode 100644 index 13746d70c..000000000 Binary files a/docs/img/browse-project-repositories.png and /dev/null differ diff --git a/docs/img/build-history.png b/docs/img/build-history.png deleted file mode 100644 index 0c634f29b..000000000 Binary files a/docs/img/build-history.png and /dev/null differ diff --git a/docs/img/chart-artifact-details.png b/docs/img/chart-artifact-details.png deleted file mode 100644 index 54a8ad3fb..000000000 Binary files a/docs/img/chart-artifact-details.png and /dev/null differ diff --git a/docs/img/chart-dependencies.png b/docs/img/chart-dependencies.png deleted file mode 100644 index bc19cd0b8..000000000 Binary files a/docs/img/chart-dependencies.png and /dev/null differ diff --git a/docs/img/chart-details.png b/docs/img/chart-details.png deleted file mode 100644 index e642feb51..000000000 Binary files a/docs/img/chart-details.png and /dev/null differ diff --git a/docs/img/chart-values.png b/docs/img/chart-values.png deleted file mode 100644 index 26e7b379b..000000000 Binary files a/docs/img/chart-values.png and /dev/null differ diff --git a/docs/img/clair-ready.png b/docs/img/clair-ready.png deleted file mode 100644 index e30256dc2..000000000 Binary files a/docs/img/clair-ready.png and /dev/null differ diff --git a/docs/img/content-trust.png b/docs/img/content-trust.png deleted file mode 100644 index 55d716ad6..000000000 Binary files a/docs/img/content-trust.png and /dev/null differ diff --git a/docs/img/copy-robot-account-token.png b/docs/img/copy-robot-account-token.png deleted file mode 100644 index 33fa2a234..000000000 Binary files a/docs/img/copy-robot-account-token.png and /dev/null differ diff --git a/docs/img/create-user.png b/docs/img/create-user.png deleted file mode 100644 index 7c7903eff..000000000 Binary files a/docs/img/create-user.png and /dev/null differ diff --git a/docs/img/cve-allowlist1.png b/docs/img/cve-allowlist1.png deleted file mode 100644 index f345c4e88..000000000 Binary files a/docs/img/cve-allowlist1.png and /dev/null differ diff --git a/docs/img/cve-allowlist2.png b/docs/img/cve-allowlist2.png deleted file mode 100644 index 905768294..000000000 Binary files a/docs/img/cve-allowlist2.png and /dev/null differ diff --git a/docs/img/cve-allowlist3.png b/docs/img/cve-allowlist3.png deleted file mode 100644 index 524db9387..000000000 Binary files a/docs/img/cve-allowlist3.png and /dev/null differ diff --git a/docs/img/cve-allowlist4.png b/docs/img/cve-allowlist4.png deleted file mode 100644 index 972e84c98..000000000 Binary files a/docs/img/cve-allowlist4.png and /dev/null differ diff --git a/docs/img/cve-allowlist5.png b/docs/img/cve-allowlist5.png deleted file mode 100644 index d9bc6c929..000000000 Binary files a/docs/img/cve-allowlist5.png and /dev/null differ diff --git a/docs/img/cve-allowlist6.png b/docs/img/cve-allowlist6.png deleted file mode 100644 index 1bbc149a8..000000000 Binary files a/docs/img/cve-allowlist6.png and /dev/null differ diff --git a/docs/img/db-auth.png b/docs/img/db-auth.png deleted file mode 100644 index ff1d828d3..000000000 Binary files a/docs/img/db-auth.png and /dev/null differ diff --git a/docs/img/deleteimage1.png b/docs/img/deleteimage1.png deleted file mode 100644 index f5aa68491..000000000 Binary files a/docs/img/deleteimage1.png and /dev/null differ diff --git a/docs/img/deleteimage2.png b/docs/img/deleteimage2.png deleted file mode 100644 index bd3336ffb..000000000 Binary files a/docs/img/deleteimage2.png and /dev/null differ diff --git a/docs/img/deletetag1.png b/docs/img/deletetag1.png deleted file mode 100644 index 8e89c740f..000000000 Binary files a/docs/img/deletetag1.png and /dev/null differ diff --git a/docs/img/disable-delete-robot-account.png b/docs/img/disable-delete-robot-account.png deleted file mode 100644 index d387a6559..000000000 Binary files a/docs/img/disable-delete-robot-account.png and /dev/null differ diff --git a/docs/img/download-harbor-certs.png b/docs/img/download-harbor-certs.png deleted file mode 100644 index 22d89b9c7..000000000 Binary files a/docs/img/download-harbor-certs.png and /dev/null differ diff --git a/docs/img/edit-description.png b/docs/img/edit-description.png deleted file mode 100644 index bf27994a9..000000000 Binary files a/docs/img/edit-description.png and /dev/null differ diff --git a/docs/img/edit-repository-description.png b/docs/img/edit-repository-description.png deleted file mode 100644 index 0b4327e6c..000000000 Binary files a/docs/img/edit-repository-description.png and /dev/null differ diff --git a/docs/img/edit-tag-immutability.png b/docs/img/edit-tag-immutability.png deleted file mode 100644 index d1593ae2d..000000000 Binary files a/docs/img/edit-tag-immutability.png and /dev/null differ diff --git a/docs/img/filter-chart-versions-by-label.png b/docs/img/filter-chart-versions-by-label.png deleted file mode 100644 index 1bfc46505..000000000 Binary files a/docs/img/filter-chart-versions-by-label.png and /dev/null differ diff --git a/docs/img/filter-images-by-label.png b/docs/img/filter-images-by-label.png deleted file mode 100644 index 556505ed5..000000000 Binary files a/docs/img/filter-images-by-label.png and /dev/null differ diff --git a/docs/img/garbage-collection.png b/docs/img/garbage-collection.png deleted file mode 100644 index 3fae281bf..000000000 Binary files a/docs/img/garbage-collection.png and /dev/null differ diff --git a/docs/img/gc-history.png b/docs/img/gc-history.png deleted file mode 100644 index bd5813bff..000000000 Binary files a/docs/img/gc-history.png and /dev/null differ diff --git a/docs/img/gc-policy.png b/docs/img/gc-policy.png deleted file mode 100644 index 7a9e8c5d4..000000000 Binary files a/docs/img/gc-policy.png and /dev/null differ diff --git a/docs/img/generate-create-new-secret.png b/docs/img/generate-create-new-secret.png deleted file mode 100644 index 36594f2ec..000000000 Binary files a/docs/img/generate-create-new-secret.png and /dev/null differ diff --git a/docs/img/ha.png b/docs/img/ha.png deleted file mode 100644 index 6f063c2bb..000000000 Binary files a/docs/img/ha.png and /dev/null differ diff --git a/docs/img/harbor-architecture-1.10.png b/docs/img/harbor-architecture-1.10.png deleted file mode 100644 index 4acbe548a..000000000 Binary files a/docs/img/harbor-architecture-1.10.png and /dev/null differ diff --git a/docs/img/harbor_logo.png b/docs/img/harbor_logo.png deleted file mode 100644 index 57408660e..000000000 Binary files a/docs/img/harbor_logo.png and /dev/null differ diff --git a/docs/img/index-detail.png b/docs/img/index-detail.png deleted file mode 100644 index 2133ef5bf..000000000 Binary files a/docs/img/index-detail.png and /dev/null differ diff --git a/docs/img/index-icon.png b/docs/img/index-icon.png deleted file mode 100644 index 9492923ac..000000000 Binary files a/docs/img/index-icon.png and /dev/null differ diff --git a/docs/img/interrogation-services.png b/docs/img/interrogation-services.png deleted file mode 100644 index b271e1a2f..000000000 Binary files a/docs/img/interrogation-services.png and /dev/null differ diff --git a/docs/img/ldap-auth.png b/docs/img/ldap-auth.png deleted file mode 100644 index a72a9f26d..000000000 Binary files a/docs/img/ldap-auth.png and /dev/null differ diff --git a/docs/img/ldap-cert-test.png b/docs/img/ldap-cert-test.png deleted file mode 100644 index eef322e3b..000000000 Binary files a/docs/img/ldap-cert-test.png and /dev/null differ diff --git a/docs/img/ldap-group-addgroup-dialog.png b/docs/img/ldap-group-addgroup-dialog.png deleted file mode 100644 index fe552dad4..000000000 Binary files a/docs/img/ldap-group-addgroup-dialog.png and /dev/null differ diff --git a/docs/img/ldap-groups.png b/docs/img/ldap-groups.png deleted file mode 100644 index 9bda27d3f..000000000 Binary files a/docs/img/ldap-groups.png and /dev/null differ diff --git a/docs/img/limited-successful-status.png b/docs/img/limited-successful-status.png deleted file mode 100644 index 415416216..000000000 Binary files a/docs/img/limited-successful-status.png and /dev/null differ diff --git a/docs/img/list-artifacts.png b/docs/img/list-artifacts.png deleted file mode 100644 index 1bbbe92a7..000000000 Binary files a/docs/img/list-artifacts.png and /dev/null differ diff --git a/docs/img/list-chart-versions.png b/docs/img/list-chart-versions.png deleted file mode 100644 index ed06fcf33..000000000 Binary files a/docs/img/list-chart-versions.png and /dev/null differ diff --git a/docs/img/list-charts.png b/docs/img/list-charts.png deleted file mode 100644 index 92bbdbc02..000000000 Binary files a/docs/img/list-charts.png and /dev/null differ diff --git a/docs/img/list-repositories.png b/docs/img/list-repositories.png deleted file mode 100644 index c20e0a01b..000000000 Binary files a/docs/img/list-repositories.png and /dev/null differ diff --git a/docs/img/list-tasks.png b/docs/img/list-tasks.png deleted file mode 100644 index 3efc09042..000000000 Binary files a/docs/img/list-tasks.png and /dev/null differ diff --git a/docs/img/log-filter.png b/docs/img/log-filter.png deleted file mode 100644 index 8da927398..000000000 Binary files a/docs/img/log-filter.png and /dev/null differ diff --git a/docs/img/log-search-advanced-date.png b/docs/img/log-search-advanced-date.png deleted file mode 100644 index 0c1cf6bfb..000000000 Binary files a/docs/img/log-search-advanced-date.png and /dev/null differ diff --git a/docs/img/log-search-advanced.png b/docs/img/log-search-advanced.png deleted file mode 100644 index 5ac7cb912..000000000 Binary files a/docs/img/log-search-advanced.png and /dev/null differ diff --git a/docs/img/manage-global-level-labels.png b/docs/img/manage-global-level-labels.png deleted file mode 100644 index 4c8fa87ba..000000000 Binary files a/docs/img/manage-global-level-labels.png and /dev/null differ diff --git a/docs/img/manage-project-level-labels.png b/docs/img/manage-project-level-labels.png deleted file mode 100644 index 94b8ec63e..000000000 Binary files a/docs/img/manage-project-level-labels.png and /dev/null differ diff --git a/docs/img/manage-registry.png b/docs/img/manage-registry.png deleted file mode 100644 index cc369b003..000000000 Binary files a/docs/img/manage-registry.png and /dev/null differ diff --git a/docs/img/new-add-member.png b/docs/img/new-add-member.png deleted file mode 100644 index ae4b56a82..000000000 Binary files a/docs/img/new-add-member.png and /dev/null differ diff --git a/docs/img/new-browse-project.png b/docs/img/new-browse-project.png deleted file mode 100644 index 71d55866b..000000000 Binary files a/docs/img/new-browse-project.png and /dev/null differ diff --git a/docs/img/new-config-email.png b/docs/img/new-config-email.png deleted file mode 100644 index 35237912c..000000000 Binary files a/docs/img/new-config-email.png and /dev/null differ diff --git a/docs/img/new-create-project.png b/docs/img/new-create-project.png deleted file mode 100644 index 352d5f556..000000000 Binary files a/docs/img/new-create-project.png and /dev/null differ diff --git a/docs/img/new-delete-repo.png b/docs/img/new-delete-repo.png deleted file mode 100644 index 05450b8e4..000000000 Binary files a/docs/img/new-delete-repo.png and /dev/null differ diff --git a/docs/img/new-delete-tag.png b/docs/img/new-delete-tag.png deleted file mode 100644 index ac4d6dc60..000000000 Binary files a/docs/img/new-delete-tag.png and /dev/null differ diff --git a/docs/img/new-proj-create.png b/docs/img/new-proj-create.png deleted file mode 100644 index fbe3f72ab..000000000 Binary files a/docs/img/new-proj-create.png and /dev/null differ diff --git a/docs/img/new-project-log.png b/docs/img/new-project-log.png deleted file mode 100644 index 54a96f6b9..000000000 Binary files a/docs/img/new-project-log.png and /dev/null differ diff --git a/docs/img/new-remove-update-member.png b/docs/img/new-remove-update-member.png deleted file mode 100644 index a0c760843..000000000 Binary files a/docs/img/new-remove-update-member.png and /dev/null differ diff --git a/docs/img/new-robot-account.png b/docs/img/new-robot-account.png deleted file mode 100644 index 3e74269a1..000000000 Binary files a/docs/img/new-robot-account.png and /dev/null differ diff --git a/docs/img/new-search.png b/docs/img/new-search.png deleted file mode 100644 index b5d362fa4..000000000 Binary files a/docs/img/new-search.png and /dev/null differ diff --git a/docs/img/new-self-reg.png b/docs/img/new-self-reg.png deleted file mode 100644 index 93986ea3b..000000000 Binary files a/docs/img/new-self-reg.png and /dev/null differ diff --git a/docs/img/new-set-admin-remove-user.png b/docs/img/new-set-admin-remove-user.png deleted file mode 100644 index 8b5c2c35c..000000000 Binary files a/docs/img/new-set-admin-remove-user.png and /dev/null differ diff --git a/docs/img/new-user.png b/docs/img/new-user.png deleted file mode 100644 index 0b8c42f17..000000000 Binary files a/docs/img/new-user.png and /dev/null differ diff --git a/docs/img/oidc-auth-setting.png b/docs/img/oidc-auth-setting.png deleted file mode 100644 index 211935dcd..000000000 Binary files a/docs/img/oidc-auth-setting.png and /dev/null differ diff --git a/docs/img/oidc-cert-verification.png b/docs/img/oidc-cert-verification.png deleted file mode 100644 index f13e6450f..000000000 Binary files a/docs/img/oidc-cert-verification.png and /dev/null differ diff --git a/docs/img/oidc-login.png b/docs/img/oidc-login.png deleted file mode 100644 index 1bf77656a..000000000 Binary files a/docs/img/oidc-login.png and /dev/null differ diff --git a/docs/img/oidc-onboard-dlg.png b/docs/img/oidc-onboard-dlg.png deleted file mode 100644 index 6537ec0ae..000000000 Binary files a/docs/img/oidc-onboard-dlg.png and /dev/null differ diff --git a/docs/img/prevent-vulnerable-images.png b/docs/img/prevent-vulnerable-images.png deleted file mode 100644 index 55c9dbb93..000000000 Binary files a/docs/img/prevent-vulnerable-images.png and /dev/null differ diff --git a/docs/img/profile-dlg.png b/docs/img/profile-dlg.png deleted file mode 100644 index ffaa6330e..000000000 Binary files a/docs/img/profile-dlg.png and /dev/null differ diff --git a/docs/img/project-configuration.png b/docs/img/project-configuration.png deleted file mode 100644 index c4e5d572e..000000000 Binary files a/docs/img/project-configuration.png and /dev/null differ diff --git a/docs/img/project-logs.png b/docs/img/project-logs.png deleted file mode 100644 index ff711d919..000000000 Binary files a/docs/img/project-logs.png and /dev/null differ diff --git a/docs/img/project-members.png b/docs/img/project-members.png deleted file mode 100644 index 740a955d3..000000000 Binary files a/docs/img/project-members.png and /dev/null differ diff --git a/docs/img/project-quota1.png b/docs/img/project-quota1.png deleted file mode 100644 index 896d3a6ca..000000000 Binary files a/docs/img/project-quota1.png and /dev/null differ diff --git a/docs/img/project-quota2.png b/docs/img/project-quota2.png deleted file mode 100644 index 90455ea0d..000000000 Binary files a/docs/img/project-quota2.png and /dev/null differ diff --git a/docs/img/project-quota3.png b/docs/img/project-quota3.png deleted file mode 100644 index dfe2af50c..000000000 Binary files a/docs/img/project-quota3.png and /dev/null differ diff --git a/docs/img/project-quota4.png b/docs/img/project-quota4.png deleted file mode 100644 index 35b160f11..000000000 Binary files a/docs/img/project-quota4.png and /dev/null differ diff --git a/docs/img/project-quota5.png b/docs/img/project-quota5.png deleted file mode 100644 index 221e69894..000000000 Binary files a/docs/img/project-quota5.png and /dev/null differ diff --git a/docs/img/project-scanners.png b/docs/img/project-scanners.png deleted file mode 100644 index 14904c601..000000000 Binary files a/docs/img/project-scanners.png and /dev/null differ diff --git a/docs/img/rbac.png b/docs/img/rbac.png deleted file mode 100644 index 17b1c080c..000000000 Binary files a/docs/img/rbac.png and /dev/null differ diff --git a/docs/img/read-only-enable.png b/docs/img/read-only-enable.png deleted file mode 100644 index 29ad806d1..000000000 Binary files a/docs/img/read-only-enable.png and /dev/null differ diff --git a/docs/img/read-only.png b/docs/img/read-only.png deleted file mode 100644 index ce48fec29..000000000 Binary files a/docs/img/read-only.png and /dev/null differ diff --git a/docs/img/readme/bell-outline-badged.svg b/docs/img/readme/bell-outline-badged.svg deleted file mode 100644 index a8b0a96d0..000000000 --- a/docs/img/readme/bell-outline-badged.svg +++ /dev/null @@ -1,5 +0,0 @@ - - bell-outline-badged - - - \ No newline at end of file diff --git a/docs/img/readme/harbor_logo.png b/docs/img/readme/harbor_logo.png deleted file mode 100644 index 57408660e..000000000 Binary files a/docs/img/readme/harbor_logo.png and /dev/null differ diff --git a/docs/img/rendered-swagger.png b/docs/img/rendered-swagger.png deleted file mode 100644 index d61cf140f..000000000 Binary files a/docs/img/rendered-swagger.png and /dev/null differ diff --git a/docs/img/replication-adapters/acr.png b/docs/img/replication-adapters/acr.png deleted file mode 100644 index ff15570cb..000000000 Binary files a/docs/img/replication-adapters/acr.png and /dev/null differ diff --git a/docs/img/replication-adapters/ali-cr.png b/docs/img/replication-adapters/ali-cr.png deleted file mode 100644 index 35f4bcae7..000000000 Binary files a/docs/img/replication-adapters/ali-cr.png and /dev/null differ diff --git a/docs/img/replication-adapters/artifactory.png b/docs/img/replication-adapters/artifactory.png deleted file mode 100644 index 326fe344c..000000000 Binary files a/docs/img/replication-adapters/artifactory.png and /dev/null differ diff --git a/docs/img/replication-adapters/distribution.png b/docs/img/replication-adapters/distribution.png deleted file mode 100644 index d52a76d2b..000000000 Binary files a/docs/img/replication-adapters/distribution.png and /dev/null differ diff --git a/docs/img/replication-adapters/docker-hub.png b/docs/img/replication-adapters/docker-hub.png deleted file mode 100644 index f9dd0ea67..000000000 Binary files a/docs/img/replication-adapters/docker-hub.png and /dev/null differ diff --git a/docs/img/replication-adapters/ecr-aws.png b/docs/img/replication-adapters/ecr-aws.png deleted file mode 100644 index 4410013de..000000000 Binary files a/docs/img/replication-adapters/ecr-aws.png and /dev/null differ diff --git a/docs/img/replication-adapters/ecr.png b/docs/img/replication-adapters/ecr.png deleted file mode 100644 index cd5cc8194..000000000 Binary files a/docs/img/replication-adapters/ecr.png and /dev/null differ diff --git a/docs/img/replication-adapters/gcr.png b/docs/img/replication-adapters/gcr.png deleted file mode 100644 index bc4e6deca..000000000 Binary files a/docs/img/replication-adapters/gcr.png and /dev/null differ diff --git a/docs/img/replication-adapters/gitlab.png b/docs/img/replication-adapters/gitlab.png deleted file mode 100644 index f2442ccb6..000000000 Binary files a/docs/img/replication-adapters/gitlab.png and /dev/null differ diff --git a/docs/img/replication-adapters/harbor-logo.png b/docs/img/replication-adapters/harbor-logo.png deleted file mode 100644 index dc395201a..000000000 Binary files a/docs/img/replication-adapters/harbor-logo.png and /dev/null differ diff --git a/docs/img/replication-adapters/helm-hub.png b/docs/img/replication-adapters/helm-hub.png deleted file mode 100644 index 834b1d4db..000000000 Binary files a/docs/img/replication-adapters/helm-hub.png and /dev/null differ diff --git a/docs/img/replication-adapters/hw.png b/docs/img/replication-adapters/hw.png deleted file mode 100644 index 14cdd5397..000000000 Binary files a/docs/img/replication-adapters/hw.png and /dev/null differ diff --git a/docs/img/replication-adapters/quay.png b/docs/img/replication-adapters/quay.png deleted file mode 100644 index 17ff9cbdc..000000000 Binary files a/docs/img/replication-adapters/quay.png and /dev/null differ diff --git a/docs/img/replication-adapters/right.png b/docs/img/replication-adapters/right.png deleted file mode 100644 index 4961f2c79..000000000 Binary files a/docs/img/replication-adapters/right.png and /dev/null differ diff --git a/docs/img/replication-endpoint1.png b/docs/img/replication-endpoint1.png deleted file mode 100644 index b5077dcdf..000000000 Binary files a/docs/img/replication-endpoint1.png and /dev/null differ diff --git a/docs/img/replication-endpoint2.png b/docs/img/replication-endpoint2.png deleted file mode 100644 index 53020d763..000000000 Binary files a/docs/img/replication-endpoint2.png and /dev/null differ diff --git a/docs/img/replication-rule1.png b/docs/img/replication-rule1.png deleted file mode 100644 index 43441f7d5..000000000 Binary files a/docs/img/replication-rule1.png and /dev/null differ diff --git a/docs/img/replication-rule2.png b/docs/img/replication-rule2.png deleted file mode 100644 index f0e0244c6..000000000 Binary files a/docs/img/replication-rule2.png and /dev/null differ diff --git a/docs/img/replication-rule3.png b/docs/img/replication-rule3.png deleted file mode 100644 index c50dd0c18..000000000 Binary files a/docs/img/replication-rule3.png and /dev/null differ diff --git a/docs/img/replication-rule4.png b/docs/img/replication-rule4.png deleted file mode 100644 index 892855b56..000000000 Binary files a/docs/img/replication-rule4.png and /dev/null differ diff --git a/docs/img/replication-rule5.png b/docs/img/replication-rule5.png deleted file mode 100644 index 7d148a6cf..000000000 Binary files a/docs/img/replication-rule5.png and /dev/null differ diff --git a/docs/img/replication-rule6.png b/docs/img/replication-rule6.png deleted file mode 100644 index 1f615b2e5..000000000 Binary files a/docs/img/replication-rule6.png and /dev/null differ diff --git a/docs/img/retag-image.png b/docs/img/retag-image.png deleted file mode 100644 index 08c705f46..000000000 Binary files a/docs/img/retag-image.png and /dev/null differ diff --git a/docs/img/retag1.png b/docs/img/retag1.png deleted file mode 100644 index 5ff0593f4..000000000 Binary files a/docs/img/retag1.png and /dev/null differ diff --git a/docs/img/retag2.png b/docs/img/retag2.png deleted file mode 100644 index 26e356cc1..000000000 Binary files a/docs/img/retag2.png and /dev/null differ diff --git a/docs/img/robotaccount/add-robot-account-2.png b/docs/img/robotaccount/add-robot-account-2.png deleted file mode 100644 index 645d7970c..000000000 Binary files a/docs/img/robotaccount/add-robot-account-2.png and /dev/null differ diff --git a/docs/img/robotaccount/add-robot-account.png b/docs/img/robotaccount/add-robot-account.png deleted file mode 100644 index 316f94bc6..000000000 Binary files a/docs/img/robotaccount/add-robot-account.png and /dev/null differ diff --git a/docs/img/robotaccount/copy-robot-account-token.png b/docs/img/robotaccount/copy-robot-account-token.png deleted file mode 100644 index 33fa2a234..000000000 Binary files a/docs/img/robotaccount/copy-robot-account-token.png and /dev/null differ diff --git a/docs/img/robotaccount/disable-delete-robot-account.png b/docs/img/robotaccount/disable-delete-robot-account.png deleted file mode 100644 index d387a6559..000000000 Binary files a/docs/img/robotaccount/disable-delete-robot-account.png and /dev/null differ diff --git a/docs/img/robotaccount/new-robot-account.png b/docs/img/robotaccount/new-robot-account.png deleted file mode 100644 index b81a85996..000000000 Binary files a/docs/img/robotaccount/new-robot-account.png and /dev/null differ diff --git a/docs/img/robotaccount/set-robot-account-token-duration.png b/docs/img/robotaccount/set-robot-account-token-duration.png deleted file mode 100644 index 37c62343e..000000000 Binary files a/docs/img/robotaccount/set-robot-account-token-duration.png and /dev/null differ diff --git a/docs/img/scan-all.png b/docs/img/scan-all.png deleted file mode 100644 index e763ba1f0..000000000 Binary files a/docs/img/scan-all.png and /dev/null differ diff --git a/docs/img/scan-artifact.png b/docs/img/scan-artifact.png deleted file mode 100644 index 51995e99e..000000000 Binary files a/docs/img/scan-artifact.png and /dev/null differ diff --git a/docs/img/scan-on-push.png b/docs/img/scan-on-push.png deleted file mode 100644 index 63a26dfc4..000000000 Binary files a/docs/img/scan-on-push.png and /dev/null differ diff --git a/docs/img/scan-policy.png b/docs/img/scan-policy.png deleted file mode 100644 index eab9d3675..000000000 Binary files a/docs/img/scan-policy.png and /dev/null differ diff --git a/docs/img/scan-result.png b/docs/img/scan-result.png deleted file mode 100644 index df6e15772..000000000 Binary files a/docs/img/scan-result.png and /dev/null differ diff --git a/docs/img/scanner-auth.png b/docs/img/scanner-auth.png deleted file mode 100644 index b470868cf..000000000 Binary files a/docs/img/scanner-auth.png and /dev/null differ diff --git a/docs/img/scanners/anchore.png b/docs/img/scanners/anchore.png deleted file mode 100644 index c9cea2a3d..000000000 Binary files a/docs/img/scanners/anchore.png and /dev/null differ diff --git a/docs/img/scanners/aqua.png b/docs/img/scanners/aqua.png deleted file mode 100644 index db68fdd75..000000000 Binary files a/docs/img/scanners/aqua.png and /dev/null differ diff --git a/docs/img/scanners/clair.png b/docs/img/scanners/clair.png deleted file mode 100644 index f11d0d0cd..000000000 Binary files a/docs/img/scanners/clair.png and /dev/null differ diff --git a/docs/img/scanners/dosec.png b/docs/img/scanners/dosec.png deleted file mode 100644 index 2a4c0f4cb..000000000 Binary files a/docs/img/scanners/dosec.png and /dev/null differ diff --git a/docs/img/scanners/trivy.png b/docs/img/scanners/trivy.png deleted file mode 100644 index 3cc551f9d..000000000 Binary files a/docs/img/scanners/trivy.png and /dev/null differ diff --git a/docs/img/select-ldap-auth.png b/docs/img/select-ldap-auth.png deleted file mode 100644 index 151a3256d..000000000 Binary files a/docs/img/select-ldap-auth.png and /dev/null differ diff --git a/docs/img/select-oidc-auth.png b/docs/img/select-oidc-auth.png deleted file mode 100644 index 6260398fb..000000000 Binary files a/docs/img/select-oidc-auth.png and /dev/null differ diff --git a/docs/img/select-scanner.png b/docs/img/select-scanner.png deleted file mode 100644 index c21a4d51b..000000000 Binary files a/docs/img/select-scanner.png and /dev/null differ diff --git a/docs/img/self-registration-login.png b/docs/img/self-registration-login.png deleted file mode 100644 index c2332ae60..000000000 Binary files a/docs/img/self-registration-login.png and /dev/null differ diff --git a/docs/img/set-robot-account-token-duration.png b/docs/img/set-robot-account-token-duration.png deleted file mode 100644 index 37c62343e..000000000 Binary files a/docs/img/set-robot-account-token-duration.png and /dev/null differ diff --git a/docs/img/set-vulnerability-threshold.png b/docs/img/set-vulnerability-threshold.png deleted file mode 100644 index c6d8f9f9c..000000000 Binary files a/docs/img/set-vulnerability-threshold.png and /dev/null differ diff --git a/docs/img/swagger-editor.png b/docs/img/swagger-editor.png deleted file mode 100644 index e08f991ee..000000000 Binary files a/docs/img/swagger-editor.png and /dev/null differ diff --git a/docs/img/tag-immutability.png b/docs/img/tag-immutability.png deleted file mode 100644 index 86eeb114a..000000000 Binary files a/docs/img/tag-immutability.png and /dev/null differ diff --git a/docs/img/tag-retention1.png b/docs/img/tag-retention1.png deleted file mode 100644 index 7a4a92d0e..000000000 Binary files a/docs/img/tag-retention1.png and /dev/null differ diff --git a/docs/img/tag-retention2.png b/docs/img/tag-retention2.png deleted file mode 100644 index 0b7cd9e87..000000000 Binary files a/docs/img/tag-retention2.png and /dev/null differ diff --git a/docs/img/tag-retention3.png b/docs/img/tag-retention3.png deleted file mode 100644 index 0daa2f78a..000000000 Binary files a/docs/img/tag-retention3.png and /dev/null differ diff --git a/docs/img/tag-retention4.png b/docs/img/tag-retention4.png deleted file mode 100644 index 6f02f89ba..000000000 Binary files a/docs/img/tag-retention4.png and /dev/null differ diff --git a/docs/img/tag-retention5.png b/docs/img/tag-retention5.png deleted file mode 100644 index 2fe975190..000000000 Binary files a/docs/img/tag-retention5.png and /dev/null differ diff --git a/docs/img/test-scanner-connection.png b/docs/img/test-scanner-connection.png deleted file mode 100644 index a9b6306dc..000000000 Binary files a/docs/img/test-scanner-connection.png and /dev/null differ diff --git a/docs/img/upload-charts.png b/docs/img/upload-charts.png deleted file mode 100644 index 9f040d87a..000000000 Binary files a/docs/img/upload-charts.png and /dev/null differ diff --git a/docs/img/user-profile.png b/docs/img/user-profile.png deleted file mode 100644 index ae9f154d1..000000000 Binary files a/docs/img/user-profile.png and /dev/null differ diff --git a/docs/img/vulnerability-summary.png b/docs/img/vulnerability-summary.png deleted file mode 100644 index 50b117238..000000000 Binary files a/docs/img/vulnerability-summary.png and /dev/null differ diff --git a/docs/img/webhooks1.png b/docs/img/webhooks1.png deleted file mode 100644 index 7ca36604f..000000000 Binary files a/docs/img/webhooks1.png and /dev/null differ diff --git a/docs/img/webhooks2.png b/docs/img/webhooks2.png deleted file mode 100644 index 2fffa284b..000000000 Binary files a/docs/img/webhooks2.png and /dev/null differ diff --git a/docs/img/webhooks3.png b/docs/img/webhooks3.png deleted file mode 100644 index 7c70517b2..000000000 Binary files a/docs/img/webhooks3.png and /dev/null differ diff --git a/docs/img/webhooks4.png b/docs/img/webhooks4.png deleted file mode 100644 index 790dab3ec..000000000 Binary files a/docs/img/webhooks4.png and /dev/null differ diff --git a/docs/install-config/_index.md b/docs/install-config/_index.md deleted file mode 100644 index 1f71cbbe9..000000000 --- a/docs/install-config/_index.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Harbor Installation and Configuration -weight: 5 ---- - -This section describes how to perform a new installation of Harbor. - -If you are upgrading from a previous version of Harbor, you might need to update the configuration file and migrate your data to fit the database schema of the later version. For information about upgrading, see [Upgrading Harbor](../administration/upgrade/_index.md). - -Before you install Harbor, you can test the latest version of Harbor on a demo environment maintained by the Harbor team. For information, see [Test Harbor with the Demo Server](demo-server.md). - -Harbor supports integration with different 3rd-party replication adapters for replicating data, OIDC adapters for authN/authZ, and scanner adapters for vulnerability scanning of container images. For information about the supported adapters, see the [Harbor Compatibility List](harbor-compatibility-list.md). - -## Installation Process - -The standard Harbor installation process involves the following stages: - -1. Make sure that your target host meets the [Harbor Installation Prerequisites](installation-prereqs.md). -1. [Download the Harbor Installer](download-installer.md) -1. [Configure HTTPS Access to Harbor](configure-https.md) -1. [Configure the Harbor YML File](configure-yml-file.md) -1. [Configure Enabling Internal TLS](configure-internal-tls.md) -1. [Run the Installer Script](run-installer-script.md) - -If installation fails, see [Troubleshooting Harbor Installation](troubleshoot-installation.md). - -## Quick Installation - -You can run a script that deploys Harbor to Ubuntu 18.04 with a single command. For information, see [Deploy Harbor with the Quick Installation Script](quick-install-script.md). - -## Deploy Harbor on Kubernetes - -You can also use Helm to install Harbor on a Kubernetes cluster, to make Harbor highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see [Deploying Harbor with High Availability via Helm](harbor-ha-helm.md). - -## Post-Installation Configuration - -For information about how to manage your deployed Harbor instance, see [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure-manage-lifecycle.md). - -By default, Harbor uses its own private key and certificate to authenticate with Docker. For information about how to optionally customize your configuration to use your own key and certificate, see [Customize the Harbor Token Service](customize-token-service.md). - -After installation, log into your Harbor via the web console to configure the instance under 'configuration'. Harbor also provides a command line interface (CLI) that allows you to [Configure Harbor User Settings at the Command Line](configure-user-settings-cli.md). - -## Harbor Components - -The table below lists the some of the key components that are deployed when you deploy Harbor. - -|Component|Version| -|---|---| -|Postgresql|9.6.10-1.ph2| -|Redis|4.0.10-1.ph2| -|Clair|2.0.8| -|Beego|1.9.0| -|Chartmuseum|0.9.0| -|Docker/distribution|2.7.1| -|Docker/notary|0.6.1| -|Helm|2.9.1| -|Swagger-ui|3.22.1| - diff --git a/docs/install-config/configure-https.md b/docs/install-config/configure-https.md deleted file mode 100644 index 34d29be37..000000000 --- a/docs/install-config/configure-https.md +++ /dev/null @@ -1,185 +0,0 @@ ---- -title: Configure HTTPS Access to Harbor -weight: 30 ---- - -By default, Harbor does not ship with certificates. It is possible to deploy Harbor without security, so that you can connect to it over HTTP. However, using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS. - -To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use [OpenSSL](https://www.openssl.org/) to create a CA, and how to use your CA to sign a server certificate and a client certificate. You can use other CA providers, for example [Let's Encrypt](https://letsencrypt.org/). - -The procedures below assume that your Harbor registry's hostname is `yourdomain.com`, and that its DNS record points to the host on which you are running Harbor. - -## Generate a Certificate Authority Certificate - -In a production environment, you should obtain a certificate from a CA. In a test or development environment, you can generate your own CA. To generate a CA certficate, run the following commands. - -1. Generate a CA certificate private key. - - ```sh - openssl genrsa -out ca.key 4096 - ``` - -1. Generate the CA certificate. - - Adapt the values in the `-subj` option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (`CN`) attribute. - - ```sh - openssl req -x509 -new -nodes -sha512 -days 3650 \ - -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \ - -key ca.key \ - -out ca.crt - ``` - -## Generate a Server Certificate - -The certificate usually contains a `.crt` file and a `.key` file, for example, `yourdomain.com.crt` and `yourdomain.com.key`. - -1. Generate a private key. - - ```sh - openssl genrsa -out yourdomain.com.key 4096 - ``` - -1. Generate a certificate signing request (CSR). - - Adapt the values in the `-subj` option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (`CN`) attribute and use it in the key and CSR filenames. - - ```sh - openssl req -sha512 -new \ - -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \ - -key yourdomain.com.key \ - -out yourdomain.com.csr - ``` - -1. Generate an x509 v3 extension file. - - Regardless of whether you're using either an FQDN or an IP address to connect to your Harbor host, you must create this file so that you can generate a certificate for your Harbor host that complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the `DNS` entries to reflect your domain. - - ```sh - cat > v3.ext <<-EOF - authorityKeyIdentifier=keyid,issuer - basicConstraints=CA:FALSE - keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment - extendedKeyUsage = serverAuth - subjectAltName = @alt_names - - [alt_names] - DNS.1=yourdomain.com - DNS.2=yourdomain - DNS.3=hostname - EOF - ``` - -1. Use the `v3.ext` file to generate a certificate for your Harbor host. - - Replace the `yourdomain.com` in the CRS and CRT file names with the Harbor host name. - - ```sh - openssl x509 -req -sha512 -days 3650 \ - -extfile v3.ext \ - -CA ca.crt -CAkey ca.key -CAcreateserial \ - -in yourdomain.com.csr \ - -out yourdomain.com.crt - ``` - -## Provide the Certificates to Harbor and Docker - -After generating the `ca.crt`, `yourdomain.com.crt`, and `yourdomain.com.key` files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them. - -1. Copy the server certificate and key into the certficates folder on your Harbor host. - - ```sh - cp yourdomain.com.crt /data/cert/ - cp yourdomain.com.key /data/cert/ - ``` - -1. Convert `yourdomain.com.crt` to `yourdomain.com.cert`, for use by Docker. - - The Docker daemon interprets `.crt` files as CA certificates and `.cert` files as client certificates. - - ```sh - openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert - ``` - -1. Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first. - - ```sh - cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/ - cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/ - cp ca.crt /etc/docker/certs.d/yourdomain.com/ - ``` - - If you mapped the default `nginx` port 443 to a different port, create the folder `/etc/docker/certs.d/yourdomain.com:port`, or `/etc/docker/certs.d/harbor_IP:port`. - -1. Restart Docker Engine. - - ```sh - systemctl restart docker - ``` - -You might also need to trust the certificate at the OS level. See [Troubleshooting Harbor Installation](troubleshoot-installation.md#https) for more information. - -The following example illustrates a configuration that uses custom certificates. - -``` -/etc/docker/certs.d/ - └── yourdomain.com:port - ├── yourdomain.com.cert <-- Server certificate signed by CA - ├── yourdomain.com.key <-- Server key signed by CA - └── ca.crt <-- Certificate authority that signed the registry certificate -``` - -## Deploy or Reconfigure Harbor - -If you have not yet deployed Harbor, see [Configure the Harbor YML File](configure-yml-file.md) for information about how to configure Harbor to use the certificates by specifying the `hostname` and `https` attributes in `harbor.yml`. - -If you already deployed Harbor with HTTP and want to reconfigure it to use HTTPS, perform the following steps. - -1. Run the `prepare` script to enable HTTPS. - - Harbor uses an `nginx` instance as a reverse proxy for all services. You use the `prepare` script to configure `nginx` to use HTTPS. The `prepare` is in the Harbor installer bundle, at the same level as the `install.sh` script. - - ```sh - ./prepare - ``` - -1. If Harbor is running, stop and remove the existing instance. - - Your image data remains in the file system, so no data is lost. - - ```sh - docker-compose down -v - ``` - -1. Restart Harbor: - - ```sh - docker-compose up -d - ``` - -## Verify the HTTPS Connection - -After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps. - -* Open a browser and enter https://yourdomain.com. It should display the Harbor interface. - - Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when using a self-signed CA that is not from a trusted third-party CA. You can import the CA to the browser to remove the warning. - -* On a machine that runs the Docker daemon, check the `/etc/docker/daemon.json` file to make sure that the `-insecure-registry` option is not set for https://yourdomain.com. - -* Log into Harbor from the Docker client. - - ```sh - docker login yourdomain.com - ``` - - If you've mapped `nginx` 443 port to a different port,add the port in the `login` command. - - ```sh - docker login yourdomain.com:port - ``` - -## What to Do Next - -- If the verification succeeds, see [Harbor Administration](../administration) for information about using Harbor. -- If installation fails, see [Troubleshooting Harbor Installation](troubleshoot-installation.md). diff --git a/docs/install-config/configure-internal-tls.md b/docs/install-config/configure-internal-tls.md deleted file mode 100644 index 015320f0e..000000000 --- a/docs/install-config/configure-internal-tls.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: Configure Internal TLS communication between Harbor Component -weight: 30 ---- - - By default, The internal communication between Harbor's component (harbor-core,harbor-jobservice,proxy,harbor-portal,registry,registryctl,trivy_adapter,clair_adapter,chartmuseum) use HTTP protocol which might not be secure enough for some production environment. Since Harbor v2.0, TLS can be used for this internal network. In production environments, always use HTTPS is a recommended best practice. - -This functionality is introduced via the `internal_tls` in `harbor.yml` file. To enabled internal TLS, set `enabled` to `true` and set the `dir` value to the path of directory that contains the internal cert files. - -All certs can be automatically generated by `prepare` tool. -```bash -docker run -v /:/hostfs goharbor/prepare:v2.0 gencert -p /path/to/internal/tls/cert -``` - -User also can provide their own CA to generate the other certs. Just put certificate and key of the CA on internal tls cert directory and name them as `harbor_internal_ca.key` and `harbor_internal_ca.crt`. -Besides, a user can also provide the certs for all components. However, there are some constraints for the certs: - -* First, all certs must be signed by a single unique CA -* Second, the filename of the internal cert and `CN` field on cert file must follow the convention listed below' - - |name|usage|CN| - |---|---|---| - |`harbor_internal_ca.key`| ca's key file for internal TLS | N/A | - |`harbor_internal_ca.crt`| ca's certificate file for internal TLS | N/A | - |`core.key`| core's key file | N/A | - |`core.crt`| core's certificate file| `core` | - |`job_service.key`| job_service's key file | N/A | - |`job_service.crt`| job_service's certificate file| `jobservice` | - |`proxy.key`| proxy's key file | N/A | - |`proxy.crt`| proxy's certificate file| `proxy` | - |`portal.key`| portal's key file | N/A | - |`portal.crt`| portal's certificate file| `portal` | - |`registry.key`| registry's key file | N/A | - |`registry.crt`| registry's certificate file| `registry` | - |`registryctl.key`| registryctl's key file | N/A | - |`registryctl.crt`| registryctl's certificate file| `registryctl` | - |`notary_server.key`| notary_server's key file | N/A | - |`notary_server.crt`| notary_server's certificate file| `notary-server` | - |`notary_signer.key`| notary_signer's key file | N/A | - |`notary_signer.crt`| notary_signer's certificate file| `notary-signer` | - |`trivy_adapter.key`| trivy_adapter.'s key file | N/A | - |`trivy_adapter.crt`| trivy_adapter.'s certificate file| `trivy-adapter` | - |`clair.key`| clair's key file | N/A | - |`clair.crt`| clair's certificate file| `clair` | - |`clair_adapter.key`| clair_adapter's key file | N/A | - |`clair_adapter.crt`| clair_adapter's certificate file| `clair-adapter` | - |`chartmuseum.key`| chartmuseum's key file | N/A | - |`chartmuseum.crt`| chartmuseum's certificate file| `chartmuseum` | diff --git a/docs/install-config/configure-user-settings-cli.md b/docs/install-config/configure-user-settings-cli.md deleted file mode 100644 index 47e7169f2..000000000 --- a/docs/install-config/configure-user-settings-cli.md +++ /dev/null @@ -1,128 +0,0 @@ ---- -title: Configure Harbor User Settings at the Command Line -weight: 65 ---- - -From release 1.8.0 onwards, user settings are configured separately from the system settings. You do not configure user settings in the `harbor.yml` file, but rather in the Harbor interface or via HTTP requests. - -## Example Configuration Commands: - -**Add a new user in the local database:** - -```sh -curl -X PUT -u ":" -H "Content-Type: application/json" -ki /api/configurations -d'{"":""}' -``` - -**Get the current configuration:** - -```sh -curl -u ":" -H "Content-Type: application/json" -ki /api/configurations -``` - -**Update Harbor to use LDAP authentication:** - -Command - -```shell -curl -X PUT -u ":" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/configurations -d'{"auth_mode":"ldap_auth"}' -``` - -Output - -``` -HTTP/1.1 200 OK -Server: nginx -Date: Wed, 08 May 2019 08:22:02 GMT -Content-Type: text/plain; charset=utf-8 -Content-Length: 0 -Connection: keep-alive -Set-Cookie: sid=a5803a1265e2b095cf65ce1d8bbd79b1; Path=/; HttpOnly -``` - -**Restrict project creation to Harbor administrators:** - -Command - -```shell -curl -X PUT -u ":" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/configurations -d'{"project_creation_restriction":"adminonly"}' -``` - -Output - -``` -HTTP/1.1 200 OK -Server: nginx -Date: Wed, 08 May 2019 08:24:32 GMT -Content-Type: text/plain; charset=utf-8 -Content-Length: 0 -Connection: keep-alive -Set-Cookie: sid=b7925eaf7af53bdefb13bdcae201a14a; Path=/; HttpOnly -``` - -**Update the token expiration time:** - -Command - -```shell -curl -X PUT -u ":" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/configurations -d'{"token_expiration":"300"}' -``` - -Output - -``` -HTTP/1.1 200 OK -Server: nginx -Date: Wed, 08 May 2019 08:23:38 GMT -Content-Type: text/plain; charset=utf-8 -Content-Length: 0 -Connection: keep-alive -Set-Cookie: sid=cc1bc93ffa2675253fc62b4bf3d9de0e; Path=/; HttpOnly -``` - -## Harbor user settings - -| Configure item name | Description | Type | Required | Default Value | -| ------------ |------------ | ---- | ----- | ----- | -auth_mode | Authentication mode, it can be db_auth, ldap_auth, uaa_auth or oidc_auth | string -email_from | Email from | string | required (email feature) -email_host | Email server | string | required (email feature) -email_identity | Email identity | string | optional (email feature) -email_password | Email password | string | required (email feature) -email_insecure | Email verify certificate, true or false |boolean | optional (email feature) | false -email_port | Email server port | number | required (email feature) -email_ssl | Email SSL | boolean | optional | false -email_username | Email username | string | required (email feature) -ldap_url | LDAP URL | string | required | -ldap_base_dn | LDAP base DN | string | required(ldap_auth) -ldap_filter | LDAP filter | string | optional -ldap_scope | LDAP search scope, 0-Base Level, 1- One Level, 2-Sub Tree | number | optional | 2-Sub Tree -ldap_search_dn | LDAP DN to search LDAP users| string | required(ldap_auth) -ldap_search_password | LDAP DN's password |string | required(ldap_auth) -ldap_timeout | LDAP connection timeout | number | optional | 5 -ldap_uid | LDAP attribute to indicate the username in Harbor | string | optional | cn -ldap_verify_cert | Verify cert when create SSL connection with LDAP server, true or false | boolean | optional | true -ldap_group_admin_dn | LDAP Group Admin DN | string | optional -ldap_group_attribute_name | LDAP Group Attribute, the LDAP attribute indicate the groupname in Harbor, it can be gid or cn | string | optional | cn -ldap_group_base_dn | The Base DN which to search the LDAP groups | string | required(ldap_auth and LDAP group) -ldap_group_search_filter | The filter to search LDAP groups | string | optional -ldap_group_search_scope | LDAP group search scope, 0-Base Level, 1- One Level, 2-Sub Tree | number | optional | 2-Sub Tree| -ldap_group_membership_attribute | LDAP group membership attribute, to indicate the group membership, it can be memberof, or ismemberof | string | optional | memberof -project_creation_restriction | The option to indicate user can be create object, it can be everyone, adminonly | string | optional | everyone -read_only | The option to set repository read only, it can be true or false | boolean | optional | false -self_registration | User can register account in Harbor, it can be true or false | boolean | optional| true -token_expiration | Security token expirtation time in minutes | number |optional| 30 -uaa_client_id | UAA client ID | string | required(uaa_auth) -uaa_client_secret | UAA certificate | string | required(uaa_auth) -uaa_endpoint | UAA endpoint | string | required(uaa_auth) -uaa_verify_cert | UAA verify cert, true or false | boolean | optional | true -oidc_name | Name for OIDC authentication | string | required(oidc_auth) -oidc_endpoint | Endpoint for OIDC auth | string | required(oidc_auth) -oidc_client_id | Client id for OIDC auth | string | required(oidc_auth) -oidc_client_secret | Client secret for OIDC auth |string | required(oidc_auth) -oidc_scope | Ccope for OIDC auth | string| required(oidc_auth) -oidc_verify_cert | Verify certificate for OIDC auth, true or false | boolean | optional| true -robot_token_duration | Robot token expiration time in minutes | number | optional | 43200 (30days) - -{{< note >}} -Both booleans and numbers can be enclosed with double quote in the request json, for example: `123`, `"123"`, `"true"` or `true` is OK. -{{< /note >}} diff --git a/docs/install-config/configure-yml-file.md b/docs/install-config/configure-yml-file.md deleted file mode 100644 index 28fa7e30c..000000000 --- a/docs/install-config/configure-yml-file.md +++ /dev/null @@ -1,365 +0,0 @@ ---- -title: Configure the Harbor YML File -weight: 35 ---- - -You set system level parameters for Harbor in the `harbor.yml` file that is contained in the installer package. These parameters take effect when you run the `install.sh` script to install or reconfigure Harbor. - -After the initial deployment and after you have started Harbor, you perform additional configuration in the Harbor Web Portal. - -## Required Parameters - -The table below lists the parameters that must be set when you deploy Harbor. By default, all of the required parameters are uncommented in the `harbor.yml` file. The optional parameters are commented with `#`. You do not necessarily need to change the values of the required parameters from the defaults that are provided, but these parameters must remain uncommented. At the very least, you must update the `hostname` parameter. - -**IMPORTANT**: Harbor does not ship with any certificates. In versions up to and including 1.9.x, by default Harbor uses HTTP to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS. - -You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see [Configuring Harbor with HTTPS Access](configure-https.md). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Required Parameters for Harbor Deployment -
ParameterSub-parametersDescription and Additional Parameters
hostnameNoneSpecify the IP address or the fully qualified domain name (FQDN) of the target host on which to deploy Harbor. This is the address at which you access the Harbor Portal and the registry service. For example, 192.168.1.10 or reg.yourdomain.com. The registry service must be accessible to external clients, so do not specify localhost, 127.0.0.1, or 0.0.0.0 as the hostname.
http Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks.
 portPort number for HTTP, for both Harbor portal and Docker commands. The default is 80.
https Use HTTPS to access the Harbor Portal and the token/notification service. Always use HTTPS in production environments and environments that are not air-gapped. -
 portThe port number for HTTPS, for both Harbor portal and Docker commands. The default is 443.
 certificateThe path to the SSL certificate.
 private_keyThe path to the SSL key.
internal_tls  Use HTTPS to communicate between harbor components
 enabledSet this flag to true means internal tls is enabled
 certificateThe path to the directory that contains internal certs and keys
harbor_admin_passwordNoneSet an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are admin and Harbor12345.
database Use a local PostgreSQL database. You can optionally configure an external database, in which case you can disable this option.
 passwordSet the root password for the local database. You must change this password for production deployments.
 max_idle_connsThe maximum number of connections in the idle connection pool. If set to <=0 no idle connections are retained. The default value is 50. If it is not configured the value is 2.
 max_open_connsThe maximum number of open connections to the database. If <= 0 there is no limit on the number of open connections. The default value is 100 for the max connections to the Harbor database. If it is not configured the value is 0.
data_volumeNoneThe location on the target host in which to store Harbor's data. This data remains unchanged even when Harbor's containers are removed and/or recreated. You can optionally configure external storage, in which case disable this option and enable storage_service. The default is /data.
clairupdaters_intervalSet an interval for Clair updates, in hours. Set to 0 to disable the updates. The default is 12 hours.
trivy Configure Trivy scanner.
 ignore_unfixedSet the flag to true to display only fixed vulnerabilities. The default value is false
 skip_updateYou might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. If the flag is enabled you have to manually download the `trivy.db` file and mount it in the /home/scanner/.cache/trivy/db/trivy.db path in container. The default value is false
 insecureSet the flag to true to skip verifying registry certificate. The default value is false
 github_tokenSet the GitHub access token to download Trivy DB. Trivy DB is downloaded by Trivy from the GitHub release page. Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult https://developer.github.com/v3/#rate-limiting .You can create a GitHub token by following the instuctions in https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
jobservicemax_job_workersThe maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, set the value of this attribute based on the hardware resource of the host. The default is 10.
notificationwebhook_job_max_retrySet the maximum number of retries for web hook jobs. The default is 10.
chartabsolute_urlSet to enabled for Chart to use an absolute URL. Set to disabled for Chart to use a relative URL.
log Configure logging. Harbor uses `rsyslog` to collect the logs for each container.
 levelSet the logging level to debug, info, warning, error, or fatal. The default is info.
 localSet the log retention parameters:
    -
  • rotate_count: Log files are rotated rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. The default is 50.
    • -
  • rotate_size: Log files are rotated only if they grow bigger than rotate_size bytes. Use k for kilobytes, M for megabytes, and G for gigabytes. 100, 100k, 100M and 100G are all valid values. The default is 200M.
    • -
  • location: Set the directory in which to store the logs. The default is /var/log/harbor.
    • -
 external_endpointEnable this option to forward logs to a syslog server. -
    -
  • protocol: Transport protocol for the syslog server. Default is TCP.
    • -
  • host: The URL of the syslog server.
    • -
  • port: The port on which the syslog server listens
    • -
proxy Configure proxies to be used by Clair, the replication jobservice, and Harbor. Leave blank if no proxies are required.
 http_proxyConfigure an HTTP proxy, for example, http://my.proxy.com:3128.
 https_proxyConfigure an HTTPS proxy, for example, http://my.proxy.com:3128.
 no_proxyConfigure when not to use a proxy, for example, 127.0.0.1,localhost,core,registry.
- -## Optional Parameters - -The following table lists the additional, optional parameters that you can set to configure your Harbor deployment beyond the minimum required settings. To enable a setting, you must uncomment it in `harbor.yml` by deleting the leading `#` character. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Optional Parameters for Harbor -
ParameterSub-ParametersDescription and Additional Parameters
external_urlNoneEnable this option to use an external proxy. When enabled, the hostname is no longer used.
storage_service By default, Harbor stores images and charts on your local filesystem. In a production environment, you might want to use another storage backend instead of the local filesystem. The parameters listed below are the configurations for the registry. See *Configuring Storage Backend* below for more information about how to configure a different backend.
 ca_bundleThe path to the custom root CA certificate, which is injected into the trust store of registry and chart repository containers. This is usually needed if internal storage uses a self signed certificate.
 filesystemThe default is filesystem, but you can set azure, gcs, s3, swift and oss. For information about how to configure other backends, see Configuring a Storage Backend below. Set maxthreads to limit the number of threads to the external provider. The default is 100.
 redirectSet disable to true when you want to disable registry redirect
external_database Configure external database settings, if you disable the local database option. Currently, Harbor only supports PostgreSQL database. You must create four databases for Harbor core, Clair, Notary server, and Notary signer. The tables are generated automatically when Harbor starts up.
 harbor

Configure an external database for Harbor data.

-
    -
  • host: Hostname of the Harbor database.
    • -
  • port: Database port.
    • -
  • db_name: Database name.
    • -
  • username: Username to connect to the core Harbor database.
    • -
  • password: Password for the account you set in username.
    • -
  • ssl_mode: Enable SSL mode.
    • -
  • max_idle_conns: The maximum number of connections in the idle connection pool. If <=0 no idle connections are retained. The default value is 2.
    • -
  • max_open_conns: The maximum number of open connections to the database. If <= 0 there is no limit on the number of open connections. The default value is 0.
    • -
 clairConfigure an external database for Clair. -
    -
  • host: Hostname of the Clair database
    • -
  • port: Database port.
    • -
  • db_name: Database name.
    • -
  • username: Username to connect to the Clair database.
    • -
  • password: Password for the account you set in username.
    • -
  • ssl_mode: Enable SSL mode.
    • -
 notary_signerConfigure an external database for the Notary signer database -
    -
  • host: Hostname of the Notary signer database
    • -
  • port: Database port.
    • -
  • db_name: Database name.
    • -
  • username: Username to connect to the Notary signer database.
    • -
  • password: Password for the account you set in username.
    • -
  • ssl_mode: Enable SSL mode.
    • -
 notary_server
    -
  • host: Hostname of the Notary server database.
    • -
  • port: Database port.
    • -
  • db_name: Database name.
    • -
  • username: Username to connect to the Notary server database.
    • -
  • password: Password for the account you set in username.
    • -
  • ssl_mode: Enable SSL mode.e
    • -
external_redis Configure an external Redis instance.
 hostHostname of the external Redis instance.
 portRedis instance port.
 passwordPassword to connect to the external Redis instance.
 registry_db_indexDatabase index for Harbor registry.
 jobservice_db_indexDatabase index for jobservice.
 chartmuseum_db_indexDatabase index for Chart museum.
- -{{< note >}} -The `harbor.yml` file includes options to configure a UAA CA certificate. This authentication mode is not recommended and is not documented. -{{< /note >}} - -## Configuring a Storage Backend {#backend} - -By default Harbor uses local storage for the registry, but you can optionally configure the `storage_service` setting so that Harbor uses external storage. For information about how to configure the storage backend of a registry for different storage providers, see the [Registry Configuration Reference](https://docs.docker.com/registry/configuration/#storage) in the Docker documentation. For example, if you use Openstack Swift as your storage backend, the parameters might resemble the following: - -``` yaml -storage_service: - ca_bundle: - swift: - username: admin - password: ADMIN_PASS - authurl: http://keystone_addr:35357/v3/auth - tenant: admin - domain: default - region: regionOne - container: docker_images" - redirect: - disable: false -``` - -## What to Do Next - -To install Harbor, [Run the Installer Script](run-installer-script.md). diff --git a/docs/install-config/customize-token-service.md b/docs/install-config/customize-token-service.md deleted file mode 100644 index 4b4d95f5c..000000000 --- a/docs/install-config/customize-token-service.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -title: Customize the Harbor Token Service -weight: 60 ---- - -By default, Harbor uses its own private key and certificate to authenticate with Docker clients. This topic describes how to optionally customize your configuration to use your own key and certificate. - -Harbor requires the Docker client to access the Harbor registry with a token. The procedure to generate a token is like [Docker Registry v2 authentication](https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md). Firstly, you make a request to the token service for a token. The token is signed by the private key. After that, you make a new request with the token to the Harbor registry, Harbor registry verifies the token with the public key in the root cert bundle. Then Harbor registry authorizes the Docker client to push and pull images. - -- If you do not already have a certificate, follow the instructions in [Generate a Root Certificate](#gen-cert) to generate a root certificate by using openSSL. -- If you already have a certificate, go to [Provide the Certificate to Harbor](#provide-cert). - -## Generate a Root Certificate {#gen-cert} - -1. Generate a private key. - - ```sh - openssl genrsa -out private_key.pem 4096 - ``` - -1. Generate a certificate. - - ```sh - openssl req -new -x509 -key private_key.pem -out root.crt -days 3650 - ``` - -1. Enter information to include in your certificate request. - - What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some of them blank. For some fields there is a default value. If you enter `.`, the field is left blank. - - - Country Name (2 letter code) [AU]: - - State or Province Name (full name) [Some-State]: - - Locality Name (eg, city) []: - - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - - Organizational Unit Name (eg, section) []: - - Common Name (eg, server FQDN or YOUR name) []: - - Email Address []: - - After you run these commands, the files `private_key.pem` and `root.crt` are created in the current directory. - -## Provide the Certificate to Harbor {#provide-cert} - -See [Run the Installer Script](run-installer-script.md) or [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure-manage-lifecycle.md) to install or reconfigure Harbor. After you run `./install` or `./prepare`, Harbor generates several configuration files. You need to replace the original private key and certificate with your own key and certificate. - -1. Replace the default key and certificate. - - Assuming that the key and certificate are in `/root/cert`, run the following commands: - - ```sh - cd config/ui - cp /root/cert/private_key.pem private_key.pem - cp /root/cert/root.crt ../registry/root.crt - ``` - -1. Go back to the `make` directory, and start Harbor by using following command: - - ```sh - docker-compose up -d - ``` - -1. Push and pull images to and from Harbor to check that your own certificate works. diff --git a/docs/install-config/demo-server.md b/docs/install-config/demo-server.md deleted file mode 100644 index 9b25d0689..000000000 --- a/docs/install-config/demo-server.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -title: Test Harbor with the Demo Server -weight: 10 ---- - -The Harbor team has made available a demo Harbor instance that you can use to experiment with Harbor and test its functionalities. - -When using the demo server, please take note of the conditions of use. - -## Conditions of Use of the Demo Server ## - - - The demo server is reserved for experimental use only, to allow you to test Harbor functionality. - - Do not upload sensitive images to the demo server. - - The demo server is not a production environment. The Harbor team is not responsible for any loss of data, functionality, or service that might result from its use. - - The demo server is cleaned and reset every two days. - - The demo server only allows you to test user functionalities. You cannot test administrator functionalities. To test administrator functionalities and advanced features, set up a Harbor instance. - - Do not push images >100MB to the demo server, as it has limited storage capacity. - -If you encounter any problems while using the demo server, open an [issue on Github](https://github.com/goharbor/harbor/issues) or contact the Harbor team on [Slack](https://github.com/goharbor/harbor#community). - -## Access the Demo Server ## - -1. Go to [https://demo.goharbor.io](https://demo.goharbor.io). -1. Click **Sign up for an account**. -1. Create a user account by providing a username, your email address, your name, and a password. -1. Log in to the Harbor interface using the account you created. -1. Explore the default project, `library`. -1. Click **New Project** to create your own project. - - For information about how to create a project, see [Create a Project](../working-with-projects/create-projects/_index.md). - -1. Open a Docker client and log in to Harbor with the credentials that you created above. - - ```sh - docker login demo.goharbor.io - ``` - -1. Create a very simple `Dockerfile` with the following contents. - - ```dockerfile - FROM busybox:latest - ``` - -1. Build an image from this Dockerfile and tag it. - - ```sh - docker build -t demo.goharbor.io/your-project/test-image . - ``` - -1. Push the image to your project in Harbor. - - ```sh - docker push demo.goharbor.io/your-project/test-image - ``` - -1. In the Harbor interface, go to **Projects** > *your_project* > **Repositories** to view the image repository that you pushed to your Harbor project. - -## What to Do Next ## - -See the [Harbor Installation Prerequisites](installation-prereqs.md). diff --git a/docs/install-config/download-installer.md b/docs/install-config/download-installer.md deleted file mode 100644 index 1395e7218..000000000 --- a/docs/install-config/download-installer.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Download the Harbor Installer -weight: 25 ---- - -You download the Harbor installers from the [official releases](https://github.com/goharbor/harbor/releases) page. Download either the online installer or the offline installer. - -- **Online installer:** The online installer downloads the Harbor images from Docker hub. For this reason, the installer is very small in size. - -- **Offline installer:** Use the offline installer if the host to which are are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images, so it is larger than the online installer. - -The installation processes are almost the same for both the online and offline installers. - -## Download and Unpack the Installer - -1. Go to the [Harbor releases page](https://github.com/goharbor/harbor/releases). -1. Download either the online or offline installer for the version you want to install. -1. Optionally download the corresponding `*.asc` file to verify that the package is genuine. - - The `*.asc` file is an OpenPGP key file. Perform the following steps to verify that the downloaded bundle is genuine. - - 1. Obtain the public key for the `*.asc` file. - - ```sh - gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 644FF454C0B4115C - ``` - - You should see the message ` public key "Harbor-sign (The key for signing Harbor build) " imported` - 1. Verify that the package is genuine by running one of the following commands. - - - Online installer: 
gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-online-installer-version.tgz.asc
- - Offline installer: 
gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-offline-installer-version.tgz.asc
- - The `gpg` command verifies that the signature of the bundle matches that of the `*.asc` key file. You should see confirmation that the signature is correct. - - ```sh - gpg: armor header: Version: GnuPG v1 - gpg: assuming signed data in 'harbor-offline-installer-v1.10.0-rc2.tgz' - gpg: Signature made Fri, Dec 6, 2019 5:04:17 AM WEST - gpg: using RSA key 644FF454C0B4115C - gpg: using pgp trust model - gpg: Good signature from "Harbor-sign (The key for signing Harbor build) [unknown] - ``` - -1. Use `tar` to extract the installer package: - - - Online installer:
bash $ tar xvf harbor-online-installer-version.tgz
- - Offline installer:
bash $ tar xvf harbor-offline-installer-version.tgz
- -## Next Steps - -- To secure the connections to Harbor, see [Configure HTTPS Access to Harbor](configure-https.md). -- To configure your Harbor installation, see [Configure the Harbor YML File](configure-yml-file.md). diff --git a/docs/install-config/harbor-compatibility-list.md b/docs/install-config/harbor-compatibility-list.md deleted file mode 100644 index bd9820899..000000000 --- a/docs/install-config/harbor-compatibility-list.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Harbor Compatibility List -weight: 15 ---- - -This document provides compatibility information for all Harbor components. - -## Replication Adapters - -| | Registries | Pull Mode | Push Mode | Introduced in Release | Automated Pipeline Covered | -|-----|------------------|-----------|-----------|-----------------------|---------------------------| -| [Harbor](https://goharbor.io/)| ![Harbor](../../img/replication-adapters/harbor-logo.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.8 | Y | -| [distribution](https://github.com/docker/distribution) | ![distribution](../../img/replication-adapters/distribution.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.8 | Y | -| [docker hub](https://hub.docker.com/) | ![docker hub](../../img/replication-adapters/docker-hub.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.8 | Y | -| [Huawei SWR](https://www.huaweicloud.com/en-us/product/swr.html) | ![Huawei SWR](../../img/replication-adapters/hw.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.8 | N | -| [GCR](https://cloud.google.com/container-registry/) | ![GCR](../../img/replication-adapters/gcr.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.9 | Y | -| [ECR](https://aws.amazon.com/ecr/) | ![ECR](../../img/replication-adapters/ecr.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.9 | Y | -| [ACR](https://azure.microsoft.com/en-us/services/container-registry/) | ![ACR](../../img/replication-adapters/acr.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.9 | N | -| [AliCR](https://www.alibabacloud.com/product/container-registry) | ![AliCR](../../img/replication-adapters/ali-cr.png)|![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| V1.9 | N | -| [Helm Hub](https://hub.helm.sh/) | ![Helm Hub](../../img/replication-adapters/helm-hub.png)|![Y](../../img/replication-adapters/right.png)| N/A | V1.9 | N | -| [Artifactory](https://jfrog.com/artifactory/) | ![Artifactory](../../img/replication-adapters/artifactory.png)|![Y](../../img/replication-adapters/right.png)| ![Y](../../img/replication-adapters/right.png) | V1.10 | N | -| [Quay](https://github.com/quay/quay) | ![Quay](../../img/replication-adapters/quay.png)|![Y](../../img/replication-adapters/right.png)| ![Y](../../img/replication-adapters/right.png) | V1.10 | N | -| [GitLab Registry](https://docs.gitlab.com/ee/user/packages/container_registry/) | ![GitLab Registry](../../img/replication-adapters/gitlab.png)|![Y](../../img/replication-adapters/right.png)| ![Y](../../img/replication-adapters/right.png) | V1.10 | N | - -{{< note >}} -* `Pull` mode replicates artifacts from the specified source registries into Harbor. -* `Push` mode replicates artifacts from Harbor to the specified target registries. -{{< /note >}} - -## OIDC Adapters - -| | OIDC Providers | Officially Verified | End User Verified | Verified in Release | -|---|-----------------|---------------------|---------------------|-----------------------| -| [Google Identity](https://developers.google.com/identity/protocols/OpenIDConnect) | ![google identity](../../img/OIDC/google-identity.png)| ![Y](../../img/replication-adapters/right.png) | |V1.9| -| [Dex](https://github.com/dexidp/dex) | ![dex](../../img/OIDC/dex.png) | ![Y](../../img/replication-adapters/right.png)| | V1.9 | -| [Ping Identity](https://www.pingidentity.com) | ![ping identity](../../img/OIDC/ping.png) | | ![Y](../../img/replication-adapters/right.png)| V1.9 | -| [Keycloak](https://www.keycloak.org/) | ![Keycloak](../../img/OIDC/keycloak.png) | ![Y](../../img/replication-adapters/right.png) | | V1.10 | -| [Auth0](https://auth0.com/) | ![Auth0](../../img/OIDC/auth0.png) | ![Y](../../img/replication-adapters/right.png) | | V1.10 | - -## Scanner Adapters - -| | Scanners | Providers | Evaluated | As Default | Onboard in Release | -|---|----------|-----------|-----------|------------|--------------------| -| [Clair](https://github.com/goharbor/harbor-scanner-clair) |![Clair](../../img/scanners/clair.png)| CentOS |![Y](../../img/replication-adapters/right.png)|![Y](../../img/replication-adapters/right.png)| v1.10 | -| [Anchore](https://github.com/anchore/harbor-scanner-adapter) |![Anchore](../../img/scanners/anchore.png) | Anchore |![Y](../../img/replication-adapters/right.png)| N | v1.10 | -| [Trivy](https://github.com/aquasecurity/harbor-scanner-trivy)|![Trivy](../../img/scanners/trivy.png)| Aqua |![Y](../../img/replication-adapters/right.png)| ![Y](../../img/replication-adapters/right.png) | v1.10 | -| [CSP](https://github.com/aquasecurity/harbor-scanner-aqua) |![Aqua](../../img/scanners/aqua.png)| Aqua | ![Y](../../img/replication-adapters/right.png) | N | v1.10 | -| [DoSec](https://github.com/dosec-cn/harbor-scanner/blob/master/README_en.md)|![DoSec](../../img/scanners/dosec.png) | DoSec | ![Y](../../img/replication-adapters/right.png) | N | v1.10 | - -{{< note >}} -* `Evaluated` means that the scanner implementation has been officially tested and verified. -* `As Default` means that the scanner is provided as a default option and can be deployed together with the main Harbor components by providing extra options during installation. You must install other scanners manually. -{{< /note >}} diff --git a/docs/install-config/harbor-ha-helm.md b/docs/install-config/harbor-ha-helm.md deleted file mode 100644 index c7c897eab..000000000 --- a/docs/install-config/harbor-ha-helm.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -title: Deploying Harbor with High Availability via Helm -weight: 40 ---- - -You can deploy Harbor on Kubernetes via helm to make it highly available. In this way, if one of the nodes on which Harbor is running becomes unavailable, users do not experience interruptions of service. - -## Prerequisites - -- Kubernetes cluster 1.10+ -- Helm 2.8.0+ -- High available ingress controller (Harbor does not manage the external endpoint) -- High available PostgreSQL database (Harbor does not handle the deployment of HA of database) -- High available Redis (Harbor does not handle the deployment of HA of Redis) -- PVC that can be shared across nodes or external object storage - -## Architecture - -Most of Harbor's components are stateless now. So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods. - -As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts. - -![Harbor High Availability with Helm](../../img/ha.png) - -## Download Chart - -Download Harbor helm chart: - -```bash -helm repo add harbor https://helm.goharbor.io -helm fetch harbor/harbor --untar -``` - -## Configuration - -Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`: - -- **Ingress rule** - Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`. -- **External URL** - Configure the `externalURL`. -- **External PostgreSQL** - Set the `database.type` to `external` and fill the information in `database.external` section. - - Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up. -- **External Redis** - Set the `redis.type` to `external` and fill the information in `redis.external` section. - - As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point. -- **Storage** - By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs. - - If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`. - - If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes. - - You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`. - - If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`. - -- **Replica** - Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2). - -## Installation - -Install the Harbor helm chart with a release name `my-release`: - -Helm 2: - -```bash -helm install --name my-release . -``` - -Helm 3: - -```bash -helm install my-release . -``` diff --git a/docs/install-config/installation-prereqs.md b/docs/install-config/installation-prereqs.md deleted file mode 100644 index af71748ce..000000000 --- a/docs/install-config/installation-prereqs.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: Harbor Installation Prerequisites -weight: 20 ---- - -Harbor is deployed as several Docker containers. You can therefore deploy it on any Linux distribution that supports Docker. The target host requires Docker, and Docker Compose to be installed. - -### Hardware - -The following table lists the minimum and recommended hardware configurations for deploying Harbor. - -|Resource|Minimum|Recommended| -|---|---|---| -|CPU|2 CPU|4 CPU| -|Mem|4 GB|8 GB| -|Disk|40 GB|160 GB| - -### Software - -The following table lists the software versions that must be installed on the target host. - -|Software|Version|Description| -|---|---|---| -|Docker engine|Version 17.06.0-ce+ or higher|For installation instructions, see [Docker Engine documentation](https://docs.docker.com/engine/installation/)| -|Docker Compose|Version 1.18.0 or higher|For installation instructions, see [Docker Compose documentation](https://docs.docker.com/compose/install/)| -|Openssl|Latest is preferred|Used to generate certificate and keys for Harbor| - -### Network ports - -Harbor requires that the following ports be open on the target host. - -|Port|Protocol|Description| -|---|---|---| -|443|HTTPS|Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file.| -|4443|HTTPS|Connections to the Docker Content Trust service for Harbor. Only required if Notary is enabled. You can change this port in the configuration file.| -|80|HTTP|Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file.| - -## What to Do Next ## - -[Download the Harbor Installer](download-installer.md). diff --git a/docs/install-config/quick-install-script.md b/docs/install-config/quick-install-script.md deleted file mode 100644 index f900c2974..000000000 --- a/docs/install-config/quick-install-script.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: Deploy Harbor with the Quick Installation Script -weight: 45 ---- - -The Harbor community has provided a script that with a single command prepares an Ubuntu 18.04 machine for Harbor and deploys the latest stable version. - -This script installs Harbor with an HTTP connection, Clair, and the Chart Repository Service. It does not install Notary, which requires HTTPS. - -## Prerequisites - -You have a machine or VM that is running Ubuntu 18.04. The script does not work on earlier versions of Ubuntu. - -## Procedure - -1. Download the `harbor.sh` script from [this GitHub Gist](https://gist.github.com/kacole2/95e83ac84fec950b1a70b0853d6594dc) to your Ubuntu machine or VM. - -1. Grant run permissions to the current user. - - ```sh - chmod u+x - ``` - -1. Run the script as superuser. - - ```sh - sudo ./harbor.sh - ``` - -1. Select whether to deploy Harbor using the IP address or FQDN of the host machine. - - This is the address at which you access the Harbor interface and the registry service. - - - To use the IP address, enter `1`. - - To use the FQDN, enter `2`. - - The script takes several minutes to run. As it runs, the script downloads the necessary packages and dependencies from Ubuntu, installs the latest stable versions of Docker and Docker Compose, and installs the latest stable version of Harbor. - -1. When the script reports `Harbor Installation Complete`, log in to your new Harbor instance. - - ```sh - docker login - ``` - - - User name: `admin` - - Password: `VMware12345` - -1. Enter the Harbor address in a browser to log in to the Harbor interface. - -After deployment, you can enable HTTPS and Notary by reconfiguring the installation. For information, see [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure-manage-lifecycle.md). \ No newline at end of file diff --git a/docs/install-config/reconfigure-manage-lifecycle.md b/docs/install-config/reconfigure-manage-lifecycle.md deleted file mode 100644 index 42291de81..000000000 --- a/docs/install-config/reconfigure-manage-lifecycle.md +++ /dev/null @@ -1,91 +0,0 @@ ---- -title: Reconfigure Harbor and Manage the Harbor Lifecycle -weight: 55 ---- - -You use `docker-compose` to manage the lifecycle of Harbor. This topic provides some useful commands. You must run the commands in the directory in which `docker-compose.yml` is located. - -See the [Docker Compose command-line reference](https://docs.docker.com/compose/reference/) for more information about `docker-compose`. - -## Stop Harbor - -To stop Harbor, run the following command. - -```sh -sudo docker-compose stop -Stopping nginx ... done -Stopping harbor-portal ... done -Stopping harbor-jobservice ... done -Stopping harbor-core ... done -Stopping registry ... done -Stopping redis ... done -Stopping registryctl ... done -Stopping harbor-db ... done -Stopping harbor-log ... done -``` - -## Restart Harbor - -To restart Harbor, run the following command. - -```sh -sudo docker-compose start -Starting log ... done -Starting registry ... done -Starting registryctl ... done -Starting postgresql ... done -Starting core ... done -Starting portal ... done -Starting redis ... done -Starting jobservice ... done -Starting proxy ... done -``` - -## Reconfigure Harbor - -To reconfigure Harbor, perform the following steps. - -1. Stop Harbor. - - ```sh - sudo docker-compose down -v - ``` - -1. Update `harbor.yml`. - - ```sh - vim harbor.yml - ``` - -1. Run the `prepare` script to populate the configuration. - - ```sh - sudo prepare - ``` - - To reconfigure Harbor to install Notary, Clair, and the chart repository service, include all of the components in the `prepare` command. - - ```sh - sudo prepare --with-notary --with-clair --with-chartmuseum - ``` - -1. Re-create and start the Harbor instance. - - ```sh - sudo docker-compose up -d - ``` - -## Other Commands - -Remove Harbor's containers but keep all of the image data and Harbor's database files in the file system: - -```sh -sudo docker-compose down -v -``` - -Remove the Harbor database and image data before performing a clean re-installation: - -```sh -rm -r /data/database -rm -r /data/registry -``` diff --git a/docs/install-config/run-installer-script.md b/docs/install-config/run-installer-script.md deleted file mode 100644 index 2f3a59f25..000000000 --- a/docs/install-config/run-installer-script.md +++ /dev/null @@ -1,117 +0,0 @@ ---- -title: Run the Installer Script - -weight: 35 ---- - -Once you have configured `harbor.yml` copied from `harbor.yml.tmpl` and optionally set up a storage backend, you install and start Harbor by using the `install.sh` script. Note that it might take some time for the online installer to download all of the Harbor images from Docker hub. - -You can install Harbor in different configurations: - -- Just Harbor, without Notary, Clair, or Chart Repository Service -- Harbor with Notary -- Harbor with Clair -- Harbor with Chart Repository Service -- Harbor with two or all three of Notary, Clair, and Chart Repository Service - -## Default installation without Notary, Clair, or Chart Repository Service - -The default Harbor installation does not include Notary or Clair service. Run the following command - -```sh -sudo ./install.sh -``` - -If the installation succeeds, you can open a browser to visit the Harbor interface at `http://reg.yourdomain.com`, changing `reg.yourdomain.com` to the hostname that you configured in `harbor.yml`. If you did not change them in `harbor.yml`, the default administrator username and password are `admin` and `Harbor12345`. - -Log in to the admin portal and create a new project, for example, `myproject`. You can then use Docker commands to log in to Harbor, tag images, and push them to Harbor. - -```sh -docker login reg.yourdomain.com -docker push reg.yourdomain.com/myproject/myrepo:mytag -``` - -{{< important >}} -- If your installation of Harbor uses HTTPS, you must provide the Harbor certificates to the Docker client. For information, see [Configure HTTPS Access to Harbor](configure-https.md#provide-the-certificates-to-harbor-and-docker). -- If your installation of Harbor uses HTTP, you must add the option `--insecure-registry` to your client's Docker daemon and restart the Docker service. For more information, see [Connecting to Harbor via HTTP](#connect-http) below. -{{< /important >}} - -## Installation with Notary - -To install Harbor with the Notary service, add the `--with-notary` parameter when you run `install.sh`: - -```sh -sudo ./install.sh --with-notary -``` - -{{< note >}} -For installation with Notary, you must configure Harbor to use HTTPS. -{{< /note >}} - -For more information about Notary and Docker Content Trust, see [Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) in the Docker documentation. - -## Installation with Clair - -To install Harbor with Clair service, add the `--with-clair` parameter when you run `install.sh`: - -```sh -sudo ./install.sh --with-clair -``` - -For more information about Clair, see the [Clair documentation](https://coreos.com/clair/docs/2.0.1/). - -By default, Harbor limits the CPU usage of the Clair container to 150000 to avoid it using up all CPU resources. This is defined in the `docker-compose.clair.yml` file. You can modify this file based on your hardware configuration. - -## Installation with Chart Repository Service - -To install Harbor with chart repository service, add the `--with-chartmuseum` parameter when you run `install.sh`: - -``` -sudo ./install.sh --with-chartmuseum -``` - -## Installation with Notary, Clair, and Chart Repository Service - -If you want to install all three of Notary, Clair and chart repository service, specify all of the parameters in the same command: - -``` -sudo ./install.sh --with-notary --with-clair --with-chartmuseum -``` - -## Connecting to Harbor via HTTP {#connect-http} - -**IMPORTANT:** If your installation of Harbor uses HTTP rather than HTTPS, you must add the option `--insecure-registry` to your client's Docker daemon. By default, the daemon file is located at `/etc/docker/daemon.json`. - -For example, add the following to your `daemon.json` file: - -
-{
-"insecure-registries" : ["myregistrydomain.com:5000", "0.0.0.0"]
-}
-
- -After you update `daemon.json`, you must restart both Docker Engine and Harbor. - -1. Restart Docker Engine. - - ```sh - systemctl restart docker - ``` - -1. Stop Harbor. - - ```sh - docker-compose down -v - ``` - -1. Restart Harbor. - - ```sh - docker-compose up -d - ``` - -## What to Do Next ## - -- If the installation succeeds, see [Harbor Administration](../administration) for information about using Harbor. -- If you deployed Harbor with HTTP and you want to secure the connections to Harbor, see [Configure HTTPS Access to Harbor](configure-https.md). -- If installation fails, see [Troubleshooting Harbor Installation](troubleshoot-installation.md). diff --git a/docs/install-config/troubleshoot-installation.md b/docs/install-config/troubleshoot-installation.md deleted file mode 100644 index 96d727dcf..000000000 --- a/docs/install-config/troubleshoot-installation.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Troubleshooting Harbor Installation -weight: 50 ---- - -The following sections help you to solve problems when installing Harbor. - -## Access Harbor Logs - -By default, registry data is persisted in the host's `/data/` directory. This data remains unchanged even when Harbor's containers are removed and/or recreated, you can edit the `data_volume` in `harbor.yml` file to change this directory. - -In addition, Harbor uses `rsyslog` to collect the logs of each container. By default, these log files are stored in the directory `/var/log/harbor/` on the target host for troubleshooting, also you can change the log directory in `harbor.yml`. - -## Harbor Does Not Start or Functions Incorrectly - -If Harbor does not start or functions incorrectly, run the following command to check whether all of Harbor's containers are in the `Up` state. - -``` -sudo docker-compose ps - Name Command State Ports - ----------------------------------------------------------------------------------------------------------------------------- - harbor-core /harbor/start.sh Up - harbor-db /entrypoint.sh postgres Up 5432/tcp - harbor-jobservice /harbor/start.sh Up - harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp - harbor-portal nginx -g daemon off; Up 80/tcp - nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp - redis docker-entrypoint.sh redis ... Up 6379/tcp - registry /entrypoint.sh /etc/regist ... Up 5000/tcp - registryctl /harbor/start.sh Up -``` - -If a container is not in the `Up` state, check the log file for that container in `/var/log/harbor`. For example, if the `harbor-core` container is not running, look at the `core.log` log file. - -## Using `nginx` or Load Balancing - -If Harbor is running behind an `nginx` proxy or elastic load balancing, open the file `common/config/nginx/nginx.conf` and search for the following line. - -``` -proxy_set_header X-Forwarded-Proto $scheme; -``` - -If the proxy already has similar settings, remove it from the sections `location /`, `location /v2/` and `location /service/` and redeploy Harbor. For instructions about how to redeploy Harbor, see [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure-manage-lifecycle.md). - -## Troubleshoot HTTPS Connections {#https} - -If you use an intermediate certificate from a certificate issuer, merge the intermediate certificate with your own certificate to create a certificate bundle. Run the following command. - -``` -cat intermediate-certificate.pem >> yourdomain.com.crt -``` -When the Docker daemon runs on certain operating systems, you might need to trust the certificate at the OS level. For example, run the following commands. - -- Ubuntu: - - ```sh - cp yourdomain.com.crt /usr/local/share/ca-certificates/yourdomain.com.crt - update-ca-certificates - ``` - -- Red Hat (CentOS etc): - - ```sh - cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/yourdomain.com.crt - update-ca-trust - ``` diff --git a/docs/security/Harbor_Security_Audit_Oct2019.pdf b/docs/security/Harbor_Security_Audit_Oct2019.pdf deleted file mode 100644 index 27e79fc37..000000000 Binary files a/docs/security/Harbor_Security_Audit_Oct2019.pdf and /dev/null differ diff --git a/docs/working-with-projects/_index.md b/docs/working-with-projects/_index.md deleted file mode 100644 index 2bb006f68..000000000 --- a/docs/working-with-projects/_index.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Working with Projects -weight: 15 ---- - -This section describes how users with the developer, master, and project administrator roles manage and participate in Harbor projects. The Harbor administrator can also perform all of these tasks. \ No newline at end of file diff --git a/docs/working-with-projects/create-projects/_index.md b/docs/working-with-projects/create-projects/_index.md deleted file mode 100644 index 1d6f5ed41..000000000 --- a/docs/working-with-projects/create-projects/_index.md +++ /dev/null @@ -1,56 +0,0 @@ ---- -title: Create Projects -weight: 20 ---- - -A project in Harbor contains all repositories of an application. Images cannot be pushed to Harbor before a project is created. Role-Based Access Control (RBAC) is applied to projects, so that only users with the appropriate roles can perform certain operations. - -There are two types of project in Harbor: - -* **Public**: Any user can pull images from this project. This is a convenient way for you to share repositories with others. -* **Private**: Only users who are members of the project can pull images - -You create different projects to which you assign users so that they can push and pull image repositories. You also configure project-specific settings. When you first deploy Harbor, a default public project named `library` is created. - -## Prerequisites - -Log in to Harbor with a Harbor administrator or project administrator account. - -## Procedure - -1. Go to **Projects** and click **New Project**. -1. Provide a name for the project. -1. (Optional) Check the **Public** check box to make the project public. - - If you set the project to **Public**, any user can pull images from this project. If you leave the project set to **Private**, only users who are members of the project can pull images. You can toggle projects from public to private, or the reverse, at any moment after you create the project. - - ![create project](../../img/new-create-project.png) - -5. Click **OK**. - -After the project is created, you can browse repositories, members, logs, replication and configuration using the navigation tab. - -![browse project](../../img/new-browse-project.png) - -There are two views to show repositories, list view and card view, you can switch between them by clicking the corresponding icon. - -![browse repositories](../../img/browse-project-repositories.png) - -Project properties can be changed by clicking "Configuration". - -* To make all repositories under the project accessible to everyone, select the `Public` checkbox. - -* To prevent un-signed images under the project from being pulled, select the `Enable content trust` checkbox. For more information about content trust, see [Implementing Content Trust](../project-configuration/implementing-content-trust.md). - -![browse project](../../img/project-configuration.png) - - -## Searching Projects and Repositories -Entering a keyword in the search field at the top lists all matching projects and repositories. The search result includes both public and private repositories you have access to. - -![browse project](../../img/new-search.png) - -## What to Do Next - -[Assign Users to a Project](add-users.md) - diff --git a/docs/working-with-projects/create-projects/add-users.md b/docs/working-with-projects/create-projects/add-users.md deleted file mode 100644 index 64ece5533..000000000 --- a/docs/working-with-projects/create-projects/add-users.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: Assign Users to a Project -weight: 25 ---- - -You can add individual users to an existing project and assign a role to them. You can add an LDAP/AD or OIDC user to the project members if you use LDAP/AD or OIDC authentication, or a user that you have already created if you use database authentication. If you use LDAP/AD or OIDC authentication, you can add groups to projects and assign a role to the group. - -For more information about users and roles in Harbor, see [User Permissions By Role](../../administration/managing-users/user-permissions-by-role.md). - -## Add Individual Members to Projects - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects** and select a project. -1. Select the **Members** tab and click **+User**. - - ![browse project](../../../img/project-members.png) -1. Enter the name of an existing database, LDAP/AD, or OIDC user and select a role for this user. - - ![browse project](../../../img/new-add-member.png) -1. Optionally select one or more members, click **Action**, and select a different role for the user or users, or select **Remove** to remove them from the project. - - ![browse project](../../../img/new-remove-update-member.png) - -## Add LDAP/AD Groups to Projects - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects** and select a project. -1. Select the **Members** tab and click **+Group**. - - ![Add group](../../../img/add-group.png) -1. Select **Add an existing user group to project members** or **Add a group from LDAP to project member**. - - ![Screenshot of add group dialog](../../../img/ldap-group-addgroup-dialog.png) - - - If you selected **Add an existing user group to project members**, enter the name of a group that you have already used in Harbor and assign a role to that group. - - If you selected **Add a group from LDAP to project member**, enter the LDAP Group DN and assign a role to that group. - -Once an LDAP group has been assigned a role in a project, all LDAP/AD users in this group have the privileges of the role you assigned to the group. If a user has both user-level role and group-level role, these privileges are merged. - -If a user in the LDAP group has admin privilege, the user has the same privileges as the Harbor system administrator. - -## Add OIDC Groups to Projects - -To be able to add OIDC groups to projects, your OIDC provider and Harbor instance must be configured correctly. For information about how to configure OIDC so that Harbor can use groups, see [OIDC Provider Authentication](../../administration/configure-authentication/oidc-auth.md). - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects** and select a project. -1. Select the **Members** tab and click **+Group**. - - ![Add group](../../../img/add-group.png) -1. Enter the name of a group that already exists in your OIDC provider and assign a role to that group. - - ![Add group](../../../img/add-oidc-group.png) - -{{< note >}} -Unlike with LDAP groups, Harbor cannot check whether OIDC groups exist when you add them to a project. If you mistype the group name, or if the group does not exist in your OIDC provider, Harbor still creates the group. -{{< /note >}} diff --git a/docs/working-with-projects/project-configuration/_index.md b/docs/working-with-projects/project-configuration/_index.md deleted file mode 100644 index 36fde6dd8..000000000 --- a/docs/working-with-projects/project-configuration/_index.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: Project Configuration -weight: 30 ---- - -After the initial creation of a project, you can configure or reconfigure its properties in the **Configuration** tab for that project. - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects** and select a project. -1. Select the **Configuration** tab. -1. To make all repositories under the project accessible to everyone, select the `Public` checkbox, or deselect this checkbox to make the project private. -1. To prevent un-signed images under the project from being pulled, select the `Enable content trust` checkbox. - -![browse project](../../img/project-configuration.png) - -## Searching projects and repositories - -Enter a keyword in the search field at the top to list all matching projects and repositories. The search result includes both public and private repositories you have access to. - -![browse project](../../img/new-search.png) - -## Configure Vulnerability Settings in Projects - -You can configure projects so that images with vulnerabilities cannot be run, and to automatically scan images as soon as they are pushed into the project. - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects** and select a project. -1. Select the **Configuration** tab. -1. To prevent vulnerable images under the project from being pulled, select the **Prevent vulnerable images from running** checkbox. - - ![Prevent vulnerable images from running](../../img/prevent-vulnerable-images.png) - -1. Select the severity level of vulnerabilities to prevent images from running. - - ![Set vulnerability threshold](../../img/set-vulnerability-threshold.png) - - Images cannot be pulled if their level is equal to or higher than the selected level of severity. Harbor does not prevent images with a vulnerability severity of `negligible` from running. -1. To activate an immediate vulnerability scan on new images that are pushed to the project, select the **Automatically scan images on push** check box. - - ![Automatically scan images on push](../../img/scan-on-push.png) - -## Build history - -Build history makes it easy to see the contents of a container image, find the code which builds an image, or locate the image for a source repository. - -In Harbor portal, enter your project, select the repository, click on the link of tag name you'd like to see its build history, the detail page will be opened. Then switch to `Build History` tab, you can see the build history information. - -![build history](../../img/build-history.png) diff --git a/docs/working-with-projects/project-configuration/access-project-logs.md b/docs/working-with-projects/project-configuration/access-project-logs.md deleted file mode 100644 index ff37a3ef9..000000000 --- a/docs/working-with-projects/project-configuration/access-project-logs.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Access and Search Project Logs -weight: 35 ---- - -Harbor keeps a log of all of the operations that users perform in a project. You can apply filters to help you to search the logs. - -## Prerequisites - -Log in to Harbor with a Harbor administrator, project administrator, master, developer, or guest account. - -## Procedure - -1. Go to **Projects**, select a project, and select **Logs**. - - ![View logs](../../../img/project-logs.png) - - All logs for the project are displayed. - -1. Click the **Search** icon and start typing to filter the logs by name. - - ![Filter logs](../../../img/log-filter.png) - -1. Click **Advanced**. - - ![Advanced log search](../../../img/log-search-advanced.png) - -1. Use the **Operations** drop-down menu to filter by operation type. - - ![Search logs by operation type](../../../img/new-project-log.png) - -1. Click the calendar icons to enter dates between which to search for logs of the types you set in the **Operations** drop-down menu. - - ![Filter logs by date](../../../img/log-search-advanced-date.png) diff --git a/docs/working-with-projects/project-configuration/configure-project-allowlist.md b/docs/working-with-projects/project-configuration/configure-project-allowlist.md deleted file mode 100644 index a17c73863..000000000 --- a/docs/working-with-projects/project-configuration/configure-project-allowlist.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Configure a Per-Project CVE Allowlist -weight: 50 ---- - -When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. You can create allowlists of CVEs to ignore during vulnerability scanning. - -Harbor administrators can set a system-wide CVE allowlist. For information about site-wide CVE allowlists, see [Configure System-Wide CVE Allowlists](../../administration/vulnerability-scanning/configure-system-allowlist.md). By default, the system allowlist is applied to all projects. You can configure different CVE allowlists for individual projects, that override the system allowlist. - -1. Go to **Projects**, select a project, and select **Configuration**. -1. Under **CVE allowlist**, select **Project allowlist**. - - ![Project CVE allowlist](../../../img/cve-allowlist5.png) - -1. Optionally click **Copy From System** to add all of the CVE IDs from the system CVE allowlist to this project allowlist. -1. Click **Add** and enter a list of additional CVE IDs to ignore during vulnerability scanning of this project. - - ![Add project CVEs](../../../img/cve-allowlist6.png) - - Either use a comma-separated list or newlines to add multiple CVE IDs to the list. - -1. Click **Add** at the bottom of the window to add the CVEs to the project allowlist. -1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist. -1. Click **Save** at the bottom of the page to save your settings. - -After you have created a project allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** at any time to add more CVE IDs to this project allowlist. - -If CVEs are added to the system allowlist after you have created a project allowlist, click **Copy From System** to add the new entries from the system allowlist to the project allowlist. - -{{< note >}} -If CVEs are deleted from the system allowlist after you have created a project allowlist, and if you added the system allowlist to the project allowlist, you must manually remove the deleted CVEs from the project allowlist. If you click **Copy From System** after CVEs have been deleted from the system allowlist, the deleted CVEs are not automatically removed from the project allowlist. -{{< /note >}} diff --git a/docs/working-with-projects/project-configuration/configure-webhooks.md b/docs/working-with-projects/project-configuration/configure-webhooks.md deleted file mode 100644 index bb55851b3..000000000 --- a/docs/working-with-projects/project-configuration/configure-webhooks.md +++ /dev/null @@ -1,136 +0,0 @@ ---- -title: Configure Webhook Notifications -weight: 45 ---- - -If you are a project administrator, you can configure a connection from a project in Harbor to a webhook endpoint. If you configure webhooks, Harbor notifies the webhook endpoint of certain events that occur in the project. Webhooks allow you to integrate Harbor with other tools to streamline continuous integration and development processes. - -The action that is taken upon receiving a notification from a Harbor project depends on your continuous integration and development processes. For example, by configuring Harbor to send a `POST` request to a webhook listener at an endpoint of your choice, you can trigger a build and deployment of an application whenever there is a change to an image in the repository. - -### Supported Events - -You can define multiple webhook endpoints per project. Harbor supports two kinds of endpoints currently, `HTTP` and `SLACK`. Webhook notifications provide information about events in JSON format and are delivered by `HTTP` or `HTTPS POST` to an existing webhhook endpoint URL or Slack address that you provide. The following table describes the events that trigger notifications and the contents of each notification. - -|Event|Webhook Event Type|Contents of Notification| -|---|---|---| -|Push artifact to registry|`PUSH_ARTIFACT`|Repository namespace name, repository name, resource URL, tags, manifest digest, artifact name, push time timestamp, username of user who pushed artifact| -|Pull artifact from registry|`PULL_ARTIFACT`|Repository namespace name, repository name, manifest digest, artifact name, pull time timestamp, username of user who pulled artifact| -|Delete artifact from registry|`DELETE_ARTIFACT`|Repository namespace name, repository name, manifest digest, artifact name, artifact size, delete time timestamp, username of user who deleted image| -|Upload Helm chart to chartMuseum|`UPLOAD_CHART`|Repository name, chart name, chart type, chart version, chart size, tag, timestamp of push, username of user who uploaded chart| -|Download Helm chart from chartMuseum|`DOWNLOAD_CHART`|Repository name, chart name, chart type, chart version, chart size, tag, timestamp of push, username of user who pulled chart| -|Delete Helm chart from chartMuseum|`DELETE_CHART`|Repository name, chart name, chart type, chart version, chart size, tag, timestamp of delete, username of user who deleted chart| -|Image scan completed|`SCANNING_COMPLETED`|Repository namespace name, repository name, tag scanned, image name, number of critical issues, number of major issues, number of minor issues, last scan status, scan completion time timestamp, vulnerability information (CVE ID, description, link to CVE, criticality, URL for any fix), username of user who performed scan| -|Image scan failed|`SCANNING_FAILED`|Repository namespace name, repository name, tag scanned, image name, error that occurred, username of user who performed scan| -|Project quota exceeded|`QUOTA_EXCEED`|Repository namespace name, repository name, tags, manifest digest, artifact name, push time timestamp, username of user who pushed artifact| -|Project quota near threshold|`QUOTA_WARNING`|Repository namespace name, repository name, tags, manifest digest, artifact name, push time timestamp, username of user who pushed artifact| -|Artifact replication finished|`REPLICATION`|Repository namespace name, repository name, tags, manifest digest, artifact name, push time timestamp, username of user who trigger the replication| - -#### Payload Format - -The webhook notification is delivered in JSON format. The following example shows the JSON notification for a push artifact event when using `HTTP` kind endpoint: - -```json -{ - "type": "PUSH_ARTIFACT", - "occur_at": 1586922308, - "operator": "admin", - "event_data": { - "resources": [{ - "digest": "sha256:8a9e9863dbb6e10edb5adfe917c00da84e1700fa76e7ed02476aa6e6fb8ee0d8", - "tag": "latest", - "resource_url": "hub.harbor.com/test-webhook/debian:latest" - }], - "repository": { - "date_created": 1586922308, - "name": "debian", - "namespace": "test-webhook", - "repo_full_name": "test-webhook/debian", - "repo_type": "private" - } - } -} -``` -when you select the Slack type, and fill a Slack incoming webhook URL as endpoint, the message you received in Slack will be like, -```json -Harbor webhook events -event_type: PUSH_ARTIFACT -occur_at: April 15th at 11:59 AM -operator: admin -event_data: -{ - "resources": [ - { - "digest": "sha256:8a9e9863dbb6e10edb5adfe917c00da84e1700fa76e7ed02476aa6e6fb8ee0d8", - "tag": "latest", - "resource_url": "hub.harbor.com/test-webhook/debian:latest" - } - ], - "repository": { - "date_created": 1586922308, - "name": "debian", - "namespace": "test-webhook", - "repo_full_name": "test-webhook/debian", - "repo_type": "private" - } -} -``` - -### Webhook Endpoint Recommendations - -There are two kinds of endpoints. For `HTTP` the endpoint that receives the webhook should ideally have a webhook listener that is capable of interpreting the payload and acting upon the information it contains. For example, running a shell script. - -And for Slack endpoint, you should follow the [guide of Slack incoming webhook](https://api.slack.com/messaging/webhooks). - -### Example Use Cases - -You can configure your continuous integration and development infrastructure so that it performs the following types of operations when it receives a webhook notification from Harbor. - -- Artifact push: - - Trigger a new build immediately following a push on selected repositories or tags. - - Notify services or applications that use the artifact that a new artifact is available and pull it. - - Scan the artifact using Clair. - - Replicate the artifact to remote registries. -- Image scanning: - - If a vulnerability is found, rescan the image or replicate it to another registry. - - If the scan passes, deploy the image. - -### Configure Webhooks - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. - -1. Go to **Projects**, select a project, and select **Webhooks**. - - ![Webhooks option](../../../img/webhooks1.png) - -1. Select notify type `HTTP`, so the webhook will be send to a HTTP endpoint. - -1. Select events that you want to subscribe. - -1. Enter the URL for your webhook endpoint listener. - -1. If your webhook listener implements authentication, enter the authentication header. - -1. To implement `HTTPS POST` instead of `HTTP POST`, select the **Verifiy Remote Certficate** check box. - - ![Webhook URL](../../../img/webhooks2.png) - -1. Click **Test Endpoint** to make sure that Harbor can connect to the listener. - -1. Click **Continue** to create the webhook. - -When you have created the webhook, you can click on the arrow at the left end to see the status of the different notifications and the timestamp of the last time each notification was triggered. You can also manage the webhook by clicking the drop list button of `ACTION...` . - -You can modify the webhook, you can also `Enable` or `Disable` the webhook. - -![Webhook Status](../../../img/webhooks3.png) - -If a webhook notification fails to send, or if it receives an HTTP error response with a code other than `2xx`, the notification is re-sent based on the configuration that you set in `harbor.yml`. - -### Globally Enable and Disable Webhooks - -As a Harbor system administrator, you can enable and disable webhook notifications for all projects. - -1. Go to **Configuration** > **System Settings**. -1. Scroll down and check or uncheck the **Webhooks enabled** check box. - - ![Enable/disable webhooks](../../../img/webhooks4.png) diff --git a/docs/working-with-projects/project-configuration/create-robot-accounts.md b/docs/working-with-projects/project-configuration/create-robot-accounts.md deleted file mode 100644 index 89758576d..000000000 --- a/docs/working-with-projects/project-configuration/create-robot-accounts.md +++ /dev/null @@ -1,62 +0,0 @@ ---- -title: Create Robot Accounts -weight: 40 ---- - -You can create robot accounts to run automated operations. Robot accounts have the following limitations: - -1. Robot Accounts cannot log in to the Harbor interface. -1. Robot Accounts can only perform operations by using the Docker and Helm CLIs. - -### Add a Robot Account - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects**, select a project, and select **Robot Accounts**. - - ![Robot accounts](../../../img/add-robot-account.png) - -1. Click **New Robot Account**. -1. Enter a name and an optional description for this robot account. -1. Set expiration time for this robot account, you can also select checkbox **Never Expired** if you want to create a never expiring robot account. If not set, the expiration time of system configuration will be used for this robot account. -1. Grant permission to the robot account to push images and to push and pull Helm charts. - - Robot accounts can always pull images, so you cannot deselect this option. - - ![Add a robot account](../../../img/add-robot-account-2.png) - -1. Click **Save**. -1. In the confirmation window, click **Export to File** to download the access token as a JSON file, or click the clipboard icon to copy its contents to the clipboard. - - ![copy_robot_account_token](../../../img/copy-robot-account-token.png) - - {{< important >}} - Harbor does not store robot account tokens, so you must either download the token JSON or copy and paste its contents into a text file. There is no way to get the token from Harbor after you have created the robot account. - {{< /important >}} - - The new robot account appears as `robot$account_name` in the list of robot accounts. The `robot$` prefix makes it easily distinguishable from a normal Harbor user account. - - ![New robot account](../../../img/new-robot-account.png) - -1. To delete or disable a robot account, select the account in the list, and select **Disable account** or **Delete** from the Action drop-down menu. - - ![Disable or delete a robot account](../../../img/disable-delete-robot-account.png) - -### Configure the Expiry Period of Robot Accounts - -By default, robot accounts expire after 30 days. You can set a longer or shorter lifespan for robot accounts by modifying the expiry period for robot account tokens. The expiry period applies to all robot accounts in all projects. - -1. Log in to the Harbor interface with an account that has Harbor system administrator privileges. -1. Go to **Configuration** and select **System Settings**. -1. In the **Robot Token Expiration (Days)** row, modify the number of days after which robot account tokens expire. - - ![Set robot account token expiry](../../../img/set-robot-account-token-duration.png) - -### Authenticate with a Robot Account - -To use a robot account in an automated process, for example a script, use `docker login` and provide the credentials of the robot account. - -
-docker login harbor_address
-Username: robot$account_name
-Password: robot_account_token
-
diff --git a/docs/working-with-projects/project-configuration/implementing-content-trust.md b/docs/working-with-projects/project-configuration/implementing-content-trust.md deleted file mode 100644 index 93384901c..000000000 --- a/docs/working-with-projects/project-configuration/implementing-content-trust.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Implementing Content Trust -weight: 55 ---- - -{{< note >}} -Notary is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section. -{{< /note >}} - -If you want to enable content trust to ensure that images are signed, please set two environment variables in the command line before pushing or pulling any image: - -```sh -export DOCKER_CONTENT_TRUST=1 -export DOCKER_CONTENT_TRUST_SERVER=https://10.117.169.182:4443 -``` - -If you push the image for the first time, You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the `DOCKER_CONTENT_TRUST` flag is set. -The root key is generated at: `/root/.docker/trust/private/root_keys` -You will also be asked to enter a new passphrase for the image. This is generated at `/root/.docker/trust/private/tuf_keys/[registry name] /[imagepath]`. -If you are using a self-signed cert, make sure to copy the CA cert into `/etc/docker/certs.d/10.117.169.182` and `$HOME/.docker/tls/10.117.169.182:4443/`. When an image is signed, it is indicated in the Web UI. - -A signed image will have a checkbox next to it, otherwise an X is displayed instead. - -If you want to remove a tag signature from harbor, you can use 'notary remove' command: - -```sh -notary remove -p 10.117.169.182/libary/alpine latest -``` - -{{< note >}} -Replace "10.117.169.182" with the IP address or domain name of your Harbor node. In order to use content trust, HTTPS must be enabled in Harbor. -{{< /note >}} - -![browse project](../../../img/content-trust.png) diff --git a/docs/working-with-projects/using-api-explorer/_index.md b/docs/working-with-projects/using-api-explorer/_index.md deleted file mode 100644 index 10037695a..000000000 --- a/docs/working-with-projects/using-api-explorer/_index.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -title: Using the API Explorer -weight: 100 ---- - -Harbor integrated swagger UI from 1.8. That means all APIs can be invoked through the Harbor interface. You can navigate to the API Explorer in two ways. - -1. Log in to Harbor and click the "API EXPLORER" button. All APIs will be invoked with the current user's authorization. -![navigation bar](../../img/api-explorer-btn.png) - -2. Navigate to the Swagger page by using the IP address of your Harbor instance and adding the router "devcenter". For example: https://10.192.111.118/devcenter. Then click the **Authorize** button to give basic authentication to all APIs. All APIs will be invoked with the authorized user's authorization. -![authentication](../../img/authorize.png) diff --git a/docs/working-with-projects/working-with-images/_index.md b/docs/working-with-projects/working-with-images/_index.md deleted file mode 100644 index 49b1b3626..000000000 --- a/docs/working-with-projects/working-with-images/_index.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Working with Images, Tags, and Helm Charts -weight: 60 ---- - -This section describes how to work with images, tags, and Helm charts in Harbor. diff --git a/docs/working-with-projects/working-with-images/adding-tags.md b/docs/working-with-projects/working-with-images/adding-tags.md deleted file mode 100644 index f60a82487..000000000 --- a/docs/working-with-projects/working-with-images/adding-tags.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Tagging Artifacts -weight: 75 ---- - -Harbor v2.0 now supports OCI images and OCI image indexes (https://github.com/opencontainers/image-spec/blob/master/image-index.md). An OCI image index (or OCI index) is a higher level manifest which points to a list of image manifests, ideal for one or more platforms. Both the index itself and the images referenced within are referred to as artifacts in Harbor parlance. An OCI index could hold another OCI index and so on and so forth. For any artifact referenced by an OCI index, the referenced artifact is known as the child artifact and the OCI index referencing the artifact is known as the parent artifact. We can also say that the child artifact belongs to the parent artifact or is a part of the parent artifact. - -Users can add as many tags to any artifact as they wish without impacting the artifact digest or the associated storage. For an OCI index, users can add tags to the parent as well as add tags to the individual referenced artifacts within. Tags added to the parent artifact are not automatically inherited by the children artifacts. You can tag artifacts on the Harbor web console as follows: - -In the Harbor interface, click on an artifact to see its current set of tags, then click 'ADD TAG', specify the name and click 'OK' - -![add artifact](../../../img/addtag1.png) - diff --git a/docs/working-with-projects/working-with-images/create-labels.md b/docs/working-with-projects/working-with-images/create-labels.md deleted file mode 100644 index 321f17433..000000000 --- a/docs/working-with-projects/working-with-images/create-labels.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: Managing Labels -weight: 70 ---- - -Harbor provides two kinds of labels to isolate different kinds of resources: - -* **Global Level Label**: Managed by Harbor system administrators and used to manage the images of the whole system. They can be added to images under any projects. -* **Project Level Label**: Managed by project administrators under a project and can only be added to the images of the project. - -## Managing Global Labels -The Harbor system administrators can list, create, update and delete the global level labels under `Administration->Configuration->Labels`: - -![manage global level labels](../../../img/manage-global-level-labels.png) - -## Managing Project-Level Labels -The project administrators and Harbor system administrators can list, create, update and delete the project level labels under `Labels` tab of the project detail page: - -![manage project level labels](../../../img/manage-project-level-labels.png) - -## Adding and Removing Labels to and from Images -Users who have Harbor system administrator, project administrator or project developer role can click the `ADD LABELS` button to add labels to or remove labels from images. The label list contains both globel level labels(come first) and project level labels: - -![add labels to images](../../../img/add-labels-to-images.png) - -## Filtering Images by Label -The images can be filtered by labels: - -![filter images by labels](../../../img/filter-images-by-label.png) diff --git a/docs/working-with-projects/working-with-images/create-tag-immutability-rules.md b/docs/working-with-projects/working-with-images/create-tag-immutability-rules.md deleted file mode 100644 index 76bc2eac8..000000000 --- a/docs/working-with-projects/working-with-images/create-tag-immutability-rules.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: Tag Immutability Rules -weight: 85 ---- - -By default, users can repeatedly push an artifact with the same tag to a repository in Harbor. This causes the tag to migrate across the artifacts and every artifact that has its tag taken away becomes tagless. This is due to Docker distribution upstream which does not enforce the mapping between an image tag and the image digest. This can be undesirable in certain cases, because the tag can no longer be trusted to identify the image version. The sha256 digest remains reliable and always points to the same build, but it is not rendered in a human-readable format. - -To prevent this, Harbor allows you to configure tag immutability at the project level, so that artifacts with certain tags cannot be pushed into Harbor if their tags match existing tags. This prevents existing artifacts from being overwritten. Tag immutability guarantees that an immutable tagged artifact cannot be deleted, and also cannot be altered in any way such as through re-pushing, re-tagging, or replication from another target registry. - -Immutability rules use `OR` logic, so if you set multiple rules and a tag is matched by any of those rules, it is marked as immutable. - -## How Immutable Tags Prevent Tag Deletion - -Since v2.0, you can delete any tag of an artifact without deleting the artifact itself. Therefore, you can lock down a particular tag by configuring an immutability rule matching this tag which means the artifact holding the tag also cannot be overwritten or deleted. However you can still delete other tags associated with this immutable artifact. Consider the follow example: - -1. In the Docker client, push `hello-world:v1` into a project. -1. In the project, set an immutable tag rule in this project that matches the image and tag `hello-world:v1`. -1. Push `hello-world:v1` to the project. -1. In your local env, retag `hello-world:v1` to `hello-world:v2`. -1. Push `hello-world:v2` to the project. -1. In the Harbor interface, attempt to delete tag `v1` and `v2` of `hello-world` sequentially. - -In this case, you cannot delete tag `v1` as it's an immutable tag and you cannot delete the artifact `hello-world` holding this tag. But you can delete tag `v2` even it shares the sha256 digest with `v1`. - -## Create a Tag Immutability Rule - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects**, select a project, select policy, and select **Tag Immutability**. - - ![Add an immutability rule](../../../img/tag-immutability.png) - -1. Click **Add Rule**. - - - In the **Respositories** row, enter a comma-separated list of repositories to which to either apply or exclude from the rule by selecting either **matching** or **excluding** from the drop-down menu. - - In the **Tags** row, enter a comma-separated list of tags to which to either apply or exclude from the rule by selecting either **matching** or **excluding** from the drop-down menu. - - ![Add an immutability rule](../../../img/add-immutability-rule.png) -1. Click **Add** to save the rule. - - You can add a maximum of 15 immutability rules per project. - - After you add a rule, any tags that are identified by the rule are marked **Immutable** in the Repositories tab. -1. To modify an existing rule, use the **Action** drop-down menu next to a rule to disable, edit, or delete that rule. - - ![Immutability rules](../../../img/edit-tag-immutability.png) - -## Example - -To make all tags for all repositories in the project immutable, set the following options: - -- Set **For the respositories** to **matching** and enter `**`. -- Set **Tags** to **matching** and enter `**`. - -To allow the tags `rc`, `test`, and `nightly` to be overwritten but make all other tags immutable, set the following options: - -- Set **For the respositories** to **matching** and enter `**`. -- Set **Tags** to **excluding** and enter `rc,test,nightly`. diff --git a/docs/working-with-projects/working-with-images/create-tag-retention-rules.md b/docs/working-with-projects/working-with-images/create-tag-retention-rules.md deleted file mode 100644 index 41894def9..000000000 --- a/docs/working-with-projects/working-with-images/create-tag-retention-rules.md +++ /dev/null @@ -1,172 +0,0 @@ ---- -title: Create Tag Retention Rules -weight: 80 ---- - -A repository can rapidly accumulate a large number of artifacts, many of which might not be required after a given time or once they have been superseded by a subsequent artifact build. These excess artifacts can obviously consume large quantities of storage capacity. As a Harbor system administrator, you can define rules that govern how many artifacts of a given repository to retain, or for how long to retain certain artifacts. - -## How Tag Retention Rules Work - -You define tag retention rules on repositories, not on projects. This allows for greater granularity when defining your retention rules. As the name suggests, when you define a retention rule for a repository, you are identifying which tags to retain. You do not define rules to explicitly remove tags. Rather, when you set a rule, any tags in a repository that are not identified as being eligible for retention are discarded. - -A tag retention rule has 3 filters that are applied sequentially, as described in the following table. - -|Order|Filter|Description| -|---|---|---| -|First|Repository or repositories|Identity the tags on which to apply the rule. You can identify repositories that either have a certain name or name fragment, or that do not have that name or name fragment. Wild cards (for example `*repo`, `repo*`, and `**`) are permitted. The repository filter is applied first to mark the repositories to which to apply the retention rule. The identified repositories are earmarked for further matching based on the tag criteria. No action is taken on the nonspecified repositories at this stage.| -|Second|Quantity to retain|Set which tags to retain either by specifying a maximum number of tags, or by specifying a maximum period for which to retain tags.| -|Third|Tags to retain|Identify the tag or tags on which to apply the rule. You can identify tags that either have a certain name or name fragment, or that do not have that name or name fragment. Wild cards (for example `*tag`, `tag*`, and `**`) are permitted. Use the checkbox to select whether untagged artifacts should be captured as part of the set of artifacts eligible for tag retention.| - -For information about how the `**` wildcard is applied, see https://github.com/bmatcuk/doublestar#patterns. - -### Example 1 - -- You have 5 repositories in a project, repositories A to E. - - Repository A has 102 artifacts with 2 untagged, all of which have been pulled in the last week. - - Repositories B to E each have 7 artifacts with 1 untagged artifact, none of which have been pulled in the last month. -- You set the repository filter to `**`, meaning that all repositories in the project are included. -- You set the retention policy to retain the 10 most recently pulled artifacts in each repository. -- You set the tag filter to `**`, keep "untagged artifacts" unchecked, meaning that all artifacts with at least one tag in the repository are included. - -In this example the rule retains the 10 most recently pulled tagged artifacts in repository A, and the 6 of the artifacts in each of the 4 repositories B to E. So, a total of 34 artifacts are retained in the project. -In other words, the rule does not treat all of the artifacts in repositories A to E as a single pool from which to choose the 10 most recent artifacts. -So, even if the 11th to 100th tags in repository A have been pulled more recently than any of the tags in repositories B to E, all of the tagged artifacts in repositories B to E are retained, because each of those repositories has fewer than 10 tags, and all untagged artifacts are deleted. - -### Example 2 - -This example uses the same project and repositories as example 1, but sets the retention policy to retain the artifacts in each repository that have been pulled in the last 7 days. - -In this case, all of the 100 tagged artifacts in repository A are retained because they have been pulled in the last 7 days. None of the artifacts in repositories B to E are retained, because none of them has been pulled in the last week. In this example, 100 artifacts are retained, as opposed to 34 artifacts in example 1. -And all untagged artifacts are deleted. - -### Example 3 - -This example uses the same project and repositories as example 2, but checked "untagged artifacts", then all artifacts in repository A are retained. - -In this case, all of the 103 artifacts in repository A are retained because they have been pulled in the last 7 days. None of the artifacts in repositories B to E are retained, because none of them has been pulled in the last week. In this example, 103 artifacts are retained, as opposed to 100 artifacts in example 2. -And all untagged artifacts are retained. - -### Tag Retention Rules and Native Docker Tag Deletion - -**Note**: If an artifact has several tags, and only a partial set of tags are matched via the retention policy, then the artifact and all its tags will be retained. In other words, retention is matched at the tag level but retention / deletion is carried out at the artifact level, with retention fully preserving the artifact including all of its tags. - -For example, you have following tags, listed according to their push time, and all of them refer to the same SHA digest: - -- `harbor-1.8`, pushed 8/14/2019 01:00am -- `harbor-release`, pushed 8/14/2019 03:00am -- `harbor-nightly`, pushed 8/14/2019 06:00am -- `harbor-latest`, pushed 8/14/2019 09:00am - -You configure a retention policy to retain the two latest tags that match `harbor-*`, so that `harbor-rc` and `harbor-latest` are retained. However, since all tags refer to the same SHA digest, this policy would also retain the tags `harbor-1.8` and `harbor-release`, so all tags are retained. - -## Combining Rules on a Repository - -You can define up to 15 rules per project. You can apply multiple rules to a repository or set of repositories. When you apply multiple rules to a repository, they are applied with `OR` logic rather than with `AND` logic. In this way, there is no prioritization of application of the rules on a given repository. Rules run concurrently in the background, and the resulting sets from each rule are combined at the end of the run. - -### Example 4 - -This example uses the same project and repositories as examples 1 and 2, but sets two rules: - -- Rule 1: Retain all of the artifacts in each repository that have been pulled in the last 7 days. -- Rule 2: Retain a maximum number of 10 artifacts in each repository. - -For repository A, rule 1 retains all of the 100 tagged artifacts because they have all been pulled in the last week. Rule 2 retains the 10 most recently pulled artifacts. So, since the two rules are applied with an `OR` relationship, all 100 artifacts are retained in repository A. - -For repositories B-E, rule 1 will retain 0 artifacts as no artifacts are pulled in the last week. Rule 2 will retain all 6 artifacts because 6 < 10. So, since the two rules are applied with an `OR` relationship, for repositories B-E, each repository will keep all 6 artifacts. - -In this example, all of the artifacts are retained. - -### Example 5 - -This example uses a different repository to the previous examples. - -- You have a repository that has 12 tags: - - |Production|Release Candidate|Release| - |---|---|---| - |`2.1-your_repo-prod`|`2.1-your_repo-rc`|`2.1-your_repo-release`| - |`2.2-your_repo-prod`|`2.2-your_repo-rc`|`2.2-your_repo-release`| - |`3.1-your_repo-prod`|`3.1-your_repo-rc`|`3.1-your_repo-release`| - |`4.4-your_repo-prod`|`4.4-your_repo-rc`|`4.4-your_repo-release`| - -- You define three tag retention rules on this repository: - - Retain the 10 most recently pushed artifacts that start with `2`. - - Retain the 10 most recently pushed artifacts that end with `-prod`. - - Retain all tags that do not include `2.1-your_repo-prod`. - -In this example, the rules are applied to the following 7 tags: - -- `2.1-your_repo-rc` -- `2.1-your_repo-release` -- `2.2-your_repo-prod` -- `2.2-your_repo-rc` -- `2.2-your_repo-release` -- `3.1-your_repo-prod` -- `4.4-your_repo-prod` - -Because there are no untagged artifacts, checking the checkbox makes no difference. - -## How Tag Retention Rules Interact with Project Quotas - -The Harbor system administrator can set a maximum on the number of tags that a project can contain and the amount of storage that it can consume. For information about project quotas, see [Configure Project Quotas](../../administration/configure-project-quotas/_index.md). - -If you set a quota on a project, this quota cannot be exceeded. The quota is applied to a project even if you set a retention rule that would exceed it. In other words, you cannot use retention rules to bypass quotas. - -## Configure Tag Retention Rules - -1. Log in to the Harbor interface with an account that has at least project administrator privileges. -1. Go to **Projects**, select a project, select **Policy**, and select **Tag Retention**. - - ![Tag options](../../../img/tag-retention1.png) -1. Click **Add Rule** to add a rule. -1. In the **Repositories** drop-down menu, select **matching** or **excluding**. - ![Select repositories](../../../img/tag-retention2.png) -1. In the **Repositories** text box, identify the repositories on which to apply the rule. - - You can define the repositories on which to apply the rule by entering the following information: - - - A repository name, for example `my_repo_1`. - - A comma-separated list of repository names, for example `my_repo_1,my_repo_2,your_repo_3`. - - A partial repository name with wildcards, for example `my_*`, `*_3`, or `*_repo_*`. - - `**` to apply the rule to all of the repositories in the project. - - If you selected **matching**, the rule is applied to the repositories you identified. If you selected **excluding**, the rule is applied to all of the repositories in the project except for the ones that you identified. -1. In the **By artifact count or number of days** drop-down menu, define how many tags to retain or the period to retain tags. - ![Select retention criteria](../../../img/tag-retention3.png) - - |Option|Description| - |---|---| - |**retain the most recently pushed # artifacts**|Enter the maximum number of artifacts to retain, keeping the ones that have been pushed most recently. There is no maximum age for an artifact.| - |**retain the most recently pulled # artifacts**|Enter the maximum number of artifacts to retain, keeping only the ones that have been pulled recently. There is no maximum age for an artifact.| - |**retain the artifacts pushed within the last # days**|Enter the number of days to retain artifacts, keeping only the ones that have been pushed during this period. There is no maximum number of artifacts.| - |**retain the artifacts pulled within the last # days**|Enter the number of days to retain artifacts, keeping only the ones that have been pulled during this period. There is no maximum number of artifacts.| - |**retain always**|Always retain the artifacts identified by this rule.| - -1. In the **Tags** drop-down menu, select **matching** or **excluding**. -1. In the **Tags** text box, identify the tags on which to apply the rule. - - You can define the tags on which to apply the rule by entering the following information: - - - A tag name, for example `my_tag_1`. - - A comma-separated list of tag names, for example `my_tag_1,my_tag_2,your_tag_3`. - - A partial tag name with wildcards, for example `my_*`, `*_3`, or `*_tag_*`. - - `**` to apply the rule to all of the tags in the project. - - If you selected **matching**, the rule is applied to the tags you identified. If you selected **excluding**, the rule is applied to all of the tags in the repository except for the ones that you identified. -1. Click **Add** to save the rule. -1. (Optional) Click **Add Rule** to add more rules, up to a maximum of 15 per project. -1. (Optional) Under Schedule, click **Edit** and select how often to run the rule. - - ![Select retention criteria](../../../img/tag-retention4.png) - - If you select **Custom**, enter a cron job command to schedule the rule. - - **NOTE**: If you define multiple rules, the schedule is applied to all of the rules. You cannot schedule different rules to run at different times. -1. Click **Dry Run** to test the rule or rules that you have defined. -1. Click **Run Now** to run the rule immediately. - -**WARNING**: You cannot revert a rule after you run it. It is strongly recommended to perform a dry run before you run rules. - -To modify an existing rule, use the **Action** drop-down menu next to a rule to disable, edit, or delete that rule. - -![Modify tag retention rules](../../../img/tag-retention5.png) diff --git a/docs/working-with-projects/working-with-images/deleting-artifact.md b/docs/working-with-projects/working-with-images/deleting-artifact.md deleted file mode 100644 index b68f5a46e..000000000 --- a/docs/working-with-projects/working-with-images/deleting-artifact.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: Deleting Artifacts -weight: 75 ---- - -Harbor v2.0 now supports OCI images and OCI image indexes (https://github.com/opencontainers/image-spec/blob/master/image-index.md). An OCI image index (or OCI index) is a higher level manifest which points to a list of image manifests, ideal for one or more platforms. Both the index itself and the images referenced within are referred to as artifacts in Harbor parlance. An OCI index could hold another OCI index and so on and so forth. For any artifact referenced by an OCI index, the referenced artifact is known as the child artifact and the OCI index referencing the artifact is known as the parent artifact. We can also say that the child artifact belongs to the parent artifact or is a part of the parent artifact. - -An example of an OCI image index - -``` -{ - "schemaVersion": 2, - "manifests": [ - { - "mediaType": "application/vnd.oci.image.manifest.v1+json", - "size": 7143, - "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f", - "platform": { - "architecture": "ppc64le", - "os": "linux" - } - }, - { - "mediaType": "application/vnd.oci.image.manifest.v1+json", - "size": 7682, - "digest": "sha256:5b0bcabd1ed22e9fb1310cf6c2dec7cdef19f0ad69efa1f392e94a4333501270", - "platform": { - "architecture": "amd64", - "os": "linux" - } - } - ], - "annotations": { - "com.example.key1": "value1", - "com.example.key2": "value2" - } -} -``` - -**Deleting Artifact**: - -When an artifact is not referenced by any OCI index, you can delete the artifact freely which will delete its manifest and all associated tags. - -When an artifact is referenced by an OCI index, you cannot delete it. In order to delete this artifact, you must first delete all OCI indexes referencing this artifact first, remembering that an artifact can be referenced by multiple parents artifacts pushed onto Harbor by different users. So when deleting an OCI index holding 9 children artifacts not referenced by any other index and 1 child artifact referenced by another index, only 9 out of 10 children artifacts will be deleted. - -To delete any artifact in the Harbor interface, click on the artifact and select 'Delete' and confirm. - -![delete image1](../../../img/deleteimage1.png) - -![delete image2](../../../img/deleteimage2.png) diff --git a/docs/working-with-projects/working-with-images/deleting-tags.md b/docs/working-with-projects/working-with-images/deleting-tags.md deleted file mode 100644 index a7689db3b..000000000 --- a/docs/working-with-projects/working-with-images/deleting-tags.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Detagging Artifacts -weight: 75 ---- - -Harbor v2.0 now supports OCI images and OCI image indexes (https://github.com/opencontainers/image-spec/blob/master/image-index.md). An OCI image index (or OCI index) is a higher level manifest which points to a list of image manifests, ideal for one or more platforms. Both the index itself and the images referenced within are referred to as artifacts in Harbor parlance. An OCI index could hold another OCI index and so on and so forth. For any artifact referenced by an OCI index, the referenced artifact is known as the child artifact and the OCI index referencing the artifact is known as the parent artifact. We can also say that the child artifact belongs to the parent artifact or is a part of the parent artifact. - -Users can delete any existing tag from an artifact without deleting the artifact digest and all other existing tags. For an OCI index, users can delete tags from the parent as well as from the referenced artifacts within. Tags removed from the parent artifact are not automatically removed from children artifacts. For example, you can tag artifacts as follows: - -In the Harbor interface, click on an artifact to see its current set of tags, then select the tag you wish to delete and click 'REMOVE TAG', and then click 'OK' - -![delete tag](../../../img/deletetag1.png) - -You can remove all tags from an artifact without deleting the artifact manifest itself. The artifact is still visible on the web console with nothing listed under 'Tags ' \ No newline at end of file diff --git a/docs/working-with-projects/working-with-images/managing-helm-charts.md b/docs/working-with-projects/working-with-images/managing-helm-charts.md deleted file mode 100644 index 7b6e0623e..000000000 --- a/docs/working-with-projects/working-with-images/managing-helm-charts.md +++ /dev/null @@ -1,205 +0,0 @@ ---- -title: Managing Helm Charts -weight: 95 ---- - -[Helm](https://helm.sh) is a package manager for [Kubernetes](https://kubernetes.io). Helm uses a packaging format called [charts](https://docs.helm.sh/developing_charts). Since version 1.6.0 Harbor is now a composite cloud-native registry which supports both container image management and Helm charts management. Access to Helm charts in Harbor is controlled by [role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) and is restricted by projects. - -There are two places to manage helm charts. First one is in the ChartMuseum which is provided by Harbor from version 1.6.0. The second one is in the OCI-compatible registry which is provided by Harbor from version 2.0.0. This means you can now manage Helm charts alongside your container images through the same set of projects and repositories. - -## Manage Helm Charts with the ChartMuseum in Harbor Interface - -### List charts - -Click your project to enter the project detail page after successful logging in. The existing helm charts will be listed under the tab `Helm Charts` which is beside the image `Repositories` tab with the following information: -* Name of helm chart -* The status of the chart: Active or Deprecated -* The count of chart versions -* The created time of the chart - -![list charts](../../../img/list-charts.png) - -You can click the icon buttons on the top right to switch views between card view and list view. - -### Upload a New Chart - -Click the `UPLOAD` button on the top left to open the chart uploading dialog. Choose the uploading chart from your filesystem. Click the `UPLOAD` button to upload it to the chart repository server. - -![upload charts](../../../img/upload-charts.png) - -If the chart is signed, you can choose the corresponding provenance file from your filesystem and Click the `UPLOAD` button to upload them together at once. - -If the chart is successfully uploaded, it will be displayed in the chart list at once. - -### List Chart Versions - -Clicking the chart name from the chart list will show all the available versions of that chart with the following information: -* the chart version number -* the maintainers of the chart version -* the template engine used (default is gotpl) -* the created timestamp of the chart version - -![list charts versions](../../../img/list-chart-versions.png) - -Obviously, there will be at least 1 version for each of the charts in the top chart list. Same with chart list view, you can also click the icon buttons on the top right to switch views between card view and list view. - -Check the checkbox at the 1st column to select the specified chart versions: -* Click the `DELETE` button to delete all the selected chart versions from the chart repository server. Batch operation is supported. -* Click the `DOWNLOAD` button to download the chart artifact file. Batch operation is not supported. -* Click the `UPLOAD` button to upload the new chart version for the current chart - -### Adding Labels to and Removing Labels from Chart Versions -Users who have Harbor system administrator, project administrator or project developer role can click the `ADD LABELS` button to add labels to or remove labels from chart versions. - -![add labels to chart versions](../../../img/add-labels-to-chart-versions.png) - - -### Filtering Chart Versions by Label -The chart versions can be filtered by labels: - -![filter chart versions by labels](../../../img/filter-chart-versions-by-label.png) - -### View Chart Version Details -Clicking the chart version number link will open the chart version details view. You can see more details about the specified chart version here. There are three content sections: -* **Summary:** - * readme of the chart - * overall metadata like home, created timestamp and application version - * related helm commands for reference, such as `helm add repo` and `helm install` etc. -![chart details](../../../img/chart-details.png) -* **Dependencies:** - * list all the dependant sun charts with 'name', 'version' and 'repository' fields -![chart dependencies](../../../img/chart-dependencies.png) -* **Values:** - * display the content from `values.yaml` file with highlight code preview - * clicking the icon buttons on the top right to switch the yaml file view to k-v value pair list view -![chart values](../../../img/chart-values.png) - -Clicking the `DOWNLOAD` button on the top right will start the downloading process. - -## Working with ChartMuseum via the Helm CLI - -As a helm chart repository, Harbor can interoperate with Helm CLI. To install Helm CLI, please refer [install helm](https://helm.sh/docs/intro/install/). Run command `helm version` to make sure the version of Helm CLI is v2.9.1+. - -```sh -helm version - -#Client: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"} -#Server: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"} -``` - -### Add Harbor to the Repository List - -Before working, Harbor should be added into the repository list with `helm repo add` command. Two different modes are supported. - -* Add Harbor as a unified single index entry point - - With this mode Helm can be made aware of all the charts located in different projects and which are accessible by the currently authenticated user. - - ```sh - helm repo add --ca-file ca.crt --username=admin --password=Passw0rd myrepo https://xx.xx.xx.xx/chartrepo - ``` - - {{< note >}} - Providing both a CA file and cert files is necessary due to an issue in Helm. - {{< /note >}} - -* Add Harbor project as separate index entry point - - With this mode, Helm can only pull charts in the specified project. - - ```sh - helm repo add --ca-file ca.crt --username=admin --password=Passw0rd myrepo https://xx.xx.xx.xx/chartrepo/myproject - ``` - -### Push Charts to the Repository Server with the CLI - -As an alternative, you can also upload charts via the CLI. It is not supported by the native helm CLI. A plugin from the community should be installed before pushing. Run `helm plugin install` to install the `push` plugin first. - -```sh -helm plugin install https://github.com/chartmuseum/helm-push -``` - -After a successful installation, run the `push` command to upload your charts: - -```sh -helm push --ca-file=ca.crt --username=admin --password=passw0rd chart_repo/hello-helm-0.1.0.tgz myrepo -``` - -{{< note >}} -The `push` command does not yet support pushing a prov file of a signed chart. -{{< /note >}} - -### Install Charts - -Before installing, make sure your helm is correctly initialized with command `helm init` and the chart index is synchronized with command `helm repo update`. - -Search the chart with the keyword if you're not sure where it is: - -```sh -helm search hello - -#NAME CHART VERSION APP VERSION DESCRIPTION -#local/hello-helm 0.3.10 1.3 A Helm chart for Kubernetes -#myrepo/chart_repo/hello-helm 0.1.10 1.2 A Helm chart for Kubernetes -#myrepo/library/hello-helm 0.3.10 1.3 A Helm chart for Kubernetes -``` - -If everything is ready, install the chart in your Kubernetes cluster: - -```sh -helm install --ca-file=ca.crt --username=admin --password=Passw0rd --version 0.1.10 repo248/chart_repo/hello-helm -``` - -For other more helm commands like how to sign a chart, please refer to the [helm doc](https://docs.helm.sh/helm/#helm). - - -## Manage Helm Charts with the OCI-compatible registry of Harbor - -Helm 3 now supports registry operations for an OCI-compatible registry including pushing and pulling. To install the latest Helm CLI, please refer [install helm](https://helm.sh/docs/intro/install/). Please also run `helm version` command to make sure the version of Helm CLI is v3.0.0+. - -```sh -helm version - -#version.BuildInfo{Version:"v3.2.1", GitCommit:"fe51cd1e31e6a202cba7dead9552a6d418ded79a", GitTreeState:"clean", GoVersion:"go1.13.10"} -``` - -### Login to the OCI-compatible registry of Harbor - -Before pull/push helm charts with the OCI-compatible registry of Harbor, Harbor should be logged with `helm registry login` command. - -```sh -helm registry login xx.xx.xx.xx -``` - -{{< note >}} -The CA file used by the Harbor is necessary to be trusted in the system due to an [issue](https://github.com/helm/helm/issues/6324) in Helm. -{{< /note >}} - -### Push Charts to the artifact Repository with the CLI - -After logging in, run the `helm chart save` command to save a chart directory which will prepare the artifact for the pushing. - -```sh -helm chart save dummy-chart xx.xx.xx.xx/library/dummy-chart -``` - - -When the chart was saved run the `helm chart push` command to push your charts: - -```sh -helm chart push xx.xx.xx.xx/library/dummy-chart:version -``` - -### Pull Charts from the artifact Repository with the CLI - -To pull charts from the the OCI-compatible registry of Harbor, run the `helm chart pull` command just like pulling image via docker cli. - -```sh -helm chart pull xx.xx.xx.xx/library/dummy-chart:version -``` - -### Manage Helm Charts artifacts in Harbor Interface - -The charts pushed to the OCI-compatible registry of Harbor are treated like any other type of artifact. We can list, copy, delete, update labels, get details, add or remove tags for them just like we can for container images. - -![chart artifact details](../../../img/chart-artifact-details.png) \ No newline at end of file diff --git a/docs/working-with-projects/working-with-images/pulling-pushing-images.md b/docs/working-with-projects/working-with-images/pulling-pushing-images.md deleted file mode 100644 index 30dc09320..000000000 --- a/docs/working-with-projects/working-with-images/pulling-pushing-images.md +++ /dev/null @@ -1,118 +0,0 @@ ---- -title: Pulling and Pushing Images in the Docker Client -weight: 65 ---- - -Harbor optionally supports HTTP connections, however the Docker client always attempts to connect to registries by first using HTTPS. If Harbor is configured for HTTP, you must configure your Docker client so that it can connect to insecure registries. In your Docker client is not configured for insecure registries, you will see the following error when you attempt to pull or push images to Harbor: - -
-Error response from daemon: Get https://myregistrydomain.com/v1/users/: dial tcp myregistrydomain.com:443 getsockopt: connection refused.
-
- -For information about how to add insecure registries to your Docker client, see [Connecting to Harbor via HTTP](../../install-config/run-installer-script.md#connect-http). - -You also see this error if Harbor uses HTTPS with an unknown CA certificate. In this case, obtain the registry's CA certificate, and copy it to /etc/docker/certs.d/myregistrydomain.com/ca.crt. - -{{< note >}} -Harbor only supports the Registry V2 API. You must use Docker client 1.6.0 or higher when pushing and pulling images. -{{< /note >}} - -## Pulling Images - -If the project that the image belongs to is private, you must sign in first: - -```sh -docker login -``` - -You can now pull an image: - -```sh -docker pull /library/ubuntu:14.04 -``` - -{{< note >}} -You cannot pull an unsigned image if you have enabled content trust. -{{< /note >}} - -## Pushing Images - -Before you can push an image to Harbor, you must create a corresponding project in the Harbor interface. For information about how to create a project, see [Create Projects](../create-projects/_index.md). - -First, log in from Docker client: - -```sh -docker login -``` - -Tag the image: - -```sh -docker tag ubuntu:14.04 /demo/ubuntu:14.04 -``` - -Push the image: - -```sh -docker push /demo/ubuntu:14.04 -``` - -## Add Descriptions to Repositories - -After pushing an image, the project administrator can add information to describe the repository. - -Go into the repository and select the **Info** tab, and click the **Edit** button. Enter a description and click **Save** to save the description. - -![edit info](../../../img/edit-description.png) - -## Download the Harbor Certificate - -Users can click the **Registry Certificate** button to download the registry certificate. - -![browse project](../../../img/download-harbor-certs.png) - -## Deleting Repositories - -Deleting repositories involves two steps. - -First, you delete a repository in the Harbor interface. This is soft deletion. You can delete the entire repository or just one of its tags. After the soft deletion, the repository is no longer managed by Harbor, however, the repository files remain in the Harbor storage. - -![browse project](../../../img/new-delete-repo.png) -![browse project](../../../img/new-delete-tag.png) - -{{< danger >}} -If both tag A and tag B refer to the same image, after deleting tag A, B will also get deleted. if you enabled content trust, you need to use notary command line tool to delete the tag's signature before you delete an image. -{{< /danger >}} - -Next, delete the repository files by running [garbage collection](../../administration/garbage-collection/_index.md) in the Harbor interface. - -## Pulling Images from Harbor in Kubernetes -Kubernetes users can easily deploy pods with images stored in Harbor. The settings are similar to those of any other private registry. There are two issues to be aware of: - -1. When your Harbor instance is hosting HTTP and the certificate is self-signed, you must modify `daemon.json` on each work node of your cluster. For information, see https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry. -2. If your pod references an image under a private project, you must create a secret with the credentials of a user who has permission to pull images from the project. For information, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/. - -## Configure Notary Content Trust - -Make sure that `https` is enabled in `harbor.yml` and the attributes `ssl_cert` and `ssl_cert_key` point to valid certificates. For more information about generating a HTTPS certificate, see [Configure HTTPS Access to Harbor](../../install-config/configure-https.md). - -### Copy the Root Certificate - -If Harbor instance is hosted at 192.168.0.5, ff you are using a self-signed certificate, copy the Harbor CA root cert to `/etc/docker/certs.d/192.168.0.5/` and `~/.docker/tls/192.168.0.5:4443/` on the machine on which you run the Docker client. - -### Enable Docker Content Trust - -You can enable content trust by setting the following environment variables on the machine on which you run the Docker client. - -```sh -export DOCKER_CONTENT_TRUST=1 -export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5:4443 -``` - -### Set Alias for Notary (optional) - -By default the local directory for storing meta files for the Notary client is different from the one for the Docker client. To simplify the use of the Notary client to manipulate the keys/meta files that are generated by Docker content trust, you can set an alias. - -```sh -alias notary="notary -s https://192.168.0.5:4443 -d ~/.docker/trust --tlscacert /etc/docker/certs.d/192.168.0.5/ca.crt" -``` diff --git a/docs/working-with-projects/working-with-images/repositories.md b/docs/working-with-projects/working-with-images/repositories.md deleted file mode 100644 index 3e62f8d75..000000000 --- a/docs/working-with-projects/working-with-images/repositories.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Repositories -weight: 75 ---- - -A repository is a collection of artifacts. Since version v2.0, in addition to container images, Harbor can manage different kinds of artifacts that are bundled in OCI-compatible format, such as helm chart (requires helm v3), CNAB, OPA bundle, etc. - -### List Repositories - -Click your project to enter the project detail page after successful logging in. Click the "Repositories" tab to view the list of of repositories. - -![list_repositories](../../../img/list-repositories.png) - -### Description of a repository - -Click the repository, then click the "Info" tab. You can view the description of the project. Users with project admin, master or developer role can click the "Edit" button to edit the description. You can style the description via Markdown syntax. - -![edit_repository_description](../../../img/edit-repository-description.png) - -### List artifacts in a repository - -Click the "Artifacts" tab to view the list of artifacts in a repository. -Each artifact is identified by its sha256 digest in the list of artifacts, and different types of artifacts can be distinguished by the icon on the left of the digest. Hover your mouse on the icon you can see the name of the type. - -By clicking the icon in the column **Pull Command**, the command to pull the artifact in the row of the icon will be copied to the clipboard. -The column **Annotations** in the grid shows the manifest annotations of the artifact, which are a set of key-value pairs. More details about the annotations please refer to (https://github.com/opencontainers/image-spec/blob/master/annotations.md). -The column **Push Time** in the grid shows the time each artifact is pushed to the registry. - -![list_artifacts](../../../img/list-artifacts.png) - -By clicking the search icon in the top right of the list of artifacts, you can user different types of filters to filter the items in the artifact list. You can choose to filter by type, tags, labels. Particularly, if you choose to filter by tags, you can choose to view only the tagged or untagged artifacts. - -![filter_artifacts](../../../img/filter-artifacts.png) - -Since Harbor v2.0.0, [Image index](https://raw.githubusercontent.com/opencontainers/image-spec/master/image-index.md) can also be managed as an artifact in a repository. If an artifact is an index, there will be a folder icon on the right side of its digest. - -![image_index](../../../img/index-icon.png) - -Click the folder icon, you can see the list of artifacts that is referenced by the index. The artifacts in this view is read only. i.e. You can not remove an artifact from an index via Harbor's UI, and none of the actions like 'copy digest', 'add labels', 'copy' are available. - -![index_detail](../../../img/index-detail.png) diff --git a/docs/working-with-projects/working-with-images/retagging-images.md b/docs/working-with-projects/working-with-images/retagging-images.md deleted file mode 100644 index c170d6ede..000000000 --- a/docs/working-with-projects/working-with-images/retagging-images.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Retagging Artifacts -weight: 75 ---- - -User with sufficient privileges can copy artifacts in Harbor to different repositories and projects. For example, you can copy images as follows: - -- `release/app:stg` --> `release/app:prd` -- `develop/app:v1.0` --> `release/app:v1.0` - -To copy an artifact, you must have read permission (guest role or above) in the source project and write permission (developer role or above) in the target project. - -In the Harbor interface, select the artifact to copy, and click `Copy`. - -![retag artifact](../../../img/retag1.png) - -In the Retag window, enter the project name, repository name, the new tag name, and click **Confirm**. - -![retag artifact](../../../img/retag2.png) \ No newline at end of file diff --git a/src/jobservice/README.md b/src/jobservice/README.md index a7c8e4e94..22fa137b5 100644 --- a/src/jobservice/README.md +++ b/src/jobservice/README.md @@ -37,7 +37,7 @@ With job service, you can: The overall architecture of the job service is shown in the below graph: -![js arch](../../docs/img/jobservice/js-arch.png) +![js arch](https://raw.githubusercontent.com/goharbor/website/master/docs/img/jobservice/js-arch.png) Components: @@ -55,7 +55,7 @@ Components: Currently, the worker (compute node) and controller (control plane) are packaged in one process. To achieve scalability and HA functionality, multiple nodes can be deployed under a LB layer. -![js deployment](../../docs/img/jobservice/js-deploy.png) +![js deployment](https://raw.githubusercontent.com/goharbor/website/master/docs/img/jobservice/js-deploy.png) As described in above graph, the controller and work pool which are located in different nodes can also talk to each other via a virtual channel - the backend persistent driver. That means the job enqueued by a controller may be selected by other worker pool which is located in another node. diff --git a/src/portal/README.md b/src/portal/README.md index c4d6bccf7..ceec0b813 100644 --- a/src/portal/README.md +++ b/src/portal/README.md @@ -1,4 +1,4 @@ -![Harbor UI](../../docs/img/harbor_logo.png) +![Harbor UI](https://raw.githubusercontent.com/goharbor/website/master/docs/img/readme/harbor_logo.png) Harbor UI ============ diff --git a/src/testing/chart_utility.go b/src/testing/chart_utility.go index a6b7a9a49..a085d2ea7 100644 --- a/src/testing/chart_utility.go +++ b/src/testing/chart_utility.go @@ -138,7 +138,7 @@ var chartVersionsOfHarbor = ` } ], "engine": "gotpl", - "icon": "https://raw.githubusercontent.com/vmware/harbor/master/docs/img/harbor_logo.png", + "icon": "https://raw.githubusercontent.com/goharbor/website/master/docs/img/harbor_logo.png", "appVersion": "1.5.0", "urls": [ "charts/harbor-0.2.1.tgz" @@ -171,7 +171,7 @@ var chartVersionsOfHarbor = ` } ], "engine": "gotpl", - "icon": "https://raw.githubusercontent.com/vmware/harbor/master/docs/img/harbor_logo.png", + "icon": "https://raw.githubusercontent.com/goharbor/website/master/docs/img/harbor_logo.png", "appVersion": "1.5.0", "urls": [ "charts/harbor-0.2.0.tgz" @@ -207,7 +207,7 @@ var harborChartV = ` } ], "engine": "gotpl", - "icon": "https://github.com/goharbor/harbor/blob/master/docs/img/harbor_logo.png", + "icon": "https://raw.githubusercontent.com/goharbor/website/master/docs/img/harbor_logo.png", "appVersion": "1.5.0", "urls": [ "charts/harbor-0.2.0.tgz" @@ -226,7 +226,7 @@ var repo1IndexYaml = ` digest: 758ae429f362200a7941c600c8112cc3122723b99ffa5713a0902902da9949ba engine: gotpl home: https://github.com/goharbor/harbor - icon: https://github.com/goharbor/harbor/blob/master/docs/img/harbor_logo.png + icon: https://raw.githubusercontent.com/goharbor/website/master/docs/img/harbor_logo.png keywords: - vmware - docker @@ -285,7 +285,7 @@ var repo2IndexYaml = ` digest: 758ae429f362200a7941c600c8112cc3122723b99ffa5713a0902902da9949ba engine: gotpl home: https://github.com/goharbor/harbor - icon: https://github.com/goharbor/harbor/blob/master/docs/img/harbor_logo.png + icon: https://raw.githubusercontent.com/goharbor/website/master/docs/img/harbor_logo.png keywords: - vmware - docker