-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow for configuring the docker hub registry endpoint via API #21385
base: main
Are you sure you want to change the base?
feat: allow for configuring the docker hub registry endpoint via API #21385
Conversation
a250a3e
to
2df26b3
Compare
/label release-note/enhancement |
2df26b3
to
d33cf33
Compare
@Vad1mo any feedback on the approach? Do you want me to write an apitest? |
Makes sense to me.. It might be the stupid questions. but why is the URL hardcoded and not changeable in the first place? |
I have no idea why it is hardcoded 😅 If you want me to change the UI as well to allow changing it. I can do it as part of this PR or another. Just let me know what you guys would prefer on how to continue |
We're doing this due to the behavior in the upstream. You can refer to the following link for more details: https://github.com/moby/moby/blob/master/registry/config.go#L43. @tuunit, If you need to access Docker Hub through a proxy, you should configure the proxy for harbor-core and jobservice, rather than updating the Docker Hub URL. |
@wy65701436 thanks for actually finding the original place in the moby code base 😅 Nevertheless, I already know that is the official registry URL of docker hub. But as explained in my PR description, it is sometimes necessary to run Harbor inside an air gapped / private environment without direct internet access and therefore replications / caching might need to go through a simple reverse proxy to communicate with the public web. For this purpose it would be great to keep the logic of the |
The strategy Docker is following is for commercial reasons and backwards compatibility only. We should not limit ourselves to that. If we ask ourselves why people user Harbor. One of the big arguments for Harbor is replication.
Regarding this PR or its further thinking
Personally, I don't see any strong argument against it, or any negative consequences. |
Hi @tuunit |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good to me, but could you provide additional information from your side? For example, a screenshot and detailed logs after modifying the URL and successfully replicating images through the reverse proxy would be really helpful. Since we don't have a test case to validate this, it would give us more confidence in the implementation.
I have one concern: after updating the URL through the API, the UI still shows the default value. I believe we could either update the front-end code accordingly or fork Harbor on your side to address this.
This looks like a show-stopper... |
No offence but have you ever worked in government project? Or any air gap environments that doesn't allow ANY internet access except from one single proxy that is highly monitored and controlled? I've seen setups like this often enough at my previous employer. Harbor might run inside an internal network without any internet access whatsoever so re-routing to a proxy is the only option which will most likely be behind multiple other hardware loadbalancers and firewalls. |
I will provide some screenshots and logs later.
This isn't correct, it's even worse right now. The UI shows a different URL after updating it via the API but the registry URL is not used inside the code. So it currently seems like you can change it via the API but it doesn't do anything. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #21385 +/- ##
==========================================
+ Coverage 45.36% 46.22% +0.86%
==========================================
Files 244 247 +3
Lines 13333 13883 +550
Branches 2719 2875 +156
==========================================
+ Hits 6049 6418 +369
- Misses 6983 7126 +143
- Partials 301 339 +38
Flags with carried forward coverage won't be shown. Click here to find out more. |
763e7bc
to
1133c64
Compare
Signed-off-by: Jan Larwig <[email protected]>
1133c64
to
ac91c46
Compare
Comprehensive Summary of your change
This PR adds the possibility to change the registry endpoint of DockerHub via API. This is useful for Harbor instances that run in airgapped environments and have to go through a DMZ or use a reverse proxy to access DockerHub.
Why not just use a normal Docker Registry type instead of the DockerHub adapter?
Because of the logic for
library
images which only applies to the Registry Type DockerHub:harbor/src/server/middleware/repoproxy/proxy.go
Lines 128 to 144 in 8bf710a
By allowing to change the registry endpoint for DockerHub, those kinds of environments can still benefit from the
library
substitution logic.Please indicate you've done the following: