Merge branch 'main' into enable_http2_and_use_more_secure_ciphers

Signed-off-by: MinerYang <[email protected]>

Makefile

@@ -103,12 +103,12 @@ PKGVERSIONTAG=dev
 PREPARE_VERSION_NAME=versions
 
 #versions
-REGISTRYVERSION=v2.8.0-patch-redis
+REGISTRYVERSION=v2.8.2-patch-redis
 TRIVYVERSION=v0.39.0
 TRIVYADAPTERVERSION=v0.30.10
 
 # version of registry for pulling the source code
-REGISTRY_SRC_TAG=v2.8.0
+REGISTRY_SRC_TAG=v2.8.2
 
 # dependency binaries
 REGISTRYURL=https://storage.googleapis.com/harbor-builds/bin/registry/release-${REGISTRYVERSION}/registry

make/photon/prepare/templates/nginx/nginx.https.conf.jinja

@@ -58,7 +58,7 @@ http {
     ssl_certificate_key {{ssl_cert_key}};
 
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-    ssl_protocols TLSv1.2;
+    ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:10m;

make/photon/prepare/templates/portal/nginx.conf.jinja

@@ -21,7 +21,7 @@ http {
         ssl_certificate /etc/harbor/tls/portal.crt;
         ssl_certificate_key /etc/harbor/tls/portal.key;
 
-        ssl_protocols TLSv1.2;
+        ssl_protocols TLSv1.2 TLSv1.3;
     {% if internal_tls.strong_ssl_ciphers %}
         ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
     {% else %}

make/photon/registry/builder

@@ -22,12 +22,6 @@ cur=$PWD
 TEMP=`mktemp -d ${TMPDIR-/tmp}/distribution.XXXXXX`
 git clone -b $VERSION https://github.com/distribution/distribution.git $TEMP
 
-# add patch 2815
-echo 'add patch https://github.com/distribution/distribution/pull/2815 ...'
-cd $TEMP
-wget https://github.com/distribution/distribution/pull/2815.patch
-git apply 2815.patch
-
 # add patch redis
 cd $TEMP
 git apply $cur/redis.patch

src/controller/artifact/controller.go

@@ -154,7 +154,7 @@ func (c *controller) Ensure(ctx context.Context, repository, digest string, opti
 	}
 	if option != nil {
 		for _, tag := range option.Tags {
-			if err = c.tagCtl.Ensure(ctx, artifact.RepositoryID, artifact.ID, tag); err != nil {
+			if _, err = c.tagCtl.Ensure(ctx, artifact.RepositoryID, artifact.ID, tag); err != nil {
 				return false, 0, err
 			}
 		}

src/controller/artifact/controller_test.go

@@ -250,7 +250,7 @@ func (c *controllerTestSuite) TestEnsure() {
 	c.artMgr.On("GetByDigest", mock.Anything, mock.Anything, mock.Anything).Return(nil, errors.NotFoundError(nil))
 	c.artMgr.On("Create", mock.Anything, mock.Anything).Return(int64(1), nil)
 	c.abstractor.On("AbstractMetadata").Return(nil)
-	c.tagCtl.On("Ensure").Return(nil)
+	c.tagCtl.On("Ensure").Return(int64(1), nil)
 	c.accMgr.On("Ensure").Return(nil)
 	_, id, err := c.ctl.Ensure(orm.NewContext(nil, &ormtesting.FakeOrmer{}), "library/hello-world", digest, &ArtOption{
 		Tags: []string{"latest"},
@@ -563,7 +563,7 @@ func (c *controllerTestSuite) TestCopy() {
 	c.abstractor.On("AbstractMetadata").Return(nil)
 	c.artMgr.On("Create", mock.Anything, mock.Anything).Return(int64(1), nil)
 	c.regCli.On("Copy", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
-	c.tagCtl.On("Ensure").Return(nil)
+	c.tagCtl.On("Ensure").Return(int64(1), nil)
 	c.accMgr.On("Ensure", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
 	_, err := c.ctl.Copy(orm.NewContext(nil, &ormtesting.FakeOrmer{}), "library/hello-world", "latest", "library/hello-world2")
 	c.Require().Nil(err)

src/controller/proxy/controller.go

@@ -35,6 +35,7 @@ import (
 	"github.com/goharbor/harbor/src/lib/log"
 	"github.com/goharbor/harbor/src/lib/orm"
 	proModels "github.com/goharbor/harbor/src/pkg/project/models"
+	model_tag "github.com/goharbor/harbor/src/pkg/tag/model/tag"
 )
 
 const (
@@ -117,7 +118,17 @@ func (c *controller) EnsureTag(ctx context.Context, art lib.ArtifactInfo, tagNam
 	if a == nil {
 		return fmt.Errorf("the artifact is not ready yet, failed to tag it to %v", tagName)
 	}
-	return tag.Ctl.Ensure(ctx, a.RepositoryID, a.Artifact.ID, tagName)
+	tagID, err := tag.Ctl.Ensure(ctx, a.RepositoryID, a.Artifact.ID, tagName)
+	if err != nil {
+		return err
+	}
+	// update the pull time of tag for the first time cache
+	return tag.Ctl.Update(ctx, &tag.Tag{
+		Tag: model_tag.Tag{
+			ID:       tagID,
+			PullTime: time.Now(),
+		},
+	}, "PullTime")
 }
 
 func (c *controller) UseLocalBlob(ctx context.Context, art lib.ArtifactInfo) bool {

src/controller/tag/controller.go

@@ -41,7 +41,7 @@ var (
 // Controller manages the tags
 type Controller interface {
 	// Ensure
-	Ensure(ctx context.Context, repositoryID, artifactID int64, name string) error
+	Ensure(ctx context.Context, repositoryID, artifactID int64, name string) (int64, error)
 	// Count returns the total count of tags according to the query.
 	Count(ctx context.Context, query *q.Query) (total int64, err error)
 	// List tags according to the query
@@ -74,7 +74,7 @@ type controller struct {
 }
 
 // Ensure ...
-func (c *controller) Ensure(ctx context.Context, repositoryID, artifactID int64, name string) error {
+func (c *controller) Ensure(ctx context.Context, repositoryID, artifactID int64, name string) (int64, error) {
 	query := &q.Query{
 		Keywords: map[string]interface{}{
 			"repository_id": repositoryID,
@@ -85,43 +85,44 @@ func (c *controller) Ensure(ctx context.Context, repositoryID, artifactID int64,
 		WithImmutableStatus: true,
 	})
 	if err != nil {
-		return err
+		return 0, err
 	}
 	// the tag already exists under the repository
 	if len(tags) > 0 {
 		tag := tags[0]
 		// the tag already exists under the repository and is attached to the artifact, return directly
 		if tag.ArtifactID == artifactID {
-			return nil
+			return tag.ID, nil
 		}
 		// existing tag must check the immutable status and signature
 		if tag.Immutable {
-			return errors.New(nil).WithCode(errors.PreconditionCode).
+			return 0, errors.New(nil).WithCode(errors.PreconditionCode).
 				WithMessage("the tag %s configured as immutable, cannot be updated", tag.Name)
 		}
 		// the tag exists under the repository, but it is attached to other artifact
 		// update it to point to the provided artifact
 		tag.ArtifactID = artifactID
 		tag.PushTime = time.Now()
-		return c.Update(ctx, tag, "ArtifactID", "PushTime")
+		return tag.ID, c.Update(ctx, tag, "ArtifactID", "PushTime")
 	}
 
 	// the tag doesn't exist under the repository, create it
 	// use orm.WithTransaction here to avoid the issue:
 	// https://www.postgresql.org/message-id/002e01c04da9%24a8f95c20%2425efe6c1%40lasting.ro
+	tagID := int64(0)
 	if err = orm.WithTransaction(func(ctx context.Context) error {
 		tag := &Tag{}
 		tag.RepositoryID = repositoryID
 		tag.ArtifactID = artifactID
 		tag.Name = name
 		tag.PushTime = time.Now()
-		_, err = c.Create(ctx, tag)
+		tagID, err = c.Create(ctx, tag)
 		return err
 	})(orm.SetTransactionOpNameToContext(ctx, "tx-tag-ensure")); err != nil && !errors.IsConflictErr(err) {
-		return err
+		return 0, err
 	}
 
-	return nil
+	return tagID, nil
 }
 
 // Count ...

src/controller/tag/controller_test.go

@@ -68,7 +68,7 @@ func (c *controllerTestSuite) TestEnsureTag() {
 		ID: 1,
 	}, nil)
 	c.immutableMtr.On("Match").Return(false, nil)
-	err := c.ctl.Ensure(orm.NewContext(nil, &ormtesting.FakeOrmer{}), 1, 1, "latest")
+	_, err := c.ctl.Ensure(orm.NewContext(nil, &ormtesting.FakeOrmer{}), 1, 1, "latest")
 	c.Require().Nil(err)
 	c.tagMgr.AssertExpectations(c.T())
 
@@ -89,7 +89,7 @@ func (c *controllerTestSuite) TestEnsureTag() {
 		ID: 1,
 	}, nil)
 	c.immutableMtr.On("Match").Return(false, nil)
-	err = c.ctl.Ensure(orm.NewContext(nil, &ormtesting.FakeOrmer{}), 1, 1, "latest")
+	_, err = c.ctl.Ensure(orm.NewContext(nil, &ormtesting.FakeOrmer{}), 1, 1, "latest")
 	c.Require().Nil(err)
 	c.tagMgr.AssertExpectations(c.T())
 
@@ -103,7 +103,7 @@ func (c *controllerTestSuite) TestEnsureTag() {
 		ID: 1,
 	}, nil)
 	c.immutableMtr.On("Match").Return(false, nil)
-	err = c.ctl.Ensure(orm.NewContext(nil, &ormtesting.FakeOrmer{}), 1, 1, "latest")
+	_, err = c.ctl.Ensure(orm.NewContext(nil, &ormtesting.FakeOrmer{}), 1, 1, "latest")
 	c.Require().Nil(err)
 	c.tagMgr.AssertExpectations(c.T())
 }

src/portal/src/app/base/left-side-nav/clearing-job/gc-page/gc/gc.component.html

@@ -56,6 +56,14 @@
             <span class="explain">{{ 'GC.EXPLAIN' | translate }}</span>
         </div>
     </div>
+    <div class="clr-row">
+        <div class="clr-col-2 flex-200"></div>
+        <div class="clr-col">
+            <span class="explain">{{
+                'GC.EXPLAIN_TIME_WINDOW' | translate
+            }}</span>
+        </div>
+    </div>
     <div class="clr-row">
         <div class="clr-col-2 flex-200"></div>
         <div class="clr-col">

src/portal/src/i18n/lang/de-de-lang.json

@@ -1228,6 +1228,7 @@
         "PARAMETERS": "Parameter",
         "DELETE_UNTAGGED": "Erlaube Speicherbereinigung auf Artefakte ohne Tag",
         "EXPLAIN": "Speicherbereinigung (Garbage Collection / GC) ist eine rechenintensive Operation, die die Registry-Leistung beeinflussen kann",
+        "EXPLAIN_TIME_WINDOW": "Artifacts uploaded in the past 2 hours(the default window) are excluded from garbage collection",
         "DRY_RUN_SUCCESS": "Probelauf erfolgreich gestartet"
     },
     "RETAG": {

src/portal/src/i18n/lang/en-us-lang.json

@@ -1228,6 +1228,7 @@
         "PARAMETERS": "Parameters",
         "DELETE_UNTAGGED": "Allow garbage collection on untagged artifacts",
         "EXPLAIN": "GC is a compute intensive operation that may impact registry performance",
+        "EXPLAIN_TIME_WINDOW": "Artifacts uploaded in the past 2 hours(the default window) are excluded from garbage collection",
         "DRY_RUN_SUCCESS": "Triggered dry run successfully"
     },
     "RETAG": {

src/portal/src/i18n/lang/es-es-lang.json

@@ -1225,6 +1225,7 @@
         "PARAMETERS": "Parameters",
         "DELETE_UNTAGGED": "Allow garbage collection on untagged artifacts",
         "EXPLAIN": "GC is a compute intensive operation that may impact registry performance",
+        "EXPLAIN_TIME_WINDOW": "Artifacts uploaded in the past 2 hours(the default window) are excluded from garbage collection",
         "DRY_RUN_SUCCESS": "Triggered dry run successfully"
     },
     "RETAG": {

src/portal/src/i18n/lang/fr-fr-lang.json

@@ -1195,6 +1195,7 @@
         "PARAMETERS": "Paramètres",
         "DELETE_UNTAGGED": "Supprimer les artefacts non tagués",
         "EXPLAIN": "GC est une opération gourmande en puissance de calcul qui peut impacter les performances  du registre",
+        "EXPLAIN_TIME_WINDOW": "Artifacts uploaded in the past 2 hours(the default window) are excluded from garbage collection",
         "DRY_RUN_SUCCESS": "Exécution à blanc déclenchée avec succès"
     },
     "RETAG": {

src/portal/src/i18n/lang/pt-br-lang.json

@@ -1225,6 +1225,7 @@
         "PARAMETERS": "Parâmetros",
         "DELETE_UNTAGGED": "Permitir coleta de artefatos sem tags",
         "EXPLAIN": "A limpeza exige recursos computacionais e pode impactar performance.",
+        "EXPLAIN_TIME_WINDOW": "Artifacts uploaded in the past 2 hours(the default window) are excluded from garbage collection",
         "DRY_RUN_SUCCESS": "Teste executado com sucesso"
     },
     "RETAG": {

src/portal/src/i18n/lang/tr-tr-lang.json

@@ -1228,6 +1228,7 @@
         "PARAMETERS": "Parameters",
         "DELETE_UNTAGGED": "Allow garbage collection on untagged artifacts",
         "EXPLAIN": "GC is a compute intensive operation that may impact registry performance",
+        "EXPLAIN_TIME_WINDOW": "Artifacts uploaded in the past 2 hours(the default window) are excluded from garbage collection",
         "DRY_RUN_SUCCESS": "Triggered dry run successfully"
     },
     "RETAG": {

src/portal/src/i18n/lang/zh-cn-lang.json

@@ -1225,6 +1225,7 @@
         "PARAMETERS": "参数",
         "DELETE_UNTAGGED": "允许回收无 tag 的 artifacts",
         "EXPLAIN": "垃圾回收是一个计算密集型操作，可能会影响仓库性能",
+        "EXPLAIN_TIME_WINDOW": "在最近的两小时（默认窗口期）内被推送的 Artifacts 不会被当做垃圾回收的目标",
         "DRY_RUN_SUCCESS": "触发模拟运行成功"
     },
     "RETAG": {

src/portal/src/i18n/lang/zh-tw-lang.json

@@ -1217,6 +1217,7 @@
     "PARAMETERS": "參數",
     "DELETE_UNTAGGED": "允許對未標籤檔案進行垃圾收集",
     "EXPLAIN": "清理垃圾是一個計算密集的操作，可能影響註冊表的效能",
+    "EXPLAIN_TIME_WINDOW": "Artifacts uploaded in the past 2 hours(the default window) are excluded from garbage collection",
     "DRY_RUN_SUCCESS": "成功觸發測試執行"
   },
   "RETAG": {

src/testing/controller/tag/controller.go

@@ -15,9 +15,9 @@ type FakeController struct {
 }
 
 // Ensure ...
-func (f *FakeController) Ensure(ctx context.Context, repositoryID, artifactID int64, name string) error {
+func (f *FakeController) Ensure(ctx context.Context, repositoryID, artifactID int64, name string) (int64, error) {
 	args := f.Called()
-	return args.Error(0)
+	return int64(0), args.Error(1)
 }
 
 // Count ...