harbor.yml option for registry `http.relativeurls` / back-port fix for "unknown blob" issue from helm-chart to photon

Created on 3 Jun 2020 · 3Comments · Source: goharbor/harbor

I am reverse-proxying an http-only deployment of harbor behind a manually-managed nginx proxy.

When pushing existing layers to the registry, I got the unknown blob error.

The workaround posted in https://github.com/goharbor/harbor-helm/issues/174#issuecomment-484161686 is to set common/config/registry/config.yml http.relativeurls=true .

However, those changes get overriden when running ./install.sh.

This issue was previously discovered and fixed in the helm chart:
https://github.com/goharbor/harbor-helm/issues/174 fixes

I think that this should be fixed in the docker-compose.yml deploy as well, either automatically (by detecting if harbor.yml external_url is set, or through another option in harbor.yml.

manually-managed (=external) nginx.conf

...
    location / {
      client_max_body_size 0;
      chunked_transfer_encoding on;
      proxy_buffering off;
      proxy_request_buffering off;
      proxy_http_version 1.1;
      proxy_pass                          http://127.0.0.1:7000;
      proxy_set_header  Host              $http_host;   # required for docker client's sake
      proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
      proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
    }
...

harbor.yml

http:
  port: 127.0.0.1:7000                                                                                        

#https:                                                                                                                 
#  # https port for harbor, default is 443                                                                   
#  port: 443                                                                                                        
#  # The path of cert and key files for nginx     
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path         

external_url: https://registry.example.com

harbor release: v2.0.0

kinrequirement

Source

problame

👍2

Most helpful comment

Having harbor (or any kind of service for that matter) behind a proxy or firewall is a really common practice. Thus it really would make sense to add that setting to harbor.yml so our setups don't potentially break every ./prepare run. Of course, there a ways around this, but harbor.yml is objectively the place were this should be handled.

So, please add this feature. 👍

ls42 on 10 Sep 2020

👍4

All 3 comments

I understand the problem and the fix

But I personally think we have to refrain from adding too many options to the installer to satisfy all kinds of customization.

We'll discuss it, but can't commit to fix it in the short term.

reasonerjt on 5 Jun 2020

So, please add this feature. 👍

ls42 on 10 Sep 2020

👍4

I can only agree that this is a major problem. Basically we have to change the default with every update/upgrade. Why not change it in the default template when there is no downside in setting it? The upside is that it works out-of-the-box for more setups.

The only thing that we needed to add to the "goharbor/registry-photon" container in the docker-compose file:

environment:
  - REGISTRY_HTTP_RELATIVEURLS=true

However, it makes much more sense to add this as an option in case it has some downside. Allowing that in the Helm Chart but not in the docker-compose file looks to me like a mishap because the argument is then invalid to not allow too many options becauase the option is already in the Helm chart but not in the docker-compose file.

Say the word and i will do the PR if that is what is the problem.