Merge branch 'main' into add-client-ip-to-audit-logs

.github/workflows/CI.yml

@@ -89,7 +89,7 @@ jobs:
           bash ./tests/showtime.sh ./tests/ci/ut_run.sh $IP
           df -h
       - name: Codecov For BackEnd
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           file: ./src/github.com/goharbor/harbor/profile.cov
           flags: unittests
@@ -331,7 +331,7 @@ jobs:
           bash ./tests/showtime.sh ./tests/ci/ui_ut_run.sh
           df -h
       - name: Codecov For UI
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           file:  ./src/github.com/goharbor/harbor/src/portal/coverage/lcov.info
           flags: unittests

.github/workflows/auto_assign_prs.yml

@@ -13,6 +13,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set the author of a PR as the assignee
-        uses: kentaro-m/auto-assign-action@v1.2.6
+        uses: kentaro-m/auto-assign-action@v2.0.0
         with:
           configuration-path: ".github/auto-assignees.yml"

make/harbor.yml.tmpl

@@ -17,6 +17,16 @@ https:
   certificate: /your/certificate/path
   private_key: /your/private/key/path
 
+# # Harbor will set ipv4 enabled only by defualt if this block is not configured
+# # Otherwise, please uncomment this block to configure your own ip_family stacks
+# ip_family:
+#   # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
+#   ipv6:
+#     enabled: false
+#   # ipv4Enabled set to true by default, currently it affected the nginx related component
+#   ipv4:
+#     enabled: true
+
 # # Uncomment following will enable tls communication between all harbor components
 # internal_tls:
 #   # set enabled to true means internal tls is enabled

make/photon/prepare/migrations/version_2_10_0/harbor.yml.jinja

@@ -33,6 +33,28 @@ https:
 #   private_key: /your/private/key/path
 {% endif %}
 
+{% if ip_family is defined %}
+# # Harbor will set ipv4 enabled only by defualt if this block is not configured
+# # Otherwise, please uncomment this block to configure your own ip_family stacks
+ip_family:
+  # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
+  ipv6:
+    enabled: {{ ip_family.ipv6.enabled | lower }}
+  # ipv4Enabled set to true by default, currently it affected the nginx related component
+  ipv4:
+    enabled: {{ ip_family.ipv4.enabled | lower }}
+{% else %}
+# # Harbor will set ipv4 enabled only by defualt if this block is not configured
+# # Otherwise, please uncomment this block to configure your own ip_family stacks
+ip_family:
+  # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
+  ipv6:
+    enabled: false
+  # ipv4Enabled set to true by default, currently it affected the nginx related component
+  ipv4:
+    enabled: true
+{% endif %}
+
 {% if internal_tls is defined %}
 # Uncomment following will enable tls communication between all harbor components
 internal_tls:

make/photon/prepare/migrations/version_2_9_0/harbor.yml.jinja

@@ -33,6 +33,28 @@ https:
 #   private_key: /your/private/key/path
 {% endif %}
 
+{% if ip_family is defined %}
+# # Harbor will set ipv4 enabled only by defualt if this block is not configured
+# # Otherwise, please uncomment this block to configure your own ip_family stacks
+ip_family:
+  # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
+  ipv6:
+    enabled: {{ ip_family.ipv6.enabled | lower }}
+  # ipv4Enabled set to true by default, currently it affected the nginx related component
+  ipv4:
+    enabled: {{ ip_family.ipv4.enabled | lower }}
+{% else %}
+# # Harbor will set ipv4 enabled only by defualt if this block is not configured
+# # Otherwise, please uncomment this block to configure your own ip_family stacks
+ip_family:
+  # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
+  ipv6:
+    enabled: false
+  # ipv4Enabled set to true by default, currently it affected the nginx related component
+  ipv4:
+    enabled: true
+{% endif %}
+
 {% if internal_tls is defined %}
 # Uncomment following will enable tls communication between all harbor components
 internal_tls:

make/photon/prepare/templates/nginx/nginx.https.conf.jinja

@@ -50,8 +50,12 @@ http {
   include /etc/nginx/conf.d/*.server.conf;
 
   server {
+    {% if ip_family.ipv4.enabled %}
     listen 8443 ssl;
+    {% endif %}
+    {% if ip_family.ipv6.enabled %}
     listen [::]:8443 ssl;
+    {% endif %}
 #    server_name harbordomain.com;
     server_tokens off;
     # SSL

make/photon/prepare/templates/portal/nginx.conf.jinja

@@ -16,8 +16,13 @@ http {
 
     server {
 {% if internal_tls.enabled %}
+        #ip_family
+    {% if ip_family.ipv4.enabled %}
         listen 8443 ssl;
+    {% endif %}
+    {% if ip_family.ipv6.enabled %}
         listen [::]:8443 ssl;
+    {% endif %}
         # SSL
         ssl_certificate /etc/harbor/tls/portal.crt;
         ssl_certificate_key /etc/harbor/tls/portal.key;

make/photon/prepare/utils/configs.py

@@ -298,6 +298,9 @@ def parse_yaml_config(config_file_path, with_trivy):
             external_database=config_dict['external_database'])
     else:
         config_dict['internal_tls'] = InternalTLS()
+
+    # ip_family config
+    config_dict['ip_family'] = configs.get('ip_family') or {'ipv4': {'enabled': True}, 'ipv6': {'enabled': False}}
 
     # metric configs
     metric_config = configs.get('metric')

make/photon/prepare/utils/nginx.py

@@ -63,7 +63,8 @@ def render_nginx_template(config_dict):
             ssl_cert=SSL_CERT_PATH,
             ssl_cert_key=SSL_CERT_KEY_PATH,
             internal_tls=config_dict['internal_tls'],
-            metric=config_dict['metric'])
+            metric=config_dict['metric'],
+            ip_family=config_dict['ip_family'])
         location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
 
     else:

make/photon/prepare/utils/portal.py

@@ -14,5 +14,6 @@ def prepare_portal(config_dict):
         str(portal_conf_template_path),
         portal_conf,
         internal_tls=config_dict['internal_tls'],
+        ip_family=config_dict['ip_family'],
         uid=DEFAULT_UID,
         gid=DEFAULT_GID)

src/go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190726115642-cd293c93fd97
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
-	github.com/aws/aws-sdk-go v1.34.28
+	github.com/aws/aws-sdk-go v1.50.5
 	github.com/beego/beego/v2 v2.0.6
 	github.com/beego/i18n v0.0.0-20140604031826-e87155e8f0c0
 	github.com/bmatcuk/doublestar v1.3.4
@@ -18,15 +18,15 @@ require (
 	github.com/dghubble/sling v1.1.0
 	github.com/docker/distribution v2.8.2+incompatible
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
-	github.com/go-asn1-ber/asn1-ber v1.5.1
-	github.com/go-ldap/ldap/v3 v3.2.4
-	github.com/go-openapi/errors v0.20.4
-	github.com/go-openapi/loads v0.21.2
+	github.com/go-asn1-ber/asn1-ber v1.5.5
+	github.com/go-ldap/ldap/v3 v3.4.6
+	github.com/go-openapi/errors v0.21.0
+	github.com/go-openapi/loads v0.21.2 // indirect
 	github.com/go-openapi/runtime v0.26.2
-	github.com/go-openapi/spec v0.20.11
+	github.com/go-openapi/spec v0.20.11 // indirect
 	github.com/go-openapi/strfmt v0.21.8
 	github.com/go-openapi/swag v0.22.7
-	github.com/go-openapi/validate v0.22.3
+	github.com/go-openapi/validate v0.22.3 // indirect
 	github.com/go-redis/redis/v8 v8.11.4
 	github.com/gocarina/gocsv v0.0.0-20210516172204-ca9e8a8ddea8
 	github.com/gocraft/work v0.5.1
@@ -88,7 +88,7 @@ require (
 	github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/Unknwon/goconfig v0.0.0-20160216183935-5f601ca6ef4d // indirect