Harbor – Cloud Native Container Registry

0
563
Harbor – Cloud Native Container Registry

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Always having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and offers advanced security features such as user management, vulnerability analysis, access control and activity auditing.

Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.

Features

  • Cloud native registry: With support for both container images and Helm charts, Harbor serves as registry for cloud native environments like container runtimes and orchestration platforms.
  • Management:
    • Role based access control: Users access different repositories through ‘projects’ and a user can have different permission for images or Helm charts under a project.
    • Policy based replication: Images and charts can be replicated (synchronized) between multiple registry instances based on policies with using filters (repository, tag and label). Harbor automatically retries a replication if it encounters any errors. This can be used to assist load balancing, achieve high availability, and facilitate multi-datacenter deployments in hybrid and multi-cloud scenarios.
    • LDAP/AD support: Harbor integrates with existing enterprise LDAP/AD for user authentication and management and supports importing LDAP groups into Harbor that can then be given permissions to specific projects.
    • OIDC support: Harbor leverages OpenID Connect (OIDC) to verify the identity of users authenticated by an external authorization server or identity provider. Single sign-on can be enabled to log into the Harbor portal.
    • Image deletion & garbage collection: System admin can run garbage collection jobs so that images (dangling manifests and unreferenced blobs) can be deleted and their space can be freed up periodically.
    • Graphical user portal: User can easily browse, search repositories and manage projects.
    • Auditing: All the operations to the repositories are tracked through logs.
    • RESTful API: RESTful APIs are provided to facilitate administrative operations and are easy to use for integration with external systems. An embedded Swagger UI is available for exploring and testing the API.
  • Security:
    • Vulnerability Scanning: Harbor scans images regularly for vulnerabilities and has policy checks to prevent vulnerable images from being deployed.
    • Notary: Support signing container images using Docker Content Trust for guaranteeing authenticity and provenance. In addition, policies that prevent unsigned images from being deployed can also be activated.

Architecture

harbor architecture
Harbor Architecture

From now on (Version 2.0), Harbor has been evolved to a complete OCI compliant cloud-native artifact registry.

OCI compliant cloud-native artifact registry means it now supports OCI images and OCI image indexes. An OCI image index is a higher-level manifest which point to a list of image manifests, ideal for one or more platforms. For example, Docker manifest list is a popular implementation of the OCI image index. This also means Harbor now fully supports multi-architecture images.

With Harbor V2.0, users can manage images, manifest lists, Helm charts, CNABs, OPAs among others which all adhere to the OCI image specification. It also allows for pulling, pushing, deleting, tagging, replicating, and scanning such kinds of artifacts. Signing images and manifest list are also possible now.

Harbor comprises the following components placed in the 3 layers:

Data Access Layer

key-value storage: formed by Redis, provides data cache functions and supports temporarily persisting job metadata for the job service.

data storage: multiple storages supported for data persistence as backend storage of registry and chart museum. For checking more details, please refer to the driver list document at docker website and ChartMuseum GitHub repository.

Database: stores the related metadata of Harbor models, like projects, users, roles, replication policies, tag retention policies, scanners, charts, and images. PostgreSQL is adopted.

Fundamental Services

Proxy: reverse-proxy formed by the Nginx Server to provide API routing capabilities. Components of Harbor, such as core, registry, web portal, and token services, etc., are all behind this reversed proxy. The proxy forwards requests from browsers and Docker clients to various backend services.

Core: Harbor’s core service, which mainly provides the following functions:

  • API Server: A HTTP server accepting REST API requests and responding those requests rely on its submodules such as ‘Authentication & Authorization’, ‘Middleware’, and ‘API Handlers’.
    • Authentication & Authorization
      • requests are protected by the authentication service which can be powered by a local database, AD/LDAP or OIDC.
      • RBAC mechanism is enabled for performing authorizations to the related actions, ex: pull/push an image
      • Token service is designed for issuing a token for every docker push/pull command according to a user’s role of a project. If there is no token in a request sent from a Docker client, the Registry will redirect the request to the token service.
    • Middleware: Preprocess some requests in advance to determine whether they match the required criteria and can be passed to the backend components for further processing or not. Some functions are implemented as kinds of middleware, such as ‘quota management’, ‘signature check’, ‘vulnerability severity check’ and ‘robot account parsing’ etc.
    • API Handlers: Handle the corresponding REST API requests, mainly focus on parsing and validating request parameters, completing business logic on top of the relevant API controller, and writing back the generated response.
  • Config Manager: Covers the management of all the system configurations, like authentication type settings, email settings, and certificates, etc.
  • Project Management: Manages the base data and corresponding metadata of the project, which is created to isolate the managed artifacts.
  • Quota Manager: Manages the quota settings of projects and performs the quota validations when new pushes happened.
  • Chart Controller: Proxy the chart related requests to backend chartmuseum and provides several extensions to improve chart management experiences.
  • Retention Manager: Manages the tag retention policies and perform and monitor the tag retention processes
  • Content Trust: add extensions to the trust capability provided by backend Notary to support the smoothly content trust process. At present, only container images are supported to sign.
  • Replication Controller: Manages the replication policies and registry adapters, triggers and monitors the concurrent replication processes. Many registry adapters are implemented:
    • Distribution (docker registry)
    • Docker Hub
    • Huawei SWR
    • Amazon ECR
    • Google GCR
    • Azure ACR
    • Ali ACR
    • Helm Hub
    • Quay
    • Artifactory
    • GitLab Registry
  • Scan Manager: Manages the multiple configured scanners adapted by different providers and provides scan summaries and reports for the specified artifacts.
    • The Trivy scanner provided by Aqua Security,
    • the Anchore Engine scanner provided by Anchore,
    • the Clair scanner sponsored by CentOS (Redhat), a
    • and DoSec Scanner provided by DoSec will be supported.
    • At present, only container images or bundles are built on top of images like the manifest list/OCI index or CNAB bundle are supported to scan.
  • Notification Manager(webhook): A mechanism configured in Harbor so that artifact status changes in Harbor can be populated to the Webhook endpoints configured in Harbor. The interested parties can trigger some follow-up actions by listening to the related webhook events. Now, two ways are supported:
    • HTTP Post request
    • Slack channel
  • OCI Artifact Manager: Core component to manage the lifecycle of all the OCI artifacts across the whole Harbor registry. It provides the CRUD operations to manage the metadata and related additions such as scanning report, building history of container images and readme, dependencies, and value.yaml of helm charts, etc. of the artifact, it also supports the capabilities of managing artifact tags and other helpful operations.
  • Registry Driver: Implemented as a registry client SDK to do communications with the underlying registry (docker distribution at this moment). ‘OCI Artifact Manager’ relies on this driver to get additional info from the manifest and even config JSON of the specified artifact that located at the underlying registry.

Job Service: General job execution queue service to let other components/services submit requests of running asynchronous tasks concurrently with simple restful APIs

Log collector: Log collector, responsible for collecting logs of other modules into a single place.

GC Controller: manages the online GC schedule settings and start and track the GC progress.

Chart Museum: a 3rd party chart repository server providing chart management and access APIs.

Docker Registry: a 3rd party registry server, responsible for storing Docker images and processing Docker push/pull commands. As Harbor needs to enforce access control to images, the Registry will direct clients to a token service to obtain a valid token for each pull or push request.

Notary: a 3rd party content trust server, responsible for securely publishing and verifying content.

Reference: https://github.com/goharbor/harbor/wiki/Architecture-Overview-of-Harbor

Consumers

As a standard cloud-native artifact registry, the related clients will be naturally supported, like docker CLI, notary client, OCI compatible client like Oras, and Helm. Besides those clients, Harbor also provides a web portal for the administrators to easily manage and monitor all the artifacts.

Web Portal: a graphical user interface to help users manage images on the Registry

Community

Twitter: @project_harbor
Slack: Join Harbor’s community for discussion and ask questions: Cloud Native Computing Foundation, channel: #harbor and #harbor-dev

NO COMMENTS