[Feature Request] Harbor as combined registry and registry mirror

[tschwaller]

If you configure Harbor as a local registry mirror, then it only acts as a mirror server and no longer accepts image pushing requests. As an administrator I would like to be able to use a single Harbor instance for both use cases.

The Harbor registry could then be configured as gatekeeper, i.e. as the only allowed registry to pull images from. Images from the Internet would be automatically scanned by Harbor and disallowed to be pulled according to CVE severity level. One would also avoid downloading images and pushing them to Harbor all the time just to get them scanned, since this is now a fully automated process.

Harbor should be configurable as local registry mirror for several external registries (not just one). In a first step all needed images are cached, but in a second step one should be able to configure which images can be used (e.g. per project, using regular expressions, using Quota limits, etc.).

[tschwaller]

Another use case for PKS encountered at several customers. Internal customer registries are often not using certificates (not a best practice, but simplifies internal registry use). Since PKS does not allow to connect to such registries (i.e. not using certificates) it is necessary to change the dockerd configuration of the k8s worker nodes by hand (which will be overwritten each time bosh deploys/heals nodes). So using a Harbor registry as local mirror (for the unsecured internal registry) and as a regular registry for k8s clusters deployed by PKS would solve this problem.

[ghost]

Hi @tschwaller – good to hear from you. PKS? What's that? 😉

This is definitely on the radar; take a look at goharbor/community#40.

[manojbadam]

Harbor should be configurable as local registry mirror for several external registries (not just one).

👍 Waiting for this..

[steven-zou]

Transfer all the requirements to @xaleeks for tracking.

[mariolenz]

As an administrator I would like to be able to use a single Harbor instance for both use cases.

This would be really awesome :-)

The Harbor registry could then be configured as gatekeeper, i.e. as the only allowed registry to pull images from. Images from the Internet would be automatically scanned by Harbor and disallowed to be pulled according to CVE severity level.

That's just what we need in our (pretty restricted enterprise) environment.

In a first step all needed images are cached, but in a second step one should be able to configure which images can be used (e.g. per project, using regular expressions, using Quota limits, etc.).

Definitely useful. Our IT-Security would want to have a way to whitelist images that are allowed so people can't just pull everything. But I a agree that is a second step.

[michmike]

related to #8082

[xaleeks]

@tschwaller Tom, we are tackling this in v2.1. Please track the ticket Michael linked, and I will share the prd with you as well if you want to add some more requirements

[ambition-consulting]

I second this requirement. Anything else will make Docker+Harbor painful in big corporate companies that require both caching and a local registry simultaneously.