What's New
New Features
-
System Level Robot Account
- Introduce system-level robot accounts to enable them to access multiple projects.
- Support for Aqua CSP Scanner
- Selective API access for robot accounts
- $sign removed from robot accounts names
-
Metrics & Observability
Enable Harbor to expose performance & system information indicators to provide observability. -
OIDC Admin Group
Allows specifying a special privileged admin group for OIDC auth, achieving parity with LDAP auth -
Additional Features
- Migrate GC/Scan all/Tag Retention and Replication to task manager/scheduler.
- Enhance the proxy cache to support Google Container Registry(GCR), Elastic Container Registry(ECR), Azure Container Registry(Azure), Quay.io.
- Support Dell EMC ECS s3(version 3.3.0.0).
- Bump up Trivy 0.14, support pluggable scanner spec v1.1.(https://github.com/goharbor/pluggable-scanner-spec)
- Refine project manage & robot API to support both project ID & Name as indicator.
- Golang v1.15.6. Harbor is now built using Golang v1.15.6 as of this release.
Upgrade Considerations
- Certificate Impact: Since Harbor is compiled by Golang v1.15.6, the certificates may need to be updated. Go
1.15.0
introduced changes to SSL/TLS connection validation which requires certificates to include aSAN
. This field was not included in older certificates are generated by Harbor prepare script. For more information, see Go GitHub issue golang/go#39568. - After upgrading, you may face an issue that the CPU usage is very high. This can occur if there are a number of retention job records. Please refer to #14358 for details. It is recommended to hold off the upgrade and wait for v2.2.1. This will not occur with a fresh install.
Deprecations
- Deprecate built-in Clair. Users still have the option to install Clair in out-of-tree fashion by pairing with Harbor through its interrogation services framework.
- The ChartMuseum is scheduled to be deprecated in a future v2.4.0 release.
Known issues
- If you upgrade from v2.1.x you may see issues sign image using a pre-generated key, more details see #14932, this will be fixed in v2.2.3 and v2.3.1
- Fixing #14932 will cause another break change in the future: If a key is created when signing the image in v2.2.0, a similar key decoding issue like #14932 will happen if you upgrade from v2.2.0 to v2.2.3 or to v2.3.1
Breaking Changes
- API: The
/systeminfo
API now displays less information when the request is triggered by an unauthenticated user. For details please refer to the following issue comment:
#9149 (comment) - Scan Report: After upgrading to v2.2, all scan reports in the previous version have been deleted due to changes in the vulnerability database scheme. Please rescan the artifacts to obtain the reports.
Resolved Issues
Contributors
- Will Sun
- Qian Deng
- Wang Yan
- He Weiwei
- danfengliu
- Daniel Jiang
- Wenkai Yin(尹文开)
- stonezdj(Daojun Zhang)
- Ziming
- Abigail McCarthy
- Chlins Zhang
- Dirk Mueller
- sluetze
- mmpei
- 疯魔慕薇
- Thoro
- Steven Zou
- Ángel Barrera
- Bo Shao
- Greg
- Sven Haardiek
- prahaladdarkin
- Flávio Ramalho
- KeisukeYamashita
- Daniel Pacak