Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add init containers #1423

Merged
merged 4 commits into from
Jun 18, 2024
Merged

feat: add init containers #1423

merged 4 commits into from
Jun 18, 2024

Conversation

kimxogus
Copy link
Contributor

Add init containers to each deployment components

@kimxogus
feat: add init containers
0457580 
Signed-off-by: Taehyun Kim <[email protected]>
@kimxogus kimxogus force-pushed the feat/init-containers branch from 5ae092d to 0457580 Compare February 27, 2023 05:48
@zyyw
Copy link
Collaborator

zyyw commented Mar 9, 2023

@kimxogus could you please justify why we need this init containers?

@kimxogus
Copy link
Contributor Author

kimxogus commented Mar 9, 2023

@zyyw As harbor-registry component doesn't check if the pod has proper iam permission(not like https://github.com/distribution/distribution), I'd like to prevent pod from running if pod doesn't have proper iam permission.

As I have to use kiam or kube2iam to use harbor-registry, there could be mistakes like assigning wrong node groups which don't have permission to assume kiam/kube2iam role.

@rwd5213
Copy link

rwd5213 commented Jan 31, 2024

Hi, we actually need this for Trivy init container. when in offline environments we need an init container that downloads the vulnerability data base to the trivy container

@Vad1mo
Copy link
Member

Vad1mo commented Jan 31, 2024

IMO, Trivy can download the DB itself? Why are you using the init container?

@rwd5213
Copy link

rwd5213 commented Feb 2, 2024
edited
Loading

Because of environment where it cannot download the database from the open internet, we use an init container to pull the database from S3 for example. I am not aware of a way to directly tell Trivy where to download the data base from. Basically to automate this https://aquasecurity.github.io/trivy/v0.49/docs/advanced/air-gap/

@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 3, 2024

This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.

@github-actions github-actions bot added the Stale label Apr 3, 2024
@Vad1mo
Copy link
Member

Vad1mo commented Apr 3, 2024

I don't find this to be a bad idea, there are a many uses cases that I can think of that would simplify the user of harbor with an init container.

@kimxogus @rwd5213 can you rebase and resolve the conflicts, I would like to get those changes in.

@Vad1mo Vad1mo removed the Stale label Apr 3, 2024
@Vad1mo Vad1mo self-requested a review April 3, 2024 19:55
@rwd5213
Copy link

rwd5213 commented Apr 3, 2024

@kimxogus I realized this is missing the init container in the in the https://github.com/goharbor/harbor-helm/blob/main/templates/trivy/trivy-sts.yaml, any chance you can add it there as well?

@kimxogus kimxogus force-pushed the feat/init-containers branch from 645e7f2 to d8da1a0 Compare April 4, 2024 02:14
@kimxogus
Copy link
Contributor Author

kimxogus commented Apr 4, 2024

Merged current main and also applied to trivy statefulset.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 3, 2024

This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.

@github-actions github-actions bot added the Stale label Jun 3, 2024
@MaximilianB134
Copy link

Hi, I just wanted to state that we also need init containers, if you guys might want another justification for it. Our storage class always creates PVCs in a way that only root can write to it and with an init container we could automate/streamline the setup process so that harbor works directly and no manual intervention is needed.

@github-actions github-actions bot removed the Stale label Jun 8, 2024
MinerYang
MinerYang requested changes Jun 18, 2024
View reviewed changes
Copy link
Collaborator

@MinerYang MinerYang left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we also add this to database sts to keep consistency?

@kimxogus kimxogus force-pushed the feat/init-containers branch from dbb0dd3 to 34b03df Compare June 18, 2024 06:09
@kimxogus
Copy link
Contributor Author

@MinerYang I've just added init containers for database and redis.

@kimxogus kimxogus force-pushed the feat/init-containers branch from 34b03df to e5c177c Compare June 18, 2024 06:10
@Vad1mo
Copy link
Member

Vad1mo commented Jun 18, 2024
edited
Loading

@kimxogus @MinerYang -> Merging can be performed automatically once the requested changes are addressed.

@zyyw zyyw merged commit 1569536 into goharbor:main Jun 18, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MinerYang MinerYang MinerYang approved these changes

@zyyw zyyw zyyw approved these changes

@Vad1mo Vad1mo Vad1mo approved these changes

Assignees
No one assigned
Labels
target/1.15.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@kimxogus @zyyw @rwd5213 @Vad1mo @MaximilianB134 @MinerYang