/harbor-cleaner

Clean images in Harbor by policies

Primary LanguageGoApache License 2.0Apache-2.0

中文

Harbor Cleaner

Clean images in Harbor by policies.

Features

  • Delete tags without side effects As we known when we delete a tag from a repo in docker registry, the underneath manifest is deleted, so are other tags what share the same manifest. In this tool, we protect tags from such situation.
  • Delete by policies Support delete tags by configurable policies
  • Dry run before actual cleanup To see what would be cleaned up before performing real cleanup.
  • Cron Schedule Schedule the cleanup regularly by cron.

Concepts

Image Project Repo Tag
library/busybox:1.30.0 library busybox 1.30.0
release/devops/tools:v1.0 release devops/tools v1.0

Policies

Number Policy

Number policy will retain latest N tags for each repo and remove other old ones. Latest tags are determined by images' creation time.

numberPolicy:
    number: 5

This policy takes only one argument, the number of tags to retain.

Regex Policy

Regex policy removes images that match the given repo and tag regex patterns. A tag will be removed only when following conditions are all satisfied:

  • It matches at least one repo pattern
  • It matches at least one tag pattern

Regex here are Golang supported regex. For example .* matches all.

regexPolicy:
    repos: [".*"]
    tags: [".*-alpha.*", "dev"]

The above policy config will remove tags from all repos that are 'dev' or contain 'alpha'. For example,

  • dev
  • v1.0.0-alpha
  • v1.4.0-alpha.2
  • 1.0-alpha.5

Recently Not Touched Policy

This policy works depends on Harbor's access log. It collects images that are recently touched (pull, push, delete), and remove all other images that are not touched recently. It takes a time in second to configure the time period.

notTouchedPolicy:
  time: 604800

How To Use

Get Image

$ make image VERSION=latest

You can also pull one from DockerHub.

$ docker pull k8sdevops/harbor-cleaner:v0.4.0

Configure

# Host of the Harbor
host: https://dev.cargo.io
# Version of the Harbor, e.g. 1.7, 1.4.0
version: 1.7
# Admin account
auth:
  user: admin
  password: Pwd123456
# Projects list to clean images for, it you want to clean images for all
# projects, leave it empty.
projects: []
# Policy to clean images
policy:
  # Policy type, e.g. "number", "regex", "recentlyNotTouched"
  type: number

  # Number policy: to retain the latest N tags for each repo
  # This configure takes effect only when 'policy.type' is set to 'number'
  numberPolicy:
    number: 5

  # Regex policy: only clean images that match the given repo patterns and tag patterns
  # This configure takes effect only when 'policy.type' is set to 'regex'
  regexPolicy:
    # Regex to match repos, a repo will be regarded as matched when it matches any regex in the list
    repos: [".*"]
    # Regex to match tags, a tag will be regarded as matched when it matches any regex in the list
    tags: [".*-alpha.*", "dev"]

  # Recently not touched policy: clean images that not touched within the given time period
  # This configure takes effect only when 'policy.type' is set to 'recentlyNotTouched'
  notTouchedPolicy:
    # Time in second that to check for images
    time: 604800

  # Tags that should be retained anyway, '?', '*' supported.
  retainTags: []
# Trigger for the cleanup, if you only want to run cleanup once, remove the 'trigger' part or leave
# the 'trigger.cron' empty
trigger:
  # Cron expression to trigger the cleanup, for example "0 0 * * *", leave it empty will disable the
  # trigger and fallback to run cleanup once. Note: you may need to quote the cron expression with double quote.
  # Time zone of the cron depends on the running environment, if run in docker container, it's UTC time.
  cron:
# For Harbor version v1.9+, you should configure the XSRF protection. For other version, keep the default values.
xsrf:
  # Refer to 'EnableXSRF' in Harbor config file 'common/config/core/app.conf'.
  enabled: true
  # Refer to 'XSRFKey' in Harbor config file 'common/config/core/app.conf'.
  key: T20zVqpLbDDlQGVIiiwDtAAtsm8bSRjHBJSMyejG

In the policy part, exact one of numberPolicy, regexPolicy, notTouchedPolicy should be configured according to the policy type.

DryRun

$ docker run -it --rm \
    -v <your-config-file>:/workspace/config.yaml \
    k8sdevops/harbor-cleaner:latest --dryrun=true

Clean

$ docker run -it --rm \
    -v <your-config-file>:/workspace/config.yaml \
    k8sdevops/harbor-cleaner:latest

Cron Schedule

Configure the cron trigger and run harbor cleaner container in background.

# Trigger for the cleanup, if you only want to run cleanup once, remove the 'trigger' part or leave
# the 'trigger.cron' empty
trigger:
  # Cron expression to trigger the cleanup, for example "0 0 * * *", leave it empty will disable the
  # trigger and fallback to run cleanup once.
  cron: 0 0 * * *
$ docker run -d --name=harbor-cleaner --rm \
    -v <your-config-file>:/workspace/config.yaml \
    k8sdevops/harbor-cleaner:latest

Supported Version

  • 1.4.x
  • 1.5.x
  • 1.6.x
  • 1.7.x
  • 1.8.x
  • 1.9.x (harbor-cleaner:v0.4.0+)

Harbor 2.x not supported yet.