roll back go for notary binary

[wy65701436]

Fixes #14932

Harbor recompiles the notary v0.6.1 with go 1.15 from v2.2.0, which introduces an break change that leads to notary key not found after migration.

[Root cause]
Notary v0.6.1 consumed an old version dvsekhvalnov/jose2, which is not compatible with go 1.15.

[References]
dvsekhvalnov/jose2go#26
golang/go#41089

[Resolve]
To resolve this issue, we have to roll back go vesrion to v1.14 for notary v0.6.1 binary and keep it until upstream have a patch release to support go 1.15 or above.

[Break change]
If you pushed and signed image using Harbor v2.2.0 ~ v2.2.2 and created new repository key in notary, you will encouter the same issue after migrate to v2.2.3(or above) or v2.3.1(or above) because of the go version downgrade. We will have a FAQ to help you to resovle this particular scenario.

The influence path of the particular case:
Harbor v2.1.0(or lower) --> [v2.2.0 ~ v2.2.2] --> v2.2.3(or above)
Harbor v2.1.0(or lower) --> v2.3.0 --> v2.3.1(or above)

The non influence path of the paticular case:
Harbor v2.1.0(or lower) --> v2.2.3(or above)
Harbor v2.1.0(or lower) --> v2.3.1(or above)

[Fix in Version]
Harbor v2.2.3 or above
Harbor v2.3.1 or above

[Note]
If you're a heavy user of notary, avoid using v2.2.0, v2.2.1, v2.2.2 and v2.3.0, and use the fixed version for instead.

Signed-off-by: Wang Yan [email protected]

[codecov]

Codecov Report

Merging #15223 (eb959cd) into master (573d97f) will decrease coverage by 0.01%.
The diff coverage is n/a.

❗ Current head eb959cd differs from pull request most recent head 4017e99. Consider uploading reports for the commit 4017e99 to get more accurate results

@@            Coverage Diff             @@
##           master   #15223      +/-   ##
==========================================
- Coverage   67.01%   67.00%   -0.02%     
==========================================
  Files         930      930              
  Lines       76428    76428              
  Branches     2242     2242              
==========================================
- Hits        51220    51208      -12     
- Misses      21295    21306      +11     
- Partials     3913     3914       +1     

Flag	Coverage Δ
unittests	67.00% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/common/rbac/system/namespace.go	33.33% <0.00%> (-11.12%)	⬇️
src/common/utils/passports.go	84.61% <0.00%> (-5.13%)	⬇️
...es/vulnerability/vulnerability-config.component.ts	48.71% <0.00%> (-4.28%)	⬇️
src/jobservice/runner/redis.go	64.64% <0.00%> (-4.05%)	⬇️
...g-retention-tasks/tag-retention-tasks.component.ts	58.33% <0.00%> (-2.78%)	⬇️
src/controller/event/topic.go	9.00% <0.00%> (-1.81%)	⬇️
src/lib/cache/util.go	89.47% <0.00%> (+15.78%)	⬆️

[reasonerjt]

Thanks

To emphasize this only impacts if new key is added, shall we rephrase this

If you're already on Harbor v2.2.0 ~ v2.2.2 and have signed images with notary

to

If you pushed and signed image using Harbor v2.2.0 ~ v2.2.2 and created new repository key in this process...