harbor.yml configuration explained in detail: what each line configures and how to set it for the best result.
Since it is not clear which application's harbor.yml is meant, I will use the configuration file of the official Harbor 2.3.3 release as the example.
The harbor.yml of the official Harbor 2.3.3 release is as follows:
# Configuration file of Harbor
# The items explained in this file are for advanced users, they can take charge of the Harbor behavior
# during installation/upgrade. For most of the users, you shouldn't have to modify this file, and
# the system will auto generate one for you on the first time installation.

# Configuration format version, current version is 2.0
version: 2.0

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.example.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before Harbor is deployed to production.
  password: root123
  # The maximum number of connections in the idle connection pool.
  max_idle_conns: 50
  # The maximum number of open connections to the database.
  max_open_conns: 1000
  # Note: for high performance and scalability concern, Postgres is the recommended DB backend.
  # Currently support mysql, postgresql, sqlite3
  type: postgresql
  # The host name of the database server
  host: harbor-db
  # The port number of the database server
  port: 5432
  # The username to access the Harbor DB
  username: harbor
  # The password to access the Harbor DB
  password: harbor12345
  # The name of Harbor database
  database: harbor
  # ssl mode of postgresql, disable by default
  ssl_mode: disable
  # The path of cert file used for ssl enabled postgresql database
  ssl_cert: /your/cert/path
  # The path of private key file used for ssl enabled postgresql database
  ssl_key: /your/private/key/path

# The default data volume
data_volume: /data

# Trivy configuration
trivy:
  # Trivy image
  image: aquasec/trivy:0.20.0
  # The interval of job to update vulnerability database, the unit is day, default is 7 days
  ignore_unfixed: false
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  # Skip update operation when starting up Harbor
  skip_update: false

# Log configuration
log:
  # options are debug, info, warning, error, fatal
  level: info
  # The path of the log file
  location: /var/log/harbor/harbor.log

# The configuration of Clair
clair:
  # The interval of job to update vulnerability database, the unit is hour, default is 12 hours
  updaters_interval: 12
  # The interval of job to send notification email, the unit is hour, default is 24 hours
  notifier_interval: 24
  # The configuration of the database, only Postgres is supported currently
  database:
    type: postgresql
    options:
      # The host name of the database server
      host: harbor-db
      # The port number of the database server
      port: 5432
      # The username to access the database
      username: clair
      # The password to access the database
      password: clairpassword
      # The name of the database
      database: clair
  # The configuration of the notifier
  notifier:
    # The email server, smtp.gmail.com for example
    server: smtp.gmail.com
    # The email server port, 587 for example
    port: 587
    # Whether to use TLS when connecting to the email server
    use_tls: true
    # The username to access the email server
    username: example@gmail.com
    # The password to access the email server
    password: examplepassword
    # The sender of the email
    sender: example@gmail.com
    # The receiver of the email, multiple receivers can be separated by ","
    receiver: example@gmail.com

# Email configuration
email:
  # Email server address
  server: smtp.mydomain.com
  # Email server port
  port: 25
  # Whether to use TLS when connecting to the email server
  # NO means do not use TLS, can be empty
  # STARTTLS means the starttls command is used to upgrade the connection to encrypted transmission
  # TLS means that the connection is always encrypted
  # The default value is NO
  tls: NO
  # Email server username
  username: sample_admin
  # Email server password
  password: sample_password
  # Email sender's address
  from: sample_admin@mydomain.com
  # Email's display name
  from_name: Admin

# Authentication mode, can be set to db_auth, ldap_auth, oidc_auth or uaa_auth, default is db_auth
auth_mode: db_auth

# The configuration of LDAP authentication mode
ldap:
  # LDAP protocol version
  version: 3
  # A list of LDAP servers, in the form of ldap://host1:port,ldap://host2:port,...,ldap://hostN:port
  url: ldap://ldap.mydomain.com:389
  # The base DN of the LDAP server
  base_dn: ou=people,dc=mydomain,dc=com
  # The username of the LDAP server
  # If LDAP doesn't support anonymous bind, you should configure the bind_dn and bind_password
  # bind_dn: cn=admin,dc=mydomain,dc=com
  # bind_password: password
  # Search filter of LDAP
  filter: (objectClass=person)
  # LDAP attribute that Harbor use as username
  uid: uid
  # LDAP attribute that Harbor use as email
  # If LDAP doesn't have email attribute, just use the username
  email: email
  # LDAP attribute that Harbor use as full name
  # If LDAP doesn't have full name attribute, just use the username
  cn: cn
  # SSL mode, can be set to off, on or starttls, default is off
  ssl: off
  # The path of cert file used for ssl enabled ldap connection
  ssl_cert: /your/cert/path
  # The path of private key file used for ssl enabled ldap connection
  ssl_cert_key: /your/cert/key/path

# The configuration of OIDC authentication mode
oidc:
  # The issuer of OIDC provider
  issuer: https://accounts.mydomain.com
  # The client ID of OIDC provider
  client_id: harbor
  # The client secret of OIDC provider
  client_secret: harbor_secret
  # The scope of OIDC provider
  scope: openid,email,profile
  # The authorized redirect URL of OIDC provider
  auth_url: https://accounts.mydomain.com/oauth2/auth
  # The token URL of OIDC provider
  token_url: https://accounts.mydomain.com/oauth2/token
  # The URL of user info of OIDC provider
  userinfo_url: https://accounts.mydomain.com/oauth2/userinfo
  # The URL for the current OIDC session
  logout_url: https://accounts.mydomain.com/oauth2/sessions/logout
  # The URL to redirect to after logging out
  logout_redirect_url: https://mydomain.com

# The configuration of UAA authentication mode
uaa:
  # The URL of UAA server
  url: https://uaa.mydomain.com
  # The client ID of UAA server
  client_id: harbor
  # The client secret of UAA server
  client_secret: harbor_secret
  # The scope of UAA server
  scope: openid,email,profile
  # The authorized redirect URL of UAA server
  auth_url: https://uaa.mydomain.com/oauth/authorize
  # The token URL of UAA server
  token_url: https://uaa.mydomain.com/oauth/token
  # The URL of user info of UAA server
  userinfo_url: https://uaa.mydomain.com/userinfo
  # The URL for the current UAA session
  logout_url: https://uaa.mydomain.com/logout.do
  # The URL to redirect to after logging out
  logout_redirect_url: https://mydomain.com
Note: the explanation below is fairly detailed; if you are already familiar with the Harbor configuration, you can skip straight to the last paragraph.
The explanation is as follows:
# Configuration file of Harbor
# The items explained in this file are for advanced users, they can take charge of the Harbor behavior
# during installation/upgrade. For most of the users, you shouldn't have to modify this file, and
# the system will auto generate one for you on the first time installation.

# Configuration format version, current version is 2.0
version: 2.0

The version of the configuration format, currently 2.0.

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.example.com

The address at which Harbor is reached. Do not use localhost or 127.0.0.1, because Harbor has to be accessible to external clients (and the hostname is what the clients and the TLS certificate must agree on).

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

HTTP settings: the HTTP port, 80 by default. When HTTPS is enabled, requests to this port are redirected to the HTTPS port.

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path

HTTPS settings: the HTTPS port, 443 by default, and the paths of the certificate and private key files used by nginx.

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

To put Harbor behind an external proxy, uncomment external_url; once it is set, hostname is no longer used.

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

The initial password of the Harbor admin account. It is only applied the first time Harbor is installed; after Harbor is up, change the admin password from the UI.

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before Harbor is deployed to production.
  password: root123
  # The maximum number of connections in the idle connection pool.
  max_idle_conns: 50
  # The maximum number of open connections to the database.
  max_open_conns: 1000
  # Note: for high performance and scalability concern, Postgres is the recommended DB backend.
  # Currently support mysql, postgresql, sqlite3
  type: postgresql
  # The host name of the database server
  host: harbor-db
  # The port number of the database server
  port: 5432
  # The username to access the Harbor DB
  username: harbor
  # The password to access the Harbor DB
  password: harbor12345
  # The name of Harbor database
  database: harbor
  # ssl mode of postgresql, disable by default
  ssl_mode: disable
  # The path of cert file used for ssl enabled postgresql database
  ssl_cert: /your/cert/path
  # The path of private key file used for ssl enabled postgresql database
  ssl_key: /your/private/key/path

Harbor database settings. First the password of the database root user, which must be changed before Harbor is deployed to production, then the maximum number of idle connections kept in the pool and the maximum number of open connections. For performance and scalability, Postgres is the recommended backend; mysql, postgresql and sqlite3 are currently supported. The remaining keys give the database server's host name and port, the username and password used to access the Harbor database, the name of the Harbor database, and the PostgreSQL SSL mode together with the certificate and private key file paths used when SSL is enabled.

# The default data volume
data_volume: /data

The default data volume, i.e. the path where Harbor stores its data.

# Trivy configuration
trivy:
  # Trivy image
  image: aquasec/trivy:0.20.0
  # The interval of job to update vulnerability database, the unit is day, default is 7 days
  ignore_unfixed: false
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  # Skip update operation when starting up Harbor
  skip_update: false

Trivy settings: the Trivy image, the interval at which the vulnerability database is updated, whether vulnerabilities without a fix are ignored, the severities that are reported, and whether the database update is skipped when Harbor starts.

# Log configuration
log:
  # options are debug, info, warning, error, fatal
  level: info
  # The path of the log file
  location: /var/log/harbor/harbor.log

Log settings: the log level and the path of the log file.

# The configuration of Clair
clair:
  # The interval of job to update vulnerability database, the unit is hour, default is 12 hours
  updaters_interval: 12
  # The interval of job to send notification email, the unit is hour, default is 24 hours
  notifier_interval: 24
  # The configuration of the database, only Postgres is supported currently
  database:
    type: postgresql
    options:
      # The host name of the database server
      host: harbor-db
      # The port number of the database server
      port: 5432
      # The username to access the database
      username: clair
      # The password to access the database
      password: clairpassword
      # The name of the database
      database: clair
  # The configuration of the notifier
  notifier:
    # The email server, smtp.gmail.com for example
    server: smtp.gmail.com
    # The email server port, 587 for example
    port: 587
    # Whether to use TLS when connecting to the email server
    use_tls: true
    # The username to access the email server
    username: example@gmail.com
    # The password to access the email server
    password: examplepassword
    # The sender of the email
    sender: example@gmail.com
    # The receiver of the email, multiple receivers can be separated by ","
    receiver: example@gmail.com

Clair settings: the interval at which the vulnerability database is updated, the interval at which notification e-mails are sent, the database settings and the notifier settings. Only the postgresql backend is currently supported.

# Email configuration
email:
  # Email server address
  server: smtp.mydomain.com
  # Email server port
  port: 25
  # Whether to use TLS when connecting to the email server
  # NO means do not use TLS, can be empty
  # STARTTLS means the starttls command is used to upgrade the connection to encrypted transmission
  # TLS means that the connection is always encrypted
  # The default value is NO
  tls: NO
  # Email server username
  username: sample_admin
  # Email server password
  password: sample_password
  # Email sender's address
  from: sample_admin@mydomain.com
  # Email's display name
  from_name: Admin

E-mail settings: the mail server address and port, whether TLS is used (NO, STARTTLS or TLS), the username and password for the mail server, and the sender's address and display name.

# Authentication mode, can be set to db_auth, ldap_auth, oidc_auth or uaa_auth, default is db_auth
auth_mode: db_auth

The authentication mode. It can be set to db_auth, ldap_auth, oidc_auth or uaa_auth; the default is db_auth.
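The comments in the file above repeatedly say the same thing: the sample values (Harbor12345, root123, the /your/... certificate paths, tls: NO, ssl: off) are placeholders that must not survive into production. The following lint is an added example and not part of Harbor; it parses only the YAML subset that harbor.yml actually uses (comments, key: value scalars and indentation-nested mappings), reports duplicate keys, which most YAML loaders would silently resolve by keeping the last value, and then applies the checks the comments ask for. The sample input at the bottom is constructed for the demonstration.

```python
"""Lint a harbor.yml for sample and placeholder values that must not reach production.

Added example, not part of Harbor. Understands only the YAML subset harbor.yml uses:
`# comments`, `key: value` scalars and nested mappings by indentation (no lists,
anchors, quoted '#' or multi-line scalars). The checks follow the advice in the
file's own comments: a reachable hostname, changed admin and DB passwords, real
certificate paths, and encrypted SMTP and LDAP connections."""
from __future__ import annotations

# Sample secrets shipped in the template; any of them left in place is a finding.
SAMPLE_SECRETS = {"Harbor12345", "root123", "harbor12345", "clairpassword",
                  "sample_password", "examplepassword", "harbor_secret", "password"}
SECRET_KEYS = {"password", "harbor_admin_password", "client_secret", "bind_password"}


def parse_subset_yaml(text: str) -> tuple[dict, list[str]]:
    """Return (tree, problems). Duplicate keys at one level are reported, because
    most YAML loaders silently keep the last value and hide the earlier one."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]    # (indent, mapping being filled)
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            problems.append(f"line {lineno}: not a key/value pair: {raw.strip()!r}")
            continue
        while indent <= stack[-1][0]:                 # climb back to the parent level
            stack.pop()
        parent = stack[-1][1]
        key, value = key.strip(), value.strip().strip("\"'")
        if key in parent:
            problems.append(f"line {lineno}: duplicate key {key!r}; the earlier value is shadowed")
        if value == "":                               # `key:` opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root, problems


def weak_secrets(node: dict, path: tuple = ()) -> list[str]:
    """Walk the tree and flag every secret-bearing key still holding a sample value."""
    out: list[str] = []
    for key, val in node.items():
        if isinstance(val, dict):
            out.extend(weak_secrets(val, path + (key,)))
        elif key in SECRET_KEYS and val in SAMPLE_SECRETS:
            out.append(".".join(path + (key,)) + f": still the sample value {val!r}")
    return out


def lint_harbor_yml(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    cfg, findings = parse_subset_yaml(text)

    def section(name: str) -> dict:
        node = cfg.get(name)
        return node if isinstance(node, dict) else {}

    if cfg.get("hostname", "") in ("", "localhost", "127.0.0.1"):
        findings.append("hostname: must be an address that external clients can reach")
    findings.extend(weak_secrets(cfg))
    if "https" not in cfg:
        findings.append("https: section missing; logins and image pushes would use plain HTTP")
    else:
        for key in ("certificate", "private_key"):
            path = section("https").get(key, "")
            if not path or path.startswith("/your/"):
                findings.append(f"https.{key}: placeholder path {path!r}")
    if "email" in cfg and section("email").get("tls", "NO").upper() == "NO":
        findings.append("email.tls: NO sends SMTP credentials in cleartext; use STARTTLS or TLS")
    if cfg.get("auth_mode") == "ldap_auth" and section("ldap").get("ssl", "off") == "off":
        findings.append("ldap.ssl: off with ldap_auth sends bind credentials in cleartext")
    if section("trivy").get("skip_update") == "true":
        findings.append("trivy.skip_update: true leaves the vulnerability database stale")
    return findings


# Constructed sample modelled on the template above, sample values left in place.
SAMPLE = """\
hostname: harbor.example.com
https:
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
  password: harbor12345
email:
  tls: NO
auth_mode: ldap_auth
ldap:
  ssl: off
trivy:
  skip_update: false
"""

if __name__ == "__main__":
    for finding in lint_harbor_yml(SAMPLE):
        print(finding)
```

Run it against a real harbor.yml with `lint_harbor_yml(open("harbor.yml").read())`; a clean file returns an empty list. Note that the duplicate-key check is what catches the two `password` entries under `database` in the template: a YAML loader would keep only the second one, so the root password comment and value would quietly stop meaning anything.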
# The configuration of LDAP authentication mode
ldap:
  # LDAP protocol version
  version: 3
  # A list of LDAP servers, in the form of ldap://host1:port,ldap://host2:port,...,ldap://hostN:port
  url: ldap://ldap.mydomain.com:389
  # The base DN of the LDAP server
  base_dn: ou=people,dc=mydomain,dc=com
  # The username of the LDAP server
  # If LDAP doesn't support anonymous bind, you should configure the bind_dn and bind_password
  # bind_dn: cn=admin,dc=mydomain,dc=com
  # bind_password: password
  # Search filter of LDAP
  filter: (objectClass=person)
  # LDAP attribute that Harbor use as username
  uid: uid
  # LDAP attribute that Harbor use as email
  # If LDAP doesn't have email attribute, just use the username
  email: email
  # LDAP attribute that Harbor use as full name
  # If LDAP doesn't have full name attribute, just use the username
  cn: c
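The LDAP section above supplies two pieces that end up inside one search: the `filter` that restricts which entries count as users and the `uid` attribute that the login name is matched against. The following is an added example, not Harbor's own code; it assumes the lookup is composed as (&<filter>(<uid>=<login>)), which may differ from Harbor's exact composition. The point it demonstrates is why the login name must be escaped per RFC 4515 before it is placed in the filter: with raw interpolation, a login name containing filter metacharacters changes what the search means. The input names are constructed for the demonstration.

```python
"""Compose an LDAP user-lookup filter from harbor.yml's `filter` and `uid` settings
without letting the login name alter the filter.

Added example, not Harbor's own code. Assumption: the lookup is formed as
(&<filter>(<uid>=<login>)), with the login name escaped per RFC 4515; Harbor's
exact composition may differ."""

# RFC 4515 requires these bytes in an assertion value to be written as \XX.
_SPECIAL = {0x2A, 0x28, 0x29, 0x5C, 0x00}   # * ( ) \ NUL


def escape_filter_value(value: str) -> str:
    """Escape an assertion value byte by byte; non-ASCII UTF-8 bytes are escaped too."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in _SPECIAL or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_user_filter(base_filter: str, uid_attr: str, login: str) -> str:
    """Safe composition: the login can only ever be matched literally."""
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        base_filter = f"({base_filter})"      # tolerate `objectClass=person` without parentheses
    if not uid_attr.replace("-", "").isalnum():
        raise ValueError(f"suspicious attribute name: {uid_attr!r}")
    return f"(&{base_filter}({uid_attr}={escape_filter_value(login)}))"


def naive_user_filter(base_filter: str, uid_attr: str, login: str) -> str:
    """The unsafe variant for comparison: raw interpolation, as in many hand-rolled clients."""
    return f"(&{base_filter}({uid_attr}={login}))"


if __name__ == "__main__":
    cfg_filter, cfg_uid = "(objectClass=person)", "uid"   # the values from harbor.yml above
    for name in ("alice", "*)(uid=*"):                     # constructed login names
        print("safe :", build_user_filter(cfg_filter, cfg_uid, name))
        print("naive:", naive_user_filter(cfg_filter, cfg_uid, name))
```

For the ordinary login name both functions produce `(&(objectClass=person)(uid=alice))`. For the second name the escaped form still matches only a user literally called that, while the naive form turns into `(&(objectClass=person)(uid=*)(uid=*))`, a filter that matches every person. Whichever directory client Harbor or any other application uses, this escaping step (or the client library's equivalent) is the control to look for.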
Original source: https://www.cveoy.top/t/topic/cpk6 Copyright belongs to the author. Do not repost or scrape!