Harbor.yml 配置详解:解释每一行配置,如何配置能最优
由于不清楚具体是哪个应用的 harbor.yml 配置文件,我这里就以官方 harbor 2.3.3 版本的配置文件为例进行讲解。
官方 harbor 2.3.3 版本的 harbor.yml 配置文件如下:
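# Configuration file of Harbor
# The items explained in this file are for advanced users, they can take charge of the Harbor behavior
# during installation/upgrade. For most of the users, you shouldn't have to modify this file, and
# the system will auto generate one for you on the first time installation.
#
# NOTE(review): the listing as pasted had every key at column 0, which makes e.g. `port`
# a top-level key instead of a child of `http:`. Nested keys are re-indented below with
# two spaces, following the grouping implied by the section comments.
# NOTE(review): every password / secret in this file is a sample placeholder. Once real
# values are filled in, the file is sensitive: keep it out of version control and restrict
# its file permissions, or inject the secrets from an external store.

# Configuration format version, current version is 2.0
# NOTE(review): unquoted 2.0 is parsed as a float; quote it ('2.0') if the consumer expects a string — confirm.
version: 2.0

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# (The pasted listing read `h hostname:`; the stray `h` is a YAML syntax error and was removed.)
hostname: 'harbor.example.com'

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: '/your/certificate/path'
  private_key: '/your/private/key/path'

# Uncomment external_url if you want to enable external proxy
# And when it is enabled, the hostname setting is no longer used
# external_url: 'https://reg.mydomain.com:8433'

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
# 'Harbor12345' is the widely known sample value; replace it before the first start.
harbor_admin_password: 'Harbor12345'

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before Harbor is deployed to production.
  # NOTE(review): the pasted listing declared `password` twice under `database:` ('root123' here and
  # 'harbor12345' further down). YAML parsers silently keep the last occurrence, so the effective
  # value was ambiguous; the duplicate was dropped — set the real DB password exactly once, here.
  password: 'root123'
  # The maximum number of connections in the idle connection pool.
  max_idle_conns: 50
  # The maximum number of open connections to the database.
  max_open_conns: 1000
  # Note: for high performance and scalability concern, Postgres is the recommended DB backend.
  # Currently support mysql, postgresql, sqlite3
  type: 'postgresql'
  # The host name of the database server
  host: 'harbor-db'
  # The port number of the database server
  port: 5432
  # The username to access the Harbor DB
  username: 'harbor'
  # The name of Harbor database
  database: 'harbor'
  # ssl mode of postgresql, disable by default
  # 'disable' sends credentials and data in clear text; prefer 'require' or 'verify-full'
  # whenever the database is not on the same host / private network as Harbor.
  ssl_mode: 'disable'
  # The path of cert file used for ssl enabled postgresql database
  ssl_cert: '/your/cert/path'
  # The path of private key file used for ssl enabled postgresql database
  ssl_key: '/your/private/key/path'

# The default data volume
data_volume: '/data'

# Trivy configuration
trivy:
  # Trivy image
  image: 'aquasec/trivy:0.20.0'
  # Whether to hide vulnerabilities that have no fixed version yet (false = report them too).
  # (The pasted listing carried an "update interval, unit is day" comment here, which does
  # not describe this key.)
  ignore_unfixed: false
  # Severities included in scan reports, comma separated
  severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
  # Skip update operation when starting up Harbor
  # Leaving this false keeps the vulnerability database current at start-up.
  skip_update: false

# Log configuration
log:
  # options are debug, info, warning, error, fatal
  level: 'info'
  # The path of the log file
  location: '/var/log/harbor/harbor.log'

# The configuration of Clair
clair:
  # The interval of job to update vulnerability database, the unit is hour, default is 12 hours
  updaters_interval: 12
  # The interval of job to send notification email, the unit is hour, default is 24 hours
  notifier_interval: 24
  # The configuration of the database, only Postgres is supported currently
  database:
    type: 'postgresql'
    options:
      # The host name of the database server
      host: 'harbor-db'
      # The port number of the database server
      port: 5432
      # The username to access the database
      username: 'clair'
      # The password to access the database
      password: 'clairpassword'
      # The name of the database
      database: 'clair'
  # The configuration of the notifier
  # (nested under clair as the ordering of the pasted listing suggests — confirm against the consumer)
  notifier:
    # The email server, smtp.gmail.com for example
    server: 'smtp.gmail.com'
    # The email server port, 587 for example
    port: 587
    # Whether to use TLS when connecting to the email server
    use_tls: true
    # The username to access the email server
    username: 'example@gmail.com'
    # The password to access the email server
    password: 'examplepassword'
    # The sender of the email
    sender: 'example@gmail.com'
    # The receiver of the email, multiple receivers can be separated by ','
    receiver: 'example@gmail.com'

# Email configuration
email:
  # Email server address
  server: 'smtp.mydomain.com'
  # Email server port
  port: 25
  # Whether to use TLS when connecting to the email server
  # NO means do not use TLS, can be empty
  # STARTTLS means the starttls command is used to upgrade the connection to encrypted transmission
  # TLS means that the connection is always encrypted
  # The default value is NO
  # Keep this value quoted: an unquoted NO is read as boolean false by YAML 1.1 loaders.
  # With 'NO' the SMTP credentials below travel in clear text; prefer 'STARTTLS' or 'TLS'.
  tls: 'NO'
  # Email server username
  username: 'sample_admin'
  # Email server password
  password: 'sample_password'
  # Email sender's address
  from: 'sample_admin@mydomain.com'
  # Email's display name
  from_name: 'Admin'

# Authentication mode, can be set to db_auth, ldap_auth, oidc_auth or uaa_auth, default is db_auth
auth_mode: 'db_auth'

# The configuration of LDAP authentication mode
ldap:
  # LDAP protocol version
  version: 3
  # A list of LDAP servers, in the form of ldap://host1:port,ldap://host2:port,...,ldap://hostN:port
  url: 'ldap://ldap.mydomain.com:389'
  # The base DN of the LDAP server
  base_dn: 'ou=people,dc=mydomain,dc=com'
  # The DN and password Harbor binds with when searching the directory
  # If LDAP doesn't support anonymous bind, you should configure the bind_dn and bind_password
  # bind_dn: 'cn=admin,dc=mydomain,dc=com'
  # bind_password: 'password'
  # Search filter of LDAP
  filter: '(objectClass=person)'
  # LDAP attribute that Harbor use as username
  uid: 'uid'
  # LDAP attribute that Harbor use as email
  # If LDAP doesn't have email attribute, just use the username
  email: 'email'
  # LDAP attribute that Harbor use as full name
  # If LDAP doesn't have full name attribute, just use the username
  cn: 'cn'
  # SSL mode, can be set to off, on or starttls, default is off
  # With 'off' the bind credentials and directory queries are sent unencrypted; prefer 'on' or 'starttls'.
  ssl: 'off'
  # The path of cert file used for ssl enabled ldap connection
  ssl_cert: '/your/cert/path'
  # The path of private key file used for ssl enabled ldap connection
  ssl_cert_key: '/your/cert/key/path'

# The configuration of OIDC authentication mode
oidc:
  # The issuer of OIDC provider
  issuer: 'https://accounts.mydomain.com'
  # The client ID of OIDC provider
  client_id: 'harbor'
  # The client secret of OIDC provider (sample value — replace and keep out of VCS)
  client_secret: 'harbor_secret'
  # The scope of OIDC provider
  scope: 'openid,email,profile'
  # The authorized redirect URL of OIDC provider
  auth_url: 'https://accounts.mydomain.com/oauth2/auth'
  # The token URL of OIDC provider
  token_url: 'https://accounts.mydomain.com/oauth2/token'
  # The URL of user info of OIDC provider
  userinfo_url: 'https://accounts.mydomain.com/oauth2/userinfo'
  # The URL for the current OIDC session
  logout_url: 'https://accounts.mydomain.com/oauth2/sessions/logout'
  # The URL to redirect to after logging out
  logout_redirect_url: 'https://mydomain.com'

# The configuration of UAA authentication mode
# (The pasted listing spelled this key `uua`, which matches neither the section comment
# nor the `uaa_auth` mode listed above.)
uaa:
  # The URL of UAA server
  url: 'https://uaa.mydomain.com'
  # The client ID of UAA server
  client_id: 'harbor'
  # The client secret of UAA server (sample value — replace and keep out of VCS)
  client_secret: 'harbor_secret'
  # The scope of UAA server
  scope: 'openid,email,profile'
  # The authorized redirect URL of UAA server
  auth_url: 'https://uaa.mydomain.com/oauth/authorize'
  # The token URL of UAA server
  token_url: 'https://uaa.mydomain.com/oauth/token'
  # The URL of user info of UAA server
  userinfo_url: 'https://uaa.mydomain.com/userinfo'
  # The URL for the current UAA session
  logout_url: 'https://uaa.mydomain.com/logout.do'
  # The URL to redirect to after logging out
  logout_redirect_url: 'https://mydomain.com'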
注:下面的解释可能会比较详细,如果您已经很熟悉 harbor 的配置,可以直接跳到最后一段。
解释如下:
# Harbor configuration file.
# The settings below are aimed at advanced users who want to control how Harbor behaves
# during installation/upgrade. Most users never need to edit this file: a copy is generated
# automatically on the first installation.
# Version of the configuration format (currently 2.0)
version: 2.0
版本号,目前是 2.0。
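# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# (The pasted listing read `h hostname:`; the stray `h` is a YAML syntax error and was removed.)
hostname: 'harbor.example.com'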
Harbor 的访问地址,不要使用 localhost 或 127.0.0.1,因为 Harbor 需要被外部客户端访问。
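# http related config
# (`port` is re-indented so that it is a child of `http:` rather than a top-level key)
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80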
http 相关的配置,http 端口,默认是 80。如果启用了 https,则该端口将重定向到 https 端口。
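# https related config
# (children re-indented under `https:`; flattened they would be top-level keys)
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: '/your/certificate/path'
  private_key: '/your/private/key/path'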
https 相关的配置,https 端口,默认是 443。nginx 的证书和密钥文件路径。
# Uncomment external_url if you want to enable external proxy
# And when it is enabled, the hostname setting is no longer used
# external_url: 'https://reg.mydomain.com:8433'
如果要启用外部代理,请取消注释 external_url;启用后,hostname 配置将不再生效。
# Initial password for the Harbor "admin" account.
# Only honoured on the very first installation of Harbor.
# Change the admin password from the UI once Harbor is running.
harbor_admin_password: 'Harbor12345'
Harbor 管理员的初始密码,仅在第一次安装 Harbor 时使用。启动 Harbor 后,请从 UI 更改管理员密码。
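# Harbor DB configuration
# (children re-indented under `database:`; flattened they would be top-level keys)
database:
  # The password for the root user of Harbor DB. Change this before Harbor is deployed to production.
  # NOTE(review): the pasted listing declared `password` twice under `database:` ('root123' here and
  # 'harbor12345' further down). YAML parsers silently keep the last occurrence, so the effective
  # value was ambiguous; the duplicate was dropped — set the real DB password exactly once, here.
  password: 'root123'
  # The maximum number of connections in the idle connection pool.
  max_idle_conns: 50
  # The maximum number of open connections to the database.
  max_open_conns: 1000
  # Note: for high performance and scalability concern, Postgres is the recommended DB backend.
  # Currently support mysql, postgresql, sqlite3
  type: 'postgresql'
  # The host name of the database server
  host: 'harbor-db'
  # The port number of the database server
  port: 5432
  # The username to access the Harbor DB
  username: 'harbor'
  # The name of Harbor database
  database: 'harbor'
  # ssl mode of postgresql, disable by default
  # 'disable' sends credentials and data in clear text; prefer 'require' or 'verify-full'
  # whenever the database is not on the same host / private network as Harbor.
  ssl_mode: 'disable'
  # The path of cert file used for ssl enabled postgresql database
  ssl_cert: '/your/cert/path'
  # The path of private key file used for ssl enabled postgresql database
  ssl_key: '/your/private/key/path'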
Harbor 数据库配置,root 用户的密码。请在部署到生产环境之前更改此密码。连接池中的最大空闲连接数,最大打开的连接数。高性能和可扩展性方面,推荐使用 Postgres 作为数据库后端。目前支持 mysql、postgresql、sqlite3。数据库服务器的主机名和端口号,用于访问 Harbor 数据库的用户名和密码,Harbor 数据库的名称,postgresql 的 ssl 模式和证书、密钥文件路径。
# Host directory where Harbor keeps its persistent data
data_volume: '/data'
默认数据卷,即数据存储的路径。
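# Trivy configuration
# (children re-indented under `trivy:`)
trivy:
  # Trivy image
  image: 'aquasec/trivy:0.20.0'
  # Whether to hide vulnerabilities that have no fixed version yet (false = report them too).
  # (The pasted listing carried an "update interval, unit is day" comment here, which does
  # not describe this key.)
  ignore_unfixed: false
  # Severities included in scan reports, comma separated
  severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
  # Skip update operation when starting up Harbor
  # Leaving this false keeps the vulnerability database current at start-up.
  skip_update: false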
Trivy 配置:Trivy 的镜像(image)、是否忽略尚无修复版本的漏洞(ignore_unfixed)、报告中包含的漏洞严重程度(severity)、启动 Harbor 时是否跳过漏洞库更新(skip_update)。
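# Log configuration
# (children re-indented under `log:`)
log:
  # options are debug, info, warning, error, fatal
  level: 'info'
  # The path of the log file
  location: '/var/log/harbor/harbor.log'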
日志配置,日志级别和日志文件路径。
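# The configuration of Clair
# (children re-indented under `clair:`; `database`/`options` and `notifier` nested as the
# ordering of the pasted listing suggests — confirm against the consumer)
clair:
  # The interval of job to update vulnerability database, the unit is hour, default is 12 hours
  updaters_interval: 12
  # The interval of job to send notification email, the unit is hour, default is 24 hours
  notifier_interval: 24
  # The configuration of the database, only Postgres is supported currently
  database:
    type: 'postgresql'
    options:
      # The host name of the database server
      host: 'harbor-db'
      # The port number of the database server
      port: 5432
      # The username to access the database
      username: 'clair'
      # The password to access the database (sample value — replace and keep out of VCS)
      password: 'clairpassword'
      # The name of the database
      database: 'clair'
  # The configuration of the notifier
  notifier:
    # The email server, smtp.gmail.com for example
    server: 'smtp.gmail.com'
    # The email server port, 587 for example
    port: 587
    # Whether to use TLS when connecting to the email server
    use_tls: true
    # The username to access the email server
    username: 'example@gmail.com'
    # The password to access the email server
    password: 'examplepassword'
    # The sender of the email
    sender: 'example@gmail.com'
    # The receiver of the email, multiple receivers can be separated by ','
    receiver: 'example@gmail.com'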
Clair 的配置,更新漏洞数据库的时间间隔、发送通知电子邮件的时间间隔、数据库配置、通知器配置。目前只支持 postgresql 数据库后端。
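# Email configuration
# (children re-indented under `email:`)
email:
  # Email server address
  server: 'smtp.mydomain.com'
  # Email server port
  port: 25
  # Whether to use TLS when connecting to the email server
  # NO means do not use TLS, can be empty
  # STARTTLS means the starttls command is used to upgrade the connection to encrypted transmission
  # TLS means that the connection is always encrypted
  # The default value is NO
  # Keep this value quoted: an unquoted NO is read as boolean false by YAML 1.1 loaders.
  # With 'NO' the SMTP credentials below travel in clear text; prefer 'STARTTLS' or 'TLS'.
  tls: 'NO'
  # Email server username
  username: 'sample_admin'
  # Email server password
  password: 'sample_password'
  # Email sender's address
  from: 'sample_admin@mydomain.com'
  # Email's display name
  from_name: 'Admin'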
电子邮件配置,电子邮件服务器地址、端口、是否使用 TLS、用户名、密码、发件人地址和显示名称。
# Authentication backend: one of db_auth, ldap_auth, oidc_auth or uaa_auth (default db_auth)
auth_mode: 'db_auth'
认证模式,可以设置为 db_auth、ldap_auth、oidc_auth 或 uaa_auth,默认为 db_auth。
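# The configuration of LDAP authentication mode
# (children re-indented under `ldap:`)
ldap:
  # LDAP protocol version
  version: 3
  # A list of LDAP servers, in the form of ldap://host1:port,ldap://host2:port,...,ldap://hostN:port
  url: 'ldap://ldap.mydomain.com:389'
  # The base DN of the LDAP server
  base_dn: 'ou=people,dc=mydomain,dc=com'
  # The DN and password Harbor binds with when searching the directory
  # If LDAP doesn't support anonymous bind, you should configure the bind_dn and bind_password
  # bind_dn: 'cn=admin,dc=mydomain,dc=com'
  # bind_password: 'password'
  # Search filter of LDAP
  filter: '(objectClass=person)'
  # LDAP attribute that Harbor use as username
  uid: 'uid'
  # LDAP attribute that Harbor use as email
  # If LDAP doesn't have email attribute, just use the username
  email: 'email'
  # LDAP attribute that Harbor use as full name
  # If LDAP doesn't have full name attribute, just use the username
  cn: 'cn'
  # SSL mode, can be set to off, on or starttls, default is off
  # With 'off' the bind credentials and directory queries are sent unencrypted; prefer 'on' or 'starttls'.
  ssl: 'off'
  # The path of cert file used for ssl enabled ldap connection
  ssl_cert: '/your/cert/path'
  # The path of private key file used for ssl enabled ldap connection
  ssl_cert_key: '/your/cert/key/path'

# The configuration of OIDC authentication mode
oidc:
  # The issuer of OIDC provider
  issuer: 'https://accounts.mydomain.com'
  # The client ID of OIDC provider
  client_id: 'harbor'
  # The client secret of OIDC provider (sample value — replace and keep out of VCS)
  client_secret: 'harbor_secret'
  # The scope of OIDC provider
  scope: 'openid,email,profile'
  # The authorized redirect URL of OIDC provider
  auth_url: 'https://accounts.mydomain.com/oauth2/auth'
  # The token URL of OIDC provider
  token_url: 'https://accounts.mydomain.com/oauth2/token'
  # The URL of user info of OIDC provider
  userinfo_url: 'https://accounts.mydomain.com/oauth2/userinfo'
  # The URL for the current OIDC session
  logout_url: 'https://accounts.mydomain.com/oauth2/sessions/logout'
  # The URL to redirect to after logging out
  logout_redirect_url: 'https://mydomain.com'

# The configuration of UAA authentication mode
# (The pasted listing spelled this key `uua`, which matches neither the section comment
# nor the `uaa_auth` mode listed above.)
uaa:
  # The URL of UAA server
  url: 'https://uaa.mydomain.com'
  # The client ID of UAA server
  client_id: 'harbor'
  # The client secret of UAA server (sample value — replace and keep out of VCS)
  client_secret: 'harbor_secret'
  # The scope of UAA server
  scope: 'openid,email,profile'
  # The authorized redirect URL of UAA server
  auth_url: 'https://uaa.mydomain.com/oauth/authorize'
  # The token URL of UAA server
  token_url: 'https://uaa.mydomain.com/oauth/token'
  # The URL of user info of UAA server
  userinfo_url: 'https://uaa.mydomain.com/userinfo'
  # The URL for the current UAA session
  logout_url: 'https://uaa.mydomain.com/logout.do'
  # The URL to redirect to after logging out
  logout_redirect_url: 'https://mydomain.com'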
以下是一些最佳配置方案,您可以参考进行调整:
- 安全
- 更换默认的管理员密码和数据库密码,并使用更强的密码策略。
- 启用 HTTPS 访问,并使用有效证书。
- 配置 Clair 和 Trivy,定期扫描镜像漏洞并及时修复。
- 根据您的安全需求选择合适的认证模式,并配置相应的参数。
- 性能
- 使用高性能的数据库,例如 PostgreSQL。
- 根据实际情况调整连接池大小,避免连接过多造成资源浪费。
- 优化数据卷的存储路径,确保足够的存储空间和读写性能。
- 可扩展性
- 使用负载均衡器或反向代理来分担负载。
- 根据需要扩展数据库和存储空间。
- 可维护性
- 使用统一的配置管理工具,例如 Ansible 或 Puppet,方便维护和更新配置。
- 定期备份数据,防止数据丢失。
通过合理的配置,您可以充分利用 Harbor 的功能,提升安全性和性能,并确保系统的可扩展性和可维护性。