runner
Ansible role that deployes services on my runner machine
14.6 KB•J2
harbor.yml.j2
14.6 KB • 327 lines • plaintext
1# Configuration file of Harbor
2
3# The IP address or hostname to access admin UI and registry service.
4# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
5hostname: {{ harbor_hostname | default(ansible_default_ipv4.address) }}
6
7# http related config
8http:
9 # port for http, default is 80. If https enabled, this port will redirect to https port
10 relativeurls: true
11 port: {{ harbor_http_port | default(8080) }}
12
13# https related config
14# https:
15 # https port for harbor, default is 443
16 # port: 443
17 # The path of cert and key files for nginx
18 # certificate: /your/certificate/path
19 # private_key: /your/private/key/path
20 # enable strong ssl ciphers (default: false)
21 # strong_ssl_ciphers: false
22
23# # Harbor will set ipv4 enabled only by default if this block is not configured
24# # Otherwise, please uncomment this block to configure your own ip_family stacks
25# ip_family:
26# # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
27# ipv6:
28# enabled: false
29# # ipv4Enabled set to true by default, currently it affected the nginx related component
30# ipv4:
31# enabled: true
32
33# # Uncomment following will enable tls communication between all harbor components
34# internal_tls:
35# # set enabled to true means internal tls is enabled
36# enabled: true
37# # put your cert and key files on dir
38# dir: /etc/harbor/tls/internal
39
40
41# Uncomment external_url if you want to enable external proxy
42# And when it enabled the hostname will no longer used
43# external_url: https://reg.mydomain.com:8433
44
45# The initial password of Harbor admin
46# It only works in first time to install harbor
47# Remember Change the admin password from UI after launching Harbor.
48harbor_admin_password: {{ harbor_admin_password | default('Harbor12345') }}
49
50# Harbor DB configuration
51database:
52 # The password for the user('postgres' by default) of Harbor DB. Change this before any production use.
53 password: {{ harbor_db_password | default('root123') }}
54 # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
55 max_idle_conns: 100
56 # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
57 # Note: the default number of connections is 1024 for postgres of harbor.
58 max_open_conns: 900
59 # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
60 # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
61 conn_max_lifetime: 5m
62 # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
63 # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
64 conn_max_idle_time: 0
65
66# The default data volume
67data_volume: {{ harbor_data_volume | default('/mnt/docker/harbor') }}
68
69# Harbor Storage settings by default is using /data dir on local filesystem
70# Uncomment storage_service setting If you want to using external storage
71# storage_service:
72# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
73# # of registry's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
74# ca_bundle:
75
76# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
77# # for more info about this configuration please refer https://distribution.github.io/distribution/about/configuration/
78# # and https://distribution.github.io/distribution/storage-drivers/
79# filesystem:
80# maxthreads: 100
81# # set disable to true when you want to disable registry redirect
82# redirect:
83# disable: false
84
85# Trivy configuration
86#
87# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
88# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
89# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
90# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
91# 12 hours and published as a new release to GitHub.
92trivy:
93 # ignoreUnfixed The flag to display only fixed vulnerabilities
94 ignore_unfixed: false
95 # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
96 #
97 # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
98 # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
99 # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
100 skip_update: false
101 #
102 # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
103 # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
104 skip_java_db_update: false
105 #
106 # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
107 # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
108 # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
109 # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
110 # It would work if all the dependencies are in local.
111 # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
112 offline_scan: false
113 #
114 # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
115 security_check: vuln
116 #
117 # insecure The flag to skip verifying registry certificate
118 insecure: false
119 #
120 # timeout The duration to wait for scan completion.
121 # There is upper bound of 30 minutes defined in scan job. So if this `timeout` is larger than 30m0s, it will also timeout at 30m0s.
122 timeout: 5m0s
123 #
124 # github_token The GitHub access token to download Trivy DB
125 #
126 # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
127 # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
128 # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
129 # https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting
130 #
131 # You can create a GitHub token by following the instructions in
132 # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
133 #
134 # github_token: xxx
135
136jobservice:
137 # Maximum number of job workers in job service
138 max_job_workers: 10
139 # Maximum hours of task duration in job service, default 24
140 max_job_duration_hours: 24
141 # The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB"
142 job_loggers:
143 - STD_OUTPUT
144 - FILE
145 # - DB
146 # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
147 logger_sweeper_duration: 1 #days
148
149notification:
150 # Maximum retry count for webhook job
151 webhook_job_max_retry: 3
152 # HTTP client timeout for webhook job
153 webhook_job_http_client_timeout: 3 #seconds
154
155# Log configurations
156log:
157 # options are debug, info, warning, error, fatal
158 level: info
159 # configs for logs in local storage
160 local:
161 # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
162 rotate_count: 50
163 # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
164 # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
165 # are all valid.
166 rotate_size: 200M
167 # The directory on your host that store log
168 location: /var/log/harbor
169
170 # Uncomment following lines to enable external syslog endpoint.
171 # external_endpoint:
172 # # protocol used to transmit log to external endpoint, options is tcp or udp
173 # protocol: tcp
174 # # The host of external endpoint
175 # host: localhost
176 # # Port of external endpoint
177 # port: 5140
178
179#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
180_version: 2.13.0
181
182# Uncomment external_database if using external database.
183# external_database:
184# harbor:
185# host: harbor_db_host
186# port: harbor_db_port
187# db_name: harbor_db_name
188# username: harbor_db_username
189# password: harbor_db_password
190# ssl_mode: disable
191# max_idle_conns: 2
192# max_open_conns: 0
193
194# Uncomment redis if need to customize redis db
195# redis:
196# # db_index 0 is for core, it's unchangeable
197# # registry_db_index: 1
198# # jobservice_db_index: 2
199# # trivy_db_index: 5
200# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
201# # harbor_db_index: 6
202# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
203# # cache_layer_db_index: 7
204
205# Uncomment external_redis if using external Redis server
206# external_redis:
207# # support redis, redis+sentinel
208# # host for redis: <host_redis>:<port_redis>
209# # host for redis+sentinel:
210# # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
211# host: redis:6379
212# password:
213# # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
214# # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
215# # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
216# # username:
217# # sentinel_master_set must be set to support redis+sentinel
218# #sentinel_master_set:
219# # tls configuration for redis connection
220# # only server-authentication is supported
221# # mtls for redis connection is not supported
222# # tls connection will be disable by default
223# tlsOptions:
224# enable: false
225# # if it is a self-signed ca, please set the ca path specifically.
226# rootCA:
227# # db_index 0 is for core, it's unchangeable
228# registry_db_index: 1
229# jobservice_db_index: 2
230# trivy_db_index: 5
231# idle_timeout_seconds: 30
232# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
233# # harbor_db_index: 6
234# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
235# # cache_layer_db_index: 7
236
237# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
238# uaa:
239# ca_file: /path/to/ca
240
241# Global proxy
242# Config http proxy for components, e.g. http://my.proxy.com:3128
243# Components doesn't need to connect to each others via http proxy.
244# Remove component from `components` array if want disable proxy
245# for it. If you want use proxy for replication, MUST enable proxy
246# for core and jobservice, and set `http_proxy` and `https_proxy`.
247# Add domain to the `no_proxy` field, when you want disable proxy
248# for some special registry.
249proxy:
250 http_proxy:
251 https_proxy:
252 no_proxy:
253 components:
254 - core
255 - jobservice
256 - trivy
257
258# metric:
259# enabled: false
260# port: 9090
261# path: /metrics
262
263# Trace related config
264# only can enable one trace provider(jaeger or otel) at the same time,
265# and when using jaeger as provider, can only enable it with agent mode or collector mode.
266# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
267# if using jaeger agetn mode uncomment agent_host and agent_port
268# trace:
269# enabled: true
270# # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
271# sample_rate: 1
272# # # namespace used to differentiate different harbor services
273# # namespace:
274# # # attributes is a key value dict contains user defined attributes used to initialize trace provider
275# # attributes:
276# # application: harbor
277# # # jaeger should be 1.26 or newer.
278# # jaeger:
279# # endpoint: http://hostname:14268/api/traces
280# # username:
281# # password:
282# # agent_host: hostname
283# # # export trace data by jaeger.thrift in compact mode
284# # agent_port: 6831
285# # otel:
286# # endpoint: hostname:4318
287# # url_path: /v1/traces
288# # compression: false
289# # insecure: true
290# # # timeout is in seconds
291# # timeout: 10
292
293# Enable purge _upload directories
294upload_purging:
295 enabled: true
296 # remove files in _upload directories which exist for a period of time, default is one week.
297 age: 168h
298 # the interval of the purge operations
299 interval: 24h
300 dryrun: false
301
302# Cache layer configurations
303# If this feature enabled, harbor will cache the resource
304# `project/project_metadata/repository/artifact/manifest` in the redis
305# which can especially help to improve the performance of high concurrent
306# manifest pulling.
307# NOTICE
308# If you are deploying Harbor in HA mode, make sure that all the harbor
309# instances have the same behaviour, all with caching enabled or disabled,
310# otherwise it can lead to potential data inconsistency.
311cache:
312 # not enabled by default
313 enabled: false
314 # keep cache for one day by default
315 expire_hours: 24
316
317# Harbor core configurations
318# Uncomment to enable the following harbor core related configuration items.
319# core:
320# # The provider for updating project quota(usage), there are 2 options, redis or db,
321# # by default is implemented by db but you can switch the updation via redis which
322# # can improve the performance of high concurrent pushing to the same project,
323# # and reduce the database connections spike and occupies.
324# # By redis will bring up some delay for quota usage updation for display, so only
325# # suggest switch provider to redis if you were ran into the db connections spike around
326# # the scenario of high concurrent pushing to same project, no improvement for other scenes.
327# quota_update_provider: redis # Or db