runner

1# Configuration file of Harbor
2
3# The IP address or hostname to access admin UI and registry service.
4# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
5hostname: {{ harbor_hostname | default(ansible_default_ipv4.address) }}
6
7# http related config
8http:
9  # port for http, default is 80. If https enabled, this port will redirect to https port
10  relativeurls: true
11  port: {{ harbor_http_port | default(8080) }}
12
13# https related config
14# https:
15  # https port for harbor, default is 443
16  # port: 443
17  # The path of cert and key files for nginx
18  # certificate: /your/certificate/path
19  # private_key: /your/private/key/path
20  # enable strong ssl ciphers (default: false)
21  # strong_ssl_ciphers: false
22
23# # Harbor will set ipv4 enabled only by default if this block is not configured
24# # Otherwise, please uncomment this block to configure your own ip_family stacks
25# ip_family:
26#   # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
27#   ipv6:
28#     enabled: false
29#   # ipv4Enabled set to true by default, currently it affected the nginx related component
30#   ipv4:
31#     enabled: true
32
33# # Uncomment following will enable tls communication between all harbor components
34# internal_tls:
35#   # set enabled to true means internal tls is enabled
36#   enabled: true
37#   # put your cert and key files on dir
38#   dir: /etc/harbor/tls/internal
39
40
41# Uncomment external_url if you want to enable external proxy
42# And when it enabled the hostname will no longer used
43# external_url: https://reg.mydomain.com:8433
44
45# The initial password of Harbor admin
46# It only works in first time to install harbor
47# Remember Change the admin password from UI after launching Harbor.
48harbor_admin_password: {{ harbor_admin_password | default('Harbor12345') }}
49
50# Harbor DB configuration
51database:
52  # The password for the user('postgres' by default) of Harbor DB. Change this before any production use.
53  password: {{ harbor_db_password | default('root123') }}
54  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
55  max_idle_conns: 100
56  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
57  # Note: the default number of connections is 1024 for postgres of harbor.
58  max_open_conns: 900
59  # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
60  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
61  conn_max_lifetime: 5m
62  # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
63  # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
64  conn_max_idle_time: 0
65
66# The default data volume
67data_volume: {{ harbor_data_volume | default('/mnt/docker/harbor') }}
68
69# Harbor Storage settings by default is using /data dir on local filesystem
70# Uncomment storage_service setting If you want to using external storage
71# storage_service:
72#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
73#   # of registry's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
74#   ca_bundle:
75
76#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
77#   # for more info about this configuration please refer https://distribution.github.io/distribution/about/configuration/
78#   # and https://distribution.github.io/distribution/storage-drivers/
79#   filesystem:
80#     maxthreads: 100
81#   # set disable to true when you want to disable registry redirect
82#   redirect:
83#     disable: false
84
85# Trivy configuration
86#
87# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
88# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
89# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
90# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
91# 12 hours and published as a new release to GitHub.
92trivy:
93  # ignoreUnfixed The flag to display only fixed vulnerabilities
94  ignore_unfixed: false
95  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
96  #
97  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
98  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
99  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
100  skip_update: false
101  #
102  # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
103  # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
104  skip_java_db_update: false
105  #
106  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
107  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
108  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
109  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
110  # It would work if all the dependencies are in local.
111  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
112  offline_scan: false
113  #
114  # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
115  security_check: vuln
116  #
117  # insecure The flag to skip verifying registry certificate
118  insecure: false
119  #
120  # timeout The duration to wait for scan completion.
121  # There is upper bound of 30 minutes defined in scan job. So if this `timeout` is larger than 30m0s, it will also timeout at 30m0s.
122  timeout: 5m0s
123  #
124  # github_token The GitHub access token to download Trivy DB
125  #
126  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
127  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
128  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
129  # https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting
130  #
131  # You can create a GitHub token by following the instructions in
132  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
133  #
134  # github_token: xxx
135
136jobservice:
137  # Maximum number of job workers in job service
138  max_job_workers: 10
139  # Maximum hours of task duration in job service, default 24
140  max_job_duration_hours: 24
141  # The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB"
142  job_loggers:
143    - STD_OUTPUT
144    - FILE
145    # - DB
146  # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
147  logger_sweeper_duration: 1 #days
148
149notification:
150  # Maximum retry count for webhook job
151  webhook_job_max_retry: 3
152  # HTTP client timeout for webhook job
153  webhook_job_http_client_timeout: 3 #seconds
154
155# Log configurations
156log:
157  # options are debug, info, warning, error, fatal
158  level: info
159  # configs for logs in local storage
160  local:
161    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
162    rotate_count: 50
163    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
164    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
165    # are all valid.
166    rotate_size: 200M
167    # The directory on your host that store log
168    location: /var/log/harbor
169
170  # Uncomment following lines to enable external syslog endpoint.
171  # external_endpoint:
172  #   # protocol used to transmit log to external endpoint, options is tcp or udp
173  #   protocol: tcp
174  #   # The host of external endpoint
175  #   host: localhost
176  #   # Port of external endpoint
177  #   port: 5140
178
179#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
180_version: 2.13.0
181
182# Uncomment external_database if using external database.
183# external_database:
184#   harbor:
185#     host: harbor_db_host
186#     port: harbor_db_port
187#     db_name: harbor_db_name
188#     username: harbor_db_username
189#     password: harbor_db_password
190#     ssl_mode: disable
191#     max_idle_conns: 2
192#     max_open_conns: 0
193
194# Uncomment redis if need to customize redis db
195# redis:
196#   # db_index 0 is for core, it's unchangeable
197#   # registry_db_index: 1
198#   # jobservice_db_index: 2
199#   # trivy_db_index: 5
200#   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
201#   # harbor_db_index: 6
202#   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
203#   # cache_layer_db_index: 7
204
205# Uncomment external_redis if using external Redis server
206# external_redis:
207#   # support redis, redis+sentinel
208#   # host for redis: <host_redis>:<port_redis>
209#   # host for redis+sentinel:
210#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
211#   host: redis:6379
212#   password: 
213#   # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
214#   # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
215#   # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
216#   # username:
217#   # sentinel_master_set must be set to support redis+sentinel
218#   #sentinel_master_set:
219#   # tls configuration for redis connection
220#   # only server-authentication is supported
221#   # mtls for redis connection is not supported
222#   # tls connection will be disable by default 
223#   tlsOptions:
224#     enable: false
225#   # if it is a self-signed ca, please set the ca path specifically.
226#     rootCA:
227#   # db_index 0 is for core, it's unchangeable
228#   registry_db_index: 1
229#   jobservice_db_index: 2
230#   trivy_db_index: 5
231#   idle_timeout_seconds: 30
232#   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
233#   # harbor_db_index: 6
234#   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
235#   # cache_layer_db_index: 7
236
237# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
238# uaa:
239#   ca_file: /path/to/ca
240
241# Global proxy
242# Config http proxy for components, e.g. http://my.proxy.com:3128
243# Components doesn't need to connect to each others via http proxy.
244# Remove component from `components` array if want disable proxy
245# for it. If you want use proxy for replication, MUST enable proxy
246# for core and jobservice, and set `http_proxy` and `https_proxy`.
247# Add domain to the `no_proxy` field, when you want disable proxy
248# for some special registry.
249proxy:
250  http_proxy:
251  https_proxy:
252  no_proxy:
253  components:
254    - core
255    - jobservice
256    - trivy
257
258# metric:
259#   enabled: false
260#   port: 9090
261#   path: /metrics
262
263# Trace related config
264# only can enable one trace provider(jaeger or otel) at the same time,
265# and when using jaeger as provider, can only enable it with agent mode or collector mode.
266# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
267# if using jaeger agetn mode uncomment agent_host and agent_port
268# trace:
269#   enabled: true
270#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
271#   sample_rate: 1
272#   # # namespace used to differentiate different harbor services
273#   # namespace:
274#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
275#   # attributes:
276#   #   application: harbor
277#   # # jaeger should be 1.26 or newer.
278#   # jaeger:
279#   #   endpoint: http://hostname:14268/api/traces
280#   #   username:
281#   #   password:
282#   #   agent_host: hostname
283#   #   # export trace data by jaeger.thrift in compact mode
284#   #   agent_port: 6831
285#   # otel:
286#   #   endpoint: hostname:4318
287#   #   url_path: /v1/traces
288#   #   compression: false
289#   #   insecure: true
290#   #   # timeout is in seconds
291#   #   timeout: 10
292
293# Enable purge _upload directories
294upload_purging:
295  enabled: true
296  # remove files in _upload directories which exist for a period of time, default is one week.
297  age: 168h
298  # the interval of the purge operations
299  interval: 24h
300  dryrun: false
301
302# Cache layer configurations
303# If this feature enabled, harbor will cache the resource
304# `project/project_metadata/repository/artifact/manifest` in the redis
305# which can especially help to improve the performance of high concurrent
306# manifest pulling.
307# NOTICE
308# If you are deploying Harbor in HA mode, make sure that all the harbor
309# instances have the same behaviour, all with caching enabled or disabled,
310# otherwise it can lead to potential data inconsistency.
311cache:
312  # not enabled by default
313  enabled: false
314  # keep cache for one day by default
315  expire_hours: 24
316
317# Harbor core configurations
318# Uncomment to enable the following harbor core related configuration items.
319# core:
320#   # The provider for updating project quota(usage), there are 2 options, redis or db,
321#   # by default is implemented by db but you can switch the updation via redis which
322#   # can improve the performance of high concurrent pushing to the same project,
323#   # and reduce the database connections spike and occupies.
324#   # By redis will bring up some delay for quota usage updation for display, so only
325#   # suggest switch provider to redis if you were ran into the db connections spike around
326#   # the scenario of high concurrent pushing to same project, no improvement for other scenes.
327#   quota_update_provider: redis # Or db