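# Configuration file of Harbor
#
# Layout note: this file is restored to one key per line with 2-space indentation (no tabs).
# Every key and value is kept as deployed; only comments were reworded, translated to English
# and given a consistent "# " prefix. Lines starting with "#" are inactive settings.

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# This is the address used to reach the Harbor Portal and the registry service,
# e.g. 192.168.1.10 or reg.yourdomain.com. Do not use 0.0.0.0 either.
hostname: harbor.rojers.com

# http related config
# Do not use HTTP in production. It is only acceptable in test or development environments
# that are not connected to the Internet, because plain HTTP is exposed to man-in-the-middle
# attacks. With the https block enabled below, this port only redirects to the https port.
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 380

# https related config (comment this block out if you have no certificate; it is enabled by default)
# Always use HTTPS for the Portal and the token/notification services in production and in
# any environment that is not air-gapped.
https:
  # https port for harbor, default is 443
  port: 3443
  # The path of cert and key files for nginx
  # NOTE(review): the key file is a secret; keep it readable only by the account that runs the installer.
  certificate: /root/harbor/ca/harbor.rojers.com.crt
  private_key: /root/harbor/ca/harbor.rojers.com.key
  # enable strong ssl ciphers (default: false)
  # NOTE(review): left at the default (disabled) in this deployment; consider enabling it for production.
  # strong_ssl_ciphers: false

# # Harbor will set ipv4 enabled only by default if this block is not configured
# # Otherwise, please uncomment this block to configure your own ip_family stacks
# ip_family:
#   # ipv6Enabled set to true if ipv6 is enabled in docker network, currently it affected the nginx related component
#   ipv6:
#     enabled: false
#   # ipv4Enabled set to true by default, currently it affected the nginx related component
#   ipv4:
#     enabled: true

# # Uncomment following will enable tls communication between all harbor components
# # (HTTPS between the Harbor components themselves; disabled in this deployment)
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
# On later logins this value is ignored; the admin password is then managed in the Harbor Portal.
# The default username and password are admin and Harbor12345.
# NOTE(review): this is a cleartext credential kept in the deployment file, and the same value is
# reused as the database password below. Rotate it in the Portal after first launch and keep this
# file out of version control and world-readable locations.
harbor_admin_password: rojers@110

# Harbor DB configuration
# Uses the local PostgreSQL database. An external database can be configured instead, in which
# case this block is disabled (see external_database below).
database:
  # The password for the user('postgres' by default) of Harbor DB. Change this before any production use.
  # NOTE(review): identical to harbor_admin_password above; use a distinct secret for the database.
  password: rojers@110
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 100
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 900
  # The maximum amount of time a connection may be reused. Expired connections may be closed lazily
  # before reuse. If it <= 0, connections are not closed due to a connection's age.
  # The value is a duration string: a possibly signed sequence of decimal numbers, each with an
  # optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
  # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
  conn_max_lifetime: 5m
  # The maximum amount of time a connection may be idle. Expired connections may be closed lazily
  # before reuse. If it <= 0, connections are not closed due to a connection's idle time.
  # Same duration-string format as conn_max_lifetime.
  conn_max_idle_time: 0

# The default data volume
# Location on the target host where Harbor stores its data. The data persists even if the Harbor
# containers are removed and/or re-created. To use external storage instead, disable this and
# enable storage_service. The default is /data.
data_volume: /harbor_data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# By default Harbor stores images and charts on the local filesystem; in production another
# storage backend is usually preferred. The parameters below are the registry's configuration.
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:
#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://distribution.github.io/distribution/about/configuration/
#   # and https://distribution.github.io/distribution/storage-drivers/
#   # Set maxthreads to limit the number of threads to the external provider. The default is 100.
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disable: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities (default: false)
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
  # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
  skip_java_db_update: false
  #
  # OCI repository to retrieve the trivy vulnerability database from.
  db_repository: ghcr.io/aquasecurity/trivy-db
  # OCI repository to retrieve the Java trivy vulnerability database from.
  java_db_repository: ghcr.io/aquasecurity/trivy-java-db
  #
  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
  # It would work if all the dependencies are in local.
  # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
  offline_scan: false
  #
  # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
  security_check: vuln
  #
  # insecure The flag to skip verifying registry certificate (default: false)
  # NOTE(review): keep this false; the scanner pulls artifacts over TLS and should verify the registry certificate.
  insecure: false
  #
  # timeout The duration to wait for scan completion.
  # There is upper bound of 30 minutes defined in scan job. So if this `timeout` is larger than 30m0s, it will also timeout at 30m0s.
  timeout: 5m0s
  #
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  # NOTE(review): if set, this is another cleartext secret in this file; use a token with minimal scope.
  # github_token: xxx

# Maximum number of replication workers in the job service. For each image replication job a worker
# syncs all tags of a repository to the remote target. Raising this allows more concurrent replication
# jobs, but each worker consumes network/CPU/IO, so size it to the host's hardware. The default is 10.
jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10
  # Maximum hours of task duration in job service, default 24
  max_job_duration_hours: 24
  # The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB"
  job_loggers:
    - STD_OUTPUT
    - FILE
    # - DB
  # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
  logger_sweeper_duration: 1  # days

notification:
  # Maximum retry count for webhook job (Harbor's documented default is 10; this deployment uses 3)
  webhook_job_max_retry: 3
  # HTTP client timeout for webhook job
  webhook_job_http_client_timeout: 3  # seconds

# Log configurations
# Harbor uses `rsyslog` to collect the logs of each container.
log:
  # options are debug, info, warning, error, fatal (default: info)
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    # The default is 50.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid. The default is 200M.
    rotate_size: 100M
    # The directory on your host that store log (default: /var/log/harbor)
    location: /var/log/harbor
  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp (default: tcp)
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

# This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.15.0

# Uncomment external_database if using external database.
# Configure these settings when the local database option is disabled. Harbor only supports
# PostgreSQL; a database for Harbor core must exist, and the tables are created at startup.
# NOTE(review): `ssl_mode: disable` sends credentials and data in the clear; when the database is
# reached over a network, prefer a verifying ssl_mode.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0

# Uncomment redis if need to customize redis db
# redis:
#   # db_index 0 is for core, it's unchangeable
#   # registry_db_index: 1
#   # jobservice_db_index: 2
#   # trivy_db_index: 5
#   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
#   # harbor_db_index: 6
#   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
#   # cache_layer_db_index: 7

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: HOST:PORT
#   # host for redis+sentinel: SENTINEL1:PORT1,SENTINEL2:PORT2,SENTINEL3:PORT3
#   host: redis:6379
#   password:
#   # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH form.
#   # username:
#   # sentinel_master_set must be set to support redis+sentinel
#   # sentinel_master_set:
#   # tls configuration for redis connection
#   # only server-authentication is supported
#   # mtls for redis connection is not supported
#   # tls connection will be disable by default
#   tlsOptions:
#     enable: false
#     # if it is a self-signed ca, please set the ca path specifically.
#     rootCA:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   trivy_db_index: 5
#   idle_timeout_seconds: 30
#   # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
#   # harbor_db_index: 6
#   # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
#   # cache_layer_db_index: 7

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
# Used by trivy-adapter, the replication job service and Harbor itself. Leave the values blank
# (as here) when no proxy is needed. If the proxy has an allow-list and Trivy is enabled, add
# github.com, github-releases.githubusercontent.com and *.s3.amazonaws.com to it.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# Expose Harbor instance metrics on the given port and path.
# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

# Trace related config
# Exposes distributed tracing data.
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agent mode uncomment agent_host and agent_port
# trace:
#   # set to true to enable tracing on this Harbor instance (default: false)
#   enabled: true
#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
#   sample_rate: 1
#   # # namespace used to differentiate different harbor services; it is set as the `service.namespace` attribute
#   # namespace:
#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
#   # # (all of them are attached to the trace data)
#   # attributes:
#   #   application: harbor
#   # # jaeger should be 1.26 or newer.
#   # jaeger:
#   #   endpoint: http://hostname:14268/api/traces
#   #   username:
#   #   password:
#   #   agent_host: hostname
#   #   # export trace data by jaeger.thrift in compact mode
#   #   agent_port: 6831
#   # otel:
#   #   endpoint: hostname:4318
#   #   url_path: /v1/traces
#   #   compression: false
#   #   insecure: true
#   #   # timeout is in seconds
#   #   timeout: 10

# Enable purge _upload directories
upload_purging:
  enabled: true
  # remove files in _upload directories which exist for a period of time, default is one week.
  age: 168h
  # the interval of the purge operations
  interval: 24h
  dryrun: false

# Cache layer configurations
# If this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which can especially help to improve the performance of high concurrent
# manifest pulling.
# NOTICE
# If you are deploying Harbor in HA mode, make sure that all the harbor
# instances have the same behaviour, all with caching enabled or disabled,
# otherwise it can lead to potential data inconsistency.
# Enabling it is recommended for instances with a high rate of concurrent pull requests;
# see the Cache Layer wiki page for implementation details and measured improvements.
cache:
  # not enabled by default
  enabled: false
  # keep cache for one day by default
  expire_hours: 24

# Harbor core configurations
# Uncomment to enable the following harbor core related configuration items.
# core:
#   # The provider for updating project quota(usage), there are 2 options, redis or db,
#   # by default is implemented by db but you can switch the updation via redis which
#   # can improve the performance of high concurrent pushing to the same project,
#   # and reduce the database connections spike and occupies.
#   # By redis will bring up some delay for quota usage updation for display, so only
#   # suggest switch provider to redis if you were ran into the db connections spike around
#   # the scenario of high concurrent pushing to same project, no improvement for other scenes.
#   quota_update_provider: redis  # Or db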