version: '2.3' services: log: image: goharbor/harbor-log:{{version}} container_name: harbor-log restart: always dns_search: . cap_drop: - ALL cap_add: - CHOWN - DAC_OVERRIDE - SETGID - SETUID volumes: - {{log_location}}/:/var/log/docker/:z - type: bind source: ./common/config/log/logrotate.conf target: /etc/logrotate.d/logrotate.conf - type: bind source: ./common/config/log/rsyslog_docker.conf target: /etc/rsyslog.d/rsyslog_docker.conf ports: - 127.0.0.1:1514:10514 networks: - harbor registry: image: goharbor/registry-photon:{{reg_version}} container_name: registry restart: always cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID volumes: - {{data_volume}}/registry:/storage:z - ./common/config/registry/:/etc/registry/:z - type: bind source: {{data_volume}}/secret/registry/root.crt target: /etc/registry/root.crt {% if gcs_keyfile %} - type: bind source: {{gcs_keyfile}} target: /etc/registry/gcs.key {% endif %} {%if internal_tls.enabled %} - type: bind source: {{internal_tls.core_key_path}} target: /harbor_cust_cert/core.crt - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.registry_crt_path}} target: /etc/harbor/tls/registry.crt - type: bind source: {{internal_tls.registry_key_path}} target: /etc/harbor/tls/registry.key {% endif %} networks: - harbor {% if with_clair %} - harbor-clair {% endif %} dns_search: . depends_on: - log logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "registry" registryctl: image: goharbor/harbor-registryctl:{{version}} container_name: registryctl env_file: - ./common/config/registryctl/env restart: always cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID volumes: - {{data_volume}}/registry:/storage:z - ./common/config/registry/:/etc/registry/:z - type: bind source: ./common/config/registryctl/config.yml target: /etc/registryctl/config.yml {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.registryctl_crt_path}} target: /etc/harbor/ssl/registryctl.crt - type: bind source: {{internal_tls.registryctl_key_path}} target: /etc/harbor/ssl/registryctl.key {% endif %} networks: - harbor dns_search: . depends_on: - log logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "registryctl" {% if external_database == False %} postgresql: image: goharbor/harbor-db:{{version}} container_name: harbor-db restart: always cap_drop: - ALL cap_add: - CHOWN - DAC_OVERRIDE - SETGID - SETUID volumes: - {{data_volume}}/database:/var/lib/postgresql/data:z networks: harbor: {% if with_notary %} harbor-notary: aliases: - harbor-db {% endif %} {% if with_clair %} harbor-clair: aliases: - harbor-db {% endif %} dns_search: . env_file: - ./common/config/db/env depends_on: - log logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "postgresql" {% endif %} core: image: goharbor/harbor-core:{{version}} container_name: harbor-core env_file: - ./common/config/core/env restart: always cap_drop: - ALL cap_add: - SETGID - SETUID volumes: - {{data_volume}}/ca_download/:/etc/core/ca/:z - {{data_volume}}/:/data/:z - ./common/config/core/certificates/:/etc/core/certificates/:z - type: bind source: ./common/config/core/app.conf target: /etc/core/app.conf - type: bind source: {{data_volume}}/secret/core/private_key.pem target: /etc/core/private_key.pem - type: bind source: {{data_volume}}/secret/keys/secretkey target: /etc/core/key {% if uaa_ca_file %} - type: bind source: {{uaa_ca_file}} target: /etc/core/certificates/uaa_ca.pem {% endif %} {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.core_crt_path}} target: /etc/harbor/ssl/core.crt - type: bind source: {{internal_tls.core_key_path}} target: /etc/harbor/ssl/core.key {% endif %} networks: harbor: {% if with_notary %} harbor-notary: {% endif %} {% if with_clair %} harbor-clair: aliases: - harbor-core {% endif %} {% if with_chartmuseum %} harbor-chartmuseum: aliases: - harbor-core {% endif %} dns_search: . depends_on: - log - registry {% if external_redis == False %} - redis {% endif %} {% if external_database == False %} - postgresql {% endif %} logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "core" portal: image: goharbor/harbor-portal:{{version}} container_name: harbor-portal restart: always cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID - NET_BIND_SERVICE networks: - harbor dns_search: . depends_on: - log logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "portal" jobservice: image: goharbor/harbor-jobservice:{{version}} container_name: harbor-jobservice env_file: - ./common/config/jobservice/env restart: always cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID volumes: - {{data_volume}}/job_logs:/var/log/jobs:z - type: bind source: ./common/config/jobservice/config.yml target: /etc/jobservice/config.yml {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.job_service_crt_path}} target: /etc/harbor/ssl/job_service.crt - type: bind source: {{internal_tls.job_service_key_path}} target: /etc/harbor/ssl/job_service.key {% endif %} networks: - harbor {% if with_clair %} - harbor-clair {% endif %} dns_search: . depends_on: - core logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "jobservice" {% if external_redis == False %} redis: image: goharbor/redis-photon:{{redis_version}} container_name: redis restart: always cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID volumes: - {{data_volume}}/redis:/var/lib/redis networks: harbor: {% if with_chartmuseum %} harbor-chartmuseum: aliases: - redis {% endif %} {% if with_clair %} harbor-clair: aliases: - redis {% endif %} dns_search: . depends_on: - log logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "redis" {% endif %} proxy: image: goharbor/nginx-photon:{{version}} container_name: nginx restart: always cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID - NET_BIND_SERVICE volumes: - ./common/config/nginx:/etc/nginx:z {% if protocol == 'https' %} - {{data_volume}}/secret/cert:/etc/cert:z {% endif %} {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /etc/harbor/tls/harbor_internal_ca.crt - type: bind source: {{internal_tls.proxy_crt_path}} target: /etc/harbor/tls/proxy.crt - type: bind source: {{internal_tls.proxy_key_path}} target: /etc/harbor/tls/proxy.key {% endif %} networks: - harbor {% if with_notary %} - harbor-notary {% endif %} dns_search: . ports: - {{http_port}}:8080 {% if protocol == 'https' %} - {{https_port}}:8443 {% endif %} {% if with_notary %} - 4443:4443 {% endif %} depends_on: - registry - core - portal - log logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "proxy" {% if with_notary %} notary-server: image: goharbor/notary-server-photon:{{notary_version}} container_name: notary-server restart: always networks: - notary-sig - harbor-notary dns_search: . volumes: - ./common/config/notary:/etc/notary:z - type: bind source: {{data_volume}}/secret/notary/notary-signer-ca.crt target: /etc/notary/notary-signer-ca.crt - type: bind source: {{data_volume}}/secret/registry/root.crt target: /etc/notary/root.crt {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /etc/harbor/ssl/harbor_internal_ca.crt - type: bind source: {{internal_tls.notary_server_crt_path}} target: /etc/harbor/ssl/notary_server.crt - type: bind source: {{internal_tls.notary_server_key_path}} target: /etc/harbor/ssl/notary_server.key {% endif %} env_file: - ./common/config/notary/server_env depends_on: {% if external_database == False %} - postgresql {% endif %} - notary-signer logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "notary-server" notary-signer: image: goharbor/notary-signer-photon:{{notary_version}} container_name: notary-signer restart: always networks: harbor-notary: notary-sig: aliases: - notarysigner dns_search: . volumes: - ./common/config/notary:/etc/notary:z - type: bind source: {{data_volume}}/secret/notary/notary-signer.crt target: /etc/notary/notary-signer.crt - type: bind source: {{data_volume}}/secret/notary/notary-signer.key target: /etc/notary/notary-signer.key {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /etc/harbor/ssl/harbor_internal_ca.crt - type: bind source: {{internal_tls.notary_signer_crt_path}} target: /etc/harbor/ssl/notary_signer.crt - type: bind source: {{internal_tls.notary_signer_key_path}} target: /etc/harbor/ssl/notary_signer.key {% endif %} env_file: - ./common/config/notary/signer_env depends_on: - log {% if external_database == False %} - postgresql {% endif %} logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "notary-signer" {% endif %} {% if with_clair %} clair: networks: - harbor-clair container_name: clair image: goharbor/clair-photon:{{clair_version}} restart: always cap_drop: - ALL cap_add: - DAC_OVERRIDE - SETGID - SETUID cpu_quota: 50000 dns_search: . depends_on: - log {% if external_database == False %} - postgresql {% endif %} volumes: - type: bind source: ./common/config/clair/config.yaml target: /etc/clair/config.yaml {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.clair_crt_path}} target: /etc/harbor/ssl/clair.crt - type: bind source: {{internal_tls.clair_key_path}} target: /etc/harbor/ssl/clair.key {% endif %} logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "clair" env_file: ./common/config/clair/clair_env clair-adapter: networks: - harbor-clair container_name: clair-adapter image: goharbor/clair-adapter-photon:{{clair_adapter_version}} restart: always cap_drop: - ALL cap_add: - DAC_OVERRIDE - SETGID - SETUID cpu_quota: 50000 dns_search: . depends_on: - clair {% if external_redis == False %} - redis {% endif %} {%if internal_tls.enabled %} volumes: - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.clair_adapter_crt_path}} target: /etc/harbor/ssl/clair_adapter.crt - type: bind source: {{internal_tls.clair_adapter_key_path}} target: /etc/harbor/ssl/clair_adapter.key {% endif %} logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "clair-adapter" env_file: ./common/config/clair-adapter/env {% endif %} {% if with_trivy %} trivy-adapter: container_name: trivy-adapter image: goharbor/trivy-adapter-photon:{{trivy_adapter_version}} restart: always cap_drop: - ALL dns_search: . networks: - harbor {% if external_redis == False %} depends_on: - redis {% endif %} volumes: - type: bind source: {{data_volume}}/trivy-adapter/trivy target: /home/scanner/.cache/trivy - type: bind source: {{data_volume}}/trivy-adapter/reports target: /home/scanner/.cache/reports {%if internal_tls.enabled %} volumes: - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /harbor_cust_cert/harbor_internal_ca.crt - type: bind source: {{internal_tls.trivy_adapter_crt_path}} target: /etc/harbor/ssl/trivy_adapter.crt - type: bind source: {{internal_tls.trivy_adapter_key_path}} target: /etc/harbor/ssl/trivy_adapter.key {% endif %} logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "trivy-adapter" env_file: ./common/config/trivy-adapter/env {% endif %} {% if with_chartmuseum %} chartmuseum: container_name: chartmuseum image: goharbor/chartmuseum-photon:{{chartmuseum_version}} restart: always cap_drop: - ALL cap_add: - CHOWN - DAC_OVERRIDE - SETGID - SETUID networks: - harbor-chartmuseum dns_search: . depends_on: - log volumes: - {{data_volume}}/chart_storage:/chart_storage:z - ./common/config/chartserver:/etc/chartserver:z {%if internal_tls.enabled %} - type: bind source: {{internal_tls.harbor_internal_ca_crt_path}} target: /etc/harbor/ssl/harbor_internal_ca.crt - type: bind source: {{internal_tls.chartmuseum_crt_path}} target: /etc/harbor/ssl/chartmuseum.crt - type: bind source: {{internal_tls.chartmuseum_key_path}} target: /etc/harbor/ssl/chartmuseum.key {% endif %} {% if gcs_keyfile %} - type: bind source: {{gcs_keyfile}} target: /etc/chartserver/gcs.key {% endif %} logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "chartmuseum" env_file: ./common/config/chartserver/env {% endif %} networks: harbor: external: false {% if with_notary %} harbor-notary: external: false notary-sig: external: false {% endif %} {% if with_clair %} harbor-clair: external: false {% endif %} {% if with_chartmuseum %} harbor-chartmuseum: external: false {% endif %}