mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-23 17:17:46 +01:00
e02de2068a
Enable configuring the path of root cert of UAA in harbor.cfg. It only takes effects if the verify_cert is set to "true" If the file does not exist, the configuration is skipped. The intention for this commit is to support integration with nested UAA in PAS or PKS, we don't expect user to manually configure this value, though he can do it if he wants.
147 lines
5.3 KiB
INI
147 lines
5.3 KiB
INI
## Configuration file of Harbor
|
|
|
|
#The IP address or hostname to access admin UI and registry service.
|
|
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
|
|
hostname = reg.mydomain.com
|
|
|
|
#The protocol for accessing the UI and token/notification service, by default it is http.
|
|
#It can be set to https if ssl is enabled on nginx.
|
|
ui_url_protocol = http
|
|
|
|
#The password for the root user of mysql db, change this before any production use.
|
|
db_password = root123
|
|
|
|
#Maximum number of job workers in job service
|
|
max_job_workers = 3
|
|
|
|
#Determine whether or not to generate certificate for the registry's token.
|
|
#If the value is on, the prepare script creates new root cert and private key
|
|
#for generating token to access the registry. If the value is off the default key/cert will be used.
|
|
#This flag also controls the creation of the notary signer's cert.
|
|
customize_crt = on
|
|
|
|
#The path of cert and key files for nginx, they are applied only the protocol is set to https
|
|
ssl_cert = /data/cert/server.crt
|
|
ssl_cert_key = /data/cert/server.key
|
|
|
|
#The path of secretkey storage
|
|
secretkey_path = /data
|
|
|
|
#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
|
|
admiral_url = NA
|
|
|
|
#The password of the Clair's postgres database, only effective when Harbor is deployed with Clair.
|
|
#Please update it before deployment, subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
|
|
clair_db_password = password
|
|
|
|
#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
|
|
log_rotate_count = 50
|
|
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
|
|
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
|
|
#are all valid.
|
|
log_rotate_size = 200M
|
|
|
|
#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
|
|
#only take effect in the first boot, the subsequent changes of these properties
|
|
#should be performed on web ui
|
|
|
|
#************************BEGIN INITIAL PROPERTIES************************
|
|
|
|
#Email account settings for sending out password resetting emails.
|
|
|
|
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
|
|
#Identity left blank to act as username.
|
|
email_identity =
|
|
|
|
email_server = smtp.mydomain.com
|
|
email_server_port = 25
|
|
email_username = sample_admin@mydomain.com
|
|
email_password = abc
|
|
email_from = admin <sample_admin@mydomain.com>
|
|
email_ssl = false
|
|
email_insecure = false
|
|
|
|
##The initial password of Harbor admin, only works for the first time when Harbor starts.
|
|
#It has no effect after the first launch of Harbor.
|
|
#Change the admin password from UI after launching Harbor.
|
|
harbor_admin_password = Harbor12345
|
|
|
|
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
|
|
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
|
|
auth_mode = db_auth
|
|
|
|
#The url for an ldap endpoint.
|
|
ldap_url = ldaps://ldap.mydomain.com
|
|
|
|
#A user's DN who has the permission to search the LDAP/AD server.
|
|
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
|
|
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
|
|
|
|
#the password of the ldap_searchdn
|
|
#ldap_search_pwd = password
|
|
|
|
#The base DN from which to look up a user in LDAP/AD
|
|
ldap_basedn = ou=people,dc=mydomain,dc=com
|
|
|
|
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
|
|
#ldap_filter = (objectClass=person)
|
|
|
|
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
|
|
ldap_uid = uid
|
|
|
|
#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
|
|
ldap_scope = 3
|
|
|
|
#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
|
|
ldap_timeout = 5
|
|
|
|
#Verify certificate from LDAP server
|
|
ldap_verify_cert = true
|
|
|
|
#Turn on or off the self-registration feature
|
|
self_registration = on
|
|
|
|
#The expiration time (in minute) of token created by token service, default is 30 minutes
|
|
token_expiration = 30
|
|
|
|
#The flag to control what users have permission to create projects
|
|
#The default value "everyone" allows everyone to creates a project.
|
|
#Set to "adminonly" so that only admin user can create project.
|
|
project_creation_restriction = everyone
|
|
|
|
#The follow configurations are for Harbor HA mode only
|
|
#####################################################
|
|
#the address of the mysql database.
|
|
db_host = mysql
|
|
|
|
#The port of mysql database host
|
|
db_port = 3306
|
|
|
|
#The user name of mysql database
|
|
db_user = root
|
|
#The redis server address
|
|
redis_url =
|
|
|
|
#Clair DB host address
|
|
clair_db_host = postgres
|
|
|
|
#Clair DB connect port
|
|
clair_db_port = 5432
|
|
|
|
#Clair DB username
|
|
clair_db_username = postgres
|
|
|
|
#Clair default database
|
|
clair_db = postgres
|
|
|
|
|
|
################### end of HA section #####################
|
|
#************************END INITIAL PROPERTIES************************
|
|
#The following attributes only need to be set when auth mode is uaa_auth
|
|
uaa_endpoint = uaa.mydomain.org
|
|
uaa_clientid = id
|
|
uaa_clientsecret = secret
|
|
uaa_verify_cert = true
|
|
uaa_ca_cert = /path/to/ca.pem
|
|
#############
|