harbor/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
DQ d3ab9d7c6b Add internal tls configs for portal
add related file, config, command to enabled https for portal

Signed-off-by: DQ <dengq@vmware.com>
2020-07-31 12:10:47 +08:00

650 lines
16 KiB
Django/Jinja

version: '2.3'
services:
log:
image: goharbor/harbor-log:{{version}}
container_name: harbor-log
restart: always
dns_search: .
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes:
- {{log_location}}/:/var/log/docker/:z
- type: bind
source: ./common/config/log/logrotate.conf
target: /etc/logrotate.d/logrotate.conf
- type: bind
source: ./common/config/log/rsyslog_docker.conf
target: /etc/rsyslog.d/rsyslog_docker.conf
ports:
- 127.0.0.1:1514:10514
networks:
- harbor
registry:
image: goharbor/registry-photon:{{reg_version}}
container_name: registry
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- {{data_volume}}/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- type: bind
source: {{data_volume}}/secret/registry/root.crt
target: /etc/registry/root.crt
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{% if gcs_keyfile %}
- type: bind
source: {{gcs_keyfile}}
target: /etc/registry/gcs.key
{% endif %}
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.core_crt_path}}
target: /harbor_cust_cert/core.crt
- type: bind
source: {{internal_tls.registry_crt_path}}
target: /etc/harbor/tls/registry.crt
- type: bind
source: {{internal_tls.registry_key_path}}
target: /etc/harbor/tls/registry.key
{% endif %}
networks:
- harbor
{% if with_clair %}
- harbor-clair
{% endif %}
dns_search: .
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registry"
registryctl:
image: goharbor/harbor-registryctl:{{version}}
container_name: registryctl
env_file:
- ./common/config/registryctl/env
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- {{data_volume}}/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z
- type: bind
source: ./common/config/registryctl/config.yml
target: /etc/registryctl/config.yml
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{% if gcs_keyfile %}
- type: bind
source: {{gcs_keyfile}}
target: /etc/registry/gcs.key
{% endif %}
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.registryctl_crt_path}}
target: /etc/harbor/ssl/registryctl.crt
- type: bind
source: {{internal_tls.registryctl_key_path}}
target: /etc/harbor/ssl/registryctl.key
{% endif %}
networks:
- harbor
dns_search: .
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registryctl"
{% if external_database == False %}
postgresql:
image: goharbor/harbor-db:{{version}}
container_name: harbor-db
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes:
- {{data_volume}}/database:/var/lib/postgresql/data:z
networks:
harbor:
{% if with_notary %}
harbor-notary:
aliases:
- harbor-db
{% endif %}
{% if with_clair %}
harbor-clair:
aliases:
- harbor-db
{% endif %}
dns_search: .
env_file:
- ./common/config/db/env
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "postgresql"
{% endif %}
core:
image: goharbor/harbor-core:{{version}}
container_name: harbor-core
env_file:
- ./common/config/core/env
restart: always
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
volumes:
- {{data_volume}}/ca_download/:/etc/core/ca/:z
- {{data_volume}}/:/data/:z
- ./common/config/core/certificates/:/etc/core/certificates/:z
- type: bind
source: ./common/config/core/app.conf
target: /etc/core/app.conf
- type: bind
source: {{data_volume}}/secret/core/private_key.pem
target: /etc/core/private_key.pem
- type: bind
source: {{data_volume}}/secret/keys/secretkey
target: /etc/core/key
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{% if uaa_ca_file %}
- type: bind
source: {{uaa_ca_file}}
target: /etc/core/certificates/uaa_ca.pem
{% endif %}
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.core_crt_path}}
target: /etc/harbor/ssl/core.crt
- type: bind
source: {{internal_tls.core_key_path}}
target: /etc/harbor/ssl/core.key
{% endif %}
networks:
harbor:
{% if with_notary %}
harbor-notary:
{% endif %}
{% if with_clair %}
harbor-clair:
aliases:
- harbor-core
{% endif %}
{% if with_chartmuseum %}
harbor-chartmuseum:
aliases:
- harbor-core
{% endif %}
dns_search: .
depends_on:
- log
- registry
{% if external_redis == False %}
- redis
{% endif %}
{% if external_database == False %}
- postgresql
{% endif %}
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "core"
portal:
image: goharbor/harbor-portal:{{version}}
container_name: harbor-portal
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
volumes:
- type: bind
source: ./common/config/portal/nginx.conf
target: /etc/nginx/nginx.conf
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.portal_crt_path}}
target: /etc/harbor/tls/portal.crt
- type: bind
source: {{internal_tls.portal_key_path}}
target: /etc/harbor/tls/portal.key
{% endif %}
networks:
- harbor
dns_search: .
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "portal"
jobservice:
image: goharbor/harbor-jobservice:{{version}}
container_name: harbor-jobservice
env_file:
- ./common/config/jobservice/env
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- {{data_volume}}/job_logs:/var/log/jobs:z
- type: bind
source: ./common/config/jobservice/config.yml
target: /etc/jobservice/config.yml
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.job_service_crt_path}}
target: /etc/harbor/ssl/job_service.crt
- type: bind
source: {{internal_tls.job_service_key_path}}
target: /etc/harbor/ssl/job_service.key
{% endif %}
networks:
- harbor
{% if with_clair %}
- harbor-clair
{% endif %}
dns_search: .
depends_on:
- core
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "jobservice"
{% if external_redis == False %}
redis:
image: goharbor/redis-photon:{{redis_version}}
container_name: redis
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes:
- {{data_volume}}/redis:/var/lib/redis
networks:
harbor:
{% if with_chartmuseum %}
harbor-chartmuseum:
aliases:
- redis
{% endif %}
{% if with_clair %}
harbor-clair:
aliases:
- redis
{% endif %}
dns_search: .
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "redis"
{% endif %}
proxy:
image: goharbor/nginx-photon:{{version}}
container_name: nginx
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
volumes:
- ./common/config/nginx:/etc/nginx:z
{% if protocol == 'https' %}
- {{data_volume}}/secret/cert:/etc/cert:z
{% endif %}
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.proxy_crt_path}}
target: /etc/harbor/tls/proxy.crt
- type: bind
source: {{internal_tls.proxy_key_path}}
target: /etc/harbor/tls/proxy.key
{% endif %}
networks:
- harbor
{% if with_notary %}
- harbor-notary
{% endif %}
dns_search: .
ports:
- {{http_port}}:8080
{% if protocol == 'https' %}
- {{https_port}}:8443
{% endif %}
{% if with_notary %}
- 4443:4443
{% endif %}
depends_on:
- registry
- core
- portal
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy"
{% if with_notary %}
notary-server:
image: goharbor/notary-server-photon:{{notary_version}}
container_name: notary-server
restart: always
networks:
- notary-sig
- harbor-notary
dns_search: .
volumes:
- ./common/config/notary:/etc/notary:z
- type: bind
source: {{data_volume}}/secret/notary/notary-signer-ca.crt
target: /etc/notary/notary-signer-ca.crt
- type: bind
source: {{data_volume}}/secret/registry/root.crt
target: /etc/notary/root.crt
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.notary_server_crt_path}}
target: /etc/harbor/ssl/notary_server.crt
- type: bind
source: {{internal_tls.notary_server_key_path}}
target: /etc/harbor/ssl/notary_server.key
{% endif %}
env_file:
- ./common/config/notary/server_env
depends_on:
{% if external_database == False %}
- postgresql
{% endif %}
- notary-signer
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "notary-server"
notary-signer:
image: goharbor/notary-signer-photon:{{notary_version}}
container_name: notary-signer
restart: always
networks:
harbor-notary:
notary-sig:
aliases:
- notarysigner
dns_search: .
volumes:
- ./common/config/notary:/etc/notary:z
- type: bind
source: {{data_volume}}/secret/notary/notary-signer.crt
target: /etc/notary/notary-signer.crt
- type: bind
source: {{data_volume}}/secret/notary/notary-signer.key
target: /etc/notary/notary-signer.key
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.notary_signer_crt_path}}
target: /etc/harbor/ssl/notary_signer.crt
- type: bind
source: {{internal_tls.notary_signer_key_path}}
target: /etc/harbor/ssl/notary_signer.key
{% endif %}
env_file:
- ./common/config/notary/signer_env
depends_on:
- log
{% if external_database == False %}
- postgresql
{% endif %}
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "notary-signer"
{% endif %}
{% if with_clair %}
clair:
networks:
- harbor-clair
container_name: clair
image: goharbor/clair-photon:{{clair_version}}
restart: always
cap_drop:
- ALL
cap_add:
- DAC_OVERRIDE
- SETGID
- SETUID
cpu_quota: 50000
dns_search: .
depends_on:
- log
{% if external_database == False %}
- postgresql
{% endif %}
volumes:
- type: bind
source: ./common/config/clair/config.yaml
target: /etc/clair/config.yaml
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.clair_crt_path}}
target: /etc/harbor/ssl/clair.crt
- type: bind
source: {{internal_tls.clair_key_path}}
target: /etc/harbor/ssl/clair.key
{% endif %}
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "clair"
env_file:
./common/config/clair/clair_env
clair-adapter:
networks:
- harbor-clair
container_name: clair-adapter
image: goharbor/clair-adapter-photon:{{clair_adapter_version}}
restart: always
cap_drop:
- ALL
cap_add:
- DAC_OVERRIDE
- SETGID
- SETUID
cpu_quota: 50000
dns_search: .
depends_on:
- clair
{% if external_redis == False %}
- redis
{% endif %}
volumes:
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.clair_adapter_crt_path}}
target: /etc/harbor/ssl/clair_adapter.crt
- type: bind
source: {{internal_tls.clair_adapter_key_path}}
target: /etc/harbor/ssl/clair_adapter.key
{% endif %}
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "clair-adapter"
env_file:
./common/config/clair-adapter/env
{% endif %}
{% if with_trivy %}
trivy-adapter:
container_name: trivy-adapter
image: goharbor/trivy-adapter-photon:{{trivy_adapter_version}}
restart: always
cap_drop:
- ALL
dns_search: .
networks:
- harbor
{% if external_redis == False %}
depends_on:
- redis
{% endif %}
volumes:
- type: bind
source: {{data_volume}}/trivy-adapter/trivy
target: /home/scanner/.cache/trivy
- type: bind
source: {{data_volume}}/trivy-adapter/reports
target: /home/scanner/.cache/reports
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{% if internal_tls.enabled %}
- type: bind
source: {{internal_tls.trivy_adapter_crt_path}}
target: /etc/harbor/ssl/trivy_adapter.crt
- type: bind
source: {{internal_tls.trivy_adapter_key_path}}
target: /etc/harbor/ssl/trivy_adapter.key
{% endif %}
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "trivy-adapter"
env_file:
./common/config/trivy-adapter/env
{% endif %}
{% if with_chartmuseum %}
chartmuseum:
container_name: chartmuseum
image: goharbor/chartmuseum-photon:{{chartmuseum_version}}
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
networks:
- harbor-chartmuseum
dns_search: .
depends_on:
- log
volumes:
- {{data_volume}}/chart_storage:/chart_storage:z
- ./common/config/chartserver:/etc/chartserver:z
- type: bind
source: ./common/config/shared/trust-certificates
target: /harbor_cust_cert
{%if internal_tls.enabled %}
- type: bind
source: {{internal_tls.chartmuseum_crt_path}}
target: /etc/harbor/ssl/chartmuseum.crt
- type: bind
source: {{internal_tls.chartmuseum_key_path}}
target: /etc/harbor/ssl/chartmuseum.key
{% endif %}
{% if gcs_keyfile %}
- type: bind
source: {{gcs_keyfile}}
target: /etc/chartserver/gcs.key
{% endif %}
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "chartmuseum"
env_file:
./common/config/chartserver/env
{% endif %}
networks:
harbor:
external: false
{% if with_notary %}
harbor-notary:
external: false
notary-sig:
external: false
{% endif %}
{% if with_clair %}
harbor-clair:
external: false
{% endif %}
{% if with_chartmuseum %}
harbor-chartmuseum:
external: false
{% endif %}