mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-28 11:37:42 +01:00
d3ab9d7c6b
add related file, config, command to enabled https for portal Signed-off-by: DQ <dengq@vmware.com>
650 lines
16 KiB
Django/Jinja
650 lines
16 KiB
Django/Jinja
version: '2.3'
|
|
services:
|
|
log:
|
|
image: goharbor/harbor-log:{{version}}
|
|
container_name: harbor-log
|
|
restart: always
|
|
dns_search: .
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- DAC_OVERRIDE
|
|
- SETGID
|
|
- SETUID
|
|
volumes:
|
|
- {{log_location}}/:/var/log/docker/:z
|
|
- type: bind
|
|
source: ./common/config/log/logrotate.conf
|
|
target: /etc/logrotate.d/logrotate.conf
|
|
- type: bind
|
|
source: ./common/config/log/rsyslog_docker.conf
|
|
target: /etc/rsyslog.d/rsyslog_docker.conf
|
|
ports:
|
|
- 127.0.0.1:1514:10514
|
|
networks:
|
|
- harbor
|
|
registry:
|
|
image: goharbor/registry-photon:{{reg_version}}
|
|
container_name: registry
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
volumes:
|
|
- {{data_volume}}/registry:/storage:z
|
|
- ./common/config/registry/:/etc/registry/:z
|
|
- type: bind
|
|
source: {{data_volume}}/secret/registry/root.crt
|
|
target: /etc/registry/root.crt
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{% if gcs_keyfile %}
|
|
- type: bind
|
|
source: {{gcs_keyfile}}
|
|
target: /etc/registry/gcs.key
|
|
{% endif %}
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.core_crt_path}}
|
|
target: /harbor_cust_cert/core.crt
|
|
- type: bind
|
|
source: {{internal_tls.registry_crt_path}}
|
|
target: /etc/harbor/tls/registry.crt
|
|
- type: bind
|
|
source: {{internal_tls.registry_key_path}}
|
|
target: /etc/harbor/tls/registry.key
|
|
{% endif %}
|
|
networks:
|
|
- harbor
|
|
{% if with_clair %}
|
|
- harbor-clair
|
|
{% endif %}
|
|
dns_search: .
|
|
depends_on:
|
|
- log
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "registry"
|
|
registryctl:
|
|
image: goharbor/harbor-registryctl:{{version}}
|
|
container_name: registryctl
|
|
env_file:
|
|
- ./common/config/registryctl/env
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
volumes:
|
|
- {{data_volume}}/registry:/storage:z
|
|
- ./common/config/registry/:/etc/registry/:z
|
|
- type: bind
|
|
source: ./common/config/registryctl/config.yml
|
|
target: /etc/registryctl/config.yml
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{% if gcs_keyfile %}
|
|
- type: bind
|
|
source: {{gcs_keyfile}}
|
|
target: /etc/registry/gcs.key
|
|
{% endif %}
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.registryctl_crt_path}}
|
|
target: /etc/harbor/ssl/registryctl.crt
|
|
- type: bind
|
|
source: {{internal_tls.registryctl_key_path}}
|
|
target: /etc/harbor/ssl/registryctl.key
|
|
{% endif %}
|
|
networks:
|
|
- harbor
|
|
dns_search: .
|
|
depends_on:
|
|
- log
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "registryctl"
|
|
{% if external_database == False %}
|
|
postgresql:
|
|
image: goharbor/harbor-db:{{version}}
|
|
container_name: harbor-db
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- DAC_OVERRIDE
|
|
- SETGID
|
|
- SETUID
|
|
volumes:
|
|
- {{data_volume}}/database:/var/lib/postgresql/data:z
|
|
networks:
|
|
harbor:
|
|
{% if with_notary %}
|
|
harbor-notary:
|
|
aliases:
|
|
- harbor-db
|
|
{% endif %}
|
|
{% if with_clair %}
|
|
harbor-clair:
|
|
aliases:
|
|
- harbor-db
|
|
{% endif %}
|
|
dns_search: .
|
|
env_file:
|
|
- ./common/config/db/env
|
|
depends_on:
|
|
- log
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "postgresql"
|
|
{% endif %}
|
|
core:
|
|
image: goharbor/harbor-core:{{version}}
|
|
container_name: harbor-core
|
|
env_file:
|
|
- ./common/config/core/env
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- SETGID
|
|
- SETUID
|
|
volumes:
|
|
- {{data_volume}}/ca_download/:/etc/core/ca/:z
|
|
- {{data_volume}}/:/data/:z
|
|
- ./common/config/core/certificates/:/etc/core/certificates/:z
|
|
- type: bind
|
|
source: ./common/config/core/app.conf
|
|
target: /etc/core/app.conf
|
|
- type: bind
|
|
source: {{data_volume}}/secret/core/private_key.pem
|
|
target: /etc/core/private_key.pem
|
|
- type: bind
|
|
source: {{data_volume}}/secret/keys/secretkey
|
|
target: /etc/core/key
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{% if uaa_ca_file %}
|
|
- type: bind
|
|
source: {{uaa_ca_file}}
|
|
target: /etc/core/certificates/uaa_ca.pem
|
|
{% endif %}
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.core_crt_path}}
|
|
target: /etc/harbor/ssl/core.crt
|
|
- type: bind
|
|
source: {{internal_tls.core_key_path}}
|
|
target: /etc/harbor/ssl/core.key
|
|
{% endif %}
|
|
networks:
|
|
harbor:
|
|
{% if with_notary %}
|
|
harbor-notary:
|
|
{% endif %}
|
|
{% if with_clair %}
|
|
harbor-clair:
|
|
aliases:
|
|
- harbor-core
|
|
{% endif %}
|
|
{% if with_chartmuseum %}
|
|
harbor-chartmuseum:
|
|
aliases:
|
|
- harbor-core
|
|
{% endif %}
|
|
dns_search: .
|
|
depends_on:
|
|
- log
|
|
- registry
|
|
{% if external_redis == False %}
|
|
- redis
|
|
{% endif %}
|
|
{% if external_database == False %}
|
|
- postgresql
|
|
{% endif %}
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "core"
|
|
portal:
|
|
image: goharbor/harbor-portal:{{version}}
|
|
container_name: harbor-portal
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
- NET_BIND_SERVICE
|
|
volumes:
|
|
- type: bind
|
|
source: ./common/config/portal/nginx.conf
|
|
target: /etc/nginx/nginx.conf
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.portal_crt_path}}
|
|
target: /etc/harbor/tls/portal.crt
|
|
- type: bind
|
|
source: {{internal_tls.portal_key_path}}
|
|
target: /etc/harbor/tls/portal.key
|
|
{% endif %}
|
|
networks:
|
|
- harbor
|
|
dns_search: .
|
|
depends_on:
|
|
- log
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "portal"
|
|
|
|
jobservice:
|
|
image: goharbor/harbor-jobservice:{{version}}
|
|
container_name: harbor-jobservice
|
|
env_file:
|
|
- ./common/config/jobservice/env
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
volumes:
|
|
- {{data_volume}}/job_logs:/var/log/jobs:z
|
|
- type: bind
|
|
source: ./common/config/jobservice/config.yml
|
|
target: /etc/jobservice/config.yml
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.job_service_crt_path}}
|
|
target: /etc/harbor/ssl/job_service.crt
|
|
- type: bind
|
|
source: {{internal_tls.job_service_key_path}}
|
|
target: /etc/harbor/ssl/job_service.key
|
|
{% endif %}
|
|
networks:
|
|
- harbor
|
|
{% if with_clair %}
|
|
- harbor-clair
|
|
{% endif %}
|
|
dns_search: .
|
|
depends_on:
|
|
- core
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "jobservice"
|
|
{% if external_redis == False %}
|
|
redis:
|
|
image: goharbor/redis-photon:{{redis_version}}
|
|
container_name: redis
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
volumes:
|
|
- {{data_volume}}/redis:/var/lib/redis
|
|
networks:
|
|
harbor:
|
|
{% if with_chartmuseum %}
|
|
harbor-chartmuseum:
|
|
aliases:
|
|
- redis
|
|
{% endif %}
|
|
{% if with_clair %}
|
|
harbor-clair:
|
|
aliases:
|
|
- redis
|
|
{% endif %}
|
|
dns_search: .
|
|
depends_on:
|
|
- log
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "redis"
|
|
{% endif %}
|
|
proxy:
|
|
image: goharbor/nginx-photon:{{version}}
|
|
container_name: nginx
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
- NET_BIND_SERVICE
|
|
volumes:
|
|
- ./common/config/nginx:/etc/nginx:z
|
|
{% if protocol == 'https' %}
|
|
- {{data_volume}}/secret/cert:/etc/cert:z
|
|
{% endif %}
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.proxy_crt_path}}
|
|
target: /etc/harbor/tls/proxy.crt
|
|
- type: bind
|
|
source: {{internal_tls.proxy_key_path}}
|
|
target: /etc/harbor/tls/proxy.key
|
|
{% endif %}
|
|
networks:
|
|
- harbor
|
|
{% if with_notary %}
|
|
- harbor-notary
|
|
{% endif %}
|
|
dns_search: .
|
|
ports:
|
|
- {{http_port}}:8080
|
|
{% if protocol == 'https' %}
|
|
- {{https_port}}:8443
|
|
{% endif %}
|
|
{% if with_notary %}
|
|
- 4443:4443
|
|
{% endif %}
|
|
depends_on:
|
|
- registry
|
|
- core
|
|
- portal
|
|
- log
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "proxy"
|
|
{% if with_notary %}
|
|
notary-server:
|
|
image: goharbor/notary-server-photon:{{notary_version}}
|
|
container_name: notary-server
|
|
restart: always
|
|
networks:
|
|
- notary-sig
|
|
- harbor-notary
|
|
dns_search: .
|
|
volumes:
|
|
- ./common/config/notary:/etc/notary:z
|
|
- type: bind
|
|
source: {{data_volume}}/secret/notary/notary-signer-ca.crt
|
|
target: /etc/notary/notary-signer-ca.crt
|
|
- type: bind
|
|
source: {{data_volume}}/secret/registry/root.crt
|
|
target: /etc/notary/root.crt
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.notary_server_crt_path}}
|
|
target: /etc/harbor/ssl/notary_server.crt
|
|
- type: bind
|
|
source: {{internal_tls.notary_server_key_path}}
|
|
target: /etc/harbor/ssl/notary_server.key
|
|
{% endif %}
|
|
env_file:
|
|
- ./common/config/notary/server_env
|
|
depends_on:
|
|
{% if external_database == False %}
|
|
- postgresql
|
|
{% endif %}
|
|
- notary-signer
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "notary-server"
|
|
notary-signer:
|
|
image: goharbor/notary-signer-photon:{{notary_version}}
|
|
container_name: notary-signer
|
|
restart: always
|
|
networks:
|
|
harbor-notary:
|
|
notary-sig:
|
|
aliases:
|
|
- notarysigner
|
|
dns_search: .
|
|
volumes:
|
|
- ./common/config/notary:/etc/notary:z
|
|
- type: bind
|
|
source: {{data_volume}}/secret/notary/notary-signer.crt
|
|
target: /etc/notary/notary-signer.crt
|
|
- type: bind
|
|
source: {{data_volume}}/secret/notary/notary-signer.key
|
|
target: /etc/notary/notary-signer.key
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.notary_signer_crt_path}}
|
|
target: /etc/harbor/ssl/notary_signer.crt
|
|
- type: bind
|
|
source: {{internal_tls.notary_signer_key_path}}
|
|
target: /etc/harbor/ssl/notary_signer.key
|
|
{% endif %}
|
|
env_file:
|
|
- ./common/config/notary/signer_env
|
|
depends_on:
|
|
- log
|
|
{% if external_database == False %}
|
|
- postgresql
|
|
{% endif %}
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "notary-signer"
|
|
{% endif %}
|
|
{% if with_clair %}
|
|
clair:
|
|
networks:
|
|
- harbor-clair
|
|
container_name: clair
|
|
image: goharbor/clair-photon:{{clair_version}}
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- DAC_OVERRIDE
|
|
- SETGID
|
|
- SETUID
|
|
cpu_quota: 50000
|
|
dns_search: .
|
|
depends_on:
|
|
- log
|
|
{% if external_database == False %}
|
|
- postgresql
|
|
{% endif %}
|
|
volumes:
|
|
- type: bind
|
|
source: ./common/config/clair/config.yaml
|
|
target: /etc/clair/config.yaml
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.clair_crt_path}}
|
|
target: /etc/harbor/ssl/clair.crt
|
|
- type: bind
|
|
source: {{internal_tls.clair_key_path}}
|
|
target: /etc/harbor/ssl/clair.key
|
|
{% endif %}
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "clair"
|
|
env_file:
|
|
./common/config/clair/clair_env
|
|
clair-adapter:
|
|
networks:
|
|
- harbor-clair
|
|
container_name: clair-adapter
|
|
image: goharbor/clair-adapter-photon:{{clair_adapter_version}}
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- DAC_OVERRIDE
|
|
- SETGID
|
|
- SETUID
|
|
cpu_quota: 50000
|
|
dns_search: .
|
|
depends_on:
|
|
- clair
|
|
{% if external_redis == False %}
|
|
- redis
|
|
{% endif %}
|
|
volumes:
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.clair_adapter_crt_path}}
|
|
target: /etc/harbor/ssl/clair_adapter.crt
|
|
- type: bind
|
|
source: {{internal_tls.clair_adapter_key_path}}
|
|
target: /etc/harbor/ssl/clair_adapter.key
|
|
{% endif %}
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "clair-adapter"
|
|
env_file:
|
|
./common/config/clair-adapter/env
|
|
{% endif %}
|
|
{% if with_trivy %}
|
|
trivy-adapter:
|
|
container_name: trivy-adapter
|
|
image: goharbor/trivy-adapter-photon:{{trivy_adapter_version}}
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
dns_search: .
|
|
networks:
|
|
- harbor
|
|
{% if external_redis == False %}
|
|
depends_on:
|
|
- redis
|
|
{% endif %}
|
|
volumes:
|
|
- type: bind
|
|
source: {{data_volume}}/trivy-adapter/trivy
|
|
target: /home/scanner/.cache/trivy
|
|
- type: bind
|
|
source: {{data_volume}}/trivy-adapter/reports
|
|
target: /home/scanner/.cache/reports
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{% if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.trivy_adapter_crt_path}}
|
|
target: /etc/harbor/ssl/trivy_adapter.crt
|
|
- type: bind
|
|
source: {{internal_tls.trivy_adapter_key_path}}
|
|
target: /etc/harbor/ssl/trivy_adapter.key
|
|
{% endif %}
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "trivy-adapter"
|
|
env_file:
|
|
./common/config/trivy-adapter/env
|
|
{% endif %}
|
|
{% if with_chartmuseum %}
|
|
chartmuseum:
|
|
container_name: chartmuseum
|
|
image: goharbor/chartmuseum-photon:{{chartmuseum_version}}
|
|
restart: always
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- DAC_OVERRIDE
|
|
- SETGID
|
|
- SETUID
|
|
networks:
|
|
- harbor-chartmuseum
|
|
dns_search: .
|
|
depends_on:
|
|
- log
|
|
volumes:
|
|
- {{data_volume}}/chart_storage:/chart_storage:z
|
|
- ./common/config/chartserver:/etc/chartserver:z
|
|
- type: bind
|
|
source: ./common/config/shared/trust-certificates
|
|
target: /harbor_cust_cert
|
|
{%if internal_tls.enabled %}
|
|
- type: bind
|
|
source: {{internal_tls.chartmuseum_crt_path}}
|
|
target: /etc/harbor/ssl/chartmuseum.crt
|
|
- type: bind
|
|
source: {{internal_tls.chartmuseum_key_path}}
|
|
target: /etc/harbor/ssl/chartmuseum.key
|
|
{% endif %}
|
|
{% if gcs_keyfile %}
|
|
- type: bind
|
|
source: {{gcs_keyfile}}
|
|
target: /etc/chartserver/gcs.key
|
|
{% endif %}
|
|
logging:
|
|
driver: "syslog"
|
|
options:
|
|
syslog-address: "tcp://127.0.0.1:1514"
|
|
tag: "chartmuseum"
|
|
env_file:
|
|
./common/config/chartserver/env
|
|
{% endif %}
|
|
networks:
|
|
harbor:
|
|
external: false
|
|
{% if with_notary %}
|
|
harbor-notary:
|
|
external: false
|
|
notary-sig:
|
|
external: false
|
|
{% endif %}
|
|
{% if with_clair %}
|
|
harbor-clair:
|
|
external: false
|
|
{% endif %}
|
|
{% if with_chartmuseum %}
|
|
harbor-chartmuseum:
|
|
external: false
|
|
{% endif %}
|