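expose:
  # Set the way how to expose the service. Set the type as "ingress",
  # "clusterIP", "nodePort" or "loadBalancer" and fill the information
  # in the corresponding section.
  type: ingress
  tls:
    # Enable the tls or not.
    # Delete the "ssl-redirect" annotations in "expose.ingress.annotations"
    # (ingress.kubernetes.io/ssl-redirect) when TLS is disabled and
    # "expose.type" is "ingress".
    # Note: if the "expose.type" is "ingress" and the tls is disabled, the
    # port must be included in the command when pull/push images.
    # Refer to https://github.com/goharbor/harbor/issues/5291 for the detail.
    enabled: true
    # The source of the tls certificate. Set it as "auto", "secret"
    # or "none" and fill the information in the corresponding section
    # 1) auto: generate the tls certificate automatically
    # 2) secret: read the tls certificate from the specified secret.
    #    The tls certificate can be generated manually or by cert manager
    # 3) none: configure no tls certificate for the ingress. If the default
    #    tls certificate is configured in the ingress controller, choose this option
    certSource: auto
    auto:
      # The common name used to generate the certificate, it's necessary
      # when the type isn't "ingress"
      commonName: ""
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: ""
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      # Only needed when the "expose.type" is "ingress".
      notarySecretName: ""
  ingress:
    hosts:
      # The host of Harbor core service in ingress rule
      core: harbor.koenli.net
      # The host of Harbor Notary service in ingress rule
      notary: notary.koenli.net
    # set to the type of ingress controller if it has specific requirements.
    # leave as `default` for most ingress controllers.
    # set to `gce` if using the GCE ingress controller
    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
    controller: default
    annotations:
      # note different ingress controllers may require a different ssl-redirect annotation
      # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the
      # nginx lines below (nginx.ingress.kubernetes.io/ssl-redirect and
      # nginx.ingress.kubernetes.io/proxy-body-size).
      # Keep the ssl-redirect annotations while tls.enabled is true so plain-HTTP
      # requests are not served; they must be removed (see tls.enabled above) when
      # TLS is disabled, otherwise the redirect loops or fails.
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    notary:
      # notary-specific annotations
      annotations: {}
    harbor:
      # harbor ingress-specific annotations
      annotations: {}
  clusterIP:
    # The name of ClusterIP service
    name: harbor
    # Annotations on the ClusterIP service
    annotations: {}
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
  nodePort:
    # The name of NodePort service
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving with HTTP
        port: 80
        # The node port Harbor listens on when serving with HTTP
        nodePort: 30002
      https:
        # The service port Harbor listens on when serving with HTTPS
        port: 443
        # The node port Harbor listens on when serving with HTTPS
        nodePort: 30003
      # Only needed when notary.enabled is set to true
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30004
  loadBalancer:
    # The name of LoadBalancer service
    name: harbor
    # Set the IP if the LoadBalancer supports assigning IP
    IP: ""
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
    annotations: {}
    # Source CIDRs allowed to reach the LoadBalancer. An empty list leaves the
    # service reachable from any source; restrict it to known client ranges
    # where the cloud provider honours source ranges.
    sourceRanges: []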
# The external URL for Harbor core service. It is used to
# 1) populate the docker/helm commands shown on portal
# 2) populate the token service URL returned to docker/notary client
#
# Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be
#    the value of "expose.ingress.hosts.core"
# 2) if "expose.type" is "clusterIP", the "domain" should be
#    the value of "expose.clusterIP.name"
# 3) if "expose.type" is "nodePort", the "domain" should be
#    the IP address of k8s node
#
# If Harbor is deployed behind the proxy, set it as the URL of proxy
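# The internal TLS used for harbor components secure communicating. In order to enable https
# in each components tls cert files need to provided in advance.
# While "enabled" is false the component-to-component traffic inside the cluster
# is not protected by this setting; enable it (certSource "auto" is the simplest)
# when the cluster network is not otherwise trusted.
internalTLS:
  # If internal TLS enabled
  enabled: false
  # There are three ways to provide tls
  # 1) "auto" will generate cert automatically
  # 2) "manual" need provide cert file manually in following value
  # 3) "secret" internal certificates from secret
  certSource: "auto"
  # The content of trust ca, only available when `certSource` is "manual"
  trustCa: ""
  # core related cert configuration
  core:
    # secret name for core's tls certs
    secretName: ""
    # Content of core's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of core's TLS key file, only available when `certSource` is "manual"
    key: ""
  # jobservice related cert configuration
  jobservice:
    # secret name for jobservice's tls certs
    secretName: ""
    # Content of jobservice's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
    key: ""
  # registry related cert configuration
  registry:
    # secret name for registry's tls certs
    secretName: ""
    # Content of registry's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of registry's TLS key file, only available when `certSource` is "manual"
    key: ""
  # portal related cert configuration
  portal:
    # secret name for portal's tls certs
    secretName: ""
    # Content of portal's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of portal's TLS key file, only available when `certSource` is "manual"
    key: ""
  # chartmuseum related cert configuration
  chartmuseum:
    # secret name for chartmuseum's tls certs
    secretName: ""
    # Content of chartmuseum's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
    key: ""
  # trivy related cert configuration
  trivy:
    # secret name for trivy's tls certs
    secretName: ""
    # Content of trivy's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of trivy's TLS key file, only available when `certSource` is "manual"
    key: ""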
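# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamically.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
# if you have already existing persistent volumes to use
#
# For storing images and charts, you can also use "azure", "gcs", "s3",
# "swift" or "oss". Set it in the "imageChartStorage" section
persistence:
  enabled: true
  # Setting it to "keep" to avoid removing PVCs during a helm delete
  # operation. Leaving it empty will delete PVCs after the chart deleted
  # (this does not apply for PVCs that are created for internal database
  # and redis components, i.e. they are never deleted automatically)
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      existingClaim: ""
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used (the default).
      # Set it to "-" to disable dynamic provisioning
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      # Capacity requested for the persistent volume
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external database is used, the following settings for database will
    # be ignored
    database:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    redis:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi

# Define which storage backend is used for registry and chartmuseum to store
# images and charts.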
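# Refer to
# https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
# for the detail.
imageChartStorage:
  # Specify whether to disable `redirect` for images and chart storage, for
  # backends which not supported it (such as using minio for `s3` storage type), please disable
  # it. To disable redirects, simply set `disableredirect` to `true` instead.
  # Refer to
  # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
  # for the detail.
  disableredirect: false
  # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
  # The secret must contain keys named "ca.crt" which will be injected into the trust store
  # of registry's and chartmuseum's containers.
  # Prefer this over the per-backend "skipverify"/"insecureskipverify" switches below,
  # which turn off certificate verification entirely.
  # caBundleSecretName:

  # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
  # "oss" and fill the information needed in the corresponding section. The type
  # must be "filesystem" if you want to use persistent volumes for registry
  # and chartmuseum
  type: filesystem
  filesystem:
    rootdirectory: /storage
    # maxthreads: 100
  # The credential values in the backend sections below are placeholders. Supply
  # real ones from a values file that is not committed to version control
  # (or via --set), and keep them quoted so they are not retyped by tooling.
  azure:
    accountname: accountname
    accountkey: base64encodedaccountkey
    container: containername
    # realm: core.windows.net
  gcs:
    bucket: bucketname
    # The base64 encoded json file which contains the key
    encodedkey: base64-encoded-json-key-file
    # rootdirectory: /gcs/object/name/prefix
    # chunksize: "5242880"
  s3:
    region: us-west-1
    bucket: bucketname
    # accesskey: awsaccesskey
    # secretkey: awssecretkey
    # regionendpoint: http://myobjects.local
    # encrypt: false
    # keyid: mykeyid
    # secure: true
    # skipverify: false
    # v4auth: true
    # chunksize: "5242880"
    # rootdirectory: /s3/object/name/prefix
    # storageclass: STANDARD
    # multipartcopychunksize: "33554432"
    # multipartcopymaxconcurrency: 100
    # multipartcopythresholdsize: "33554432"
  swift:
    authurl: https://storage.myprovider.com/v3/auth
    username: username
    password: password
    container: containername
    # region: fr
    # tenant: tenantname
    # tenantid: tenantid
    # domain: domainname
    # domainid: domainid
    # trustid: trustid
    # insecureskipverify: false
    # chunksize: 5M
    # prefix:
    # secretkey: secretkey
    # accesskey: accesskey
    # authversion: 3
    # endpointtype: public
    # tempurlcontainerkey: false
    # tempurlmethods:
  oss:
    accesskeyid: accesskeyid
    accesskeysecret: accesskeysecret
    region: regionname
    bucket: bucketname
    # endpoint: endpoint
    # internal: false
    # encrypt: false
    # secure: true
    # chunksize: 10M
    # rootdirectory: rootdirectory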
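# Image pull policy applied to the Harbor component images
imagePullPolicy: IfNotPresent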
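# Use this set to assign a list of default pullSecrets.
# Written as an explicit empty list rather than a bare key, which would parse as null.
imagePullSecrets: []
# - name: docker-registry-secret
# - name: internal-registry-secret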
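# The update strategy for deployments with persistent volumes (jobservice, registry
# and chartmuseum): "RollingUpdate" or "Recreate"
# Set it as "Recreate" when "RWM" for volumes isn't supported
updateStrategy:
  type: RollingUpdate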
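# Log level for the Harbor components: debug, info, warning, error or fatal
logLevel: info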
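# The initial password of Harbor admin. Change it from portal after launching Harbor.
# The value below is the chart's published default; set a non-default value here
# (or pass it with --set from outside version control) before the first launch,
# so the instance never comes up with a well-known admin password.
harborAdminPassword: "Harbor12345"

# The name of the secret which contains key named "ca.crt". Setting this enables the
# download link on portal to download the certificate of CA when the certificate isn't
# generated automatically
caSecretName: ""

# The secret key used for encryption. Must be a string of 16 chars.
# The value below is the chart's published default; replace it with a randomly
# generated 16-character value and keep it out of committed values files.
secretKey: "not-a-secure-key"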
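# The proxy settings for updating trivy vulnerabilities from the Internet and replicating
# artifacts from/to the registries that cannot be reached directly
proxy:
  httpProxy:
  httpsProxy:
  # Destinations that bypass the proxy; in-cluster and loopback names stay direct
  noProxy: 127.0.0.1,localhost,.local,.internal
  # Components that receive the proxy settings
  components:
    - core
    - jobservice
    - trivy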
# docker login harbor.koenli.net Username: admin Password: Error response from daemon: Get https://harbor.koenli.net/v2/: x509: certificate signed by unknown authority
这是因为docker login默认使用https去连接镜像仓库,而此时并没有提供证书文件,所以导致出现如上x509: certificate signed by unknown authority的报错。因此我们需要先在所有要访问镜像仓库的节点上创建存放证书文件的目录,默认路径为/etc/docker/certs.d/<registry.domain.name>,其中<registry.domain.name>为镜像仓库访问域名,在本文中即为harbor.koenli.net
# docker login harbor.koenli.net Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
# docker login harbor.koenli.net Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store