Reading the Harbor configuration file for a KubeSphere install

2023-05-16

# The upper part of this file is Harbor's own configuration; everything below it is the image configuration for each component.
# Taken together: the component secrets (core.secret, jobservice.secret, registry.secret) can be left empty, since Helm generates them, but harborAdminPassword and secretKey are fixed defaults that are not generated and must be changed. Otherwise nothing special is needed and the defaults basically start. So why does my install throw an error?
expose:
  # Set the way how to expose the service. Set the type as "ingress",
  # "clusterIP", "nodePort" or "loadBalancer" and fill the information
  # in the corresponding section
  # Notes
  	# How Harbor is exposed to the outside; there are four options: ingress, clusterIP, nodePort, loadBalancer
  # Purpose
  	# Selects the way clients reach the Harbor you deploy. Each option has its own section below that must be filled in.
  # Pitfalls
  type: ingress
  tls:
    # Enable the tls or not. Note: if the type is "ingress" and the tls
    # is disabled, the port must be included in the command when pull/push
    # images. Refer to https://github.com/goharbor/harbor/issues/5291
    # for the detail.
    # Notes
    	# The TLS switch. Note: if the exposure type is "ingress" and tls is disabled, the port must be included in pull/push commands
    # Purpose
    	# Keep it enabled: with TLS off, registry credentials and image layers cross the network in clear text, and Docker clients refuse a plain-HTTP registry unless it is listed under insecure-registries.
    # Pitfalls
    enabled: true
    # Fill the name of secret if you want to use your own TLS certificate.
    # The secret contains keys named:
    # "tls.crt" - the certificate (required)
    # "tls.key" - the private key (required)
    # "ca.crt" - the certificate of CA (optional), this enables the download
    # link on portal to download the certificate of CA
    # These files will be generated automatically if the "secretName" is not set
    # Notes
    	# Name of the secret holding your own TLS certificate. The secret must contain tls.crt and tls.key; ca.crt is optional
    	# and, when present, enables the CA download link on the Harbor portal. If "secretName" is left empty, these files are generated automatically.
    # Purpose
    	# This is the server certificate for Harbor's externally exposed endpoint, which docker/helm clients verify; it is not an authentication token. It has to cover the names under expose.ingress.hosts, otherwise clients fail hostname verification.
    # Pitfalls
    secretName: ""
    # By default, the Notary service will use the same cert and key as
    # described above. Fill the name of secret if you want to use a
    # separated one. Only needed when the type is "ingress".
    # Notes
    	# By default the Notary service uses the same cert and key as above
    	# Fill in a secret name if Notary needs a separate one; only relevant when the exposure type is ingress
    # Purpose
    	# The default is usually fine; if Notary really needs its own certificate, this is where to set it.
    # Pitfalls
    notarySecretName: ""
    # The common name used to generate the certificate, it's necessary
    # when the type isn't "ingress" and "secretName" is null
    # Notes
    	# Common name used when generating the certificate; required when the type is not "ingress" and "secretName" is empty.
    # Purpose
    	# Remember the condition above: with clusterIP, nodePort or loadBalancer and an empty secretName, an empty commonName leaves the chart nothing to generate a certificate for, and Harbor will not start.
    # Pitfalls
    commonName: ""
  ingress:
    hosts:
      core: core.harbor.domain
      notary: notary.harbor.domain
    # set to the type of ingress controller if it has specific requirements.
    # leave as `default` for most ingress controllers.
    # set to `gce` if using the GCE ingress controller
    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
    # Notes
    	# Set only if the ingress controller has specific requirements; otherwise leave it at default. The alternatives are gce and ncp.
    # Purpose
    # Pitfalls
    controller: default
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
	# clusterIP settings. I am using ingress for now, so I have not looked into this section yet.
  clusterIP:
    # The name of ClusterIP service
    # Notes
    # Purpose
    # Pitfalls
    name: harbor
    ports:
      # The service port Harbor listens on when serving with HTTP
      # Notes
      # Purpose
      # Pitfalls
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      # Notes
      # Purpose
      # Pitfalls
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      # Notes
      # Purpose
      # Pitfalls
      notaryPort: 4443
  nodePort:
    # The name of NodePort service
    # Notes
    # Purpose
    # Pitfalls
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving with HTTP
        # Notes
        # Purpose
        # Pitfalls
        port: 80
        # The node port Harbor listens on when serving with HTTP
        # Notes
        # Purpose
        # Pitfalls
        nodePort: 30002
      https:
        # The service port Harbor listens on when serving with HTTPS
        # Notes
        # Purpose
        # Pitfalls
        port: 443
        # The node port Harbor listens on when serving with HTTPS
        # Notes
        # Purpose
        # Pitfalls
        nodePort: 30003
      # Only needed when notary.enabled is set to true
      # Notes
      # Purpose
      # Pitfalls
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30004
  loadBalancer:
    # The name of LoadBalancer service
    name: harbor
    # Set the IP if the LoadBalancer supports assigning IP
    IP: ""
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
    annotations: {}
    sourceRanges: []

# The external URL for Harbor core service. It is used to
# 1) populate the docker/helm commands showed on portal
# 2) populate the token service URL returned to docker/notary client
#
# Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be
# the value of "expose.ingress.hosts.core"
# 2) if "expose.type" is "clusterIP", the "domain" should be
# the value of "expose.clusterIP.name"
# 3) if "expose.type" is "nodePort", the "domain" should be
# the IP address of k8s node
#
# If Harbor is deployed behind the proxy, set it as the URL of proxy
# Notes
	# If Harbor sits behind a proxy, set this to the proxy's URL.
# Purpose
	# This is the address the portal prints in docker/helm commands and the token service hands back to clients, so it must be the name and scheme clients actually use to reach Harbor.
# Pitfalls
externalURL: https://core.harbor.domain
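The rules the comments above state for `expose` and `externalURL` are easy to violate by editing one field and forgetting the other (switching TLS off but leaving an https URL, or changing the ingress host without touching externalURL). The checker below is an added example written for this page, not code from the original post or from the Harbor chart. It takes the values tree as a plain dict; the constructed `SAMPLE_VALUES` mirrors the defaults shown above, and a real values.yaml loaded with `yaml.safe_load` has the same shape.

```python
"""Consistency checks for the `expose` and `externalURL` settings of a Harbor
chart values tree. Added example for this page; not code from the Harbor chart."""
from urllib.parse import urlsplit

# Constructed sample mirroring the defaults shown on this page (only the keys
# the checks read are included).
SAMPLE_VALUES = {
    "expose": {
        "type": "ingress",
        "tls": {"enabled": True, "secretName": "", "notarySecretName": "", "commonName": ""},
        "ingress": {"hosts": {"core": "core.harbor.domain", "notary": "notary.harbor.domain"}},
        "clusterIP": {"name": "harbor"},
        "nodePort": {"ports": {"https": {"nodePort": 30003}}},
    },
    "externalURL": "https://core.harbor.domain",
}


def dig(tree, path, default=None):
    """Follow a dotted key path through nested dicts; return default on any miss."""
    node = tree
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_exposure(values):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    expose_type = dig(values, "expose.type", "ingress")
    tls_enabled = bool(dig(values, "expose.tls.enabled", True))
    secret_name = dig(values, "expose.tls.secretName") or ""
    common_name = dig(values, "expose.tls.commonName") or ""
    notary_secret = dig(values, "expose.tls.notarySecretName") or ""
    url = urlsplit(dig(values, "externalURL") or "")

    # 1) The scheme handed to docker/helm clients must match the TLS switch.
    expected_scheme = "https" if tls_enabled else "http"
    if url.scheme != expected_scheme:
        findings.append(f"externalURL scheme '{url.scheme}' does not match expose.tls.enabled={tls_enabled}")

    # 2) The host (and, for nodePort, the port) must be what clients actually use.
    if expose_type == "ingress":
        core_host = dig(values, "expose.ingress.hosts.core") or ""
        if url.hostname != core_host:
            findings.append(f"externalURL host '{url.hostname}' differs from expose.ingress.hosts.core '{core_host}'")
        if not tls_enabled:
            findings.append("ingress with TLS disabled: clients must include the port in pull/push commands")
    elif expose_type == "clusterIP":
        service = dig(values, "expose.clusterIP.name") or ""
        if url.hostname != service:
            findings.append(f"externalURL host '{url.hostname}' differs from expose.clusterIP.name '{service}'")
    elif expose_type == "nodePort":
        port_path = "expose.nodePort.ports.https.nodePort" if tls_enabled else "expose.nodePort.ports.http.nodePort"
        node_port = dig(values, port_path)
        if url.port != node_port:
            findings.append(f"externalURL port {url.port} differs from the configured nodePort {node_port}")
    elif expose_type != "loadBalancer":
        findings.append(f"unknown expose.type '{expose_type}'")

    # 3) Certificate-source rules taken from the chart comments.
    if expose_type != "ingress" and not secret_name and not common_name:
        findings.append("expose.tls.commonName is required when type is not ingress and secretName is empty")
    if expose_type != "ingress" and notary_secret:
        findings.append("expose.tls.notarySecretName is only used when type is ingress")
    if tls_enabled and not secret_name:
        findings.append("expose.tls.secretName is empty: the chart generates a self-signed certificate that clients must trust")
    return findings


if __name__ == "__main__":
    for line in check_exposure(SAMPLE_VALUES) or ["expose/externalURL settings are consistent"]:
        print(line)
```

Run it against the defaults above and the only finding is the empty `secretName`, which is the note that a self-signed certificate will be generated; switch `expose.type` to clusterIP without changing externalURL and it reports both the host mismatch and the missing commonName.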

# The internal TLS used for harbor components secure communicating. In order to enable https
# in each components tls cert files need to provided in advance.
# Notes
	# Internal TLS secures the communication between Harbor components. To enable https for each component, the TLS cert files must be provided in advance.
# Purpose
	# If the components below are to talk to each other over HTTPS, the certificates have to be in place first; otherwise startup errors are to be expected.
# Pitfalls
internalTLS:
  # If internal TLS enabled
  # Notes
  	# Switch for internal TLS
  # Purpose
  # Pitfalls
  enabled: false
  # There are three ways to provide tls
  # 1) "auto" will generate cert automatically
  # 2) "manual" need provide cert file manually in following value
  # 3) "secret" internal certificates from secret
  # Notes
  	# There are three ways to provide TLS
  	# "auto": the cert is generated automatically
  	# "manual": the cert files are supplied by hand in the settings below
  	# "secret": the certs are read from Kubernetes secrets
  # Purpose
  # Pitfalls
  certSource: "auto"
  # The content of trust ca, only available when `certSource` is "manual"
  # Notes
  	# Only needs to be set when certSource is "manual"
  # Purpose
  # Pitfalls
  trustCa: ""
  # core related cert configuration
  # Notes
  # Purpose
  # Pitfalls
  core:
    # secret name for core's tls certs
    # Notes
    	# Name of the secret holding core's TLS certs
    # Purpose
    # Pitfalls
    secretName: ""
    # Content of core's TLS cert file, only available when `certSource` is "manual"
    # Notes
    	# As said above, the manual type needs the cert file supplied by hand; this is where it goes. It only takes effect with certSource "manual".
    # Purpose
    # Pitfalls
    crt: ""
    # Content of core's TLS key file, only available when `certSource` is "manual"
    # Notes
    	# TLS key file supplied by hand; again only effective with certSource "manual"
    # Purpose
    # Pitfalls
    key: ""
  # jobservice related cert configuration
  # Notes
  	# jobservice settings
  # Purpose
  	# I did not understand what the jobservice settings are for.
  	# jobservice runs as a daemon in the backend and serves the other components; to keep that traffic secure, any component calling the jobservice API must send an Authorization header with the request.
  	# So this is the security configuration for traffic between components, the same kind of setting as above. The defaults are basically fine.
  # Pitfalls
  jobservice:
    # secret name for jobservice's tls certs
    # Notes
    # Purpose
    # Pitfalls
    secretName: ""
    # Content of jobservice's TLS cert file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    crt: ""
    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    key: ""
  # registry related cert configuration
  # Notes
  	# Certificate settings for the registry
  # Purpose
  # Pitfalls
  registry:
    # secret name for registry's tls certs
    # Notes
    	# Name of the secret holding the registry's TLS certs
    # Purpose
    # Pitfalls
    secretName: ""
    # Content of registry's TLS cert file, only available when `certSource` is "manual"
    # Notes
    	# Content of the registry's TLS certificate file; only used when "certSource" is "manual"
    # Purpose
    # Pitfalls
    crt: ""
    # Content of registry's TLS key file, only available when `certSource` is "manual"
    # Notes
    	# Content of the registry's TLS private key file; only used when "certSource" is "manual"
    # Purpose
    # Pitfalls
    key: ""
  # portal related cert configuration
  portal:
    # secret name for portal's tls certs
    # Notes
    	# Certificate settings for the portal. These blocks all look the same, so they are not described in detail; each only takes effect with certSource "manual".
    # Purpose
    # Pitfalls
    secretName: ""
    # Content of portal's TLS cert file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    crt: ""
    # Content of portal's TLS key file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    key: ""
  # chartmuseum related cert configuration
  chartmuseum:
    # secret name for chartmuseum's tls certs
    # Notes
    	# Certificate settings for chartmuseum
    # Purpose
    # Pitfalls
    secretName: ""
    # Content of chartmuseum's TLS cert file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    crt: ""
    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    key: ""
  # clair related cert configuration
  clair:
    # secret name for clair's tls certs
    # Notes
    	# Certificate settings for clair
    # Purpose
    # Pitfalls
    secretName: ""
    # Content of clair's TLS cert file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    crt: ""
    # Content of clair's TLS key file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    key: ""
  # trivy related cert configuration
  trivy:
    # secret name for trivy's tls certs
    # Notes
    	# Certificate settings for trivy
    # Purpose
    	# Trivy is the image vulnerability scanner.
    # Pitfalls
    secretName: ""
    # Content of trivy's TLS cert file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    crt: ""
    # Content of trivy's TLS key file, only available when `certSource` is "manual"
    # Notes
    # Purpose
    # Pitfalls
    key: ""

# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamically.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
# if you have already existing persistent volumes to use
#
# For storing images and charts, you can also use "azure", "gcs", "s3",
# "swift" or "oss". Set it in the "imageChartStorage" section
# Notes
	# Persistence settings: persistent volumes are mounted for the stateful components.
	# Persistence is enabled by default and relies on the cluster's default StorageClass.
# Purpose
# Pitfalls
persistence:
  enabled: true
  # Setting it to "keep" to avoid removing PVCs during a helm delete
  # operation. Leaving it empty will delete PVCs after the chart deleted
  # Notes
  	# With "keep", deleting the Harbor release does not delete the mounted volumes (and the images on them).
  # Purpose
  # Pitfalls
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      # Notes
      	# Use an existing PVC, which must be created manually before it is bound
      	# If the PVC is shared with other components, specify "subPath"
      # Purpose
      # Pitfalls
      existingClaim: ""
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used(the default).
      # Set it to "-" to disable dynamic provisioning
      # Notes
      	# Selects the StorageClass that provisions the volume; left empty, the cluster default is used, which is what happens here.
      	# Each claim has the same fields: StorageClass, subPath, access mode and size.
      # Purpose
      # Pitfalls
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external database is used, the following settings for database will
    # be ignored
    # Notes
    	# If an external database is used, the database settings below are ignored. This is the database volume.
    # Purpose
    # Pitfalls
    database:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    # Notes
    	# Redis volume; ignored if an external Redis is used
    # Purpose
    # Pitfalls
    redis:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
  # Define which storage backend is used for registry and chartmuseum to store
  # images and charts. Refer to
  # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  # for the detail.
  # Notes
  	# Defines the storage backend used by registry and chartmuseum
  # Purpose
  # Pitfalls
  imageChartStorage:
    # Specify whether to disable `redirect` for images and chart storage, for
    # backends which not supported it (such as using minio for `s3` storage type), please disable
    # it. To disable redirects, simply set `disableredirect` to `true` instead.
    # Refer to
    # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
    # for the detail.
    # Notes
    	# Disables the redirect from the registry to the storage backend; needed for backends that do not support it (for example MinIO used as "s3")
    # Purpose
    # Pitfalls
    disableredirect: false
    # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
    # The secret must contain keys named "ca.crt" which will be injected into the trust store
    # of registry's and chartmuseum's containers.
    # caBundleSecretName:

    # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
    # "oss" and fill the information needed in the corresponding section. The type
    # must be "filesystem" if you want to use persistent volumes for registry
    # and chartmuseum
    # Notes
    	# If the storage service uses a self-signed certificate, specify "caBundleSecretName" (above) so its CA is trusted, rather than turning certificate verification off.
    	# Storage type; it must be "filesystem" if persistent volumes are to be used for registry and chartmuseum.
    # Purpose
    # Pitfalls
    type: filesystem
    filesystem:
      rootdirectory: /storage
      #maxthreads: 100
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      #realm: core.windows.net
    gcs:
      bucket: bucketname
      # The base64 encoded json file which contains the key
      # Notes
      # Purpose
      # Pitfalls
      encodedkey: base64-encoded-json-key-file
      #rootdirectory: /gcs/object/name/prefix
      #chunksize: "5242880"
      
    s3:
      region: us-west-1
      bucket: bucketname
      #accesskey: awsaccesskey
      #secretkey: awssecretkey
      #regionendpoint: http://myobjects.local
      #encrypt: false
      #keyid: mykeyid
      #secure: true
      #v4auth: true
      #chunksize: "5242880"
      #rootdirectory: /s3/object/name/prefix
      #storageclass: STANDARD
     
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      #region: fr
      #tenant: tenantname
      #tenantid: tenantid
      #domain: domainname
      #domainid: domainid
      #trustid: trustid
      #insecureskipverify: false
      #chunksize: 5M
      #prefix:
      #secretkey: secretkey
      #accesskey: accesskey
      #authversion: 3
      #endpointtype: public
      #tempurlcontainerkey: false
      #tempurlmethods:
     
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      #endpoint: endpoint
      #internal: false
      #encrypt: false
      #secure: true
      #chunksize: 10M
      #rootdirectory: rootdirectory
      # Notes
      # Purpose
      # Pitfalls

imagePullPolicy: IfNotPresent

# Use this set to assign a list of default pullSecrets
# Notes
	# Use this to assign a list of default pullSecrets (needed when Harbor's own images come from a private registry)
# Purpose
# Pitfalls
imagePullSecrets:
#  - name: docker-registry-secret
#  - name: internal-registry-secret

# The update strategy for deployments with persistent volumes(jobservice, registry
# and chartmuseum): "RollingUpdate" or "Recreate"
# Set it as "Recreate" when "RWM" for volumes isn't supported
# Notes
	# Update strategy for the deployments that have persistent volumes (jobservice, registry and chartmuseum): "RollingUpdate" or "Recreate"
	# Set it to "Recreate" when the volumes do not support ReadWriteMany, because a rolling update cannot start the new pod while the old one still holds a ReadWriteOnce volume
# Purpose
# Pitfalls
updateStrategy:
  type: RollingUpdate

# debug, info, warning, error or fatal
# Notes
	# Log level of the Harbor components; one of the five levels listed above, debug being the most verbose
# Purpose
# Pitfalls
logLevel: info

# The initial password of Harbor admin. Change it from portal after launching Harbor
# Notes
	# Initial password of the Harbor admin account. It does not expire on its own: change it from the portal right after the first login.
# Purpose
	# The value only seeds the admin account on the first install; changing it later does not reset a password already stored in the database.
# Pitfalls
	# Leaving Harbor12345 in place hands the admin account to anyone who can reach the portal.
harborAdminPassword: "Harbor12345"
# The secret key used for encryption. Must be a string of 16 chars.
# Notes
	# Secret key used for encryption. Must be a string of exactly 16 characters.
# Purpose
	# Harbor uses it to encrypt credentials it stores, such as the passwords of remote registries configured for replication. Replace the default before the first install; values encrypted under one key cannot be decrypted after the key is changed.
# Pitfalls
secretKey: "not-a-secure-key"

# The proxy settings for updating clair vulnerabilities from the Internet and replicating
# artifacts from/to the registries that cannot be reached directly
# Notes
	# Proxy settings, used for fetching Clair vulnerability updates from the Internet and for
	# replicating artifacts to/from registries that cannot be reached directly
# Purpose
# Pitfalls
proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal
  # Components whose outbound traffic goes through the proxy
  components:
    - core
    - jobservice
    - clair

## UAA Authentication Options
# If you're using UAA for authentication behind a self-signed
# certificate you will need to provide the CA Cert.
# Set uaaSecretName below to provide a pre-created secret that
# contains a base64 encoded CA Certificate named `ca.crt`.
# uaaSecretName:

# If expose the service via "ingress", the Nginx will not be used
# Notes
	# If the exposure type is ingress, nginx is not used
	# This is where nginx is configured
# Purpose
# Pitfalls
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v2.0.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}

portal:
  image:
    repository: goharbor/harbor-portal
    tag: v2.0.0
  replicas: 1
# resources:
#  requests:
#    memory: 256Mi
#    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}

core:
  image:
    repository: goharbor/harbor-core
    tag: v2.0.0
  replicas: 1
  ## Liveness probe values
  livenessProbe:
    initialDelaySeconds: 300
# resources:
#  requests:
#    memory: 256Mi
#    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used when core server communicates with other components.
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  # Notes
  	# Secret used when the core server talks to the other components; Helm generates one if it is left empty
  # Purpose
  # Pitfalls
  secret: ""
  # Fill the name of a kubernetes secret if you want to use your own
  # TLS certificate and private key for token encryption/decryption.
  # The secret must contain keys named:
  # "tls.crt" - the certificate
  # "tls.key" - the private key
  # The default key pair will be used if it isn't set
  # Notes
  	# Name of a Kubernetes Secret in Harbor's namespace (it can be created through KubeSphere's secret management) holding your own tls.crt/tls.key for the registry tokens; the default key pair is used otherwise
  # Purpose
  # Pitfalls
  secretName: ""
  # The XSRF key. Will be generated automatically if it isn't specified
  # Notes
  	# XSRF key for the portal; generated automatically if left empty
  # Purpose
  # Pitfalls
  xsrfKey: ""

jobservice:
  image:
    repository: goharbor/harbor-jobservice
    tag: v2.0.0
  replicas: 1
  maxJobWorkers: 10
  # The logger for jobs: "file", "database" or "stdout"
  # Notes
  	# Where job logs are written: file, database or stdout
  # Purpose
  # Pitfalls
  jobLogger: file
# resources:
#   requests:
#     memory: 256Mi
#     cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used when job service communicates with other components.
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  # Notes
  	# Secret used when the job service talks to the other components
  	# If no key is specified, Helm generates one
  	# Must be a 16-character string
  # Purpose
  # Pitfalls
  secret: ""
# Registry image configuration
registry:
  registry:
    image:
      repository: goharbor/registry-photon
      tag: v2.0.0

    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  # Image configuration for the registry controller (registryctl)
  controller:
    image:
      repository: goharbor/harbor-registryctl
      tag: v2.0.0

    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used to secure the upload state from client
  # and registry storage backend.
  # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  # Notes
  	# Secret that protects the upload state between the client and the registry storage backend
  	# If no key is specified, Helm generates one. The defaults can be used here.
  # Purpose
  # Pitfalls
  secret: ""
  # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
  # Notes
  	# If true, the registry returns relative URLs in Location headers and the client is responsible for resolving the correct URL
  # Purpose
  # Pitfalls
  relativeurls: false
  # Credentials (not certificates): the basic-auth user the registry accepts, which Harbor core uses to talk to it. These are the chart's sample values; change the password and regenerate the htpasswd line below.
  credentials:
    username: "harbor_registry_user"
    password: "harbor_registry_password"
    # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
    # e.g. "htpasswd -nbBC10 $username $password"
    
    htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
  # Middleware
  middleware:
    enabled: false
    type: cloudFront
    cloudFront:
      baseurl: example.cloudfront.net
      keypairid: KEYPAIRID
      duration: 3000s
      ipfilteredby: none
      # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
      # that allows access to CloudFront
      privateKeySecret: "my-secret"

chartmuseum:
  enabled: true
  # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
  absoluteUrl: false
  image:
    repository: goharbor/chartmuseum-photon
    tag: v2.0.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}

clair:
  enabled: true
  clair:
    image:
      repository: goharbor/clair-photon
      tag: v2.0.0
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  adapter:
    image:
      repository: goharbor/clair-adapter-photon
      tag: v2.0.0
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  replicas: 1
  # The interval of clair updaters, the unit is hour, set to 0 to
  # disable the updaters
  updatersInterval: 12
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}

trivy:
  # enabled the flag to enable Trivy scanner
  enabled: true
  image:
    # repository the repository for Trivy adapter image
    repository: goharbor/trivy-adapter-photon
    # tag the tag for Trivy adapter image
    tag: v2.0.0
  # replicas the number of Pod replicas
  replicas: 1
  # debugMode the flag to enable Trivy debug mode with more verbose scanning log
  debugMode: false
  # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
  vulnType: "os,library"
  # severity a comma-separated list of severities to be checked
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  # ignoreUnfixed the flag to display only fixed vulnerabilities
  ignoreUnfixed: false
  # insecure the flag to skip verifying registry certificate
  insecure: false
  # gitHubToken the GitHub access token to download Trivy DB
  #
  # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
  # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
  # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
  # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
  # Currently, the database is updated every 12 hours and published as a new release to GitHub.
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  gitHubToken: ""
  # skipUpdate the flag to disable Trivy DB downloads from GitHub
  #
  # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
  # `/home/scanner/.cache/trivy/db/trivy.db` path.
  skipUpdate: false
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1
      memory: 1Gi
  ## Additional deployment annotations
  podAnnotations: {}

notary:
  enabled: true
  server:
    image:
      repository: goharbor/notary-server-photon
      tag: v2.0.0
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  signer:
    image:
      repository: goharbor/notary-signer-photon
      tag: v2.0.0
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Fill the name of a kubernetes secret if you want to use your own
  # TLS certificate authority, certificate and private key for notary
  # communications.
  # The secret must contain keys named ca.crt, tls.crt and tls.key that
  # contain the CA, certificate and private key.
  # They will be generated if not set.
  secretName: ""

database:
  # if external database is used, set "type" to "external"
  # and fill the connection information in "external" section
  type: internal
  internal:
    image:
      repository: goharbor/harbor-db
      tag: v2.0.0
    # the image used by the init container
    initContainerImage:
      repository: busybox
      tag: latest
    # The initial superuser password for internal database
    password: "changeit"
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    # "disable" - No SSL
    # "require" - Always SSL (skip verification)
    # "verify-ca" - Always SSL (verify that the certificate presented by the
    # server was signed by a trusted CA)
    # "verify-full" - Always SSL (verify that the certification presented by the
    # server was signed by a trusted CA and the server host name matches the one
    # in the certificate)
    sslmode: "disable"
  # The maximum number of connections in the idle connection pool.
  # If it <=0, no idle connections are retained.
  maxIdleConns: 50
  # The maximum number of open connections to the database.
  # If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgre.
  maxOpenConns: 100
  ## Additional deployment annotations
  podAnnotations: {}

redis:
  # if external Redis is used, set "type" to "external"
  # and fill the connection information in "external" section
  type: internal
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v2.0.0
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.2"
    port: "6379"
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    clairAdapterIndex: "4"
    trivyAdapterIndex: "5"
    password: ""
  ## Additional deployment annotations
  podAnnotations: {}
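The secret-related settings scattered through this file (harborAdminPassword and secretKey, the 16-character `secret` values under core, jobservice and registry, registry.credentials with its htpasswd line, the internal database password and the external database sslmode) are what a reviewer checks before `helm install`. The script below is an added example written for this page, not code from the original post or from the Harbor chart. It audits a values tree given as a plain dict (the constructed `SAMPLE_VALUES` mirrors the defaults shown above) and produces a hardened copy with fresh random material. The password rule it applies (20 characters with upper case, lower case and a digit) is an assumption modelled on what the Harbor portal enforces; the registry htpasswd hash is deliberately not regenerated because that needs bcrypt (`htpasswd -nbBC10`, as the chart comment says).

```python
"""Secret-hygiene audit for a Harbor chart values tree. Added example for this
page; not code from the original post or from the Harbor chart."""
import copy
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

# Values the chart ships with that must not reach a real cluster.
KNOWN_DEFAULTS = {
    "harborAdminPassword": "Harbor12345",
    "secretKey": "not-a-secure-key",
    "database.internal.password": "changeit",
    "registry.credentials.password": "harbor_registry_password",
}
# Keys the chart comments require to be exactly 16 characters when set.
SIXTEEN_CHAR_KEYS = ("secretKey", "core.secret", "jobservice.secret", "registry.secret")

# Constructed sample mirroring the defaults shown on this page.
SAMPLE_VALUES = {
    "harborAdminPassword": "Harbor12345",
    "secretKey": "not-a-secure-key",
    "core": {"secret": "", "xsrfKey": ""},
    "jobservice": {"secret": ""},
    "registry": {
        "secret": "",
        "credentials": {
            "username": "harbor_registry_user",
            "password": "harbor_registry_password",
            "htpasswd": "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m",
        },
    },
    "database": {"type": "internal", "internal": {"password": "changeit"}, "external": {"sslmode": "disable"}},
    "trivy": {"insecure": False},
}


def dig(tree, path, default=None):
    """Follow a dotted key path through nested dicts; return default on any miss."""
    node = tree
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def put(tree, path, value):
    """Set a dotted key path, creating intermediate dicts as needed."""
    keys = path.split(".")
    node = tree
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def new_secret(length=16):
    """Random alphanumeric string; 16 is the length the chart requires for the *.secret keys."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_password(length=20):
    """Random password with mixed case and a digit (assumed portal rule, see lead-in)."""
    while True:
        candidate = new_secret(length)
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def audit_secrets(values):
    """Return findings about secret material; an empty list means nothing was flagged."""
    findings = []
    for path, default in KNOWN_DEFAULTS.items():
        if dig(values, path) == default:
            findings.append(f"{path} is still the chart default")
    for path in SIXTEEN_CHAR_KEYS:
        value = dig(values, path)
        if value and len(value) != 16:  # empty means Helm generates one
            findings.append(f"{path} must be exactly 16 characters, got {len(value)}")
    if dig(values, "database.type") == "external" and dig(values, "database.external.sslmode", "disable") == "disable":
        findings.append("database.external.sslmode is disable: credentials and data cross the network in clear text")
    htpasswd = dig(values, "registry.credentials.htpasswd") or ""
    if htpasswd:
        user, _, digest = htpasswd.partition(":")
        if user != dig(values, "registry.credentials.username"):
            findings.append("registry.credentials.htpasswd names a different user than registry.credentials.username")
        if not digest.startswith(("$2a$", "$2b$", "$2y$")):
            findings.append("registry.credentials.htpasswd is not a bcrypt hash; regenerate it with htpasswd -nbBC10")
    if dig(values, "trivy.insecure") is True:
        findings.append("trivy.insecure is true: registry certificate verification is skipped")
    return findings


def harden(values):
    """Copy of values with fresh random material replacing the chart defaults.
    registry.credentials is left untouched: its htpasswd bcrypt line has to be
    regenerated with the htpasswd tool whenever that password changes."""
    hardened = copy.deepcopy(values)
    if dig(hardened, "harborAdminPassword") == KNOWN_DEFAULTS["harborAdminPassword"]:
        put(hardened, "harborAdminPassword", new_password())
    if dig(hardened, "secretKey") == KNOWN_DEFAULTS["secretKey"] or len(dig(hardened, "secretKey") or "") != 16:
        put(hardened, "secretKey", new_secret(16))
    if dig(hardened, "database.internal.password") == KNOWN_DEFAULTS["database.internal.password"]:
        put(hardened, "database.internal.password", new_password())
    return hardened


if __name__ == "__main__":
    for line in audit_secrets(SAMPLE_VALUES):
        print("before:", line)
    for line in audit_secrets(harden(SAMPLE_VALUES)):
        print("after: ", line)
```

On the defaults above the audit flags the admin password, secretKey, the internal database password and the registry password; after `harden()` only the registry password remains, which is the reminder to run `htpasswd -nbBC10` and paste the new line into `registry.credentials.htpasswd` by hand.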

Summary

I am learning to install Harbor from the KubeSphere app store; this post is a reading of its configuration file. I will fill in the pitfall records and the remaining settings later.
