Add harbor files to containers.

2022-07-12 05:43:15 +02:00
parent 175d5c7695
commit 7466ecab31
23 changed files with 1780 additions and 0 deletions
--- a/harbor/common/config/core/app.conf
+++ b/harbor/common/config/core/app.conf
@@ -0,0 +1,6 @@
+appname = Harbor
+runmode = prod
+enablegzip = true
+
+[prod]
+httpport = 8080
--- a/harbor/common/config/core/env
+++ b/harbor/common/config/core/env
@@ -0,0 +1,50 @@
+CONFIG_PATH=/etc/core/app.conf
+UAA_CA_ROOT=/etc/core/certificates/uaa_ca.pem
+_REDIS_URL_CORE=redis://redis:6379?idle_timeout_seconds=30
+SYNC_QUOTA=true
+CHART_CACHE_DRIVER=redis
+_REDIS_URL_REG=redis://redis:6379/1?idle_timeout_seconds=30
+
+LOG_LEVEL=info
+EXT_ENDPOINT=https://cs-registry.ddnss.de
+DATABASE_TYPE=postgresql
+POSTGRESQL_HOST=postgresql
+POSTGRESQL_PORT=5432
+POSTGRESQL_USERNAME=postgres
+POSTGRESQL_PASSWORD=mH3^tE6FPhUxk#W5iBP9FTq^AsyB8g
+POSTGRESQL_DATABASE=registry
+POSTGRESQL_SSLMODE=disable
+POSTGRESQL_MAX_IDLE_CONNS=100
+POSTGRESQL_MAX_OPEN_CONNS=900
+REGISTRY_URL=http://registry:5000
+PORTAL_URL=http://portal:8080
+TOKEN_SERVICE_URL=http://core:8080/service/token
+HARBOR_ADMIN_PASSWORD=j2Q2gRX@zpGYGsUZwJ@ynvnU3gw6Y*
+MAX_JOB_WORKERS=10
+CORE_SECRET=Q1kOSJ2hbw3qs2Uh
+JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+WITH_NOTARY=False
+WITH_TRIVY=True
+CORE_URL=http://core:8080
+CORE_LOCAL_URL=http://127.0.0.1:8080
+JOBSERVICE_URL=http://jobservice:8080
+TRIVY_ADAPTER_URL=http://trivy-adapter:8080
+NOTARY_URL=http://notary-server:4443
+REGISTRY_STORAGE_PROVIDER_NAME=filesystem
+READ_ONLY=false
+RELOAD_KEY=
+CHART_REPOSITORY_URL=http://chartmuseum:9999
+REGISTRY_CONTROLLER_URL=http://registryctl:8080
+WITH_CHARTMUSEUM=False
+REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
+REGISTRY_CREDENTIAL_PASSWORD=nTDpudVQRYA4rPGrDvmLvHskdd5gPcUU
+CSRF_KEY=dtP7zBtDmaQR9fhuxuy5fNpbCVZfFSD4
+PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry
+
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+
+PORT=8080
+
+
--- a/harbor/common/config/db/env
+++ b/harbor/common/config/db/env
@@ -0,0 +1 @@
+POSTGRES_PASSWORD=mH3^tE6FPhUxk#W5iBP9FTq^AsyB8g
--- a/harbor/common/config/jobservice/config.yml
+++ b/harbor/common/config/jobservice/config.yml
@@ -0,0 +1,36 @@
+---
+#Protocol used to serve
+protocol: "http"
+
+#Server listening port
+port: 8080
+
+#Worker pool
+worker_pool:
+  #Worker concurrency
+  workers: 10
+  backend: "redis"
+  #Additional config if use 'redis' backend
+  redis_pool:
+    #redis://[arbitrary_username:password@]ipaddress:port/database_index
+    redis_url: redis://redis:6379/2?idle_timeout_seconds=30
+    namespace: "harbor_job_service_namespace"
+    idle_timeout_second: 3600
+#Loggers for the running job
+job_loggers:
+  - name: "STD_OUTPUT" # logger backend name, only support "FILE" and "STD_OUTPUT"
+    level: "INFO" # INFO/DEBUG/WARNING/ERROR/FATAL
+  - name: "FILE"
+    level: "INFO"
+    settings: # Customized settings of logger
+      base_dir: "/var/log/jobs"
+    sweeper:
+      duration: 1 #days
+      settings: # Customized settings of sweeper
+        work_dir: "/var/log/jobs"
+
+#Loggers for the job service
+loggers:
+  - name: "STD_OUTPUT" # Same with above
+    level: "INFO"
+
--- a/harbor/common/config/jobservice/env
+++ b/harbor/common/config/jobservice/env
@@ -0,0 +1,15 @@
+CORE_SECRET=Q1kOSJ2hbw3qs2Uh
+REGISTRY_URL=http://registry:5000
+JOBSERVICE_SECRET=LURd3ymSGca6nuB5
+CORE_URL=http://core:8080
+REGISTRY_CONTROLLER_URL=http://registryctl:8080
+JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10
+
+
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
+REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
+REGISTRY_CREDENTIAL_PASSWORD=nTDpudVQRYA4rPGrDvmLvHskdd5gPcUU
+
+
--- a/harbor/common/config/log/logrotate.conf
+++ b/harbor/common/config/log/logrotate.conf
@@ -0,0 +1,8 @@
+/var/log/docker/*.log {
+        rotate 50
+        size 200M
+        copytruncate
+        compress
+        missingok
+        nodateext
+}
--- a/harbor/common/config/log/rsyslog_docker.conf
+++ b/harbor/common/config/log/rsyslog_docker.conf
@@ -0,0 +1,7 @@
+# Rsyslog configuration file for docker.
+
+template(name="DynaFile" type="string" string="/var/log/docker/%programname%.log")
+
+if $programname != "rsyslogd" then {
+	action(type="omfile" dynaFile="DynaFile")
+}
--- a/harbor/common/config/nginx/nginx.conf
+++ b/harbor/common/config/nginx/nginx.conf
@@ -0,0 +1,130 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+  worker_connections 3096;
+  use epoll;
+  multi_accept on;
+}
+
+http {
+  client_body_temp_path /tmp/client_body_temp;
+  proxy_temp_path /tmp/proxy_temp;
+  fastcgi_temp_path /tmp/fastcgi_temp;
+  uwsgi_temp_path /tmp/uwsgi_temp;
+  scgi_temp_path /tmp/scgi_temp;
+  tcp_nodelay on;
+
+  # this is necessary for us to be able to disable request buffering in all cases
+  proxy_http_version 1.1;
+
+  upstream core {
+    server core:8080;
+  }
+
+  upstream portal {
+    server portal:8080;
+  }
+
+  log_format timed_combined '$remote_addr - '
+    '"$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" '
+    '$request_time $upstream_response_time $pipe';
+
+  access_log /dev/stdout timed_combined;
+
+  map $http_x_forwarded_proto $x_forwarded_proto {
+    default $http_x_forwarded_proto;
+    ""      $scheme;
+  }
+
+  server {
+    listen 8080;
+    server_tokens off;
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # Add extra headers
+    add_header X-Frame-Options DENY;
+    add_header Content-Security-Policy "frame-ancestors 'none'";
+
+    # customized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
+    include /etc/nginx/conf.d/harbor.http.*.conf;
+
+    location / {
+      proxy_pass http://portal/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /c/ {
+      proxy_pass http://core/c/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /api/ {
+      proxy_pass http://core/api/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /chartrepo/ {
+      proxy_pass http://core/chartrepo/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /v1/ {
+      return 404;
+    }
+
+    location /v2/ {
+      proxy_pass http://core/v2/;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+      proxy_buffering off;
+      proxy_request_buffering off;
+
+      proxy_send_timeout 900;
+      proxy_read_timeout 900;
+    }
+
+    location /service/ {
+      proxy_pass http://core/service/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /service/notifications {
+      return 404;
+    }
+  }
+}
--- a/harbor/common/config/nginx/nginx.conf~
+++ b/harbor/common/config/nginx/nginx.conf~
@@ -0,0 +1,130 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+  worker_connections 3096;
+  use epoll;
+  multi_accept on;
+}
+
+http {
+  client_body_temp_path /tmp/client_body_temp;
+  proxy_temp_path /tmp/proxy_temp;
+  fastcgi_temp_path /tmp/fastcgi_temp;
+  uwsgi_temp_path /tmp/uwsgi_temp;
+  scgi_temp_path /tmp/scgi_temp;
+  tcp_nodelay on;
+
+  # this is necessary for us to be able to disable request buffering in all cases
+  proxy_http_version 1.1;
+
+  upstream core {
+    server core:8080;
+  }
+
+  upstream portal {
+    server portal:8080;
+  }
+
+  log_format timed_combined '$remote_addr - '
+    '"$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" '
+    '$request_time $upstream_response_time $pipe';
+
+  access_log /dev/stdout timed_combined;
+
+  map $http_x_forwarded_proto $x_forwarded_proto {
+    default $http_x_forwarded_proto;
+    ""      $scheme;
+  }
+
+  server {
+    listen 8080;
+    server_tokens off;
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # Add extra headers
+    add_header X-Frame-Options DENY;
+    add_header Content-Security-Policy "frame-ancestors 'none'";
+
+    # customized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
+    include /etc/nginx/conf.d/harbor.http.*.conf;
+
+    location / {
+      proxy_pass http://portal/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /c/ {
+      proxy_pass http://core/c/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /api/ {
+      proxy_pass http://core/api/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /chartrepo/ {
+      proxy_pass http://core/chartrepo/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /v1/ {
+      return 404;
+    }
+
+    location /v2/ {
+      proxy_pass http://core/v2/;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+      proxy_buffering off;
+      proxy_request_buffering off;
+
+      proxy_send_timeout 900;
+      proxy_read_timeout 900;
+    }
+
+    location /service/ {
+      proxy_pass http://core/service/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /service/notifications {
+      return 404;
+    }
+  }
+}
--- a/harbor/common/config/portal/nginx.conf
+++ b/harbor/common/config/portal/nginx.conf
@@ -0,0 +1,38 @@
+
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+
+    client_body_temp_path /tmp/client_body_temp;
+    proxy_temp_path /tmp/proxy_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    server {
+        listen 8080;
+        server_name  localhost;
+
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        include /etc/nginx/mime.types;
+
+        gzip on;
+        gzip_min_length 1000;
+        gzip_proxied expired no-cache no-store private auth;
+        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        location = /index.html {
+            add_header Cache-Control "no-store, no-cache, must-revalidate";
+        }
+    }
+}
--- a/harbor/common/config/registry/config.yml
+++ b/harbor/common/config/registry/config.yml
@@ -0,0 +1,43 @@
+version: 0.1
+log:
+  level: info
+  fields:
+    service: registry
+storage:
+  cache:
+    layerinfo: redis
+  filesystem:
+    rootdirectory: /storage
+  maintenance:
+    uploadpurging:
+      enabled: true
+      age: 168h
+      interval: 24h
+      dryrun: false
+  delete:
+    enabled: true
+redis:
+  addr: redis:6379
+  readtimeout: 10s
+  writetimeout: 10s
+  dialtimeout: 10s
+  password: 
+  db: 1
+  pool:
+    maxidle: 100
+    maxactive: 500
+    idletimeout: 60s
+http:
+  addr: :5000
+  secret: placeholder
+  debug:
+    addr: localhost:5001
+auth:
+  htpasswd:
+    realm: harbor-registry-basic-realm
+    path: /etc/registry/passwd
+validation:
+  disabled: true
+compatibility:
+  schema1:
+    enabled: true
--- a/harbor/common/config/registry/passwd
+++ b/harbor/common/config/registry/passwd
@@ -0,0 +1 @@
+harbor_registry_user:$2y$05$ZZgSSdASjscjf4QfvkaEHus/y62rx0h2qPoLeb/MsoG5FvUmrPfI.
--- a/harbor/common/config/registry/root.crt
+++ b/harbor/common/config/registry/root.crt
--- a/harbor/common/config/registryctl/config.yml
+++ b/harbor/common/config/registryctl/config.yml
@@ -0,0 +1,5 @@
+---
+protocol: "http"
+port: 8080
+log_level: info
+registry_config: "/etc/registry/config.yml"
--- a/harbor/common/config/registryctl/env
+++ b/harbor/common/config/registryctl/env
@@ -0,0 +1,2 @@
+CORE_SECRET=Q1kOSJ2hbw3qs2Uh
+JOBSERVICE_SECRET=LURd3ymSGca6nuB5
--- a/harbor/common/config/trivy-adapter/env
+++ b/harbor/common/config/trivy-adapter/env
@@ -0,0 +1,19 @@
+SCANNER_LOG_LEVEL=info
+SCANNER_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_NAMESPACE=harbor.scanner.trivy:store
+SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_JOB_QUEUE_REDIS_NAMESPACE=harbor.scanner.trivy:job-queue
+SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
+SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
+SCANNER_TRIVY_VULN_TYPE=os,library
+SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+SCANNER_TRIVY_IGNORE_UNFIXED=False
+SCANNER_TRIVY_SKIP_UPDATE=False
+SCANNER_TRIVY_OFFLINE_SCAN=False
+SCANNER_TRIVY_GITHUB_TOKEN=
+SCANNER_TRIVY_INSECURE=False
+SCANNER_TRIVY_TIMEOUT=5m0s
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=.internal,notary-signer,registryctl,.local,nginx,chartmuseum,portal,127.0.0.1,exporter,redis,jobservice,db,core,registry,localhost,trivy-adapter,log,notary-server,postgresql
				`@@ -0,0 +1 @@`
				`POSTGRES_PASSWORD=mH3^tE6FPhUxk#W5iBP9FTq^AsyB8g`
				`@@ -0,0 +1 @@`
				`harbor_registry_user:$2y$05$ZZgSSdASjscjf4QfvkaEHus/y62rx0h2qPoLeb/MsoG5FvUmrPfI.`