1. 在k8s部署
安装依赖:
- Kubernetes cluster 1.10+
- Helm 2.8.0+
- Highly available ingress controller (Harbor does not manage the external endpoint)
- Highly available PostgreSQL database (Harbor does not handle the deployment of HA of database)
- Highly available Redis (Harbor does not handle the deployment of HA of Redis)
- PVC that can be shared across nodes or external object storage
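1.0 ssl证书(后文 values.yaml 使用 certSource: secret、secretName: "harbor-tls",因此需要先在 Harbor 所在的 namespace 中创建名为 harbor-tls、包含 tls.crt 和 tls.key 的 Secret)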
1.1 helm部署
1.1.1 添加仓库
bash
# 添加仓库
helm repo add harbor https://helm.goharbor.io
# 查看
[root@kube-master ~]# helm repo list
NAME URL
bitnami https://charts.bitnami.com/bitnami
openkruise https://openkruise.github.io/charts
harbor https://helm.goharbor.io
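配置文件(下面的链接指向 master 分支,内容可能与实际安装的 chart 版本不一致;以 `helm show values harbor/harbor --version <chart版本>` 的输出为准)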
https://github.com/goharbor/harbor-helm/blob/master/values.yaml
几个重要的配置
yaml
expose:
# 设置暴露服务的方式:"ingress", "clusterIP", "nodePort" or "loadBalancer"
type: ingress
tls:
# SSL
enabled: true
...
ingress:
hosts:
# Core 域名
core: core.harbor.domain
# Notary 域名
notary: notary.harbor.domain
...
# 一般就是 nginx
className: ""
...
# 暴露给外部访问的域名
externalURL: https://core.harbor.domain
...
# 数据持久化
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# 因为需要高可用,一般需要使用支持 ReadWriteMany 存储
storageClass: ""
accessMode: ReadWriteMany
size: 5Gi
jobservice:
jobLog:
storageClass: ""
accessMode: ReadWriteMany
size: 1Gi
database:
storageClass: ""
accessMode: ReadWriteMany
size: 1Gi
redis:
storageClass: ""
accessMode: ReadWriteOnce
size: 1Gi
trivy:
storageClass: ""
accessMode: ReadWriteOnce
imageChartStorage:
# 各种存储介质
type: filesystem
filesystem:
# 日志级别
logLevel: info
# 默认密码:Harbor12345 是 chart 公开的默认值,部署前必须修改(也可通过 existingSecretAdminPassword 引用已有的 Secret)
harborAdminPassword: "Harbor12345"
# 服务部署,主要修改副本数
nginx:
portal:
core:
jobservice:
registry:
trivy:
notary:
# 数据库可以自带也可以用外部的
database:
# Redis 可以自带也可以用外部的
redis:
# 监控
exporter:
metrics:
1.1.2 搜索chart
bash
[root@kube-master ~]# helm search repo harbor -l | grep harbor/harbor | head -4
harbor/harbor 1.15.0 2.11.0 An open source trusted cloud native registry th...
harbor/harbor 1.14.3 2.10.3 An open source trusted cloud native registry th...
harbor/harbor 1.14.2 2.10.2 An open source trusted cloud native registry th...
harbor/harbor 1.14.1 2.10.1 An open source trusted cloud native registry th...
1.1.3 下载
bash
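# Without --version the latest chart is downloaded; --untar unpacks it instead of
# leaving a .tgz archive.
helm fetch harbor/harbor --untar
# Pin a specific release. --version takes the CHART version (first version column of
# `helm search repo`), not the Harbor app version: per the search output above,
# chart 1.15.0 ships Harbor 2.11.0, so "--version 2.11.0" matches no chart.
helm pull harbor/harbor --version 1.15.0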
1.1.4 安装
- 创建 namespace
bash
kubectl create namespace kube-harbor
- 修改配置文件
vi values.yaml
yaml
#入口配置, 暴露服务的方式:"ingress", "clusterIP", "nodePort" or "loadBalancer"
expose:
type: ingress
tls:
### 是否启用 https 协议
enabled: true
certSource: secret
auto:
# The common name used to generate the certificate, it's necessary
# when the type isn't "ingress"
commonName: "harbor.ikubernetes.net"
secret:
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
secretName: "harbor-tls"
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# Only needed when the "expose.type" is "ingress".
notarySecretName: ""
## 如果Harbor部署在代理后,将其设置为代理的URL
externalURL: https://harbor.ikubernetes.net
### Harbor 各个组件的持久化配置,并将 storageClass 设置为集群默认的 storageClass
persistence:
enabled: true
# Setting it to "keep" to avoid removing PVCs during a helm delete
# operation. Leaving it empty will delete PVCs after the chart deleted
# (this does not apply for PVCs that are created for internal database
# and redis components, i.e. they are never deleted automatically)
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# Use the existing PVC which must be created manually before bound,
# and specify the "subPath" if the PVC is shared with other components
existingClaim: ""
# Specify the "storageClass" used to provision the volume. Or the default
# StorageClass will be used(the default).
# Set it to "-" to disable dynamic provisioning
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany # 因为需要高可用,一般需要使用支持 ReadWriteMany 存储
size: 100Gi
chartmuseum:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
jobservice:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
# If external database is used, the following settings for database will
# be ignored
database:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
# If external Redis is used, the following settings for Redis will
# be ignored
redis:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
trivy:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
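### Initial password of the default "admin" user; it must contain upper-case letters,
### lower-case letters and digits. The value below is a placeholder: use a unique,
### randomly generated password and keep the real one out of version control and out of
### published guides. The chart can also read it from an existing Secret
### (existingSecretAdminPassword) -- confirm the key with `helm show values` for your version.
harborAdminPassword: "<CHANGE_ME_STRONG_PASSWORD>"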
### 设置日志级别
logLevel: info
#各个组件 CPU & Memory 资源相关配置
nginx:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 500m
portal:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 500m
core:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 1000m
jobservice:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 500m
registry:
replicas: 1
registry:
resources:
requests:
memory: 256Mi
cpu: 500m
controller:
resources:
requests:
memory: 256Mi
cpu: 500m
clair:
clair:
resources:
requests:
memory: 256Mi
cpu: 500m
adapter:
resources:
requests:
memory: 256Mi
cpu: 500m
notary:
server:
resources:
requests:
memory: 256Mi
cpu: 500m
signer:
resources:
requests:
memory: 256Mi
cpu: 500m
database:
replicas: 1
internal:
resources:
requests:
memory: 256Mi
cpu: 500m
redis:
replicas: 1
internal:
resources:
requests:
memory: 256Mi
cpu: 500m
trivy:
enabled: true
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1024Mi
#开启 chartmuseum,使 Harbor 能够存储 Helm 的 chart(注意:Harbor 2.8 起已移除 ChartMuseum,较新的 chart 版本会忽略此配置,Helm chart 需以 OCI 制品方式推送)
chartmuseum:
enabled: true
resources:
requests:
memory: 256Mi
cpu: 500m
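# NOTE: in the chart's values.yaml this key is nested under "persistence:".
imageChartStorage:
  # Specify whether to disable `redirect` for images and chart storage. For
  # backends that do not support it (such as using minio for the `s3` storage type), please
  # disable it. To disable redirects, simply set `disableredirect` to `true` instead.
  # Refer to
  # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
  # for the detail.
  disableredirect: false
  # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
  # The secret must contain keys named "ca.crt" which will be injected into the trust store
  # of registry's and chartmuseum's containers.
  # caBundleSecretName:
  # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
  # "oss" and fill the information needed in the corresponding section. The type
  # must be "filesystem" if you want to use persistent volumes for registry
  # and chartmuseum
  type: s3
  s3:
    region: cn-hangzhou-1
    bucket: harbor
    # Placeholders only: never commit or publish real object-store credentials in a
    # values file. If a real key pair was ever written here, treat it as exposed and
    # rotate it. Recent chart versions can read both keys from a Kubernetes Secret
    # (s3.existingSecret) instead -- confirm with `helm show values` for your version.
    accesskey: "<S3_ACCESS_KEY>"
    secretkey: "<S3_SECRET_KEY>"
    # NOTE(review): an http:// endpoint together with "secure: false" means image data
    # and signed S3 requests cross the network unencrypted and unauthenticated by TLS;
    # use an https endpoint with "secure: true" where the storage service offers it.
    regionendpoint: http://172.16.7.1
    #encrypt: false
    #keyid: mykeyid
    secure: false
    #skipverify: false
    #v4auth: true
    #chunksize: "5242880"
    #rootdirectory: /s3/object/name/prefix
    #storageclass: STANDARD
    #multipartcopychunksize: "33554432"
    #multipartcopymaxconcurrency: 100
    #multipartcopythresholdsize: "33554432"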
- 安装
bash
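# Install into the namespace created earlier in this guide (kube-harbor); the original
# "-n harbor" names a namespace the guide never creates.
# harbor_values.yaml must be the values file edited above, and the TLS Secret
# "harbor-tls" it references has to exist in this same namespace before installing.
helm install harbor harbor/harbor -f harbor_values.yaml -n kube-harbor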
1.2 数据库在外部
yaml
#入口配置, 暴露服务的方式:"ingress", "clusterIP", "nodePort" or "loadBalancer"
expose:
type: ingress
tls:
### 是否启用 https 协议
enabled: true
certSource: secret
auto:
# The common name used to generate the certificate, it's necessary
# when the type isn't "ingress"
commonName: "harbor.ikubernetes.net"
secret:
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
secretName: "harbor-tls"
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# Only needed when the "expose.type" is "ingress".
notarySecretName: ""
## 如果Harbor部署在代理后,将其设置为代理的URL
externalURL: https://harbor.ikubernetes.net
### Harbor 各个组件的持久化配置,并将 storageClass 设置为集群默认的 storageClass
persistence:
enabled: true
# Setting it to "keep" to avoid removing PVCs during a helm delete
# operation. Leaving it empty will delete PVCs after the chart deleted
# (this does not apply for PVCs that are created for internal database
# and redis components, i.e. they are never deleted automatically)
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# Use the existing PVC which must be created manually before bound,
# and specify the "subPath" if the PVC is shared with other components
existingClaim: ""
# Specify the "storageClass" used to provision the volume. Or the default
# StorageClass will be used(the default).
# Set it to "-" to disable dynamic provisioning
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany # 因为需要高可用,一般需要使用支持 ReadWriteMany 存储
size: 100Gi
chartmuseum:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
jobservice:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
# If external database is used, the following settings for database will
# be ignored
database:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
# If external Redis is used, the following settings for Redis will
# be ignored
redis:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
trivy:
existingClaim: ""
storageClass: "csi-rbd-sc"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
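### Initial password of the default "admin" user; it must contain upper-case letters,
### lower-case letters and digits. The value below is a placeholder: use a unique,
### randomly generated password and keep the real one out of version control and out of
### published guides. The chart can also read it from an existing Secret
### (existingSecretAdminPassword) -- confirm the key with `helm show values` for your version.
harborAdminPassword: "<CHANGE_ME_STRONG_PASSWORD>"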
### 设置日志级别
logLevel: info
#各个组件 CPU & Memory 资源相关配置
nginx:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 500m
portal:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 500m
core:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 1000m
jobservice:
replicas: 1
resources:
requests:
memory: 256Mi
cpu: 500m
registry:
replicas: 1
registry:
resources:
requests:
memory: 256Mi
cpu: 500m
controller:
resources:
requests:
memory: 256Mi
cpu: 500m
clair:
clair:
resources:
requests:
memory: 256Mi
cpu: 500m
adapter:
resources:
requests:
memory: 256Mi
cpu: 500m
notary:
server:
resources:
requests:
memory: 256Mi
cpu: 500m
signer:
resources:
requests:
memory: 256Mi
cpu: 500m
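database:
  # "external" points Harbor at the PostgreSQL instance described below instead of the
  # database bundled with the chart.
  type: external
  external:
    # NOTE(review): 172.139.20.188 is outside the private 172.16.0.0/12 range; confirm
    # the address and make sure the database port is not reachable from untrusted networks.
    host: "172.139.20.188"
    port: "5432"
    # NOTE(review): "postgres" is normally the superuser role. A dedicated role that only
    # owns the Harbor database limits the damage if this credential leaks.
    username: "postgres"
    # Placeholder only: use a strong, unique password and keep it out of the values file.
    # The chart can read it from an existing Secret (external.existingSecret, key
    # "password") -- confirm with `helm show values` for your version.
    password: "<DB_PASSWORD>"
    coreDatabase: "registry"
    # NOTE(review): no sslmode is set, and the chart's default is "disable", so the
    # connection is unencrypted; set sslmode to "require" or stricter when the database
    # is reached over a network you do not fully control.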
redis:
replicas: 1
internal:
resources:
requests:
memory: 256Mi
cpu: 500m
trivy:
enabled: true
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1024Mi
#开启 chartmuseum,使 Harbor 能够存储 Helm 的 chart(注意:Harbor 2.8 起已移除 ChartMuseum,较新的 chart 版本会忽略此配置,Helm chart 需以 OCI 制品方式推送)
chartmuseum:
enabled: true
resources:
requests:
memory: 256Mi
cpu: 500m
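# NOTE: in the chart's values.yaml this key is nested under "persistence:".
imageChartStorage:
  # Specify whether to disable `redirect` for images and chart storage. For
  # backends that do not support it (such as using minio for the `s3` storage type), please
  # disable it. To disable redirects, simply set `disableredirect` to `true` instead.
  # Refer to
  # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
  # for the detail.
  disableredirect: false
  # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
  # The secret must contain keys named "ca.crt" which will be injected into the trust store
  # of registry's and chartmuseum's containers.
  # caBundleSecretName:
  # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
  # "oss" and fill the information needed in the corresponding section. The type
  # must be "filesystem" if you want to use persistent volumes for registry
  # and chartmuseum
  type: s3
  s3:
    region: cn-hangzhou-1
    bucket: harbor
    # Placeholders only: never commit or publish real object-store credentials in a
    # values file. If a real key pair was ever written here, treat it as exposed and
    # rotate it. Recent chart versions can read both keys from a Kubernetes Secret
    # (s3.existingSecret) instead -- confirm with `helm show values` for your version.
    accesskey: "<S3_ACCESS_KEY>"
    secretkey: "<S3_SECRET_KEY>"
    # NOTE(review): an http:// endpoint together with "secure: false" means image data
    # and signed S3 requests cross the network unencrypted and unauthenticated by TLS;
    # use an https endpoint with "secure: true" where the storage service offers it.
    regionendpoint: http://172.16.7.1
    #encrypt: false
    #keyid: mykeyid
    secure: false
    #skipverify: false
    #v4auth: true
    #chunksize: "5242880"
    #rootdirectory: /s3/object/name/prefix
    #storageclass: STANDARD
    #multipartcopychunksize: "33554432"
    #multipartcopymaxconcurrency: 100
    #multipartcopythresholdsize: "33554432"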