Add Harbor And Update Traefik

Repository/Harbor/common/config/core/app.conf

@@ -0,0 +1,6 @@
+appname = Harbor
+runmode = prod
+enablegzip = true
+
+[prod]
+httpport = 8080

Repository/Harbor/common/config/core/env

@@ -0,0 +1,51 @@
+CONFIG_PATH=/etc/core/app.conf
+UAA_CA_ROOT=/etc/core/certificates/uaa_ca.pem
+_REDIS_URL_CORE=redis://redis:6379?idle_timeout_seconds=30
+SYNC_QUOTA=true
+_REDIS_URL_REG=redis://redis:6379/1?idle_timeout_seconds=30
+
+LOG_LEVEL=info
+EXT_ENDPOINT=https://registry.traefik.me
+DATABASE_TYPE=postgresql
+POSTGRESQL_HOST=postgresql
+POSTGRESQL_PORT=5432
+POSTGRESQL_USERNAME=postgres
+POSTGRESQL_PASSWORD=root123
+POSTGRESQL_DATABASE=registry
+POSTGRESQL_SSLMODE=disable
+POSTGRESQL_MAX_IDLE_CONNS=100
+POSTGRESQL_MAX_OPEN_CONNS=1000
+POSTGRESQL_CONN_MAX_LIFETIME=5m
+POSTGRESQL_CONN_MAX_IDLE_TIME=0
+REGISTRY_URL=http://registry:5000
+PORTAL_URL=http://portal:8080
+TOKEN_SERVICE_URL=http://core:8080/service/token
+HARBOR_ADMIN_PASSWORD=Harbor12345
+MAX_JOB_WORKERS=10
+CORE_SECRET=M6GdkMmjBufXLqN5
+JOBSERVICE_SECRET=c8Au1Hk9BjPy0N9h
+WITH_TRIVY=True
+CORE_URL=http://core:8080
+CORE_LOCAL_URL=http://127.0.0.1:8080
+JOBSERVICE_URL=http://jobservice:8080
+TRIVY_ADAPTER_URL=http://trivy-adapter:8080
+REGISTRY_STORAGE_PROVIDER_NAME=filesystem
+READ_ONLY=false
+RELOAD_KEY=
+REGISTRY_CONTROLLER_URL=http://registryctl:8080
+REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
+REGISTRY_CREDENTIAL_PASSWORD=kgDZdlQTjZDmwDvO97aUELPEQfPT1woN
+CSRF_KEY=miI1hsOC4q36kMcq5wswiQWOTtroIVsZ
+ROBOT_SCANNER_NAME_PREFIX=3zdTeO5W
+PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory
+
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=
+
+PORT=8080
+
+
+
+
+QUOTA_UPDATE_PROVIDER=db

Repository/Harbor/common/config/db/env

@@ -0,0 +1 @@
+POSTGRES_PASSWORD=root123

Repository/Harbor/common/config/jobservice/config.yml

@@ -0,0 +1,46 @@
+---
+#Protocol used to serve
+protocol: "http"
+
+#Server listening port
+port: 8080
+
+#Worker pool
+worker_pool:
+  #Worker concurrency
+  workers: 10
+  backend: "redis"
+  #Additional config if use 'redis' backend
+  redis_pool:
+    #redis://[arbitrary_username:password@]ipaddress:port/database_index
+    redis_url: redis://redis:6379/2?idle_timeout_seconds=30
+    namespace: "harbor_job_service_namespace"
+    idle_timeout_second: 3600
+#Loggers for the running job
+job_loggers:
+  # The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB"
+  - name: "STD_OUTPUT"
+    level: "INFO" # INFO/DEBUG/WARNING/ERROR/FATAL
+  - name: "FILE"
+    level: "INFO"
+    settings: # Customized settings of logger
+      base_dir: "/var/log/jobs"
+    sweeper:
+      duration: 1 #days
+      settings: # Customized settings of sweeper
+        work_dir: "/var/log/jobs"
+
+#Loggers for the job service
+loggers:
+  - name: "STD_OUTPUT" # Same with above
+    level: "INFO"
+
+
+reaper:
+  # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24,
+  max_update_hours: 24
+  # the max time for execution in running state without new task created
+  max_dangling_hours: 168
+
+# the max size of job log returned by API, default is 10M
+max_retrieve_size_mb: 10

Repository/Harbor/common/config/jobservice/env

@@ -0,0 +1,17 @@
+CORE_SECRET=M6GdkMmjBufXLqN5
+REGISTRY_URL=http://registry:5000
+JOBSERVICE_SECRET=c8Au1Hk9BjPy0N9h
+CORE_URL=http://core:8080
+REGISTRY_CONTROLLER_URL=http://registryctl:8080
+JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=3
+JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT=3
+
+
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=
+REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
+REGISTRY_CREDENTIAL_PASSWORD=kgDZdlQTjZDmwDvO97aUELPEQfPT1woN
+
+
+

Repository/Harbor/common/config/log/logrotate.conf

@@ -0,0 +1,8 @@
+/var/log/docker/*.log {
+        rotate 50
+        size 200M
+        copytruncate
+        compress
+        missingok
+        nodateext
+}

Repository/Harbor/common/config/log/rsyslog_docker.conf

@@ -0,0 +1,7 @@
+# Rsyslog configuration file for docker.
+
+template(name="DynaFile" type="string" string="/var/log/docker/%programname%.log")
+
+if $programname != "rsyslogd" then {
+	action(type="omfile" dynaFile="DynaFile")
+}

Repository/Harbor/common/config/nginx/nginx.conf

@@ -0,0 +1,119 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+  worker_connections 3096;
+  use epoll;
+  multi_accept on;
+}
+
+http {
+  client_body_temp_path /tmp/client_body_temp;
+  proxy_temp_path /tmp/proxy_temp;
+  fastcgi_temp_path /tmp/fastcgi_temp;
+  uwsgi_temp_path /tmp/uwsgi_temp;
+  scgi_temp_path /tmp/scgi_temp;
+  tcp_nodelay on;
+
+  # this is necessary for us to be able to disable request buffering in all cases
+  proxy_http_version 1.1;
+
+  upstream core {
+    server core:8080;
+  }
+
+  upstream portal {
+    server portal:8080;
+  }
+
+  log_format timed_combined '$remote_addr - '
+    '"$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" '
+    '$request_time $upstream_response_time $pipe';
+
+  access_log /dev/stdout timed_combined;
+
+  map $http_x_forwarded_proto $x_forwarded_proto {
+    default $http_x_forwarded_proto;
+    ""      $scheme;
+  }
+
+  server {
+    listen 8080;
+    server_tokens off;
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # Add extra headers
+    add_header X-Frame-Options DENY;
+    add_header Content-Security-Policy "frame-ancestors 'none'";
+
+    # customized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
+    include /etc/nginx/conf.d/harbor.http.*.conf;
+
+    location / {
+      proxy_pass http://portal/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /c/ {
+      proxy_pass http://core/c/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /api/ {
+      proxy_pass http://core/api/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /v1/ {
+      return 404;
+    }
+
+    location /v2/ {
+      proxy_pass http://core/v2/;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+      proxy_buffering off;
+      proxy_request_buffering off;
+
+      proxy_send_timeout 900;
+      proxy_read_timeout 900;
+    }
+
+    location /service/ {
+      proxy_pass http://core/service/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /service/notifications {
+      return 404;
+    }
+  }
+}

Repository/Harbor/common/config/portal/nginx.conf

@@ -0,0 +1,42 @@
+
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+
+    client_body_temp_path /tmp/client_body_temp;
+    proxy_temp_path /tmp/proxy_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    server {
+        listen 8080;
+        server_name  localhost;
+
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        include /etc/nginx/mime.types;
+
+        gzip on;
+        gzip_min_length 1000;
+        gzip_proxied expired no-cache no-store private auth;
+        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+        location /devcenter-api-2.0 {
+            try_files $uri $uri/ /swagger-ui-index.html;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        location = /index.html {
+            add_header Cache-Control "no-store, no-cache, must-revalidate";
+        }
+    }
+}

Repository/Harbor/common/config/registry/config.yml

@@ -0,0 +1,43 @@
+version: 0.1
+log:
+  level: info
+  fields:
+    service: registry
+storage:
+  cache:
+    layerinfo: redis
+  filesystem:
+    rootdirectory: /storage
+  maintenance:
+    uploadpurging:
+      enabled: true
+      age: 168h
+      interval: 24h
+      dryrun: false
+  delete:
+    enabled: true
+redis:
+  addr: redis:6379
+  readtimeout: 10s
+  writetimeout: 10s
+  dialtimeout: 10s
+  password: 
+  db: 1
+  pool:
+    maxidle: 100
+    maxactive: 500
+    idletimeout: 60s
+http:
+  addr: :5000
+  secret: placeholder
+  debug:
+    addr: localhost:5001
+auth:
+  htpasswd:
+    realm: harbor-registry-basic-realm
+    path: /etc/registry/passwd
+validation:
+  disabled: true
+compatibility:
+  schema1:
+    enabled: true

Repository/Harbor/common/config/registry/passwd

@@ -0,0 +1 @@
+harbor_registry_user:$2y$05$FCbp41JTQ3jGiNuk4RekiOAHvKwcY5b2xE9ql6dAt6yngVIyhzsAa

Repository/Harbor/common/config/registryctl/config.yml

@@ -0,0 +1,5 @@
+---
+protocol: "http"
+port: 8080
+log_level: info
+registry_config: "/etc/registry/config.yml"

Repository/Harbor/common/config/registryctl/env

@@ -0,0 +1,2 @@
+CORE_SECRET=M6GdkMmjBufXLqN5
+JOBSERVICE_SECRET=c8Au1Hk9BjPy0N9h

Repository/Harbor/common/config/trivy-adapter/env

@@ -0,0 +1,21 @@
+SCANNER_LOG_LEVEL=info
+SCANNER_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_NAMESPACE=harbor.scanner.trivy:store
+SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_JOB_QUEUE_REDIS_NAMESPACE=harbor.scanner.trivy:job-queue
+SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
+SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
+SCANNER_TRIVY_VULN_TYPE=os,library
+SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+SCANNER_TRIVY_IGNORE_UNFIXED=False
+SCANNER_TRIVY_SKIP_UPDATE=False
+SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE=False
+SCANNER_TRIVY_OFFLINE_SCAN=False
+SCANNER_TRIVY_SECURITY_CHECKS=vuln
+SCANNER_TRIVY_GITHUB_TOKEN=
+SCANNER_TRIVY_INSECURE=False
+SCANNER_TRIVY_TIMEOUT=5m0s
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=