docker harbor 域名_harbor docker 仓库 https配置

1,harbor.cfg 配置修改

1.1 hostname = reg.mydomain.com #必须是域名

1.2 ui_url_protocol = https #https

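1.3 verify_remote_cert = off #默认是on。该项决定 Harbor 在连接远端仓库(如镜像复制)时是否校验对方的 SSL 证书;远端使用自签或不受信任的证书时才设为off。设为off后不再校验远端证书,也就无法发现被冒充的远端;如果能让 Harbor 信任签发该证书的 CA,应保持on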

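2,将证书 reg.mydomain.com.crt 拷贝到需要登录该仓库的目标机器的 /etc/docker/certs.d/reg.mydomain.com 目录下(注意:该目录一开始是不存在的,连 certs.d 都不存在,需要手动创建,例如 mkdir -p /etc/docker/certs.d/reg.mydomain.com;只需拷贝 .crt 证书,私钥 reg.mydomain.com.key 应留在 Harbor 服务器上,不要分发到客户端)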

3,将证书reg.mydomain.com.crt 拷贝到需要登录该仓库的目标机器 /etc/pki/ca-trust/source/anchors 目录下 ,然后执行 update-ca-trust

登录验证(-p 会把密码留在 shell 历史和进程参数里,正如下面输出中的警告所示;实际使用时建议改用 --password-stdin):

[root@registry anchors]# docker login -u xxx -p xxx reg.mydomain.com

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

cat harbor.cfg

## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!

_version = 1.5.0

#The IP address or hostname to access admin UI and registry service.

#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.

hostname = reg.mydomain.com

#The protocol for accessing the UI and token/notification service, by default it is http.

#It can be set to https if ssl is enabled on nginx.

ui_url_protocol = https

#Maximum number of job workers in job service

max_job_workers = 50

#Determine whether or not to generate certificate for the registry's token.

#If the value is on, the prepare script creates new root cert and private key

#for generating token to access the registry. If the value is off the default key/cert will be used.

#This flag also controls the creation of the notary signer's cert.

customize_crt = on

#The path of cert and key files for nginx, they are applied only when the protocol is set to https

ssl_cert = /data/cert/reg.mydomain.com.crt

ssl_cert_key = /data/cert/reg.mydomain.com.key

#The path of secretkey storage

secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone

admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.

log_rotate_count = 50

#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.

#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G

#are all valid.

log_rotate_size = 200M

#Config http proxy for Clair, e.g. http://my.proxy.com:3128

#Clair doesn't need to connect to harbor ui container via http proxy.

http_proxy =

https_proxy =

no_proxy = 127.0.0.1,localhost,ui

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES

#only take effect in the first boot, the subsequent changes of these properties

#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.

#Identity left blank to act as username.

email_identity =

email_server = smtp.mydomain.com

email_server_port = 25

email_username = sample_admin@mydomain.com

email_password = abc

email_from = admin

email_ssl = false

email_insecure = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.

#It has no effect after the first launch of Harbor.

#Change the admin password from UI after launching Harbor.

harbor_admin_password = xxxx

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.

#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.

auth_mode = db_auth

#The url for an ldap endpoint.

ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server.

#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.

#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn

#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD

ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.

#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD

ldap_uid = uid

#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE

ldap_scope = 2

#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.

ldap_timeout = 5

#Verify certificate from LDAP server

ldap_verify_cert = true

#The base dn from which to lookup a group in LDAP/AD

ldap_group_basedn = ou=group,dc=mydomain,dc=com

#filter to search LDAP/AD group

ldap_group_filter = objectclass=group

#The attribute used to name a LDAP/AD group, it could be cn, name

ldap_group_gid = cn

#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE

ldap_group_scope = 2

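#Turn on or off the self-registration feature. When it is on (with auth_mode = db_auth), anyone who can reach the UI can sign up for an account; set it to off if accounts should only be created by an admin.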

self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes

token_expiration = 30

#The flag to control what users have permission to create projects

#The default value "everyone" allows everyone to create a project.

#Set to "adminonly" so that only admin user can create project.

project_creation_restriction = everyone

#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######

#The address of the Harbor database. Only need to change when using external db.

db_host = mysql

#The password for the root user of Harbor DB. Change this before any production use.

db_password = root123

#The port of Harbor database host

db_port = 3306

#The user name of Harbor database

db_user = root

##### End of Harbor DB configuration#######

#The redis server address. Only needed in HA installation.

#address:port[,weight,password,db_index]

redis_url = redis:6379

##########Clair DB configuration############

#Clair DB host address. Only change it when using an external DB.

clair_db_host = postgres

#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.

#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.

clair_db_password = password

#Clair DB connect port

clair_db_port = 5432

#Clair DB username

clair_db_username = postgres

#Clair default database

clair_db = postgres

##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth

uaa_endpoint = uaa.my****domain.org

uaa_clientid = id

uaa_clientsecret = secret

uaa_verify_cert = true

uaa_ca_cert = /path/to/ca.pem

### Docker Registry setting ###

#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.

registry_storage_provider_name = filesystem

#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".

#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.

registry_storage_provider_config =

verify_remote_cert = off

(END)

标签:mydomain,harbor,ldap,Harbor,https,LDAP,docker,password,com

来源: https://www.cnblogs.com/riseast/p/12930746.html
