mirror of
https://github.com/bitnami/charts.git
synced 2026-03-27 15:27:10 +08:00
252 lines
8.6 KiB
YAML
252 lines
8.6 KiB
YAML
{{- if and (eq .Values.exposureType "proxy") .Values.nginx.tls.enabled }}
|
|
{{- $scheme := ternary "https" "http" .Values.internalTLS.enabled -}}
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {{ include "harbor.nginx" . }}
|
|
namespace: {{ .Release.Namespace | quote }}
|
|
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
|
{{- if .Values.commonLabels }}
|
|
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
|
{{- end }}
|
|
app.kubernetes.io/component: nginx
|
|
{{- if .Values.commonAnnotations }}
|
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
|
{{- end }}
|
|
data:
|
|
nginx.conf: |+
|
|
worker_processes auto;
|
|
pid /opt/bitnami/nginx/tmp/nginx.pid;
|
|
|
|
events {
|
|
worker_connections 3096;
|
|
use epoll;
|
|
multi_accept on;
|
|
}
|
|
|
|
http {
|
|
client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2;
|
|
proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2;
|
|
fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
|
|
scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2;
|
|
uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2;
|
|
|
|
tcp_nodelay on;
|
|
|
|
# this is necessary for us to be able to disable request buffering in all cases
|
|
proxy_http_version 1.1;
|
|
|
|
upstream core {
|
|
server {{ printf "%s:%d" (include "harbor.core" .) (ternary .Values.core.service.ports.https .Values.core.service.ports.http .Values.internalTLS.enabled | int) }};
|
|
}
|
|
|
|
upstream portal {
|
|
server {{ printf "%s:%d" (include "harbor.portal" .) (ternary .Values.portal.service.ports.https .Values.portal.service.ports.http .Values.internalTLS.enabled | int) }};
|
|
}
|
|
|
|
{{- if .Values.notary.enabled }}
|
|
upstream notary-server {
|
|
server {{ printf "%s:%d" (include "harbor.notary-server" .) (.Values.notary.service.ports.server | int) }};
|
|
}
|
|
{{- end }}
|
|
|
|
log_format timed_combined '[$time_local]:$remote_addr - '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent" '
|
|
'$request_time $upstream_response_time $pipe';
|
|
|
|
access_log /dev/stdout timed_combined;
|
|
|
|
{{- if .Values.notary.enabled }}
|
|
server {
|
|
{{- if .Values.ipFamily.ipv4.enabled }}
|
|
listen {{ .Values.nginx.containerPorts.notary }} ssl;
|
|
{{- end }}
|
|
{{- if .Values.ipFamily.ipv6.enabled }}
|
|
listen [::]:{{ .Values.nginx.containerPorts.notary }} ssl;
|
|
{{- end }}
|
|
server_tokens off;
|
|
# ssl
|
|
ssl_certificate /etc/nginx/cert/tls.crt;
|
|
ssl_certificate_key /etc/nginx/cert/tls.key;
|
|
|
|
# recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
|
|
ssl_protocols tlsv1.1 tlsv1.2;
|
|
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:ssl:10m;
|
|
|
|
# disable any limits to avoid http 413 for large image uploads
|
|
client_max_body_size 0;
|
|
|
|
# required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
|
|
chunked_transfer_encoding on;
|
|
|
|
location /v2/ {
|
|
proxy_pass http://notary-server/v2/;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
{{- if not .Values.nginx.behindReverseProxy }}
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
{{- end }}
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
}
|
|
{{- end }}
|
|
|
|
server {
|
|
{{- if .Values.ipFamily.ipv4.enabled }}
|
|
listen {{ .Values.nginx.containerPorts.https }} ssl;
|
|
{{- end }}
|
|
{{- if .Values.ipFamily.ipv6.enabled }}
|
|
listen [::]:{{ .Values.nginx.containerPorts.https }} ssl;
|
|
{{- end }}
|
|
server_tokens off;
|
|
# SSL
|
|
ssl_certificate /etc/nginx/cert/tls.crt;
|
|
ssl_certificate_key /etc/nginx/cert/tls.key;
|
|
|
|
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
ssl_protocols TLSv1.1 TLSv1.2;
|
|
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
|
|
# disable any limits to avoid HTTP 413 for large image uploads
|
|
client_max_body_size 0;
|
|
|
|
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
|
chunked_transfer_encoding on;
|
|
|
|
# Add extra headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
|
add_header X-Frame-Options DENY;
|
|
add_header Content-Security-Policy "frame-ancestors 'none'";
|
|
|
|
location / {
|
|
proxy_pass {{ $scheme }}://portal/;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
{{- if not .Values.nginx.behindReverseProxy }}
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
{{- end }}
|
|
|
|
# Add Secure flag when serving HTTPS
|
|
proxy_cookie_path / "/; HttpOnly; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /devcenter-api-2.0 {
|
|
try_files $uri $uri/ /swagger-ui-index.html;
|
|
}
|
|
|
|
location /api/ {
|
|
proxy_pass {{ $scheme }}://core/api/;
|
|
{{- if and .Values.internalTLS.enabled }}
|
|
proxy_ssl_verify off;
|
|
proxy_ssl_session_reuse on;
|
|
{{- end }}
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
{{- if not .Values.nginx.behindReverseProxy }}
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
{{- end }}
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /chartrepo/ {
|
|
proxy_pass {{ $scheme }}://core/chartrepo/;
|
|
{{- if and .Values.internalTLS.enabled }}
|
|
proxy_ssl_verify off;
|
|
proxy_ssl_session_reuse on;
|
|
{{- end }}
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
{{- if not .Values.nginx.behindReverseProxy }}
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
{{- end }}
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /c/ {
|
|
proxy_pass {{ $scheme }}://core/c/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
{{- if not .Values.nginx.behindReverseProxy }}
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
{{- end }}
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /v1/ {
|
|
return 404;
|
|
}
|
|
|
|
location /v2/ {
|
|
proxy_pass {{ $scheme }}://core/v2/;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
{{- if not .Values.nginx.behindReverseProxy }}
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
{{- end }}
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /service/ {
|
|
proxy_pass {{ $scheme }}://core/service/;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
{{- if not .Values.nginx.behindReverseProxy }}
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
{{- end }}
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /service/notifications {
|
|
return 404;
|
|
}
|
|
}
|
|
server {
|
|
{{- if .Values.ipFamily.ipv4.enabled }}
|
|
listen 8080;
|
|
{{- end }}
|
|
{{- if .Values.ipFamily.ipv6.enabled }}
|
|
listen [::]:8080;
|
|
{{- end }}
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
{{- end }}
|