diff --git a/README.md b/README.md index f4ed292..54a761a 100644 --- a/README.md +++ b/README.md @@ -366,6 +366,7 @@ folder for help with: - [GitLab](example_configs/gitlab.md) - [Grafana](example_configs/grafana_ldap_config.toml) - [Grocy](example_configs/grocy.md) +- [Harbor](example_configs/harbor.md) - [Hedgedoc](example_configs/hedgedoc.md) - [Home Assistant](example_configs/home-assistant.md) - [Jellyfin](example_configs/jellyfin.md) diff --git a/example_configs/harbor.md b/example_configs/harbor.md new file mode 100644 index 0000000..c006b87 --- /dev/null +++ b/example_configs/harbor.md 
@@ -0,0 +1,31 @@ +[Harbor](https://goharbor.io) is a CNCF cloud native container registry for kubernetes. + +You can pass environment variables into ``harbor-core`` for auth configuration as documented [here](https://github.com/goharbor/website/blob/release-2.10.0/docs/install-config/configure-system-settings-cli.md#harbor-configuration-items). + +Configure ``ldap_url`` and ``ldap_verify_cert`` as needed for your installation. + +Using the [harbor-helm](https://github.com/goharbor/harbor-helm) chart, these vars can be passed in under ``core.configureUserSettings`` as a JSON string: + +```yaml +core: + configureUserSettings: | + { + "auth_mode": "ldap_auth", + "ldap_url": "ldaps://lldap.example.com", + "ldap_base_dn": "ou=people,dc=example,dc=com", + "ldap_search_dn": "uid=bind,ou=people,dc=example,dc=com", + "ldap_search_password": "very-secure-password", + "ldap_group_base_dn": "ou=groups,dc=example,dc=com", + "ldap_group_admin_dn": "cn=harbor-admin-group,ou=groups,dc=example,dc=com", + "ldap_group_search_filter": "(objectClass=groupOfUniqueNames)", + "ldap_group_attribute_name": "uid" + } +``` + +> [!IMPORTANT] +> ``ldap_search_dn`` needs to be able to bind and search. The ``lldap_strict_readonly`` group is sufficient. + +> [!NOTE] +> Members of the ``ldap_group_admin_dn`` group will receive harbor admin privledges. +> Users outside this group will have their ldap group(s) imported into harbor (under "groups" with type "ldap"). +> These groups can be used for permissions assigned to a harbor "project".
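Review bot: In the new example_configs/harbor.md, the text tells readers to configure ``ldap_verify_cert``, but the JSON under ``core.configureUserSettings`` never sets it, so someone copying the block for the ``ldaps://lldap.example.com`` URL gets no indication of where the key goes or which value is intended. Please add the key to the example with certificate verification turned on, and say in the sentence above when a reader would need to change it. The same block carries ``"ldap_search_password": "very-secure-password"`` inline in the Helm values; a short remark that this is a placeholder and that the real bind password should be kept out of a version-controlled values file would be worth adding. Minor: "privledges" in the NOTE callout should be "privileges", and "kubernetes" and "harbor" in the prose should be capitalized to match the link text.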