Configuration
log:
level: debug
# proxy for another registry(eg: docker.io) log level
proxyLevel: info
database:
# The database type to use. Supported types are: sqlite3, mysql, postgresql
type: sqlite3
sqlite3:
path: sigma.db
mysql:
host: localhost
port: 3306
username: sigma
password: sigma
database: sigma
postgresql:
host: localhost
port: 5432
username: sigma
password: sigma
database: sigma
sslMode: disable
redis:
# redis type available: none, external. Following all of redis config just use reference here.
# none: means never use redis
# external: means use the specific redis instance
type: none
url: redis://:sigma@localhost:6379/0
badger:
# badger is used to implement lock and cache in a single-node mode.
enabled: true
path: /var/lib/sigma/badger/
cache:
# the cache type available is: redis, inmemory, badger
# please attention in multi-node mode, you should use redis
type: badger
inmemory:
prefix: sigma-cache
size: 10240
redis:
prefix: sigma-cache
ttl: 72h
badger:
prefix: sigma-cache
ttl: 72h
workqueue:
# the workqueue type available: redis, kafka, database, inmemory
type: redis
redis:
concurrency: 10
kafka: {}
database: {}
inmemory:
concurrency: 1024
locker:
# the locker type available: redis, badger
type: badger
badger:
prefix: sigma-locker
redis:
prefix: sigma-locker
namespace:
# push image to registry, if namespace not exist, it will be created automatically
autoCreate: false
# the automatic created namespace visibility, available: public, private
visibility: public
http:
# endpoint can be a domain or domain with port, eg: http://sigma.test.io, https://sigma.test.io:30080, http://127.0.0.1:3000
# this endpoint will be used to generate the token service url in auth middleware,
# you can leave it blank and it will use http://127.0.0.1:3000 as internal domain by default,
# because the front page need show this endpoint.
endpoint:
# in some cases, daemon may pull image and scan it, but we don't want to pull image from public registry domain,
# so use this internal domain to pull image from registry.
# you can leave it blank and it will use http://127.0.0.1:3000 as internal domain by default.
# in k8s cluster, it will be set to the distribution service which is used to pull image from registry, eg: http://registry.default.svc.cluster.local:3000
# in docker-compose, it will be set to the registry service which is used to pull image from registry, eg: http://registry:3000
# if http.tls.enabled is true, internalEndpoint should start with 'https://'
# eg: http://sigma.test.io, http://sigma.test.io:3000, https://sigma.test.io:30080
internalEndpoint:
tls:
enabled: false
certificate: /etc/sigma/sigma.tosone.cn.crt
key: /etc/sigma/sigma.tosone.cn.key
storage:
rootdirectory: ./storage
type: filesystem
filesystem:
path: /var/lib/sigma/oci/
s3:
ak: sigma
sk: sigma-sigma
endpoint: http://127.0.0.1:9000
region: cn-north-1
bucket: sigma
forcePathStyle: true
cos:
ak: sigma
sk: sigma-sigma
endpoint: https://hack-1251887554.cos.na-toronto.myqcloud.com
oss:
ak: sigma
sk: sigma-sigma
endpoint: http://127.0.0.1:9000
forcePathStyle: true
# Notice: the tag never update after the first pulled from remote registry, unless you delete the image and pull again.
proxy:
enabled: false
endpoint: https://registry-1.docker.io
tlsVerify: true
username: ""
password: ""
# daemon task config
daemon:
builder:
image: sigma-builder:latest
type: docker
docker:
sock:
network: sigma
kubernetes:
kubeconfig:
namespace: sigma-builder
podman:
uri: unix:///run/podman/podman.sock
auth:
anonymous:
# anonymous will disabled if auth.anonymous.enabled set false
enabled: true
admin:
username: sigma
password: sigma
token:
realm: ""
service: ""
jwt:
ttl: 1h
refreshTtl: 72h
# generate the key with: openssl genrsa 4096 | base64
privateKey: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSB"
oauth2:
github:
# github login will disable if auth.oauth.github.enabled set false
enabled: false
clientId: "e5f9fa9e372dfac66aed"
clientSecret: "49ab83f4d0665f8579516f7a3f2f753a6a57189b"
gitlab:
# gitlab login will disable if auth.oauth.gitlab.enabled set false
enabled: false
clientId: "4df6efcf8c319efb73e8116c72d881c559ccaf822096220a13cee3047b05ed70"
clientSecret: "94ceddf22fc1560f33caec6be32c9c61a91719bd2df3b5127ccd43187192f95b"