update harbor v2.1.3

pull/992/head
gjmzj 2021-02-08 21:23:00 +08:00
parent 3dc47c9146
commit 97f9df2b7a
12 changed files with 283 additions and 138 deletions

View File

@ -1,6 +1,6 @@
# harbor 镜像仓库
Habor是由VMWare中国团队开源的容器镜像仓库。事实上Habor是在Docker Registry上进行了相应的企业级扩展从而获得了更加广泛的应用这些新的企业级特性包括管理用户界面基于角色的访问控制 水平扩展同步AD/LDAP集成以及审计日志等。本文档仅说明部署单个基础harbor服务的步骤
Habor是由VMWare中国团队开源的企业级容器镜像仓库。特性包括友好的用户界面基于角色的访问控制水平扩展同步复制AD/LDAP集成以及审计日志等。本文档仅说明单机安装harbor 服务
- 目录
- 安装步骤
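Review bot: the rewritten intro line still spells the product "Habor" and the vendor "VMWare"; since this line is being touched anyway, correct both to "Harbor" and "VMware" (the hunk header context line carries the same typo).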
@ -11,46 +11,66 @@ Habor是由VMWare中国团队开源的容器镜像仓库。事实上Habor是
### 安装步骤
1. 在ansible控制端下载最新的 [docker-compose](https://github.com/docker/compose/releases) 二进制文件,改名后把它放到项目 `/etc/ansible/bin`目录(已包含)
1. 下载离线安装包,成功后在/etc/kubeasz/down/目录下有离线包harbor-offline-installer-$HARBOR_VER.tgz
2. 在ansible控制端下载最新的 [harbor](https://github.com/vmware/harbor/releases) 离线安装包,把它放到项目 `/etc/ansible/down` 目录
3. 在ansible控制端编辑/etc/ansible/hosts文件可以参考 `example`目录下的模板,修改部分举例如下
``` bash
# 参数 NEW_INSTALL=(yes/no)yes表示新建 harbor并配置k8s节点的docker可以使用harbor仓库
# no 表示仅配置k8s节点的docker使用已有的harbor仓库
# 参数 SELF_SIGNED_CERT=(yes/no): yes表示使用自签名证书即安装程序帮你做一个自己签名的证书当然这样的证书是得不到浏览器直接认可的
# no 表示使用已有的证书,如 letsencrypt 或者其他证书颁发机构,如使用此参数,需把证书提前放在 down 目录下文件名称分别为harbor.pem 和 harbor-key.pem
# 如果不需要设置域名访问 harbor可以配置参数 HARBOR_DOMAIN=""
[harbor]
192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=yes SELF_SIGNED_CERT=yes
```
ezdown -D
ezdown -R
```
4. 在ansible控制端执行 `ansible-playbook /etc/ansible/11.harbor.yml`完成harbor安装和docker 客户端配置
2. 利用ezctl [文档](../setup/ezctl.md) 创建一个新的集群,已有集群修改同样的文件
```
#clusters/xxx/hosts 中修改如下配置harbor组下机器设置NEW_INSTALL=true
...
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
[harbor]
192.168.1.8 NEW_INSTALL=true
...
#clusters/xxx/config.yml 中修改如下按需修改HARBOR_DOMAIN/HARBOR_TLS_PORT 等配置项
############################
# role:harbor
############################
# harbor version完整版本号
HARBOR_VER: "v2.1.3"
HARBOR_DOMAIN: "harbor.yourdomain.com"
HARBOR_TLS_PORT: 8443
# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down'
HARBOR_SELF_SIGNED_CERT: true
# install component
HARBOR_WITH_NOTARY: false
HARBOR_WITH_TRIVY: false
HARBOR_WITH_CLAIR: false
HARBOR_WITH_CHARTMUSEUM: true
```
3. 配置完成后,执行 `./ezctl setup xxx harbor`完成harbor安装和docker 客户端配置
- 安装验证
1. 在harbor节点使用`docker ps -a` 查看harbor容器组件运行情况
2. 浏览器访问harbor节点的IP地址 `https://$NodeIP`,管理员账号是 admin ,密码见 harbor.cfg(v1.5-v1.7) 或 harbor.yml(v1.8+) 文件 harbor_admin_password 对应值(默认密码 Harbor12345 已被随机生成的16位随机密码替换不然存在安全隐患)
2. 浏览器访问地址(忽略证书报错) `https://${HARBOR_DOMAIN}:${HARBOR_TLS_PORT}`,管理员账号是 admin 密码见harbor.yml文件 harbor_admin_password 对应值(默认密码 Harbor12345 已被随机生成的16位随机密码替换不然存在安全隐患)
### 安装讲解
根据`11.harbor.yml`文件harbor节点需要以下步骤
根据`playbooks/11.harbor.yml`文件harbor节点需要以下步骤
- role `os-harden` 系统安全加固(可选)
- role `chrony` 时间同步服务(可选)
- role `prepare` 基础系统环境准备
- role `docker` 安装docker
- role `harbor` 安装harbor
- 注意:`kube_node`节点在harbor部署完之后需要配置harbor的证书详见下节配置docker/containerd信任harbor证书并可以在hosts里面添加harbor的域名解析如果你的环境中有dns服务器可以跳过hosts文件设置
请在另外窗口打开 [roles/harbor/tasks/main.yml](../../roles/harbor/tasks/main.yml),对照以下讲解
1. 下载docker-compose可执行文件到$PATH目录
1. 自注册变量result判断是否已经安装harbor避免重复安装问题
1. 解压harbor离线安装包到指定目录
1. 导入harbor所需 docker images
1. 创建harbor证书和私钥(复用集群的CA证书)
1. 修改harbor.cfg配置文件
1. 修改harbor.yml配置文件
1. 启动harbor安装脚本
### 配置docker/containerd信任harbor证书
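Review bot: the new verification step `2. 浏览器访问地址(忽略证书报错)` tells the reader to click through the TLS warning; since the self-signed harbor certificate is issued by the cluster CA (see `创建harbor证书和私钥(复用集群的CA证书)` below), suggest instead importing that ca.pem into the browser or OS trust store, so a later certificate mismatch is noticed rather than ignored by habit.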
@ -67,13 +87,13 @@ $ crictl pull harbor.test.lo/pub/hello:v0.1.4
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to resolve image "harbor.test.lo/pub/hello:v0.1.4": no available registry endpoint: failed to do request: Head https://harbor.test.lo/v2/pub/hello/manifests/v0.1.4: x509: certificate signed by unknown authority
```
项目脚本`11.harbor.yml`中已经自动为k8s集群的每个node节点配置 docker/containerd 信任自建 harbor 证书;如果你无法运行此脚本,可以参考下述手工配置(使用受信任的正式证书 SELF_SIGNED_CERT=no 可忽略)
项目脚本`11.harbor.yml`中已经自动为k8s集群的每个node节点配置 docker/containerd 信任自建 harbor 证书;如果你无法运行此脚本,可以参考下述手工配置
#### docker配置信任harbor证书
在集群每个 node 节点进行如下配置
- 创建目录 /etc/docker/certs.d/harbor.test.lo/ (harbor.test.lo为你的harbor域名)
- 创建目录 /etc/docker/certs.d/harbor.yourdomain.com:8443/ (以默认配置举例)
- 复制 harbor 安装时的 CA 证书到上述目录,并改名 ca.crt 即可
#### containerd配置信任harbor证书
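Review bot: the rewritten sentence drops the qualification from the old line that the manual trust configuration is unnecessary when a publicly trusted certificate is used; the playbook still guards the CA distribution with `when: 'HARBOR_SELF_SIGNED_CERT|bool'`, so keep a short note such as "(HARBOR_SELF_SIGNED_CERT: false 时可忽略)" to match that behaviour.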
@ -164,9 +184,9 @@ type: kubernetes.io/dockerconfigjson
### 管理维护
+ 日志目录 `/var/log/harbor`
+ 数据目录 `/data` ,其中最主要是 `/data/database` 和 `/data/registry` 目录如果你要彻底重新安装harbor删除这两个目录即可
+ 数据目录 `/var/data` ,其中最主要是 `/var/data/database` 和 `/var/data/registry` 目录如果你要彻底重新安装harbor删除这两个目录即可
先进入harbor安装目录 `cd /data/harbor`,常规操作如下:
先进入harbor安装目录 `cd /var/data/harbor`,常规操作如下:
1. 暂停harbor `docker-compose stop` : docker容器stop并不删除容器
2. 恢复harbor `docker-compose start` : 恢复docker容器运行
@ -185,33 +205,3 @@ type: kubernetes.io/dockerconfigjson
# 启动 harbor
docker-compose up -d
```
#### harbor 升级
以下步骤基于harbor 1.1.2 版本升级到 1.2.2版本
``` bash
# 进入harbor解压缩后的目录停止harbor
cd /data/harbor
docker-compose down
# 备份这个目录
cd ..
mkdir -p /backup && mv harbor /backup/harbor
# 下载更新的离线安装包,并解压
tar xvf harbor-offline-installer-v1.2.2.tgz -C /data
# 使用官方数据库迁移工具,备份数据库,修改数据库连接用户和密码,创建数据库备份目录
# 迁移工具使用docker镜像镜像tag由待升级到目标harbor版本决定这里由 1.1.2升级到1.2.2,所以使用 tag 1.2
docker pull vmware/harbor-db-migrator:1.2
mkdir -p /backup/db-1.1.2
docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql -v /backup/db-1.1.2:/harbor-migration/backup vmware/harbor-db-migrator:1.2 backup
# 因为新老版本数据库结构不一样需要数据库migration
docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql vmware/harbor-db-migrator:1.2 up head
# 修改新版本 harbor.cfg(v1.5-v1.7) 或 harbor.yml(v1.8+) 配置,需要保持与老版本相关配置项保持一致,然后执行安装即可
cd /data/harbor
vi harbor.cfg
./install.sh
```
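Review bot: removing the whole `#### harbor 升级` section (it was stale, referring to 1.1.2 -> 1.2.2 and the MySQL migrator) leaves the guide with no upgrade guidance at all; consider a one-line pointer to the upstream Harbor upgrade/migration documentation for the v2.x line so operators do not try to re-run the old procedure from memory.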

View File

@ -58,17 +58,18 @@ yum update
yum install python -y
```
### 3.在ansible控制端安装及准备ansible
### 3.在部署节点安装ansible及准备ssh免密登陆
- 3.1 pip 安装 ansible如果 Ubuntu pip报错请看[附录](00-planning_and_overall_intro.md#Appendix)
- 3.1 安装ansible (也可以使用容器化运行kubeasz已经预装好ansible)
``` bash
# Ubuntu 16.04
apt-get install git python-pip -y
# CentOS 7
yum install git python-pip -y
# 注意pip 21.0以后不再支持python2和python3.5,需要如下安装
# To install pip for Python 2.7 install it from https://bootstrap.pypa.io/2.7/ :
curl -O https://bootstrap.pypa.io/2.7/get-pip.py
python get-pip.py
python -m pip install --upgrade "pip < 21.0"
# pip安装ansible(国内如果安装太慢可以直接用pip阿里云加速)
pip install pip --upgrade -i https://mirrors.aliyun.com/pypi/simple/
pip install ansible -i https://mirrors.aliyun.com/pypi/simple/
```
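Review bot: `pip install pip --upgrade -i https://mirrors.aliyun.com/pypi/simple/` immediately follows `python -m pip install --upgrade "pip < 21.0"` but omits the `< 21.0` constraint that the comment above says Python 2 requires; either drop that line or repeat the constraint (`pip install "pip < 21.0" --upgrade -i ...`) so the two steps do not contradict each other.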
@ -125,29 +126,5 @@ ezctl setup k8s-01 all
...
```
## Appendix
- Ubuntu 1604 安装 ansible 如果出现以下错误
``` bash
Traceback (most recent call last):
File "/usr/bin/pip", line 9, in <module>
from pip import main
ImportError: cannot import name main
```
将`/usr/bin/pip`做以下修改即可
``` bash
#原代码
from pip import main
if __name__ == '__main__':
sys.exit(main())
#修改后
from pip import __main__
if __name__ == '__main__':
sys.exit(__main__._main())
```
[后一篇](01-CA_and_prerequisite.md)

View File

@ -194,4 +194,15 @@ prom_chart_ver: "__prom_chart__"
# role:harbor
############################
# harbor version完整版本号
HARBOR_VER: "v1.9.4"
HARBOR_VER: "__harbor__"
HARBOR_DOMAIN: "harbor.yourdomain.com"
HARBOR_TLS_PORT: 8443
# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down'
HARBOR_SELF_SIGNED_CERT: true
# install extra component
HARBOR_WITH_NOTARY: false
HARBOR_WITH_TRIVY: false
HARBOR_WITH_CLAIR: false
HARBOR_WITH_CHARTMUSEUM: true
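Review bot: the new `# install extra component` defaults enable chartmuseum but leave both image scanners off (`HARBOR_WITH_TRIVY: false`, `HARBOR_WITH_CLAIR: false`); for a registry that feeds a Kubernetes cluster, consider defaulting `HARBOR_WITH_TRIVY: true` (or at least documenting in the guide why scanning is opt-in) so a freshly installed harbor can scan images without a re-install.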

View File

@ -11,10 +11,9 @@
192.168.1.1
# [optional] harbor server, a private docker registry
# 'NEW_INSTALL': 'yes' to install a harbor server; 'no' to integrate with existed one
# 'SELF_SIGNED_CERT': 'no' you need put files of certificates named harbor.pem and harbor-key.pem in directory 'down'
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
[harbor]
#192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=no SELF_SIGNED_CERT=yes
#192.168.1.8 NEW_INSTALL=false
# [optional] loadbalance for accessing k8s from outside
[ex_lb]

View File

@ -15,10 +15,9 @@
192.168.1.4
# [optional] harbor server, a private docker registry
# 'NEW_INSTALL': 'yes' to install a harbor server; 'no' to integrate with existed one
# 'SELF_SIGNED_CERT': 'no' you need put files of certificates named harbor.pem and harbor-key.pem in directory 'down'
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
[harbor]
#192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=no SELF_SIGNED_CERT=yes
#192.168.1.8 NEW_INSTALL=false
# [optional] loadbalance for accessing k8s from outside
[ex_lb]

6
ezctl
View File

@ -118,6 +118,7 @@ available steps:
06 network to setup the network plugin
07 cluster-addon to setup other useful plugins
all to run 01~07 all at once
harbor to install a new harbor server or to integrate with an existed one
examples: ./ezctl setup test-k8s 01
./ezctl setup test-k8s 02
@ -150,6 +151,7 @@ function new() {
metricsVer=$(grep 'metricsVer=' ezdown|cut -d'=' -f2)
promChartVer=$(grep 'promChartVer=' ezdown|cut -d'=' -f2)
traefikChartVer=$(grep 'traefikChartVer=' ezdown|cut -d'=' -f2)
harborVer=$(grep 'HARBOR_VER=' ezdown|cut -d'=' -f2)
registryMirror=true
grep registry-mirrors /etc/docker/daemon.json > /dev/null 2>&1 || { logger debug "disable registry mirrors"; registryMirror=false; }
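Review bot: `harborVer=$(grep 'HARBOR_VER=' ezdown|cut -d'=' -f2)` is unanchored, so any later line in ezdown that merely contains the string (a comment, or a second assignment) would produce a multi-line value that the following `sed` would then splice into config.yml; anchor it as `grep '^HARBOR_VER='` and consider `head -n1` for safety.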
@ -165,6 +167,7 @@ function new() {
-e "s/__dash_metrics__/$dashboardMetricsScraperVer/g" \
-e "s/__prom_chart__/$promChartVer/g" \
-e "s/__traefik_chart__/$traefikChartVer/g" \
-e "s/__harbor__/$harborVer/g" \
-e "s/^ENABLE_MIRROR_REGISTRY.*$/ENABLE_MIRROR_REGISTRY: $registryMirror/g" \
-e "s/__metrics__/$metricsVer/g" "clusters/$1/config.yml"
@ -207,6 +210,9 @@ function setup() {
(all)
PLAY_BOOK="90.setup.yml"
;;
(harbor)
PLAY_BOOK="11.harbor.yml"
;;
(*)
usage-setup
exit 1

20
ezdown
View File

@ -18,6 +18,7 @@ KUBEASZ_VER=3.0.0
K8S_BIN_VER=v1.20.2
EXT_BIN_VER=0.8.1
SYS_PKG_VER=0.3.3
HARBOR_VER=v2.1.3
REGISTRY_MIRROR=CN
# images needed by k8s cluster
@ -42,6 +43,7 @@ function usage() {
-C stop&clean all local containers
-D download all into "$BASE"
-P download system packages for offline installing
-R download Registry(harbor) offline installer
-S start kubeasz in a container
-d <ver> set docker-ce version, default "$DOCKER_VER"
-e <ver> set kubeasz-ext-bin version, default "$EXT_BIN_VER"
@ -245,6 +247,19 @@ function get_sys_pkg() {
docker rm -f temp_sys_pkg
}
function get_harbor_offline_pkg() {
[[ -f "$BASE/down/harbor-offline-installer-$HARBOR_VER.tgz" ]] && { logger warn "harbor-offline existed"; return 0; }
logger info "downloading harbor-offline:$HARBOR_VER"
docker pull "easzlab/harbor-offline:$HARBOR_VER" && \
logger debug "run a temporary container" && \
docker run -d --name temp_harbor "easzlab/harbor-offline:$HARBOR_VER" && \
logger debug "cp harbor-offline installer package" && \
docker cp "temp_harbor:/harbor-offline-installer-$HARBOR_VER.tgz" "$BASE/down" && \
logger debug "stop&remove temporary container" && \
docker rm -f temp_harbor
}
function get_offline_image() {
imageDir="$BASE/down"
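Review bot: `get_harbor_offline_pkg` obtains the Harbor offline installer by pulling `easzlab/harbor-offline:$HARBOR_VER` and copying the tarball out, but nothing verifies the artifact; since the upstream Harbor release publishes a detached signature for `harbor-offline-installer-$HARBOR_VER.tgz`, add a checksum or signature check after `docker cp` (or at least record the expected sha256 in ezdown) before the tarball is trusted for installation. Also, the `&&` chain means a failed `docker cp` skips `docker rm -f temp_harbor` and leaves the temporary container behind; run the cleanup unconditionally.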
@ -358,7 +373,7 @@ function main() {
[[ "$#" -eq 0 ]] && { usage >&2; exit 1; }
ACTION=""
while getopts "CDPSd:e:k:m:p:z:" OPTION; do
while getopts "CDPRSd:e:k:m:p:z:" OPTION; do
case "$OPTION" in
C)
ACTION="clean_container"
@ -369,6 +384,9 @@ function main() {
P)
ACTION="get_sys_pkg"
;;
R)
ACTION="get_harbor_offline_pkg"
;;
S)
ACTION="start_kubeasz_docker"
;;

View File

@ -1,39 +1,45 @@
# [optional] to set up a HARBOR, and to integrate the HARBOR with k8s cluster
# read the guide: 'guide/harbor.md'
### --- install harbor ---
- hosts: harbor
roles:
- { role: os-harden, when: "OS_HARDEN|bool" }
- { role: chrony, when: "NEW_INSTALL == 'yes' and groups['chrony']|length > 0" }
- { role: prepare, when: "NEW_INSTALL == 'yes'" }
- { role: docker, when: "NEW_INSTALL == 'yes'" }
- { role: harbor, when: "NEW_INSTALL == 'yes'" }
- { role: os-harden, when: "NEW_INSTALL|bool and OS_HARDEN|bool" }
- { role: chrony, when: "NEW_INSTALL|bool and groups['chrony']|length > 0" }
- { role: prepare, when: "NEW_INSTALL|bool" }
- { role: docker, when: "NEW_INSTALL|bool" }
- { role: harbor, when: "NEW_INSTALL|bool" }
tasks:
- name: Fetching the HARBOR SERVER's CA cert
fetch:
src: "{{ ca_dir }}/ca.pem"
dest: "{{ base_dir }}/down/"
flat: yes
when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT'] == 'yes'
when: 'HARBOR_SELF_SIGNED_CERT|bool'
#when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT']|bool
### --- config k8s nodes to use with harbor ---
- hosts:
- kube_master
- kube_node
tasks:
- name: Define 'harbor_hostname', a domain name
set_fact: harbor_hostname={{ hostvars[groups.harbor[0]]['HARBOR_DOMAIN'] }}
set_fact: harbor_hostname={{ HARBOR_DOMAIN }}
when: "HARBOR_DOMAIN != ''"
- name: Define 'harbor_hostname', an IP Addr
set_fact: harbor_hostname={{ groups['harbor'][0] }}
when: hostvars[groups.harbor[0]]['HARBOR_DOMAIN'] == ''
when: "HARBOR_DOMAIN == ''"
- block:
- block:
- name: Creating cert dir for the docker daemon
file: name=/etc/docker/certs.d/{{ harbor_hostname }} state=directory
file: name=/etc/docker/certs.d/{{ harbor_hostname }}:{{ HARBOR_TLS_PORT }} state=directory
- name: Installing the HARBOR SERVER's CA cert for docker
copy: src={{ base_dir }}/down/ca.pem dest=/etc/docker/certs.d/{{ harbor_hostname }}/ca.crt
copy:
src: "{{ base_dir }}/down/ca.pem"
dest: "/etc/docker/certs.d/{{ harbor_hostname }}:{{ HARBOR_TLS_PORT }}/ca.crt"
when: CONTAINER_RUNTIME == 'docker'
- block:
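Review bot: the commented-out `#when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT']|bool` under the fetch task is dead code left from the rename and should be removed. One caveat on the new cert dir `/etc/docker/certs.d/{{ harbor_hostname }}:{{ HARBOR_TLS_PORT }}`: Docker resolves the directory from the registry host as written in the image reference, so if an operator sets `HARBOR_TLS_PORT: 443` and pulls `harbor.yourdomain.com/...` without a port, the `:443` directory is not consulted; either document that the port must always be included in references or also create the port-less directory when the port is 443.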
@ -68,7 +74,7 @@
when:
- 'CONTAINER_RUNTIME == "containerd"'
- 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT'] == 'yes'
when: 'HARBOR_SELF_SIGNED_CERT|bool'
# [optional] if you have a DNS server, add an 'A record' instead
- name: Adding an '/etc/hosts' entry for the HARBOR DOMAIN

View File

@ -1,36 +1,40 @@
- name: 生成 harbor 随机密码
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
register: harbor_password_gen
- name: 生成 DB 随机密码
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
register: db_password_gen
- name: 创建 data 目录
- name: 创建 /var/data 目录
file:
path: /data
path: /var/data
state: directory
mode: 0755
# 注册变量 result如果 /data 目录下存在 registry 目录说明已经安装过 harbor则不进行安装
# 注册变量 result如果 /var/data 目录下存在 registry 目录说明已经安装过 harbor则不进行安装
- name: 注册变量 result
command: ls /data
command: ls /var/data
register: result
- block:
- name: 生成 harbor 随机密码
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
register: harbor_password_gen
- debug: var="harbor_password_gen.stdout"
- name: 生成 DB 随机密码
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
register: db_password_gen
- debug: var="db_password_gen.stdout"
- name: 下发 docker compose 二进制文件
copy: src={{ base_dir }}/bin/docker-compose dest={{ bin_dir }}/docker-compose mode=0755
- name: 下发 harbor 离线安装包
copy:
src: "{{ base_dir }}/down/harbor-offline-installer-{{ HARBOR_VER }}.tgz"
dest: "/data/harbor-offline-installer-{{ HARBOR_VER }}.tgz"
dest: "/var/data/harbor-offline-installer-{{ HARBOR_VER }}.tgz"
- name: 解压 harbor 离线安装包
shell: "cd /data && tar zxf harbor-offline-installer-{{ HARBOR_VER }}.tgz"
shell: "cd /var/data && tar zxf harbor-offline-installer-{{ HARBOR_VER }}.tgz"
- name: 导入 harbor 所需 docker images
shell: "{{ bin_dir }}/docker load -i /data/harbor/harbor.{{ HARBOR_VER }}.tar.gz"
shell: "{{ bin_dir }}/docker load -i /var/data/harbor/harbor.{{ HARBOR_VER }}.tar.gz"
- block:
- name: 创建 harbor 证书请求
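Review bot: the two new `- debug: var="harbor_password_gen.stdout"` / `- debug: var="db_password_gen.stdout"` tasks print the freshly generated admin and database passwords to the Ansible console (and into any log file or CI output capturing it), which undoes the point of replacing the default Harbor12345; drop the debug tasks and add `no_log: true` to the two `shell` generation tasks, leaving harbor.yml on the harbor host as the single place the credential is recorded (the guide already tells the operator to read it from there).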
@ -45,31 +49,44 @@
-profile=kubernetes harbor-csr.json|{{ base_dir }}/bin/cfssljson -bare harbor"
connection: local
- name: 生成自签名证书相关
- name: 分发自签名证书
copy: src={{ cluster_dir }}/ssl/{{ item }} dest={{ ca_dir }}/{{ item }}
with_items:
- ca.pem
- harbor.pem
- harbor-key.pem
when: SELF_SIGNED_CERT == 'yes'
when: 'HARBOR_SELF_SIGNED_CERT|bool'
- name: 复制 down 目录下 harbor 证书
- name: 推送非自签名证书(需提前在{{ base_dir }}/down/ 下载好证书)
copy: src={{ base_dir }}/down/{{ item }} dest={{ ca_dir }}/{{ item }}
with_items:
- harbor.pem
- harbor-key.pem
when: SELF_SIGNED_CERT == 'no'
when: 'not HARBOR_SELF_SIGNED_CERT|bool'
- name: 配置 harbor.cfg 文件
template: src=harbor-{{ HARBOR_VER_MAIN }}.cfg.j2 dest=/data/harbor/harbor.cfg
when: HARBOR_VER_MAIN in ["v1.5", "v1.6", "v1.7"]
- name: 准备 harbor 配置文件
template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/var/data/harbor/harbor.yml
- name: 配置 harbor.yml 文件
template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/data/harbor/harbor.yml
when: HARBOR_VER_MAIN in ["v1.8", "v1.9", "v1.10"]
- name: 安装 harbor --with-clair
shell: "cd /data/harbor && \
export PATH={{ bin_dir }}:$PATH && \
./install.sh --with-clair"
#- name: 配置 harbor.yml 文件
#template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/var/data/harbor/harbor.yml
#when: HARBOR_VER_MAIN in ["v1.8", "v1.9", "v1.10"]
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-chartmuseum"
when: "HARBOR_WITH_CHARTMUSEUM|bool"
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-notary"
when: "HARBOR_WITH_NOTARY|bool"
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-trivy"
when: "HARBOR_WITH_TRIVY|bool"
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-clair"
when: "HARBOR_WITH_CLAIR|bool"
- debug: var="HARBOR_INST_OPS"
- name: 安装 harbor
shell: "cd /var/data/harbor && \
export PATH={{ bin_dir }}:$PATH && \
./install.sh {{ HARBOR_INST_OPS }} >> /tmp/harbor-`date +'%Y%m%d%H%M%S'`.log 2>&1"
when: '"registry" not in result.stdout'
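Review bot: the `准备 harbor 配置文件` template task writes harbor.yml containing both `harbor_admin_password` and the DB `password` in plaintext but sets no file mode, so the rendered file gets the default (typically 0644); add `mode: 0600` to that task. Separately, the commented-out `#- name: 配置 harbor.yml 文件` block is dead code and should go, and `>> /tmp/harbor-...log` puts the installer log in /tmp where it is lost on reboot on tmpfs systems; `/var/log/harbor/` (the log location the template configures) is the natural place.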

View File

@ -2,7 +2,8 @@
"CN": "harbor",
"hosts": [
"127.0.0.1",
"{{ HARBOR_HOSTNAME }}"
"{{ inventory_hostname }}",
"{{ HARBOR_DOMAIN }}"
],
"key": {
"algo": "rsa",
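Review bot: the `hosts` array now always contains `"{{ HARBOR_DOMAIN }}"`, but the playbook explicitly supports `HARBOR_DOMAIN == ''` (IP-only access); in that case the CSR gets an empty-string SAN entry, which cfssl may reject or encode as a bogus name. Wrap the entry in `{% if HARBOR_DOMAIN != '' %} ... {% endif %}` and handle the trailing comma after `"{{ inventory_hostname }}"` accordingly.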

View File

@ -0,0 +1,118 @@
# Configuration file of Harbor
hostname: {{ HARBOR_HOSTNAME }}
# https related config
https:
port: {{ HARBOR_TLS_PORT }}
certificate: {{ ca_dir }}/harbor.pem
private_key: {{ ca_dir }}/harbor-key.pem
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: {{ harbor_password_gen.stdout }}
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: {{ db_password_gen.stdout }}
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 50
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 1000
# The default data volume
data_volume: /var/data
# Clair configuration
clair:
# The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
updaters_interval: 12
# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
# ignoreUnfixed The flag to display only fixed vulnerabilities
ignore_unfixed: false
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
skip_update: false
#
# insecure The flag to skip verifying registry certificate
insecure: false
# github_token The GitHub access token to download Trivy DB
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://developer.github.com/v3/#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
#
# github_token: xxx
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 10
chart:
# Change the value of absolute_url to enabled can enable absolute url in chart
absolute_url: disabled
# Log configurations
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 3
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 100M
# The directory on your host that store log
location: /var/log/harbor
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.0.0
# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
# ca_file: /path/to/ca
# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- clair
- trivy

View File

@ -3,4 +3,7 @@
HARBOR_VER_MAIN: "{{ HARBOR_VER.split('.')[0] }}.{{ HARBOR_VER.split('.')[1] }}"
# HARBOR_HOSTNAME 值设置
HARBOR_HOSTNAME: "{% if HARBOR_DOMAIN != '' %}HARBOR_DOMAIN{% else %}inventory_hostname{% endif %}"
HARBOR_HOSTNAME: "{% if HARBOR_DOMAIN != '' %}{{ HARBOR_DOMAIN }}{% else %}{{ inventory_hostname }}{% endif %}"
# harobr 默认安装选项
HARBOR_INST_OPS: ""
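Review bot: the fix to `HARBOR_HOSTNAME` (wrapping `HARBOR_DOMAIN` and `inventory_hostname` in `{{ }}` so the variables are expanded instead of emitted literally) is correct; while here, fix the typo in the new comment `# harobr 默认安装选项` -> `# harbor 默认安装选项`, and note that `HARBOR_VER_MAIN` assumes a dotted version, so an unsubstituted `__harbor__` placeholder from config.yml fails here with an index error rather than a readable message.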