diff --git a/docs/guide/harbor.md b/docs/guide/harbor.md index f3cf6df..70a1d01 100644 --- a/docs/guide/harbor.md +++ b/docs/guide/harbor.md @@ -1,6 +1,6 @@ # harbor 镜像仓库 -Habor是由VMWare中国团队开源的容器镜像仓库。事实上,Habor是在Docker Registry上进行了相应的企业级扩展,从而获得了更加广泛的应用,这些新的企业级特性包括:管理用户界面,基于角色的访问控制 ,水平扩展,同步,AD/LDAP集成以及审计日志等。本文档仅说明部署单个基础harbor服务的步骤。 +Habor是由VMWare中国团队开源的企业级容器镜像仓库。特性包括:友好的用户界面,基于角色的访问控制,水平扩展,同步复制,AD/LDAP集成以及审计日志等。本文档仅说明单机安装harbor 服务。 - 目录 - 安装步骤 
@@ -11,46 +11,66 @@ Habor是由VMWare中国团队开源的容器镜像仓库。事实上,Habor是 ### 安装步骤 -1. 在ansible控制端下载最新的 [docker-compose](https://github.com/docker/compose/releases) 二进制文件,改名后把它放到项目 `/etc/ansible/bin`目录(已包含) +1. 下载离线安装包,成功后在/etc/kubeasz/down/目录下有离线包harbor-offline-installer-$HARBOR_VER.tgz -2. 在ansible控制端下载最新的 [harbor](https://github.com/vmware/harbor/releases) 离线安装包,把它放到项目 `/etc/ansible/down` 目录 - -3. 在ansible控制端编辑/etc/ansible/hosts文件,可以参考 `example`目录下的模板,修改部分举例如下 - -``` bash -# 参数 NEW_INSTALL=(yes/no):yes表示新建 harbor,并配置k8s节点的docker可以使用harbor仓库 -# no 表示仅配置k8s节点的docker使用已有的harbor仓库 -# 参数 SELF_SIGNED_CERT=(yes/no): yes表示使用自签名证书,即安装程序帮你做一个自己签名的证书(当然这样的证书是得不到浏览器直接认可的) -# no 表示使用已有的证书,如 letsencrypt 或者其他证书颁发机构,如使用此参数,需把证书提前放在 down 目录下,文件名称分别为:harbor.pem 和 harbor-key.pem -# 如果不需要设置域名访问 harbor,可以配置参数 HARBOR_DOMAIN="" -[harbor] -192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=yes SELF_SIGNED_CERT=yes +``` +ezdown -D +ezdown -R ``` -4. 在ansible控制端执行 `ansible-playbook /etc/ansible/11.harbor.yml`,完成harbor安装和docker 客户端配置 +2. 利用ezctl [文档](../setup/ezctl.md) 创建一个新的集群,已有集群修改同样的文件 + +``` +#clusters/xxx/hosts 中修改如下,配置harbor组下机器,设置NEW_INSTALL=true +... +# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one +[harbor] +192.168.1.8 NEW_INSTALL=true +... + +#clusters/xxx/config.yml 中修改如下,按需修改HARBOR_DOMAIN/HARBOR_TLS_PORT 等配置项 +############################ +# role:harbor +############################ +# harbor version,完整版本号 +HARBOR_VER: "v2.1.3" +HARBOR_DOMAIN: "harbor.yourdomain.com" +HARBOR_TLS_PORT: 8443 + +# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down' +HARBOR_SELF_SIGNED_CERT: true + +# install component +HARBOR_WITH_NOTARY: false +HARBOR_WITH_TRIVY: false +HARBOR_WITH_CLAIR: false +HARBOR_WITH_CHARTMUSEUM: true +``` + +3. 配置完成后,执行 `./ezctl setup xxx harbor`,完成harbor安装和docker 客户端配置 - 安装验证 1. 在harbor节点使用`docker ps -a` 查看harbor容器组件运行情况 -2. 
浏览器访问harbor节点的IP地址 `https://$NodeIP`,管理员账号是 admin ,密码见 harbor.cfg(v1.5-v1.7) 或 harbor.yml(v1.8+) 文件 harbor_admin_password 对应值(默认密码 Harbor12345 已被随机生成的16位随机密码替换,不然存在安全隐患) +2. 浏览器访问地址(忽略证书报错) `https://${HARBOR_DOMAIN}:${HARBOR_TLS_PORT}`,管理员账号是 admin ,密码见harbor.yml文件 harbor_admin_password 对应值(默认密码 Harbor12345 已被随机生成的16位随机密码替换,不然存在安全隐患) ### 安装讲解 -根据`11.harbor.yml`文件,harbor节点需要以下步骤: +根据`playbooks/11.harbor.yml`文件,harbor节点需要以下步骤: +- role `os-harden` 系统安全加固(可选) +- role `chrony` 时间同步服务(可选) - role `prepare` 基础系统环境准备 - role `docker` 安装docker - role `harbor` 安装harbor - 注意:`kube_node`节点在harbor部署完之后,需要配置harbor的证书(详见下节配置docker/containerd信任harbor证书),并可以在hosts里面添加harbor的域名解析,如果你的环境中有dns服务器,可以跳过hosts文件设置 -请在另外窗口打开 [roles/harbor/tasks/main.yml](../../roles/harbor/tasks/main.yml),对照以下讲解 - 1. 下载docker-compose可执行文件到$PATH目录 1. 自注册变量result判断是否已经安装harbor,避免重复安装问题 1. 解压harbor离线安装包到指定目录 1. 导入harbor所需 docker images 1. 创建harbor证书和私钥(复用集群的CA证书) -1. 修改harbor.cfg配置文件 +1. 修改harbor.yml配置文件 1. 启动harbor安装脚本 ### 配置docker/containerd信任harbor证书 @@ -67,13 +87,13 @@ $ crictl pull harbor.test.lo/pub/hello:v0.1.4 FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to resolve image "harbor.test.lo/pub/hello:v0.1.4": no available registry endpoint: failed to do request: Head https://harbor.test.lo/v2/pub/hello/manifests/v0.1.4: x509: certificate signed by unknown authority ``` -项目脚本`11.harbor.yml`中已经自动为k8s集群的每个node节点配置 docker/containerd 信任自建 harbor 证书;如果你无法运行此脚本,可以参考下述手工配置(使用受信任的正式证书 SELF_SIGNED_CERT=no 可忽略) +项目脚本`11.harbor.yml`中已经自动为k8s集群的每个node节点配置 docker/containerd 信任自建 harbor 证书;如果你无法运行此脚本,可以参考下述手工配置 #### docker配置信任harbor证书 在集群每个 node 节点进行如下配置 -- 创建目录 /etc/docker/certs.d/harbor.test.lo/ (harbor.test.lo为你的harbor域名) +- 创建目录 /etc/docker/certs.d/harbor.yourdomain.com:8443/ (以默认配置举例) - 复制 harbor 安装时的 CA 证书到上述目录,并改名 ca.crt 即可 #### containerd配置信任harbor证书 
@@ -164,9 +184,9 @@ type: kubernetes.io/dockerconfigjson ### 管理维护 + 日志目录 `/var/log/harbor` -+ 数据目录 `/data` ,其中最主要是 `/data/database` 和 `/data/registry` 目录,如果你要彻底重新安装harbor,删除这两个目录即可 ++ 数据目录 `/var/data` ,其中最主要是 `/var/data/database` 和 `/var/data/registry` 目录,如果你要彻底重新安装harbor,删除这两个目录即可 -先进入harbor安装目录 `cd /data/harbor`,常规操作如下: +先进入harbor安装目录 `cd /var/data/harbor`,常规操作如下: 1. 暂停harbor `docker-compose stop` : docker容器stop,并不删除容器 2. 恢复harbor `docker-compose start` : 恢复docker容器运行 @@ -185,33 +205,3 @@ type: kubernetes.io/dockerconfigjson # 启动 harbor docker-compose up -d ``` -#### harbor 升级 - -以下步骤基于harbor 1.1.2 版本升级到 1.2.2版本 - -``` bash -# 进入harbor解压缩后的目录,停止harbor -cd /data/harbor -docker-compose down - -# 备份这个目录 -cd .. -mkdir -p /backup && mv harbor /backup/harbor - -# 下载更新的离线安装包,并解压 -tar xvf harbor-offline-installer-v1.2.2.tgz -C /data - -# 使用官方数据库迁移工具,备份数据库,修改数据库连接用户和密码,创建数据库备份目录 -# 迁移工具使用docker镜像,镜像tag由待升级到目标harbor版本决定,这里由 1.1.2升级到1.2.2,所以使用 tag 1.2 -docker pull vmware/harbor-db-migrator:1.2 -mkdir -p /backup/db-1.1.2 -docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql -v /backup/db-1.1.2:/harbor-migration/backup vmware/harbor-db-migrator:1.2 backup - -# 因为新老版本数据库结构不一样,需要数据库migration -docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql vmware/harbor-db-migrator:1.2 up head - -# 修改新版本 harbor.cfg(v1.5-v1.7) 或 harbor.yml(v1.8+) 配置,需要保持与老版本相关配置项保持一致,然后执行安装即可 -cd /data/harbor -vi harbor.cfg -./install.sh -``` diff --git a/docs/setup/00-planning_and_overall_intro.md b/docs/setup/00-planning_and_overall_intro.md index e572534..8d57c80 100644 --- a/docs/setup/00-planning_and_overall_intro.md +++ b/docs/setup/00-planning_and_overall_intro.md 
@@ -58,17 +58,18 @@ yum update yum install python -y ``` -### 3.在ansible控制端安装及准备ansible +### 3.在部署节点安装ansible及准备ssh免密登陆 -- 3.1 pip 安装 ansible(如果 Ubuntu pip报错,请看[附录](00-planning_and_overall_intro.md#Appendix)) +- 3.1 安装ansible (也可以使用容器化运行kubeasz,已经预装好ansible) ``` bash -# Ubuntu 16.04 -apt-get install git python-pip -y -# CentOS 7 -yum install git python-pip -y +# 注意pip 21.0以后不再支持python2和python3.5,需要如下安装 +# To install pip for Python 2.7 install it from https://bootstrap.pypa.io/2.7/ : +curl -O https://bootstrap.pypa.io/2.7/get-pip.py +python get-pip.py +python -m pip install --upgrade "pip < 21.0" + # pip安装ansible(国内如果安装太慢可以直接用pip阿里云加速) -pip install pip --upgrade -i https://mirrors.aliyun.com/pypi/simple/ pip install ansible -i https://mirrors.aliyun.com/pypi/simple/ ``` @@ -125,29 +126,5 @@ ezctl setup k8s-01 all ... ``` -## Appendix - -- Ubuntu 1604 安装 ansible 如果出现以下错误 - -``` bash -Traceback (most recent call last): - File "/usr/bin/pip", line 9, in - from pip import main -ImportError: cannot import name main -``` -将`/usr/bin/pip`做以下修改即可 - -``` bash -#原代码 -from pip import main -if __name__ == '__main__': - sys.exit(main()) - -#修改后 -from pip import __main__ -if __name__ == '__main__': - sys.exit(__main__._main()) -``` - [后一篇](01-CA_and_prerequisite.md) diff --git a/example/config.yml b/example/config.yml index da37028..ef58c8c 100644 --- a/example/config.yml +++ b/example/config.yml @@ -194,4 +194,15 @@ prom_chart_ver: "__prom_chart__" # role:harbor ############################ # harbor version,完整版本号 -HARBOR_VER: "v1.9.4" +HARBOR_VER: "__harbor__" +HARBOR_DOMAIN: "harbor.yourdomain.com" +HARBOR_TLS_PORT: 8443 + +# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down' +HARBOR_SELF_SIGNED_CERT: true + +# install extra component +HARBOR_WITH_NOTARY: false +HARBOR_WITH_TRIVY: false +HARBOR_WITH_CLAIR: false +HARBOR_WITH_CHARTMUSEUM: true diff --git a/example/hosts.allinone b/example/hosts.allinone index 5a1c448..4f8bfec 100644 
--- a/example/hosts.allinone +++ b/example/hosts.allinone @@ -11,10 +11,9 @@ 192.168.1.1 # [optional] harbor server, a private docker registry -# 'NEW_INSTALL': 'yes' to install a harbor server; 'no' to integrate with existed one -# 'SELF_SIGNED_CERT': 'no' you need put files of certificates named harbor.pem and harbor-key.pem in directory 'down' +# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one [harbor] -#192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=no SELF_SIGNED_CERT=yes +#192.168.1.8 NEW_INSTALL=false # [optional] loadbalance for accessing k8s from outside [ex_lb] diff --git a/example/hosts.multi-node b/example/hosts.multi-node index a449644..2e774ff 100644 --- a/example/hosts.multi-node +++ b/example/hosts.multi-node @@ -15,10 +15,9 @@ 192.168.1.4 # [optional] harbor server, a private docker registry -# 'NEW_INSTALL': 'yes' to install a harbor server; 'no' to integrate with existed one -# 'SELF_SIGNED_CERT': 'no' you need put files of certificates named harbor.pem and harbor-key.pem in directory 'down' +# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one [harbor] -#192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=no SELF_SIGNED_CERT=yes +#192.168.1.8 NEW_INSTALL=false # [optional] loadbalance for accessing k8s from outside [ex_lb] diff --git a/ezctl b/ezctl index fc2e14f..b02c632 100755 --- a/ezctl +++ b/ezctl @@ -118,6 +118,7 @@ available steps: 06 network to setup the network plugin 07 cluster-addon to setup other useful plugins all to run 01~07 all at once + harbor to install a new harbor server or to integrate with an existed one examples: ./ezctl setup test-k8s 01 ./ezctl setup test-k8s 02 
@@ -150,6 +151,7 @@ function new() { metricsVer=$(grep 'metricsVer=' ezdown|cut -d'=' -f2) promChartVer=$(grep 'promChartVer=' ezdown|cut -d'=' -f2) traefikChartVer=$(grep 'traefikChartVer=' ezdown|cut -d'=' -f2) + harborVer=$(grep 'HARBOR_VER=' ezdown|cut -d'=' -f2) registryMirror=true grep registry-mirrors /etc/docker/daemon.json > /dev/null 2>&1 || { logger debug "disable registry mirrors"; registryMirror=false; } @@ -165,6 +167,7 @@ function new() { -e "s/__dash_metrics__/$dashboardMetricsScraperVer/g" \ -e "s/__prom_chart__/$promChartVer/g" \ -e "s/__traefik_chart__/$traefikChartVer/g" \ + -e "s/__harbor__/$harborVer/g" \ -e "s/^ENABLE_MIRROR_REGISTRY.*$/ENABLE_MIRROR_REGISTRY: $registryMirror/g" \ -e "s/__metrics__/$metricsVer/g" "clusters/$1/config.yml" @@ -207,6 +210,9 @@ function setup() { (all) PLAY_BOOK="90.setup.yml" ;; + (harbor) + PLAY_BOOK="11.harbor.yml" + ;; (*) usage-setup exit 1 diff --git a/ezdown b/ezdown index ccbf03b..770faf1 100755 --- a/ezdown +++ b/ezdown @@ -18,6 +18,7 @@ KUBEASZ_VER=3.0.0 K8S_BIN_VER=v1.20.2 EXT_BIN_VER=0.8.1 SYS_PKG_VER=0.3.3 +HARBOR_VER=v2.1.3 REGISTRY_MIRROR=CN # images needed by k8s cluster @@ -42,6 +43,7 @@ function usage() { -C stop&clean all local containers -D download all into "$BASE" -P download system packages for offline installing + -R download Registry(harbor) offline installer -S start kubeasz in a container -d set docker-ce version, default "$DOCKER_VER" -e set kubeasz-ext-bin version, default "$EXT_BIN_VER" 
@@ -245,6 +247,19 @@ function get_sys_pkg() { docker rm -f temp_sys_pkg } +function get_harbor_offline_pkg() { + [[ -f "$BASE/down/harbor-offline-installer-$HARBOR_VER.tgz" ]] && { logger warn "harbor-offline existed"; return 0; } + + logger info "downloading harbor-offline:$HARBOR_VER" + docker pull "easzlab/harbor-offline:$HARBOR_VER" && \ + logger debug "run a temporary container" && \ + docker run -d --name temp_harbor "easzlab/harbor-offline:$HARBOR_VER" && \ + logger debug "cp harbor-offline installer package" && \ + docker cp "temp_harbor:/harbor-offline-installer-$HARBOR_VER.tgz" "$BASE/down" && \ + logger debug "stop&remove temporary container" && \ + docker rm -f temp_harbor +} + function get_offline_image() { imageDir="$BASE/down" @@ -358,7 +373,7 @@ function main() { [[ "$#" -eq 0 ]] && { usage >&2; exit 1; } ACTION="" - while getopts "CDPSd:e:k:m:p:z:" OPTION; do + while getopts "CDPRSd:e:k:m:p:z:" OPTION; do case "$OPTION" in C) ACTION="clean_container" @@ -369,6 +384,9 @@ function main() { P) ACTION="get_sys_pkg" ;; + R) + ACTION="get_harbor_offline_pkg" + ;; S) ACTION="start_kubeasz_docker" ;; diff --git a/playbooks/11.harbor.yml b/playbooks/11.harbor.yml index 229b7af..425bf8d 100644 --- a/playbooks/11.harbor.yml +++ b/playbooks/11.harbor.yml 
@@ -1,39 +1,45 @@ # [optional] to set up a HARBOR, and to integrate the HARBOR with k8s cluster # read the guide: 'guide/harbor.md' +### --- install harbor --- - hosts: harbor roles: - - { role: os-harden, when: "OS_HARDEN|bool" } - - { role: chrony, when: "NEW_INSTALL == 'yes' and groups['chrony']|length > 0" } - - { role: prepare, when: "NEW_INSTALL == 'yes'" } - - { role: docker, when: "NEW_INSTALL == 'yes'" } - - { role: harbor, when: "NEW_INSTALL == 'yes'" } + - { role: os-harden, when: "NEW_INSTALL|bool and OS_HARDEN|bool" } + - { role: chrony, when: "NEW_INSTALL|bool and groups['chrony']|length > 0" } + - { role: prepare, when: "NEW_INSTALL|bool" } + - { role: docker, when: "NEW_INSTALL|bool" } + - { role: harbor, when: "NEW_INSTALL|bool" } tasks: - name: Fetching the HARBOR SERVER's CA cert fetch: src: "{{ ca_dir }}/ca.pem" dest: "{{ base_dir }}/down/" flat: yes - when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT'] == 'yes' + when: 'HARBOR_SELF_SIGNED_CERT|bool' + #when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT']|bool +### --- config k8s nodes to use with harbor --- - hosts: - kube_master - kube_node tasks: - name: Define 'harbor_hostname', a domain name - set_fact: harbor_hostname={{ hostvars[groups.harbor[0]]['HARBOR_DOMAIN'] }} + set_fact: harbor_hostname={{ HARBOR_DOMAIN }} + when: "HARBOR_DOMAIN != ''" - name: Define 'harbor_hostname', an IP Addr set_fact: harbor_hostname={{ groups['harbor'][0] }} - when: hostvars[groups.harbor[0]]['HARBOR_DOMAIN'] == '' - + when: "HARBOR_DOMAIN == ''" + - block: - block: - name: Creating cert dir for the docker daemon - file: name=/etc/docker/certs.d/{{ harbor_hostname }} state=directory + file: name=/etc/docker/certs.d/{{ harbor_hostname }}:{{ HARBOR_TLS_PORT }} state=directory - name: Installing the HARBOR SERVER's CA cert for docker - copy: src={{ base_dir }}/down/ca.pem dest=/etc/docker/certs.d/{{ harbor_hostname }}/ca.crt + copy: + src: "{{ base_dir }}/down/ca.pem" + dest: "/etc/docker/certs.d/{{ 
harbor_hostname }}:{{ HARBOR_TLS_PORT }}/ca.crt" when: CONTAINER_RUNTIME == 'docker' - block: @@ -68,7 +74,7 @@ when: - 'CONTAINER_RUNTIME == "containerd"' - 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]' - when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT'] == 'yes' + when: 'HARBOR_SELF_SIGNED_CERT|bool' # [optional] if you have a DNS server, add an 'A record' instead - name: Adding an '/etc/hosts' entry for the HARBOR DOMAIN diff --git a/roles/harbor/tasks/main.yml b/roles/harbor/tasks/main.yml index b841b24..369cec3 100644 --- a/roles/harbor/tasks/main.yml +++ b/roles/harbor/tasks/main.yml 
@@ -1,36 +1,40 @@ -- name: 生成 harbor 随机密码 - shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16 - register: harbor_password_gen - -- name: 生成 DB 随机密码 - shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16 - register: db_password_gen - -- name: 创建 data 目录 +- name: 创建 /var/data 目录 file: - path: /data + path: /var/data state: directory mode: 0755 -# 注册变量 result,如果 /data 目录下存在 registry 目录说明已经安装过 harbor,则不进行安装 +# 注册变量 result,如果 /var/data 目录下存在 registry 目录说明已经安装过 harbor,则不进行安装 - name: 注册变量 result - command: ls /data + command: ls /var/data register: result - block: + - name: 生成 harbor 随机密码 + shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16 + register: harbor_password_gen + + - debug: var="harbor_password_gen.stdout" + + - name: 生成 DB 随机密码 + shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16 + register: db_password_gen + + - debug: var="db_password_gen.stdout" + - name: 下发 docker compose 二进制文件 copy: src={{ base_dir }}/bin/docker-compose dest={{ bin_dir }}/docker-compose mode=0755 - name: 下发 harbor 离线安装包 copy: src: "{{ base_dir }}/down/harbor-offline-installer-{{ HARBOR_VER }}.tgz" - dest: "/data/harbor-offline-installer-{{ HARBOR_VER }}.tgz" + dest: "/var/data/harbor-offline-installer-{{ HARBOR_VER }}.tgz" - name: 解压 harbor 离线安装包 - shell: "cd /data && tar zxf harbor-offline-installer-{{ HARBOR_VER }}.tgz" + shell: "cd /var/data && tar zxf harbor-offline-installer-{{ HARBOR_VER }}.tgz" - name: 导入 harbor 所需 docker images - shell: "{{ bin_dir }}/docker load -i /data/harbor/harbor.{{ HARBOR_VER }}.tar.gz" + shell: "{{ bin_dir }}/docker load -i /var/data/harbor/harbor.{{ HARBOR_VER }}.tar.gz" - block: - name: 创建 harbor 证书请求 
@@ -45,31 +49,44 @@ -profile=kubernetes harbor-csr.json|{{ base_dir }}/bin/cfssljson -bare harbor" connection: local - - name: 生成自签名证书相关 + - name: 分发自签名证书 copy: src={{ cluster_dir }}/ssl/{{ item }} dest={{ ca_dir }}/{{ item }} with_items: + - ca.pem - harbor.pem - harbor-key.pem - when: SELF_SIGNED_CERT == 'yes' + when: 'HARBOR_SELF_SIGNED_CERT|bool' - - name: 复制 down 目录下 harbor 证书 + - name: 推送非自签名证书(需提前在{{ base_dir }}/down/ 下载好证书) copy: src={{ base_dir }}/down/{{ item }} dest={{ ca_dir }}/{{ item }} with_items: - harbor.pem - harbor-key.pem - when: SELF_SIGNED_CERT == 'no' + when: 'not HARBOR_SELF_SIGNED_CERT|bool' - - name: 配置 harbor.cfg 文件 - template: src=harbor-{{ HARBOR_VER_MAIN }}.cfg.j2 dest=/data/harbor/harbor.cfg - when: HARBOR_VER_MAIN in ["v1.5", "v1.6", "v1.7"] + - name: 准备 harbor 配置文件 + template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/var/data/harbor/harbor.yml - - name: 配置 harbor.yml 文件 - template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/data/harbor/harbor.yml - when: HARBOR_VER_MAIN in ["v1.8", "v1.9", "v1.10"] - - - - name: 安装 harbor --with-clair - shell: "cd /data/harbor && \ - export PATH={{ bin_dir }}:$PATH && \ - ./install.sh --with-clair" + #- name: 配置 harbor.yml 文件 + #template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/var/data/harbor/harbor.yml + #when: HARBOR_VER_MAIN in ["v1.8", "v1.9", "v1.10"] + + - set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-chartmuseum" + when: "HARBOR_WITH_CHARTMUSEUM|bool" + + - set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-notary" + when: "HARBOR_WITH_NOTARY|bool" + + - set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-trivy" + when: "HARBOR_WITH_TRIVY|bool" + + - set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-clair" + when: "HARBOR_WITH_CLAIR|bool" + + - debug: var="HARBOR_INST_OPS" + + - name: 安装 harbor + shell: "cd /var/data/harbor && \ + export PATH={{ bin_dir }}:$PATH && \ + ./install.sh {{ HARBOR_INST_OPS }} >> /tmp/harbor-`date +'%Y%m%d%H%M%S'`.log 2>&1" 
when: '"registry" not in result.stdout' diff --git a/roles/harbor/templates/harbor-csr.json.j2 b/roles/harbor/templates/harbor-csr.json.j2 index c08604d..1247a2b 100644 --- a/roles/harbor/templates/harbor-csr.json.j2 +++ b/roles/harbor/templates/harbor-csr.json.j2 @@ -2,7 +2,8 @@ "CN": "harbor", "hosts": [ "127.0.0.1", - "{{ HARBOR_HOSTNAME }}" + "{{ inventory_hostname }}", + "{{ HARBOR_DOMAIN }}" ], "key": { "algo": "rsa", diff --git a/roles/harbor/templates/harbor-v2.1.yml.j2 b/roles/harbor/templates/harbor-v2.1.yml.j2 new file mode 100644 index 0000000..8e21ab7 --- /dev/null +++ b/roles/harbor/templates/harbor-v2.1.yml.j2 
@@ -0,0 +1,118 @@ +# Configuration file of Harbor +hostname: {{ HARBOR_HOSTNAME }} + +# https related config +https: + port: {{ HARBOR_TLS_PORT }} + certificate: {{ ca_dir }}/harbor.pem + private_key: {{ ca_dir }}/harbor-key.pem + +# Uncomment external_url if you want to enable external proxy +# And when it enabled the hostname will no longer used +# external_url: https://reg.mydomain.com:8433 + +# The initial password of Harbor admin +# It only works in first time to install harbor +# Remember Change the admin password from UI after launching Harbor. +harbor_admin_password: {{ harbor_password_gen.stdout }} + +# Harbor DB configuration +database: + # The password for the root user of Harbor DB. Change this before any production use. + password: {{ db_password_gen.stdout }} + # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. + max_idle_conns: 50 + # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgres of harbor. + max_open_conns: 1000 + +# The default data volume +data_volume: /var/data + +# Clair configuration +clair: + # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters. + updaters_interval: 12 + +# Trivy configuration +# +# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. +# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached +# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it +# should download a newer version from the Internet or use the cached one. Currently, the database is updated every +# 12 hours and published as a new release to GitHub. 
+trivy: + # ignoreUnfixed The flag to display only fixed vulnerabilities + ignore_unfixed: false + # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub + # + # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and + # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path. + skip_update: false + # + # insecure The flag to skip verifying registry certificate + insecure: false + # github_token The GitHub access token to download Trivy DB + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + # + # github_token: xxx + +jobservice: + # Maximum number of job workers in job service + max_job_workers: 10 + +notification: + # Maximum retry count for webhook job + webhook_job_max_retry: 10 + +chart: + # Change the value of absolute_url to enabled can enable absolute url in chart + absolute_url: disabled + +# Log configurations +log: + # options are debug, info, warning, error, fatal + level: info + # configs for logs in local storage + local: + # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. + rotate_count: 3 + # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. 
+ # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G + # are all valid. + rotate_size: 100M + # The directory on your host that store log + location: /var/log/harbor + +#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! +_version: 2.0.0 + +# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert. +# uaa: +# ca_file: /path/to/ca + +# Global proxy +# Config http proxy for components, e.g. http://my.proxy.com:3128 +# Components doesn't need to connect to each others via http proxy. +# Remove component from `components` array if want disable proxy +# for it. If you want use proxy for replication, MUST enable proxy +# for core and jobservice, and set `http_proxy` and `https_proxy`. +# Add domain to the `no_proxy` field, when you want disable proxy +# for some special registry. +proxy: + http_proxy: + https_proxy: + no_proxy: + components: + - core + - jobservice + - clair + - trivy diff --git a/roles/harbor/vars/main.yml b/roles/harbor/vars/main.yml index 0cbff3e..cd95307 100644 --- a/roles/harbor/vars/main.yml +++ b/roles/harbor/vars/main.yml @@ -3,4 +3,7 @@ HARBOR_VER_MAIN: "{{ HARBOR_VER.split('.')[0] }}.{{ HARBOR_VER.split('.')[1] }}" # HARBOR_HOSTNAME 值设置 -HARBOR_HOSTNAME: "{% if HARBOR_DOMAIN != '' %}HARBOR_DOMAIN{% else %}inventory_hostname{% endif %}" +HARBOR_HOSTNAME: "{% if HARBOR_DOMAIN != '' %}{{ HARBOR_DOMAIN }}{% else %}{{ inventory_hostname }}{% endif %}" + +# harobr 默认安装选项 +HARBOR_INST_OPS: ""
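Review bot: The rewritten intro line of docs/guide/harbor.md (`+Habor是由VMWare中国团队开源的企业级容器镜像仓库...`) keeps the pre-existing misspellings "Habor" and "VMWare"; since the sentence is being replaced anyway, correct them to "Harbor" and "VMware" (the lowercase `harbor` in the heading and `HARBOR_*` variables are fine as identifiers).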
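Review bot: The config.yml excerpt embedded in the docs step-2 hunk (`# install component`) has drifted from the real example/config.yml in the same commit (`# install extra component`); keep the two copies identical, or better, replace the inline copy with a pointer to example/config.yml so they cannot drift again. In the same hunk, the verification step tells the reader to find the admin password in harbor.yml, which is the right place; note that the tasks hunk below also prints it with a `debug` task, so one of the two should go.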
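Review bot: The hunk at `@@ -67,13 +87,13 @@` in docs/guide/harbor.md still says `项目脚本`11.harbor.yml`中已经自动...` while the rest of the rewritten guide now refers to `./ezctl setup xxx harbor` and `playbooks/11.harbor.yml`; update the reference so the manual-configuration fallback points at the new entry point. The manual `certs.d/harbor.yourdomain.com:8443/` example is correct for a non-443 port, but add the caveat that when `HARBOR_TLS_PORT` is 443 and images are referenced without a port, the docker daemon looks in `certs.d/harbor.yourdomain.com/` (no port suffix).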
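Review bot: Moving the data directory from `/data` to `/var/data` (docs hunk `@@ -164,9 +184,9 @@` and the tasks hunk) is a breaking change for existing installations, but the guide gets no migration note; add one sentence telling operators with an existing `/data/harbor` install either to move it to `/var/data` before re-running the playbook or to keep `NEW_INSTALL=false`. This matters because the new idempotency check (`command: ls /var/data` ... `'"registry" not in result.stdout'`) will not see an old install under `/data` and will run a second, fresh Harbor install on the same host.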
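Review bot: Deleting the whole `#### harbor 升级` section (hunk `@@ -185,33 +205,3 @@`) removes the only backup-and-upgrade procedure from the guide without a replacement; since the old steps were v1-specific, at least link the upstream Harbor upgrade/migration documentation for v2 and state that `/var/data/database` and `/var/data/registry` must be backed up first, which the remaining 管理维护 text only mentions in the context of deleting them.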
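Review bot: The new pip bootstrap in docs/setup/00-planning_and_overall_intro.md (`curl -O https://bootstrap.pypa.io/2.7/get-pip.py`, `python -m pip install --upgrade "pip < 21.0"`) documents Python 2.7 as the primary path on the control node; Python 2.7 is end-of-life and newer ansible-core releases do not run on it, so present the Python 3 route (`python3 -m pip install ansible`) as the default and keep the 2.7 pin only as a legacy fallback. The removal of the `## Appendix` pip-traceback workaround is consistent, since the rewritten 3.1 line no longer links to it.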
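Review bot: Grammar in the new inventory comment (`# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one`) in example/hosts.allinone, repeated in example/hosts.multi-node and in the ezctl usage line (`harbor to install a new harbor server or to integrate with an existed one`): "existed" should be "existing" in all three places. The switch from `yes`/`no` strings to `true`/`false` is fine now that the playbook uses `|bool`, but the commented default `#192.168.1.8 NEW_INSTALL=false` should mention that `HARBOR_DOMAIN` and `HARBOR_TLS_PORT` moved to config.yml, otherwise users upgrading their hosts file will look for the removed per-host variables.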
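Review bot: In the ezctl `new()` hunk, `harborVer=$(grep 'HARBOR_VER=' ezdown|cut -d'=' -f2)` follows the existing pattern but is unanchored; any future line in ezdown containing `HARBOR_VER=` (a comment, a second assignment) would make `$harborVer` multi-line and corrupt the `sed -e "s/__harbor__/$harborVer/g"` substitution in config.yml. Anchoring with `grep '^HARBOR_VER='` costs nothing and is worth applying to the other `grep '...Ver='` lines while touching this block.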
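Review bot: `get_harbor_offline_pkg()` in ezdown leaks the temporary container on partial failure: the chain `docker run -d --name temp_harbor ... && docker cp ... && docker rm -f temp_harbor` only removes `temp_harbor` when every step succeeds, so a failed `docker cp` leaves it behind and the next `ezdown -R` fails on the name conflict. Use `docker create` instead of `docker run -d` (the container does not need to be running for `docker cp`) and remove it unconditionally after the copy. Separately, the installer tarball is taken from the third-party `easzlab/harbor-offline:$HARBOR_VER` image with no integrity check; record the sha256 of the upstream `harbor-offline-installer-$HARBOR_VER.tgz` release asset next to `HARBOR_VER=v2.1.3` and verify it after the copy (or pin the image by digest), so a substituted image cannot silently replace the registry software every node will trust.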
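Review bot: In playbooks/11.harbor.yml the commented-out line `#when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT']|bool` is dead code left next to its replacement `when: 'HARBOR_SELF_SIGNED_CERT|bool'`; remove it, and strip the trailing whitespace on the `- ` line introduced above `- block:`. The new cert directory `/etc/docker/certs.d/{{ harbor_hostname }}:{{ HARBOR_TLS_PORT }}` is correct for the default 8443, but dockerd derives the directory from the registry reference, so when `HARBOR_TLS_PORT` is 443 and images are pulled as `harbor.domain/...` it looks in `certs.d/harbor.domain/` instead; either document that or drop the `:{{ HARBOR_TLS_PORT }}` suffix when the port is 443.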
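Review bot: The two new `- debug: var="harbor_password_gen.stdout"` / `- debug: var="db_password_gen.stdout"` tasks in roles/harbor/tasks/main.yml print the generated admin and database passwords to the Ansible console, which ends up in terminal scrollback and any CI or log collection of the run. Drop both debug tasks and add `no_log: true` to the two `shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16` tasks; the guide already tells operators to read the admin password from harbor.yml on the host. Moving the generation inside the `block` is a good change, since it stops regenerating secrets on every run.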
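Review bot: The rendered harbor.yml holds `harbor_admin_password` and the DB `password` in plaintext, but the new task `template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/var/data/harbor/harbor.yml` sets no `mode`; add `mode=0600` (and `owner=root`). Since only `harbor-v2.1.yml.j2` exists after this commit, any other `HARBOR_VER` now fails with an opaque template-not-found error; an `assert` on `HARBOR_VER_MAIN` with a clear message would replace the version guards that were removed. The three commented-out `#- name: 配置 harbor.yml 文件` lines are dead and should be deleted, and `./install.sh {{ HARBOR_INST_OPS }} >> /tmp/harbor-`date ...`.log` would be better directed to `/var/log/harbor/`, which the guide already names as the log directory, rather than a world-readable /tmp file.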
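Review bot: harbor-csr.json.j2 now always emits `"{{ HARBOR_DOMAIN }}"` in `hosts`, but the playbook explicitly supports `HARBOR_DOMAIN == ''` (it then uses the IP as `harbor_hostname`); in that case the CSR gets an empty-string SAN entry, which cfssl will either reject or encode as an invalid DNS name. Wrap the line in `{% if HARBOR_DOMAIN != '' %}` ... `{% endif %}` and handle the trailing comma after `"{{ inventory_hostname }}"` accordingly. Adding `inventory_hostname` as an IP SAN is the right fix for the IP-only access path.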
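Review bot: In the new roles/harbor/templates/harbor-v2.1.yml.j2, `_version: 2.0.0` carries a 2.0 marker in a template named for 2.1; the comment above it says the installer's migrator keys off this value, so confirm it matches what the v2.1.3 installer's `prepare` expects, otherwise every install will first run a configuration migration step. Also worth a comment near `skip_update: false`: this project is built around offline installation, and if `HARBOR_WITH_TRIVY` is enabled in an air-gapped environment the scanner will keep trying to reach GitHub for its DB unless `skip_update: true` is set and the DB is mounted as described in the template's own comment. `insecure: false` for the Trivy registry check is the right default and should stay.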
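Review bot: Typo in the new roles/harbor/vars/main.yml comment: `# harobr 默认安装选项` should read `# harbor 默认安装选项`. The other change in this hunk, replacing the literal strings `HARBOR_DOMAIN`/`inventory_hostname` with `{{ HARBOR_DOMAIN }}`/`{{ inventory_hostname }}` in `HARBOR_HOSTNAME`, fixes a real bug (the old template rendered the variable names, not their values, into `hostname:` in harbor.yml); call that out in the commit message so users with a mis-rendered hostname know this commit is the fix.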