mirror of https://github.com/easzlab/kubeasz.git
update harbor v2.1.3
parent
3dc47c9146
commit
97f9df2b7a
|
@ -1,6 +1,6 @@
|
||||||
# harbor 镜像仓库
|
# harbor 镜像仓库
|
||||||
|
|
||||||
Habor是由VMWare中国团队开源的容器镜像仓库。事实上,Habor是在Docker Registry上进行了相应的企业级扩展,从而获得了更加广泛的应用,这些新的企业级特性包括:管理用户界面,基于角色的访问控制 ,水平扩展,同步,AD/LDAP集成以及审计日志等。本文档仅说明部署单个基础harbor服务的步骤。
|
Habor是由VMWare中国团队开源的企业级容器镜像仓库。特性包括:友好的用户界面,基于角色的访问控制,水平扩展,同步复制,AD/LDAP集成以及审计日志等。本文档仅说明单机安装harbor 服务。
|
||||||
|
|
||||||
- 目录
|
- 目录
|
||||||
- 安装步骤
|
- 安装步骤
|
||||||
|
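Review bot: the rewritten intro paragraph still misspells the product name ("Habor是由VMWare中国团队开源的企业级容器镜像仓库"); since the line is being replaced anyway, correct it to "Harbor" (and "VMware") so the body agrees with the "# harbor 镜像仓库" heading above it.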
@ -11,46 +11,66 @@ Habor是由VMWare中国团队开源的容器镜像仓库。事实上,Habor是
|
||||||
|
|
||||||
### 安装步骤
|
### 安装步骤
|
||||||
|
|
||||||
1. 在ansible控制端下载最新的 [docker-compose](https://github.com/docker/compose/releases) 二进制文件,改名后把它放到项目 `/etc/ansible/bin`目录(已包含)
|
1. 下载离线安装包,成功后在/etc/kubeasz/down/目录下有离线包harbor-offline-installer-$HARBOR_VER.tgz
|
||||||
|
|
||||||
2. 在ansible控制端下载最新的 [harbor](https://github.com/vmware/harbor/releases) 离线安装包,把它放到项目 `/etc/ansible/down` 目录
|
```
|
||||||
|
ezdown -D
|
||||||
3. 在ansible控制端编辑/etc/ansible/hosts文件,可以参考 `example`目录下的模板,修改部分举例如下
|
ezdown -R
|
||||||
|
|
||||||
``` bash
|
|
||||||
# 参数 NEW_INSTALL=(yes/no):yes表示新建 harbor,并配置k8s节点的docker可以使用harbor仓库
|
|
||||||
# no 表示仅配置k8s节点的docker使用已有的harbor仓库
|
|
||||||
# 参数 SELF_SIGNED_CERT=(yes/no): yes表示使用自签名证书,即安装程序帮你做一个自己签名的证书(当然这样的证书是得不到浏览器直接认可的)
|
|
||||||
# no 表示使用已有的证书,如 letsencrypt 或者其他证书颁发机构,如使用此参数,需把证书提前放在 down 目录下,文件名称分别为:harbor.pem 和 harbor-key.pem
|
|
||||||
# 如果不需要设置域名访问 harbor,可以配置参数 HARBOR_DOMAIN=""
|
|
||||||
[harbor]
|
|
||||||
192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=yes SELF_SIGNED_CERT=yes
|
|
||||||
```
|
```
|
||||||
|
|
||||||
4. 在ansible控制端执行 `ansible-playbook /etc/ansible/11.harbor.yml`,完成harbor安装和docker 客户端配置
|
2. 利用ezctl [文档](../setup/ezctl.md) 创建一个新的集群,已有集群修改同样的文件
|
||||||
|
|
||||||
|
```
|
||||||
|
#clusters/xxx/hosts 中修改如下,配置harbor组下机器,设置NEW_INSTALL=true
|
||||||
|
...
|
||||||
|
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
|
||||||
|
[harbor]
|
||||||
|
192.168.1.8 NEW_INSTALL=true
|
||||||
|
...
|
||||||
|
|
||||||
|
#clusters/xxx/config.yml 中修改如下,按需修改HARBOR_DOMAIN/HARBOR_TLS_PORT 等配置项
|
||||||
|
############################
|
||||||
|
# role:harbor
|
||||||
|
############################
|
||||||
|
# harbor version,完整版本号
|
||||||
|
HARBOR_VER: "v2.1.3"
|
||||||
|
HARBOR_DOMAIN: "harbor.yourdomain.com"
|
||||||
|
HARBOR_TLS_PORT: 8443
|
||||||
|
|
||||||
|
# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down'
|
||||||
|
HARBOR_SELF_SIGNED_CERT: true
|
||||||
|
|
||||||
|
# install component
|
||||||
|
HARBOR_WITH_NOTARY: false
|
||||||
|
HARBOR_WITH_TRIVY: false
|
||||||
|
HARBOR_WITH_CLAIR: false
|
||||||
|
HARBOR_WITH_CHARTMUSEUM: true
|
||||||
|
```
|
||||||
|
|
||||||
|
3. 配置完成后,执行 `./ezctl setup xxx harbor`,完成harbor安装和docker 客户端配置
|
||||||
|
|
||||||
- 安装验证
|
- 安装验证
|
||||||
|
|
||||||
1. 在harbor节点使用`docker ps -a` 查看harbor容器组件运行情况
|
1. 在harbor节点使用`docker ps -a` 查看harbor容器组件运行情况
|
||||||
2. 浏览器访问harbor节点的IP地址 `https://$NodeIP`,管理员账号是 admin ,密码见 harbor.cfg(v1.5-v1.7) 或 harbor.yml(v1.8+) 文件 harbor_admin_password 对应值(默认密码 Harbor12345 已被随机生成的16位随机密码替换,不然存在安全隐患)
|
2. 浏览器访问地址(忽略证书报错) `https://${HARBOR_DOMAIN}:${HARBOR_TLS_PORT}`,管理员账号是 admin ,密码见harbor.yml文件 harbor_admin_password 对应值(默认密码 Harbor12345 已被随机生成的16位随机密码替换,不然存在安全隐患)
|
||||||
|
|
||||||
### 安装讲解
|
### 安装讲解
|
||||||
|
|
||||||
根据`11.harbor.yml`文件,harbor节点需要以下步骤:
|
根据`playbooks/11.harbor.yml`文件,harbor节点需要以下步骤:
|
||||||
|
|
||||||
|
- role `os-harden` 系统安全加固(可选)
|
||||||
|
- role `chrony` 时间同步服务(可选)
|
||||||
- role `prepare` 基础系统环境准备
|
- role `prepare` 基础系统环境准备
|
||||||
- role `docker` 安装docker
|
- role `docker` 安装docker
|
||||||
- role `harbor` 安装harbor
|
- role `harbor` 安装harbor
|
||||||
- 注意:`kube_node`节点在harbor部署完之后,需要配置harbor的证书(详见下节配置docker/containerd信任harbor证书),并可以在hosts里面添加harbor的域名解析,如果你的环境中有dns服务器,可以跳过hosts文件设置
|
- 注意:`kube_node`节点在harbor部署完之后,需要配置harbor的证书(详见下节配置docker/containerd信任harbor证书),并可以在hosts里面添加harbor的域名解析,如果你的环境中有dns服务器,可以跳过hosts文件设置
|
||||||
|
|
||||||
请在另外窗口打开 [roles/harbor/tasks/main.yml](../../roles/harbor/tasks/main.yml),对照以下讲解
|
|
||||||
|
|
||||||
1. 下载docker-compose可执行文件到$PATH目录
|
1. 下载docker-compose可执行文件到$PATH目录
|
||||||
1. 自注册变量result判断是否已经安装harbor,避免重复安装问题
|
1. 自注册变量result判断是否已经安装harbor,避免重复安装问题
|
||||||
1. 解压harbor离线安装包到指定目录
|
1. 解压harbor离线安装包到指定目录
|
||||||
1. 导入harbor所需 docker images
|
1. 导入harbor所需 docker images
|
||||||
1. 创建harbor证书和私钥(复用集群的CA证书)
|
1. 创建harbor证书和私钥(复用集群的CA证书)
|
||||||
1. 修改harbor.cfg配置文件
|
1. 修改harbor.yml配置文件
|
||||||
1. 启动harbor安装脚本
|
1. 启动harbor安装脚本
|
||||||
|
|
||||||
### 配置docker/containerd信任harbor证书
|
### 配置docker/containerd信任harbor证书
|
||||||
|
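Review bot: the new verification step tells readers to ignore the browser certificate error ("浏览器访问地址(忽略证书报错) `https://${HARBOR_DOMAIN}:${HARBOR_TLS_PORT}`"), which trains users to click through TLS warnings on the registry that feeds their cluster. With `HARBOR_SELF_SIGNED_CERT: true` the certificate is signed by the cluster CA, and this same change already fetches that CA to `{{ base_dir }}/down/ca.pem`, so suggest wording it as "import down/ca.pem into the browser's trust store" instead of "ignore the error".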
@ -67,13 +87,13 @@ $ crictl pull harbor.test.lo/pub/hello:v0.1.4
|
||||||
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to resolve image "harbor.test.lo/pub/hello:v0.1.4": no available registry endpoint: failed to do request: Head https://harbor.test.lo/v2/pub/hello/manifests/v0.1.4: x509: certificate signed by unknown authority
|
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to resolve image "harbor.test.lo/pub/hello:v0.1.4": no available registry endpoint: failed to do request: Head https://harbor.test.lo/v2/pub/hello/manifests/v0.1.4: x509: certificate signed by unknown authority
|
||||||
```
|
```
|
||||||
|
|
||||||
项目脚本`11.harbor.yml`中已经自动为k8s集群的每个node节点配置 docker/containerd 信任自建 harbor 证书;如果你无法运行此脚本,可以参考下述手工配置(使用受信任的正式证书 SELF_SIGNED_CERT=no 可忽略)
|
项目脚本`11.harbor.yml`中已经自动为k8s集群的每个node节点配置 docker/containerd 信任自建 harbor 证书;如果你无法运行此脚本,可以参考下述手工配置
|
||||||
|
|
||||||
#### docker配置信任harbor证书
|
#### docker配置信任harbor证书
|
||||||
|
|
||||||
在集群每个 node 节点进行如下配置
|
在集群每个 node 节点进行如下配置
|
||||||
|
|
||||||
- 创建目录 /etc/docker/certs.d/harbor.test.lo/ (harbor.test.lo为你的harbor域名)
|
- 创建目录 /etc/docker/certs.d/harbor.yourdomain.com:8443/ (以默认配置举例)
|
||||||
- 复制 harbor 安装时的 CA 证书到上述目录,并改名 ca.crt 即可
|
- 复制 harbor 安装时的 CA 证书到上述目录,并改名 ca.crt 即可
|
||||||
|
|
||||||
#### containerd配置信任harbor证书
|
#### containerd配置信任harbor证书
|
||||||
|
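Review bot: the removed hint "(使用受信任的正式证书 SELF_SIGNED_CERT=no 可忽略)" was useful and only needed the new variable name: with `HARBOR_SELF_SIGNED_CERT: false` the playbook skips the certs.d tasks (they are gated on `HARBOR_SELF_SIGNED_CERT|bool`) and a CA-issued certificate needs no manual trust entry, so keep it as "(使用受信任的正式证书 HARBOR_SELF_SIGNED_CERT=false 可忽略)". The new directory name `/etc/docker/certs.d/harbor.yourdomain.com:8443/` is correct, since docker keys certs.d on the exact host:port used in the image reference.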
@ -164,9 +184,9 @@ type: kubernetes.io/dockerconfigjson
|
||||||
### 管理维护
|
### 管理维护
|
||||||
|
|
||||||
+ 日志目录 `/var/log/harbor`
|
+ 日志目录 `/var/log/harbor`
|
||||||
+ 数据目录 `/data` ,其中最主要是 `/data/database` 和 `/data/registry` 目录,如果你要彻底重新安装harbor,删除这两个目录即可
|
+ 数据目录 `/var/data` ,其中最主要是 `/var/data/database` 和 `/var/data/registry` 目录,如果你要彻底重新安装harbor,删除这两个目录即可
|
||||||
|
|
||||||
先进入harbor安装目录 `cd /data/harbor`,常规操作如下:
|
先进入harbor安装目录 `cd /var/data/harbor`,常规操作如下:
|
||||||
|
|
||||||
1. 暂停harbor `docker-compose stop` : docker容器stop,并不删除容器
|
1. 暂停harbor `docker-compose stop` : docker容器stop,并不删除容器
|
||||||
2. 恢复harbor `docker-compose start` : 恢复docker容器运行
|
2. 恢复harbor `docker-compose start` : 恢复docker容器运行
|
||||||
|
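Review bot: the reinstall hint ("如果你要彻底重新安装harbor,删除这两个目录即可") now matches the role's idempotency check, which looks for a `registry` entry under /var/data, but it should also say that this is destructive: deleting /var/data/database discards every project, user and robot account, and a fresh install renders harbor.yml with a newly generated `harbor_admin_password`. Readers who follow this to unstick a failed install should know that before they run it.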
@ -185,33 +205,3 @@ type: kubernetes.io/dockerconfigjson
|
||||||
# 启动 harbor
|
# 启动 harbor
|
||||||
docker-compose up -d
|
docker-compose up -d
|
||||||
```
|
```
|
||||||
#### harbor 升级
|
|
||||||
|
|
||||||
以下步骤基于harbor 1.1.2 版本升级到 1.2.2版本
|
|
||||||
|
|
||||||
``` bash
|
|
||||||
# 进入harbor解压缩后的目录,停止harbor
|
|
||||||
cd /data/harbor
|
|
||||||
docker-compose down
|
|
||||||
|
|
||||||
# 备份这个目录
|
|
||||||
cd ..
|
|
||||||
mkdir -p /backup && mv harbor /backup/harbor
|
|
||||||
|
|
||||||
# 下载更新的离线安装包,并解压
|
|
||||||
tar xvf harbor-offline-installer-v1.2.2.tgz -C /data
|
|
||||||
|
|
||||||
# 使用官方数据库迁移工具,备份数据库,修改数据库连接用户和密码,创建数据库备份目录
|
|
||||||
# 迁移工具使用docker镜像,镜像tag由待升级到目标harbor版本决定,这里由 1.1.2升级到1.2.2,所以使用 tag 1.2
|
|
||||||
docker pull vmware/harbor-db-migrator:1.2
|
|
||||||
mkdir -p /backup/db-1.1.2
|
|
||||||
docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql -v /backup/db-1.1.2:/harbor-migration/backup vmware/harbor-db-migrator:1.2 backup
|
|
||||||
|
|
||||||
# 因为新老版本数据库结构不一样,需要数据库migration
|
|
||||||
docker run -it --rm -e DB_USR=root -e DB_PWD=xxxx -v /data/database:/var/lib/mysql vmware/harbor-db-migrator:1.2 up head
|
|
||||||
|
|
||||||
# 修改新版本 harbor.cfg(v1.5-v1.7) 或 harbor.yml(v1.8+) 配置,需要保持与老版本相关配置项保持一致,然后执行安装即可
|
|
||||||
cd /data/harbor
|
|
||||||
vi harbor.cfg
|
|
||||||
./install.sh
|
|
||||||
```
|
|
||||||
|
|
|
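Review bot: deleting the whole "harbor 升级" section leaves the guide with no upgrade guidance at all. The v1.x `vmware/harbor-db-migrator` steps are indeed obsolete for v2.1.3, but rather than dropping the heading, keep a short "#### harbor 升级" stub that points to Harbor's official upgrade documentation for 2.x and carries over the one piece of advice from the removed block that still applies: stop harbor with `docker-compose down` and back up /var/data/harbor and the database directory before upgrading.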
@ -58,17 +58,18 @@ yum update
|
||||||
yum install python -y
|
yum install python -y
|
||||||
```
|
```
|
||||||
|
|
||||||
### 3.在ansible控制端安装及准备ansible
|
### 3.在部署节点安装ansible及准备ssh免密登陆
|
||||||
|
|
||||||
- 3.1 pip 安装 ansible(如果 Ubuntu pip报错,请看[附录](00-planning_and_overall_intro.md#Appendix))
|
- 3.1 安装ansible (也可以使用容器化运行kubeasz,已经预装好ansible)
|
||||||
|
|
||||||
``` bash
|
``` bash
|
||||||
# Ubuntu 16.04
|
# 注意pip 21.0以后不再支持python2和python3.5,需要如下安装
|
||||||
apt-get install git python-pip -y
|
# To install pip for Python 2.7 install it from https://bootstrap.pypa.io/2.7/ :
|
||||||
# CentOS 7
|
curl -O https://bootstrap.pypa.io/2.7/get-pip.py
|
||||||
yum install git python-pip -y
|
python get-pip.py
|
||||||
|
python -m pip install --upgrade "pip < 21.0"
|
||||||
|
|
||||||
# pip安装ansible(国内如果安装太慢可以直接用pip阿里云加速)
|
# pip安装ansible(国内如果安装太慢可以直接用pip阿里云加速)
|
||||||
pip install pip --upgrade -i https://mirrors.aliyun.com/pypi/simple/
|
|
||||||
pip install ansible -i https://mirrors.aliyun.com/pypi/simple/
|
pip install ansible -i https://mirrors.aliyun.com/pypi/simple/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
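Review bot: the new steps bootstrap pip for Python 2.7 (`curl -O https://bootstrap.pypa.io/2.7/get-pip.py`, `python get-pip.py`, then `pip install --upgrade "pip < 21.0"`), which bakes an end-of-life interpreter into the deployment node, the host that signs the cluster certificates (the cfssl task in roles/harbor/tasks/main.yml runs with `connection: local`) and has ssh access to every node. Suggest making Python 3 with a current pip the documented default and keeping the 2.7 bootstrap as a fallback only, or simply pointing readers at the containerized kubeasz option already mentioned in 3.1 (`ezdown -S`), which ships with ansible pre-installed.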
@ -125,29 +126,5 @@ ezctl setup k8s-01 all
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
## Appendix
|
|
||||||
|
|
||||||
- Ubuntu 1604 安装 ansible 如果出现以下错误
|
|
||||||
|
|
||||||
``` bash
|
|
||||||
Traceback (most recent call last):
|
|
||||||
File "/usr/bin/pip", line 9, in <module>
|
|
||||||
from pip import main
|
|
||||||
ImportError: cannot import name main
|
|
||||||
```
|
|
||||||
将`/usr/bin/pip`做以下修改即可
|
|
||||||
|
|
||||||
``` bash
|
|
||||||
#原代码
|
|
||||||
from pip import main
|
|
||||||
if __name__ == '__main__':
|
|
||||||
sys.exit(main())
|
|
||||||
|
|
||||||
#修改后
|
|
||||||
from pip import __main__
|
|
||||||
if __name__ == '__main__':
|
|
||||||
sys.exit(__main__._main())
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
[后一篇](01-CA_and_prerequisite.md)
|
[后一篇](01-CA_and_prerequisite.md)
|
||||||
|
|
|
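Review bot: removing the Appendix is consistent with dropping the `[附录](00-planning_and_overall_intro.md#Appendix)` link in the hunk above, but grep the rest of docs/ for `#Appendix` before merging so no other page still links to the deleted anchor.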
@ -194,4 +194,15 @@ prom_chart_ver: "__prom_chart__"
|
||||||
# role:harbor
|
# role:harbor
|
||||||
############################
|
############################
|
||||||
# harbor version,完整版本号
|
# harbor version,完整版本号
|
||||||
HARBOR_VER: "v1.9.4"
|
HARBOR_VER: "__harbor__"
|
||||||
|
HARBOR_DOMAIN: "harbor.yourdomain.com"
|
||||||
|
HARBOR_TLS_PORT: 8443
|
||||||
|
|
||||||
|
# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down'
|
||||||
|
HARBOR_SELF_SIGNED_CERT: true
|
||||||
|
|
||||||
|
# install extra component
|
||||||
|
HARBOR_WITH_NOTARY: false
|
||||||
|
HARBOR_WITH_TRIVY: false
|
||||||
|
HARBOR_WITH_CLAIR: false
|
||||||
|
HARBOR_WITH_CHARTMUSEUM: true
|
||||||
|
|
|
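Review bot: `HARBOR_SELF_SIGNED_CERT: true` is the shipped default, yet the comment only explains the `false` case; add a line saying what `true` does (the certificate is issued by the cluster CA and 11.harbor.yml installs that CA under certs.d on every kube_master/kube_node). Also note next to `HARBOR_DOMAIN: "harbor.yourdomain.com"` that the value becomes the certificate SAN (harbor-csr.json) and the /etc/hosts entry, so it must be changed from the placeholder before `ezctl setup xxx harbor`.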
@ -11,10 +11,9 @@
|
||||||
192.168.1.1
|
192.168.1.1
|
||||||
|
|
||||||
# [optional] harbor server, a private docker registry
|
# [optional] harbor server, a private docker registry
|
||||||
# 'NEW_INSTALL': 'yes' to install a harbor server; 'no' to integrate with existed one
|
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
|
||||||
# 'SELF_SIGNED_CERT': 'no' you need put files of certificates named harbor.pem and harbor-key.pem in directory 'down'
|
|
||||||
[harbor]
|
[harbor]
|
||||||
#192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=no SELF_SIGNED_CERT=yes
|
#192.168.1.8 NEW_INSTALL=false
|
||||||
|
|
||||||
# [optional] loadbalance for accessing k8s from outside
|
# [optional] loadbalance for accessing k8s from outside
|
||||||
[ex_lb]
|
[ex_lb]
|
||||||
|
|
|
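Review bot: the `'SELF_SIGNED_CERT'` comment is dropped here because the setting moved to `clusters/xxx/config.yml` as `HARBOR_SELF_SIGNED_CERT`; leave a one-line pointer in its place (e.g. `# see HARBOR_* settings in config.yml`) so that someone editing only the hosts file knows where the domain, port and certificate options went.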
@ -15,10 +15,9 @@
|
||||||
192.168.1.4
|
192.168.1.4
|
||||||
|
|
||||||
# [optional] harbor server, a private docker registry
|
# [optional] harbor server, a private docker registry
|
||||||
# 'NEW_INSTALL': 'yes' to install a harbor server; 'no' to integrate with existed one
|
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
|
||||||
# 'SELF_SIGNED_CERT': 'no' you need put files of certificates named harbor.pem and harbor-key.pem in directory 'down'
|
|
||||||
[harbor]
|
[harbor]
|
||||||
#192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=no SELF_SIGNED_CERT=yes
|
#192.168.1.8 NEW_INSTALL=false
|
||||||
|
|
||||||
# [optional] loadbalance for accessing k8s from outside
|
# [optional] loadbalance for accessing k8s from outside
|
||||||
[ex_lb]
|
[ex_lb]
|
||||||
|
|
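Review bot: same comment as for example/hosts.allinone: put a pointer to the `HARBOR_*` settings in config.yml where the removed `SELF_SIGNED_CERT` comment was.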
6
ezctl
6
ezctl
|
@ -118,6 +118,7 @@ available steps:
|
||||||
06 network to setup the network plugin
|
06 network to setup the network plugin
|
||||||
07 cluster-addon to setup other useful plugins
|
07 cluster-addon to setup other useful plugins
|
||||||
all to run 01~07 all at once
|
all to run 01~07 all at once
|
||||||
|
harbor to install a new harbor server or to integrate with an existed one
|
||||||
|
|
||||||
examples: ./ezctl setup test-k8s 01
|
examples: ./ezctl setup test-k8s 01
|
||||||
./ezctl setup test-k8s 02
|
./ezctl setup test-k8s 02
|
||||||
|
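Review bot: grammar in the new usage line: "to integrate with an existed one" should read "an existing one"; the same phrase appears in the example hosts comments ("to integrate with existed one") and can be fixed in the same commit.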
@ -150,6 +151,7 @@ function new() {
|
||||||
metricsVer=$(grep 'metricsVer=' ezdown|cut -d'=' -f2)
|
metricsVer=$(grep 'metricsVer=' ezdown|cut -d'=' -f2)
|
||||||
promChartVer=$(grep 'promChartVer=' ezdown|cut -d'=' -f2)
|
promChartVer=$(grep 'promChartVer=' ezdown|cut -d'=' -f2)
|
||||||
traefikChartVer=$(grep 'traefikChartVer=' ezdown|cut -d'=' -f2)
|
traefikChartVer=$(grep 'traefikChartVer=' ezdown|cut -d'=' -f2)
|
||||||
|
harborVer=$(grep 'HARBOR_VER=' ezdown|cut -d'=' -f2)
|
||||||
registryMirror=true
|
registryMirror=true
|
||||||
|
|
||||||
grep registry-mirrors /etc/docker/daemon.json > /dev/null 2>&1 || { logger debug "disable registry mirrors"; registryMirror=false; }
|
grep registry-mirrors /etc/docker/daemon.json > /dev/null 2>&1 || { logger debug "disable registry mirrors"; registryMirror=false; }
|
||||||
|
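Review bot: `harborVer=$(grep 'HARBOR_VER=' ezdown|cut -d'=' -f2)` is unanchored, so any later line in ezdown containing the substring (a comment, a `logger` message, a second assignment) would also match and `cut` would pick up the wrong value; anchor it as `grep '^HARBOR_VER=' ezdown`. The neighbouring `*Ver=` lookups have the same latent issue.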
@ -165,6 +167,7 @@ function new() {
|
||||||
-e "s/__dash_metrics__/$dashboardMetricsScraperVer/g" \
|
-e "s/__dash_metrics__/$dashboardMetricsScraperVer/g" \
|
||||||
-e "s/__prom_chart__/$promChartVer/g" \
|
-e "s/__prom_chart__/$promChartVer/g" \
|
||||||
-e "s/__traefik_chart__/$traefikChartVer/g" \
|
-e "s/__traefik_chart__/$traefikChartVer/g" \
|
||||||
|
-e "s/__harbor__/$harborVer/g" \
|
||||||
-e "s/^ENABLE_MIRROR_REGISTRY.*$/ENABLE_MIRROR_REGISTRY: $registryMirror/g" \
|
-e "s/^ENABLE_MIRROR_REGISTRY.*$/ENABLE_MIRROR_REGISTRY: $registryMirror/g" \
|
||||||
-e "s/__metrics__/$metricsVer/g" "clusters/$1/config.yml"
|
-e "s/__metrics__/$metricsVer/g" "clusters/$1/config.yml"
|
||||||
|
|
||||||
|
@ -207,6 +210,9 @@ function setup() {
|
||||||
(all)
|
(all)
|
||||||
PLAY_BOOK="90.setup.yml"
|
PLAY_BOOK="90.setup.yml"
|
||||||
;;
|
;;
|
||||||
|
(harbor)
|
||||||
|
PLAY_BOOK="11.harbor.yml"
|
||||||
|
;;
|
||||||
(*)
|
(*)
|
||||||
usage-setup
|
usage-setup
|
||||||
exit 1
|
exit 1
|
||||||
|
|
20
ezdown
20
ezdown
|
@ -18,6 +18,7 @@ KUBEASZ_VER=3.0.0
|
||||||
K8S_BIN_VER=v1.20.2
|
K8S_BIN_VER=v1.20.2
|
||||||
EXT_BIN_VER=0.8.1
|
EXT_BIN_VER=0.8.1
|
||||||
SYS_PKG_VER=0.3.3
|
SYS_PKG_VER=0.3.3
|
||||||
|
HARBOR_VER=v2.1.3
|
||||||
REGISTRY_MIRROR=CN
|
REGISTRY_MIRROR=CN
|
||||||
|
|
||||||
# images needed by k8s cluster
|
# images needed by k8s cluster
|
||||||
|
@ -42,6 +43,7 @@ function usage() {
|
||||||
-C stop&clean all local containers
|
-C stop&clean all local containers
|
||||||
-D download all into "$BASE"
|
-D download all into "$BASE"
|
||||||
-P download system packages for offline installing
|
-P download system packages for offline installing
|
||||||
|
-R download Registry(harbor) offline installer
|
||||||
-S start kubeasz in a container
|
-S start kubeasz in a container
|
||||||
-d <ver> set docker-ce version, default "$DOCKER_VER"
|
-d <ver> set docker-ce version, default "$DOCKER_VER"
|
||||||
-e <ver> set kubeasz-ext-bin version, default "$EXT_BIN_VER"
|
-e <ver> set kubeasz-ext-bin version, default "$EXT_BIN_VER"
|
||||||
|
@ -245,6 +247,19 @@ function get_sys_pkg() {
|
||||||
docker rm -f temp_sys_pkg
|
docker rm -f temp_sys_pkg
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function get_harbor_offline_pkg() {
|
||||||
|
[[ -f "$BASE/down/harbor-offline-installer-$HARBOR_VER.tgz" ]] && { logger warn "harbor-offline existed"; return 0; }
|
||||||
|
|
||||||
|
logger info "downloading harbor-offline:$HARBOR_VER"
|
||||||
|
docker pull "easzlab/harbor-offline:$HARBOR_VER" && \
|
||||||
|
logger debug "run a temporary container" && \
|
||||||
|
docker run -d --name temp_harbor "easzlab/harbor-offline:$HARBOR_VER" && \
|
||||||
|
logger debug "cp harbor-offline installer package" && \
|
||||||
|
docker cp "temp_harbor:/harbor-offline-installer-$HARBOR_VER.tgz" "$BASE/down" && \
|
||||||
|
logger debug "stop&remove temporary container" && \
|
||||||
|
docker rm -f temp_harbor
|
||||||
|
}
|
||||||
|
|
||||||
function get_offline_image() {
|
function get_offline_image() {
|
||||||
|
|
||||||
imageDir="$BASE/down"
|
imageDir="$BASE/down"
|
||||||
|
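Review bot: `get_harbor_offline_pkg` starts the image with `docker run -d --name temp_harbor "easzlab/harbor-offline:$HARBOR_VER"` only to `docker cp` one file out of it, which executes whatever entrypoint the image carries; `docker create --name temp_harbor "easzlab/harbor-offline:$HARBOR_VER"` yields a container to copy from without running anything, and the existing `docker rm -f temp_harbor` cleanup still applies. Separately, the installer tarball is taken on trust from the Docker Hub image; consider pinning the image by digest or checking the tarball's checksum against the upstream Harbor release before the role extracts and installs it.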
@ -358,7 +373,7 @@ function main() {
|
||||||
[[ "$#" -eq 0 ]] && { usage >&2; exit 1; }
|
[[ "$#" -eq 0 ]] && { usage >&2; exit 1; }
|
||||||
|
|
||||||
ACTION=""
|
ACTION=""
|
||||||
while getopts "CDPSd:e:k:m:p:z:" OPTION; do
|
while getopts "CDPRSd:e:k:m:p:z:" OPTION; do
|
||||||
case "$OPTION" in
|
case "$OPTION" in
|
||||||
C)
|
C)
|
||||||
ACTION="clean_container"
|
ACTION="clean_container"
|
||||||
|
@ -369,6 +384,9 @@ function main() {
|
||||||
P)
|
P)
|
||||||
ACTION="get_sys_pkg"
|
ACTION="get_sys_pkg"
|
||||||
;;
|
;;
|
||||||
|
R)
|
||||||
|
ACTION="get_harbor_offline_pkg"
|
||||||
|
;;
|
||||||
S)
|
S)
|
||||||
ACTION="start_kubeasz_docker"
|
ACTION="start_kubeasz_docker"
|
||||||
;;
|
;;
|
||||||
|
|
|
@ -1,39 +1,45 @@
|
||||||
# [optional] to set up a HARBOR, and to integrate the HARBOR with k8s cluster
|
# [optional] to set up a HARBOR, and to integrate the HARBOR with k8s cluster
|
||||||
# read the guide: 'guide/harbor.md'
|
# read the guide: 'guide/harbor.md'
|
||||||
|
|
||||||
|
### --- install harbor ---
|
||||||
- hosts: harbor
|
- hosts: harbor
|
||||||
roles:
|
roles:
|
||||||
- { role: os-harden, when: "OS_HARDEN|bool" }
|
- { role: os-harden, when: "NEW_INSTALL|bool and OS_HARDEN|bool" }
|
||||||
- { role: chrony, when: "NEW_INSTALL == 'yes' and groups['chrony']|length > 0" }
|
- { role: chrony, when: "NEW_INSTALL|bool and groups['chrony']|length > 0" }
|
||||||
- { role: prepare, when: "NEW_INSTALL == 'yes'" }
|
- { role: prepare, when: "NEW_INSTALL|bool" }
|
||||||
- { role: docker, when: "NEW_INSTALL == 'yes'" }
|
- { role: docker, when: "NEW_INSTALL|bool" }
|
||||||
- { role: harbor, when: "NEW_INSTALL == 'yes'" }
|
- { role: harbor, when: "NEW_INSTALL|bool" }
|
||||||
tasks:
|
tasks:
|
||||||
- name: Fetching the HARBOR SERVER's CA cert
|
- name: Fetching the HARBOR SERVER's CA cert
|
||||||
fetch:
|
fetch:
|
||||||
src: "{{ ca_dir }}/ca.pem"
|
src: "{{ ca_dir }}/ca.pem"
|
||||||
dest: "{{ base_dir }}/down/"
|
dest: "{{ base_dir }}/down/"
|
||||||
flat: yes
|
flat: yes
|
||||||
when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT'] == 'yes'
|
when: 'HARBOR_SELF_SIGNED_CERT|bool'
|
||||||
|
#when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT']|bool
|
||||||
|
|
||||||
|
### --- config k8s nodes to use with harbor ---
|
||||||
- hosts:
|
- hosts:
|
||||||
- kube_master
|
- kube_master
|
||||||
- kube_node
|
- kube_node
|
||||||
tasks:
|
tasks:
|
||||||
- name: Define 'harbor_hostname', a domain name
|
- name: Define 'harbor_hostname', a domain name
|
||||||
set_fact: harbor_hostname={{ hostvars[groups.harbor[0]]['HARBOR_DOMAIN'] }}
|
set_fact: harbor_hostname={{ HARBOR_DOMAIN }}
|
||||||
|
when: "HARBOR_DOMAIN != ''"
|
||||||
|
|
||||||
- name: Define 'harbor_hostname', an IP Addr
|
- name: Define 'harbor_hostname', an IP Addr
|
||||||
set_fact: harbor_hostname={{ groups['harbor'][0] }}
|
set_fact: harbor_hostname={{ groups['harbor'][0] }}
|
||||||
when: hostvars[groups.harbor[0]]['HARBOR_DOMAIN'] == ''
|
when: "HARBOR_DOMAIN == ''"
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- block:
|
- block:
|
||||||
- name: Creating cert dir for the docker daemon
|
- name: Creating cert dir for the docker daemon
|
||||||
file: name=/etc/docker/certs.d/{{ harbor_hostname }} state=directory
|
file: name=/etc/docker/certs.d/{{ harbor_hostname }}:{{ HARBOR_TLS_PORT }} state=directory
|
||||||
|
|
||||||
- name: Installing the HARBOR SERVER's CA cert for docker
|
- name: Installing the HARBOR SERVER's CA cert for docker
|
||||||
copy: src={{ base_dir }}/down/ca.pem dest=/etc/docker/certs.d/{{ harbor_hostname }}/ca.crt
|
copy:
|
||||||
|
src: "{{ base_dir }}/down/ca.pem"
|
||||||
|
dest: "/etc/docker/certs.d/{{ harbor_hostname }}:{{ HARBOR_TLS_PORT }}/ca.crt"
|
||||||
when: CONTAINER_RUNTIME == 'docker'
|
when: CONTAINER_RUNTIME == 'docker'
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
|
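Review bot: the commented-out condition left under the fetch task (`#when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT']|bool`) is dead code now that the task uses `when: 'HARBOR_SELF_SIGNED_CERT|bool'`; delete it rather than ship it. The switch from the per-host `SELF_SIGNED_CERT` to the cluster-wide `HARBOR_SELF_SIGNED_CERT` also silently changes behaviour for anyone with an existing hosts file, so the renamed variable deserves a mention in the commit message.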
@ -68,7 +74,7 @@
|
||||||
when:
|
when:
|
||||||
- 'CONTAINER_RUNTIME == "containerd"'
|
- 'CONTAINER_RUNTIME == "containerd"'
|
||||||
- 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
|
- 'ansible_distribution in ["CentOS","RedHat","Amazon","Aliyun"]'
|
||||||
when: hostvars[groups.harbor[0]]['SELF_SIGNED_CERT'] == 'yes'
|
when: 'HARBOR_SELF_SIGNED_CERT|bool'
|
||||||
|
|
||||||
# [optional] if you have a DNS server, add an 'A record' instead
|
# [optional] if you have a DNS server, add an 'A record' instead
|
||||||
- name: Adding an '/etc/hosts' entry for the HARBOR DOMAIN
|
- name: Adding an '/etc/hosts' entry for the HARBOR DOMAIN
|
||||||
|
|
|
@ -1,36 +1,40 @@
|
||||||
- name: 生成 harbor 随机密码
|
- name: 创建 /var/data 目录
|
||||||
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
|
|
||||||
register: harbor_password_gen
|
|
||||||
|
|
||||||
- name: 生成 DB 随机密码
|
|
||||||
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
|
|
||||||
register: db_password_gen
|
|
||||||
|
|
||||||
- name: 创建 data 目录
|
|
||||||
file:
|
file:
|
||||||
path: /data
|
path: /var/data
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
# 注册变量 result,如果 /data 目录下存在 registry 目录说明已经安装过 harbor,则不进行安装
|
# 注册变量 result,如果 /var/data 目录下存在 registry 目录说明已经安装过 harbor,则不进行安装
|
||||||
- name: 注册变量 result
|
- name: 注册变量 result
|
||||||
command: ls /data
|
command: ls /var/data
|
||||||
register: result
|
register: result
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
|
- name: 生成 harbor 随机密码
|
||||||
|
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
|
||||||
|
register: harbor_password_gen
|
||||||
|
|
||||||
|
- debug: var="harbor_password_gen.stdout"
|
||||||
|
|
||||||
|
- name: 生成 DB 随机密码
|
||||||
|
shell: < /dev/urandom tr -dc 0-9A-Za-z-_ | head -c 16
|
||||||
|
register: db_password_gen
|
||||||
|
|
||||||
|
- debug: var="db_password_gen.stdout"
|
||||||
|
|
||||||
- name: 下发 docker compose 二进制文件
|
- name: 下发 docker compose 二进制文件
|
||||||
copy: src={{ base_dir }}/bin/docker-compose dest={{ bin_dir }}/docker-compose mode=0755
|
copy: src={{ base_dir }}/bin/docker-compose dest={{ bin_dir }}/docker-compose mode=0755
|
||||||
|
|
||||||
- name: 下发 harbor 离线安装包
|
- name: 下发 harbor 离线安装包
|
||||||
copy:
|
copy:
|
||||||
src: "{{ base_dir }}/down/harbor-offline-installer-{{ HARBOR_VER }}.tgz"
|
src: "{{ base_dir }}/down/harbor-offline-installer-{{ HARBOR_VER }}.tgz"
|
||||||
dest: "/data/harbor-offline-installer-{{ HARBOR_VER }}.tgz"
|
dest: "/var/data/harbor-offline-installer-{{ HARBOR_VER }}.tgz"
|
||||||
|
|
||||||
- name: 解压 harbor 离线安装包
|
- name: 解压 harbor 离线安装包
|
||||||
shell: "cd /data && tar zxf harbor-offline-installer-{{ HARBOR_VER }}.tgz"
|
shell: "cd /var/data && tar zxf harbor-offline-installer-{{ HARBOR_VER }}.tgz"
|
||||||
|
|
||||||
- name: 导入 harbor 所需 docker images
|
- name: 导入 harbor 所需 docker images
|
||||||
shell: "{{ bin_dir }}/docker load -i /data/harbor/harbor.{{ HARBOR_VER }}.tar.gz"
|
shell: "{{ bin_dir }}/docker load -i /var/data/harbor/harbor.{{ HARBOR_VER }}.tar.gz"
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: 创建 harbor 证书请求
|
- name: 创建 harbor 证书请求
|
||||||
|
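Review bot: the two new tasks `- debug: var="harbor_password_gen.stdout"` and `- debug: var="db_password_gen.stdout"` print the freshly generated admin and database passwords in clear text to the ansible output, and so into any CI log or terminal scrollback. The values are already persisted in harbor.yml (the guide tells readers to look them up there), so remove the debug tasks and add `no_log: true` to the two `shell:` tasks so the registered results are not echoed in `-v` runs either.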
@ -45,31 +49,44 @@
|
||||||
-profile=kubernetes harbor-csr.json|{{ base_dir }}/bin/cfssljson -bare harbor"
|
-profile=kubernetes harbor-csr.json|{{ base_dir }}/bin/cfssljson -bare harbor"
|
||||||
connection: local
|
connection: local
|
||||||
|
|
||||||
- name: 生成自签名证书相关
|
- name: 分发自签名证书
|
||||||
copy: src={{ cluster_dir }}/ssl/{{ item }} dest={{ ca_dir }}/{{ item }}
|
copy: src={{ cluster_dir }}/ssl/{{ item }} dest={{ ca_dir }}/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
|
- ca.pem
|
||||||
- harbor.pem
|
- harbor.pem
|
||||||
- harbor-key.pem
|
- harbor-key.pem
|
||||||
when: SELF_SIGNED_CERT == 'yes'
|
when: 'HARBOR_SELF_SIGNED_CERT|bool'
|
||||||
|
|
||||||
- name: 复制 down 目录下 harbor 证书
|
- name: 推送非自签名证书(需提前在{{ base_dir }}/down/ 下载好证书)
|
||||||
copy: src={{ base_dir }}/down/{{ item }} dest={{ ca_dir }}/{{ item }}
|
copy: src={{ base_dir }}/down/{{ item }} dest={{ ca_dir }}/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- harbor.pem
|
- harbor.pem
|
||||||
- harbor-key.pem
|
- harbor-key.pem
|
||||||
when: SELF_SIGNED_CERT == 'no'
|
when: 'not HARBOR_SELF_SIGNED_CERT|bool'
|
||||||
|
|
||||||
- name: 配置 harbor.cfg 文件
|
- name: 准备 harbor 配置文件
|
||||||
template: src=harbor-{{ HARBOR_VER_MAIN }}.cfg.j2 dest=/data/harbor/harbor.cfg
|
template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/var/data/harbor/harbor.yml
|
||||||
when: HARBOR_VER_MAIN in ["v1.5", "v1.6", "v1.7"]
|
|
||||||
|
|
||||||
- name: 配置 harbor.yml 文件
|
#- name: 配置 harbor.yml 文件
|
||||||
template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/data/harbor/harbor.yml
|
#template: src=harbor-{{ HARBOR_VER_MAIN }}.yml.j2 dest=/var/data/harbor/harbor.yml
|
||||||
when: HARBOR_VER_MAIN in ["v1.8", "v1.9", "v1.10"]
|
#when: HARBOR_VER_MAIN in ["v1.8", "v1.9", "v1.10"]
|
||||||
|
|
||||||
|
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-chartmuseum"
|
||||||
|
when: "HARBOR_WITH_CHARTMUSEUM|bool"
|
||||||
|
|
||||||
- name: 安装 harbor --with-clair
|
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-notary"
|
||||||
shell: "cd /data/harbor && \
|
when: "HARBOR_WITH_NOTARY|bool"
|
||||||
|
|
||||||
|
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-trivy"
|
||||||
|
when: "HARBOR_WITH_TRIVY|bool"
|
||||||
|
|
||||||
|
- set_fact: HARBOR_INST_OPS="{{ HARBOR_INST_OPS }} --with-clair"
|
||||||
|
when: "HARBOR_WITH_CLAIR|bool"
|
||||||
|
|
||||||
|
- debug: var="HARBOR_INST_OPS"
|
||||||
|
|
||||||
|
- name: 安装 harbor
|
||||||
|
shell: "cd /var/data/harbor && \
|
||||||
export PATH={{ bin_dir }}:$PATH && \
|
export PATH={{ bin_dir }}:$PATH && \
|
||||||
./install.sh --with-clair"
|
./install.sh {{ HARBOR_INST_OPS }} >> /tmp/harbor-`date +'%Y%m%d%H%M%S'`.log 2>&1"
|
||||||
when: '"registry" not in result.stdout'
|
when: '"registry" not in result.stdout'
|
||||||
|
|
|
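Review bot: the old `配置 harbor.yml 文件` task is commented out (`#- name:`, `#template:`, `#when:`) instead of deleted; remove it, the new `准备 harbor 配置文件` task replaces it. Also, `./install.sh {{ HARBOR_INST_OPS }} >> /tmp/harbor-`date +'%Y%m%d%H%M%S'`.log 2>&1` writes the installer log under world-readable /tmp on the harbor host; point it at a root-only location such as /var/log/harbor (already the log directory in the new template) so that anything the installer echoes from its configuration is not readable by every local user.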
@ -2,7 +2,8 @@
|
||||||
"CN": "harbor",
|
"CN": "harbor",
|
||||||
"hosts": [
|
"hosts": [
|
||||||
"127.0.0.1",
|
"127.0.0.1",
|
||||||
"{{ HARBOR_HOSTNAME }}"
|
"{{ inventory_hostname }}",
|
||||||
|
"{{ HARBOR_DOMAIN }}"
|
||||||
],
|
],
|
||||||
"key": {
|
"key": {
|
||||||
"algo": "rsa",
|
"algo": "rsa",
|
||||||
|
|
|
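Review bot: the hosts list in harbor-csr.json now always emits `"{{ HARBOR_DOMAIN }}"`, but `HARBOR_DOMAIN` may legitimately be `''` (the playbook handles that case with `when: "HARBOR_DOMAIN == ''"`), which puts an empty SAN into the CSR; wrap the entry in `{% if HARBOR_DOMAIN != '' %}...{% endif %}` (watching the trailing comma after `"{{ inventory_hostname }}"`) so the CSR stays valid when only the IP is used.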
@ -0,0 +1,118 @@
|
||||||
|
# Configuration file of Harbor
|
||||||
|
hostname: {{ HARBOR_HOSTNAME }}
|
||||||
|
|
||||||
|
# https related config
|
||||||
|
https:
|
||||||
|
port: {{ HARBOR_TLS_PORT }}
|
||||||
|
certificate: {{ ca_dir }}/harbor.pem
|
||||||
|
private_key: {{ ca_dir }}/harbor-key.pem
|
||||||
|
|
||||||
|
# Uncomment external_url if you want to enable external proxy
|
||||||
|
# And when it enabled the hostname will no longer used
|
||||||
|
# external_url: https://reg.mydomain.com:8433
|
||||||
|
|
||||||
|
# The initial password of Harbor admin
|
||||||
|
# It only works in first time to install harbor
|
||||||
|
# Remember Change the admin password from UI after launching Harbor.
|
||||||
|
harbor_admin_password: {{ harbor_password_gen.stdout }}
|
||||||
|
|
||||||
|
# Harbor DB configuration
|
||||||
|
database:
|
||||||
|
# The password for the root user of Harbor DB. Change this before any production use.
|
||||||
|
password: {{ db_password_gen.stdout }}
|
||||||
|
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
|
||||||
|
max_idle_conns: 50
|
||||||
|
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
|
||||||
|
# Note: the default number of connections is 1024 for postgres of harbor.
|
||||||
|
max_open_conns: 1000
|
||||||
|
|
||||||
|
# The default data volume
|
||||||
|
data_volume: /var/data
|
||||||
|
|
||||||
|
# Clair configuration
|
||||||
|
clair:
|
||||||
|
# The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
|
||||||
|
updaters_interval: 12
|
||||||
|
|
||||||
|
# Trivy configuration
|
||||||
|
#
|
||||||
|
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
|
||||||
|
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
|
||||||
|
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
|
||||||
|
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
|
||||||
|
# 12 hours and published as a new release to GitHub.
|
||||||
|
trivy:
|
||||||
|
# ignoreUnfixed The flag to display only fixed vulnerabilities
|
||||||
|
ignore_unfixed: false
|
||||||
|
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
|
||||||
|
#
|
||||||
|
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
|
||||||
|
# If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
|
||||||
|
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
|
||||||
|
skip_update: false
|
||||||
|
#
|
||||||
|
# insecure The flag to skip verifying registry certificate
|
||||||
|
insecure: false
|
||||||
|
# github_token The GitHub access token to download Trivy DB
|
||||||
|
#
|
||||||
|
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
|
||||||
|
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
|
||||||
|
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
|
||||||
|
# https://developer.github.com/v3/#rate-limiting
|
||||||
|
#
|
||||||
|
# You can create a GitHub token by following the instructions in
|
||||||
|
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
|
||||||
|
#
|
||||||
|
# github_token: xxx
|
||||||
|
|
||||||
|
jobservice:
|
||||||
|
# Maximum number of job workers in job service
|
||||||
|
max_job_workers: 10
|
||||||
|
|
||||||
|
notification:
|
||||||
|
# Maximum retry count for webhook job
|
||||||
|
webhook_job_max_retry: 10
|
||||||
|
|
||||||
|
chart:
|
||||||
|
# Change the value of absolute_url to enabled can enable absolute url in chart
|
||||||
|
absolute_url: disabled
|
||||||
|
|
||||||
|
# Log configurations
|
||||||
|
log:
|
||||||
|
# options are debug, info, warning, error, fatal
|
||||||
|
level: info
|
||||||
|
# configs for logs in local storage
|
||||||
|
local:
|
||||||
|
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
|
||||||
|
rotate_count: 3
|
||||||
|
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
|
||||||
|
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
|
||||||
|
# are all valid.
|
||||||
|
rotate_size: 100M
|
||||||
|
# The directory on your host that store log
|
||||||
|
location: /var/log/harbor
|
||||||
|
|
||||||
|
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
|
||||||
|
_version: 2.0.0
|
||||||
|
|
||||||
|
# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
|
||||||
|
# uaa:
|
||||||
|
# ca_file: /path/to/ca
|
||||||
|
|
||||||
|
# Global proxy
|
||||||
|
# Config http proxy for components, e.g. http://my.proxy.com:3128
|
||||||
|
# Components doesn't need to connect to each others via http proxy.
|
||||||
|
# Remove component from `components` array if want disable proxy
|
||||||
|
# for it. If you want use proxy for replication, MUST enable proxy
|
||||||
|
# for core and jobservice, and set `http_proxy` and `https_proxy`.
|
||||||
|
# Add domain to the `no_proxy` field, when you want disable proxy
|
||||||
|
# for some special registry.
|
||||||
|
proxy:
|
||||||
|
http_proxy:
|
||||||
|
https_proxy:
|
||||||
|
no_proxy:
|
||||||
|
components:
|
||||||
|
- core
|
||||||
|
- jobservice
|
||||||
|
- clair
|
||||||
|
- trivy
|
|
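Review bot: `harbor_admin_password: {{ harbor_password_gen.stdout }}` and `password: {{ db_password_gen.stdout }}` are unquoted YAML scalars; the generator's alphabet is `0-9A-Za-z-_`, so a value that happens to be all digits (or to start with `0x` followed by hex digits) is parsed as a number and the installer will not see the password you think it wrote. Quote both values, e.g. `harbor_admin_password: "{{ harbor_password_gen.stdout }}"`. Since the password is stored in clear text in this file, the guide should also repeat the template's own advice to change the admin password from the UI after first login.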
@ -3,4 +3,7 @@
|
||||||
HARBOR_VER_MAIN: "{{ HARBOR_VER.split('.')[0] }}.{{ HARBOR_VER.split('.')[1] }}"
|
HARBOR_VER_MAIN: "{{ HARBOR_VER.split('.')[0] }}.{{ HARBOR_VER.split('.')[1] }}"
|
||||||
|
|
||||||
# HARBOR_HOSTNAME 值设置
|
# HARBOR_HOSTNAME 值设置
|
||||||
HARBOR_HOSTNAME: "{% if HARBOR_DOMAIN != '' %}HARBOR_DOMAIN{% else %}inventory_hostname{% endif %}"
|
HARBOR_HOSTNAME: "{% if HARBOR_DOMAIN != '' %}{{ HARBOR_DOMAIN }}{% else %}{{ inventory_hostname }}{% endif %}"
|
||||||
|
|
||||||
|
# harobr 默认安装选项
|
||||||
|
HARBOR_INST_OPS: ""
|
||||||
|
|
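Review bot: the rewritten `HARBOR_HOSTNAME` line is a bug fix, not a refactor: the old template produced the literal strings `HARBOR_DOMAIN` / `inventory_hostname` instead of their values, so `hostname:` in harbor.yml was wrong whenever this variable was used; call that out in the commit message. Minor: "harobr" should be "harbor" in the new comment.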