From f28fc48d5ec2bb7c96a4d2ebdc8023a02d1b40e7 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Tue, 5 Feb 2019 09:46:26 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81harbor=201.6.3,=E8=B0=83?=
 =?UTF-8?q?=E6=95=B4=E9=83=A8=E5=88=86=E5=AE=89=E8=A3=85=E6=AD=A5=E9=AA=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 roles/harbor/defaults/main.yml | 8 +-
 roles/harbor/tasks/main.yml | 33 +-
 .../{harbor.cfg.j2 => harbor-v1.5.cfg.j2} | 0
 roles/harbor/templates/harbor-v1.6.cfg.j2 | 203 ++++++++++++++++++
 4 files changed, 227 insertions(+), 17 deletions(-)
 rename roles/harbor/templates/{harbor.cfg.j2 => harbor-v1.5.cfg.j2} (100%)
 create mode 100644 roles/harbor/templates/harbor-v1.6.cfg.j2

diff --git a/roles/harbor/defaults/main.yml b/roles/harbor/defaults/main.yml
index 59bbc62..4f54702 100644
--- a/roles/harbor/defaults/main.yml
+++ b/roles/harbor/defaults/main.yml
@@ -1,2 +1,6 @@
-# harbor version
-HARBOR_VER: "v1.5.2"
+# harbor version,完整版本号,目前支持 v1.5.x 和 v1.6.x
+HARBOR_VER: "v1.6.3"
+
+# harbor 主版本号,目前支持主版本号 v1.5/v1.6
+# 从完整版本号提取出主版本号 v1.5/v1.6
+HARBOR_VER_MAIN: "{{ HARBOR_VER.split('.')[0] }}.{{ HARBOR_VER.split('.')[1] }}"
diff --git a/roles/harbor/tasks/main.yml b/roles/harbor/tasks/main.yml
index dd1d95e..4edb900 100644
--- a/roles/harbor/tasks/main.yml
+++ b/roles/harbor/tasks/main.yml
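Review bot: `HARBOR_VER_MAIN` is derived by splitting `HARBOR_VER` on '.' with nothing checking that the result is one of the two prefixes the comment says are supported, so a value outside v1.5.x/v1.6.x (or one written without the leading "v") only fails later in roles/harbor/tasks/main.yml, where the second hunk of that file builds `src=harbor-{{ HARBOR_VER_MAIN }}.cfg.j2` and Ansible reports a missing template instead of an unsupported version. A guard at the start of the tasks file makes the constraint explicit and fails early with a readable message, e.g. `- name: check that HARBOR_VER is a supported version` followed by `  assert: { that: HARBOR_VER_MAIN in ['v1.5', 'v1.6'], msg: "HARBOR_VER must be v1.5.x or v1.6.x" }`. The comment above `HARBOR_VER_MAIN` says it is extracted from `HARBOR_VER`; adding that it should not be set by hand would stop an inventory override from silently diverging from the full version used for the installer filename.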
@@ -10,26 +10,29 @@ register: result - block: - - name: 下载docker compose 二进制文件 + - name: 下发docker compose二进制文件 copy: src={{ base_dir }}/bin/docker-compose dest={{ bin_dir }}/docker-compose mode=0755 - - name: 安装解压工具 - package: name={{ item }} state=present - with_items: - - zip - - unzip - + - name: 下发harbor离线安装包 + copy: + src: "{{ base_dir }}/down/harbor-offline-installer-{{ HARBOR_VER }}.tgz" + dest: "/data/harbor-offline-installer-{{ HARBOR_VER }}.tgz" + - name: 解压harbor离线安装包 - unarchive: - src: "{{ base_dir }}/down/harbor-offline-installer-{{ HARBOR_VER }}.zip" - dest: /data - copy: yes - keep_newer: yes - mode: 0755 - + shell: "cd /data && tar zxf harbor-offline-installer-{{ HARBOR_VER }}.tgz" + - name: 导入harbor所需 docker images shell: "{{ bin_dir }}/docker load -i /data/harbor/harbor.{{ HARBOR_VER }}.tar.gz" + - name: 分发证书相关 + synchronize: src={{ ca_dir }}/{{ item }} dest={{ ca_dir }}/{{ item }} + with_items: + - ca.pem + - ca-key.pem + - ca.csr + - ca-config.json + delegate_to: "{{ groups.deploy[0] }}" + - name: 创建harbor证书请求 template: src=harbor-csr.json.j2 dest={{ ca_dir }}/harbor-csr.json @@ -41,7 +44,7 @@ -profile=kubernetes harbor-csr.json | {{ bin_dir }}/cfssljson -bare harbor" - name: 配置 harbor.cfg 文件 - template: src=harbor.cfg.j2 dest=/data/harbor/harbor.cfg + template: src=harbor-{{ HARBOR_VER_MAIN }}.cfg.j2 dest=/data/harbor/harbor.cfg - name: 安装 harbor shell: "cd /data/harbor && \ diff --git a/roles/harbor/templates/harbor.cfg.j2 b/roles/harbor/templates/harbor-v1.5.cfg.j2 similarity index 100% rename from roles/harbor/templates/harbor.cfg.j2 rename to roles/harbor/templates/harbor-v1.5.cfg.j2 diff --git a/roles/harbor/templates/harbor-v1.6.cfg.j2 b/roles/harbor/templates/harbor-v1.6.cfg.j2 new file mode 100644 index 0000000..ad5eb17 --- /dev/null +++ b/roles/harbor/templates/harbor-v1.6.cfg.j2 
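Review bot: The new `分发证书相关` task pushes the CA private key `ca-key.pem` onto the harbor host, apparently so the cfssl signing step further down the block (its tail is the context of the next hunk, `-profile=kubernetes harbor-csr.json | cfssljson -bare harbor`) can run there; delegating that signing to `{{ groups.deploy[0] }}` and shipping only `ca.pem` plus the resulting `harbor.pem`/`harbor-key.pem` would keep the CA key confined to the deploy node. Separately, the `解压harbor离线安装包` task replaced `unarchive` with a bare `shell: "cd /data && tar zxf …"` that re-extracts the installer on every run; `args: { creates: "/data/harbor/harbor.{{ HARBOR_VER }}.tar.gz" }` (the file the following `docker load` task reads) restores idempotence, or keep `unarchive` with `remote_src: yes` now that the tarball is copied to the host first. The enclosing `block` starts inside this hunk but continues past its end.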
@@ -0,0 +1,203 @@
+## Configuration file of Harbor
+
+#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
+_version = 1.6.0
+#The IP address or hostname to access admin UI and registry service.
+#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
+hostname = {{ inventory_hostname }}
+
+#The protocol for accessing the UI and token/notification service, by default it is http.
+#It can be set to https if ssl is enabled on nginx.
+ui_url_protocol = https
+
+#Maximum number of job workers in job service
+max_job_workers = 10
+
+#Determine whether or not to generate certificate for the registry's token.
+#If the value is on, the prepare script creates new root cert and private key
+#for generating token to access the registry. If the value is off the default key/cert will be used.
+#This flag also controls the creation of the notary signer's cert.
+customize_crt = on
+
+#The path of cert and key files for nginx, they are applied only the protocol is set to https
+ssl_cert = {{ ca_dir }}/harbor.pem
+ssl_cert_key = {{ ca_dir }}/harbor-key.pem
+
+#The path of secretkey storage
+secretkey_path = /data
+
+#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
+admiral_url = NA
+
+#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
+log_rotate_count = 50
+#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
+#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
+#are all valid.
+log_rotate_size = 200M
+
+#Config http proxy for Clair, e.g. http://my.proxy.com:3128
+#Clair doesn't need to connect to harbor ui container via http proxy.
+http_proxy =
+https_proxy =
+no_proxy = 127.0.0.1,localhost,ui,registry
+
+#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
+#only take effect in the first boot, the subsequent changes of these properties
+#should be performed on web ui
+
+#************************BEGIN INITIAL PROPERTIES************************
+
+#Email account settings for sending out password resetting emails.
+
+#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
+#Identity left blank to act as username.
+email_identity =
+
+email_server = smtp.mydomain.com
+email_server_port = 25
+email_username = sample_admin@mydomain.com
+email_password = abc
+email_from = admin
+email_ssl = false
+email_insecure = false
+
+##The initial password of Harbor admin, only works for the first time when Harbor starts.
+#It has no effect after the first launch of Harbor.
+#Change the admin password from UI after launching Harbor.
+harbor_admin_password = Harbor12345
+
+##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
+#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
+auth_mode = db_auth
+
+#The url for an ldap endpoint.
+ldap_url = ldaps://ldap.mydomain.com
+
+#A user's DN who has the permission to search the LDAP/AD server.
+#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
+#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
+
+#the password of the ldap_searchdn
+#ldap_search_pwd = password
+
+#The base DN from which to look up a user in LDAP/AD
+ldap_basedn = ou=people,dc=mydomain,dc=com
+
+#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
+#ldap_filter = (objectClass=person)
+
+# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
+ldap_uid = uid
+
+#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
+ldap_scope = 2
+
+#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
+ldap_timeout = 5
+
+#Verify certificate from LDAP server
+ldap_verify_cert = true
+
+#The base dn from which to lookup a group in LDAP/AD
+ldap_group_basedn = ou=group,dc=mydomain,dc=com
+
+#filter to search LDAP/AD group
+ldap_group_filter = objectclass=group
+
+#The attribute used to name a LDAP/AD group, it could be cn, name
+ldap_group_gid = cn
+
+#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
+ldap_group_scope = 2
+
+#Turn on or off the self-registration feature
+self_registration = off
+
+#The expiration time (in minute) of token created by token service, default is 30 minutes
+token_expiration = 30
+
+#The flag to control what users have permission to create projects
+#The default value "everyone" allows everyone to creates a project.
+#Set to "adminonly" so that only admin user can create project.
+project_creation_restriction = adminonly
+
+#************************END INITIAL PROPERTIES************************
+
+#######Harbor DB configuration section#######
+
+#The address of the Harbor database. Only need to change when using external db.
+db_host = postgresql
+
+#The password for the root user of Harbor DB. Change this before any production use.
+db_password = root123
+
+#The port of Harbor database host
+db_port = 5432
+
+#The user name of Harbor database
+db_user = postgres
+
+##### End of Harbor DB configuration#######
+
+##########Redis server configuration.############
+
+#Redis connection address
+redis_host = redis
+
+#Redis connection port
+redis_port = 6379
+
+#Redis connection password
+redis_password =
+
+#Redis connection db index
+#db_index 1,2,3 is for registry, jobservice and chartmuseum.
+#db_index 0 is for UI, it's unchangeable
+redis_db_index = 1,2,3
+
+##########Redis server configuration.############
+
+##########Clair DB configuration############
+
+#Clair DB host address. Only change it when using an exteral DB.
+clair_db_host = postgresql
+#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
+#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
+clair_db_password = root123
+#Clair DB connect port
+clair_db_port = 5432
+#Clair DB username
+clair_db_username = postgres
+#Clair default database
+clair_db = postgres
+
+#The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
+clair_updaters_interval = 12
+
+##########End of Clair DB configuration############
+
+#The following attributes only need to be set when auth mode is uaa_auth
+uaa_endpoint = uaa.mydomain.org
+uaa_clientid = id
+uaa_clientsecret = secret
+uaa_verify_cert = true
+uaa_ca_cert = /path/to/ca.pem
+
+
+### Harbor Storage settings ###
+#Please be aware that the following storage settings will be applied to both docker registry and helm chart repository.
+#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
+registry_storage_provider_name = filesystem
+#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
+#To avoid duplicated configurations, both docker registry and chart repository follow the same storage configuration specifications of docker registry.
+#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
+registry_storage_provider_config =
+#registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
+#of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
+registry_custom_ca_bundle =
+
+#If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites exsiting settings.
+#reload_config=true
+#Regular expression to match skipped environment variables
+#skip_reload_env_pattern=(^EMAIL.*)|(^LDAP.*)
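Review bot: The new template ships Harbor's published default credentials as literals — `harbor_admin_password = Harbor12345`, `db_password = root123`, `clair_db_password = root123`, plus the sample `email_password = abc` and `uaa_clientsecret = secret` — so every registry this role deploys starts with the same well-known secrets unless someone edits the template, even though the file's own comment on `db_password` says to change it before production use. The template already reads `{{ ca_dir }}` and `{{ inventory_hostname }}`, so the passwords should come from role variables set per deployment rather than from the template body, e.g. `harbor_admin_password = {{ HARBOR_ADMIN_PASSWORD }}`, `db_password = {{ HARBOR_DB_PASSWORD }}`, `clair_db_password = {{ HARBOR_DB_PASSWORD }}` (variable names are only suggestions; both DB entries point at the same `postgresql` host and `postgres` user here, so presumably they must agree). Note also that the `#`-prefixed lines are plain-text comments in the rendered file, not Jinja comments, so commented-out samples such as `#ldap_search_pwd = password` still land verbatim in /data/harbor/harbor.cfg on the host.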