增加harbor部署

2017-12-25 15:05:21 +08:00 · 2017-12-25 15:05:21 +08:00 · f697d49c86
parent 10023afdff
commit f697d49c86
9 changed files with 216 additions and 8 deletions
--- a/11.harbor.yml
+++ b/11.harbor.yml
@ -0,0 +1,17 @@
 - hosts: harbor
  roles:
  - prepare
  - docker
  - harbor
 - hosts: kube-node
  tasks:
  - name: harbor证书目录创建
    file: name=/etc/docker/certs.d/{{ HARBOR_DOMAIN }} state=directory
  - name: harbor服务器证书安装
    copy: src={{ base_dir }}/roles/prepare/files/ca.pem dest=/etc/docker/certs.d/{{ HARBOR_DOMAIN }}/ca.crt
  - name: 增加harbor的hosts解析
    shell: "sed -i '/{{ HARBOR_DOMAIN }}/d' /etc/hosts && \
 	echo {{ HARBOR_IP }} {{ HARBOR_DOMAIN }} >> /etc/hosts"
--- a/docs/00-集群规划和基础参数设定.md
+++ b/docs/00-集群规划和基础参数设定.md
@ -66,8 +66,8 @@ ca_dir="/etc/kubernetes/ssl"
 base_dir="/etc/ansible"
 #私有仓库 harbor服务器 (域名或者IP) 【可选】
-#需要把 harbor服务器证书复制到roles/harbor/files/harbor-ca.crt
+HARBOR_IP="192.168.1.8"
-HARBOR_SERVER="harbor.mydomain.com"
+HARBOR_DOMAIN="harbor.mydomain.com"
 ```
 ## 部署步骤
--- a/down/download.sh
+++ b/down/download.sh
@ -4,6 +4,8 @@ export K8S_VER=v1.9.0
 export ETCD_VER=v3.2.11
 export DOCKER_VER=17.09.1-ce
 export CALICO_VER=v2.6.3
 export DOCKER_COMPOSE=1.18.0
 export HARBOR=v1.2.2
 echo "\n建议直接下载本人打包好的所有必要二进制包k8s-190.all.tar.gz，然后解压到bin目录"
 echo "\n建议不使用此脚本，如果你想升级组件或者实验，请通读该脚本，必要时适当修改后使用"
@ -31,6 +33,12 @@ echo https://docs.projectcalico.org/v2.6/releases/
 echo "\n----download calico cni-plugin at:"
 echo https://github.com/projectcalico/cni-plugin/releases
 echo "\n----download docker-compose at:"
 echo https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE}/docker-compose-Linux-x86_64
 echo "\n----download harbor-offline-installer at:"
 echo https://github.com/vmware/harbor/releases/download/${HARBOR}/harbor-offline-installer-${HARBOR}.tgz
 sleep 30
 ### 准备证书工具程序
--- a/example/hosts.allinone.example
+++ b/example/hosts.allinone.example
@ -18,6 +18,10 @@
 kube-node
 kube-master
 # 如果启用harbor，请配置后面harbor相关参数
 [harbor]
 #10.100.97.44 NODE_IP="192.168.1.8"
 [all:vars]
 # ---------集群主要参数---------------
 #集群 MASTER IP
@ -71,5 +75,5 @@ ca_dir="/etc/kubernetes/ssl"
 base_dir="/etc/ansible"
 #私有仓库 harbor服务器 (域名或者IP)
-#需要把 harbor服务器证书复制到roles/harbor/files/harbor-ca.crt
+#HARBOR_IP="192.168.1.8"
-HARBOR_SERVER="harbor.yourdomain.com"
+#HARBOR_DOMAIN="harbor.yourdomain.com"
--- a/example/hosts.m-masters.example
+++ b/example/hosts.m-masters.example
@ -34,6 +34,10 @@ MASTER_PORT="8443"		# api-server 服务端口
 kube-node
 kube-master
 # 如果启用harbor，请配置后面harbor相关参数
 [harbor]
 #10.100.97.44 NODE_IP="192.168.1.8"
 # 预留组，后续添加node节点使用
 [new-node]
 #192.168.1.xx NODE_ID=node6 NODE_IP="192.168.1.xx"
@ -90,5 +94,5 @@ ca_dir="/etc/kubernetes/ssl"
 base_dir="/etc/ansible"
 #私有仓库 harbor服务器 (域名或者IP)
-#需要把 harbor服务器证书复制到roles/harbor/files/harbor-ca.crt
+#HARBOR_IP="192.168.1.8"
-HARBOR_SERVER="harbor.mydomain.com"
+#HARBOR_DOMAIN="harbor.yourdomain.com"
--- a/example/hosts.s-master.example
+++ b/example/hosts.s-master.example
@ -22,6 +22,10 @@
 kube-node
 kube-master
 # 如果启用harbor，请配置后面harbor相关参数
 [harbor]
 #10.100.97.44 NODE_IP="192.168.1.8"
 [all:vars]
 # ---------集群主要参数---------------
 #集群 MASTER IP
@ -75,5 +79,5 @@ ca_dir="/etc/kubernetes/ssl"
 base_dir="/etc/ansible"
 #私有仓库 harbor服务器 (域名或者IP)
-#需要把 harbor服务器证书复制到roles/harbor/files/harbor-ca.crt
+#HARBOR_IP="192.168.1.8"
-HARBOR_SERVER="harbor.yourdomain.com"
+#HARBOR_DOMAIN="harbor.yourdomain.com"
--- a/roles/harbor/tasks/main.yml
+++ b/roles/harbor/tasks/main.yml
@ -0,0 +1,44 @@
 - name: 下载docker compose 二进制文件
  copy: src={{ base_dir }}/bin/docker-compose dest={{ bin_dir }}/docker-compose mode=0755
 # 注册变量result，根据result结果判断是否已经安装过harbor
 # result|failed 说明没有安装过harbor，下一步进行安装
 # result|succeeded 说明已经安装过harbor，下一步跳过安装
 - name: 注册变量result
  command: ls /data
  register: result
  ignore_errors: True
 - name: 解压harbor离线安装包
  unarchive: 
    src: "{{ base_dir }}/down/harbor-offline-installer-v1.2.2.tgz"
    dest: /root/local
    copy: yes
    keep_newer: yes
  when: result|failed
 - name: 导入harbor所需 docker images
  shell: "{{ bin_dir }}/docker load -i /root/local/harbor/harbor.v1.2.2.tar.gz"
  when: result|failed
 - name: 创建harbor证书请求
  template: src=harbor-csr.json.j2 dest={{ ca_dir }}/harbor-csr.json
  when: result|failed
 - name: 创建harbor证书和私钥
  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
        -ca={{ ca_dir }}/ca.pem \
        -ca-key={{ ca_dir }}/ca-key.pem \
        -config={{ ca_dir }}/ca-config.json \
        -profile=kubernetes harbor-csr.json | {{ bin_dir }}/cfssljson -bare harbor"
  when: result|failed
 - name: 配置 harbor.cfg 文件
  template: src=harbor.cfg.j2 dest=/root/local/harbor/harbor.cfg
  when: result|failed
 - name: 安装 harbor
  shell: "cd /root/local/harbor && \
 	export PATH={{ bin_dir }}:$PATH && \
 	 ./install.sh"
  when: result|failed
--- a/roles/harbor/templates/harbor-csr.json.j2
+++ b/roles/harbor/templates/harbor-csr.json.j2
@ -0,0 +1,21 @@
 {
  "CN": "harbor",
  "hosts": [
    "127.0.0.1",
    "{{ NODE_IP }}",
    "{{ HARBOR_DOMAIN }}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
 }
--- a/roles/harbor/templates/harbor.cfg.j2
+++ b/roles/harbor/templates/harbor.cfg.j2
@ -0,0 +1,106 @@
 ## Configuration file of Harbor
 #The IP address or hostname to access admin UI and registry service.
 #DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
 hostname = {{ NODE_IP }}
 #The protocol for accessing the UI and token/notification service, by default it is http.
 #It can be set to https if ssl is enabled on nginx.
 ui_url_protocol = https
 #The password for the root user of mysql db, change this before any production use.
 db_password = Harbor12345
 #Maximum number of job workers in job service  
 max_job_workers = 3 
 #Determine whether or not to generate certificate for the registry's token.
 #If the value is on, the prepare script creates new root cert and private key 
 #for generating token to access the registry. If the value is off the default key/cert will be used.
 #This flag also controls the creation of the notary signer's cert.
 customize_crt = on
 #The path of cert and key files for nginx, they are applied only the protocol is set to https
 ssl_cert = {{ ca_dir }}/harbor.pem
 ssl_cert_key = {{ ca_dir }}/harbor-key.pem
 #The path of secretkey storage
 secretkey_path = /data
 #Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
 admiral_url = NA
 #The password of the Clair's postgres database, only effective when Harbor is deployed with Clair.
 #Please update it before deployment, subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
 clair_db_password = password
 #NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
 #only take effect in the first boot, the subsequent changes of these properties 
 #should be performed on web ui
 #************************BEGIN INITIAL PROPERTIES************************
 #Email account settings for sending out password resetting emails.
 #Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
 #Identity left blank to act as username.
 email_identity = 
 email_server = smtp.mydomain.com
 email_server_port = 25
 email_username = sample_admin@mydomain.com
 email_password = abc
 email_from = admin <sample_admin@mydomain.com>
 email_ssl = false
 ##The initial password of Harbor admin, only works for the first time when Harbor starts. 
 #It has no effect after the first launch of Harbor.
 #Change the admin password from UI after launching Harbor.
 harbor_admin_password = Harbor12345
 ##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
 #Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
 auth_mode = db_auth
 #The url for an ldap endpoint.
 ldap_url = ldaps://ldap.mydomain.com
 #A user's DN who has the permission to search the LDAP/AD server. 
 #If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
 #ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
 #the password of the ldap_searchdn
 #ldap_search_pwd = password
 #The base DN from which to look up a user in LDAP/AD
 ldap_basedn = ou=people,dc=mydomain,dc=com
 #Search filter for LDAP/AD, make sure the syntax of the filter is correct.
 #ldap_filter = (objectClass=person)
 # The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD  
 ldap_uid = uid 
 #the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
 ldap_scope = 3 
 #Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
 ldap_timeout = 5
 #Turn on or off the self-registration feature
 self_registration = on
 #The expiration time (in minute) of token created by token service, default is 30 minutes
 token_expiration = 30
 #The flag to control what users have permission to create projects
 #The default value "everyone" allows everyone to creates a project. 
 #Set to "adminonly" so that only admin user can create project.
 project_creation_restriction = everyone
 #Determine whether the job service should verify the ssl cert when it connects to a remote registry.
 #Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
 verify_remote_cert = on
 #************************END INITIAL PROPERTIES************************
 #############