nicholasamorim.harbor

Ansible Role: Harbor

This is an Ansible Role that installs Harbor on Linux.

Please note that this role is currently in the alpha stage. Feel free to report issues or submit pull requests.

Requirements

No special requirements.

Role Variables

For a full list of variables, check defaults/main.yaml.

By default, the role uses the current host's IP address to set harbor_hostname, but you can change it.

To change the installation directory:

harbor_install_dir: /opt

To change the default protocol:

harbor_ui_url_protocol: "http"

To modify the exposed ports of Harbor's NGINX (default ports are 80 and 443), use:

harbor_exposed_http_port: 81
harbor_exposed_https_port: 444

If you're running Harbor behind a proxy, set harbor_behind_proxy: yes. This adjusts Harbor's Nginx settings as described in Harbor's troubleshooting guide.

To install additional components, set:

harbor_extras:
    - clair
    - notary

If you already have a Redis server, change the default Redis hostname and port:

# Only change these if you have your own Redis running
harbor_redis_host: redis
harbor_redis_port: 6379

You can also add extra arguments to the installer with harbor_installer_extra_args (as a string).

If you want to create projects automatically after installing Harbor, define harbor_projects:

harbor_projects:
  - project_name: test
    is_public: "false"
    content_trust: "false"
    prevent_vul: "true"
    severity: "high"
    auto_scan: "true"

By default, users can self-register. If you want to create users automatically, you need to disable self-registration and create a list of users. The default password is "HarborUser12345".

This setup is idempotent.

harbor_self_registration: "off"
harbor_users:
    - username: user1
      email: user1@example.com  # placeholder address
      realname: User Number 1
      role_name: developer
      role_id: 2
      has_admin_role: true

Dependencies

There are no dependencies.

Example Playbook

---
- name: Installing and configuring Harbor
  hosts: registry
  vars:
    harbor_projects:
      - project_name: myproject
        is_public: "false"
        content_trust: "false"
        prevent_vul: "true"
        severity: "high"
        auto_scan: "true"
    harbor_users:
      - username: user1
        email: user1@example.com  # placeholder address
        realname: User Number 1
        role_name: developer
        role_id: 2
        has_admin_role: true
  roles:
    - nicholasamorim.harbor

After running this playbook, you should be able to access Harbor's UI on ports 80/443. Log in with admin/Harbor12345. If you changed the ports, use those instead of 80/443.

Running Harbor Behind a Proxy

A common setup is to run Harbor behind a proxy, which handles SSL termination. This can be tricky since Harbor has its own Nginx. Here’s what to keep in mind:

a) Harbor's Nginx needs to run as http.
b) Some lines in Harbor's Nginx must be commented out if using a proxy.
c) The URL for the registry realm must be set to be externally visible: https.

Here’s an example of variables for this setup:

harbor_hostname: "myharbor.company.com"
harbor_api_url: "https://myharbor.company.com/api"
harbor_behind_proxy: yes
# Internally, Harbor still runs on http
harbor_ui_url_protocol: "http"
harbor_customize_crt: "off"
harbor_registry_realm_protocol: "https"
# Using different ports for Harbor's nginx to avoid conflict with 80/443
harbor_exposed_http_port: 8798
harbor_exposed_https_port: 8799
harbor_extras:
  - clair
harbor_self_registration: "off"
# If you have a Redis container running
harbor_redis_host: redisharbor
harbor_ssl_cert: /etc/ssl/certs/cert.pem
harbor_ssl_cert_key: /etc/ssl/certs/cert.key

This will ensure that:

  • The necessary lines in Harbor's Nginx are commented out.
  • The registry realm URL is correctly set.

Though it may seem complex, this minimizes changes to Harbor’s files/templates, which helps prevent issues. Suggestions for improvement are welcome.

Managing State

This role includes tasks to stop, start, and restart the registry using docker-compose.

Here’s a playbook to specifically restart the registry:

---
- hosts: registry
  tasks:
    - name: Restarting Harbor
      include_role:
        name: nicholasamorim.harbor  # role name as installed by ansible-galaxy
        tasks_from: restart

Running this playbook restarts all components of Harbor. It checks whether you're using clair and/or notary and uses their docker-compose files as well.

Available tasks include restart, start, and stop.

If you re-run the playbook to ensure the user list after changing the default admin password, set harbor_admin_password, or pass it on the command line with -e "harbor_admin_password=mypass".
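
A vars set with pre-flight checks for the proxy setup and the re-run case described above, as an added example that is not part of the role or its README. It assumes the admin password has already been changed from the default, that vault_harbor_admin_password is a hypothetical variable kept in an ansible-vault encrypted file, and that refusing has_admin_role on managed users is a policy chosen here; user1@example.com is a constructed address.

```yaml
---
- name: Apply the Harbor role behind a TLS-terminating proxy
  hosts: registry
  vars:
    harbor_hostname: "myharbor.company.com"
    harbor_api_url: "https://myharbor.company.com/api"
    harbor_behind_proxy: yes
    harbor_ui_url_protocol: "http"
    harbor_registry_realm_protocol: "https"
    harbor_self_registration: "off"
    # Assumption: vault_harbor_admin_password is a hypothetical variable from
    # an ansible-vault encrypted vars file; it is not defined by this role.
    harbor_admin_password: "{{ vault_harbor_admin_password }}"
    harbor_users:
      - username: user1
        email: user1@example.com  # constructed sample address
        realname: User Number 1
        role_name: developer
        role_id: 2
        has_admin_role: false
  pre_tasks:
    - name: Proxy settings agree (internal http, external https)
      assert:
        that:
          - harbor_ui_url_protocol == "http"
          - harbor_registry_realm_protocol == "https"
          - harbor_api_url is match("https://")
        fail_msg: "Behind a proxy, Harbor's Nginx stays on http and the realm and API URL are https."
      when: harbor_behind_proxy | bool
    - name: Self-registration is off when the role manages users
      assert:
        that: harbor_self_registration == "off"
        fail_msg: "Set harbor_self_registration to off before defining harbor_users."
      when: harbor_users | default([]) | length > 0
    - name: Admin password is not the documented default
      assert:
        that: harbor_admin_password != "Harbor12345"
        fail_msg: "harbor_admin_password is still the default value."
    - name: No managed user is a system administrator (policy added here)
      assert:
        that: >-
          harbor_users | default([]) | selectattr("has_admin_role", "defined")
          | selectattr("has_admin_role") | list | length == 0
        fail_msg: "A user in harbor_users has has_admin_role set."
  roles:
    - nicholasamorim.harbor
```

Keeping the password in a vaulted variable rather than passing it with -e keeps it out of shell history and the process list.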

Author Information

This role was created in 2019 by Nicholas Amorim.

About the project

Installs, Configures and Manages Harbor (docker)

Install
ansible-galaxy install nicholasamorim.harbor
License
MIT