piwi3910.harbor
Ansible Role: Harbor
This role has been updated to work with newer versions of Ansible because some features are no longer supported, and the original role is not maintained.
This Ansible Role installs Harbor on Linux.
Note: This role is still in the early testing phase. Feedback and contributions are welcome.
Requirements
No special requirements.
Role Variables
For a complete list of variables, check defaults/main.yaml.
By default, the role uses the current host's IP for harbor_hostname, but you can change it.
To change the installation directory:
harbor_install_dir: /opt
To set the default protocol:
harbor_ui_url_protocol: "http"
To change the ports that Harbor's NGINX uses (defaults are 80 for HTTP and 443 for HTTPS):
harbor_exposed_http_port: 81
harbor_exposed_https_port: 444
If Harbor is behind a proxy, set harbor_behind_proxy: yes. This will modify the NGINX configuration to work correctly as per their troubleshooting guide.
To install additional features, set:
harbor_extras:
- clair
- notary
If you already have a Redis instance, you can change the default Redis hostname and port:
# Update these if you are using your own Redis
harbor_redis_host: redis
harbor_redis_port: 6379
You can also add extra arguments to the installer with harbor_installer_extra_args (as a string).
If you want to automatically create projects when Harbor is installed, define harbor_projects:
harbor_projects:
  - project_name: test
    is_public: "false"
    content_trust: "false"
    prevent_vul: "true"
    severity: "high"
    auto_scan: "true"
By default, users can sign up themselves. If you want to create users automatically, you must turn off self-registration and provide a list of users. The default password is "HarborUser12345".
This operation can be run multiple times without changing the outcome.
harbor_self_registration: "off"
harbor_users:
  - username: user1
    email: [email protected]
    realname: User Number 1
    role_name: developer
    role_id: 2
    has_admin_role: true
Dependencies
None.
Example Playbook
---
- name: Installing and configuring Harbor
  hosts: registry
  vars:
    harbor_projects:
      - project_name: myproject
        is_public: "false"
        content_trust: "false"
        prevent_vul: "true"
        severity: "high"
        auto_scan: "true"
    harbor_users:
      - username: user1
        email: [email protected]
        realname: User Number 1
        role_name: developer
        role_id: 2
        has_admin_role: true
  roles:
    - harbor
After executing the playbook, you can access Harbor's user interface at ports 80/443. Use admin/Harbor12345 to log in. If you've changed the ports, use those instead.
Running Harbor Behind a Proxy
If you run Harbor behind a proxy handling SSL, you'll need to make a few adjustments because:
a) Harbor runs its own NGINX, which must be set up to use HTTP.
b) Certain lines need to be commented out in Harbor's NGINX configuration if a proxy is used.
c) The realm URL must be updated to be externally visible: https.
Here’s an example of the necessary variable settings:
harbor_hostname: "myharbor.company.com"
harbor_api_url: "https://myharbor.company.com/api"
harbor_behind_proxy: yes
# Internally, Harbor runs on HTTP
harbor_ui_url_protocol: "http"
harbor_customize_crt: "off"
harbor_registry_realm_protocol: "https"
# Using different ports to avoid conflicts with 80/443
harbor_exposed_http_port: 8798
harbor_exposed_https_port: 8799
harbor_extras:
- clair
harbor_self_registration: "off"
# Pointing to an existing Redis container
harbor_redis_host: redisharbor
This setup will:
- Comment out a necessary line in Harbor's NGINX configuration.
- Correctly update the registry realm URL.
While this may seem complex, it avoids excessive changes to Harbor's files that could cause issues. Suggestions for improvement are welcome.
Managing State
This role includes tasks to stop, start, and restart the registry using Docker Compose.
Here’s a playbook to specifically restart the registry:
---
- hosts: registry
  tasks:
    - name: Restarting Harbor
      include_role:
        name: harbor
        tasks_from: restart
Running this playbook will restart all components of Harbor, including any additional features like clair and notary.
The tasks_from option can be restart, start, or stop.
If you want to rerun the playbook but have already changed the default admin password, set the harbor_admin_password variable or pass it via the command line with -e "harbor_admin_password=mypass".
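The proxy settings and the admin password handling described above can be checked before the role runs. The playbook below is an added example, not part of the role: it uses only variables named in this README, and it assumes a re-run where the admin password has already been changed and is supplied with -e or from an encrypted vars file.

```yaml
---
# Added example (not from the role): pre-flight checks before a re-run.
- name: Installing Harbor with pre-flight checks
  hosts: registry
  vars:
    harbor_hostname: "myharbor.company.com"
    harbor_api_url: "https://myharbor.company.com/api"
    harbor_behind_proxy: yes
    harbor_ui_url_protocol: "http"
    harbor_customize_crt: "off"
    harbor_registry_realm_protocol: "https"
    harbor_self_registration: "off"
    # harbor_admin_password is deliberately not set here; pass it at run time.
  pre_tasks:
    - name: Refuse to run with a missing or default admin password
      ansible.builtin.assert:
        that:
          - harbor_admin_password is defined
          - harbor_admin_password | length > 0
          - harbor_admin_password != "Harbor12345"
        fail_msg: "Set harbor_admin_password to the changed admin password."
        quiet: true

    - name: Require self-registration to be off when users are managed here
      ansible.builtin.assert:
        that:
          - harbor_self_registration | string == "off"
        fail_msg: "harbor_self_registration must be \"off\" to manage harbor_users."
        quiet: true

    - name: Check that the proxy-related variables agree with each other
      ansible.builtin.assert:
        that:
          # Harbor's own NGINX speaks HTTP; the proxy terminates SSL.
          - harbor_ui_url_protocol == "http"
          - harbor_customize_crt | string == "off"
          # Clients must be sent to an externally visible HTTPS realm and API.
          - harbor_registry_realm_protocol == "https"
          - harbor_api_url is match("^https://")
        fail_msg: "Proxy mode needs HTTP internally and HTTPS for the realm and API URL."
        quiet: true
      when: harbor_behind_proxy | bool
  roles:
    - harbor
```

A failed assertion stops the play before any Harbor file is touched, and the output shows the failing expression rather than the password value.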
Author Information
This role was created in 2019 by Nicholas Amorim and updated in 2022 by Pascal Watteel.
Installs, Configures and Manages Harbor (docker)
ansible-galaxy install piwi3910.harbor