bodsch.harbor
Ansible Role: harbor
An Ansible Role that installs Harbor on Linux.
This role is a fork of amuwxf.
I will not maintain this role in the future! Please create a fork and continue it there if you need new features.
If you need a Docker Registry and are looking for a replacement for Harbor, I can suggest ansible-registry, with ansible-registry-ui as its UI.
If `latest` is set for `harbor_version`, the role tries to install the latest release version.
Please use this with caution, as incompatibilities between releases may occur!
Harbor is installed below `harbor_install_dir` in its own directory (`harbor_${harbor_version}`) and then linked to `{{ harbor_install_dir }}/harbor`.
This should make it possible to downgrade relatively safely.
The Harbor installation archive is stored on the Ansible controller and then copied to the target system.
The cache directory can be defined via the environment variable `CUSTOM_LOCAL_TMP_DIRECTORY`.
By default it is `${HOME}/.cache/ansible/harbor`.
If this type of installation is not desired, the download can take place directly on the target system.
However, this must be explicitly activated by setting `harbor_direct_download` to `true`.
Requirements
- running docker service
- installed docker-compose
Operating systems
Tested on
- Debian based
- Debian 10 / 11
- Ubuntu 20.04
Usage
For a complete list see `defaults/main.yaml`.
For a complete example see `molecule/default/group_vars/all/vars.yaml`.
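# Version string, quoted so no parser ever reads it as a number.
harbor_version: "2.5.2"
harbor_installer_type: offline
harbor_download_release_url: "https://github.com/goharbor/harbor/releases"
harbor_download_artifact: "harbor-{{ harbor_installer_type }}-installer-v{{ harbor_version }}.tgz"
harbor_download_url: "{{ harbor_download_release_url }}/download/v{{ harbor_version }}/{{ harbor_download_artifact }}"
# false: the archive is fetched on the Ansible controller and copied to the target;
# true: the target downloads it itself.
harbor_direct_download: false
harbor_force_configuration: false
harbor_hostname: "{{ ansible_fqdn }}"
harbor_install_dir: /opt
harbor_data_volume: "{{ harbor_install_dir }}/data"
# Shipped default admin password (published in this README, so treat it as public).
# Override it for every real deployment and keep the override out of version
# control, e.g. via ansible-vault.
harbor_admin_password: Harbor12345
# Empty mappings below are filled from the harbor_defaults_* mappings further down.
harbor_http: {}
harbor_https: {}
harbor_external_url: {}
harbor_internal_tls: {}
harbor_ssl: {}
harbor_database: {}
harbor_external_database: {}
harbor_external_redis: {}
harbor_storage_service: {}
harbor_trivy: {}
harbor_jobservice: {}
harbor_notification: {}
harbor_chart: {}
harbor_log: {}
harbor_metric: {}
harbor_trace: {}
harbor_upload_purging: {}
harbor_users: {}
harbor_projects: {}
harbor_robots: {}
# Extra flags passed to the Harbor installer.
harbor_install_with:
  - --with-trivy
harbor_behind_proxy: false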
harbor_http
harbor_defaults_http:
  # Plain-HTTP listener. With HTTPS enabled this port only redirects to the HTTPS port.
  port: 80
harbor_https
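harbor_defaults_https:
  # HTTPS is off by default, so Harbor serves plain HTTP unless this is enabled.
  enabled: false
  # https port for harbor, default is 443
  port: 443
  # Certificate and key paths; both are expected to be set when enabled is true.
  certificate: ""
  private_key: ""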
harbor_external_url
harbor_defaults_external_url:
  protocol: http  # or https
  url: ""
harbor_internal_tls
harbor_defaults_internal_tls:
  # Disabled by default.
  enabled: false
  # Directory holding the internal TLS material when enabled.
  dir: /etc/harbor/tls/internal
harbor_ssl
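harbor_defaults_ssl:
  create_self_signed: false
  cert: "{{ harbor_install_dir }}/harbor/ssl/harbor.crt"
  cert_key: "{{ harbor_install_dir }}/harbor/ssl/harbor.key"
  # Lifetime of the self-signed certificate in days.
  self_days: 180
  # NOTE(review): CN=test does not match harbor_hostname; clients that validate
  # the name will reject a certificate generated from this subject. Set the CN to
  # the real hostname when create_self_signed is true.
  self_subject: "/O=Harbor Server/OU=Self signed/CN=test"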
harbor_database
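harbor_defaults_database:
  # Published default for the bundled database; override it per deployment and
  # keep the real value out of version control (e.g. ansible-vault).
  password: root123
  max_idle_conns: 50
  max_open_conns: 500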
harbor_external_database
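harbor_defaults_external_database:
  harbor:
    host: ""
    port: ""
    db_name: ""
    username: ""
    # Keep real credentials out of version control (e.g. ansible-vault).
    password: ""
    # "disable" sends database traffic without TLS; prefer require/verify-full
    # when the database is reached over a network you do not fully control.
    ssl_mode: disable
    max_idle_conns: 2
    max_open_conns: 0
  notary_signer:
    host: ""
    port: ""
    db_name: ""
    username: ""
    password: ""
    # See the note on ssl_mode above.
    ssl_mode: disable
  notary_server:
    host: ""
    port: ""
    db_name: ""
    username: ""
    password: ""
    # See the note on ssl_mode above.
    ssl_mode: disable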
harbor_external_redis
Supports `redis` and `redis+sentinel`:

- `redis`: `host` = `host_redis:port_redis`
- `redis+sentinel`: `host` = `host_sentinel1:port_sentinel1,host_sentinel2:port_sentinel2,host_sentinel3:port_sentinel3`
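harbor_defaults_external_redis:
  host: ""
  # Keep the real password out of version control (e.g. ansible-vault).
  password: ""
  # sentinel_master_set must be set to support redis+sentinel
  # NOTE(review): false here presumably means "not configured"; the redis+sentinel
  # mode expects a master set name in this field — confirm against the role's template.
  sentinel_master_set: false
  # db_index 0 is for core, it's unchangeable
  registry_db_index: 1
  jobservice_db_index: 2
  chartmuseum_db_index: 3
  clair_db_index: 4
  trivy_db_index: 5
  idle_timeout_seconds: 30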
harbor_storage_service
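harbor_defaults_storage_service:
  # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
  # of registry's and chart repository's containers. This is usually needed when the user hosts an
  # internal storage with a self-signed certificate.
  ca_bundle: ""
  # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
  # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
  filesystem:
    maxthreads: ""
  # set disabled to true when you want to disable registry redirect
  redirect:
    disabled: false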
harbor_trivy
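harbor_defaults_trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  # Leave false: true skips TLS certificate verification for the scanner's connections.
  insecure: false
  # Token for vulnerability database downloads; keep the real value out of
  # version control (e.g. ansible-vault).
  github_token: ""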
harbor_jobservice
harbor_defaults_jobservice:
  # Number of concurrent job workers.
  max_job_workers: 10
harbor_notification
harbor_defaults_notification:
  # Retry limit for webhook delivery jobs.
  webhook_job_max_retry: 10
harbor_chart
harbor_defaults_chart:
  # Set to "enabled" to use absolute URLs in chart responses.
  absolute_url: "disabled"
harbor_log
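harbor_defaults_log:
  level: info
  # Local log rotation settings.
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
  # Optional remote log sink; all three fields are empty (unused) by default.
  external_endpoint:
    protocol: ""  # tcp
    host: ""  # localhost
    port: ""  # 5140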
harbor_metric
harbor_defaults_metric:
  # Metrics exporter, off by default.
  enabled: false
  port: 9090
  path: /metrics
harbor_trace
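harbor_defaults_trace:
  enabled: false
  # set sample_rate to 1 if you want to sample 100% of trace data; set 0.5 to sample 50%, and so forth
  sample_rate: 1
  # namespace used to differentiate different harbor services (unset by default)
  namespace: null
  # attributes is a key value dict containing user defined attributes used to initialize the trace provider
  attributes:
    application: harbor
  # jaeger should be 1.26 or newer.
  jaeger:
    # "hostname" is a placeholder to be replaced with the collector address.
    endpoint: http://hostname:14268/api/traces
    # Unset by default; if credentials are needed, keep them out of version control.
    username: null
    password: null
    agent_host: hostname
    # export trace data by jaeger.thrift in compact mode
    agent_port: 6831
  otel:
    endpoint: hostname:4318
    url_path: /v1/traces
    compression: false
    # true exports traces without TLS; set false (and a TLS-capable endpoint)
    # when the collector is reached over an untrusted network.
    insecure: true
    timeout: 10s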
harbor_upload_purging
harbor_defaults_upload_purging:
  enabled: true
  # Files in _upload directories older than this are removed; default is one week.
  age: 168h
  # How often the purge runs.
  interval: 24h
  # true only reports what would be removed.
  dryrun: false
harbor_users
By default, users can self-register.
If you prefer to create users automatically, you must disable self-registration and set a list of users.
Each user must have a unique email address! Therefore a corresponding plausibility check is carried out when the role runs. It is also important to understand that Harbor enforces restrictions on the password length.
This operation is idempotent.
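harbor_users:
  coremedia:
    # Example only: passwords in this mapping are plaintext, so keep real values
    # out of version control (e.g. ansible-vault).
    password: C0remedia
    # Address shown obfuscated in the rendered README; use a real, unique address.
    email: [email protected]
    realname: automatic build
    # Grants Harbor administrator rights; keep this to the few accounts that need it.
    has_admin_role: true
  coremedia2:
    password: C0remedia2
    email: [email protected]
    realname: automatic build
    has_admin_role: false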
harbor_projects
You may define `harbor_projects` if you want projects to be created automatically once Harbor is installed.
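# One entry of the harbor_projects mapping; the key is the project name.
matrix:
  # Values are deliberately quoted strings ("true"/"false"), not YAML booleans —
  # NOTE(review): presumably because the Harbor project-metadata API expects
  # strings; confirm against the role's tasks before changing them.
  is_public: "false"
  content_trust: "true"
  prevent_vul: "true"
  severity: "high"
  auto_scan: "true"
  # Members added to the project, keyed by user name.
  project_members:
    coremedia3:
      role: guest
    coremedia4:
      role: developer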
harbor_robots
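harbor_robots:
  master:
    description: master robot  # The description of the robot
    # "xxxxxx" is a placeholder; keep the real secret out of version control (e.g. ansible-vault)
    secret: "xxxxxx"
    disable: false  # The disable status of the robot
    level: system  # The level of the robot, project or system
    # NOTE(review): -1 presumably means the robot never expires; prefer a finite
    # duration for system-level robots — confirm against the Harbor version in use
    duration: -1  # The duration of the robot in days
    permissions:
      kind: "system"  # The kind of the permission
      namespace: "/"  # The namespace of the permission
      access:
        - action: create
          resource: project
  coremedia:
    description: robot user for coremedia  # The description of the robot
    secret: "xxxxxx"  # placeholder, see note above
    disable: false  # The disable status of the robot
    level: project  # The level of the robot, project or system
    duration: 0  # The duration of the robot in days
    permissions:
      kind: "project"  # The kind of the permission
      namespace: "coremedia"  # The namespace of the permission
      # Grant only the actions the consumer needs; "delete" on repositories and
      # tags is destructive and is usually not required for a build/pull robot.
      access:
        # REPOSITORY
        - action: pull  # The action of the access
          resource: repository  # The resource of the access
        - action: push
          resource: repository
        - action: list
          resource: repository
        - action: delete
          resource: repository
        # TAGS
        - action: create
          resource: tag
        - action: delete
          resource: tag
        - action: list
          resource: tag
        # ARTIFACT
        - action: list
          resource: artifact-label
        # SCAN
        - action: create
          resource: scan
        # HELM
        - action: read
          resource: helm-chart
        - action: read
          resource: helm-chart-version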
Author and License
- original harbor role written by: Nicholas Amorim
- modified: Bodo Schulz
License
FREE SOFTWARE, HELL YEAH!
Installs, Configures and Manages Harbor (docker)
ansible-galaxy install bodsch.harbor