From ebd91306cd1f562c07e09f275327655d00dc7597 Mon Sep 17 00:00:00 2001 
From: Sheppy Date: Fri, 29 Dec 2023 13:02:54 +0000 Subject: [PATCH] feat: rewrite harbor deployment --- .../files/harbor-config/config/core/app.conf | 6 - .../harbor-config/config/core/private_key.pem | 51 --- .../config/jobservice/config.yml | 41 --- .../harbor-config/config/proxy/nginx.conf | 130 -------- .../harbor-config/config/registry/config.yml | 36 --- .../harbor-config/config/registry/passwd | 1 - .../harbor-config/config/registry/root.crt | 35 -- .../config/registryctl/config.yml | 9 - roles/docker-deployments/tasks/main.yaml | 17 - .../docker-deployments/templates/harbor.yaml | 119 ------- roles/harbor-registry/handlers/main.yaml | 5 + roles/harbor-registry/meta/main.yml | 2 + roles/harbor-registry/tasks/main.yaml | 46 +++ .../templates/harbor-oidc.json | 13 + .../templates/harbor.config.yaml | 306 ++++++++++++++++++ 15 files changed, 372 insertions(+), 445 deletions(-) delete mode 100644 roles/docker-deployments/files/harbor-config/config/core/app.conf delete mode 100644 roles/docker-deployments/files/harbor-config/config/core/private_key.pem delete mode 100644 roles/docker-deployments/files/harbor-config/config/jobservice/config.yml delete mode 100644 roles/docker-deployments/files/harbor-config/config/proxy/nginx.conf delete mode 100644 roles/docker-deployments/files/harbor-config/config/registry/config.yml delete mode 100644 roles/docker-deployments/files/harbor-config/config/registry/passwd delete mode 100644 roles/docker-deployments/files/harbor-config/config/registry/root.crt delete mode 100644 roles/docker-deployments/files/harbor-config/config/registryctl/config.yml delete mode 100644 roles/docker-deployments/templates/harbor.yaml create mode 100644 roles/harbor-registry/handlers/main.yaml create mode 100644 roles/harbor-registry/meta/main.yml create mode 100644 roles/harbor-registry/tasks/main.yaml create mode 100644 roles/harbor-registry/templates/harbor-oidc.json create mode 100644 roles/harbor-registry/templates/harbor.config.yaml 
diff --git a/roles/docker-deployments/files/harbor-config/config/core/app.conf b/roles/docker-deployments/files/harbor-config/config/core/app.conf
deleted file mode 100644
index 6110364..0000000
--- a/roles/docker-deployments/files/harbor-config/config/core/app.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-appname = Harbor
-runmode = dev
-enablegzip = true
-
-[dev]
-httpport = 8080
diff --git a/roles/docker-deployments/files/harbor-config/config/core/private_key.pem b/roles/docker-deployments/files/harbor-config/config/core/private_key.pem
deleted file mode 100644
index d3e1eb4..0000000
--- a/roles/docker-deployments/files/harbor-config/config/core/private_key.pem
+++ /dev/null
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEAtpMvyv153iSmwm6TrFpUOzsIGBEDbGtOOEZMEm08D8IC2n1G -d6/XOZ5FxPAD6gIpE0EAcMojY5O0Hl4CDoyV3e/iKcBqFOgYtpogNtan7yT5J8gw -KsPbU/8nBkK75GOq56nfvq4t9GVAclIDtHbuvmlh6O2n+fxtR0M9LbuotbSBdXYU -hzXqiSsMclBvLyIk/z327VP5l0nUNOzPuKIwQjuxYKDkvq1oGy98oVlE6wl0ldh2 -HISTORY_PURGED_SECRET -9dzyhA5paDM06lj2gsg9hQWxCgbFh1x39c6pSI8hmVe6x2d4tAtSyOm3Qwz+zO2l -bPDvkY8Svh5nxUYObrNreoO8wHr8MC6TGUQLnUt/RfdVKe5fYPFl6VYqJP/L3LDn -Xj771nFq6PKiYbhBwJw3TM49gpKNS/Of70TP2m7nVlyuyMdE5T1j3xyXNkixXqqn -JuSMqX/3Bmm0On9KEbemwn7KRYF/bqc50+RcGUdKNcOkN6vuMVZei4GbxALnVqac -s+/UQAiQP4212UO7iZFwMaCNJ3r/b4GOlyalI1yEA4odoZov7k5zVOzHu8O6QmCj -3R5TVOudpGiUh+lumRRpNqxDgjngLljvaWU6ttyIbjnAwCjnJoppZM2lkRkCAwEA -AQKCAgAvsvCPlf2a3fR7Y6xNISRUfS22K+u7DaXX6fXB8qv4afWY45Xfex89vG35 -78L2Bi55C0h0LztjrpkmPeVHq88TtrJduhl88M5UFpxH93jUb9JwZErBQX4xyb2G -UzUHjEqAT89W3+a9rR5TP74cDd59/MZJtp1mIF7keVqochi3sDsKVxkx4hIuWALe -csk5hTApRyUWCBRzRCSe1yfF0wnMpA/JcP+SGXfTcmqbNNlelo/Q/kaga59+3UmT -C0Wy41s8fIvP+MnGT2QLxkkrqYyfwrWTweqoTtuKEIHjpdnwUcoYJKfQ6jKp8aH0 -STyP5UIyFOKNuFjyh6ZfoPbuT1nGW+YKlUnK4hQ9N/GE0oMoecTaHTbqM+psQvbj -6+CG/1ukA5ZTQyogNyuOApArFBQ+RRmVudPKA3JYygIhwctuB2oItsVEOEZMELCn -g2aVFAVXGfGRDXvpa8oxs3Pc6RJEp/3tON6+w7cMCx0lwN/Jk2Ie6RgTzUycT3k6 -MoTQJRoO6/ZHcx3hTut/CfnrWiltyAUZOsefLuLg+Pwf9GHhOycLRI6gHfgSwdIV -S77UbbELWdscVr1EoPIasUm1uYWBBcFRTturRW+GHJ8TZX+mcWSBcWwBhp15LjEl -tJf+9U6lWMOSB2LvT+vFmR0M9q56fo7UeKFIR7mo7/GpiVu5AQKCAQEA6Qs7G9mw -N/JZOSeQO6xIQakC+sKApPyXO58fa7WQzri+l2UrLNp0DEQfZCujqDgwys6OOzR/ -xg8ZKQWVoad08Ind3ZwoJgnLn6QLENOcE6PpWxA/JjnVGP4JrXCYR98cP0sf9jEI -xkR1qT50GbeqU3RDFliI4kGRvbZ8cekzuWppfQcjstSBPdvuxqAcUVmTnTw83nvD -FmBbhlLiEgI3iKtJ97UB7480ivnWnOuusduk7FO4jF3hkrOa+YRidinTCi8JBo0Y -jx4Ci3Y5x6nvwkXhKzXapd7YmPNisUc5xA7/a+W71cyC0IKUwRc/8pYWLL3R3CpR -YiV8gf6gwzOckQKCAQEAyI9CSNoAQH4zpS8B9PF8zILqEEuun8m1f5JB3hQnfWzm -7uz/zg6I0TkcCE0AJVSKPHQm1V9+TRbF9+DiOWHEYYzPmK8h63SIufaWxZPqai4E -PUj6eQWykBUVJ96n6/AW0JHRZ+WrJ5RXBqCLuY7NP6wDhORrCJjBwaGMohNpbKPS 
-HISTORY_PURGED_SECRET -uFT8n+XH5IwgjdXFSDim15rQ8jD2l2xLcwKboTpx5GeRl8oB1VGm0fUbBn1dvGPG -4WfHGyrp9VNZtP160WoHr+vRVPqvHNkoeAlCfEwQCQKCAQBN1dtzLN0HgqE8TrOE -ysEDdTCykj4nXNoiJr522hi4gsndhQPLolb6NdKKQW0S5Vmekyi8K4e1nhtYMS5N -5MFRCasZtmtOcR0af87WWucZRDjPmniNCunaxBZ1YFLsRl+H4E6Xir8UgY8O7PYY -FNkFsKIrl3x4nU/RHl8oKKyG9Dyxbq4Er6dPAuMYYiezIAkGjjUCVjHNindnQM2T -GDx2IEe/PSydV6ZD+LguhyU88FCAQmI0N7L8rZJIXmgIcWW0VAterceTHYHaFK2t -u1uB9pcDOKSDnA+Z3kiLT2/CxQOYhQ2clgbnH4YRi/Nm0awsW2X5dATklAKm5GXL -bLSRAoIBAQClaNnPQdTBXBR2IN3pSZ2XAkXPKMwdxvtk+phOc6raHA4eceLL7FrU -y9gd1HvRTfcwws8gXcDKDYU62gNaNhMELWEt2QsNqS/2x7Qzwbms1sTyUpUZaSSL -BohLOKyfv4ThgdIGcXoGi6Z2tcRnRqpq4BCK8uR/05TBgN5+8amaS0ZKYLfaCW4G -nlPk1fVgHWhtAChtnYZLuKg494fKmB7+NMfAbmmVlxjrq+gkPkxyqXvk9Vrg+V8y -HISTORY_PURGED_SECRET -9sNerUw1GNC8O66K+rGgBk4FKgXmg8kZAoIBABBcuisK250fXAfjAWXGqIMs2+Di -vqAdT041SNZEOJSGNFsLJbhd/3TtCLf29PN/YXtnvBmC37rqryTsqjSbx/YT2Jbr -Bk3jOr9JVbmcoSubXl8d/uzf7IGs91qaCgBwPZHgeH+kK13FCLexz+U9zYMZ78fF -/yO82CpoekT+rcl1jzYn43b6gIklHABQU1uCD6MMyMhJ9Op2WmbDk3X+py359jMc -+Cr2zfzdHAIVff2dOV3OL+ZHEWbwtnn3htKUdOmjoTJrciFx0xNZJS5Q7QYHMONj -yPqbajyhopiN01aBQpCSGF1F1uRpWeIjTrAZPbrwLl9YSYXz0AT05QeFEFk= ------END RSA PRIVATE KEY----- diff --git a/roles/docker-deployments/files/harbor-config/config/jobservice/config.yml b/roles/docker-deployments/files/harbor-config/config/jobservice/config.yml deleted file mode 100644 index a575ce7..0000000 --- a/roles/docker-deployments/files/harbor-config/config/jobservice/config.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -#Protocol used to serve -protocol: "http" - -#Config certification if use 'https' protocol -#https_config: -# cert: "server.crt" -# key: "server.key" - -#Server listening port -port: 8080 - -#Worker pool -worker_pool: - #Worker concurrency - workers: 10 - backend: "redis" - #Additional config if use 'redis' backend - redis_pool: - #redis://[arbitrary_username:password@]ipaddress:port/database_index - redis_url: redis://redis:6379/2 - namespace: "harbor_job_service_namespace" -#Loggers for the running job -job_loggers: - - name: "STD_OUTPUT" # logger backend name, only support "FILE" and "STD_OUTPUT" - level: "INFO" # INFO/DEBUG/WARNING/ERROR/FATAL - - name: "FILE" - level: "INFO" - settings: # Customized settings of logger - base_dir: "/var/log/jobs" - sweeper: - duration: 1 #days - settings: # Customized settings of sweeper - work_dir: "/var/log/jobs" - -#Loggers for the job service -loggers: - - name: "STD_OUTPUT" # Same with above - level: "INFO" -#Admin server endpoint -admin_server: "http://adminserver:8080/" diff --git a/roles/docker-deployments/files/harbor-config/config/proxy/nginx.conf b/roles/docker-deployments/files/harbor-config/config/proxy/nginx.conf deleted file mode 100644 index 833c54c..0000000 --- a/roles/docker-deployments/files/harbor-config/config/proxy/nginx.conf +++ /dev/null 
@@ -1,130 +0,0 @@ -worker_processes auto; -error_log "/opt/bitnami/nginx/logs/error.log"; -pid "/opt/bitnami/nginx/tmp/nginx.pid"; - -events { - worker_connections 1024; - use epoll; - multi_accept on; -} - -http { - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server core:8080; - } - - upstream portal { - server portal:8080; - } - - log_format timed_combined '$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2; - proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2; - fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2; - scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2; - uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2; - - server { - listen 8080; - server_tokens off; - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # costumized location config file can place to /opt/bitnami/nginx/conf with prefix harbor.http. and suffix .conf - include /opt/bitnami/conf/nginx/conf.d/harbor.http.*.conf; - - location / { - proxy_pass http://portal/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass http://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
- proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass http://core/api/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass http://core/chartrepo/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass http://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass http://core/service/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } -} 
diff --git a/roles/docker-deployments/files/harbor-config/config/registry/config.yml b/roles/docker-deployments/files/harbor-config/config/registry/config.yml deleted file mode 100644 index e4e99a7..0000000 --- a/roles/docker-deployments/files/harbor-config/config/registry/config.yml +++ /dev/null @@ -1,36 +0,0 @@ -version: 0.1 -log: - level: info - fields: - service: registry -storage: - cache: - layerinfo: redis - filesystem: - rootdirectory: /storage - maintenance: - uploadpurging: - enabled: false - delete: - enabled: true -redis: - addr: redis:6379 - password: - db: 1 -http: - addr: :5000 - secret: placeholder - debug: - addr: localhost:5001 -auth: - htpasswd: - realm: harbor-registry-basic-realm - path: /etc/registry/passwd -notifications: - endpoints: - - name: harbor - disabled: false - url: http://core:8080/service/notifications - timeout: 3000ms - threshold: 5 - backoff: 1s diff --git a/roles/docker-deployments/files/harbor-config/config/registry/passwd b/roles/docker-deployments/files/harbor-config/config/registry/passwd deleted file mode 100644 index bec5ef9..0000000 --- a/roles/docker-deployments/files/harbor-config/config/registry/passwd +++ /dev/null @@ -1 +0,0 @@ -harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m \ No newline at end of file diff --git a/roles/docker-deployments/files/harbor-config/config/registry/root.crt b/roles/docker-deployments/files/harbor-config/config/registry/root.crt deleted file mode 100644 index 1c7f9e6..0000000 --- a/roles/docker-deployments/files/harbor-config/config/registry/root.crt +++ /dev/null 
@@ -1,35 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGBzCCA++gAwIBAgIJAKB8CNqCxhr7MA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD -VQQGEwJDTjEOMAwGA1UECAwFU3RhdGUxCzAJBgNVBAcMAkNOMRUwEwYDVQQKDAxv -cmdhbml6YXRpb24xHDAaBgNVBAsME29yZ2FuaXphdGlvbmFsIHVuaXQxFDASBgNV -BAMMC2V4YW1wbGUuY29tMSIwIAYJKoZIhvcNAQkBFhNleGFtcGxlQGV4YW1wbGUu -Y29tMB4XDTE2MDUxNjAyNDY1NVoXDTI2MDUxNDAyNDY1NVowgZkxCzAJBgNVBAYT -AkNOMQ4wDAYDVQQIDAVTdGF0ZTELMAkGA1UEBwwCQ04xFTATBgNVBAoMDG9yZ2Fu -aXphdGlvbjEcMBoGA1UECwwTb3JnYW5pemF0aW9uYWwgdW5pdDEUMBIGA1UEAwwL -ZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20w -ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2ky/K/XneJKbCbpOsWlQ7 -OwgYEQNsa044RkwSbTwPwgLafUZ3r9c5nkXE8APqAikTQQBwyiNjk7QeXgIOjJXd -7+IpwGoU6Bi2miA21qfvJPknyDAqw9tT/ycGQrvkY6rnqd++ri30ZUByUgO0du6+ -aWHo7af5/G1HQz0tu6i1tIF1dhSHNeqJKwxyUG8vIiT/PfbtU/mXSdQ07M+4ojBC -O7FgoOS+rWgbL3yhWUTrCXSV2HZlhksYBhtWGoFVRPVSf89iqL02h9rZEjmfVY6R -QlCnzu9v49Q8WFU528f+gDNXr9v13PKEDmloMzTqWPaCyD2FBbEKBsWHXHf1zqlI -jyGZV7rHZ3i0C1LI6bdDDP7M7aVs8O+RjxK+HmfFRg5us2t6g7zAevwwLpMZRAud -HISTORY_PURGED_SECRETa -budWXK7Ix0TlPWPfHJc2SLFeqqcm5Iypf/cGabQ6f0oRt6bCfspFgX9upznT5FwZ -R0o1w6Q3q+4xVl6LgZvEAudWppyz79RACJA/jbXZQ7uJkXAxoI0nev9vgY6XJqUj -XIQDih2hmi/uTnNU7Me7w7pCYKPdHlNU652kaJSH6W6ZFGk2rEOCOeAuWO9pZTq2 -3IhuOcDAKOcmimlkzaWRGQIDAQABo1AwTjAdBgNVHQ4EFgQUPJF++WMsv1OJvf7F -oCew37JTnfQwHwYDVR0jBBgwFoAUPJF++WMsv1OJvf7FoCew37JTnfQwDAYDVR0T -BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAb5LvqukMxWd5Zajbh3orfYsXmhWn -UWiwG176+bd3b5xMlG9iLd4vQ11lTZoIhFOfprRQzbizQ8BzR2JBQckpLcy+5hyA -D3M9vLL37OwA0wT6kxFnd6LtlFaH5gG++huw2ts2PDXFz0jqw+0YE/R8ov2+YdaZ -aPSEMunmAuEY1TbYWzz4u6PxycxhQzDQ34ZmJZ34Elvw1NYMfPMGTKp34PsxIcgT -ao5jqb9RMU6JAumfXrOvXRjjl573vX2hgMZzEU6OF2/+uyg95chn6nO1GUQrT2+F -/1xIqfHfFCm8+jujSDgqfBtGI+2C7No+Dq8LEyEINZe6wSQ81+ryt5jy5SZmAsnj -V4OsSIwlpR5fLUwrFStVoUWHEKl1DflkYki/cAC1TL0Om+ldJ219kcOnaXDNaq66 -3I75BvRY7/88MYLl4Fgt7sn05Mn3uNPrCrci8d0R1tlXIcwMdCowIHeZdWHX43f7 -NsVk/7VSOxJ343csgaQc+3WxEFK0tBxGO6GP+Xj0XmdVGLhalVBsEhPjnmx+Yyrn 
-oMsTA1Yrs88C8ItQn7zuO/30eKNGTnby0gptHiS6sa/c3O083Mpi8y33GPVZDvBl -l9PfSZT8LG7SvpjsdgdNZlyFvTY4vsB+Vd5Howh7gXYPVXdCs4k7HMyo7zvzliZS -ekCw9NGLoNqQqnA= ------END CERTIFICATE----- diff --git a/roles/docker-deployments/files/harbor-config/config/registryctl/config.yml b/roles/docker-deployments/files/harbor-config/config/registryctl/config.yml deleted file mode 100644 index 636f674..0000000 --- a/roles/docker-deployments/files/harbor-config/config/registryctl/config.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -protocol: "http" -port: 8080 -log_level: "INFO" -registry_config: "/etc/registry/config.yml" - -#https_config: -# cert: "server.crt" -# key: "server.key" diff --git a/roles/docker-deployments/tasks/main.yaml b/roles/docker-deployments/tasks/main.yaml index d0cec66..eacef4f 100644 --- a/roles/docker-deployments/tasks/main.yaml +++ b/roles/docker-deployments/tasks/main.yaml @@ -47,16 +47,10 @@ - tmnf-replay-server - atlantis-hub - grafana - - harbor - event-dispatcher - reactive-resume - hedgedoc -- name: Copy Harbor Registry config - copy: - src: "harbor-config/" - dest: "/data/harbor/harbor-config" - - name: Copy AtlantisHub config copy: src: "atlantis-hub-content/config.yaml" @@ -86,7 +80,6 @@ name: "/opt/{{ item }}" state: directory with_items: - - harbor - athq-landing - grafana - potaris @@ -105,7 +98,6 @@ src: "{{ item }}.yaml" dest: "/opt/{{ item }}/" with_items: - - harbor - athq-landing - grafana - potaris @@ -125,15 +117,6 @@ username: docker password: HISTORY_PURGED_SECRET -#- name: Deploy high prio compose templates -# community.docker.docker_compose: -# project_src: "/opt/{{ item }}/" -# pull: true -# files: -# - "{{ item }}.yaml" -# with_items: -# - harbor - - name: Deploy compose templates community.docker.docker_compose: project_src: "/opt/{{ item }}/" diff --git a/roles/docker-deployments/templates/harbor.yaml b/roles/docker-deployments/templates/harbor.yaml deleted file mode 100644 index a0bce92..0000000 
--- a/roles/docker-deployments/templates/harbor.yaml
+++ /dev/null
@@ -1,119 +0,0 @@ -# Copyright VMware, Inc. -# SPDX-License-Identifier: APACHE-2.0 - -version: '2' - -services: - registry: - image: docker.io/bitnami/harbor-registry:2 - environment: - - REGISTRY_HTTP_SECRET={{ harbor_http_secret }} - volumes: - - registry_data:/storage - - /data/harbor/harbor-config/config/registry/:/etc/registry/:ro - registryctl: - image: docker.io/bitnami/harbor-registryctl:2 - environment: - - CORE_SECRET={{ harbor_core_secret }} - - JOBSERVICE_SECRET={{ harbor_jobservice_secret }} - - REGISTRY_HTTP_SECRET={{ harbor_http_secret }} - volumes: - - registry_data:/storage - - /data/harbor/harbor-config/config/registry/:/etc/registry/:ro - - /data/harbor/harbor-config/config/registryctl/config.yml:/etc/registryctl/config.yml:ro - postgresql: - image: docker.io/bitnami/postgresql:13 - container_name: harbor-db - environment: - - POSTGRESQL_PASSWORD={{ harbor_postgres_pass }} - - POSTGRESQL_DATABASE=registry - volumes: - - postgresql_data:/bitnami/postgresql - core: - image: docker.io/bitnami/harbor-core:2 - container_name: harbor-core - depends_on: - - registry - environment: - - CORE_KEY=change-this-key - - _REDIS_URL_CORE=redis://redis:6379/0 - - SYNC_REGISTRY=false - - CHART_CACHE_DRIVER=redis - - _REDIS_URL_REG=redis://redis:6379/1 - - PORT=8080 - - LOG_LEVEL=info - - EXT_ENDPOINT=http://registry.atlantishq.de - - DATABASE_TYPE=postgresql - - REGISTRY_CONTROLLER_URL=http://registryctl:8080 - - POSTGRESQL_HOST=postgresql - - POSTGRESQL_PORT=5432 - - POSTGRESQL_DATABASE=registry - - POSTGRESQL_USERNAME=postgres - - POSTGRESQL_PASSWORD={{ harbor_postgres_pass }} - - POSTGRESQL_SSLMODE=disable - - REGISTRY_URL=http://registry:5000 - - TOKEN_SERVICE_URL=http://core:8080/service/token - - HARBOR_ADMIN_PASSWORD=bitnami - - CORE_SECRET={{ harbor_core_secret }} - - JOBSERVICE_SECRET={{ harbor_jobservice_secret }} - - ADMIRAL_URL= - - WITH_NOTARY=False - - CORE_URL=http://core:8080 - - JOBSERVICE_URL=http://jobservice:8080 - - 
 REGISTRY_STORAGE_PROVIDER_NAME=filesystem
- - REGISTRY_CREDENTIAL_USERNAME={{ harbor_registry_user }}
- - REGISTRY_CREDENTIAL_PASSWORD={{ harbor_registry_password }}
- - READ_ONLY=false
- - RELOAD_KEY=
- volumes:
- - core_data:/data
- - /data/harbor/harbor-config/config/core/app.conf:/etc/core/app.conf:ro
- - /data/harbor/harbor-config/config/core/private_key.pem:/etc/core/private_key.pem:ro
- portal:
- image: docker.io/bitnami/harbor-portal:2
- container_name: harbor-portal
- depends_on:
- - core
- jobservice:
- image: docker.io/bitnami/harbor-jobservice:2
- container_name: harbor-jobservice
- depends_on:
- - redis
- - core
- environment:
- - JOB_SERVICE_PROTOCOL=http
- - CORE_SECRET={{ harbor_core_secret }}
- - JOBSERVICE_SECRET={{ harbor_jobservice_secret }}
- - CORE_URL=http://core:8080
- - REGISTRY_CONTROLLER_URL=http://registryctl:8080
- - REGISTRY_CREDENTIAL_USERNAME={{ harbor_registry_user }}
- - REGISTRY_CREDENTIAL_PASSWORD={{ harbor_registry_password }}
- volumes:
- - jobservice_data:/var/log/jobs
- - /data/harbor/harbor-config/config/jobservice/config.yml:/etc/jobservice/config.yml:ro
- redis:
- image: docker.io/bitnami/redis:7.0
- environment:
- # ALLOW_EMPTY_PASSWORD is recommended only for development.
- - ALLOW_EMPTY_PASSWORD=yes
- harbor-nginx:
- image: docker.io/bitnami/nginx:1.25
- container_name: nginx
- volumes:
- - /data/harbor/harbor-config/config/proxy/nginx.conf:/opt/bitnami/nginx/conf/nginx.conf:ro
- ports:
- - '9000:8080'
- depends_on:
- - postgresql
- - registry
- - core
- - portal
-volumes:
- registry_data:
- driver: local
- core_data:
- driver: local
- jobservice_data:
- driver: local
- postgresql_data:
- driver: local
diff --git a/roles/harbor-registry/handlers/main.yaml b/roles/harbor-registry/handlers/main.yaml
new file mode 100644
index 0000000..4876301
--- /dev/null
+++ b/roles/harbor-registry/handlers/main.yaml
@@ -0,0 +1,5 @@
+- name: restart harbor
+ docker_compose:
+ project_src: /opt/harbor/
+ state: present
+ restarted: yes
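Review bot: `docker_compose` is called by its bare short name in the `restart harbor` handler, whereas `roles/docker-deployments/tasks/main.yaml` in this same patch calls `community.docker.docker_compose`; write the FQCN here too so the handler resolves the same way on every controller and matches the repository's existing style. The handler also assumes a compose project already exists under `/opt/harbor/`, which appears to be what `./install.sh` in `tasks/main.yaml` produces but is not stated anywhere; a comment such as `# compose project generated by Harbor's install.sh` above `project_src` would make that dependency explicit.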
diff --git a/roles/harbor-registry/meta/main.yml b/roles/harbor-registry/meta/main.yml
new file mode 100644
index 0000000..c808c92
--- /dev/null
+++ b/roles/harbor-registry/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - global-handlers
diff --git a/roles/harbor-registry/tasks/main.yaml b/roles/harbor-registry/tasks/main.yaml
new file mode 100644
index 0000000..f160bed
--- /dev/null
+++ b/roles/harbor-registry/tasks/main.yaml
@@ -0,0 +1,46 @@
+- name: Install Docker prerequisites
+ apt:
+ state: present
+ pkg:
+ - docker.io
+ - docker-compose
+
+- set_fact:
+ harbor_version: v2.10.0
+ harbor_file: harbor-online-installer-{{ harbor_version }}.tgz
+
+- name: Create /data/ dir
+ file:
+ path: /data/
+ state: directory
+
+- name: Download release
+ get_url:
+ url: https://github.com/goharbor/harbor/releases/download/{{ harbor_version }}/{{ harbor_file }}
+ dest: /opt/{{ harbor_file }}
+
+- name: Extract release
+ unarchive:
+ remote_src: true
+ src: /opt/harbor-online-installer-v2.10.0.tgz
+ dest: /opt/harbor/
+
+- name: Copy harbor config
+ template:
+ src: harbor.config.yaml
+ dest: /opt/harbor/harbor.yaml
+
+- name: run installer
+ shell:
+ cmd: ./install.sh
+ chdir: /opt/harbor/
+
+- name: Read in OIDC-json
+ set_fact:
+ oidc_config_json: "{{ lookup('file','harbor-oidc.json') | from_json }}"
+
+- name: Inject OIDC Config
+ line_in_file:
+ file: /opt/harbor/common/config/core/env
+ line: CONFIG_OVERWRITE_JSON={{ oidc_config_json }}
+ notify: restart harbor
diff --git a/roles/harbor-registry/templates/harbor-oidc.json b/roles/harbor-registry/templates/harbor-oidc.json
new file mode 100644
index 0000000..0a5e415
--- /dev/null
+++ b/roles/harbor-registry/templates/harbor-oidc.json
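Review bot: The `Extract release` task hardcodes `src: /opt/harbor-online-installer-v2.10.0.tgz` while `Download release` writes to `/opt/{{ harbor_file }}`, so changing `harbor_version` in the `set_fact` would download one tarball and unpack another; use `src: /opt/{{ harbor_file }}`. The tarball is fetched from GitHub and its `install.sh` executed with no integrity check and on every run of the play, so `get_url` should carry a `checksum:` pinned to the published digest and the `shell` task a `creates:` guard. `line_in_file` is not an Ansible module (the module is `lineinfile`, and it takes `path:` rather than `file:`), so the `Inject OIDC Config` step cannot have run as written; when fixed it should also get a `regexp:` so a changed value replaces the existing `CONFIG_OVERWRITE_JSON=` line instead of appending a second one, and `no_log: true` because that line carries the OIDC client secret. `{{ oidc_config_json }}` renders the parsed dict rather than JSON, so `| to_json` is presumably needed, and `lookup('file', …)` searches the role's `files/` directory while `harbor-oidc.json` lives under `templates/` — both worth confirming. Separately, the `harbor.config.yaml` that `Copy harbor config` installs still carries upstream's `harbor_admin_password: Harbor12345` and `database.password: root123` where the removed `harbor.yaml` drew its passwords from variables such as `{{ harbor_postgres_pass }}`, so that template should be parameterized the same way before this role is applied anywhere reachable.
```yaml
- name: Download release
  get_url:
    url: https://github.com/goharbor/harbor/releases/download/{{ harbor_version }}/{{ harbor_file }}
    dest: /opt/{{ harbor_file }}
    # placeholder: pin to the digest published for this release
    checksum: "sha256:<EXPECTED_SHA256_OF_RELEASE_TARBALL>"

- name: Extract release
  unarchive:
    remote_src: true
    src: /opt/{{ harbor_file }}
    dest: /opt/harbor/

# … unchanged: Copy harbor config …

- name: run installer
  shell:
    cmd: ./install.sh
    chdir: /opt/harbor/
    # skip re-running the installer once it has generated the compose project (confirm the file it writes)
    creates: /opt/harbor/docker-compose.yml

# … unchanged: Read in OIDC-json …

- name: Inject OIDC Config
  lineinfile:
    path: /opt/harbor/common/config/core/env
    regexp: '^CONFIG_OVERWRITE_JSON='
    line: CONFIG_OVERWRITE_JSON={{ oidc_config_json | to_json }}
  no_log: true   # line contains the OIDC client secret
  notify: restart harbor
```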
@@ -0,0 +1,13 @@
+{
+ "auth_mode": "oidc_auth",
+ "oidc_name": "keycloak",
+ "oidc_endpoint": "https://",
+ "oidc_groups_claim": "groups",
+ "oidc_admin_group": "admin",
+ "oidc_client_id": "defaultwithclientkey",
+ "oidc_client_secret": "asdfasdfasdfasdfasddfasdfasdfasdf",
+ "oidc_scope": "openid,email,profile,offline_access",
+ "oidc_verify_cert": "true",
+ "oidc_auto_onboard": "true",
+ "oidc_user_claim": "preferred_username"
+}
diff --git a/roles/harbor-registry/templates/harbor.config.yaml b/roles/harbor-registry/templates/harbor.config.yaml
new file mode 100644
index 0000000..056d960
--- /dev/null
+++ b/roles/harbor-registry/templates/harbor.config.yaml
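Review bot: `oidc_client_secret` holds a literal placeholder and `oidc_endpoint` is the empty `https://`, and because `tasks/main.yaml` reads this file with `lookup('file', …)` rather than rendering it as a template, the only way to make the deployment work is to commit the real client secret and endpoint in clear. The deleted `roles/docker-deployments/templates/harbor.yaml` kept such values out of the repository as Jinja variables (`{{ harbor_core_secret }}`, `{{ harbor_postgres_pass }}`); this file should do the same, e.g. `"oidc_client_secret": {{ harbor_oidc_client_secret | to_json }}` and `"oidc_endpoint": {{ harbor_oidc_endpoint | to_json }}`, rendered through `lookup('template', 'harbor-oidc.json')` with the secret supplied from a vault-encrypted variable. Placing the file under `templates/` already signals that intent.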
@@ -0,0 +1,306 @@ +# Configuration file of Harbor + +# The IP address or hostname to access admin UI and registry service. +# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients. +hostname: NOPE + +# http related config +http: + # port for http, default is 80. If https enabled, this port will redirect to https port + port: 80 + +# https related config +#https: +# # https port for harbor, default is 443 +# port: 443 +# # The path of cert and key files for nginx +# certificate: /your/certificate/path +# private_key: /your/private/key/path + +# # Uncomment following will enable tls communication between all harbor components +# internal_tls: +# # set enabled to true means internal tls is enabled +# enabled: true +# # put your cert and key files on dir +# dir: /etc/harbor/tls/internal +# # enable strong ssl ciphers (default: false) +# strong_ssl_ciphers: false + +# Uncomment external_url if you want to enable external proxy +# And when it enabled the hostname will no longer used +external_url: https://harbor.atlantishq.de + +# The initial password of Harbor admin +# It only works in first time to install harbor +# Remember Change the admin password from UI after launching Harbor. +harbor_admin_password: Harbor12345 + +# Harbor DB configuration +database: + # The password for the root user of Harbor DB. Change this before any production use. + password: root123 + # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. + max_idle_conns: 100 + # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgres of harbor. + max_open_conns: 900 + # The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age. + # The value is a duration string. 
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + conn_max_lifetime: 5m + # The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time. + # The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + conn_max_idle_time: 0 + +# The default data volume +data_volume: /data/harbor/ + +# Harbor Storage settings by default is using /data dir on local filesystem +# Uncomment storage_service setting If you want to using external storage +# storage_service: +# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore +# # of registry's containers. This is usually needed when the user hosts a internal storage with self signed certificate. +# ca_bundle: + +# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss +# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/ +# filesystem: +# maxthreads: 100 +# # set disable to true when you want to disable registry redirect +# redirect: +# disable: false + +# Trivy configuration +# +# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. +# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached +# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it +# should download a newer version from the Internet or use the cached one. 
Currently, the database is updated every +# 12 hours and published as a new release to GitHub. +trivy: + # ignoreUnfixed The flag to display only fixed vulnerabilities + ignore_unfixed: false + # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub + # + # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and + # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path. + skip_update: false + # + # The offline_scan option prevents Trivy from sending API requests to identify dependencies. + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment. + offline_scan: false + # + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + security_check: vuln + # + # insecure The flag to skip verifying registry certificate + insecure: false + # github_token The GitHub access token to download Trivy DB + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. 
For more details on GitHub rate limiting please consult + # https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + # + # github_token: xxx + +jobservice: + # Maximum number of job workers in job service + max_job_workers: 10 + # The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB" + job_loggers: + - STD_OUTPUT + - FILE + # - DB + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + logger_sweeper_duration: 1 #days + +notification: + # Maximum retry count for webhook job + webhook_job_max_retry: 3 + # HTTP client timeout for webhook job + webhook_job_http_client_timeout: 3 #seconds + +# Log configurations +log: + # options are debug, info, warning, error, fatal + level: info + # configs for logs in local storage + local: + # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. + rotate_count: 50 + # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. + # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G + # are all valid. + rotate_size: 200M + # The directory on your host that store log + location: /var/log/harbor + + # Uncomment following lines to enable external syslog endpoint. + # external_endpoint: + # # protocol used to transmit log to external endpoint, options is tcp or udp + # protocol: tcp + # # The host of external endpoint + # host: localhost + # # Port of external endpoint + # port: 5140 + +#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! +_version: 2.10.0 + +# Uncomment external_database if using external database. 
+# external_database: +# harbor: +# host: harbor_db_host +# port: harbor_db_port +# db_name: harbor_db_name +# username: harbor_db_username +# password: harbor_db_password +# ssl_mode: disable +# max_idle_conns: 2 +# max_open_conns: 0 + +# Uncomment redis if need to customize redis db +# redis: +# # db_index 0 is for core, it's unchangeable +# # registry_db_index: 1 +# # jobservice_db_index: 2 +# # trivy_db_index: 5 +# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it. +# # harbor_db_index: 6 +# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it. +# # cache_db_index: 7 + +# Uncomment redis if need to customize redis db +# redis: +# # db_index 0 is for core, it's unchangeable +# # registry_db_index: 1 +# # jobservice_db_index: 2 +# # trivy_db_index: 5 +# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it. +# # harbor_db_index: 6 +# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it. +# # cache_layer_db_index: 7 + +# Uncomment external_redis if using external Redis server +# external_redis: +# # support redis, redis+sentinel +# # host for redis: : +# # host for redis+sentinel: +# # :,:,: +# host: redis:6379 +# password: +# # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH form. 
+# # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
+# # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
+# # username:
+# # sentinel_master_set must be set to support redis+sentinel
+# #sentinel_master_set:
+# # db_index 0 is for core, it's unchangeable
+# registry_db_index: 1
+# jobservice_db_index: 2
+# trivy_db_index: 5
+# idle_timeout_seconds: 30
+# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
+# # harbor_db_index: 6
+# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
+# # cache_layer_db_index: 7
+
+# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
+# uaa:
+# ca_file: /path/to/ca
+
+# Global proxy
+# Config http proxy for components, e.g. http://my.proxy.com:3128
+# Components doesn't need to connect to each others via http proxy.
+# Remove component from `components` array if want disable proxy
+# for it. If you want use proxy for replication, MUST enable proxy
+# for core and jobservice, and set `http_proxy` and `https_proxy`.
+# Add domain to the `no_proxy` field, when you want disable proxy
+# for some special registry.
+proxy:
+ http_proxy:
+ https_proxy:
+ no_proxy:
+ components:
+ - core
+ - jobservice
+ - trivy
+
+# metric:
+# enabled: false
+# port: 9090
+# path: /metrics
+
+# Trace related config
+# only can enable one trace provider(jaeger or otel) at the same time,
+# and when using jaeger as provider, can only enable it with agent mode or collector mode.
+# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
+# if using jaeger agetn mode uncomment agent_host and agent_port
+# trace:
+# enabled: true
+# # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
+# sample_rate: 1
+# # # namespace used to differenciate different harbor services
+# # namespace:
+# # # attributes is a key value dict contains user defined attributes used to initialize trace provider
+# # attributes:
+# # application: harbor
+# # # jaeger should be 1.26 or newer.
+# # jaeger:
+# # endpoint: http://hostname:14268/api/traces
+# # username:
+# # password:
+# # agent_host: hostname
+# # # export trace data by jaeger.thrift in compact mode
+# # agent_port: 6831
+# # otel:
+# # endpoint: hostname:4318
+# # url_path: /v1/traces
+# # compression: false
+# # insecure: true
+# # # timeout is in seconds
+# # timeout: 10
+
+# Enable purge _upload directories
+upload_purging:
+ enabled: true
+ # remove files in _upload directories which exist for a period of time, default is one week.
+ age: 168h
+ # the interval of the purge operations
+ interval: 24h
+ dryrun: false
+
+# Cache layer configurations
+# If this feature enabled, harbor will cache the resource
+# `project/project_metadata/repository/artifact/manifest` in the redis
+# which can especially help to improve the performance of high concurrent
+# manifest pulling.
+# NOTICE
+# If you are deploying Harbor in HA mode, make sure that all the harbor
+# instances have the same behaviour, all with caching enabled or disabled,
+# otherwise it can lead to potential data inconsistency.
+cache:
+ # not enabled by default
+ enabled: false
+ # keep cache for one day by default
+ expire_hours: 24
+
+# Harbor core configurations
+# Uncomment to enable the following harbor core related configuration items.
+# core:
+# # The provider for updating project quota(usage), there are 2 options, redis or db,
+# # by default is implemented by db but you can switch the updation via redis which
+# # can improve the performance of high concurrent pushing to the same project,
+# # and reduce the database connections spike and occupies.
+# # By redis will bring up some delay for quota usage updation for display, so only
+# # suggest switch provider to redis if you were ran into the db connections spike aroud
+# # the scenario of high concurrent pushing to same project, no improvment for other scenes.
+# quota_update_provider: redis # Or db