diff --git a/roles/harbor/defaults/main.yml b/roles/harbor/defaults/main.yml
index ed97d53..46909b2 100644
--- a/roles/harbor/defaults/main.yml
+++ b/roles/harbor/defaults/main.yml
@@ -1 +1,3 @@
 ---
+
+harbor_version: v2.2.2
diff --git a/roles/harbor/tasks/main.yml b/roles/harbor/tasks/main.yml
index 3d9f4fc..abb71fb 100644
--- a/roles/harbor/tasks/main.yml
+++ b/roles/harbor/tasks/main.yml
@@ -15,6 +15,94 @@ when: - send_status_messages +- name: "Setup DNS configuration for {{ service_name }} harbor" + include_role: + name: _digitalocean + tasks_from: domain + vars: + record_data: "{{ stage_server_ip }}" + record_name: "{{ service_name }}" + +- name: 'Ensures {{ service_base_path }}/{{ service_name }} directory exists' + file: + state: directory + path: '{{ service_base_path }}/{{ service_name }}' + tags: + - update_deployment + - update_config + +- name: 'Ensure directory structure for harbor exists' + file: + path: "{{ service_base_path }}/{{ service_name }}/{{ item.path }}" + state: directory + owner: "{{ docker_owner }}" + group: "{{ docker_group }}" + mode: 0755 + with_filetree: "templates/harbor" + when: item.state == "directory" + tags: + - update_config + +- name: Ensure config template files are populated from templates/harbor + template: + src: "{{ item.src }}" + dest: "{{ service_base_path }}/{{ service_name }}/{{ item.path | regex_replace('\\.j2$', '') }}" + owner: "{{ docker_owner }}" + group: "{{ docker_group }}" + mode: 0644 + with_filetree: "templates/harbor" + when: item.state == 'file' and item.src is match('.*\.j2$') + tags: + - update_config + +- name: Ensure config files are populated from from templates/harbor + copy: + src: "{{ item.src }}" + dest: "{{ service_base_path }}/{{ service_name }}/{{ item.path }}" + owner: "{{ docker_owner }}" + group: "{{ docker_group }}" + mode: 0644 + with_filetree: "templates/harbor" + when: item.state == 'file' and item.src is not match('.*\.j2$') + tags: + - update_config + +- name: Download harbor offline installer + get_url: + url: https://github.com/goharbor/harbor/releases/download/{{ harbor_version }}/harbor-offline-installer-{{ harbor_version }}.tgz + dest: "{{ service_base_path }}/{{ service_name }}/harbor-offline-installer-{{ harbor_version }}.tgz" + +- name: Extract harbor-offline-installer-{{ harbor_version }}.tgz into {{ service_base_path }}/{{ service_name }} + 
ansible.builtin.unarchive: + src: "{{ service_base_path }}/{{ service_name }}/harbor-offline-installer-{{ harbor_version }}.tgz" + dest: "{{ service_base_path }}/{{ service_name }}" + remote_src: yes + +- name: "Check if {{ service_name }}/harbor/docker-compose.yml exists" + stat: + path: '{{ service_base_path }}/harbor/{{ service_name }}/docker-compose.yml' + register: check_docker_compose_file + tags: + - update_deployment + +- name: "Stop {{ service_name }}" + shell: docker-compose down + args: + chdir: '{{ service_base_path }}/{{ service_name }}/harbor' + when: check_docker_compose_file.stat.exists + ignore_errors: yes + tags: + - update_deployment + +# TODO +# sudo ./install.sh --with-trivy --with-chartmuseum + +# update nginx onfig +# -> #proxy_set_header Host $host; +# -> #proxy_set_header X-Forwarded-Proto $scheme; + +# update compose file + - name: "Send mattermost messsge" uri: url: "{{ mattermost_hook_smardigo }}" diff --git a/smardigo.yml b/smardigo.yml index 62982ba..d13255b 100644 --- a/smardigo.yml +++ b/smardigo.yml @@ -50,5 +50,7 @@ when: "'keycloak' in group_names" - role: postfix when: "'postfix' in group_names" + - role: harbor + when: "'harbor' in group_names" - role: prometheus when: "'prometheus' in group_names" diff --git a/stage-dev b/stage-dev index e98e4f1..44ba159 100644 --- a/stage-dev +++ b/stage-dev @@ -3,7 +3,7 @@ dev-connect-01 dev-connect-02 dev-connect-03 -[docker_registry] +[harbor] dev-docker-registry-01 [elastic] @@ -22,8 +22,8 @@ dev-prometheus-01 [stage_dev:children] connect -docker_registry elastic +harbor keycloak postfix prometheus diff --git a/templates/harbor/config/chartserver/env b/templates/harbor/config/chartserver/env deleted file mode 100644 index be36baf..0000000 --- a/templates/harbor/config/chartserver/env +++ /dev/null 
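Review bot: The `stat` task checks `{{ service_base_path }}/harbor/{{ service_name }}/docker-compose.yml` while the `docker-compose down` task runs with `chdir: {{ service_base_path }}/{{ service_name }}/harbor` — the `harbor` and `{{ service_name }}` path components are swapped, so `check_docker_compose_file.stat.exists` will be false and the running stack is never stopped before the installer is re-extracted over it. Change the stat path to `path: '{{ service_base_path }}/{{ service_name }}/harbor/docker-compose.yml'`. Separately, the `get_url` of the offline installer from GitHub has no `checksum:`, so a tampered or truncated tarball is extracted (and, per the TODO, later installed) without any integrity check; add `checksum: "sha256:{{ harbor_installer_sha256 }}"` and pin the value next to `harbor_version` in defaults, updating both together. Minor: `remote_src: yes` and `ignore_errors: yes` should be `true`/`false` booleans.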
@@ -1,37 +0,0 @@ -## Settings should be set -PORT=9999 - -# Only support redis now. If redis is setup, then enable cache -CACHE=redis -CACHE_REDIS_ADDR=redis:6379 -CACHE_REDIS_PASSWORD= -CACHE_REDIS_DB=3 - -# Credential for internal communication -BASIC_AUTH_USER=chart_controller -BASIC_AUTH_PASS= - -# Multiple tenants -# Must be set with 1 to support project namespace -DEPTH=1 - -# Backend storage driver: e.g. "local", "amazon", "google" etc. -STORAGE=local -# Storage driver settings -STORAGE_LOCAL_ROOTDIR=/chart_storage -## Settings with default values. Just put here for future changes -DEBUG=false -LOG_JSON=true -DISABLE_METRICS=false -DISABLE_API=false -DISABLE_STATEFILES=false -ALLOW_OVERWRITE=true -CHART_URL= -AUTH_ANONYMOUS_GET=false -CONTEXT_PATH= -INDEX_LIMIT=0 -MAX_STORAGE_OBJECTS=0 -MAX_UPLOAD_SIZE=20971520 -CHART_POST_FORM_FIELD_NAME=chart -PROV_POST_FORM_FIELD_NAME=prov -STORAGE_TIMESTAMP_TOLERANCE=1s \ No newline at end of file diff --git a/templates/harbor/config/core/app.conf b/templates/harbor/config/core/app.conf deleted file mode 100644 index 28351cd..0000000 --- a/templates/harbor/config/core/app.conf +++ /dev/null @@ -1,6 +0,0 @@ -appname = Harbor -runmode = prod -enablegzip = true - -[prod] -httpport = 8080 diff --git a/templates/harbor/config/core/certificates/.keepDir b/templates/harbor/config/core/certificates/.keepDir deleted file mode 100644 index e69de29..0000000 diff --git a/templates/harbor/config/core/env.j2 b/templates/harbor/config/core/env.j2 deleted file mode 100644 index b502268..0000000 --- a/templates/harbor/config/core/env.j2 +++ /dev/null 
@@ -1,50 +0,0 @@ -CONFIG_PATH=/etc/core/app.conf -UAA_CA_ROOT=/etc/core/certificates/uaa_ca.pem -_REDIS_URL_CORE=redis://redis:6379?idle_timeout_seconds=30 -SYNC_QUOTA=true -CHART_CACHE_DRIVER=redis -_REDIS_URL_REG=redis://redis:6379/1?idle_timeout_seconds=30 - -LOG_LEVEL=info -EXT_ENDPOINT=https://dev-docker-registry-01.smardigo.digital -DATABASE_TYPE=postgresql -POSTGRESQL_HOST=postgresql -POSTGRESQL_PORT=5432 -POSTGRESQL_USERNAME=postgres -POSTGRESQL_PASSWORD={{ harbor_postgresql_password }} -POSTGRESQL_DATABASE=registry -POSTGRESQL_SSLMODE=disable -POSTGRESQL_MAX_IDLE_CONNS=50 -POSTGRESQL_MAX_OPEN_CONNS=1000 -REGISTRY_URL=http://registry:5000 -PORTAL_URL=http://portal:8080 -TOKEN_SERVICE_URL=http://core:8080/service/token -HARBOR_ADMIN_PASSWORD={{ harbor_admin_password }} -MAX_JOB_WORKERS=10 -CORE_SECRET=ydNg7WrBhEcyJuL3 -JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1 -WITH_NOTARY=False -WITH_CLAIR=False -WITH_TRIVY=True -CORE_URL=http://core:8080 -CORE_LOCAL_URL=http://127.0.0.1:8080 -JOBSERVICE_URL=http://jobservice:8080 -CLAIR_ADAPTER_URL=http://clair-adapter:8080 -TRIVY_ADAPTER_URL=http://trivy-adapter:8080 -NOTARY_URL=http://notary-server:4443 -REGISTRY_STORAGE_PROVIDER_NAME=filesystem -READ_ONLY=false -RELOAD_KEY= -CHART_REPOSITORY_URL=http://chartmuseum:9999 -REGISTRY_CONTROLLER_URL=http://registryctl:8080 -WITH_CHARTMUSEUM=True -REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user -REGISTRY_CREDENTIAL_PASSWORD=spYrLufyLbHrqlAFUPlnijhIFKS3ys1H -CSRF_KEY=fNvrK554TPxFnLUUByjumlvirGOQGdRi -PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor - -HTTP_PROXY= -HTTPS_PROXY= -NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis - -PORT=8080 diff --git a/templates/harbor/config/db/env.j2 b/templates/harbor/config/db/env.j2 deleted file mode 100644 index d90aebe..0000000 --- a/templates/harbor/config/db/env.j2 +++ /dev/null 
@@ -1 +0,0 @@ -POSTGRES_PASSWORD={{ harbor_postgresql_password }} \ No newline at end of file diff --git a/templates/harbor/config/jobservice/config.yml b/templates/harbor/config/jobservice/config.yml deleted file mode 100644 index 82d5be9..0000000 --- a/templates/harbor/config/jobservice/config.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -#Protocol used to serve -protocol: "http" - -#Server listening port -port: 8080 - -#Worker pool -worker_pool: - #Worker concurrency - workers: 10 - backend: "redis" - #Additional config if use 'redis' backend - redis_pool: - #redis://[arbitrary_username:password@]ipaddress:port/database_index - redis_url: redis://redis:6379/2?idle_timeout_seconds=30 - namespace: "harbor_job_service_namespace" - idle_timeout_second: 3600 -#Loggers for the running job -job_loggers: - - name: "STD_OUTPUT" # logger backend name, only support "FILE" and "STD_OUTPUT" - level: "INFO" # INFO/DEBUG/WARNING/ERROR/FATAL - - name: "FILE" - level: "INFO" - settings: # Customized settings of logger - base_dir: "/var/log/jobs" - sweeper: - duration: 1 #days - settings: # Customized settings of sweeper - work_dir: "/var/log/jobs" - -#Loggers for the job service -loggers: - - name: "STD_OUTPUT" # Same with above - level: "INFO" \ No newline at end of file diff --git a/templates/harbor/config/jobservice/env b/templates/harbor/config/jobservice/env deleted file mode 100644 index 2d6a2cb..0000000 --- a/templates/harbor/config/jobservice/env +++ /dev/null 
@@ -1,13 +0,0 @@ -CORE_SECRET=ydNg7WrBhEcyJuL3 -REGISTRY_URL=http://registry:5000 -JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1 -CORE_URL=http://core:8080 -REGISTRY_CONTROLLER_URL=http://registryctl:8080 -JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10 - - -HTTP_PROXY= -HTTPS_PROXY= -NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis -REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user -REGISTRY_CREDENTIAL_PASSWORD=spYrLufyLbHrqlAFUPlnijhIFKS3ys1H \ No newline at end of file diff --git a/templates/harbor/config/log/logrotate.conf b/templates/harbor/config/log/logrotate.conf deleted file mode 100644 index 97f5f93..0000000 --- a/templates/harbor/config/log/logrotate.conf +++ /dev/null @@ -1,8 +0,0 @@ -/var/log/docker/*.log { - rotate 50 - size 200M - copytruncate - compress - missingok - nodateext -} \ No newline at end of file diff --git a/templates/harbor/config/log/rsyslog_docker.conf b/templates/harbor/config/log/rsyslog_docker.conf deleted file mode 100644 index 0be27a6..0000000 --- a/templates/harbor/config/log/rsyslog_docker.conf +++ /dev/null @@ -1,7 +0,0 @@ -# Rsyslog configuration file for docker. - -template(name="DynaFile" type="string" string="/var/log/docker/%programname%.log") - -if $programname != "rsyslogd" then { - action(type="omfile" dynaFile="DynaFile") -} \ No newline at end of file diff --git a/templates/harbor/config/nginx/conf.d/.keepDir b/templates/harbor/config/nginx/conf.d/.keepDir deleted file mode 100644 index e69de29..0000000 diff --git a/templates/harbor/config/nginx/nginx.conf b/templates/harbor/config/nginx/nginx.conf deleted file mode 100644 index 5ac4978..0000000 --- a/templates/harbor/config/nginx/nginx.conf +++ /dev/null 
@@ -1,137 +0,0 @@ -worker_processes auto; -pid /tmp/nginx.pid; - -events { - worker_connections 1024; - use epoll; - multi_accept on; -} - -http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server core:8080; - } - - upstream portal { - server portal:8080; - } - - log_format timed_combined '$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - server { - listen 8080; - server_tokens off; - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # Add extra headers - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - # costumized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf - include /etc/nginx/conf.d/harbor.http.*.conf; - - location / { - proxy_pass http://portal/; - # proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - # proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass http://core/c/; - # proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
- # proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass http://core/api/; - # proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - # proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass http://core/chartrepo/; - # proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - # proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass http://core/v2/; - # proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - # proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - - proxy_send_timeout 900; - proxy_read_timeout 900; - } - - location /service/ { - proxy_pass http://core/service/; - # proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
- # proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } -} diff --git a/templates/harbor/config/portal/nginx.conf b/templates/harbor/config/portal/nginx.conf deleted file mode 100644 index 475fa6e..0000000 --- a/templates/harbor/config/portal/nginx.conf +++ /dev/null @@ -1,38 +0,0 @@ - -worker_processes auto; -pid /tmp/nginx.pid; - -events { - worker_connections 1024; -} - -http { - - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - server { - listen 8080; - server_name localhost; - - root /usr/share/nginx/html; - index index.html index.htm; - include /etc/nginx/mime.types; - - gzip on; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - location / { - try_files $uri $uri/ /index.html; - } - - location = /index.html { - add_header Cache-Control "no-store, no-cache, must-revalidate"; - } - } -} \ No newline at end of file diff --git a/templates/harbor/config/registry/config.yml b/templates/harbor/config/registry/config.yml deleted file mode 100644 index 30150b4..0000000 --- a/templates/harbor/config/registry/config.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -version: 0.1 -log: - level: info - fields: - service: registry -storage: - cache: - layerinfo: redis - filesystem: - rootdirectory: /storage - maintenance: - uploadpurging: - enabled: false - delete: - enabled: true -redis: - addr: redis:6379 - readtimeout: 10s - writetimeout: 10s - dialtimeout: 10s - password: - db: 1 -http: - addr: :5000 - secret: placeholder - debug: - addr: localhost:5001 -auth: - htpasswd: - realm: harbor-registry-basic-realm - path: /etc/registry/passwd -validation: - disabled: true -compatibility: - schema1: - enabled: true \ No newline at end of file diff --git a/templates/harbor/config/registry/passwd b/templates/harbor/config/registry/passwd deleted file mode 100644 index a656144..0000000 --- a/templates/harbor/config/registry/passwd +++ /dev/null @@ -1 +0,0 @@ -harbor_registry_user:$2y$05$EE3OyDzK1lhlSFIDIc0HcuMAl2hiwZraRg0yWgnfSfa1459Z5sFey diff --git a/templates/harbor/config/registry/root.crt b/templates/harbor/config/registry/root.crt deleted file mode 100644 index e69de29..0000000 diff --git a/templates/harbor/config/registryctl/config.yml b/templates/harbor/config/registryctl/config.yml deleted file mode 100644 index bf1e29a..0000000 --- a/templates/harbor/config/registryctl/config.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -protocol: "http" -port: 8080 -log_level: "INFO" -registry_config: "/etc/registry/config.yml" \ No newline at end of file diff --git a/templates/harbor/config/registryctl/env b/templates/harbor/config/registryctl/env deleted file mode 100644 index 4b88d7f..0000000 --- a/templates/harbor/config/registryctl/env +++ /dev/null @@ -1,2 +0,0 @@ -CORE_SECRET=ydNg7WrBhEcyJuL3 -JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1 diff --git a/templates/harbor/config/shared/trust-certificates/.keepDir b/templates/harbor/config/shared/trust-certificates/.keepDir deleted file mode 100644 index e69de29..0000000 
diff --git a/templates/harbor/config/trivy-adapter/env b/templates/harbor/config/trivy-adapter/env deleted file mode 100644 index b2fe36a..0000000 --- a/templates/harbor/config/trivy-adapter/env +++ /dev/null @@ -1,17 +0,0 @@ -SCANNER_LOG_LEVEL=info -SCANNER_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30 -SCANNER_STORE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30 -SCANNER_STORE_REDIS_NAMESPACE=harbor.scanner.trivy:store -SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30 -SCANNER_JOB_QUEUE_REDIS_NAMESPACE=harbor.scanner.trivy:job-queue -SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy -SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports -SCANNER_TRIVY_VULN_TYPE=os,library -SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL -SCANNER_TRIVY_IGNORE_UNFIXED=False -SCANNER_TRIVY_SKIP_UPDATE=False -SCANNER_TRIVY_GITHUB_TOKEN= -SCANNER_TRIVY_INSECURE=False -HTTP_PROXY= -HTTPS_PROXY= -NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis diff --git a/templates/harbor/docker-compose.yml.j2 b/templates/harbor/harbor/docker-compose.yml.j2 similarity index 85% rename from templates/harbor/docker-compose.yml.j2 rename to templates/harbor/harbor/docker-compose.yml.j2 index b7e5f75..3bdbd59 100644 --- a/templates/harbor/docker-compose.yml.j2 +++ b/templates/harbor/harbor/docker-compose.yml.j2 @@ -10,7 +10,7 @@ networks: services: log: - image: goharbor/harbor-log:v2.1.5 + image: goharbor/harbor-log:v2.2.2 container_name: harbor-log restart: always dns_search: . @@ -35,7 +35,7 @@ services: - harbor registry: - image: goharbor/registry-photon:v2.1.5 + image: goharbor/registry-photon:v2.2.2 container_name: registry restart: always cap_drop: 
@@ -65,7 +65,7 @@ services: tag: "registry" registryctl: - image: goharbor/harbor-registryctl:v2.1.5 + image: goharbor/harbor-registryctl:v2.2.2 container_name: registryctl env_file: - ./common/config/registryctl/env @@ -97,7 +97,7 @@ services: tag: "registryctl" postgresql: - image: goharbor/harbor-db:v2.1.5 + image: goharbor/harbor-db:v2.2.2 container_name: harbor-db restart: always cap_drop: @@ -123,7 +123,7 @@ services: tag: "postgresql" core: - image: goharbor/harbor-core:v2.1.5 + image: goharbor/harbor-core:v2.2.2 container_name: harbor-core env_file: - ./common/config/core/env @@ -167,9 +167,10 @@ services: tag: "core" extra_hosts: - dev-keycloak-01.smardigo.digital:10.1.0.2 + - dev-mail-01.smardigo.digital:10.2.0.2 portal: - image: goharbor/harbor-portal:v2.1.5 + image: goharbor/harbor-portal:v2.2.2 container_name: harbor-portal restart: always cap_drop: @@ -195,7 +196,7 @@ services: tag: "portal" jobservice: - image: goharbor/harbor-jobservice:v2.1.5 + image: goharbor/harbor-jobservice:v2.2.2 container_name: harbor-jobservice env_file: - ./common/config/jobservice/env @@ -226,7 +227,7 @@ services: tag: "jobservice" redis: - image: goharbor/redis-photon:v2.1.5 + image: goharbor/redis-photon:v2.2.2 container_name: redis restart: always cap_drop: @@ -252,7 +253,7 @@ services: tag: "redis" proxy: - image: goharbor/nginx-photon:v2.1.5 + image: goharbor/nginx-photon:v2.2.2 container_name: nginx restart: always cap_drop: @@ -271,6 +272,8 @@ services: - harbor - front-tier dns_search: . +# ports: +# - 80:8080 depends_on: - registry - core 
@@ -291,39 +294,9 @@ services: - "traefik.http.routers.dev-docker-registry-01-harbor.tls.certresolver=letsencrypt" - "traefik.http.services.dev-docker-registry-01-harbor.loadbalancer.server.port=8080" - trivy-adapter: - container_name: trivy-adapter - image: goharbor/trivy-adapter-photon:v2.1.5 - restart: always - cap_drop: - - ALL - dns_search: . - depends_on: - - log - - redis - networks: - - harbor - volumes: - - type: bind - source: /data/trivy-adapter/trivy - target: /home/scanner/.cache/trivy - - type: bind - source: /data/trivy-adapter/reports - target: /home/scanner/.cache/reports - - type: bind - source: ./common/config/shared/trust-certificates - target: /harbor_cust_cert - logging: - driver: "syslog" - options: - syslog-address: "tcp://127.0.0.1:1514" - tag: "trivy-adapter" - env_file: - ./common/config/trivy-adapter/env - chartmuseum: container_name: chartmuseum - image: goharbor/chartmuseum-photon:v2.1.5 + image: goharbor/chartmuseum-photon:v2.2.2 restart: always cap_drop: - ALL @@ -349,4 +322,4 @@ services: syslog-address: "tcp://127.0.0.1:1514" tag: "chartmuseum" env_file: - ./common/config/chartserver/env \ No newline at end of file + ./common/config/chartserver/env diff --git a/templates/harbor/harbor.yml.j2 b/templates/harbor/harbor/harbor.yml.j2 similarity index 88% rename from templates/harbor/harbor.yml.j2 rename to templates/harbor/harbor/harbor.yml.j2 index 2e35bbb..71e0e83 100644 --- a/templates/harbor/harbor.yml.j2 +++ b/templates/harbor/harbor/harbor.yml.j2 @@ -18,7 +18,6 @@ https: #certificate: /etc/smardigo/harbor/smardigo.digital.cert #private_key: /etc/smardigo/harbor/smardigo.digital.key -# # Uncomment following will enable tls communication between all harbor components # internal_tls: # # set enabled to true means internal tls is enabled # enabled: true 
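Review bot: The `trivy-adapter` service is removed from the compose template here, but the TODO in `roles/harbor/tasks/main.yml` added in the same commit still plans `./install.sh --with-trivy`, and the Trivy configuration section of `harbor.yml.j2` is kept. If the installer regenerates `docker-compose.yml` from `harbor.yml` (as its `prepare` step normally does), the templated compose file and the generated one will disagree about whether the scanner runs; decide which file is authoritative and add a comment at the top of the template stating it, e.g. `# NOTE: install.sh/prepare regenerates docker-compose.yml from harbor.yml — keep the two in sync`.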
@@ -32,7 +31,7 @@ external_url: https://dev-docker-registry-01.smardigo.digital # The initial password of Harbor admin # It only works in first time to install harbor # Remember Change the admin password from UI after launching Harbor. -harbor_admin_password: {{ harbor_admin_password }} +harbor_admin_password: fhbp937zefh45 # Harbor DB configuration database: @@ -41,12 +40,14 @@ database: # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. max_idle_conns: 50 # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgres of harbor. + # Note: the default number of connections is 100 for postgres. max_open_conns: 1000 # The default data volume data_volume: /data +# Harbor Storage settings by default is using /data dir on local filesystem +# Uncomment storage_service setting If you want to using external storage # Harbor Storage settings by default is using /data dir on local filesystem # Uncomment storage_service setting If you want to using external storage # storage_service: @@ -62,11 +63,6 @@ data_volume: /data # redirect: # disabled: false -# Clair configuration -clair: - # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters. - updaters_interval: 12 - # Trivy configuration # # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. 
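Review bot: `harbor_admin_password: fhbp937zefh45` replaces the templated `{{ harbor_admin_password }}` with a plaintext admin password committed to the repository; the previous line was the right shape and should be restored, with the value supplied from an Ansible Vault variable. Because this value is now in git history it should be treated as compromised and rotated after the first install (the surrounding comment notes it is only applied at initial install). The same applies to the secrets in the `config/*/env` templates deleted elsewhere in this commit (`CORE_SECRET`, `JOBSERVICE_SECRET`, `REGISTRY_CREDENTIAL_PASSWORD`, `CSRF_KEY`, and the bcrypt hash in `registry/passwd`): deleting the files does not remove them from history, so rotate them as well.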
@@ -124,19 +120,18 @@ log: rotate_size: 200M # The directory on your host that store log location: /var/log/harbor + # Uncomment following lines to enable external syslog endpoint. + # external_endpoint: + # # protocol used to transmit log to external endpoint, options is tcp or udp + # protocol: tcp + # # The host of external endpoint + # host: localhost + # # Port of external endpoint + # port: 5140 - # Uncomment following lines to enable external syslog endpoint. - # external_endpoint: - # # protocol used to transmit log to external endpoint, options is tcp or udp - # protocol: tcp - # # The host of external endpoint - # host: localhost - # # Port of external endpoint - # port: 5140 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! -_version: 2.0.0 - +_version: 2.2.0 # Uncomment external_database if using external database. # external_database: # harbor: @@ -148,13 +143,6 @@ _version: 2.0.0 # ssl_mode: disable # max_idle_conns: 2 # max_open_conns: 0 -# clair: -# host: clair_db_host -# port: clair_db_port -# db_name: clair_db_name -# username: clair_db_username -# password: clair_db_password -# ssl_mode: disable # notary_signer: # host: notary_signer_db_host # port: notary_signer_db_port @@ -170,7 +158,7 @@ _version: 2.0.0 # password: notary_server_db_password # ssl_mode: disable -# Uncomment external_redis if using external Redis server +# Umcomments external_redis if using external Redis server # external_redis: # # support redis, redis+sentinel # # host for redis: : @@ -184,7 +172,6 @@ _version: 2.0.0 # registry_db_index: 1 # jobservice_db_index: 2 # chartmuseum_db_index: 3 -# clair_db_index: 4 # trivy_db_index: 5 # idle_timeout_seconds: 30 @@ -192,6 +179,7 @@ _version: 2.0.0 # uaa: # ca_file: /path/to/ca + # Global proxy # Config http proxy for components, e.g. http://my.proxy.com:3128 # Components doesn't need to connect to each others via http proxy. 
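Review bot: The `-170,7 +158,7` hunk replaces the correct comment `# Uncomment external_redis if using external Redis server` with `# Umcomments external_redis if using external Redis server`, introducing a typo into an otherwise unchanged line; keep the original wording. The rest of this section only drops the Clair entries and bumps `_version: 2.2.0`, which is consistent with the `harbor_version: v2.2.2` default added in this commit.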
@@ -201,11 +189,15 @@ _version: 2.0.0 # Add domain to the `no_proxy` field, when you want disable proxy # for some special registry. proxy: - http_proxy: - https_proxy: - no_proxy: + http_proxy: + https_proxy: + no_proxy: components: - core - jobservice - - clair - trivy + +metric: + enabled: false + port: 9090 + path: /metrics