From 46b2367622e29581e081db2f62acd358357a9bb7 Mon Sep 17 00:00:00 2001 
From: Sven Ketelsen Date: Sat, 8 May 2021 12:35:39 +0200 Subject: [PATCH] chore: harbor playground --- group_vars/all/plain.yml | 2 + group_vars/all/vault.yml | 89 ++--- roles/harbor/defaults/main.yml | 1 + roles/harbor/handlers/main.yml | 1 + roles/harbor/meta/main.yml | 1 + roles/harbor/tasks/main.yml | 29 ++ roles/harbor/vars/main.yml | 1 + templates/harbor/config/chartserver/env | 37 ++ templates/harbor/config/core/app.conf | 6 + .../harbor/config/core/certificates/.keepDir | 0 templates/harbor/config/core/env.j2 | 50 +++ templates/harbor/config/db/env.j2 | 1 + templates/harbor/config/jobservice/config.yml | 35 ++ templates/harbor/config/jobservice/env | 13 + templates/harbor/config/log/logrotate.conf | 8 + .../harbor/config/log/rsyslog_docker.conf | 7 + templates/harbor/config/nginx/conf.d/.keepDir | 0 templates/harbor/config/nginx/nginx.conf | 137 +++++++ templates/harbor/config/portal/nginx.conf | 38 ++ templates/harbor/config/registry/config.yml | 36 ++ templates/harbor/config/registry/passwd | 1 + templates/harbor/config/registry/root.crt | 0 .../harbor/config/registryctl/config.yml | 5 + templates/harbor/config/registryctl/env | 2 + .../config/shared/trust-certificates/.keepDir | 0 templates/harbor/config/trivy-adapter/env | 17 + templates/harbor/docker-compose.yml.j2 | 352 ++++++++++++++++++ templates/harbor/harbor.yml.j2 | 211 +++++++++++ 28 files changed, 1038 insertions(+), 42 deletions(-) create mode 100644 roles/harbor/defaults/main.yml create mode 100644 roles/harbor/handlers/main.yml create mode 100644 roles/harbor/meta/main.yml create mode 100644 roles/harbor/tasks/main.yml create mode 100644 roles/harbor/vars/main.yml create mode 100644 templates/harbor/config/chartserver/env create mode 100644 templates/harbor/config/core/app.conf create mode 100644 templates/harbor/config/core/certificates/.keepDir create mode 100644 templates/harbor/config/core/env.j2 create mode 100644 templates/harbor/config/db/env.j2 create mode 100644 
templates/harbor/config/jobservice/config.yml create mode 100644 templates/harbor/config/jobservice/env create mode 100644 templates/harbor/config/log/logrotate.conf create mode 100644 templates/harbor/config/log/rsyslog_docker.conf create mode 100644 templates/harbor/config/nginx/conf.d/.keepDir create mode 100644 templates/harbor/config/nginx/nginx.conf create mode 100644 templates/harbor/config/portal/nginx.conf create mode 100644 templates/harbor/config/registry/config.yml create mode 100644 templates/harbor/config/registry/passwd create mode 100644 templates/harbor/config/registry/root.crt create mode 100644 templates/harbor/config/registryctl/config.yml create mode 100644 templates/harbor/config/registryctl/env create mode 100644 templates/harbor/config/shared/trust-certificates/.keepDir create mode 100644 templates/harbor/config/trivy-adapter/env create mode 100644 templates/harbor/docker-compose.yml.j2 create mode 100644 templates/harbor/harbor.yml.j2 diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml index 5b59325..324c376 100644 --- a/group_vars/all/plain.yml +++ b/group_vars/all/plain.yml @@ -111,3 +111,5 @@ hetzner_ssh_keys: #grafana_user_guest_login: "< see vault >" #grafana_user_guest_password: "< see vault >" +harbor_admin_password: "< see vault >" +harbor_postgresql_password: "< see vault >" \ No newline at end of file diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 9fdacb5..2f95041 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,43 +1,48 @@ $ANSIBLE_VAULT;1.1;AES256 -64643166313265363734313932666666643238333366393865343132313835666433326366653337 -6135633264613662366233323835663034373761663864350a663161316266653238323332656336 -35323166323062323465623933653538356334666230616339313533613431613234653136386230 -3764333134323538310a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a396335346137393862336133646262 +63636330313462653330326166383431343262306666323861343039623364326233616238646336 +3864643932643661660a313133666334636436633030386239313934636664376462396639636264 +62326166653166396137616136336231373838303134643463356665366562356332343661343736 +31356661393263633765313136316531336231666366353361656265626632313339623062666261 +64356233303633326136646563356564383637336162646366343238343462616532396638383061 +63613030393162646239656664373162633937373132383832656363633462656163633432306336 +32393736396636333230363561663166336330646536316231666333343662633034626335323266 +63623439323737386663303066373036396431306166306231616638306136616365393332653764 +38303635613766613161373638393730613235306162396665653832386563333537313434343730 +66346234643838343638333035666330363265393436646630363065646130613632623964383262 +35633132373563656664623337343130303130633831333833323766313438373461666538613638 +33323763356636346634343533363037633966313639613833396330666632373636646362623662 +61613461626431663566363966313332363266643965666463353134656463396235663063363638 +62313766643934363637626234323462646337343839353464326534303837633838366639616334 +37353336653766346538663931616361316161323466303964363864386434643966303937316365 +34313635613734356563346465623162303630626534666562653530323438326532656337363838 +61323332393365303738613836313237646665343266323661313261323163393765613731346138 +66663838343562366232383566626538346231626435616632356365623762363939376561613666 +62343535363464346564326134313466373530313336356263373738386539613565363236363931 
+38326636616439343737356161666161636234363966346435336333323261336433633132666332 +38393039353934333566326535633366363431393532626431633566336365363466626332646662 +39393232336562333533626233643734316662383732323962653765656466623437316336663832 +37626262373364643933626434636636373133646432353765343134653635343239353833306231 +30616165373833343964376363636461366663383939333538303235623162646261656462326662 +61666538353236323736646238313639623537613862353036663261303238393366636464333730 +35646233363761656238373434386533663736303061313664393565666632343231643537653531 +34306262306631653562353265656433323433666263386438636461613661333965616539393035 +38623635343861636665656136626261363239353363633964646537616633353439313235326564 +62396264653538346433396663353933393232633536396663333366623163663930366364396566 +66373937643139636637643932343733303131373765343232636639663862333966326235353031 +31303630616337323432366532343138363035383634356335646262623634626665313331386136 +33643264616463303861336161646237663030623861623838363538396133626334346261663336 +62666436653332376633303063336664646530316139626330393666623330663439613039643635 +65393335633631386338386564643939393238333237366337386539303961656338336338326237 +35666361363232653934336134663865623732326466323061326232356336613965356633326337 +65663761383735346565346530646239643165656330393664663434393139346431336633396639 +65366333343330353432396332653736623832633439613032653565616435383539386161663664 +34356265303430643535636162343234646162623932656431613734643038363732393166653562 +31306537373630346532363939363764353862653339643237613338356163316233663337393631 +33386335656366376436353764333265333835346132313331636261626434653031636264333133 +36343637306132363766616339323536643138343735316130363462376232323263333063383064 +61366434623335333232666239303261333132346332653633363439656266646462376664626530 +65666239643562646431633466366336326538363761333639396638633738336533636339323236 
+39376361386262373831653831666430303132643632323535643261336137383232386235306530 +396465326533646330393661633165363331 diff --git a/roles/harbor/defaults/main.yml b/roles/harbor/defaults/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/harbor/defaults/main.yml @@ -0,0 +1 @@ +--- diff --git a/roles/harbor/handlers/main.yml b/roles/harbor/handlers/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/harbor/handlers/main.yml @@ -0,0 +1 @@ +--- diff --git a/roles/harbor/meta/main.yml b/roles/harbor/meta/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/harbor/meta/main.yml @@ -0,0 +1 @@ +--- diff --git a/roles/harbor/tasks/main.yml b/roles/harbor/tasks/main.yml new file mode 100644 index 0000000..3d9f4fc --- /dev/null +++ b/roles/harbor/tasks/main.yml @@ -0,0 +1,29 @@ +--- + +### tags: + +- name: "Send mattermost message" + uri: + url: "{{ mattermost_hook_smardigo }}" + method: POST + body: "{{ lookup('template','mattermost-deploy-start.json.j2') }}" + body_format: json + headers: + Content-Type: "application/json" + delegate_to: 127.0.0.1 + become: false + when: + - send_status_messages + +- name: "Send mattermost messsge" + uri: + url: "{{ mattermost_hook_smardigo }}" + method: POST + body: "{{ lookup('template','mattermost-deploy-end.json.j2') }}" + body_format: json + headers: + Content-Type: "application/json" + delegate_to: 127.0.0.1 + become: false + when: + - send_status_messages diff --git a/roles/harbor/vars/main.yml b/roles/harbor/vars/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/harbor/vars/main.yml @@ -0,0 +1 @@ +--- diff --git a/templates/harbor/config/chartserver/env b/templates/harbor/config/chartserver/env new file mode 100644 index 0000000..be36baf --- /dev/null +++ b/templates/harbor/config/chartserver/env 
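Review bot: The second task's name `Send mattermost messsge` has a typo, and apart from that typo the two tasks are identically named, so the start and end notifications cannot be told apart in play output; name them by what they report, e.g. `- name: "Send mattermost deploy-start message"` and `- name: "Send mattermost deploy-end message"`. As far as this hunk shows, no task renders the `templates/harbor/*` files added by this commit, so the role currently only posts the two messages; the `### tags:` comment is an empty placeholder that should either list the role's tags or be dropped.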
@@ -0,0 +1,37 @@
+## Settings should be set
+PORT=9999
+
+# Only support redis now. If redis is setup, then enable cache
+CACHE=redis
+CACHE_REDIS_ADDR=redis:6379
+CACHE_REDIS_PASSWORD=
+CACHE_REDIS_DB=3
+
+# Credential for internal communication
+BASIC_AUTH_USER=chart_controller
+BASIC_AUTH_PASS=
+
+# Multiple tenants
+# Must be set with 1 to support project namespace
+DEPTH=1
+
+# Backend storage driver: e.g. "local", "amazon", "google" etc.
+STORAGE=local
+# Storage driver settings
+STORAGE_LOCAL_ROOTDIR=/chart_storage
+## Settings with default values. Just put here for future changes
+DEBUG=false
+LOG_JSON=true
+DISABLE_METRICS=false
+DISABLE_API=false
+DISABLE_STATEFILES=false
+ALLOW_OVERWRITE=true
+CHART_URL=
+AUTH_ANONYMOUS_GET=false
+CONTEXT_PATH=
+INDEX_LIMIT=0
+MAX_STORAGE_OBJECTS=0
+MAX_UPLOAD_SIZE=20971520
+CHART_POST_FORM_FIELD_NAME=chart
+PROV_POST_FORM_FIELD_NAME=prov
+STORAGE_TIMESTAMP_TOLERANCE=1s
\ No newline at end of file
diff --git a/templates/harbor/config/core/app.conf b/templates/harbor/config/core/app.conf
new file mode 100644
index 0000000..28351cd
--- /dev/null
+++ b/templates/harbor/config/core/app.conf
@@ -0,0 +1,6 @@
+appname = Harbor
+runmode = prod
+enablegzip = true
+
+[prod]
+httpport = 8080
diff --git a/templates/harbor/config/core/certificates/.keepDir b/templates/harbor/config/core/certificates/.keepDir
new file mode 100644
index 0000000..e69de29
diff --git a/templates/harbor/config/core/env.j2 b/templates/harbor/config/core/env.j2
new file mode 100644
index 0000000..b502268
--- /dev/null
+++ b/templates/harbor/config/core/env.j2
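Review bot: `BASIC_AUTH_PASS=` is left empty while `BASIC_AUTH_USER=chart_controller` is set, so the credential the comment describes as being for internal communication does not gate anything; in Harbor's own generated config this value is, as far as I recall, filled from the core secret so that core can authenticate to chartmuseum (worth confirming against the upstream template for the v2.1.5 images used in `docker-compose.yml.j2`). If that is the intent here, template it like the other secrets in this commit, e.g. `BASIC_AUTH_PASS={{ harbor_core_secret }}` (constructed variable name), which also means renaming the file to `env.j2`. `CACHE_REDIS_PASSWORD=` is empty too, which is consistent with the redis service in `docker-compose.yml.j2` running without a password; the file is also missing its trailing newline.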
@@ -0,0 +1,50 @@
+CONFIG_PATH=/etc/core/app.conf
+UAA_CA_ROOT=/etc/core/certificates/uaa_ca.pem
+_REDIS_URL_CORE=redis://redis:6379?idle_timeout_seconds=30
+SYNC_QUOTA=true
+CHART_CACHE_DRIVER=redis
+_REDIS_URL_REG=redis://redis:6379/1?idle_timeout_seconds=30
+
+LOG_LEVEL=info
+EXT_ENDPOINT=https://dev-docker-registry-01.smardigo.digital
+DATABASE_TYPE=postgresql
+POSTGRESQL_HOST=postgresql
+POSTGRESQL_PORT=5432
+POSTGRESQL_USERNAME=postgres
+POSTGRESQL_PASSWORD={{ harbor_postgresql_password }}
+POSTGRESQL_DATABASE=registry
+POSTGRESQL_SSLMODE=disable
+POSTGRESQL_MAX_IDLE_CONNS=50
+POSTGRESQL_MAX_OPEN_CONNS=1000
+REGISTRY_URL=http://registry:5000
+PORTAL_URL=http://portal:8080
+TOKEN_SERVICE_URL=http://core:8080/service/token
+HARBOR_ADMIN_PASSWORD={{ harbor_admin_password }}
+MAX_JOB_WORKERS=10
+CORE_SECRET=ydNg7WrBhEcyJuL3
+JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1
+WITH_NOTARY=False
+WITH_CLAIR=False
+WITH_TRIVY=True
+CORE_URL=http://core:8080
+CORE_LOCAL_URL=http://127.0.0.1:8080
+JOBSERVICE_URL=http://jobservice:8080
+CLAIR_ADAPTER_URL=http://clair-adapter:8080
+TRIVY_ADAPTER_URL=http://trivy-adapter:8080
+NOTARY_URL=http://notary-server:4443
+REGISTRY_STORAGE_PROVIDER_NAME=filesystem
+READ_ONLY=false
+RELOAD_KEY=
+CHART_REPOSITORY_URL=http://chartmuseum:9999
+REGISTRY_CONTROLLER_URL=http://registryctl:8080
+WITH_CHARTMUSEUM=True
+REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
+REGISTRY_CREDENTIAL_PASSWORD=spYrLufyLbHrqlAFUPlnijhIFKS3ys1H
+CSRF_KEY=fNvrK554TPxFnLUUByjumlvirGOQGdRi
+PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor
+
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis
+
+PORT=8080
diff --git a/templates/harbor/config/db/env.j2 b/templates/harbor/config/db/env.j2
new file mode 100644
index 0000000..d90aebe
--- /dev/null
+++ b/templates/harbor/config/db/env.j2
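Review bot: `CORE_SECRET`, `JOBSERVICE_SECRET`, `REGISTRY_CREDENTIAL_PASSWORD` and `CSRF_KEY` are committed as plaintext literals in this template, while `POSTGRESQL_PASSWORD` and `HARBOR_ADMIN_PASSWORD` a few lines above are pulled from the vaulted variables this commit adds. These four are the credentials the Harbor components use to authenticate to each other (the registry password is presumably the plaintext behind the bcrypt hash in `templates/harbor/config/registry/passwd`), so they belong in `group_vars/all/vault.yml` as well, e.g. `CORE_SECRET={{ harbor_core_secret }}` (constructed variable name). The same literals are repeated in `templates/harbor/config/jobservice/env` and `templates/harbor/config/registryctl/env`; templating all three files from one set of variables keeps the copies from drifting apart, and those two would need to become `.j2` templates like this one. Since the current values are already in git history, generate new ones when moving them into the vault.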
@@ -0,0 +1 @@ +POSTGRES_PASSWORD={{ harbor_postgresql_password }} \ No newline at end of file diff --git a/templates/harbor/config/jobservice/config.yml b/templates/harbor/config/jobservice/config.yml new file mode 100644 index 0000000..82d5be9 --- /dev/null +++ b/templates/harbor/config/jobservice/config.yml @@ -0,0 +1,35 @@ +--- +#Protocol used to serve +protocol: "http" + +#Server listening port +port: 8080 + +#Worker pool +worker_pool: + #Worker concurrency + workers: 10 + backend: "redis" + #Additional config if use 'redis' backend + redis_pool: + #redis://[arbitrary_username:password@]ipaddress:port/database_index + redis_url: redis://redis:6379/2?idle_timeout_seconds=30 + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 +#Loggers for the running job +job_loggers: + - name: "STD_OUTPUT" # logger backend name, only support "FILE" and "STD_OUTPUT" + level: "INFO" # INFO/DEBUG/WARNING/ERROR/FATAL + - name: "FILE" + level: "INFO" + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: 1 #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + +#Loggers for the job service +loggers: + - name: "STD_OUTPUT" # Same with above + level: "INFO" \ No newline at end of file diff --git a/templates/harbor/config/jobservice/env b/templates/harbor/config/jobservice/env new file mode 100644 index 0000000..2d6a2cb --- /dev/null +++ b/templates/harbor/config/jobservice/env 
@@ -0,0 +1,13 @@ +CORE_SECRET=ydNg7WrBhEcyJuL3 +REGISTRY_URL=http://registry:5000 +JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1 +CORE_URL=http://core:8080 +REGISTRY_CONTROLLER_URL=http://registryctl:8080 +JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10 + + +HTTP_PROXY= +HTTPS_PROXY= +NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis +REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user +REGISTRY_CREDENTIAL_PASSWORD=spYrLufyLbHrqlAFUPlnijhIFKS3ys1H \ No newline at end of file diff --git a/templates/harbor/config/log/logrotate.conf b/templates/harbor/config/log/logrotate.conf new file mode 100644 index 0000000..97f5f93 --- /dev/null +++ b/templates/harbor/config/log/logrotate.conf @@ -0,0 +1,8 @@ +/var/log/docker/*.log { + rotate 50 + size 200M + copytruncate + compress + missingok + nodateext +} \ No newline at end of file diff --git a/templates/harbor/config/log/rsyslog_docker.conf b/templates/harbor/config/log/rsyslog_docker.conf new file mode 100644 index 0000000..0be27a6 --- /dev/null +++ b/templates/harbor/config/log/rsyslog_docker.conf @@ -0,0 +1,7 @@ +# Rsyslog configuration file for docker. + +template(name="DynaFile" type="string" string="/var/log/docker/%programname%.log") + +if $programname != "rsyslogd" then { + action(type="omfile" dynaFile="DynaFile") +} \ No newline at end of file diff --git a/templates/harbor/config/nginx/conf.d/.keepDir b/templates/harbor/config/nginx/conf.d/.keepDir new file mode 100644 index 0000000..e69de29 diff --git a/templates/harbor/config/nginx/nginx.conf b/templates/harbor/config/nginx/nginx.conf new file mode 100644 index 0000000..5ac4978 --- /dev/null +++ b/templates/harbor/config/nginx/nginx.conf 
@@ -0,0 +1,137 @@ +worker_processes auto; +pid /tmp/nginx.pid; + +events { + worker_connections 1024; + use epoll; + multi_accept on; +} + +http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server core:8080; + } + + upstream portal { + server portal:8080; + } + + log_format timed_combined '$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + server { + listen 8080; + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + # costumized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf + include /etc/nginx/conf.d/harbor.http.*.conf; + + location / { + proxy_pass http://portal/; + # proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + # proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass http://core/c/; + # proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
+ # proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass http://core/api/; + # proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + # proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass http://core/chartrepo/; + # proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + # proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass http://core/v2/; + # proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + # proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_request_buffering off; + + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass http://core/service/; + # proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
+ # proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } +} diff --git a/templates/harbor/config/portal/nginx.conf b/templates/harbor/config/portal/nginx.conf new file mode 100644 index 0000000..475fa6e --- /dev/null +++ b/templates/harbor/config/portal/nginx.conf @@ -0,0 +1,38 @@ + +worker_processes auto; +pid /tmp/nginx.pid; + +events { + worker_connections 1024; +} + +http { + + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + + location / { + try_files $uri $uri/ /index.html; + } + + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } +} \ No newline at end of file diff --git a/templates/harbor/config/registry/config.yml b/templates/harbor/config/registry/config.yml new file mode 100644 index 0000000..30150b4 --- /dev/null +++ b/templates/harbor/config/registry/config.yml 
@@ -0,0 +1,36 @@ +version: 0.1 +log: + level: info + fields: + service: registry +storage: + cache: + layerinfo: redis + filesystem: + rootdirectory: /storage + maintenance: + uploadpurging: + enabled: false + delete: + enabled: true +redis: + addr: redis:6379 + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + password: + db: 1 +http: + addr: :5000 + secret: placeholder + debug: + addr: localhost:5001 +auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd +validation: + disabled: true +compatibility: + schema1: + enabled: true \ No newline at end of file diff --git a/templates/harbor/config/registry/passwd b/templates/harbor/config/registry/passwd new file mode 100644 index 0000000..a656144 --- /dev/null +++ b/templates/harbor/config/registry/passwd @@ -0,0 +1 @@ +harbor_registry_user:$2y$05$EE3OyDzK1lhlSFIDIc0HcuMAl2hiwZraRg0yWgnfSfa1459Z5sFey diff --git a/templates/harbor/config/registry/root.crt b/templates/harbor/config/registry/root.crt new file mode 100644 index 0000000..e69de29 diff --git a/templates/harbor/config/registryctl/config.yml b/templates/harbor/config/registryctl/config.yml new file mode 100644 index 0000000..bf1e29a --- /dev/null +++ b/templates/harbor/config/registryctl/config.yml @@ -0,0 +1,5 @@ +--- +protocol: "http" +port: 8080 +log_level: "INFO" +registry_config: "/etc/registry/config.yml" \ No newline at end of file diff --git a/templates/harbor/config/registryctl/env b/templates/harbor/config/registryctl/env new file mode 100644 index 0000000..4b88d7f --- /dev/null +++ b/templates/harbor/config/registryctl/env @@ -0,0 +1,2 @@ +CORE_SECRET=ydNg7WrBhEcyJuL3 +JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1 diff --git a/templates/harbor/config/shared/trust-certificates/.keepDir b/templates/harbor/config/shared/trust-certificates/.keepDir new file mode 100644 index 0000000..e69de29 
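Review bot: `secret: placeholder` under `http:` appears to be the literal value Harbor's generated config ships with, but the registry uses `http.secret` to sign state that round-trips through clients and its documentation recommends a random value for production; if you replace it, source it from a vaulted variable like the other credentials in this commit, e.g. `secret: "{{ harbor_registry_http_secret }}"` (constructed variable name), which means this file would need to become a `.j2` template — nothing in the diff shows it being rendered. `password:` under `redis:` is a bare empty value, which a YAML parser reads as null rather than an empty string; write `password: ""` to make the intent explicit (it matches the password-less redis service in `docker-compose.yml.j2`). The file is also missing its trailing newline.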
diff --git a/templates/harbor/config/trivy-adapter/env b/templates/harbor/config/trivy-adapter/env
new file mode 100644
index 0000000..b2fe36a
--- /dev/null
+++ b/templates/harbor/config/trivy-adapter/env
@@ -0,0 +1,17 @@
+SCANNER_LOG_LEVEL=info
+SCANNER_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_NAMESPACE=harbor.scanner.trivy:store
+SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_JOB_QUEUE_REDIS_NAMESPACE=harbor.scanner.trivy:job-queue
+SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
+SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
+SCANNER_TRIVY_VULN_TYPE=os,library
+SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+SCANNER_TRIVY_IGNORE_UNFIXED=False
+SCANNER_TRIVY_SKIP_UPDATE=False
+SCANNER_TRIVY_GITHUB_TOKEN=
+SCANNER_TRIVY_INSECURE=False
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis
diff --git a/templates/harbor/docker-compose.yml.j2 b/templates/harbor/docker-compose.yml.j2
new file mode 100644
index 0000000..b7e5f75
--- /dev/null
+++ b/templates/harbor/docker-compose.yml.j2
@@ -0,0 +1,352 @@ +version: '2.3' + +networks: + front-tier: + external: true + harbor: + external: false + harbor-chartmuseum: + external: false + +services: + log: + image: goharbor/harbor-log:v2.1.5 + container_name: harbor-log + restart: always + dns_search: . + cap_drop: + - ALL + cap_add: + - CHOWN + - DAC_OVERRIDE + - SETGID + - SETUID + volumes: + - /var/log/harbor/:/var/log/docker/:z + - type: bind + source: ./common/config/log/logrotate.conf + target: /etc/logrotate.d/logrotate.conf + - type: bind + source: ./common/config/log/rsyslog_docker.conf + target: /etc/rsyslog.d/rsyslog_docker.conf + ports: + - 127.0.0.1:1514:10514 + networks: + - harbor + + registry: + image: goharbor/registry-photon:v2.1.5 + container_name: registry + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + volumes: + - /data/registry:/storage:z + - ./common/config/registry/:/etc/registry/:z + - type: bind + source: /data/secret/registry/root.crt + target: /etc/registry/root.crt + - type: bind + source: ./common/config/shared/trust-certificates + target: /harbor_cust_cert + networks: + - harbor + dns_search: . + depends_on: + - log + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "registry" + + registryctl: + image: goharbor/harbor-registryctl:v2.1.5 + container_name: registryctl + env_file: + - ./common/config/registryctl/env + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + volumes: + - /data/registry:/storage:z + - ./common/config/registry/:/etc/registry/:z + - type: bind + source: ./common/config/registryctl/config.yml + target: /etc/registryctl/config.yml + - type: bind + source: ./common/config/shared/trust-certificates + target: /harbor_cust_cert + networks: + - harbor + dns_search: . 
+ depends_on: + - log + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "registryctl" + + postgresql: + image: goharbor/harbor-db:v2.1.5 + container_name: harbor-db + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - DAC_OVERRIDE + - SETGID + - SETUID + volumes: + - /data/database:/var/lib/postgresql/data:z + networks: + harbor: + dns_search: . + env_file: + - ./common/config/db/env + depends_on: + - log + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "postgresql" + + core: + image: goharbor/harbor-core:v2.1.5 + container_name: harbor-core + env_file: + - ./common/config/core/env + restart: always + cap_drop: + - ALL + cap_add: + - SETGID + - SETUID + volumes: + - /data/ca_download/:/etc/core/ca/:z + - /data/:/data/:z + - ./common/config/core/certificates/:/etc/core/certificates/:z + - type: bind + source: ./common/config/core/app.conf + target: /etc/core/app.conf + - type: bind + source: /data/secret/core/private_key.pem + target: /etc/core/private_key.pem + - type: bind + source: /data/secret/keys/secretkey + target: /etc/core/key + - type: bind + source: ./common/config/shared/trust-certificates + target: /harbor_cust_cert + networks: + harbor: + harbor-chartmuseum: + aliases: + - harbor-core + dns_search: . + depends_on: + - log + - registry + - redis + - postgresql + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "core" + extra_hosts: + - dev-keycloak-01.smardigo.digital:10.1.0.2 + + portal: + image: goharbor/harbor-portal:v2.1.5 + container_name: harbor-portal + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + - NET_BIND_SERVICE + volumes: + - type: bind + source: ./common/config/portal/nginx.conf + target: /etc/nginx/nginx.conf + networks: + - harbor + dns_search: . 
+ depends_on: + - log + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "portal" + + jobservice: + image: goharbor/harbor-jobservice:v2.1.5 + container_name: harbor-jobservice + env_file: + - ./common/config/jobservice/env + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + volumes: + - /data/job_logs:/var/log/jobs:z + - type: bind + source: ./common/config/jobservice/config.yml + target: /etc/jobservice/config.yml + - type: bind + source: ./common/config/shared/trust-certificates + target: /harbor_cust_cert + networks: + - harbor + dns_search: . + depends_on: + - core + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "jobservice" + + redis: + image: goharbor/redis-photon:v2.1.5 + container_name: redis + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + volumes: + - /data/redis:/var/lib/redis + networks: + harbor: + harbor-chartmuseum: + aliases: + - redis + dns_search: . + depends_on: + - log + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "redis" + + proxy: + image: goharbor/nginx-photon:v2.1.5 + container_name: nginx + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + - NET_BIND_SERVICE + volumes: + - ./common/config/nginx:/etc/nginx:z + - type: bind + source: ./common/config/shared/trust-certificates + target: /harbor_cust_cert + networks: + - harbor + - front-tier + dns_search: . 
+ depends_on: + - registry + - core + - portal + - log + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "proxy" + labels: + - "traefik.enable=true" + - "traefik.http.middlewares.dev-docker-registry-01-harbor.headers.customrequestheaders.X-Forwarded-Proto=https" + - "traefik.http.routers.dev-docker-registry-01-harbor.service=dev-docker-registry-01-harbor" + - "traefik.http.routers.dev-docker-registry-01-harbor.rule=Host(`dev-docker-registry-01.smardigo.digital`)" + - "traefik.http.routers.dev-docker-registry-01-harbor.entrypoints=websecure" + - "traefik.http.routers.dev-docker-registry-01-harbor.tls=true" + - "traefik.http.routers.dev-docker-registry-01-harbor.tls.certresolver=letsencrypt" + - "traefik.http.services.dev-docker-registry-01-harbor.loadbalancer.server.port=8080" + + trivy-adapter: + container_name: trivy-adapter + image: goharbor/trivy-adapter-photon:v2.1.5 + restart: always + cap_drop: + - ALL + dns_search: . + depends_on: + - log + - redis + networks: + - harbor + volumes: + - type: bind + source: /data/trivy-adapter/trivy + target: /home/scanner/.cache/trivy + - type: bind + source: /data/trivy-adapter/reports + target: /home/scanner/.cache/reports + - type: bind + source: ./common/config/shared/trust-certificates + target: /harbor_cust_cert + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "trivy-adapter" + env_file: + ./common/config/trivy-adapter/env + + chartmuseum: + container_name: chartmuseum + image: goharbor/chartmuseum-photon:v2.1.5 + restart: always + cap_drop: + - ALL + cap_add: + - CHOWN + - DAC_OVERRIDE + - SETGID + - SETUID + networks: + - harbor-chartmuseum + dns_search: . 
+ depends_on: + - log + volumes: + - /data/chart_storage:/chart_storage:z + - ./common/config/chartserver:/etc/chartserver:z + - type: bind + source: ./common/config/shared/trust-certificates + target: /harbor_cust_cert + logging: + driver: "syslog" + options: + syslog-address: "tcp://127.0.0.1:1514" + tag: "chartmuseum" + env_file: + ./common/config/chartserver/env \ No newline at end of file diff --git a/templates/harbor/harbor.yml.j2 b/templates/harbor/harbor.yml.j2 new file mode 100644 index 0000000..2e35bbb --- /dev/null +++ b/templates/harbor/harbor.yml.j2 
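Review bot: The Traefik middleware declared on the `proxy` service (`traefik.http.middlewares.dev-docker-registry-01-harbor.headers.customrequestheaders.X-Forwarded-Proto=https`) is never attached to the router, so it has no effect; add `- "traefik.http.routers.dev-docker-registry-01-harbor.middlewares=dev-docker-registry-01-harbor"` to the labels, or drop the middleware if Traefik's default forwarded headers already cover it (worth verifying, since `proxy_set_header X-Forwarded-Proto` is commented out in every location of the bundled `nginx.conf`, so core relies entirely on the edge proxy for the scheme). `env_file:` on `trivy-adapter` and `chartmuseum` is a bare scalar while every other service uses a list; both forms are valid in Compose, but one style should be used file-wide. The `log` service publishes `127.0.0.1:1514:10514` as a plain scalar; it is unambiguous here because of the dots, though quoting port mappings is the safer habit.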
@@ -0,0 +1,211 @@
+# Configuration file of Harbor
+
+# The IP address or hostname to access admin UI and registry service.
+# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
+hostname: dev-docker-registry-01.smardigo.digital
+
+# http related config
+http:
+ # port for http, default is 80. If https enabled, this port will redirect to https port
+ port: 80
+ relativeurls: true
+
+# https related config
+https:
+ # https port for harbor, default is 443
+ #port: 443
+ # The path of cert and key files for nginx
+ #certificate: /etc/smardigo/harbor/smardigo.digital.cert
+ #private_key: /etc/smardigo/harbor/smardigo.digital.key
+
+# # Uncomment following will enable tls communication between all harbor components
+# internal_tls:
+# # set enabled to true means internal tls is enabled
+# enabled: true
+# # put your cert and key files on dir
+# dir: /etc/harbor/tls/internal
+
+# Uncomment external_url if you want to enable external proxy
+# And when it enabled the hostname will no longer used
+external_url: https://dev-docker-registry-01.smardigo.digital
+
+# The initial password of Harbor admin
+# It only works in first time to install harbor
+# Remember Change the admin password from UI after launching Harbor.
+harbor_admin_password: {{ harbor_admin_password }}
+
+# Harbor DB configuration
+database:
+ # The password for the root user of Harbor DB. Change this before any production use.
+ password: {{ harbor_postgresql_password }}
+ # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
+ max_idle_conns: 50
+ # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
+ # Note: the default number of connections is 1024 for postgres of harbor.
+ max_open_conns: 1000
+
+# The default data volume
+data_volume: /data
+
+# Harbor Storage settings by default is using /data dir on local filesystem
+# Uncomment storage_service setting If you want to using external storage
+# storage_service:
+# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
+# # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
+# ca_bundle:
+
+# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
+# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
+# filesystem:
+# maxthreads: 100
+# # set disable to true when you want to disable registry redirect
+# redirect:
+# disabled: false
+
+# Clair configuration
+clair:
+ # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
+ updaters_interval: 12
+
+# Trivy configuration
+#
+# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
+# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
+# 12 hours and published as a new release to GitHub.
+trivy:
+ # ignoreUnfixed The flag to display only fixed vulnerabilities
+ ignore_unfixed: false
+ # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
+ #
+ # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+ # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
+ # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
+ skip_update: false
+ #
+ # insecure The flag to skip verifying registry certificate
+ insecure: false
+ # github_token The GitHub access token to download Trivy DB
+ #
+ # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
+ # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
+ # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
+ # https://developer.github.com/v3/#rate-limiting
+ #
+ # You can create a GitHub token by following the instructions in
+ # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+ #
+ # github_token: xxx
+
+jobservice:
+ # Maximum number of job workers in job service
+ max_job_workers: 10
+
+notification:
+ # Maximum retry count for webhook job
+ webhook_job_max_retry: 10
+
+chart:
+ # Change the value of absolute_url to enabled can enable absolute url in chart
+ absolute_url: disabled
+
+# Log configurations
+log:
+ # options are debug, info, warning, error, fatal
+ level: info
+ # configs for logs in local storage
+ local:
+ # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
+ rotate_count: 50
+ # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
+ # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
+ # are all valid.
+ rotate_size: 200M
+ # The directory on your host that store log
+ location: /var/log/harbor
+
+ # Uncomment following lines to enable external syslog endpoint.
+ # external_endpoint:
+ # # protocol used to transmit log to external endpoint, options is tcp or udp
+ # protocol: tcp
+ # # The host of external endpoint
+ # host: localhost
+ # # Port of external endpoint
+ # port: 5140
+
+#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
+_version: 2.0.0
+
+# Uncomment external_database if using external database.
+# external_database:
+# harbor:
+# host: harbor_db_host
+# port: harbor_db_port
+# db_name: harbor_db_name
+# username: harbor_db_username
+# password: harbor_db_password
+# ssl_mode: disable
+# max_idle_conns: 2
+# max_open_conns: 0
+# clair:
+# host: clair_db_host
+# port: clair_db_port
+# db_name: clair_db_name
+# username: clair_db_username
+# password: clair_db_password
+# ssl_mode: disable
+# notary_signer:
+# host: notary_signer_db_host
+# port: notary_signer_db_port
+# db_name: notary_signer_db_name
+# username: notary_signer_db_username
+# password: notary_signer_db_password
+# ssl_mode: disable
+# notary_server:
+# host: notary_server_db_host
+# port: notary_server_db_port
+# db_name: notary_server_db_name
+# username: notary_server_db_username
+# password: notary_server_db_password
+# ssl_mode: disable
+
+# Uncomment external_redis if using external Redis server
+# external_redis:
+# # support redis, redis+sentinel
+# # host for redis: :
+# # host for redis+sentinel:
+# # :,:,:
+# host: redis:6379
+# password:
+# # sentinel_master_set must be set to support redis+sentinel
+# #sentinel_master_set:
+# # db_index 0 is for core, it's unchangeable
+# registry_db_index: 1
+# jobservice_db_index: 2
+# chartmuseum_db_index: 3
+# clair_db_index: 4
+# trivy_db_index: 5
+# idle_timeout_seconds: 30
+
+# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
+# uaa:
+# ca_file: /path/to/ca
+
+# Global proxy
+# Config http proxy for components, e.g. http://my.proxy.com:3128
+# Components doesn't need to connect to each others via http proxy.
+# Remove component from `components` array if want disable proxy
+# for it. If you want use proxy for replication, MUST enable proxy
+# for core and jobservice, and set `http_proxy` and `https_proxy`.
+# Add domain to the `no_proxy` field, when you want disable proxy
+# for some special registry.
+proxy:
+ http_proxy:
+ https_proxy:
+ no_proxy:
+ components:
+ - core
+ - jobservice
+ - clair
+ - trivy
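Review bot: The two secrets rendered into this template, `harbor_admin_password: {{ harbor_admin_password }}` and `database.password: {{ harbor_postgresql_password }}`, are unquoted Jinja expansions, so a vault value containing `#`, `: `, a leading `*`/`&`/`[`/`{`, or only digits is silently truncated, retyped or rejected when Harbor's prepare step parses harbor.yml, and the symptom is just a wrong admin or DB password on first install. Emit them as a JSON-quoted scalar so any value round-trips intact: `harbor_admin_password: {{ harbor_admin_password | to_json }}` and `password: {{ harbor_postgresql_password | to_json }}` (this assumes the Ansible `to_json` filter is available, which the `.j2` template and vault-sourced `harbor_*` variables suggest). Because the rendered file holds both secrets in plaintext, the task that templates it (not in this hunk) should also write it with `mode: "0600"`. Separately, the `https:` block is commented out and `http.port: 80` is live while `external_url` is `https://…`, which is consistent with TLS being terminated by the Traefik router in the compose template above but leaves the proxy-to-Harbor hop and all inter-component traffic unencrypted; that is acceptable only if Traefik shares the host's Docker network, otherwise enable `https` or the commented `internal_tls` block.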