chore: harbor playground

group_vars/all/plain.yml

@@ -111,3 +111,5 @@ hetzner_ssh_keys:
 #grafana_user_guest_login: "< see vault >"
 #grafana_user_guest_password: "< see vault >"
 
+harbor_admin_password: "< see vault >"
+harbor_postgresql_password: "< see vault >"

group_vars/all/vault.yml

@@ -1,43 +1,48 @@
 $ANSIBLE_VAULT;1.1;AES256
-64643166313265363734313932666666643238333366393865343132313835666433326366653337
+64643037663332613065363239666532333039666436303731643261663438396133653737326461
-6135633264613662366233323835663034373761663864350a663161316266653238323332656336
+3435363331316634306364613537613637666538313766310a396335346137393862336133646262
-35323166323062323465623933653538356334666230616339313533613431613234653136386230
+63636330313462653330326166383431343262306666323861343039623364326233616238646336
-3764333134323538310a353530616532613365326131376664386335336161326638663335326530
+3864643932643661660a313133666334636436633030386239313934636664376462396639636264
-38383166343939316537396332313664313064613561393036353164626566343136623835623237
+62326166653166396137616136336231373838303134643463356665366562356332343661343736
-62383834376661643537356335646462323962633432336238333033343666326230326639363364
+31356661393263633765313136316531336231666366353361656265626632313339623062666261
-37666261343733373839613362346166666231663463616436363838626134663861616566663137
+64356233303633326136646563356564383637336162646366343238343462616532396638383061
-64613666616336303134393161323262386264666232336132376534316461333764363037376531
+63613030393162646239656664373162633937373132383832656363633462656163633432306336
-63363433363233653839616132373038623436333866326338343130343734323662323137643033
+32393736396636333230363561663166336330646536316231666333343662633034626335323266
-66313664636565323333646238363339653235346362393435323032656536373838643765313562
+63623439323737386663303066373036396431306166306231616638306136616365393332653764
-61343437353165666464316135366266623263383033346534666538383566303162393430393761
+38303635613766613161373638393730613235306162396665653832386563333537313434343730
-39663732636164346633396230336538376236663330323363626132383964323530336338363836
+66346234643838343638333035666330363265393436646630363065646130613632623964383262
-37333837343836616231643730626134303031376130393431646464646438336334343565326463
+35633132373563656664623337343130303130633831333833323766313438373461666538613638
-65623237373166303662336362663636333964643866643638666132303862626264353064616163
+33323763356636346634343533363037633966313639613833396330666632373636646362623662
-39333130396237343431336132383238343535363834356462393430363162643635356363383238
+61613461626431663566363966313332363266643965666463353134656463396235663063363638
-64626434616365346238626236366232333333366431336436363863316563313462366538366436
+62313766643934363637626234323462646337343839353464326534303837633838366639616334
-33373264623837346232303131653464376534646438643332626566613735653439646661383536
+37353336653766346538663931616361316161323466303964363864386434643966303937316365
-38346263346336346137616337363435666466343836656638653638646133303733363365323934
+34313635613734356563346465623162303630626534666562653530323438326532656337363838
-64393631303163633061393530623535313961313737643638626665303363366439306366373064
+61323332393365303738613836313237646665343266323661313261323163393765613731346138
-65333563636631373931313837653738356234393036323165663036653565386663313938373430
+66663838343562366232383566626538346231626435616632356365623762363939376561613666
-34656233326230356262306464323563393066646262613933653032333864326261626330643333
+62343535363464346564326134313466373530313336356263373738386539613565363236363931
-33636464396263323563626335306432373764353265373833653230333837653363333761666136
+38326636616439343737356161666161636234363966346435336333323261336433633132666332
-34653035393262623134353361323230323238653034316466663663346462353337613939313238
+38393039353934333566326535633366363431393532626431633566336365363466626332646662
-61393930373037313266663563386632343262373061333838646531373666383535323065646639
+39393232336562333533626233643734316662383732323962653765656466623437316336663832
-66326539393061373465613130643761346330623866633263336532663966366339323665323363
+37626262373364643933626434636636373133646432353765343134653635343239353833306231
-39386539633163653233356439303635646666303662393235316238393934633066373866623230
+30616165373833343964376363636461366663383939333538303235623162646261656462326662
-34316366656130393738353637626166383563343233383163383639373539626234363265356532
+61666538353236323736646238313639623537613862353036663261303238393366636464333730
-65303739393637656433656164373934613237336436326630393535633637323865386531646638
+35646233363761656238373434386533663736303061313664393565666632343231643537653531
-63316365623639373332323366373461393766633662396562306534306466653162633131623131
+34306262306631653562353265656433323433666263386438636461613661333965616539393035
-65306334656535383137343830323966346337323363343663326438613562643466643666386537
+38623635343861636665656136626261363239353363633964646537616633353439313235326564
-64326334356561653231346433396439666237626336666239336463333536376130373866343736
+62396264653538346433396663353933393232633536396663333366623163663930366364396566
-32396233333161313230656461396361626435666664616462363036386636396364636364323966
+66373937643139636637643932343733303131373765343232636639663862333966326235353031
-31656130323264363862656461616562613934636636373535343333666565626134376266613937
+31303630616337323432366532343138363035383634356335646262623634626665313331386136
-66393266613635313030356263366235323139663439303861356665333163386334646339613933
+33643264616463303861336161646237663030623861623838363538396133626334346261663336
-62636338343237376630376364323763383562383462613366393738663237643931636161383631
+62666436653332376633303063336664646530316139626330393666623330663439613039643635
-30623834383839613531616435613833636662313664323166363935396231643430376330396431
+65393335633631386338386564643939393238333237366337386539303961656338336338326237
-36366235393933613362303466343433643731363835343862346131343836376132316536633034
+35666361363232653934336134663865623732326466323061326232356336613965356633326337
-32333263313031313464343562633835323663363965373465633433386566313832346639623232
+65663761383735346565346530646239643165656330393664663434393139346431336633396639
-63393832643937396130613638623231663137303832616266326461636164393565336537656437
+65366333343330353432396332653736623832633439613032653565616435383539386161663664
-62393866636233343766633863643532396138636638326531326430613634353564386633343265
+34356265303430643535636162343234646162623932656431613734643038363732393166653562
-33613930356433356139623830326165323632633039333837623136376661303736356661343364
+31306537373630346532363939363764353862653339643237613338356163316233663337393631
-3736353162636662646162333934306562626662633931386565
+33386335656366376436353764333265333835346132313331636261626434653031636264333133
+36343637306132363766616339323536643138343735316130363462376232323263333063383064
+61366434623335333232666239303261333132346332653633363439656266646462376664626530
+65666239643562646431633466366336326538363761333639396638633738336533636339323236
+39376361386262373831653831666430303132643632323535643261336137383232386235306530
+396465326533646330393661633165363331

roles/harbor/defaults/main.yml

@@ -0,0 +1 @@
+---

roles/harbor/handlers/main.yml

@@ -0,0 +1 @@
+---

roles/harbor/meta/main.yml

@@ -0,0 +1 @@
+---

roles/harbor/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+
+### tags:
+
+- name: "Send mattermost message"
+  uri:
+    url: "{{ mattermost_hook_smardigo }}"
+    method: POST
+    body: "{{ lookup('template','mattermost-deploy-start.json.j2') }}"
+    body_format: json
+    headers:
+      Content-Type: "application/json"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+    - send_status_messages
+
+- name: "Send mattermost messsge"
+  uri:
+    url: "{{ mattermost_hook_smardigo }}"
+    method: POST
+    body: "{{ lookup('template','mattermost-deploy-end.json.j2') }}"
+    body_format: json
+    headers:
+      Content-Type: "application/json"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+    - send_status_messages

roles/harbor/vars/main.yml

@@ -0,0 +1 @@
+---

templates/harbor/config/chartserver/env

@@ -0,0 +1,37 @@
+## Settings should be set
+PORT=9999
+
+# Only support redis now. If redis is setup, then enable cache
+CACHE=redis
+CACHE_REDIS_ADDR=redis:6379
+CACHE_REDIS_PASSWORD=
+CACHE_REDIS_DB=3
+
+# Credential for internal communication
+BASIC_AUTH_USER=chart_controller
+BASIC_AUTH_PASS=
+
+# Multiple tenants
+# Must be set with 1 to support project namespace
+DEPTH=1
+
+# Backend storage driver: e.g. "local", "amazon", "google" etc.
+STORAGE=local
+# Storage driver settings
+STORAGE_LOCAL_ROOTDIR=/chart_storage
+## Settings with default values. Just put here for future changes
+DEBUG=false
+LOG_JSON=true
+DISABLE_METRICS=false
+DISABLE_API=false
+DISABLE_STATEFILES=false
+ALLOW_OVERWRITE=true
+CHART_URL=
+AUTH_ANONYMOUS_GET=false
+CONTEXT_PATH=
+INDEX_LIMIT=0
+MAX_STORAGE_OBJECTS=0
+MAX_UPLOAD_SIZE=20971520
+CHART_POST_FORM_FIELD_NAME=chart
+PROV_POST_FORM_FIELD_NAME=prov
+STORAGE_TIMESTAMP_TOLERANCE=1s

templates/harbor/config/core/app.conf

@@ -0,0 +1,6 @@
+appname = Harbor
+runmode = prod
+enablegzip = true
+
+[prod]
+httpport = 8080

templates/harbor/config/core/env.j2

@@ -0,0 +1,50 @@
+CONFIG_PATH=/etc/core/app.conf
+UAA_CA_ROOT=/etc/core/certificates/uaa_ca.pem
+_REDIS_URL_CORE=redis://redis:6379?idle_timeout_seconds=30
+SYNC_QUOTA=true
+CHART_CACHE_DRIVER=redis
+_REDIS_URL_REG=redis://redis:6379/1?idle_timeout_seconds=30
+
+LOG_LEVEL=info
+EXT_ENDPOINT=https://dev-docker-registry-01.smardigo.digital
+DATABASE_TYPE=postgresql
+POSTGRESQL_HOST=postgresql
+POSTGRESQL_PORT=5432
+POSTGRESQL_USERNAME=postgres
+POSTGRESQL_PASSWORD={{ harbor_postgresql_password }}
+POSTGRESQL_DATABASE=registry
+POSTGRESQL_SSLMODE=disable
+POSTGRESQL_MAX_IDLE_CONNS=50
+POSTGRESQL_MAX_OPEN_CONNS=1000
+REGISTRY_URL=http://registry:5000
+PORTAL_URL=http://portal:8080
+TOKEN_SERVICE_URL=http://core:8080/service/token
+HARBOR_ADMIN_PASSWORD={{ harbor_admin_password }}
+MAX_JOB_WORKERS=10
+CORE_SECRET=ydNg7WrBhEcyJuL3
+JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1
+WITH_NOTARY=False
+WITH_CLAIR=False
+WITH_TRIVY=True
+CORE_URL=http://core:8080
+CORE_LOCAL_URL=http://127.0.0.1:8080
+JOBSERVICE_URL=http://jobservice:8080
+CLAIR_ADAPTER_URL=http://clair-adapter:8080
+TRIVY_ADAPTER_URL=http://trivy-adapter:8080
+NOTARY_URL=http://notary-server:4443
+REGISTRY_STORAGE_PROVIDER_NAME=filesystem
+READ_ONLY=false
+RELOAD_KEY=
+CHART_REPOSITORY_URL=http://chartmuseum:9999
+REGISTRY_CONTROLLER_URL=http://registryctl:8080
+WITH_CHARTMUSEUM=True
+REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
+REGISTRY_CREDENTIAL_PASSWORD=spYrLufyLbHrqlAFUPlnijhIFKS3ys1H
+CSRF_KEY=fNvrK554TPxFnLUUByjumlvirGOQGdRi
+PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE=docker-hub,harbor
+
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis
+
+PORT=8080

templates/harbor/config/db/env.j2

@@ -0,0 +1 @@
+POSTGRES_PASSWORD={{ harbor_postgresql_password }}

templates/harbor/config/jobservice/config.yml

@@ -0,0 +1,35 @@
+---
+#Protocol used to serve
+protocol: "http"
+
+#Server listening port
+port: 8080
+
+#Worker pool
+worker_pool:
+  #Worker concurrency
+  workers: 10
+  backend: "redis"
+  #Additional config if use 'redis' backend
+  redis_pool:
+    #redis://[arbitrary_username:password@]ipaddress:port/database_index
+    redis_url: redis://redis:6379/2?idle_timeout_seconds=30
+    namespace: "harbor_job_service_namespace"
+    idle_timeout_second: 3600
+#Loggers for the running job
+job_loggers:
+  - name: "STD_OUTPUT" # logger backend name, only support "FILE" and "STD_OUTPUT"
+    level: "INFO" # INFO/DEBUG/WARNING/ERROR/FATAL
+  - name: "FILE"
+    level: "INFO"
+    settings: # Customized settings of logger
+      base_dir: "/var/log/jobs"
+    sweeper:
+      duration: 1 #days
+      settings: # Customized settings of sweeper
+        work_dir: "/var/log/jobs"
+
+#Loggers for the job service
+loggers:
+  - name: "STD_OUTPUT" # Same with above
+    level: "INFO"

templates/harbor/config/jobservice/env

@@ -0,0 +1,13 @@
+CORE_SECRET=ydNg7WrBhEcyJuL3
+REGISTRY_URL=http://registry:5000
+JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1
+CORE_URL=http://core:8080
+REGISTRY_CONTROLLER_URL=http://registryctl:8080
+JOBSERVICE_WEBHOOK_JOB_MAX_RETRY=10
+
+
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis
+REGISTRY_CREDENTIAL_USERNAME=harbor_registry_user
+REGISTRY_CREDENTIAL_PASSWORD=spYrLufyLbHrqlAFUPlnijhIFKS3ys1H

templates/harbor/config/log/logrotate.conf

@@ -0,0 +1,8 @@
+/var/log/docker/*.log {
+        rotate 50
+        size 200M
+        copytruncate
+        compress
+        missingok
+        nodateext
+}

templates/harbor/config/log/rsyslog_docker.conf

@@ -0,0 +1,7 @@
+# Rsyslog configuration file for docker.
+
+template(name="DynaFile" type="string" string="/var/log/docker/%programname%.log")
+
+if $programname != "rsyslogd" then {
+	action(type="omfile" dynaFile="DynaFile")
+}

templates/harbor/config/nginx/nginx.conf

@@ -0,0 +1,137 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+  worker_connections 1024;
+  use epoll;
+  multi_accept on;
+}
+
+http {
+  client_body_temp_path /tmp/client_body_temp;
+  proxy_temp_path /tmp/proxy_temp;
+  fastcgi_temp_path /tmp/fastcgi_temp;
+  uwsgi_temp_path /tmp/uwsgi_temp;
+  scgi_temp_path /tmp/scgi_temp;
+  tcp_nodelay on;
+
+  # this is necessary for us to be able to disable request buffering in all cases
+  proxy_http_version 1.1;
+
+  upstream core {
+    server core:8080;
+  }
+
+  upstream portal {
+    server portal:8080;
+  }
+
+  log_format timed_combined '$remote_addr - '
+    '"$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" '
+    '$request_time $upstream_response_time $pipe';
+
+  access_log /dev/stdout timed_combined;
+
+  server {
+    listen 8080;
+    server_tokens off;
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # Add extra headers
+    add_header X-Frame-Options DENY;
+    add_header Content-Security-Policy "frame-ancestors 'none'";
+
+    # costumized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
+    include /etc/nginx/conf.d/harbor.http.*.conf;
+
+    location / {
+      proxy_pass http://portal/;
+      # proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      # proxy_set_header X-Forwarded-Proto $scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /c/ {
+      proxy_pass http://core/c/;
+      # proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      # proxy_set_header X-Forwarded-Proto $scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /api/ {
+      proxy_pass http://core/api/;
+      # proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      # proxy_set_header X-Forwarded-Proto $scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /chartrepo/ {
+      proxy_pass http://core/chartrepo/;
+      # proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      # proxy_set_header X-Forwarded-Proto $scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /v1/ {
+      return 404;
+    }
+
+    location /v2/ {
+      proxy_pass http://core/v2/;
+      # proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      # proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_buffering off;
+      proxy_request_buffering off;
+
+      proxy_send_timeout 900;
+      proxy_read_timeout 900;
+    }
+
+    location /service/ {
+      proxy_pass http://core/service/;
+      # proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      # proxy_set_header X-Forwarded-Proto $scheme;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /service/notifications {
+      return 404;
+    }
+  }
+}

templates/harbor/config/portal/nginx.conf

@@ -0,0 +1,38 @@
+
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+
+    client_body_temp_path /tmp/client_body_temp;
+    proxy_temp_path /tmp/proxy_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    server {
+        listen 8080;
+        server_name  localhost;
+
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        include /etc/nginx/mime.types;
+
+        gzip on;
+        gzip_min_length 1000;
+        gzip_proxied expired no-cache no-store private auth;
+        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        location = /index.html {
+            add_header Cache-Control "no-store, no-cache, must-revalidate";
+        }
+    }
+}

templates/harbor/config/registry/config.yml

@@ -0,0 +1,36 @@
+version: 0.1
+log:
+  level: info
+  fields:
+    service: registry
+storage:
+  cache:
+    layerinfo: redis
+  filesystem:
+    rootdirectory: /storage
+  maintenance:
+    uploadpurging:
+      enabled: false
+  delete:
+    enabled: true
+redis:
+  addr: redis:6379
+  readtimeout: 10s
+  writetimeout: 10s
+  dialtimeout: 10s
+  password: 
+  db: 1
+http:
+  addr: :5000
+  secret: placeholder
+  debug:
+    addr: localhost:5001
+auth:
+  htpasswd:
+    realm: harbor-registry-basic-realm
+    path: /etc/registry/passwd
+validation:
+  disabled: true
+compatibility:
+  schema1:
+    enabled: true

templates/harbor/config/registry/passwd

@@ -0,0 +1 @@
+harbor_registry_user:$2y$05$EE3OyDzK1lhlSFIDIc0HcuMAl2hiwZraRg0yWgnfSfa1459Z5sFey

templates/harbor/config/registryctl/config.yml

@@ -0,0 +1,5 @@
+---
+protocol: "http"
+port: 8080
+log_level: "INFO"
+registry_config: "/etc/registry/config.yml"

templates/harbor/config/registryctl/env

@@ -0,0 +1,2 @@
+CORE_SECRET=ydNg7WrBhEcyJuL3
+JOBSERVICE_SECRET=9fjG7ZiGRpyZ3nX1

templates/harbor/config/trivy-adapter/env

@@ -0,0 +1,17 @@
+SCANNER_LOG_LEVEL=info
+SCANNER_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_STORE_REDIS_NAMESPACE=harbor.scanner.trivy:store
+SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379/5?idle_timeout_seconds=30
+SCANNER_JOB_QUEUE_REDIS_NAMESPACE=harbor.scanner.trivy:job-queue
+SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
+SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
+SCANNER_TRIVY_VULN_TYPE=os,library
+SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+SCANNER_TRIVY_IGNORE_UNFIXED=False
+SCANNER_TRIVY_SKIP_UPDATE=False
+SCANNER_TRIVY_GITHUB_TOKEN=
+SCANNER_TRIVY_INSECURE=False
+HTTP_PROXY=
+HTTPS_PROXY=
+NO_PROXY=clair,jobservice,registryctl,core,notary-server,clair-adapter,trivy-adapter,postgresql,chartmuseum,localhost,db,nginx,notary-signer,.internal,portal,log,127.0.0.1,.local,registry,redis

templates/harbor/docker-compose.yml.j2

@@ -0,0 +1,352 @@
+version: '2.3'
+
+networks:
+  front-tier:
+    external: true
+  harbor:
+    external: false
+  harbor-chartmuseum:
+    external: false
+
+services:
+  log:
+    image: goharbor/harbor-log:v2.1.5
+    container_name: harbor-log
+    restart: always
+    dns_search: .
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_OVERRIDE
+      - SETGID
+      - SETUID
+    volumes:
+      - /var/log/harbor/:/var/log/docker/:z
+      - type: bind
+        source: ./common/config/log/logrotate.conf
+        target: /etc/logrotate.d/logrotate.conf
+      - type: bind
+        source: ./common/config/log/rsyslog_docker.conf
+        target: /etc/rsyslog.d/rsyslog_docker.conf
+    ports:
+      - 127.0.0.1:1514:10514
+    networks:
+      - harbor
+
+  registry:
+    image: goharbor/registry-photon:v2.1.5
+    container_name: registry
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    volumes:
+      - /data/registry:/storage:z
+      - ./common/config/registry/:/etc/registry/:z
+      - type: bind
+        source: /data/secret/registry/root.crt
+        target: /etc/registry/root.crt
+      - type: bind
+        source: ./common/config/shared/trust-certificates
+        target: /harbor_cust_cert
+    networks:
+      - harbor
+    dns_search: .
+    depends_on:
+      - log
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "registry"
+
+  registryctl:
+    image: goharbor/harbor-registryctl:v2.1.5
+    container_name: registryctl
+    env_file:
+      - ./common/config/registryctl/env
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    volumes:
+      - /data/registry:/storage:z
+      - ./common/config/registry/:/etc/registry/:z
+      - type: bind
+        source: ./common/config/registryctl/config.yml
+        target: /etc/registryctl/config.yml
+      - type: bind
+        source: ./common/config/shared/trust-certificates
+        target: /harbor_cust_cert
+    networks:
+      - harbor
+    dns_search: .
+    depends_on:
+      - log
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "registryctl"
+
+  postgresql:
+    image: goharbor/harbor-db:v2.1.5
+    container_name: harbor-db
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_OVERRIDE
+      - SETGID
+      - SETUID
+    volumes:
+      - /data/database:/var/lib/postgresql/data:z
+    networks:
+      harbor:
+    dns_search: .
+    env_file:
+      - ./common/config/db/env
+    depends_on:
+      - log
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "postgresql"
+
+  core:
+    image: goharbor/harbor-core:v2.1.5
+    container_name: harbor-core
+    env_file:
+      - ./common/config/core/env
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+    volumes:
+      - /data/ca_download/:/etc/core/ca/:z
+      - /data/:/data/:z
+      - ./common/config/core/certificates/:/etc/core/certificates/:z
+      - type: bind
+        source: ./common/config/core/app.conf
+        target: /etc/core/app.conf
+      - type: bind
+        source: /data/secret/core/private_key.pem
+        target: /etc/core/private_key.pem
+      - type: bind
+        source: /data/secret/keys/secretkey
+        target: /etc/core/key
+      - type: bind
+        source: ./common/config/shared/trust-certificates
+        target: /harbor_cust_cert
+    networks:
+      harbor:
+      harbor-chartmuseum:
+        aliases:
+          - harbor-core
+    dns_search: .
+    depends_on:
+      - log
+      - registry
+      - redis
+      - postgresql
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "core"
+    extra_hosts:
+      - dev-keycloak-01.smardigo.digital:10.1.0.2
+
+  portal:
+    image: goharbor/harbor-portal:v2.1.5
+    container_name: harbor-portal
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - NET_BIND_SERVICE
+    volumes:
+      - type: bind
+        source: ./common/config/portal/nginx.conf
+        target: /etc/nginx/nginx.conf
+    networks:
+      - harbor
+    dns_search: .
+    depends_on:
+      - log
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "portal"
+
+  jobservice:
+    image: goharbor/harbor-jobservice:v2.1.5
+    container_name: harbor-jobservice
+    env_file:
+      - ./common/config/jobservice/env
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    volumes:
+      - /data/job_logs:/var/log/jobs:z
+      - type: bind
+        source: ./common/config/jobservice/config.yml
+        target: /etc/jobservice/config.yml
+      - type: bind
+        source: ./common/config/shared/trust-certificates
+        target: /harbor_cust_cert
+    networks:
+      - harbor
+    dns_search: .
+    depends_on:
+      - core
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "jobservice"
+
+  redis:
+    image: goharbor/redis-photon:v2.1.5
+    container_name: redis
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    volumes:
+      - /data/redis:/var/lib/redis
+    networks:
+      harbor:
+      harbor-chartmuseum:
+        aliases:
+          - redis
+    dns_search: .
+    depends_on:
+      - log
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "redis"
+
+  proxy:
+    image: goharbor/nginx-photon:v2.1.5
+    container_name: nginx
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - NET_BIND_SERVICE
+    volumes:
+      - ./common/config/nginx:/etc/nginx:z
+      - type: bind
+        source: ./common/config/shared/trust-certificates
+        target: /harbor_cust_cert
+    networks:
+      - harbor
+      - front-tier
+    dns_search: .
+    depends_on:
+      - registry
+      - core
+      - portal
+      - log
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "proxy"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.dev-docker-registry-01-harbor.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.dev-docker-registry-01-harbor.service=dev-docker-registry-01-harbor"
+      - "traefik.http.routers.dev-docker-registry-01-harbor.rule=Host(`dev-docker-registry-01.smardigo.digital`)"
+      - "traefik.http.routers.dev-docker-registry-01-harbor.entrypoints=websecure"
+      - "traefik.http.routers.dev-docker-registry-01-harbor.tls=true"
+      - "traefik.http.routers.dev-docker-registry-01-harbor.tls.certresolver=letsencrypt"
+      - "traefik.http.services.dev-docker-registry-01-harbor.loadbalancer.server.port=8080"
+
+  trivy-adapter:
+    container_name: trivy-adapter
+    image: goharbor/trivy-adapter-photon:v2.1.5
+    restart: always
+    cap_drop:
+      - ALL
+    dns_search: .
+    depends_on:
+      - log
+      - redis
+    networks:
+      - harbor
+    volumes:
+      - type: bind
+        source: /data/trivy-adapter/trivy
+        target: /home/scanner/.cache/trivy
+      - type: bind
+        source: /data/trivy-adapter/reports
+        target: /home/scanner/.cache/reports
+      - type: bind
+        source: ./common/config/shared/trust-certificates
+        target: /harbor_cust_cert
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "trivy-adapter"
+    env_file:
+      ./common/config/trivy-adapter/env
+
+  chartmuseum:
+    container_name: chartmuseum
+    image: goharbor/chartmuseum-photon:v2.1.5
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_OVERRIDE
+      - SETGID
+      - SETUID
+    networks:
+      - harbor-chartmuseum
+    dns_search: .
+    depends_on:
+      - log
+    volumes:
+      - /data/chart_storage:/chart_storage:z
+      - ./common/config/chartserver:/etc/chartserver:z
+      - type: bind
+        source: ./common/config/shared/trust-certificates
+        target: /harbor_cust_cert
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "chartmuseum"
+    env_file:
+      ./common/config/chartserver/env

templates/harbor/harbor.yml.j2

@@ -0,0 +1,211 @@
+# Configuration file of Harbor
+
+# The IP address or hostname to access admin UI and registry service.
+# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
+hostname: dev-docker-registry-01.smardigo.digital
+
+# http related config
+http:
+  # port for http, default is 80. If https enabled, this port will redirect to https port
+  port: 80
+  relativeurls: true
+
+# https related config
+https:
+  # https port for harbor, default is 443
+  #port: 443
+  # The path of cert and key files for nginx
+  #certificate: /etc/smardigo/harbor/smardigo.digital.cert
+  #private_key: /etc/smardigo/harbor/smardigo.digital.key
+
+# # Uncomment following will enable tls communication between all harbor components
+# internal_tls:
+#   # set enabled to true means internal tls is enabled
+#   enabled: true
+#   # put your cert and key files on dir
+#   dir: /etc/harbor/tls/internal
+
+# Uncomment external_url if you want to enable external proxy
+# And when it enabled the hostname will no longer used
+external_url: https://dev-docker-registry-01.smardigo.digital
+
+# The initial password of Harbor admin
+# It only works in first time to install harbor
+# Remember Change the admin password from UI after launching Harbor.
+harbor_admin_password: {{ harbor_admin_password }}
+
+# Harbor DB configuration
+database:
+  # The password for the root user of Harbor DB. Change this before any production use.
+  password: {{ harbor_postgresql_password }}
+  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
+  max_idle_conns: 50
+  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
+  # Note: the default number of connections is 1024 for postgres of harbor.
+  max_open_conns: 1000
+
+# The default data volume
+data_volume: /data
+
+# Harbor Storage settings by default is using /data dir on local filesystem
+# Uncomment storage_service setting If you want to using external storage
+# storage_service:
+#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
+#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
+#   ca_bundle:
+
+#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
+#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
+#   filesystem:
+#     maxthreads: 100
+#   # set disable to true when you want to disable registry redirect
+#   redirect:
+#     disabled: false
+
+# Clair configuration
+clair:
+  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
+  updaters_interval: 12
+
+# Trivy configuration
+#
+# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
+# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
+# 12 hours and published as a new release to GitHub.
+trivy:
+  # ignoreUnfixed The flag to display only fixed vulnerabilities
+  ignore_unfixed: false
+  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
+  #
+  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
+  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
+  skip_update: false
+  #
+  # insecure The flag to skip verifying registry certificate
+  insecure: false
+  # github_token The GitHub access token to download Trivy DB
+  #
+  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
+  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
+  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
+  # https://developer.github.com/v3/#rate-limiting
+  #
+  # You can create a GitHub token by following the instructions in
+  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+  #
+  # github_token: xxx
+
+jobservice:
+  # Maximum number of job workers in job service
+  max_job_workers: 10
+
+notification:
+  # Maximum retry count for webhook job
+  webhook_job_max_retry: 10
+
+chart:
+  # Change the value of absolute_url to enabled can enable absolute url in chart
+  absolute_url: disabled
+
+# Log configurations
+log:
+  # options are debug, info, warning, error, fatal
+  level: info
+  # configs for logs in local storage
+  local:
+    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
+    rotate_count: 50
+    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
+    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
+    # are all valid.
+    rotate_size: 200M
+    # The directory on your host that store log
+    location: /var/log/harbor
+
+  # Uncomment following lines to enable external syslog endpoint.
+  # external_endpoint:
+  #   # protocol used to transmit log to external endpoint, options is tcp or udp
+  #   protocol: tcp
+  #   # The host of external endpoint
+  #   host: localhost
+  #   # Port of external endpoint
+  #   port: 5140
+
+#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
+_version: 2.0.0
+
+# Uncomment external_database if using external database.
+# external_database:
+#   harbor:
+#     host: harbor_db_host
+#     port: harbor_db_port
+#     db_name: harbor_db_name
+#     username: harbor_db_username
+#     password: harbor_db_password
+#     ssl_mode: disable
+#     max_idle_conns: 2
+#     max_open_conns: 0
+#   clair:
+#     host: clair_db_host
+#     port: clair_db_port
+#     db_name: clair_db_name
+#     username: clair_db_username
+#     password: clair_db_password
+#     ssl_mode: disable
+#   notary_signer:
+#     host: notary_signer_db_host
+#     port: notary_signer_db_port
+#     db_name: notary_signer_db_name
+#     username: notary_signer_db_username
+#     password: notary_signer_db_password
+#     ssl_mode: disable
+#   notary_server:
+#     host: notary_server_db_host
+#     port: notary_server_db_port
+#     db_name: notary_server_db_name
+#     username: notary_server_db_username
+#     password: notary_server_db_password
+#     ssl_mode: disable
+
+# Uncomment external_redis if using external Redis server
+# external_redis:
+#   # support redis, redis+sentinel
+#   # host for redis: <host_redis>:<port_redis>
+#   # host for redis+sentinel:
+#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
+#   host: redis:6379
+#   password:
+#   # sentinel_master_set must be set to support redis+sentinel
+#   #sentinel_master_set:
+#   # db_index 0 is for core, it's unchangeable
+#   registry_db_index: 1
+#   jobservice_db_index: 2
+#   chartmuseum_db_index: 3
+#   clair_db_index: 4
+#   trivy_db_index: 5
+#   idle_timeout_seconds: 30
+
+# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
+# uaa:
+#   ca_file: /path/to/ca
+
+# Global proxy
+# Config http proxy for components, e.g. http://my.proxy.com:3128
+# Components doesn't need to connect to each others via http proxy.
+# Remove component from `components` array if want disable proxy
+# for it. If you want use proxy for replication, MUST enable proxy
+# for core and jobservice, and set `http_proxy` and `https_proxy`.
+# Add domain to the `no_proxy` field, when you want disable proxy
+# for some special registry.
+proxy:
+  http_proxy:
+  https_proxy:
+  no_proxy:
+  components:
+    - core
+    - jobservice
+    - clair
+    - trivy