hetzner-ansible/roles/harbor/defaults/main.yml


---
# Base settings for the Harbor role. stage_server_domain and
# inventory_hostname are not defined in this file.
harbor_homedir: "/data"
# Volume backing the Harbor home directory, judging by the variable names.
# NOTE(review): the unit of the size value is not stated here
# (presumably GB) - confirm against the role that creates the volume.
harbor_pgdatadir_lvm_hcloudvol_size: 50
harbor_pgdatadir_lvm_hcloudvol_count: 1
harbor_pgdatadir_lvm_hcloudvol_mountpath: "{{ harbor_homedir }}"
harbor_hostname: "{{ stage_server_domain }}"
# The external URL is always https; the traefik labels further down request
# TLS with the letsencrypt cert resolver for this hostname.
harbor_external_url: "https://{{ stage_server_domain }}"
# Reused below as the traefik router/service/middleware name and as the
# local part of the mail sender address.
harbor_id: "{{ inventory_hostname }}-harbor"
# docker-compose overrides for Harbor's proxy service: the container publishes
# no host ports and is reached only through traefik on the external
# front-tier network.
# NOTE(review): the nesting below was reconstructed from a listing that had
# lost its indentation - confirm against the repository copy.
harbor_dockercompose_customized:
  services:
    proxy:
      networks:
        - harbor
        - front-tier
      ports: []  # not exposing ports - already used by traefik
      labels:
        - "traefik.enable=true"
        # NOTE(review): both headers middlewares are declared here, but no
        # "traefik.http.routers.<name>.middlewares=..." label is visible in
        # this list, so nothing in this file attaches them to a router -
        # confirm whether that is intended.
        - "traefik.http.middlewares.{{ harbor_id }}.headers.customrequestheaders.X-Forwarded-Proto=https"
        # Main router: HTTPS only (websecure entrypoint, TLS via letsencrypt),
        # forwarded to container port 8080.
        - "traefik.http.routers.{{ harbor_id }}.service={{ harbor_id }}"
        - "traefik.http.routers.{{ harbor_id }}.rule=Host(`{{ harbor_hostname }}`)"
        - "traefik.http.routers.{{ harbor_id }}.entrypoints=websecure"
        - "traefik.http.routers.{{ harbor_id }}.tls=true"
        - "traefik.http.routers.{{ harbor_id }}.tls.certresolver=letsencrypt"
        - "traefik.http.services.{{ harbor_id }}.loadbalancer.server.port=8080"
        # Second router on the monitoring-harbor entrypoint, forwarded to
        # container port 9090 (presumably Harbor's metrics endpoint).
        # NOTE(review): no authentication or IP allow-list middleware is
        # attached here; access control then depends entirely on who can
        # reach the monitoring-harbor entrypoint - verify its exposure.
        - "traefik.http.middlewares.{{ harbor_id }}-monitor.headers.customrequestheaders.X-Forwarded-Proto=https"
        - "traefik.http.routers.{{ harbor_id }}-monitor.service={{ harbor_id }}-monitor"
        - "traefik.http.routers.{{ harbor_id }}-monitor.rule=Host(`{{ harbor_hostname }}`)"
        - "traefik.http.routers.{{ harbor_id }}-monitor.entrypoints=monitoring-harbor"
        - "traefik.http.routers.{{ harbor_id }}-monitor.tls=true"
        - "traefik.http.routers.{{ harbor_id }}-monitor.tls.certresolver=letsencrypt"
        - "traefik.http.services.{{ harbor_id }}-monitor.loadbalancer.server.port=9090"
  networks:
    # Pre-existing network shared with traefik; compose will not create it.
    front-tier:
      external: true
# Harbor system configuration: mail relay, OIDC login and the scan-all
# policy. Variables not defined in this file (shared_service_*,
# harbor_oidc_*) must be supplied by the inventory.
# NOTE(review): nesting reconstructed from a listing without indentation.
harbor_base_configuration:
  email_host: "{{ shared_service_mail_hostname }}"
  email_port: 25
  email_from: "{{ harbor_id }}@netgo.de"
  email_password: ""
  email_username: ""
  # NOTE(review): email_insecure: true turns off certificate verification for
  # the mail server connection (per Harbor's configuration docs). Together
  # with port 25 and empty credentials, mail delivery relies on the relay
  # being reachable only over a trusted network - confirm, or enable
  # verification.
  email_insecure: true
  auth_mode: oidc_auth
  oidc_name: "{{ harbor_oidc_realm }}"
  oidc_endpoint: "https://{{ shared_service_hostname_keycloak }}/auth/realms/{{ harbor_oidc_realm }}"
  oidc_client_id: "{{ harbor_oidc_client_id }}"
  # Secret is injected from a variable; it should come from a vault/secret
  # store, never from a plain-text default.
  oidc_client_secret: "{{ harbor_oidc_client_secret }}"
  oidc_groups_claim: groups
  # NOTE(review): only the openid scope is requested; the "groups" claim used
  # above and for oidc_admin_group must be delivered by the provider under
  # this scope - verify in the Keycloak client mappers.
  oidc_scope: openid
  oidc_verify_cert: true
  # Users are created on first OIDC login without an onboarding step; the
  # username is taken from the claim named in oidc_user_claim.
  oidc_auto_onboard: true
  # Members of this OIDC group receive Harbor administrator rights.
  # NOTE(review): "admin" is a generic group name - check who can manage
  # membership of that group in the realm.
  oidc_admin_group: "admin"
  oidc_user_claim: "sub"
  scan_all_policy:
    parameter:
      # NOTE(review): presumably an offset for the daily scan time - confirm
      # against the Harbor version in use.
      daily_time: 0
# Template for one Harbor project; "{{ elem }}" is the loop variable, filled
# in by whatever task iterates over the project lists. Each project enables
# auto_scan and grants the OIDC group of the same name the projectadmin role.
# NOTE(review): the listing lost its indentation; the placement of
# project_state and members at the top level of the template is inferred -
# confirm against the task that consumes this template.
project_object_template:
  project_attributes:
    project_name: "{{ elem }}"
    meta_data:
      auto_scan: true
  project_state: present
  members:
    # Group name equals project name, so whoever can create or join an OIDC
    # group with a project's name becomes admin of that project.
    - group_name: "{{ elem }}"
      group_type: oidc
      role: projectadmin
# Project names provisioned by default.
harbor_projects_smardigo_default:
  - awx
  - smardigo
  - infrastructure
# Additional project names; empty unless overridden by the inventory.
harbor_projects: []
# Robot accounts to create in Harbor.
# NOTE(review): nesting reconstructed from a listing without indentation.
harbor_robot_tokens:
  # NOTE(review): secret_refresh presumably makes the role (re)set the secret
  # on each run - confirm in the role's tasks.
  - secret_refresh: true
    # token_state: present
    name: ansible
    # System-level robot: not bound to a single project.
    level: system
    # NOTE(review): the description says "pull credentials", but the
    # permissions below also grant push, delete and create on every project
    # (namespace "*"). If the account is only used for pulling, reduce the
    # access list to pull; otherwise correct the description.
    description: "smardigo docker pull credentials"
    # Secret is injected from a variable; keep its value in a vault.
    secret: "{{ harbor_token }}"
    disable: false
    # In Harbor, -1 for duration/expires_at means the token never expires.
    # NOTE(review): a non-expiring, system-wide token with write and delete
    # rights has no time limit if leaked - consider an expiry plus rotation.
    duration: -1
    editable: true
    expires_at: -1
    permissions:
      - access:
          - action: push
            resource: repository
          - action: pull
            resource: repository
          - action: delete
            resource: artifact
          - action: read
            resource: helm-chart
          - action: create
            resource: helm-chart-version
          - action: delete
            resource: helm-chart-version
          - action: create
            resource: tag
          - action: delete
            resource: tag
          - action: create
            resource: artifact-label
          - action: create
            resource: scan
        kind: project
        # "*" applies the access list to all projects.
        namespace: "*"
# Schedule for scanning all artifacts.
# The cron value has six fields; assuming Harbor's seconds-first format it
# runs at 01:00:00 every day - confirm the time zone Harbor applies.
# NOTE(review): the cron value is an unquoted plain scalar containing "*";
# it parses as a string, but quoting it would protect it from re-typing by
# tooling.
harbor_scanall:
  - schedule:
      cron: 0 0 1 * * *
      type: Custom