hetzner-ansible/roles/harbor/defaults/main.yml

---

harbor_hostname: '{{ stage_server_domain }}'
harbor_external_url: 'https://{{ stage_server_domain }}'

harbor_id: '{{ inventory_hostname }}-harbor'

harbor_dockercompose_customized:
  services:
    core:
      extra_hosts:
        - '{{ shared_service_keycloak_hostname }}:{{ shared_service_keycloak_ip }}'
        - '{{ shared_service_mail_hostname }}:{{ shared_service_mail_ip }}'
    proxy:
      networks:
        - harbor
        - front-tier
      ports: [] # not exposing ports - already used by traefik
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.{{ harbor_id }}.headers.customrequestheaders.X-Forwarded-Proto=https"
        - "traefik.http.routers.{{ harbor_id }}.service={{ harbor_id }}"
        - "traefik.http.routers.{{ harbor_id }}.rule=Host(`{{ harbor_hostname }}`)"
        - "traefik.http.routers.{{ harbor_id }}.entrypoints=websecure"
        - "traefik.http.routers.{{ harbor_id }}.tls=true"
        - "traefik.http.routers.{{ harbor_id }}.tls.certresolver=letsencrypt"
        - "traefik.http.services.{{ harbor_id }}.loadbalancer.server.port=8080"
        - "traefik.http.middlewares.{{ harbor_id }}-monitor.headers.customrequestheaders.X-Forwarded-Proto=https"
        - "traefik.http.routers.{{ harbor_id }}-monitor.service={{ harbor_id }}-monitor"
        - "traefik.http.routers.{{ harbor_id }}-monitor.rule=Host(`{{ harbor_hostname }}`)"
        - "traefik.http.routers.{{ harbor_id }}-monitor.entrypoints=monitoring-harbor"
        - "traefik.http.routers.{{ harbor_id }}-monitor.tls=true"
        - "traefik.http.routers.{{ harbor_id }}-monitor.tls.certresolver=letsencrypt"
        - "traefik.http.services.{{ harbor_id }}-monitor.loadbalancer.server.port=9090"
  networks:
    front-tier:
      external: true

harbor_base_configuration:
  email_host: '{{ shared_service_mail_hostname }}'
  email_port: 25
  email_from: '{{ harbor_id }}@{{ domain }}'
  email_password: ''
  email_username: ''
  email_insecure: true
  auth_mode: oidc_auth
  oidc_name: "{{ harbor_oidc_realm }}"
  oidc_endpoint: 'https://{{ shared_service_keycloak_hostname }}/auth/realms/{{ harbor_oidc_realm }}'
  oidc_client_id: "{{ harbor_oidc_client_id }}"
  oidc_client_secret: "{{ harbor_oidc_client_secret }}"
  oidc_groups_claim: groups
  oidc_scope: openid
  oidc_verify_cert: true
  oidc_auto_onboard: true
  oidc_admin_group: 'admin'
  oidc_user_claim: 'sub'
  scan_all_policy:
    parameter:
      daily_time: 0

project_object_template:
  project_attributes:
    project_name: '{{ elem }}'
  meta_data:
    auto_scan: true
  project_state: present
  members:
    -
      group_name: '{{ elem }}'
      group_type: oidc
      role: projectadmin

harbor_projects_smardigo_default:
  - awx
  - sensw
  - smardigo

harbor_projects: []

harbor_robot_tokens:
  -
    secret_refresh: true
#    token_state: present
    name: ansible
    level: system
    description: 'smardigo docker pull credentials'
    secret: '{{ harbor_token }}'
    disable: false
    duration: -1
    editable: true
    expires_at: -1
    permissions:
    - access:
      - action: push
        resource: repository
      - action: pull
        resource: repository
      - action: delete
        resource: artifact
      - action: read
        resource: helm-chart
      - action: create
        resource: helm-chart-version
      - action: delete
        resource: helm-chart-version
      - action: create
        resource: tag
      - action: delete
        resource: tag
      - action: create
        resource: artifact-label
      - action: create
        resource: scan
      kind: project
      namespace: "*"

harbor_scanall:
  -
    schedule:
      cron: 0 0 1 * * *
      type: Custom