kurotoshiro / ansible-role-harbor

An Ansible Role that installs Harbor.



Ansible Role: harbor

An Ansible Role that installs Harbor on Linux.

This role is a fork of amuwxf's role.

This role is no longer maintained. If you need new features, please fork it and continue development there.

If you only need a plain Docker registry and are looking for a replacement for Harbor, consider ansible-registry, with ansible-registry-ui as the web UI.


If harbor_version is set to latest, the role tries to install the most recent release. Use this with caution: the version is resolved anew on every run, so deployments are not reproducible and incompatibilities between releases may occur. Pin an explicit version for anything beyond experimentation.

Harbor is installed below harbor_install_dir in its own versioned directory (harbor_${harbor_version}), which is then symlinked to {{ harbor_install_dir }}/harbor. Because the previous installation directory stays in place, pointing the link back should make a downgrade relatively safe.

By default the Harbor installation archive is downloaded to the Ansible controller and then copied to the target system. The cache directory can be set with the environment variable CUSTOM_LOCAL_TMP_DIRECTORY; by default it is ${HOME}/.cache/ansible/harbor. If this is not desired, the download can take place directly on the target system, which must be explicitly enabled by setting harbor_direct_download to true. Nothing on this page indicates that the archive's checksum or signature is verified before installation; if that matters to you, compare the cached archive against the checksum or signature published with the Harbor release before running the role.

Requirements

  • a running Docker service
  • docker-compose installed

Operating systems

Tested on

  • Debian based
    • Debian 10 / 11
    • Ubuntu 20.04

Usage

For a complete list see defaults/main.yaml.

For a complete example see molecule/default/group_vars/all/vars.yaml.

# Harbor release to install. Pin an explicit version: "latest" (see above) is
# resolved on every run and makes deployments non-reproducible.
harbor_version: 2.5.2

# Installer flavour; "offline" ships the container images inside the archive.
# NOTE(review): Harbor also publishes an "online" installer -- confirm the role
# handles it before changing this.
harbor_installer_type: offline

harbor_download_release_url: "https://github.com/goharbor/harbor/releases"
harbor_download_artifact: "harbor-{{ harbor_installer_type }}-installer-v{{ harbor_version }}.tgz"

# Assembled from the two values above. Keep it on https; nothing on this page
# indicates that the archive's checksum or signature is verified after download.
harbor_download_url: "{{ harbor_download_release_url }}/download/v{{ harbor_version }}/{{ harbor_download_artifact }}"

# false: download to the controller's cache (CUSTOM_LOCAL_TMP_DIRECTORY) and copy
# the archive to the target. true: the target host downloads the archive itself.
harbor_direct_download: false

# Presumably re-renders the Harbor configuration even if one already exists --
# TODO confirm against the role's tasks.
harbor_force_configuration: false

# Public name of the registry; TLS certificates and the external URL should
# match it.
harbor_hostname: "{{ ansible_fqdn }}"

harbor_install_dir: /opt

# Registry data lives outside the versioned harbor_<version> directory, so it
# survives upgrades and downgrades of the installation directory.
harbor_data_volume: "{{ harbor_install_dir }}/data"

# Widely known Harbor default password for the built-in admin account. Never
# deploy with it: override it with a strong value kept in Ansible Vault.
harbor_admin_password: Harbor12345

# Each empty mapping appears to override the matching harbor_defaults_* mapping
# documented below; leave {} to keep the defaults.
harbor_http: {}
harbor_https: {}
harbor_external_url: {}
harbor_internal_tls: {}
harbor_ssl: {}
harbor_database: {}
harbor_external_database: {}
harbor_external_redis: {}
harbor_storage_service: {}
harbor_trivy: {}
harbor_jobservice: {}
harbor_notification: {}
harbor_chart: {}
harbor_log: {}
harbor_metric: {}
harbor_trace: {}
harbor_upload_purging: {}

# Users, projects and robot accounts to create after installation (see below).
harbor_users: {}
harbor_projects: {}
harbor_robots: {}

# Extra flags for the Harbor installer; --with-trivy enables the Trivy
# vulnerability scanner.
harbor_install_with:
  - --with-trivy

# NOTE(review): effect not described on this page -- TODO confirm in tasks/.
harbor_behind_proxy: false

harbor_http

# Plain-HTTP listener. Credentials and registry tokens travel in clear text on
# it, so enable harbor_https for anything beyond a local test.
harbor_defaults_http:
  # port for http, default is 80.
  # If https enabled, this port will redirect to https port
  port: 80

harbor_https

# HTTPS listener; disabled by default.
harbor_defaults_https:
  enabled: false
  # https port for harbor, default is 443
  port: 443
  # Presumably paths to the PEM certificate and key on the target host; both
  # must be set when enabled is true -- TODO confirm how the role fills them.
  certificate: ""
  private_key: ""

harbor_external_url

harbor_defaults_external_url:
  # Scheme and URL as seen by clients. If a TLS-terminating proxy sits in
  # front of Harbor, set https here even though Harbor itself listens on http.
  protocol: http   # or https
  url: ""

harbor_internal_tls

# TLS between Harbor's own components; off by default.
harbor_defaults_internal_tls:
  enabled: false
  # Directory holding the internal certificates when enabled.
  dir: /etc/harbor/tls/internal

harbor_ssl

# Server certificate handling.
harbor_defaults_ssl:
  # true: generate a self-signed certificate at the paths below. Suitable for
  # testing only -- clients will not trust it without manual pinning.
  create_self_signed: false
  cert: "{{ harbor_install_dir }}/harbor/ssl/harbor.crt"
  cert_key: "{{ harbor_install_dir }}/harbor/ssl/harbor.key"
  # Validity of the self-signed certificate in days.
  self_days: 180
  # CN=test does not match harbor_hostname, so even clients that trust the
  # certificate will see a name mismatch; adjust the subject if you use this.
  self_subject: "/O=Harbor Server/OU=Self signed/CN=test"

harbor_database

# Internal database settings.
harbor_defaults_database:
  # Default password of the internal database; override it with a vaulted
  # value rather than deploying the literal below.
  password: root123
  max_idle_conns: 50
  max_open_conns: 500

harbor_external_database

# Settings for an externally hosted database, one block per Harbor component.
# Passwords are credentials: keep real values in Ansible Vault.
harbor_defaults_external_database:
  harbor:
    host: ""
    port: ""
    db_name: ""
    username: ""
    password: ""
    # "disable" sends queries and the password over the network unencrypted;
    # prefer "require" or "verify-full" when the database is on another host.
    ssl_mode: disable
    max_idle_conns: 2
    max_open_conns: 0
  notary_signer:
    host: ""
    port: ""
    db_name: ""
    username: ""
    password: ""
    # Same caveat as above: unencrypted by default.
    ssl_mode: disable
  notary_server:
    host: ""
    port: ""
    db_name: ""
    username: ""
    password: ""
    # Same caveat as above: unencrypted by default.
    ssl_mode: disable

harbor_external_redis

Supports a single Redis instance (redis) and Redis with Sentinel (redis+sentinel). The host value is written accordingly:

redis

host = host_redis:port_redis

redis+sentinel

host = host_sentinel1:port_sentinel1,host_sentinel2:port_sentinel2,host_sentinel3:port_sentinel3

# Settings for an external Redis (see the host formats above).
harbor_defaults_external_redis:
  host: ""
  # Empty means Harbor connects without authentication; set a password
  # (vaulted) for any Redis reachable beyond localhost.
  password: ""
  # sentinel_master_set must be set to support redis+sentinel
  sentinel_master_set: false
  # db_index 0 is for core, it's unchangeable
  registry_db_index: 1
  jobservice_db_index: 2
  chartmuseum_db_index: 3
  # NOTE(review): presumably a legacy index from the Clair scanner era --
  # confirm whether the role still uses it.
  clair_db_index: 4
  trivy_db_index: 5
  idle_timeout_seconds: 30

harbor_storage_service

# Registry storage backend; only the filesystem backend is configured here.
harbor_defaults_storage_service:
  # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
  # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
  ca_bundle: ""
  # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
  # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
  filesystem:
    maxthreads: ""
  # set disable to true when you want to disable registry redirect
  redirect:
    disabled: false

harbor_trivy

# Trivy vulnerability scanner settings.
harbor_defaults_trivy:
  # true hides findings that have no fix available yet.
  ignore_unfixed: false
  # skip_update / offline_scan control whether the vulnerability database is
  # refreshed; a stale database silently misses newer CVEs.
  skip_update: false
  offline_scan: false
  # true disables TLS certificate verification -- keep false.
  insecure: false
  # Optional GitHub token (raises the rate limit for database downloads).
  # It is a credential: store it in Ansible Vault, not in plain text.
  github_token: ""

harbor_jobservice

# Job service settings.
harbor_defaults_jobservice:
  # Number of concurrent job workers.
  max_job_workers: 10

harbor_notification

# Webhook notification settings.
harbor_defaults_notification:
  # Retries before a failed webhook delivery is given up.
  webhook_job_max_retry: 10

harbor_chart

# Chart repository settings.
harbor_defaults_chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: "disabled"

harbor_log

# Logging: local rotation plus an optional remote endpoint.
harbor_defaults_log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
  # Remote log endpoint; all three must be set to use it. Plain tcp sends
  # logs unencrypted, so keep the collector on a trusted network.
  external_endpoint:
    protocol: ""  # tcp
    host: ""      # localhost
    port: ""      # 5140

harbor_metric

# Metrics endpoint; off by default. If enabled, restrict network access to
# the port -- metrics reveal internal details of the deployment.
harbor_defaults_metric:
  enabled: false
  port: 9090
  path: /metrics

harbor_trace

# Distributed tracing; off by default. Configure either jaeger or otel.
harbor_defaults_trace:
  enabled: false
  # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
  sample_rate: 1
  # namespace used to differenciate different harbor services
  # (a bare key renders as null, i.e. no namespace)
  namespace:
  # attributes is a key value dict contains user defined attributes used to initialize trace provider
  attributes:
    application: harbor
  # jaeger should be 1.26 or newer.
  jaeger:
    endpoint: http://hostname:14268/api/traces
    # Bare keys render as null. If you set credentials, keep them in Ansible
    # Vault and use an https endpoint so they are not sent in clear text.
    username:
    password:
    agent_host: hostname
    # export trace data by jaeger.thrift in compact mode
    agent_port: 6831
  otel:
    endpoint: hostname:4318
    url_path: /v1/traces
    compression: false
    # true sends traces to the collector without TLS; set false (and use an
    # https endpoint) unless the collector is on a trusted network.
    insecure: true
    timeout: 10s

harbor_upload_purging

# Periodic cleanup of abandoned uploads; on by default.
harbor_defaults_upload_purging:
  enabled: true
  # remove files in _upload directories which exist for a period of time, default is one week.
  age: 168h
  # the interval of the purge operations
  interval: 24h
  # true only reports what would be removed.
  dryrun: false

harbor_users

By default, Harbor allows users to self-register.
If you prefer to have the role create users, disable self-registration and define a list of users as shown below.

Each user must have a unique e-mail address; the role performs a plausibility check for this before it starts. Keep in mind that Harbor enforces length restrictions on passwords. The example below spells passwords out for readability only; in a real inventory keep them in Ansible Vault rather than in plain text.

This operation is idempotent.

# Example user definitions. Passwords are literal here for illustration only;
# store real ones in Ansible Vault.
harbor_users:
  coremedia:
    password: C0remedia
    email: build@cm.lan
    realname: automatic build
    # Grants full administrative rights; give this to as few accounts as possible.
    has_admin_role: true

  coremedia2:
    password: C0remedia2
    email: build.2@cm.lan
    realname: automatic build
    #
    has_admin_role: false

harbor_projects

You may define harbor_projects if you want projects to be created automatically once Harbor is installed. The example below is the value of harbor_projects:

  # Example project. The string values ("true"/"false") are presumably passed
  # to the Harbor API as-is -- TODO confirm the role does not expect booleans.
  matrix:
    is_public: "false"
    # Appears to map to Harbor's content-trust and vulnerability-prevention
    # policies (block unsigned / vulnerable images) -- confirm against tasks/.
    content_trust: "true"
    prevent_vul: "true"
    severity: "high"
    auto_scan: "true"
    # Members must exist as Harbor users; role names follow Harbor's roles.
    project_members:
      coremedia3:
        role: guest
      coremedia4:
        role: developer

harbor_robots

Example robot account definitions. A robot's secret is a credential: store real values in Ansible Vault, never as plain text in the inventory.

# Example robot accounts. "xxxxxx" secrets are placeholders; use vaulted values.
harbor_robots:
  # A system-level robot that may create projects is a powerful credential;
  # scope it as narrowly as the use case allows.
  master:
    description: master robot                 # The description of the robot
    secret: "xxxxxx"                          # The secret of the robot
    disable: false                            # The disable status of the robot
    level: system                             # The level of the robot, project or system
    duration: -1                              # The duration of the robot in days (-1 presumably never expires -- confirm)
    permissions:
      kind: "system"                          # The kind of the permission
      namespace: "/"                          # The namespace of the permission
      access:
        - action: create
          resource: project

  coremedia:
    description: robot user for coremedia     # The description of the robot
    secret: "xxxxxx"                          # The secret of the robot
    disable: false                            # The disable status of the robot
    level: project                            # The level of the robot, project or system
    duration: 0                               # The duration of the robot in days
    permissions:
      kind: "project"                         # The kind of the permission
      namespace: "coremedia"                  # The namespace of the permission
      access:
        # REPOSITORY -- push and delete are write rights; drop them for a pull-only robot
        - action: pull                        # The action of the access
          resource: repository                # The resource of the access
        - action: push
          resource: repository
        - action: list
          resource: repository
        - action: delete
          resource: repository
        # TAGS
        - action: create
          resource: tag
        - action: delete
          resource: tag
        - action: list
          resource: tag
        # ARTIFACT
        - action: list
          resource: artifact-label
        # SCAN
        - action: create
          resource: scan
        # HELM
        - action: read
          resource: helm-chart
        - action: read
          resource: helm-chart-version

Author and License

License

MIT

FREE SOFTWARE, HELL YEAH!
