ansible-role-harbor's Introduction

Ansible Role: Harbor

An Ansible Role that installs Harbor on Linux.

This role is in alpha stage. Issues and PRs are welcome.

Requirements

None.

Role Variables

For a complete list see defaults/main.yaml.

By default, the role uses the IP of the current host to set harbor_hostname. You can override it.

To change the install dir:

harbor_install_dir: /opt

To change the default protocol:

harbor_ui_url_protocol: "http"

If you want to change the exposed ports of Harbor's NGINX from the defaults of 80 and 443, use:

harbor_exposed_http_port: 81
harbor_exposed_https_port: 444

If you are running Harbor behind a proxy, set harbor_behind_proxy: yes. This will comment out the necessary lines in Harbor's Nginx to make it work, as per their troubleshooting section.

To install with extras set:

harbor_extras:
    - clair
    - notary

If you already have a Redis set-up, you might want to change the default redis hostname and port of Harbor:

# change these if you have your own redis running already
harbor_redis_host: redis
harbor_redis_port: 6379

You can also pass extra arguments to the installer with harbor_installer_extra_args (a string).

You may define harbor_projects if you want projects to be automatically created once harbor is installed.

harbor_projects:
  - project_name: test
    is_public: "false"
    content_trust: "false"
    prevent_vul: "true"
    severity: "high"
    auto_scan: "true"

By default, users can self-register. If you prefer to create users automatically, you must disable self-registration and set a list of users. Those users will be created automatically. The password defaults to "HarborUser12345".

This operation is idempotent.

harbor_self_registration: "off"
harbor_users:
    - username: user1
      email: [email protected]
      realname: User Number 1
      role_name: developer
      role_id: 2
      has_admin_role: true

Dependencies

None.

Example Playbook

---
- name: Installing and configuring Harbor
  hosts: registry
  vars:
    harbor_projects:
      - project_name: myproject
        is_public: "false"
        content_trust: "false"
        prevent_vul: "true"
        severity: "high"
        auto_scan: "true"
    harbor_users:
      - username: user1
        email: [email protected]
        realname: User Number 1
        role_name: developer
        role_id: 2
        has_admin_role: true
  roles:
    - nicholasamorim.harbor

After the playbook runs, you should be able to navigate to your host on port 80/443 and see Harbor's UI. You can log in with admin/Harbor12345. If you changed the exposed ports, remember to use them instead of 80/443.

Running Harbor behind your proxy

A common setup is to run Harbor behind a proxy where the proxy is responsible for SSL termination. Harbor can be pretty fiddly with that, as it has its own Nginx inside, and things can get confusing because:

  a) Harbor has its own Nginx proxy, which must run as http.
  b) However, certain lines must be commented out in Harbor's nginx if you use a proxy.
  c) The realm URL must also be changed to what's externally visible: https.

Here's an example of the variables that have to be set in such a scenario:

harbor_hostname: "myharbor.company.com"
harbor_api_url: "https://myharbor.company.com/api"
harbor_behind_proxy: yes
# Internally, Harbor is still running on http
harbor_ui_url_protocol: "http"
harbor_customize_crt: "off"
harbor_registry_realm_protocol: "https"
# Running Harbor's nginx in different ports not to conflict with 80/443
harbor_exposed_http_port: 8798
harbor_exposed_https_port: 8799
harbor_extras:
  - clair
harbor_self_registration: "off"
# This is useful if you already have a redis container running
harbor_redis_host: redisharbor
harbor_ssl_cert: /etc/ssl/certs/cert.pem
harbor_ssl_cert_key: /etc/ssl/certs/cert.key

This will ensure that:

  • Harbor's nginx gets this line commented.
  • The registry realm url is updated correctly.

This is a bit convoluted but it's a compromise to try and not change Harbor's files/templates too much as this will incur frequent breakage. I'm open to suggestions on how to improve, though.

Managing state

For convenience, this role includes tasks to stop, start and restart the registry using docker-compose.

Here's a playbook created specifically to restart the registry:

---
- hosts: registry
  tasks:
    - name: Restarting Harbor
      include_role:
        name: harbor
        tasks_from: restart

Running the playbook above effectively restarts all components of Harbor. This takes into consideration if you are using clair and/or notary and uses their docker-compose files too.

tasks_from can be restart, start and stop.

If you are running the playbook again to ensure the list of users but you have already changed the default admin password, you can set the harbor_admin_password variable somewhere or simply pass it in the command-line with -e "harbor_admin_password=mypass".

Author Information

This role was created in 2019 by Nicholas Amorim.

ansible-role-harbor's People

Contributors

julien-tmp, nicholasamorim

ansible-role-harbor's Issues

ERROR! the role 'harbor' was not found

Hello!
I tried to install Harbor and got an error:

ERROR! the role 'harbor' was not found in /home/user/github/infrastructure-as-a-code-example/12-harbor/roles:/home/user/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/home/user/github/infrastructure-as-a-code-example/12-harbor

The error appears to be in '/home/user/github/infrastructure-as-a-code-example/12-harbor/playbook.yml': line 20, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  roles:
    - harbor
      ^ here

I installed the role:

ansible-galaxy install nicholasamorim.harbor

Playbook

---
- name: Installing and configuring Harbor
  hosts: harbor
  vars:
    harbor_projects:
      - project_name: myproject
        is_public: "false"
        content_trust: "false"
        prevent_vul: "true"
        severity: "high"
        auto_scan: "true"
    harbor_users:
      - username: user1
        email: [email protected]
        realname: User Number 1
        role_name: developer
        role_id: 2
        has_admin_role: true
  roles:
    - harbor

docker login won't work if we use a custom port (8443) - redirects to 443

This is what you get with a custom port (HTTPS):

CURL:
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Fri, 05 Apr 2019 13:29:45 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 87
< Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
< Set-Cookie: sid=b9969f27808d09cd150a27e0122fc068; Path=/; HttpOnly
< Www-Authenticate: Bearer realm="https://DOMAIN.COM/service/token",service="harbor-registry"
<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host  DOMAIN.COM left intact

$ sudo docker login DOMAIN.COM8443
[sudo] password for user:
Username: user
Password:
Error response from daemon: Get https://DOMAIN.COM:8443/v2/: Get https://DOMAIN.COM/service/token?account=user&client_id=docker&offline_token=true&service=harbor-registry: dial tcp 192.168.x.x:443: connect: connection refused

I found what is wrong and will try to fix it.
./config/notary/server-config.postgres.json: "realm": "https://DOMAIN.COM/service/token"
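
Added example (not part of the original issue or of the role's code): the realm in the Www-Authenticate challenge is where the Docker client sends the user's credentials, so its scheme, host and port must match the URL clients actually reach, both in the custom-port case reported above and in the behind-a-proxy setup from the README. The Python sketch below parses the challenge and lists every mismatch; the function names are hypothetical, and the sample header is constructed from the one quoted in the issue.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_bearer_challenge(header):
    """Return the key="value" parameters of a Bearer WWW-Authenticate header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def origin(url):
    """Normalise a URL to (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def check_realm(external_url, www_authenticate):
    """List the ways the token realm differs from the URL clients actually use."""
    realm = parse_bearer_challenge(www_authenticate).get("realm")
    if not realm:
        return ["challenge carries no realm"]
    problems = []
    want, got = origin(external_url), origin(realm)
    for label, w, g in zip(("scheme", "host", "port"), want, got):
        if w != g:
            problems.append("realm %s is %r, clients use %r" % (label, g, w))
    return problems

# Constructed sample: the header quoted in the issue (DOMAIN.COM is the
# poster's own placeholder), checked against the custom HTTPS port 8443.
ISSUE_HEADER = 'Bearer realm="https://DOMAIN.COM/service/token",service="harbor-registry"'

if __name__ == "__main__":
    for line in check_realm("https://DOMAIN.COM:8443", ISSUE_HEADER):
        print(line)
```

Run against the header returned by a request to /v2/ after each deployment, an empty result means the token endpoint the client is told to use is the same origin the client logged in to.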

The conditional check 'not harbor_folder_st.stat.isdir' failed. The error was: error while evaluating conditional (not harbor_folder_st.stat.isdir): 'dict object' has no attribute 'isdir'

Hello,
Thank you for sharing this nice project!
When I run it I get:
The conditional check 'not harbor_folder_st.stat.isdir' failed. The error was: error while evaluating conditional (not harbor_folder_st.stat.isdir): 'dict object' has no attribute 'isdir'

I do not have the directory created initially.

So I did a debug and here is the big picture:

TASK [deploy_harbor_via_compose : debug] *******************************************************************************
ok: [test_server] => {
    "msg": {
        "changed": false,
        "failed": false,
        "stat": {
            "exists": false
        }
    }
}

TASK [deploy_harbor_via_compose : Downloading Harbor 1.7.4 (offline installer)] ****************************************
fatal: [test_server]: FAILED! => {"msg": "The conditional check 'not harbor_folder_st.stat.isdir' failed. The error was: error while evaluating conditional (not harbor_folder_st.stat.isdir): 'dict object' has no attribute 'isdir'\n\nThe error appears to have been in '/DIR/roles/deploy_harbor_via_compose/tasks/main.yml': line 8, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n    msg: \"{{ harbor_folder_st }}\"\n- name: \"Downloading Harbor {{ harbor_version }} (offline installer)\"\n  ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes.  Always quote template expression brackets when they\nstart a value. For instance:\n\n    with_items:\n      - {{ foo }}\n\nShould be written as:\n\n    with_items:\n      - \"{{ foo }}\"\n"}
        to retry, use: --limit @/DIR/playbook-deploy-docker-repo.retry

So I tried to replace those instances:

  when:
    - not harbor_folder_st.stat.exists
    - not harbor_folder_st.stat.isdir

by

when:
    - not harbor_folder_st.stat.exists or (harbor_folder_st.stat.isdir is defined and not harbor_folder_st.stat.isdir)

But then it would skip the unzip:

TASK [deploy_harbor_via_compose : Uncompressing Harbor installer...] ***************************************************
skipping: [test_server]

Did I miss something? How would it be best to fix that?

Unable to install this role using ansible-galaxy

When I try to install the role from Ansible Galaxy I get an error message:

$ sudo ansible-galaxy install nicholasamorim.harbor
- downloading role 'harbor', owned by nicholasamorim
- downloading role from https://github.com/nicholasamorim/ansible-role-harbor/archive/master.tar.gz
 [WARNING]: - nicholasamorim.harbor was NOT installed successfully: this role does not appear to have a meta/main.yml file.

ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

I believe that this is because ansible-galaxy expects a meta/main.yml but the meta file in this repository is meta/main.yaml

harbor_ssl_cert is missing

fatal: [192.168.30.249]: FAILED! => {
    "msg": "The task includes an option with an undefined variable. The error was: 'harbor_ssl_cert' is undefined\n\nThe error appears to be in '/root/ansible-command-test/harbor/ansible-role-harbor/tasks/main.yml': line 59, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Creating SSL certs folder\n  ^ here\n"
}

fatal: [test_server]: FAILED! => {"changed": false, "msg": "Failed to import docker or docker-py - No module named 'docker'. Try `pip install docker` or `pip install docker-py` (Python 2.6)"}

It seems some things are missing if you don't enable the "behind proxy" flag but on my way to figure out what it is I am reporting more issues.
On my last run I got fatal: [test_server]: FAILED! => {"changed": false, "msg": "Failed to import docker or docker-py - No module named 'docker'. Try `pip install docker` or `pip install docker-py` (Python 2.6)"}

I think the role should include this to solve this error:

- name: Install base packages needed for docker install
  apt:
    name: "{{ packages }}"
    update_cache: yes
    state: latest
  vars:
    packages:
      - python3-pip
  become: true

- name: Install latest docker python bindings
  pip:
    name: "{{ packages }}"
    executable: pip3
    state: latest
  vars:
    packages:
      - docker
      - jsondiff ##check if needed, I know it is for swarm but don't know about compose
      - pyyaml ##check if needed, I know it is for swarm but don't know about compose
      - docker-compose
  become: true

Creating users fails

I updated to the latest version.
Getting to the end of the corridor!

Creating users fails with the message below. Would you have any idea why?

failed: [test_server] (item={u'username': u'julien', u'has_admin_role': True, u'role_name': 
u'developer', u'realname': u'Julien', u'password': u'PASSWORD', u'email': u'[email protected]', 
u'role_id': 2}) => {"changed": false, "connection": "close", "content": "<html>\r\n<head>
<title>502 Bad Gateway</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>502 
Bad Gateway</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n", 
"content_length": "166", "content_type": "text/html", "date": "Wed, 20 Mar 2019 07:35:00 GMT", 
"item": {"email": "[email protected]", "has_admin_role": true, "password": "PASSWORD", 
"realname": "Julien", "role_id": 2, "role_name": "developer", "username": "julien"}, "msg": "Status 
code was 502 and not [201, 409]: HTTP Error 502: Bad Gateway", "redirected": false, "server": 
"nginx", "status": 502, "url": "https://repo.mydomain.domain.com:8443/api/users"}

In addition:

  • If I try to log in with admin/Harbor12345 or admin/MY_SET_PASSWORD, it doesn't work
  • I did set harbor_self_registration: "off"

Here is my playbook:

- name: Deploying a docker repository at "{{ DOCKER_REPO_DOMAIM }}:{{ DOCKER_REPO_HTTPS_PORT }}"
  hosts: docker-servers
  remote_user: "{{ SSH_USER }}"
  become: true
  roles:
    - deploy_harbor_via_compose
  vars:
    ansible_become_pass: "{{ INITIAL_PASSWORD }}"
    harbor_self_registration: "off"
    harbor_hostname: "{{ DOCKER_REPO_DOMAIM }}"
    harbor_admin_password: "{{ DOCKER_REPO_ADMIN_PASSWORD }}"
    harbor_extras:
      - clair
      - notary
    harbor_install_dir: "{{ WORKING_DIRECTORY }}/repository/install"
    harbor_datadir: "{{ WORKING_DIRECTORY }}/repository/data"
    harbor_ui_url_protocol: "https"
    harbor_exposed_http_port: "{{ DOCKER_REPO_HTTP_PORT }}"
    harbor_exposed_https_port: "{{ DOCKER_REPO_HTTPS_PORT }}"
    harbor_ssl_cert: "{{ WORKING_DIRECTORY }}/certs/{{ DOMAIN_NAME }}-fullcert.pem"
    harbor_ssl_cert_key: "{{ WORKING_DIRECTORY }}/certs/{{ DOMAIN_NAME }}-privkey.pem"
    harbor_users: "{{ DOCKER_REPO_USERS }}"

By default, Uncompressing Harbor installer is skipped

When you first run the role you get:

TASK [ Uncompressing Harbor installer...] ************************************************
skipping: [test_server]

That is probably because unarchive sees that {{ harbor_install_dir }}/harbor already exists. It is created by

- name: "Creating Harbor directory... ({{ harbor_install_dir }}/harbor)"
  file: ...
