use harbor for docker and helm

This commit is contained in:
ace 2021-02-01 21:17:48 +03:00
parent 643b90eef8
commit 1b8b5973c7
No known key found for this signature in database
GPG Key ID: 32989872B72276A0
13 changed files with 255 additions and 24 deletions

View File

@ -1,6 +1,6 @@
# Common #
namespace: ghp
docker_registry: registry.ghp.0xace.cc
docker_registry: registry.geekhome.org/ghp
domain: example.com
mail_domain: "{{ domain }}"
local_domain: lan
@ -42,19 +42,13 @@ openldap_simple_users:
- { name: testuser1, sn: 6001, uid: 6001, gid: 6001 }
- { name: testuser2, sn: 6002, uid: 6002, gid: 6002 }
## Docker-registry ##
registry_enabled: true
#registry_size: "100Gi"
#registry_storage: "nfs-hdd"
registry_publish: false
## ChartMuseum ##
chartmuseum_enabled: true
#chartmuseum_size: "10Gi"
#chartmuseum_storage: "nfs-hdd"
#chartmuseum_publish: false
#chartmuseum_login: admin
#chartmuseum_pass:
## Harbor ##
harbor_enabled: true
harbor_publish: false
#harbor_registry_size: "100Gi"
#harbor_registry_storage: "nfs-hdd"
#harbor_chartmuseum_size: "50Gi"
#harbor_chartmuseum_storage: "nfs-ssd"
# End User Applications #
## Email ##

View File

@ -33,7 +33,9 @@ ddclient_hosts:
- "{% if chartmuseum_publish | default(false) %}{{ chartsmuseum_short_name | default('charts') }}.{{ domain }}{% else %}omitme{% endif %}"
- "{% if registry_publish | default(false) %}{{ registry_short_name | default('registry') }}.{{ domain }}{% else %}omitme{% endif %}"
- "{% if peertube_publish | default(false) %}{{ peertube_short_name | default('peertube') }}.{{ domain }}{% else %}omitme{% endif %}"
- "{% if harbor_publish | default(false) %}{{ harbor_short_name | default('harbor') }}.{{ domain }}{% else %}omitme{% endif %}"
- "{% if roundcube_publish | default(false) %}{{ roundcube_short_name | default('webmail') }}.{{ domain }}{% else %}omitme{% endif %}"
- "{{ harbor_readonly_ingress | default('omitme') }}"
- "{{ registry_readonly_ingress | default('omitme') }}"
- "{{ chartmuseum_readonly_ingress | default('omitme') }}"
- "{{ wikijs_readonly_ingress | default('omitme') }}"

View File

@ -0,0 +1 @@
harbor_values: {}

View File

@ -65,26 +65,32 @@ nginx:
{% if nextcloud_publish %}
{{ nextcloud_short_name | default('nextcloud') }}.{{ domain }} https_{{ namespace }};
{% endif %}
{% if harbor_publish %}
{{ harbor_short_name | default('harbor') }}.{{ domain }} https_{{ namespace }};
{% endif %}
{% if registry_publish %}
{{ registry_short_name | default('registry') }}.{{ domain }} https_{{ namespace }};
{% endif %}
{% if registry_readonly_ingress %}
{{ registry_readonly_ingress }} https_{{ namespace }};
{% if peertube_publish %}
{{ peertube_short_name | default('peertube') }}.{{ domain }} https_{{ namespace }};
{% endif %}
{% if roundcube_publish %}
{{ roundcube_short_name | default('webmail') }}.{{ domain }} https_{{ namespace }};
{% endif %}
{% if chartmuseum_publish %}
{{ chartsmuseum_short_name | default('charts') }}.{{ domain }} https_{{ namespace }};
{% endif %}
{% if registry_readonly_ingress %}
{{ registry_readonly_ingress }} https_{{ namespace }};
{% endif %}
{% if chartmuseum_readonly_ingress %}
{{ chartmuseum_readonly_ingress }} https_{{ namespace }};
{% endif %}
{% if wikijs_readonly_ingress %}
{{ wikijs_readonly_ingress }} https_{{ namespace }};
{% endif %}
{% if peertube_publish %}
{{ peertube_short_name | default('peertube') }}.{{ domain }} https_{{ namespace }};
{% endif %}
{% if roundcube_publish %}
{{ roundcube_short_name | default('webmail') }}.{{ domain }} https_{{ namespace }};
{% if harbor_readonly_ingress %}
{{ harbor_readonly_ingress }} https_{{ namespace }};
{% endif %}
- name: "k8s-ghp-{{ namespace }}.conf"
data: |-

View File

@ -0,0 +1,5 @@
---
- hosts: k8s
connection: local
roles:
- harbor

View File

@ -17,11 +17,17 @@
- name: Deploy Docker registry
import_role:
name: registry
when: registry_enabled | default(true)
when: registry_enabled | default(false)
tags: registry
- name: Deploy ChartMuseum
import_role:
name: chartmuseum
when: chartmuseum_enabled | default(true)
when: chartmuseum_enabled | default(false)
tags: chartmuseum
- name: Deploy Harbor
import_role:
name: harbor
when: harbor_enabled | default(true)
tags: harbor

View File

@ -0,0 +1,157 @@
harbor_enabled: true
harbor_publish: false
harbor_short_name: "harbor"
harbor_use_external_db: true
harbor_default_values:
expose:
ingress:
hosts:
core: "{{ harbor_short_name }}.{{ domain }}"
notary: "notary.{{ harbor_short_name }}.{{ domain }}"
annotations:
kubernetes.io/ingress.class: "{{ external_ingress_class if harbor_publish else internal_ingress_class }}"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
externalURL: "https://{{ harbor_short_name }}.{{ domain }}"
# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamicly.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
# if you have already existing persistent volumes to use
#
# For storing images and charts, you can also use "azure", "gcs", "s3",
# "swift" or "oss". Set it in the "imageChartStorage" section
persistence:
enabled: true
# Setting it to "keep" to avoid removing PVCs during a helm delete
# operation. Leaving it empty will delete PVCs after the chart deleted
# (this does not apply for PVCs that are created for internal database
# and redis components, i.e. they are never deleted automatically)
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# Use the existing PVC which must be created manually before bound,
# and specify the "subPath" if the PVC is shared with other components
existingClaim: ""
# Specify the "storageClass" used to provision the volume. Or the default
# StorageClass will be used(the default).
# Set it to "-" to disable dynamic provisioning
storageClass: "{{ harbor_registry_storage | default(harbor_storage) | default('nfs-hdd') }}"
subPath: ""
accessMode: "{{ harbor_registry_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
size: "{{ harbor_registry_size | default('100Gi') }}"
chartmuseum:
existingClaim: ""
storageClass: "{{ harbor_charts_storage | default(harbor_storage) | default('nfs-ssd') }}"
subPath: ""
accessMode: "{{ harbor_charts_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
size: "{{ harbor_charts_size | default('50Gi') }}"
jobservice:
existingClaim: ""
storageClass: "{{ harbor_jobservice_storage | default(harbor_storage) | default('nfs-ssd') }}"
subPath: ""
accessMode: "{{ harbor_jobservice_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
size: "{{ harbor_jobservice_size | default('5Gi') }}"
# If external database is used, the following settings for database will
# be ignored
database:
existingClaim: ""
storageClass: "{{ harbor_database_storage | default(harbor_storage) | default('nfs-ssd') }}"
subPath: ""
accessMode: "{{ harbor_database_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
size: "{{ harbor_database_size | default('10Gi') }}"
# If external Redis is used, the following settings for Redis will
# be ignored
redis:
existingClaim: ""
storageClass: "{{ harbor_redis_storage | default(harbor_storage) | default('nfs-ssd') }}"
subPath: ""
accessMode: "{{ harbor_redis_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
size: "{{ harbor_redis_size | default('5Gi') }}"
trivy:
existingClaim: ""
storageClass: "{{ harbor_trivy_storage | default(harbor_storage) | default('nfs-ssd') }}"
subPath: ""
accessMode: "{{ harbor_trivy_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
size: "{{ harbor_trivy_size | default('10Gi') }}"
imagePullPolicy: IfNotPresent
# The update strategy for deployments with persistent volumes(jobservice, registry
# and chartmuseum): "RollingUpdate" or "Recreate"
# Set it as "Recreate" when "RWM" for volumes isn't supported
updateStrategy:
type: RollingUpdate
# debug, info, warning, error or fatal
logLevel: info
# The initial password of Harbor admin. Change it from portal after launching Harbor
harborAdminPassword: "{{ harbor_admin_pass | default(harbor_admin_password) }}"
# The secret key used for encryption. Must be a string of 16 chars.
secretKey: "{{ harbor_encription_key | default('not-a-secure-key') }}"
jobservice:
maxJobWorkers: 32
registry:
credentials:
username: "harbor_registry_user"
password: "{{ harbor_registry_user_password }}"
# If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
# e.g. "htpasswd -nbBC10 $username $password"
htpasswd: "harbor_registry_user:{{ harbor_registry_user_htpasswd_hash }}"
database:
# if external database is used, set "type" to "external"
# and fill the connection informations in "external" section
type: external
external:
host: "{{ postgres_db_team | default(namespace) }}-postgres.{{ postgres_db_namespace | default(namespace) }}.svc.cluster.local"
username: "{{ harbor_db_username | default(omit) }}"
password: "{{ harbor_db_password | default(omit) }}"
coreDatabase: "harbor_registry"
clairDatabase: "harbor_clair"
notaryServerDatabase: "harbor_notary_server"
notarySignerDatabase: "harbor_notary_signer"
harbor_readonly_ingress_definition: |
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: "{{ external_ingress_class }}"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
name: harbor-public-ingress
namespace: "{{ harbor_namespace | default(namespace) }}"
spec:
rules:
- host: "{{ harbor_readonly_ingress }}"
http:
paths:
- backend:
serviceName: harbor-harbor-core
servicePort: 80
path: /v2
pathType: ImplementationSpecific
- backend:
serviceName: harbor-harbor-core
servicePort: 80
path: /chartrepo
- backend:
serviceName: harbor-harbor-core
servicePort: 80
path: /api
pathType: ImplementationSpecific
tls:
- hosts:
- "{{ harbor_readonly_ingress }}"
secretName: "{{ harbor_readonly_ingress }}-tls"

View File

@ -0,0 +1,25 @@
- name: Import secret.yaml to obtain secrets
include_tasks: secrets.yaml
when:
- harbor_use_external_db
- postgres_enabled is defined and postgres_enabled
- set_fact:
harbor_combined_values: "{{ harbor_default_values | combine(harbor_values, recursive=true) }}"
- name: Deploy Harbor
community.kubernetes.helm:
create_namespace: true
release_namespace: "{{ harbor_namespace | default(namespace) }}"
release_name: "{{ harbor_name | default('harbor') }}"
chart_ref: "{{ harbor_chart | default('harbor/harbor') }}"
chart_version: "{{ harbor_version | default(omit) }}"
release_values: "{{ harbor_combined_values | from_yaml }}"
wait: true
- name: Deploy readonly public ingress for Harbor
when: harbor_readonly_ingress is defined
k8s:
state: present
definition:
"{{ harbor_readonly_ingress_definition }}"

View File

@ -0,0 +1,25 @@
- block:
- name: Set DB namespace for secret lookup
set_fact:
db_namespace: "{{ harbor_db_namespace | default(postgres_db_namespace) | default(postgres_namespace) | default(postgres_operator_namespace) | default(namespace) }}"
- name: Set DB secret name for lookup
set_fact:
db_secret_name: "harbor.{{ postgres_db_team | default(namespace) }}-postgres.credentials.postgresql.acid.zalan.do"
- name: Lookup Harbor DB secret
set_fact:
harbor_db_secret: "{{ lookup('k8s', kind='Secret', namespace=db_namespace, resource_name=db_secret_name) }}"
- debug:
msg: "{{ harbor_db_secret }}"
verbosity: 2
- name: Set Harbor DB username
set_fact:
harbor_db_username: "{{ harbor_db_secret.data.username | b64decode }}"
- name: Set Harbor DB password
set_fact:
harbor_db_password: "{{ harbor_db_secret.data.password | b64decode }}"

View File

@ -1,5 +1,5 @@
helm_repos:
- { name: 'ghp', url: 'https://charts.geekhome.org' }
- { name: 'ghp', url: 'https://registry.geekhome.org/chartrepo/ghp' }
- { name: 'jetstack', url: 'https://charts.jetstack.io' }
- { name: 'bitnami', url: 'https://charts.bitnami.com/bitnami' }
- { name: 'drone', url: 'https://charts.drone.io' }
@ -8,3 +8,5 @@ helm_repos:
- { name: 'nextcloud', url: 'https://nextcloud.github.io/helm' }
- { name: 'k8s-at-home', url: 'https://k8s-at-home.com/charts' }
- { name: 'gitea-charts', url: 'https://dl.gitea.io/charts' }
- { name: 'harbor', url: 'https://helm.goharbor.io' }

View File

@ -1,3 +1,4 @@
harbor_readonly_ingress: false
registry_readonly_ingress: false
wikijs_readonly_ingress: false
chartmuseum_readonly_ingress: false

View File

@ -66,6 +66,7 @@ postgres_db_definitions:
wikijs: []
nextcloud: []
roundcube: []
harbor: []
databases:
gitea: gitea
drone: drone
@ -73,6 +74,10 @@ postgres_db_definitions:
wikijs: wikijs
nextcloud: nextcloud
roundcube: roundcube
harbor_registry: harbor
harbor_clair: harbor
harbor_notary_server: harbor
harbor_notary_signer: harbor
preparedDatabases:
peertube:
defaultUsers: true

View File

@ -12,8 +12,10 @@ default_accounts:
- { name: chartmuseum_admin }
- { name: peertube_ldap }
- { name: peertube_admin }
- { name: harbor_admin }
- { name: systemuser }
htpasswd_accounts:
- { name: pypiserver_admin }
- { name: adguard_admin }
- { name: harbor_registry_user }