use harbor for docker and helm

2021-02-01 21:17:48 +03:00 · 2021-02-01 21:17:48 +03:00 · 1b8b5973c7
commit 1b8b5973c7
parent 643b90eef8
13 changed files with 255 additions and 24 deletions
--- a/inventory/ghp/sample/group_vars/all/all.yaml
+++ b/inventory/ghp/sample/group_vars/all/all.yaml
@ -1,6 +1,6 @@
 # Common #
 namespace: ghp
-docker_registry: registry.ghp.0xace.cc
+docker_registry: registry.geekhome.org/ghp
 domain: example.com
 mail_domain: "{{ domain }}"
 local_domain: lan
@ -42,19 +42,13 @@ openldap_simple_users:
  - { name: testuser1, sn: 6001, uid: 6001, gid: 6001 }
  - { name: testuser2, sn: 6002, uid: 6002, gid: 6002 }

-## Docker-registry ##
-registry_enabled: true
-#registry_size: "100Gi"
-#registry_storage: "nfs-hdd"
-registry_publish: false
-
-## ChartMuseum ##
-chartmuseum_enabled: true
-#chartmuseum_size: "10Gi"
-#chartmuseum_storage: "nfs-hdd"
-#chartmuseum_publish: false
-#chartmuseum_login: admin
-#chartmuseum_pass:
+## Harbor ##
+harbor_enabled: true
+harbor_publish: false
+#harbor_registry_size: "100Gi"
+#harbor_registry_storage: "nfs-hdd"
+#harbor_chartmuseum_size: "50Gi"
+#harbor_chartmuseum_storage: "nfs-ssd"

 # End User Applications #
 ## Email ##
--- a/inventory/ghp/sample/group_vars/ddclient.yaml
+++ b/inventory/ghp/sample/group_vars/ddclient.yaml
@ -33,7 +33,9 @@ ddclient_hosts:
  - "{% if chartmuseum_publish | default(false) %}{{ chartsmuseum_short_name | default('charts') }}.{{ domain }}{% else %}omitme{% endif %}"
  - "{% if registry_publish | default(false) %}{{ registry_short_name | default('registry') }}.{{ domain }}{% else %}omitme{% endif %}"
  - "{% if peertube_publish | default(false) %}{{ peertube_short_name | default('peertube') }}.{{ domain }}{% else %}omitme{% endif %}"
+  - "{% if harbor_publish | default(false) %}{{ harbor_short_name | default('harbor') }}.{{ domain }}{% else %}omitme{% endif %}"
  - "{% if roundcube_publish | default(false) %}{{ roundcube_short_name | default('webmail') }}.{{ domain }}{% else %}omitme{% endif %}"
+  - "{{ harbor_readonly_ingress | default('omitme') }}"
  - "{{ registry_readonly_ingress | default('omitme') }}"
  - "{{ chartmuseum_readonly_ingress | default('omitme') }}"
  - "{{ wikijs_readonly_ingress | default('omitme') }}"
--- a/inventory/ghp/sample/group_vars/k8s/harbor.yaml
+++ b/inventory/ghp/sample/group_vars/k8s/harbor.yaml
@ -0,0 +1 @@
+harbor_values: {}
--- a/inventory/ghp/sample/group_vars/web_proxy.yaml
+++ b/inventory/ghp/sample/group_vars/web_proxy.yaml
@ -65,26 +65,32 @@ nginx:
        {% if nextcloud_publish %}
        {{ nextcloud_short_name | default('nextcloud') }}.{{ domain }} https_{{ namespace }};
        {% endif %}
+        {% if harbor_publish %}
+        {{ harbor_short_name | default('harbor') }}.{{ domain }} https_{{ namespace }};
+        {% endif %}
        {% if registry_publish %}
        {{ registry_short_name | default('registry') }}.{{ domain }} https_{{ namespace }};
        {% endif %}
-        {% if registry_readonly_ingress %}
-        {{ registry_readonly_ingress }} https_{{ namespace }};
+        {% if peertube_publish %}
+        {{ peertube_short_name | default('peertube') }}.{{ domain }} https_{{ namespace }};
+        {% endif %}
+        {% if roundcube_publish %}
+        {{ roundcube_short_name | default('webmail') }}.{{ domain }} https_{{ namespace }};
        {% endif %}
        {% if chartmuseum_publish %}
        {{ chartsmuseum_short_name | default('charts') }}.{{ domain }} https_{{ namespace }};
        {% endif %}
+        {% if registry_readonly_ingress %}
+        {{ registry_readonly_ingress }} https_{{ namespace }};
+        {% endif %}
        {% if chartmuseum_readonly_ingress %}
        {{ chartmuseum_readonly_ingress }} https_{{ namespace }};
        {% endif %}
        {% if wikijs_readonly_ingress %}
        {{ wikijs_readonly_ingress }} https_{{ namespace }};
        {% endif %}
-        {% if peertube_publish %}
-        {{ peertube_short_name | default('peertube') }}.{{ domain }} https_{{ namespace }};
-        {% endif %}
-        {% if roundcube_publish %}
-        {{ roundcube_short_name | default('webmail') }}.{{ domain }} https_{{ namespace }};
+        {% if harbor_readonly_ingress %}
+        {{ harbor_readonly_ingress }} https_{{ namespace }};
        {% endif %}
    - name: "k8s-ghp-{{ namespace }}.conf"
      data: |-
--- a/playbooks/ghp/harbor.yaml
+++ b/playbooks/ghp/harbor.yaml
@ -0,0 +1,5 @@
+---
+- hosts: k8s
+  connection: local
+  roles:
+    - harbor
--- a/playbooks/ghp/shared-infra.yaml
+++ b/playbooks/ghp/shared-infra.yaml
@ -17,11 +17,17 @@
  - name: Deploy Docker registry
    import_role: 
      name: registry
-    when: registry_enabled | default(true)
+    when: registry_enabled | default(false)
    tags: registry

  - name: Deploy ChartMuseum
    import_role: 
      name: chartmuseum
-    when: chartmuseum_enabled | default(true)
+    when: chartmuseum_enabled | default(false)
    tags: chartmuseum
+
+  - name: Deploy Harbor
+    import_role: 
+      name: harbor
+    when: harbor_enabled | default(true)
+    tags: harbor
--- a/roles/harbor/defaults/main.yaml
+++ b/roles/harbor/defaults/main.yaml
@ -0,0 +1,157 @@
+harbor_enabled: true
+harbor_publish: false
+harbor_short_name: "harbor"
+harbor_use_external_db: true
+harbor_default_values:
+  expose:
+    ingress:
+      hosts:
+        core: "{{ harbor_short_name }}.{{ domain }}"
+        notary: "notary.{{ harbor_short_name }}.{{ domain }}"
+      annotations:
+        kubernetes.io/ingress.class: "{{ external_ingress_class if harbor_publish else internal_ingress_class }}"
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        nginx.ingress.kubernetes.io/proxy-body-size: "0"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+        nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  externalURL: "https://{{ harbor_short_name }}.{{ domain }}"
+  
+  # The persistence is enabled by default and a default StorageClass
+  # is needed in the k8s cluster to provision volumes dynamicly.
+  # Specify another StorageClass in the "storageClass" or set "existingClaim"
+  # if you have already existing persistent volumes to use
+  #
+  # For storing images and charts, you can also use "azure", "gcs", "s3",
+  # "swift" or "oss". Set it in the "imageChartStorage" section
+  persistence:
+    enabled: true
+    # Setting it to "keep" to avoid removing PVCs during a helm delete
+    # operation. Leaving it empty will delete PVCs after the chart deleted
+    # (this does not apply for PVCs that are created for internal database
+    # and redis components, i.e. they are never deleted automatically)
+    resourcePolicy: "keep"
+    persistentVolumeClaim:
+      registry:
+        # Use the existing PVC which must be created manually before bound,
+        # and specify the "subPath" if the PVC is shared with other components
+        existingClaim: ""
+        # Specify the "storageClass" used to provision the volume. Or the default
+        # StorageClass will be used(the default).
+        # Set it to "-" to disable dynamic provisioning
+        storageClass: "{{ harbor_registry_storage | default(harbor_storage) | default('nfs-hdd') }}"
+        subPath: ""
+        accessMode: "{{ harbor_registry_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
+        size: "{{ harbor_registry_size | default('100Gi') }}"
+      chartmuseum:
+        existingClaim: ""
+        storageClass: "{{ harbor_charts_storage | default(harbor_storage) | default('nfs-ssd') }}"
+        subPath: ""
+        accessMode: "{{ harbor_charts_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
+        size: "{{ harbor_charts_size | default('50Gi') }}"
+      jobservice:
+        existingClaim: ""
+        storageClass: "{{ harbor_jobservice_storage | default(harbor_storage) | default('nfs-ssd') }}"
+        subPath: ""
+        accessMode: "{{ harbor_jobservice_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
+        size: "{{ harbor_jobservice_size | default('5Gi') }}"
+      # If external database is used, the following settings for database will
+      # be ignored
+      database:
+        existingClaim: ""
+        storageClass: "{{ harbor_database_storage | default(harbor_storage) | default('nfs-ssd') }}"
+        subPath: ""
+        accessMode: "{{ harbor_database_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
+        size: "{{ harbor_database_size | default('10Gi') }}"
+      # If external Redis is used, the following settings for Redis will
+      # be ignored
+      redis:
+        existingClaim: ""
+        storageClass: "{{ harbor_redis_storage | default(harbor_storage) | default('nfs-ssd') }}"
+        subPath: ""
+        accessMode: "{{ harbor_redis_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
+        size: "{{ harbor_redis_size | default('5Gi') }}"
+      trivy:
+        existingClaim: ""
+        storageClass: "{{ harbor_trivy_storage | default(harbor_storage) | default('nfs-ssd') }}"
+        subPath: ""
+        accessMode: "{{ harbor_trivy_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
+        size: "{{ harbor_trivy_size | default('10Gi') }}"
+  
+  imagePullPolicy: IfNotPresent
+  
+  # The update strategy for deployments with persistent volumes(jobservice, registry
+  # and chartmuseum): "RollingUpdate" or "Recreate"
+  # Set it as "Recreate" when "RWM" for volumes isn't supported
+  updateStrategy:
+    type: RollingUpdate
+  
+  # debug, info, warning, error or fatal
+  logLevel: info
+  
+  # The initial password of Harbor admin. Change it from portal after launching Harbor
+  harborAdminPassword: "{{ harbor_admin_pass | default(harbor_admin_password) }}"
+  
+  # The secret key used for encryption. Must be a string of 16 chars.
+  secretKey: "{{ harbor_encription_key | default('not-a-secure-key') }}"
+  
+  jobservice:
+    maxJobWorkers: 32
+  registry:
+    credentials:
+      username: "harbor_registry_user"
+      password: "{{ harbor_registry_user_password }}"
+      # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
+      # e.g. "htpasswd -nbBC10 $username $password"
+      htpasswd: "harbor_registry_user:{{ harbor_registry_user_htpasswd_hash }}"
+  
+  database:
+    # if external database is used, set "type" to "external"
+    # and fill the connection informations in "external" section
+    type: external
+    external:
+      host: "{{ postgres_db_team | default(namespace) }}-postgres.{{ postgres_db_namespace | default(namespace) }}.svc.cluster.local"
+      username: "{{ harbor_db_username | default(omit) }}"
+      password: "{{ harbor_db_password | default(omit) }}"
+      coreDatabase: "harbor_registry"
+      clairDatabase: "harbor_clair"
+      notaryServerDatabase: "harbor_notary_server"
+      notarySignerDatabase: "harbor_notary_signer"
+
+harbor_readonly_ingress_definition: |
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      kubernetes.io/ingress.class: "{{ external_ingress_class }}"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    name: harbor-public-ingress
+    namespace: "{{ harbor_namespace | default(namespace) }}"
+  spec:
+    rules:
+    - host: "{{ harbor_readonly_ingress }}"
+      http:
+        paths:
+        - backend:
+            serviceName: harbor-harbor-core
+            servicePort: 80
+          path: /v2
+          pathType: ImplementationSpecific
+        - backend:
+            serviceName: harbor-harbor-core
+            servicePort: 80
+          path: /chartrepo
+        - backend:
+            serviceName: harbor-harbor-core
+            servicePort: 80
+          path: /api
+          pathType: ImplementationSpecific
+    tls:
+    - hosts:
+      - "{{ harbor_readonly_ingress }}"
+      secretName: "{{ harbor_readonly_ingress }}-tls"
+
--- a/roles/harbor/tasks/main.yaml
+++ b/roles/harbor/tasks/main.yaml
@ -0,0 +1,25 @@
+- name: Import secret.yaml to obtain secrets
+  include_tasks: secrets.yaml
+  when:
+    - harbor_use_external_db
+    - postgres_enabled is defined and postgres_enabled
+
+- set_fact:
+    harbor_combined_values: "{{ harbor_default_values | combine(harbor_values, recursive=true) }}"
+
+- name: Deploy Harbor
+  community.kubernetes.helm:
+    create_namespace: true
+    release_namespace: "{{ harbor_namespace | default(namespace) }}"
+    release_name: "{{ harbor_name | default('harbor') }}"
+    chart_ref: "{{ harbor_chart | default('harbor/harbor') }}"
+    chart_version: "{{ harbor_version | default(omit) }}"
+    release_values: "{{ harbor_combined_values | from_yaml }}"
+    wait: true
+
+- name: Deploy readonly public ingress for Harbor
+  when: harbor_readonly_ingress is defined
+  k8s:
+    state: present
+    definition:
+      "{{ harbor_readonly_ingress_definition }}"
--- a/roles/harbor/tasks/secrets.yaml
+++ b/roles/harbor/tasks/secrets.yaml
@ -0,0 +1,25 @@
+- block:
+  - name: Set DB namespace for secret lookup
+    set_fact:
+      db_namespace: "{{ harbor_db_namespace | default(postgres_db_namespace) | default(postgres_namespace) | default(postgres_operator_namespace) | default(namespace) }}"
+
+  - name: Set DB secret name for lookup
+    set_fact:
+      db_secret_name: "harbor.{{ postgres_db_team | default(namespace) }}-postgres.credentials.postgresql.acid.zalan.do"
+
+  - name: Lookup Harbor DB secret
+    set_fact:
+      harbor_db_secret: "{{ lookup('k8s', kind='Secret', namespace=db_namespace, resource_name=db_secret_name) }}"
+
+  - debug:
+      msg: "{{ harbor_db_secret }}"
+      verbosity: 2
+
+  - name: Set Harbor DB username
+    set_fact:
+      harbor_db_username: "{{ harbor_db_secret.data.username | b64decode }}"
+
+  - name: Set Harbor DB password
+    set_fact:
+      harbor_db_password: "{{ harbor_db_secret.data.password | b64decode }}"
+
--- a/roles/helm-repos/defaults/main.yaml
+++ b/roles/helm-repos/defaults/main.yaml
@ -1,5 +1,5 @@
 helm_repos:
-  - { name: 'ghp', url: 'https://charts.geekhome.org' }
+  - { name: 'ghp', url: 'https://registry.geekhome.org/chartrepo/ghp' }
  - { name: 'jetstack', url: 'https://charts.jetstack.io' }
  - { name: 'bitnami', url: 'https://charts.bitnami.com/bitnami' }
  - { name: 'drone', url: 'https://charts.drone.io' }
@ -8,3 +8,5 @@ helm_repos:
  - { name: 'nextcloud', url: 'https://nextcloud.github.io/helm' }
  - { name: 'k8s-at-home', url: 'https://k8s-at-home.com/charts' }
  - { name: 'gitea-charts', url: 'https://dl.gitea.io/charts' }
+  - { name: 'harbor', url: 'https://helm.goharbor.io' }
+
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -1,3 +1,4 @@
+harbor_readonly_ingress: false
 registry_readonly_ingress: false
 wikijs_readonly_ingress: false
 chartmuseum_readonly_ingress: false
--- a/roles/postgres/defaults/main.yaml
+++ b/roles/postgres/defaults/main.yaml
@ -66,6 +66,7 @@ postgres_db_definitions:
        wikijs: []
        nextcloud: []
        roundcube: []
+        harbor: []
      databases:
        gitea: gitea
        drone: drone
@ -73,6 +74,10 @@ postgres_db_definitions:
        wikijs: wikijs
        nextcloud: nextcloud
        roundcube: roundcube
+        harbor_registry: harbor
+        harbor_clair: harbor
+        harbor_notary_server: harbor
+        harbor_notary_signer: harbor
      preparedDatabases:
        peertube:
          defaultUsers: true
--- a/roles/pwgen/defaults/main.yaml
+++ b/roles/pwgen/defaults/main.yaml
@ -12,8 +12,10 @@ default_accounts:
  - { name: chartmuseum_admin }
  - { name: peertube_ldap }
  - { name: peertube_admin }
+  - { name: harbor_admin }
  - { name: systemuser }

 htpasswd_accounts:
  - { name: pypiserver_admin }
  - { name: adguard_admin }
+  - { name: harbor_registry_user }