From 488a36ace94062e9331e43f6490db3676ebb6f34 Mon Sep 17 00:00:00 2001
From: djpbessems
Date: Fri, 19 Mar 2021 13:32:52 +0100
Subject: [PATCH] Replay changes
---
.drone.yml | 37 ++++++
inventory.yml | 13 ++
playbook.yml | 7 ++
roles/dockerhost/tasks/main.yml | 77 ++++++++++++
roles/registry/files/harbor.yml | 211 ++++++++++++++++++++++++++++++++
roles/registry/tasks/main.yml | 31 +++++
6 files changed, 376 insertions(+)
create mode 100644 .drone.yml
create mode 100644 inventory.yml
create mode 100644 playbook.yml
create mode 100644 roles/dockerhost/tasks/main.yml
create mode 100644 roles/registry/files/harbor.yml
create mode 100644 roles/registry/tasks/main.yml
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..3ab9f5e
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,37 @@
+kind: pipeline
+type: kubernetes
+name: harbor
+
+steps:
+- name: Check syntax
+ image: plugins/ansible:1
+# environment:
+# additional_var:
+# from_secret: additional_var
+# another_var: foo
+ settings:
+ playbook: playbook.yml
+ inventory: inventory.yml
+ syntax_check: true
+
+- name: Apply playbook
+ image: plugins/ansible:1
+# environment:
+# additional_var:
+# from_secret: additional_var
+# another_var: foo
+ volumes:
+ - name: certificates
+ path: /certificates
+ settings:
+ playbook: playbook.yml
+ inventory: inventory.yml
+ private_key:
+ from_secret: ssh_privatekey
+ # vault_password:
+ # from_secret: ansible_vault_password
+
+volumes:
+- name: certificates
+ claim:
+ name: flexvolsmb-drone-certs
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..35ab4fe
--- /dev/null
+++ b/inventory.yml
@@ -0,0 +1,13 @@
+all:
+ children:
+ registry:
+ # vars:
+ # # Credentials for Dockerhub
+ # docker_username: # TODO add your ENCRYPTED Docker Hub username here
+ # docker_password: # TODO add your ENCRYPTED Docker Hub password here
+ hosts:
+ bv11-cr01:
+ ansible_host: bv11-cr01.bessems.eu
+
+ # apps:
+ # - harbor
\ No newline at end of file
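Review bot: The `Apply playbook` step in `.drone.yml` is not gated by a `trigger:` stanza or a step-level `when:`, so as written it appears to deploy on every event that reaches this pipeline, with the `ssh_privatekey` secret and the `certificates` claim attached, while only `Check syntax` needs to run unconditionally. Consider adding a pipeline-level `trigger:` limited to the deployment branch and `event: [push]` (or a `promote` event), with the branch name taken from the repository's default branch. Both steps also use the moving tag `plugins/ansible:1`; pinning a full version or an image digest would make the runner reproducible.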
diff --git a/playbook.yml b/playbook.yml
new file mode 100644
index 0000000..d15c98a
--- /dev/null
+++ b/playbook.yml
@@ -0,0 +1,7 @@
+---
+- hosts: registry
+ remote_user: root
+ gather_facts: false
+ roles:
+ - dockerhost
+ - registry
diff --git a/roles/dockerhost/tasks/main.yml b/roles/dockerhost/tasks/main.yml
new file mode 100644
index 0000000..b2a6c21
--- /dev/null
+++ b/roles/dockerhost/tasks/main.yml
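Review bot: `remote_user: root` logs straight in as root over SSH with the CI's `ssh_privatekey`, which requires root SSH login to stay enabled on the registry host; the least-privilege form is an unprivileged deploy user plus privilege escalation, i.e. `remote_user: <deploy-user>` and `become: true` on the play. `gather_facts: false` also withholds `ansible_distribution_release` from the roles, which is presumably why the dockerhost role shells out to `lsb_release -cs`; gathering facts (or a `setup:` task) would let the repo line use the fact instead of a registered command result.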
@@ -0,0 +1,77 @@
+- name: Remove undesired packages
+ apt:
+ name:
+ - containerd
+ - docker
+ - docker-engine
+ - docker.io
+ - runc
+ - snapd
+ state: absent
+ autoremove: yes
+ purge: yes
+
+- name: Install prereqs for custom apt repository over https
+ apt:
+ update_cache: yes
+ name:
+ - apt-transport-https
+ - ca-certificates
+ - curl
+ - gnupg-agent
+ - software-properties-common
+ state: present
+
+- name: Add Docker repo key
+ apt_key:
+ url: https://download.docker.com/linux/ubuntu/gpg
+ id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+ state: present
+
+- name: Determine Ubuntu distribution name
+ command: lsb_release -cs
+ register: releasename
+
+- name: Add Docker apt repository
+ apt_repository:
+ repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ releasename.stdout }} stable
+ state: present
+
+# Pinning versions due to odd DNS issue in 20.x
+- name: Pin Docker engine to specific version
+ copy:
+ dest: "{{ item.dest }}"
+ content: "{{ item.content }}"
+ with_items:
+ - dest: /etc/apt/preferences.d/docker-ce
+ content: |
+ Package: docker-ce
+ Pin: version 5:19.03.13~3-0~ubuntu-focal
+ Pin-Priority: 1001
+ - dest: /etc/apt/preferences.d/docker-ce-cli
+ content: |
+ Package: docker-ce-cli
+ Pin: version 5:19.03.13~3-0~ubuntu-focal
+ Pin-Priority: 1001
+
+- name: Install Docker engine
+ apt:
+ update_cache: yes
+ allow_unauthenticated: yes
+ name:
+ # - docker-ce=5:19.03.13~3-0~ubuntu-focal
+ # - docker-ce-cli=5:19.03.13~3-0~ubuntu-focal
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+
+- name: Install Docker Compose
+ get_url:
+ url: https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64
+ dest: /usr/local/bin/docker-compose
+ mode: '0755'
+
+- name: Add Docker Compose to path
+ command: ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+ args:
+ creates: /usr/bin/docker-compose
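Review bot: `allow_unauthenticated: yes` in the `Install Docker engine` task turns off apt signature verification for the docker-ce packages, which undoes the `Add Docker repo key` task a few steps earlier; if the install fails without it, the cause is a key or suite problem that should be fixed rather than bypassed, so drop that line. `Install Docker Compose` fetches a binary from GitHub with no `checksum:`, so a substituted release would be installed silently; add `checksum: sha256:<sha256-of-docker-compose-1.27.4>` (placeholder, taken from the release's checksum file). The pin files hard-code `~ubuntu-focal` while the repo line is built from `{{ releasename.stdout }}`, so on any other release the pin silently never matches; if this host is always focal, a comment saying so would help. Minor style: the `ln -s` command would be more idiomatic as `file:` with `state: link`, and the `yes` booleans could be `true`.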
diff --git a/roles/registry/files/harbor.yml b/roles/registry/files/harbor.yml
new file mode 100644
index 0000000..2403e09
--- /dev/null
+++ b/roles/registry/files/harbor.yml
@@ -0,0 +1,211 @@
+# Configuration file of Harbor
+
+# The IP address or hostname to access admin UI and registry service.
+# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
+hostname: bv11-cr01.bessems.eu
+
+# http related config
+http:
+ # port for http, default is 80. If https enabled, this port will redirect to https port
+ port: 80
+
+# https related config
+https:
+ # https port for harbor, default is 443
+ port: 443
+ # The path of cert and key files for nginx
+ certificate: /tmp/harbor/certificate.crt
+ private_key: /tmp/harbor/privatekey.key
+
+# # Uncomment following will enable tls communication between all harbor components
+# internal_tls:
+# # set enabled to true means internal tls is enabled
+# enabled: true
+# # put your cert and key files on dir
+# dir: /etc/harbor/tls/internal
+
+# Uncomment external_url if you want to enable external proxy
+# And when it enabled the hostname will no longer used
+#external_url: https://registry.spamasaurus.com
+
+# The initial password of Harbor admin
+# It only works in first time to install harbor
+# Remember Change the admin password from UI after launching Harbor.
+harbor_admin_password: Harbor12345
+
+# Harbor DB configuration
+database:
+ # The password for the root user of Harbor DB. Change this before any production use.
+ password: ccU3AQjwZ5yLEFE26p6YZFWj2jp5jq89
+ # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
+ max_idle_conns: 50
+ # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
+ # Note: the default number of connections is 1024 for postgres of harbor.
+ max_open_conns: 1000
+
+# The default data volume
+data_volume: /data
+
+# Harbor Storage settings by default is using /data dir on local filesystem
+# Uncomment storage_service setting If you want to using external storage
+# storage_service:
+# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
+# # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
+# ca_bundle:
+
+# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
+# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
+# filesystem:
+# maxthreads: 100
+# # set disable to true when you want to disable registry redirect
+# redirect:
+# disabled: false
+
+# Clair configuration
+clair:
+ # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
+ updaters_interval: 6
+
+# Trivy configuration
+#
+# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
+# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
+# 12 hours and published as a new release to GitHub.
+trivy:
+ # ignoreUnfixed The flag to display only fixed vulnerabilities
+ ignore_unfixed: false
+ # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
+ #
+ # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+ # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
+ # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
+ skip_update: false
+ #
+ # insecure The flag to skip verifying registry certificate
+ insecure: false
+ # github_token The GitHub access token to download Trivy DB
+ #
+ # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
+ # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
+ # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
+ # https://developer.github.com/v3/#rate-limiting
+ #
+ # You can create a GitHub token by following the instructions in
+ # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+ #
+ github_token: cf7da8f07d2dc9f63ad45f07b74f1162c82a99fa
+
+jobservice:
+ # Maximum number of job workers in job service
+ max_job_workers: 10
+
+notification:
+ # Maximum retry count for webhook job
+ webhook_job_max_retry: 10
+
+chart:
+ # Change the value of absolute_url to enabled can enable absolute url in chart
+ absolute_url: disabled
+
+# Log configurations
+log:
+ # options are debug, info, warning, error, fatal
+ level: info
+ # configs for logs in local storage
+ local:
+ # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
+ rotate_count: 50
+ # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
+ # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
+ # are all valid.
+ rotate_size: 200M
+ # The directory on your host that store log
+ location: /var/log/harbor
+
+ # Uncomment following lines to enable external syslog endpoint.
+ # external_endpoint:
+ # # protocol used to transmit log to external endpoint, options is tcp or udp
+ # protocol: tcp
+ # # The host of external endpoint
+ # host: localhost
+ # # Port of external endpoint
+ # port: 5140
+
+#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
+_version: 2.0.0
+
+# Uncomment external_database if using external database.
+# external_database:
+# harbor:
+# host: harbor_db_host
+# port: harbor_db_port
+# db_name: harbor_db_name
+# username: harbor_db_username
+# password: harbor_db_password
+# ssl_mode: disable
+# max_idle_conns: 2
+# max_open_conns: 0
+# clair:
+# host: clair_db_host
+# port: clair_db_port
+# db_name: clair_db_name
+# username: clair_db_username
+# password: clair_db_password
+# ssl_mode: disable
+# notary_signer:
+# host: notary_signer_db_host
+# port: notary_signer_db_port
+# db_name: notary_signer_db_name
+# username: notary_signer_db_username
+# password: notary_signer_db_password
+# ssl_mode: disable
+# notary_server:
+# host: notary_server_db_host
+# port: notary_server_db_port
+# db_name: notary_server_db_name
+# username: notary_server_db_username
+# password: notary_server_db_password
+# ssl_mode: disable
+
+# Uncomment external_redis if using external Redis server
+# external_redis:
+# # support redis, redis+sentinel
+# # host for redis: :
+# # host for redis+sentinel:
+# # :,:,:
+# host: redis:6379
+# password:
+# # sentinel_master_set must be set to support redis+sentinel
+# #sentinel_master_set:
+# # db_index 0 is for core, it's unchangeable
+# registry_db_index: 1
+# jobservice_db_index: 2
+# chartmuseum_db_index: 3
+# clair_db_index: 4
+# trivy_db_index: 5
+# idle_timeout_seconds: 30
+
+# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
+# uaa:
+# ca_file: /path/to/ca
+
+# Global proxy
+# Config http proxy for components, e.g. http://my.proxy.com:3128
+# Components doesn't need to connect to each others via http proxy.
+# Remove component from `components` array if want disable proxy
+# for it. If you want use proxy for replication, MUST enable proxy
+# for core and jobservice, and set `http_proxy` and `https_proxy`.
+# Add domain to the `no_proxy` field, when you want disable proxy
+# for some special registry.
+proxy:
+ http_proxy:
+ https_proxy:
+ no_proxy:
+ components:
+ - core
+ - jobservice
+ - clair
+ - trivy
+
diff --git a/roles/registry/tasks/main.yml b/roles/registry/tasks/main.yml
new file mode 100644
index 0000000..450ddb3
--- /dev/null
+++ b/roles/registry/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: Download Harbor installer
+ get_url:
+ url: https://github.com/goharbor/harbor/releases/download/v2.2.0/harbor-online-installer-v2.2.0.tgz
+ dest: /tmp/harbor-installer.tgz
+ mode: '0777'
+- name: Extract installer
+ unarchive:
+ src: /tmp/harbor-installer.tgz
+ dest: /tmp
+ remote_src: yes
+- name: Copy Harbor configuration file and public/private keys
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ backup: "{{ item.backup }}"
+ with_items:
+ - src: harbor.yml
+ dest: /tmp/harbor
+ backup: yes
+ - src: /certificates/*.bessems.eu/certificate.crt
+ dest: /tmp/harbor
+ backup: no
+ - src: /certificates/*.bessems.eu/privatekey.key
+ dest: /tmp/harbor
+ backup: no
+- name: Install Harbor
+ command: /tmp/harbor/install.sh --with-trivy
+- name: Delete temporary files
+ file:
+ path: /tmp/harbor-installer.tgz
+ state: absent
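Review bot: This harbor.yml commits live secrets to the repository as a static file: `harbor_admin_password: Harbor12345` is Harbor's well-known default, `database.password` is a concrete value directly under the comment telling the reader to change it, and `trivy.github_token` is a GitHub personal access token in plaintext. The token and the DB password should be treated as exposed and rotated, and the file should be rendered by the `template` module from vault-encrypted or `from_secret` variables (the pipeline already carries a commented-out `vault_password`) instead of being shipped from `roles/registry/files`. `certificate:` and `private_key:` also point at `/tmp/harbor/…`; if Harbor keeps reading them from that path after install rather than copying them into its own data directory, the key stays in a shared tmp directory and the paths should move under `/etc/harbor` or `/data`.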
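Review bot: `mode: '0777'` on the downloaded tarball in `Download Harbor installer` makes it world-writable between download and the `unarchive` that runs its contents; `'0644'` is sufficient, and since the `get_url` has no `checksum:`, a substituted release would be installed silently, so add `checksum: sha256:<sha256-of-harbor-online-installer-v2.2.0>` (placeholder from the release assets). The `Copy Harbor configuration file and public/private keys` task copies `privatekey.key` into `/tmp/harbor` without a `mode:`, so it gets the module default (typically 0644) in a shared tmp directory; give that item `mode: '0600'`, e.g. via a per-item `mode: "{{ item.mode }}"`. `Delete temporary files` removes only the tarball and leaves `/tmp/harbor`, including the key, on disk; either remove that directory once `install.sh` has finished or stage the files outside `/tmp`.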