Verified Commit 4aa51d7e authored by Rafael László's avatar Rafael László :speech_balloon:

Update harbor playbook, add auto retry when docker fails, update k8s iptables rule

parent ad5cb53f
...@@ -22,12 +22,21 @@ ...@@ -22,12 +22,21 @@
src: home/user/harbor/harbor.yml.j2 src: home/user/harbor/harbor.yml.j2
dest: /home/{{ user }}/harbor/harbor.yml dest: /home/{{ user }}/harbor/harbor.yml
- name: Setup harbor (You might need to restart the docker service manually!) - name: Setup harbor
become: yes
shell: "/home/{{ user }}/harbor/install.sh" shell: "/home/{{ user }}/harbor/install.sh"
register: install_command
- name: Restart docker daemon on harbor setup failure
systemd:
name: docker
state: restarted
when: install_command.rc != 0
- name: Setup harbor again (Retry after docker daemon restart)
shell: "/home/{{ user }}/harbor/install.sh"
when: install_command.rc != 0
- name: Add service to start harbor on startup - name: Add service to start harbor on startup
become: yes
template: template:
src: etc/systemd/system/harbor-docker-compose.service src: etc/systemd/system/harbor-docker-compose.service
dest: /etc/systemd/system/harbor-docker-compose.service dest: /etc/systemd/system/harbor-docker-compose.service
...@@ -37,13 +46,11 @@ ...@@ -37,13 +46,11 @@
register: service_conf register: service_conf
- name: System daemon-reload on service file change - name: System daemon-reload on service file change
become: yes
systemd: systemd:
daemon-reload: yes daemon-reload: yes
when: service_conf.changed when: service_conf.changed
- name: Ensure harbor service is enabled - name: Ensure harbor service is enabled
become: yes
systemd: systemd:
name: harbor-docker-compose.service name: harbor-docker-compose.service
enabled: yes enabled: yes
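Review bot: The retry path added in the first hunk looks unreachable: a `shell` task that exits non-zero fails the host by default, so when `install.sh` fails the play stops at "Setup harbor" and the two tasks guarded by `when: install_command.rc != 0` never run. Adding `ignore_errors: yes` (or `failed_when: false`) to the first "Setup harbor" task lets the registered `rc` reach the docker restart and the retry, and the retry task still fails the play if the second attempt also fails. The restart and retry tasks carry no `become`, and the commit appears to drop the per-task `become: yes` lines, so this presumably relies on a play-level `become` outside the visible hunks; worth confirming, since restarting docker needs root. The task list starts and ends outside the hunks.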
...@@ -14,11 +14,11 @@ ...@@ -14,11 +14,11 @@
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT -A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ base_ssh.port }} --src 152.66.0.0/8,192.168.0.0/16,10.0.0.0/8 -j ACCEPT -A INPUT -p tcp -m tcp --dport {{ base_ssh.port }} --src 152.66.0.0/8,10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Accept from the Kubernetes cluster # Accept from the Kubernetes cluster
-A INPUT -p tcp -m tcp --dport 9100 --src 192.168.101.0/24 -j ACCEPT -A INPUT -p tcp -m tcp --dport 9100 --src 10.44.0.0/16 -j ACCEPT
-A INPUT -j DROP -A INPUT -j DROP
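Review bot: The SSH rule keeps `--src 152.66.0.0/8` on the new side, and a /8 mask ignores the second octet, so the rule admits all of 152.0.0.0/8 rather than only 152.66.x.x. If the intent is a single /16, presumably `--src 152.66.0.0/16,10.0.0.0/8` was meant; the commit narrows the list by dropping 192.168.0.0/16 but leaves this wider entry untouched. The same rule's 10.0.0.0/8 also contains the new 10.44.0.0/16 cluster range, so cluster addresses can reach the SSH port as well as 9100; a short comment in the template would record whether that is intended. The chain header and policy lines are outside the hunk.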
......
...@@ -42,7 +42,7 @@ iptables_rules_v6_file: etc/iptables/rules.v6.j2 ...@@ -42,7 +42,7 @@ iptables_rules_v6_file: etc/iptables/rules.v6.j2
user: harbor user: harbor
harbor_hostname: harbor.sch.bme.hu harbor_hostname: harbor.sch.bme.hu
acme_email: laszlo.rafael@kszk.bme.hu acme_email: k8sadmin@sch.bme.hu
sites: sites:
- name: harbor.sch.bme.hu - name: harbor.sch.bme.hu
proxy_to: http://localhost:8080 proxy_to: http://localhost:8080
......