diff --git a/.gitignore b/.gitignore index e7948523..529a4171 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,8 @@ # doc build environment and artifacts doc/build +doc/source/_build .tox/ +.vscode/ + +tools/deployment/vagrant/.vagrant \ No newline at end of file diff --git a/charts/Makefile b/charts/Makefile index d71fa28a..c3f8dc7a 100644 --- a/charts/Makefile +++ b/charts/Makefile @@ -15,9 +15,8 @@ SHELL := /bin/bash TASK := build EXCLUDES := playbooks roles doc tests tools logs tmp zuul.d releasenotes -# FIXME(lamt): Excluding the dex-aio as there are linting errors and should be -# fixed in follow on patch. Once that's done, this can be removed. -EXCLUDES += dex-aio loki grafana nfs +# NOTE(Portdirect): Exlude chart directories that are presnt only for the purposes of housing over-rides +EXCLUDES += harbor loki gerrit CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.))) .PHONY: $(EXCLUDES) $(CHARTS) @@ -47,11 +46,5 @@ clean: rm -f *tgz */charts/*tgz */requirements.lock rm -rf */charts */tmpcharts -pull-all-images: - @./tools/pull-images.sh - -pull-images: - @./tools/pull-images.sh $(filter-out $@,$(MAKECMDGOALS)) - %: @: diff --git a/charts/dex-aio/.helmignore b/charts/dex-aio/.helmignore index 0e8a0eb3..51ccab8d 100644 --- a/charts/dex-aio/.helmignore +++ b/charts/dex-aio/.helmignore @@ -1,23 +1 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +values_overrides \ No newline at end of file diff --git a/charts/dex-aio/templates/ClusterRole-dex.yaml b/charts/dex-aio/templates/ClusterRole-dex.yaml index f3bec5d9..0127d7c0 100644 --- a/charts/dex-aio/templates/ClusterRole-dex.yaml +++ b/charts/dex-aio/templates/ClusterRole-dex.yaml @@ -1,6 +1,6 @@ {{- define "ClusterRole-dex" -}} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "helpers.labels.fullname" . }} diff --git a/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml b/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml index c94a60a7..d1d619bf 100644 --- a/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml +++ b/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml @@ -1,6 +1,6 @@ {{- define "ClusterRoleBinding-dex" -}} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ template "helpers.labels.fullname" . }} diff --git a/charts/dex-aio/templates/Role-dex.yaml b/charts/dex-aio/templates/Role-dex.yaml index d893dbfd..d343b133 100644 --- a/charts/dex-aio/templates/Role-dex.yaml +++ b/charts/dex-aio/templates/Role-dex.yaml @@ -1,6 +1,6 @@ {{- define "Role-dex" -}} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "helpers.labels.fullname" . }} diff --git a/charts/dex-aio/templates/RoleBinding-dex.yaml b/charts/dex-aio/templates/RoleBinding-dex.yaml index 25b68833..561ffb46 100644 --- a/charts/dex-aio/templates/RoleBinding-dex.yaml +++ b/charts/dex-aio/templates/RoleBinding-dex.yaml @@ -1,6 +1,6 @@ {{- define "RoleBinding-dex" -}} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "helpers.labels.fullname" . }} diff --git a/charts/dex-aio/templates/helpers/_template.tpl b/charts/dex-aio/templates/helpers/_template.tpl index 82dfbc25..b54f54e3 100644 --- a/charts/dex-aio/templates/helpers/_template.tpl +++ b/charts/dex-aio/templates/helpers/_template.tpl @@ -9,26 +9,20 @@ {{- $_ := set $local "merge_same_named" $.merge_same_named -}} {{- end -}} {{- end -}} - {{- $_ := set $local "input" ( fromYaml ( toString ( include $.template_definition $.Global ) ) ) -}} - {{- $target := dict -}} - - {{ $overlay_keys := regexSplit "-+" ( trimSuffix ".yaml" ( lower ( base $.Global.Template.Name ) ) ) 2 }} - + {{- $overlay_keys := regexSplit "-+" ( trimSuffix ".yaml" ( lower ( base $.Global.Template.Name ) ) ) 2 }} {{- $_ := set $local "overlay" dict -}} {{- if hasKey $.Global.Values.over_rides ( index $overlay_keys 0 ) -}} {{- if hasKey ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ) ( index $overlay_keys 1 ) -}} {{- $_ := set $local "overlay" ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ( index $overlay_keys 1 ) ) -}} - {{ end }} - {{ end }} - + {{- end }} + {{- end }} {{- range $item := tuple $local.input $local.overlay -}} {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}} {{- $_ := include "helpers._merge" $call -}} {{- $_ := set $local "result" $call.result -}} {{- end -}} - {{- if kindIs "map" $ -}} {{- $_ := set $ "result" $local.result -}} {{- end -}} @@ -37,14 +31,11 @@ {{- define "helpers._merge" -}} {{- $local := dict -}} - {{- $_ := set $ "result" $.source -}} - {{/* TODO: Should we `fail` when trying to merge a collection (map or slice) with either a different kind of collection or a scalar? */}} - {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}} {{- range $key, $sourceValue := $.source -}} {{- if not (hasKey $.target $key) -}} @@ -77,7 +68,6 @@ {{- $_ := set $local "has_name_key" true -}} {{- end -}} {{- end -}} - {{- if $local.has_name_key -}} {{- if hasKey $local.named_items $item.name -}} {{- $named_item := index $local.named_items $item.name -}} @@ -114,4 +104,4 @@ {{- $_ := set $local "result" (append $local.result $value) -}} {{- end -}} {{- $_ := set $ "result" $local.result -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/gerrit/values_overrides/default-default.yaml b/charts/gerrit/values_overrides/default-default.yaml new file mode 100644 index 00000000..36978a30 --- /dev/null +++ b/charts/gerrit/values_overrides/default-default.yaml @@ -0,0 +1,11 @@ +#NOTE(portdirect): we use the following images, untill https://gerrit-review.googlesource.com/c/k8s-gerrit/+/230465 is resolved. +images: + registry: + name: quay.io + version: v0.1-191-g251041b-dirty-3.3.0 +gerrit: + images: + gerritInit: port/gerrit-init + gerrit: port/gerrit +gitGC: + image: port/git-gc \ No newline at end of file diff --git a/charts/gerrit/values_overrides/default.yaml b/charts/gerrit/values_overrides/default.yaml new file mode 100644 index 00000000..814ab169 --- /dev/null +++ b/charts/gerrit/values_overrides/default.yaml @@ -0,0 +1,76 @@ + +storageClasses: + default: + name: standard + shared: + name: standard + +ingress: + enabled: true + host: gerrit.jarvis.local + additionalAnnotations: + cert-manager.io/cluster-issuer: jarvis-ca-issuer + tls: + enabled: true + secret: + create: false + name: gerrit-tls + +gerrit: + service: + ssh: + enabled: true + port: 29418 + + etc: + # Some values are expected to have a specific value for the deployment installed + # by this chart to work. These are marked with `# FIXED`. + # Do not change them! + config: + gerrit.config: |- + [gerrit] + basePath = git # FIXED + serverId = gerrit-1 + # The canonical web URL has to be set to the Ingress host, if an Ingress + # is used. If a LoadBalancer-service is used, this should be set to the + # LoadBalancer's external IP. This can only be done manually after installing + # the chart, when you know the external IP the LoadBalancer got from the + # cluster. + canonicalWebUrl = http://gerrit.jarvis.local/ + disableReverseDnsLookup = true + [index] + type = LUCENE + onlineUpgrade = false # FIXED + [auth] + type = DEVELOPMENT_BECOME_ANY_ACCOUNT + [httpd] + # If using an ingress use proxy-http or proxy-https + listenUrl = proxy-http://*:8080/ + requestLog = true + [sshd] + listenAddress = off + [transfer] + timeout = 120 s + [user] + name = Gerrit Code Review + email = gerrit@example.com + anonymousCoward = Unnamed User + [cache] + directory = cache + [container] + user = gerrit # FIXED + javaHome = /usr/lib/jvm/java-11-openjdk # FIXED + javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED + javaOptions = -Xms200m + # Has to be lower than 'gerrit.resources.limits.memory'. Also + # consider memories used by other applications in the container. + javaOptions = -Xmx4g + replication.config: |- + [gerrit] + autoReload = false + replicateOnStartup = true + defaultForceUpdate = true + # [remote "replica"] + # url = http://gerrit-replica.example.com/git/${name}.git + # replicationDelay = 0 + # timeout = 30 \ No newline at end of file diff --git a/charts/grafana/values_overrides/grafana.yaml b/charts/grafana/values_overrides/grafana.yaml deleted file mode 100644 index dc588703..00000000 --- a/charts/grafana/values_overrides/grafana.yaml +++ /dev/null @@ -1,79 +0,0 @@ -ingress: - enabled: true - hosts: ["grafana","grafana.jarvis","grafana.jarvis.svc.cluster.local"] - public: true - annotations: - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "X-Frame-Options: deny"; - more_set_headers "X-XSS-Protection: 1; mode=block"; - nginx.ingress.kubernetes.io/rewrite-target: / - labels: {} - path: / - hosts: - - grafana-jarvis.domain - ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. - extraPaths: [] - # - path: /* - # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - -## Enable persistence using Persistent Volume Claims -## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ -## -persistence: - type: pvc - enabled: false - storageClassName: nfs-provisioner - accessModes: - - ReadWriteOnce - size: 10Gi - # annotations: {} - finalizers: - - kubernetes.io/pvc-protection - # selectorLabels: {} - # subPath: "" - # existingClaim: - - -# Administrator credentials when not using an existing secret (see below) -adminUser: admin -# adminPassword: strongpassword - -# Use an existing secret for the admin user. -admin: - existingSecret: "" - userKey: admin-user - passwordKey: admin-password - -## Define command to be executed at startup by grafana container -## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) -## Default is "run.sh" as defined in grafana's Dockerfile -# command: -# - "sh" -# - "/run.sh" - -## Configure grafana datasources -## ref: http://docs.grafana.org/administration/provisioning/#datasources -## -datasources: - datasources.yaml: - apiVersion: 1 - datasources: - - name: Loki - type: loki - access: proxy - url: http://loki.loki-stack:3100 - version: 1 diff --git a/charts/harbor/Chart.yaml b/charts/harbor/Chart.yaml deleted file mode 100644 index 20f07819..00000000 --- a/charts/harbor/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v2 -name: harbor -version: 1.4.0-dev -appVersion: dev -description: An open source trusted cloud native registry that stores, signs, and scans content -keywords: -- docker -- registry -- harbor -home: https://goharbor.io -icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png -sources: -- https://github.com/goharbor/harbor -- https://github.com/goharbor/harbor-helm -engine: gotpl diff --git a/charts/harbor/cert/tls.crt b/charts/harbor/cert/tls.crt deleted file mode 100644 index de4aa3e0..00000000 --- a/charts/harbor/cert/tls.crt +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw -NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o -F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr -PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT -RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q -LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp -UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q -w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc -jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr -vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d -1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN -2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA -AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA -FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL -BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS -Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA -er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY -Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ -qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n -KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB -Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2 -52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1 -2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F -5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX -jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe ------END CERTIFICATE----- diff --git a/charts/harbor/cert/tls.key b/charts/harbor/cert/tls.key deleted file mode 100644 index 014e2faf..00000000 --- a/charts/harbor/cert/tls.key +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o -F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr -PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT -RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q -LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp -UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q -w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc -jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr -vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d -1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN -2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA -AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/ -k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4 -MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu -XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz -ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5 -F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K -F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97 -b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5 -fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ -yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um -lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW -YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+ -viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1 -pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+ -/wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA -So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt -DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3 -YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn -IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW -gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf -Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC -oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb -FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN -c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn -YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf -Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl -IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ -rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi -vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj -yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g -1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil -u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M -BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK -OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y -AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e -Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh -cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q -OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04 ------END RSA PRIVATE KEY----- diff --git a/charts/harbor/conf/clair.yaml b/charts/harbor/conf/clair.yaml deleted file mode 100644 index 1cdac908..00000000 --- a/charts/harbor/conf/clair.yaml +++ /dev/null @@ -1,16 +0,0 @@ -clair: - database: - type: pgsql - options: - source: "{{ template "harbor.database.clair" . }}" - # Number of elements kept in the cache - # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. - cachesize: 16384 - api: - # API server port - port: 6060 - healthport: 6061 - # Deadline before an API request will respond with a 503 - timeout: 300s - updater: - interval: {{ .Values.clair.updatersInterval }}h diff --git a/charts/harbor/conf/notary-server.json b/charts/harbor/conf/notary-server.json deleted file mode 100644 index b3c26241..00000000 --- a/charts/harbor/conf/notary-server.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "server": { - "http_addr": ":4443" - }, - "trust_service": { - "type": "remote", - "hostname": "{{ template "harbor.notary-signer" . }}", - "port": "7899", - "tls_ca_file": "/etc/ssl/notary/ca.crt", - "key_algorithm": "ecdsa" - }, - "logging": { - "level": "{{ .Values.logLevel }}" - }, - "storage": { - "backend": "postgres", - "db_url": "{{ template "harbor.database.notaryServer" . }}" - }, - "auth": { - "type": "token", - "options": { - "realm": "{{ .Values.externalURL }}/service/token", - "service": "harbor-notary", - "issuer": "harbor-token-issuer", - "rootcertbundle": "/root.crt" - } - } -} \ No newline at end of file diff --git a/charts/harbor/conf/notary-signer.json b/charts/harbor/conf/notary-signer.json deleted file mode 100644 index 75a4d68b..00000000 --- a/charts/harbor/conf/notary-signer.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "server": { - "grpc_addr": ":7899", - "tls_cert_file": "/etc/ssl/notary/tls.crt", - "tls_key_file": "/etc/ssl/notary/tls.key" - }, - "logging": { - "level": "{{ .Values.logLevel }}" - }, - "storage": { - "backend": "postgres", - "db_url": "{{ template "harbor.database.notarySigner" . }}", - "default_alias": "defaultalias" - } -} \ No newline at end of file diff --git a/charts/harbor/templates/_helpers.tpl b/charts/harbor/templates/_helpers.tpl deleted file mode 100644 index 3a491070..00000000 --- a/charts/harbor/templates/_helpers.tpl +++ /dev/null @@ -1,583 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "harbor.name" -}} -{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "harbor.fullname" -}} -{{- $name := default "harbor" .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Helm required labels */}} -{{- define "harbor.labels" -}} -heritage: {{ .Release.Service }} -release: {{ .Release.Name }} -chart: {{ .Chart.Name }} -app: "{{ template "harbor.name" . }}" -{{- end -}} - -{{/* matchLabels */}} -{{- define "harbor.matchLabels" -}} -release: {{ .Release.Name }} -app: "{{ template "harbor.name" . }}" -{{- end -}} - -{{- define "harbor.autoGenCert" -}} - {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.autoGenCertForIngress" -}} - {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.autoGenCertForNginx" -}} - {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.host" -}} - {{- if eq .Values.database.type "internal" -}} - {{- template "harbor.database" . }} - {{- else -}} - {{- .Values.database.external.host -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.port" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "5432" -}} - {{- else -}} - {{- .Values.database.external.port -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.username" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "postgres" -}} - {{- else -}} - {{- .Values.database.external.username -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.rawPassword" -}} - {{- if eq .Values.database.type "internal" -}} - {{- .Values.database.internal.password -}} - {{- else -}} - {{- .Values.database.external.password -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.escapedRawPassword" -}} - {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} -{{- end -}} - -{{- define "harbor.database.encryptedPassword" -}} - {{- include "harbor.database.rawPassword" . | b64enc | quote -}} -{{- end -}} - -{{- define "harbor.database.coreDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "registry" -}} - {{- else -}} - {{- .Values.database.external.coreDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.clairDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "postgres" -}} - {{- else -}} - {{- .Values.database.external.clairDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.notaryServerDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "notaryserver" -}} - {{- else -}} - {{- .Values.database.external.notaryServerDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.notarySignerDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "notarysigner" -}} - {{- else -}} - {{- .Values.database.external.notarySignerDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.sslmode" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "disable" -}} - {{- else -}} - {{- .Values.database.external.sslmode -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.clair" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.database.notaryServer" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.database.notarySigner" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.redis.scheme" -}} - {{- with .Values.redis }} - {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} - {{- end }} -{{- end -}} - -/*host:port*/ -{{- define "harbor.redis.addr" -}} - {{- with .Values.redis }} - {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.masterSet" -}} - {{- with .Values.redis }} - {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.password" -}} - {{- with .Values.redis }} - {{- ternary "" .external.password (eq .type "internal") }} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]host:port[/master_set]*/ -{{- define "harbor.redis.url" -}} - {{- with .Values.redis }} - {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} - {{- $cred := ternary (printf "redis:%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} - {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForCore" -}} - {{- with .Values.redis }} - {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index*/ -{{- define "harbor.redis.urlForJobservice" -}} - {{- with .Values.redis }} - {{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForRegistry" -}} - {{- with .Values.redis }} - {{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForClair" -}} - {{- with .Values.redis }} - {{- $index := ternary "4" .external.clairAdapterIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForTrivy" -}} - {{- with .Values.redis }} - {{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.dbForRegistry" -}} - {{- with .Values.redis }} - {{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.dbForChartmuseum" -}} - {{- with .Values.redis }} - {{- ternary "3" .external.chartmuseumDatabaseIndex (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.portal" -}} - {{- printf "%s-portal" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.core" -}} - {{- printf "%s-core" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.redis" -}} - {{- printf "%s-redis" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.jobservice" -}} - {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.registry" -}} - {{- printf "%s-registry" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.chartmuseum" -}} - {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.database" -}} - {{- printf "%s-database" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.clair" -}} - {{- printf "%s-clair" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.trivy" -}} - {{- printf "%s-trivy" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.notary-server" -}} - {{- printf "%s-notary-server" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.notary-signer" -}} - {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.nginx" -}} - {{- printf "%s-nginx" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.ingress" -}} - {{- printf "%s-ingress" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.ingress-notary" -}} - {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.noProxy" -}} - {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.chartmuseum" .) (include "harbor.clair" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) .Values.proxy.noProxy -}} -{{- end -}} - -{{- define "harbor.caBundleVolume" -}} -- name: ca-bundle-certs - secret: - secretName: {{ .Values.caBundleSecretName }} -{{- end -}} - -{{- define "harbor.caBundleVolumeMount" -}} -- name: ca-bundle-certs - mountPath: /harbor_cust_cert/custom-ca.crt - subPath: ca.crt -{{- end -}} - -{{/* scheme for all components except notary because it only support http mode */}} -{{- define "harbor.component.scheme" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "https" -}} - {{- else -}} - {{- printf "http" -}} - {{- end -}} -{{- end -}} - -{{/* chartmuseum component container port */}} -{{- define "harbor.chartmuseum.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "9443" -}} - {{- else -}} - {{- printf "9999" -}} - {{- end -}} -{{- end -}} - -{{/* chartmuseum component service port */}} -{{- define "harbor.chartmuseum.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* clair adapter component container port */}} -{{- define "harbor.clairAdapter.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* clair adapter component service port */}} -{{- define "harbor.clairAdapter.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* core component container port */}} -{{- define "harbor.core.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* core component service port */}} -{{- define "harbor.core.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* jobservice component container port */}} -{{- define "harbor.jobservice.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* jobservice component service port */}} -{{- define "harbor.jobservice.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* portal component container port */}} -{{- define "harbor.portal.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* portal component service port */}} -{{- define "harbor.portal.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* registry component container port */}} -{{- define "harbor.registry.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "5443" -}} - {{- else -}} - {{- printf "5000" -}} - {{- end -}} -{{- end -}} - -{{/* registry component service port */}} -{{- define "harbor.registry.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "5443" -}} - {{- else -}} - {{- printf "5000" -}} - {{- end -}} -{{- end -}} - -{{/* registryctl component container port */}} -{{- define "harbor.registryctl.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* registryctl component service port */}} -{{- define "harbor.registryctl.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* trivy component container port */}} -{{- define "harbor.trivy.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* trivy component service port */}} -{{- define "harbor.trivy.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* CLAIR_ADAPTER_URL */}} -{{- define "harbor.clairAdapterURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.clair" .) (include "harbor.clairAdapter.servicePort" .) -}} -{{- end -}} - -{{/* CORE_URL */}} -{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} -{{- define "harbor.coreURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} -{{- end -}} - -{{/* JOBSERVICE_URL */}} -{{- define "harbor.jobserviceURL" -}} - {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} -{{- end -}} - -{{/* PORTAL_URL */}} -{{- define "harbor.portalURL" -}} - {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} -{{- end -}} - -{{/* REGISTRY_URL */}} -{{- define "harbor.registryURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} -{{- end -}} - -{{/* REGISTRY_CONTROLLER_URL */}} -{{- define "harbor.registryControllerURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} -{{- end -}} - -{{/* TOKEN_SERVICE_URL */}} -{{- define "harbor.tokenServiceURL" -}} - {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} -{{- end -}} - -{{/* TRIVY_ADAPTER_URL */}} -{{- define "harbor.trivyAdapterURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} -{{- end -}} - -{{- define "harbor.internalTLS.chartmuseum.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.chartmuseum.secretName -}} - {{- else -}} - {{- printf "%s-chartmuseum-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.clair.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.clair.secretName -}} - {{- else -}} - {{- printf "%s-clair-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.core.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.core.secretName -}} - {{- else -}} - {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.jobservice.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.jobservice.secretName -}} - {{- else -}} - {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.portal.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.portal.secretName -}} - {{- else -}} - {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.registry.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.registry.secretName -}} - {{- else -}} - {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.trivy.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.trivy.secretName -}} - {{- else -}} - {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsCoreSecretForIngress" -}} - {{- if eq .Values.expose.tls.certSource "none" -}} - {{- printf "" -}} - {{- else if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.secretName -}} - {{- else -}} - {{- include "harbor.ingress" . -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsNotarySecretForIngress" -}} - {{- if eq .Values.expose.tls.certSource "none" -}} - {{- printf "" -}} - {{- else if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.notarySecretName -}} - {{- else -}} - {{- include "harbor.ingress" . -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsSecretForNginx" -}} - {{- if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.secretName -}} - {{- else -}} - {{- include "harbor.nginx" . -}} - {{- end -}} -{{- end -}} diff --git a/charts/harbor/templates/auto-tls.yaml b/charts/harbor/templates/auto-tls.yaml deleted file mode 100644 index cbeeeced..00000000 --- a/charts/harbor/templates/auto-tls.yaml +++ /dev/null @@ -1,115 +0,0 @@ -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} -{{- $ca := genCA "harbor-internal-ca" 365 }} -{{- $coreCN := (include "harbor.core" .) }} -{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} -{{- $jsCN := (include "harbor.jobservice" .) }} -{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} -{{- $regCN := (include "harbor.registry" .) }} -{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} -{{- $portalCN := (include "harbor.portal" .) }} -{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.core.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $coreCrt.Cert | b64enc | quote }} - tls.key: {{ $coreCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $jsCrt.Cert | b64enc | quote }} - tls.key: {{ $jsCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.registry.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $regCrt.Cert | b64enc | quote }} - tls.key: {{ $regCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.portal.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $portalCrt.Cert | b64enc | quote }} - tls.key: {{ $portalCrt.Key | b64enc | quote }} - -{{- if .Values.chartmuseum.enabled }} ---- -{{- $chartCN := (include "harbor.chartmuseum" .) }} -{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $chartCrt.Cert | b64enc | quote }} - tls.key: {{ $chartCrt.Key | b64enc | quote }} -{{- end }} - -{{- if .Values.clair.enabled }} ---- -{{- $clairCN := (include "harbor.clair" .) }} -{{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.clair.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $clairCrt.Cert | b64enc | quote }} - tls.key: {{ $clairCrt.Key | b64enc | quote }} -{{- end }} - -{{- if and .Values.trivy.enabled}} ---- -{{- $trivyCN := (include "harbor.trivy" .) }} -{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} - tls.key: {{ $trivyCrt.Key | b64enc | quote }} -{{- end }} - -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/chartmuseum-cm.yaml b/charts/harbor/templates/chartmuseum-cm.yaml deleted file mode 100644 index ce8902c3..00000000 --- a/charts/harbor/templates/chartmuseum-cm.yaml +++ /dev/null @@ -1,112 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - PORT: "{{ template "harbor.chartmuseum.containerPort" . }}" -{{- if .Values.internalTLS.enabled }} - TLS_CERT: "/etc/harbor/ssl/chartmuseum/tls.crt" - TLS_KEY: "/etc/harbor/ssl/chartmuseum/tls.key" -{{- end }} - {{- if eq "redis" (include "harbor.redis.scheme" .) }} - CACHE: "redis" - {{- else }} - CACHE: "redis_sentinel" - CACHE_REDIS_MASTERNAME: "{{ template "harbor.redis.masterSet" . }}" - {{- end }} - CACHE_REDIS_ADDR: "{{ template "harbor.redis.addr" . }}" - CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}" - BASIC_AUTH_USER: "chart_controller" -{{- if .Values.chartmuseum.absoluteUrl }} - CHART_URL: {{ .Values.externalURL }}/chartrepo -{{- end }} - DEPTH: "1" -{{- if eq .Values.logLevel "debug" }} - DEBUG: "true" -{{- else }} - DEBUG: "false" -{{- end }} - LOG_JSON: "true" - DISABLE_METRICS: "false" - DISABLE_API: "false" - DISABLE_STATEFILES: "false" - ALLOW_OVERWRITE: "true" - AUTH_ANONYMOUS_GET: "false" - CONTEXT_PATH: "" - INDEX_LIMIT: "0" - MAX_STORAGE_OBJECTS: "0" - MAX_UPLOAD_SIZE: "20971520" - CHART_POST_FORM_FIELD_NAME: "chart" - PROV_POST_FORM_FIELD_NAME: "prov" -{{- $storage := .Values.persistence.imageChartStorage }} -{{- $storageType := $storage.type }} -{{- if eq $storageType "filesystem" }} - STORAGE: "local" - STORAGE_LOCAL_ROOTDIR: "/chart_storage" -{{- else if eq $storageType "azure" }} - STORAGE: "microsoft" - STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }} - AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }} - AZURE_BASE_URL: {{ $storage.azure.realm }} - STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts" -{{- else if eq $storageType "gcs" }} - STORAGE: "google" - STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} - GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json - {{- if $storage.gcs.rootdirectory }} - STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} - {{- end }} -{{- else if eq $storageType "s3" }} - STORAGE: "amazon" - STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }} - {{- if $storage.s3.rootdirectory }} - STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }} - {{- end }} - STORAGE_AMAZON_REGION: {{ $storage.s3.region }} - {{- if $storage.s3.regionendpoint }} - STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }} - {{- end }} - {{- if $storage.s3.accesskey }} - AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }} - {{- end }} - {{- if $storage.s3.keyid }} - STORAGE_AMAZON_SSE: aws:kms - {{- end }} -{{- else if eq $storageType "swift" }} - STORAGE: "openstack" - STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }} - {{- if $storage.swift.prefix }} - STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }} - {{- end }} - {{- if $storage.swift.region }} - STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }} - {{- end }} - OS_AUTH_URL: {{ $storage.swift.authurl }} - OS_USERNAME: {{ $storage.swift.username }} - {{- if $storage.swift.tenantid }} - OS_PROJECT_ID: {{ $storage.swift.tenantid }} - {{- end }} - {{- if $storage.swift.tenant }} - OS_PROJECT_NAME: {{ $storage.swift.tenant }} - {{- end }} - {{- if $storage.swift.domainid }} - OS_DOMAIN_ID: {{ $storage.swift.domainid }} - {{- end }} - {{- if $storage.swift.domain }} - OS_DOMAIN_NAME: {{ $storage.swift.domain }} - {{- end }} -{{- else if eq $storageType "oss" }} - STORAGE: "alibaba" - STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }} - {{- if $storage.oss.rootdirectory }} - STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }} - {{- end }} - {{- if $storage.oss.endpoint }} - STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }} - {{- end }} - ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }} -{{- end }} -{{- end }} diff --git a/charts/harbor/templates/chartmuseum-dpl.yaml b/charts/harbor/templates/chartmuseum-dpl.yaml deleted file mode 100644 index 5fb3f06a..00000000 --- a/charts/harbor/templates/chartmuseum-dpl.yaml +++ /dev/null @@ -1,165 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: chartmuseum -spec: - replicas: {{ .Values.chartmuseum.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: chartmuseum - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: chartmuseum - annotations: - checksum/configmap: {{ print "chartmuseum-cm.yaml" . | sha256sum }} - checksum/secret: {{ print "chartmuseum-secret.yaml" . | sha256sum }} - checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ print "chartmuseum-tls.yaml" . | sha256sum }} -{{- end }} -{{- if .Values.chartmuseum.podAnnotations }} -{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.chartmuseum.serviceAccountName }} - serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: chartmuseum - image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: /health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.chartmuseum.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.chartmuseum.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.chartmuseum.resources }} - resources: -{{ toYaml .Values.chartmuseum.resources | indent 10 }} -{{- end }} - envFrom: - - configMapRef: - name: "{{ template "harbor.chartmuseum" . }}" - - secretRef: - name: "{{ template "harbor.chartmuseum" . }}" - env: - {{- if has "chartmuseum" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/chartmuseum/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/chartmuseum/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/chartmuseum/ca.crt - {{- end }} - - name: BASIC_AUTH_PASS - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280) - name: AWS_SDK_LOAD_CONFIG - value: "1" - ports: - - containerPort: {{ template "harbor.chartmuseum.containerPort" . }} - volumeMounts: - - name: chartmuseum-data - mountPath: /chart_storage - subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }} - {{- if .Values.internalTLS.enabled }} - - name: chart-internal-certs - mountPath: /etc/harbor/ssl/chartmuseum - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/chartmuseum/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: chartmuseum-data - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: chart-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }} - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: GCS_KEY_DATA - path: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - secret: - secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.chartmuseum.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- end }} diff --git a/charts/harbor/templates/chartmuseum-pvc.yaml b/charts/harbor/templates/chartmuseum-pvc.yaml deleted file mode 100644 index 61a08cca..00000000 --- a/charts/harbor/templates/chartmuseum-pvc.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -{{- $persistence := .Values.persistence -}} -{{- if $persistence.enabled }} -{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}} -{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.chartmuseum" . }} - {{- if eq $persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: chartmuseum -spec: - accessModes: - - {{ $chartmuseum.accessMode }} - resources: - requests: - storage: {{ $chartmuseum.size }} - {{- if $chartmuseum.storageClass }} - {{- if eq "-" $chartmuseum.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $chartmuseum.storageClass }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/harbor/templates/chartmuseum-secret.yaml b/charts/harbor/templates/chartmuseum-secret.yaml deleted file mode 100644 index eefdf793..00000000 --- a/charts/harbor/templates/chartmuseum-secret.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} -{{- $storage := .Values.persistence.imageChartStorage }} -{{- $storageType := $storage.type }} -{{- if eq $storageType "azure" }} - AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }} -{{- else if eq $storageType "gcs" }} - # TODO support the keyfile of gcs -{{- else if eq $storageType "s3" }} - {{- if $storage.s3.secretkey }} - AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }} - {{- end }} -{{- else if eq $storageType "swift" }} - OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }} -{{- else if eq $storageType "oss" }} - ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/chartmuseum-svc.yaml b/charts/harbor/templates/chartmuseum-svc.yaml deleted file mode 100644 index df584754..00000000 --- a/charts/harbor/templates/chartmuseum-svc.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.chartmuseum.servicePort" . }} - targetPort: {{ template "harbor.chartmuseum.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: chartmuseum -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/chartmuseum-tls.yaml b/charts/harbor/templates/chartmuseum-tls.yaml deleted file mode 100644 index cda17c33..00000000 --- a/charts/harbor/templates/chartmuseum-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }} -{{- end }} -{{- end }} diff --git a/charts/harbor/templates/clair-dpl.yaml b/charts/harbor/templates/clair-dpl.yaml deleted file mode 100644 index 6de58f1a..00000000 --- a/charts/harbor/templates/clair-dpl.yaml +++ /dev/null @@ -1,166 +0,0 @@ -{{ if .Values.clair.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.clair" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: clair -spec: - replicas: {{ .Values.clair.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: clair - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: clair - annotations: - checksum/secret: {{ print "clair-secret.yaml" . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ print "clair-tls.yaml" . | sha256sum }} -{{- end }} -{{- if .Values.clair.podAnnotations }} -{{ toYaml .Values.clair.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.clair.serviceAccountName }} - serviceAccountName: {{ .Values.clair.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: clair - image: {{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: /health - port: 6061 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /health - port: 6061 - initialDelaySeconds: 30 - periodSeconds: 10 - args: ["-log-level", "{{ .Values.logLevel }}"] - env: - {{- if has "clair" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} -{{- if .Values.clair.clair.resources }} - resources: -{{ toYaml .Values.clair.clair.resources | indent 10 }} -{{- end }} - ports: - - containerPort: 6060 - volumeMounts: - - name: config - mountPath: /etc/clair/config.yaml - subPath: config.yaml - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - mountPath: /etc/harbor/ssl/clair - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - - name: adapter - image: {{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: /probe/healthy - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.clairAdapter.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /probe/ready - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.clairAdapter.containerPort" . }} - initialDelaySeconds: 30 - periodSeconds: 10 - env: - - name: SCANNER_CLAIR_URL - # To avoid a pod cannot reach itself via service IP when the clusters disable hairpin - value: "http://127.0.0.1:6060" - - name: SCANNER_STORE_REDIS_URL - valueFrom: - secretKeyRef: - name: {{ template "harbor.clair" . }} - key: redis - - name: SCANNER_CLAIR_DATABASE_URL - valueFrom: - secretKeyRef: - name: {{ template "harbor.clair" . }} - key: database - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: SCANNER_API_SERVER_ADDR - value: ":8443" - - name: SCANNER_API_SERVER_TLS_KEY - value: /etc/harbor/ssl/clair/tls.key - - name: SCANNER_API_SERVER_TLS_CERTIFICATE - value: /etc/harbor/ssl/clair/tls.crt - {{- end }} - - name: SCANNER_LOG_LEVEL - value: "{{ .Values.logLevel }}" -{{- if .Values.clair.adapter.resources }} - resources: -{{ toYaml .Values.clair.adapter.resources | indent 10 }} -{{- end }} - ports: - - containerPort: {{ template "harbor.clairAdapter.containerPort" . }} - {{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }} - volumeMounts: - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - mountPath: /etc/harbor/ssl/clair - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - {{- end }} - volumes: - - name: config - secret: - secretName: "{{ template "harbor.clair" . }}" - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.clair.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.clair.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} diff --git a/charts/harbor/templates/clair-secret.yaml b/charts/harbor/templates/clair-secret.yaml deleted file mode 100644 index e687d58c..00000000 --- a/charts/harbor/templates/clair-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.clair.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.clair" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }} - redis: {{ include "harbor.redis.urlForClair" . | b64enc }} - database: {{ include "harbor.database.clair" . | b64enc }} -{{- end }} diff --git a/charts/harbor/templates/clair-svc.yaml b/charts/harbor/templates/clair-svc.yaml deleted file mode 100644 index 3d730c65..00000000 --- a/charts/harbor/templates/clair-svc.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Values.clair.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.clair" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: adapter - port: {{ include "harbor.clairAdapter.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: clair -{{ end }} diff --git a/charts/harbor/templates/clair-tls.yaml b/charts/harbor/templates/clair-tls.yaml deleted file mode 100644 index af81eec1..00000000 --- a/charts/harbor/templates/clair-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.clair.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.clair.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/configmap-http.yaml b/charts/harbor/templates/configmap-http.yaml deleted file mode 100644 index 89470a4b..00000000 --- a/charts/harbor/templates/configmap-http.yaml +++ /dev/null @@ -1,150 +0,0 @@ -{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} -{{- $scheme := (include "harbor.component.scheme" .) -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 1024; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; - } - - upstream portal { - server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; - } - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - server { - listen 8080; - server_tokens off; - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # Add extra headers - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass {{ $scheme }}://portal/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass {{ $scheme }}://core/api/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass {{ $scheme }}://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass {{ $scheme }}://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass {{ $scheme }}://core/service/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - } -{{- end }} diff --git a/charts/harbor/templates/configmap-https.yaml b/charts/harbor/templates/configmap-https.yaml deleted file mode 100644 index 00e34fa4..00000000 --- a/charts/harbor/templates/configmap-https.yaml +++ /dev/null @@ -1,221 +0,0 @@ -{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} -{{- $scheme := (include "harbor.component.scheme" .) -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 1024; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; - } - - upstream portal { - server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; - } - - {{- if .Values.notary.enabled }} - upstream notary-server { - server {{ template "harbor.notary-server" . }}:4443; - } - {{- end }} - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - {{- if .Values.notary.enabled }} - server { - listen 4443 ssl; - server_tokens off; - # ssl - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html - ssl_protocols tlsv1.1 tlsv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:ssl:10m; - - # disable any limits to avoid http 413 for large image uploads - client_max_body_size 0; - - # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - location /v2/ { - proxy_pass http://notary-server/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - } - {{- end }} - - server { - listen 8443 ssl; - # server_name harbordomain.com; - server_tokens off; - # SSL - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - # Add extra headers - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass {{ $scheme }}://portal/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; HttpOnly; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass {{ $scheme }}://core/api/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass {{ $scheme }}://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass {{ $scheme }}://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass {{ $scheme }}://core/service/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - server { - listen 8080; - #server_name harbordomain.com; - return 301 https://$host$request_uri; - } - } -{{- end }} diff --git a/charts/harbor/templates/configmap.yaml b/charts/harbor/templates/configmap.yaml deleted file mode 100644 index fed5ac04..00000000 --- a/charts/harbor/templates/configmap.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - server { - {{- if .Values.internalTLS.enabled }} - listen {{ template "harbor.portal.containerPort" . }} ssl; - # SSL - ssl_certificate /etc/harbor/ssl/portal/tls.crt; - ssl_certificate_key /etc/harbor/ssl/portal/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - {{- else }} - listen {{ template "harbor.portal.containerPort" . }}; - {{- end }} - server_name localhost; - root /usr/share/nginx/html; - index index.html index.htm; - include /etc/nginx/mime.types; - gzip on; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; - location / { - try_files $uri $uri/ /index.html; - } - location = /index.html { - add_header Cache-Control "no-store, no-cache, must-revalidate"; - } - } - } diff --git a/charts/harbor/templates/core-cm.yaml b/charts/harbor/templates/core-cm.yaml deleted file mode 100644 index d339ee28..00000000 --- a/charts/harbor/templates/core-cm.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - app.conf: |+ - appname = Harbor - runmode = prod - enablegzip = true - - [prod] - httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} - PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" - DATABASE_TYPE: "postgresql" - POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" - POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" - POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" - POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" - POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" - POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" - POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" - EXT_ENDPOINT: "{{ .Values.externalURL }}" - CORE_URL: "{{ template "harbor.coreURL" . }}" - JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" - REGISTRY_URL: "{{ template "harbor.registryURL" . }}" - TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" - WITH_NOTARY: "{{ .Values.notary.enabled }}" - NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" - CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" - WITH_CLAIR: "{{ .Values.clair.enabled }}" - CLAIR_ADAPTER_URL: "{{ template "harbor.clairAdapterURL" . }}" - WITH_TRIVY: {{ .Values.trivy.enabled | quote }} - TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" - REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" - WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" - CHART_REPOSITORY_URL: "{{ template "harbor.component.scheme" . }}://{{ template "harbor.chartmuseum" . }}" - LOG_LEVEL: "{{ .Values.logLevel }}" - CONFIG_PATH: "/etc/core/app.conf" - CHART_CACHE_DRIVER: "redis" - _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" - _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" - PORTAL_URL: "{{ template "harbor.portalURL" . }}" - REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" - REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" - {{- if .Values.uaaSecretName }} - UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" - {{- end }} - {{- if has "core" .Values.proxy.components }} - HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" - HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" - NO_PROXY: "{{ template "harbor.noProxy" . }}" - {{- end }} - PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor" - {{- if hasKey .Values.core "gcTimeWindowHours" }} - #make the GC time window configurable for testing - GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" - {{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/core-dpl.yaml b/charts/harbor/templates/core-dpl.yaml deleted file mode 100644 index b0ca3698..00000000 --- a/charts/harbor/templates/core-dpl.yaml +++ /dev/null @@ -1,179 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: core -spec: - replicas: {{ .Values.core.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: core - template: - metadata: - labels: -{{ include "harbor.matchLabels" . | indent 8 }} - component: core - annotations: - checksum/configmap: {{ print "core-cm.yaml" . | sha256sum }} - checksum/secret: {{ print "core-secret.yaml" . | sha256sum }} - checksum/secret-jobservice: {{ print "jobservice-secrets.yaml" . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ print "core-tls.yaml" . | sha256sum }} -{{- end }} -{{- if .Values.core.podAnnotations }} -{{ toYaml .Values.core.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.core.serviceAccountName }} - serviceAccountName: {{ .Values.core.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: core - image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - initialDelaySeconds: {{ .Values.core.livenessProbe.initialDelaySeconds }} - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - initialDelaySeconds: 20 - periodSeconds: 10 - envFrom: - - configMapRef: - name: "{{ template "harbor.core" . }}" - - secretRef: - name: "{{ template "harbor.core" . }}" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.jobservice" . }}" - key: JOBSERVICE_SECRET - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/core/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/core/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/core/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.core.containerPort" . }} - volumeMounts: - - name: config - mountPath: /etc/core/app.conf - subPath: app.conf - - name: secret-key - mountPath: /etc/core/key - subPath: key - - name: token-service-private-key - mountPath: /etc/core/private_key.pem - subPath: tls.key - {{- if .Values.expose.tls.enabled }} - - name: ca-download - mountPath: /etc/core/ca - {{- end }} - {{- if .Values.uaaSecretName }} - - name: auth-ca-cert - mountPath: /etc/core/auth-ca/auth-ca.crt - subPath: auth-ca.crt - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: core-internal-certs - mountPath: /etc/harbor/ssl/core - {{- end }} - - name: psc - mountPath: /etc/core/token - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} -{{- if .Values.core.resources }} - resources: -{{ toYaml .Values.core.resources | indent 10 }} -{{- end }} - volumes: - - name: config - configMap: - name: {{ template "harbor.core" . }} - items: - - key: app.conf - path: app.conf - - name: secret-key - secret: - secretName: {{ template "harbor.core" . }} - items: - - key: secretKey - path: key - - name: token-service-private-key - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - {{- if .Values.expose.tls.enabled }} - - name: ca-download - secret: - {{- if .Values.caSecretName }} - secretName: {{ .Values.caSecretName }} - {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} - secretName: "{{ template "harbor.ingress" . }}" - {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} - secretName: {{ template "harbor.tlsSecretForNginx" . }} - {{- end }} - {{- end }} - {{- if .Values.uaaSecretName }} - - name: auth-ca-cert - secret: - secretName: {{ .Values.uaaSecretName }} - items: - - key: ca.crt - path: auth-ca.crt - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: core-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.core.secretName" . }} - {{- end }} - - name: psc - emptyDir: {} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.core.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.core.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.core.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/charts/harbor/templates/core-secret.yaml b/charts/harbor/templates/core-secret.yaml deleted file mode 100644 index ba4b7678..00000000 --- a/charts/harbor/templates/core-secret.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - secretKey: {{ .Values.secretKey | b64enc | quote }} - secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} -{{- if not .Values.core.secretName }} - tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }} - tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} -{{- end }} - HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} - POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} - REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} - CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} diff --git a/charts/harbor/templates/core-svc.yaml b/charts/harbor/templates/core-svc.yaml deleted file mode 100644 index dcdb3344..00000000 --- a/charts/harbor/templates/core-svc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: -{{- if (eq .Values.expose.ingress.controller "gce") }} - type: NodePort -{{- end }} - ports: - - port: {{ template "harbor.core.servicePort" . }} - targetPort: {{ template "harbor.core.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: core diff --git a/charts/harbor/templates/core-tls.yaml b/charts/harbor/templates/core-tls.yaml deleted file mode 100644 index c52148f0..00000000 --- a/charts/harbor/templates/core-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.core.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/database-secret.yaml b/charts/harbor/templates/database-secret.yaml deleted file mode 100644 index 864aff4a..00000000 --- a/charts/harbor/templates/database-secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if eq .Values.database.type "internal" -}} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} -{{- end -}} diff --git a/charts/harbor/templates/database-ss.yaml b/charts/harbor/templates/database-ss.yaml deleted file mode 100644 index bc3e33b8..00000000 --- a/charts/harbor/templates/database-ss.yaml +++ /dev/null @@ -1,123 +0,0 @@ -{{- if eq .Values.database.type "internal" -}} -{{- $database := .Values.persistence.persistentVolumeClaim.database -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: database -spec: - replicas: 1 - serviceName: "{{ template "harbor.database" . }}" - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: database - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: database - annotations: - checksum/secret: {{ print "database-secret.yaml" . | sha256sum }} -{{- if .Values.database.podAnnotations }} -{{ toYaml .Values.database.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- if .Values.database.internal.serviceAccountName }} - serviceAccountName: {{ .Values.database.internal.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - initContainers: - - name: "change-permission-of-directory" - securityContext: - runAsUser: 0 - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - command: ["/bin/sh"] - args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"] - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - - name: "remove-lost-found" - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - containers: - - name: database - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - exec: - command: - - /docker-healthcheck.sh - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - exec: - command: - - /docker-healthcheck.sh - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.database.internal.resources }} - resources: -{{ toYaml .Values.database.internal.resources | indent 10 }} -{{- end }} - envFrom: - - secretRef: - name: "{{ template "harbor.database" . }}" - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - {{- if not .Values.persistence.enabled }} - volumes: - - name: "database-data" - emptyDir: {} - {{- else if $database.existingClaim }} - volumes: - - name: "database-data" - persistentVolumeClaim: - claimName: {{ $database.existingClaim }} - {{- end -}} - {{- with .Values.database.internal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if and .Values.persistence.enabled (not $database.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: "database-data" - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $database.accessMode | quote }}] - {{- if $database.storageClass }} - {{- if (eq "-" $database.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $database.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $database.size | quote }} - {{- end -}} - {{- end -}} diff --git a/charts/harbor/templates/database-svc.yaml b/charts/harbor/templates/database-svc.yaml deleted file mode 100644 index 6475048c..00000000 --- a/charts/harbor/templates/database-svc.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if eq .Values.database.type "internal" -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 5432 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: database -{{- end -}} \ No newline at end of file diff --git a/charts/harbor/templates/deployment.yaml b/charts/harbor/templates/deployment.yaml deleted file mode 100644 index 5fb09320..00000000 --- a/charts/harbor/templates/deployment.yaml +++ /dev/null @@ -1,88 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: portal -spec: - replicas: {{ .Values.portal.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: portal - template: - metadata: - labels: -{{ include "harbor.matchLabels" . | indent 8 }} - component: portal - annotations: -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ print "tls.yaml" . | sha256sum }} -{{- end }} -{{- if .Values.portal.podAnnotations }} -{{ toYaml .Values.portal.podAnnotations | indent 8 }} -{{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- if .Values.portal.serviceAccountName }} - serviceAccountName: {{ .Values.portal.serviceAccountName }} -{{- end }} - containers: - - name: portal - image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} -{{- if .Values.portal.resources }} - resources: -{{ toYaml .Values.portal.resources | indent 10 }} -{{- end }} - livenessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.portal.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.portal.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 - ports: - - containerPort: {{ template "harbor.portal.containerPort" . }} - volumeMounts: - - name: portal-config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - {{- if .Values.internalTLS.enabled }} - - name: portal-internal-certs - mountPath: /etc/harbor/ssl/portal - {{- end }} - volumes: - - name: portal-config - configMap: - name: "{{ template "harbor.portal" . }}" - {{- if .Values.internalTLS.enabled }} - - name: portal-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.portal.secretName" . }} - {{- end }} - {{- with .Values.portal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.portal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.portal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/charts/harbor/templates/ingress-secret.yaml b/charts/harbor/templates/ingress-secret.yaml deleted file mode 100644 index 0d89af99..00000000 --- a/charts/harbor/templates/ingress-secret.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} -{{- $ca := genCA "harbor-ca" 365 }} -{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.ingress" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/ingress.yaml b/charts/harbor/templates/ingress.yaml deleted file mode 100644 index 863e91f3..00000000 --- a/charts/harbor/templates/ingress.yaml +++ /dev/null @@ -1,133 +0,0 @@ -{{- if eq .Values.expose.type "ingress" }} -{{- $ingress := .Values.expose.ingress -}} -{{- $tls := .Values.expose.tls -}} -{{- if eq .Values.expose.ingress.controller "gce" }} - {{- $_ := set . "portal_path" "/*" -}} - {{- $_ := set . "api_path" "/api/*" -}} - {{- $_ := set . "service_path" "/service/*" -}} - {{- $_ := set . "v2_path" "/v2/*" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} - {{- $_ := set . "controller_path" "/c/*" -}} - {{- $_ := set . "notary_path" "/" -}} -{{- else if eq .Values.expose.ingress.controller "ncp" }} - {{- $_ := set . "portal_path" "/.*" -}} - {{- $_ := set . "api_path" "/api/.*" -}} - {{- $_ := set . "service_path" "/service/.*" -}} - {{- $_ := set . "v2_path" "/v2/.*" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} - {{- $_ := set . "controller_path" "/c/.*" -}} - {{- $_ := set . "notary_path" "/.*" -}} -{{- else }} - {{- $_ := set . "portal_path" "/" -}} - {{- $_ := set . "api_path" "/api/" -}} - {{- $_ := set . "service_path" "/service/" -}} - {{- $_ := set . "v2_path" "/v2/" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} - {{- $_ := set . "controller_path" "/c/" -}} - {{- $_ := set . "notary_path" "/" -}} -{{- end }} - ---- -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: extensions/v1beta1 -{{- else }} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: "{{ template "harbor.ingress" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - annotations: -{{ toYaml $ingress.annotations | indent 4 }} -{{- if .Values.internalTLS.enabled }} - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -{{- end }} -{{- if eq .Values.expose.ingress.controller "ncp" }} - ncp/use-regex: "true" - {{- if $tls.enabled }} - ncp/http-redirect: "true" - {{- end }} -{{- end }} -spec: - {{- if $tls.enabled }} - tls: - - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} - {{- if $ingress.hosts.core }} - hosts: - - {{ $ingress.hosts.core }} - {{- end }} - {{- end }} - rules: - - http: - paths: - - path: {{ .portal_path }} - backend: - serviceName: {{ template "harbor.portal" . }} - servicePort: {{ template "harbor.portal.servicePort" . }} - - path: {{ .api_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .service_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .v2_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .chartrepo_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .controller_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - {{- if $ingress.hosts.core }} - host: {{ $ingress.hosts.core }} - {{- end }} - -{{- if .Values.notary.enabled }} ---- -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: extensions/v1beta1 -{{- else }} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: "{{ template "harbor.ingress-notary" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - annotations: -{{ toYaml $ingress.annotations | indent 4 }} -{{- if eq .Values.expose.ingress.controller "ncp" }} - ncp/use-regex: "true" - {{- if $tls.enabled }} - ncp/http-redirect: "true" - {{- end }} -{{- end }} -spec: - {{- if $tls.enabled }} - tls: - - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }} - {{- if $ingress.hosts.notary }} - hosts: - - {{ $ingress.hosts.notary }} - {{- end }} - {{- end }} - rules: - - http: - paths: - - path: {{ .notary_path }} - backend: - serviceName: {{ template "harbor.notary-server" . }} - servicePort: 4443 - {{- if $ingress.hosts.notary }} - host: {{ $ingress.hosts.notary }} - {{- end }} -{{- end }} - -{{- end }} diff --git a/charts/harbor/templates/jobservice-cm-env.yaml b/charts/harbor/templates/jobservice-cm-env.yaml deleted file mode 100644 index 1f79f97a..00000000 --- a/charts/harbor/templates/jobservice-cm-env.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.jobservice" . }}-env" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - CORE_URL: "{{ template "harbor.coreURL" . }}" - TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" - REGISTRY_URL: "{{ template "harbor.registryURL" . }}" - REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" - REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" - {{- if has "jobservice" .Values.proxy.components }} - HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" - HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" - NO_PROXY: "{{ template "harbor.noProxy" . }}" - {{- end }} diff --git a/charts/harbor/templates/jobservice-cm.yaml b/charts/harbor/templates/jobservice-cm.yaml deleted file mode 100644 index f9eb51bd..00000000 --- a/charts/harbor/templates/jobservice-cm.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - #Server listening port - protocol: "{{ template "harbor.component.scheme" . }}" - port: {{ template "harbor.jobservice.containerPort". }} - {{- if .Values.internalTLS.enabled }} - https_config: - cert: "/etc/harbor/ssl/jobservice/tls.crt" - key: "/etc/harbor/ssl/jobservice/tls.key" - {{- end }} - worker_pool: - workers: {{ .Values.jobservice.maxJobWorkers }} - backend: "redis" - redis_pool: - redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" - namespace: "harbor_job_service_namespace" - idle_timeout_second: 3600 - job_loggers: - {{- if eq .Values.jobservice.jobLogger "file" }} - - name: "FILE" - level: {{ .Values.logLevel | upper }} - settings: # Customized settings of logger - base_dir: "/var/log/jobs" - sweeper: - duration: 14 #days - settings: # Customized settings of sweeper - work_dir: "/var/log/jobs" - {{- else if eq .Values.jobservice.jobLogger "database" }} - - name: "DB" - level: {{ .Values.logLevel | upper }} - sweeper: - duration: 14 #days - {{- else }} - - name: "STD_OUTPUT" - level: {{ .Values.logLevel | upper }} - {{- end }} - #Loggers for the job service - loggers: - - name: "STD_OUTPUT" - level: {{ .Values.logLevel | upper }} \ No newline at end of file diff --git a/charts/harbor/templates/jobservice-dpl.yaml b/charts/harbor/templates/jobservice-dpl.yaml deleted file mode 100644 index 2eb221c2..00000000 --- a/charts/harbor/templates/jobservice-dpl.yaml +++ /dev/null @@ -1,136 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: jobservice -spec: - replicas: {{ .Values.jobservice.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: jobservice - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: jobservice - annotations: - checksum/configmap: {{ print "jobservice-cm.yaml" . | sha256sum }} - checksum/configmap-env: {{ print "jobservice-cm-env.yaml" . | sha256sum }} - checksum/secret: {{ print "jobservice-secrets.yaml" . | sha256sum }} - checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ print "jobservice-tls.yaml" . | sha256sum }} -{{- end }} -{{- if .Values.jobservice.podAnnotations }} -{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.jobservice.serviceAccountName }} - serviceAccountName: {{ .Values.jobservice.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: jobservice - image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: /api/v1/stats - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.jobservice.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v1/stats - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.jobservice.containerPort" . }} - initialDelaySeconds: 20 - periodSeconds: 10 -{{- if .Values.jobservice.resources }} - resources: -{{ toYaml .Values.jobservice.resources | indent 10 }} -{{- end }} - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/jobservice/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/jobservice/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/jobservice/ca.crt - {{- end }} - envFrom: - - configMapRef: - name: "{{ template "harbor.jobservice" . }}-env" - - secretRef: - name: "{{ template "harbor.jobservice" . }}" - ports: - - containerPort: {{ template "harbor.jobservice.containerPort" . }} - volumeMounts: - - name: jobservice-config - mountPath: /etc/jobservice/config.yml - subPath: config.yml - - name: job-logs - mountPath: /var/log/jobs - subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }} - {{- if .Values.internalTLS.enabled }} - - name: jobservice-internal-certs - mountPath: /etc/harbor/ssl/jobservice - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: jobservice-config - configMap: - name: "{{ template "harbor.jobservice" . }}" - - name: job-logs - {{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: jobservice-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.jobservice.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/charts/harbor/templates/jobservice-pvc.yaml b/charts/harbor/templates/jobservice-pvc.yaml deleted file mode 100644 index dc65675a..00000000 --- a/charts/harbor/templates/jobservice-pvc.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}} -{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }} -{{- if eq .Values.jobservice.jobLogger "file" }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.jobservice" . }} - {{- if eq .Values.persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: jobservice -spec: - accessModes: - - {{ $jobservice.accessMode }} - resources: - requests: - storage: {{ $jobservice.size }} - {{- if $jobservice.storageClass }} - {{- if eq "-" $jobservice.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $jobservice.storageClass }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/harbor/templates/jobservice-secrets.yaml b/charts/harbor/templates/jobservice-secrets.yaml deleted file mode 100644 index a4750d2f..00000000 --- a/charts/harbor/templates/jobservice-secrets.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} - REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} diff --git a/charts/harbor/templates/jobservice-svc.yaml b/charts/harbor/templates/jobservice-svc.yaml deleted file mode 100644 index e1aa0914..00000000 --- a/charts/harbor/templates/jobservice-svc.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.jobservice.servicePort" . }} - targetPort: {{ template "harbor.jobservice.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: jobservice diff --git a/charts/harbor/templates/jobservice-tls.yaml b/charts/harbor/templates/jobservice-tls.yaml deleted file mode 100644 index 234cb399..00000000 --- a/charts/harbor/templates/jobservice-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/nginx-dpl.yaml b/charts/harbor/templates/nginx-dpl.yaml deleted file mode 100644 index f3af4328..00000000 --- a/charts/harbor/templates/nginx-dpl.yaml +++ /dev/null @@ -1,104 +0,0 @@ -{{- if ne .Values.expose.type "ingress" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: nginx -spec: - replicas: {{ .Values.nginx.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: nginx - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: nginx - annotations: - {{- if not .Values.expose.tls.enabled }} - checksum/configmap: {{ print "configmap-http.yaml" . | sha256sum }} - {{- else }} - checksum/configmap: {{ print "configmap-https.yaml" . | sha256sum }} - {{- end }} - {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} - checksum/secret: {{ print "nginx-secret.yaml" . | sha256sum }} - {{- end }} -{{- if .Values.nginx.podAnnotations }} -{{ toYaml .Values.nginx.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- if .Values.nginx.serviceAccountName }} - serviceAccountName: {{ .Values.nginx.serviceAccountName }} -{{- end }} - securityContext: - runAsUser: 10000 - fsGroup: 10000 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: nginx - image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - {{- $_ := set . "scheme" "HTTP" -}} - {{- $_ := set . "port" "8080" -}} - {{- if .Values.expose.tls.enabled }} - {{- $_ := set . "scheme" "HTTPS" -}} - {{- $_ := set . "port" "8443" -}} - {{- end }} - livenessProbe: - httpGet: - scheme: {{ .scheme }} - path: / - port: {{ .port }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - scheme: {{ .scheme }} - path: / - port: {{ .port }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.nginx.resources }} - resources: -{{ toYaml .Values.nginx.resources | indent 10 }} -{{- end }} - ports: - - containerPort: 8080 - - containerPort: 8443 - - containerPort: 4443 - volumeMounts: - - name: config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - {{- if .Values.expose.tls.enabled }} - - name: certificate - mountPath: /etc/nginx/cert - {{- end }} - volumes: - - name: config - configMap: - name: {{ template "harbor.nginx" . }} - {{- if .Values.expose.tls.enabled }} - - name: certificate - secret: - secretName: {{ template "harbor.tlsSecretForNginx" . }} - {{- end }} - {{- with .Values.nginx.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- end }} diff --git a/charts/harbor/templates/nginx-secret.yaml b/charts/harbor/templates/nginx-secret.yaml deleted file mode 100644 index c819c556..00000000 --- a/charts/harbor/templates/nginx-secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} -{{- $ca := genCA "harbor-ca" 365 }} -{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} - {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- else }} - {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/nginx-svc.yaml b/charts/harbor/templates/nginx-svc.yaml deleted file mode 100644 index e3e35705..00000000 --- a/charts/harbor/templates/nginx-svc.yaml +++ /dev/null @@ -1,92 +0,0 @@ -{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} -apiVersion: v1 -kind: Service -metadata: -{{- if eq .Values.expose.type "clusterIP" }} -{{- $clusterIP := .Values.expose.clusterIP }} - name: {{ $clusterIP.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - type: ClusterIP - ports: - - name: http - port: {{ $clusterIP.ports.httpPort }} - targetPort: 8080 - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $clusterIP.ports.httpsPort }} - targetPort: 8443 - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $clusterIP.ports.notaryPort }} - targetPort: 4443 - {{- end }} -{{- else if eq .Values.expose.type "nodePort" }} -{{- $nodePort := .Values.expose.nodePort }} - name: {{ $nodePort.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - type: NodePort - ports: - - name: http - port: {{ $nodePort.ports.http.port }} - targetPort: 8080 - {{- if $nodePort.ports.http.nodePort }} - nodePort: {{ $nodePort.ports.http.nodePort }} - {{- end }} - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $nodePort.ports.https.port }} - targetPort: 8443 - {{- if $nodePort.ports.https.nodePort }} - nodePort: {{ $nodePort.ports.https.nodePort }} - {{- end }} - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $nodePort.ports.notary.port }} - targetPort: 4443 - {{- if $nodePort.ports.notary.nodePort }} - nodePort: {{ $nodePort.ports.notary.nodePort }} - {{- end }} - {{- end }} -{{- else if eq .Values.expose.type "loadBalancer" }} -{{- $loadBalancer := .Values.expose.loadBalancer }} - name: {{ $loadBalancer.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -{{- with $loadBalancer.annotations }} - annotations: - {{- toYaml . | nindent 4 }} -{{- end }} -spec: - type: LoadBalancer - {{- with $loadBalancer.sourceRanges }} - loadBalancerSourceRanges: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- if $loadBalancer.IP }} - loadBalancerIP: {{ $loadBalancer.IP }} - {{- end }} - ports: - - name: http - port: {{ $loadBalancer.ports.httpPort }} - targetPort: 8080 - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $loadBalancer.ports.httpsPort }} - targetPort: 8443 - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $loadBalancer.ports.notaryPort }} - targetPort: 4443 - {{- end }} -{{- end }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: nginx -{{- end }} diff --git a/charts/harbor/templates/notary-secret.yaml b/charts/harbor/templates/notary-secret.yaml deleted file mode 100644 index 65b47195..00000000 --- a/charts/harbor/templates/notary-secret.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if and .Values.notary.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary -type: Opaque -data: - {{- if not .Values.notary.secretName }} - {{- $ca := genCA "harbor-notary-ca" 365 }} - {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - {{- end }} - server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }} - signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }} -{{- end }} diff --git a/charts/harbor/templates/notary-server.yaml b/charts/harbor/templates/notary-server.yaml deleted file mode 100644 index a724d58d..00000000 --- a/charts/harbor/templates/notary-server.yaml +++ /dev/null @@ -1,89 +0,0 @@ -{{ if .Values.notary.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary-server -spec: - replicas: {{ .Values.notary.server.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: notary-server - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: notary-server - annotations: - checksum/secret: {{ print "notary-secret.yaml" . | sha256sum }} - checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }} -{{- if .Values.notary.podAnnotations }} -{{ toYaml .Values.notary.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.notary.server.serviceAccountName }} - serviceAccountName: {{ .Values.notary.server.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: notary-server - image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} -{{- if .Values.notary.server.resources }} - resources: -{{ toYaml .Values.notary.server.resources | indent 10 }} -{{- end }} - env: - - name: MIGRATIONS_PATH - value: migrations/server/postgresql - - name: DB_URL - value: {{ template "harbor.database.notaryServer" . }} - volumeMounts: - - name: config - mountPath: /etc/notary/server-config.postgres.json - subPath: server.json - - name: token-service-certificate - mountPath: /root.crt - subPath: tls.crt - - name: signer-certificate - mountPath: /etc/ssl/notary/ca.crt - subPath: ca.crt - volumes: - - name: config - secret: - secretName: "{{ template "harbor.notary-server" . }}" - - name: token-service-certificate - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - - name: signer-certificate - secret: - {{- if .Values.notary.secretName }} - secretName: {{ .Values.notary.secretName }} - {{- else }} - secretName: {{ template "harbor.notary-server" . }} - {{- end }} - {{- with .Values.notary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} diff --git a/charts/harbor/templates/notary-signer.yaml b/charts/harbor/templates/notary-signer.yaml deleted file mode 100644 index 9cf1a308..00000000 --- a/charts/harbor/templates/notary-signer.yaml +++ /dev/null @@ -1,80 +0,0 @@ -{{ if .Values.notary.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.notary-signer" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary-signer -spec: - replicas: {{ .Values.notary.signer.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: notary-signer - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: notary-signer - annotations: - checksum/secret: {{ print "notary-secret.yaml" . | sha256sum }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.notary.signer.serviceAccountName }} - serviceAccountName: {{ .Values.notary.signer.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: notary-signer - image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} -{{- if .Values.notary.signer.resources }} - resources: -{{ toYaml .Values.notary.signer.resources | indent 10 }} -{{- end }} - env: - - name: MIGRATIONS_PATH - value: migrations/signer/postgresql - - name: DB_URL - value: {{ template "harbor.database.notarySigner" . }} - - name: NOTARY_SIGNER_DEFAULTALIAS - value: defaultalias - volumeMounts: - - name: config - mountPath: /etc/notary/signer-config.postgres.json - subPath: signer.json - - name: signer-certificate - mountPath: /etc/ssl/notary/tls.crt - subPath: tls.crt - - name: signer-certificate - mountPath: /etc/ssl/notary/tls.key - subPath: tls.key - volumes: - - name: config - secret: - secretName: "{{ template "harbor.notary-server" . }}" - - name: signer-certificate - secret: - {{- if .Values.notary.secretName }} - secretName: {{ .Values.notary.secretName }} - {{- else }} - secretName: {{ template "harbor.notary-server" . }} - {{- end }} - {{- with .Values.notary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} diff --git a/charts/harbor/templates/notary-svc.yaml b/charts/harbor/templates/notary-svc.yaml deleted file mode 100644 index f02ba3c1..00000000 --- a/charts/harbor/templates/notary-svc.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{ if .Values.notary.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: -{{- if (eq .Values.expose.ingress.controller "gce") }} - type: NodePort -{{- end }} - ports: - - port: 4443 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: notary-server - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.notary-signer" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 7899 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: notary-signer -{{ end }} \ No newline at end of file diff --git a/charts/harbor/templates/portal-svc.yaml b/charts/harbor/templates/portal-svc.yaml deleted file mode 100644 index a87fa567..00000000 --- a/charts/harbor/templates/portal-svc.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.portal.servicePort" . }} - targetPort: {{ template "harbor.portal.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: portal diff --git a/charts/harbor/templates/redis-ss.yaml b/charts/harbor/templates/redis-ss.yaml deleted file mode 100644 index be710afe..00000000 --- a/charts/harbor/templates/redis-ss.yaml +++ /dev/null @@ -1,99 +0,0 @@ -{{- if eq .Values.redis.type "internal" -}} -{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "harbor.redis" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: redis -spec: - replicas: 1 - serviceName: {{ template "harbor.redis" . }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: redis - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: redis -{{- if .Values.redis.podAnnotations }} - annotations: -{{ toYaml .Values.redis.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 999 -{{- if .Values.redis.internal.serviceAccountName }} - serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: redis - image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - tcpSocket: - port: 6379 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 6379 - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.redis.internal.resources }} - resources: -{{ toYaml .Values.redis.internal.resources | indent 10 }} -{{- end }} - volumeMounts: - - name: data - mountPath: /var/lib/redis - subPath: {{ $redis.subPath }} - {{- if not .Values.persistence.enabled }} - volumes: - - name: data - emptyDir: {} - {{- else if $redis.existingClaim }} - volumes: - - name: data - persistentVolumeClaim: - claimName: {{ $redis.existingClaim }} - {{- end -}} - {{- with .Values.redis.internal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.redis.internal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.redis.internal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $redis.accessMode | quote }}] - {{- if $redis.storageClass }} - {{- if (eq "-" $redis.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $redis.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $redis.size | quote }} - {{- end -}} - {{- end -}} diff --git a/charts/harbor/templates/redis-svc.yaml b/charts/harbor/templates/redis-svc.yaml deleted file mode 100644 index 79c95c3e..00000000 --- a/charts/harbor/templates/redis-svc.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if eq .Values.redis.type "internal" -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.redis" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 6379 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: redis -{{- end -}} \ No newline at end of file diff --git a/charts/harbor/templates/registry-cm.yaml b/charts/harbor/templates/registry-cm.yaml deleted file mode 100644 index 1a35f1da..00000000 --- a/charts/harbor/templates/registry-cm.yaml +++ /dev/null @@ -1,224 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - version: 0.1 - log: - {{- if eq .Values.logLevel "warning" }} - level: warn - {{- else if eq .Values.logLevel "fatal" }} - level: error - {{- else }} - level: {{ .Values.logLevel }} - {{- end }} - fields: - service: registry - storage: - {{- $storage := .Values.persistence.imageChartStorage }} - {{- $type := $storage.type }} - {{- if eq $type "filesystem" }} - filesystem: - rootdirectory: {{ $storage.filesystem.rootdirectory }} - {{- if $storage.filesystem.maxthreads }} - maxthreads: {{ $storage.filesystem.maxthreads }} - {{- end }} - {{- else if eq $type "azure" }} - azure: - accountname: {{ $storage.azure.accountname }} - container: {{ $storage.azure.container }} - {{- if $storage.azure.realm }} - realm: {{ $storage.azure.realm }} - {{- end }} - {{- else if eq $type "gcs" }} - gcs: - bucket: {{ $storage.gcs.bucket }} - keyfile: /etc/registry/gcs-key.json - {{- if $storage.gcs.rootdirectory }} - rootdirectory: {{ $storage.gcs.rootdirectory }} - {{- end }} - {{- if $storage.gcs.chunksize }} - chunksize: {{ $storage.gcs.chunksize }} - {{- end }} - {{- else if eq $type "s3" }} - s3: - region: {{ $storage.s3.region }} - bucket: {{ $storage.s3.bucket }} - {{- if $storage.s3.regionendpoint }} - regionendpoint: {{ $storage.s3.regionendpoint }} - {{- end }} - {{- if $storage.s3.encrypt }} - encrypt: {{ $storage.s3.encrypt }} - {{- end }} - {{- if $storage.s3.keyid }} - keyid: {{ $storage.s3.keyid }} - {{- end }} - {{- if $storage.s3.secure }} - secure: {{ $storage.s3.secure }} - {{- end }} - {{- if and $storage.s3.secure $storage.s3.skipverify }} - skipverify: {{ $storage.s3.skipverify }} - {{- end }} - {{- if $storage.s3.v4auth }} - v4auth: {{ $storage.s3.v4auth }} - {{- end }} - {{- if $storage.s3.chunksize }} - chunksize: {{ $storage.s3.chunksize }} - {{- end }} - {{- if $storage.s3.rootdirectory }} - rootdirectory: {{ $storage.s3.rootdirectory }} - {{- end }} - {{- if $storage.s3.storageclass }} - storageclass: {{ $storage.s3.storageclass }} - {{- end }} - {{- if $storage.s3.multipartcopychunksize }} - multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} - {{- end }} - {{- if $storage.s3.multipartcopymaxconcurrency }} - multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} - {{- end }} - {{- if $storage.s3.multipartcopythresholdsize }} - multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} - {{- end }} - {{- else if eq $type "swift" }} - swift: - authurl: {{ $storage.swift.authurl }} - username: {{ $storage.swift.username }} - container: {{ $storage.swift.container }} - {{- if $storage.swift.region }} - region: {{ $storage.swift.region }} - {{- end }} - {{- if $storage.swift.tenant }} - tenant: {{ $storage.swift.tenant }} - {{- end }} - {{- if $storage.swift.tenantid }} - tenantid: {{ $storage.swift.tenantid }} - {{- end }} - {{- if $storage.swift.domain }} - domain: {{ $storage.swift.domain }} - {{- end }} - {{- if $storage.swift.domainid }} - domainid: {{ $storage.swift.domainid }} - {{- end }} - {{- if $storage.swift.trustid }} - trustid: {{ $storage.swift.trustid }} - {{- end }} - {{- if $storage.swift.insecureskipverify }} - insecureskipverify: {{ $storage.swift.insecureskipverify }} - {{- end }} - {{- if $storage.swift.chunksize }} - chunksize: {{ $storage.swift.chunksize }} - {{- end }} - {{- if $storage.swift.prefix }} - prefix: {{ $storage.swift.prefix }} - {{- end }} - {{- if $storage.swift.authversion }} - authversion: {{ $storage.swift.authversion }} - {{- end }} - {{- if $storage.swift.endpointtype }} - endpointtype: {{ $storage.swift.endpointtype }} - {{- end }} - {{- if $storage.swift.tempurlcontainerkey }} - tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} - {{- end }} - {{- if $storage.swift.tempurlmethods }} - tempurlmethods: {{ $storage.swift.tempurlmethods }} - {{- end }} - {{- else if eq $type "oss" }} - oss: - accesskeyid: {{ $storage.oss.accesskeyid }} - region: {{ $storage.oss.region }} - bucket: {{ $storage.oss.bucket }} - {{- if $storage.oss.endpoint }} - endpoint: {{ $storage.oss.endpoint }} - {{- end }} - {{- if $storage.oss.internal }} - internal: {{ $storage.oss.internal }} - {{- end }} - {{- if $storage.oss.encrypt }} - encrypt: {{ $storage.oss.encrypt }} - {{- end }} - {{- if $storage.oss.secure }} - secure: {{ $storage.oss.secure }} - {{- end }} - {{- if $storage.oss.chunksize }} - chunksize: {{ $storage.oss.chunksize }} - {{- end }} - {{- if $storage.oss.rootdirectory }} - rootdirectory: {{ $storage.oss.rootdirectory }} - {{- end }} - {{- end }} - cache: - layerinfo: redis - maintenance: - uploadpurging: - enabled: false - delete: - enabled: true - redirect: - disable: {{ $storage.disableredirect }} - redis: - addr: {{ template "harbor.redis.addr" . }} - {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} - sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} - {{- end }} - db: {{ template "harbor.redis.dbForRegistry" . }} - password: {{ template "harbor.redis.password" . }} - readtimeout: 10s - writetimeout: 10s - dialtimeout: 10s - http: - addr: :{{ template "harbor.registry.containerPort" . }} - relativeurls: {{ .Values.registry.relativeurls }} - {{- if .Values.internalTLS.enabled }} - tls: - certificate: /etc/harbor/ssl/registry/tls.crt - key: /etc/harbor/ssl/registry/tls.key - minimumtls: tls1.2 - {{- end }} - # set via environment variable - # secret: placeholder - debug: - addr: localhost:5001 - auth: - htpasswd: - realm: harbor-registry-basic-realm - path: /etc/registry/passwd - validation: - disabled: true - compatibility: - schema1: - enabled: true - - {{- if .Values.registry.middleware.enabled }} - {{- $middleware := .Values.registry.middleware }} - {{- $middlewareType := $middleware.type }} - {{- if eq $middlewareType "cloudFront" }} - middleware: - storage: - - name: cloudfront - options: - baseurl: {{ $middleware.cloudFront.baseurl }} - privatekey: /etc/registry/pk.pem - keypairid: {{ $middleware.cloudFront.keypairid }} - duration: {{ $middleware.cloudFront.duration }} - ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} - {{- end }} - {{- end }} - ctl-config.yml: |+ - --- - {{- if .Values.internalTLS.enabled }} - protocol: "https" - port: 8443 - https_config: - cert: "/etc/harbor/ssl/registry/tls.crt" - key: "/etc/harbor/ssl/registry/tls.key" - {{- else }} - protocol: "http" - port: 8080 - {{- end }} - log_level: {{ .Values.logLevel }} - registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/templates/registry-dpl.yaml b/charts/harbor/templates/registry-dpl.yaml deleted file mode 100644 index f42f24bf..00000000 --- a/charts/harbor/templates/registry-dpl.yaml +++ /dev/null @@ -1,272 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: registry -spec: - replicas: {{ .Values.registry.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: registry - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: registry - annotations: - checksum/configmap: {{ print "registry-cm.yaml" . | sha256sum }} - checksum/secret: {{ print "registry-secret.yaml" . | sha256sum }} - checksum/secret-jobservice: {{ print "jobservice-secrets.yaml" . | sha256sum }} - checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ print "registry-tls.yaml" . | sha256sum }} -{{- end }} -{{- if .Values.registry.podAnnotations }} -{{ toYaml .Values.registry.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.registry.serviceAccountName }} - serviceAccountName: {{ .Values.registry.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: registry - image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registry.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registry.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.registry.registry.resources }} - resources: -{{ toYaml .Values.registry.registry.resources | indent 10 }} -{{- end }} - args: ["serve", "/etc/registry/config.yml"] - envFrom: - - secretRef: - name: "{{ template "harbor.registry" . }}" - env: - {{- if has "registry" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/registry/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/registry/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/registry/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.registry.containerPort" . }} - - containerPort: 5001 - volumeMounts: - - name: registry-data - mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} - subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} - - name: registry-root-certificate - mountPath: /etc/registry/root.crt - subPath: tls.crt - - name: registry-htpasswd - mountPath: /etc/registry/passwd - subPath: passwd - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - mountPath: /etc/harbor/ssl/registry - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/registry/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if .Values.registry.middleware.enabled }} - {{- if eq .Values.registry.middleware.type "cloudFront" }} - - name: cloudfront-key - mountPath: /etc/registry/pk.pem - subPath: pk.pem - {{- end }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - - name: registryctl - image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: /api/health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registryctl.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registryctl.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.registry.controller.resources }} - resources: -{{ toYaml .Values.registry.controller.resources | indent 10 }} -{{- end }} - envFrom: - - secretRef: - name: "{{ template "harbor.registry" . }}" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.jobservice" . }} - key: JOBSERVICE_SECRET - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/registry/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/registry/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/registry/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.registryctl.containerPort" . }} - volumeMounts: - - name: registry-data - mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} - subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: registry-config - mountPath: /etc/registryctl/config.yml - subPath: ctl-config.yml - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - mountPath: /etc/harbor/ssl/registry - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/registry/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: registry-htpasswd - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: REGISTRY_HTPASSWD - path: passwd - - name: registry-root-certificate - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - - name: registry-config - configMap: - name: "{{ template "harbor.registry" . }}" - - name: registry-data - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.registry.secretName" . }} - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: GCS_KEY_DATA - path: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - secret: - secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} - {{- end }} - {{- if .Values.registry.middleware.enabled }} - {{- if eq .Values.registry.middleware.type "cloudFront" }} - - name: cloudfront-key - secret: - secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} - items: - - key: CLOUDFRONT_KEY_DATA - path: pk.pem - {{- end }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.registry.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/charts/harbor/templates/registry-pvc.yaml b/charts/harbor/templates/registry-pvc.yaml deleted file mode 100644 index e7f11cd6..00000000 --- a/charts/harbor/templates/registry-pvc.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.persistence.enabled }} -{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} -{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.registry" . }} - {{- if eq .Values.persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: registry -spec: - accessModes: - - {{ $registry.accessMode }} - resources: - requests: - storage: {{ $registry.size }} - {{- if $registry.storageClass }} - {{- if eq "-" $registry.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $registry.storageClass }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/harbor/templates/registry-secret.yaml b/charts/harbor/templates/registry-secret.yaml deleted file mode 100644 index 96ad7b91..00000000 --- a/charts/harbor/templates/registry-secret.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }} - REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} - REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }} - {{- $storage := .Values.persistence.imageChartStorage }} - {{- $type := $storage.type }} - {{- if eq $type "azure" }} - REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} - {{- else if eq $type "gcs" }} - GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} - {{- else if eq $type "s3" }} - {{- if $storage.s3.accesskey }} - REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} - {{- end }} - {{- if $storage.s3.secretkey }} - REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} - {{- end }} - {{- else if eq $type "swift" }} - REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} - {{- if $storage.swift.secretkey }} - REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} - {{- end }} - {{- if $storage.swift.accesskey }} - REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} - {{- end }} - {{- else if eq $type "oss" }} - REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} - {{- end }} diff --git a/charts/harbor/templates/registry-svc.yaml b/charts/harbor/templates/registry-svc.yaml deleted file mode 100644 index d6d3b312..00000000 --- a/charts/harbor/templates/registry-svc.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: registry - port: {{ template "harbor.registry.servicePort" . }} - - name: controller - port: {{ template "harbor.registryctl.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: registry \ No newline at end of file diff --git a/charts/harbor/templates/registry-tls.yaml b/charts/harbor/templates/registry-tls.yaml deleted file mode 100644 index 9d1862c4..00000000 --- a/charts/harbor/templates/registry-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.registry.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/harbor/templates/tests/pod-helm-test.yaml b/charts/harbor/templates/tests/pod-helm-test.yaml deleted file mode 100644 index 3b6ad0a3..00000000 --- a/charts/harbor/templates/tests/pod-helm-test.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{/* -Test that the API is up and the health endpoint returns a 2XX code */}} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: Pod -metadata: - name: "{{.Release.Name}}-test" - annotations: - "helm.sh/hook": "test-success" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: core -spec: - securityContext: - fsGroup: 10000 - restartPolicy: Never - containers: - - name: harbor-helm-tests - env: - - name: 'CORE_URL' - value: {{ template "harbor.coreURL" . }} - image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - command: ["/bin/bash", "-c", "curl -v -k -X GET --fail ${CORE_URL}/api/v2.0/health"] - {{- with .Values.core.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} -... diff --git a/charts/harbor/templates/tls.yaml b/charts/harbor/templates/tls.yaml deleted file mode 100644 index de63f4e8..00000000 --- a/charts/harbor/templates/tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.portal.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} -{{- end }} -{{- end }} diff --git a/charts/harbor/templates/trivy-secret.yaml b/charts/harbor/templates/trivy-secret.yaml deleted file mode 100644 index 84652c74..00000000 --- a/charts/harbor/templates/trivy-secret.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.trivy.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.trivy" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} - gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} -{{- end }} diff --git a/charts/harbor/templates/trivy-sts.yaml b/charts/harbor/templates/trivy-sts.yaml deleted file mode 100644 index 864c8132..00000000 --- a/charts/harbor/templates/trivy-sts.yaml +++ /dev/null @@ -1,194 +0,0 @@ -{{- if .Values.trivy.enabled }} -{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "harbor.trivy" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: trivy -spec: - replicas: {{ .Values.trivy.replicas }} - serviceName: {{ template "harbor.trivy" . }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: trivy - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: trivy - annotations: - checksum/secret: {{ print "trivy-secret.yaml" . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ print "trivy-tls.yaml" . | sha256sum }} -{{- end }} -{{- if .Values.trivy.podAnnotations }} -{{ toYaml .Values.trivy.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} -{{- if .Values.trivy.serviceAccountName }} - serviceAccountName: {{ .Values.trivy.serviceAccountName }} -{{- end }} - securityContext: - runAsNonRoot: true - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: trivy - image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - securityContext: - privileged: false - allowPrivilegeEscalation: false - env: - {{- if has "trivy" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - - name: "SCANNER_LOG_LEVEL" - value: {{ .Values.logLevel | quote }} - - name: "SCANNER_TRIVY_CACHE_DIR" - value: "/home/scanner/.cache/trivy" - - name: "SCANNER_TRIVY_REPORTS_DIR" - value: "/home/scanner/.cache/reports" - - name: "SCANNER_TRIVY_DEBUG_MODE" - value: {{ .Values.trivy.debugMode | quote }} - - name: "SCANNER_TRIVY_VULN_TYPE" - value: {{ .Values.trivy.vulnType | quote }} - - name: "SCANNER_TRIVY_GITHUB_TOKEN" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: gitHubToken - - name: "SCANNER_TRIVY_SEVERITY" - value: {{ .Values.trivy.severity | quote }} - - name: "SCANNER_TRIVY_IGNORE_UNFIXED" - value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} - - name: "SCANNER_TRIVY_SKIP_UPDATE" - value: {{ .Values.trivy.skipUpdate | default false | quote }} - - name: "SCANNER_TRIVY_INSECURE" - value: {{ .Values.trivy.insecure | default false | quote }} - - name: SCANNER_API_SERVER_ADDR - value: ":{{ template "harbor.trivy.containerPort" . }}" - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: SCANNER_API_SERVER_TLS_KEY - value: /etc/harbor/ssl/trivy/tls.key - - name: SCANNER_API_SERVER_TLS_CERTIFICATE - value: /etc/harbor/ssl/trivy/tls.crt - {{- end }} - - name: "SCANNER_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - - name: "SCANNER_STORE_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - - name: "SCANNER_JOB_QUEUE_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - ports: - - name: api-server - containerPort: {{ template "harbor.trivy.containerPort" . }} - volumeMounts: - - name: data - mountPath: /home/scanner/.cache - subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} - readOnly: false - {{- if .Values.internalTLS.enabled }} - - name: trivy-internal-certs - mountPath: /etc/harbor/ssl/trivy - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 10 }} - {{- end }} - livenessProbe: - httpGet: - scheme: {{ include "harbor.component.scheme" . | upper }} - path: /probe/healthy - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - readinessProbe: - httpGet: - scheme: {{ include "harbor.component.scheme" . | upper }} - path: /probe/ready - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: -{{ toYaml .Values.trivy.resources | indent 12 }} - {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} - volumes: - {{- if .Values.internalTLS.enabled }} - - name: trivy-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- if not .Values.persistence.enabled }} - - name: "data" - emptyDir: {} - {{- else if $trivy.existingClaim }} - - name: "data" - persistentVolumeClaim: - claimName: {{ $trivy.existingClaim }} - {{- end }} - {{- end }} - {{- with .Values.trivy.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.trivy.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.trivy.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $trivy.accessMode | quote }}] - {{- if $trivy.storageClass }} - {{- if (eq "-" $trivy.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $trivy.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $trivy.size | quote }} -{{- end }} -{{- end }} diff --git a/charts/harbor/templates/trivy-svc.yaml b/charts/harbor/templates/trivy-svc.yaml deleted file mode 100644 index 7dac6708..00000000 --- a/charts/harbor/templates/trivy-svc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{ if .Values.trivy.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.trivy" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: api-server - protocol: TCP - port: {{ template "harbor.trivy.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: trivy -{{ end }} diff --git a/charts/harbor/templates/trivy-tls.yaml b/charts/harbor/templates/trivy-tls.yaml deleted file mode 100644 index a9c8330c..00000000 --- a/charts/harbor/templates/trivy-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} -{{- end }} -{{- end }} diff --git a/charts/harbor/values.yaml b/charts/harbor/values.yaml deleted file mode 100644 index a4ce7a11..00000000 --- a/charts/harbor/values.yaml +++ /dev/null @@ -1,743 +0,0 @@ -expose: - # Set the way how to expose the service. Set the type as "ingress", - # "clusterIP", "nodePort" or "loadBalancer" and fill the information - # in the corresponding section - type: ingress - tls: - # Enable the tls or not. Note: if the type is "ingress" and the tls - # is disabled, the port must be included in the command when pull/push - # images. Refer to https://github.com/goharbor/harbor/issues/5291 - # for the detail. - enabled: true - # The source of the tls certificate. Set it as "auto", "secret" - # or "none" and fill the information in the corresponding section - # 1) auto: generate the tls certificate automatically - # 2) secret: read the tls certificate from the specified secret. - # The tls certificate can be generated manually or by cert manager - # 3) none: configure no tls certificate for the ingress. If the default - # tls certificate is configured in the ingress controller, choose this option - certSource: auto - auto: - # The common name used to generate the certificate, it's necessary - # when the type isn't "ingress" - commonName: "" - secret: - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - secretName: "" - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # Only needed when the "expose.type" is "ingress". - notarySecretName: "" - ingress: - hosts: - core: core.harbor.domain - notary: notary.harbor.domain - # set to the type of ingress controller if it has specific requirements. - # leave as `default` for most ingress controllers. - # set to `gce` if using the GCE ingress controller - # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller - controller: default - annotations: - ingress.kubernetes.io/ssl-redirect: "true" - ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - clusterIP: - # The name of ClusterIP service - name: harbor - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - nodePort: - # The name of NodePort service - name: harbor - ports: - http: - # The service port Harbor listens on when serving with HTTP - port: 80 - # The node port Harbor listens on when serving with HTTP - nodePort: 30002 - https: - # The service port Harbor listens on when serving with HTTPS - port: 443 - # The node port Harbor listens on when serving with HTTPS - nodePort: 30003 - # Only needed when notary.enabled is set to true - notary: - # The service port Notary listens on - port: 4443 - # The node port Notary listens on - nodePort: 30004 - loadBalancer: - # The name of LoadBalancer service - name: harbor - # Set the IP if the LoadBalancer supports assigning IP - IP: "" - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - annotations: {} - sourceRanges: [] - -# The external URL for Harbor core service. It is used to -# 1) populate the docker/helm commands showed on portal -# 2) populate the token service URL returned to docker/notary client -# -# Format: protocol://domain[:port]. Usually: -# 1) if "expose.type" is "ingress", the "domain" should be -# the value of "expose.ingress.hosts.core" -# 2) if "expose.type" is "clusterIP", the "domain" should be -# the value of "expose.clusterIP.name" -# 3) if "expose.type" is "nodePort", the "domain" should be -# the IP address of k8s node -# -# If Harbor is deployed behind the proxy, set it as the URL of proxy -externalURL: https://core.harbor.domain - -# The internal TLS used for harbor components secure communicating. In order to enable https -# in each components tls cert files need to provided in advance. -internalTLS: - # If internal TLS enabled - enabled: false - # There are three ways to provide tls - # 1) "auto" will generate cert automatically - # 2) "manual" need provide cert file manually in following value - # 3) "secret" internal certificates from secret - certSource: "auto" - # The content of trust ca, only available when `certSource` is "manual" - trustCa: "" - # core related cert configuration - core: - # secret name for core's tls certs - secretName: "" - # Content of core's TLS cert file, only available when `certSource` is "manual" - crt: "" - # Content of core's TLS key file, only available when `certSource` is "manual" - key: "" - # jobservice related cert configuration - jobservice: - # secret name for jobservice's tls certs - secretName: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - key: "" - # registry related cert configuration - registry: - # secret name for registry's tls certs - secretName: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - key: "" - # portal related cert configuration - portal: - # secret name for portal's tls certs - secretName: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - key: "" - # chartmuseum related cert configuration - chartmuseum: - # secret name for chartmuseum's tls certs - secretName: "" - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - key: "" - # clair related cert configuration - clair: - # secret name for clair's tls certs - secretName: "" - # Content of clair's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of clair's TLS key file, only available when `certSource` is "manual" - key: "" - # trivy related cert configuration - trivy: - # secret name for trivy's tls certs - secretName: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - key: "" - -# The persistence is enabled by default and a default StorageClass -# is needed in the k8s cluster to provision volumes dynamicly. -# Specify another StorageClass in the "storageClass" or set "existingClaim" -# if you have already existing persistent volumes to use -# -# For storing images and charts, you can also use "azure", "gcs", "s3", -# "swift" or "oss". Set it in the "imageChartStorage" section -persistence: - enabled: true - # Setting it to "keep" to avoid removing PVCs during a helm delete - # operation. Leaving it empty will delete PVCs after the chart deleted - # (this does not apply for PVCs that are created for internal database - # and redis components, i.e. they are never deleted automatically) - resourcePolicy: "keep" - persistentVolumeClaim: - registry: - # Use the existing PVC which must be created manually before bound, - # and specify the "subPath" if the PVC is shared with other components - existingClaim: "" - # Specify the "storageClass" used to provision the volume. Or the default - # StorageClass will be used(the default). - # Set it to "-" to disable dynamic provisioning - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - # If external database is used, the following settings for database will - # be ignored - database: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - # If external Redis is used, the following settings for Redis will - # be ignored - redis: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - # Define which storage backend is used for registry and chartmuseum to store - # images and charts. Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage - # for the detail. - imageChartStorage: - # Specify whether to disable `redirect` for images and chart storage, for - # backends which not supported it (such as using minio for `s3` storage type), please disable - # it. To disable redirects, simply set `disableredirect` to `true` instead. - # Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect - # for the detail. - disableredirect: false - # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. - # The secret must contain keys named "ca.crt" which will be injected into the trust store - # of registry's and chartmuseum's containers. - # caBundleSecretName: - - # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", - # "oss" and fill the information needed in the corresponding section. The type - # must be "filesystem" if you want to use persistent volumes for registry - # and chartmuseum - type: filesystem - filesystem: - rootdirectory: /storage - #maxthreads: 100 - azure: - accountname: accountname - accountkey: base64encodedaccountkey - container: containername - #realm: core.windows.net - gcs: - bucket: bucketname - # The base64 encoded json file which contains the key - encodedkey: base64-encoded-json-key-file - #rootdirectory: /gcs/object/name/prefix - #chunksize: "5242880" - s3: - region: us-west-1 - bucket: bucketname - #accesskey: awsaccesskey - #secretkey: awssecretkey - #regionendpoint: http://myobjects.local - #encrypt: false - #keyid: mykeyid - #secure: true - #skipverify: false - #v4auth: true - #chunksize: "5242880" - #rootdirectory: /s3/object/name/prefix - #storageclass: STANDARD - #multipartcopychunksize: "33554432" - #multipartcopymaxconcurrency: 100 - #multipartcopythresholdsize: "33554432" - swift: - authurl: https://storage.myprovider.com/v3/auth - username: username - password: password - container: containername - #region: fr - #tenant: tenantname - #tenantid: tenantid - #domain: domainname - #domainid: domainid - #trustid: trustid - #insecureskipverify: false - #chunksize: 5M - #prefix: - #secretkey: secretkey - #accesskey: accesskey - #authversion: 3 - #endpointtype: public - #tempurlcontainerkey: false - #tempurlmethods: - oss: - accesskeyid: accesskeyid - accesskeysecret: accesskeysecret - region: regionname - bucket: bucketname - #endpoint: endpoint - #internal: false - #encrypt: false - #secure: true - #chunksize: 10M - #rootdirectory: rootdirectory - -imagePullPolicy: IfNotPresent - -# Use this set to assign a list of default pullSecrets -imagePullSecrets: -# - name: docker-registry-secret -# - name: internal-registry-secret - -# The update strategy for deployments with persistent volumes(jobservice, registry -# and chartmuseum): "RollingUpdate" or "Recreate" -# Set it as "Recreate" when "RWM" for volumes isn't supported -updateStrategy: - type: RollingUpdate - -# debug, info, warning, error or fatal -logLevel: info - -# The initial password of Harbor admin. Change it from portal after launching Harbor -harborAdminPassword: "Harbor12345" - -# The name of the secret which contains key named "ca.crt". Setting this enables the -# download link on portal to download the certificate of CA when the certificate isn't -# generated automatically -caSecretName: "" - -# The secret key used for encryption. Must be a string of 16 chars. -secretKey: "not-a-secure-key" - -# The proxy settings for updating clair vulnerabilities from the Internet and replicating -# artifacts from/to the registries that cannot be reached directly -proxy: - httpProxy: - httpsProxy: - noProxy: 127.0.0.1,localhost,.local,.internal - components: - - core - - jobservice - - clair - - trivy - -# The custom ca bundle secret, the secret must contain key named "ca.crt" -# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components -# caBundleSecretName: "" - -## UAA Authentication Options -# If you're using UAA for authentication behind a self-signed -# certificate you will need to provide the CA Cert. -# Set uaaSecretName below to provide a pre-created secret that -# contains a base64 encoded CA Certificate named `ca.crt`. -# uaaSecretName: - -# If expose the service via "ingress", the Nginx will not be used -nginx: - image: - repository: goharbor/nginx-photon - tag: dev - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -portal: - image: - repository: goharbor/harbor-portal - tag: dev - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -core: - image: - repository: goharbor/harbor-core - tag: dev - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - ## Liveness probe values - livenessProbe: - initialDelaySeconds: 300 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when core server communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate and private key for token encryption/decryption. - # The secret must contain keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # The default key pair will be used if it isn't set - secretName: "" - # The XSRF key. Will be generated automatically if it isn't specified - xsrfKey: "" - -jobservice: - image: - repository: goharbor/harbor-jobservice - tag: dev - replicas: 1 - # set the service account to be used, default if left empty - serviceAccountName: "" - maxJobWorkers: 10 - # The logger for jobs: "file", "database" or "stdout" - jobLogger: file - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when job service communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - -registry: - # set the service account to be used, default if left empty - serviceAccountName: "" - registry: - image: - repository: goharbor/registry-photon - tag: dev - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - controller: - image: - repository: goharbor/harbor-registryctl - tag: dev - - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used to secure the upload state from client - # and registry storage backend. - # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. - relativeurls: false - credentials: - username: "harbor_registry_user" - password: "harbor_registry_password" - # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash - # e.g. "htpasswd -nbBC10 $username $password" - htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m" - - middleware: - enabled: false - type: cloudFront - cloudFront: - baseurl: example.cloudfront.net - keypairid: KEYPAIRID - duration: 3000s - ipfilteredby: none - # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key - # that allows access to CloudFront - privateKeySecret: "my-secret" - -chartmuseum: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: "" - # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' - absoluteUrl: false - image: - repository: goharbor/chartmuseum-photon - tag: dev - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -clair: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: "" - clair: - image: - repository: goharbor/clair-photon - tag: dev - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - adapter: - image: - repository: goharbor/clair-adapter-photon - tag: dev - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - # The interval of clair updaters, the unit is hour, set to 0 to - # disable the updaters - updatersInterval: 12 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -trivy: - # enabled the flag to enable Trivy scanner - enabled: true - image: - # repository the repository for Trivy adapter image - repository: goharbor/trivy-adapter-photon - # tag the tag for Trivy adapter image - tag: dev - # set the service account to be used, default if left empty - serviceAccountName: "" - # replicas the number of Pod replicas - replicas: 1 - # debugMode the flag to enable Trivy debug mode with more verbose scanning log - debugMode: false - # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. - vulnType: "os,library" - # severity a comma-separated list of severities to be checked - severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - # ignoreUnfixed the flag to display only fixed vulnerabilities - ignoreUnfixed: false - # insecure the flag to skip verifying registry certificate - insecure: false - # gitHubToken the GitHub access token to download Trivy DB - # - # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. - # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached - # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update - # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. - # Currently, the database is updated every 12 hours and published as a new release to GitHub. - # - # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough - # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 - # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult - # https://developer.github.com/v3/#rate-limiting - # - # You can create a GitHub token by following the instructions in - # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line - gitHubToken: "" - # skipUpdate the flag to disable Trivy DB downloads from GitHub - # - # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. - # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the - # `/home/scanner/.cache/trivy/db/trivy.db` path. - skipUpdate: false - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -notary: - enabled: true - server: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/notary-server-photon - tag: dev - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - signer: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/notary-signer-photon - tag: dev - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate authority, certificate and private key for notary - # communications. - # The secret must contain keys named ca.crt, tls.crt and tls.key that - # contain the CA, certificate and private key. - # They will be generated if not set. - secretName: "" - -database: - # if external database is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/harbor-db - tag: dev - # The initial superuser password for internal database - password: "changeit" - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - host: "192.168.0.1" - port: "5432" - username: "user" - password: "password" - coreDatabase: "registry" - clairDatabase: "clair" - notaryServerDatabase: "notary_server" - notarySignerDatabase: "notary_signer" - # "disable" - No SSL - # "require" - Always SSL (skip verification) - # "verify-ca" - Always SSL (verify that the certificate presented by the - # server was signed by a trusted CA) - # "verify-full" - Always SSL (verify that the certification presented by the - # server was signed by a trusted CA and the server host name matches the one - # in the certificate) - sslmode: "disable" - # The maximum number of connections in the idle connection pool. - # If it <=0, no idle connections are retained. - maxIdleConns: 50 - # The maximum number of open connections to the database. - # If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgre of harbor. - maxOpenConns: 1000 - ## Additional deployment annotations - podAnnotations: {} - -redis: - # if external Redis is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/redis-photon - tag: dev - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - # support redis, redis+sentinel - # addr for redis: : - # addr for redis+sentinel: :,:,: - addr: "192.168.0.2:6379" - # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel - sentinelMasterSet: "" - # The "coreDatabaseIndex" must be "0" as the library Harbor - # used doesn't support configuring it - coreDatabaseIndex: "0" - jobserviceDatabaseIndex: "1" - registryDatabaseIndex: "2" - chartmuseumDatabaseIndex: "3" - clairAdapterIndex: "4" - trivyAdapterIndex: "5" - password: "" - ## Additional deployment annotations - podAnnotations: {} diff --git a/charts/harbor/values_overrides/default.yaml b/charts/harbor/values_overrides/default.yaml new file mode 100644 index 00000000..4332ecf2 --- /dev/null +++ b/charts/harbor/values_overrides/default.yaml @@ -0,0 +1,17 @@ +harborAdminPassword: Harbor12345 +secretKey: not-a-secure-key +externalURL: https://harbor-core.jarvis.local +expose: + ingress: + hosts: + core: harbor-core.jarvis.local + notary: harbor-notary.jarvis.local + annotations: + cert-manager.io/cluster-issuer: jarvis-ca-issuer + tls: + certSource: secret + secret: + secretName: harbor-core-tls + notarySecretName: harbor-notary-tls +internalTLS: + enabled: true \ No newline at end of file diff --git a/charts/harbor/values_overrides/storageclass.yaml b/charts/harbor/values_overrides/storageclass.yaml deleted file mode 100644 index e26eadee..00000000 --- a/charts/harbor/values_overrides/storageclass.yaml +++ /dev/null @@ -1,15 +0,0 @@ -persistence: - persistentVolumeClaim: - registry: - storageClass: nfs-provisioner - chartmuseum: - storageClass: nfs-provisioner - jobservice: - storageClass: nfs-provisioner - database: - storageClass: nfs-provisioner - size: 2Gi - redis: - storageClass: nfs-provisioner - trivy: - storageClass: nfs-provisioner diff --git a/charts/harbor/values_overrides/tls.yaml b/charts/harbor/values_overrides/tls.yaml deleted file mode 100644 index c02f3d84..00000000 --- a/charts/harbor/values_overrides/tls.yaml +++ /dev/null @@ -1,5 +0,0 @@ -expose: - tls: - enabled: false -internalTLS: - enabled: false diff --git a/charts/loki/values_overrides/default.yaml b/charts/loki/values_overrides/default.yaml new file mode 100644 index 00000000..32a3fe8b --- /dev/null +++ b/charts/loki/values_overrides/default.yaml @@ -0,0 +1,35 @@ +loki: + enabled: true + persistence: + enabled: true + ingress: + enabled: true + hosts: + - host: loki.jarvis.local + paths: ["/"] + annotations: + cert-manager.io/cluster-issuer: jarvis-ca-issuer + tls: + - secretName: lokistack-loki-tls + hosts: + - loki.jarvis.local + +promtail: + enabled: true + +grafana: + adminPassword: password + enabled: true + persistence: + enabled: true + ingress: + enabled: true + path: / + hosts: + - grafana.jarvis.local + annotations: + cert-manager.io/cluster-issuer: jarvis-ca-issuer + tls: + - secretName: lokistack-grafana-tls + hosts: + - grafana.jarvis.local \ No newline at end of file diff --git a/charts/loki/values_overrides/loki-stack.yaml b/charts/loki/values_overrides/loki-stack.yaml deleted file mode 100644 index 9214b498..00000000 --- a/charts/loki/values_overrides/loki-stack.yaml +++ /dev/null @@ -1,19 +0,0 @@ -loki: - enabled: true - ingress: - enabled: true - hosts: - - host: loki.jarvis.local - paths: ["/"] - public: true - annotations: - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "X-Frame-Options: deny"; - more_set_headers "X-XSS-Protection: 1; mode=block"; - nginx.ingress.kubernetes.io/rewrite-target: / - -promtail: - enabled: true - -grafana: - enabled: false diff --git a/charts/nfs/values_overrides/nfs.yaml b/charts/nfs/values_overrides/nfs.yaml deleted file mode 100644 index c203ab6b..00000000 --- a/charts/nfs/values_overrides/nfs.yaml +++ /dev/null @@ -1,5 +0,0 @@ -storage: - persistentVolumeClaim: - size: 10Gi - persistentVolumeClaim: - class_name: nfs-provisioner \ No newline at end of file diff --git a/charts/tekton-dashboard/.helmignore b/charts/tekton-dashboard/.helmignore index 50af0317..51ccab8d 100644 --- a/charts/tekton-dashboard/.helmignore +++ b/charts/tekton-dashboard/.helmignore @@ -1,22 +1 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +values_overrides \ No newline at end of file diff --git a/charts/tekton-dashboard/templates/deployment-dashboard.yaml b/charts/tekton-dashboard/templates/deployment-dashboard.yaml index 67edd734..32d5de90 100644 --- a/charts/tekton-dashboard/templates/deployment-dashboard.yaml +++ b/charts/tekton-dashboard/templates/deployment-dashboard.yaml @@ -30,7 +30,7 @@ spec: image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "tekton_dashboard" ) }} imagePullPolicy: {{ $.Values.images.pull.policy | quote }} args: - - --port={{ $.Values.params.endpoints.ports.web.port }} + - --port=8080 - --logout-url={{ $.Values.config.args.logout_url }} - --pipelines-namespace={{ $.Release.Namespace }} - --triggers-namespace={{ $.Release.Namespace }} @@ -49,19 +49,19 @@ spec: fieldPath: metadata.namespace ports: - name: web - containerPort: {{ $.Values.params.endpoints.ports.web.port }} + containerPort: 8080 readinessProbe: httpGet: - scheme: {{ $.Values.params.endpoints.ports.web.scheme | upper }} + scheme: HTTP path: /readiness - port: {{ $.Values.params.endpoints.ports.web.port }} + port: 8080 initialDelaySeconds: 15 periodSeconds: 10 livenessProbe: httpGet: - scheme: {{ $.Values.params.endpoints.ports.web.scheme | upper }} + scheme: HTTP path: /health - port: {{ $.Values.params.endpoints.ports.web.port }} + port: 8080 initialDelaySeconds: 50 periodSeconds: 20 timeoutSeconds: 5 diff --git a/charts/tekton-dashboard/templates/ingress-dashboard.yaml b/charts/tekton-dashboard/templates/ingress-dashboard.yaml new file mode 100644 index 00000000..cf870085 --- /dev/null +++ b/charts/tekton-dashboard/templates/ingress-dashboard.yaml @@ -0,0 +1,35 @@ +{{- define "ingress-dashboard" -}} +--- +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: {{ template "helpers.labels.fullname" $ }} + labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "dashboard") | nindent 4 }} + annotations: + {{- if and $.Values.params.endpoints.tls.enabled $.Values.params.endpoints.tls.issuer.enabled }} + {{- if $.Values.params.endpoints.tls.issuer.cluster }} + cert-manager.io/cluster-issuer: {{ $.Values.params.endpoints.tls.issuer.name }} + {{- else }} + cert-manager.io/issuer: {{ $.Values.params.endpoints.tls.issuer.name }} + {{- end }} + {{- end }} +spec: + rules: + - host: {{ $.Values.params.endpoints.hostname }} + http: + paths: + - backend: + serviceName: tekton-dashboard + servicePort: web + path: / + {{- if and $.Values.params.endpoints.tls.enabled }} + tls: + - hosts: + - {{ $.Values.params.endpoints.hostname }} + secretName: {{ $.Values.params.endpoints.tls.secret.name | default ( include "helpers.labels.fullname" $ ) }}-cert + {{- end }} +... +{{- end -}} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "ingress-dashboard" ) }} + + diff --git a/charts/tekton-dashboard/templates/service-dashboard.yaml b/charts/tekton-dashboard/templates/service-dashboard.yaml index 773c271c..1b704f3b 100644 --- a/charts/tekton-dashboard/templates/service-dashboard.yaml +++ b/charts/tekton-dashboard/templates/service-dashboard.yaml @@ -10,8 +10,7 @@ spec: ports: - name: web protocol: TCP - port: {{ $.Values.params.endpoints.ports.web.port }} - targetPort: {{ $.Values.params.endpoints.ports.web.port }} + port: 8080 ... {{- end -}} {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "service-deployment" ) }} diff --git a/charts/tekton-dashboard/values.yaml b/charts/tekton-dashboard/values.yaml index 09d1d058..18848514 100644 --- a/charts/tekton-dashboard/values.yaml +++ b/charts/tekton-dashboard/values.yaml @@ -27,9 +27,14 @@ node_labels: params: endpoints: - ports: - web: - port: 9097 - scheme: http + hostname: tekton.jarvis.local + tls: + enabled: false + issuer: + enabled: false + cluster: false + name: null + secret: + name: null over_rides: {} diff --git a/charts/tekton-dashboard/values_overrides/default.yaml b/charts/tekton-dashboard/values_overrides/default.yaml new file mode 100644 index 00000000..eb945103 --- /dev/null +++ b/charts/tekton-dashboard/values_overrides/default.yaml @@ -0,0 +1,8 @@ +params: + endpoints: + tls: + enabled: true + issuer: + enabled: true + cluster: true + name: jarvis-ca-issuer diff --git a/charts/tekton-pipelines/.helmignore b/charts/tekton-pipelines/.helmignore index 0e8a0eb3..51ccab8d 100644 --- a/charts/tekton-pipelines/.helmignore +++ b/charts/tekton-pipelines/.helmignore @@ -1,23 +1 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +values_overrides \ No newline at end of file diff --git a/charts/tekton-triggers/.helmignore b/charts/tekton-triggers/.helmignore index 50af0317..51ccab8d 100644 --- a/charts/tekton-triggers/.helmignore +++ b/charts/tekton-triggers/.helmignore @@ -1,22 +1 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +values_overrides \ No newline at end of file diff --git a/charts/tekton-triggers/templates/rolebinding-controller_admin.yaml b/charts/tekton-triggers/templates/rolebinding-controller_admin.yaml index f8a7965f..177be572 100644 --- a/charts/tekton-triggers/templates/rolebinding-controller_admin.yaml +++ b/charts/tekton-triggers/templates/rolebinding-controller_admin.yaml @@ -5,7 +5,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-triggers-controller-admin - namespace: tekton-pipelines + namespace: {{ $.Release.Namespace }} labels: app.kubernetes.io/instance: tekton-triggers app.kubernetes.io/part-of: tekton-triggers diff --git a/charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml b/charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml index b50464c2..8ecc6f48 100644 --- a/charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml +++ b/charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml @@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-triggers-webhook-admin - namespace: tekton-pipelines + namespace: {{ $.Release.Namespace }} labels: app.kubernetes.io/instance: tekton-triggers app.kubernetes.io/part-of: tekton-triggers diff --git a/doc/source/install/cicd/aio-detail.rst b/doc/source/install/cicd/aio-detail.rst deleted file mode 100644 index a0ddcb95..00000000 --- a/doc/source/install/cicd/aio-detail.rst +++ /dev/null @@ -1,37 +0,0 @@ -================== -All-In-One Details -================== - -Override-able Variables -======================= - -The all-in-one script provides a number of environment variables that users -can alter the behavior. - -- ``DEPLOY_K8S``. Default value: ``true``. Setting this value to ``false`` will - cause the script to not execute the Kubernetes deployment script. User is - expected to have a Kubernetes cluster running, with ``kubectl`` and ``helm`` - (version 3) available that interact with said cluster. -- **Namespaces**: the Kubernetes and helm namespaces the charts will deploy to. - - - ``TEKTON_NS``. Default value: ``tekton-pipelines``. - - ``HARBOR_NS``. Default value: ``harbor``. - - ``LOKI_NS``. Default value: ``loki-stack``. - - ``GRAFANA_NS``. Default value: ``grafana``. - - ``NFS_NS``. Default value: ``nfs``. - -- ``HARBOR_VERSION``. Default value: ``1.5.2``. The version of the upstream - goharbor helm chart is pinned to a specific version to avoid unintended - upgrade conflict. -- ``CHART_ROOT_PATH``. Default value: ``./charts`` This specify the path - of the charts. If this path is relative, it is relative the root - of the cloned repository. -- Chart installation override variables. The following are provided: - - - ``EXTRA_HELM_ARGS_NFS`` - - ``EXTRA_HELM_ARGS_HARBOR`` - - ``EXTRA_HELM_ARGS_TEKTON_PIPELINES`` - - ``EXTRA_HELM_ARGS_TEKTON_TRIGGERS`` - - ``EXTRA_HELM_ARGS_TEKTON_DASHBOARD`` - - ``EXTRA_HELM_ARGS_GRAFANA`` - - ``EXTRA_HELM_ARGS_LOKI_STACK`` diff --git a/doc/source/install/cicd/aio-proxy.rst b/doc/source/install/cicd/aio-proxy.rst deleted file mode 100644 index 15e540b2..00000000 --- a/doc/source/install/cicd/aio-proxy.rst +++ /dev/null @@ -1,38 +0,0 @@ -=============================== -All-In-One Behind HTTP(S) Proxy -=============================== - -.. note:: - If you are **not** deploying the All-In-One (AIO) behind a proxy, you - can skip this page. - -.. hint:: - Set the environment variables: ``HTTP_PROXY``, ``HTTPS_PROXY``, and ``NO_PROXY``. - -By default, AIO will use Google DNS Server IPs (``8.8.8.8`` and ``8.8.4.4``) -and will update ``/etc/resolv.conf`` as a result. If those IPs are blocked by -your proxy, running the AIO script will result in the inability to connect to -anything on the network. - -.. literalinclude:: ../../../../tools/gate/deploy-k8s.sh - :language: shell - :lines: 33-43 - :caption: ``resolv.conf`` setting - -In the case this is run behind a proxy, specifying the proxy informatin -in the environment variable ``$HTTP_PROXY`` will reserve the nameserver -in ``/etc/resolv.conf``. - -To ensure minikube has the appropriate proxy information, set the environment -variables: ``HTTP_PROXY``, ``HTTPS_PROXY``, and ``NO_PROXY`` with the -appropriate strings. Minikube would be started with the correct docker -environment variable set. - -.. literalinclude:: ../../../../tools/gate/deploy-k8s.sh - :language: shell - :lines: 112-118 - :caption: minikube proxy setting - -.. note:: - Depending on your specific proxy, ``https_proxy`` may be the same as ``http_proxy``. - Refer to your specific proxy documentation. diff --git a/doc/source/install/cicd/aio-quick-start.rst b/doc/source/install/cicd/aio-quick-start.rst deleted file mode 100644 index 5e0b441d..00000000 --- a/doc/source/install/cicd/aio-quick-start.rst +++ /dev/null @@ -1,115 +0,0 @@ -====================== -All-In-One Quick Start -====================== - -Initial Setup -============= - -It is strongly recommended that the following be performed in a virtual -machine (VM). - -Run AIO Setup Script -==================== - -Clone the `Airship Charts repository `_ by: - -.. code:: bash - - git clone https://opendev.org/airship/charts.git airship-charts - -Go into the directory and run: - -.. code:: bash - - ./tools/utils/aio-setup.sh - -.. note:: You can set ``DEPLOY_K8S`` environment variable to ``false`` if you - have a Kubernetes cluster and do not wish to deploy a new cluster when - running the script. - -.. note:: The script sets up a ``none``-driver minikube Kubernetes cluster and - installs a version 3 ``helm`` executable. If you want to use your own cluster - by setting ``DEPLOY_K8S`` to ``false``, you will need to ensure ``kubectl`` - and ``helm`` are available. - - -Script Completion -================= - -The script should deploy a minikube Kubernetes node with Calico support enabled. -Further, it should deploy the following charts into its respective namespace: - -+------------------------+-----------------------------+ -| Chart | Namespace | -+========================+=============================+ -| ``harbor`` | harbor | -+------------------------+-----------------------------+ -| ``tekton-pipelines`` | tekton-pipelines | -+------------------------+-----------------------------+ -| ``tekton-dashboard`` | tekton-pipelines | -+------------------------+-----------------------------+ -| ``tekton-triggers`` | tekton-pipelines | -+------------------------+-----------------------------+ -| ``nfs-provisioner`` | nfs | -+------------------------+-----------------------------+ -| ``grafana`` | grafana | -+------------------------+-----------------------------+ -| ``loki`` | loki-stack | -+------------------------+-----------------------------+ - -.. code:: bash - - $ helm ls -A - NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION - grafana grafana 1 2020-12-18 10:05:44.266366139 -0600 CST deployed grafana-6.1.15 7.3.3 - harbor harbor 1 2020-12-17 16:22:37.606705989 -0600 CST deployed harbor-1.5.2 2.1.2 - loki loki-stack 1 2020-12-18 10:04:17.473045347 -0600 CST deployed loki-stack-2.2.0 v2.0.0 - nfs-provisioner nfs 1 2020-12-17 16:22:34.450821264 -0600 CST deployed nfs-provisioner-0.1.1 v2.2.1 - tekton-dashboard tekton-pipelines 1 2020-12-17 16:22:42.038851986 -0600 CST deployed tekton-dashboard-0.1.0 v0.10.1 - tekton-pipelines tekton-pipelines 1 2020-12-17 16:22:39.78742555 -0600 CST deployed tekton-pipelines-0.1.0 v0.16.3 - tekton-triggers tekton-pipelines 1 2020-12-17 16:22:40.750189048 -0600 CST deployed tekton-triggers-0.1.0 v0.9.1 - -You can also inspect the pods and ensure they are all running: - -.. code:: bash - - $ kubectl get pod -A - NAMESPACE NAME READY STATUS RESTARTS AGE - grafana grafana-58485fc6d5-s45d6 1/1 Running 0 74s - harbor harbor-harbor-chartmuseum-5f7dccc958-kqq6n 1/1 Running 0 17h - harbor harbor-harbor-clair-b56498fcd-2tfl4 2/2 Running 4 17h - harbor harbor-harbor-core-7ccc475687-n9cbh 1/1 Running 0 17h - harbor harbor-harbor-database-0 1/1 Running 0 17h - harbor harbor-harbor-jobservice-ddc4f6b49-c9cdz 1/1 Running 0 17h - harbor harbor-harbor-notary-server-6fd6567fc8-nb7zf 1/1 Running 1 17h - harbor harbor-harbor-notary-signer-7895b57c78-gw2tm 1/1 Running 1 17h - harbor harbor-harbor-portal-7d69b5598f-mj99d 1/1 Running 0 17h - harbor harbor-harbor-redis-0 1/1 Running 0 17h - harbor harbor-harbor-registry-6755d8586b-p5mtp 2/2 Running 0 17h - harbor harbor-harbor-trivy-0 1/1 Running 0 17h - kube-system calico-kube-controllers-675b7c9569-lntn4 1/1 Running 0 3d19h - kube-system calico-node-kpt5k 1/1 Running 0 3d19h - kube-system coredns-f9fd979d6-zl5gp 1/1 Running 0 3d19h - kube-system etcd-minikube 1/1 Running 0 3d19h - kube-system kube-apiserver-minikube 1/1 Running 0 3d19h - kube-system kube-controller-manager-minikube 1/1 Running 0 3d19h - kube-system kube-proxy-pdpd9 1/1 Running 0 3d19h - kube-system kube-scheduler-minikube 1/1 Running 0 3d19h - kube-system storage-provisioner 1/1 Running 0 3d19h - loki-stack loki-0 1/1 Running 0 2m41s - loki-stack loki-promtail-lmh7s 1/1 Running 0 2m41s - nfs nfs-provisioner-7d749795c6-nbdzj 1/1 Running 0 17h - tekton-pipelines tekton-dashboard-5f8947b4cc-xhq4l 1/1 Running 0 17h - tekton-pipelines tekton-pipelines-controller-57866c7f56-4wkzt 1/1 Running 0 17h - tekton-pipelines tekton-pipelines-webhook-84c5494b44-cwmjx 1/1 Running 0 17h - tekton-pipelines tekton-triggers-controller-5f5dd8c885-jsv9k 1/1 Running 0 17h - tekton-pipelines tekton-triggers-webhook-55c6579868-8gcbf 1/1 Running 0 17h - -Testing -======= - -A basic suite of tests and helm tests can be executed by running: - -.. code:: bash - - ./tools/gate/pipelines/run-test.sh diff --git a/doc/source/install/cicd/index.rst b/doc/source/install/cicd/index.rst deleted file mode 100644 index 89e32a9e..00000000 --- a/doc/source/install/cicd/index.rst +++ /dev/null @@ -1,12 +0,0 @@ -CICD (Harbor, Tekton, Loki-Stack) -================================= - -Contents: - -.. toctree:: - :maxdepth: 2 - - aio-quick-start - aio-detail - aio-proxy - terms-and-def diff --git a/doc/source/install/cicd/terms-and-def.rst b/doc/source/install/cicd/terms-and-def.rst deleted file mode 100644 index 18357e88..00000000 --- a/doc/source/install/cicd/terms-and-def.rst +++ /dev/null @@ -1,18 +0,0 @@ -=========================== -Terminology and Definitions -=========================== - -This page defines terms and their definitions used in this document. - -.. list-table:: - :widths: 10 20 - :header-rows: 1 - - * - Term - - Definition - * - CI - - **Continuous Integration**. - * - Gerrit - - Gerrit is a free, web-based team code collaboration tool. Developers can review each - other's modifications on their source code using a Web browser and approve or reject those - changes. It integrates closely with Git. diff --git a/doc/source/install/index.rst b/doc/source/install/index.rst index 992a0fe7..1d55b66a 100644 --- a/doc/source/install/index.rst +++ b/doc/source/install/index.rst @@ -6,4 +6,4 @@ Installation :maxdepth: 2 :caption: Contents: - cicd/index + jarvis/index diff --git a/doc/source/install/jarvis/index.rst b/doc/source/install/jarvis/index.rst new file mode 100644 index 00000000..fd935e3b --- /dev/null +++ b/doc/source/install/jarvis/index.rst @@ -0,0 +1,11 @@ +Jarvis (Harbor, Tekton, Loki-Stack) +=================================== + +Contents: + +.. toctree:: + :maxdepth: 2 + + introduction + requirements-and-host-config + vagrant diff --git a/doc/source/install/jarvis/introduction.rst b/doc/source/install/jarvis/introduction.rst new file mode 100644 index 00000000..193c0ddc --- /dev/null +++ b/doc/source/install/jarvis/introduction.rst @@ -0,0 +1,12 @@ +=================== +Jarvis Introduction +=================== + +Scope +===== + +Tools +===== + +Examples +======== \ No newline at end of file diff --git a/doc/source/install/jarvis/requirements-and-host-config.rst b/doc/source/install/jarvis/requirements-and-host-config.rst new file mode 100644 index 00000000..f6225266 --- /dev/null +++ b/doc/source/install/jarvis/requirements-and-host-config.rst @@ -0,0 +1,45 @@ +=================================== +Requirements and Host Configuration +=================================== + +Overview +======== + +Below are some instructions and suggestions to help you get started with a All-in-One environment on Ubuntu 20.04. +Other supported versions of Linux can also be used, with the appropriate changes to package installation. + +Requirements +============ + +System Requirements +------------------- + +The recommended minimum system requirements for a full deployment are: + +- 8GB of RAM +- 4 Cores +- 48GB HDD + +This guide covers the minimum number of requirements to get started. + +All commands below should be run as a normal user, not as root. +Appropriate versions of Docker, Kubernetes, and Helm will be installed +by the scripts used below, so there's no need to install them ahead of time. + +.. warning:: By default the Calico CNI will use ``192.168.0.0/16`` and + Kubernetes services will use ``10.96.0.0/16`` as the CIDR for services. Check + that these CIDRs are not in use on the development node before proceeding, or + adjust as required. + +Host Configuration +------------------ + +Utilities on the hosts, need to be able to resolve kubernetes services correctly. +Ubuntu Desktop and some other distributions make use of ``mdns4_minimal`` which +does not operate as Kubernetes expects with its default TLD of ``.local``. To operate +as expected either change the ``hosts`` line in the ``/etc/nsswitch.conf``, or confirm +that it matches: + +.. code-block:: ini + + hosts: files dns \ No newline at end of file diff --git a/doc/source/install/jarvis/vagrant.rst b/doc/source/install/jarvis/vagrant.rst new file mode 100644 index 00000000..f00f3ec6 --- /dev/null +++ b/doc/source/install/jarvis/vagrant.rst @@ -0,0 +1,5 @@ +================== +Jarvis AIO Vagrant +================== + +A vagrant file is provided under `tools/deployment/vagrant`, running `vagrant up` from this directory should bring up and deploy a copy of the Jarvis AIO. \ No newline at end of file diff --git a/tools/deployment/common/env-variables.sh b/tools/deployment/common/env-variables.sh index f4f407f8..f86495a2 100755 --- a/tools/deployment/common/env-variables.sh +++ b/tools/deployment/common/env-variables.sh @@ -13,5 +13,5 @@ # under the License. set -e -export API_ADDR=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].addresses[0].ip') -export API_PORT=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].port') +export API_ADDR=$(kubectl get endpoints kubernetes -o 'jsonpath={.subsets[0].addresses[0].ip}') +export API_PORT=$(kubectl get endpoints kubernetes -o 'jsonpath={.subsets[0].ports[0].port}') diff --git a/tools/deployment/common/get-values-overrides.sh b/tools/deployment/common/get-values-overrides.sh index da8b1a45..c0496122 100755 --- a/tools/deployment/common/get-values-overrides.sh +++ b/tools/deployment/common/get-values-overrides.sh @@ -16,10 +16,13 @@ set -e HELM_CHART="$1" -: "${HELM_CHART_ROOT_PATH:="../charts/charts"}" +: "${HELM_CHART_ROOT_PATH:="./charts"}" : "${FEATURE_GATES:=""}" -CHARTS_FEATURE_MIX="${FEATURE_GATES}" +: "${CONTAINER_DISTRO_NAME:="default"}" +: "${CONTAINER_DISTRO_VERSION:="default"}" +CHARTS_FEATURE_MIX="${FEATURE_GATES} ${CONTAINER_DISTRO_NAME} ${CONTAINER_DISTRO_VERSION}" +values_location="$(mktemp -d)" function echoerr () { echo "$@" 1>&2; } @@ -57,10 +60,13 @@ function override_file_args () { echoerr "We will attempt to use values-override files with the following paths:" for FILE in $(combination ${1//,/ } | uniq | tac); do FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml" - if [ -f "${FILE_PATH}" ]; then replace_variables ${FILE_PATH} - OVERRIDE_ARGS+=" --values=${FILE_PATH} " + echoerr "${FILE_PATH}" + if [ -f "${FILE_PATH}" ]; then + file_location=$(mktemp -d --tmpdir="${values_location}") + cp ${FILE_PATH} ${file_location}/${FILE_PATH##*/} + replace_variables ${file_location}/${FILE_PATH##*/} + OVERRIDE_ARGS+=" --values=${file_location}/${FILE_PATH##*/} " fi - echoerr "${FILE_PATH}" done echo "${OVERRIDE_ARGS}" } diff --git a/tools/deployment/vagrant/Vagrantfile b/tools/deployment/vagrant/Vagrantfile new file mode 100644 index 00000000..d3eaec9c --- /dev/null +++ b/tools/deployment/vagrant/Vagrantfile @@ -0,0 +1,26 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.box = "generic/ubuntu2004" + + config.vm.synced_folder "../../../", "/airship_charts", type: '9p', disabled: false + + config.vm.provider "libvirt" do |libvirt| + libvirt.cpus = 4 + libvirt.memory = 8192 + end + + config.vm.provision "shell", inline: <<-SHELL + set -ex + cd /airship_charts/ + ./tools/gate/jarvis/050-setup-development-ca.sh + ./tools/gate/jarvis/100-deploy-k8s.sh + ./tools/gate/jarvis/200-deploy-support.sh + ./tools/gate/jarvis/300-deploy-loki.sh + ./tools/gate/jarvis/400-deploy-harbor.sh + ./tools/gate/jarvis/500-deploy-gerrit.sh + ./tools/gate/jarvis/600-deploy-tekton.sh + + SHELL +end diff --git a/tools/gate/deploy-k8s.sh b/tools/gate/deploy-k8s.sh index e56df34e..107c5535 100755 --- a/tools/gate/deploy-k8s.sh +++ b/tools/gate/deploy-k8s.sh @@ -1,16 +1,17 @@ #!/bin/bash - set -ex -: ${HELM_VERSION:="v3.4.2"} -: ${KUBE_VERSION:="v1.19.6"} -: ${MINIKUBE_VERSION:="v1.16.0"} -: ${CALICO_VERSION:="v3.17"} +: "${HELM_VERSION:="v3.4.2"}" +: "${KUBE_VERSION:="v1.19.6"}" +: "${MINIKUBE_VERSION:="v1.16.0"}" +: "${CALICO_VERSION:="v3.17"}" : "${HTTP_PROXY:=""}" : "${HTTPS_PROXY:=""}" : "${NO_PROXY:=""}" +: "${LOOPBACK_DOMAIN_TO_HOST:="jarvis.local"}" + export DEBCONF_NONINTERACTIVE_SEEN=true export DEBIAN_FRONTEND=noninteractive @@ -18,46 +19,49 @@ export DEBIAN_FRONTEND=noninteractive echo "DefaultLimitMEMLOCK=16384" | sudo tee -a /etc/systemd/system.conf sudo systemctl daemon-reexec -function configure_resolvconf { - # Setup resolv.conf to use the k8s api server, which is required for the - # kubelet to resolve cluster services. - sudo mv /etc/resolv.conf /etc/resolv.conf.backup - - # Create symbolic link to the resolv.conf file managed by systemd-resolved, as - # the kubelet.resolv-conf extra-config flag is automatically executed by the - # minikube start command, regardless of being passed in here - sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf - - sudo bash -c "echo 'nameserver 10.96.0.10' >> /etc/resolv.conf" - - # NOTE(drewwalters96): Use the Google DNS servers to prevent local addresses in - # the resolv.conf file unless using a proxy, then use the existing DNS servers, - # as custom DNS nameservers are commonly required when using a proxy server. - if [ -z "${HTTP_PROXY}" ]; then - sudo bash -c "echo 'nameserver 8.8.8.8' >> /etc/resolv.conf" - sudo bash -c "echo 'nameserver 8.8.4.4' >> /etc/resolv.conf" - else - sed -ne "s/nameserver //p" /etc/resolv.conf.backup | while read -r ns; do - sudo bash -c "echo 'nameserver ${ns}' >> /etc/resolv.conf" - done +# Function to help generate a resolv.conf formatted file. +# Arguments are positional: + # 1st is location of file to be generated + # 2nd is a custom nameserver that should be used exclusively if avalible. +function generate_resolvconf() { + local target + target="${1}" + local priority_nameserver + priority_nameserver="${2}" + if [[ ${priority_nameserver} ]]; then + sudo -E tee "${target}" <> /etc/resolv.conf" - sudo bash -c "echo 'options ndots:5 timeout:1 attempts:1' >> /etc/resolv.conf" - - sudo rm /etc/resolv.conf.backup } # NOTE: Clean Up hosts file sudo sed -i '/^127.0.0.1/c\127.0.0.1 localhost localhost.localdomain localhost4localhost4.localdomain4' /etc/hosts sudo sed -i '/^::1/c\::1 localhost6 localhost6.localdomain6' /etc/hosts -# Install required packages for K8s on host -wget -q -O- 'https://download.ceph.com/keys/release.asc' | sudo apt-key add - -RELEASE_NAME=$(grep 'CODENAME' /etc/lsb-release | awk -F= '{print $2}') -sudo add-apt-repository "deb https://download.ceph.com/debian-nautilus/ ${RELEASE_NAME} main" - +# shellcheck disable=SC1091 . /etc/os-release + +# NOTE: Add docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo apt-key fingerprint 0EBFCD88 sudo add-apt-repository \ @@ -65,6 +69,24 @@ sudo add-apt-repository \ $(lsb_release -cs) \ stable" +# NOTE: Configure docker +docker_resolv="$(mktemp -d)/resolv.conf" +generate_resolvconf "${docker_resolv}" +docker_dns_list="$(awk '/^nameserver/ { printf "%s%s",sep,"\"" $NF "\""; sep=", "} END{print ""}' "${docker_resolv}")" +sudo -E mkdir -p /etc/docker +sudo -E tee /etc/docker/daemon.json </dev/null|| sudo docker pull $IMAGE - done - fi -done diff --git a/tools/utils/aio-setup.sh b/tools/utils/aio-setup.sh deleted file mode 100755 index 7a700096..00000000 --- a/tools/utils/aio-setup.sh +++ /dev/null @@ -1,97 +0,0 @@ -#!/bin/bash - -set -ex - -: ${TEKTON_NS:="tekton-pipelines"} -: ${HARBOR_NS:="harbor"} -: ${LOKI_NS:="loki-stack"} -: ${NFS_NS:="nfs"} -: ${GRAFANA_NS:="grafana"} -: ${CHART_ROOT_PATH:="./charts"} -: ${CLONE_REPO:="false"} -: ${DEPLOY_K8S:="true"} -: ${HARBOR_VERSION:="1.5.2"} - -# ensures we have git -sudo -E apt install -y git bc jq - -: ${EXTRA_HELM_ARGS_TEKTON_PIPELINES:="$(./tools/deployment/common/get-values-overrides.sh tekton-pipelines)"} -: ${EXTRA_HELM_ARGS_TEKTON_TRIGGERS:="$(./tools/deployment/common/get-values-overrides.sh tekton-triggers)"} -: ${EXTRA_HELM_ARGS_TEKTON_DASHBOARD:="$(./tools/deployment/common/get-values-overrides.sh tekton-dashboard)"} -: ${EXTRA_HELM_ARGS_HARBOR:="$(./tools/deployment/common/get-values-overrides.sh harbor)"} -: ${EXTRA_HELM_ARGS_LOKI_STACK:="$(./tools/deployment/common/get-values-overrides.sh loki)"} -: ${EXTRA_HELM_ARGS_GRAFANA:="$(./tools/deployment/common/get-values-overrides.sh grafana)"} -: ${EXTRA_HELM_ARGS_NFS:="$(./tools/deployment/common/get-values-overrides.sh nfs)"} - -# clones upstream rep -if [ $CLONE_REPO == "true" ]; then - git clone "https://review.opendev.org/airship/charts" airship-charts - cd airship-charts -fi - -# deploys k8s locally on machine, this also deploys calico -if [ $DEPLOY_K8S == "true" ]; then - ./tools/gate/deploy-k8s.sh -fi - -# creates namespaces -kubectl create namespace $NFS_NS || true -kubectl create namespace $HARBOR_NS || true -kubectl create namespace $TEKTON_NS || true -kubectl create namespace $GRAFANA_NS || true -kubectl create namespace $LOKI_NS || true - -# adds all the necessary repo here and update -helm repo add osh https://tarballs.opendev.org/openstack/openstack-helm-infra -helm repo add harbor https://helm.goharbor.io -helm repo add loki https://grafana.github.io/loki/charts -helm repo add grafana https://grafana.github.io/helm-charts -helm repo update - -# adds label here so the OSH chart can be target the node -kubectl label nodes --all openstack-control-plane=enabled --overwrite - -# deploys nfs -helm upgrade --install nfs-provisioner osh/nfs-provisioner \ - --namespace=$NFS_NS \ - ${EXTRA_HELM_ARGS_NFS} - -# waits for the pods to get ready -./tools/deployment/common/wait-for-pods.sh $NFS_NS - -# deploys harbor -helm upgrade --install harbor harbor/harbor \ - --namespace=$HARBOR_NS \ - --version=${HARBOR_VERSION} \ - ${EXTRA_HELM_ARGS_HARBOR} - -# deploys tekton -helm upgrade --install tekton-pipelines ${CHART_ROOT_PATH}/tekton-pipelines \ - --namespace=${TEKTON_NS} \ - ${EXTRA_HELM_ARGS_TEKTON_PIPELINES} - -helm upgrade --install tekton-triggers ${CHART_ROOT_PATH}/tekton-triggers \ - --namespace=${TEKTON_NS} \ - ${EXTRA_HELM_ARGS_TEKTON_TRIGGERS} - -helm upgrade --install tekton-dashboard ${CHART_ROOT_PATH}/tekton-dashboard \ - --namespace=${TEKTON_NS} \ - ${EXTRA_HELM_ARGS_TEKTON_DASHBOARD} - -# waits for the pods to get ready -./tools/deployment/common/wait-for-pods.sh ${TEKTON_NS} -./tools/deployment/common/wait-for-pods.sh ${HARBOR_NS} - -# install loki-stack with Loki and Promtail from Grafana helm charts repo -helm upgrade --install loki grafana/loki-stack \ - --namespace=${LOKI_NS} \ - ${EXTRA_HELM_ARGS_LOKI_STACK} - -./tools/deployment/common/wait-for-pods.sh ${LOKI_NS} - -# install Grafana from Grafana helm charts repo -helm upgrade --install grafana grafana/grafana \ - --namespace=${GRAFANA_NS} \ - ${EXTRA_HELM_ARGS_GRAFANA} - -./tools/deployment/common/wait-for-pods.sh ${GRAFANA_NS} diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 3df21328..511e6d37 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -17,21 +17,26 @@ nodeset: airship-charts-single-node - job: - name: airship-harbor-tekton + name: airship-jarvis timeout: 7200 pre-run: - playbooks/airship-setup.yaml run: playbooks/gate-runner.yaml post-run: playbooks/gather-logs.yaml - description: Runs Tekton charts + description: Perform CI on the Jarvis Suite of applications nodeset: airship-charts-single-node vars: aio_params: - feature_gates: "tls storageclass nfs harbor readonly loki-stack grafana" + feature_gates: "" collect_kubernetes_logs_namespace: tekton-pipelines gate_scripts: - - ./tools/utils/aio-setup.sh - - ./tools/gate/pipelines/run-test.sh + - ./tools/gate/jarvis/050-setup-development-ca.sh + - ./tools/gate/jarvis/100-deploy-k8s.sh + - ./tools/gate/jarvis/200-deploy-support.sh + - ./tools/gate/jarvis/300-deploy-loki.sh + - ./tools/gate/jarvis/400-deploy-harbor.sh + - ./tools/gate/jarvis/500-deploy-gerrit.sh + - ./tools/gate/jarvis/600-deploy-tekton.sh - job: name: airship-charts-upload-git-mirror diff --git a/zuul.d/nodesets.yaml b/zuul.d/nodesets.yaml index f434e04d..7fd54ed6 100644 --- a/zuul.d/nodesets.yaml +++ b/zuul.d/nodesets.yaml @@ -15,7 +15,7 @@ name: airship-charts-single-node nodes: - name: primary - label: ubuntu-bionic + label: ubuntu-focal groups: - name: primary nodes: diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 3e4990f3..e1abfa88 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -17,12 +17,12 @@ files: - ^doc/.*$ - airship-charts-lint-and-build - - airship-harbor-tekton + - airship-jarvis gate: jobs: - openstack-tox-docs: *docs - airship-charts-lint-and-build - - airship-harbor-tekton + - airship-jarvis post: jobs: - airship-charts-upload-git-mirror