Rework AIO
1) Removes unused/duplicate deployment/gate scripts 2) Removes unrequired NFS deployment 3) Adds Ingress controller 4) Adds Cert-Manager 5) Removes unrequired harbor chart, and replaces with upstream 6) Adds ingress rules to tekton 7) Fix linting issues with newer k8s versions and dex-aio chart 8) Add Gerrit Chart 9) Fixes hardcoded namespace references in tekton-triggers chart. 10) Sets up CA certs on host to anble validation of tls backed services. 11) TLS in tekton dashboard via cert-manager 12) TLS in loki and grafana via cert-manager 13) TLS in harbor & notary ingres via cert-manager 14) TLS for all internal harbor components via self signed certs 15) TLS for gerrit via cert-manager 16) Rework DNS config to fix resolving k8s services from host 17) Update kube deployment script to configure /etc/resolv.conf to direct jarvis.local to ingress 18) Add docker push test for harbor 19) Reset documentation Change-Id: I71850770ba46d7635b950da60ec59c0b08208c70 Signed-off-by: intlabs <pete@port.direct>
This commit is contained in:
parent
2a04062b3d
commit
b94014be52
4
.gitignore
vendored
4
.gitignore
vendored
@ -2,4 +2,8 @@
|
|||||||
|
|
||||||
# doc build environment and artifacts
|
# doc build environment and artifacts
|
||||||
doc/build
|
doc/build
|
||||||
|
doc/source/_build
|
||||||
.tox/
|
.tox/
|
||||||
|
.vscode/
|
||||||
|
|
||||||
|
tools/deployment/vagrant/.vagrant
|
@ -15,9 +15,8 @@ SHELL := /bin/bash
|
|||||||
TASK := build
|
TASK := build
|
||||||
|
|
||||||
EXCLUDES := playbooks roles doc tests tools logs tmp zuul.d releasenotes
|
EXCLUDES := playbooks roles doc tests tools logs tmp zuul.d releasenotes
|
||||||
# FIXME(lamt): Excluding the dex-aio as there are linting errors and should be
|
# NOTE(Portdirect): Exlude chart directories that are presnt only for the purposes of housing over-rides
|
||||||
# fixed in follow on patch. Once that's done, this can be removed.
|
EXCLUDES += harbor loki gerrit
|
||||||
EXCLUDES += dex-aio loki grafana nfs
|
|
||||||
CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
|
CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
|
||||||
|
|
||||||
.PHONY: $(EXCLUDES) $(CHARTS)
|
.PHONY: $(EXCLUDES) $(CHARTS)
|
||||||
@ -47,11 +46,5 @@ clean:
|
|||||||
rm -f *tgz */charts/*tgz */requirements.lock
|
rm -f *tgz */charts/*tgz */requirements.lock
|
||||||
rm -rf */charts */tmpcharts
|
rm -rf */charts */tmpcharts
|
||||||
|
|
||||||
pull-all-images:
|
|
||||||
@./tools/pull-images.sh
|
|
||||||
|
|
||||||
pull-images:
|
|
||||||
@./tools/pull-images.sh $(filter-out $@,$(MAKECMDGOALS))
|
|
||||||
|
|
||||||
%:
|
%:
|
||||||
@:
|
@:
|
||||||
|
@ -1,23 +1 @@
|
|||||||
# Patterns to ignore when building packages.
|
values_overrides
|
||||||
# This supports shell glob matching, relative path matching, and
|
|
||||||
# negation (prefixed with !). Only one pattern per line.
|
|
||||||
.DS_Store
|
|
||||||
# Common VCS dirs
|
|
||||||
.git/
|
|
||||||
.gitignore
|
|
||||||
.bzr/
|
|
||||||
.bzrignore
|
|
||||||
.hg/
|
|
||||||
.hgignore
|
|
||||||
.svn/
|
|
||||||
# Common backup files
|
|
||||||
*.swp
|
|
||||||
*.bak
|
|
||||||
*.tmp
|
|
||||||
*.orig
|
|
||||||
*~
|
|
||||||
# Various IDEs
|
|
||||||
.project
|
|
||||||
.idea/
|
|
||||||
*.tmproj
|
|
||||||
.vscode/
|
|
@ -1,6 +1,6 @@
|
|||||||
{{- define "ClusterRole-dex" -}}
|
{{- define "ClusterRole-dex" -}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "helpers.labels.fullname" . }}
|
name: {{ template "helpers.labels.fullname" . }}
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{{- define "ClusterRoleBinding-dex" -}}
|
{{- define "ClusterRoleBinding-dex" -}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "helpers.labels.fullname" . }}
|
name: {{ template "helpers.labels.fullname" . }}
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{{- define "Role-dex" -}}
|
{{- define "Role-dex" -}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: Role
|
kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "helpers.labels.fullname" . }}
|
name: {{ template "helpers.labels.fullname" . }}
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{{- define "RoleBinding-dex" -}}
|
{{- define "RoleBinding-dex" -}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "helpers.labels.fullname" . }}
|
name: {{ template "helpers.labels.fullname" . }}
|
||||||
|
@ -9,26 +9,20 @@
|
|||||||
{{- $_ := set $local "merge_same_named" $.merge_same_named -}}
|
{{- $_ := set $local "merge_same_named" $.merge_same_named -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- $_ := set $local "input" ( fromYaml ( toString ( include $.template_definition $.Global ) ) ) -}}
|
{{- $_ := set $local "input" ( fromYaml ( toString ( include $.template_definition $.Global ) ) ) -}}
|
||||||
|
|
||||||
{{- $target := dict -}}
|
{{- $target := dict -}}
|
||||||
|
{{- $overlay_keys := regexSplit "-+" ( trimSuffix ".yaml" ( lower ( base $.Global.Template.Name ) ) ) 2 }}
|
||||||
{{ $overlay_keys := regexSplit "-+" ( trimSuffix ".yaml" ( lower ( base $.Global.Template.Name ) ) ) 2 }}
|
|
||||||
|
|
||||||
{{- $_ := set $local "overlay" dict -}}
|
{{- $_ := set $local "overlay" dict -}}
|
||||||
{{- if hasKey $.Global.Values.over_rides ( index $overlay_keys 0 ) -}}
|
{{- if hasKey $.Global.Values.over_rides ( index $overlay_keys 0 ) -}}
|
||||||
{{- if hasKey ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ) ( index $overlay_keys 1 ) -}}
|
{{- if hasKey ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ) ( index $overlay_keys 1 ) -}}
|
||||||
{{- $_ := set $local "overlay" ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ( index $overlay_keys 1 ) ) -}}
|
{{- $_ := set $local "overlay" ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ( index $overlay_keys 1 ) ) -}}
|
||||||
{{ end }}
|
{{- end }}
|
||||||
{{ end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- range $item := tuple $local.input $local.overlay -}}
|
{{- range $item := tuple $local.input $local.overlay -}}
|
||||||
{{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
|
{{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
|
||||||
{{- $_ := include "helpers._merge" $call -}}
|
{{- $_ := include "helpers._merge" $call -}}
|
||||||
{{- $_ := set $local "result" $call.result -}}
|
{{- $_ := set $local "result" $call.result -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- if kindIs "map" $ -}}
|
{{- if kindIs "map" $ -}}
|
||||||
{{- $_ := set $ "result" $local.result -}}
|
{{- $_ := set $ "result" $local.result -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
@ -37,14 +31,11 @@
|
|||||||
|
|
||||||
{{- define "helpers._merge" -}}
|
{{- define "helpers._merge" -}}
|
||||||
{{- $local := dict -}}
|
{{- $local := dict -}}
|
||||||
|
|
||||||
{{- $_ := set $ "result" $.source -}}
|
{{- $_ := set $ "result" $.source -}}
|
||||||
|
|
||||||
{{/*
|
{{/*
|
||||||
TODO: Should we `fail` when trying to merge a collection (map or slice) with
|
TODO: Should we `fail` when trying to merge a collection (map or slice) with
|
||||||
either a different kind of collection or a scalar?
|
either a different kind of collection or a scalar?
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
|
{{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
|
||||||
{{- range $key, $sourceValue := $.source -}}
|
{{- range $key, $sourceValue := $.source -}}
|
||||||
{{- if not (hasKey $.target $key) -}}
|
{{- if not (hasKey $.target $key) -}}
|
||||||
@ -77,7 +68,6 @@
|
|||||||
{{- $_ := set $local "has_name_key" true -}}
|
{{- $_ := set $local "has_name_key" true -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- if $local.has_name_key -}}
|
{{- if $local.has_name_key -}}
|
||||||
{{- if hasKey $local.named_items $item.name -}}
|
{{- if hasKey $local.named_items $item.name -}}
|
||||||
{{- $named_item := index $local.named_items $item.name -}}
|
{{- $named_item := index $local.named_items $item.name -}}
|
||||||
|
11
charts/gerrit/values_overrides/default-default.yaml
Normal file
11
charts/gerrit/values_overrides/default-default.yaml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
#NOTE(portdirect): we use the following images, untill https://gerrit-review.googlesource.com/c/k8s-gerrit/+/230465 is resolved.
|
||||||
|
images:
|
||||||
|
registry:
|
||||||
|
name: quay.io
|
||||||
|
version: v0.1-191-g251041b-dirty-3.3.0
|
||||||
|
gerrit:
|
||||||
|
images:
|
||||||
|
gerritInit: port/gerrit-init
|
||||||
|
gerrit: port/gerrit
|
||||||
|
gitGC:
|
||||||
|
image: port/git-gc
|
76
charts/gerrit/values_overrides/default.yaml
Normal file
76
charts/gerrit/values_overrides/default.yaml
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
|
||||||
|
storageClasses:
|
||||||
|
default:
|
||||||
|
name: standard
|
||||||
|
shared:
|
||||||
|
name: standard
|
||||||
|
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
host: gerrit.jarvis.local
|
||||||
|
additionalAnnotations:
|
||||||
|
cert-manager.io/cluster-issuer: jarvis-ca-issuer
|
||||||
|
tls:
|
||||||
|
enabled: true
|
||||||
|
secret:
|
||||||
|
create: false
|
||||||
|
name: gerrit-tls
|
||||||
|
|
||||||
|
gerrit:
|
||||||
|
service:
|
||||||
|
ssh:
|
||||||
|
enabled: true
|
||||||
|
port: 29418
|
||||||
|
|
||||||
|
etc:
|
||||||
|
# Some values are expected to have a specific value for the deployment installed
|
||||||
|
# by this chart to work. These are marked with `# FIXED`.
|
||||||
|
# Do not change them!
|
||||||
|
config:
|
||||||
|
gerrit.config: |-
|
||||||
|
[gerrit]
|
||||||
|
basePath = git # FIXED
|
||||||
|
serverId = gerrit-1
|
||||||
|
# The canonical web URL has to be set to the Ingress host, if an Ingress
|
||||||
|
# is used. If a LoadBalancer-service is used, this should be set to the
|
||||||
|
# LoadBalancer's external IP. This can only be done manually after installing
|
||||||
|
# the chart, when you know the external IP the LoadBalancer got from the
|
||||||
|
# cluster.
|
||||||
|
canonicalWebUrl = http://gerrit.jarvis.local/
|
||||||
|
disableReverseDnsLookup = true
|
||||||
|
[index]
|
||||||
|
type = LUCENE
|
||||||
|
onlineUpgrade = false # FIXED
|
||||||
|
[auth]
|
||||||
|
type = DEVELOPMENT_BECOME_ANY_ACCOUNT
|
||||||
|
[httpd]
|
||||||
|
# If using an ingress use proxy-http or proxy-https
|
||||||
|
listenUrl = proxy-http://*:8080/
|
||||||
|
requestLog = true
|
||||||
|
[sshd]
|
||||||
|
listenAddress = off
|
||||||
|
[transfer]
|
||||||
|
timeout = 120 s
|
||||||
|
[user]
|
||||||
|
name = Gerrit Code Review
|
||||||
|
email = gerrit@example.com
|
||||||
|
anonymousCoward = Unnamed User
|
||||||
|
[cache]
|
||||||
|
directory = cache
|
||||||
|
[container]
|
||||||
|
user = gerrit # FIXED
|
||||||
|
javaHome = /usr/lib/jvm/java-11-openjdk # FIXED
|
||||||
|
javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED
|
||||||
|
javaOptions = -Xms200m
|
||||||
|
# Has to be lower than 'gerrit.resources.limits.memory'. Also
|
||||||
|
# consider memories used by other applications in the container.
|
||||||
|
javaOptions = -Xmx4g
|
||||||
|
replication.config: |-
|
||||||
|
[gerrit]
|
||||||
|
autoReload = false
|
||||||
|
replicateOnStartup = true
|
||||||
|
defaultForceUpdate = true
|
||||||
|
# [remote "replica"]
|
||||||
|
# url = http://gerrit-replica.example.com/git/${name}.git
|
||||||
|
# replicationDelay = 0
|
||||||
|
# timeout = 30
|
@ -1,79 +0,0 @@
|
|||||||
ingress:
|
|
||||||
enabled: true
|
|
||||||
hosts: ["grafana","grafana.jarvis","grafana.jarvis.svc.cluster.local"]
|
|
||||||
public: true
|
|
||||||
annotations:
|
|
||||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
|
||||||
more_set_headers "X-Frame-Options: deny";
|
|
||||||
more_set_headers "X-XSS-Protection: 1; mode=block";
|
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
||||||
labels: {}
|
|
||||||
path: /
|
|
||||||
hosts:
|
|
||||||
- grafana-jarvis.domain
|
|
||||||
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
|
|
||||||
extraPaths: []
|
|
||||||
# - path: /*
|
|
||||||
# backend:
|
|
||||||
# serviceName: ssl-redirect
|
|
||||||
# servicePort: use-annotation
|
|
||||||
tls: []
|
|
||||||
# - secretName: chart-example-tls
|
|
||||||
# hosts:
|
|
||||||
# - chart-example.local
|
|
||||||
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 128Mi
|
|
||||||
requests:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 128Mi
|
|
||||||
|
|
||||||
## Enable persistence using Persistent Volume Claims
|
|
||||||
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
|
|
||||||
##
|
|
||||||
persistence:
|
|
||||||
type: pvc
|
|
||||||
enabled: false
|
|
||||||
storageClassName: nfs-provisioner
|
|
||||||
accessModes:
|
|
||||||
- ReadWriteOnce
|
|
||||||
size: 10Gi
|
|
||||||
# annotations: {}
|
|
||||||
finalizers:
|
|
||||||
- kubernetes.io/pvc-protection
|
|
||||||
# selectorLabels: {}
|
|
||||||
# subPath: ""
|
|
||||||
# existingClaim:
|
|
||||||
|
|
||||||
|
|
||||||
# Administrator credentials when not using an existing secret (see below)
|
|
||||||
adminUser: admin
|
|
||||||
# adminPassword: strongpassword
|
|
||||||
|
|
||||||
# Use an existing secret for the admin user.
|
|
||||||
admin:
|
|
||||||
existingSecret: ""
|
|
||||||
userKey: admin-user
|
|
||||||
passwordKey: admin-password
|
|
||||||
|
|
||||||
## Define command to be executed at startup by grafana container
|
|
||||||
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
|
|
||||||
## Default is "run.sh" as defined in grafana's Dockerfile
|
|
||||||
# command:
|
|
||||||
# - "sh"
|
|
||||||
# - "/run.sh"
|
|
||||||
|
|
||||||
## Configure grafana datasources
|
|
||||||
## ref: http://docs.grafana.org/administration/provisioning/#datasources
|
|
||||||
##
|
|
||||||
datasources:
|
|
||||||
datasources.yaml:
|
|
||||||
apiVersion: 1
|
|
||||||
datasources:
|
|
||||||
- name: Loki
|
|
||||||
type: loki
|
|
||||||
access: proxy
|
|
||||||
url: http://loki.loki-stack:3100
|
|
||||||
version: 1
|
|
@ -1,15 +0,0 @@
|
|||||||
apiVersion: v2
|
|
||||||
name: harbor
|
|
||||||
version: 1.4.0-dev
|
|
||||||
appVersion: dev
|
|
||||||
description: An open source trusted cloud native registry that stores, signs, and scans content
|
|
||||||
keywords:
|
|
||||||
- docker
|
|
||||||
- registry
|
|
||||||
- harbor
|
|
||||||
home: https://goharbor.io
|
|
||||||
icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png
|
|
||||||
sources:
|
|
||||||
- https://github.com/goharbor/harbor
|
|
||||||
- https://github.com/goharbor/harbor-helm
|
|
||||||
engine: gotpl
|
|
@ -1,28 +0,0 @@
|
|||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw
|
|
||||||
NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC
|
|
||||||
Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o
|
|
||||||
F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr
|
|
||||||
PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT
|
|
||||||
RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q
|
|
||||||
LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp
|
|
||||||
UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q
|
|
||||||
w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc
|
|
||||||
jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr
|
|
||||||
vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d
|
|
||||||
1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN
|
|
||||||
2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA
|
|
||||||
AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA
|
|
||||||
FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
|
|
||||||
BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS
|
|
||||||
Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA
|
|
||||||
er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY
|
|
||||||
Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ
|
|
||||||
qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n
|
|
||||||
KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB
|
|
||||||
Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2
|
|
||||||
52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1
|
|
||||||
2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F
|
|
||||||
5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX
|
|
||||||
jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe
|
|
||||||
-----END CERTIFICATE-----
|
|
@ -1,51 +0,0 @@
|
|||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o
|
|
||||||
F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr
|
|
||||||
PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT
|
|
||||||
RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q
|
|
||||||
LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp
|
|
||||||
UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q
|
|
||||||
w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc
|
|
||||||
jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr
|
|
||||||
vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d
|
|
||||||
1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN
|
|
||||||
2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA
|
|
||||||
AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/
|
|
||||||
k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4
|
|
||||||
MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu
|
|
||||||
XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz
|
|
||||||
ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5
|
|
||||||
F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K
|
|
||||||
F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97
|
|
||||||
b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5
|
|
||||||
fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ
|
|
||||||
yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um
|
|
||||||
lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW
|
|
||||||
YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+
|
|
||||||
viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1
|
|
||||||
pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+
|
|
||||||
/wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA
|
|
||||||
So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt
|
|
||||||
DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3
|
|
||||||
YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn
|
|
||||||
IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW
|
|
||||||
gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf
|
|
||||||
Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC
|
|
||||||
oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb
|
|
||||||
FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN
|
|
||||||
c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn
|
|
||||||
YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf
|
|
||||||
Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl
|
|
||||||
IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ
|
|
||||||
rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi
|
|
||||||
vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj
|
|
||||||
yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g
|
|
||||||
1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil
|
|
||||||
u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M
|
|
||||||
BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK
|
|
||||||
OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y
|
|
||||||
AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e
|
|
||||||
Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh
|
|
||||||
cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q
|
|
||||||
OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04
|
|
||||||
-----END RSA PRIVATE KEY-----
|
|
@ -1,16 +0,0 @@
|
|||||||
clair:
|
|
||||||
database:
|
|
||||||
type: pgsql
|
|
||||||
options:
|
|
||||||
source: "{{ template "harbor.database.clair" . }}"
|
|
||||||
# Number of elements kept in the cache
|
|
||||||
# Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
|
|
||||||
cachesize: 16384
|
|
||||||
api:
|
|
||||||
# API server port
|
|
||||||
port: 6060
|
|
||||||
healthport: 6061
|
|
||||||
# Deadline before an API request will respond with a 503
|
|
||||||
timeout: 300s
|
|
||||||
updater:
|
|
||||||
interval: {{ .Values.clair.updatersInterval }}h
|
|
@ -1,28 +0,0 @@
|
|||||||
{
|
|
||||||
"server": {
|
|
||||||
"http_addr": ":4443"
|
|
||||||
},
|
|
||||||
"trust_service": {
|
|
||||||
"type": "remote",
|
|
||||||
"hostname": "{{ template "harbor.notary-signer" . }}",
|
|
||||||
"port": "7899",
|
|
||||||
"tls_ca_file": "/etc/ssl/notary/ca.crt",
|
|
||||||
"key_algorithm": "ecdsa"
|
|
||||||
},
|
|
||||||
"logging": {
|
|
||||||
"level": "{{ .Values.logLevel }}"
|
|
||||||
},
|
|
||||||
"storage": {
|
|
||||||
"backend": "postgres",
|
|
||||||
"db_url": "{{ template "harbor.database.notaryServer" . }}"
|
|
||||||
},
|
|
||||||
"auth": {
|
|
||||||
"type": "token",
|
|
||||||
"options": {
|
|
||||||
"realm": "{{ .Values.externalURL }}/service/token",
|
|
||||||
"service": "harbor-notary",
|
|
||||||
"issuer": "harbor-token-issuer",
|
|
||||||
"rootcertbundle": "/root.crt"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
{
|
|
||||||
"server": {
|
|
||||||
"grpc_addr": ":7899",
|
|
||||||
"tls_cert_file": "/etc/ssl/notary/tls.crt",
|
|
||||||
"tls_key_file": "/etc/ssl/notary/tls.key"
|
|
||||||
},
|
|
||||||
"logging": {
|
|
||||||
"level": "{{ .Values.logLevel }}"
|
|
||||||
},
|
|
||||||
"storage": {
|
|
||||||
"backend": "postgres",
|
|
||||||
"db_url": "{{ template "harbor.database.notarySigner" . }}",
|
|
||||||
"default_alias": "defaultalias"
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,583 +0,0 @@
|
|||||||
{{/* vim: set filetype=mustache: */}}
|
|
||||||
{{/*
|
|
||||||
Expand the name of the chart.
|
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
|
||||||
*/}}
|
|
||||||
{{- define "harbor.name" -}}
|
|
||||||
{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create a default fully qualified app name.
|
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
|
||||||
*/}}
|
|
||||||
{{- define "harbor.fullname" -}}
|
|
||||||
{{- $name := default "harbor" .Values.nameOverride -}}
|
|
||||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* Helm required labels */}}
|
|
||||||
{{- define "harbor.labels" -}}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
chart: {{ .Chart.Name }}
|
|
||||||
app: "{{ template "harbor.name" . }}"
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* matchLabels */}}
|
|
||||||
{{- define "harbor.matchLabels" -}}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
app: "{{ template "harbor.name" . }}"
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.autoGenCert" -}}
|
|
||||||
{{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
|
|
||||||
{{- printf "true" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "false" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.autoGenCertForIngress" -}}
|
|
||||||
{{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}}
|
|
||||||
{{- printf "true" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "false" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.autoGenCertForNginx" -}}
|
|
||||||
{{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}}
|
|
||||||
{{- printf "true" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "false" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.host" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- template "harbor.database" . }}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.host -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.port" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- printf "%s" "5432" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.port -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.username" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- printf "%s" "postgres" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.username -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.rawPassword" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- .Values.database.internal.password -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.password -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.escapedRawPassword" -}}
|
|
||||||
{{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.encryptedPassword" -}}
|
|
||||||
{{- include "harbor.database.rawPassword" . | b64enc | quote -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.coreDatabase" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- printf "%s" "registry" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.coreDatabase -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.clairDatabase" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- printf "%s" "postgres" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.clairDatabase -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.notaryServerDatabase" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- printf "%s" "notaryserver" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.notaryServerDatabase -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.notarySignerDatabase" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- printf "%s" "notarysigner" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.notarySignerDatabase -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.sslmode" -}}
|
|
||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- printf "%s" "disable" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.database.external.sslmode -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.clair" -}}
|
|
||||||
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.notaryServer" -}}
|
|
||||||
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database.notarySigner" -}}
|
|
||||||
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.redis.scheme" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
/*host:port*/
|
|
||||||
{{- define "harbor.redis.addr" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.redis.masterSet" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.redis.password" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- ternary "" .external.password (eq .type "internal") }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
/*scheme://[redis:password@]host:port[/master_set]*/
|
|
||||||
{{- define "harbor.redis.url" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
|
|
||||||
{{- $cred := ternary (printf "redis:%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
|
|
||||||
{{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
|
|
||||||
{{- define "harbor.redis.urlForCore" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }}
|
|
||||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
/*scheme://[redis:password@]addr/db_index*/
|
|
||||||
{{- define "harbor.redis.urlForJobservice" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }}
|
|
||||||
{{- printf "%s/%s" (include "harbor.redis.url" $) $index -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
|
|
||||||
{{- define "harbor.redis.urlForRegistry" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }}
|
|
||||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
|
|
||||||
{{- define "harbor.redis.urlForClair" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- $index := ternary "4" .external.clairAdapterIndex (eq .type "internal") }}
|
|
||||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
|
|
||||||
{{- define "harbor.redis.urlForTrivy" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }}
|
|
||||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.redis.dbForRegistry" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.redis.dbForChartmuseum" -}}
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
{{- ternary "3" .external.chartmuseumDatabaseIndex (eq .type "internal") }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.portal" -}}
|
|
||||||
{{- printf "%s-portal" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.core" -}}
|
|
||||||
{{- printf "%s-core" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.redis" -}}
|
|
||||||
{{- printf "%s-redis" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.jobservice" -}}
|
|
||||||
{{- printf "%s-jobservice" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.registry" -}}
|
|
||||||
{{- printf "%s-registry" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.chartmuseum" -}}
|
|
||||||
{{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.database" -}}
|
|
||||||
{{- printf "%s-database" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.clair" -}}
|
|
||||||
{{- printf "%s-clair" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.trivy" -}}
|
|
||||||
{{- printf "%s-trivy" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.notary-server" -}}
|
|
||||||
{{- printf "%s-notary-server" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.notary-signer" -}}
|
|
||||||
{{- printf "%s-notary-signer" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.nginx" -}}
|
|
||||||
{{- printf "%s-nginx" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.ingress" -}}
|
|
||||||
{{- printf "%s-ingress" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.ingress-notary" -}}
|
|
||||||
{{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.noProxy" -}}
|
|
||||||
{{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.chartmuseum" .) (include "harbor.clair" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) .Values.proxy.noProxy -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.caBundleVolume" -}}
|
|
||||||
- name: ca-bundle-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ .Values.caBundleSecretName }}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.caBundleVolumeMount" -}}
|
|
||||||
- name: ca-bundle-certs
|
|
||||||
mountPath: /harbor_cust_cert/custom-ca.crt
|
|
||||||
subPath: ca.crt
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* scheme for all components except notary because it only support http mode */}}
|
|
||||||
{{- define "harbor.component.scheme" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "https" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "http" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* chartmuseum component container port */}}
|
|
||||||
{{- define "harbor.chartmuseum.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "9443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "9999" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* chartmuseum component service port */}}
|
|
||||||
{{- define "harbor.chartmuseum.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "80" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* clair adapter component container port */}}
|
|
||||||
{{- define "harbor.clairAdapter.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* clair adapter component service port */}}
|
|
||||||
{{- define "harbor.clairAdapter.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* core component container port */}}
|
|
||||||
{{- define "harbor.core.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* core component service port */}}
|
|
||||||
{{- define "harbor.core.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "80" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* jobservice component container port */}}
|
|
||||||
{{- define "harbor.jobservice.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* jobservice component service port */}}
|
|
||||||
{{- define "harbor.jobservice.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "80" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* portal component container port */}}
|
|
||||||
{{- define "harbor.portal.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* portal component service port */}}
|
|
||||||
{{- define "harbor.portal.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "80" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* registry component container port */}}
|
|
||||||
{{- define "harbor.registry.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "5443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "5000" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* registry component service port */}}
|
|
||||||
{{- define "harbor.registry.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "5443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "5000" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* registryctl component container port */}}
|
|
||||||
{{- define "harbor.registryctl.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* registryctl component service port */}}
|
|
||||||
{{- define "harbor.registryctl.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* trivy component container port */}}
|
|
||||||
{{- define "harbor.trivy.containerPort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* trivy component service port */}}
|
|
||||||
{{- define "harbor.trivy.servicePort" -}}
|
|
||||||
{{- if .Values.internalTLS.enabled -}}
|
|
||||||
{{- printf "8443" -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "8080" -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* CLAIR_ADAPTER_URL */}}
|
|
||||||
{{- define "harbor.clairAdapterURL" -}}
|
|
||||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.clair" .) (include "harbor.clairAdapter.servicePort" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* CORE_URL */}}
|
|
||||||
{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}}
|
|
||||||
{{- define "harbor.coreURL" -}}
|
|
||||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* JOBSERVICE_URL */}}
|
|
||||||
{{- define "harbor.jobserviceURL" -}}
|
|
||||||
{{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* PORTAL_URL */}}
|
|
||||||
{{- define "harbor.portalURL" -}}
|
|
||||||
{{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* REGISTRY_URL */}}
|
|
||||||
{{- define "harbor.registryURL" -}}
|
|
||||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* REGISTRY_CONTROLLER_URL */}}
|
|
||||||
{{- define "harbor.registryControllerURL" -}}
|
|
||||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* TOKEN_SERVICE_URL */}}
|
|
||||||
{{- define "harbor.tokenServiceURL" -}}
|
|
||||||
{{- printf "%s/service/token" (include "harbor.coreURL" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* TRIVY_ADAPTER_URL */}}
|
|
||||||
{{- define "harbor.trivyAdapterURL" -}}
|
|
||||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.internalTLS.chartmuseum.secretName" -}}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
|
||||||
{{- .Values.internalTLS.chartmuseum.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-chartmuseum-internal-tls" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.internalTLS.clair.secretName" -}}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
|
||||||
{{- .Values.internalTLS.clair.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-clair-internal-tls" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.internalTLS.core.secretName" -}}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
|
||||||
{{- .Values.internalTLS.core.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.internalTLS.jobservice.secretName" -}}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
|
||||||
{{- .Values.internalTLS.jobservice.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.internalTLS.portal.secretName" -}}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
|
||||||
{{- .Values.internalTLS.portal.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.internalTLS.registry.secretName" -}}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
|
||||||
{{- .Values.internalTLS.registry.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.internalTLS.trivy.secretName" -}}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
|
||||||
{{- .Values.internalTLS.trivy.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.tlsCoreSecretForIngress" -}}
|
|
||||||
{{- if eq .Values.expose.tls.certSource "none" -}}
|
|
||||||
{{- printf "" -}}
|
|
||||||
{{- else if eq .Values.expose.tls.certSource "secret" -}}
|
|
||||||
{{- .Values.expose.tls.secret.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- include "harbor.ingress" . -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.tlsNotarySecretForIngress" -}}
|
|
||||||
{{- if eq .Values.expose.tls.certSource "none" -}}
|
|
||||||
{{- printf "" -}}
|
|
||||||
{{- else if eq .Values.expose.tls.certSource "secret" -}}
|
|
||||||
{{- .Values.expose.tls.secret.notarySecretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- include "harbor.ingress" . -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{- define "harbor.tlsSecretForNginx" -}}
|
|
||||||
{{- if eq .Values.expose.tls.certSource "secret" -}}
|
|
||||||
{{- .Values.expose.tls.secret.secretName -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- include "harbor.nginx" . -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
@ -1,115 +0,0 @@
|
|||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
{{- $ca := genCA "harbor-internal-ca" 365 }}
|
|
||||||
{{- $coreCN := (include "harbor.core" .) }}
|
|
||||||
{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }}
|
|
||||||
{{- $jsCN := (include "harbor.jobservice" .) }}
|
|
||||||
{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }}
|
|
||||||
{{- $regCN := (include "harbor.registry" .) }}
|
|
||||||
{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }}
|
|
||||||
{{- $portalCN := (include "harbor.portal" .) }}
|
|
||||||
{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }}
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $coreCrt.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $coreCrt.Key | b64enc | quote }}
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $jsCrt.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $jsCrt.Key | b64enc | quote }}
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $regCrt.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $regCrt.Key | b64enc | quote }}
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $portalCrt.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $portalCrt.Key | b64enc | quote }}
|
|
||||||
|
|
||||||
{{- if .Values.chartmuseum.enabled }}
|
|
||||||
---
|
|
||||||
{{- $chartCN := (include "harbor.chartmuseum" .) }}
|
|
||||||
{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $chartCrt.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $chartCrt.Key | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if .Values.clair.enabled }}
|
|
||||||
---
|
|
||||||
{{- $clairCN := (include "harbor.clair" .) }}
|
|
||||||
{{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.clair.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $clairCrt.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $clairCrt.Key | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if and .Values.trivy.enabled}}
|
|
||||||
---
|
|
||||||
{{- $trivyCN := (include "harbor.trivy" .) }}
|
|
||||||
{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $trivyCrt.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $trivyCrt.Key | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,112 +0,0 @@
|
|||||||
{{- if .Values.chartmuseum.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.chartmuseum" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
PORT: "{{ template "harbor.chartmuseum.containerPort" . }}"
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
TLS_CERT: "/etc/harbor/ssl/chartmuseum/tls.crt"
|
|
||||||
TLS_KEY: "/etc/harbor/ssl/chartmuseum/tls.key"
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq "redis" (include "harbor.redis.scheme" .) }}
|
|
||||||
CACHE: "redis"
|
|
||||||
{{- else }}
|
|
||||||
CACHE: "redis_sentinel"
|
|
||||||
CACHE_REDIS_MASTERNAME: "{{ template "harbor.redis.masterSet" . }}"
|
|
||||||
{{- end }}
|
|
||||||
CACHE_REDIS_ADDR: "{{ template "harbor.redis.addr" . }}"
|
|
||||||
CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}"
|
|
||||||
BASIC_AUTH_USER: "chart_controller"
|
|
||||||
{{- if .Values.chartmuseum.absoluteUrl }}
|
|
||||||
CHART_URL: {{ .Values.externalURL }}/chartrepo
|
|
||||||
{{- end }}
|
|
||||||
DEPTH: "1"
|
|
||||||
{{- if eq .Values.logLevel "debug" }}
|
|
||||||
DEBUG: "true"
|
|
||||||
{{- else }}
|
|
||||||
DEBUG: "false"
|
|
||||||
{{- end }}
|
|
||||||
LOG_JSON: "true"
|
|
||||||
DISABLE_METRICS: "false"
|
|
||||||
DISABLE_API: "false"
|
|
||||||
DISABLE_STATEFILES: "false"
|
|
||||||
ALLOW_OVERWRITE: "true"
|
|
||||||
AUTH_ANONYMOUS_GET: "false"
|
|
||||||
CONTEXT_PATH: ""
|
|
||||||
INDEX_LIMIT: "0"
|
|
||||||
MAX_STORAGE_OBJECTS: "0"
|
|
||||||
MAX_UPLOAD_SIZE: "20971520"
|
|
||||||
CHART_POST_FORM_FIELD_NAME: "chart"
|
|
||||||
PROV_POST_FORM_FIELD_NAME: "prov"
|
|
||||||
{{- $storage := .Values.persistence.imageChartStorage }}
|
|
||||||
{{- $storageType := $storage.type }}
|
|
||||||
{{- if eq $storageType "filesystem" }}
|
|
||||||
STORAGE: "local"
|
|
||||||
STORAGE_LOCAL_ROOTDIR: "/chart_storage"
|
|
||||||
{{- else if eq $storageType "azure" }}
|
|
||||||
STORAGE: "microsoft"
|
|
||||||
STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }}
|
|
||||||
AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }}
|
|
||||||
AZURE_BASE_URL: {{ $storage.azure.realm }}
|
|
||||||
STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts"
|
|
||||||
{{- else if eq $storageType "gcs" }}
|
|
||||||
STORAGE: "google"
|
|
||||||
STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }}
|
|
||||||
GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json
|
|
||||||
{{- if $storage.gcs.rootdirectory }}
|
|
||||||
STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $storageType "s3" }}
|
|
||||||
STORAGE: "amazon"
|
|
||||||
STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }}
|
|
||||||
{{- if $storage.s3.rootdirectory }}
|
|
||||||
STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }}
|
|
||||||
{{- end }}
|
|
||||||
STORAGE_AMAZON_REGION: {{ $storage.s3.region }}
|
|
||||||
{{- if $storage.s3.regionendpoint }}
|
|
||||||
STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.accesskey }}
|
|
||||||
AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.keyid }}
|
|
||||||
STORAGE_AMAZON_SSE: aws:kms
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $storageType "swift" }}
|
|
||||||
STORAGE: "openstack"
|
|
||||||
STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }}
|
|
||||||
{{- if $storage.swift.prefix }}
|
|
||||||
STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.region }}
|
|
||||||
STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }}
|
|
||||||
{{- end }}
|
|
||||||
OS_AUTH_URL: {{ $storage.swift.authurl }}
|
|
||||||
OS_USERNAME: {{ $storage.swift.username }}
|
|
||||||
{{- if $storage.swift.tenantid }}
|
|
||||||
OS_PROJECT_ID: {{ $storage.swift.tenantid }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.tenant }}
|
|
||||||
OS_PROJECT_NAME: {{ $storage.swift.tenant }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.domainid }}
|
|
||||||
OS_DOMAIN_ID: {{ $storage.swift.domainid }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.domain }}
|
|
||||||
OS_DOMAIN_NAME: {{ $storage.swift.domain }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $storageType "oss" }}
|
|
||||||
STORAGE: "alibaba"
|
|
||||||
STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }}
|
|
||||||
{{- if $storage.oss.rootdirectory }}
|
|
||||||
STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.oss.endpoint }}
|
|
||||||
STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }}
|
|
||||||
{{- end }}
|
|
||||||
ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,165 +0,0 @@
|
|||||||
{{- if .Values.chartmuseum.enabled }}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.chartmuseum" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: chartmuseum
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.chartmuseum.replicas }}
|
|
||||||
strategy:
|
|
||||||
type: {{ .Values.updateStrategy.type }}
|
|
||||||
{{- if eq .Values.updateStrategy.type "Recreate" }}
|
|
||||||
rollingUpdate: null
|
|
||||||
{{- end }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: chartmuseum
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: chartmuseum
|
|
||||||
annotations:
|
|
||||||
checksum/configmap: {{ print "chartmuseum-cm.yaml" . | sha256sum }}
|
|
||||||
checksum/secret: {{ print "chartmuseum-secret.yaml" . | sha256sum }}
|
|
||||||
checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }}
|
|
||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }}
|
|
||||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
|
||||||
checksum/tls: {{ print "chartmuseum-tls.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.chartmuseum.podAnnotations }}
|
|
||||||
{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- if .Values.chartmuseum.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: chartmuseum
|
|
||||||
image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /health
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.chartmuseum.containerPort" . }}
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /health
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.chartmuseum.containerPort" . }}
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 10
|
|
||||||
{{- if .Values.chartmuseum.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.chartmuseum.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: "{{ template "harbor.chartmuseum" . }}"
|
|
||||||
- secretRef:
|
|
||||||
name: "{{ template "harbor.chartmuseum" . }}"
|
|
||||||
env:
|
|
||||||
{{- if has "chartmuseum" .Values.proxy.components }}
|
|
||||||
- name: HTTP_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpProxy }}"
|
|
||||||
- name: HTTPS_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpsProxy }}"
|
|
||||||
- name: NO_PROXY
|
|
||||||
value: "{{ template "harbor.noProxy" . }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: INTERNAL_TLS_ENABLED
|
|
||||||
value: "true"
|
|
||||||
- name: INTERNAL_TLS_KEY_PATH
|
|
||||||
value: /etc/harbor/ssl/chartmuseum/tls.key
|
|
||||||
- name: INTERNAL_TLS_CERT_PATH
|
|
||||||
value: /etc/harbor/ssl/chartmuseum/tls.crt
|
|
||||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
|
||||||
value: /etc/harbor/ssl/chartmuseum/ca.crt
|
|
||||||
{{- end }}
|
|
||||||
- name: BASIC_AUTH_PASS
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
key: secret
|
|
||||||
- # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280)
|
|
||||||
name: AWS_SDK_LOAD_CONFIG
|
|
||||||
value: "1"
|
|
||||||
ports:
|
|
||||||
- containerPort: {{ template "harbor.chartmuseum.containerPort" . }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: chartmuseum-data
|
|
||||||
mountPath: /chart_storage
|
|
||||||
subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: chart-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/chartmuseum
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
|
|
||||||
- name: gcs-key
|
|
||||||
mountPath: /etc/chartmuseum/gcs-key.json
|
|
||||||
subPath: gcs-key.json
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
|
||||||
- name: storage-service-ca
|
|
||||||
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
|
|
||||||
subPath: ca.crt
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: chartmuseum-data
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }}
|
|
||||||
{{- else }}
|
|
||||||
emptyDir: {}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: chart-internal-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
|
|
||||||
- name: gcs-key
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.registry" . }}
|
|
||||||
items:
|
|
||||||
- key: GCS_KEY_DATA
|
|
||||||
path: gcs-key.json
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
|
||||||
- name: storage-service-ca
|
|
||||||
secret:
|
|
||||||
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.chartmuseum.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.chartmuseum.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.chartmuseum.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,32 +0,0 @@
|
|||||||
{{- if .Values.chartmuseum.enabled }}
|
|
||||||
{{- $persistence := .Values.persistence -}}
|
|
||||||
{{- if $persistence.enabled }}
|
|
||||||
{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}}
|
|
||||||
{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }}
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.chartmuseum" . }}
|
|
||||||
{{- if eq $persistence.resourcePolicy "keep" }}
|
|
||||||
annotations:
|
|
||||||
helm.sh/resource-policy: keep
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: chartmuseum
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- {{ $chartmuseum.accessMode }}
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: {{ $chartmuseum.size }}
|
|
||||||
{{- if $chartmuseum.storageClass }}
|
|
||||||
{{- if eq "-" $chartmuseum.storageClass }}
|
|
||||||
storageClassName: ""
|
|
||||||
{{- else }}
|
|
||||||
storageClassName: {{ $chartmuseum.storageClass }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,26 +0,0 @@
|
|||||||
{{- if .Values.chartmuseum.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.chartmuseum" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
|
|
||||||
{{- $storage := .Values.persistence.imageChartStorage }}
|
|
||||||
{{- $storageType := $storage.type }}
|
|
||||||
{{- if eq $storageType "azure" }}
|
|
||||||
AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }}
|
|
||||||
{{- else if eq $storageType "gcs" }}
|
|
||||||
# TODO support the keyfile of gcs
|
|
||||||
{{- else if eq $storageType "s3" }}
|
|
||||||
{{- if $storage.s3.secretkey }}
|
|
||||||
AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $storageType "swift" }}
|
|
||||||
OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
|
|
||||||
{{- else if eq $storageType "oss" }}
|
|
||||||
ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if .Values.chartmuseum.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.chartmuseum" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: {{ template "harbor.chartmuseum.servicePort" . }}
|
|
||||||
targetPort: {{ template "harbor.chartmuseum.containerPort" . }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: chartmuseum
|
|
||||||
{{- end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
|
||||||
tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }}
|
|
||||||
tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,166 +0,0 @@
|
|||||||
{{ if .Values.clair.enabled }}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.clair" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: clair
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.clair.replicas }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: clair
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: clair
|
|
||||||
annotations:
|
|
||||||
checksum/secret: {{ print "clair-secret.yaml" . | sha256sum }}
|
|
||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }}
|
|
||||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
|
||||||
checksum/tls: {{ print "clair-tls.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.clair.podAnnotations }}
|
|
||||||
{{ toYaml .Values.clair.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- if .Values.clair.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.clair.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: clair
|
|
||||||
image: {{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /health
|
|
||||||
port: 6061
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /health
|
|
||||||
port: 6061
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 10
|
|
||||||
args: ["-log-level", "{{ .Values.logLevel }}"]
|
|
||||||
env:
|
|
||||||
{{- if has "clair" .Values.proxy.components }}
|
|
||||||
- name: HTTP_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpProxy }}"
|
|
||||||
- name: HTTPS_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpsProxy }}"
|
|
||||||
- name: NO_PROXY
|
|
||||||
value: "{{ template "harbor.noProxy" . }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.clair.clair.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.clair.clair.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: 6060
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/clair/config.yaml
|
|
||||||
subPath: config.yaml
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: clair-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/clair
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
- name: adapter
|
|
||||||
image: {{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /probe/healthy
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.clairAdapter.containerPort" . }}
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /probe/ready
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.clairAdapter.containerPort" . }}
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 10
|
|
||||||
env:
|
|
||||||
- name: SCANNER_CLAIR_URL
|
|
||||||
# To avoid a pod cannot reach itself via service IP when the clusters disable hairpin
|
|
||||||
value: "http://127.0.0.1:6060"
|
|
||||||
- name: SCANNER_STORE_REDIS_URL
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.clair" . }}
|
|
||||||
key: redis
|
|
||||||
- name: SCANNER_CLAIR_DATABASE_URL
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.clair" . }}
|
|
||||||
key: database
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: INTERNAL_TLS_ENABLED
|
|
||||||
value: "true"
|
|
||||||
- name: SCANNER_API_SERVER_ADDR
|
|
||||||
value: ":8443"
|
|
||||||
- name: SCANNER_API_SERVER_TLS_KEY
|
|
||||||
value: /etc/harbor/ssl/clair/tls.key
|
|
||||||
- name: SCANNER_API_SERVER_TLS_CERTIFICATE
|
|
||||||
value: /etc/harbor/ssl/clair/tls.crt
|
|
||||||
{{- end }}
|
|
||||||
- name: SCANNER_LOG_LEVEL
|
|
||||||
value: "{{ .Values.logLevel }}"
|
|
||||||
{{- if .Values.clair.adapter.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.clair.adapter.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: {{ template "harbor.clairAdapter.containerPort" . }}
|
|
||||||
{{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }}
|
|
||||||
volumeMounts:
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: clair-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/clair
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
secret:
|
|
||||||
secretName: "{{ template "harbor.clair" . }}"
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: clair-internal-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.internalTLS.clair.secretName" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.clair.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.clair.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.clair.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{ end }}
|
|
@ -1,13 +0,0 @@
|
|||||||
{{- if .Values.clair.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.clair" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }}
|
|
||||||
redis: {{ include "harbor.redis.urlForClair" . | b64enc }}
|
|
||||||
database: {{ include "harbor.database.clair" . | b64enc }}
|
|
||||||
{{- end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
{{ if .Values.clair.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.clair" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- name: adapter
|
|
||||||
port: {{ include "harbor.clairAdapter.servicePort" . }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: clair
|
|
||||||
{{ end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if and .Values.clair.enabled .Values.internalTLS.enabled }}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.clair.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
|
||||||
tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }}
|
|
||||||
tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,150 +0,0 @@
|
|||||||
{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }}
|
|
||||||
{{- $scheme := (include "harbor.component.scheme" .) -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.nginx" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
nginx.conf: |+
|
|
||||||
worker_processes auto;
|
|
||||||
pid /tmp/nginx.pid;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
use epoll;
|
|
||||||
multi_accept on;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
client_body_temp_path /tmp/client_body_temp;
|
|
||||||
proxy_temp_path /tmp/proxy_temp;
|
|
||||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
||||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
||||||
scgi_temp_path /tmp/scgi_temp;
|
|
||||||
tcp_nodelay on;
|
|
||||||
|
|
||||||
# this is necessary for us to be able to disable request buffering in all cases
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
|
|
||||||
upstream core {
|
|
||||||
server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
|
|
||||||
}
|
|
||||||
|
|
||||||
upstream portal {
|
|
||||||
server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }};
|
|
||||||
}
|
|
||||||
|
|
||||||
log_format timed_combined '[$time_local]:$remote_addr - '
|
|
||||||
'"$request" $status $body_bytes_sent '
|
|
||||||
'"$http_referer" "$http_user_agent" '
|
|
||||||
'$request_time $upstream_response_time $pipe';
|
|
||||||
|
|
||||||
access_log /dev/stdout timed_combined;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 8080;
|
|
||||||
server_tokens off;
|
|
||||||
# disable any limits to avoid HTTP 413 for large image uploads
|
|
||||||
client_max_body_size 0;
|
|
||||||
|
|
||||||
# Add extra headers
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass {{ $scheme }}://portal/;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /api/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/api/;
|
|
||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_ssl_session_reuse on;
|
|
||||||
{{- end }}
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /chartrepo/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/chartrepo/;
|
|
||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_ssl_session_reuse on;
|
|
||||||
{{- end }}
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /c/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/c/;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /v1/ {
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /v2/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/v2/;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /service/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/service/;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /service/notifications {
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
{{- end }}
|
|
@ -1,221 +0,0 @@
|
|||||||
{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }}
|
|
||||||
{{- $scheme := (include "harbor.component.scheme" .) -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.nginx" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
nginx.conf: |+
|
|
||||||
worker_processes auto;
|
|
||||||
pid /tmp/nginx.pid;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
use epoll;
|
|
||||||
multi_accept on;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
client_body_temp_path /tmp/client_body_temp;
|
|
||||||
proxy_temp_path /tmp/proxy_temp;
|
|
||||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
||||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
||||||
scgi_temp_path /tmp/scgi_temp;
|
|
||||||
tcp_nodelay on;
|
|
||||||
|
|
||||||
# this is necessary for us to be able to disable request buffering in all cases
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
|
|
||||||
upstream core {
|
|
||||||
server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
|
|
||||||
}
|
|
||||||
|
|
||||||
upstream portal {
|
|
||||||
server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}";
|
|
||||||
}
|
|
||||||
|
|
||||||
{{- if .Values.notary.enabled }}
|
|
||||||
upstream notary-server {
|
|
||||||
server {{ template "harbor.notary-server" . }}:4443;
|
|
||||||
}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
log_format timed_combined '[$time_local]:$remote_addr - '
|
|
||||||
'"$request" $status $body_bytes_sent '
|
|
||||||
'"$http_referer" "$http_user_agent" '
|
|
||||||
'$request_time $upstream_response_time $pipe';
|
|
||||||
|
|
||||||
access_log /dev/stdout timed_combined;
|
|
||||||
|
|
||||||
{{- if .Values.notary.enabled }}
|
|
||||||
server {
|
|
||||||
listen 4443 ssl;
|
|
||||||
server_tokens off;
|
|
||||||
# ssl
|
|
||||||
ssl_certificate /etc/nginx/cert/tls.crt;
|
|
||||||
ssl_certificate_key /etc/nginx/cert/tls.key;
|
|
||||||
|
|
||||||
# recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
|
|
||||||
ssl_protocols tlsv1.1 tlsv1.2;
|
|
||||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_session_cache shared:ssl:10m;
|
|
||||||
|
|
||||||
# disable any limits to avoid http 413 for large image uploads
|
|
||||||
client_max_body_size 0;
|
|
||||||
|
|
||||||
# required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
|
|
||||||
chunked_transfer_encoding on;
|
|
||||||
|
|
||||||
location /v2/ {
|
|
||||||
proxy_pass http://notary-server/v2/;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 8443 ssl;
|
|
||||||
# server_name harbordomain.com;
|
|
||||||
server_tokens off;
|
|
||||||
# SSL
|
|
||||||
ssl_certificate /etc/nginx/cert/tls.crt;
|
|
||||||
ssl_certificate_key /etc/nginx/cert/tls.key;
|
|
||||||
|
|
||||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2;
|
|
||||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_session_cache shared:SSL:10m;
|
|
||||||
|
|
||||||
# disable any limits to avoid HTTP 413 for large image uploads
|
|
||||||
client_max_body_size 0;
|
|
||||||
|
|
||||||
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
|
||||||
chunked_transfer_encoding on;
|
|
||||||
|
|
||||||
# Add extra headers
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass {{ $scheme }}://portal/;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_cookie_path / "/; HttpOnly; Secure";
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /api/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/api/;
|
|
||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_ssl_session_reuse on;
|
|
||||||
{{- end }}
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_cookie_path / "/; Secure";
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /chartrepo/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/chartrepo/;
|
|
||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_ssl_session_reuse on;
|
|
||||||
{{- end }}
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_cookie_path / "/; Secure";
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /c/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/c/;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_cookie_path / "/; Secure";
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /v1/ {
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /v2/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/v2/;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /service/ {
|
|
||||||
proxy_pass {{ $scheme }}://core/service/;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_cookie_path / "/; Secure";
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /service/notifications {
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 8080;
|
|
||||||
#server_name harbordomain.com;
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
{{- end }}
|
|
@ -1,50 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.portal" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
nginx.conf: |+
|
|
||||||
worker_processes auto;
|
|
||||||
pid /tmp/nginx.pid;
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
http {
|
|
||||||
client_body_temp_path /tmp/client_body_temp;
|
|
||||||
proxy_temp_path /tmp/proxy_temp;
|
|
||||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
||||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
||||||
scgi_temp_path /tmp/scgi_temp;
|
|
||||||
server {
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
listen {{ template "harbor.portal.containerPort" . }} ssl;
|
|
||||||
# SSL
|
|
||||||
ssl_certificate /etc/harbor/ssl/portal/tls.crt;
|
|
||||||
ssl_certificate_key /etc/harbor/ssl/portal/tls.key;
|
|
||||||
|
|
||||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_session_cache shared:SSL:10m;
|
|
||||||
{{- else }}
|
|
||||||
listen {{ template "harbor.portal.containerPort" . }};
|
|
||||||
{{- end }}
|
|
||||||
server_name localhost;
|
|
||||||
root /usr/share/nginx/html;
|
|
||||||
index index.html index.htm;
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
gzip on;
|
|
||||||
gzip_min_length 1000;
|
|
||||||
gzip_proxied expired no-cache no-store private auth;
|
|
||||||
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.html;
|
|
||||||
}
|
|
||||||
location = /index.html {
|
|
||||||
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,59 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
app.conf: |+
|
|
||||||
appname = Harbor
|
|
||||||
runmode = prod
|
|
||||||
enablegzip = true
|
|
||||||
|
|
||||||
[prod]
|
|
||||||
httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }}
|
|
||||||
PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}"
|
|
||||||
DATABASE_TYPE: "postgresql"
|
|
||||||
POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
|
|
||||||
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
|
|
||||||
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
|
|
||||||
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
|
|
||||||
POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
|
|
||||||
POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
|
|
||||||
POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
|
|
||||||
EXT_ENDPOINT: "{{ .Values.externalURL }}"
|
|
||||||
CORE_URL: "{{ template "harbor.coreURL" . }}"
|
|
||||||
JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}"
|
|
||||||
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
|
|
||||||
TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
|
|
||||||
WITH_NOTARY: "{{ .Values.notary.enabled }}"
|
|
||||||
NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
|
|
||||||
CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}"
|
|
||||||
WITH_CLAIR: "{{ .Values.clair.enabled }}"
|
|
||||||
CLAIR_ADAPTER_URL: "{{ template "harbor.clairAdapterURL" . }}"
|
|
||||||
WITH_TRIVY: {{ .Values.trivy.enabled | quote }}
|
|
||||||
TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}"
|
|
||||||
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
|
|
||||||
WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}"
|
|
||||||
CHART_REPOSITORY_URL: "{{ template "harbor.component.scheme" . }}://{{ template "harbor.chartmuseum" . }}"
|
|
||||||
LOG_LEVEL: "{{ .Values.logLevel }}"
|
|
||||||
CONFIG_PATH: "/etc/core/app.conf"
|
|
||||||
CHART_CACHE_DRIVER: "redis"
|
|
||||||
_REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
|
|
||||||
_REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}"
|
|
||||||
PORTAL_URL: "{{ template "harbor.portalURL" . }}"
|
|
||||||
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
|
|
||||||
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
|
|
||||||
{{- if .Values.uaaSecretName }}
|
|
||||||
UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt"
|
|
||||||
{{- end }}
|
|
||||||
{{- if has "core" .Values.proxy.components }}
|
|
||||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
|
||||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
|
||||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
|
||||||
{{- end }}
|
|
||||||
PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor"
|
|
||||||
{{- if hasKey .Values.core "gcTimeWindowHours" }}
|
|
||||||
#make the GC time window configurable for testing
|
|
||||||
GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}"
|
|
||||||
{{- end }}
|
|
@ -1,179 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: core
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.core.replicas }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: core
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 8 }}
|
|
||||||
component: core
|
|
||||||
annotations:
|
|
||||||
checksum/configmap: {{ print "core-cm.yaml" . | sha256sum }}
|
|
||||||
checksum/secret: {{ print "core-secret.yaml" . | sha256sum }}
|
|
||||||
checksum/secret-jobservice: {{ print "jobservice-secrets.yaml" . | sha256sum }}
|
|
||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }}
|
|
||||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
|
||||||
checksum/tls: {{ print "core-tls.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.core.podAnnotations }}
|
|
||||||
{{ toYaml .Values.core.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- if .Values.core.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.core.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: core
|
|
||||||
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /api/v2.0/ping
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.core.containerPort" . }}
|
|
||||||
initialDelaySeconds: {{ .Values.core.livenessProbe.initialDelaySeconds }}
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /api/v2.0/ping
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.core.containerPort" . }}
|
|
||||||
initialDelaySeconds: 20
|
|
||||||
periodSeconds: 10
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: "{{ template "harbor.core" . }}"
|
|
||||||
- secretRef:
|
|
||||||
name: "{{ template "harbor.core" . }}"
|
|
||||||
env:
|
|
||||||
- name: CORE_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
key: secret
|
|
||||||
- name: JOBSERVICE_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}"
|
|
||||||
key: JOBSERVICE_SECRET
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: INTERNAL_TLS_ENABLED
|
|
||||||
value: "true"
|
|
||||||
- name: INTERNAL_TLS_KEY_PATH
|
|
||||||
value: /etc/harbor/ssl/core/tls.key
|
|
||||||
- name: INTERNAL_TLS_CERT_PATH
|
|
||||||
value: /etc/harbor/ssl/core/tls.crt
|
|
||||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
|
||||||
value: /etc/harbor/ssl/core/ca.crt
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: {{ template "harbor.core.containerPort" . }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/core/app.conf
|
|
||||||
subPath: app.conf
|
|
||||||
- name: secret-key
|
|
||||||
mountPath: /etc/core/key
|
|
||||||
subPath: key
|
|
||||||
- name: token-service-private-key
|
|
||||||
mountPath: /etc/core/private_key.pem
|
|
||||||
subPath: tls.key
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
- name: ca-download
|
|
||||||
mountPath: /etc/core/ca
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.uaaSecretName }}
|
|
||||||
- name: auth-ca-cert
|
|
||||||
mountPath: /etc/core/auth-ca/auth-ca.crt
|
|
||||||
subPath: auth-ca.crt
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: core-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/core
|
|
||||||
{{- end }}
|
|
||||||
- name: psc
|
|
||||||
mountPath: /etc/core/token
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.core.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.core.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
configMap:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
items:
|
|
||||||
- key: app.conf
|
|
||||||
path: app.conf
|
|
||||||
- name: secret-key
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.core" . }}
|
|
||||||
items:
|
|
||||||
- key: secretKey
|
|
||||||
path: key
|
|
||||||
- name: token-service-private-key
|
|
||||||
secret:
|
|
||||||
{{- if .Values.core.secretName }}
|
|
||||||
secretName: {{ .Values.core.secretName }}
|
|
||||||
{{- else }}
|
|
||||||
secretName: {{ template "harbor.core" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
- name: ca-download
|
|
||||||
secret:
|
|
||||||
{{- if .Values.caSecretName }}
|
|
||||||
secretName: {{ .Values.caSecretName }}
|
|
||||||
{{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }}
|
|
||||||
secretName: "{{ template "harbor.ingress" . }}"
|
|
||||||
{{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
|
||||||
secretName: {{ template "harbor.tlsSecretForNginx" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.uaaSecretName }}
|
|
||||||
- name: auth-ca-cert
|
|
||||||
secret:
|
|
||||||
secretName: {{ .Values.uaaSecretName }}
|
|
||||||
items:
|
|
||||||
- key: ca.crt
|
|
||||||
path: auth-ca.crt
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: core-internal-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.internalTLS.core.secretName" . }}
|
|
||||||
{{- end }}
|
|
||||||
- name: psc
|
|
||||||
emptyDir: {}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.core.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.core.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.core.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
@ -1,18 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
secretKey: {{ .Values.secretKey | b64enc | quote }}
|
|
||||||
secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
|
|
||||||
{{- if not .Values.core.secretName }}
|
|
||||||
tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
|
|
||||||
tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
|
|
||||||
{{- end }}
|
|
||||||
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
|
|
||||||
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
|
||||||
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
|
|
||||||
CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
|
|
@ -1,16 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
{{- if (eq .Values.expose.ingress.controller "gce") }}
|
|
||||||
type: NodePort
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- port: {{ template "harbor.core.servicePort" . }}
|
|
||||||
targetPort: {{ template "harbor.core.containerPort" . }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: core
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
|
||||||
tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }}
|
|
||||||
tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,11 +0,0 @@
|
|||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.database" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
|
||||||
{{- end -}}
|
|
@ -1,123 +0,0 @@
|
|||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
{{- $database := .Values.persistence.persistentVolumeClaim.database -}}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: StatefulSet
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.database" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: database
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
serviceName: "{{ template "harbor.database" . }}"
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: database
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: database
|
|
||||||
annotations:
|
|
||||||
checksum/secret: {{ print "database-secret.yaml" . | sha256sum }}
|
|
||||||
{{- if .Values.database.podAnnotations }}
|
|
||||||
{{ toYaml .Values.database.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if .Values.database.internal.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.database.internal.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
initContainers:
|
|
||||||
- name: "change-permission-of-directory"
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 0
|
|
||||||
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
command: ["/bin/sh"]
|
|
||||||
args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"]
|
|
||||||
volumeMounts:
|
|
||||||
- name: database-data
|
|
||||||
mountPath: /var/lib/postgresql/data
|
|
||||||
subPath: {{ $database.subPath }}
|
|
||||||
- name: "remove-lost-found"
|
|
||||||
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
|
|
||||||
volumeMounts:
|
|
||||||
- name: database-data
|
|
||||||
mountPath: /var/lib/postgresql/data
|
|
||||||
subPath: {{ $database.subPath }}
|
|
||||||
containers:
|
|
||||||
- name: database
|
|
||||||
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- /docker-healthcheck.sh
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- /docker-healthcheck.sh
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 10
|
|
||||||
{{- if .Values.database.internal.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.database.internal.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
envFrom:
|
|
||||||
- secretRef:
|
|
||||||
name: "{{ template "harbor.database" . }}"
|
|
||||||
volumeMounts:
|
|
||||||
- name: database-data
|
|
||||||
mountPath: /var/lib/postgresql/data
|
|
||||||
subPath: {{ $database.subPath }}
|
|
||||||
{{- if not .Values.persistence.enabled }}
|
|
||||||
volumes:
|
|
||||||
- name: "database-data"
|
|
||||||
emptyDir: {}
|
|
||||||
{{- else if $database.existingClaim }}
|
|
||||||
volumes:
|
|
||||||
- name: "database-data"
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: {{ $database.existingClaim }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.database.internal.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.database.internal.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.database.internal.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (not $database.existingClaim) }}
|
|
||||||
volumeClaimTemplates:
|
|
||||||
- metadata:
|
|
||||||
name: "database-data"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
spec:
|
|
||||||
accessModes: [{{ $database.accessMode | quote }}]
|
|
||||||
{{- if $database.storageClass }}
|
|
||||||
{{- if (eq "-" $database.storageClass) }}
|
|
||||||
storageClassName: ""
|
|
||||||
{{- else }}
|
|
||||||
storageClassName: "{{ $database.storageClass }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: {{ $database.size | quote }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
@ -1,14 +0,0 @@
|
|||||||
{{- if eq .Values.database.type "internal" -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.database" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: 5432
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: database
|
|
||||||
{{- end -}}
|
|
@ -1,88 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.portal" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: portal
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.portal.replicas }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: portal
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 8 }}
|
|
||||||
component: portal
|
|
||||||
annotations:
|
|
||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }}
|
|
||||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
|
||||||
checksum/tls: {{ print "tls.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.portal.podAnnotations }}
|
|
||||||
{{ toYaml .Values.portal.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.portal.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.portal.serviceAccountName }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: portal
|
|
||||||
image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
{{- if .Values.portal.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.portal.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.portal.containerPort" . }}
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.portal.containerPort" . }}
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 10
|
|
||||||
ports:
|
|
||||||
- containerPort: {{ template "harbor.portal.containerPort" . }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: portal-config
|
|
||||||
mountPath: /etc/nginx/nginx.conf
|
|
||||||
subPath: nginx.conf
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: portal-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/portal
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: portal-config
|
|
||||||
configMap:
|
|
||||||
name: "{{ template "harbor.portal" . }}"
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: portal-internal-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.internalTLS.portal.secretName" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.portal.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.portal.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.portal.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
|
|
||||||
{{- $ca := genCA "harbor-ca" 365 }}
|
|
||||||
{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.ingress" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
@ -1,133 +0,0 @@
|
|||||||
{{- if eq .Values.expose.type "ingress" }}
|
|
||||||
{{- $ingress := .Values.expose.ingress -}}
|
|
||||||
{{- $tls := .Values.expose.tls -}}
|
|
||||||
{{- if eq .Values.expose.ingress.controller "gce" }}
|
|
||||||
{{- $_ := set . "portal_path" "/*" -}}
|
|
||||||
{{- $_ := set . "api_path" "/api/*" -}}
|
|
||||||
{{- $_ := set . "service_path" "/service/*" -}}
|
|
||||||
{{- $_ := set . "v2_path" "/v2/*" -}}
|
|
||||||
{{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
|
|
||||||
{{- $_ := set . "controller_path" "/c/*" -}}
|
|
||||||
{{- $_ := set . "notary_path" "/" -}}
|
|
||||||
{{- else if eq .Values.expose.ingress.controller "ncp" }}
|
|
||||||
{{- $_ := set . "portal_path" "/.*" -}}
|
|
||||||
{{- $_ := set . "api_path" "/api/.*" -}}
|
|
||||||
{{- $_ := set . "service_path" "/service/.*" -}}
|
|
||||||
{{- $_ := set . "v2_path" "/v2/.*" -}}
|
|
||||||
{{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
|
|
||||||
{{- $_ := set . "controller_path" "/c/.*" -}}
|
|
||||||
{{- $_ := set . "notary_path" "/.*" -}}
|
|
||||||
{{- else }}
|
|
||||||
{{- $_ := set . "portal_path" "/" -}}
|
|
||||||
{{- $_ := set . "api_path" "/api/" -}}
|
|
||||||
{{- $_ := set . "service_path" "/service/" -}}
|
|
||||||
{{- $_ := set . "v2_path" "/v2/" -}}
|
|
||||||
{{- $_ := set . "chartrepo_path" "/chartrepo/" -}}
|
|
||||||
{{- $_ := set . "controller_path" "/c/" -}}
|
|
||||||
{{- $_ := set . "notary_path" "/" -}}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
---
|
|
||||||
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
|
|
||||||
apiVersion: extensions/v1beta1
|
|
||||||
{{- else }}
|
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
|
||||||
{{- end }}
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.ingress" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
annotations:
|
|
||||||
{{ toYaml $ingress.annotations | indent 4 }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq .Values.expose.ingress.controller "ncp" }}
|
|
||||||
ncp/use-regex: "true"
|
|
||||||
{{- if $tls.enabled }}
|
|
||||||
ncp/http-redirect: "true"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if $tls.enabled }}
|
|
||||||
tls:
|
|
||||||
- secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
|
|
||||||
{{- if $ingress.hosts.core }}
|
|
||||||
hosts:
|
|
||||||
- {{ $ingress.hosts.core }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
rules:
|
|
||||||
- http:
|
|
||||||
paths:
|
|
||||||
- path: {{ .portal_path }}
|
|
||||||
backend:
|
|
||||||
serviceName: {{ template "harbor.portal" . }}
|
|
||||||
servicePort: {{ template "harbor.portal.servicePort" . }}
|
|
||||||
- path: {{ .api_path }}
|
|
||||||
backend:
|
|
||||||
serviceName: {{ template "harbor.core" . }}
|
|
||||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
|
||||||
- path: {{ .service_path }}
|
|
||||||
backend:
|
|
||||||
serviceName: {{ template "harbor.core" . }}
|
|
||||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
|
||||||
- path: {{ .v2_path }}
|
|
||||||
backend:
|
|
||||||
serviceName: {{ template "harbor.core" . }}
|
|
||||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
|
||||||
- path: {{ .chartrepo_path }}
|
|
||||||
backend:
|
|
||||||
serviceName: {{ template "harbor.core" . }}
|
|
||||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
|
||||||
- path: {{ .controller_path }}
|
|
||||||
backend:
|
|
||||||
serviceName: {{ template "harbor.core" . }}
|
|
||||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
|
||||||
{{- if $ingress.hosts.core }}
|
|
||||||
host: {{ $ingress.hosts.core }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if .Values.notary.enabled }}
|
|
||||||
---
|
|
||||||
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
|
|
||||||
apiVersion: extensions/v1beta1
|
|
||||||
{{- else }}
|
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
|
||||||
{{- end }}
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.ingress-notary" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
annotations:
|
|
||||||
{{ toYaml $ingress.annotations | indent 4 }}
|
|
||||||
{{- if eq .Values.expose.ingress.controller "ncp" }}
|
|
||||||
ncp/use-regex: "true"
|
|
||||||
{{- if $tls.enabled }}
|
|
||||||
ncp/http-redirect: "true"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if $tls.enabled }}
|
|
||||||
tls:
|
|
||||||
- secretName: {{ template "harbor.tlsNotarySecretForIngress" . }}
|
|
||||||
{{- if $ingress.hosts.notary }}
|
|
||||||
hosts:
|
|
||||||
- {{ $ingress.hosts.notary }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
rules:
|
|
||||||
- http:
|
|
||||||
paths:
|
|
||||||
- path: {{ .notary_path }}
|
|
||||||
backend:
|
|
||||||
serviceName: {{ template "harbor.notary-server" . }}
|
|
||||||
servicePort: 4443
|
|
||||||
{{- if $ingress.hosts.notary }}
|
|
||||||
host: {{ $ingress.hosts.notary }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,17 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}-env"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
CORE_URL: "{{ template "harbor.coreURL" . }}"
|
|
||||||
TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
|
|
||||||
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
|
|
||||||
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
|
|
||||||
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
|
|
||||||
{{- if has "jobservice" .Values.proxy.components }}
|
|
||||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
|
||||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
|
||||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
|
||||||
{{- end }}
|
|
@ -1,46 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
config.yml: |+
|
|
||||||
#Server listening port
|
|
||||||
protocol: "{{ template "harbor.component.scheme" . }}"
|
|
||||||
port: {{ template "harbor.jobservice.containerPort". }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
https_config:
|
|
||||||
cert: "/etc/harbor/ssl/jobservice/tls.crt"
|
|
||||||
key: "/etc/harbor/ssl/jobservice/tls.key"
|
|
||||||
{{- end }}
|
|
||||||
worker_pool:
|
|
||||||
workers: {{ .Values.jobservice.maxJobWorkers }}
|
|
||||||
backend: "redis"
|
|
||||||
redis_pool:
|
|
||||||
redis_url: "{{ template "harbor.redis.urlForJobservice" . }}"
|
|
||||||
namespace: "harbor_job_service_namespace"
|
|
||||||
idle_timeout_second: 3600
|
|
||||||
job_loggers:
|
|
||||||
{{- if eq .Values.jobservice.jobLogger "file" }}
|
|
||||||
- name: "FILE"
|
|
||||||
level: {{ .Values.logLevel | upper }}
|
|
||||||
settings: # Customized settings of logger
|
|
||||||
base_dir: "/var/log/jobs"
|
|
||||||
sweeper:
|
|
||||||
duration: 14 #days
|
|
||||||
settings: # Customized settings of sweeper
|
|
||||||
work_dir: "/var/log/jobs"
|
|
||||||
{{- else if eq .Values.jobservice.jobLogger "database" }}
|
|
||||||
- name: "DB"
|
|
||||||
level: {{ .Values.logLevel | upper }}
|
|
||||||
sweeper:
|
|
||||||
duration: 14 #days
|
|
||||||
{{- else }}
|
|
||||||
- name: "STD_OUTPUT"
|
|
||||||
level: {{ .Values.logLevel | upper }}
|
|
||||||
{{- end }}
|
|
||||||
#Loggers for the job service
|
|
||||||
loggers:
|
|
||||||
- name: "STD_OUTPUT"
|
|
||||||
level: {{ .Values.logLevel | upper }}
|
|
@ -1,136 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: jobservice
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.jobservice.replicas }}
|
|
||||||
strategy:
|
|
||||||
type: {{ .Values.updateStrategy.type }}
|
|
||||||
{{- if eq .Values.updateStrategy.type "Recreate" }}
|
|
||||||
rollingUpdate: null
|
|
||||||
{{- end }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: jobservice
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: jobservice
|
|
||||||
annotations:
|
|
||||||
checksum/configmap: {{ print "jobservice-cm.yaml" . | sha256sum }}
|
|
||||||
checksum/configmap-env: {{ print "jobservice-cm-env.yaml" . | sha256sum }}
|
|
||||||
checksum/secret: {{ print "jobservice-secrets.yaml" . | sha256sum }}
|
|
||||||
checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }}
|
|
||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }}
|
|
||||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
|
||||||
checksum/tls: {{ print "jobservice-tls.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.jobservice.podAnnotations }}
|
|
||||||
{{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- if .Values.jobservice.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: jobservice
|
|
||||||
image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /api/v1/stats
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.jobservice.containerPort" . }}
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /api/v1/stats
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.jobservice.containerPort" . }}
|
|
||||||
initialDelaySeconds: 20
|
|
||||||
periodSeconds: 10
|
|
||||||
{{- if .Values.jobservice.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.jobservice.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
- name: CORE_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
key: secret
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: INTERNAL_TLS_ENABLED
|
|
||||||
value: "true"
|
|
||||||
- name: INTERNAL_TLS_KEY_PATH
|
|
||||||
value: /etc/harbor/ssl/jobservice/tls.key
|
|
||||||
- name: INTERNAL_TLS_CERT_PATH
|
|
||||||
value: /etc/harbor/ssl/jobservice/tls.crt
|
|
||||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
|
||||||
value: /etc/harbor/ssl/jobservice/ca.crt
|
|
||||||
{{- end }}
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}-env"
|
|
||||||
- secretRef:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}"
|
|
||||||
ports:
|
|
||||||
- containerPort: {{ template "harbor.jobservice.containerPort" . }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: jobservice-config
|
|
||||||
mountPath: /etc/jobservice/config.yml
|
|
||||||
subPath: config.yml
|
|
||||||
- name: job-logs
|
|
||||||
mountPath: /var/log/jobs
|
|
||||||
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: jobservice-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/jobservice
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: jobservice-config
|
|
||||||
configMap:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}"
|
|
||||||
- name: job-logs
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }}
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }}
|
|
||||||
{{- else }}
|
|
||||||
emptyDir: {}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: jobservice-internal-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.jobservice.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.jobservice.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.jobservice.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
@ -1,29 +0,0 @@
|
|||||||
{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}}
|
|
||||||
{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }}
|
|
||||||
{{- if eq .Values.jobservice.jobLogger "file" }}
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.jobservice" . }}
|
|
||||||
{{- if eq .Values.persistence.resourcePolicy "keep" }}
|
|
||||||
annotations:
|
|
||||||
helm.sh/resource-policy: keep
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: jobservice
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- {{ $jobservice.accessMode }}
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: {{ $jobservice.size }}
|
|
||||||
{{- if $jobservice.storageClass }}
|
|
||||||
{{- if eq "-" $jobservice.storageClass }}
|
|
||||||
storageClassName: ""
|
|
||||||
{{- else }}
|
|
||||||
storageClassName: {{ $jobservice.storageClass }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,10 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
|
|
||||||
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
|
|
@ -1,13 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.jobservice" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: {{ template "harbor.jobservice.servicePort" . }}
|
|
||||||
targetPort: {{ template "harbor.jobservice.containerPort" . }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: jobservice
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
|
||||||
tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }}
|
|
||||||
tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,104 +0,0 @@
|
|||||||
{{- if ne .Values.expose.type "ingress" }}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.nginx" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: nginx
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.nginx.replicas }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: nginx
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: nginx
|
|
||||||
annotations:
|
|
||||||
{{- if not .Values.expose.tls.enabled }}
|
|
||||||
checksum/configmap: {{ print "configmap-http.yaml" . | sha256sum }}
|
|
||||||
{{- else }}
|
|
||||||
checksum/configmap: {{ print "configmap-https.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
|
||||||
checksum/secret: {{ print "nginx-secret.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.nginx.podAnnotations }}
|
|
||||||
{{ toYaml .Values.nginx.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if .Values.nginx.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.nginx.serviceAccountName }}
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 10000
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: nginx
|
|
||||||
image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
|
|
||||||
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
|
|
||||||
{{- $_ := set . "scheme" "HTTP" -}}
|
|
||||||
{{- $_ := set . "port" "8080" -}}
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
{{- $_ := set . "scheme" "HTTPS" -}}
|
|
||||||
{{- $_ := set . "port" "8443" -}}
|
|
||||||
{{- end }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
scheme: {{ .scheme }}
|
|
||||||
path: /
|
|
||||||
port: {{ .port }}
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
scheme: {{ .scheme }}
|
|
||||||
path: /
|
|
||||||
port: {{ .port }}
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 10
|
|
||||||
{{- if .Values.nginx.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.nginx.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: 8080
|
|
||||||
- containerPort: 8443
|
|
||||||
- containerPort: 4443
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/nginx/nginx.conf
|
|
||||||
subPath: nginx.conf
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
- name: certificate
|
|
||||||
mountPath: /etc/nginx/cert
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
configMap:
|
|
||||||
name: {{ template "harbor.nginx" . }}
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
- name: certificate
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.tlsSecretForNginx" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.nginx.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.nginx.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.nginx.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,23 +0,0 @@
|
|||||||
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
|
||||||
{{- $ca := genCA "harbor-ca" 365 }}
|
|
||||||
{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.nginx" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
{{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
|
|
||||||
{{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
|
|
||||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
{{- else }}
|
|
||||||
{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
|
|
||||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,92 +0,0 @@
|
|||||||
{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
{{- if eq .Values.expose.type "clusterIP" }}
|
|
||||||
{{- $clusterIP := .Values.expose.clusterIP }}
|
|
||||||
name: {{ $clusterIP.name }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
type: ClusterIP
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
port: {{ $clusterIP.ports.httpPort }}
|
|
||||||
targetPort: 8080
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
- name: https
|
|
||||||
port: {{ $clusterIP.ports.httpsPort }}
|
|
||||||
targetPort: 8443
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.notary.enabled }}
|
|
||||||
- name: notary
|
|
||||||
port: {{ $clusterIP.ports.notaryPort }}
|
|
||||||
targetPort: 4443
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq .Values.expose.type "nodePort" }}
|
|
||||||
{{- $nodePort := .Values.expose.nodePort }}
|
|
||||||
name: {{ $nodePort.name }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
type: NodePort
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
port: {{ $nodePort.ports.http.port }}
|
|
||||||
targetPort: 8080
|
|
||||||
{{- if $nodePort.ports.http.nodePort }}
|
|
||||||
nodePort: {{ $nodePort.ports.http.nodePort }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
- name: https
|
|
||||||
port: {{ $nodePort.ports.https.port }}
|
|
||||||
targetPort: 8443
|
|
||||||
{{- if $nodePort.ports.https.nodePort }}
|
|
||||||
nodePort: {{ $nodePort.ports.https.nodePort }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.notary.enabled }}
|
|
||||||
- name: notary
|
|
||||||
port: {{ $nodePort.ports.notary.port }}
|
|
||||||
targetPort: 4443
|
|
||||||
{{- if $nodePort.ports.notary.nodePort }}
|
|
||||||
nodePort: {{ $nodePort.ports.notary.nodePort }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq .Values.expose.type "loadBalancer" }}
|
|
||||||
{{- $loadBalancer := .Values.expose.loadBalancer }}
|
|
||||||
name: {{ $loadBalancer.name }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
{{- with $loadBalancer.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
type: LoadBalancer
|
|
||||||
{{- with $loadBalancer.sourceRanges }}
|
|
||||||
loadBalancerSourceRanges:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $loadBalancer.IP }}
|
|
||||||
loadBalancerIP: {{ $loadBalancer.IP }}
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
port: {{ $loadBalancer.ports.httpPort }}
|
|
||||||
targetPort: 8080
|
|
||||||
{{- if .Values.expose.tls.enabled }}
|
|
||||||
- name: https
|
|
||||||
port: {{ $loadBalancer.ports.httpsPort }}
|
|
||||||
targetPort: 8443
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.notary.enabled }}
|
|
||||||
- name: notary
|
|
||||||
port: {{ $loadBalancer.ports.notaryPort }}
|
|
||||||
targetPort: 4443
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: nginx
|
|
||||||
{{- end }}
|
|
@ -1,20 +0,0 @@
|
|||||||
{{- if and .Values.notary.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.notary-server" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: notary
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
{{- if not .Values.notary.secretName }}
|
|
||||||
{{- $ca := genCA "harbor-notary-ca" 365 }}
|
|
||||||
{{- $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }}
|
|
||||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
|
||||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
|
||||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }}
|
|
||||||
signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }}
|
|
||||||
{{- end }}
|
|
@ -1,89 +0,0 @@
|
|||||||
{{ if .Values.notary.enabled }}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.notary-server" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: notary-server
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.notary.server.replicas }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: notary-server
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: notary-server
|
|
||||||
annotations:
|
|
||||||
checksum/secret: {{ print "notary-secret.yaml" . | sha256sum }}
|
|
||||||
checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }}
|
|
||||||
{{- if .Values.notary.podAnnotations }}
|
|
||||||
{{ toYaml .Values.notary.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- if .Values.notary.server.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.notary.server.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: notary-server
|
|
||||||
image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
{{- if .Values.notary.server.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.notary.server.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
- name: MIGRATIONS_PATH
|
|
||||||
value: migrations/server/postgresql
|
|
||||||
- name: DB_URL
|
|
||||||
value: {{ template "harbor.database.notaryServer" . }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/notary/server-config.postgres.json
|
|
||||||
subPath: server.json
|
|
||||||
- name: token-service-certificate
|
|
||||||
mountPath: /root.crt
|
|
||||||
subPath: tls.crt
|
|
||||||
- name: signer-certificate
|
|
||||||
mountPath: /etc/ssl/notary/ca.crt
|
|
||||||
subPath: ca.crt
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
secret:
|
|
||||||
secretName: "{{ template "harbor.notary-server" . }}"
|
|
||||||
- name: token-service-certificate
|
|
||||||
secret:
|
|
||||||
{{- if .Values.core.secretName }}
|
|
||||||
secretName: {{ .Values.core.secretName }}
|
|
||||||
{{- else }}
|
|
||||||
secretName: {{ template "harbor.core" . }}
|
|
||||||
{{- end }}
|
|
||||||
- name: signer-certificate
|
|
||||||
secret:
|
|
||||||
{{- if .Values.notary.secretName }}
|
|
||||||
secretName: {{ .Values.notary.secretName }}
|
|
||||||
{{- else }}
|
|
||||||
secretName: {{ template "harbor.notary-server" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.notary.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.notary.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.notary.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{ end }}
|
|
@ -1,80 +0,0 @@
|
|||||||
{{ if .Values.notary.enabled }}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.notary-signer" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: notary-signer
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.notary.signer.replicas }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: notary-signer
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: notary-signer
|
|
||||||
annotations:
|
|
||||||
checksum/secret: {{ print "notary-secret.yaml" . | sha256sum }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- if .Values.notary.signer.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.notary.signer.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: notary-signer
|
|
||||||
image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
{{- if .Values.notary.signer.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.notary.signer.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
- name: MIGRATIONS_PATH
|
|
||||||
value: migrations/signer/postgresql
|
|
||||||
- name: DB_URL
|
|
||||||
value: {{ template "harbor.database.notarySigner" . }}
|
|
||||||
- name: NOTARY_SIGNER_DEFAULTALIAS
|
|
||||||
value: defaultalias
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/notary/signer-config.postgres.json
|
|
||||||
subPath: signer.json
|
|
||||||
- name: signer-certificate
|
|
||||||
mountPath: /etc/ssl/notary/tls.crt
|
|
||||||
subPath: tls.crt
|
|
||||||
- name: signer-certificate
|
|
||||||
mountPath: /etc/ssl/notary/tls.key
|
|
||||||
subPath: tls.key
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
secret:
|
|
||||||
secretName: "{{ template "harbor.notary-server" . }}"
|
|
||||||
- name: signer-certificate
|
|
||||||
secret:
|
|
||||||
{{- if .Values.notary.secretName }}
|
|
||||||
secretName: {{ .Values.notary.secretName }}
|
|
||||||
{{- else }}
|
|
||||||
secretName: {{ template "harbor.notary-server" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.notary.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.notary.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.notary.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{ end }}
|
|
@ -1,31 +0,0 @@
|
|||||||
{{ if .Values.notary.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.notary-server" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
{{- if (eq .Values.expose.ingress.controller "gce") }}
|
|
||||||
type: NodePort
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- port: 4443
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: notary-server
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.notary-signer" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: 7899
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: notary-signer
|
|
||||||
{{ end }}
|
|
@ -1,13 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.portal" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: {{ template "harbor.portal.servicePort" . }}
|
|
||||||
targetPort: {{ template "harbor.portal.containerPort" . }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: portal
|
|
@ -1,99 +0,0 @@
|
|||||||
{{- if eq .Values.redis.type "internal" -}}
|
|
||||||
{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: StatefulSet
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.redis" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: redis
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
serviceName: {{ template "harbor.redis" . }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: redis
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: redis
|
|
||||||
{{- if .Values.redis.podAnnotations }}
|
|
||||||
annotations:
|
|
||||||
{{ toYaml .Values.redis.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 999
|
|
||||||
{{- if .Values.redis.internal.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.redis.internal.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: redis
|
|
||||||
image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: 6379
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: 6379
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 10
|
|
||||||
{{- if .Values.redis.internal.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.redis.internal.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: data
|
|
||||||
mountPath: /var/lib/redis
|
|
||||||
subPath: {{ $redis.subPath }}
|
|
||||||
{{- if not .Values.persistence.enabled }}
|
|
||||||
volumes:
|
|
||||||
- name: data
|
|
||||||
emptyDir: {}
|
|
||||||
{{- else if $redis.existingClaim }}
|
|
||||||
volumes:
|
|
||||||
- name: data
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: {{ $redis.existingClaim }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.redis.internal.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.redis.internal.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.redis.internal.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (not $redis.existingClaim) }}
|
|
||||||
volumeClaimTemplates:
|
|
||||||
- metadata:
|
|
||||||
name: data
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
spec:
|
|
||||||
accessModes: [{{ $redis.accessMode | quote }}]
|
|
||||||
{{- if $redis.storageClass }}
|
|
||||||
{{- if (eq "-" $redis.storageClass) }}
|
|
||||||
storageClassName: ""
|
|
||||||
{{- else }}
|
|
||||||
storageClassName: "{{ $redis.storageClass }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: {{ $redis.size | quote }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
@ -1,14 +0,0 @@
|
|||||||
{{- if eq .Values.redis.type "internal" -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.redis" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: 6379
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: redis
|
|
||||||
{{- end -}}
|
|
@ -1,224 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.registry" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
data:
|
|
||||||
config.yml: |+
|
|
||||||
version: 0.1
|
|
||||||
log:
|
|
||||||
{{- if eq .Values.logLevel "warning" }}
|
|
||||||
level: warn
|
|
||||||
{{- else if eq .Values.logLevel "fatal" }}
|
|
||||||
level: error
|
|
||||||
{{- else }}
|
|
||||||
level: {{ .Values.logLevel }}
|
|
||||||
{{- end }}
|
|
||||||
fields:
|
|
||||||
service: registry
|
|
||||||
storage:
|
|
||||||
{{- $storage := .Values.persistence.imageChartStorage }}
|
|
||||||
{{- $type := $storage.type }}
|
|
||||||
{{- if eq $type "filesystem" }}
|
|
||||||
filesystem:
|
|
||||||
rootdirectory: {{ $storage.filesystem.rootdirectory }}
|
|
||||||
{{- if $storage.filesystem.maxthreads }}
|
|
||||||
maxthreads: {{ $storage.filesystem.maxthreads }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $type "azure" }}
|
|
||||||
azure:
|
|
||||||
accountname: {{ $storage.azure.accountname }}
|
|
||||||
container: {{ $storage.azure.container }}
|
|
||||||
{{- if $storage.azure.realm }}
|
|
||||||
realm: {{ $storage.azure.realm }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $type "gcs" }}
|
|
||||||
gcs:
|
|
||||||
bucket: {{ $storage.gcs.bucket }}
|
|
||||||
keyfile: /etc/registry/gcs-key.json
|
|
||||||
{{- if $storage.gcs.rootdirectory }}
|
|
||||||
rootdirectory: {{ $storage.gcs.rootdirectory }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.gcs.chunksize }}
|
|
||||||
chunksize: {{ $storage.gcs.chunksize }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $type "s3" }}
|
|
||||||
s3:
|
|
||||||
region: {{ $storage.s3.region }}
|
|
||||||
bucket: {{ $storage.s3.bucket }}
|
|
||||||
{{- if $storage.s3.regionendpoint }}
|
|
||||||
regionendpoint: {{ $storage.s3.regionendpoint }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.encrypt }}
|
|
||||||
encrypt: {{ $storage.s3.encrypt }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.keyid }}
|
|
||||||
keyid: {{ $storage.s3.keyid }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.secure }}
|
|
||||||
secure: {{ $storage.s3.secure }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if and $storage.s3.secure $storage.s3.skipverify }}
|
|
||||||
skipverify: {{ $storage.s3.skipverify }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.v4auth }}
|
|
||||||
v4auth: {{ $storage.s3.v4auth }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.chunksize }}
|
|
||||||
chunksize: {{ $storage.s3.chunksize }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.rootdirectory }}
|
|
||||||
rootdirectory: {{ $storage.s3.rootdirectory }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.storageclass }}
|
|
||||||
storageclass: {{ $storage.s3.storageclass }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.multipartcopychunksize }}
|
|
||||||
multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.multipartcopymaxconcurrency }}
|
|
||||||
multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.multipartcopythresholdsize }}
|
|
||||||
multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $type "swift" }}
|
|
||||||
swift:
|
|
||||||
authurl: {{ $storage.swift.authurl }}
|
|
||||||
username: {{ $storage.swift.username }}
|
|
||||||
container: {{ $storage.swift.container }}
|
|
||||||
{{- if $storage.swift.region }}
|
|
||||||
region: {{ $storage.swift.region }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.tenant }}
|
|
||||||
tenant: {{ $storage.swift.tenant }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.tenantid }}
|
|
||||||
tenantid: {{ $storage.swift.tenantid }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.domain }}
|
|
||||||
domain: {{ $storage.swift.domain }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.domainid }}
|
|
||||||
domainid: {{ $storage.swift.domainid }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.trustid }}
|
|
||||||
trustid: {{ $storage.swift.trustid }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.insecureskipverify }}
|
|
||||||
insecureskipverify: {{ $storage.swift.insecureskipverify }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.chunksize }}
|
|
||||||
chunksize: {{ $storage.swift.chunksize }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.prefix }}
|
|
||||||
prefix: {{ $storage.swift.prefix }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.authversion }}
|
|
||||||
authversion: {{ $storage.swift.authversion }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.endpointtype }}
|
|
||||||
endpointtype: {{ $storage.swift.endpointtype }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.tempurlcontainerkey }}
|
|
||||||
tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.tempurlmethods }}
|
|
||||||
tempurlmethods: {{ $storage.swift.tempurlmethods }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $type "oss" }}
|
|
||||||
oss:
|
|
||||||
accesskeyid: {{ $storage.oss.accesskeyid }}
|
|
||||||
region: {{ $storage.oss.region }}
|
|
||||||
bucket: {{ $storage.oss.bucket }}
|
|
||||||
{{- if $storage.oss.endpoint }}
|
|
||||||
endpoint: {{ $storage.oss.endpoint }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.oss.internal }}
|
|
||||||
internal: {{ $storage.oss.internal }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.oss.encrypt }}
|
|
||||||
encrypt: {{ $storage.oss.encrypt }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.oss.secure }}
|
|
||||||
secure: {{ $storage.oss.secure }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.oss.chunksize }}
|
|
||||||
chunksize: {{ $storage.oss.chunksize }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.oss.rootdirectory }}
|
|
||||||
rootdirectory: {{ $storage.oss.rootdirectory }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
cache:
|
|
||||||
layerinfo: redis
|
|
||||||
maintenance:
|
|
||||||
uploadpurging:
|
|
||||||
enabled: false
|
|
||||||
delete:
|
|
||||||
enabled: true
|
|
||||||
redirect:
|
|
||||||
disable: {{ $storage.disableredirect }}
|
|
||||||
redis:
|
|
||||||
addr: {{ template "harbor.redis.addr" . }}
|
|
||||||
{{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }}
|
|
||||||
sentinelMasterSet: {{ template "harbor.redis.masterSet" . }}
|
|
||||||
{{- end }}
|
|
||||||
db: {{ template "harbor.redis.dbForRegistry" . }}
|
|
||||||
password: {{ template "harbor.redis.password" . }}
|
|
||||||
readtimeout: 10s
|
|
||||||
writetimeout: 10s
|
|
||||||
dialtimeout: 10s
|
|
||||||
http:
|
|
||||||
addr: :{{ template "harbor.registry.containerPort" . }}
|
|
||||||
relativeurls: {{ .Values.registry.relativeurls }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
tls:
|
|
||||||
certificate: /etc/harbor/ssl/registry/tls.crt
|
|
||||||
key: /etc/harbor/ssl/registry/tls.key
|
|
||||||
minimumtls: tls1.2
|
|
||||||
{{- end }}
|
|
||||||
# set via environment variable
|
|
||||||
# secret: placeholder
|
|
||||||
debug:
|
|
||||||
addr: localhost:5001
|
|
||||||
auth:
|
|
||||||
htpasswd:
|
|
||||||
realm: harbor-registry-basic-realm
|
|
||||||
path: /etc/registry/passwd
|
|
||||||
validation:
|
|
||||||
disabled: true
|
|
||||||
compatibility:
|
|
||||||
schema1:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
{{- if .Values.registry.middleware.enabled }}
|
|
||||||
{{- $middleware := .Values.registry.middleware }}
|
|
||||||
{{- $middlewareType := $middleware.type }}
|
|
||||||
{{- if eq $middlewareType "cloudFront" }}
|
|
||||||
middleware:
|
|
||||||
storage:
|
|
||||||
- name: cloudfront
|
|
||||||
options:
|
|
||||||
baseurl: {{ $middleware.cloudFront.baseurl }}
|
|
||||||
privatekey: /etc/registry/pk.pem
|
|
||||||
keypairid: {{ $middleware.cloudFront.keypairid }}
|
|
||||||
duration: {{ $middleware.cloudFront.duration }}
|
|
||||||
ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
ctl-config.yml: |+
|
|
||||||
---
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
protocol: "https"
|
|
||||||
port: 8443
|
|
||||||
https_config:
|
|
||||||
cert: "/etc/harbor/ssl/registry/tls.crt"
|
|
||||||
key: "/etc/harbor/ssl/registry/tls.key"
|
|
||||||
{{- else }}
|
|
||||||
protocol: "http"
|
|
||||||
port: 8080
|
|
||||||
{{- end }}
|
|
||||||
log_level: {{ .Values.logLevel }}
|
|
||||||
registry_config: "/etc/registry/config.yml"
|
|
@ -1,272 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.registry" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: registry
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.registry.replicas }}
|
|
||||||
strategy:
|
|
||||||
type: {{ .Values.updateStrategy.type }}
|
|
||||||
{{- if eq .Values.updateStrategy.type "Recreate" }}
|
|
||||||
rollingUpdate: null
|
|
||||||
{{- end }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: registry
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: registry
|
|
||||||
annotations:
|
|
||||||
checksum/configmap: {{ print "registry-cm.yaml" . | sha256sum }}
|
|
||||||
checksum/secret: {{ print "registry-secret.yaml" . | sha256sum }}
|
|
||||||
checksum/secret-jobservice: {{ print "jobservice-secrets.yaml" . | sha256sum }}
|
|
||||||
checksum/secret-core: {{ print "core-secret.yaml" . | sha256sum }}
|
|
||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }}
|
|
||||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
|
||||||
checksum/tls: {{ print "registry-tls.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.registry.podAnnotations }}
|
|
||||||
{{ toYaml .Values.registry.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
{{- if .Values.registry.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.registry.serviceAccountName }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: registry
|
|
||||||
image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.registry.containerPort" . }}
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.registry.containerPort" . }}
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 10
|
|
||||||
{{- if .Values.registry.registry.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.registry.registry.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
args: ["serve", "/etc/registry/config.yml"]
|
|
||||||
envFrom:
|
|
||||||
- secretRef:
|
|
||||||
name: "{{ template "harbor.registry" . }}"
|
|
||||||
env:
|
|
||||||
{{- if has "registry" .Values.proxy.components }}
|
|
||||||
- name: HTTP_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpProxy }}"
|
|
||||||
- name: HTTPS_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpsProxy }}"
|
|
||||||
- name: NO_PROXY
|
|
||||||
value: "{{ template "harbor.noProxy" . }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: INTERNAL_TLS_ENABLED
|
|
||||||
value: "true"
|
|
||||||
- name: INTERNAL_TLS_KEY_PATH
|
|
||||||
value: /etc/harbor/ssl/registry/tls.key
|
|
||||||
- name: INTERNAL_TLS_CERT_PATH
|
|
||||||
value: /etc/harbor/ssl/registry/tls.crt
|
|
||||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
|
||||||
value: /etc/harbor/ssl/registry/ca.crt
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: {{ template "harbor.registry.containerPort" . }}
|
|
||||||
- containerPort: 5001
|
|
||||||
volumeMounts:
|
|
||||||
- name: registry-data
|
|
||||||
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
|
|
||||||
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
|
|
||||||
- name: registry-root-certificate
|
|
||||||
mountPath: /etc/registry/root.crt
|
|
||||||
subPath: tls.crt
|
|
||||||
- name: registry-htpasswd
|
|
||||||
mountPath: /etc/registry/passwd
|
|
||||||
subPath: passwd
|
|
||||||
- name: registry-config
|
|
||||||
mountPath: /etc/registry/config.yml
|
|
||||||
subPath: config.yml
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: registry-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/registry
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
|
|
||||||
- name: gcs-key
|
|
||||||
mountPath: /etc/registry/gcs-key.json
|
|
||||||
subPath: gcs-key.json
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
|
||||||
- name: storage-service-ca
|
|
||||||
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
|
|
||||||
subPath: ca.crt
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.registry.middleware.enabled }}
|
|
||||||
{{- if eq .Values.registry.middleware.type "cloudFront" }}
|
|
||||||
- name: cloudfront-key
|
|
||||||
mountPath: /etc/registry/pk.pem
|
|
||||||
subPath: pk.pem
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
- name: registryctl
|
|
||||||
image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /api/health
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.registryctl.containerPort" . }}
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /api/health
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
port: {{ template "harbor.registryctl.containerPort" . }}
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 10
|
|
||||||
{{- if .Values.registry.controller.resources }}
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.registry.controller.resources | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
envFrom:
|
|
||||||
- secretRef:
|
|
||||||
name: "{{ template "harbor.registry" . }}"
|
|
||||||
env:
|
|
||||||
- name: CORE_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.core" . }}
|
|
||||||
key: secret
|
|
||||||
- name: JOBSERVICE_SECRET
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.jobservice" . }}
|
|
||||||
key: JOBSERVICE_SECRET
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: INTERNAL_TLS_ENABLED
|
|
||||||
value: "true"
|
|
||||||
- name: INTERNAL_TLS_KEY_PATH
|
|
||||||
value: /etc/harbor/ssl/registry/tls.key
|
|
||||||
- name: INTERNAL_TLS_CERT_PATH
|
|
||||||
value: /etc/harbor/ssl/registry/tls.crt
|
|
||||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
|
||||||
value: /etc/harbor/ssl/registry/ca.crt
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: {{ template "harbor.registryctl.containerPort" . }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: registry-data
|
|
||||||
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
|
|
||||||
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
|
|
||||||
- name: registry-config
|
|
||||||
mountPath: /etc/registry/config.yml
|
|
||||||
subPath: config.yml
|
|
||||||
- name: registry-config
|
|
||||||
mountPath: /etc/registryctl/config.yml
|
|
||||||
subPath: ctl-config.yml
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: registry-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/registry
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
|
||||||
- name: storage-service-ca
|
|
||||||
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
|
|
||||||
subPath: ca.crt
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
|
|
||||||
- name: gcs-key
|
|
||||||
mountPath: /etc/registry/gcs-key.json
|
|
||||||
subPath: gcs-key.json
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: registry-htpasswd
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.registry" . }}
|
|
||||||
items:
|
|
||||||
- key: REGISTRY_HTPASSWD
|
|
||||||
path: passwd
|
|
||||||
- name: registry-root-certificate
|
|
||||||
secret:
|
|
||||||
{{- if .Values.core.secretName }}
|
|
||||||
secretName: {{ .Values.core.secretName }}
|
|
||||||
{{- else }}
|
|
||||||
secretName: {{ template "harbor.core" . }}
|
|
||||||
{{- end }}
|
|
||||||
- name: registry-config
|
|
||||||
configMap:
|
|
||||||
name: "{{ template "harbor.registry" . }}"
|
|
||||||
- name: registry-data
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }}
|
|
||||||
{{- else }}
|
|
||||||
emptyDir: {}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: registry-internal-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.internalTLS.registry.secretName" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
|
|
||||||
- name: gcs-key
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.registry" . }}
|
|
||||||
items:
|
|
||||||
- key: GCS_KEY_DATA
|
|
||||||
path: gcs-key.json
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
|
||||||
- name: storage-service-ca
|
|
||||||
secret:
|
|
||||||
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.registry.middleware.enabled }}
|
|
||||||
{{- if eq .Values.registry.middleware.type "cloudFront" }}
|
|
||||||
- name: cloudfront-key
|
|
||||||
secret:
|
|
||||||
secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }}
|
|
||||||
items:
|
|
||||||
- key: CLOUDFRONT_KEY_DATA
|
|
||||||
path: pk.pem
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.registry.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.registry.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.registry.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
@ -1,29 +0,0 @@
|
|||||||
{{- if .Values.persistence.enabled }}
|
|
||||||
{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}}
|
|
||||||
{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.registry" . }}
|
|
||||||
{{- if eq .Values.persistence.resourcePolicy "keep" }}
|
|
||||||
annotations:
|
|
||||||
helm.sh/resource-policy: keep
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: registry
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- {{ $registry.accessMode }}
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: {{ $registry.size }}
|
|
||||||
{{- if $registry.storageClass }}
|
|
||||||
{{- if eq "-" $registry.storageClass }}
|
|
||||||
storageClassName: ""
|
|
||||||
{{- else }}
|
|
||||||
storageClassName: {{ $registry.storageClass }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,35 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.registry" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }}
|
|
||||||
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
|
|
||||||
REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }}
|
|
||||||
{{- $storage := .Values.persistence.imageChartStorage }}
|
|
||||||
{{- $type := $storage.type }}
|
|
||||||
{{- if eq $type "azure" }}
|
|
||||||
REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
|
|
||||||
{{- else if eq $type "gcs" }}
|
|
||||||
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
|
|
||||||
{{- else if eq $type "s3" }}
|
|
||||||
{{- if $storage.s3.accesskey }}
|
|
||||||
REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.s3.secretkey }}
|
|
||||||
REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $type "swift" }}
|
|
||||||
REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
|
|
||||||
{{- if $storage.swift.secretkey }}
|
|
||||||
REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $storage.swift.accesskey }}
|
|
||||||
REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq $type "oss" }}
|
|
||||||
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.registry" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- name: registry
|
|
||||||
port: {{ template "harbor.registry.servicePort" . }}
|
|
||||||
- name: controller
|
|
||||||
port: {{ template "harbor.registryctl.servicePort" . }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: registry
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
|
||||||
tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }}
|
|
||||||
tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,43 +0,0 @@
|
|||||||
{{/*
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
*/}}
|
|
||||||
{{/*
|
|
||||||
Test that the API is up and the health endpoint returns a 2XX code */}}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: "{{.Release.Name}}-test"
|
|
||||||
annotations:
|
|
||||||
"helm.sh/hook": "test-success"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: core
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 10000
|
|
||||||
restartPolicy: Never
|
|
||||||
containers:
|
|
||||||
- name: harbor-helm-tests
|
|
||||||
env:
|
|
||||||
- name: 'CORE_URL'
|
|
||||||
value: {{ template "harbor.coreURL" . }}
|
|
||||||
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
command: ["/bin/bash", "-c", "curl -v -k -X GET --fail ${CORE_URL}/api/v2.0/health"]
|
|
||||||
{{- with .Values.core.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
...
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if and .Values.internalTLS.enabled }}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
|
||||||
tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }}
|
|
||||||
tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,12 +0,0 @@
|
|||||||
{{- if .Values.trivy.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.trivy" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }}
|
|
||||||
gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
@ -1,194 +0,0 @@
|
|||||||
{{- if .Values.trivy.enabled }}
|
|
||||||
{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }}
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: StatefulSet
|
|
||||||
metadata:
|
|
||||||
name: {{ template "harbor.trivy" . }}
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
component: trivy
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.trivy.replicas }}
|
|
||||||
serviceName: {{ template "harbor.trivy" . }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
|
||||||
component: trivy
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
component: trivy
|
|
||||||
annotations:
|
|
||||||
checksum/secret: {{ print "trivy-secret.yaml" . | sha256sum }}
|
|
||||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
|
||||||
checksum/tls: {{ print "auto-tls.yaml" . | sha256sum }}
|
|
||||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
|
||||||
checksum/tls: {{ print "trivy-tls.yaml" . | sha256sum }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.trivy.podAnnotations }}
|
|
||||||
{{ toYaml .Values.trivy.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.trivy.serviceAccountName }}
|
|
||||||
serviceAccountName: {{ .Values.trivy.serviceAccountName }}
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 10000
|
|
||||||
fsGroup: 10000
|
|
||||||
automountServiceAccountToken: false
|
|
||||||
containers:
|
|
||||||
- name: trivy
|
|
||||||
image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
||||||
securityContext:
|
|
||||||
privileged: false
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
env:
|
|
||||||
{{- if has "trivy" .Values.proxy.components }}
|
|
||||||
- name: HTTP_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpProxy }}"
|
|
||||||
- name: HTTPS_PROXY
|
|
||||||
value: "{{ .Values.proxy.httpsProxy }}"
|
|
||||||
- name: NO_PROXY
|
|
||||||
value: "{{ template "harbor.noProxy" . }}"
|
|
||||||
{{- end }}
|
|
||||||
- name: "SCANNER_LOG_LEVEL"
|
|
||||||
value: {{ .Values.logLevel | quote }}
|
|
||||||
- name: "SCANNER_TRIVY_CACHE_DIR"
|
|
||||||
value: "/home/scanner/.cache/trivy"
|
|
||||||
- name: "SCANNER_TRIVY_REPORTS_DIR"
|
|
||||||
value: "/home/scanner/.cache/reports"
|
|
||||||
- name: "SCANNER_TRIVY_DEBUG_MODE"
|
|
||||||
value: {{ .Values.trivy.debugMode | quote }}
|
|
||||||
- name: "SCANNER_TRIVY_VULN_TYPE"
|
|
||||||
value: {{ .Values.trivy.vulnType | quote }}
|
|
||||||
- name: "SCANNER_TRIVY_GITHUB_TOKEN"
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.trivy" . }}
|
|
||||||
key: gitHubToken
|
|
||||||
- name: "SCANNER_TRIVY_SEVERITY"
|
|
||||||
value: {{ .Values.trivy.severity | quote }}
|
|
||||||
- name: "SCANNER_TRIVY_IGNORE_UNFIXED"
|
|
||||||
value: {{ .Values.trivy.ignoreUnfixed | default false | quote }}
|
|
||||||
- name: "SCANNER_TRIVY_SKIP_UPDATE"
|
|
||||||
value: {{ .Values.trivy.skipUpdate | default false | quote }}
|
|
||||||
- name: "SCANNER_TRIVY_INSECURE"
|
|
||||||
value: {{ .Values.trivy.insecure | default false | quote }}
|
|
||||||
- name: SCANNER_API_SERVER_ADDR
|
|
||||||
value: ":{{ template "harbor.trivy.containerPort" . }}"
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: INTERNAL_TLS_ENABLED
|
|
||||||
value: "true"
|
|
||||||
- name: SCANNER_API_SERVER_TLS_KEY
|
|
||||||
value: /etc/harbor/ssl/trivy/tls.key
|
|
||||||
- name: SCANNER_API_SERVER_TLS_CERTIFICATE
|
|
||||||
value: /etc/harbor/ssl/trivy/tls.crt
|
|
||||||
{{- end }}
|
|
||||||
- name: "SCANNER_REDIS_URL"
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.trivy" . }}
|
|
||||||
key: redisURL
|
|
||||||
- name: "SCANNER_STORE_REDIS_URL"
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.trivy" . }}
|
|
||||||
key: redisURL
|
|
||||||
- name: "SCANNER_JOB_QUEUE_REDIS_URL"
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ template "harbor.trivy" . }}
|
|
||||||
key: redisURL
|
|
||||||
ports:
|
|
||||||
- name: api-server
|
|
||||||
containerPort: {{ template "harbor.trivy.containerPort" . }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: data
|
|
||||||
mountPath: /home/scanner/.cache
|
|
||||||
subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }}
|
|
||||||
readOnly: false
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: trivy-internal-certs
|
|
||||||
mountPath: /etc/harbor/ssl/trivy
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolumeMount" . | indent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
path: /probe/healthy
|
|
||||||
port: api-server
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 10
|
|
||||||
successThreshold: 1
|
|
||||||
failureThreshold: 10
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
|
||||||
path: /probe/ready
|
|
||||||
port: api-server
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 10
|
|
||||||
successThreshold: 1
|
|
||||||
failureThreshold: 3
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.trivy.resources | indent 12 }}
|
|
||||||
{{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}
|
|
||||||
volumes:
|
|
||||||
{{- if .Values.internalTLS.enabled }}
|
|
||||||
- name: trivy-internal-certs
|
|
||||||
secret:
|
|
||||||
secretName: {{ template "harbor.internalTLS.trivy.secretName" . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.caBundleSecretName }}
|
|
||||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if not .Values.persistence.enabled }}
|
|
||||||
- name: "data"
|
|
||||||
emptyDir: {}
|
|
||||||
{{- else if $trivy.existingClaim }}
|
|
||||||
- name: "data"
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: {{ $trivy.existingClaim }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.trivy.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.trivy.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.trivy.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }}
|
|
||||||
volumeClaimTemplates:
|
|
||||||
- metadata:
|
|
||||||
name: data
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 8 }}
|
|
||||||
spec:
|
|
||||||
accessModes: [{{ $trivy.accessMode | quote }}]
|
|
||||||
{{- if $trivy.storageClass }}
|
|
||||||
{{- if (eq "-" $trivy.storageClass) }}
|
|
||||||
storageClassName: ""
|
|
||||||
{{- else }}
|
|
||||||
storageClassName: "{{ $trivy.storageClass }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: {{ $trivy.size | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,16 +0,0 @@
|
|||||||
{{ if .Values.trivy.enabled }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.trivy" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- name: api-server
|
|
||||||
protocol: TCP
|
|
||||||
port: {{ template "harbor.trivy.servicePort" . }}
|
|
||||||
selector:
|
|
||||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
|
||||||
component: trivy
|
|
||||||
{{ end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }}
|
|
||||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
|
|
||||||
labels:
|
|
||||||
{{ include "harbor.labels" . | indent 4 }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
|
||||||
tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }}
|
|
||||||
tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,743 +0,0 @@
|
|||||||
expose:
|
|
||||||
# Set the way how to expose the service. Set the type as "ingress",
|
|
||||||
# "clusterIP", "nodePort" or "loadBalancer" and fill the information
|
|
||||||
# in the corresponding section
|
|
||||||
type: ingress
|
|
||||||
tls:
|
|
||||||
# Enable the tls or not. Note: if the type is "ingress" and the tls
|
|
||||||
# is disabled, the port must be included in the command when pull/push
|
|
||||||
# images. Refer to https://github.com/goharbor/harbor/issues/5291
|
|
||||||
# for the detail.
|
|
||||||
enabled: true
|
|
||||||
# The source of the tls certificate. Set it as "auto", "secret"
|
|
||||||
# or "none" and fill the information in the corresponding section
|
|
||||||
# 1) auto: generate the tls certificate automatically
|
|
||||||
# 2) secret: read the tls certificate from the specified secret.
|
|
||||||
# The tls certificate can be generated manually or by cert manager
|
|
||||||
# 3) none: configure no tls certificate for the ingress. If the default
|
|
||||||
# tls certificate is configured in the ingress controller, choose this option
|
|
||||||
certSource: auto
|
|
||||||
auto:
|
|
||||||
# The common name used to generate the certificate, it's necessary
|
|
||||||
# when the type isn't "ingress"
|
|
||||||
commonName: ""
|
|
||||||
secret:
|
|
||||||
# The name of secret which contains keys named:
|
|
||||||
# "tls.crt" - the certificate
|
|
||||||
# "tls.key" - the private key
|
|
||||||
secretName: ""
|
|
||||||
# The name of secret which contains keys named:
|
|
||||||
# "tls.crt" - the certificate
|
|
||||||
# "tls.key" - the private key
|
|
||||||
# Only needed when the "expose.type" is "ingress".
|
|
||||||
notarySecretName: ""
|
|
||||||
ingress:
|
|
||||||
hosts:
|
|
||||||
core: core.harbor.domain
|
|
||||||
notary: notary.harbor.domain
|
|
||||||
# set to the type of ingress controller if it has specific requirements.
|
|
||||||
# leave as `default` for most ingress controllers.
|
|
||||||
# set to `gce` if using the GCE ingress controller
|
|
||||||
# set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
|
|
||||||
controller: default
|
|
||||||
annotations:
|
|
||||||
ingress.kubernetes.io/ssl-redirect: "true"
|
|
||||||
ingress.kubernetes.io/proxy-body-size: "0"
|
|
||||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
||||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
|
||||||
clusterIP:
|
|
||||||
# The name of ClusterIP service
|
|
||||||
name: harbor
|
|
||||||
ports:
|
|
||||||
# The service port Harbor listens on when serving with HTTP
|
|
||||||
httpPort: 80
|
|
||||||
# The service port Harbor listens on when serving with HTTPS
|
|
||||||
httpsPort: 443
|
|
||||||
# The service port Notary listens on. Only needed when notary.enabled
|
|
||||||
# is set to true
|
|
||||||
notaryPort: 4443
|
|
||||||
nodePort:
|
|
||||||
# The name of NodePort service
|
|
||||||
name: harbor
|
|
||||||
ports:
|
|
||||||
http:
|
|
||||||
# The service port Harbor listens on when serving with HTTP
|
|
||||||
port: 80
|
|
||||||
# The node port Harbor listens on when serving with HTTP
|
|
||||||
nodePort: 30002
|
|
||||||
https:
|
|
||||||
# The service port Harbor listens on when serving with HTTPS
|
|
||||||
port: 443
|
|
||||||
# The node port Harbor listens on when serving with HTTPS
|
|
||||||
nodePort: 30003
|
|
||||||
# Only needed when notary.enabled is set to true
|
|
||||||
notary:
|
|
||||||
# The service port Notary listens on
|
|
||||||
port: 4443
|
|
||||||
# The node port Notary listens on
|
|
||||||
nodePort: 30004
|
|
||||||
loadBalancer:
|
|
||||||
# The name of LoadBalancer service
|
|
||||||
name: harbor
|
|
||||||
# Set the IP if the LoadBalancer supports assigning IP
|
|
||||||
IP: ""
|
|
||||||
ports:
|
|
||||||
# The service port Harbor listens on when serving with HTTP
|
|
||||||
httpPort: 80
|
|
||||||
# The service port Harbor listens on when serving with HTTPS
|
|
||||||
httpsPort: 443
|
|
||||||
# The service port Notary listens on. Only needed when notary.enabled
|
|
||||||
# is set to true
|
|
||||||
notaryPort: 4443
|
|
||||||
annotations: {}
|
|
||||||
sourceRanges: []
|
|
||||||
|
|
||||||
# The external URL for Harbor core service. It is used to
|
|
||||||
# 1) populate the docker/helm commands showed on portal
|
|
||||||
# 2) populate the token service URL returned to docker/notary client
|
|
||||||
#
|
|
||||||
# Format: protocol://domain[:port]. Usually:
|
|
||||||
# 1) if "expose.type" is "ingress", the "domain" should be
|
|
||||||
# the value of "expose.ingress.hosts.core"
|
|
||||||
# 2) if "expose.type" is "clusterIP", the "domain" should be
|
|
||||||
# the value of "expose.clusterIP.name"
|
|
||||||
# 3) if "expose.type" is "nodePort", the "domain" should be
|
|
||||||
# the IP address of k8s node
|
|
||||||
#
|
|
||||||
# If Harbor is deployed behind the proxy, set it as the URL of proxy
|
|
||||||
externalURL: https://core.harbor.domain
|
|
||||||
|
|
||||||
# The internal TLS used for harbor components secure communicating. In order to enable https
|
|
||||||
# in each components tls cert files need to provided in advance.
|
|
||||||
internalTLS:
|
|
||||||
# If internal TLS enabled
|
|
||||||
enabled: false
|
|
||||||
# There are three ways to provide tls
|
|
||||||
# 1) "auto" will generate cert automatically
|
|
||||||
# 2) "manual" need provide cert file manually in following value
|
|
||||||
# 3) "secret" internal certificates from secret
|
|
||||||
certSource: "auto"
|
|
||||||
# The content of trust ca, only available when `certSource` is "manual"
|
|
||||||
trustCa: ""
|
|
||||||
# core related cert configuration
|
|
||||||
core:
|
|
||||||
# secret name for core's tls certs
|
|
||||||
secretName: ""
|
|
||||||
# Content of core's TLS cert file, only available when `certSource` is "manual"
|
|
||||||
crt: ""
|
|
||||||
# Content of core's TLS key file, only available when `certSource` is "manual"
|
|
||||||
key: ""
|
|
||||||
# jobservice related cert configuration
|
|
||||||
jobservice:
|
|
||||||
# secret name for jobservice's tls certs
|
|
||||||
secretName: ""
|
|
||||||
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
|
|
||||||
crt: ""
|
|
||||||
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
|
|
||||||
key: ""
|
|
||||||
# registry related cert configuration
|
|
||||||
registry:
|
|
||||||
# secret name for registry's tls certs
|
|
||||||
secretName: ""
|
|
||||||
# Content of registry's TLS key file, only available when `certSource` is "manual"
|
|
||||||
crt: ""
|
|
||||||
# Content of registry's TLS key file, only available when `certSource` is "manual"
|
|
||||||
key: ""
|
|
||||||
# portal related cert configuration
|
|
||||||
portal:
|
|
||||||
# secret name for portal's tls certs
|
|
||||||
secretName: ""
|
|
||||||
# Content of portal's TLS key file, only available when `certSource` is "manual"
|
|
||||||
crt: ""
|
|
||||||
# Content of portal's TLS key file, only available when `certSource` is "manual"
|
|
||||||
key: ""
|
|
||||||
# chartmuseum related cert configuration
|
|
||||||
chartmuseum:
|
|
||||||
# secret name for chartmuseum's tls certs
|
|
||||||
secretName: ""
|
|
||||||
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
|
|
||||||
crt: ""
|
|
||||||
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
|
|
||||||
key: ""
|
|
||||||
# clair related cert configuration
|
|
||||||
clair:
|
|
||||||
# secret name for clair's tls certs
|
|
||||||
secretName: ""
|
|
||||||
# Content of clair's TLS key file, only available when `certSource` is "manual"
|
|
||||||
crt: ""
|
|
||||||
# Content of clair's TLS key file, only available when `certSource` is "manual"
|
|
||||||
key: ""
|
|
||||||
# trivy related cert configuration
|
|
||||||
trivy:
|
|
||||||
# secret name for trivy's tls certs
|
|
||||||
secretName: ""
|
|
||||||
# Content of trivy's TLS key file, only available when `certSource` is "manual"
|
|
||||||
crt: ""
|
|
||||||
# Content of trivy's TLS key file, only available when `certSource` is "manual"
|
|
||||||
key: ""
|
|
||||||
|
|
||||||
# The persistence is enabled by default and a default StorageClass
|
|
||||||
# is needed in the k8s cluster to provision volumes dynamicly.
|
|
||||||
# Specify another StorageClass in the "storageClass" or set "existingClaim"
|
|
||||||
# if you have already existing persistent volumes to use
|
|
||||||
#
|
|
||||||
# For storing images and charts, you can also use "azure", "gcs", "s3",
|
|
||||||
# "swift" or "oss". Set it in the "imageChartStorage" section
|
|
||||||
persistence:
|
|
||||||
enabled: true
|
|
||||||
# Setting it to "keep" to avoid removing PVCs during a helm delete
|
|
||||||
# operation. Leaving it empty will delete PVCs after the chart deleted
|
|
||||||
# (this does not apply for PVCs that are created for internal database
|
|
||||||
# and redis components, i.e. they are never deleted automatically)
|
|
||||||
resourcePolicy: "keep"
|
|
||||||
persistentVolumeClaim:
|
|
||||||
registry:
|
|
||||||
# Use the existing PVC which must be created manually before bound,
|
|
||||||
# and specify the "subPath" if the PVC is shared with other components
|
|
||||||
existingClaim: ""
|
|
||||||
# Specify the "storageClass" used to provision the volume. Or the default
|
|
||||||
# StorageClass will be used(the default).
|
|
||||||
# Set it to "-" to disable dynamic provisioning
|
|
||||||
storageClass: ""
|
|
||||||
subPath: ""
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 5Gi
|
|
||||||
chartmuseum:
|
|
||||||
existingClaim: ""
|
|
||||||
storageClass: ""
|
|
||||||
subPath: ""
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 5Gi
|
|
||||||
jobservice:
|
|
||||||
existingClaim: ""
|
|
||||||
storageClass: ""
|
|
||||||
subPath: ""
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 1Gi
|
|
||||||
# If external database is used, the following settings for database will
|
|
||||||
# be ignored
|
|
||||||
database:
|
|
||||||
existingClaim: ""
|
|
||||||
storageClass: ""
|
|
||||||
subPath: ""
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 1Gi
|
|
||||||
# If external Redis is used, the following settings for Redis will
|
|
||||||
# be ignored
|
|
||||||
redis:
|
|
||||||
existingClaim: ""
|
|
||||||
storageClass: ""
|
|
||||||
subPath: ""
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 1Gi
|
|
||||||
trivy:
|
|
||||||
existingClaim: ""
|
|
||||||
storageClass: ""
|
|
||||||
subPath: ""
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 5Gi
|
|
||||||
# Define which storage backend is used for registry and chartmuseum to store
|
|
||||||
# images and charts. Refer to
|
|
||||||
# https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
|
|
||||||
# for the detail.
|
|
||||||
imageChartStorage:
|
|
||||||
# Specify whether to disable `redirect` for images and chart storage, for
|
|
||||||
# backends which not supported it (such as using minio for `s3` storage type), please disable
|
|
||||||
# it. To disable redirects, simply set `disableredirect` to `true` instead.
|
|
||||||
# Refer to
|
|
||||||
# https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
|
|
||||||
# for the detail.
|
|
||||||
disableredirect: false
|
|
||||||
# Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
|
|
||||||
# The secret must contain keys named "ca.crt" which will be injected into the trust store
|
|
||||||
# of registry's and chartmuseum's containers.
|
|
||||||
# caBundleSecretName:
|
|
||||||
|
|
||||||
# Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
|
|
||||||
# "oss" and fill the information needed in the corresponding section. The type
|
|
||||||
# must be "filesystem" if you want to use persistent volumes for registry
|
|
||||||
# and chartmuseum
|
|
||||||
type: filesystem
|
|
||||||
filesystem:
|
|
||||||
rootdirectory: /storage
|
|
||||||
#maxthreads: 100
|
|
||||||
azure:
|
|
||||||
accountname: accountname
|
|
||||||
accountkey: base64encodedaccountkey
|
|
||||||
container: containername
|
|
||||||
#realm: core.windows.net
|
|
||||||
gcs:
|
|
||||||
bucket: bucketname
|
|
||||||
# The base64 encoded json file which contains the key
|
|
||||||
encodedkey: base64-encoded-json-key-file
|
|
||||||
#rootdirectory: /gcs/object/name/prefix
|
|
||||||
#chunksize: "5242880"
|
|
||||||
s3:
|
|
||||||
region: us-west-1
|
|
||||||
bucket: bucketname
|
|
||||||
#accesskey: awsaccesskey
|
|
||||||
#secretkey: awssecretkey
|
|
||||||
#regionendpoint: http://myobjects.local
|
|
||||||
#encrypt: false
|
|
||||||
#keyid: mykeyid
|
|
||||||
#secure: true
|
|
||||||
#skipverify: false
|
|
||||||
#v4auth: true
|
|
||||||
#chunksize: "5242880"
|
|
||||||
#rootdirectory: /s3/object/name/prefix
|
|
||||||
#storageclass: STANDARD
|
|
||||||
#multipartcopychunksize: "33554432"
|
|
||||||
#multipartcopymaxconcurrency: 100
|
|
||||||
#multipartcopythresholdsize: "33554432"
|
|
||||||
swift:
|
|
||||||
authurl: https://storage.myprovider.com/v3/auth
|
|
||||||
username: username
|
|
||||||
password: password
|
|
||||||
container: containername
|
|
||||||
#region: fr
|
|
||||||
#tenant: tenantname
|
|
||||||
#tenantid: tenantid
|
|
||||||
#domain: domainname
|
|
||||||
#domainid: domainid
|
|
||||||
#trustid: trustid
|
|
||||||
#insecureskipverify: false
|
|
||||||
#chunksize: 5M
|
|
||||||
#prefix:
|
|
||||||
#secretkey: secretkey
|
|
||||||
#accesskey: accesskey
|
|
||||||
#authversion: 3
|
|
||||||
#endpointtype: public
|
|
||||||
#tempurlcontainerkey: false
|
|
||||||
#tempurlmethods:
|
|
||||||
oss:
|
|
||||||
accesskeyid: accesskeyid
|
|
||||||
accesskeysecret: accesskeysecret
|
|
||||||
region: regionname
|
|
||||||
bucket: bucketname
|
|
||||||
#endpoint: endpoint
|
|
||||||
#internal: false
|
|
||||||
#encrypt: false
|
|
||||||
#secure: true
|
|
||||||
#chunksize: 10M
|
|
||||||
#rootdirectory: rootdirectory
|
|
||||||
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
|
|
||||||
# Use this set to assign a list of default pullSecrets
|
|
||||||
imagePullSecrets:
|
|
||||||
# - name: docker-registry-secret
|
|
||||||
# - name: internal-registry-secret
|
|
||||||
|
|
||||||
# The update strategy for deployments with persistent volumes(jobservice, registry
|
|
||||||
# and chartmuseum): "RollingUpdate" or "Recreate"
|
|
||||||
# Set it as "Recreate" when "RWM" for volumes isn't supported
|
|
||||||
updateStrategy:
|
|
||||||
type: RollingUpdate
|
|
||||||
|
|
||||||
# debug, info, warning, error or fatal
|
|
||||||
logLevel: info
|
|
||||||
|
|
||||||
# The initial password of Harbor admin. Change it from portal after launching Harbor
|
|
||||||
harborAdminPassword: "Harbor12345"
|
|
||||||
|
|
||||||
# The name of the secret which contains key named "ca.crt". Setting this enables the
|
|
||||||
# download link on portal to download the certificate of CA when the certificate isn't
|
|
||||||
# generated automatically
|
|
||||||
caSecretName: ""
|
|
||||||
|
|
||||||
# The secret key used for encryption. Must be a string of 16 chars.
|
|
||||||
secretKey: "not-a-secure-key"
|
|
||||||
|
|
||||||
# The proxy settings for updating clair vulnerabilities from the Internet and replicating
|
|
||||||
# artifacts from/to the registries that cannot be reached directly
|
|
||||||
proxy:
|
|
||||||
httpProxy:
|
|
||||||
httpsProxy:
|
|
||||||
noProxy: 127.0.0.1,localhost,.local,.internal
|
|
||||||
components:
|
|
||||||
- core
|
|
||||||
- jobservice
|
|
||||||
- clair
|
|
||||||
- trivy
|
|
||||||
|
|
||||||
# The custom ca bundle secret, the secret must contain key named "ca.crt"
|
|
||||||
# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
|
|
||||||
# caBundleSecretName: ""
|
|
||||||
|
|
||||||
## UAA Authentication Options
|
|
||||||
# If you're using UAA for authentication behind a self-signed
|
|
||||||
# certificate you will need to provide the CA Cert.
|
|
||||||
# Set uaaSecretName below to provide a pre-created secret that
|
|
||||||
# contains a base64 encoded CA Certificate named `ca.crt`.
|
|
||||||
# uaaSecretName:
|
|
||||||
|
|
||||||
# If expose the service via "ingress", the Nginx will not be used
|
|
||||||
nginx:
|
|
||||||
image:
|
|
||||||
repository: goharbor/nginx-photon
|
|
||||||
tag: dev
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
replicas: 1
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
portal:
|
|
||||||
image:
|
|
||||||
repository: goharbor/harbor-portal
|
|
||||||
tag: dev
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
replicas: 1
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
core:
|
|
||||||
image:
|
|
||||||
repository: goharbor/harbor-core
|
|
||||||
tag: dev
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
replicas: 1
|
|
||||||
## Liveness probe values
|
|
||||||
livenessProbe:
|
|
||||||
initialDelaySeconds: 300
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
# Secret is used when core server communicates with other components.
|
|
||||||
# If a secret key is not specified, Helm will generate one.
|
|
||||||
# Must be a string of 16 chars.
|
|
||||||
secret: ""
|
|
||||||
# Fill the name of a kubernetes secret if you want to use your own
|
|
||||||
# TLS certificate and private key for token encryption/decryption.
|
|
||||||
# The secret must contain keys named:
|
|
||||||
# "tls.crt" - the certificate
|
|
||||||
# "tls.key" - the private key
|
|
||||||
# The default key pair will be used if it isn't set
|
|
||||||
secretName: ""
|
|
||||||
# The XSRF key. Will be generated automatically if it isn't specified
|
|
||||||
xsrfKey: ""
|
|
||||||
|
|
||||||
jobservice:
|
|
||||||
image:
|
|
||||||
repository: goharbor/harbor-jobservice
|
|
||||||
tag: dev
|
|
||||||
replicas: 1
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
maxJobWorkers: 10
|
|
||||||
# The logger for jobs: "file", "database" or "stdout"
|
|
||||||
jobLogger: file
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
# Secret is used when job service communicates with other components.
|
|
||||||
# If a secret key is not specified, Helm will generate one.
|
|
||||||
# Must be a string of 16 chars.
|
|
||||||
secret: ""
|
|
||||||
|
|
||||||
registry:
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
registry:
|
|
||||||
image:
|
|
||||||
repository: goharbor/registry-photon
|
|
||||||
tag: dev
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
controller:
|
|
||||||
image:
|
|
||||||
repository: goharbor/harbor-registryctl
|
|
||||||
tag: dev
|
|
||||||
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
replicas: 1
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
# Secret is used to secure the upload state from client
|
|
||||||
# and registry storage backend.
|
|
||||||
# See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
|
|
||||||
# If a secret key is not specified, Helm will generate one.
|
|
||||||
# Must be a string of 16 chars.
|
|
||||||
secret: ""
|
|
||||||
# If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
|
|
||||||
relativeurls: false
|
|
||||||
credentials:
|
|
||||||
username: "harbor_registry_user"
|
|
||||||
password: "harbor_registry_password"
|
|
||||||
# If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
|
|
||||||
# e.g. "htpasswd -nbBC10 $username $password"
|
|
||||||
htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
|
|
||||||
|
|
||||||
middleware:
|
|
||||||
enabled: false
|
|
||||||
type: cloudFront
|
|
||||||
cloudFront:
|
|
||||||
baseurl: example.cloudfront.net
|
|
||||||
keypairid: KEYPAIRID
|
|
||||||
duration: 3000s
|
|
||||||
ipfilteredby: none
|
|
||||||
# The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
|
|
||||||
# that allows access to CloudFront
|
|
||||||
privateKeySecret: "my-secret"
|
|
||||||
|
|
||||||
chartmuseum:
|
|
||||||
enabled: true
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
# Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
|
|
||||||
absoluteUrl: false
|
|
||||||
image:
|
|
||||||
repository: goharbor/chartmuseum-photon
|
|
||||||
tag: dev
|
|
||||||
replicas: 1
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
clair:
|
|
||||||
enabled: true
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
clair:
|
|
||||||
image:
|
|
||||||
repository: goharbor/clair-photon
|
|
||||||
tag: dev
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
adapter:
|
|
||||||
image:
|
|
||||||
repository: goharbor/clair-adapter-photon
|
|
||||||
tag: dev
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
replicas: 1
|
|
||||||
# The interval of clair updaters, the unit is hour, set to 0 to
|
|
||||||
# disable the updaters
|
|
||||||
updatersInterval: 12
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
trivy:
|
|
||||||
# enabled the flag to enable Trivy scanner
|
|
||||||
enabled: true
|
|
||||||
image:
|
|
||||||
# repository the repository for Trivy adapter image
|
|
||||||
repository: goharbor/trivy-adapter-photon
|
|
||||||
# tag the tag for Trivy adapter image
|
|
||||||
tag: dev
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
# replicas the number of Pod replicas
|
|
||||||
replicas: 1
|
|
||||||
# debugMode the flag to enable Trivy debug mode with more verbose scanning log
|
|
||||||
debugMode: false
|
|
||||||
# vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
|
|
||||||
vulnType: "os,library"
|
|
||||||
# severity a comma-separated list of severities to be checked
|
|
||||||
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
|
|
||||||
# ignoreUnfixed the flag to display only fixed vulnerabilities
|
|
||||||
ignoreUnfixed: false
|
|
||||||
# insecure the flag to skip verifying registry certificate
|
|
||||||
insecure: false
|
|
||||||
# gitHubToken the GitHub access token to download Trivy DB
|
|
||||||
#
|
|
||||||
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
|
|
||||||
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
|
|
||||||
# in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
|
|
||||||
# timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
|
|
||||||
# Currently, the database is updated every 12 hours and published as a new release to GitHub.
|
|
||||||
#
|
|
||||||
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
|
|
||||||
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
|
|
||||||
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
|
|
||||||
# https://developer.github.com/v3/#rate-limiting
|
|
||||||
#
|
|
||||||
# You can create a GitHub token by following the instructions in
|
|
||||||
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
|
|
||||||
gitHubToken: ""
|
|
||||||
# skipUpdate the flag to disable Trivy DB downloads from GitHub
|
|
||||||
#
|
|
||||||
# You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
|
|
||||||
# If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
|
|
||||||
# `/home/scanner/.cache/trivy/db/trivy.db` path.
|
|
||||||
skipUpdate: false
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: 200m
|
|
||||||
memory: 512Mi
|
|
||||||
limits:
|
|
||||||
cpu: 1
|
|
||||||
memory: 1Gi
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
notary:
|
|
||||||
enabled: true
|
|
||||||
server:
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
image:
|
|
||||||
repository: goharbor/notary-server-photon
|
|
||||||
tag: dev
|
|
||||||
replicas: 1
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
signer:
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
image:
|
|
||||||
repository: goharbor/notary-signer-photon
|
|
||||||
tag: dev
|
|
||||||
replicas: 1
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
# Fill the name of a kubernetes secret if you want to use your own
|
|
||||||
# TLS certificate authority, certificate and private key for notary
|
|
||||||
# communications.
|
|
||||||
# The secret must contain keys named ca.crt, tls.crt and tls.key that
|
|
||||||
# contain the CA, certificate and private key.
|
|
||||||
# They will be generated if not set.
|
|
||||||
secretName: ""
|
|
||||||
|
|
||||||
database:
|
|
||||||
# if external database is used, set "type" to "external"
|
|
||||||
# and fill the connection informations in "external" section
|
|
||||||
type: internal
|
|
||||||
internal:
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
image:
|
|
||||||
repository: goharbor/harbor-db
|
|
||||||
tag: dev
|
|
||||||
# The initial superuser password for internal database
|
|
||||||
password: "changeit"
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
external:
|
|
||||||
host: "192.168.0.1"
|
|
||||||
port: "5432"
|
|
||||||
username: "user"
|
|
||||||
password: "password"
|
|
||||||
coreDatabase: "registry"
|
|
||||||
clairDatabase: "clair"
|
|
||||||
notaryServerDatabase: "notary_server"
|
|
||||||
notarySignerDatabase: "notary_signer"
|
|
||||||
# "disable" - No SSL
|
|
||||||
# "require" - Always SSL (skip verification)
|
|
||||||
# "verify-ca" - Always SSL (verify that the certificate presented by the
|
|
||||||
# server was signed by a trusted CA)
|
|
||||||
# "verify-full" - Always SSL (verify that the certification presented by the
|
|
||||||
# server was signed by a trusted CA and the server host name matches the one
|
|
||||||
# in the certificate)
|
|
||||||
sslmode: "disable"
|
|
||||||
# The maximum number of connections in the idle connection pool.
|
|
||||||
# If it <=0, no idle connections are retained.
|
|
||||||
maxIdleConns: 50
|
|
||||||
# The maximum number of open connections to the database.
|
|
||||||
# If it <= 0, then there is no limit on the number of open connections.
|
|
||||||
# Note: the default number of connections is 1024 for postgre of harbor.
|
|
||||||
maxOpenConns: 1000
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
redis:
|
|
||||||
# if external Redis is used, set "type" to "external"
|
|
||||||
# and fill the connection informations in "external" section
|
|
||||||
type: internal
|
|
||||||
internal:
|
|
||||||
# set the service account to be used, default if left empty
|
|
||||||
serviceAccountName: ""
|
|
||||||
image:
|
|
||||||
repository: goharbor/redis-photon
|
|
||||||
tag: dev
|
|
||||||
# resources:
|
|
||||||
# requests:
|
|
||||||
# memory: 256Mi
|
|
||||||
# cpu: 100m
|
|
||||||
nodeSelector: {}
|
|
||||||
tolerations: []
|
|
||||||
affinity: {}
|
|
||||||
external:
|
|
||||||
# support redis, redis+sentinel
|
|
||||||
# addr for redis: <host_redis>:<port_redis>
|
|
||||||
# addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
|
|
||||||
addr: "192.168.0.2:6379"
|
|
||||||
# The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
|
|
||||||
sentinelMasterSet: ""
|
|
||||||
# The "coreDatabaseIndex" must be "0" as the library Harbor
|
|
||||||
# used doesn't support configuring it
|
|
||||||
coreDatabaseIndex: "0"
|
|
||||||
jobserviceDatabaseIndex: "1"
|
|
||||||
registryDatabaseIndex: "2"
|
|
||||||
chartmuseumDatabaseIndex: "3"
|
|
||||||
clairAdapterIndex: "4"
|
|
||||||
trivyAdapterIndex: "5"
|
|
||||||
password: ""
|
|
||||||
## Additional deployment annotations
|
|
||||||
podAnnotations: {}
|
|
17
charts/harbor/values_overrides/default.yaml
Normal file
17
charts/harbor/values_overrides/default.yaml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
harborAdminPassword: Harbor12345
|
||||||
|
secretKey: not-a-secure-key
|
||||||
|
externalURL: https://harbor-core.jarvis.local
|
||||||
|
expose:
|
||||||
|
ingress:
|
||||||
|
hosts:
|
||||||
|
core: harbor-core.jarvis.local
|
||||||
|
notary: harbor-notary.jarvis.local
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: jarvis-ca-issuer
|
||||||
|
tls:
|
||||||
|
certSource: secret
|
||||||
|
secret:
|
||||||
|
secretName: harbor-core-tls
|
||||||
|
notarySecretName: harbor-notary-tls
|
||||||
|
internalTLS:
|
||||||
|
enabled: true
|
@ -1,15 +0,0 @@
|
|||||||
persistence:
|
|
||||||
persistentVolumeClaim:
|
|
||||||
registry:
|
|
||||||
storageClass: nfs-provisioner
|
|
||||||
chartmuseum:
|
|
||||||
storageClass: nfs-provisioner
|
|
||||||
jobservice:
|
|
||||||
storageClass: nfs-provisioner
|
|
||||||
database:
|
|
||||||
storageClass: nfs-provisioner
|
|
||||||
size: 2Gi
|
|
||||||
redis:
|
|
||||||
storageClass: nfs-provisioner
|
|
||||||
trivy:
|
|
||||||
storageClass: nfs-provisioner
|
|
@ -1,5 +0,0 @@
|
|||||||
expose:
|
|
||||||
tls:
|
|
||||||
enabled: false
|
|
||||||
internalTLS:
|
|
||||||
enabled: false
|
|
35
charts/loki/values_overrides/default.yaml
Normal file
35
charts/loki/values_overrides/default.yaml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
loki:
|
||||||
|
enabled: true
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
hosts:
|
||||||
|
- host: loki.jarvis.local
|
||||||
|
paths: ["/"]
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: jarvis-ca-issuer
|
||||||
|
tls:
|
||||||
|
- secretName: lokistack-loki-tls
|
||||||
|
hosts:
|
||||||
|
- loki.jarvis.local
|
||||||
|
|
||||||
|
promtail:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
grafana:
|
||||||
|
adminPassword: password
|
||||||
|
enabled: true
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
path: /
|
||||||
|
hosts:
|
||||||
|
- grafana.jarvis.local
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: jarvis-ca-issuer
|
||||||
|
tls:
|
||||||
|
- secretName: lokistack-grafana-tls
|
||||||
|
hosts:
|
||||||
|
- grafana.jarvis.local
|
@ -1,19 +0,0 @@
|
|||||||
loki:
|
|
||||||
enabled: true
|
|
||||||
ingress:
|
|
||||||
enabled: true
|
|
||||||
hosts:
|
|
||||||
- host: loki.jarvis.local
|
|
||||||
paths: ["/"]
|
|
||||||
public: true
|
|
||||||
annotations:
|
|
||||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
|
||||||
more_set_headers "X-Frame-Options: deny";
|
|
||||||
more_set_headers "X-XSS-Protection: 1; mode=block";
|
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
||||||
|
|
||||||
promtail:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
grafana:
|
|
||||||
enabled: false
|
|
@ -1,5 +0,0 @@
|
|||||||
storage:
|
|
||||||
persistentVolumeClaim:
|
|
||||||
size: 10Gi
|
|
||||||
persistentVolumeClaim:
|
|
||||||
class_name: nfs-provisioner
|
|
@ -1,22 +1 @@
|
|||||||
# Patterns to ignore when building packages.
|
values_overrides
|
||||||
# This supports shell glob matching, relative path matching, and
|
|
||||||
# negation (prefixed with !). Only one pattern per line.
|
|
||||||
.DS_Store
|
|
||||||
# Common VCS dirs
|
|
||||||
.git/
|
|
||||||
.gitignore
|
|
||||||
.bzr/
|
|
||||||
.bzrignore
|
|
||||||
.hg/
|
|
||||||
.hgignore
|
|
||||||
.svn/
|
|
||||||
# Common backup files
|
|
||||||
*.swp
|
|
||||||
*.bak
|
|
||||||
*.tmp
|
|
||||||
*~
|
|
||||||
# Various IDEs
|
|
||||||
.project
|
|
||||||
.idea/
|
|
||||||
*.tmproj
|
|
||||||
.vscode/
|
|
@ -30,7 +30,7 @@ spec:
|
|||||||
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "tekton_dashboard" ) }}
|
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "tekton_dashboard" ) }}
|
||||||
imagePullPolicy: {{ $.Values.images.pull.policy | quote }}
|
imagePullPolicy: {{ $.Values.images.pull.policy | quote }}
|
||||||
args:
|
args:
|
||||||
- --port={{ $.Values.params.endpoints.ports.web.port }}
|
- --port=8080
|
||||||
- --logout-url={{ $.Values.config.args.logout_url }}
|
- --logout-url={{ $.Values.config.args.logout_url }}
|
||||||
- --pipelines-namespace={{ $.Release.Namespace }}
|
- --pipelines-namespace={{ $.Release.Namespace }}
|
||||||
- --triggers-namespace={{ $.Release.Namespace }}
|
- --triggers-namespace={{ $.Release.Namespace }}
|
||||||
@ -49,19 +49,19 @@ spec:
|
|||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
ports:
|
ports:
|
||||||
- name: web
|
- name: web
|
||||||
containerPort: {{ $.Values.params.endpoints.ports.web.port }}
|
containerPort: 8080
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: {{ $.Values.params.endpoints.ports.web.scheme | upper }}
|
scheme: HTTP
|
||||||
path: /readiness
|
path: /readiness
|
||||||
port: {{ $.Values.params.endpoints.ports.web.port }}
|
port: 8080
|
||||||
initialDelaySeconds: 15
|
initialDelaySeconds: 15
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: {{ $.Values.params.endpoints.ports.web.scheme | upper }}
|
scheme: HTTP
|
||||||
path: /health
|
path: /health
|
||||||
port: {{ $.Values.params.endpoints.ports.web.port }}
|
port: 8080
|
||||||
initialDelaySeconds: 50
|
initialDelaySeconds: 50
|
||||||
periodSeconds: 20
|
periodSeconds: 20
|
||||||
timeoutSeconds: 5
|
timeoutSeconds: 5
|
||||||
|
35
charts/tekton-dashboard/templates/ingress-dashboard.yaml
Normal file
35
charts/tekton-dashboard/templates/ingress-dashboard.yaml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
{{- define "ingress-dashboard" -}}
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: {{ template "helpers.labels.fullname" $ }}
|
||||||
|
labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "dashboard") | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
{{- if and $.Values.params.endpoints.tls.enabled $.Values.params.endpoints.tls.issuer.enabled }}
|
||||||
|
{{- if $.Values.params.endpoints.tls.issuer.cluster }}
|
||||||
|
cert-manager.io/cluster-issuer: {{ $.Values.params.endpoints.tls.issuer.name }}
|
||||||
|
{{- else }}
|
||||||
|
cert-manager.io/issuer: {{ $.Values.params.endpoints.tls.issuer.name }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
rules:
|
||||||
|
- host: {{ $.Values.params.endpoints.hostname }}
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- backend:
|
||||||
|
serviceName: tekton-dashboard
|
||||||
|
servicePort: web
|
||||||
|
path: /
|
||||||
|
{{- if and $.Values.params.endpoints.tls.enabled }}
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- {{ $.Values.params.endpoints.hostname }}
|
||||||
|
secretName: {{ $.Values.params.endpoints.tls.secret.name | default ( include "helpers.labels.fullname" $ ) }}-cert
|
||||||
|
{{- end }}
|
||||||
|
...
|
||||||
|
{{- end -}}
|
||||||
|
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "ingress-dashboard" ) }}
|
||||||
|
|
||||||
|
|
@ -10,8 +10,7 @@ spec:
|
|||||||
ports:
|
ports:
|
||||||
- name: web
|
- name: web
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
port: {{ $.Values.params.endpoints.ports.web.port }}
|
port: 8080
|
||||||
targetPort: {{ $.Values.params.endpoints.ports.web.port }}
|
|
||||||
...
|
...
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "service-deployment" ) }}
|
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "service-deployment" ) }}
|
||||||
|
@ -27,9 +27,14 @@ node_labels:
|
|||||||
|
|
||||||
params:
|
params:
|
||||||
endpoints:
|
endpoints:
|
||||||
ports:
|
hostname: tekton.jarvis.local
|
||||||
web:
|
tls:
|
||||||
port: 9097
|
enabled: false
|
||||||
scheme: http
|
issuer:
|
||||||
|
enabled: false
|
||||||
|
cluster: false
|
||||||
|
name: null
|
||||||
|
secret:
|
||||||
|
name: null
|
||||||
|
|
||||||
over_rides: {}
|
over_rides: {}
|
||||||
|
8
charts/tekton-dashboard/values_overrides/default.yaml
Normal file
8
charts/tekton-dashboard/values_overrides/default.yaml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
params:
|
||||||
|
endpoints:
|
||||||
|
tls:
|
||||||
|
enabled: true
|
||||||
|
issuer:
|
||||||
|
enabled: true
|
||||||
|
cluster: true
|
||||||
|
name: jarvis-ca-issuer
|
@ -1,23 +1 @@
|
|||||||
# Patterns to ignore when building packages.
|
values_overrides
|
||||||
# This supports shell glob matching, relative path matching, and
|
|
||||||
# negation (prefixed with !). Only one pattern per line.
|
|
||||||
.DS_Store
|
|
||||||
# Common VCS dirs
|
|
||||||
.git/
|
|
||||||
.gitignore
|
|
||||||
.bzr/
|
|
||||||
.bzrignore
|
|
||||||
.hg/
|
|
||||||
.hgignore
|
|
||||||
.svn/
|
|
||||||
# Common backup files
|
|
||||||
*.swp
|
|
||||||
*.bak
|
|
||||||
*.tmp
|
|
||||||
*.orig
|
|
||||||
*~
|
|
||||||
# Various IDEs
|
|
||||||
.project
|
|
||||||
.idea/
|
|
||||||
*.tmproj
|
|
||||||
.vscode/
|
|
@ -1,22 +1 @@
|
|||||||
# Patterns to ignore when building packages.
|
values_overrides
|
||||||
# This supports shell glob matching, relative path matching, and
|
|
||||||
# negation (prefixed with !). Only one pattern per line.
|
|
||||||
.DS_Store
|
|
||||||
# Common VCS dirs
|
|
||||||
.git/
|
|
||||||
.gitignore
|
|
||||||
.bzr/
|
|
||||||
.bzrignore
|
|
||||||
.hg/
|
|
||||||
.hgignore
|
|
||||||
.svn/
|
|
||||||
# Common backup files
|
|
||||||
*.swp
|
|
||||||
*.bak
|
|
||||||
*.tmp
|
|
||||||
*~
|
|
||||||
# Various IDEs
|
|
||||||
.project
|
|
||||||
.idea/
|
|
||||||
*.tmproj
|
|
||||||
.vscode/
|
|
@ -5,7 +5,7 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: tekton-triggers-controller-admin
|
name: tekton-triggers-controller-admin
|
||||||
namespace: tekton-pipelines
|
namespace: {{ $.Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/instance: tekton-triggers
|
app.kubernetes.io/instance: tekton-triggers
|
||||||
app.kubernetes.io/part-of: tekton-triggers
|
app.kubernetes.io/part-of: tekton-triggers
|
||||||
|
@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: tekton-triggers-webhook-admin
|
name: tekton-triggers-webhook-admin
|
||||||
namespace: tekton-pipelines
|
namespace: {{ $.Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/instance: tekton-triggers
|
app.kubernetes.io/instance: tekton-triggers
|
||||||
app.kubernetes.io/part-of: tekton-triggers
|
app.kubernetes.io/part-of: tekton-triggers
|
||||||
|
@ -1,37 +0,0 @@
|
|||||||
==================
|
|
||||||
All-In-One Details
|
|
||||||
==================
|
|
||||||
|
|
||||||
Override-able Variables
|
|
||||||
=======================
|
|
||||||
|
|
||||||
The all-in-one script provides a number of environment variables that users
|
|
||||||
can alter the behavior.
|
|
||||||
|
|
||||||
- ``DEPLOY_K8S``. Default value: ``true``. Setting this value to ``false`` will
|
|
||||||
cause the script to not execute the Kubernetes deployment script. User is
|
|
||||||
expected to have a Kubernetes cluster running, with ``kubectl`` and ``helm``
|
|
||||||
(version 3) available that interact with said cluster.
|
|
||||||
- **Namespaces**: the Kubernetes and helm namespaces the charts will deploy to.
|
|
||||||
|
|
||||||
- ``TEKTON_NS``. Default value: ``tekton-pipelines``.
|
|
||||||
- ``HARBOR_NS``. Default value: ``harbor``.
|
|
||||||
- ``LOKI_NS``. Default value: ``loki-stack``.
|
|
||||||
- ``GRAFANA_NS``. Default value: ``grafana``.
|
|
||||||
- ``NFS_NS``. Default value: ``nfs``.
|
|
||||||
|
|
||||||
- ``HARBOR_VERSION``. Default value: ``1.5.2``. The version of the upstream
|
|
||||||
goharbor helm chart is pinned to a specific version to avoid unintended
|
|
||||||
upgrade conflict.
|
|
||||||
- ``CHART_ROOT_PATH``. Default value: ``./charts`` This specify the path
|
|
||||||
of the charts. If this path is relative, it is relative the root
|
|
||||||
of the cloned repository.
|
|
||||||
- Chart installation override variables. The following are provided:
|
|
||||||
|
|
||||||
- ``EXTRA_HELM_ARGS_NFS``
|
|
||||||
- ``EXTRA_HELM_ARGS_HARBOR``
|
|
||||||
- ``EXTRA_HELM_ARGS_TEKTON_PIPELINES``
|
|
||||||
- ``EXTRA_HELM_ARGS_TEKTON_TRIGGERS``
|
|
||||||
- ``EXTRA_HELM_ARGS_TEKTON_DASHBOARD``
|
|
||||||
- ``EXTRA_HELM_ARGS_GRAFANA``
|
|
||||||
- ``EXTRA_HELM_ARGS_LOKI_STACK``
|
|
@ -1,38 +0,0 @@
|
|||||||
===============================
|
|
||||||
All-In-One Behind HTTP(S) Proxy
|
|
||||||
===============================
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
If you are **not** deploying the All-In-One (AIO) behind a proxy, you
|
|
||||||
can skip this page.
|
|
||||||
|
|
||||||
.. hint::
|
|
||||||
Set the environment variables: ``HTTP_PROXY``, ``HTTPS_PROXY``, and ``NO_PROXY``.
|
|
||||||
|
|
||||||
By default, AIO will use Google DNS Server IPs (``8.8.8.8`` and ``8.8.4.4``)
|
|
||||||
and will update ``/etc/resolv.conf`` as a result. If those IPs are blocked by
|
|
||||||
your proxy, running the AIO script will result in the inability to connect to
|
|
||||||
anything on the network.
|
|
||||||
|
|
||||||
.. literalinclude:: ../../../../tools/gate/deploy-k8s.sh
|
|
||||||
:language: shell
|
|
||||||
:lines: 33-43
|
|
||||||
:caption: ``resolv.conf`` setting
|
|
||||||
|
|
||||||
In the case this is run behind a proxy, specifying the proxy informatin
|
|
||||||
in the environment variable ``$HTTP_PROXY`` will reserve the nameserver
|
|
||||||
in ``/etc/resolv.conf``.
|
|
||||||
|
|
||||||
To ensure minikube has the appropriate proxy information, set the environment
|
|
||||||
variables: ``HTTP_PROXY``, ``HTTPS_PROXY``, and ``NO_PROXY`` with the
|
|
||||||
appropriate strings. Minikube would be started with the correct docker
|
|
||||||
environment variable set.
|
|
||||||
|
|
||||||
.. literalinclude:: ../../../../tools/gate/deploy-k8s.sh
|
|
||||||
:language: shell
|
|
||||||
:lines: 112-118
|
|
||||||
:caption: minikube proxy setting
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
Depending on your specific proxy, ``https_proxy`` may be the same as ``http_proxy``.
|
|
||||||
Refer to your specific proxy documentation.
|
|
@ -1,115 +0,0 @@
|
|||||||
======================
|
|
||||||
All-In-One Quick Start
|
|
||||||
======================
|
|
||||||
|
|
||||||
Initial Setup
|
|
||||||
=============
|
|
||||||
|
|
||||||
It is strongly recommended that the following be performed in a virtual
|
|
||||||
machine (VM).
|
|
||||||
|
|
||||||
Run AIO Setup Script
|
|
||||||
====================
|
|
||||||
|
|
||||||
Clone the `Airship Charts repository <https://opendev.org/airship/charts>`_ by:
|
|
||||||
|
|
||||||
.. code:: bash
|
|
||||||
|
|
||||||
git clone https://opendev.org/airship/charts.git airship-charts
|
|
||||||
|
|
||||||
Go into the directory and run:
|
|
||||||
|
|
||||||
.. code:: bash
|
|
||||||
|
|
||||||
./tools/utils/aio-setup.sh
|
|
||||||
|
|
||||||
.. note:: You can set ``DEPLOY_K8S`` environment variable to ``false`` if you
|
|
||||||
have a Kubernetes cluster and do not wish to deploy a new cluster when
|
|
||||||
running the script.
|
|
||||||
|
|
||||||
.. note:: The script sets up a ``none``-driver minikube Kubernetes cluster and
|
|
||||||
installs a version 3 ``helm`` executable. If you want to use your own cluster
|
|
||||||
by setting ``DEPLOY_K8S`` to ``false``, you will need to ensure ``kubectl``
|
|
||||||
and ``helm`` are available.
|
|
||||||
|
|
||||||
|
|
||||||
Script Completion
|
|
||||||
=================
|
|
||||||
|
|
||||||
The script should deploy a minikube Kubernetes node with Calico support enabled.
|
|
||||||
Further, it should deploy the following charts into its respective namespace:
|
|
||||||
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
| Chart | Namespace |
|
|
||||||
+========================+=============================+
|
|
||||||
| ``harbor`` | harbor |
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
| ``tekton-pipelines`` | tekton-pipelines |
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
| ``tekton-dashboard`` | tekton-pipelines |
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
| ``tekton-triggers`` | tekton-pipelines |
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
| ``nfs-provisioner`` | nfs |
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
| ``grafana`` | grafana |
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
| ``loki`` | loki-stack |
|
|
||||||
+------------------------+-----------------------------+
|
|
||||||
|
|
||||||
.. code:: bash
|
|
||||||
|
|
||||||
$ helm ls -A
|
|
||||||
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
|
|
||||||
grafana grafana 1 2020-12-18 10:05:44.266366139 -0600 CST deployed grafana-6.1.15 7.3.3
|
|
||||||
harbor harbor 1 2020-12-17 16:22:37.606705989 -0600 CST deployed harbor-1.5.2 2.1.2
|
|
||||||
loki loki-stack 1 2020-12-18 10:04:17.473045347 -0600 CST deployed loki-stack-2.2.0 v2.0.0
|
|
||||||
nfs-provisioner nfs 1 2020-12-17 16:22:34.450821264 -0600 CST deployed nfs-provisioner-0.1.1 v2.2.1
|
|
||||||
tekton-dashboard tekton-pipelines 1 2020-12-17 16:22:42.038851986 -0600 CST deployed tekton-dashboard-0.1.0 v0.10.1
|
|
||||||
tekton-pipelines tekton-pipelines 1 2020-12-17 16:22:39.78742555 -0600 CST deployed tekton-pipelines-0.1.0 v0.16.3
|
|
||||||
tekton-triggers tekton-pipelines 1 2020-12-17 16:22:40.750189048 -0600 CST deployed tekton-triggers-0.1.0 v0.9.1
|
|
||||||
|
|
||||||
You can also inspect the pods and ensure they are all running:
|
|
||||||
|
|
||||||
.. code:: bash
|
|
||||||
|
|
||||||
$ kubectl get pod -A
|
|
||||||
NAMESPACE NAME READY STATUS RESTARTS AGE
|
|
||||||
grafana grafana-58485fc6d5-s45d6 1/1 Running 0 74s
|
|
||||||
harbor harbor-harbor-chartmuseum-5f7dccc958-kqq6n 1/1 Running 0 17h
|
|
||||||
harbor harbor-harbor-clair-b56498fcd-2tfl4 2/2 Running 4 17h
|
|
||||||
harbor harbor-harbor-core-7ccc475687-n9cbh 1/1 Running 0 17h
|
|
||||||
harbor harbor-harbor-database-0 1/1 Running 0 17h
|
|
||||||
harbor harbor-harbor-jobservice-ddc4f6b49-c9cdz 1/1 Running 0 17h
|
|
||||||
harbor harbor-harbor-notary-server-6fd6567fc8-nb7zf 1/1 Running 1 17h
|
|
||||||
harbor harbor-harbor-notary-signer-7895b57c78-gw2tm 1/1 Running 1 17h
|
|
||||||
harbor harbor-harbor-portal-7d69b5598f-mj99d 1/1 Running 0 17h
|
|
||||||
harbor harbor-harbor-redis-0 1/1 Running 0 17h
|
|
||||||
harbor harbor-harbor-registry-6755d8586b-p5mtp 2/2 Running 0 17h
|
|
||||||
harbor harbor-harbor-trivy-0 1/1 Running 0 17h
|
|
||||||
kube-system calico-kube-controllers-675b7c9569-lntn4 1/1 Running 0 3d19h
|
|
||||||
kube-system calico-node-kpt5k 1/1 Running 0 3d19h
|
|
||||||
kube-system coredns-f9fd979d6-zl5gp 1/1 Running 0 3d19h
|
|
||||||
kube-system etcd-minikube 1/1 Running 0 3d19h
|
|
||||||
kube-system kube-apiserver-minikube 1/1 Running 0 3d19h
|
|
||||||
kube-system kube-controller-manager-minikube 1/1 Running 0 3d19h
|
|
||||||
kube-system kube-proxy-pdpd9 1/1 Running 0 3d19h
|
|
||||||
kube-system kube-scheduler-minikube 1/1 Running 0 3d19h
|
|
||||||
kube-system storage-provisioner 1/1 Running 0 3d19h
|
|
||||||
loki-stack loki-0 1/1 Running 0 2m41s
|
|
||||||
loki-stack loki-promtail-lmh7s 1/1 Running 0 2m41s
|
|
||||||
nfs nfs-provisioner-7d749795c6-nbdzj 1/1 Running 0 17h
|
|
||||||
tekton-pipelines tekton-dashboard-5f8947b4cc-xhq4l 1/1 Running 0 17h
|
|
||||||
tekton-pipelines tekton-pipelines-controller-57866c7f56-4wkzt 1/1 Running 0 17h
|
|
||||||
tekton-pipelines tekton-pipelines-webhook-84c5494b44-cwmjx 1/1 Running 0 17h
|
|
||||||
tekton-pipelines tekton-triggers-controller-5f5dd8c885-jsv9k 1/1 Running 0 17h
|
|
||||||
tekton-pipelines tekton-triggers-webhook-55c6579868-8gcbf 1/1 Running 0 17h
|
|
||||||
|
|
||||||
Testing
|
|
||||||
=======
|
|
||||||
|
|
||||||
A basic suite of tests and helm tests can be executed by running:
|
|
||||||
|
|
||||||
.. code:: bash
|
|
||||||
|
|
||||||
./tools/gate/pipelines/run-test.sh
|
|
@ -1,12 +0,0 @@
|
|||||||
CICD (Harbor, Tekton, Loki-Stack)
|
|
||||||
=================================
|
|
||||||
|
|
||||||
Contents:
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 2
|
|
||||||
|
|
||||||
aio-quick-start
|
|
||||||
aio-detail
|
|
||||||
aio-proxy
|
|
||||||
terms-and-def
|
|
@ -1,18 +0,0 @@
|
|||||||
===========================
|
|
||||||
Terminology and Definitions
|
|
||||||
===========================
|
|
||||||
|
|
||||||
This page defines terms and their definitions used in this document.
|
|
||||||
|
|
||||||
.. list-table::
|
|
||||||
:widths: 10 20
|
|
||||||
:header-rows: 1
|
|
||||||
|
|
||||||
* - Term
|
|
||||||
- Definition
|
|
||||||
* - CI
|
|
||||||
- **Continuous Integration**.
|
|
||||||
* - Gerrit
|
|
||||||
- Gerrit is a free, web-based team code collaboration tool. Developers can review each
|
|
||||||
other's modifications on their source code using a Web browser and approve or reject those
|
|
||||||
changes. It integrates closely with Git.
|
|
@ -6,4 +6,4 @@ Installation
|
|||||||
:maxdepth: 2
|
:maxdepth: 2
|
||||||
:caption: Contents:
|
:caption: Contents:
|
||||||
|
|
||||||
cicd/index
|
jarvis/index
|
||||||
|
11
doc/source/install/jarvis/index.rst
Normal file
11
doc/source/install/jarvis/index.rst
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
Jarvis (Harbor, Tekton, Loki-Stack)
|
||||||
|
===================================
|
||||||
|
|
||||||
|
Contents:
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 2
|
||||||
|
|
||||||
|
introduction
|
||||||
|
requirements-and-host-config
|
||||||
|
vagrant
|
12
doc/source/install/jarvis/introduction.rst
Normal file
12
doc/source/install/jarvis/introduction.rst
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
===================
|
||||||
|
Jarvis Introduction
|
||||||
|
===================
|
||||||
|
|
||||||
|
Scope
|
||||||
|
=====
|
||||||
|
|
||||||
|
Tools
|
||||||
|
=====
|
||||||
|
|
||||||
|
Examples
|
||||||
|
========
|
45
doc/source/install/jarvis/requirements-and-host-config.rst
Normal file
45
doc/source/install/jarvis/requirements-and-host-config.rst
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
===================================
|
||||||
|
Requirements and Host Configuration
|
||||||
|
===================================
|
||||||
|
|
||||||
|
Overview
|
||||||
|
========
|
||||||
|
|
||||||
|
Below are some instructions and suggestions to help you get started with a All-in-One environment on Ubuntu 20.04.
|
||||||
|
Other supported versions of Linux can also be used, with the appropriate changes to package installation.
|
||||||
|
|
||||||
|
Requirements
|
||||||
|
============
|
||||||
|
|
||||||
|
System Requirements
|
||||||
|
-------------------
|
||||||
|
|
||||||
|
The recommended minimum system requirements for a full deployment are:
|
||||||
|
|
||||||
|
- 8GB of RAM
|
||||||
|
- 4 Cores
|
||||||
|
- 48GB HDD
|
||||||
|
|
||||||
|
This guide covers the minimum number of requirements to get started.
|
||||||
|
|
||||||
|
All commands below should be run as a normal user, not as root.
|
||||||
|
Appropriate versions of Docker, Kubernetes, and Helm will be installed
|
||||||
|
by the scripts used below, so there's no need to install them ahead of time.
|
||||||
|
|
||||||
|
.. warning:: By default the Calico CNI will use ``192.168.0.0/16`` and
|
||||||
|
Kubernetes services will use ``10.96.0.0/16`` as the CIDR for services. Check
|
||||||
|
that these CIDRs are not in use on the development node before proceeding, or
|
||||||
|
adjust as required.
|
||||||
|
|
||||||
|
Host Configuration
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Utilities on the hosts, need to be able to resolve kubernetes services correctly.
|
||||||
|
Ubuntu Desktop and some other distributions make use of ``mdns4_minimal`` which
|
||||||
|
does not operate as Kubernetes expects with its default TLD of ``.local``. To operate
|
||||||
|
as expected either change the ``hosts`` line in the ``/etc/nsswitch.conf``, or confirm
|
||||||
|
that it matches:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
hosts: files dns
|
5
doc/source/install/jarvis/vagrant.rst
Normal file
5
doc/source/install/jarvis/vagrant.rst
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
==================
|
||||||
|
Jarvis AIO Vagrant
|
||||||
|
==================
|
||||||
|
|
||||||
|
A vagrant file is provided under `tools/deployment/vagrant`, running `vagrant up` from this directory should bring up and deploy a copy of the Jarvis AIO.
|
@ -13,5 +13,5 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
export API_ADDR=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].addresses[0].ip')
|
export API_ADDR=$(kubectl get endpoints kubernetes -o 'jsonpath={.subsets[0].addresses[0].ip}')
|
||||||
export API_PORT=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].port')
|
export API_PORT=$(kubectl get endpoints kubernetes -o 'jsonpath={.subsets[0].ports[0].port}')
|
||||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user