From 007cbd96dce05cebffccb17dcedccfa160e0f5e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=88=92=E6=88=90?= Date: Wed, 31 Mar 2021 19:25:47 +0800 Subject: [PATCH] update --- conf/notary-server.json | 2 +- values-aliyun.yaml => raws/values-aliyun.yaml | 22 +- values-arm.yaml => raws/values-arm.yaml | 22 +- values-pg.yaml => raws/values-pg.yaml | 0 .../values-ppc64le.yaml | 0 values-stolon.yaml => raws/values-stolon.yaml | 0 raws/values.yaml | 747 ++++++++++++++++++ templates/NOTES.txt | 2 +- templates/_helpers.tpl | 11 + templates/chartmuseum/chartmuseum-cm.yaml | 2 +- templates/chartmuseum/chartmuseum-dpl.yaml | 8 +- templates/clair/clair-dpl.yaml | 8 +- templates/core/core-cm.yaml | 2 +- templates/core/core-dpl.yaml | 8 +- templates/database/database-ss.yaml | 24 +- templates/ingress/ingress.yaml | 10 +- templates/ingress/ingresshost.yaml | 4 +- templates/ingress/ingressroute.yaml | 28 +- templates/jobservice/jobservice-dpl.yaml | 8 +- templates/nginx/deployment.yaml | 8 +- templates/notary/notary-server.yaml | 8 +- templates/notary/notary-signer.yaml | 8 +- templates/portal/deployment.yaml | 8 +- templates/redis/statefulset.yaml | 6 + templates/registry/registry-dpl.yaml | 8 +- templates/trivy/trivy-sts.yaml | 8 +- values-operator.yaml | 5 + values.yaml | 85 +- 28 files changed, 941 insertions(+), 111 deletions(-) rename values-aliyun.yaml => raws/values-aliyun.yaml (94%) rename values-arm.yaml => raws/values-arm.yaml (92%) rename values-pg.yaml => raws/values-pg.yaml (100%) rename values-ppc64le.yaml => raws/values-ppc64le.yaml (100%) rename values-stolon.yaml => raws/values-stolon.yaml (100%) create mode 100644 raws/values.yaml create mode 100644 values-operator.yaml diff --git a/conf/notary-server.json b/conf/notary-server.json index b3c2624..29a741b 100644 --- a/conf/notary-server.json +++ b/conf/notary-server.json 
@@ -19,7 +19,7 @@ "auth": { "type": "token", "options": { - "realm": "{{ .Values.externalURL }}/service/token", + "realm": "{{ .Values.externalURL }}.{{ $.Values.global.host }}/service/token", "service": "harbor-notary", "issuer": "harbor-token-issuer", "rootcertbundle": "/root.crt" diff --git a/values-aliyun.yaml b/raws/values-aliyun.yaml similarity index 94% rename from values-aliyun.yaml rename to raws/values-aliyun.yaml index 40a4298..e2745d9 100644 --- a/values-aliyun.yaml +++ b/raws/values-aliyun.yaml @@ -73,17 +73,17 @@ secretKey: "IpTIscRIgmerlare" portal: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.1 + tag: v2.1.3 core: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.1 + tag: v2.1.3 jobservice: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.1 + tag: v2.1.3 registry: registry: @@ -98,12 +98,12 @@ registry: controller: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.1 + tag: v2.1.3 chartmuseum: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum - tag: v2.1.1 + tag: v2.1.3 nodeSelector: {} # nodeSelector: # harbor: enabled @@ -117,33 +117,33 @@ clair: clair: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair - tag: v2.1.1 + tag: v2.1.3 adapter: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter - tag: v2.1.1 + tag: v2.1.3 trivy: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter - tag: v2.1.1 + tag: v2.1.3 notary: server: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server - tag: v2.1.1 + tag: v2.1.3 signer: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer - tag: v2.1.1 + tag: v2.1.3 database: type: internal internal: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.1 + tag: v2.1.3 password: "spaceIN511" resources: limits: 
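Review bot: The new `realm` is assembled by plain concatenation, `{{ .Values.externalURL }}.{{ $.Values.global.host }}`, so it only yields a valid URL when externalURL is a bare host prefix without scheme-specific port or path, while the values documentation shipped in this same commit (raws/values.yaml) still describes externalURL as `protocol://domain[:port]`; with a port present the realm renders as `https://host:443.example` and token clients are pointed at a non-existent auth endpoint, and when `global.host` is unset the rendered realm ends in a dangling `.`. The same concatenation is repeated in templates/NOTES.txt, templates/chartmuseum/chartmuseum-cm.yaml and templates/core/core-cm.yaml. Defining the join once in _helpers.tpl, e.g. `{{- define "harbor.externalHost" -}}{{ .Values.externalURL }}.{{ required "global.host is required" .Values.global.host }}{{- end -}}`, and referencing that from all four places keeps the token realm, EXT_ENDPOINT and the portal URL consistent and fails rendering early instead of emitting a malformed realm.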
diff --git a/values-arm.yaml b/raws/values-arm.yaml similarity index 92% rename from values-arm.yaml rename to raws/values-arm.yaml index 826dc59..33d3b81 100644 --- a/values-arm.yaml +++ b/raws/values-arm.yaml @@ -73,17 +73,17 @@ secretKey: "IpTIscRIgmerlare" portal: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 core: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 jobservice: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 registry: registry: @@ -98,12 +98,12 @@ registry: controller: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 chartmuseum: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 nodeSelector: {} # nodeSelector: # harbor: enabled @@ -117,33 +117,33 @@ clair: clair: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 adapter: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 trivy: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 notary: server: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 signer: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 database: type: internal internal: image: repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.1-arm64 + tag: v2.1.3-arm64 password: "spaceIN511" resources: limits: diff --git a/values-pg.yaml b/raws/values-pg.yaml similarity index 100% rename from values-pg.yaml rename to raws/values-pg.yaml 
diff --git a/values-ppc64le.yaml b/raws/values-ppc64le.yaml similarity index 100% rename from values-ppc64le.yaml rename to raws/values-ppc64le.yaml diff --git a/values-stolon.yaml b/raws/values-stolon.yaml similarity index 100% rename from values-stolon.yaml rename to raws/values-stolon.yaml diff --git a/raws/values.yaml b/raws/values.yaml new file mode 100644 index 0000000..17a66ee --- /dev/null +++ b/raws/values.yaml 
@@ -0,0 +1,747 @@ +expose: + # Set the way how to expose the service. Set the type as "ingress", + # "clusterIP", "nodePort" or "loadBalancer" and fill the information + # in the corresponding section + type: ingress + tls: + # Enable the tls or not. Note: if the type is "ingress" and the tls + # is disabled, the port must be included in the command when pull/push + # images. Refer to https://github.com/goharbor/harbor/issues/5291 + # for the detail. + enabled: true + # The source of the tls certificate. Set it as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # Only needed when the "expose.type" is "ingress". + notarySecretName: "" + ingress: + hosts: + core: core.harbor.domain + notary: notary.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. 
+ # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + controller: default + annotations: + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + clusterIP: + # The name of ClusterIP service + name: harbor + ports: + # The service port Harbor listens on when serving with HTTP + httpPort: 80 + # The service port Harbor listens on when serving with HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving with HTTP + port: 80 + # The node port Harbor listens on when serving with HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving with HTTPS + port: 443 + # The node port Harbor listens on when serving with HTTPS + nodePort: 30003 + # Only needed when notary.enabled is set to true + notary: + # The service port Notary listens on + port: 4443 + # The node port Notary listens on + nodePort: 30004 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving with HTTP + httpPort: 80 + # The service port Harbor listens on when serving with HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker/notary client +# +# Format: protocol://domain[:port]. 
Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each components tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only 
available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # chartmuseum related cert configuration + chartmuseum: + # secret name for chartmuseum's tls certs + secretName: "" + # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" + key: "" + # clair related cert configuration + clair: + # secret name for clair's tls certs + secretName: "" + # Content of clair's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of clair's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamicly. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you have already existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. 
they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used(the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + # Define which storage backend is used for registry and chartmuseum to store + # images and charts. Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. 
+ # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's and chartmuseum's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + # and chartmuseum + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + s3: + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to 
assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry +# and chartmuseum): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the certificate of CA when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" + +# The proxy settings for updating clair vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - clair + - trivy + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. 
+# uaaSecretName: + +# If expose the service via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +core: + image: + repository: goharbor/harbor-core + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # The default key pair will be used if it isn't set + secretName: "" + # The XSRF key. 
Will be generated automatically if it isn't specified + xsrfKey: "" + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.1.3 + replicas: 1 + # set the service account to be used, default if left empty + serviceAccountName: "" + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLogger: file + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + registry: + image: + repository: goharbor/registry-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.1.3 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash + # e.g. 
"htpasswd -nbBC10 $username $password" + htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m" + + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + +chartmuseum: + enabled: true + # set the service account to be used, default if left empty + serviceAccountName: "" + # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' + absoluteUrl: false + image: + repository: goharbor/chartmuseum-photon + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +clair: + enabled: true + # set the service account to be used, default if left empty + serviceAccountName: "" + clair: + image: + repository: goharbor/clair-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + adapter: + image: + repository: goharbor/clair-adapter-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + # The interval of clair updaters, the unit is hour, set to 0 to + # disable the updaters + updatersInterval: 12 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + # replicas the number of Pod replicas + 
replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. 
+ # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +notary: + enabled: true + server: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/notary-server-photon + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + signer: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/notary-signer-photon + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named ca.crt, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. 
+ secretName: "" + +database: + # if external database is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/harbor-db + tag: v2.1.3 + # The initial superuser password for internal database + password: "changeit" + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + clairDatabase: "clair" + notaryServerDatabase: "notary_server" + notarySignerDatabase: "notary_signer" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool. + # If it <=0, no idle connections are retained. + maxIdleConns: 50 + # The maximum number of open connections to the database. + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. 
+ maxOpenConns: 1000 + ## Additional deployment annotations + podAnnotations: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/redis-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + chartmuseumDatabaseIndex: "3" + clairAdapterIndex: "4" + trivyAdapterIndex: "5" + password: "" + ## Additional deployment annotations + podAnnotations: {} + +commonLabels: + app.bd-apaas.com/cluster-component: registry \ No newline at end of file diff --git a/templates/NOTES.txt b/templates/NOTES.txt index 0980c08..7a45c99 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -1,3 +1,3 @@ Please wait for several minutes for Harbor deployment to complete. -Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.{{ $.Values.global.host }} For more details, please visit https://github.com/goharbor/harbor diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 122afad..59c8b4b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
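Review bot: This new file defines no `global:` section, yet the templates changed in the same commit read `.Values.global.host`, `.Values.global.hub`, `.Values.global.tag`, `.Values.global.arch` and `.Values.global.imagePullPolicy`, so rendering with `-f raws/values.yaml` would presumably produce `https://core.harbor.domain.` for the externalURL-derived values and empty hub/tag image references; either add a `global:` block with those keys here, or state at the top of the file that it is an untouched upstream reference copy not meant to be passed to `helm install`. The file also vendors the upstream placeholder credentials unchanged (`harborAdminPassword: "Harbor12345"`, `secretKey: "not-a-secure-key"`, `database.internal.password: "changeit"`, the registry htpasswd pair); a header comment such as `# Reference copy of upstream defaults; every credential below is a placeholder and must be overridden` would make that explicit for anyone who copies from it. The file also ends without a trailing newline.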
@@ -1,3 +1,14 @@ +{{/* +Create chart arch suffix. +*/}} +{{- define "beagle.arch" -}} +{{- if not (eq "amd64" .Values.global.arch) -}} +{{- print "-" .Values.global.arch -}} +{{- else -}} +{{- print "" -}} +{{- end -}} +{{- end }} + {{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. diff --git a/templates/chartmuseum/chartmuseum-cm.yaml b/templates/chartmuseum/chartmuseum-cm.yaml index 9777ca2..3eb3868 100644 --- a/templates/chartmuseum/chartmuseum-cm.yaml +++ b/templates/chartmuseum/chartmuseum-cm.yaml @@ -21,7 +21,7 @@ data: CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}" BASIC_AUTH_USER: "chart_controller" {{- if .Values.chartmuseum.absoluteUrl }} - CHART_URL: {{ .Values.externalURL }}/chartrepo + CHART_URL: {{ .Values.externalURL }}.{{ $.Values.global.host }}/chartrepo {{- end }} DEPTH: "1" {{- if eq .Values.logLevel "debug" }} diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml index dc0157f..c0f61b3 100644 --- a/templates/chartmuseum/chartmuseum-dpl.yaml +++ b/templates/chartmuseum/chartmuseum-dpl.yaml @@ -46,8 +46,12 @@ spec: {{- end }} containers: - name: chartmuseum - image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.chartmuseum.image.repository }} + image: "{{ .Values.chartmuseum.image.repository }}" +{{- else }} + image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" livenessProbe: httpGet: path: /health diff --git a/templates/clair/clair-dpl.yaml b/templates/clair/clair-dpl.yaml index 35005e8..2c6b64e 100644 --- a/templates/clair/clair-dpl.yaml +++ b/templates/clair/clair-dpl.yaml 
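Review bot: `beagle.arch` compares `.Values.global.arch` with `eq` and no default, so a values file that omits `global.arch` (raws/values.yaml added in this commit has no `global:` block at all) reaches the comparison with a nil value; depending on the Go template version this is either a render error or is silently treated as "not amd64", after which the `-` suffix plus whatever nil renders as is appended to every image tag built from this helper. Guarding with a default, `{{- $arch := .Values.global.arch | default "amd64" -}}` followed by `{{- if ne $arch "amd64" -}}`, makes the amd64 case explicit and leaves the suffix empty when the key is absent. The `else` branch printing `""` can then be dropped.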
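Review bot: The new `contains "/"` branch in chartmuseum-dpl.yaml uses the repository string verbatim and drops both the hub and the tag, so for any repository with a path component — including the defaults this commit ships in raws/values.yaml (`goharbor/chartmuseum-photon`) and the `registry.cn-qingdao.aliyuncs.com/wod/...` values in raws/values-aliyun.yaml — the rendered image is `"goharbor/chartmuseum-photon"` with no tag, which the container runtime resolves to the mutable `latest` tag instead of the pinned `v2.1.3`. If the intent is that a slash marks a fully qualified reference, the branch should still append the tag, `image: "{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"`, or the test should be narrowed to references that already carry a tag or digest (for example `contains ":"`). The same pattern is repeated in templates/clair/clair-dpl.yaml, templates/core/core-dpl.yaml and templates/database/database-ss.yaml in this chunk, and presumably in the other deployment templates listed in the diffstat.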
@@ -39,8 +39,12 @@ spec: {{- end }} containers: - name: clair - image: {{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.clair.clair.image.repository }} + image: "{{ .Values.clair.clair.image.repository }}" +{{- else }} + image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" livenessProbe: httpGet: path: /health diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml index d339ee2..545b43b 100644 --- a/templates/core/core-cm.yaml +++ b/templates/core/core-cm.yaml @@ -21,7 +21,7 @@ data: POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" - EXT_ENDPOINT: "{{ .Values.externalURL }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}.{{ $.Values.global.host }}" CORE_URL: "{{ template "harbor.coreURL" . }}" JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" REGISTRY_URL: "{{ template "harbor.registryURL" . }}" diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 2967e00..23a8316 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml 
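Review bot: `EXT_ENDPOINT` is now produced by concatenating `.Values.externalURL`, a literal `.` and `global.host`, which only yields a valid URL when externalURL is exactly a scheme plus one bare label (`https://hub` in the new values.yaml); a value carrying a port or path, e.g. `https://hub:30003`, renders as `https://hub:30003.wodcloud.local`. EXT_ENDPOINT is the endpoint core advertises to clients, so a malformed value is an authentication/availability failure rather than a cosmetic one. Either document the constraint in the comment above `externalURL` in values.yaml, or compose the host once in a named helper and guard it with `required` — the same concatenation is repeated in notary-server.json, NOTES.txt and chartmuseum-cm.yaml in this commit.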
@@ -40,8 +40,12 @@ spec: {{- end }} containers: - name: core - image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.core.image.repository }} + image: "{{ .Values.core.image.repository }}" +{{- else }} + image: "{{ .Values.core.image.hub | default .Values.global.hub }}/{{ .Values.core.image.repository }}:{{ .Values.core.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" {{- if .Values.core.startupProbe.enabled }} startupProbe: httpGet: diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index fe29b31..51bf4ce 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -36,8 +36,12 @@ spec: - name: "change-permission-of-directory" securityContext: runAsUser: 0 - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.database.internal.image.repository }} + image: "{{ .Values.database.internal.image.repository }}" +{{- else }} + image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" command: ["/bin/sh"] args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"] volumeMounts: 
@@ -45,8 +49,12 @@ spec: mountPath: /var/lib/postgresql/data subPath: {{ $database.subPath }} - name: "remove-lost-found" - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.database.internal.image.repository }} + image: "{{ .Values.database.internal.image.repository }}" +{{- else }} + image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] volumeMounts: - name: database-data @@ -54,8 +62,12 @@ spec: subPath: {{ $database.subPath }} containers: - name: database - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.database.internal.image.repository }} + image: "{{ .Values.database.internal.image.repository }}" +{{- else }} + image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" livenessProbe: exec: command: diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml index b0080dc..b74dc8d 100644 --- a/templates/ingress/ingress.yaml +++ b/templates/ingress/ingress.yaml @@ -28,6 +28,7 @@ {{- end }} --- +{{- if not (.Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1") -}} {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} apiVersion: extensions/v1beta1 {{- else }} 
@@ -55,7 +56,7 @@ spec: - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} {{- if $ingress.hosts.core }} hosts: - - {{ $ingress.hosts.core }} + - {{ $ingress.hosts.core }}.{{ $.Values.global.host }} {{- end }} {{- end }} rules: @@ -86,7 +87,7 @@ spec: serviceName: {{ template "harbor.core" . }} servicePort: {{ template "harbor.core.servicePort" . }} {{- if $ingress.hosts.core }} - host: {{ $ingress.hosts.core }} + host: {{ $ingress.hosts.core }}.{{ $.Values.global.host }} {{- end }} {{- if .Values.notary.enabled }} @@ -115,7 +116,7 @@ spec: - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }} {{- if $ingress.hosts.notary }} hosts: - - {{ $ingress.hosts.notary }} + - {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} {{- end }} {{- end }} rules: @@ -126,8 +127,9 @@ spec: serviceName: {{ template "harbor.notary-server" . }} servicePort: 4443 {{- if $ingress.hosts.notary }} - host: {{ $ingress.hosts.notary }} + host: {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/ingress/ingresshost.yaml b/templates/ingress/ingresshost.yaml index 875d431..e36a186 100644 --- a/templates/ingress/ingresshost.yaml +++ b/templates/ingress/ingresshost.yaml @@ -11,7 +11,7 @@ metadata: labels: {{ include "harbor.labels" . | nindent 4 }} spec: - host: "{{ .Values.expose.ingress.hosts.core }}" + host: "{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}" --- apiVersion: bcc.bd-apaas.com/v1alpha1 kind: IngressHost @@ -24,5 +24,5 @@ metadata: labels: {{ include "harbor.labels" . | nindent 4 }} spec: - host: "{{ .Values.expose.ingress.hosts.notary }}" + host: "{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}" {{- end -}} diff --git a/templates/ingress/ingressroute.yaml b/templates/ingress/ingressroute.yaml index f5ea7ac..ff0c317 100644 --- a/templates/ingress/ingressroute.yaml +++ b/templates/ingress/ingressroute.yaml 
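Review bot: The `.{{ $.Values.global.host }}` suffix is appended to `hosts.core`/`hosts.notary` in the Ingress rules and in the `tls.hosts` list, but nothing in this commit changes how the secret named by `harbor.tlsCoreSecretForIngress` is generated; if the `certSource: auto` path (not visible here) still issues the certificate for the bare `hosts.core` value, the served certificate's SAN will not match the suffixed host and clients get hostname-mismatch errors that operators typically silence with insecure flags. Compute the full host once, e.g. `{{- $coreHost := printf "%s.%s" $ingress.hosts.core $.Values.global.host -}}`, and use it in both the ingress and the certificate template. When `global.host` is unset the concatenation also yields a trailing-dot host such as `hub.`.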
@@ -14,39 +14,39 @@ spec: entryPoints: - websecure routes: - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) kind: Rule services: - name: {{ template "harbor.portal" . }} port: {{ template "harbor.portal.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/api/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/service/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/v2/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`) kind: Rule middlewares: - name: "{{ template "harbor.ingress" . }}-https" services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/chartrepo/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/c/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . 
}} - - match: Host(`{{ .Values.expose.ingress.hosts.notary }}`) && PathPrefix(`/`) + - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) kind: Rule services: - name: {{ template "harbor.notary-server" . }} 
@@ -68,37 +68,37 @@ spec: entryPoints: - web routes: - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) kind: Rule services: - name: {{ template "harbor.portal" . }} port: {{ template "harbor.portal.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/api/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/service/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/v2/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/chartrepo/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/c/`) + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`) kind: Rule services: - name: {{ template "harbor.core" . }} port: {{ template "harbor.core.servicePort" . 
}} - - match: Host(`{{ .Values.expose.ingress.hosts.notary }}`) && PathPrefix(`/`) + - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) kind: Rule services: - name: {{ template "harbor.notary-server" . }} diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index cafc6fb..5981c64 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -46,8 +46,12 @@ spec: {{- end }} containers: - name: jobservice - image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.jobservice.image.repository }} + image: "{{ .Values.jobservice.image.repository }}" +{{- else }} + image: "{{ .Values.jobservice.image.hub | default .Values.global.hub }}/{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" livenessProbe: httpGet: path: /api/v1/stats diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index 50dcff7..621b6d3 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml 
@@ -41,8 +41,12 @@ spec: {{- end }} containers: - name: nginx - image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" +{{- if contains "/" .Values.nginx.image.repository }} + image: "{{ .Values.nginx.image.repository }}" +{{- else }} + image: "{{ .Values.nginx.image.hub | default .Values.global.hub }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" {{- $_ := set . "scheme" "HTTP" -}} {{- $_ := set . "port" "8080" -}} {{- if .Values.expose.tls.enabled }} diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml index 6cb8023..abfa3a0 100644 --- a/templates/notary/notary-server.yaml +++ b/templates/notary/notary-server.yaml @@ -35,8 +35,12 @@ spec: {{- end }} containers: - name: notary-server - image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.notary.server.image.repository }} + image: "{{ .Values.notary.server.image.repository }}" +{{- else }} + image: "{{ .Values.notary.server.image.hub | default .Values.global.hub }}/{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" {{- if .Values.notary.server.resources }} resources: {{ toYaml .Values.notary.server.resources | indent 10 }} diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml index f4ee98e..cc702cd 100644 --- a/templates/notary/notary-signer.yaml +++ b/templates/notary/notary-signer.yaml 
@@ -31,8 +31,12 @@ spec: {{- end }} containers: - name: notary-signer - image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.notary.signer.image.repository }} + image: "{{ .Values.notary.signer.image.repository }}" +{{- else }} + image: "{{ .Values.notary.signer.image.hub | default .Values.global.hub }}/{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" {{- if .Values.notary.signer.resources }} resources: {{ toYaml .Values.notary.signer.resources | indent 10 }} diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index 7b022c6..73fd641 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml @@ -35,8 +35,12 @@ spec: {{- end }} containers: - name: portal - image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.portal.image.repository }} + image: "{{ .Values.portal.image.repository }}" +{{- else }} + image: "{{ .Values.portal.image.hub | default .Values.global.hub }}/{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" {{- if .Values.portal.resources }} resources: {{ toYaml .Values.portal.resources | indent 10 }} diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index be710af..56a94b2 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml 
@@ -37,6 +37,12 @@ spec: - name: redis image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.chartmuseum.image.repository }} + image: "{{ .Values.chartmuseum.image.repository }}" +{{- else }} + image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" livenessProbe: tcpSocket: port: 6379 diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 24b6b60..cf98138 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -46,8 +46,12 @@ spec: {{- end }} containers: - name: registry - image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.registry.image.repository }} + image: "{{ .Values.registry.image.repository }}" +{{- else }} + image: "{{ .Values.registry.image.hub | default .Values.global.hub }}/{{ .Values.registry.image.repository }}:{{ .Values.registry.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" livenessProbe: httpGet: path: / diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index 9e8e08a..432100e 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml 
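Review bot: The new `image:`/`imagePullPolicy:` lines are added after the existing `image:` and `imagePullPolicy:` of the redis container instead of replacing them, producing duplicate mapping keys, and they reference `.Values.chartmuseum.image.*` rather than `.Values.redis.internal.image.*`, so even where the duplicate is tolerated the redis pod would run the chartmuseum image. Helm 3's manifest parser rejects rendered YAML with duplicate keys, so this breaks the release as written. Drop the two original lines and point the new block at the redis values, keeping the tag in the fully-qualified branch as well.

```yaml
        - name: redis
{{- if contains "/" .Values.redis.internal.image.repository }}
          image: "{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag | default .Values.global.tag }}"
{{- else }}
          image: "{{ .Values.redis.internal.image.hub | default .Values.global.hub }}/{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
{{- end }}
          imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
          # … unchanged: livenessProbe and the rest of the container spec …
```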
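Review bot: The new lines read `.Values.registry.image.*`, but values.yaml in this same commit keeps the image under `registry.registry.image` (the removed lines used that nested path), so `.Values.registry.image` is nil and `.Values.registry.image.repository` fails at render time with a nil-pointer evaluation error. Restore the nested path: `{{- if contains "/" .Values.registry.registry.image.repository }}` and the same `.registry.registry.image.` prefix on the two `image:` lines. Separately, the values switch from `goharbor/registry-photon:v2.1.3` to stock `registry:2.7.1`; Harbor's photon image carries Harbor-specific entrypoint/config wiring, so confirm the chart's mounted registry config and token-auth settings still work against the upstream distribution image before relying on it.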
@@ -44,8 +44,12 @@ spec: automountServiceAccountToken: false containers: - name: trivy - image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if contains "/" .Values.trivy.image.repository }} + image: "{{ .Values.trivy.image.repository }}" +{{- else }} + image: "{{ .Values.trivy.image.hub | default .Values.global.hub }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" securityContext: privileged: false allowPrivilegeEscalation: false diff --git a/values-operator.yaml b/values-operator.yaml new file mode 100644 index 0000000..b9f3521 --- /dev/null +++ b/values-operator.yaml @@ -0,0 +1,5 @@ +global: + hub: registry.cn-qingdao.aliyuncs.com/wod + imagePullPolicy: "IfNotPresent" + arch: amd64 + host: wodcloud.local \ No newline at end of file diff --git a/values.yaml b/values.yaml index 17a66ee..a8e0e0e 100644 --- a/values.yaml +++ b/values.yaml @@ -8,7 +8,7 @@ expose: # is disabled, the port must be included in the command when pull/push # images. Refer to https://github.com/goharbor/harbor/issues/5291 # for the detail. - enabled: true + enabled: false # The source of the tls certificate. Set it as "auto", "secret" # or "none" and fill the information in the corresponding section # 1) auto: generate the tls certificate automatically @@ -33,8 +33,8 @@ expose: notarySecretName: "" ingress: hosts: - core: core.harbor.domain - notary: notary.harbor.domain + core: hub + notary: notary # set to the type of ingress controller if it has specific requirements. # leave as `default` for most ingress controllers. # set to `gce` if using the GCE ingress controller 
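Review bot: `global.tag` is used as the fallback in every `image:` line of this commit (`.Values.x.image.tag | default .Values.global.tag`) but is not defined here, so a component that omits its own tag renders `repo:` followed only by the arch suffix — an invalid image reference. Either add `tag:` to this file or document above it that per-component tags are mandatory. The file also routes every image through a third-party mirror (`registry.cn-qingdao.aliyuncs.com/wod`) pulled by mutable tag with `IfNotPresent`, so what runs on a node depends on whatever that mirror and the node cache currently hold; note the provenance assumption in a comment and prefer digest pins for production.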
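Review bot: Flipping `expose.tls.enabled` to `false` as the shipped default turns off TLS on the Harbor endpoint while `externalURL` in the same commit stays `https://hub`, so the advertised scheme and the listener disagree and Docker/Helm clients will need insecure-registry configuration to push at all. If TLS is terminated upstream (the ingressroute templates route through Traefik's `websecure` entrypoint), state that in the comment above this key; otherwise keep the upstream default of `true` so the chart is secure by default.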
@@ -105,7 +105,7 @@ expose: # the IP address of k8s node # # If Harbor is deployed behind the proxy, set it as the URL of proxy -externalURL: https://core.harbor.domain +externalURL: https://hub # The internal TLS used for harbor components secure communicating. In order to enable https # in each components tls cert files need to provided in advance. @@ -198,19 +198,19 @@ persistence: # Specify the "storageClass" used to provision the volume. Or the default # StorageClass will be used(the default). # Set it to "-" to disable dynamic provisioning - storageClass: "" + storageClass: "hostpath" subPath: "" accessMode: ReadWriteOnce - size: 5Gi + size: 500Gi chartmuseum: existingClaim: "" - storageClass: "" + storageClass: "hostpath" subPath: "" accessMode: ReadWriteOnce size: 5Gi jobservice: existingClaim: "" - storageClass: "" + storageClass: "hostpath" subPath: "" accessMode: ReadWriteOnce size: 1Gi @@ -218,21 +218,21 @@ persistence: # be ignored database: existingClaim: "" - storageClass: "" + storageClass: "hostpath" subPath: "" accessMode: ReadWriteOnce - size: 1Gi + size: 10Gi # If external Redis is used, the following settings for Redis will # be ignored redis: existingClaim: "" - storageClass: "" + storageClass: "hostpath" subPath: "" accessMode: ReadWriteOnce size: 1Gi trivy: existingClaim: "" - storageClass: "" + storageClass: "hostpath" subPath: "" accessMode: ReadWriteOnce size: 5Gi @@ -338,7 +338,7 @@ updateStrategy: logLevel: info # The initial password of Harbor admin. Change it from portal after launching Harbor -harborAdminPassword: "Harbor12345" +harborAdminPassword: "spaceIN511" # The name of the secret which contains key named "ca.crt". Setting this enables the # download link on portal to download the certificate of CA when the certificate isn't 
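Review bot: `harborAdminPassword: "spaceIN511"` replaces the well-known upstream placeholder with a real-looking credential committed to the repository, and the same string is set as the internal database password later in this file, so anyone with read access to the chart holds the admin login for every cluster deployed from it. Keep a placeholder in VCS and inject the real value at install time (`--set harborAdminPassword=...` or a values file kept outside the repo), and treat the committed value as already disclosed.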
@@ -346,7 +346,7 @@ harborAdminPassword: "Harbor12345" caSecretName: "" # The secret key used for encryption. Must be a string of 16 chars. -secretKey: "not-a-secure-key" +secretKey: "IpTIscRIgmerlare" # The proxy settings for updating clair vulnerabilities from the Internet and replicating # artifacts from/to the registries that cannot be reached directly @@ -374,7 +374,7 @@ proxy: # If expose the service via "ingress", the Nginx will not be used nginx: image: - repository: goharbor/nginx-photon + repository: nginx tag: v2.1.3 # set the service account to be used, default if left empty serviceAccountName: "" @@ -391,7 +391,7 @@ nginx: portal: image: - repository: goharbor/harbor-portal + repository: harbor-portal tag: v2.1.3 # set the service account to be used, default if left empty serviceAccountName: "" @@ -408,7 +408,7 @@ portal: core: image: - repository: goharbor/harbor-core + repository: harbor-core tag: v2.1.3 # set the service account to be used, default if left empty serviceAccountName: "" @@ -442,7 +442,7 @@ core: jobservice: image: - repository: goharbor/harbor-jobservice + repository: harbor-jobservice tag: v2.1.3 replicas: 1 # set the service account to be used, default if left empty @@ -469,15 +469,16 @@ registry: serviceAccountName: "" registry: image: - repository: goharbor/registry-photon - tag: v2.1.3 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m + repository: registry + tag: 2.7.1 + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi controller: image: - repository: goharbor/harbor-registryctl + repository: harbor-registryctl tag: v2.1.3 # resources: 
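Review bot: `secretKey: "IpTIscRIgmerlare"` commits a fixed 16-character encryption key to the chart; per the comment above it this is the key Harbor uses for encryption (of stored credentials, among other things), so every deployment from this chart shares one key and anyone with repository access can decrypt those values from a database dump. Generate it per installation instead, e.g. `--set secretKey=$(openssl rand -base64 12 | head -c 16)` or a Secret created out-of-band, and leave the `not-a-secure-key` placeholder in VCS so a forgotten override fails loudly rather than silently sharing a key.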
@@ -524,8 +525,13 @@ chartmuseum: # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' absoluteUrl: false image: - repository: goharbor/chartmuseum-photon + repository: harbor-chartmuseum tag: v2.1.3 + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data replicas: 1 # resources: # requests: @@ -543,7 +549,7 @@ clair: serviceAccountName: "" clair: image: - repository: goharbor/clair-photon + repository: harbor-clair tag: v2.1.3 # resources: # requests: @@ -551,7 +557,7 @@ clair: # cpu: 100m adapter: image: - repository: goharbor/clair-adapter-photon + repository: harbor-clair-adapter tag: v2.1.3 # resources: # requests: @@ -572,7 +578,7 @@ trivy: enabled: true image: # repository the repository for Trivy adapter image - repository: goharbor/trivy-adapter-photon + repository: harbor-trivy-adapter # tag the tag for Trivy adapter image tag: v2.1.3 # set the service account to be used, default if left empty @@ -630,7 +636,7 @@ notary: # set the service account to be used, default if left empty serviceAccountName: "" image: - repository: goharbor/notary-server-photon + repository: harbor-notary-server tag: v2.1.3 replicas: 1 # resources: @@ -641,7 +647,7 @@ notary: # set the service account to be used, default if left empty serviceAccountName: "" image: - repository: goharbor/notary-signer-photon + repository: harbor-notary-signer tag: v2.1.3 replicas: 1 # resources: @@ -669,14 +675,15 @@ database: # set the service account to be used, default if left empty serviceAccountName: "" image: - repository: goharbor/harbor-db + repository: harbor-db tag: v2.1.3 # The initial superuser password for internal database - password: "changeit" - # resources: - # requests: - # memory: 256Mi - # cpu: 100m + password: "spaceIN511" + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi nodeSelector: {} tolerations: [] affinity: {} 
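Review bot: `database.internal.password: "spaceIN511"` reuses the exact string set as `harborAdminPassword` earlier in this file and commits it to the repository, so a leak of either credential is a leak of both and the Postgres superuser password is shared by every cluster deployed from this chart. Keep the `changeit` placeholder in VCS and supply a distinct, generated value per install. Also note the `resources` block moves from commented-out to active here, which changes scheduling for existing users of the chart.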
@@ -715,8 +722,8 @@ redis: # set the service account to be used, default if left empty serviceAccountName: "" image: - repository: goharbor/redis-photon - tag: v2.1.3 + repository: redis + tag: 6.0.9 # resources: # requests: # memory: 256Mi -- 2.26.0
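Review bot: Swapping `goharbor/redis-photon:v2.1.3` for stock `redis:6.0.9` drops whatever configuration Harbor's image bakes in; the `redis.internal` values define no password and the consuming templates assume an unauthenticated in-cluster Redis, so isolation now rests entirely on namespace/NetworkPolicy controls this chart does not ship. Confirm the stock image's defaults (bind address, data directory versus the PVC mount the statefulset uses) match what the statefulset template expects, and document that this Redis must not be reachable from outside the namespace. `6.0.9` also receives the `beagle.arch` suffix on non-amd64, so `redis:6.0.9-<arch>` must exist in the configured hub.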