From 07226806555fc0fe5e774cea89535bd4327b2d62 Mon Sep 17 00:00:00 2001 From: mengkzhaoyun Date: Sat, 17 Aug 2019 18:31:35 +0800 Subject: [PATCH] update 1.9 --- .gitignore | 2 +- .helmignore | 6 +- Chart.yaml | 4 +- LICENSE | 402 ++++++++-------- cert/tls.crt | 28 ++ cert/tls.key | 51 ++ docs/High Availability.md | 2 +- readme.md | 445 ++++++++++-------- templates/_helpers.tpl | 34 +- templates/adminserver/adminserver-cm.yaml | 50 -- templates/adminserver/adminserver-dpl.yaml | 97 ---- .../adminserver/adminserver-secrets.yaml | 15 - templates/adminserver/adminserver-svc.yaml | 11 - templates/chartmuseum/chartmuseum-cm.yaml | 11 +- templates/chartmuseum/chartmuseum-dpl.yaml | 32 +- templates/chartmuseum/chartmuseum-pvc.yaml | 32 ++ templates/clair/clair-dpl.yaml | 2 + templates/clair/clair-svc.yaml | 5 +- templates/common/certificate-secret.yaml | 23 - templates/core/core-cm.yaml | 37 +- templates/core/core-dpl.yaml | 43 +- templates/core/core-secret.yaml | 15 +- templates/core/core-svc.yaml | 3 + templates/database/database-ss.yaml | 56 ++- templates/ingress/ingress.yaml | 73 ++- templates/jobservice/jobservice-cm.yaml | 3 +- templates/jobservice/jobservice-dpl.yaml | 13 +- templates/jobservice/jobservice-pvc.yaml | 29 ++ templates/jobservice/jobservice-secrets.yaml | 2 +- templates/nginx/configmap-http.yaml | 13 + templates/nginx/configmap-https.yaml | 13 + templates/nginx/deployment.yaml | 2 + templates/nginx/service.yaml | 26 +- templates/notary/notary-cm.yaml | 15 +- templates/notary/notary-server.yaml | 23 +- templates/notary/notary-signer.yaml | 22 +- templates/notary/notary-svc.yaml | 3 + templates/portal/service.yaml | 3 + templates/redis/statefulset.yaml | 22 + templates/registry/registry-cm.yaml | 124 ++++- templates/registry/registry-secret.yaml | 7 +- values.yaml | 148 ++++-- 42 files changed, 1165 insertions(+), 782 deletions(-) create mode 100644 cert/tls.crt create mode 100644 cert/tls.key delete mode 100644 templates/adminserver/adminserver-cm.yaml delete mode 100644 templates/adminserver/adminserver-dpl.yaml delete mode 100644 templates/adminserver/adminserver-secrets.yaml delete mode 100644 templates/adminserver/adminserver-svc.yaml create mode 100644 templates/chartmuseum/chartmuseum-pvc.yaml delete mode 100644 templates/common/certificate-secret.yaml create mode 100644 templates/jobservice/jobservice-pvc.yaml diff --git a/.gitignore b/.gitignore index abc98e0..79bd21b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -charts/* +charts/* requirements.lock \ No newline at end of file diff --git a/.helmignore b/.helmignore index 632a574..ca8d4fc 100644 --- a/.helmignore +++ b/.helmignore @@ -1,4 +1,4 @@ -docs/* -.git/* -.gitignore +docs/* +.git/* +.gitignore CONTRIBUTING.md \ No newline at end of file diff --git a/Chart.yaml b/Chart.yaml index 01174c6..8980837 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,6 +1,6 @@ name: harbor -version: 1.0.0 -appVersion: v1.7.5 +version: 1.1.1 +appVersion: 1.8.1 description: An open source trusted cloud native registry that stores, signs, and scans content keywords: - docker diff --git a/LICENSE b/LICENSE index 261eeb9..29f81d8 100644 --- a/LICENSE +++ b/LICENSE @@ -1,201 +1,201 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/cert/tls.crt b/cert/tls.crt new file mode 100644 index 0000000..de4aa3e --- /dev/null +++ b/cert/tls.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw +NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o +F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr +PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT +RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q +LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp +UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q +w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc +jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr +vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d +1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN +2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA +AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA +FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS +Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA +er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY +Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ +qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n +KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB +Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2 +52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1 +2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F +5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX +jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe +-----END CERTIFICATE----- diff --git a/cert/tls.key b/cert/tls.key new file mode 100644 index 0000000..014e2fa --- /dev/null +++ b/cert/tls.key @@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o +F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr +PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT +RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q +LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp +UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q +w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc +jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr +vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d +1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN +2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA +AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/ +k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4 +MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu +XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz +ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5 +F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K +F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97 +b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5 +fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ +yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um +lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW +YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+ +viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1 +pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+ +/wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA +So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt +DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3 +YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn +IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW +gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf +Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC +oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb +FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN +c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn +YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf +Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl +IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ +rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi +vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj +yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g +1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil +u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M +BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK +OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y +AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e +Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh +cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q +OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04 +-----END RSA PRIVATE KEY----- diff --git a/docs/High Availability.md b/docs/High Availability.md index e651673..6bd48f1 100644 --- a/docs/High Availability.md +++ b/docs/High Availability.md @@ -53,7 +53,7 @@ Configure the followings items in `values.yaml`, you can also set them as parame If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`. - **Replica** - Set `portal.replicas`, `adminserver.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2). + Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2). ### Installation Install the Harbor helm chart with a release name `my-release`: diff --git a/readme.md b/readme.md index 62e53e2..dfbef06 100644 --- a/readme.md +++ b/readme.md @@ -1,60 +1,80 @@ # Helm Chart for Harbor -**Notes:** The master branch is in heavy development, please use the codes on other branch instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. ## Introduction + This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. ## Prerequisites + - Kubernetes cluster 1.10+ - Helm 2.8.0+ ## Installation -### Download the chart -Download Harbor helm chart code. -```bash -git clone https://github.com/goharbor/harbor-helm -``` -Checkout the branch. + +### Add Helm repository + ```bash -cd harbor-helm -git checkout branch_name +helm repo add harbor https://helm.goharbor.io ``` + ### Configure the chart -The following items can be configured in `values.yaml` or set via `--set` flag during installation. + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly(need to download the chart first). #### Configure the way how to expose Harbor service: + - **Ingress**: The ingress controller must be installed in the Kubernetes cluster. -**Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail. -- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. -- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. + **Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. #### Configure the external URL -The external URL for Harbor core service is used to: -1) populate the docker/helm commands showed on portal -2) populate the token service URL returned to docker/notary client -Format: `protocol://domain[:port]`. Usually: -- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` -- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` -- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker/notary client + +Format: `protocol://domain[:port]`. Usually: -If Harbor is deployed behind the proxy, set it as the URL of proxy. +- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. #### Configure the way how to persistent data: + - **Disable**: The data does not survive the termination of a pod. - **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. -- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the secrets + +- **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure. +- **Certificates**: + - *notary*: Used for authentication during communications. Fill `notary.secretName` to configure. Notary server certificate must be issued with notary service name as subject alternative name. + - *core*: Used for token encryption/decryption. Fill `core.secretName` to configure. + +Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)). + #### Configure the other items listed in [configuration](#configuration) section. ### Install the chart + Install the Harbor helm chart with a release name `my-release`: + ```bash -helm install --name my-release . +helm install --name my-release harbor/harbor ``` ## Uninstallation + To uninstall/delete the `my-release` deployment: ```bash @@ -62,190 +82,199 @@ helm delete --purge my-release ``` ## Configuration + The following table lists the configurable parameters of the Harbor chart and the default values. -| Parameter | Description | Default | -| ----------------------- | ---------------------------------- | ----------------------- | -| **Expose** | -|`expose.type`|The way how to expose the service: `ingress`, `clusterIP` or `nodePort`|`ingress`| -|`expose.tls.enabled`|Enable the tls or not|`true`| -|`expose.tls.secretName`|Fill the name of secret if you want to use your own TLS certificate and private key. The secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. The certificate and private key will be generated automatically if it is not set|| -|`expose.tls.notarySecretName`|By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the `expose.type` is `ingress`.|| -|`expose.tls.commonName`|The common name used to generate the certificate, it's necessary when the `expose.type` is `clusterIP` or `nodePort` and `expose.tls.secretName` is null|| -| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | -| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` | -| `expose.ingress.annotations` | The annotations used in ingress || -| `expose.clusterIP.name` | The name of ClusterIP service |`harbor`| -| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP |`80`| -| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS |`443`| -| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` |`4443`| -| `expose.nodePort.name` | The name of NodePort service |`harbor`| -| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP |`80`| -| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP |`30002`| -| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS |`443`| -| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS |`30003`| -| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` |`4443`| -| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` |`30004`| -| **Persistence** | -| `persistence.enabled` | Enable the data persistence or not | `true` | -| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` | -| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound | | -|`persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -|`persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | -|`persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | -|`persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | -|`persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound | | -|`persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -|`persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | | -|`persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` | -|`persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` | -|`persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound | | -|`persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -|`persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | | -|`persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` | -|`persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` | -|`persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound. If external database is used, the setting will be ignored | | -|`persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | -|`persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | -|`persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | -|`persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | -|`persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound. If external Redis is used, the setting will be ignored | | -|`persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | -|`persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | -|`persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | -|`persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | -|`persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` | -| | -| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | -| `imagePullPolicy` | The image pull policy | `IfNotPresent` | -| `logLevel` | The log level | `debug` | -| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | -| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | -| **Nginx**(if expose the service via `ingress`, the Nginx will not be used) | -| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | -| `nginx.image.tag` | Image tag | `dev` | -| `nginx.replicas` | The replica count | `1` | -| `nginx.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | -| `nginx.tolerations` | Tolerations for pod assignment | `[]` | -| `nginx.affinity` | Node/Pod affinities | `{}` | -| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | -| **Portal** | -| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | -| `portal.image.tag` | Tag for portal image | `dev` | -| `portal.replicas` | The replica count | `1` | -| `portal.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `portal.nodeSelector` | Node labels for pod assignment | `{}` | -| `portal.tolerations` | Tolerations for pod assignment | `[]` | -| `portal.affinity` | Node/Pod affinities | `{}` | -| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | -| **Core** | -| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | -| `core.image.tag` | Tag for Harbor core image | `dev` | -| `core.replicas` | The replica count | `1` | -| `core.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `core.nodeSelector` | Node labels for pod assignment | `{}` | -| `core.tolerations` | Tolerations for pod assignment | `[]` | -| `core.affinity` | Node/Pod affinities | `{}` | -| `core.podAnnotations` | Annotations to add to the core pod | `{}` | -| **Adminserver** | -| `adminserver.image.repository` | Repository for adminserver image | `goharbor/harbor-adminserver` | -| `adminserver.image.tag` | Tag for adminserver image | `dev` | -| `adminserver.replicas` | The replica count | `1` | -| `adminserver.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `adminserver.nodeSelector` | Node labels for pod assignment | `{}` | -| `adminserver.tolerations` | Tolerations for pod assignment | `[]` | -| `adminserver.affinity` | Node/Pod affinities | `{}` | -| `adminserver.podAnnotations` | Annotations to add to the adminserver pod | `{}` | -| **Jobservice** | -| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | -| `jobservice.image.tag` | Tag for jobservice image | `dev` | -| `jobservice.replicas` | The replica count | `1` | -| `jobservice.maxJobWorkers` | The max job workers | `10` | -| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | -| `jobservice.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | -| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | -| `jobservice.affinity` | Node/Pod affinities | `{}` | -| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | -| **Registry** | -| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | -| `registry.registry.image.tag` | Tag for registry image | `dev` | -| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | -| `registry.controller.image.tag` | Tag for registry controller image | `dev` | -| `registry.replicas` | The replica count | `1` | -| `registry.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `registry.nodeSelector` | Node labels for pod assignment | `{}` | -| `registry.tolerations` | Tolerations for pod assignment | `[]` | -| `registry.affinity` | Node/Pod affinities | `{}` | -| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | -| **Chartmuseum** | -| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | -| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | -| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` | -| `chartmuseum.replicas` | The replica count | `1` | -| `chartmuseum.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` | -| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | -| `chartmuseum.affinity` | Node/Pod affinities | `{}` | -| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | -| **Clair** | -| `clair.enabled` | Enable Clair | `true` | -| `clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | -| `clair.image.tag` | Tag for clair image | `dev` -| `clair.replicas` | The replica count | `1` | -| `clair.httpProxy` | The HTTP proxy used to update vulnerabilities database from internet || -| `clair.httpsProxy` | The HTTPS proxy used to update vulnerabilities database from internet || -| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` | -| `clair.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined -| `clair.nodeSelector` | Node labels for pod assignment | `{}` | -| `clair.tolerations` | Tolerations for pod assignment | `[]` | -| `clair.affinity` | Node/Pod affinities | `{}` | -| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` | -| **Notary** | -| `notary.enabled` | Enable Notary? | `true` | -| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | -| `notary.server.image.tag` | Tag for notary server image | `dev` -| `notary.server.replicas` | The replica count | `1` | -| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | -| `notary.signer.image.tag` | Tag for notary signer image | `dev` -| `notary.signer.replicas` | The replica count | `1` | -| `notary.nodeSelector` | Node labels for pod assignment | `{}` | -| `notary.tolerations` | Tolerations for pod assignment | `[]` | -| `notary.affinity` | Node/Pod affinities | `{}` | -| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | -| **Database** | -| `database.type` | If external database is used, set it to `external` | `internal` | -| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | -| `database.internal.image.tag` | Tag for database image | `dev` | -| `database.internal.password` | The password for database | `changeit` | -| `database.internal.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `database.internal.affinity` | Node/Pod affinities | `{}` | -| `database.external.host` | The hostname of external database | `192.168.0.1` | -| `database.external.port` | The port of external database | `5432` | -| `database.external.username` | The username of external database | `user` | -| `database.external.password` | The password of external database | `password` | -| `database.external.coreDatabase` | The database used by core service | `registry` | -| `database.external.clairDatabase` | The database used by clair | `clair` | -| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | -| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | -| `database.external.sslmode` | Connection method of external database (require|prefer|disable) | `disable`| -| `database.podAnnotations` | Annotations to add to the database pod | `{}` | -| **Redis** | -| `redis.type` | If external redis is used, set it to `external` | `internal` | -| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | -| `redis.internal.image.tag` | Tag for redis image | `dev` | -| `redis.internal.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | -| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.internal.affinity` | Node/Pod affinities | `{}` | -| `redis.external.host` | The hostname of external Redis | `192.168.0.2` | -| `redis.external.port` | The port of external Redis | `6379` | -| `redis.external.coreDatabaseIndex` | The database index for core | `0` | -| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | -| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | -| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | -| `redis.external.password` | The password of external Redis | | -| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| Parameter | Description | Default | +| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | +| **Expose** | +| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable the tls or not | `true` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce` and `ncp` | `default` | +| `expose.tls.secretName` | Fill the name of secret if you want to use your own TLS certificate and private key. The secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. The certificate and private key will be generated automatically if it is not set | | +| `expose.tls.notarySecretName` | By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the `expose.type` is `ingress`. | | +| `expose.tls.commonName` | The common name used to generate the certificate, it's necessary when the `expose.type` is `clusterIP` or `nodePort` and `expose.tls.secretName` is null | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` | +| `expose.ingress.annotations` | The annotations used in ingress | | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `443` | +| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` | +| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` | +| `expose.loadBalancer.name` | The name of service |`harbor`| +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It works only when loadBalancer support assigning IP |`""`| +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving with HTTP |`80`| +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving with HTTP |`30002`| +| `expose.loadBalancer.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true`| +| **Persistence** | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` | +| **General** | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `imagePullPolicy` | The image pull policy | `IfNotPresent` | +| `logLevel` | The log level | `debug` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| **Portal** | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| **Core** | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| **Jobservice** | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | | `dev` | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | | `dev` | +| `registry.replicas` | The replica count | `1` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Chartmuseum** | +| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | +| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | +| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` | +| `chartmuseum.replicas` | The replica count | `1` | +| `chartmuseum.resources` | The [resources] to allocate for container | undefined | +| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` | +| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | +| `chartmuseum.affinity` | Node/Pod affinities | `{}` | +| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | +| **Clair** | +| `clair.enabled` | Enable Clair | `true` | +| `clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | +| `clair.image.tag` | Tag for clair image | `dev` | +| `clair.replicas` | The replica count | `1` | +| `clair.httpProxy` | The HTTP proxy used to update vulnerabilities database from internet | | +| `clair.httpsProxy` | The HTTPS proxy used to update vulnerabilities database from internet | | +| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` | +| `clair.resources` | The [resources] to allocate for container | undefined | +| `clair.nodeSelector` | Node labels for pod assignment | `{}` | +| `clair.tolerations` | Tolerations for pod assignment | `[]` | +| `clair.affinity` | Node/Pod affinities | `{}` | +| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` | +| **Notary** | +| `notary.enabled` | Enable Notary? | `true` | +| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | +| `notary.server.image.tag` | Tag for notary server image | `dev` | +| `notary.server.replicas` | The replica count | +| `notary.server.resources` | The [resources] to allocate for container | undefined | | `1` | +| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | +| `notary.signer.image.tag` | Tag for notary signer image | `dev` | +| `notary.signer.replicas` | The replica count | +| `notary.signer.resources` | The [resources] to allocate for container | undefined | | `1` | +| `notary.nodeSelector` | Node labels for pod assignment | `{}` | +| `notary.tolerations` | Tolerations for pod assignment | `[]` | +| `notary.affinity` | Node/Pod affinities | `{}` | +| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | +| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | +| **Database** | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.clairDatabase` | The database used by clair | `clair` | +| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | +| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | +| `database.external.sslmode` | Connection method of external database (require | prefer | disable) | `disable` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.external.host` | The hostname of external Redis | `192.168.0.2` | +| `redis.external.port` | The port of external Redis | `6379` | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | +| `redis.external.password` | The password of external Redis | | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 55288f3..ffe0142 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -13,7 +13,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this */}} {{- define "harbor.fullname" -}} {{- $name := default "harbor" .Values.nameOverride -}} -{{- printf "%s" .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Helm required labels */}} @@ -21,11 +21,13 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this heritage: {{ .Release.Service }} release: {{ .Release.Name }} chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" {{- end -}} {{/* matchLabels */}} {{- define "harbor.matchLabels" -}} release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" {{- end -}} {{- define "harbor.autoGenCert" -}} @@ -84,6 +86,10 @@ release: {{ .Release.Name }} {{- end -}} {{- end -}} +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + {{- define "harbor.database.encryptedPassword" -}} {{- include "harbor.database.rawPassword" . | b64enc | quote -}} {{- end -}} @@ -129,15 +135,15 @@ release: {{ .Release.Name }} {{- end -}} {{- define "harbor.database.clair" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} {{- end -}} {{- define "harbor.database.notaryServer" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} {{- end -}} {{- define "harbor.database.notarySigner" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} {{- end -}} {{- define "harbor.redis.host" -}} @@ -194,10 +200,16 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab {{- end -}} {{- end -}} +{{- define "harbor.redis.escapedRawPassword" -}} + {{- if (include "harbor.redis.rawPassword" . ) -}} + {{- include "harbor.redis.rawPassword" . | urlquery | replace "+" "%20" -}} + {{- end -}} +{{- end -}} + {{/*the username redis is used for a placeholder as no username needed in redis*/}} {{- define "harbor.redisForJobservice" -}} - {{- if (include "harbor.redis.rawPassword" . ) -}} - {{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.rawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.jobserviceDatabaseIndex" . ) }} + {{- if (include "harbor.redis.escapedRawPassword" . ) -}} + {{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.escapedRawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.jobserviceDatabaseIndex" . ) }} {{- else }} {{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.jobserviceDatabaseIndex" . }} {{- end -}} @@ -205,8 +217,8 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab {{/*the username redis is used for a placeholder as no username needed in redis*/}} {{- define "harbor.redisForGC" -}} - {{- if (include "harbor.redis.rawPassword" . ) -}} - {{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.rawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.registryDatabaseIndex" . ) }} + {{- if (include "harbor.redis.escapedRawPassword" . ) -}} + {{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.escapedRawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.registryDatabaseIndex" . ) }} {{- else }} {{- printf "redis://%s:%s/%s" (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.registryDatabaseIndex" . ) -}} {{- end -}} @@ -232,10 +244,6 @@ host:port,pool_size,password {{- printf "%s-redis" (include "harbor.fullname" .) -}} {{- end -}} -{{- define "harbor.adminserver" -}} - {{- printf "%s-adminserver" (include "harbor.fullname" .) -}} -{{- end -}} - {{- define "harbor.jobservice" -}} {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} {{- end -}} @@ -269,5 +277,5 @@ host:port,pool_size,password {{- end -}} {{- define "harbor.ingress" -}} - {{- printf "%s" (include "harbor.fullname" .) -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} {{- end -}} \ No newline at end of file diff --git a/templates/adminserver/adminserver-cm.yaml b/templates/adminserver/adminserver-cm.yaml deleted file mode 100644 index ae40999..0000000 --- a/templates/adminserver/adminserver-cm.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.adminserver" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: adminserver -data: - DATABASE_TYPE: "postgresql" - POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" - POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" - POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" - POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" - POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" - EXT_ENDPOINT: "{{ .Values.externalURL }}" - CORE_URL: "http://{{ template "harbor.core" . }}" - JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice" - REGISTRY_URL: "http://{{ template "harbor.registry" . }}:5000" - TOKEN_SERVICE_URL: "http://{{ template "harbor.core" . }}/service/token" - WITH_NOTARY: "{{ .Values.notary.enabled }}" - NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" - LOG_LEVEL: "{{ .Values.logLevel }}" - IMAGE_STORE_PATH: "/" # This is a temporary hack. - CFG_EXPIRATION: "5" - ADMIRAL_URL: "NA" - RESET: "false" - WITH_CLAIR: "{{ .Values.clair.enabled }}" - CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}" - CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}" - CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}" - CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}" - CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060" - CLAIR_DB_SSLMODE: "{{ template "harbor.database.sslmode" . }}" - UAA_ENDPOINT: "" - UAA_CLIENTID: "" - UAA_CLIENTSECRET: "" - UAA_VERIFY_CERT: "True" - REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" - WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" - CHART_REPOSITORY_URL: "http://{{ template "harbor.chartmuseum" . }}" - # The following properties have no default value in Harbor core if not - # set via env. They should be removed after the refactoring: - # AUTH_MODE, SELF_REGISTRATION, PROJECT_CREATION_RESTRICTION - AUTH_MODE: "db_auth" - SELF_REGISTRATION: "on" - PROJECT_CREATION_RESTRICTION: "everyone" - TOKEN_EXPIRATION: "30" - EMAIL_HOST: "smtp.mydomain.com" - EMAIL_FROM: "admin " - EMAIL_PORT: "25" \ No newline at end of file diff --git a/templates/adminserver/adminserver-dpl.yaml b/templates/adminserver/adminserver-dpl.yaml deleted file mode 100644 index f7429de..0000000 --- a/templates/adminserver/adminserver-dpl.yaml +++ /dev/null @@ -1,97 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.adminserver" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: adminserver -spec: - replicas: {{ .Values.adminserver.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - app: adminserver - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: adminserver - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/adminserver/adminserver-cm.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/adminserver/adminserver-secrets.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} - checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} -{{- if .Values.adminserver.podAnnotations }} -{{ toYaml .Values.adminserver.podAnnotations | indent 8 }} -{{- end }} - spec: - containers: - - name: adminserver - image: "{{ .Values.adminserver.image.repository }}:{{ .Values.adminserver.image.tag }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /api/ping - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/ping - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 10 - resources: -{{ toYaml .Values.adminserver.resources | indent 10 }} - envFrom: - - configMapRef: - name: "{{ template "harbor.adminserver" . }}" - - secretRef: - name: "{{ template "harbor.adminserver" . }}" - env: - - name: PORT - value: "8080" - - name: JSON_CFG_STORE_PATH - value: /etc/adminserver/config/config.json - - name: KEY_PATH - value: /etc/adminserver/key - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.core" . }}" - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.jobservice" . }}" - key: secret - ports: - - containerPort: 8080 - volumeMounts: - - name: adminserver-key - mountPath: /etc/adminserver/key - subPath: key - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - - name: adminserver-key - secret: - secretName: "{{ template "harbor.adminserver" . }}" - items: - - key: secretKey - path: key - {{- with .Values.adminserver.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.adminserver.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.adminserver.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} \ No newline at end of file diff --git a/templates/adminserver/adminserver-secrets.yaml b/templates/adminserver/adminserver-secrets.yaml deleted file mode 100644 index 62bf3d2..0000000 --- a/templates/adminserver/adminserver-secrets.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.adminserver" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: adminserver -type: Opaque -data: - secretKey: {{ .Values.secretKey | b64enc | quote }} - HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} - POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} -{{ if .Values.clair.enabled }} - CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} -{{ end }} diff --git a/templates/adminserver/adminserver-svc.yaml b/templates/adminserver/adminserver-svc.yaml deleted file mode 100644 index f2f7249..0000000 --- a/templates/adminserver/adminserver-svc.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.adminserver" . }}" -spec: - ports: - - port: 80 - targetPort: 8080 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - app: adminserver \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-cm.yaml b/templates/chartmuseum/chartmuseum-cm.yaml index 52482ef..7498b66 100644 --- a/templates/chartmuseum/chartmuseum-cm.yaml +++ b/templates/chartmuseum/chartmuseum-cm.yaml @@ -22,11 +22,11 @@ data: DISABLE_API: "false" DISABLE_STATEFILES: "false" ALLOW_OVERWRITE: "true" - CHART_URL: + #CHART_URL: {{ .Values.externalURL }}/chartrepo AUTH_ANONYMOUS_GET: "false" - TLS_CERT: - TLS_KEY: - CONTEXT_PATH: + TLS_CERT: "" + TLS_KEY: "" + CONTEXT_PATH: "" INDEX_LIMIT: "0" MAX_STORAGE_OBJECTS: "0" MAX_UPLOAD_SIZE: "20971520" @@ -45,6 +45,7 @@ data: {{- else if eq $storageType "gcs" }} STORAGE: "google" STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} + GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json {{- if $storage.gcs.rootdirectory }} STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} {{- end }} @@ -95,4 +96,4 @@ data: {{- end }} ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml index 5560d3b..cda9155 100644 --- a/templates/chartmuseum/chartmuseum-dpl.yaml +++ b/templates/chartmuseum/chartmuseum-dpl.yaml @@ -20,13 +20,11 @@ spec: annotations: checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} {{- if .Values.chartmuseum.podAnnotations }} {{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }} {{- end }} spec: - tolerations: - - effect: NoSchedule - operator: Exists containers: - name: chartmuseum image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }} @@ -43,8 +41,10 @@ spec: port: 9999 initialDelaySeconds: 1 periodSeconds: 10 +{{- if .Values.chartmuseum.resources }} resources: {{ toYaml .Values.chartmuseum.resources | indent 10 }} +{{- end }} envFrom: - configMapRef: name: "{{ template "harbor.chartmuseum" . }}" @@ -61,15 +61,33 @@ spec: volumeMounts: - name: chartmuseum-data mountPath: /chart_storage + subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }} - name: etc-localtime - mountPath: /etc/localtime + mountPath: /etc/localtime + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + - name: gcs-key + mountPath: /etc/chartmuseum/gcs-key.json + subPath: gcs-key.json + {{- end }} volumes: - name: etc-localtime hostPath: - path: /etc/localtime + path: /etc/localtime - name: chartmuseum-data - hostPath: - path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/chartmuseum + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + - name: gcs-key + secret: + secretName: {{ template "harbor.registry" . }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} {{- with .Values.chartmuseum.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/templates/chartmuseum/chartmuseum-pvc.yaml b/templates/chartmuseum/chartmuseum-pvc.yaml new file mode 100644 index 0000000..a4c5527 --- /dev/null +++ b/templates/chartmuseum/chartmuseum-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.chartmuseum.enabled }} +{{- $persistence := .Values.persistence -}} +{{- if $persistence.enabled }} +{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}} +{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.chartmuseum" . }} + {{- if eq $persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + app: chartmuseum +spec: + accessModes: + - {{ $chartmuseum.accessMode }} + resources: + requests: + storage: {{ $chartmuseum.size }} + {{- if $chartmuseum.storageClass }} + {{- if eq "-" $chartmuseum.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $chartmuseum.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/clair/clair-dpl.yaml b/templates/clair/clair-dpl.yaml index c12492e..7d5f134 100644 --- a/templates/clair/clair-dpl.yaml +++ b/templates/clair/clair-dpl.yaml @@ -51,8 +51,10 @@ spec: {{- end }} - name: NO_PROXY value: "{{ template "harbor.registry" . }},{{ template "harbor.core" . }}" +{{- if .Values.clair.resources }} resources: {{ toYaml .Values.clair.resources | indent 10 }} +{{- end }} ports: - containerPort: 6060 volumeMounts: diff --git a/templates/clair/clair-svc.yaml b/templates/clair/clair-svc.yaml index 9a2a805..ced23e0 100644 --- a/templates/clair/clair-svc.yaml +++ b/templates/clair/clair-svc.yaml @@ -7,7 +7,10 @@ metadata: {{ include "harbor.labels" . | indent 4 }} spec: ports: - - port: 6060 + - name: clair + port: 6060 + - name: health + port: 6061 selector: {{ include "harbor.matchLabels" . | indent 4 }} app: clair diff --git a/templates/common/certificate-secret.yaml b/templates/common/certificate-secret.yaml deleted file mode 100644 index a93dd2f..0000000 --- a/templates/common/certificate-secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if eq (include "harbor.autoGenCert" .) "true" }} -{{- $cn := (required "The \"expose.tls.commonName\" is required!" (include "harbor.common-name" .)) }} -{{- $ca := genCA "harbor-ca" 365 }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.certificate" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} - {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- else }} - {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml index f584502..e7508bb 100644 --- a/templates/core/core-cm.yaml +++ b/templates/core/core-cm.yaml @@ -7,8 +7,41 @@ metadata: data: app.conf: |+ appname = Harbor - runmode = prod + runmode = dev enablegzip = true - [prod] + [dev] httpport = 8080 + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "http://{{ template "harbor.core" . }}" + JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice" + REGISTRY_URL: "http://{{ template "harbor.registry" . }}:5000" + TOKEN_SERVICE_URL: "http://{{ template "harbor.core" . }}/service/token" + WITH_NOTARY: "{{ .Values.notary.enabled }}" + NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" + CFG_EXPIRATION: "5" + WITH_CLAIR: "{{ .Values.clair.enabled }}" + CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}" + CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}" + CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}" + CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}" + CLAIR_DB_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" + CHART_REPOSITORY_URL: "http://{{ template "harbor.chartmuseum" . }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + SYNC_REGISTRY: "false" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL: "{{ template "harbor.redisForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redisForGC" . }}" + PORTAL_URL: "http://{{ template "harbor.portal" . }}" + REGISTRYCTL_URL: "http://{{ template "harbor.registry" . }}:8080" + CLAIR_HEALTH_CHECK_SERVER_URL: "http://{{ template "harbor.clair" . }}:6061" \ No newline at end of file diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 81e86f5..0b0397b 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -19,6 +19,7 @@ spec: annotations: checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} {{- if .Values.core.podAnnotations }} {{ toYaml .Values.core.podAnnotations | indent 8 }} {{- end }} @@ -39,6 +40,11 @@ spec: port: 8080 initialDelaySeconds: 20 periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" env: - name: CORE_SECRET valueFrom: @@ -50,20 +56,6 @@ spec: secretKeyRef: name: "{{ template "harbor.jobservice" . }}" key: secret - - name: _REDIS_URL - value: {{ template "harbor.redisForCore" . }} - - name: _REDIS_URL_REG - value: {{ template "harbor.redisForGC" . }} - - name: LOG_LEVEL - value: {{ .Values.logLevel }} - - name: CONFIG_PATH - value: /etc/core/app.conf - - name: SYNC_REGISTRY - value: "false" - - name: ADMINSERVER_URL - value: "http://{{ template "harbor.adminserver" . }}" - - name: CHART_CACHE_DRIVER - value: "redis" ports: - containerPort: 8080 volumeMounts: @@ -75,20 +67,19 @@ spec: subPath: key - name: token-service-private-key mountPath: /etc/core/private_key.pem - subPath: tokenServicePrivateKey - - name: etc-localtime - mountPath: /etc/localtime - {{- if eq (include "harbor.autoGenCert" .) "true" }} + subPath: tls.key + {{- if .Values.expose.tls.enabled }} - name: ca-download mountPath: /etc/core/ca/ca.crt subPath: ca.crt {{- end }} - name: psc mountPath: /etc/core/token +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ template "harbor.core" . }} @@ -100,14 +91,20 @@ spec: path: key - name: token-service-private-key secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} secretName: {{ template "harbor.core" . }} - {{- if eq (include "harbor.autoGenCert" .) "true" }} + {{- end }} + {{- if .Values.expose.tls.enabled }} - name: ca-download secret: {{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} secretName: "{{ template "harbor.ingress" . }}" - {{- else }} + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} secretName: {{ template "harbor.nginx" . }} + {{- else }} + secretName: {{ .Values.expose.tls.secretName }} {{- end }} items: - key: ca.crt diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index d84c8f5..543b870 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -1,4 +1,3 @@ -{{- $cert := genSelfSignedCert "harbor" nil nil 365 }} apiVersion: v1 kind: Secret metadata: @@ -8,7 +7,13 @@ metadata: type: Opaque data: secretKey: {{ .Values.secretKey | b64enc | quote }} - secret: {{ randAlphaNum 16 | b64enc | quote }} - tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }} - tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }} - \ No newline at end of file + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} +{{- if not .Values.core.secretName }} + tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }} + tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} +{{- end }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- if .Values.clair.enabled }} + CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} \ No newline at end of file diff --git a/templates/core/core-svc.yaml b/templates/core/core-svc.yaml index 3bc43e2..c2aee80 100644 --- a/templates/core/core-svc.yaml +++ b/templates/core/core-svc.yaml @@ -5,6 +5,9 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} ports: - port: 80 targetPort: 8080 diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index b2ac8f5..dfc2ee7 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -1,4 +1,5 @@ {{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} apiVersion: apps/v1 kind: StatefulSet metadata: @@ -30,6 +31,7 @@ spec: initContainers: - name: "remove-lost-found" image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] volumeMounts: - name: data @@ -42,7 +44,7 @@ spec: exec: command: - /docker-healthcheck.sh - initialDelaySeconds: 1 + initialDelaySeconds: 60 periodSeconds: 10 readinessProbe: exec: @@ -50,16 +52,32 @@ spec: - /docker-healthcheck.sh initialDelaySeconds: 1 periodSeconds: 10 +{{- if .Values.database.internal.resources }} resources: {{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} envFrom: - secretRef: name: "{{ template "harbor.database" . }}" volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - name: etc-localtime mountPath: /etc/localtime + - name: data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + volumes: + - name: etc-localtime + hostPath: + path: /etc/localtime + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $database.existingClaim }} + volumes: + - name: "data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} {{- with .Values.database.internal.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} @@ -71,26 +89,24 @@ spec: {{- with .Values.database.internal.tolerations }} tolerations: {{ toYaml . | indent 8 }} - {{- end }} - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - {{- if .Values.database.internal.storageSpec.hostPath }} - - name: data - hostPath: - path: {{.Values.database.internal.storageSpec.root | default "/data" }}/{{ .Release.Namespace }}/{{ .Release.Name }}/database - {{- else if .Values.database.internal.storageSpec.emptyDir }} - - name: data - emptyDir: {} - {{- else if .Values.database.internal.storageSpec.volumeClaimTemplate }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} volumeClaimTemplates: - metadata: name: "data" - labels: + labels: {{ include "harbor.labels" . | indent 8 }} - app: database spec: -{{ toYaml $.Values.database.internal.storageSpec.volumeClaimTemplate.spec | indent 6 }} + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} {{- end }} -{{- end -}} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml index 8c358b2..d72bc92 100644 --- a/templates/ingress/ingress.yaml +++ b/templates/ingress/ingress.yaml @@ -1,6 +1,28 @@ {{- if eq .Values.expose.type "ingress" }} {{- $ingress := .Values.expose.ingress -}} {{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} +{{- end }} apiVersion: extensions/v1beta1 kind: Ingress metadata: @@ -12,60 +34,73 @@ metadata: spec: {{- if $tls.enabled }} tls: - - hosts: - - {{ $ingress.hosts.core }} {{- if $tls.secretName }} - secretName: {{ $tls.secretName }} + - secretName: {{ $tls.secretName }} {{- else }} - secretName: "{{ template "harbor.ingress" . }}" + - secretName: "{{ template "harbor.ingress" . }}" + {{- end }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} {{- end }} {{- if .Values.notary.enabled }} - - hosts: - - {{ $ingress.hosts.notary }} {{- if $tls.notarySecretName }} - secretName: {{ $tls.notarySecretName }} + - secretName: {{ $tls.notarySecretName }} {{- else if $tls.secretName }} - secretName: {{ $tls.secretName }} + - secretName: {{ $tls.secretName }} {{- else }} - secretName: "{{ template "harbor.ingress" . }}" + - secretName: "{{ template "harbor.ingress" . }}" + {{- end }} + {{- if $ingress.hosts.notary }} + hosts: + - {{ $ingress.hosts.notary }} {{- end }} {{- end }} {{- end }} + {{- if eq .Values.expose.ingress.controller "ncp" }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: 80 + {{- end }} rules: - - host: {{ $ingress.hosts.core }} - http: + - http: paths: - - path: / + - path: {{ .portal_path }} backend: serviceName: {{ template "harbor.portal" . }} servicePort: 80 - - path: /api/ + - path: {{ .api_path }} backend: serviceName: {{ template "harbor.core" . }} servicePort: 80 - - path: /service/ + - path: {{ .service_path }} backend: serviceName: {{ template "harbor.core" . }} servicePort: 80 - - path: /v2/ + - path: {{ .v2_path }} backend: serviceName: {{ template "harbor.core" . }} servicePort: 80 - - path: /chartrepo/ + - path: {{ .chartrepo_path }} backend: serviceName: {{ template "harbor.core" . }} servicePort: 80 - - path: /c/ + - path: {{ .controller_path }} backend: serviceName: {{ template "harbor.core" . }} servicePort: 80 + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} {{- if .Values.notary.enabled }} - - host: {{ $ingress.hosts.notary }} - http: + - http: paths: - path: / backend: serviceName: {{ template "harbor.notary-server" . }} servicePort: 4443 + {{- if $ingress.hosts.notary }} + host: {{ $ingress.hosts.notary }} + {{- end }} {{- end }} {{- end }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-cm.yaml b/templates/jobservice/jobservice-cm.yaml index ee1ad52..2faa9cc 100644 --- a/templates/jobservice/jobservice-cm.yaml +++ b/templates/jobservice/jobservice-cm.yaml @@ -36,5 +36,4 @@ data: #Loggers for the job service loggers: - name: "STD_OUTPUT" - level: {{ .Values.logLevel | upper }} - admin_server: "http://{{ template "harbor.adminserver" . }}" + level: {{ .Values.logLevel | upper }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index 9cc75f9..17ae35d 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -19,6 +19,7 @@ spec: annotations: checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} {{- if .Values.jobservice.podAnnotations }} {{ toYaml .Values.jobservice.podAnnotations | indent 8 }} {{- end }} @@ -39,8 +40,10 @@ spec: port: 8080 initialDelaySeconds: 20 periodSeconds: 10 +{{- if .Values.jobservice.resources }} resources: {{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} env: - name: CORE_SECRET valueFrom: @@ -52,8 +55,8 @@ spec: secretKeyRef: name: "{{ template "harbor.jobservice" . }}" key: secret - - name: ADMINSERVER_URL - value: "http://{{ template "harbor.adminserver" . }}" + - name: CORE_URL + value: "http://{{ template "harbor.core" . }}" - name: REGISTRY_CONTROLLER_URL value: "http://{{ template "harbor.registry" . }}:8080" - name: LOG_LEVEL @@ -66,12 +69,8 @@ spec: subPath: config.yml - name: job-logs mountPath: /var/log/jobs - - name: etc-localtime - mountPath: /etc/localtime + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }} volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: jobservice-config configMap: name: "{{ template "harbor.jobservice" . }}" diff --git a/templates/jobservice/jobservice-pvc.yaml b/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000..4525318 --- /dev/null +++ b/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,29 @@ +{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}} +{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }} +{{- if eq .Values.jobservice.jobLogger "file" }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + app: jobservice +spec: + accessModes: + - {{ $jobservice.accessMode }} + resources: + requests: + storage: {{ $jobservice.size }} + {{- if $jobservice.storageClass }} + {{- if eq "-" $jobservice.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobservice.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index cbaad34..e08f7ce 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml @@ -6,4 +6,4 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - secret: {{ randAlphaNum 16 | b64enc | quote }} \ No newline at end of file + secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} diff --git a/templates/nginx/configmap-http.yaml b/templates/nginx/configmap-http.yaml index f2eb3b5..2cd02fa 100644 --- a/templates/nginx/configmap-http.yaml +++ b/templates/nginx/configmap-http.yaml @@ -67,6 +67,19 @@ data: proxy_buffering off; proxy_request_buffering off; } + + location /chartrepo/ { + proxy_pass http://core/chartrepo/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } location /c/ { proxy_pass http://core/c/; diff --git a/templates/nginx/configmap-https.yaml b/templates/nginx/configmap-https.yaml index bbdade0..9330824 100644 --- a/templates/nginx/configmap-https.yaml +++ b/templates/nginx/configmap-https.yaml @@ -125,6 +125,19 @@ data: proxy_buffering off; proxy_request_buffering off; } + + location /chartrepo/ { + proxy_pass http://core/chartrepo/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } location /c/ { proxy_pass http://core/c/; diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index f4fbfc3..eea8b12 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml @@ -46,8 +46,10 @@ spec: port: 80 initialDelaySeconds: 1 periodSeconds: 10 +{{- if .Values.nginx.resources }} resources: {{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} ports: - containerPort: 80 - containerPort: 443 diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml index 8dca83f..f813502 100644 --- a/templates/nginx/service.yaml +++ b/templates/nginx/service.yaml @@ -1,4 +1,4 @@ -{{- if ne .Values.expose.type "ingress" }} +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} apiVersion: v1 kind: Service metadata: @@ -54,6 +54,30 @@ spec: nodePort: {{ $nodePort.ports.notary.nodePort }} {{- end }} {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: LoadBalancer + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 80 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 443 + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $loadBalancer.ports.notaryPort }} + targetPort: 4443 + {{- end }} {{- end }} selector: {{ include "harbor.matchLabels" . | indent 4 }} diff --git a/templates/notary/notary-cm.yaml b/templates/notary/notary-cm.yaml index 1d9004a..0ced91d 100644 --- a/templates/notary/notary-cm.yaml +++ b/templates/notary/notary-cm.yaml @@ -9,12 +9,14 @@ metadata: data: {{ $ca := genCA "harbor-notary-ca" 365 }} {{ $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} + {{- if not .Values.notary.secretName }} notary-signer-ca.crt: | -{{ $ca.Cert | indent 4 }} +{{ $ca.Cert | indent 4 }} notary-signer.crt: | {{ $cert.Cert | indent 4 }} notary-signer.key: | -{{ $cert.Key | indent 4 }} +{{ $cert.Key | indent 4 }} + {{- end }} server-config.postgres.json: | { "server": { @@ -24,7 +26,11 @@ data: "type": "remote", "hostname": "{{ template "harbor.notary-signer" . }}", "port": "7899", +{{- if not .Values.notary.secretName }} "tls_ca_file": "./notary-signer-ca.crt", +{{- else }} + "tls_ca_file": "/etc/ssl/notary/cert/notary-signer-ca.crt", +{{- end }} "key_algorithm": "ecdsa" }, "logging": { @@ -48,8 +54,13 @@ data: { "server": { "grpc_addr": ":7899", +{{- if not .Values.notary.secretName }} "tls_cert_file": "./notary-signer.crt", "tls_key_file": "./notary-signer.key" +{{- else }} + "tls_cert_file": "/etc/ssl/notary/cert/notary-signer.crt", + "tls_key_file": "/etc/ssl/notary/cert/notary-signer.key" +{{- end }} }, "logging": { "level": "{{ .Values.logLevel }}" diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml index 2e188e7..93fb92b 100644 --- a/templates/notary/notary-server.yaml +++ b/templates/notary/notary-server.yaml @@ -19,6 +19,7 @@ spec: app: notary-server annotations: checksum/configmap: {{ include (print $.Template.BasePath "/notary/notary-cm.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} {{- if .Values.notary.podAnnotations }} {{ toYaml .Values.notary.podAnnotations | indent 8 }} {{- end }} @@ -27,8 +28,10 @@ spec: - name: notary-server image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.notary.server.resources }} resources: {{ toYaml .Values.notary.server.resources | indent 10 }} +{{- end }} env: - name: MIGRATIONS_PATH value: migrations/server/postgresql @@ -38,20 +41,34 @@ spec: - name: notary-config mountPath: /etc/notary - name: etc-localtime - mountPath: /etc/localtime + mountPath: /etc/localtime - name: root-certificate mountPath: /root.crt - subPath: tokenServiceRootCertBundle + subPath: tls.crt + {{- if .Values.notary.secretName }} + - name: notary-ca + mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt + subPath: ca + {{- end }} volumes: - name: etc-localtime hostPath: - path: /etc/localtime + path: /etc/localtime - name: notary-config configMap: name: "{{ template "harbor.notary-server" . }}" - name: root-certificate secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.notary.secretName }} + - name: notary-ca + secret: + secretName: {{ .Values.notary.secretName }} + {{- end }} {{- with .Values.notary.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml index ae4b505..b3c5172 100644 --- a/templates/notary/notary-signer.yaml +++ b/templates/notary/notary-signer.yaml @@ -24,8 +24,10 @@ spec: - name: notary-signer image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.notary.signer.resources }} resources: {{ toYaml .Values.notary.signer.resources | indent 10 }} +{{- end }} env: - name: MIGRATIONS_PATH value: migrations/signer/postgresql @@ -37,14 +39,30 @@ spec: - name: notary-config mountPath: /etc/notary - name: etc-localtime - mountPath: /etc/localtime + mountPath: /etc/localtime + {{- if .Values.notary.secretName }} + - name: notary-cert + mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt + subPath: ca + - name: notary-cert + mountPath: /etc/ssl/notary/cert/notary-signer.crt + subPath: crt + - name: notary-cert + mountPath: /etc/ssl/notary/cert/notary-signer.key + subPath: key + {{- end }} volumes: - name: etc-localtime hostPath: - path: /etc/localtime + path: /etc/localtime - name: notary-config configMap: name: "{{ template "harbor.notary-server" . }}" + {{- if .Values.notary.secretName }} + - name: notary-cert + secret: + secretName: {{ .Values.notary.secretName }} + {{- end }} {{- with .Values.notary.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/templates/notary/notary-svc.yaml b/templates/notary/notary-svc.yaml index 7b2267a..c5ea13e 100644 --- a/templates/notary/notary-svc.yaml +++ b/templates/notary/notary-svc.yaml @@ -6,6 +6,9 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} ports: - port: 4443 selector: diff --git a/templates/portal/service.yaml b/templates/portal/service.yaml index be3b843..25bed60 100644 --- a/templates/portal/service.yaml +++ b/templates/portal/service.yaml @@ -5,6 +5,9 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} ports: - port: 80 targetPort: 80 diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index df34459..71d2eac 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -1,4 +1,5 @@ {{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} apiVersion: apps/v1 kind: StatefulSet metadata: @@ -37,8 +38,10 @@ spec: port: 6379 initialDelaySeconds: 1 periodSeconds: 10 +{{- if .Values.redis.internal.resources }} resources: {{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} volumeMounts: - name: data mountPath: /var/lib/redis @@ -62,4 +65,23 @@ spec: tolerations: {{ toYaml . | indent 8 }} {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} {{- end -}} diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml index 387f7fd..d6182bc 100644 --- a/templates/registry/registry-cm.yaml +++ b/templates/registry/registry-cm.yaml @@ -12,17 +12,124 @@ data: fields: service: registry storage: - {{- $storage := .Values.registry.storage }} + {{- $storage := .Values.persistence.imageChartStorage }} {{- $type := $storage.type }} {{- if eq $type "filesystem" }} filesystem: -{{ toYaml $storage.filesystem | indent 8 }} + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + keyfile: /etc/registry/gcs-key.json + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} {{- else if eq $type "s3" }} s3: -{{ toYaml $storage.s3 | indent 8 }} - redirect: - disable: false - {{- end }} + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} cache: layerinfo: redis maintenance: @@ -30,9 +137,10 @@ data: enabled: false delete: enabled: true + redirect: + disable: {{ $storage.disableredirect }} redis: addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}" - password: {{ template "harbor.redis.rawPassword" . }} db: {{ template "harbor.redis.registryDatabaseIndex" . }} http: addr: :5000 @@ -46,6 +154,8 @@ data: realm: "{{ .Values.externalURL }}/service/token" rootcertbundle: /etc/registry/root.crt service: harbor-registry + validation: + disabled: true notifications: endpoints: - name: harbor diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index 6b8ce65..ca7e1df 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml @@ -6,11 +6,14 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - REGISTRY_HTTP_SECRET: {{ randAlphaNum 16 | b64enc | quote }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.rawPassword" .) | b64enc | quote }} {{- $storage := .Values.persistence.imageChartStorage }} {{- $type := $storage.type }} {{- if eq $type "azure" }} REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if eq $type "gcs" }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} {{- else if eq $type "s3" }} {{- if $storage.s3.accesskey }} REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} @@ -28,4 +31,4 @@ data: {{- end }} {{- else if eq $type "oss" }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/values.yaml b/values.yaml index ef65148..b404482 100644 --- a/values.yaml +++ b/values.yaml @@ -1,7 +1,7 @@ expose: # Set the way how to expose the service. Set the type as "ingress", - # "clusterIP" or "nodePort" and fill the information in the corresponding - # section + # "clusterIP", "nodePort" or "loadBalancer" and fill the information + # in the corresponding section type: ingress tls: # Enable the tls or not. Note: if the type is "ingress" and the tls @@ -9,28 +9,34 @@ expose: # images. Refer to https://github.com/goharbor/harbor/issues/5291 # for the detail. enabled: true - # Fill the name of secret if you want to use your own TLS certificate - # and private key. The secret must contain keys named tls.crt and - # tls.key that contain the certificate and private key to use for TLS - # The certificate and private key will be generated automatically if - # it is not set + # Fill the name of secret if you want to use your own TLS certificate. + # The secret must contain keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # "ca.crt" - the certificate of CA + # These files will be generated automatically if the "secretName" is not set secretName: "" # By default, the Notary service will use the same cert and key as # described above. Fill the name of secret if you want to use a # separated one. Only needed when the type is "ingress". notarySecretName: "" - # The commmon name used to generate the certificate, it's necessary - # when the type is "clusterIP" or "nodePort" and "secretName" is null + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" and "secretName" is null commonName: "" ingress: hosts: core: core.harbor.domain notary: notary.harbor.domain - annotations: {} - # ingress.kubernetes.io/ssl-redirect: "true" - # nginx.ingress.kubernetes.io/ssl-redirect: "true" - # ingress.kubernetes.io/proxy-body-size: "0" - # nginx.ingress.kubernetes.io/proxy-body-size: "0" + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + controller: default + annotations: + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" clusterIP: # The name of ClusterIP service name: harbor @@ -62,6 +68,19 @@ expose: port: 4443 # The node port Notary listens on nodePort: 30004 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving with HTTP + httpPort: 80 + # The service port Harbor listens on when serving with HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 # The external URL for Harbor core service. It is used to # 1) populate the docker/helm commands showed on portal @@ -92,7 +111,8 @@ persistence: resourcePolicy: "keep" persistentVolumeClaim: registry: - # Use the existing PVC which must be created manually before bound + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components existingClaim: "" # Specify the "storageClass" used to provision the volume. Or the default # StorageClass will be used(the default). @@ -134,6 +154,13 @@ persistence: # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage # for the detail. imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect + # for the detail. + disableredirect: false # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", # "oss" and fill the information needed in the corresponding section. The type # must be "filesystem" if you want to use persistent volumes for registry @@ -149,8 +176,8 @@ persistence: #realm: core.windows.net gcs: bucket: bucketname - # TODO: support the keyfile of gcs - #keyfile: /path/to/keyfile + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file #rootdirectory: /gcs/object/name/prefix #chunksize: "5242880" s3: @@ -210,7 +237,7 @@ secretKey: "not-a-secure-key" nginx: image: repository: goharbor/nginx-photon - tag: v1.7.0 + tag: v1.8.2-dev replicas: 1 # resources: # requests: @@ -225,7 +252,7 @@ nginx: portal: image: repository: goharbor/harbor-portal - tag: v1.7.0 + tag: v1.8.2-dev replicas: 1 # resources: # requests: @@ -240,7 +267,7 @@ portal: core: image: repository: goharbor/harbor-core - tag: v1.7.0 + tag: v1.8.2-dev replicas: 1 # resources: # requests: @@ -251,26 +278,22 @@ core: affinity: {} ## Additional deployment annotations podAnnotations: {} - -adminserver: - image: - repository: goharbor/harbor-adminserver - tag: v1.7.0 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # The default key pair will be used if it isn't set + secretName: "" jobservice: image: repository: goharbor/harbor-jobservice - tag: v1.7.0 + tag: v1.8.2-dev replicas: 1 maxJobWorkers: 10 # The logger for jobs: "file", "database" or "stdout" @@ -284,32 +307,46 @@ jobservice: affinity: {} ## Additional deployment annotations podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" registry: registry: image: repository: goharbor/registry-photon - tag: v2.6.2-v1.7.0 + tag: v1.8.2-dev + # resources: + # requests: + # memory: 256Mi + # cpu: 100m controller: image: repository: goharbor/harbor-registryctl - tag: v1.7.0 + tag: v1.8.2-dev + # resources: + # requests: + # memory: 256Mi + # cpu: 100m replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m nodeSelector: {} tolerations: [] affinity: {} ## Additional deployment annotations podAnnotations: {} + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" chartmuseum: enabled: true image: repository: goharbor/chartmuseum-photon - tag: v0.7.1-v1.7.0 + tag: v1.8.2-dev replicas: 1 # resources: # requests: @@ -325,7 +362,7 @@ clair: enabled: true image: repository: goharbor/clair-photon - tag: v2.0.7-v1.7.0 + tag: v1.8.2-dev replicas: 1 # The http(s) proxy used to update vulnerabilities database from internet httpProxy: @@ -348,18 +385,33 @@ notary: server: image: repository: goharbor/notary-server-photon - tag: v0.6.1-v1.7.0 + tag: v1.8.2-dev replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m signer: image: repository: goharbor/notary-signer-photon - tag: v0.6.1-v1.7.0 + tag: v1.8.2-dev replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m nodeSelector: {} tolerations: [] affinity: {} ## Additional deployment annotations podAnnotations: {} + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named tls.ca, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. + secretName: "" database: # if external database is used, set "type" to "external" @@ -368,7 +420,7 @@ database: internal: image: repository: goharbor/harbor-db - tag: v1.7.0 + tag: v1.8.2-dev # The initial superuser password for internal database password: "changeit" # resources: @@ -398,7 +450,7 @@ redis: internal: image: repository: goharbor/redis-photon - tag: v1.7.0 + tag: v1.8.2-dev # resources: # requests: # memory: 256Mi -- 2.26.0