diff --git a/.helmignore b/.helmignore
new file mode 100644
index 0000000000000000000000000000000000000000..632a574800b4a06c6d5b8877a1a36307c845573f
--- /dev/null
+++ b/.helmignore
@@ -0,0 +1,4 @@
+docs/*
+.git/*
+.gitignore
+CONTRIBUTING.md
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 94c83335879469bc3f5c44db3b997c0786d7843b..30ec8bec02c3cf7afe9e0e078b15c265a13b7103 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,6 +1,6 @@
 # Contributing to Helm Chart for Harbor
-Please follow [Harbor contributing guide](https://github.com/vmware/harbor/blob/master/CONTRIBUTING.md) to learn how to make code contribution.
+Please follow [Harbor contributing guide](https://github.com/goharbor/harbor/blob/master/CONTRIBUTING.md) to learn how to make code contribution.
 # Contributers
diff --git a/Chart.yaml b/Chart.yaml
index f28ab582f316047e46985a3fd874df2940781f3c..41bb684d7d12cec9f173e1e5e339f5084a9ecd10 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,16 +1,16 @@
 name: harbor
-version: 0.2.0
-appVersion: 1.5.0
-description: An Enterprise-class Docker Registry by VMware
+version: dev
+appVersion: dev
+description: An open source trusted cloud native registry that stores, signs, and scans content
 keywords:
-- vmware
 - docker
 - registry
 - harbor
-home: https://github.com/vmware/harbor
-icon: https://raw.githubusercontent.com/vmware/harbor/master/docs/img/harbor_logo.png
+home: https://goharbor.io
+icon: https://raw.githubusercontent.com/goharbor/harbor/master/docs/img/harbor_logo.png
 sources:
-- https://github.com/vmware/harbor/tree/master/contrib/helm/harbor
+- https://github.com/goharbor/harbor
+- https://github.com/goharbor/harbor-helm
 maintainers:
 - name: Jesse Hu
 email: huh@vmware.com
diff --git a/Deploy.md b/Deploy.md
new file mode 100644
index 0000000000000000000000000000000000000000..cc8835bad8484c26268c2be3c6d2cec117503f62
--- /dev/null
+++ b/Deploy.md
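Review bot: The new `.helmignore` excludes docs and git metadata but not the per-environment values file that this same commit's Deploy.md keeps inside the chart directory (`-f /etc/kubernetes/helm/harbor/values-overrides.yaml`); anything not listed here is bundled by `helm package`, and an overrides file for this chart typically carries `harborAdminPassword`, `secretkey` and `database.external.password`. Consider adding `values-overrides.yaml` (or a `values-*.yaml` glob, if the project's naming stays consistent) so a packaged chart cannot carry a site's credentials along with it. The file also ends without a trailing newline, which Helm tolerates but which shows up as noise in every later diff of this file.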
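Review bot: `version: dev` in Chart.yaml is not a SemVer 2 string, and Helm treats the chart `version` field as SemVer: `helm lint` reports it as invalid, and packaging and repository indexing, which sort releases by that field, are unlikely to accept it as-is. If the placeholder is deliberate for the development branch (the readme in this commit says master is under heavy development), say so next to the field, e.g. `version: dev  # placeholder on master; release branches set a SemVer value`, so that nobody tags a release from an unversioned Chart.yaml. `appVersion: dev` is less of a problem, since Helm does not constrain that field's format, but the same comment would cover it.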
@@ -0,0 +1,77 @@
+# harbor
+
+## install
+
+```bash
+# 1.install
+
+# label node
+kubectl label node harbor=enabled
+
+helm install \
+/etc/kubernetes/helm/harbor \
+--name=harbor \
+--namespace=devops \
+-f /etc/kubernetes/helm/harbor/values-overrides.yaml
+
+# uninstall
+helm delete harbor --purge
+
+# update
+helm upgrade harbor /etc/kubernetes/helm/harbor \
+-f /etc/kubernetes/helm/harbor/values-overrides.yaml
+```
+
+## images
+
+```bash
+# goharbor/harbor-portal
+docker pull goharbor/harbor-portal:v1.7.5 && \
+docker tag goharbor/harbor-portal:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-portal:v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-portal:v1.7.5
+
+# goharbor/harbor-core
+docker pull goharbor/harbor-core:v1.7.5 && \
+docker tag goharbor/harbor-core:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5
+
+# goharbor/harbor-jobservice
+docker pull goharbor/harbor-jobservice:v1.7.5 && \
+docker tag goharbor/harbor-jobservice:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.7.5
+
+# goharbor/registry-photon
+docker pull goharbor/registry-photon:v2.6.2-v1.7.5 && \
+docker tag goharbor/registry-photon:v2.6.2-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/registry-photon:v2.6.2-v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/registry-photon:v2.6.2-v1.7.5
+
+# goharbor/harbor-registryctl
+docker pull goharbor/harbor-registryctl:v1.7.5 && \
+docker tag goharbor/harbor-registryctl:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v1.7.5
+
+# goharbor/chartmuseum-photon
+docker pull goharbor/chartmuseum-photon:v0.8.1-v1.7.5 && \
+docker tag goharbor/chartmuseum-photon:v0.8.1-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon:v0.8.1-v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon:v0.8.1-v1.7.5
+
+# goharbor/clair-photon
+docker pull goharbor/clair-photon:v2.0.8-v1.7.5 && \
+docker tag goharbor/clair-photon:v2.0.8-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/clair-photon:v2.0.8-v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/clair-photon:v2.0.8-v1.7.5
+
+# goharbor/notary-server-photon
+docker pull goharbor/notary-server-photon:v0.6.1-v1.7.5 && \
+docker tag goharbor/notary-server-photon:v0.6.1-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server-photon:v0.6.1-v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server-photon:v0.6.1-v1.7.5
+
+# goharbor/notary-signer-photon
+docker pull goharbor/notary-signer-photon:v0.6.1-v1.7.5 && \
+docker tag goharbor/notary-signer-photon:v0.6.1-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer-photon:v0.6.1-v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer-photon:v0.6.1-v1.7.5
+
+# goharbor/harbor-db
+docker pull goharbor/harbor-db:v1.7.5 && \
+docker tag goharbor/harbor-db:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.7.5 && \
+docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.7.5
+```
\ No newline at end of file
diff --git a/docs/High Availability.md b/docs/High Availability.md
new file mode 100644
index 0000000000000000000000000000000000000000..6bd48f13833bb2a032a713d1dc6252d92e3ba97b
--- /dev/null
+++ b/docs/High Availability.md
@@ -0,0 +1,63 @@
+# Harbor High Availability Guide
+
+## Goal
+Deploy Harbor on K8S via helm to make it highly available, that is, if one of node that has Harbor's container running becomes un accessible. Users does not experience interrupt of service of Harbor.
+
+## Prerequisites
+- Kubernetes cluster 1.10+
+- Helm 2.8.0+
+- High available ingress controller (Harbor does not manage the external endpoint)
+- High available PostgreSQL database (Harbor does not handle the deployment of HA of database)
+- High available Redis (Harbor does not handle the deployment of HA of Redis)
+- PVC that can be shared across nodes or external object storage
+
+## Architecture
+Most of Harbor's components are stateless now. So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods.
+
+As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts.
+
+![HA](img/ha.png)
+
+## Installation
+
+### Download Chart
+Download Harbor helm chart code.
+```bash
+git clone https://github.com/goharbor/harbor-helm
+cd harbor-helm
+```
+
+### Configuration
+Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`:
+- **Ingress rule**
+ Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`.
+- **External URL**
+ Configure the `externalURL`.
+- **External PostgreSQL**
+ Set the `database.type` to `external` and fill the information in `database.external` section.
+
+ Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up.
+- **External Redis**
+ Set the `redis.type` to `external` and fill the information in `redis.external` section.
+
+ As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point.
+- **Storage**
+ By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs.
+
+ If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`.
+
+ If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes.
+
+ You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`.
+
+ If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`.
+
+- **Replica**
+ Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2).
+
+### Installation
+Install the Harbor helm chart with a release name `my-release`:
+```bash
+helm install --name my-release .
+```
+
diff --git a/docs/Upgrade.md b/docs/Upgrade.md
new file mode 100644
index 0000000000000000000000000000000000000000..3ba26898d33d05d4a1994a2dd2717e398abfff8e
--- /dev/null
+++ b/docs/Upgrade.md
@@ -0,0 +1,48 @@
+# Upgrade Guide
+
+This guide is used to upgrade Harbor deployed by chart since version 0.3.0.
+
+**Notes**:
+- As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid
+- The database schema cannot be downgraded automatically, so the `helm rollback` is not supported
+
+## Upgrade
+1. **Backup database**
+Backup the database used by Harbor in case the upgrade process fails.
+2. **Download new chart**
+Download the latest version of Harbor chart.
+3. **Configure new chart**
+Configure the new chart to make sure that the configuration items have the same values with the old one.
+
+ **Note**: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate:
+
+ 1) Get the secret name which certificate is stored in:
+ ```
+ kubectl get secret
+ ```
+ Find the secret whose name ends with `-harbor-ingress`(expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`)
+
+ 2) Export the secret as yaml file:
+ ```
+ kubectl get secret secret-name -o yaml > secret.yaml
+ ```
+ Replace the `secret-name` with the one got in step i
+
+ 3) Rename the secret by setting `metadata.name` in `secret.yaml`
+
+ 4) Create a new secret:
+ ```
+ kubectl create -f secret.yaml
+ ```
+
+ 5) Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step iii
+
+4. **Upgrade**
+Run upgrade command:
+ ```
+ helm upgrade release-name --force .
+ ```
+ The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30).
+
+## Known issues
+- The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0.
diff --git a/docs/img/ha.png b/docs/img/ha.png
new file mode 100644
index 0000000000000000000000000000000000000000..6f063c2bba21e05934307b5c5d699cc2211c7f8f
Binary files /dev/null and b/docs/img/ha.png differ
diff --git a/logo.png b/logo.png
deleted file mode 100644
index 45df310f3df8a2d02038772449ed6bab59ff8891..0000000000000000000000000000000000000000
Binary files a/logo.png and /dev/null differ
diff --git a/package.json b/package.json
deleted file mode 100644
index 6164fb57a7b290f3edd5fb9fd67043a6260d4ea4..0000000000000000000000000000000000000000
--- a/package.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "name": "harbor-chart",
- "version": "v1.6.3"
-}
\ No newline at end of file
diff --git a/readme.md b/readme.md
index 299463f099b0f598a436cbb2f1834f2b37fba6a4..95173f38048a362eb975c05dbd7e100c10016159 100644
--- a/readme.md
+++ b/readme.md
@@ -1,98 +1,284 @@
-## setup
-```bash
-# 1.install
+# Helm Chart for Harbor
+
+**Notes:** The master branch is in heavy development, please use the codes on other branch instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment.
+
+## Introduction
+
+This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor.
-# label node
-kubectl label node harbor=enabled
+## Prerequisites
-helm install \
-/etc/kubernetes/helm/harbor \
---name=harbor \
---namespace=devops \
--f /etc/kubernetes/helm/harbor/values-overrides.yaml
+- Kubernetes cluster 1.10+
+- Helm 2.8.0+
-# uninstall
-helm delete harbor --purge
+## Installation
-# update
-helm upgrade harbor /etc/kubernetes/helm/harbor \
--f /etc/kubernetes/helm/harbor/values-overrides.yaml
+### Download the chart
+
+Download Harbor helm chart code.
+
+```bash
+git clone https://github.com/goharbor/harbor-helm
 ```
-## overrides
+Checkout the branch.
 ```bash
-cat /etc/kubernetes/helm/harbor/values-overrides.yaml
+cd harbor-helm
+git checkout branch_name
 ```
-### 有持久化存储Storage
+### Configure the chart
+
+The following items can be configured in `values.yaml` or set via `--set` flag during installation.
+
+#### Configure the way how to expose Harbor service:
+
+- **Ingress**: The ingress controller must be installed in the Kubernetes cluster.
+ **Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail.
+- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
+- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
+- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer.
+
+#### Configure the external URL
+
+The external URL for Harbor core service is used to:
+
+1. populate the docker/helm commands showed on portal
+2. populate the token service URL returned to docker/notary client
+
+Format: `protocol://domain[:port]`. Usually:
-参考values-storage.yaml
+- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core`
+- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name`
+- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node
+- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider
-### 使用HostPath存储数据
+If Harbor is deployed behind the proxy, set it as the URL of proxy.
-在此之前规划一下哪台服务器存储什么内容
+#### Configure the way how to persistent data:
+- **Disable**: The data does not survive the termination of a pod.
+- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use.
+- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`.
+
+#### Configure the secrets
+
+- **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure.
+- **Certificates**:
+ - *notary*: Used for authentication during communications. Fill `notary.secretName` to configure. 
Notary server certificate must be issued with notary service name as subject alternative name. + - *core*: Used for token encryption/decryption. Fill `core.secretName` to configure. + +Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)). + + +#### Configure the other items listed in [configuration](#configuration) section. + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: + +```bash +helm install --name my-release . ``` -harbor: enabled -kubectl label node harbor=enabled -# kubectl label node harbor- +## Uninstallation + +To uninstall/delete the `my-release` deployment: + +```bash +helm delete --purge my-release ``` -参考values-hostpath.yaml +## Configuration +The following table lists the configurable parameters of the Harbor chart and the default values. -# images +| Parameter | Description | Default | +| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | +| **Expose** | +| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer` | `ingress` | +| `expose.tls.enabled` | Enable the tls or not | `true` | +| `expose.tls.secretName` | Fill the name of secret if you want to use your own TLS certificate. 
The secret must contain keys named: +`tls.crt` - the certificate, `tls.key` - the private key, `ca.crt` - the certificate of CA.These files will be generated automatically if the `secretName` is not set || +| `expose.tls.commonName` | The common name used to generate the certificate, it's necessary when the `expose.type` is `clusterIP` or `nodePort` and `expose.tls.secretName` is null | | +| `expose.ingress.host` | The host of Harbor service in ingress rule | `harbor.local` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default` and `gce` | `default` | +| `expose.ingress.annotations` | The annotations used in ingress | | +| `expose.ingress.rewriteAnnotation` | The name of the `rewrite-target` annotation| `nginx.ingress.kubernetes.io/rewrite-target` | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.ports.http` | The service port Harbor listens on when serving with HTTP | `80` | +| `expose.clusterIP.ports.https` | The service port Harbor listens on when serving with HTTPS | `443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` | +| `expose.loadBalancer.name` | The name of service |`harbor`| +| `expose.loadBalancer.ports.http` | The service port Harbor listens on when serving with HTTP |`80`| +| `expose.loadBalancer.ports.https` | The service port Harbor listens on when serving with HTTP |`30002`| +| **Persistence** | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to 
`keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). 
Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. 
If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` | +| **General** | +| `externalURL` | The external URL for Harbor service | `https://harbor.local` | +| `imagePullPolicy` | The image pull policy | `IfNotPresent` | +| `logLevel` | The log level | `debug` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `secretkey` | The key used for encryption. 
Must be a string of 16 chars | `not-a-secure-key` | +| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| **Portal** | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| **Core** | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. 
| | +| `core.secret` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey` that contain the certificate and private key. They will be automatically generated if not set. | | +| **Jobservice** | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. 
| | +| **Registry** | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | | `dev` | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | | `dev` | +| `registry.replicas` | The replica count | `1` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. 
| | +| **Chartmuseum** | +| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | +| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | +| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` | +| `chartmuseum.replicas` | The replica count | `1` | +| `chartmuseum.resources` | The [resources] to allocate for container | undefined | +| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` | +| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | +| `chartmuseum.affinity` | Node/Pod affinities | `{}` | +| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | +| **Clair** | +| `clair.enabled` | Enable Clair | `true` | +| `clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | +| `clair.image.tag` | Tag for clair image | `dev` | +| `clair.replicas` | The replica count | `1` | +| `clair.httpProxy` | The HTTP proxy used to update vulnerabilities database from internet | | +| `clair.httpsProxy` | The HTTPS proxy used to update vulnerabilities database from internet | | +| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` | +| `clair.resources` | The [resources] to allocate for container | undefined | +| `clair.nodeSelector` | Node labels for pod assignment | `{}` | +| `clair.tolerations` | Tolerations for pod assignment | `[]` | +| `clair.affinity` | Node/Pod affinities | `{}` | +| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` | +| **Notary** | +| `notary.enabled` | Enable Notary? 
| `true` | +| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | +| `notary.server.image.tag` | Tag for notary server image | `dev` | +| `notary.server.replicas` | The replica count | +| `notary.server.resources` | The [resources] to allocate for container | undefined | | `1` | +| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | +| `notary.signer.image.tag` | Tag for notary signer image | `dev` | +| `notary.signer.replicas` | The replica count | +| `notary.signer.resources` | The [resources] to allocate for container | undefined | | `1` | +| `notary.nodeSelector` | Node labels for pod assignment | `{}` | +| `notary.tolerations` | Tolerations for pod assignment | `[]` | +| `notary.affinity` | Node/Pod affinities | `{}` | +| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | +| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. 
| | +| **Database** | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.clairDatabase` | The database used by clair | `clair` | +| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | +| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | +| `database.external.sslmode` | Connection method of external database (require | prefer | disable) | `disable` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for 
pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.external.host` | The hostname of external Redis | `192.168.0.2` | +| `redis.external.port` | The port of external Redis | `6379` | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | +| `redis.external.password` | The password of external Redis | | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | -```bash -# harbor-ui -docker pull goharbor/harbor-ui:v1.6.3 && \ -docker tag goharbor/harbor-ui:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-ui:v1.6.3 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-ui:v1.6.3 - -# harbor-adminserver -docker pull goharbor/harbor-adminserver:v1.6.3 && \ -docker tag goharbor/harbor-adminserver:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-adminserver:v1.6.3 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-adminserver:v1.6.3 - -# harbor-jobservice -docker pull goharbor/harbor-jobservice:v1.6.3 && \ -docker tag goharbor/harbor-jobservice:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.6.3 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.6.3 - -# harbor-db -docker pull goharbor/harbor-db:v1.6.3 && \ -docker tag goharbor/harbor-db:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.6.3 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.6.3 - -# chartmuseum -docker pull chartmuseum/chartmuseum:v0.7.1 && \ -docker tag chartmuseum/chartmuseum:v0.7.1 registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum:v0.7.1 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum:v0.7.1 - -# clair -docker pull 
quay.io/coreos/clair:v2.0.6 && \ -docker tag quay.io/coreos/clair:v2.0.6 registry-vpc.cn-qingdao.aliyuncs.com/wod/clair:v2.0.6 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/clair:v2.0.6 - -# notary:server -docker pull notary:server-0.5.0 && \ -docker tag notary:server-0.5.0 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server:0.5.0 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server:0.5.0 - -# notary:signer -docker pull notary:signer-0.5.0 && \ -docker tag notary:signer-0.5.0 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer:0.5.0 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer:0.5.0 - -# registry -docker pull registry:2.7.1 && \ -docker tag registry:2.7.1 registry-vpc.cn-qingdao.aliyuncs.com/wod/registry:2.7.1 && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/registry:2.7.1 - -# redis -docker pull redis:4.0.1-alpine && \ -docker tag redis:4.0.1-alpine registry-vpc.cn-qingdao.aliyuncs.com/wod/redis:4.0.1-alpine && \ -docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/redis:4.0.1-alpine -``` \ No newline at end of file +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ diff --git a/templates/NOTES.txt b/templates/NOTES.txt index ce1120810bdc8b484a80f914b79414f31f21096e..6378bf3b7ad9a50353474c8adf14faf4182ef7f8 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -1,3 +1,3 @@ Please wait for several minutes for Harbor deployment to complete. -Then you should be able to visit the UI portal at {{ template "harbor.externalURL" . }}. -For more details, please visit https://github.com/vmware/harbor. \ No newline at end of file +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}. +For more details, please visit https://github.com/goharbor/harbor. \ No newline at end of file 
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 08e34e451047f5d1be7803b58c97dc30ff21b290..9021d29df6307d4a62f971223684fb4ab49b3da0 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -13,52 +13,34 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this */}} {{- define "harbor.fullname" -}} {{- $name := default "harbor" .Values.nameOverride -}} -{{- printf "%s" .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Helm required labels */}} {{- define "harbor.labels" -}} heritage: {{ .Release.Service }} release: {{ .Release.Name }} -chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" {{- end -}} {{/* matchLabels */}} {{- define "harbor.matchLabels" -}} release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" {{- end -}} -{{- define "harbor.externalURL" -}} -{{- if .Values.externalPort -}} -{{- printf "%s://%s:%s" .Values.externalProtocol .Values.externalDomain (toString .Values.externalPort) -}} -{{- else -}} -{{- printf "%s://%s" .Values.externalProtocol .Values.externalDomain -}} -{{- end -}} -{{- end -}} - -{{/* -Use *.domain.com as the Common Name in the certificate, -so it can match Harbor service FQDN and Notary service FQDN. -*/}} -{{- define "harbor.certCommonName" -}} -{{- $list := splitList "." .Values.externalDomain -}} -{{- $list := prepend (rest $list) "*" -}} -{{- $cn := join "." $list -}} -{{- printf "%s" $cn -}} -{{- end -}} - -{{/* The external FQDN of Notary server. */}} -{{- define "harbor.notaryFQDN" -}} -{{- printf "notary-%s" .Values.externalDomain -}} -{{- end -}} - -{{- define "harbor.notaryServiceName" -}} -{{- printf "%s-notary-server" (include "harbor.fullname" .) -}} +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (not .Values.expose.tls.secretName) -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} {{- end -}} {{- define "harbor.database.host" -}} {{- if eq .Values.database.type "internal" -}} - {{- template "harbor.fullname" . 
}}-database + {{- template "harbor.database" . }} {{- else -}} {{- .Values.database.external.host -}} {{- end -}} @@ -80,14 +62,6 @@ so it can match Harbor service FQDN and Notary service FQDN. {{- end -}} {{- end -}} -{{- define "harbor.database.password" -}} - {{- if eq .Values.database.type "internal" -}} - {{- .Values.database.internal.password | b64enc | quote -}} - {{- else -}} - {{- .Values.database.external.password | b64enc | quote -}} - {{- end -}} -{{- end -}} - {{- define "harbor.database.rawPassword" -}} {{- if eq .Values.database.type "internal" -}} {{- .Values.database.internal.password -}} @@ -96,6 +70,10 @@ so it can match Harbor service FQDN and Notary service FQDN. {{- end -}} {{- end -}} +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + {{- define "harbor.database.coreDatabase" -}} {{- if eq .Values.database.type "internal" -}} {{- printf "%s" "registry" -}} 
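Review bot: `harbor.autoGenCert` returns the strings `"true"` and `"false"`, and in Go templates a non-empty string such as `"false"` is truthy, so any caller written as `{{ if (include "harbor.autoGenCert" .) }}` takes the true branch in both cases; callers must compare with `eq (include "harbor.autoGenCert" .) "true"`. A comment above the define would make that contract explicit: `{{/* Returns the string "true" when expose.tls.enabled is set and no expose.tls.secretName is given (the chart must generate a certificate); compare the result with eq ... "true", never by truthiness. */}}`. The `harbor.database.host` define at the bottom of this hunk closes beyond the hunk's last line.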
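Review bot: The name `harbor.database.encryptedPassword` is misleading: its body is `include "harbor.database.rawPassword" . | b64enc | quote`, which base64-encodes the password for a Secret's `data` field — a reversible encoding, not encryption. Renaming would touch every caller, so at minimum a comment above the define should state what it is: `{{/* base64 of the raw database password, for Secret.data; base64 is an encoding, not encryption — never place this value in a ConfigMap or a log line */}}`.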
@@ -128,58 +106,95 @@ so it can match Harbor service FQDN and Notary service FQDN. {{- end -}} {{- end -}} +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + {{- define "harbor.database.clair" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode=disable +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} {{- end -}} {{- define "harbor.database.notaryServer" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode=disable +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} {{- end -}} {{- define "harbor.database.notarySigner" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode=disable +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . 
}}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} {{- end -}} {{- define "harbor.redis.host" -}} - {{- if .Values.redis.external.enabled -}} - {{- .Values.redis.external.host -}} + {{- if eq .Values.redis.type "internal" -}} + {{- template "harbor.redis" . -}} {{- else -}} - {{- .Release.Name }}-redis + {{- .Values.redis.external.host -}} {{- end -}} {{- end -}} {{- define "harbor.redis.port" -}} - {{- if .Values.redis.external.enabled -}} + {{- if eq .Values.redis.type "internal" -}} + {{- printf "%s" "6379" -}} + {{- else -}} {{- .Values.redis.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.coreDatabaseIndex" -}} + {{- if eq .Values.redis.type "internal" -}} + {{- printf "%s" "0" }} {{- else -}} - 6379 + {{- .Values.redis.external.coreDatabaseIndex -}} {{- end -}} {{- end -}} -{{- define "harbor.redis.databaseIndex" -}} - {{- if .Values.redis.external.enabled -}} - {{- .Values.redis.external.databaseIndex -}} +{{- define "harbor.redis.jobserviceDatabaseIndex" -}} + {{- if eq .Values.redis.type "internal" -}} + {{- printf "%s" "1" }} {{- else -}} - {{- printf "%s" "0" }} + {{- .Values.redis.external.jobserviceDatabaseIndex -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.registryDatabaseIndex" -}} + {{- if eq .Values.redis.type "internal" -}} + {{- printf "%s" "2" }} + {{- else -}} + {{- .Values.redis.external.registryDatabaseIndex -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.chartmuseumDatabaseIndex" -}} + {{- if eq .Values.redis.type "internal" -}} + {{- printf "%s" "3" }} + {{- else -}} + {{- .Values.redis.external.chartmuseumDatabaseIndex -}} {{- end -}} {{- end -}} -{{- define "harbor.redis.password" -}} - {{- if and .Values.redis.external.enabled .Values.redis.external.usePassword -}} +{{- define "harbor.redis.rawPassword" -}} + {{- if and (eq .Values.redis.type "external") .Values.redis.external.password -}} {{- .Values.redis.external.password -}} - 
{{- else if and (not .Values.redis.external.enabled) .Values.redis.usePassword -}} - {{- .Values.redis.password -}} {{- end -}} {{- end -}} {{/*the username redis is used for a placeholder as no username needed in redis*/}} {{- define "harbor.redisForJobservice" -}} - {{- if and .Values.redis.external.enabled .Values.redis.external.usePassword -}} - redis:{{ template "harbor.redis.password" . }}@{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.databaseIndex" }} - {{- else if and (not .Values.redis.external.enabled) .Values.redis.usePassword -}} - redis:{{ template "harbor.redis.password" . }}@{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.databaseIndex" }} + {{- if (include "harbor.redis.rawPassword" . ) -}} + {{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.rawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.jobserviceDatabaseIndex" . ) }} {{- else }} - {{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.databaseIndex" }} + {{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.jobserviceDatabaseIndex" . }} + {{- end -}} +{{- end -}} + +{{/*the username redis is used for a placeholder as no username needed in redis*/}} +{{- define "harbor.redisForGC" -}} + {{- if (include "harbor.redis.rawPassword" . ) -}} + {{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.rawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.registryDatabaseIndex" . ) }} + {{- else }} + {{- printf "redis://%s:%s/%s" (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.registryDatabaseIndex" . ) -}} {{- end -}} {{- end -}} 
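Review bot: The `postgres://` URLs in `harbor.database.clair`, `harbor.database.notaryServer` and `harbor.database.notarySigner` interpolate `harbor.database.rawPassword` verbatim, and the `redis://redis:%s@...` strings in `harbor.redisForJobservice` and `harbor.redisForGC` do the same with `harbor.redis.rawPassword`, so a password containing `@`, `/`, `:`, `?` or `#` yields a URL whose host or database part is mis-parsed. Go's text/template provides `urlquery`, so `{{ include "harbor.database.rawPassword" . | urlquery }}` in the postgres strings and `(include "harbor.redis.rawPassword" . | urlquery)` in the printf forms would escape those characters without affecting the default passwords. The password-less branch of `harbor.redisForJobservice` also emits `host:port/db` while `harbor.redisForGC` emits `redis://host:port/db` for the same case; unless the jobservice configuration format requires the scheme-less form, the two should agree. `harbor.database.sslmode` passes `database.external.sslmode` straight through and the README hunk above documents its default as `disable`, so an external database is reached in cleartext unless the operator overrides it; a comment on the define noting that `require` is the appropriate value for a non-local host would help. `harbor.redisForGC` closes on the hunk's last line; the rest of the file is in the surrounding hunks.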
@@ -187,6 +202,80 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab host:port,pool_size,password 100 is the default value of pool size */}} -{{- define "harbor.redisForUI" -}} - {{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }},100,{{ template "harbor.redis.password" . }} +{{- define "harbor.redisForCore" -}} + {{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }},100,{{ template "harbor.redis.rawPassword" . }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.chartmuseum" -}} + {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} {{- end -}} + +{{- define "harbor.clair" -}} + {{- printf "%s-clair" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-server" -}} + {{- printf "%s-notary-server" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-signer" -}} + {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress.core" -}} + {{- printf "%s-ingress-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress.notary" -}} + {{- printf "%s-ingress-notary" (include "harbor.fullname" .) 
-}} +{{- end -}} + +{{- define "harbor.certificate" -}} + {{- printf "%s-certificate" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.certificate-secret" -}} + {{- $tls := .Values.expose.tls -}} + {{- if $tls.secretName }} + {{- printf "%s" $tls.secretName -}} + {{- else }} + {{- printf "%s" (include "harbor.certificate" .) -}} + {{- end }} +{{- end -}} + +{{- define "harbor.common-name" -}} + {{- $expose := .Values.expose }} + {{- if and (eq $expose.type "ingress") $expose.ingress.host }} + {{- printf "%s" $expose.ingress.host -}} + {{- else }} + {{- printf "%s" $expose.tls.commonName -}} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/templates/adminserver/configmap.yaml b/templates/adminserver/configmap.yaml deleted file mode 100644 index 08da284b7e67b2cad5d231867fc89c126774cdaf..0000000000000000000000000000000000000000 --- a/templates/adminserver/configmap.yaml +++ /dev/null 
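Review bot: `harbor.common-name` falls back to `$expose.tls.commonName` when `expose.type` is not `ingress` or `expose.ingress.host` is empty, and if that value is unset too the helper returns an empty string, so a generated certificate would carry an empty CN and fail hostname verification for every client. Helm's `required` turns that into a clear install-time error: `{{- printf "%s" (required "expose.tls.commonName is required when expose.ingress.host is not set" $expose.tls.commonName) -}}`. Whether the empty result is actually reachable depends on how `harbor.autoGenCert` gates the certificate template, which is outside this hunk.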
@@ -1,60 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.fullname" . }}-adminserver" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-adminserver -data: - POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" - POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" - POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" - POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" - EMAIL_HOST: "{{ .Values.email.host }}" - EMAIL_PORT: "{{ .Values.email.port }}" - EMAIL_USR: "{{ .Values.email.username }}" - EMAIL_SSL: "{{ .Values.email.ssl }}" - EMAIL_FROM: "{{ .Values.email.from }}" - EMAIL_IDENTITY: "{{ .Values.email.identity }}" - EMAIL_INSECURE: "{{ .Values.email.insecure }}" - EXT_ENDPOINT: "{{ template "harbor.externalURL" . }}" - UI_URL: "http://{{ template "harbor.fullname" . }}-ui" - JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice" - REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000" - TOKEN_SERVICE_URL: "http://{{ template "harbor.fullname" . }}-ui/service/token" - WITH_NOTARY: "{{ .Values.notary.enabled }}" - NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443" - LOG_LEVEL: "info" - IMAGE_STORE_PATH: "/" # This is a temporary hack. 
- AUTH_MODE: "{{ .Values.authenticationMode }}" - SELF_REGISTRATION: "{{ .Values.selfRegistration }}" - LDAP_URL: "{{ .Values.ldap.url }}" - LDAP_SEARCH_DN: "{{ .Values.ldap.searchDN }}" - LDAP_BASE_DN: "{{ .Values.ldap.baseDN }}" - LDAP_FILTER: "{{ .Values.ldap.filter }}" - LDAP_UID: "{{ .Values.ldap.uid }}" - LDAP_SCOPE: "{{ .Values.ldap.scope }}" - LDAP_TIMEOUT: "{{ .Values.ldap.timeout }}" - LDAP_VERIFY_CERT: "{{ .Values.ldap.verifyCert }}" - DATABASE_TYPE: "postgresql" - PROJECT_CREATION_RESTRICTION: "everyone" - VERIFY_REMOTE_CERT: "off" - MAX_JOB_WORKERS: "3" - TOKEN_EXPIRATION: "30" - CFG_EXPIRATION: "5" - GODEBUG: "netdns=cgo" - ADMIRAL_URL: "NA" - RESET: "false" - WITH_CLAIR: "{{ .Values.clair.enabled }}" - CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}" - CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}" - CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}" - CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}" - CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060" - UAA_ENDPOINT: "" - UAA_CLIENTID: "" - UAA_CLIENTSECRET: "" - UAA_VERIFY_CERT: "True" - REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.registry.storage.type }}" - WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" - CHART_REPOSITORY_URL: "http://{{ template "harbor.fullname" . }}-chartmuseum" \ No newline at end of file diff --git a/templates/adminserver/secret.yaml b/templates/adminserver/secret.yaml deleted file mode 100644 index fac8645a4df140401a879372cf3f06e8187aea24..0000000000000000000000000000000000000000 --- a/templates/adminserver/secret.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.fullname" . }}-adminserver" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-adminserver -type: Opaque -data: - secretKey: {{ .Values.secretKey | b64enc | quote }} - EMAIL_PWD: {{ .Values.email.password | b64enc | quote }} - HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} - POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }} - JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }} - UI_SECRET: {{ .Values.ui.secret | b64enc | quote }} -{{- if eq .Values.authenticationMode "ldap_auth" }} - LDAP_SEARCH_PWD: {{ .Values.ldap.searchPassword | b64enc | quote }} -{{- end }} -{{ if .Values.clair.enabled }} - CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }} -{{ end }} diff --git a/templates/adminserver/service.yaml b/templates/adminserver/service.yaml deleted file mode 100644 index 14fd00b5c80e1f595f5a298523525f8f0abf48cc..0000000000000000000000000000000000000000 --- a/templates/adminserver/service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.fullname" . }}-adminserver" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: http - port: 80 - targetPort: 8080 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-adminserver \ No newline at end of file diff --git a/templates/adminserver/statefulset.yaml b/templates/adminserver/statefulset.yaml deleted file mode 100644 index e3cd3a2b1f26558c5be7385625718b2dc092e022..0000000000000000000000000000000000000000 --- a/templates/adminserver/statefulset.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ template "harbor.fullname" . }}-adminserver" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-adminserver - version: {{ .Values.adminserver.image.tag }} -spec: - replicas: 1 - serviceName: "{{ template "harbor.fullname" . }}-adminserver" - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - app: harbor-adminserver - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-adminserver - version: {{ .Values.adminserver.image.tag }} - spec: - containers: - - name: adminserver - image: "{{ .Values.adminserver.image.repository }}:{{ .Values.adminserver.image.tag }}" - imagePullPolicy: "{{ .Values.adminserver.image.pullPolicy }}" - resources: -{{ toYaml .Values.adminserver.resources | indent 10 }} - envFrom: - - configMapRef: - name: "{{ template "harbor.fullname" . }}-adminserver" - - secretRef: - name: "{{ template "harbor.fullname" . }}-adminserver" - env: - - name: PORT - value: "8080" - - name: JSON_CFG_STORE_PATH - value: /etc/adminserver/config/config.json - - name: KEY_PATH - value: /etc/adminserver/key - ports: - - containerPort: 8080 - volumeMounts: - - name: data - mountPath: /etc/adminserver/config - - name: adminserver-key - mountPath: /etc/adminserver/key - subPath: key - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - {{- if not .Values.persistence.enabled }} - - name: data - hostPath: - path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/adminserver - {{- end }} - - name: adminserver-key - secret: - secretName: "{{ template "harbor.fullname" . }}-adminserver" - items: - - key: secretKey - path: key - {{- with .Values.adminserver.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.adminserver.affinity }} - affinity: -{{ toYaml . 
| indent 8 }} - {{- end }} - {{- with .Values.adminserver.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: [{{ .Values.adminserver.volumes.config.accessMode | quote }}] - {{- if .Values.adminserver.volumes.config.storageClass }} - {{- if (eq "-" .Values.adminserver.volumes.config.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.adminserver.volumes.config.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ .Values.adminserver.volumes.config.size | quote }} - {{- end -}} diff --git a/templates/chartmuseum/chartmuseum-cm.yaml b/templates/chartmuseum/chartmuseum-cm.yaml new file mode 100644 index 0000000000000000000000000000000000000000..272c515daa523a49f5287ff8e906f862a9540895 --- /dev/null +++ b/templates/chartmuseum/chartmuseum-cm.yaml 
@@ -0,0 +1,99 @@ +{{- if .Values.chartmuseum.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.chartmuseum" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + PORT: "9999" + CACHE: "redis" + CACHE_REDIS_ADDR: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}" + CACHE_REDIS_DB: "{{ template "harbor.redis.chartmuseumDatabaseIndex" . }}" + BASIC_AUTH_USER: "chart_controller" + DEPTH: "1" +{{- if eq .Values.logLevel "debug" }} + DEBUG: "true" +{{- else }} + DEBUG: "false" +{{- end }} + LOG_JSON: "true" + DISABLE_METRICS: "false" + DISABLE_API: "false" + DISABLE_STATEFILES: "false" + ALLOW_OVERWRITE: "true" + #CHART_URL: {{ .Values.externalURL }}/chartrepo + AUTH_ANONYMOUS_GET: "false" + TLS_CERT: + TLS_KEY: + CONTEXT_PATH: + INDEX_LIMIT: "0" + MAX_STORAGE_OBJECTS: "0" + MAX_UPLOAD_SIZE: "20971520" + CHART_POST_FORM_FIELD_NAME: "chart" + PROV_POST_FORM_FIELD_NAME: "prov" +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $storageType := $storage.type }} +{{- if eq $storageType "filesystem" }} + STORAGE: "local" + STORAGE_LOCAL_ROOTDIR: "/chart_storage" +{{- else if eq $storageType "azure" }} + STORAGE: "microsoft" + STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }} + AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }} + STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts" +{{- else if eq $storageType "gcs" }} + STORAGE: "google" + STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} + GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json + {{- if $storage.gcs.rootdirectory }} + STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} + {{- end }} +{{- else if eq $storageType "s3" }} + STORAGE: "amazon" + STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }} + {{- if $storage.s3.rootdirectory }} + STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }} + {{- end }} + STORAGE_AMAZON_REGION: {{ $storage.s3.region }} + {{- if $storage.s3.regionendpoint }} + 
STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.accesskey }} + AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }} + {{- end }} +{{- else if eq $storageType "swift" }} + STORAGE: "openstack" + STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }} + {{- if $storage.swift.secretkey }} + STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.secretkey }} + STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }} + {{- end }} + OS_AUTH_URL: {{ $storage.swift.authurl }} + OS_USERNAME: {{ $storage.swift.username }} + {{- if $storage.swift.secretkey }} + OS_PROJECT_ID: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.secretkey }} + OS_PROJECT_NAME: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.secretkey }} + OS_DOMAIN_ID: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.secretkey }} + OS_DOMAIN_NAME: {{ $storage.swift.domain }} + {{- end }} +{{- else if eq $storageType "oss" }} + STORAGE: "alibaba" + STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }} + {{- if $storage.oss.secretkey }} + STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- if $storage.oss.secretkey }} + STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }} + {{- end }} + ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml new file mode 100644 index 0000000000000000000000000000000000000000..69579787a48953a0c2bf8757ced14a9e66bdd6ce --- /dev/null +++ b/templates/chartmuseum/chartmuseum-dpl.yaml 
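Review bot: In the `swift` and `oss` branches the guards are copy-pasted from the s3 `secretkey` check: `STORAGE_OPENSTACK_PREFIX`, `STORAGE_OPENSTACK_REGION`, `OS_PROJECT_ID`, `OS_PROJECT_NAME`, `OS_DOMAIN_ID`, `OS_DOMAIN_NAME`, `STORAGE_ALIBABA_PREFIX` and `STORAGE_ALIBABA_ENDPOINT` are each emitted when `secretkey` is set rather than when their own value is, so a configured prefix or endpoint is silently dropped when no secret key is given, and a bare `OS_PROJECT_ID:` (YAML null) is emitted when it is. Each guard should test the field it wraps, as in the rewrite below. The `gcs` branch sets `GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json`, but the deployment in this commit mounts only `chartmuseum-data` and `etc-localtime` and the secret template carries only a TODO for the key file, so that path never exists in the container and the gcs backend cannot work yet. Lastly `TLS_CERT:`, `TLS_KEY:` and `CONTEXT_PATH:` are now bare keys (null) where the deleted `templates/chartmuseum/configmap.yaml` had `""`; restoring the explicit empty strings keeps the ConfigMap `data` values string-typed.
```yaml
# … unchanged: filesystem / azure / gcs / s3 branches …
{{- else if eq $storageType "swift" }}
  STORAGE: "openstack"
  STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }}
  {{- if $storage.swift.prefix }}
  STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }}
  {{- end }}
  {{- if $storage.swift.region }}
  STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }}
  {{- end }}
  OS_AUTH_URL: {{ $storage.swift.authurl }}
  OS_USERNAME: {{ $storage.swift.username }}
  {{- if $storage.swift.tenantid }}
  OS_PROJECT_ID: {{ $storage.swift.tenantid }}
  {{- end }}
  {{- if $storage.swift.tenant }}
  OS_PROJECT_NAME: {{ $storage.swift.tenant }}
  {{- end }}
  {{- if $storage.swift.domainid }}
  OS_DOMAIN_ID: {{ $storage.swift.domainid }}
  {{- end }}
  {{- if $storage.swift.domain }}
  OS_DOMAIN_NAME: {{ $storage.swift.domain }}
  {{- end }}
{{- else if eq $storageType "oss" }}
  STORAGE: "alibaba"
  STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }}
  {{- if $storage.oss.rootdirectory }}
  STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }}
  {{- end }}
  {{- if $storage.oss.endpoint }}
  STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }}
  {{- end }}
  ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }}
{{- end }}
```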
@@ -0,0 +1,85 @@ +{{- if .Values.chartmuseum.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.chartmuseum" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: chartmuseum +spec: + replicas: {{ .Values.chartmuseum.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: chartmuseum + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: chartmuseum + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if .Values.chartmuseum.podAnnotations }} +{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: chartmuseum + image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /health + port: 9999 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /health + port: 9999 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.chartmuseum.resources }} + resources: +{{ toYaml .Values.chartmuseum.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.chartmuseum" . }}" + - secretRef: + name: "{{ template "harbor.chartmuseum" . }}" + env: + - name: BASIC_AUTH_PASS + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . 
 }}
+ key: secret
+ ports:
+ - containerPort: 9999
+ volumeMounts:
+ - name: chartmuseum-data
+ mountPath: /chart_storage
+ - name: etc-localtime
+ mountPath: /etc/localtime
+ volumes:
+ - name: etc-localtime
+ hostPath:
+ path: /etc/localtime
+ - name: chartmuseum-data
+ hostPath:
+ path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/chartmuseum
+ {{- with .Values.chartmuseum.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.chartmuseum.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.chartmuseum.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/templates/chartmuseum/chartmuseum-secret.yaml b/templates/chartmuseum/chartmuseum-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cc198671594998cb8326b19e37bd90aebf016b9c
--- /dev/null
+++ b/templates/chartmuseum/chartmuseum-secret.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.chartmuseum.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ template "harbor.chartmuseum" . }}"
+ labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: Opaque
+data:
+ CACHE_REDIS_PASSWORD: {{ include "harbor.redis.rawPassword" . | b64enc | quote }}
+{{- $storage := .Values.persistence.imageChartStorage }}
+{{- $storageType := $storage.type }}
+{{- if eq $storageType "azure" }}
+ AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }}
+{{- else if eq $storageType "gcs" }}
+ # TODO support the keyfile of gcs
+{{- else if eq $storageType "s3" }}
+ {{- if $storage.s3.secretkey }}
+ AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }}
+ {{- end }}
+{{- else if eq $storageType "swift" }}
+ OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
+{{- else if eq $storageType "oss" }}
+ ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
+{{- end }}
+{{- end }}
\ No newline at end of file
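Review bot: The `chartmuseum-data` volume is a `hostPath` at `/data/{{ .Release.Namespace }}/{{ .Release.Name }}/chartmuseum` and is mounted unconditionally, while the ConfigMap in this commit points chartmuseum at `/chart_storage` only when `persistence.imageChartStorage.type` is `filesystem`. With `chartmuseum.replicas` above 1 each pod writes to its own node's directory, so the chart index diverges between replicas and is lost when a pod is rescheduled elsewhere; a hostPath mount also gives the container direct write access to the node filesystem, the pod sets no `securityContext`, and restricted pod security policies reject hostPath outright. Wrapping both the mount and the volume in `{{- if eq .Values.persistence.imageChartStorage.type "filesystem" }}` … `{{- end }}` removes it for the object-storage backends; for the filesystem backend a PersistentVolumeClaim, as the deleted `templates/chartmuseum/statefulset.yaml` used via `volumeClaimTemplates`, is the portable choice.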
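Review bot: `AZURE_STORAGE_ACCESS_KEY`, `OS_PASSWORD` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` pipe their values into `b64enc` unguarded, whereas the s3 branch checks `{{- if $storage.s3.secretkey }}` first; when one of those keys is absent from the values the render presumably fails on `b64enc` with a type error that does not name the missing setting. Helm's `required` gives an actionable message instead, e.g. `OS_PASSWORD: {{ required "persistence.imageChartStorage.swift.password is required" $storage.swift.password | b64enc | quote }}`, and the same form suits the azure and oss secrets.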
diff --git a/templates/chartmuseum/service.yaml b/templates/chartmuseum/chartmuseum-svc.yaml similarity index 64% rename from templates/chartmuseum/service.yaml rename to templates/chartmuseum/chartmuseum-svc.yaml index 1034fc1471037984eb30d67698c4c513bca17bd7..49a3bb51dd2b8d85c50cea1624ccb20fae9d05c2 100644 --- a/templates/chartmuseum/service.yaml +++ b/templates/chartmuseum/chartmuseum-svc.yaml @@ -2,15 +2,14 @@ apiVersion: v1 kind: Service metadata: - name: "{{ template "harbor.fullname" . }}-chartmuseum" + name: "{{ template "harbor.chartmuseum" . }}" labels: {{ include "harbor.labels" . | indent 4 }} spec: ports: - - name: http - port: 80 + - port: 80 targetPort: 9999 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-chartmuseum + component: chartmuseum {{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/configmap.yaml b/templates/chartmuseum/configmap.yaml deleted file mode 100644 index a6d2015865c67e1757bb9f7b6fe737c8c9cbf82a..0000000000000000000000000000000000000000 --- a/templates/chartmuseum/configmap.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.fullname" . }}-chartmuseum" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - PORT: "9999" - CACHE: "redis" - CACHE_REDIS_ADDR: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}" - CACHE_REDIS_DB: "{{ template "harbor.redis.databaseIndex" }}" - BASIC_AUTH_USER: "chart_controller" - DEPTH: "1" - STORAGE: "local" - STORAGE_LOCAL_ROOTDIR: "/chart_storage" - DEBUG: "false" - LOG_JSON: "true" - DISABLE_METRICS: "false" - DISABLE_API: "false" - DISABLE_STATEFILES: "false" - ALLOW_OVERWRITE: "true" - CHART_URL: "" - AUTH_ANONYMOUS_GET: "false" - TLS_CERT: "" - TLS_KEY: "" - CONTEXT_PATH: "" - INDEX_LIMIT: "0" - MAX_STORAGE_OBJECTS: "0" - MAX_UPLOAD_SIZE: "20971520" - CHART_POST_FORM_FIELD_NAME: "chart" - PROV_POST_FORM_FIELD_NAME: "prov" -{{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/secret.yaml b/templates/chartmuseum/secret.yaml deleted file mode 100644 index 8266171e0ead6354e0343c30bcc6828be711672e..0000000000000000000000000000000000000000 --- a/templates/chartmuseum/secret.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.fullname" . }}-chartmuseum" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - CACHE_REDIS_PASSWORD: "{{ template "harbor.redis.password" }}" - BASIC_AUTH_PASS: {{ .Values.ui.secret | b64enc | quote }} -{{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/statefulset.yaml b/templates/chartmuseum/statefulset.yaml deleted file mode 100644 index 5699109754d16a322f020f8b227a7d0301e51d69..0000000000000000000000000000000000000000 --- a/templates/chartmuseum/statefulset.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ template "harbor.fullname" . }}-chartmuseum" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-chartmuseum - version: {{ .Values.chartmuseum.image.tag }} -spec: - replicas: 1 - serviceName: "{{ template "harbor.fullname" . }}-chartmuseum" - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - app: harbor-chartmuseum - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-chartmuseum - version: {{ .Values.chartmuseum.image.tag }} - spec: - containers: - - name: chartmuseum - image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }} - imagePullPolicy: {{ .Values.chartmuseum.image.pullPolicy }} - resources: -{{ toYaml .Values.chartmuseum.resources | indent 10 }} - envFrom: - - configMapRef: - name: "{{ template "harbor.fullname" . }}-chartmuseum" - - secretRef: - name: "{{ template "harbor.fullname" . }}-chartmuseum" - ports: - - containerPort: 9999 - # TODO: update it after moving the storage out of registry scope - {{- if (.Values.persistence.enabled) and eq .Values.registry.storage.type "filesystem" }} - volumeMounts: - - name: data - mountPath: /chart_storage - {{- end }} - {{- with .Values.chartmuseum.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if (.Values.persistence.enabled) and eq .Values.registry.storage.type "filesystem" }} - volumeClaimTemplates: - - metadata: - name: data - labels: -{{ include "harbor.labels" . 
| indent 8 }} - spec: - accessModes: [{{ .Values.chartmuseum.volumes.data.accessMode | quote }}] - {{- if .Values.chartmuseum.volumes.data.storageClass }} - {{- if (eq "-" .Values.chartmuseum.volumes.data.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.chartmuseum.volumes.data.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ .Values.chartmuseum.volumes.data.size | quote }} - {{- end -}} -{{- end }} \ No newline at end of file diff --git a/templates/clair/configmap.yaml b/templates/clair/clair-cm.yaml similarity index 78% rename from templates/clair/configmap.yaml rename to templates/clair/clair-cm.yaml index f707b283ac4a7d13a504d66d3087a512ae90e052..f2ada30f309e13f417fc36b9a90ddd9cb1b14854 100644 --- a/templates/clair/configmap.yaml +++ b/templates/clair/clair-cm.yaml @@ -2,10 +2,10 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "harbor.fullname" . }}-clair + name: {{ template "harbor.clair" . }} labels: {{ include "harbor.labels" . | indent 4 }} - app: harbor-clair + component: clair data: config.yaml: | clair: @@ -25,11 +25,11 @@ data: # Deadline before an API request will respond with a 503 timeout: 300s updater: - interval: 12h + interval: {{ .Values.clair.updatersInterval }}h notifier: attempts: 3 renotifyinterval: 2h http: - endpoint: "http://{{ template "harbor.fullname" . }}-ui/service/notifications/clair" + endpoint: "http://{{ template "harbor.core" . }}/service/notifications/clair" {{ end }} diff --git a/templates/clair/clair-dpl.yaml b/templates/clair/clair-dpl.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4893477241dc6a60d103ab27df02301f9f61d029 --- /dev/null +++ b/templates/clair/clair-dpl.yaml 
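Review bot: `interval: {{ .Values.clair.updatersInterval }}h` has no default, so an unset or empty `clair.updatersInterval` renders `interval: h`, which Clair will presumably reject at startup rather than fall back to the previous hard-coded 12h; `interval: {{ .Values.clair.updatersInterval | default 12 }}h` keeps the old value as the fallback. Because the value lands inside the `config.yaml: |` block scalar, YAML typing is not a concern here, but the rendered text must still be a valid Go duration, so values.yaml should document that this is an integer number of hours. The notifier endpoint is plain HTTP to the core Service, consistent with the rest of the chart's in-cluster traffic; a one-line comment above `http:` noting that notifications are unencrypted inside the cluster would make that trade-off explicit.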
@@ -0,0 +1,88 @@ +{{ if .Values.clair.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.clair" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: clair +spec: + replicas: {{ .Values.clair.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: clair + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: clair + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/clair/clair-cm.yaml") . | sha256sum }} +{{- if .Values.clair.podAnnotations }} +{{ toYaml .Values.clair.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: clair + image: {{ .Values.clair.image.repository }}:{{ .Values.clair.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /health + port: 6061 + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /health + port: 6061 + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + env: + {{- if .Values.clair.httpProxy }} + - name: HTTP_PROXY + value: {{ .Values.clair.httpProxy }} + {{- end }} + {{- if .Values.clair.httpsProxy }} + - name: HTTPS_PROXY + value: {{ .Values.clair.httpsProxy }} + {{- end }} + - name: NO_PROXY + value: "{{ template "harbor.registry" . }},{{ template "harbor.core" . }}" +{{- if .Values.clair.resources }} + resources: +{{ toYaml .Values.clair.resources | indent 10 }} +{{- end }} + ports: + - containerPort: 6060 + volumeMounts: + - name: clair-config + mountPath: /etc/clair/config.yaml + subPath: config.yaml + - name: etc-localtime + mountPath: /etc/localtime + volumes: + - name: etc-localtime + hostPath: + path: /etc/localtime + - name: clair-config + configMap: + name: "{{ template "harbor.clair" . }}" + items: + - key: config.yaml + path: config.yaml + {{- with .Values.clair.nodeSelector }} + nodeSelector: +{{ toYaml . 
| indent 8 }} + {{- end }} + {{- with .Values.clair.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.clair.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{ end }} diff --git a/templates/clair/clair-svc.yaml b/templates/clair/clair-svc.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c4923bff170139d40c6b4397b6936cd408ed098d --- /dev/null +++ b/templates/clair/clair-svc.yaml @@ -0,0 +1,17 @@ +{{ if .Values.clair.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.clair" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: clair + port: 6060 + - name: health + port: 6061 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: clair +{{ end }} diff --git a/templates/clair/deployment.yaml b/templates/clair/deployment.yaml deleted file mode 100644 index 973e2786a7a2a9ef7983e4c0e7ac298d06307742..0000000000000000000000000000000000000000 --- a/templates/clair/deployment.yaml +++ /dev/null 
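Review bot: The `HTTP_PROXY` and `HTTPS_PROXY` values are inserted unquoted (`value: {{ .Values.clair.httpProxy }}`); a proxy URL carrying credentials (`http://user:pass@proxy:3128`) or any `: ` sequence breaks the YAML, and a Kubernetes env `value` must be a string in any case, so use `value: {{ .Values.clair.httpProxy | quote }}` and the same for `httpsProxy`, matching the already-quoted `NO_PROXY` line. Dropping `-insecure-tls` from the old deployment's args is a real improvement; a comment at the `args:` line such as `# TLS verification is intentionally enabled for vulnerability-source fetches` would keep someone from reintroducing the flag. The container declares no `securityContext`; if the Clair image runs as root (not visible here), `runAsNonRoot: true` plus `readOnlyRootFilesystem: true` would be appropriate since the pod only reads a ConfigMap.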
@@ -1,60 +0,0 @@ -{{ if .Values.clair.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.fullname" . }}-clair - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-clair - version: {{ .Values.clair.image.tag }} -spec: - replicas: 1 - selector: - matchLabels: -{{ include "harbor.labels" . | indent 6 }} - app: harbor-clair - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-clair - version: {{ .Values.clair.image.tag }} - spec: - containers: - - name: clair - image: {{ .Values.clair.image.repository }}:{{ .Values.clair.image.tag }} - imagePullPolicy: {{ .Values.clair.image.pullPolicy }} - args: ["-insecure-tls", "-config", "/etc/clair/config.yaml"] - resources: -{{ toYaml .Values.clair.resources | indent 10 }} - ports: - - containerPort: 6060 - volumeMounts: - - name: clair-config - mountPath: /etc/clair/config.yaml - subPath: config.yaml - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - - name: clair-config - configMap: - name: "{{ template "harbor.fullname" . }}-clair" - items: - - key: config.yaml - path: config.yaml - {{- with .Values.clair.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} diff --git a/templates/clair/service.yaml b/templates/clair/service.yaml deleted file mode 100644 index fb9adf567262efdea2dd0a92943582833e91b987..0000000000000000000000000000000000000000 --- a/templates/clair/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{ if .Values.clair.enabled }} -# clair host isn't configurable yet. this creates a service -# to get it working for now. -# see https://github.com/vmware/harbor/issues/3250 -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.fullname" . }}-clair" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: http - port: 6060 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-clair -{{ end }} diff --git a/templates/common/certificate-secret.yaml b/templates/common/certificate-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a93dd2f7c2b4333b83d491ca42e509eed3287aa9 --- /dev/null +++ b/templates/common/certificate-secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCert" .) "true" }} +{{- $cn := (required "The \"expose.tls.commonName\" is required!" (include "harbor.common-name" .)) }} +{{- $ca := genCA "harbor-ca" 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.certificate" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e7508bbfe05fbb460b3492a5880d76a2f1f723a2 --- /dev/null +++ b/templates/core/core-cm.yaml 
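Review bot: `genCA` and `genSignedCert` run on every render, so each `helm upgrade` mints a fresh CA and leaf certificate and rewrites `tls.crt`, `tls.key` and `ca.crt`; any Docker daemon or client that installed the previous `ca.crt` will fail TLS verification after the next upgrade. Unless something outside this hunk pins the Secret, document this at the top of the template, e.g. `# NOTE: CA and certificate are regenerated on every install/upgrade; supply your own TLS Secret for a stable identity`, and steer production users toward a pre-created Secret (assuming the `harbor.autoGenCert` helper disables generation in that case). With Helm 2 the rendered manifest, private key included, is also stored in the release record (ConfigMaps in the tiller namespace by default), so access to those should be restricted as tightly as to the Secret itself. The 365-day lifetime and the IP-vs-DNS SAN selection are sensible, but both deserve a mention in values.yaml.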
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = dev + enablegzip = true + + [dev] + httpport = 8080 + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "http://{{ template "harbor.core" . }}" + JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice" + REGISTRY_URL: "http://{{ template "harbor.registry" . }}:5000" + TOKEN_SERVICE_URL: "http://{{ template "harbor.core" . }}/service/token" + WITH_NOTARY: "{{ .Values.notary.enabled }}" + NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" + CFG_EXPIRATION: "5" + WITH_CLAIR: "{{ .Values.clair.enabled }}" + CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}" + CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}" + CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}" + CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}" + CLAIR_DB_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" + CHART_REPOSITORY_URL: "http://{{ template "harbor.chartmuseum" . }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + SYNC_REGISTRY: "false" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL: "{{ template "harbor.redisForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redisForGC" . }}" + PORTAL_URL: "http://{{ template "harbor.portal" . 
}}" + REGISTRYCTL_URL: "http://{{ template "harbor.registry" . }}:8080" + CLAIR_HEALTH_CHECK_SERVER_URL: "http://{{ template "harbor.clair" . }}:6061" \ No newline at end of file diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5d4d8d03a73f79c969d137c0795fbde43f286102 --- /dev/null +++ b/templates/core/core-dpl.yaml 
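Review bot: `CLAIR_URL` and `JOBSERVICE_URL` are built from `{{ template "harbor.fullname" . }}-clair` / `-jobservice`, while every other URL in this ConfigMap, including `CLAIR_HEALTH_CHECK_SERVER_URL` two lines below, uses the component helpers `harbor.clair`, `harbor.core`, `harbor.registry`; if those helpers ever diverge from `<fullname>-<component>`, these two entries point at a Service that does not exist. Use `CLAIR_URL: "http://{{ template "harbor.clair" . }}:6060"` and `JOBSERVICE_URL: "http://{{ template "harbor.jobservice" . }}"`, which also matches the core Deployment in this commit, where the jobservice secret is already referenced via `harbor.jobservice`. Separately, `runmode = dev` in `app.conf` looks like a Beego runmode; if dev mode changes error verbosity, a one-line comment saying the setting is intentional would prevent it being read as a leftover.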
@@ -0,0 +1,125 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/ping + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/ping + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: "{{ template "harbor.jobservice" . 
}}" + key: secret + ports: + - containerPort: 8080 + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tokenServicePrivateKey + - name: etc-localtime + mountPath: /etc/localtime + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca/ca.crt + subPath: ca.crt + {{- end }} + - name: psc + mountPath: /etc/core/token +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: etc-localtime + hostPath: + path: /etc/localtime + - name: config + configMap: + name: {{ template "harbor.core" . }} + - name: secret-key + secret: + secretName: {{ template "harbor.core" . }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + secretName: "{{ template "harbor.certificate-secret" . }}" + items: + - key: ca.crt + path: ca.crt + {{- end }} + - name: psc + emptyDir: {} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} \ No newline at end of file diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..860f43351da5964291bcddc178319611d8c660d3 --- /dev/null +++ b/templates/core/core-secret.yaml 
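Review bot: `envFrom: - secretRef: name: {{ template "harbor.core" . }}` injects every key of the core Secret as an environment variable, and per core-secret.yaml in this same commit that includes `tokenServicePrivateKey`, `tokenServiceRootCertBundle` and `secretKey`, even though those are already mounted as files under `/etc/core/`. Environment variables leak far more easily than mounted files (child processes, `/proc/<pid>/environ`, crash dumps, `kubectl exec ... env`), so keep `envFrom` for the ConfigMap only and list the values core actually reads from the environment (presumably `HARBOR_ADMIN_PASSWORD`, `POSTGRESQL_PASSWORD` and `CLAIR_DB_PASSWORD`; confirm against the core image) as explicit `env` entries with `secretKeyRef`, next to the existing `CORE_SECRET` and `JOBSERVICE_SECRET`. The `psc` emptyDir mounted at `/etc/core/token` has no comment; a short note on what it holds would help the next reader.

```yaml
          envFrom:
            - configMapRef:
                name: "{{ template "harbor.core" . }}"
          env:
            # … unchanged: CORE_SECRET and JOBSERVICE_SECRET entries …
            - name: HARBOR_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.core" . }}
                  key: HARBOR_ADMIN_PASSWORD
            - name: POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.core" . }}
                  key: POSTGRESQL_PASSWORD
            {{- if .Values.clair.enabled }}
            - name: CLAIR_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.core" . }}
                  key: CLAIR_DB_PASSWORD
            {{- end }}
```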
@@ -0,0 +1,20 @@ +{{- $cert := genSelfSignedCert "harbor" nil nil 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + secretKey: {{ .Values.secretKey | b64enc | quote }} + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} +{{- if not .Values.core.secretName }} + tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }} + tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }} +{{- end }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{ if .Values.clair.enabled }} + CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{ end }} diff --git a/templates/jobservice/service.yaml b/templates/core/core-svc.yaml similarity index 54% rename from templates/jobservice/service.yaml rename to templates/core/core-svc.yaml index 99cc683dbd5cbb5a4f99ab92fb875bce9278752a..84b68f6c0365cdc6cb539b5387f60c14d39076b1 100644 --- a/templates/jobservice/service.yaml +++ b/templates/core/core-svc.yaml @@ -1,14 +1,16 @@ apiVersion: v1 kind: Service metadata: - name: "{{ template "harbor.fullname" . }}-jobservice" + name: {{ template "harbor.core" . }} labels: {{ include "harbor.labels" . | indent 4 }} spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} ports: - - name: http - port: 80 + - port: 80 targetPort: 8080 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-jobservice + component: core diff --git a/templates/database/secret.yaml b/templates/database/database-secret.yaml similarity index 58% rename from templates/database/secret.yaml rename to templates/database/database-secret.yaml index 0e2e2fec2e9006fee63983afd516ff1e92580672..864aff4a184a5fae06ad6f7a3349d28d8e2bd391 100644 --- a/templates/database/secret.yaml +++ b/templates/database/database-secret.yaml 
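Review bot: `genSelfSignedCert "harbor" nil nil 365` and `randAlphaNum 16` are evaluated on every render, so unless `core.secretName` and `core.secret` are set, each `helm upgrade` rotates the token-service signing key and the inter-component `secret`, invalidating every registry bearer token issued before the upgrade and restarting the pods via the checksum annotations. That is acceptable for development but should be stated at the top of the file, e.g. `# NOTE: without core.secretName/core.secret these values are regenerated on every upgrade`, and values.yaml should tell production users to set both. `CLAIR_DB_PASSWORD` is the same `harbor.database.encryptedPassword` as `POSTGRESQL_PASSWORD`, so the Clair scanner authenticates with the same credential as core and has full access to the core schema; for an external database a separate role would be preferable, and at minimum this sharing deserves a comment. The `{{ if .Values.clair.enabled }}` / `{{ end }}` pair is not whitespace-trimmed like the `{{- if not .Values.core.secretName }}` block above it, leaving stray blank lines in the rendered Secret.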
@@ -2,10 +2,10 @@ apiVersion: v1 kind: Secret metadata: - name: "{{ template "harbor.fullname" . }}-database" + name: "{{ template "harbor.database" . }}" labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - POSTGRES_PASSWORD: {{ template "harbor.database.password" . }} + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{- end -}} diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0565b6a7b8d0a6d78c9704c2c3df7a242e21bb33 --- /dev/null +++ b/templates/database/database-ss.yaml 
@@ -0,0 +1,83 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + initContainers: + - name: "remove-lost-found" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . 
}}" + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + - name: etc-localtime + mountPath: /etc/localtime + volumes: + - name: etc-localtime + hostPath: + path: /etc/localtime + - name: "database-data" + hostPath: + path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/database + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- end -}} diff --git a/templates/database/service.yaml b/templates/database/database-svc.yaml similarity index 62% rename from templates/database/service.yaml rename to templates/database/database-svc.yaml index 27eb417d20e4090e0701037d3ee4e7cf51f411f6..6475048cd97a2945919fcf0558d3fba3d44b4b2b 100644 --- a/templates/database/service.yaml +++ b/templates/database/database-svc.yaml @@ -2,14 +2,13 @@ apiVersion: v1 kind: Service metadata: - name: "{{ template "harbor.fullname" . }}-database" + name: "{{ template "harbor.database" . }}" labels: {{ include "harbor.labels" . | indent 4 }} spec: ports: - - name: postgre - port: 5432 + - port: 5432 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-database + component: database {{- end -}} \ No newline at end of file diff --git a/templates/database/statefulset.yaml b/templates/database/statefulset.yaml deleted file mode 100644 index 9eae891ed85147d14515704652def79d585a498e..0000000000000000000000000000000000000000 --- a/templates/database/statefulset.yaml +++ /dev/null 
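Review bot: `$database := .Values.persistence.persistentVolumeClaim.database` is assigned on the second line and never used; the data volume is a `hostPath` at `/data/{{ .Release.Namespace }}/{{ .Release.Name }}/database`, so any `persistence.persistentVolumeClaim.database` settings a user supplies are silently ignored. Either drop the unused variable or, preferably, honour it — the statefulset.yaml deleted in this same commit shows the `volumeClaimTemplates` shape that was removed. A hostPath Postgres data directory pins the pod to one node and is readable by any other pod permitted to mount hostPath on that node, so at least add a comment above the volume such as `# single-node/dev layout: database files live on the node under /data; use a PVC for anything shared or multi-tenant`. The `remove-lost-found` init container now uses the database image instead of busybox, which is fine, but a comment explaining why `lost+found` must be removed (Postgres refuses a non-empty data directory, I believe) would help.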
@@ -1,88 +0,0 @@ -{{- if eq .Values.database.type "internal" -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ template "harbor.fullname" . }}-database" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-database - version: {{ .Values.database.internal.image.tag }} -spec: - replicas: 1 - serviceName: "{{ template "harbor.fullname" . }}-database" - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - app: harbor-database - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-database - version: {{ .Values.database.internal.image.tag }} - spec: - initContainers: - - name: "remove-lost-found" - image: "{{ .Values.busybox.image.repository }}:{{ .Values.busybox.image.tag }}" - command: - - /bin/sh - - "-c" - - "rm -Rf /var/lib/postgresql/data/lost+found" - volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - containers: - - name: database - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.database.internal.image.pullPolicy }} - resources: -{{ toYaml .Values.database.internal.resources | indent 10 }} - envFrom: - - secretRef: - name: "{{ template "harbor.fullname" . }}-database" - volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - {{- if not .Values.persistence.enabled }} - - name: data - hostPath: - path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/database - {{- end -}} - {{- with .Values.database.internal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.tolerations }} - tolerations: -{{ toYaml . 
| indent 8 }} - {{- end }} - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: "data" - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ .Values.database.internal.volumes.data.accessMode | quote }}] - {{- if .Values.database.internal.volumes.data.storageClass }} - {{- if (eq "-" .Values.database.internal.volumes.data.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.database.internal.volumes.data.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ .Values.database.internal.volumes.data.size | quote }} - {{- end -}} - {{- end -}} diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml index 3deffa4dd054c4a529c91bcce986fe2374270fbc..d0e891d471eedb996b0726bcb04fc87d6c308cd8 100644 --- a/templates/ingress/ingress.yaml +++ b/templates/ingress/ingress.yaml 
@@ -1,37 +1,83 @@ -{{ if .Values.ingress.enabled }} +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: "{{ template "harbor.fullname" . }}" + name: "{{ template "harbor.ingress.core" . }}" labels: {{ include "harbor.labels" . | indent 4 }} annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} +{{ toYaml $ingress.annotations | indent 4 }} spec: -# {{ if eq .Values.externalProtocol "https" }} -# tls: -# - hosts: -# - "{{ .Values.externalDomain }}" -# - "{{ template "harbor.notaryFQDN" . }}" -# {{ if eq .Values.ingress.tls.secretName "" }} -# secretName: "{{ template "harbor.fullname" . }}-ingress" -# {{ else }} -# secretName: {{ .Values.ingress.tls.secretName }} -# {{ end }} -# {{ end }} + {{- if .Values.expose.tls.enabled }} + tls: + - secretName: {{ template "harbor.certificate-secret" . }} + {{- if $ingress.host }} + hosts: + - {{ $ingress.host }} + {{- end }} + {{- end }} +{{- if eq .Values.expose.ingress.controller "gce" }} rules: - - host: "{{ .Values.externalDomain }}" - http: + - http: paths: - - path: / + - path: /* + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: 80 + - path: /api/* + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + - path: /service/* + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + - path: /v2/* + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + - path: /chartrepo/* backend: - serviceName: {{ template "harbor.fullname" . }}-ui + serviceName: {{ template "harbor.core" . }} servicePort: 80 - - host: "{{ template "harbor.notaryFQDN" . }}" - http: + - path: /c/* + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + {{- if $ingress.host }} + host: {{ $ingress.host }} + {{- end }} +{{- else }} + rules: + - http: paths: - path: / backend: - serviceName: {{ template "harbor.notaryServiceName" . 
}} - servicePort: 4443 -{{ end }} \ No newline at end of file + serviceName: {{ template "harbor.portal" . }} + servicePort: 80 + - path: /api/ + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + - path: /service/ + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + - path: /v2/ + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + - path: /chartrepo/ + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + - path: /c/ + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: 80 + {{- if $ingress.host }} + host: {{ $ingress.host }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/ingress/notary-ingress.yaml b/templates/ingress/notary-ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..17a436d9678f184661348f538f49a3504d169793 --- /dev/null +++ b/templates/ingress/notary-ingress.yaml @@ -0,0 +1,33 @@ +{{- if .Values.notary.enabled }} +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: "{{ template "harbor.ingress.notary" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} + {{ printf "%s: /" $ingress.rewriteAnnotation }} +spec: + {{- if .Values.expose.tls.enabled }} + tls: + - secretName: {{ template "harbor.certificate-secret" . }} + {{- if $ingress.host }} + hosts: + - {{ $ingress.host }} + {{- end }} + {{- end }} + rules: + - http: + paths: + - path: /notary/ + backend: + serviceName: {{ template "harbor.notary-server" . }} + servicePort: 4443 + {{- if $ingress.host }} + host: {{ $ingress.host }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file 
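Review bot: When `expose.ingress.host` is empty both the `tls` entry and the rules are rendered without a host, so this Ingress matches any Host header and the generated certificate becomes the controller's catch-all; since `EXT_ENDPOINT` in core-cm.yaml is fixed to `externalURL`, requests arriving under some other name still receive tokens and redirects that point at `externalURL`, which is confusing at best. Consider `{{ required "expose.ingress.host is required when expose.type is ingress" $ingress.host }}` rather than making the host optional, or document the wildcard behaviour in values.yaml. Under the non-gce rules `/` goes to the portal while the API paths go to core; with `extensions/v1beta1` path semantics are controller-specific, so a comment stating that the chart assumes nginx-style prefix matching would save a debugging session.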
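Review bot: `{{ toYaml $ingress.annotations | indent 4 }}` followed by `{{ printf "%s: /" $ingress.rewriteAnnotation }}` yields invalid YAML when `expose.ingress.annotations` is empty, because `toYaml` renders an empty map as `{}` and the rewrite key is then appended after a flow mapping; guard the first line with `{{- with $ingress.annotations }}{{ toYaml . | indent 4 }}{{- end }}` or merge the rewrite key into the map before calling `toYaml`, and make sure the printf line is indented to match the other annotation keys. The rewrite strips `/notary/` so the Notary server sees `/`, and because `rewriteAnnotation` is a values knob the behaviour depends on the controller, so a comment naming the expected controller semantics would help. Note also that this Ingress reuses the core TLS Secret, which is fine as long as the certificate's SAN covers the Notary host.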
diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml deleted file mode 100644 index 33d13ee364ab36b8171b1b88e5727dc3b4153959..0000000000000000000000000000000000000000 --- a/templates/ingress/secret.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if eq .Values.externalProtocol "https" }} -{{ if .Values.ingress.enabled }} -{{ if eq .Values.ingress.tls.secretName "" }} -{{ $ca := genCA "harbor-ca" 3650 }} -{{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.fullname" . }}-ingress" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ .Values.tlsCrt | default $cert.Cert | b64enc | quote }} - tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }} - ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }} -{{ end }} -{{ end }} -{{ end }} \ No newline at end of file diff --git a/templates/istio/notary.gateway.yaml b/templates/istio/notary.gateway.yaml deleted file mode 100644 index 73bae82b8e9779c2b7588e40d5d4bd665375daae..0000000000000000000000000000000000000000 --- a/templates/istio/notary.gateway.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{ if .Values.istio.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: {{ template "harbor.fullname" . }}-notary -spec: - selector: - istio: ingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "{{ template "harbor.notaryFQDN" . }}" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: {{ template "harbor.fullname" . }}-notary -spec: - hosts: - - "{{ template "harbor.notaryFQDN" . }}" - gateways: - - {{ template "harbor.fullname" . }}-notary - http: - - route: - - destination: - host: {{ template "harbor.notaryServiceName" . }} - port: - number: 4443 -{{ end }} 
diff --git a/templates/istio/ui.gateway.yaml b/templates/istio/ui.gateway.yaml deleted file mode 100644 index 31be8f5b1e3e2045d3c1efe3f414074367e0006a..0000000000000000000000000000000000000000 --- a/templates/istio/ui.gateway.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{ if .Values.istio.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: {{ template "harbor.fullname" . }}-ui -spec: - selector: - istio: ingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "{{ .Values.externalDomain }}" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: {{ template "harbor.fullname" . }}-ui -spec: - hosts: - - "{{ .Values.externalDomain }}" - gateways: - - {{ template "harbor.fullname" . }}-ui - http: - - route: - - destination: - host: {{ template "harbor.fullname" . }}-ui - port: - number: 80 -{{ end }} diff --git a/templates/jobservice/configmap.yaml b/templates/jobservice/configmap.yaml deleted file mode 100644 index b52c03feddbbdd12f148f9c2e038b2e0e8871d2d..0000000000000000000000000000000000000000 --- a/templates/jobservice/configmap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.fullname" . }}-jobservice" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - protocol: "http" - port: 8080 - worker_pool: - workers: {{ .Values.jobservice.maxWorkers }} - backend: "redis" - redis_pool: - redis_url: "{{ template "harbor.redisForJobservice" . }}" - namespace: "harbor_job_service_namespace" - logger: - path: "/var/log/jobs" - level: "INFO" - archive_period: 14 #days - admin_server: "http://{{ template "harbor.fullname" . }}-adminserver" diff --git a/templates/jobservice/deployment.yaml b/templates/jobservice/deployment.yaml deleted file mode 100644 index ee27e2618f6f860d839746602543a452545a20ce..0000000000000000000000000000000000000000 
--- a/templates/jobservice/deployment.yaml +++ /dev/null @@ -1,66 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.fullname" . }}-jobservice" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-jobservice - version: {{ .Values.jobservice.image.tag }} -spec: - replicas: 1 - selector: - matchLabels: -{{ include "harbor.labels" . | indent 6 }} - app: harbor-jobservice - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-jobservice - version: {{ .Values.jobservice.image.tag }} - spec: - containers: - - name: jobservice - image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} - imagePullPolicy: {{ .Values.jobservice.image.pullPolicy }} - resources: -{{ toYaml .Values.jobservice.resources | indent 10 }} - envFrom: - - secretRef: - name: "{{ template "harbor.fullname" . }}-jobservice" - env: - - name: LOG_LEVEL - value: debug - - name: GODEBUG - value: netdns=cgo - ports: - - containerPort: 8080 - volumeMounts: - - name: jobservice-config - mountPath: /etc/jobservice/config.yml - subPath: config.yml - - name: job-logs - mountPath: /var/log/jobs - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - - name: jobservice-config - configMap: - name: "{{ template "harbor.fullname" . }}-jobservice" - - name: job-logs - emptyDir: {} - {{- with .Values.jobservice.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/templates/jobservice/jobservice-cm.yaml b/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000000000000000000000000000000000..2faa9ccf3f277d716414f2e0ceeae25a26372184 --- /dev/null +++ b/templates/jobservice/jobservice-cm.yaml 
@@ -0,0 +1,39 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + protocol: "http" + port: 8080 + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redisForJobservice" . }}" + namespace: "harbor_job_service_namespace" + job_loggers: + {{- if eq .Values.jobservice.jobLogger "file" }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: 14 #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- else if eq .Values.jobservice.jobLogger "database" }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: 14 #days + {{- else }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000000000000000000000000000000000..58d492a8a253e12c9d9f1a8a40f126152584085f --- /dev/null +++ b/templates/jobservice/jobservice-dpl.yaml 
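Review bot: `redis_url: "{{ template "harbor.redisForJobservice" . }}"` writes the full Redis connection string into a ConfigMap; if that helper renders a password into the URL (its definition is not on this page), the credential becomes readable with ConfigMap read access rather than Secret access, so either confirm the helper emits no credentials or move the URL into the jobservice Secret. The `#days` inline comments on the two `duration: 14` lines should be written `  # days` to satisfy yamllint's comment spacing. Since `config.yml: |+` keeps every trailing newline, the missing final newline the diff reports is harmless, but `|` would state the intent more clearly.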
@@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: "{{ template "harbor.jobservice" . }}" + key: secret + - name: CORE_URL + value: "http://{{ template "harbor.core" . }}" + - name: REGISTRY_CONTROLLER_URL + value: "http://{{ template "harbor.registry" . 
}}:8080" + - name: LOG_LEVEL + value: debug + ports: + - containerPort: 8080 + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + - name: etc-localtime + mountPath: /etc/localtime + volumes: + - name: etc-localtime + hostPath: + path: /etc/localtime + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + emptyDir: {} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e08f7ce58bbb3b7bfef3f9b61df9d867503f0d63 --- /dev/null +++ b/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} diff --git a/templates/ui/service.yaml b/templates/jobservice/jobservice-svc.yaml similarity index 65% rename from templates/ui/service.yaml rename to templates/jobservice/jobservice-svc.yaml index fbd75ee82e647df340f605774a185ccfbdad2272..2b5d47fd3708f7be81b0c16f31707fd3750f703f 100644 --- a/templates/ui/service.yaml +++ b/templates/jobservice/jobservice-svc.yaml 
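Review bot: `LOG_LEVEL` is hardcoded to `debug` in the container env while jobservice-cm.yaml in the same change derives every logger level from `.Values.logLevel`, so the deployment ignores the operator's log-level setting and will emit debug-level output in production; `value: {{ .Values.logLevel }}` keeps the two in step. The `etc-localtime` hostPath volume also requires a pod security policy or equivalent that permits hostPath, which nothing here mentions; a one-line comment on the volume saying the mount is intentional would save operators a failed rollout. No `securityContext` is set on the container either; if that is deliberate for this image, it is worth a comment, otherwise `runAsNonRoot: true` is a cheap addition.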
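Review bot: `secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}` produces a new random value on every template render, so each `helm upgrade` without an explicit `jobservice.secret` rotates the secret, and the `checksum/secret` annotation in jobservice-dpl.yaml then restarts the jobservice pods; any peer that still holds the previous value until its own rollout completes will fail to authenticate during that window. A comment beside this line such as `# regenerated on every render unless jobservice.secret is set; pin it for stable upgrades` (or the same note in values.yaml) would make the behaviour explicit.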
@@ -1,14 +1,13 @@ apiVersion: v1 kind: Service metadata: - name: "{{ template "harbor.fullname" . }}-ui" + name: "{{ template "harbor.jobservice" . }}" labels: {{ include "harbor.labels" . | indent 4 }} spec: ports: - - name: http - port: 80 + - port: 80 targetPort: 8080 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-ui + component: jobservice diff --git a/templates/jobservice/secret.yaml b/templates/jobservice/secret.yaml deleted file mode 100644 index 64264802c6e0e262a0c3e3fae089c67b46cbe4b3..0000000000000000000000000000000000000000 --- a/templates/jobservice/secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.fullname" . }}-jobservice" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - secretKey: {{ .Values.secretKey | b64enc | quote }} - JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }} - UI_SECRET: {{ .Values.ui.secret | b64enc | quote }} \ No newline at end of file diff --git a/templates/nginx/configmap-http.yaml b/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000000000000000000000000000000000..2cd02fa67a3747c0257e574ec9a983c2a0872c3b --- /dev/null +++ b/templates/nginx/configmap-http.yaml 
@@ -0,0 +1,132 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + + events { + worker_connections 1024; + use epoll; + multi_accept on; + } + + http { + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server {{ template "harbor.core" . }}; + } + + upstream portal { + server {{ template "harbor.portal" . }}; + } + + log_format timed_combined '$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + server { + listen 80; + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + location / { + proxy_pass http://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass http://core/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
+ proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass http://core/chartrepo/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass http://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass http://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass http://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
+ proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} + \ No newline at end of file diff --git a/templates/nginx/configmap-https.yaml b/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e962eb24005ba15b90c623f2ea03c18d2c9ab5cc --- /dev/null +++ b/templates/nginx/configmap-https.yaml 
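Review bot: The `location /v2/` block forwards `Host $http_host` while `/api/`, `/c/`, `/service/` and `/chartrepo/` forward `Host $host`, which drops any non-default port from the header; when Harbor is exposed on a nodePort, URLs the backend derives from the Host header can then point at the wrong port. Using `$http_host` in every `proxy_set_header Host` line would remove the discrepancy; configmap-https.yaml in this change has the same mix (`$host` in `/api/`, `/chartrepo/` and `/c/`, `$http_host` elsewhere). I have not verified which Harbor endpoints echo the Host header, so confirm the port impact before changing all of them.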
@@ -0,0 +1,175 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + + events { + worker_connections 1024; + use epoll; + multi_accept on; + } + + http { + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server {{ template "harbor.core" . }}; + } + + upstream portal { + server {{ template "harbor.portal" . }}; + } + + {{- if .Values.notary.enabled }} + upstream notary-server { + server {{ template "harbor.notary-server" . }}:4443; + } + {{- end }} + + log_format timed_combined 'remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + server { + listen 443 ssl; + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + location / { + proxy_pass http://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar 
settings. + proxy_set_header X-Forwarded-Proto $scheme; + + # Add Secure flag when serving HTTPS + proxy_cookie_path / "/; secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass http://core/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass http://core/chartrepo/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass http://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass http://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. 
+ proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass http://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + {{- if .Values.notary.enabled }} + location /notary/ { + proxy_pass http://notary-server; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + + rewrite /notary/(.*) /$1 break; + } + {{- end }} + } + server { + listen 80; + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} \ No newline at end of file diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f8cd6ffcea05caa260bcc0b085a5bd0952f65f72 --- /dev/null +++ b/templates/nginx/deployment.yaml 
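Review bot: `log_format timed_combined 'remote_addr - '` is missing the `$`, so the TLS listener's access log records the literal text `remote_addr` instead of the client address; the http variant spells it `'$remote_addr - '` and this one must too, otherwise the HTTPS path leaves no usable source IP for incident investigation. `ssl_protocols TLSv1.1 TLSv1.2;` also still enables TLS 1.1, and the cipher string admits `RSA+AESGCM`/`RSA+AES` suites without forward secrecy; `ssl_protocols TLSv1.2;` with ECDHE-only suites is the current recommendation for a registry endpoint, and the `raymii.org` comment suggests the list was taken from an older revision of that guidance. Adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to the 443 server block would complement the 301 redirect on port 80.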
@@ -0,0 +1,85 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: 1 + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCert" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/common/certificate-secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + livenessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} + ports: + - containerPort: 80 + - containerPort: 443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.certificate-secret" . 
}} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d919d78faa04d6da9f0764e25d8a66d89b7fef85 --- /dev/null +++ b/templates/nginx/service.yaml 
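Review bot: `apiVersion: extensions/v1beta1` for the nginx Deployment differs from the `apps/v1` used by the jobservice, portal and notary Deployments in this change, and `extensions/v1beta1` Deployments are removed in newer Kubernetes releases, so this would be the only file to break; `apiVersion: apps/v1` keeps the chart consistent, and the `selector.matchLabels` that `apps/v1` requires is already present. No `securityContext` is set on the container; if the image needs root to bind 80/443 a brief comment saying so would help reviewers, otherwise `runAsNonRoot: true` is worth adding.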
@@ -0,0 +1,63 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: ClusterIP + ports: + - name: http + port: {{ $clusterIP.ports.http }} + targetPort: 80 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.https }} + targetPort: 443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 80 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: LoadBalancer + ports: + - name: http + port: {{ $loadBalancer.ports.http }} + targetPort: 80 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.https }} + targetPort: 443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} \ No newline at end of file diff --git a/templates/notary/configmap.yaml b/templates/notary/notary-cm.yaml similarity index 58% rename from templates/notary/configmap.yaml rename to templates/notary/notary-cm.yaml index c2b35d0c21ad519363a4520f5e023592b1ba4736..4ba8a3bbbc69cb2fb29f0ac14a9940f81cd6ed48 100644 
--- a/templates/notary/configmap.yaml +++ b/templates/notary/notary-cm.yaml @@ -2,19 +2,21 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "harbor.fullname" . }}-notary + name: {{ template "harbor.notary-server" . }} labels: {{ include "harbor.labels" . | indent 4 }} - app: harbor-notary + component: notary data: - {{ $ca := genCA "harbor-notary-ca" 3650 }} - {{ $cert := genSignedCert (printf "%s-notary-signer" (include "harbor.fullname" .)) nil nil 3650 $ca }} + {{ $ca := genCA "harbor-notary-ca" 365 }} + {{ $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} + {{- if not .Values.notary.secretName }} notary-signer-ca.crt: | -{{ .Values.notary.signer.caCrt | default $ca.Cert | indent 4 }} +{{ $ca.Cert | indent 4 }} notary-signer.crt: | -{{ .Values.notary.signer.tlsCrt | default $cert.Cert | indent 4 }} +{{ $cert.Cert | indent 4 }} notary-signer.key: | -{{ .Values.notary.signer.tlsKey | default $cert.Key | indent 4 }} +{{ $cert.Key | indent 4 }} + {{- end }} server-config.postgres.json: | { "server": { @@ -22,13 +24,17 @@ data: }, "trust_service": { "type": "remote", - "hostname": "{{ template "harbor.fullname" . }}-notary-signer", + "hostname": "{{ template "harbor.notary-signer" . }}", "port": "7899", +{{- if not .Values.notary.secretName }} "tls_ca_file": "./notary-signer-ca.crt", +{{- else }} + "tls_ca_file": "/etc/ssl/notary/cert/notary-signer-ca.crt", +{{- end }} "key_algorithm": "ecdsa" }, "logging": { - "level": "debug" + "level": "{{ .Values.logLevel }}" }, "storage": { "backend": "postgres", @@ -37,7 +43,7 @@ data: "auth": { "type": "token", "options": { - "realm": "{{ template "harbor.externalURL" . }}/service/token", + "realm": "{{ .Values.externalURL }}/service/token", "service": "harbor-notary", "issuer": "harbor-token-issuer", "rootcertbundle": "/root.crt" 
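Review bot: The generated signer private key (`notary-signer.key: |` / `{{ $cert.Key | indent 4 }}`) is written into a ConfigMap rather than a Secret, so anyone with ConfigMap read access in the namespace can obtain the key that authenticates the signer to the server, and the `{{- if not .Values.notary.secretName }}` guard only avoids this when the operator supplies their own Secret; notary-server.yaml additionally mounts this whole ConfigMap at `/etc/notary`, so the server pod receives the signer key as well. The key material should live in a Secret mounted only into the signer pod (this change already references a `harbor.certificate-secret` Secret template for nginx, which could serve as the pattern). Note also that `genCA "harbor-notary-ca" 365` runs on every render, so each `helm upgrade` issues a fresh CA and certificate and the `checksum/configmap` annotations on the notary Deployments restart both pods; a comment on these two lines stating that per-upgrade rotation is intended, or pointing to `notary.secretName` for stable installs, would record the trade-off. This applies to the first hunk of this file; the later hunks only switch the file paths accordingly.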
@@ -48,11 +54,16 @@ data: { "server": { "grpc_addr": ":7899", +{{- if not .Values.notary.secretName }} "tls_cert_file": "./notary-signer.crt", "tls_key_file": "./notary-signer.key" +{{- else }} + "tls_cert_file": "/etc/ssl/notary/cert/notary-signer.crt", + "tls_key_file": "/etc/ssl/notary/cert/notary-signer.key" +{{- end }} }, "logging": { - "level": "debug" + "level": "{{ .Values.logLevel }}" }, "storage": { "backend": "postgres", diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml index a1befe115f37d2a16be452c737ae098cf90e3923..b96c9dff5b8ebfc332f47a2b0b4699839e4e4c89 100644 --- a/templates/notary/notary-server.yaml +++ b/templates/notary/notary-server.yaml 
@@ -2,30 +2,36 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "harbor.fullname" . }}-notary-server + name: {{ template "harbor.notary-server" . }} labels: {{ include "harbor.labels" . | indent 4 }} - app: harbor-notary-server - version: {{ .Values.notary.server.image.tag }} + component: notary-server spec: - replicas: 1 + replicas: {{ .Values.notary.server.replicas }} selector: matchLabels: -{{ include "harbor.labels" . | indent 6 }} - app: harbor-notary-server +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-server template: metadata: labels: {{ include "harbor.labels" . | indent 8 }} - app: harbor-notary-server - version: {{ .Values.notary.server.image.tag }} + component: notary-server + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/notary/notary-cm.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if .Values.notary.podAnnotations }} +{{ toYaml .Values.notary.podAnnotations | indent 8 }} +{{- end }} spec: containers: - name: notary-server image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} - imagePullPolicy: {{ .Values.notary.server.image.pullPolicy }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.notary.server.resources }} resources: {{ toYaml .Values.notary.server.resources | indent 10 }} +{{- end }} env: - name: MIGRATIONS_PATH value: migrations/server/postgresql 
@@ -34,21 +40,35 @@ spec: volumeMounts: - name: notary-config mountPath: /etc/notary + - name: etc-localtime + mountPath: /etc/localtime - name: root-certificate mountPath: /root.crt subPath: tokenServiceRootCertBundle - - name: etc-localtime - mountPath: /etc/localtime + {{- if .Values.notary.secretName }} + - name: notary-ca + mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt + subPath: ca + {{- end }} volumes: - name: etc-localtime hostPath: path: /etc/localtime - name: notary-config configMap: - name: "{{ template "harbor.fullname" . }}-notary" + name: "{{ template "harbor.notary-server" . }}" - name: root-certificate secret: - secretName: "{{ template "harbor.fullname" . }}-ui" + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.notary.secretName }} + - name: notary-ca + secret: + secretName: {{ .Values.notary.secretName }} + {{- end }} {{- with .Values.notary.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml index f56297123b96024157082e82164c3cda4c59b03a..5af3fbe59db36edb8bf602e026c910d67bc4260f 100644 --- a/templates/notary/notary-signer.yaml +++ b/templates/notary/notary-signer.yaml 
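Review bot: The `notary-ca` volume is mounted with `subPath: ca`, and Kubernetes does not refresh subPath mounts when the underlying Secret changes, so a rotated CA in `notary.secretName` would not reach a running notary-server pod until it restarts; the annotations added in the first hunk cover only the ConfigMap and the core secret, so nothing triggers that restart either. Mounting the Secret as a directory, or adding a `checksum` annotation over `.Values.notary.secretName`, would close the gap. The same subPath pattern appears in notary-signer.yaml in this change.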
@@ -2,47 +2,77 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "harbor.fullname" . }}-notary-signer + name: {{ template "harbor.notary-signer" . }} labels: {{ include "harbor.labels" . | indent 4 }} - app: harbor-notary-signer - version: {{ .Values.notary.signer.image.tag }} + component: notary-signer spec: - replicas: 1 + replicas: {{ .Values.notary.signer.replicas }} selector: matchLabels: -{{ include "harbor.labels" . | indent 6 }} - app: harbor-notary-signer +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-signer template: metadata: labels: {{ include "harbor.labels" . | indent 8 }} - app: harbor-notary-signer - version: {{ .Values.notary.signer.image.tag }} + component: notary-signer + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/notary/notary-cm.yaml") . | sha256sum }} spec: containers: - name: notary-signer image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} - imagePullPolicy: {{ .Values.notary.signer.image.pullPolicy }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.notary.signer.resources }} resources: {{ toYaml .Values.notary.signer.resources | indent 10 }} +{{- end }} env: - name: MIGRATIONS_PATH value: migrations/signer/postgresql - name: DB_URL value: {{ template "harbor.database.notarySigner" . 
}} - name: NOTARY_SIGNER_DEFAULTALIAS - value: {{ .Values.notary.signer.env.NOTARY_SIGNER_DEFAULTALIAS }} + value: defaultalias volumeMounts: - name: notary-config mountPath: /etc/notary - name: etc-localtime - mountPath: /etc/localtime + mountPath: /etc/localtime + {{- if .Values.notary.secretName }} + - name: notary-cert + mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt + subPath: ca + - name: notary-cert + mountPath: /etc/ssl/notary/cert/notary-signer.crt + subPath: crt + - name: notary-cert + mountPath: /etc/ssl/notary/cert/notary-signer.key + subPath: key + {{- end }} volumes: - name: etc-localtime hostPath: path: /etc/localtime - name: notary-config configMap: - name: "{{ template "harbor.fullname" . }}-notary" + name: "{{ template "harbor.notary-server" . }}" + {{- if .Values.notary.secretName }} + - name: notary-cert + secret: + secretName: {{ .Values.notary.secretName }} + {{- end }} + {{- with .Values.notary.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} {{ end }} diff --git a/templates/notary/service.yaml b/templates/notary/notary-svc.yaml similarity index 61% rename from templates/notary/service.yaml rename to templates/notary/notary-svc.yaml index 37cda55414955561247591e087c287c4f4cfdb20..f02ba3c14de5a7615db985d2bd38377556af1361 100644 --- a/templates/notary/service.yaml +++ b/templates/notary/notary-svc.yaml 
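Review bot: `NOTARY_SIGNER_DEFAULTALIAS` is now fixed to `defaultalias` instead of reading `.Values.notary.signer.env.NOTARY_SIGNER_DEFAULTALIAS`, which removes the operator's ability to choose the alias; if that is intentional a comment such as `# alias is fixed by the chart; not operator-configurable` should say so, otherwise keep it value-driven. I cannot see from this page how the signer image consumes the alias, so verify that before hardcoding. Separately, the context line `value: {{ template "harbor.database.notarySigner" . }}` under `DB_URL` places the database connection string — which plausibly carries a password — directly in the pod spec; a `valueFrom.secretKeyRef` would keep it out of `kubectl get pod -o yaml` output, though that line is pre-existing rather than introduced here.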
@@ -2,21 +2,24 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "harbor.notaryServiceName" . }} + name: {{ template "harbor.notary-server" . }} labels: {{ include "harbor.labels" . | indent 4 }} spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} ports: - port: 4443 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-notary-server + component: notary-server --- apiVersion: v1 kind: Service metadata: - name: {{ template "harbor.fullname" . }}-notary-signer + name: {{ template "harbor.notary-signer" . }} labels: {{ include "harbor.labels" . | indent 4 }} spec: @@ -24,5 +27,5 @@ spec: - port: 7899 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-notary-signer + component: notary-signer {{ end }} \ No newline at end of file diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7ddef5448d11e72b5350953fd72c35ae1683919e --- /dev/null +++ b/templates/portal/deployment.yaml 
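Review bot: Under `expose.ingress.controller: gce` the notary-server Service becomes `type: NodePort`, which opens a node port for 4443 on every node in addition to the ingress path; that is what the GCE ingress controller needs, but an operator who only firewalled the load balancer will not expect a second entry point, so a comment above the `type:` line is warranted: `# NodePort is required by the GCE ingress controller; restrict the node port with a firewall rule`. The signer Service on 7899 stays ClusterIP, which is the right choice since only notary-server should ever reach it.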
@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{ template "harbor.portal" . }}"
+ labels:
+{{ include "harbor.labels" . | indent 4 }}
+ component: portal
+spec:
+ replicas: {{ .Values.portal.replicas }}
+ selector:
+ matchLabels:
+{{ include "harbor.matchLabels" . | indent 6 }}
+ component: portal
+ template:
+ metadata:
+ labels:
+{{ include "harbor.matchLabels" . | indent 8 }}
+ component: portal
+ annotations:
+{{- if .Values.portal.podAnnotations }}
+{{ toYaml .Values.portal.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+ containers:
+ - name: portal
+ image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if .Values.portal.resources }}
+ resources:
+{{ toYaml .Values.portal.resources | indent 10 }}
+{{- end }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: etc-localtime
+ mountPath: /etc/localtime
+ volumes:
+ - name: etc-localtime
+ hostPath:
+ path: /etc/localtime
+ {{- with .Values.portal.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.portal.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.portal.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
diff --git a/templates/portal/service.yaml b/templates/portal/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..045de36f21f1870cdd7b12dfd7bee3d9c4477102
--- /dev/null
+++ b/templates/portal/service.yaml
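Review bot: The `/etc/localtime` hostPath is mounted without `readOnly: true` on the volumeMount, so a compromised portal process can write through the bind mount to the node's file; adding `readOnly: true` under `mountPath: /etc/localtime` closes that. The pod also carries no `securityContext` and resources are only rendered when `.Values.portal.resources` is set, so by default the container runs as whatever user the image picks with no limits — if the image runs nginx as root, `runAsNonRoot: true` plus a fixed `runAsUser` would be the usual hardening, though I cannot confirm the image's user from the chart alone. Minor consistency point: the pod template labels use `harbor.matchLabels` here while the notary and redis templates in this change use `harbor.labels` at the same position.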
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} + ports: + - port: 80 + targetPort: 80 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/templates/redis/deployment.yml b/templates/redis/deployment.yml deleted file mode 100644 index 00be599b5ba815ec1d459d9e29bbeffd1c3d6e9f..0000000000000000000000000000000000000000 --- a/templates/redis/deployment.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.fullname" . }}-redis - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-redis - version: {{ .Values.redis.image.tag }} -spec: - replicas: 1 - selector: - matchLabels: -{{ include "harbor.labels" . | indent 6 }} - app: harbor-redis - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-redis - version: {{ .Values.redis.image.tag }} - spec: - containers: - - name: redis - image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }} - imagePullPolicy: {{ .Values.redis.image.pullPolicy }} - args: ["--save","''","--appendonly","no"] - ports: - - name: redis - containerPort: 6379 - volumeMounts: - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime \ No newline at end of file diff --git a/templates/redis/service.yml b/templates/redis/service.yaml similarity index 55% rename from templates/redis/service.yml rename to templates/redis/service.yaml index 0d308d35bd56e6dc2df044089342b4f5f3a053f2..79c95c3e0561844fc590bc3943620af6d45785d4 100644 --- a/templates/redis/service.yml +++ b/templates/redis/service.yaml 
@@ -1,15 +1,14 @@ ---- +{{- if eq .Values.redis.type "internal" -}} apiVersion: v1 kind: Service metadata: - name: {{ template "harbor.fullname" . }}-redis + name: {{ template "harbor.redis" . }} labels: {{ include "harbor.labels" . | indent 4 }} - app: harbor-redis spec: + ports: + - port: 6379 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-redis - ports: - - name: redis - port: 6379 \ No newline at end of file + component: redis +{{- end -}} \ No newline at end of file diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml new file mode 100644 index 0000000000000000000000000000000000000000..712efdeb82207e9bea232f6cc117b158bd741b41 --- /dev/null +++ b/templates/redis/statefulset.yaml 
@@ -0,0 +1,67 @@
+{{- if eq .Values.redis.type "internal" -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "harbor.redis" . }}
+ labels:
+{{ include "harbor.labels" . | indent 4 }}
+ component: redis
+spec:
+ replicas: 1
+ serviceName: {{ template "harbor.redis" . }}
+ selector:
+ matchLabels:
+{{ include "harbor.matchLabels" . | indent 6 }}
+ component: redis
+ template:
+ metadata:
+ labels:
+{{ include "harbor.labels" . | indent 8 }}
+ component: redis
+{{- if .Values.redis.podAnnotations }}
+ annotations:
+{{ toYaml .Values.redis.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+ containers:
+ - name: redis
+ image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ livenessProbe:
+ tcpSocket:
+ port: 6379
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 6379
+ initialDelaySeconds: 1
+ periodSeconds: 10
+{{- if .Values.redis.internal.resources }}
+ resources:
+{{ toYaml .Values.redis.internal.resources | indent 10 }}
+{{- end }}
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/redis
+ - name: etc-localtime
+ mountPath: /etc/localtime
+ volumes:
+ - name: etc-localtime
+ hostPath:
+ path: /etc/localtime
+ - name: data
+ emptyDir: {}
+ {{- with .Values.redis.internal.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.redis.internal.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.redis.internal.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+{{- end -}}
diff --git a/templates/registry/configmap.yaml b/templates/registry/configmap.yaml
deleted file mode 100644
index d579f1cf47941e298692e9fbc7f8e9d65ede0f07..0000000000000000000000000000000000000000
--- a/templates/registry/configmap.yaml
+++ /dev/null
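Review bot: The internal Redis container is started with the image's defaults — no `args`, so no `--requirepass` — while the registry Secret in this same change emits `REGISTRY_REDIS_PASSWORD` from `harbor.redis.rawPassword`; either that password is empty for the internal type or the server never enforces it, and in both cases any pod that can reach the Service on 6379 can read the registry layer cache and the jobservice queues. If the helper does yield a password for the internal type, pass it through with `args: ["--requirepass", "$(REDIS_PASSWORD)"]` fed from that Secret; otherwise a NetworkPolicy limiting 6379 to the Harbor components is the minimum. Separately, the deleted Deployment ran Redis with `--save '' --appendonly no`; dropping those restores default RDB snapshotting into the image's working directory, which may not be the `/var/lib/redis` emptyDir mounted here — worth checking against the mirrored image.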
@@ -1,162 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.fullname" . }}-registry" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - version: 0.1 - log: - level: {{ .Values.registry.logLevel }} - fields: - service: registry - storage: - {{- $storage := .Values.registry.storage }} - {{- $type := $storage.type }} - {{- if eq $type "filesystem" }} - filesystem: - rootdirectory: {{ $storage.filesystem.rootdirectory }} - {{- if $storage.filesystem.maxthreads }} - maxthreads: {{ $storage.filesystem.maxthreads }} - {{- end }} - {{- else if eq $type "azure" }} - azure: - accountname: {{ $storage.azure.accountname }} - container: {{ $storage.azure.container }} - {{- if $storage.azure.realm }} - realm: {{ $storage.azure.realm }} - {{- end }} - {{- else if eq $type "gcs" }} - gcs: - bucket: {{ $storage.gcs.bucket }} - {{- if $storage.gcs.rootdirectory }} - rootdirectory: {{ $storage.gcs.rootdirectory }} - {{- end }} - {{- if $storage.gcs.chunksize }} - chunksize: {{ $storage.gcs.chunksize }} - {{- end }} - {{- else if eq $type "s3" }} - s3: - region: {{ $storage.s3.region }} - bucket: {{ $storage.s3.bucket }} - {{- if $storage.s3.regionendpoint }} - regionendpoint: {{ $storage.s3.regionendpoint }} - {{- end }} - {{- if $storage.s3.encrypt }} - encrypt: {{ $storage.s3.encrypt }} - {{- end }} - {{- if $storage.s3.secure }} - secure: {{ $storage.s3.secure }} - {{- end }} - {{- if $storage.s3.v4auth }} - v4auth: {{ $storage.s3.v4auth }} - {{- end }} - {{- if $storage.s3.chunksize }} - chunksize: {{ $storage.s3.chunksize }} - {{- end }} - {{- if $storage.s3.rootdirectory }} - rootdirectory: {{ $storage.s3.rootdirectory }} - {{- end }} - {{- if $storage.s3.storageclass }} - storageclass: {{ $storage.s3.storageclass }} - {{- end }} - {{- else if eq $type "swift" }} - swift: - authurl: {{ $storage.swift.authurl }} - username: {{ $storage.swift.username }} - container: {{ $storage.swift.container }} - {{- if 
$storage.swift.region }} - region: {{ $storage.swift.region }} - {{- end }} - {{- if $storage.swift.tenant }} - tenant: {{ $storage.swift.tenant }} - {{- end }} - {{- if $storage.swift.tenantid }} - tenantid: {{ $storage.swift.tenantid }} - {{- end }} - {{- if $storage.swift.domain }} - domain: {{ $storage.swift.domain }} - {{- end }} - {{- if $storage.swift.domainid }} - domainid: {{ $storage.swift.domainid }} - {{- end }} - {{- if $storage.swift.trustid }} - trustid: {{ $storage.swift.trustid }} - {{- end }} - {{- if $storage.swift.insecureskipverify }} - insecureskipverify: {{ $storage.swift.insecureskipverify }} - {{- end }} - {{- if $storage.swift.chunksize }} - chunksize: {{ $storage.swift.chunksize }} - {{- end }} - {{- if $storage.swift.prefix }} - prefix: {{ $storage.swift.prefix }} - {{- end }} - {{- if $storage.swift.authversion }} - authversion: {{ $storage.swift.authversion }} - {{- end }} - {{- if $storage.swift.endpointtype }} - endpointtype: {{ $storage.swift.endpointtype }} - {{- end }} - {{- if $storage.swift.tempurlcontainerkey }} - tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} - {{- end }} - {{- if $storage.swift.tempurlmethods }} - tempurlmethods: {{ $storage.swift.tempurlmethods }} - {{- end }} - {{- else if eq $type "oss" }} - oss: - accesskeyid: {{ $storage.oss.accesskeyid }} - region: {{ $storage.oss.region }} - bucket: {{ $storage.oss.bucket }} - {{- if $storage.oss.endpoint }} - endpoint: {{ $storage.oss.endpoint }} - {{- end }} - {{- if $storage.oss.internal }} - internal: {{ $storage.oss.internal }} - {{- end }} - {{- if $storage.oss.encrypt }} - encrypt: {{ $storage.oss.encrypt }} - {{- end }} - {{- if $storage.oss.secure }} - secure: {{ $storage.oss.secure }} - {{- end }} - {{- if $storage.oss.chunksize }} - chunksize: {{ $storage.oss.chunksize }} - {{- end }} - {{- if $storage.oss.rootdirectory }} - rootdirectory: {{ $storage.oss.rootdirectory }} - {{- end }} - {{- end }} - cache: - layerinfo: redis - maintenance: - 
uploadpurging: - enabled: false - delete: - enabled: true - redis: - addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}" - password: {{ template "harbor.redis.password" . }} - db: {{ template "harbor.redis.databaseIndex" . }} - http: - addr: :5000 - # set via environment variable - # secret: placeholder - debug: - addr: localhost:5001 - auth: - token: - issuer: harbor-token-issuer - realm: "{{ template "harbor.externalURL" . }}/service/token" - rootcertbundle: /etc/registry/root.crt - service: harbor-registry - notifications: - endpoints: - - name: harbor - disabled: false - url: http://{{ template "harbor.fullname" . }}-ui/service/notifications - timeout: 3000ms - threshold: 5 - backoff: 1s diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000000000000000000000000000000000..9793df7e0806140ef1838428922838daa8131b42 --- /dev/null +++ b/templates/registry/registry-cm.yaml 
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ template "harbor.registry" . }}"
+ labels:
+{{ include "harbor.labels" . | indent 4 }}
+data:
+ config.yml: |+
+ version: 0.1
+ log:
+ level: {{ .Values.logLevel }}
+ fields:
+ service: registry
+ storage:
+ filesystem:
+ rootdirectory: /data
+ cache:
+ layerinfo: redis
+ maintenance:
+ uploadpurging:
+ enabled: false
+ delete:
+ enabled: true
+ redirect:
+ disable: false
+ redis:
+ addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}"
+ db: {{ template "harbor.redis.registryDatabaseIndex" . }}
+ http:
+ addr: :5000
+ # set via environment variable
+ # secret: placeholder
+ debug:
+ addr: localhost:5001
+ auth:
+ token:
+ issuer: harbor-token-issuer
+ realm: "{{ .Values.externalURL }}/service/token"
+ rootcertbundle: /etc/registry/root.crt
+ service: harbor-registry
+ validation:
+ disabled: true
+ notifications:
+ endpoints:
+ - name: harbor
+ disabled: false
+ url: http://{{ template "harbor.core" . }}/service/notifications
+ timeout: 3000ms
+ threshold: 5
+ backoff: 1s
+ ctl-config.yml: |+
+ ---
+ protocol: "http"
+ port: 8080
+ log_level: {{ .Values.logLevel }}
diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7ac36389df4722d2e391c25095a984b5b91536e5
--- /dev/null
+++ b/templates/registry/registry-dpl.yaml
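Review bot: `validation: disabled: true` switches off distribution's manifest validation, which as far as I know is also the gate for the foreign-layer URL allow/deny rules, so manifests pushed through the token-authorized path may reference external layer URLs; Harbor upstream ships the same setting, so if it is deliberate say so in place: `# validation disabled so manifests with foreign-layer URLs (e.g. Windows base layers) are accepted`. The rendered `storage:` block is also fixed to `filesystem: rootdirectory: /data`, while the new registry Secret in this change emits `REGISTRY_STORAGE_S3_*`, Azure, GCS, Swift and OSS credentials from `persistence.imageChartStorage`; distribution expects exactly one storage driver, so selecting a non-filesystem type will most likely not yield a working registry until this section is templated on `$storage.type` the way the deleted configmap was. The `debug.addr: localhost:5001` binding keeps the debug endpoint off the pod network, which is fine even though the Deployment still lists `containerPort: 5001`.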
@@ -0,0 +1,145 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: 5000 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 5000 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . 
}}" + ports: + - containerPort: 5000 + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: /data + - name: registry-root-certificate + mountPath: /etc/registry/root.crt + subPath: tokenServiceRootCertBundle + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: etc-localtime + mountPath: /etc/localtime + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.jobservice" . }} + key: secret + ports: + - containerPort: 8080 + volumeMounts: + - name: registry-data + mountPath: /data + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + - name: etc-localtime + mountPath: /etc/localtime + volumes: + - name: etc-localtime + hostPath: + path: /etc/localtime + - name: registry-root-certificate + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . 
}}" + - name: registry-data + hostPath: + {{- if .Values.registry.hostPath }} + path: {{ .Values.registry.hostPath }} + {{- else }} + path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/registry + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ca7e1df96094437f5345c4ad65e92e5a7ad3a532 --- /dev/null +++ b/templates/registry/registry-secret.yaml 
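Review bot: `registry-data` is a `hostPath` (`/data/<namespace>/<release>/registry` unless `registry.hostPath` is set) while `replicas` comes from `.Values.registry.replicas`, so any replica count above one, or a reschedule to another node, gives each registry pod a different node-local blob store and silently splits or loses image content. Blobs also land on the node filesystem under whatever ownership the container user has, readable by anything with node access; a PVC (or the object-storage types the registry Secret already models) is the safe form, and if hostPath must stay, pin `replicas: 1` and add `type: DirectoryOrCreate` so a typo in the path fails loudly instead of creating an empty directory. Both containers mount `/etc/localtime` without `readOnly: true` and no `securityContext` is set; the `readOnly` flag is a one-line fix on each mount.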
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ template "harbor.registry" . }}"
+ labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: Opaque
+data:
+ REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
+ REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.rawPassword" .) | b64enc | quote }}
+ {{- $storage := .Values.persistence.imageChartStorage }}
+ {{- $type := $storage.type }}
+ {{- if eq $type "azure" }}
+ REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
+ {{- else if eq $type "gcs" }}
+ GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
+ {{- else if eq $type "s3" }}
+ {{- if $storage.s3.accesskey }}
+ REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
+ {{- end }}
+ {{- if $storage.s3.secretkey }}
+ REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
+ {{- end }}
+ {{- else if eq $type "swift" }}
+ REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
+ {{- if $storage.swift.secretkey }}
+ REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
+ {{- end }}
+ {{- if $storage.swift.accesskey }}
+ REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
+ {{- end }}
+ {{- else if eq $type "oss" }}
+ REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
+ {{- end }}
diff --git a/templates/registry/service.yaml b/templates/registry/registry-svc.yaml
similarity index 58%
rename from templates/registry/service.yaml
rename to templates/registry/registry-svc.yaml
index 1dc24b6ad135bdcb49a3058e199b37947ea9291c..6ec6ada9956875b3a1f76c9efccd4db092a95c0a
--- a/templates/registry/service.yaml
+++ b/templates/registry/registry-svc.yaml
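Review bot: `REGISTRY_HTTP_SECRET` falls back to `randAlphaNum 16`, which is re-evaluated on every `helm upgrade` when `registry.secret` is unset; the registry uses this value to sign upload state, so each upgrade invalidates in-progress pushes, and because the Deployment annotates `checksum/secret` with this file every upgrade also rolls the registry pods. Either make the value mandatory (`required "registry.secret must be set" .Values.registry.secret`) or document next to it that production installs must pin it: `# set registry.secret explicitly; the random fallback changes on every upgrade`. The storage branches are also inconsistent in a way that invites a wrong "fix": `GCS_KEY_DATA` is emitted with `quote` only, while every other credential is `b64enc`'d — if `encodedkey` is meant to arrive already base64-encoded (the name suggests so, but nothing here enforces it), a comment saying exactly that belongs on the line.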
@@ -1,13 +1,15 @@ apiVersion: v1 kind: Service metadata: - name: "{{ template "harbor.fullname" . }}-registry" + name: "{{ template "harbor.registry" . }}" labels: {{ include "harbor.labels" . | indent 4 }} spec: ports: - - name: http + - name: registry port: 5000 + - name: controller + port: 8080 selector: {{ include "harbor.matchLabels" . | indent 4 }} - app: harbor-registry \ No newline at end of file + component: registry \ No newline at end of file diff --git a/templates/registry/secret.yaml b/templates/registry/secret.yaml deleted file mode 100644 index e13dbfdbf3ab6cdeb01fafd33e585a1e7e433274..0000000000000000000000000000000000000000 --- a/templates/registry/secret.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.fullname" . }}-registry" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - httpSecret: {{ .Values.registry.httpSecret | b64enc | quote }} - {{- $storage := .Values.registry.storage }} - {{- $type := $storage.type }} - {{- if eq $type "azure" }} - accountkey: {{ $storage.azure.accountkey | b64enc | quote }} - {{- else if eq $type "s3" }} - {{- if $storage.s3.accesskey }} - accesskey: {{ $storage.s3.accesskey | b64enc | quote }} - {{- end }} - {{- if $storage.s3.secretkey }} - secretkey: {{ $storage.s3.secretkey | b64enc | quote }} - {{- end }} - {{- else if eq $type "swift" }} - password: {{ $storage.swift.password }} - {{- if $storage.swift.secretkey }} - secretkey: {{ $storage.swift.secretkey }} - {{- end }} - {{- if $storage.swift.accesskey }} - accesskey: {{ $storage.swift.accesskey }} - {{- end }} - {{- else if eq $type "oss" }} - accesskeysecret: {{ $storage.oss.accesskeysecret }} - {{- end }} \ No newline at end of file diff --git a/templates/registry/statefulset.yaml b/templates/registry/statefulset.yaml deleted file mode 100644 index a08fa68d886a777f7d3fdd1fe7126537ccac0045..0000000000000000000000000000000000000000 
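Review bot: Adding the `controller` port 8080 to the registry Service makes the registryctl sidecar reachable from any pod in the cluster, and that container holds `CORE_SECRET` and `JOBSERVICE_SECRET` and serves over plain HTTP (`protocol: "http"` in ctl-config.yml). If registryctl authenticates callers by those shared secrets that is acceptable in-cluster, but a NetworkPolicy restricting 8080 to core and jobservice would be the least-privilege complement; at minimum annotate the port so its audience is explicit: `# registryctl API, consumed by core/jobservice for GC and storage operations`.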
--- a/templates/registry/statefulset.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ template "harbor.fullname" . }}-registry" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-registry - version: {{ .Values.registry.image.tag }} -spec: - replicas: 1 - serviceName: "{{ template "harbor.fullname" . }}-registry" - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - app: harbor-registry - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-registry - version: {{ .Values.registry.image.tag }} - spec: - containers: - - name: registry - image: {{ .Values.registry.image.repository }}:{{ .Values.registry.image.tag }} - imagePullPolicy: {{ .Values.registry.image.pullPolicy }} - resources: -{{ toYaml .Values.registry.resources | indent 10 }} - args: ["serve", "/etc/registry/config.yml"] - env: - - name: REGISTRY_HTTP_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-registry" - key: httpSecret - {{- $storage := .Values.registry.storage }} - {{- $type := $storage.type }} - {{- if eq $type "azure" }} - - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-registry" - key: accountkey - {{- else if eq $type "s3" }} - {{- if $storage.s3.accesskey }} - - name: REGISTRY_STORAGE_S3_ACCESSKEY - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-registry" - key: accesskey - {{- end }} - {{- if $storage.s3.secretkey }} - - name: REGISTRY_STORAGE_S3_SECRETKEY - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-registry" - key: secretkey - {{- end }} - {{- else if eq $type "swift" }} - - name: REGISTRY_STORAGE_SWIFT_PASSWORD - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-registry" - key: password - {{- if $storage.swift.secretkey }} - - name: REGISTRY_STORAGE_SWIFT_SECRETKEY - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . 
}}-registry" - key: secretkey - {{- end }} - {{- if $storage.swift.accesskey }} - - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-registry" - key: accesskey - {{- end }} - {{- else if eq $type "oss" }} - - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-registry" - key: accesskeysecret - {{- end }} - ports: - - containerPort: 5000 - - containerPort: 5001 - volumeMounts: - {{- if eq .Values.registry.storage.type "filesystem" }} - - name: registry-data - mountPath: {{ .Values.registry.storage.filesystem.rootdirectory }} - {{- end }} - - name: registry-root-certificate - mountPath: /etc/registry/root.crt - subPath: tokenServiceRootCertBundle - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - - name: registry-root-certificate - secret: - secretName: "{{ template "harbor.fullname" . }}-ui" - - name: registry-config - configMap: - name: "{{ template "harbor.fullname" . }}-registry" - - name: registry-data - hostPath: - path: {{ .Values.registry.hostpath }} - {{- with .Values.registry.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/templates/ui/configmap.yaml b/templates/ui/configmap.yaml deleted file mode 100644 index 6cd0b05d6a5dd4531112c705449792f7de75e9b7..0000000000000000000000000000000000000000 --- a/templates/ui/configmap.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.fullname" . }}-ui" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - app.conf: |+ - appname = Harbor - runmode = prod - enablegzip = true - - [prod] - httpport = 8080 diff --git a/templates/ui/deployment.yaml b/templates/ui/deployment.yaml deleted file mode 100644 index 6ddabfd8b868d0a97fcdec47daebec5e7819f106..0000000000000000000000000000000000000000 --- a/templates/ui/deployment.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.fullname" . }}-ui" - labels: -{{ include "harbor.labels" . | indent 4 }} - app: harbor-ui - version: {{ .Values.ui.image.tag }} -spec: - replicas: 1 - selector: - matchLabels: -{{ include "harbor.labels" . | indent 6 }} - app: harbor-ui - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - app: harbor-ui - version: {{ .Values.ui.image.tag }} - spec: - containers: - - name: ui - image: {{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag }} - imagePullPolicy: {{ .Values.ui.image.pullPolicy }} - env: - - name: UI_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-ui" - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.fullname" . }}-ui" - key: jobserviceSecret - - name: _REDIS_URL - value: {{ template "harbor.redisForUI" . }} - - name: GODEBUG - value: netdns=cgo - - name: LOG_LEVEL - value: info - - name: CONFIG_PATH - value: /etc/ui/app.conf - - name: ENABLE_HARBOR_SCAN_ON_PUSH - value: "1" - - name: ADMINSERVER_URL - value: "http://{{ template "harbor.fullname" . 
}}-adminserver" - - name: CHART_CACHE_DRIVER - value: "redis" - ports: - - containerPort: 8080 - volumeMounts: - - name: ui-config - mountPath: /etc/ui/app.conf - subPath: app.conf - - name: ui-secrets-key - mountPath: /etc/ui/key - subPath: key - - name: ui-secrets-private-key - mountPath: /etc/ui/private_key.pem - subPath: tokenServicePrivateKey - {{- if eq .Values.externalProtocol "https" }} - {{- if .Values.ingress.enabled }} - {{- if eq .Values.ingress.tls.secretName "" }} - - name: ca-download - mountPath: /etc/ui/ca/ca.crt - subPath: ca.crt - {{- end }} - {{- end }} - {{- end }} - - name: psc - mountPath: /etc/ui/token - - name: etc-localtime - mountPath: /etc/localtime - volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - - name: ui-config - configMap: - name: "{{ template "harbor.fullname" . }}-ui" - - name: ui-secrets-key - secret: - secretName: "{{ template "harbor.fullname" . }}-ui" - items: - - key: secretKey - path: key - - name: ui-secrets-private-key - secret: - secretName: "{{ template "harbor.fullname" . }}-ui" - {{- if eq .Values.externalProtocol "https" }} - {{- if .Values.ingress.enabled }} - {{- if eq .Values.ingress.tls.secretName "" }} - - name: ca-download - secret: - secretName: "{{ template "harbor.fullname" . }}-ingress" - items: - - key: ca.crt - path: ca.crt - {{- end }} - {{- end }} - {{- end }} - - name: psc - emptyDir: {} - {{- with .Values.ui.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.ui.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.ui.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/templates/ui/secret.yaml b/templates/ui/secret.yaml deleted file mode 100644 index 743354398975332801fa25b26863cd9539e3f7ce..0000000000000000000000000000000000000000 --- a/templates/ui/secret.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -{{- $cert := genSelfSignedCert "harbor" nil nil 365 }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.fullname" . }}-ui" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - secretKey: {{ .Values.secretKey | b64enc | quote }} - secret: {{ .Values.ui.secret | b64enc | quote }} - jobserviceSecret: {{ .Values.jobservice.secret | b64enc | quote }} - tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }} - tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }} - \ No newline at end of file diff --git a/values-aliyun.yaml b/values-aliyun.yaml index 9d722780161a14e2bd54a36f3241b1a28d42db70..f16da711e95e093eb1026acd5028b2d3614fdc0f 100644 --- a/values-aliyun.yaml +++ b/values-aliyun.yaml 
@@ -1,102 +1,115 @@ +expose: + type: ingress + tls: + enabled: false + ingress: + host: harbor.wodcloud.local + controller: default + annotations: + ingress.kubernetes.io/ssl-redirect: "true" + rewriteAnnotation: traefik.ingress.kubernetes.io/rewrite-target + +externalURL: https://harbor.wodcloud.local + persistence: enabled: false -externalProtocol: https -externalDomain: hub.wodcloud.local -harborAdminPassword: "passwd" -ingress: - enabled: true +imagePullPolicy: IfNotPresent -adminserver: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-adminserver - tag: v1.6.3 - nodeSelector: - harbor: enabled +logLevel: debug +harborAdminPassword: "changeit" +secretKey: "IpTIscRIgmerlare" -jobservice: +portal: image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v1.6.3 + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal + tag: v1.7.5 + replicas: 1 -ui: +core: image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-ui - tag: v1.6.3 + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core + tag: v1.7.5 + replicas: 1 -busybox: +jobservice: image: - repository: registry.cn-qingdao.aliyuncs.com/wod/busybox - tag: "1.30" + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice + tag: v1.7.5 + replicas: 1 + maxJobWorkers: 10 + jobLogger: file -database: - internal: +registry: + registry: image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v1.6.3 + repository: registry.cn-qingdao.aliyuncs.com/wod/registry + tag: v2.7.1 resources: limits: memory: 4Gi - cpu: 1000m + cpu: 1000m requests: memory: 256Mi - cpu: 100m - password: "passwd" - nodeSelector: - harbor: enabled - -registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: 2.7.1 - hostpath: /data/registry - resources: - limits: - memory: 4Gi - cpu: 1000m - requests: - memory: 256Mi - cpu: 100m + cpu: 100m nodeSelector: harbor: enabled + controller: + image: + repository: 
registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl + tag: v1.7.5 + replicas: 1 chartmuseum: enabled: true image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum - tag: v0.7.1 + repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon + tag: v0.8.1-v1.7.5 + replicas: 1 + nodeSelector: + harbor: enabled clair: enabled: true image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair - tag: v2.0.6 - resources: - limits: - memory: 1Gi - cpu: 1000m - requests: - memory: 128Mi - cpu: 100m - -redis: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis - tag: 4.0.11-alpine - usePassword: false - cluster: - enabled: false - master: - persistence: - enabled: false + repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon + tag: v2.0.8-v1.7.5 + replicas: 1 + updatersInterval: 12 notary: enabled: true server: image: repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon - tag: dev + tag: v0.6.1-v1.7.5 + replicas: 1 signer: image: repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon - tag: dev \ No newline at end of file + tag: v0.6.1-v1.7.5 + replicas: 1 + +database: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db + tag: v1.7.5 + password: "changeit" + resources: + limits: + memory: 4Gi + cpu: 1000m + requests: + memory: 256Mi + cpu: 100m + nodeSelector: + harbor: enabled + +redis: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/redis + tag: 4.0.11-alpine \ No newline at end of file diff --git a/values.yaml b/values.yaml index 33ef0c49886b44abe7ba9c718cb174cd47328f51..d24bb938fdc1fa694a2228f106e3da4e6d698641 100644 --- a/values.yaml +++ b/values.yaml 
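Review bot: This deployment profile commits live credentials — `harborAdminPassword: "changeit"`, `database.internal.password: "changeit"` and `secretKey: "IpTIscRIgmerlare"`, the latter described in values.yaml as the 16-character encryption key — and switches `logLevel` to `debug`; these belong in an untracked override file or `--set`, with the committed copy holding placeholders and a comment `# override at install time; never commit real values`. The exposure block is also self-contradictory: `expose.tls.enabled: false` while `externalURL: https://harbor.wodcloud.local` and `ingress.kubernetes.io/ssl-redirect: "true"` means clients are redirected to an HTTPS endpoint this ingress is not configured to serve, and the registry token realm (built from `externalURL`) will be an https URL too; either enable TLS here or, if it is terminated in front of the ingress, say so in a comment on `tls.enabled`. Several component images remain on floating-looking tags of a mirrored registry (`registry.cn-qingdao.aliyuncs.com/wod/...`); pinning by digest, or at least documenting the mirror sync process from the Deploy notes, would make the supply chain auditable.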
@@ -1,154 +1,155 @@ -persistence: - enabled: true -externalProtocol: https -# The FQDN for Harbor service -externalDomain: hub.wodcloud.local -# The Port for Harbor service, leave empty if the service -# is to be bound to port 80/443 -externalPort: -harborAdminPassword: "passwd" -authenticationMode: "db_auth" -selfRegistration: "on" -ldap: - url: "ldaps://ldapserver" - searchDN: "" - searchPassword: "" - baseDN: "" - filter: "(objectClass=person)" - uid: "uid" - scope: "2" - timeout: "5" - verifyCert: "True" -email: - host: "smtp.mydomain.com" - port: "25" - username: "sample_admin@mydomain.com" - password: "password" - ssl: "false" - insecure: "false" - from: "admin " - identity: "" - -# The secret key used for encryption. Must be a string of 16 chars. -secretKey: "nQImBn5SVCHL7ehq" - -# These annotations allow the registry to work behind the nginx -# ingress controller. -ingress: - enabled: true - annotations: +expose: + # Set the way how to expose the service. Set the type as "ingress", + # "clusterIP", "nodePort" or "loadBalancer" and fill the information + # in the corresponding section + type: ingress tls: - # Fill the secretName if you want to use the certificate of - # yourself when Harbor serves with HTTPS. A certificate will - # be generated automatically by the chart if leave it empty + # Enable the tls or not. Note: if the type is "ingress" and the tls + # is disabled, the port must be included in the command when pull/push + # images. Refer to https://github.com/goharbor/harbor/issues/5291 + # for the detail. + enabled: true + # Fill the name of secret if you want to use your own TLS certificate. 
+ # The secret must contain keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # "ca.crt" - the certificate of CA + # These files will be generated automatically if the "secretName" is not set secretName: "" + # The commmon name used to generate the certificate, it's necessary + # when the type isn't "ingress" and "secretName" is null + commonName: "" + ingress: + host: harbor.local + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + controller: default + annotations: + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + # The annotation name for "rewrite-target", only needed when Notary + # service is enabled + rewriteAnnotation: nginx.ingress.kubernetes.io/rewrite-target + clusterIP: + # The name of ClusterIP service + name: harbor + ports: + # The service port Harbor listens on when serving with HTTP + http: 80 + # The service port Harbor listens on when serving with HTTPS + https: 443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving with HTTP + port: 80 + # The node port Harbor listens on when serving with HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving with HTTPS + port: 443 + # The node port Harbor listens on when serving with HTTPS + nodePort: 30003 + loadBalancer: + # The name of LoadBalancer service + name: harbor + ports: + # The service port Harbor listens on when serving with HTTP + http: 80 + # The service port Harbor listens on when serving with HTTPS + https: 443 -istio: - enabled: false +# The external URL for Harbor service. 
It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker/notary client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.host" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://harbor.local -# The tag for Harbor docker images. -harborImageTag: &harbor_image_tag v1.6.3 - -adminserver: - image: - repository: goharbor/harbor-adminserver - tag: *harbor_image_tag - pullPolicy: IfNotPresent - volumes: - config: - storageClass: "storageos" +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamicly. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you have already existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used(the default). 
+ # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "" + subPath: "" accessMode: ReadWriteOnce size: 1Gi - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - -jobservice: - image: - repository: goharbor/harbor-jobservice - tag: *harbor_image_tag - pullPolicy: IfNotPresent - secret: "BBRQwySksiHZqJUh" - maxWorkers: 50 -# resources: -# requests: -# memory: 256Mi -# cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - -ui: - image: - repository: goharbor/harbor-ui - tag: *harbor_image_tag - pullPolicy: IfNotPresent - secret: "BBRQwySksiHZqJUh" -# resources: -# requests: -# memory: 256Mi -# cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - -busybox: - image: - repository: busybox - tag: 1.29 - -# TODO: change the style to be same with redis -database: - # if external database is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - image: - repository: goharbor/harbor-db - tag: *harbor_image_tag - pullPolicy: IfNotPresent - # the superuser password of database - password: "passwd" - volumes: - data: - storageClass: "storageos" - accessMode: ReadWriteOnce - size: 5Gi - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - host: "192.168.0.1" - port: "5432" - username: "user" - password: "password" - coreDatabase: "registry" - clairDatabase: "clair" - notaryServerDatabase: "notary_server" - notarySignerDatabase: "notary_signer" - -registry: - image: - repository: registry - tag: 2.7.1 - pullPolicy: IfNotPresent - httpSecret: "BBRQwySksiHZqJUh" - logLevel: info - hostpath: /etc/kubernetes/data/registry - storage: - # 
specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", - # "oss" and fill the information needed in the corresponding section + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # Define which storage backend is used for registry and chartmuseum to store + # images and charts. Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + # and chartmuseum type: filesystem filesystem: - rootdirectory: /var/lib/registry + rootdirectory: /storage #maxthreads: 100 azure: accountname: accountname @@ -157,10 +158,10 @@ registry: #realm: core.windows.net gcs: bucket: bucketname - # TODO: support the keyfile of gcs - #keyfile: /path/to/keyfile + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file #rootdirectory: /gcs/object/name/prefix - #chunksize: 5242880 + #chunksize: "5242880" s3: region: us-west-1 bucket: bucketname 
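Review bot: The `externalURL` comment explains how to choose the domain for each `expose.type` but never ties the protocol to `expose.tls.enabled`, although that flag decides whether the chart serves HTTP or HTTPS and a mismatch sends docker/notary clients a token-service URL with the wrong scheme. Add a fourth item to the Format list: `# 4) the "protocol" must be "https" when "expose.tls.enabled" is true and "http" when it is false, unless a proxy in front of Harbor terminates TLS`. Two typos in the same hunk: `# The commmon name used to generate the certificate` should read "common", and `dynamicly` in the persistence header should read "dynamically".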
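Review bot: `encodedkey: base64-encoded-json-key-file` places a GCS service-account key inline in values.yaml, where it is committed with the rest of the configuration and is returned by `helm get values`; the placeholder also reads like a literal value rather than a description of what goes there. Extend the comment to `# The base64 encoded json key file of the GCS service account. Treat it as a secret: supply it with --set or a values file kept out of version control` and consider shipping it empty (`encodedkey: ""`) so a forgotten override fails visibly instead of sending the placeholder to the storage backend.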
@@ -171,7 +172,7 @@ registry:
 #keyid: mykeyid
 #secure: true
 #v4auth: true
- #chunksize: 5242880
+ #chunksize: "5242880"
 #rootdirectory: /s3/object/name/prefix
 #storageclass: STANDARD
 swift:
@@ -205,32 +206,130 @@ registry: #secure: true #chunksize: 10M #rootdirectory: rootdirectory - ## Persist data to a persistent volume - volumes: - data: - # storageClass: "-" - accessMode: ReadWriteOnce - size: 5Gi + +imagePullPolicy: IfNotPresent + +logLevel: debug +# The initial password of Harbor admin. Change it from portal after launching Harbor +harborAdminPassword: "Harbor12345" +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" + +# If expose the service via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: dev + replicas: 1 # resources: # requests: # memory: 256Mi # cpu: 100m - # nodeSelector: - # kubernetes.io/hostname: 172.31.14.41 + nodeSelector: {} tolerations: [] affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +portal: + image: + repository: goharbor/harbor-portal + tag: dev + replicas: 1 +# resources: +# requests: +# memory: 256Mi +# cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +core: + image: + repository: goharbor/harbor-core + tag: dev + replicas: 1 +# resources: +# requests: +# memory: 256Mi +# cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named tls.tokenServiceRootCertBundle and + # tls.tokenServicePrivateKey that contain the certificate and private key. 
+ # They will be automatically generated if not set + secretName: "" + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: dev + replicas: 1 + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLogger: file +# resources: +# requests: +# memory: 256Mi +# cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + +registry: + registry: + image: + repository: goharbor/registry-photon + tag: dev + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + controller: + image: + repository: goharbor/harbor-registryctl + tag: dev + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" chartmuseum: enabled: true image: - repository: chartmuseum/chartmuseum - tag: v0.7.1 - pullPolicy: IfNotPresent - volumes: - data: - storageClass: "storageos" - accessMode: ReadWriteOnce - size: 5Gi + repository: goharbor/chartmuseum-photon + tag: dev + replicas: 1 # resources: # requests: # memory: 256Mi 
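Review bot: `secretKey: "not-a-secure-key"` is a publicly known 16-character default and the comment beside it states only the length requirement, so every release that forgets to override it encrypts with the same key, while `core.secret`, `jobservice.secret` and `registry.secret` in this hunk are left empty so Helm generates them. Either apply the same empty-by-default pattern here, if the templates can generate it, or change the comment to `# The secret key used for encryption. Must be a string of 16 chars. Override it for every deployment; the default is public.` The same reasoning applies to `harborAdminPassword: "Harbor12345"`, whose comment already asks for a change after launch. `logLevel: debug` as the shipped default is also worth reconsidering: debug output is verbose and more likely to carry request details into logs, and `info` is the conventional default for a chart.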
@@ -238,18 +337,21 @@ chartmuseum:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+ ## Additional deployment annotations
+ podAnnotations: {}
 clair:
 enabled: true
 image:
- repository: quay.io/coreos/clair
- tag: 2.0.6
- pullPolicy: IfNotPresent
- volumes:
- pgData:
- storageClass: "storageos"
- accessMode: ReadWriteOnce
- size: 1Gi
+ repository: goharbor/clair-photon
+ tag: dev
+ replicas: 1
+ # The http(s) proxy used to update vulnerabilities database from internet
+ httpProxy:
+ httpsProxy:
+ # The interval of clair updaters, the unit is hour, set to 0 to
+ # disable the updaters
+ updatersInterval: 12
 # resources:
 # requests:
 # memory: 256Mi
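Review bot: `httpProxy:` and `httpsProxy:` are bare keys, which YAML parses as `null` rather than an empty string; depending on how the templates render them, this can put the literal `null` into Clair's environment instead of leaving the proxy unset. Write them as `httpProxy: ""` and `httpsProxy: ""` so the "unset" default is explicit and consistent with the other empty strings in this file (`existingClaim: ""`, `secret: ""`).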
@@ -257,50 +359,96 @@ clair: nodeSelector: {} tolerations: [] affinity: {} - -redis: - image: - repository: redis - tag: 4.0.1-alpine - pullPolicy: IfNotPresent - # if external Redis is used, set "external.enabled" to "true" - # and fill the connection informations in "external" section. - # or the internal Redis will be used - usePassword: false - password: "passwd" - cluster: - enabled: false - master: - persistence: -# TODO: There is a perm issue: Can't open the append-only file: Permission denied -# TODO: Setting it to false is a temp workaround. Will re-visit this problem. - enabled: false - external: - enabled: false - host: "192.168.0.2" - port: "6379" - databaseIndex: "0" - usePassword: false - password: "passwd" + ## Additional deployment annotations + podAnnotations: {} notary: enabled: true server: image: - repository: notary - tag: server-0.5.0 - pullPolicy: IfNotPresent + repository: goharbor/notary-server-photon + tag: dev + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m signer: image: - repository: notary - tag: signer-0.5.0 - pullPolicy: IfNotPresent - env: - NOTARY_SIGNER_DEFAULTALIAS: defaultalias - # The TLS certificate for Notary Signer. Will auto generate them if unspecified here. - caCrt: - tlsCrt: - tlsKey: + repository: goharbor/notary-signer-photon + tag: dev + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m nodeSelector: {} tolerations: [] affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named tls.ca, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. 
+ secretName: "" + +database: + # if external database is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + image: + repository: goharbor/harbor-db + tag: dev + # The initial superuser password for internal database + password: "changeit" + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + clairDatabase: "clair" + notaryServerDatabase: "notary_server" + notarySignerDatabase: "notary_signer" + sslmode: "disable" + ## Additional deployment annotations + podAnnotations: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + image: + repository: goharbor/redis-photon + tag: dev + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + external: + host: "192.168.0.2" + port: "6379" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + chartmuseumDatabaseIndex: "3" + password: "" + ## Additional deployment annotations + podAnnotations: {} \ No newline at end of file
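Review bot: `sslmode: "disable"` is the shipped default for `database.external`, so a connection to a Postgres outside the cluster carries `username`/`password` and the database traffic in clear text unless the operator notices the key; `redis.external` has no transport-security setting at all, which is worth stating in its comment. Document the choice and the safer values inline, e.g. `# The sslmode for the connection to the external database, e.g. "disable", "require" or "verify-full"; prefer "verify-full" when the database is reached over a network you do not control` — the exact set of values Harbor's driver accepts should be confirmed before naming them. `external.password: "password"` and `internal.password: "changeit"` are the same kind of known defaults as the admin password and should carry the same "override this" wording.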