Commit 276e7c3c authored by root

update

parent 244413ed
docs/*
.git/*
.gitignore
CONTRIBUTING.md
\ No newline at end of file
# Contributing to Helm Chart for Harbor # Contributing to Helm Chart for Harbor
Please follow [Harbor contributing guide](https://github.com/vmware/harbor/blob/master/CONTRIBUTING.md) to learn how to make code contribution. Please follow [Harbor contributing guide](https://github.com/goharbor/harbor/blob/master/CONTRIBUTING.md) to learn how to make code contribution.
# Contributers # Contributers
......
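Review bot: the heading `# Contributers` in the trailing context is misspelled and this file is already being edited; change it to `# Contributors` in the same commit rather than leaving the typo on both sides of the diff. The link move from `vmware/harbor` to `goharbor/harbor` is correct and matches the `home`/`sources` change in `Chart.yaml`.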
name: harbor name: harbor
version: 0.2.0 version: dev
appVersion: 1.5.0 appVersion: dev
description: An Enterprise-class Docker Registry by VMware description: An open source trusted cloud native registry that stores, signs, and scans content
keywords: keywords:
- vmware
- docker - docker
- registry - registry
- harbor - harbor
home: https://github.com/vmware/harbor home: https://goharbor.io
icon: https://raw.githubusercontent.com/vmware/harbor/master/docs/img/harbor_logo.png icon: https://raw.githubusercontent.com/goharbor/harbor/master/docs/img/harbor_logo.png
sources: sources:
- https://github.com/vmware/harbor/tree/master/contrib/helm/harbor - https://github.com/goharbor/harbor
- https://github.com/goharbor/harbor-helm
maintainers: maintainers:
- name: Jesse Hu - name: Jesse Hu
email: huh@vmware.com email: huh@vmware.com
......
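Review bot: `version: dev` and `appVersion: dev` are not SemVer strings, so `helm lint` rejects the chart and `helm upgrade` can no longer tell one deployed revision of the chart from the next. The images mirrored elsewhere in this commit are all `v1.7.5`, and the new README in this same commit explicitly warns that the master branch is in heavy development and should not be used; check out the harbor-helm branch that matches Harbor 1.7.x and keep concrete `version:`/`appVersion:` values here so the chart metadata records what is actually deployed.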
# harbor
## install
```bash
# 1.install
# label node
kubectl label node <nodename> harbor=enabled
helm install \
/etc/kubernetes/helm/harbor \
--name=harbor \
--namespace=devops \
-f /etc/kubernetes/helm/harbor/values-overrides.yaml
# uninstall
helm delete harbor --purge
# update
helm upgrade harbor /etc/kubernetes/helm/harbor \
-f /etc/kubernetes/helm/harbor/values-overrides.yaml
```
## images
```bash
# goharbor/harbor-portal
docker pull goharbor/harbor-portal:v1.7.5 && \
docker tag goharbor/harbor-portal:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-portal:v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-portal:v1.7.5
# goharbor/harbor-core
docker pull goharbor/harbor-core:v1.7.5 && \
docker tag goharbor/harbor-core:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5
# goharbor/harbor-jobservice
docker pull goharbor/harbor-jobservice:v1.7.5 && \
docker tag goharbor/harbor-jobservice:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.7.5
# goharbor/registry-photon
docker pull goharbor/registry-photon:v2.6.2-v1.7.5 && \
docker tag goharbor/registry-photon:v2.6.2-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/registry-photon:v2.6.2-v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/registry-photon:v2.6.2-v1.7.5
# goharbor/harbor-registryctl
docker pull goharbor/harbor-registryctl:v1.7.5 && \
docker tag goharbor/harbor-registryctl:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v1.7.5
# goharbor/chartmuseum-photon
docker pull goharbor/chartmuseum-photon:v0.8.1-v1.7.5 && \
docker tag goharbor/chartmuseum-photon:v0.8.1-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon:v0.8.1-v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon:v0.8.1-v1.7.5
# goharbor/clair-photon
docker pull goharbor/clair-photon:v2.0.8-v1.7.5 && \
docker tag goharbor/clair-photon:v2.0.8-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/clair-photon:v2.0.8-v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/clair-photon:v2.0.8-v1.7.5
# goharbor/notary-server-photon
docker pull goharbor/notary-server-photon:v0.6.1-v1.7.5 && \
docker tag goharbor/notary-server-photon:v0.6.1-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server-photon:v0.6.1-v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server-photon:v0.6.1-v1.7.5
# goharbor/notary-signer-photon
docker pull goharbor/notary-signer-photon:v0.6.1-v1.7.5 && \
docker tag goharbor/notary-signer-photon:v0.6.1-v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer-photon:v0.6.1-v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer-photon:v0.6.1-v1.7.5
# goharbor/harbor-db
docker pull goharbor/harbor-db:v1.7.5 && \
docker tag goharbor/harbor-db:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.7.5
```
\ No newline at end of file
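Review bot: the mirror list is incomplete against the chart defaults documented later in this commit. `nginx.image.repository` (`goharbor/nginx-photon`) and `redis.internal.image.repository` (`goharbor/redis-photon`) are never pulled or pushed, so unless `values-overrides.yaml` (referenced but not shown) sets `expose.type: ingress` and `redis.type: external`, those pods will fail to pull from `registry-vpc.cn-qingdao.aliyuncs.com/wod`. The `docker pull` / `docker tag` / `docker push` sequence also copies by mutable tag only; record the `Digest:` line that `docker pull` prints and confirm `docker push` reports the same digest, so the mirror is provably the upstream image and not whatever `v1.7.5` resolves to on the day the script is rerun. Finally, `kubectl label node <nodename> harbor=enabled` has no effect by itself; it only matters if the overrides file sets the per-component `nodeSelector` to that label, which should be stated next to the command.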
# Harbor High Availability Guide
## Goal
Deploy Harbor on K8S via helm to make it highly available, that is, if one of node that has Harbor's container running becomes un accessible. Users does not experience interrupt of service of Harbor.
## Prerequisites
- Kubernetes cluster 1.10+
- Helm 2.8.0+
- High available ingress controller (Harbor does not manage the external endpoint)
- High available PostgreSQL database (Harbor does not handle the deployment of HA of database)
- High available Redis (Harbor does not handle the deployment of HA of Redis)
- PVC that can be shared across nodes or external object storage
## Architecture
Most of Harbor's components are stateless now. So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods.
As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts.
![HA](img/ha.png)
## Installation
### Download Chart
Download Harbor helm chart code.
```bash
git clone https://github.com/goharbor/harbor-helm
cd harbor-helm
```
### Configuration
Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`:
- **Ingress rule**
Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`.
- **External URL**
Configure the `externalURL`.
- **External PostgreSQL**
Set the `database.type` to `external` and fill the information in `database.external` section.
Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up.
- **External Redis**
Set the `redis.type` to `external` and fill the information in `redis.external` section.
As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point.
- **Storage**
By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs.
If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`.
If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes.
You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`.
If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`.
- **Replica**
Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2).
### Installation
Install the Harbor helm chart with a release name `my-release`:
```bash
helm install --name my-release .
```
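Review bot: the external PostgreSQL and Redis credentials this guide tells the reader to place in `database.external` and `redis.external` are plain values, so keep that values file out of version control and prefer `-f` over `--set` (the latter leaves passwords in shell history). The configuration table later in this commit shows `database.external.sslmode` defaulting to `disable`; an HA deployment whose database lives on another host should set it to `require`. The HAProxy front recommended for Redis also passes traffic unauthenticated unless `redis.external.password` is set, which this section should say. Wording: "becomes un accessible. Users does not experience interrupt of service" should read "becomes inaccessible, users do not experience an interruption of service", and "must can be shared cross different nodes" should read "must be shareable across nodes".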
# Upgrade Guide
This guide is used to upgrade Harbor deployed by chart since version 0.3.0.
**Notes**:
- As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid
- The database schema cannot be downgraded automatically, so the `helm rollback` is not supported
## Upgrade
1. **Backup database**
Backup the database used by Harbor in case the upgrade process fails.
2. **Download new chart**
Download the latest version of Harbor chart.
3. **Configure new chart**
Configure the new chart to make sure that the configuration items have the same values with the old one.
**Note**: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate:
1) Get the secret name which certificate is stored in:
```
kubectl get secret
```
Find the secret whose name ends with `-harbor-ingress`(expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`)
2) Export the secret as yaml file:
```
kubectl get secret secret-name -o yaml > secret.yaml
```
Replace the `secret-name` with the one got in step i
3) Rename the secret by setting `metadata.name` in `secret.yaml`
4) Create a new secret:
```
kubectl create -f secret.yaml
```
5) Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step iii
4. **Upgrade**
Run upgrade command:
```
helm upgrade release-name --force .
```
The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30).
## Known issues
- The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0.
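Review bot: step 3) of the certificate-preservation procedure is not sufficient for step 4) to succeed: the YAML written by `kubectl get secret secret-name -o yaml` also carries `metadata.resourceVersion`, `metadata.uid`, `metadata.creationTimestamp` and the Helm release labels, and `kubectl create -f` refuses an object with `resourceVersion` set, so the guide should tell the reader to delete those fields as well as renaming the secret. Because `secret.yaml` now holds the TLS private key in plain text on the operator's machine, add a step to remove that file once the new secret exists. Also note that `helm upgrade --force` in Helm 2 may delete and recreate resources instead of patching them, so the downtime mentioned for the schema migration can extend to the workload pods on that path.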
{
"name": "harbor-chart",
"version": "v1.6.3"
}
\ No newline at end of file
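Review bot: `"version": "v1.6.3"` disagrees with the rest of this commit: `Chart.yaml` now says `dev`, the images section mirrors `v1.7.5`, and the README being replaced still lists `harbor-ui` and `harbor-adminserver` at `v1.6.3`, components that the 1.7 configuration table (portal, core, jobservice, registry) no longer has. Pick the Harbor release actually being deployed and make all three agree; otherwise nothing in the repository records which chart version a cluster is running.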
## setup # Helm Chart for Harbor
```bash
# 1.install **Notes:** The master branch is in heavy development, please use the codes on other branch instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment.
## Introduction
This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor.
# label node ## Prerequisites
kubectl label node <nodename> harbor=enabled
helm install \ - Kubernetes cluster 1.10+
/etc/kubernetes/helm/harbor \ - Helm 2.8.0+
--name=harbor \
--namespace=devops \
-f /etc/kubernetes/helm/harbor/values-overrides.yaml
# uninstall ## Installation
helm delete harbor --purge
# update ### Download the chart
helm upgrade harbor /etc/kubernetes/helm/harbor \
-f /etc/kubernetes/helm/harbor/values-overrides.yaml Download Harbor helm chart code.
```bash
git clone https://github.com/goharbor/harbor-helm
``` ```
## overrides Checkout the branch.
```bash ```bash
cat /etc/kubernetes/helm/harbor/values-overrides.yaml cd harbor-helm
git checkout branch_name
``` ```
### 有持久化存储Storage ### Configure the chart
The following items can be configured in `values.yaml` or set via `--set` flag during installation.
#### Configure the way how to expose Harbor service:
- **Ingress**: The ingress controller must be installed in the Kubernetes cluster.
**Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail.
- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer.
#### Configure the external URL
The external URL for Harbor core service is used to:
1. populate the docker/helm commands showed on portal
2. populate the token service URL returned to docker/notary client
Format: `protocol://domain[:port]`. Usually:
参考values-storage.yaml - if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core`
- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name`
- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node
- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider
### 使用HostPath存储数据 If Harbor is deployed behind the proxy, set it as the URL of proxy.
在此之前规划一下哪台服务器存储什么内容 #### Configure the way how to persistent data:
- **Disable**: The data does not survive the termination of a pod.
- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use.
- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`.
#### Configure the secrets
- **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure.
- **Certificates**:
- *notary*: Used for authentication during communications. Fill `notary.secretName` to configure. Notary server certificate must be issued with notary service name as subject alternative name.
- *core*: Used for token encryption/decryption. Fill `core.secretName` to configure.
Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)).
#### Configure the other items listed in [configuration](#configuration) section.
### Install the chart
Install the Harbor helm chart with a release name `my-release`:
```bash
helm install --name my-release .
``` ```
harbor: enabled
kubectl label node <nodename> harbor=enabled ## Uninstallation
# kubectl label node <nodename> harbor-
To uninstall/delete the `my-release` deployment:
```bash
helm delete --purge my-release
``` ```
参考values-hostpath.yaml ## Configuration
The following table lists the configurable parameters of the Harbor chart and the default values.
# images | Parameter | Description | Default |
| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| **Expose** |
| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer` | `ingress` |
| `expose.tls.enabled` | Enable the tls or not | `true` |
| `expose.tls.secretName` | Fill the name of secret if you want to use your own TLS certificate. The secret must contain keys named:
`tls.crt` - the certificate, `tls.key` - the private key, `ca.crt` - the certificate of CA.These files will be generated automatically if the `secretName` is not set ||
| `expose.tls.commonName` | The common name used to generate the certificate, it's necessary when the `expose.type` is `clusterIP` or `nodePort` and `expose.tls.secretName` is null | |
| `expose.ingress.host` | The host of Harbor service in ingress rule | `harbor.local` |
| `expose.ingress.controller` | The ingress controller type. Currently supports `default` and `gce` | `default` |
| `expose.ingress.annotations` | The annotations used in ingress | |
| `expose.ingress.rewriteAnnotation` | The name of the `rewrite-target` annotation| `nginx.ingress.kubernetes.io/rewrite-target` |
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
| `expose.clusterIP.ports.http` | The service port Harbor listens on when serving with HTTP | `80` |
| `expose.clusterIP.ports.https` | The service port Harbor listens on when serving with HTTPS | `443` |
| `expose.nodePort.name` | The name of NodePort service | `harbor` |
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` |
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` |
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` |
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` |
| `expose.loadBalancer.name` | The name of service |`harbor`|
| `expose.loadBalancer.ports.http` | The service port Harbor listens on when serving with HTTP |`80`|
| `expose.loadBalancer.ports.https` | The service port Harbor listens on when serving with HTTP |`30002`|
| **Persistence** |
| `persistence.enabled` | Enable the data persistence or not | `true` |
| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` |
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` |
| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` |
| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` |
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` |
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` |
| **General** |
| `externalURL` | The external URL for Harbor service | `https://harbor.local` |
| `imagePullPolicy` | The image pull policy | `IfNotPresent` |
| `logLevel` | The log level | `debug` |
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) |
| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` |
| `nginx.image.tag` | Image tag | `dev` |
| `nginx.replicas` | The replica count | `1` |
| `nginx.resources` | The [resources] to allocate for container | undefined |
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` |
| `nginx.tolerations` | Tolerations for pod assignment | `[]` |
| `nginx.affinity` | Node/Pod affinities | `{}` |
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
| **Portal** |
| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` |
| `portal.image.tag` | Tag for portal image | `dev` |
| `portal.replicas` | The replica count | `1` |
| `portal.resources` | The [resources] to allocate for container | undefined |
| `portal.nodeSelector` | Node labels for pod assignment | `{}` |
| `portal.tolerations` | Tolerations for pod assignment | `[]` |
| `portal.affinity` | Node/Pod affinities | `{}` |
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
| **Core** |
| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` |
| `core.image.tag` | Tag for Harbor core image | `dev` |
| `core.replicas` | The replica count | `1` |
| `core.resources` | The [resources] to allocate for container | undefined |
| `core.nodeSelector` | Node labels for pod assignment | `{}` |
| `core.tolerations` | Tolerations for pod assignment | `[]` |
| `core.affinity` | Node/Pod affinities | `{}` |
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `core.secret` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey` that contain the certificate and private key. They will be automatically generated if not set. | |
| **Jobservice** |
| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` |
| `jobservice.image.tag` | Tag for jobservice image | `dev` |
| `jobservice.replicas` | The replica count | `1` |
| `jobservice.maxJobWorkers` | The max job workers | `10` |
| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` |
| `jobservice.resources` | The [resources] to allocate for container | undefined |
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` |
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` |
| `jobservice.affinity` | Node/Pod affinities | `{}` |
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| **Registry** |
| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
| `registry.registry.image.tag` | Tag for registry image |
| `registry.registry.resources` | The [resources] to allocate for container | undefined | | `dev` |
| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` |
| `registry.controller.image.tag` | Tag for registry controller image |
| `registry.controller.resources` | The [resources] to allocate for container | undefined | | `dev` |
| `registry.replicas` | The replica count | `1` |
| `registry.nodeSelector` | Node labels for pod assignment | `{}` |
| `registry.tolerations` | Tolerations for pod assignment | `[]` |
| `registry.affinity` | Node/Pod affinities | `{}` |
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| **Chartmuseum** |
| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` |
| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` |
| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` |
| `chartmuseum.replicas` | The replica count | `1` |
| `chartmuseum.resources` | The [resources] to allocate for container | undefined |
| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` |
| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` |
| `chartmuseum.affinity` | Node/Pod affinities | `{}` |
| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` |
| **Clair** |
| `clair.enabled` | Enable Clair | `true` |
| `clair.image.repository` | Repository for clair image | `goharbor/clair-photon` |
| `clair.image.tag` | Tag for clair image | `dev` |
| `clair.replicas` | The replica count | `1` |
| `clair.httpProxy` | The HTTP proxy used to update vulnerabilities database from internet | |
| `clair.httpsProxy` | The HTTPS proxy used to update vulnerabilities database from internet | |
| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` |
| `clair.resources` | The [resources] to allocate for container | undefined |
| `clair.nodeSelector` | Node labels for pod assignment | `{}` |
| `clair.tolerations` | Tolerations for pod assignment | `[]` |
| `clair.affinity` | Node/Pod affinities | `{}` |
| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` |
| **Notary** |
| `notary.enabled` | Enable Notary? | `true` |
| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` |
| `notary.server.image.tag` | Tag for notary server image | `dev` |
| `notary.server.replicas` | The replica count |
| `notary.server.resources` | The [resources] to allocate for container | undefined | | `1` |
| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` |
| `notary.signer.image.tag` | Tag for notary signer image | `dev` |
| `notary.signer.replicas` | The replica count |
| `notary.signer.resources` | The [resources] to allocate for container | undefined | | `1` |
| `notary.nodeSelector` | Node labels for pod assignment | `{}` |
| `notary.tolerations` | Tolerations for pod assignment | `[]` |
| `notary.affinity` | Node/Pod affinities | `{}` |
| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` |
| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | |
| **Database** |
| `database.type` | If external database is used, set it to `external` | `internal` |
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
| `database.internal.image.tag` | Tag for database image | `dev` |
| `database.internal.password` | The password for database | `changeit` |
| `database.internal.resources` | The [resources] to allocate for container | undefined |
| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `database.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `database.internal.affinity` | Node/Pod affinities | `{}` |
| `database.external.host` | The hostname of external database | `192.168.0.1` |
| `database.external.port` | The port of external database | `5432` |
| `database.external.username` | The username of external database | `user` |
| `database.external.password` | The password of external database | `password` |
| `database.external.coreDatabase` | The database used by core service | `registry` |
| `database.external.clairDatabase` | The database used by clair | `clair` |
| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` |
| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` |
| `database.external.sslmode` | Connection method of external database (require | prefer | disable) | `disable` |
| `database.podAnnotations` | Annotations to add to the database pod | `{}` |
| **Redis** |
| `redis.type` | If external redis is used, set it to `external` | `internal` |
| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` |
| `redis.internal.image.tag` | Tag for redis image | `dev` |
| `redis.internal.resources` | The [resources] to allocate for container | undefined |
| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `redis.internal.affinity` | Node/Pod affinities | `{}` |
| `redis.external.host` | The hostname of external Redis | `192.168.0.2` |
| `redis.external.port` | The port of external Redis | `6379` |
| `redis.external.coreDatabaseIndex` | The database index for core | `0` |
| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
| `redis.external.registryDatabaseIndex` | The database index for registry | `2` |
| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` |
| `redis.external.password` | The password of external Redis | |
| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
```bash [resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
# harbor-ui
docker pull goharbor/harbor-ui:v1.6.3 && \
docker tag goharbor/harbor-ui:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-ui:v1.6.3 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-ui:v1.6.3
# harbor-adminserver
docker pull goharbor/harbor-adminserver:v1.6.3 && \
docker tag goharbor/harbor-adminserver:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-adminserver:v1.6.3 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-adminserver:v1.6.3
# harbor-jobservice
docker pull goharbor/harbor-jobservice:v1.6.3 && \
docker tag goharbor/harbor-jobservice:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.6.3 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.6.3
# harbor-db
docker pull goharbor/harbor-db:v1.6.3 && \
docker tag goharbor/harbor-db:v1.6.3 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.6.3 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-db:v1.6.3
# chartmuseum
docker pull chartmuseum/chartmuseum:v0.7.1 && \
docker tag chartmuseum/chartmuseum:v0.7.1 registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum:v0.7.1 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/chartmuseum:v0.7.1
# clair
docker pull quay.io/coreos/clair:v2.0.6 && \
docker tag quay.io/coreos/clair:v2.0.6 registry-vpc.cn-qingdao.aliyuncs.com/wod/clair:v2.0.6 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/clair:v2.0.6
# notary:server
docker pull notary:server-0.5.0 && \
docker tag notary:server-0.5.0 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server:0.5.0 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-server:0.5.0
# notary:signer
docker pull notary:signer-0.5.0 && \
docker tag notary:signer-0.5.0 registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer:0.5.0 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/notary-signer:0.5.0
# registry
docker pull registry:2.7.1 && \
docker tag registry:2.7.1 registry-vpc.cn-qingdao.aliyuncs.com/wod/registry:2.7.1 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/registry:2.7.1
# redis
docker pull redis:4.0.1-alpine && \
docker tag redis:4.0.1-alpine registry-vpc.cn-qingdao.aliyuncs.com/wod/redis:4.0.1-alpine && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/redis:4.0.1-alpine
```
\ No newline at end of file
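Review bot: three rows of the parameter table in this README will not render: the `notary.signer.replicas` row has no default cell, the `notary.signer.resources` row carries stray cells (`| undefined | | `1` |`), and the `database.external.sslmode` description uses unescaped pipes (`require | prefer | disable`), which splits that row into extra columns; write it as `require \| prefer \| disable` or `require/prefer/disable`. Two documented defaults deserve a sentence beside the table rather than only a cell: `database.internal.password` (`changeit`) and `database.external.password` (`password`) are placeholders that an operator must override in their values file. In the image-mirroring block, every `docker pull`/`docker tag`/`docker push` chain mirrors by mutable tag only; pulling by `@sha256:` digest and recording that digest next to the tag would make the mirror reproducible and verifiable against the upstream image.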
Please wait for several minutes for Harbor deployment to complete. Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the UI portal at {{ template "harbor.externalURL" . }}. Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.
For more details, please visit https://github.com/vmware/harbor. For more details, please visit https://github.com/goharbor/harbor.
\ No newline at end of file \ No newline at end of file
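Review bot: nothing in this hunk validates that `.Values.externalURL` is set before it is rendered into the post-install notes, now that the `harbor.externalURL` helper is gone; an unset value prints an empty URL here and wherever else the value is consumed. Wrapping it as `{{ required "externalURL must be set" .Values.externalURL }}` fails the render early with a clear message. The wording change to "Harbor portal" and the link to goharbor/harbor are fine.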
...@@ -13,52 +13,34 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this ...@@ -13,52 +13,34 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
*/}} */}}
{{- define "harbor.fullname" -}} {{- define "harbor.fullname" -}}
{{- $name := default "harbor" .Values.nameOverride -}} {{- $name := default "harbor" .Values.nameOverride -}}
{{- printf "%s" .Release.Name | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/* Helm required labels */}} {{/* Helm required labels */}}
{{- define "harbor.labels" -}} {{- define "harbor.labels" -}}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} chart: {{ .Chart.Name }}
app: "{{ template "harbor.name" . }}"
{{- end -}} {{- end -}}
{{/* matchLabels */}} {{/* matchLabels */}}
{{- define "harbor.matchLabels" -}} {{- define "harbor.matchLabels" -}}
release: {{ .Release.Name }} release: {{ .Release.Name }}
app: "{{ template "harbor.name" . }}"
{{- end -}} {{- end -}}
{{- define "harbor.externalURL" -}} {{- define "harbor.autoGenCert" -}}
{{- if .Values.externalPort -}} {{- if and .Values.expose.tls.enabled (not .Values.expose.tls.secretName) -}}
{{- printf "%s://%s:%s" .Values.externalProtocol .Values.externalDomain (toString .Values.externalPort) -}} {{- printf "true" -}}
{{- else -}} {{- else -}}
{{- printf "%s://%s" .Values.externalProtocol .Values.externalDomain -}} {{- printf "false" -}}
{{- end -}} {{- end -}}
{{- end -}}
{{/*
Use *.domain.com as the Common Name in the certificate,
so it can match Harbor service FQDN and Notary service FQDN.
*/}}
{{- define "harbor.certCommonName" -}}
{{- $list := splitList "." .Values.externalDomain -}}
{{- $list := prepend (rest $list) "*" -}}
{{- $cn := join "." $list -}}
{{- printf "%s" $cn -}}
{{- end -}}
{{/* The external FQDN of Notary server. */}}
{{- define "harbor.notaryFQDN" -}}
{{- printf "notary-%s" .Values.externalDomain -}}
{{- end -}}
{{- define "harbor.notaryServiceName" -}}
{{- printf "%s-notary-server" (include "harbor.fullname" .) -}}
{{- end -}} {{- end -}}
{{- define "harbor.database.host" -}} {{- define "harbor.database.host" -}}
{{- if eq .Values.database.type "internal" -}} {{- if eq .Values.database.type "internal" -}}
{{- template "harbor.fullname" . }}-database {{- template "harbor.database" . }}
{{- else -}} {{- else -}}
{{- .Values.database.external.host -}} {{- .Values.database.external.host -}}
{{- end -}} {{- end -}}
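Review bot: `harbor.matchLabels` on the right-hand side is reduced to `release: {{ .Release.Name }}` alone (the `app` line is dropped), so any selector that includes it without also adding a `component:` label matches every pod of the release; the chartmuseum Service and Deployment in this commit do add `component`, and every other Service/Deployment selector in the chart needs the same check. Two smaller points: `harbor.labels` now emits `chart: {{ .Chart.Name }}` without the version, losing the `chart: <name>-<version>` label that Helm convention uses for tracking upgrades; and `harbor.autoGenCert` returns the strings `"true"`/`"false"`, so callers must compare with `eq (include "harbor.autoGenCert" .) "true"` rather than use the result as a boolean. The new `harbor.fullname` body (`{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}`) finally uses `$name`, which the old body computed and ignored.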
...@@ -80,14 +62,6 @@ so it can match Harbor service FQDN and Notary service FQDN. ...@@ -80,14 +62,6 @@ so it can match Harbor service FQDN and Notary service FQDN.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "harbor.database.password" -}}
{{- if eq .Values.database.type "internal" -}}
{{- .Values.database.internal.password | b64enc | quote -}}
{{- else -}}
{{- .Values.database.external.password | b64enc | quote -}}
{{- end -}}
{{- end -}}
{{- define "harbor.database.rawPassword" -}} {{- define "harbor.database.rawPassword" -}}
{{- if eq .Values.database.type "internal" -}} {{- if eq .Values.database.type "internal" -}}
{{- .Values.database.internal.password -}} {{- .Values.database.internal.password -}}
...@@ -96,6 +70,10 @@ so it can match Harbor service FQDN and Notary service FQDN. ...@@ -96,6 +70,10 @@ so it can match Harbor service FQDN and Notary service FQDN.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "harbor.database.encryptedPassword" -}}
{{- include "harbor.database.rawPassword" . | b64enc | quote -}}
{{- end -}}
{{- define "harbor.database.coreDatabase" -}} {{- define "harbor.database.coreDatabase" -}}
{{- if eq .Values.database.type "internal" -}} {{- if eq .Values.database.type "internal" -}}
{{- printf "%s" "registry" -}} {{- printf "%s" "registry" -}}
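Review bot: the new `harbor.database.encryptedPassword` helper only base64-encodes the raw password (`b64enc | quote`), which is the encoding Secret `data` requires, not encryption; the name invites readers to assume the value is protected at rest. Consider `harbor.database.base64Password` or similar. Since it replaces the deleted `harbor.database.password`, and the removed adminserver-secret.yaml was the only visible consumer of the old name, a grep for `harbor.database.password` over the remaining templates should come back empty before merge.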
...@@ -128,58 +106,95 @@ so it can match Harbor service FQDN and Notary service FQDN. ...@@ -128,58 +106,95 @@ so it can match Harbor service FQDN and Notary service FQDN.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "harbor.database.sslmode" -}}
{{- if eq .Values.database.type "internal" -}}
{{- printf "%s" "disable" -}}
{{- else -}}
{{- .Values.database.external.sslmode -}}
{{- end -}}
{{- end -}}
{{- define "harbor.database.clair" -}} {{- define "harbor.database.clair" -}}
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode=disable postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- end -}} {{- end -}}
{{- define "harbor.database.notaryServer" -}} {{- define "harbor.database.notaryServer" -}}
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode=disable postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- end -}} {{- end -}}
{{- define "harbor.database.notarySigner" -}} {{- define "harbor.database.notarySigner" -}}
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode=disable postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- end -}} {{- end -}}
{{- define "harbor.redis.host" -}} {{- define "harbor.redis.host" -}}
{{- if .Values.redis.external.enabled -}} {{- if eq .Values.redis.type "internal" -}}
{{- .Values.redis.external.host -}} {{- template "harbor.redis" . -}}
{{- else -}} {{- else -}}
{{- .Release.Name }}-redis {{- .Values.redis.external.host -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "harbor.redis.port" -}} {{- define "harbor.redis.port" -}}
{{- if .Values.redis.external.enabled -}} {{- if eq .Values.redis.type "internal" -}}
{{- printf "%s" "6379" -}}
{{- else -}}
{{- .Values.redis.external.port -}} {{- .Values.redis.external.port -}}
{{- end -}}
{{- end -}}
{{- define "harbor.redis.coreDatabaseIndex" -}}
{{- if eq .Values.redis.type "internal" -}}
{{- printf "%s" "0" }}
{{- else -}} {{- else -}}
6379 {{- .Values.redis.external.coreDatabaseIndex -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "harbor.redis.databaseIndex" -}} {{- define "harbor.redis.jobserviceDatabaseIndex" -}}
{{- if .Values.redis.external.enabled -}} {{- if eq .Values.redis.type "internal" -}}
{{- .Values.redis.external.databaseIndex -}} {{- printf "%s" "1" }}
{{- else -}} {{- else -}}
{{- printf "%s" "0" }} {{- .Values.redis.external.jobserviceDatabaseIndex -}}
{{- end -}}
{{- end -}}
{{- define "harbor.redis.registryDatabaseIndex" -}}
{{- if eq .Values.redis.type "internal" -}}
{{- printf "%s" "2" }}
{{- else -}}
{{- .Values.redis.external.registryDatabaseIndex -}}
{{- end -}}
{{- end -}}
{{- define "harbor.redis.chartmuseumDatabaseIndex" -}}
{{- if eq .Values.redis.type "internal" -}}
{{- printf "%s" "3" }}
{{- else -}}
{{- .Values.redis.external.chartmuseumDatabaseIndex -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "harbor.redis.password" -}} {{- define "harbor.redis.rawPassword" -}}
{{- if and .Values.redis.external.enabled .Values.redis.external.usePassword -}} {{- if and (eq .Values.redis.type "external") .Values.redis.external.password -}}
{{- .Values.redis.external.password -}} {{- .Values.redis.external.password -}}
{{- else if and (not .Values.redis.external.enabled) .Values.redis.usePassword -}}
{{- .Values.redis.password -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*the username redis is used for a placeholder as no username needed in redis*/}} {{/*the username redis is used for a placeholder as no username needed in redis*/}}
{{- define "harbor.redisForJobservice" -}} {{- define "harbor.redisForJobservice" -}}
{{- if and .Values.redis.external.enabled .Values.redis.external.usePassword -}} {{- if (include "harbor.redis.rawPassword" . ) -}}
redis:{{ template "harbor.redis.password" . }}@{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.databaseIndex" }} {{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.rawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.jobserviceDatabaseIndex" . ) }}
{{- else if and (not .Values.redis.external.enabled) .Values.redis.usePassword -}}
redis:{{ template "harbor.redis.password" . }}@{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.databaseIndex" }}
{{- else }} {{- else }}
{{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.databaseIndex" }} {{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.jobserviceDatabaseIndex" . }}
{{- end -}}
{{- end -}}
{{/*the username redis is used for a placeholder as no username needed in redis*/}}
{{- define "harbor.redisForGC" -}}
{{- if (include "harbor.redis.rawPassword" . ) -}}
{{- printf "redis://redis:%s@%s:%s/%s" (include "harbor.redis.rawPassword" . ) (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.registryDatabaseIndex" . ) }}
{{- else }}
{{- printf "redis://%s:%s/%s" (include "harbor.redis.host" . ) (include "harbor.redis.port" . ) (include "harbor.redis.registryDatabaseIndex" . ) -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
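Review bot: `harbor.redisForJobservice` is inconsistent between its branches: with a password it emits `redis://redis:<pw>@host:port/db`, but its `else` branch (`{{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}/{{ template "harbor.redis.jobserviceDatabaseIndex" . }}`) emits `host:port/db` with no `redis://` scheme, whereas the parallel `harbor.redisForGC` uses `printf "redis://%s:%s/%s"` in its password-less branch. Unless jobservice accepts both forms, make the jobservice `else` branch match the GC one. The `printf` lines in both helpers end with `}}` rather than `-}}`, so they emit a trailing newline that the `else` branches do not. On the database side, `harbor.database.clair`, `notaryServer` and `notarySigner` embed `harbor.database.rawPassword` in the `postgres://` URL and the new `harbor.database.sslmode` hard-wires `disable` for the internal database; every template that consumes these URLs must write them into a Secret, not a ConfigMap, and `disable` is acceptable only for the in-cluster instance. Finally, `harbor.redis.rawPassword` yields nothing for `redis.type: internal`, i.e. the bundled Redis runs without AUTH, which the README should state.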
...@@ -187,6 +202,80 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab ...@@ -187,6 +202,80 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
host:port,pool_size,password host:port,pool_size,password
100 is the default value of pool size 100 is the default value of pool size
*/}} */}}
{{- define "harbor.redisForUI" -}} {{- define "harbor.redisForCore" -}}
{{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }},100,{{ template "harbor.redis.password" . }} {{- template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }},100,{{ template "harbor.redis.rawPassword" . }}
{{- end -}}
{{- define "harbor.portal" -}}
{{- printf "%s-portal" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.core" -}}
{{- printf "%s-core" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.redis" -}}
{{- printf "%s-redis" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.jobservice" -}}
{{- printf "%s-jobservice" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.registry" -}}
{{- printf "%s-registry" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.chartmuseum" -}}
{{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.database" -}}
{{- printf "%s-database" (include "harbor.fullname" .) -}}
{{- end -}} {{- end -}}
{{- define "harbor.clair" -}}
{{- printf "%s-clair" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.notary-server" -}}
{{- printf "%s-notary-server" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.notary-signer" -}}
{{- printf "%s-notary-signer" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.nginx" -}}
{{- printf "%s-nginx" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.ingress.core" -}}
{{- printf "%s-ingress-core" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.ingress.notary" -}}
{{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.certificate" -}}
{{- printf "%s-certificate" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.certificate-secret" -}}
{{- $tls := .Values.expose.tls -}}
{{- if $tls.secretName }}
{{- printf "%s" $tls.secretName -}}
{{- else }}
{{- printf "%s" (include "harbor.certificate" .) -}}
{{- end }}
{{- end -}}
{{- define "harbor.common-name" -}}
{{- $expose := .Values.expose }}
{{- if and (eq $expose.type "ingress") $expose.ingress.host }}
{{- printf "%s" $expose.ingress.host -}}
{{- else }}
{{- printf "%s" $expose.tls.commonName -}}
{{- end }}
{{- end -}}
\ No newline at end of file
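Review bot: `harbor.common-name` falls through to `$expose.tls.commonName` whenever the expose type is not `ingress` or `ingress.host` is empty, and nothing guards against that value being empty as well, so an auto-generated certificate (`harbor.autoGenCert` true) can be issued with an empty CN; wrap the fallback as `required "expose.tls.commonName must be set" $expose.tls.commonName`. The wildcard-CN logic removed in the first hunk (`harbor.certCommonName`, `*.<domain>`) covered both the Harbor FQDN and `notary-<domain>` with one certificate; with a single host as CN, confirm that the certificate template adds the notary ingress host as a SAN, or notary clients will see a name mismatch. `harbor.redisForCore` carries the raw Redis password in its `host:port,100,password` output, so it too must only land in a Secret.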
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-adminserver"
labels:
{{ include "harbor.labels" . | indent 4 }}
app: harbor-adminserver
type: Opaque
data:
secretKey: {{ .Values.secretKey | b64enc | quote }}
EMAIL_PWD: {{ .Values.email.password | b64enc | quote }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }}
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
{{- if eq .Values.authenticationMode "ldap_auth" }}
LDAP_SEARCH_PWD: {{ .Values.ldap.searchPassword | b64enc | quote }}
{{- end }}
{{ if .Values.clair.enabled }}
CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }}
{{ end }}
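Review bot: each of the eight credential keys this deleted Secret held (`secretKey`, `EMAIL_PWD`, `HARBOR_ADMIN_PASSWORD`, `POSTGRESQL_PASSWORD`, `JOBSERVICE_SECRET`, `UI_SECRET`, `LDAP_SEARCH_PWD`, `CLAIR_DB_PASSWORD`) needs a confirmed new home before the deletion lands; the chartmuseum Deployment in this commit references `/core/core-secret.yaml`, which is not shown here, and the `.Values.ui.secret` and `.Values.adminserver.*` values that fed these keys should be removed from values.yaml or mapped to their `core` equivalents so stale settings do not linger. The unconditional `{{ if .Values.clair.enabled }}` / `{{ end }}` at the end emitted blank lines inside `data:`; the new Secrets use `{{- if` / `{{- end }}`, which is the right pattern to keep.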
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.fullname" . }}-adminserver"
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-adminserver
\ No newline at end of file
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: "{{ template "harbor.fullname" . }}-adminserver"
labels:
{{ include "harbor.labels" . | indent 4 }}
app: harbor-adminserver
version: {{ .Values.adminserver.image.tag }}
spec:
replicas: 1
serviceName: "{{ template "harbor.fullname" . }}-adminserver"
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-adminserver
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
app: harbor-adminserver
version: {{ .Values.adminserver.image.tag }}
spec:
containers:
- name: adminserver
image: "{{ .Values.adminserver.image.repository }}:{{ .Values.adminserver.image.tag }}"
imagePullPolicy: "{{ .Values.adminserver.image.pullPolicy }}"
resources:
{{ toYaml .Values.adminserver.resources | indent 10 }}
envFrom:
- configMapRef:
name: "{{ template "harbor.fullname" . }}-adminserver"
- secretRef:
name: "{{ template "harbor.fullname" . }}-adminserver"
env:
- name: PORT
value: "8080"
- name: JSON_CFG_STORE_PATH
value: /etc/adminserver/config/config.json
- name: KEY_PATH
value: /etc/adminserver/key
ports:
- containerPort: 8080
volumeMounts:
- name: data
mountPath: /etc/adminserver/config
- name: adminserver-key
mountPath: /etc/adminserver/key
subPath: key
- name: etc-localtime
mountPath: /etc/localtime
volumes:
- name: etc-localtime
hostPath:
path: /etc/localtime
{{- if not .Values.persistence.enabled }}
- name: data
hostPath:
path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/adminserver
{{- end }}
- name: adminserver-key
secret:
secretName: "{{ template "harbor.fullname" . }}-adminserver"
items:
- key: secretKey
path: key
{{- with .Values.adminserver.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.adminserver.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.adminserver.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: [{{ .Values.adminserver.volumes.config.accessMode | quote }}]
{{- if .Values.adminserver.volumes.config.storageClass }}
{{- if (eq "-" .Values.adminserver.volumes.config.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.adminserver.volumes.config.storageClass }}"
{{- end }}
{{- end }}
resources:
requests:
storage: {{ .Values.adminserver.volumes.config.size | quote }}
{{- end -}}
{{- if .Values.chartmuseum.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.chartmuseum" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
PORT: "9999"
CACHE: "redis"
CACHE_REDIS_ADDR: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}"
CACHE_REDIS_DB: "{{ template "harbor.redis.chartmuseumDatabaseIndex" . }}"
BASIC_AUTH_USER: "chart_controller"
DEPTH: "1"
{{- if eq .Values.logLevel "debug" }}
DEBUG: "true"
{{- else }}
DEBUG: "false"
{{- end }}
LOG_JSON: "true"
DISABLE_METRICS: "false"
DISABLE_API: "false"
DISABLE_STATEFILES: "false"
ALLOW_OVERWRITE: "true"
#CHART_URL: {{ .Values.externalURL }}/chartrepo
AUTH_ANONYMOUS_GET: "false"
TLS_CERT:
TLS_KEY:
CONTEXT_PATH:
INDEX_LIMIT: "0"
MAX_STORAGE_OBJECTS: "0"
MAX_UPLOAD_SIZE: "20971520"
CHART_POST_FORM_FIELD_NAME: "chart"
PROV_POST_FORM_FIELD_NAME: "prov"
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $storageType := $storage.type }}
{{- if eq $storageType "filesystem" }}
STORAGE: "local"
STORAGE_LOCAL_ROOTDIR: "/chart_storage"
{{- else if eq $storageType "azure" }}
STORAGE: "microsoft"
STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }}
AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }}
STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts"
{{- else if eq $storageType "gcs" }}
STORAGE: "google"
STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }}
GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json
{{- if $storage.gcs.rootdirectory }}
STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }}
{{- end }}
{{- else if eq $storageType "s3" }}
STORAGE: "amazon"
STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }}
{{- if $storage.s3.rootdirectory }}
STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }}
{{- end }}
STORAGE_AMAZON_REGION: {{ $storage.s3.region }}
{{- if $storage.s3.regionendpoint }}
STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }}
{{- end }}
{{- if $storage.s3.accesskey }}
AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }}
{{- end }}
{{- else if eq $storageType "swift" }}
STORAGE: "openstack"
STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }}
{{- if $storage.swift.secretkey }}
STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }}
{{- end }}
{{- if $storage.swift.secretkey }}
STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }}
{{- end }}
OS_AUTH_URL: {{ $storage.swift.authurl }}
OS_USERNAME: {{ $storage.swift.username }}
{{- if $storage.swift.secretkey }}
OS_PROJECT_ID: {{ $storage.swift.tenantid }}
{{- end }}
{{- if $storage.swift.secretkey }}
OS_PROJECT_NAME: {{ $storage.swift.tenant }}
{{- end }}
{{- if $storage.swift.secretkey }}
OS_DOMAIN_ID: {{ $storage.swift.domainid }}
{{- end }}
{{- if $storage.swift.secretkey }}
OS_DOMAIN_NAME: {{ $storage.swift.domain }}
{{- end }}
{{- else if eq $storageType "oss" }}
STORAGE: "alibaba"
STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }}
{{- if $storage.oss.secretkey }}
STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }}
{{- end }}
{{- if $storage.oss.secretkey }}
STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }}
{{- end }}
ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }}
{{- end }}
{{- end }}
\ No newline at end of file
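Review bot: the swift and oss branches gate unrelated keys on the secret key: `{{- if $storage.swift.secretkey }}` guards `STORAGE_OPENSTACK_PREFIX`, `STORAGE_OPENSTACK_REGION`, `OS_PROJECT_ID`, `OS_PROJECT_NAME`, `OS_DOMAIN_ID` and `OS_DOMAIN_NAME`, and `{{- if $storage.oss.secretkey }}` guards `STORAGE_ALIBABA_PREFIX` and `STORAGE_ALIBABA_ENDPOINT`. Each condition should test the field it emits (for example `{{- if $storage.swift.prefix }}`), as the gcs and s3 branches already do; otherwise a prefix or region set without a secret key is silently dropped, and an unset region is emitted as a null value. Related: `TLS_CERT:`, `TLS_KEY:` and `CONTEXT_PATH:` carry no value, which YAML reads as null rather than the empty string; the old ConfigMap wrote `""`, which is unambiguous for a string map. The unquoted provider values (`STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }}`, `OS_AUTH_URL: {{ $storage.swift.authurl }}` and the rest) should be piped through `quote` so values that look like numbers or booleans survive YAML parsing. Putting the key identifiers (`AZURE_STORAGE_ACCOUNT`, `AWS_ACCESS_KEY_ID`, `ALIBABA_CLOUD_ACCESS_KEY_ID`, `OS_USERNAME`) in the ConfigMap while their secret halves go to the Secret is defensible; the commented-out `#CHART_URL` line should be restored or removed.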
{{- if .Values.chartmuseum.enabled }} {{- if .Values.chartmuseum.enabled }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-chartmuseum" name: "{{ template "harbor.chartmuseum" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-chartmuseum component: chartmuseum
version: {{ .Values.chartmuseum.image.tag }}
spec: spec:
replicas: 1 replicas: {{ .Values.chartmuseum.replicas }}
serviceName: "{{ template "harbor.fullname" . }}-chartmuseum"
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-chartmuseum component: chartmuseum
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.labels" . | indent 8 }}
app: harbor-chartmuseum component: chartmuseum
version: {{ .Values.chartmuseum.image.tag }} annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.chartmuseum.podAnnotations }}
{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }}
{{- end }}
spec: spec:
containers: containers:
- name: chartmuseum - name: chartmuseum
image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }} image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }}
imagePullPolicy: {{ .Values.chartmuseum.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /health
port: 9999
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: 9999
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.chartmuseum.resources }}
resources: resources:
{{ toYaml .Values.chartmuseum.resources | indent 10 }} {{ toYaml .Values.chartmuseum.resources | indent 10 }}
{{- end }}
envFrom: envFrom:
- configMapRef: - configMapRef:
name: "{{ template "harbor.fullname" . }}-chartmuseum" name: "{{ template "harbor.chartmuseum" . }}"
- secretRef: - secretRef:
name: "{{ template "harbor.fullname" . }}-chartmuseum" name: "{{ template "harbor.chartmuseum" . }}"
env:
- name: BASIC_AUTH_PASS
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
key: secret
ports: ports:
- containerPort: 9999 - containerPort: 9999
# TODO: update it after moving the storage out of registry scope
{{- if (.Values.persistence.enabled) and eq .Values.registry.storage.type "filesystem" }}
volumeMounts: volumeMounts:
- name: data - name: chartmuseum-data
mountPath: /chart_storage mountPath: /chart_storage
{{- end }} - name: etc-localtime
mountPath: /etc/localtime
volumes:
- name: etc-localtime
hostPath:
path: /etc/localtime
- name: chartmuseum-data
hostPath:
path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/chartmuseum
{{- with .Values.chartmuseum.nodeSelector }} {{- with .Values.chartmuseum.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
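Review bot: with more than one replica, or after a reschedule to another node, each chartmuseum pod now sees a different directory, because `replicas: {{ .Values.chartmuseum.replicas }}` is combined with a `hostPath` volume at `/data/{{ .Release.Namespace }}/{{ .Release.Name }}/chartmuseum` in place of the former StatefulSet PVC; the chart index diverges between pods and uploads can be lost. Either pin the pod to one node with a nodeSelector and document `replicas: 1` as a hard requirement, or keep a PVC. hostPath also writes to the node filesystem as the container user and is commonly blocked by pod security policies; the `/etc/localtime` hostPath mount has the same problem and can be replaced by a `TZ` environment variable. Smaller points: `BASIC_AUTH_PASS` now comes from the core Secret's `secret` key, which couples chartmuseum's basic-auth password to the core service secret and deserves a comment in values.yaml, and `initialDelaySeconds: 1` on both probes is tight for a first start that has to index a large chart directory. The checksum annotations on the ConfigMap and both Secrets are a good addition, since they roll the pods when configuration changes.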
...@@ -52,23 +82,4 @@ spec: ...@@ -52,23 +82,4 @@ spec:
tolerations: tolerations:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }} {{- end }}
{{- if (.Values.persistence.enabled) and eq .Values.registry.storage.type "filesystem" }} {{- end }}
volumeClaimTemplates:
- metadata:
name: data
labels:
{{ include "harbor.labels" . | indent 8 }}
spec:
accessModes: [{{ .Values.chartmuseum.volumes.data.accessMode | quote }}]
{{- if .Values.chartmuseum.volumes.data.storageClass }}
{{- if (eq "-" .Values.chartmuseum.volumes.data.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.chartmuseum.volumes.data.storageClass }}"
{{- end }}
{{- end }}
resources:
requests:
storage: {{ .Values.chartmuseum.volumes.data.size | quote }}
{{- end -}}
{{- end }}
\ No newline at end of file
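Review bot: `persistence.enabled` and the `chartmuseum.volumes.data.*` values (`accessMode`, `storageClass`, `size`) no longer have any effect on chartmuseum once this `volumeClaimTemplates` block is gone; either delete those values from values.yaml and the README, or keep a PVC path behind `persistence.enabled` so an operator who sets it does not silently get hostPath storage.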
{{- if .Values.chartmuseum.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.chartmuseum" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
CACHE_REDIS_PASSWORD: {{ include "harbor.redis.rawPassword" . | b64enc | quote }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $storageType := $storage.type }}
{{- if eq $storageType "azure" }}
AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }}
{{- else if eq $storageType "gcs" }}
# TODO support the keyfile of gcs
{{- else if eq $storageType "s3" }}
{{- if $storage.s3.secretkey }}
AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }}
{{- end }}
{{- else if eq $storageType "swift" }}
OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
{{- else if eq $storageType "oss" }}
ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- end }}
\ No newline at end of file
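Review bot: the provider branches guard inconsistently: s3 wraps its key in `{{- if $storage.s3.secretkey }}`, but the azure, swift and oss branches pipe `$storage.azure.accountkey`, `$storage.swift.password` and `$storage.oss.accesskeysecret` straight into `b64enc | quote`, which fails the render with a type error when the value is absent from values.yaml. Either guard all four the same way or use `required` so the failure message names the missing key. The gcs branch is only the `# TODO support the keyfile of gcs` comment, which is emitted into the rendered manifest (harmless), but the ConfigMap already points `GOOGLE_APPLICATION_CREDENTIALS` at `/etc/chartmuseum/gcs-key.json` and the Deployment mounts nothing at that path, so gcs storage cannot work as committed and the README should say so.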
...@@ -2,15 +2,14 @@ ...@@ -2,15 +2,14 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-chartmuseum" name: "{{ template "harbor.chartmuseum" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
ports: ports:
- name: http - port: 80
port: 80
targetPort: 9999 targetPort: 9999
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-chartmuseum component: chartmuseum
{{- end }} {{- end }}
\ No newline at end of file
{{- if .Values.chartmuseum.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.fullname" . }}-chartmuseum"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
PORT: "9999"
CACHE: "redis"
CACHE_REDIS_ADDR: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}"
CACHE_REDIS_DB: "{{ template "harbor.redis.databaseIndex" }}"
BASIC_AUTH_USER: "chart_controller"
DEPTH: "1"
STORAGE: "local"
STORAGE_LOCAL_ROOTDIR: "/chart_storage"
DEBUG: "false"
LOG_JSON: "true"
DISABLE_METRICS: "false"
DISABLE_API: "false"
DISABLE_STATEFILES: "false"
ALLOW_OVERWRITE: "true"
CHART_URL: ""
AUTH_ANONYMOUS_GET: "false"
TLS_CERT: ""
TLS_KEY: ""
CONTEXT_PATH: ""
INDEX_LIMIT: "0"
MAX_STORAGE_OBJECTS: "0"
MAX_UPLOAD_SIZE: "20971520"
CHART_POST_FORM_FIELD_NAME: "chart"
PROV_POST_FORM_FIELD_NAME: "prov"
{{- end }}
\ No newline at end of file
{{- if .Values.chartmuseum.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-chartmuseum"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
CACHE_REDIS_PASSWORD: "{{ template "harbor.redis.password" }}"
BASIC_AUTH_PASS: {{ .Values.ui.secret | b64enc | quote }}
{{- end }}
\ No newline at end of file
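Review bot: nothing needs carrying over from this deleted Secret: its `CACHE_REDIS_PASSWORD: "{{ template "harbor.redis.password" }}"` line placed an unencoded value under `data` and invoked the template without the `.` context, and both defects are corrected by the replacement chartmuseum-secret.yaml, which encodes with `b64enc | quote` and passes `.`. Moving `BASIC_AUTH_PASS` out of this Secret into a `secretKeyRef` on the core Secret is consistent with that change.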
...@@ -2,10 +2,10 @@ ...@@ -2,10 +2,10 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ template "harbor.fullname" . }}-clair name: {{ template "harbor.clair" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-clair component: clair
data: data:
config.yaml: | config.yaml: |
clair: clair:
...@@ -25,11 +25,11 @@ data: ...@@ -25,11 +25,11 @@ data:
# Deadline before an API request will respond with a 503 # Deadline before an API request will respond with a 503
timeout: 300s timeout: 300s
updater: updater:
interval: 12h interval: {{ .Values.clair.updatersInterval }}h
notifier: notifier:
attempts: 3 attempts: 3
renotifyinterval: 2h renotifyinterval: 2h
http: http:
endpoint: "http://{{ template "harbor.fullname" . }}-ui/service/notifications/clair" endpoint: "http://{{ template "harbor.core" . }}/service/notifications/clair"
{{ end }} {{ end }}
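Review bot: `interval: {{ .Values.clair.updatersInterval }}h` renders as `interval: h` when `clair.updatersInterval` is unset or empty, which Clair rejects as a duration at startup; render it as `{{ required "clair.updatersInterval must be set" .Values.clair.updatersInterval }}h` or apply `default 12` to match the old hard-coded `12h`. The notifier endpoint now targets `http://{{ template "harbor.core" . }}/service/notifications/clair` over plain HTTP; that is acceptable for a cluster-internal callback, but worth a comment so nobody exposes the core Service beyond the cluster expecting TLS on that path.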
...@@ -2,31 +2,59 @@ ...@@ -2,31 +2,59 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "harbor.fullname" . }}-clair name: {{ template "harbor.clair" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-clair component: clair
version: {{ .Values.clair.image.tag }}
spec: spec:
replicas: 1 replicas: {{ .Values.clair.replicas }}
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.labels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-clair component: clair
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.labels" . | indent 8 }}
app: harbor-clair component: clair
version: {{ .Values.clair.image.tag }} annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/clair/clair-cm.yaml") . | sha256sum }}
{{- if .Values.clair.podAnnotations }}
{{ toYaml .Values.clair.podAnnotations | indent 8 }}
{{- end }}
spec: spec:
containers: containers:
- name: clair - name: clair
image: {{ .Values.clair.image.repository }}:{{ .Values.clair.image.tag }} image: {{ .Values.clair.image.repository }}:{{ .Values.clair.image.tag }}
imagePullPolicy: {{ .Values.clair.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
args: ["-insecure-tls", "-config", "/etc/clair/config.yaml"] livenessProbe:
httpGet:
path: /health
port: 6061
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: 6061
initialDelaySeconds: 30
periodSeconds: 10
args: ["-log-level", "{{ .Values.logLevel }}"]
env:
{{- if .Values.clair.httpProxy }}
- name: HTTP_PROXY
value: {{ .Values.clair.httpProxy }}
{{- end }}
{{- if .Values.clair.httpsProxy }}
- name: HTTPS_PROXY
value: {{ .Values.clair.httpsProxy }}
{{- end }}
- name: NO_PROXY
value: "{{ template "harbor.registry" . }},{{ template "harbor.core" . }}"
{{- if .Values.clair.resources }}
resources: resources:
{{ toYaml .Values.clair.resources | indent 10 }} {{ toYaml .Values.clair.resources | indent 10 }}
{{- end }}
ports: ports:
- containerPort: 6060 - containerPort: 6060
volumeMounts: volumeMounts:
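Review bot: the container args change from `["-insecure-tls", "-config", "/etc/clair/config.yaml"]` to `["-log-level", "{{ .Values.logLevel }}"]`, yet the ConfigMap is still mounted at `/etc/clair/config.yaml` (see the `volumeMounts` in the next hunk); unless the image's entrypoint supplies `-config` itself, Clair starts without the mounted configuration, so please confirm the entrypoint or keep `-config` in `args`. Dropping `-insecure-tls` removes a certificate-verification bypass, which is an improvement; if Clair's layer fetches go through an endpoint presenting the chart's self-signed certificate, that CA will need to be in Clair's trust store. Minor: `value: {{ .Values.clair.httpProxy }}` and the HTTPS variant are unquoted while `NO_PROXY` is quoted; quote all three so a proxy URL containing `#` or other YAML-significant characters cannot break the manifest.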
...@@ -34,14 +62,14 @@ spec: ...@@ -34,14 +62,14 @@ spec:
mountPath: /etc/clair/config.yaml mountPath: /etc/clair/config.yaml
subPath: config.yaml subPath: config.yaml
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: clair-config - name: clair-config
configMap: configMap:
name: "{{ template "harbor.fullname" . }}-clair" name: "{{ template "harbor.clair" . }}"
items: items:
- key: config.yaml - key: config.yaml
path: config.yaml path: config.yaml
......
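Review bot: the `etc-localtime` volume is a `hostPath` mount of `/etc/localtime` (unchanged in this hunk, and copied into the core, jobservice and database manifests in this change); hostPath volumes are refused by restricted pod security policies and only serve to set the timezone, which a `TZ` environment variable achieves without touching the node filesystem. Not blocking, but a worthwhile follow-up across all components.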
{{ if .Values.clair.enabled }} {{ if .Values.clair.enabled }}
# clair host isn't configurable yet. this creates a service
# to get it working for now.
# see https://github.com/vmware/harbor/issues/3250
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-clair" name: "{{ template "harbor.clair" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
ports: ports:
- name: http - name: clair
port: 6060 port: 6060
- name: health
port: 6061
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-clair component: clair
{{ end }} {{ end }}
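Review bot: adding the `health` port 6061 to the ClusterIP Service is what `CLAIR_HEALTH_CHECK_SERVER_URL: "http://{{ template "harbor.clair" . }}:6061"` in the core ConfigMap relies on, so the two changes belong together; since it also makes Clair's health API reachable from every pod in the cluster, a NetworkPolicy limiting 6060/6061 to the core pods would be a reasonable follow-up. Removing the comment that pointed at the upstream issue is fine now that the service name is templated, but a one-line comment naming the consumer of each port would help the next reader.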
{{- if eq (include "harbor.autoGenCert" .) "true" }}
{{- $cn := (required "The \"expose.tls.commonName\" is required!" (include "harbor.common-name" .)) }}
{{- $ca := genCA "harbor-ca" 365 }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.certificate" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
{{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
{{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- else }}
{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- end }}
{{- end }}
\ No newline at end of file
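Review bot: `genCA` and `genSignedCert` produce a fresh CA and leaf certificate on every render, so each `helm upgrade` rotates `tls.crt`, `tls.key` and `ca.crt`; clients that trusted the previous `ca.crt` (Docker daemons, notary clients) lose trust until they fetch the new one, and the validity has also dropped from the 3650 days in the file this replaces to 365. Say so next to `expose.tls` in values.yaml, and steer anything beyond a test install towards a user-supplied Secret. Smaller point: the regex only matches IPv4, so an IPv6 common name falls into the `else` branch and is issued as a DNS SAN, which will not validate for that address.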
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-adminserver" name: {{ template "harbor.core" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-adminserver
data: data:
app.conf: |+
appname = Harbor
runmode = dev
enablegzip = true
[dev]
httpport = 8080
DATABASE_TYPE: "postgresql"
POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
EMAIL_HOST: "{{ .Values.email.host }}" POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
EMAIL_PORT: "{{ .Values.email.port }}" EXT_ENDPOINT: "{{ .Values.externalURL }}"
EMAIL_USR: "{{ .Values.email.username }}" CORE_URL: "http://{{ template "harbor.core" . }}"
EMAIL_SSL: "{{ .Values.email.ssl }}"
EMAIL_FROM: "{{ .Values.email.from }}"
EMAIL_IDENTITY: "{{ .Values.email.identity }}"
EMAIL_INSECURE: "{{ .Values.email.insecure }}"
EXT_ENDPOINT: "{{ template "harbor.externalURL" . }}"
UI_URL: "http://{{ template "harbor.fullname" . }}-ui"
JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice" JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000" REGISTRY_URL: "http://{{ template "harbor.registry" . }}:5000"
TOKEN_SERVICE_URL: "http://{{ template "harbor.fullname" . }}-ui/service/token" TOKEN_SERVICE_URL: "http://{{ template "harbor.core" . }}/service/token"
WITH_NOTARY: "{{ .Values.notary.enabled }}" WITH_NOTARY: "{{ .Values.notary.enabled }}"
NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443" NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
LOG_LEVEL: "info"
IMAGE_STORE_PATH: "/" # This is a temporary hack.
AUTH_MODE: "{{ .Values.authenticationMode }}"
SELF_REGISTRATION: "{{ .Values.selfRegistration }}"
LDAP_URL: "{{ .Values.ldap.url }}"
LDAP_SEARCH_DN: "{{ .Values.ldap.searchDN }}"
LDAP_BASE_DN: "{{ .Values.ldap.baseDN }}"
LDAP_FILTER: "{{ .Values.ldap.filter }}"
LDAP_UID: "{{ .Values.ldap.uid }}"
LDAP_SCOPE: "{{ .Values.ldap.scope }}"
LDAP_TIMEOUT: "{{ .Values.ldap.timeout }}"
LDAP_VERIFY_CERT: "{{ .Values.ldap.verifyCert }}"
DATABASE_TYPE: "postgresql"
PROJECT_CREATION_RESTRICTION: "everyone"
VERIFY_REMOTE_CERT: "off"
MAX_JOB_WORKERS: "3"
TOKEN_EXPIRATION: "30"
CFG_EXPIRATION: "5" CFG_EXPIRATION: "5"
GODEBUG: "netdns=cgo"
ADMIRAL_URL: "NA"
RESET: "false"
WITH_CLAIR: "{{ .Values.clair.enabled }}" WITH_CLAIR: "{{ .Values.clair.enabled }}"
CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}" CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}"
CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}" CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}"
CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}" CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}"
CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}" CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}"
CLAIR_DB_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060" CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060"
UAA_ENDPOINT: "" REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
UAA_CLIENTID: ""
UAA_CLIENTSECRET: ""
UAA_VERIFY_CERT: "True"
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.registry.storage.type }}"
WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}"
CHART_REPOSITORY_URL: "http://{{ template "harbor.fullname" . }}-chartmuseum" CHART_REPOSITORY_URL: "http://{{ template "harbor.chartmuseum" . }}"
\ No newline at end of file LOG_LEVEL: "{{ .Values.logLevel }}"
CONFIG_PATH: "/etc/core/app.conf"
SYNC_REGISTRY: "false"
CHART_CACHE_DRIVER: "redis"
_REDIS_URL: "{{ template "harbor.redisForCore" . }}"
_REDIS_URL_REG: "{{ template "harbor.redisForGC" . }}"
PORTAL_URL: "http://{{ template "harbor.portal" . }}"
REGISTRYCTL_URL: "http://{{ template "harbor.registry" . }}:8080"
CLAIR_HEALTH_CHECK_SERVER_URL: "http://{{ template "harbor.clair" . }}:6061"
\ No newline at end of file
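Review bot: `CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060"` is the only line left in this file using the `harbor.fullname`-suffix naming, while the Clair Service is now named `{{ template "harbor.clair" . }}` and `CLAIR_HEALTH_CHECK_SERVER_URL` on the last line already uses that helper; if the two ever differ, scanning silently breaks, so change it to `http://{{ template "harbor.clair" . }}:6060`. Also `_REDIS_URL` and `_REDIS_URL_REG` now sit in a ConfigMap; if `harbor.redisForCore` / `harbor.redisForGC` embed the Redis password in the URL (the external-Redis case), that credential becomes readable to anyone with ConfigMap read access, so those two keys belong in the core Secret next to `POSTGRESQL_PASSWORD`. Good to see `POSTGRESQL_SSLMODE` and `CLAIR_DB_SSLMODE` added so database transport security is at least configurable.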
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-ui" name: {{ template "harbor.core" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-ui component: core
version: {{ .Values.ui.image.tag }}
spec: spec:
replicas: 1 replicas: {{ .Values.core.replicas }}
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.labels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-ui component: core
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.matchLabels" . | indent 8 }}
app: harbor-ui component: core
version: {{ .Values.ui.image.tag }} annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
{{- if .Values.core.podAnnotations }}
{{ toYaml .Values.core.podAnnotations | indent 8 }}
{{- end }}
spec: spec:
containers: containers:
- name: ui - name: core
image: {{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag }} image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
imagePullPolicy: {{ .Values.ui.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /api/ping
port: 8080
initialDelaySeconds: 20
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/ping
port: 8080
initialDelaySeconds: 20
periodSeconds: 10
envFrom:
- configMapRef:
name: "{{ template "harbor.core" . }}"
- secretRef:
name: "{{ template "harbor.core" . }}"
env: env:
- name: UI_SECRET - name: CORE_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: "{{ template "harbor.fullname" . }}-ui" name: {{ template "harbor.core" . }}
key: secret key: secret
- name: JOBSERVICE_SECRET - name: JOBSERVICE_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: "{{ template "harbor.fullname" . }}-ui" name: "{{ template "harbor.jobservice" . }}"
key: jobserviceSecret key: secret
- name: _REDIS_URL
value: {{ template "harbor.redisForUI" . }}
- name: GODEBUG
value: netdns=cgo
- name: LOG_LEVEL
value: info
- name: CONFIG_PATH
value: /etc/ui/app.conf
- name: ENABLE_HARBOR_SCAN_ON_PUSH
value: "1"
- name: ADMINSERVER_URL
value: "http://{{ template "harbor.fullname" . }}-adminserver"
- name: CHART_CACHE_DRIVER
value: "redis"
ports: ports:
- containerPort: 8080 - containerPort: 8080
volumeMounts: volumeMounts:
- name: ui-config - name: config
mountPath: /etc/ui/app.conf mountPath: /etc/core/app.conf
subPath: app.conf subPath: app.conf
- name: ui-secrets-key - name: secret-key
mountPath: /etc/ui/key mountPath: /etc/core/key
subPath: key subPath: key
- name: ui-secrets-private-key - name: token-service-private-key
mountPath: /etc/ui/private_key.pem mountPath: /etc/core/private_key.pem
subPath: tokenServicePrivateKey subPath: tokenServicePrivateKey
{{- if eq .Values.externalProtocol "https" }} - name: etc-localtime
{{- if .Values.ingress.enabled }} mountPath: /etc/localtime
{{- if eq .Values.ingress.tls.secretName "" }} {{- if .Values.expose.tls.enabled }}
- name: ca-download - name: ca-download
mountPath: /etc/ui/ca/ca.crt mountPath: /etc/core/ca/ca.crt
subPath: ca.crt subPath: ca.crt
{{- end }} {{- end }}
{{- end }}
{{- end }}
- name: psc - name: psc
mountPath: /etc/ui/token mountPath: /etc/core/token
- name: etc-localtime {{- if .Values.core.resources }}
mountPath: /etc/localtime resources:
{{ toYaml .Values.core.resources | indent 10 }}
{{- end }}
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: ui-config - name: config
configMap: configMap:
name: "{{ template "harbor.fullname" . }}-ui" name: {{ template "harbor.core" . }}
- name: ui-secrets-key - name: secret-key
secret: secret:
secretName: "{{ template "harbor.fullname" . }}-ui" secretName: {{ template "harbor.core" . }}
items: items:
- key: secretKey - key: secretKey
path: key path: key
- name: ui-secrets-private-key - name: token-service-private-key
secret: secret:
secretName: "{{ template "harbor.fullname" . }}-ui" {{- if .Values.core.secretName }}
{{- if eq .Values.externalProtocol "https" }} secretName: {{ .Values.core.secretName }}
{{- if .Values.ingress.enabled }} {{- else }}
{{- if eq .Values.ingress.tls.secretName "" }} secretName: {{ template "harbor.core" . }}
{{- end }}
{{- if .Values.expose.tls.enabled }}
- name: ca-download - name: ca-download
secret: secret:
secretName: "{{ template "harbor.fullname" . }}-ingress" secretName: "{{ template "harbor.certificate-secret" . }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
{{- end }} {{- end }}
{{- end }}
{{- end }}
- name: psc - name: psc
emptyDir: {} emptyDir: {}
{{- with .Values.ui.nodeSelector }} {{- with .Values.core.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }} {{- end }}
{{- with .Values.ui.affinity }} {{- with .Values.core.affinity }}
affinity: affinity:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }} {{- end }}
{{- with .Values.ui.tolerations }} {{- with .Values.core.tolerations }}
tolerations: tolerations:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }} {{- end }}
\ No newline at end of file
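Review bot: `envFrom: - secretRef: name: "{{ template "harbor.core" . }}"` injects every key of the core Secret as an environment variable, and that Secret (see the core-secret hunk) also carries `secretKey`, `tokenServicePrivateKey` and `tokenServiceRootCertBundle`; the token-signing private key therefore lands in the process environment (inherited by child processes, readable via procfs, and the usual source of leaks into crash dumps), even though it is separately mounted as a file at `/etc/core/private_key.pem`. Split the Secret into an env-facing part (`HARBOR_ADMIN_PASSWORD`, `POSTGRESQL_PASSWORD`, `CLAIR_DB_PASSWORD`) and a file-only part (`secretKey`, the token key and bundle), and point `envFrom` at the former. Two smaller things: `ca-download` now maps key `ca.crt` of `{{ template "harbor.certificate-secret" . }}` whenever `expose.tls.enabled`, so a user-supplied TLS Secret without a `ca.crt` key leaves the pod stuck at volume mount unless the item is marked `optional: true`; and the pod template uses `{{ include "harbor.matchLabels" . | indent 8 }}` where the clair, database and jobservice templates use `harbor.labels`, which looks unintentional.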
...@@ -2,14 +2,19 @@ ...@@ -2,14 +2,19 @@
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-ui" name: {{ template "harbor.core" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
type: Opaque type: Opaque
data: data:
secretKey: {{ .Values.secretKey | b64enc | quote }} secretKey: {{ .Values.secretKey | b64enc | quote }}
secret: {{ .Values.ui.secret | b64enc | quote }} secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
jobserviceSecret: {{ .Values.jobservice.secret | b64enc | quote }} {{- if not .Values.core.secretName }}
tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }} tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }}
tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }} tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }}
{{- end }}
\ No newline at end of file HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{ if .Values.clair.enabled }}
CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{ end }}
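Review bot: `secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}` draws a new random value on every render, so each `helm upgrade` without an explicit `core.secret` rotates the shared secret; the `checksum/secret` annotations restart both Deployments, but anything still holding the old value (in-flight jobs, and the ChartMuseum `BASIC_AUTH_PASS`, which is built from `.Values.ui.secret` rather than this value) fails during the rollout. Document that `core.secret` and `jobservice.secret` should be set explicitly for any install that will be upgraded. Style: the trailing `{{ if .Values.clair.enabled }}` / `{{ end }}` pair should use `{{- if` / `{{- end }}` like the rest of the file to avoid stray blank lines in the Secret.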
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-jobservice" name: {{ template "harbor.core" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports: ports:
- name: http - port: 80
port: 80
targetPort: 8080 targetPort: 8080
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-jobservice component: core
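Review bot: `type: NodePort` for the `gce` ingress controller exposes the core Service on a port of every node's address, not only through the Ingress, and the Service is plain HTTP (80 to 8080); the GCE controller does require NodePort backends, but the chart should say so next to `expose.ingress.controller`, and users on that path need their VPC firewall to keep node ports limited to the load balancer's source ranges.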
...@@ -2,10 +2,10 @@ ...@@ -2,10 +2,10 @@
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-database" name: "{{ template "harbor.database" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
type: Opaque type: Opaque
data: data:
POSTGRES_PASSWORD: {{ template "harbor.database.password" . }} POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end -}} {{- end -}}
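Review bot: the helper is renamed to `harbor.database.encryptedPassword`, but a Secret's `data:` field only requires base64, so whatever the helper returns is an encoding, not encryption; a name such as `harbor.database.passwordB64` would avoid giving readers (and future docs) the impression that the password is protected at rest beyond what Kubernetes itself provides.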
{{- if eq .Values.database.type "internal" -}} {{- if eq .Values.database.type "internal" -}}
{{- $database := .Values.persistence.persistentVolumeClaim.database -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-database" name: "{{ template "harbor.database" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-database component: database
version: {{ .Values.database.internal.image.tag }}
spec: spec:
replicas: 1 replicas: 1
serviceName: "{{ template "harbor.fullname" . }}-database" serviceName: "{{ template "harbor.database" . }}"
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-database component: database
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.labels" . | indent 8 }}
app: harbor-database component: database
version: {{ .Values.database.internal.image.tag }} annotations:
checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }}
{{- if .Values.database.podAnnotations }}
{{ toYaml .Values.database.podAnnotations | indent 8 }}
{{- end }}
spec: spec:
initContainers: initContainers:
- name: "remove-lost-found" - name: "remove-lost-found"
image: "{{ .Values.busybox.image.repository }}:{{ .Values.busybox.image.tag }}" image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
command: imagePullPolicy: {{ .Values.imagePullPolicy }}
- /bin/sh command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
- "-c"
- "rm -Rf /var/lib/postgresql/data/lost+found"
volumeMounts: volumeMounts:
- name: data - name: database-data
mountPath: /var/lib/postgresql/data mountPath: /var/lib/postgresql/data
containers: containers:
- name: database - name: database
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.database.internal.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
exec:
command:
- /docker-healthcheck.sh
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
exec:
command:
- /docker-healthcheck.sh
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.database.internal.resources }}
resources: resources:
{{ toYaml .Values.database.internal.resources | indent 10 }} {{ toYaml .Values.database.internal.resources | indent 10 }}
{{- end }}
envFrom: envFrom:
- secretRef: - secretRef:
name: "{{ template "harbor.fullname" . }}-database" name: "{{ template "harbor.database" . }}"
volumeMounts: volumeMounts:
- name: data - name: database-data
mountPath: /var/lib/postgresql/data mountPath: /var/lib/postgresql/data
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
{{- if not .Values.persistence.enabled }} - name: "database-data"
- name: data
hostPath: hostPath:
path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/database path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/database
{{- end -}}
{{- with .Values.database.internal.nodeSelector }} {{- with .Values.database.internal.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
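Review bot: `$database := .Values.persistence.persistentVolumeClaim.database` is declared at the top of the file but never used in this hunk, and the data volume is now an unconditional `hostPath` at `/data/{{ .Release.Namespace }}/{{ .Release.Name }}/database` where it used to be gated on `not .Values.persistence.enabled`; a PostgreSQL data directory on a node path pins the single replica to whichever node first ran it, is exposed to any other pod on that node that can mount hostPath, and is rejected by restricted pod security policies. Presumably `$database` was meant to feed a PVC (see the next hunk). Minor: the `remove-lost-found` init container now runs from the PostgreSQL image instead of busybox, which is fine and removes one image dependency.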
...@@ -66,23 +80,4 @@ spec: ...@@ -66,23 +80,4 @@ spec:
tolerations: tolerations:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }} {{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: "data"
labels:
{{ include "harbor.labels" . | indent 8 }}
spec:
accessModes: [{{ .Values.database.internal.volumes.data.accessMode | quote }}]
{{- if .Values.database.internal.volumes.data.storageClass }}
{{- if (eq "-" .Values.database.internal.volumes.data.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.database.internal.volumes.data.storageClass }}"
{{- end }}
{{- end }}
resources:
requests:
storage: {{ .Values.database.internal.volumes.data.size | quote }}
{{- end -}}
{{- end -}} {{- end -}}
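Review bot: this hunk deletes the whole `volumeClaimTemplates` block (`accessModes`, `storageClassName`, `storage` request) with no replacement, so the StatefulSet can no longer use a PersistentVolumeClaim at all; together with the unconditional hostPath in the previous hunk, `persistence.persistentVolumeClaim.database` (bound to `$database` at the top of the file) is now dead configuration. If PVC handling is meant to move elsewhere, that change has to land with this one; otherwise restore a `volumeClaimTemplates` branch driven by `$database`.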
...@@ -2,14 +2,13 @@ ...@@ -2,14 +2,13 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-database" name: "{{ template "harbor.database" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
ports: ports:
- name: postgre - port: 5432
port: 5432
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-database component: database
{{- end -}} {{- end -}}
\ No newline at end of file
{{ if .Values.ingress.enabled }} {{- if eq .Values.expose.type "ingress" }}
{{- $ingress := .Values.expose.ingress -}}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
name: "{{ template "harbor.fullname" . }}" name: "{{ template "harbor.ingress.core" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
annotations: annotations:
{{ toYaml .Values.ingress.annotations | indent 4 }} {{ toYaml $ingress.annotations | indent 4 }}
spec: spec:
# {{ if eq .Values.externalProtocol "https" }} {{- if .Values.expose.tls.enabled }}
# tls: tls:
# - hosts: - secretName: {{ template "harbor.certificate-secret" . }}
# - "{{ .Values.externalDomain }}" {{- if $ingress.host }}
# - "{{ template "harbor.notaryFQDN" . }}" hosts:
# {{ if eq .Values.ingress.tls.secretName "" }} - {{ $ingress.host }}
# secretName: "{{ template "harbor.fullname" . }}-ingress" {{- end }}
# {{ else }} {{- end }}
# secretName: {{ .Values.ingress.tls.secretName }} {{- if eq .Values.expose.ingress.controller "gce" }}
# {{ end }}
# {{ end }}
rules: rules:
- host: "{{ .Values.externalDomain }}" - http:
http:
paths: paths:
- path: / - path: /*
backend:
serviceName: {{ template "harbor.portal" . }}
servicePort: 80
- path: /api/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /service/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /v2/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /chartrepo/*
backend: backend:
serviceName: {{ template "harbor.fullname" . }}-ui serviceName: {{ template "harbor.core" . }}
servicePort: 80 servicePort: 80
- host: "{{ template "harbor.notaryFQDN" . }}" - path: /c/*
http: backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
{{- if $ingress.host }}
host: {{ $ingress.host }}
{{- end }}
{{- else }}
rules:
- http:
paths: paths:
- path: / - path: /
backend: backend:
serviceName: {{ template "harbor.notaryServiceName" . }} serviceName: {{ template "harbor.portal" . }}
servicePort: 4443 servicePort: 80
{{ end }} - path: /api/
\ No newline at end of file backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /service/
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /v2/
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /chartrepo/
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /c/
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
{{- if $ingress.host }}
host: {{ $ingress.host }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
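Review bot: when `$ingress.host` is empty the rule carries no `host:` and the `tls` entry no `hosts:`, so the Ingress answers for any Host header on the controller's address, and with `expose.tls.enabled` false the `docker login` credentials and bearer tokens for `/v2/` and `/service/token` cross the external hop in clear text; document `expose.ingress.host` as strongly recommended and make the TLS-off combination an explicit opt-in. Enabling the previously commented-out `tls:` block is a clear improvement over the old file. Style: the `gce` branch and the default branch repeat the same six backends with `/*` versus `/` paths; a `range` over one list of paths would keep the two from drifting apart.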
{{- if .Values.notary.enabled }}
{{- if eq .Values.expose.type "ingress" }}
{{- $ingress := .Values.expose.ingress -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: "{{ template "harbor.ingress.notary" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
annotations:
{{ toYaml $ingress.annotations | indent 4 }}
{{ printf "%s: /" $ingress.rewriteAnnotation }}
spec:
{{- if .Values.expose.tls.enabled }}
tls:
- secretName: {{ template "harbor.certificate-secret" . }}
{{- if $ingress.host }}
hosts:
- {{ $ingress.host }}
{{- end }}
{{- end }}
rules:
- http:
paths:
- path: /notary/
backend:
serviceName: {{ template "harbor.notary-server" . }}
servicePort: 4443
{{- if $ingress.host }}
host: {{ $ingress.host }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
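Review bot: `{{ printf "%s: /" $ingress.rewriteAnnotation }}` sets a rewrite target of `/` for the whole Ingress, so how `/notary/<rest>` arrives at notary-server depends on the controller's rewrite semantics; on nginx-ingress those changed between releases (prefix strip versus full replacement with capture groups), so verify that `/notary/v2/...` still reaches the server as `/v2/...` on the controller versions the chart supports. Note also that notary moves from its own hostname (`harbor.notaryFQDN` in the removed files) to a path on the main host, which changes what clients must be configured with and belongs in the upgrade notes. The `tls` and `host` handling mirrors the core Ingress, including answering any Host when `$ingress.host` is unset.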
{{ if eq .Values.externalProtocol "https" }}
{{ if .Values.ingress.enabled }}
{{ if eq .Values.ingress.tls.secretName "" }}
{{ $ca := genCA "harbor-ca" 3650 }}
{{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-ingress"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ .Values.tlsCrt | default $cert.Cert | b64enc | quote }}
tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
{{ end }}
{{ end }}
{{ end }}
\ No newline at end of file
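Review bot: the file removed here let operators pass `.Values.tlsCrt` / `.Values.tlsKey` / `.Values.caCrt` inline, with generated fallbacks valid for 3650 days; the replacement (`harbor.autoGenCert` gating a 365-day `genCA`) has no inline equivalent, so the upgrade notes should state that users who set `tlsCrt`/`tlsKey` must now create a `kubernetes.io/tls` Secret themselves and reference it through the value `harbor.certificate-secret` reads. Otherwise an existing install silently switches from its own certificate to a freshly generated self-signed one on upgrade.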
{{ if .Values.istio.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: {{ template "harbor.fullname" . }}-notary
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "{{ template "harbor.notaryFQDN" . }}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: {{ template "harbor.fullname" . }}-notary
spec:
hosts:
- "{{ template "harbor.notaryFQDN" . }}"
gateways:
- {{ template "harbor.fullname" . }}-notary
http:
- route:
- destination:
host: {{ template "harbor.notaryServiceName" . }}
port:
number: 4443
{{ end }}
{{ if .Values.istio.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: {{ template "harbor.fullname" . }}-ui
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "{{ .Values.externalDomain }}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: {{ template "harbor.fullname" . }}-ui
spec:
hosts:
- "{{ .Values.externalDomain }}"
gateways:
- {{ template "harbor.fullname" . }}-ui
http:
- route:
- destination:
host: {{ template "harbor.fullname" . }}-ui
port:
number: 80
{{ end }}
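Review bot: deleting both Istio Gateway/VirtualService templates removes the `istio.enabled` exposure path entirely; if `istio.enabled` remains in values.yaml it becomes a silent no-op, so either drop the key with a line in the upgrade notes or `fail` the render when it is set. These manifests were also the only place that published notary and the UI on plain HTTP port 80 through the Istio gateway, so their removal closes that unencrypted path as well.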
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.fullname" . }}-jobservice"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
config.yml: |+
protocol: "http"
port: 8080
worker_pool:
workers: {{ .Values.jobservice.maxWorkers }}
backend: "redis"
redis_pool:
redis_url: "{{ template "harbor.redisForJobservice" . }}"
namespace: "harbor_job_service_namespace"
logger:
path: "/var/log/jobs"
level: "INFO"
archive_period: 14 #days
admin_server: "http://{{ template "harbor.fullname" . }}-adminserver"
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.jobservice" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
config.yml: |+
protocol: "http"
port: 8080
worker_pool:
workers: {{ .Values.jobservice.maxJobWorkers }}
backend: "redis"
redis_pool:
redis_url: "{{ template "harbor.redisForJobservice" . }}"
namespace: "harbor_job_service_namespace"
job_loggers:
{{- if eq .Values.jobservice.jobLogger "file" }}
- name: "FILE"
level: {{ .Values.logLevel | upper }}
settings: # Customized settings of logger
base_dir: "/var/log/jobs"
sweeper:
duration: 14 #days
settings: # Customized settings of sweeper
work_dir: "/var/log/jobs"
{{- else if eq .Values.jobservice.jobLogger "database" }}
- name: "DB"
level: {{ .Values.logLevel | upper }}
sweeper:
duration: 14 #days
{{- else }}
- name: "STD_OUTPUT"
level: {{ .Values.logLevel | upper }}
{{- end }}
#Loggers for the job service
loggers:
- name: "STD_OUTPUT"
level: {{ .Values.logLevel | upper }}
\ No newline at end of file
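Review bot: the `FILE` job logger writes to `/var/log/jobs` and its sweeper keeps 14 days, but the jobservice Deployment in this change mounts `job-logs` as an `emptyDir`, so job logs vanish whenever the pod restarts and the sweeper never gets to act; with `jobservice.replicas` now configurable, each replica also gets its own disjoint log directory. For anything beyond a single-replica test the `database` logger is the option that actually retains logs, and the values.yaml comment for `jobservice.jobLogger` should say so. Dropping the old file's `admin_server` key along with the adminserver component is correct.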
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-jobservice" name: "{{ template "harbor.jobservice" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-jobservice component: jobservice
version: {{ .Values.jobservice.image.tag }}
spec: spec:
replicas: 1 replicas: {{ .Values.jobservice.replicas }}
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.labels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-jobservice component: jobservice
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.labels" . | indent 8 }}
app: harbor-jobservice component: jobservice
version: {{ .Values.jobservice.image.tag }} annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.jobservice.podAnnotations }}
{{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
{{- end }}
spec: spec:
containers: containers:
- name: jobservice - name: jobservice
image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
imagePullPolicy: {{ .Values.jobservice.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /api/v1/stats
port: 8080
initialDelaySeconds: 20
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/v1/stats
port: 8080
initialDelaySeconds: 20
periodSeconds: 10
{{- if .Values.jobservice.resources }}
resources: resources:
{{ toYaml .Values.jobservice.resources | indent 10 }} {{ toYaml .Values.jobservice.resources | indent 10 }}
envFrom: {{- end }}
- secretRef:
name: "{{ template "harbor.fullname" . }}-jobservice"
env: env:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: "{{ template "harbor.jobservice" . }}"
key: secret
- name: CORE_URL
value: "http://{{ template "harbor.core" . }}"
- name: REGISTRY_CONTROLLER_URL
value: "http://{{ template "harbor.registry" . }}:8080"
- name: LOG_LEVEL - name: LOG_LEVEL
value: debug value: debug
- name: GODEBUG
value: netdns=cgo
ports: ports:
- containerPort: 8080 - containerPort: 8080
volumeMounts: volumeMounts:
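Review bot: `- name: LOG_LEVEL` / `value: debug` is still hard-coded while the ConfigMap in this same change uses `{{ .Values.logLevel | upper }}`; jobservice runs replication and scan jobs that handle registry credentials, and debug-level logging is where such payloads most readily leak, so set it to `{{ .Values.logLevel }}` like the other components. Replacing `envFrom: secretRef` with explicit `CORE_SECRET` / `JOBSERVICE_SECRET` entries is the right direction (only the two needed keys enter the environment) and is worth applying to the core Deployment too.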
...@@ -42,14 +70,14 @@ spec: ...@@ -42,14 +70,14 @@ spec:
- name: job-logs - name: job-logs
mountPath: /var/log/jobs mountPath: /var/log/jobs
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: jobservice-config - name: jobservice-config
configMap: configMap:
name: "{{ template "harbor.fullname" . }}-jobservice" name: "{{ template "harbor.jobservice" . }}"
- name: job-logs - name: job-logs
emptyDir: {} emptyDir: {}
{{- with .Values.jobservice.nodeSelector }} {{- with .Values.jobservice.nodeSelector }}
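Review bot: the `etc-localtime` hostPath volume is mounted at `/etc/localtime` without `readOnly: true`; a hostPath mount should be read-only unless the pod really needs to write to the host, and clusters with a restrictive PodSecurityPolicy reject hostPath volumes outright, so consider making this mount optional through a value. Also note that `job-logs` is an `emptyDir`, so job logs (the only record of what replication and scan jobs did) are lost whenever the pod is rescheduled; if they matter for audit, back the volume with a PVC controlled by a value or ship the logs off-pod.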
......
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: Secret
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-ui" name: "{{ template "harbor.jobservice" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
type: Opaque
data: data:
app.conf: |+ secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
appname = Harbor
runmode = prod
enablegzip = true
[prod]
httpport = 8080
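Review bot: the default in `secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}` is evaluated on every render, so a fresh secret is generated on each `helm upgrade` unless the user pins `jobservice.secret`. Core and jobservice read the same Secret (the jobservice env pulls `JOBSERVICE_SECRET` from `{{ template "harbor.jobservice" . }}`), so they stay in agreement, but every upgrade becomes a secret rotation that restarts both components and fails any job in flight; document in values.yaml that `jobservice.secret` should be set for stable upgrades, and make sure a checksum annotation for this file exists alongside the visible `checksum/secret-core` so the pods actually pick up the new value.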
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-ui" name: "{{ template "harbor.jobservice" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
ports: ports:
- name: http - port: 80
port: 80
targetPort: 8080 targetPort: 8080
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-ui component: jobservice
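Review bot: the jobservice Service port loses its `name: http` in the new column (`- port: 80` / `targetPort: 8080`); a named port costs nothing, is what service meshes use for protocol detection, and keeps `kubectl describe` output readable, so keep the name.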
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-jobservice"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
secretKey: {{ .Values.secretKey | b64enc | quote }}
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
\ No newline at end of file
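Review bot: deleting this combined Secret (which carried `secretKey`, `JOBSERVICE_SECRET` and `UI_SECRET` together and was injected wholesale via `envFrom`) is the right least-privilege move, since the jobservice pod now receives only the two values it needs via `secretKeyRef`. This diff shows where `JOBSERVICE_SECRET` went but not `secretKey` (the key Harbor uses to encrypt stored credentials) or the former `UI_SECRET`; confirm both live in the core Secret that `checksum/secret-core` tracks, otherwise the encryption key is silently dropped.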
{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.nginx" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
nginx.conf: |+
worker_processes auto;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream core {
server {{ template "harbor.core" . }};
}
upstream portal {
server {{ template "harbor.portal" . }};
}
log_format timed_combined '$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
server {
listen 80;
server_tokens off;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
location / {
proxy_pass http://portal/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ {
proxy_pass http://core/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /chartrepo/ {
proxy_pass http://core/chartrepo/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /c/ {
proxy_pass http://core/c/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /v1/ {
return 404;
}
location /v2/ {
proxy_pass http://core/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/ {
proxy_pass http://core/service/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/notifications {
return 404;
}
}
}
{{- end }}
\ No newline at end of file
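Review bot: the `Host` header handling is inconsistent across locations in this HTTP nginx.conf: `/v2/` forwards `proxy_set_header Host $http_host;` (host plus port) while `/`, `/api/`, `/chartrepo/`, `/c/` and `/service/` forward `$host` (port stripped). With `nodePort` exposure Harbor is reached on a non-standard port, so any absolute URL core builds from the Host header loses the port on those paths while the Docker API keeps it; use `$http_host` throughout, as the HTTPS variant already does for `/`. Also worth a comment in the file: the `return 404` for `/service/notifications` is the only thing keeping the registry's webhook endpoint (the `url` in the old registry config points there) off the public listener, so it must survive any reorganisation of the locations.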
{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.nginx" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
nginx.conf: |+
worker_processes auto;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream core {
server {{ template "harbor.core" . }};
}
upstream portal {
server {{ template "harbor.portal" . }};
}
{{- if .Values.notary.enabled }}
upstream notary-server {
server {{ template "harbor.notary-server" . }}:4443;
}
{{- end }}
log_format timed_combined 'remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
server {
listen 443 ssl;
# server_name harbordomain.com;
server_tokens off;
# SSL
ssl_certificate /etc/nginx/cert/tls.crt;
ssl_certificate_key /etc/nginx/cert/tls.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location / {
proxy_pass http://portal/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
# Add Secure flag when serving HTTPS
proxy_cookie_path / "/; secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ {
proxy_pass http://core/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /chartrepo/ {
proxy_pass http://core/chartrepo/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /c/ {
proxy_pass http://core/c/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /v1/ {
return 404;
}
location /v2/ {
proxy_pass http://core/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/ {
proxy_pass http://core/service/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/notifications {
return 404;
}
{{- if .Values.notary.enabled }}
location /notary/ {
proxy_pass http://notary-server;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
rewrite /notary/(.*) /$1 break;
}
{{- end }}
}
server {
listen 80;
#server_name harbordomain.com;
return 301 https://$host$request_uri;
}
}
{{- end }}
\ No newline at end of file
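Review bot: `log_format timed_combined 'remote_addr - '` is missing the `$` (compare `'$remote_addr - '` in the HTTP ConfigMap), so every access-log line from the TLS listener records the literal text `remote_addr` instead of the client address; that makes the logs useless for tracing who pushed or pulled, which is exactly when you need them. While here: `ssl_protocols TLSv1.1 TLSv1.2;` still enables TLS 1.1, and the cipher string admits static RSA key exchange (`RSA+AESGCM`, `RSA+AES`) with no forward secrecy; `ssl_protocols TLSv1.2;` (plus TLSv1.3 where the nginx build supports it) and ECDHE-only suites are the usual baseline. And `proxy_cookie_path / "/; secure";` sits only in `location /`, so cookies set by core through `/api/`, `/c/` or `/service/` do not get the Secure flag; move it to the `server` block, and consider `add_header Strict-Transport-Security` there as well, since port 80 already redirects to HTTPS.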
{{- if ne .Values.expose.type "ingress" }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ template "harbor.nginx" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: nginx
spec:
replicas: 1
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: nginx
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: nginx
annotations:
{{- if not .Values.expose.tls.enabled }}
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }}
{{- else }}
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }}
{{- end }}
{{- if eq (include "harbor.autoGenCert" .) "true" }}
checksum/secret: {{ include (print $.Template.BasePath "/common/certificate-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.nginx.podAnnotations }}
{{ toYaml .Values.nginx.podAnnotations | indent 8 }}
{{- end }}
spec:
containers:
- name: nginx
image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.nginx.resources }}
resources:
{{ toYaml .Values.nginx.resources | indent 10 }}
{{- end }}
ports:
- containerPort: 80
- containerPort: 443
volumeMounts:
- name: config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
{{- if .Values.expose.tls.enabled }}
- name: certificate
mountPath: /etc/nginx/cert
{{- end }}
volumes:
- name: config
configMap:
name: {{ template "harbor.nginx" . }}
{{- if .Values.expose.tls.enabled }}
- name: certificate
secret:
secretName: {{ template "harbor.certificate-secret" . }}
{{- end }}
{{- with .Values.nginx.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.nginx.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.nginx.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}
\ No newline at end of file
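Review bot: this Deployment uses `apiVersion: extensions/v1beta1` while every other Deployment touched by this commit (notary, portal) and the redis StatefulSet use `apps/v1`; `extensions/v1beta1` is the deprecated group, so align on `apps/v1` (which requires the explicit `selector` this template already has). `replicas: 1` is hardcoded whereas portal and notary read `.Values.<component>.replicas`; expose `nginx.replicas` the same way, since nginx is the single entry point for every push and pull. The `certificate` Secret mount at `/etc/nginx/cert` should carry `readOnly: true`.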
{{- if ne .Values.expose.type "ingress" }}
apiVersion: v1
kind: Service
metadata:
{{- if eq .Values.expose.type "clusterIP" }}
{{- $clusterIP := .Values.expose.clusterIP }}
name: {{ $clusterIP.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
type: ClusterIP
ports:
- name: http
port: {{ $clusterIP.ports.http }}
targetPort: 80
{{- if .Values.expose.tls.enabled }}
- name: https
port: {{ $clusterIP.ports.https }}
targetPort: 443
{{- end }}
{{- else if eq .Values.expose.type "nodePort" }}
{{- $nodePort := .Values.expose.nodePort }}
name: {{ $nodePort.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
type: NodePort
ports:
- name: http
port: {{ $nodePort.ports.http.port }}
targetPort: 80
{{- if $nodePort.ports.http.nodePort }}
nodePort: {{ $nodePort.ports.http.nodePort }}
{{- end }}
{{- if .Values.expose.tls.enabled }}
- name: https
port: {{ $nodePort.ports.https.port }}
targetPort: 443
{{- if $nodePort.ports.https.nodePort }}
nodePort: {{ $nodePort.ports.https.nodePort }}
{{- end }}
{{- end }}
{{- else if eq .Values.expose.type "loadBalancer" }}
{{- $loadBalancer := .Values.expose.loadBalancer }}
name: {{ $loadBalancer.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
type: LoadBalancer
ports:
- name: http
port: {{ $loadBalancer.ports.http }}
targetPort: 80
{{- if .Values.expose.tls.enabled }}
- name: https
port: {{ $loadBalancer.ports.https }}
targetPort: 443
{{- end }}
{{- end }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: nginx
{{- end }}
\ No newline at end of file
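Review bot: for `expose.type` `nodePort` or `loadBalancer` with `expose.tls.enabled: false`, the `http` port here is served by the plain-HTTP nginx.conf, which means `docker login` credentials and the bearer tokens from `/service/token` leave the cluster unencrypted; values.yaml should say plainly that TLS off is only acceptable behind a TLS-terminating proxy that also sets `X-Forwarded-Proto`. For `loadBalancer` there is no way to set `spec.loadBalancerSourceRanges`, so the registry is reachable from anywhere by default on cloud providers; consider a `loadBalancer.sourceRanges` value wired into the spec.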
...@@ -2,19 +2,21 @@ ...@@ -2,19 +2,21 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ template "harbor.fullname" . }}-notary name: {{ template "harbor.notary-server" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-notary component: notary
data: data:
{{ $ca := genCA "harbor-notary-ca" 3650 }} {{ $ca := genCA "harbor-notary-ca" 365 }}
{{ $cert := genSignedCert (printf "%s-notary-signer" (include "harbor.fullname" .)) nil nil 3650 $ca }} {{ $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }}
{{- if not .Values.notary.secretName }}
notary-signer-ca.crt: | notary-signer-ca.crt: |
{{ .Values.notary.signer.caCrt | default $ca.Cert | indent 4 }} {{ $ca.Cert | indent 4 }}
notary-signer.crt: | notary-signer.crt: |
{{ .Values.notary.signer.tlsCrt | default $cert.Cert | indent 4 }} {{ $cert.Cert | indent 4 }}
notary-signer.key: | notary-signer.key: |
{{ .Values.notary.signer.tlsKey | default $cert.Key | indent 4 }} {{ $cert.Key | indent 4 }}
{{- end }}
server-config.postgres.json: | server-config.postgres.json: |
{ {
"server": { "server": {
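Review bot: in the `{{- if not .Values.notary.secretName }}` branch the signer's TLS private key (`notary-signer.key`) is written into a ConfigMap, not a Secret. ConfigMaps are outside Secret encryption at rest and are usually readable by far more RBAC subjects than Secrets, and this ConfigMap is also mounted into the notary-server pod, which only needs the CA. Render the generated `$ca.Cert`, `$cert.Cert` and `$cert.Key` into a Secret and mount it at `/etc/ssl/notary/cert`, which is exactly what the `secretName` branch already does; the two JSON path branches below then collapse into one. Separately, `genCA`/`genSignedCert` run on every render, so the pair is re-issued on each upgrade, and cutting validity from 3650 to 365 days means an install that is not upgraded for a year loses server-to-signer TLS; make the validity a value and say so in values.yaml.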
...@@ -22,13 +24,17 @@ data: ...@@ -22,13 +24,17 @@ data:
}, },
"trust_service": { "trust_service": {
"type": "remote", "type": "remote",
"hostname": "{{ template "harbor.fullname" . }}-notary-signer", "hostname": "{{ template "harbor.notary-signer" . }}",
"port": "7899", "port": "7899",
{{- if not .Values.notary.secretName }}
"tls_ca_file": "./notary-signer-ca.crt", "tls_ca_file": "./notary-signer-ca.crt",
{{- else }}
"tls_ca_file": "/etc/ssl/notary/cert/notary-signer-ca.crt",
{{- end }}
"key_algorithm": "ecdsa" "key_algorithm": "ecdsa"
}, },
"logging": { "logging": {
"level": "debug" "level": "{{ .Values.logLevel }}"
}, },
"storage": { "storage": {
"backend": "postgres", "backend": "postgres",
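Review bot: `"tls_ca_file": "./notary-signer-ca.crt"` in the generated-cert branch is resolved against the notary-server process's working directory, so it only works if the process starts with `/etc/notary` (the ConfigMap mount) as its working directory; the `secretName` branch uses an absolute path, and the generated branch should too (`/etc/notary/notary-signer-ca.crt`), which removes an implicit dependency on the image's WORKDIR.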
...@@ -37,7 +43,7 @@ data: ...@@ -37,7 +43,7 @@ data:
"auth": { "auth": {
"type": "token", "type": "token",
"options": { "options": {
"realm": "{{ template "harbor.externalURL" . }}/service/token", "realm": "{{ .Values.externalURL }}/service/token",
"service": "harbor-notary", "service": "harbor-notary",
"issuer": "harbor-token-issuer", "issuer": "harbor-token-issuer",
"rootcertbundle": "/root.crt" "rootcertbundle": "/root.crt"
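Review bot: `"realm": "{{ .Values.externalURL }}/service/token"` now interpolates the raw value, so an unset `externalURL` renders `"/service/token"` and clients get an unusable token realm with no error at install time; use `{{ required "externalURL is required" .Values.externalURL }}`, or validate it once in a helper and reuse that here and in the registry config, which builds the same realm.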
...@@ -48,11 +54,16 @@ data: ...@@ -48,11 +54,16 @@ data:
{ {
"server": { "server": {
"grpc_addr": ":7899", "grpc_addr": ":7899",
{{- if not .Values.notary.secretName }}
"tls_cert_file": "./notary-signer.crt", "tls_cert_file": "./notary-signer.crt",
"tls_key_file": "./notary-signer.key" "tls_key_file": "./notary-signer.key"
{{- else }}
"tls_cert_file": "/etc/ssl/notary/cert/notary-signer.crt",
"tls_key_file": "/etc/ssl/notary/cert/notary-signer.key"
{{- end }}
}, },
"logging": { "logging": {
"level": "debug" "level": "{{ .Values.logLevel }}"
}, },
"storage": { "storage": {
"backend": "postgres", "backend": "postgres",
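Review bot: the signer's `server` block configures only a server certificate (`tls_cert_file`/`tls_key_file`), and the matching `trust_service` block in the server config carries only `tls_ca_file`, so the server authenticates the signer but the signer accepts any client that can reach it: any pod that can open the signer's port 7899 can request signatures. Notary supports mutual TLS for this link (`client_ca_file` on the signer, `tls_client_cert`/`tls_client_key` under the server's `trust_service`); since the chart already generates a CA here, issuing a client cert for the server from the same `$ca` is a small addition, and the `secretName` path would then need one documented extra key.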
......
...@@ -2,30 +2,36 @@ ...@@ -2,30 +2,36 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "harbor.fullname" . }}-notary-server name: {{ template "harbor.notary-server" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-notary-server component: notary-server
version: {{ .Values.notary.server.image.tag }}
spec: spec:
replicas: 1 replicas: {{ .Values.notary.server.replicas }}
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.labels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-notary-server component: notary-server
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.labels" . | indent 8 }}
app: harbor-notary-server component: notary-server
version: {{ .Values.notary.server.image.tag }} annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/notary/notary-cm.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.notary.podAnnotations }}
{{ toYaml .Values.notary.podAnnotations | indent 8 }}
{{- end }}
spec: spec:
containers: containers:
- name: notary-server - name: notary-server
image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }}
imagePullPolicy: {{ .Values.notary.server.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.notary.server.resources }}
resources: resources:
{{ toYaml .Values.notary.server.resources | indent 10 }} {{ toYaml .Values.notary.server.resources | indent 10 }}
{{- end }}
env: env:
- name: MIGRATIONS_PATH - name: MIGRATIONS_PATH
value: migrations/server/postgresql value: migrations/server/postgresql
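Review bot: the selector change from `{{ include "harbor.labels" . | indent 6 }}` / `app: harbor-notary-server` to `harbor.matchLabels` / `component: notary-server` cannot be applied with `helm upgrade`: `spec.selector` of an `apps/v1` Deployment is immutable, so an existing release fails with a field-immutable error (the signer Deployment in this commit has the same change). Either keep the old selector labels or document that this version needs a fresh install. Also, because the notary ConfigMap regenerates its TLS material on every render, the new `checksum/configmap` annotation changes on every upgrade and restarts server and signer each time; that is required for both to pick up the new cert, but it deserves a comment so nobody later removes the annotation to stop the churn.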
...@@ -34,21 +40,35 @@ spec: ...@@ -34,21 +40,35 @@ spec:
volumeMounts: volumeMounts:
- name: notary-config - name: notary-config
mountPath: /etc/notary mountPath: /etc/notary
- name: etc-localtime
mountPath: /etc/localtime
- name: root-certificate - name: root-certificate
mountPath: /root.crt mountPath: /root.crt
subPath: tokenServiceRootCertBundle subPath: tokenServiceRootCertBundle
- name: etc-localtime {{- if .Values.notary.secretName }}
mountPath: /etc/localtime - name: notary-ca
mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt
subPath: ca
{{- end }}
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: notary-config - name: notary-config
configMap: configMap:
name: "{{ template "harbor.fullname" . }}-notary" name: "{{ template "harbor.notary-server" . }}"
- name: root-certificate - name: root-certificate
secret: secret:
secretName: "{{ template "harbor.fullname" . }}-ui" {{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }}
{{- end }}
{{- if .Values.notary.secretName }}
- name: notary-ca
secret:
secretName: {{ .Values.notary.secretName }}
{{- end }}
{{- with .Values.notary.nodeSelector }} {{- with .Values.notary.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
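Review bot: the bring-your-own-secret paths introduce undocumented key names: `core.secretName` must contain `tokenServiceRootCertBundle` (`subPath: tokenServiceRootCertBundle`) and `notary.secretName` must contain `ca` (plus `crt` and `key` for the signer); an operator who names the keys differently gets a pod stuck on a missing subPath with no hint from `helm install`. List the required keys next to those values in values.yaml. Both Secret mounts should also be `readOnly: true`, and mounting only `ca` into the server pod while the key stays in the signer pod is the right split, so keep it when the generated-cert path is reworked.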
......
...@@ -2,47 +2,77 @@ ...@@ -2,47 +2,77 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "harbor.fullname" . }}-notary-signer name: {{ template "harbor.notary-signer" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-notary-signer component: notary-signer
version: {{ .Values.notary.signer.image.tag }}
spec: spec:
replicas: 1 replicas: {{ .Values.notary.signer.replicas }}
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.labels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-notary-signer component: notary-signer
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.labels" . | indent 8 }}
app: harbor-notary-signer component: notary-signer
version: {{ .Values.notary.signer.image.tag }} annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/notary/notary-cm.yaml") . | sha256sum }}
spec: spec:
containers: containers:
- name: notary-signer - name: notary-signer
image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }}
imagePullPolicy: {{ .Values.notary.signer.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.notary.signer.resources }}
resources: resources:
{{ toYaml .Values.notary.signer.resources | indent 10 }} {{ toYaml .Values.notary.signer.resources | indent 10 }}
{{- end }}
env: env:
- name: MIGRATIONS_PATH - name: MIGRATIONS_PATH
value: migrations/signer/postgresql value: migrations/signer/postgresql
- name: DB_URL - name: DB_URL
value: {{ template "harbor.database.notarySigner" . }} value: {{ template "harbor.database.notarySigner" . }}
- name: NOTARY_SIGNER_DEFAULTALIAS - name: NOTARY_SIGNER_DEFAULTALIAS
value: {{ .Values.notary.signer.env.NOTARY_SIGNER_DEFAULTALIAS }} value: defaultalias
volumeMounts: volumeMounts:
- name: notary-config - name: notary-config
mountPath: /etc/notary mountPath: /etc/notary
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
{{- if .Values.notary.secretName }}
- name: notary-cert
mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt
subPath: ca
- name: notary-cert
mountPath: /etc/ssl/notary/cert/notary-signer.crt
subPath: crt
- name: notary-cert
mountPath: /etc/ssl/notary/cert/notary-signer.key
subPath: key
{{- end }}
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: notary-config - name: notary-config
configMap: configMap:
name: "{{ template "harbor.fullname" . }}-notary" name: "{{ template "harbor.notary-server" . }}"
{{- if .Values.notary.secretName }}
- name: notary-cert
secret:
secretName: {{ .Values.notary.secretName }}
{{- end }}
{{- with .Values.notary.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{ end }} {{ end }}
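Review bot: `NOTARY_SIGNER_DEFAULTALIAS` goes from `{{ .Values.notary.signer.env.NOTARY_SIGNER_DEFAULTALIAS }}` to the literal `defaultalias`. As far as I know notary's signer, `NOTARY_SIGNER_<ALIAS>` is the environment variable that carries the passphrase protecting the private signing keys for that alias in its database, so this change bakes a publicly known passphrase into the chart for every installation. Source it from a Secret (as the jobservice secret does) with a stable, operator-supplied value rather than a per-render random one, since a passphrase that changes on upgrade can no longer decrypt keys already stored. Also, `subPath` mounts from a Secret are not refreshed when the Secret changes, so rotating `notary.secretName` requires a pod restart; either document that or mount the whole Secret as a directory at `/etc/ssl/notary/cert`.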
...@@ -2,21 +2,24 @@ ...@@ -2,21 +2,24 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "harbor.notaryServiceName" . }} name: {{ template "harbor.notary-server" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports: ports:
- port: 4443 - port: 4443
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-notary-server component: notary-server
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "harbor.fullname" . }}-notary-signer name: {{ template "harbor.notary-signer" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
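Review bot: `type: NodePort` when `expose.ingress.controller` is `gce` is what the GCE ingress controller needs, but it also opens a port on every node's IP for the notary server (the portal Service gets the same treatment), so the values comment should say that the cloud firewall, not the chart, is what keeps that port private.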
...@@ -24,5 +27,5 @@ spec: ...@@ -24,5 +27,5 @@ spec:
- port: 7899 - port: 7899
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-notary-signer component: notary-signer
{{ end }} {{ end }}
\ No newline at end of file
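Review bot: the signer Service exposes `7899` cluster-wide with only a label selector, and nothing in the signer config authenticates its clients; a NetworkPolicy allowing ingress to `component: notary-signer` pods only from `component: notary-server` pods is the cheapest containment and fits naturally in this chart as an optional template.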
apiVersion: apps/v1
kind: Deployment
metadata:
name: "{{ template "harbor.portal" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
component: portal
spec:
replicas: {{ .Values.portal.replicas }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: portal
template:
metadata:
labels:
{{ include "harbor.matchLabels" . | indent 8 }}
component: portal
annotations:
{{- if .Values.portal.podAnnotations }}
{{ toYaml .Values.portal.podAnnotations | indent 8 }}
{{- end }}
spec:
containers:
- name: portal
image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.portal.resources }}
resources:
{{ toYaml .Values.portal.resources | indent 10 }}
{{- end }}
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 1
periodSeconds: 10
ports:
- containerPort: 80
volumeMounts:
- name: etc-localtime
mountPath: /etc/localtime
volumes:
- name: etc-localtime
hostPath:
path: /etc/localtime
{{- with .Values.portal.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.portal.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.portal.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
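Review bot: the pod template labels use `{{ include "harbor.matchLabels" . | indent 8 }}` whereas every other Deployment in this commit labels pods with `harbor.labels` (nginx, notary, redis); portal pods therefore lack the chart/release labels, which breaks label-based selection in dashboards and policy tools. Use `harbor.labels` here and keep `harbor.matchLabels` for the selector only.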
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.portal" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports:
- port: 80
targetPort: 80
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: portal
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "harbor.fullname" . }}-redis
labels:
{{ include "harbor.labels" . | indent 4 }}
app: harbor-redis
version: {{ .Values.redis.image.tag }}
spec:
replicas: 1
selector:
matchLabels:
{{ include "harbor.labels" . | indent 6 }}
app: harbor-redis
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
app: harbor-redis
version: {{ .Values.redis.image.tag }}
spec:
containers:
- name: redis
image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}
imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
args: ["--save","''","--appendonly","no"]
ports:
- name: redis
containerPort: 6379
volumeMounts:
- name: etc-localtime
mountPath: /etc/localtime
volumes:
- name: etc-localtime
hostPath:
path: /etc/localtime
\ No newline at end of file
--- {{- if eq .Values.redis.type "internal" -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "harbor.fullname" . }}-redis name: {{ template "harbor.redis" . }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-redis
spec: spec:
ports:
- port: 6379
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-redis component: redis
ports: {{- end -}}
- name: redis \ No newline at end of file
port: 6379
\ No newline at end of file
{{- if eq .Values.redis.type "internal" -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "harbor.redis" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: redis
spec:
replicas: 1
serviceName: {{ template "harbor.redis" . }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: redis
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: redis
{{- if .Values.redis.podAnnotations }}
annotations:
{{ toYaml .Values.redis.podAnnotations | indent 8 }}
{{- end }}
spec:
containers:
- name: redis
image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
tcpSocket:
port: 6379
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
tcpSocket:
port: 6379
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.redis.internal.resources }}
resources:
{{ toYaml .Values.redis.internal.resources | indent 10 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /var/lib/redis
- name: etc-localtime
mountPath: /etc/localtime
volumes:
- name: etc-localtime
hostPath:
path: /etc/localtime
- name: data
emptyDir: {}
{{- with .Values.redis.internal.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.redis.internal.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.redis.internal.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end -}}
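Review bot: this StatefulSet has no `volumeClaimTemplates`; `data` is an `emptyDir`, so nothing here is more durable than the Deployment it replaces, and the job queue and session data still vanish when the pod is rescheduled. If ephemeral redis is the intent (the deleted Deployment said so explicitly with `--save '' --appendonly no`), restore those args so redis does not snapshot into the container filesystem and keep a plain Deployment; if durability is the intent, add a `volumeClaimTemplates` entry and mount it at `/var/lib/redis`. Either way redis runs without `requirepass`, and the registry config in this commit no longer passes a password, so access control for the queue rests entirely on who can reach port 6379.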
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.fullname" . }}-registry"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
config.yml: |+
version: 0.1
log:
level: {{ .Values.registry.logLevel }}
fields:
service: registry
storage:
{{- $storage := .Values.registry.storage }}
{{- $type := $storage.type }}
{{- if eq $type "filesystem" }}
filesystem:
rootdirectory: {{ $storage.filesystem.rootdirectory }}
{{- if $storage.filesystem.maxthreads }}
maxthreads: {{ $storage.filesystem.maxthreads }}
{{- end }}
{{- else if eq $type "azure" }}
azure:
accountname: {{ $storage.azure.accountname }}
container: {{ $storage.azure.container }}
{{- if $storage.azure.realm }}
realm: {{ $storage.azure.realm }}
{{- end }}
{{- else if eq $type "gcs" }}
gcs:
bucket: {{ $storage.gcs.bucket }}
{{- if $storage.gcs.rootdirectory }}
rootdirectory: {{ $storage.gcs.rootdirectory }}
{{- end }}
{{- if $storage.gcs.chunksize }}
chunksize: {{ $storage.gcs.chunksize }}
{{- end }}
{{- else if eq $type "s3" }}
s3:
region: {{ $storage.s3.region }}
bucket: {{ $storage.s3.bucket }}
{{- if $storage.s3.regionendpoint }}
regionendpoint: {{ $storage.s3.regionendpoint }}
{{- end }}
{{- if $storage.s3.encrypt }}
encrypt: {{ $storage.s3.encrypt }}
{{- end }}
{{- if $storage.s3.secure }}
secure: {{ $storage.s3.secure }}
{{- end }}
{{- if $storage.s3.v4auth }}
v4auth: {{ $storage.s3.v4auth }}
{{- end }}
{{- if $storage.s3.chunksize }}
chunksize: {{ $storage.s3.chunksize }}
{{- end }}
{{- if $storage.s3.rootdirectory }}
rootdirectory: {{ $storage.s3.rootdirectory }}
{{- end }}
{{- if $storage.s3.storageclass }}
storageclass: {{ $storage.s3.storageclass }}
{{- end }}
{{- else if eq $type "swift" }}
swift:
authurl: {{ $storage.swift.authurl }}
username: {{ $storage.swift.username }}
container: {{ $storage.swift.container }}
{{- if $storage.swift.region }}
region: {{ $storage.swift.region }}
{{- end }}
{{- if $storage.swift.tenant }}
tenant: {{ $storage.swift.tenant }}
{{- end }}
{{- if $storage.swift.tenantid }}
tenantid: {{ $storage.swift.tenantid }}
{{- end }}
{{- if $storage.swift.domain }}
domain: {{ $storage.swift.domain }}
{{- end }}
{{- if $storage.swift.domainid }}
domainid: {{ $storage.swift.domainid }}
{{- end }}
{{- if $storage.swift.trustid }}
trustid: {{ $storage.swift.trustid }}
{{- end }}
{{- if $storage.swift.insecureskipverify }}
insecureskipverify: {{ $storage.swift.insecureskipverify }}
{{- end }}
{{- if $storage.swift.chunksize }}
chunksize: {{ $storage.swift.chunksize }}
{{- end }}
{{- if $storage.swift.prefix }}
prefix: {{ $storage.swift.prefix }}
{{- end }}
{{- if $storage.swift.authversion }}
authversion: {{ $storage.swift.authversion }}
{{- end }}
{{- if $storage.swift.endpointtype }}
endpointtype: {{ $storage.swift.endpointtype }}
{{- end }}
{{- if $storage.swift.tempurlcontainerkey }}
tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }}
{{- end }}
{{- if $storage.swift.tempurlmethods }}
tempurlmethods: {{ $storage.swift.tempurlmethods }}
{{- end }}
{{- else if eq $type "oss" }}
oss:
accesskeyid: {{ $storage.oss.accesskeyid }}
region: {{ $storage.oss.region }}
bucket: {{ $storage.oss.bucket }}
{{- if $storage.oss.endpoint }}
endpoint: {{ $storage.oss.endpoint }}
{{- end }}
{{- if $storage.oss.internal }}
internal: {{ $storage.oss.internal }}
{{- end }}
{{- if $storage.oss.encrypt }}
encrypt: {{ $storage.oss.encrypt }}
{{- end }}
{{- if $storage.oss.secure }}
secure: {{ $storage.oss.secure }}
{{- end }}
{{- if $storage.oss.chunksize }}
chunksize: {{ $storage.oss.chunksize }}
{{- end }}
{{- if $storage.oss.rootdirectory }}
rootdirectory: {{ $storage.oss.rootdirectory }}
{{- end }}
{{- end }}
cache:
layerinfo: redis
maintenance:
uploadpurging:
enabled: false
delete:
enabled: true
redis:
addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}"
password: {{ template "harbor.redis.password" . }}
db: {{ template "harbor.redis.databaseIndex" . }}
http:
addr: :5000
# set via environment variable
# secret: placeholder
debug:
addr: localhost:5001
auth:
token:
issuer: harbor-token-issuer
realm: "{{ template "harbor.externalURL" . }}/service/token"
rootcertbundle: /etc/registry/root.crt
service: harbor-registry
notifications:
endpoints:
- name: harbor
disabled: false
url: http://{{ template "harbor.fullname" . }}-ui/service/notifications
timeout: 3000ms
threshold: 5
backoff: 1s
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.registry" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
config.yml: |+
version: 0.1
log:
level: {{ .Values.logLevel }}
fields:
service: registry
storage:
filesystem:
rootdirectory: /data
cache:
layerinfo: redis
maintenance:
uploadpurging:
enabled: false
delete:
enabled: true
redirect:
disable: false
redis:
addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}"
db: {{ template "harbor.redis.registryDatabaseIndex" . }}
http:
addr: :5000
# set via environment variable
# secret: placeholder
debug:
addr: localhost:5001
auth:
token:
issuer: harbor-token-issuer
realm: "{{ .Values.externalURL }}/service/token"
rootcertbundle: /etc/registry/root.crt
service: harbor-registry
validation:
disabled: true
notifications:
endpoints:
- name: harbor
disabled: false
url: http://{{ template "harbor.core" . }}/service/notifications
timeout: 3000ms
threshold: 5
backoff: 1s
ctl-config.yml: |+
---
protocol: "http"
port: 8080
log_level: {{ .Values.logLevel }}
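Review bot: the `storage:` block of `config.yml` is hard-coded to `filesystem` with `rootdirectory: /data`, so `persistence.imageChartStorage.type` from values.yaml never reaches the registry, even though the Secret template in this same commit still emits azure/gcs/s3/swift/oss credentials keyed off that value and values.yaml documents all of those backends; either render `storage:` from `$storage`/`$type` the way the previous ConfigMap did, or state under `imageChartStorage` that this fork supports `filesystem` only, so nobody configures an S3 bucket and silently ends up on hostPath storage. Two smaller points: `validation: disabled: true` is new and needs a comment saying why manifest validation is switched off, and `redis.password` was removed from `config.yml` in favour of `REGISTRY_REDIS_PASSWORD` from the Secret, which works with distribution's `REGISTRY_` environment overrides but deserves the same `# set via environment variable` comment that `http.secret` already carries.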
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-registry" name: "{{ template "harbor.registry" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
app: harbor-registry component: registry
version: {{ .Values.registry.image.tag }}
spec: spec:
replicas: 1 replicas: {{ .Values.registry.replicas }}
serviceName: "{{ template "harbor.fullname" . }}-registry"
selector: selector:
matchLabels: matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }} {{ include "harbor.matchLabels" . | indent 6 }}
app: harbor-registry component: registry
template: template:
metadata: metadata:
labels: labels:
{{ include "harbor.labels" . | indent 8 }} {{ include "harbor.labels" . | indent 8 }}
app: harbor-registry component: registry
version: {{ .Values.registry.image.tag }} annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.registry.podAnnotations }}
{{ toYaml .Values.registry.podAnnotations | indent 8 }}
{{- end }}
spec: spec:
containers: containers:
- name: registry - name: registry
image: {{ .Values.registry.image.repository }}:{{ .Values.registry.image.tag }} image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
imagePullPolicy: {{ .Values.registry.image.pullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /
port: 5000
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 5000
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.registry.registry.resources }}
resources: resources:
{{ toYaml .Values.registry.resources | indent 10 }} {{ toYaml .Values.registry.registry.resources | indent 10 }}
{{- end }}
args: ["serve", "/etc/registry/config.yml"] args: ["serve", "/etc/registry/config.yml"]
env: envFrom:
- name: REGISTRY_HTTP_SECRET - secretRef:
valueFrom: name: "{{ template "harbor.registry" . }}"
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: httpSecret
{{- $storage := .Values.registry.storage }}
{{- $type := $storage.type }}
{{- if eq $type "azure" }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: accountkey
{{- else if eq $type "s3" }}
{{- if $storage.s3.accesskey }}
- name: REGISTRY_STORAGE_S3_ACCESSKEY
valueFrom:
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: accesskey
{{- end }}
{{- if $storage.s3.secretkey }}
- name: REGISTRY_STORAGE_S3_SECRETKEY
valueFrom:
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: secretkey
{{- end }}
{{- else if eq $type "swift" }}
- name: REGISTRY_STORAGE_SWIFT_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: password
{{- if $storage.swift.secretkey }}
- name: REGISTRY_STORAGE_SWIFT_SECRETKEY
valueFrom:
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: secretkey
{{- end }}
{{- if $storage.swift.accesskey }}
- name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
valueFrom:
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: accesskey
{{- end }}
{{- else if eq $type "oss" }}
- name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
valueFrom:
secretKeyRef:
name: "{{ template "harbor.fullname" . }}-registry"
key: accesskeysecret
{{- end }}
ports: ports:
- containerPort: 5000 - containerPort: 5000
- containerPort: 5001 - containerPort: 5001
volumeMounts: volumeMounts:
{{- if eq .Values.registry.storage.type "filesystem" }}
- name: registry-data - name: registry-data
mountPath: {{ .Values.registry.storage.filesystem.rootdirectory }} mountPath: /data
{{- end }}
- name: registry-root-certificate - name: registry-root-certificate
mountPath: /etc/registry/root.crt mountPath: /etc/registry/root.crt
subPath: tokenServiceRootCertBundle subPath: tokenServiceRootCertBundle
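Review bot: switching `kind` from StatefulSet to Deployment and making `replicas` configurable does not fit the `registry-data` volume, which is still a node-local `hostPath`, and the mount at `/data` is now unconditional (the `{{- if eq .Values.registry.storage.type "filesystem" }}` guard around it is gone); with `registry.replicas` above 1 and pods landing on different nodes, each replica writes blobs to its own node and a pull succeeds or fails depending on which pod answers. Either fail the render for more than one replica on hostPath storage, e.g. `{{- if gt (int .Values.registry.replicas) 1 }}{{ fail "hostPath registry storage supports a single replica" }}{{- end }}`, or back `registry-data` with the PVC that `persistence.persistentVolumeClaim.registry` in values.yaml already describes. Also, `checksum/secret` now hashes `registry-secret.yaml`, whose `REGISTRY_HTTP_SECRET` falls back to `randAlphaNum 16`; with `registry.secret` left empty (the values.yaml default) every `helm upgrade` rotates the HTTP secret and rolls the registry, and `checksum/secret-core` and `checksum/secret-jobservice` behave the same way while `core.secret` and `jobservice.secret` stay empty. Document this next to those keys or keep the generated values stable across upgrades.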
...@@ -99,19 +63,74 @@ spec: ...@@ -99,19 +63,74 @@ spec:
subPath: config.yml subPath: config.yml
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
- name: registryctl
image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /api/health
port: 8080
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/health
port: 8080
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.registry.controller.resources }}
resources:
{{ toYaml .Values.registry.controller.resources | indent 10 }}
{{- end }}
args: ["serve", "/etc/registry/config.yml"]
envFrom:
- secretRef:
name: "{{ template "harbor.registry" . }}"
env:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.jobservice" . }}
key: secret
ports:
- containerPort: 8080
volumeMounts:
- name: registry-data
mountPath: /data
- name: registry-config
mountPath: /etc/registry/config.yml
subPath: config.yml
- name: registry-config
mountPath: /etc/registryctl/config.yml
subPath: ctl-config.yml
- name: etc-localtime
mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: registry-root-certificate - name: registry-root-certificate
secret: secret:
secretName: "{{ template "harbor.fullname" . }}-ui" {{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }}
{{- end }}
- name: registry-config - name: registry-config
configMap: configMap:
name: "{{ template "harbor.fullname" . }}-registry" name: "{{ template "harbor.registry" . }}"
- name: registry-data - name: registry-data
hostPath: hostPath:
path: {{ .Values.registry.hostpath }} {{- if .Values.registry.hostPath }}
path: {{ .Values.registry.hostPath }}
{{- else }}
path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/registry
{{- end }}
{{- with .Values.registry.nodeSelector }} {{- with .Values.registry.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
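Review bot: `.Values.registry.hostPath`, read for the `registry-data` volume, is not declared anywhere in values.yaml (only the old lower-case `hostpath` key ever existed, and the new overrides drop it), so users get the `/data/{{ .Release.Namespace }}/{{ .Release.Name }}/registry` fallback with no documented way to change it; add `hostPath: ""` with a comment under `registry:` in values.yaml. The `registryctl` sidecar mounts the same `registry-data` volume at `/data`, which is consistent with the ConfigMap's `rootdirectory: /data`, but its `CORE_SECRET` and `JOBSERVICE_SECRET` come from the core and jobservice Secrets by name, so the `checksum/secret-core` and `checksum/secret-jobservice` pod annotations are what keep the sidecar in step when those secrets change; keep them if the annotation block is ever trimmed.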
......
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-registry" name: "{{ template "harbor.registry" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
type: Opaque type: Opaque
data: data:
httpSecret: {{ .Values.registry.httpSecret | b64enc | quote }} REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- $storage := .Values.registry.storage }} REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.rawPassword" .) | b64enc | quote }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }} {{- $type := $storage.type }}
{{- if eq $type "azure" }} {{- if eq $type "azure" }}
accountkey: {{ $storage.azure.accountkey | b64enc | quote }} REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
{{- else if eq $type "gcs" }}
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
{{- else if eq $type "s3" }} {{- else if eq $type "s3" }}
{{- if $storage.s3.accesskey }} {{- if $storage.s3.accesskey }}
accesskey: {{ $storage.s3.accesskey | b64enc | quote }} REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
{{- end }} {{- end }}
{{- if $storage.s3.secretkey }} {{- if $storage.s3.secretkey }}
secretkey: {{ $storage.s3.secretkey | b64enc | quote }} REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
{{- end }} {{- end }}
{{- else if eq $type "swift" }} {{- else if eq $type "swift" }}
password: {{ $storage.swift.password }} REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
{{- if $storage.swift.secretkey }} {{- if $storage.swift.secretkey }}
secretkey: {{ $storage.swift.secretkey }} REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
{{- end }} {{- end }}
{{- if $storage.swift.accesskey }} {{- if $storage.swift.accesskey }}
accesskey: {{ $storage.swift.accesskey }} REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
{{- end }} {{- end }}
{{- else if eq $type "oss" }} {{- else if eq $type "oss" }}
accesskeysecret: {{ $storage.oss.accesskeysecret }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- end }} {{- end }}
\ No newline at end of file
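Review bot: `GCS_KEY_DATA` is the only entry written with `quote` and no `b64enc`; that is right only because `persistence.imageChartStorage.gcs.encodedkey` is documented as already base64-encoded, so put a `# already base64, do not b64enc` comment on that line before someone aligns it with the other keys and breaks GCS authentication. The `| b64enc | quote` added to the swift `password`, `secretkey` and `accesskey` entries is a real fix: the previous lines placed raw strings under `data:`, which the API server rejects as invalid base64. If you want to rule out that class of mistake altogether, render the whole block under `stringData:` and let Kubernetes do the encoding.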
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: "{{ template "harbor.fullname" . }}-registry" name: "{{ template "harbor.registry" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
ports: ports:
- name: http - name: registry
port: 5000 port: 5000
- name: controller
port: 8080
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: harbor-registry component: registry
\ No newline at end of file \ No newline at end of file
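Review bot: the new `controller` port 8080 on this ClusterIP Service publishes the registryctl API to every namespace; per `ctl-config.yml` it speaks plain `http` and is authenticated only by the shared `CORE_SECRET`/`JOBSERVICE_SECRET` values the sidecar receives, so a NetworkPolicy that admits the `controller` port only from the core and jobservice pods (and the `registry` port 5000 only from the components that proxy to it) belongs in the chart, or at least in the README. The port rename from `http` to `registry` and the selector change to `component: registry` match the labels on the new Deployment.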
expose:
type: ingress
tls:
enabled: false
ingress:
host: harbor.wodcloud.local
controller: default
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
rewriteAnnotation: traefik.ingress.kubernetes.io/rewrite-target
externalURL: https://harbor.wodcloud.local
persistence: persistence:
enabled: false enabled: false
externalProtocol: https
externalDomain: hub.wodcloud.local
harborAdminPassword: "passwd"
ingress: imagePullPolicy: IfNotPresent
enabled: true
adminserver: logLevel: debug
image: harborAdminPassword: "changeit"
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-adminserver secretKey: "IpTIscRIgmerlare"
tag: v1.6.3
nodeSelector:
harbor: enabled
jobservice: portal:
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
tag: v1.6.3 tag: v1.7.5
replicas: 1
ui: core:
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-ui repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
tag: v1.6.3 tag: v1.7.5
replicas: 1
busybox: jobservice:
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/busybox repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
tag: "1.30" tag: v1.7.5
replicas: 1
maxJobWorkers: 10
jobLogger: file
database: registry:
internal: registry:
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db repository: registry.cn-qingdao.aliyuncs.com/wod/registry
tag: v1.6.3 tag: v2.7.1
resources: resources:
limits: limits:
memory: 4Gi memory: 4Gi
cpu: 1000m cpu: 1000m
requests: requests:
memory: 256Mi memory: 256Mi
cpu: 100m cpu: 100m
password: "passwd"
nodeSelector:
harbor: enabled
registry:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/registry
tag: 2.7.1
hostpath: /data/registry
resources:
limits:
memory: 4Gi
cpu: 1000m
requests:
memory: 256Mi
cpu: 100m
nodeSelector: nodeSelector:
harbor: enabled harbor: enabled
controller:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
tag: v1.7.5
replicas: 1
chartmuseum: chartmuseum:
enabled: true enabled: true
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon
tag: v0.7.1 tag: v0.8.1-v1.7.5
replicas: 1
nodeSelector:
harbor: enabled
clair: clair:
enabled: true enabled: true
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/clair repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon
tag: v2.0.6 tag: v2.0.8-v1.7.5
resources: replicas: 1
limits: updatersInterval: 12
memory: 1Gi
cpu: 1000m
requests:
memory: 128Mi
cpu: 100m
redis:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/redis
tag: 4.0.11-alpine
usePassword: false
cluster:
enabled: false
master:
persistence:
enabled: false
notary: notary:
enabled: true enabled: true
server: server:
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon
tag: dev tag: v0.6.1-v1.7.5
replicas: 1
signer: signer:
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon
tag: dev tag: v0.6.1-v1.7.5
\ No newline at end of file replicas: 1
database:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
tag: v1.7.5
password: "changeit"
resources:
limits:
memory: 4Gi
cpu: 1000m
requests:
memory: 256Mi
cpu: 100m
nodeSelector:
harbor: enabled
redis:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/redis
tag: 4.0.11-alpine
\ No newline at end of file
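Review bot: the new column commits live credentials to the repository: `secretKey: "IpTIscRIgmerlare"` is the 16-character key Harbor uses for encryption per the values.yaml comment, and `harborAdminPassword` and `database.internal.password` are both `"changeit"`; keep these out of the tracked overrides file (pass them with `--set` or a values file outside git) and rotate the key if this overrides file is used anywhere real, because git history keeps it. Second, `expose.tls.enabled: false` is combined with `externalURL: https://harbor.wodcloud.local` and an `ingress.kubernetes.io/ssl-redirect: "true"` annotation; that only works if TLS terminates at the Traefik entrypoint (the `traefik.ingress.kubernetes.io/rewrite-target` annotation implies Traefik), and the values.yaml comment on `expose.tls` warns that otherwise the port must be included on every push and pull, so add a comment stating where TLS terminates or enable `expose.tls`. Third, `persistence.enabled: false` leaves the internal database and Redis ephemeral while the registry keeps its blobs on a `hostPath` pinned by `nodeSelector: harbor: enabled`; a database pod restart then loses project and user metadata but keeps the blobs, which is a confusing state to recover from and deserves a comment.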
persistence: expose:
enabled: true # Set the way how to expose the service. Set the type as "ingress",
externalProtocol: https # "clusterIP", "nodePort" or "loadBalancer" and fill the information
# The FQDN for Harbor service # in the corresponding section
externalDomain: hub.wodcloud.local type: ingress
# The Port for Harbor service, leave empty if the service
# is to be bound to port 80/443
externalPort:
harborAdminPassword: "passwd"
authenticationMode: "db_auth"
selfRegistration: "on"
ldap:
url: "ldaps://ldapserver"
searchDN: ""
searchPassword: ""
baseDN: ""
filter: "(objectClass=person)"
uid: "uid"
scope: "2"
timeout: "5"
verifyCert: "True"
email:
host: "smtp.mydomain.com"
port: "25"
username: "sample_admin@mydomain.com"
password: "password"
ssl: "false"
insecure: "false"
from: "admin <sample_admin@mydomain.com>"
identity: ""
# The secret key used for encryption. Must be a string of 16 chars.
secretKey: "nQImBn5SVCHL7ehq"
# These annotations allow the registry to work behind the nginx
# ingress controller.
ingress:
enabled: true
annotations:
tls: tls:
# Fill the secretName if you want to use the certificate of # Enable the tls or not. Note: if the type is "ingress" and the tls
# yourself when Harbor serves with HTTPS. A certificate will # is disabled, the port must be included in the command when pull/push
# be generated automatically by the chart if leave it empty # images. Refer to https://github.com/goharbor/harbor/issues/5291
# for the detail.
enabled: true
# Fill the name of secret if you want to use your own TLS certificate.
# The secret must contain keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# "ca.crt" - the certificate of CA
# These files will be generated automatically if the "secretName" is not set
secretName: "" secretName: ""
# The commmon name used to generate the certificate, it's necessary
# when the type isn't "ingress" and "secretName" is null
commonName: ""
ingress:
host: harbor.local
# set to the type of ingress controller if it has specific requirements.
# leave as `default` for most ingress controllers.
# set to `gce` if using the GCE ingress controller
controller: default
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
# The annotation name for "rewrite-target", only needed when Notary
# service is enabled
rewriteAnnotation: nginx.ingress.kubernetes.io/rewrite-target
clusterIP:
# The name of ClusterIP service
name: harbor
ports:
# The service port Harbor listens on when serving with HTTP
http: 80
# The service port Harbor listens on when serving with HTTPS
https: 443
nodePort:
# The name of NodePort service
name: harbor
ports:
http:
# The service port Harbor listens on when serving with HTTP
port: 80
# The node port Harbor listens on when serving with HTTP
nodePort: 30002
https:
# The service port Harbor listens on when serving with HTTPS
port: 443
# The node port Harbor listens on when serving with HTTPS
nodePort: 30003
loadBalancer:
# The name of LoadBalancer service
name: harbor
ports:
# The service port Harbor listens on when serving with HTTP
http: 80
# The service port Harbor listens on when serving with HTTPS
https: 443
istio: # The external URL for Harbor service. It is used to
enabled: false # 1) populate the docker/helm commands showed on portal
# 2) populate the token service URL returned to docker/notary client
#
# Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be
# the value of "expose.ingress.host"
# 2) if "expose.type" is "clusterIP", the "domain" should be
# the value of "expose.clusterIP.name"
# 3) if "expose.type" is "nodePort", the "domain" should be
# the IP address of k8s node
#
# If Harbor is deployed behind the proxy, set it as the URL of proxy
externalURL: https://harbor.local
# The tag for Harbor docker images. # The persistence is enabled by default and a default StorageClass
harborImageTag: &harbor_image_tag v1.6.3 # is needed in the k8s cluster to provision volumes dynamicly.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
adminserver: # if you have already existing persistent volumes to use
image: #
repository: goharbor/harbor-adminserver # For storing images and charts, you can also use "azure", "gcs", "s3",
tag: *harbor_image_tag # "swift" or "oss". Set it in the "imageChartStorage" section
pullPolicy: IfNotPresent persistence:
volumes: enabled: true
config: # Setting it to "keep" to avoid removing PVCs during a helm delete
storageClass: "storageos" # operation. Leaving it empty will delete PVCs after the chart deleted
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# Use the existing PVC which must be created manually before bound,
# and specify the "subPath" if the PVC is shared with other components
existingClaim: ""
# Specify the "storageClass" used to provision the volume. Or the default
# StorageClass will be used(the default).
# Set it to "-" to disable dynamic provisioning
storageClass: ""
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
chartmuseum:
existingClaim: ""
storageClass: ""
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
jobservice:
existingClaim: ""
storageClass: ""
subPath: ""
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 1Gi size: 1Gi
# resources: # If external database is used, the following settings for database will
# requests: # be ignored
# memory: 256Mi database:
# cpu: 100m existingClaim: ""
nodeSelector: {} storageClass: ""
tolerations: [] subPath: ""
affinity: {} accessMode: ReadWriteOnce
size: 1Gi
jobservice: # If external Redis is used, the following settings for Redis will
image: # be ignored
repository: goharbor/harbor-jobservice redis:
tag: *harbor_image_tag existingClaim: ""
pullPolicy: IfNotPresent storageClass: ""
secret: "BBRQwySksiHZqJUh" subPath: ""
maxWorkers: 50 accessMode: ReadWriteOnce
# resources: size: 1Gi
# requests: # Define which storage backend is used for registry and chartmuseum to store
# memory: 256Mi # images and charts. Refer to
# cpu: 100m # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
nodeSelector: {} # for the detail.
tolerations: [] imageChartStorage:
affinity: {} # Specify whether to disable `redirect` for images and chart storage, for
# backends which not supported it (such as using minio for `s3` storage type), please disable
ui: # it. To disable redirects, simply set `disableredirect` to `true` instead.
image: # Refer to
repository: goharbor/harbor-ui # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
tag: *harbor_image_tag # for the detail.
pullPolicy: IfNotPresent disableredirect: false
secret: "BBRQwySksiHZqJUh" # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
# resources: # "oss" and fill the information needed in the corresponding section. The type
# requests: # must be "filesystem" if you want to use persistent volumes for registry
# memory: 256Mi # and chartmuseum
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
busybox:
image:
repository: busybox
tag: 1.29
# TODO: change the style to be same with redis
database:
# if external database is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
image:
repository: goharbor/harbor-db
tag: *harbor_image_tag
pullPolicy: IfNotPresent
# the superuser password of database
password: "passwd"
volumes:
data:
storageClass: "storageos"
accessMode: ReadWriteOnce
size: 5Gi
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: "192.168.0.1"
port: "5432"
username: "user"
password: "password"
coreDatabase: "registry"
clairDatabase: "clair"
notaryServerDatabase: "notary_server"
notarySignerDatabase: "notary_signer"
registry:
image:
repository: registry
tag: 2.7.1
pullPolicy: IfNotPresent
httpSecret: "BBRQwySksiHZqJUh"
logLevel: info
hostpath: /etc/kubernetes/data/registry
storage:
# specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
# "oss" and fill the information needed in the corresponding section
type: filesystem type: filesystem
filesystem: filesystem:
rootdirectory: /var/lib/registry rootdirectory: /storage
#maxthreads: 100 #maxthreads: 100
azure: azure:
accountname: accountname accountname: accountname
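Review bot: `persistence.persistentVolumeClaim.registry` (with `existingClaim`, `storageClass` and `size: 5Gi`) and `imageChartStorage.filesystem.rootdirectory: /storage` describe a PVC-backed registry, but the registry Deployment in this commit mounts a `hostPath` at `/data` and its ConfigMap hard-codes `rootdirectory: /data`, so a user who sizes this claim gets nothing and `rootdirectory` is never read; either wire the Deployment and ConfigMap to these values or mark both entries as unused in this fork. Also fix the `disableredirect` comment ("for backends which not supported it" should read "for backends which do not support it") and note beside `resourcePolicy: "keep"` that it only protects PVCs, not the hostPath directory the registry actually writes to.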
...@@ -157,10 +158,10 @@ registry: ...@@ -157,10 +158,10 @@ registry:
#realm: core.windows.net #realm: core.windows.net
gcs: gcs:
bucket: bucketname bucket: bucketname
# TODO: support the keyfile of gcs # The base64 encoded json file which contains the key
#keyfile: /path/to/keyfile encodedkey: base64-encoded-json-key-file
#rootdirectory: /gcs/object/name/prefix #rootdirectory: /gcs/object/name/prefix
#chunksize: 5242880 #chunksize: "5242880"
s3: s3:
region: us-west-1 region: us-west-1
bucket: bucketname bucket: bucketname
...@@ -171,7 +172,7 @@ registry: ...@@ -171,7 +172,7 @@ registry:
#keyid: mykeyid #keyid: mykeyid
#secure: true #secure: true
#v4auth: true #v4auth: true
#chunksize: 5242880 #chunksize: "5242880"
#rootdirectory: /s3/object/name/prefix #rootdirectory: /s3/object/name/prefix
#storageclass: STANDARD #storageclass: STANDARD
swift: swift:
...@@ -205,32 +206,130 @@ registry: ...@@ -205,32 +206,130 @@ registry:
#secure: true #secure: true
#chunksize: 10M #chunksize: 10M
#rootdirectory: rootdirectory #rootdirectory: rootdirectory
## Persist data to a persistent volume
volumes: imagePullPolicy: IfNotPresent
data:
# storageClass: "-" logLevel: debug
accessMode: ReadWriteOnce # The initial password of Harbor admin. Change it from portal after launching Harbor
size: 5Gi harborAdminPassword: "Harbor12345"
# The secret key used for encryption. Must be a string of 16 chars.
secretKey: "not-a-secure-key"
# If expose the service via "ingress", the Nginx will not be used
nginx:
image:
repository: goharbor/nginx-photon
tag: dev
replicas: 1
# resources: # resources:
# requests: # requests:
# memory: 256Mi # memory: 256Mi
# cpu: 100m # cpu: 100m
# nodeSelector: nodeSelector: {}
# kubernetes.io/hostname: 172.31.14.41
tolerations: [] tolerations: []
affinity: {} affinity: {}
## Additional deployment annotations
podAnnotations: {}
portal:
image:
repository: goharbor/harbor-portal
tag: dev
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
core:
image:
repository: goharbor/harbor-core
tag: dev
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used when core server communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate and private key for token encryption/decryption.
# The secret must contain keys named tls.tokenServiceRootCertBundle and
# tls.tokenServicePrivateKey that contain the certificate and private key.
# They will be automatically generated if not set
secretName: ""
jobservice:
image:
repository: goharbor/harbor-jobservice
tag: dev
replicas: 1
maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout"
jobLogger: file
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used when job service communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
registry:
registry:
image:
repository: goharbor/registry-photon
tag: dev
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
controller:
image:
repository: goharbor/harbor-registryctl
tag: dev
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
replicas: 1
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used to secure the upload state from client
# and registry storage backend.
# See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
chartmuseum: chartmuseum:
enabled: true enabled: true
image: image:
repository: chartmuseum/chartmuseum repository: goharbor/chartmuseum-photon
tag: v0.7.1 tag: dev
pullPolicy: IfNotPresent replicas: 1
volumes:
data:
storageClass: "storageos"
accessMode: ReadWriteOnce
size: 5Gi
# resources: # resources:
# requests: # requests:
# memory: 256Mi # memory: 256Mi
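Review bot: the `core.secretName` comment tells users the secret must contain `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey`, but the registry Deployment mounts that same secret with `subPath: tokenServiceRootCertBundle` (no `tls.` prefix), so a user-supplied secret named as documented will fail to mount; align the key name in one of the two places. Second, the global `imagePullPolicy: IfNotPresent` is paired with the floating `tag: dev` on nginx, portal, core, jobservice, registry-photon and registryctl; a node that already has an older `dev` image cached keeps running it after an upgrade, so use `Always` while tags float or pin digests in the overrides. Third, `secretKey: "not-a-secure-key"` and `harborAdminPassword: "Harbor12345"` are the well-known upstream defaults; a `{{ required "secretKey must be set" .Values.secretKey }}` in the template that consumes `secretKey` would stop installs that forget to override it.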
...@@ -238,18 +337,21 @@ chartmuseum: ...@@ -238,18 +337,21 @@ chartmuseum:
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
## Additional deployment annotations
podAnnotations: {}
clair: clair:
enabled: true enabled: true
image: image:
repository: quay.io/coreos/clair repository: goharbor/clair-photon
tag: 2.0.6 tag: dev
pullPolicy: IfNotPresent replicas: 1
volumes: # The http(s) proxy used to update vulnerabilities database from internet
pgData: httpProxy:
storageClass: "storageos" httpsProxy:
accessMode: ReadWriteOnce # The interval of clair updaters, the unit is hour, set to 0 to
size: 1Gi # disable the updaters
updatersInterval: 12
# resources: # resources:
# requests: # requests:
# memory: 256Mi # memory: 256Mi
...@@ -257,50 +359,96 @@ clair: ...@@ -257,50 +359,96 @@ clair:
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
## Additional deployment annotations
redis: podAnnotations: {}
image:
repository: redis
tag: 4.0.1-alpine
pullPolicy: IfNotPresent
# if external Redis is used, set "external.enabled" to "true"
# and fill the connection informations in "external" section.
# or the internal Redis will be used
usePassword: false
password: "passwd"
cluster:
enabled: false
master:
persistence:
# TODO: There is a perm issue: Can't open the append-only file: Permission denied
# TODO: Setting it to false is a temp workaround. Will re-visit this problem.
enabled: false
external:
enabled: false
host: "192.168.0.2"
port: "6379"
databaseIndex: "0"
usePassword: false
password: "passwd"
notary: notary:
enabled: true enabled: true
server: server:
image: image:
repository: notary repository: goharbor/notary-server-photon
tag: server-0.5.0 tag: dev
pullPolicy: IfNotPresent replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
signer: signer:
image: image:
repository: notary repository: goharbor/notary-signer-photon
tag: signer-0.5.0 tag: dev
pullPolicy: IfNotPresent replicas: 1
env: # resources:
NOTARY_SIGNER_DEFAULTALIAS: defaultalias # requests:
# The TLS certificate for Notary Signer. Will auto generate them if unspecified here. # memory: 256Mi
caCrt: # cpu: 100m
tlsCrt:
tlsKey:
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate authority, certificate and private key for notary
# communications.
# The secret must contain keys named tls.ca, tls.crt and tls.key that
# contain the CA, certificate and private key.
# They will be generated if not set.
secretName: ""
database:
# if external database is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
image:
repository: goharbor/harbor-db
tag: dev
# The initial superuser password for internal database
password: "changeit"
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: "192.168.0.1"
port: "5432"
username: "user"
password: "password"
coreDatabase: "registry"
clairDatabase: "clair"
notaryServerDatabase: "notary_server"
notarySignerDatabase: "notary_signer"
sslmode: "disable"
## Additional deployment annotations
podAnnotations: {}
redis:
# if external Redis is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
image:
repository: goharbor/redis-photon
tag: dev
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: "192.168.0.2"
port: "6379"
# The "coreDatabaseIndex" must be "0" as the library Harbor
# used doesn't support configuring it
coreDatabaseIndex: "0"
jobserviceDatabaseIndex: "1"
registryDatabaseIndex: "2"
chartmuseumDatabaseIndex: "3"
password: ""
## Additional deployment annotations
podAnnotations: {}
\ No newline at end of file
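Review bot: `database.external.sslmode: "disable"` sends the Postgres credentials and every query in clear text to the external host; since this block only applies when `database.type` is `external`, i.e. when the database lives outside the pod network, `"require"` is the safer default, with `verify-full` recommended in the comment. On the Redis side the comment on `coreDatabaseIndex` already explains the `"0"` constraint; add a similar note on `password: ""`, because the registry Secret always renders `REGISTRY_REDIS_PASSWORD` and an unset password means the registry's layer-info cache is open to anything that can reach the Redis endpoint. The `notary.secretName` comment correctly lists `tls.ca`, `tls.crt` and `tls.key`, which is the naming pattern the other bring-your-own-secret comments should follow too.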