From 3c9152418b7752ae6a8df8e59554a8d763d32961 Mon Sep 17 00:00:00 2001
From: lvyongxin
Date: Wed, 28 Oct 2020 14:01:11 +0800
Subject: [PATCH] update

---
 .github/workflows/integration.yaml | 58 ------
 .github/workflows/lint.yaml | 46 -----
 .github/workflows/unittest.yaml | 35 ----
 templates/chartmuseum/chartmuseum-dpl.yaml | 14 +-
 templates/chartmuseum/chartmuseum-pvc.yaml | 32 ++++
 templates/chartmuseum/chartmuseum-tls.yaml | 15 ++
 templates/clair/clair-dpl.yaml | 5 -
 templates/clair/clair-tls.yaml | 15 ++
 templates/core/core-dpl.yaml | 5 -
 templates/core/core-tls.yaml | 15 ++
 templates/database/database-ss.yaml | 32 ++--
 templates/jobservice/jobservice-dpl.yaml | 11 +-
 templates/jobservice/jobservice-pvc.yaml | 29 +++
 templates/jobservice/jobservice-tls.yaml | 15 ++
 templates/notary/notary-server.yaml | 5 -
 templates/notary/notary-signer.yaml | 5 -
 templates/portal/deployment.yaml | 5 -
 templates/portal/tls.yaml | 15 ++
 templates/redis/statefulset.yaml | 5 -
 templates/registry/registry-dpl.yaml | 26 +--
 templates/registry/registry-pvc.yaml | 29 +++
 templates/registry/registry-tls.yaml | 15 ++
 templates/trivy/trivy-sts.yaml | 5 -
 templates/trivy/trivy-tls.yaml | 15 ++
 values-overrides.yaml | 201 +++++++++++++++------
 25 files changed, 377 insertions(+), 276 deletions(-)
 delete mode 100644 .github/workflows/integration.yaml
 delete mode 100644 .github/workflows/lint.yaml
 delete mode 100644 .github/workflows/unittest.yaml
 create mode 100644 templates/chartmuseum/chartmuseum-pvc.yaml
 create mode 100644 templates/chartmuseum/chartmuseum-tls.yaml
 create mode 100644 templates/clair/clair-tls.yaml
 create mode 100644 templates/core/core-tls.yaml
 create mode 100644 templates/jobservice/jobservice-pvc.yaml
 create mode 100644 templates/jobservice/jobservice-tls.yaml
 create mode 100644 templates/portal/tls.yaml
 create mode 100644 templates/registry/registry-pvc.yaml
 create mode 100644 templates/registry/registry-tls.yaml
 create mode 100644 templates/trivy/trivy-tls.yaml
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml deleted file mode 100644 index 10d3aa1..0000000 --- a/.github/workflows/integration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -name: Integration test - -on: - pull_request: - push: - -jobs: - integration-test: - runs-on: ubuntu-latest - strategy: - matrix: - k8s_version: [v1.18.2, v1.17.5, v1.16.9] - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Setup Docker - uses: docker-practice/actions-setup-docker@0.0.1 - with: - docker_version: 18.09 - docker_channel: stable - docker_daemon_json: '{"insecure-registries":["0.0.0.0/0"]}' - - - name: Create kind cluster - uses: helm/kind-action@v1.0.0-rc.1 - with: - version: v0.8.1 - node_image: kindest/node:${{ matrix.k8s_version }} - cluster_name: kind-cluster-${{ matrix.k8s_version }} - config: test/integration/kind-cluster.yaml - - - name: Install Nginx ingress controller - run: | - kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.3.0/deploy/static/provider/kind/deploy.yaml - kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s - - - name: Set up Go 1.13 - uses: actions/setup-go@v2 - with: - go-version: 1.13 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Set /etc/hosts - run: | - sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts" - sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts" - - - name: Run integration tests - working-directory: ./test - run: - go test -v -timeout 30m github.com/goharbor/harbor-helm/integration \ No newline at end of file diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index 02ea6ac..0000000 --- a/.github/workflows/lint.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -name: Lint - -on: - pull_request: - push: - -jobs: - lint: - runs-on: ubuntu-latest - strategy: - matrix: - helm_version: [3.2.3, 2.16.8] - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - path: harbor - - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: '${{ matrix.helm_version }}' - - - name: Helm version - run: - helm version -c - - - name: Run lint - working-directory: ./harbor - run: - helm lint . - - - name: Update dependency - working-directory: ./harbor - run: - helm dependency update . - - - name: Run template for ingress expose - working-directory: ./harbor - run: - helm template --set "expose.type=ingress" --output-dir $(mktemp -d -t output-XXXXXXXXXX) . - - - name: Run template for nodePort expose - working-directory: ./harbor - run: - helm template --set "expose.type=nodePort,expose.tls.auto.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) . \ No newline at end of file diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml deleted file mode 100644 index 263de0a..0000000 --- a/.github/workflows/unittest.yaml +++ /dev/null @@ -1,35 +0,0 @@ -name: Unit test - -on: - pull_request: - push: - -jobs: - unit-test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Helm 3.2.3 - uses: azure/setup-helm@v1 - with: - version: '3.2.3' - - - name: Set up Go 1.13 - uses: actions/setup-go@v2 - with: - go-version: 1.13 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Run unit tests - working-directory: ./test - run: - go test -v github.com/goharbor/harbor-helm/unittest diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml index f762e50..dc0157f 100644 --- a/templates/chartmuseum/chartmuseum-dpl.yaml 
+++ b/templates/chartmuseum/chartmuseum-dpl.yaml @@ -103,8 +103,6 @@ spec: volumeMounts: - name: chartmuseum-data mountPath: /chart_storage - - name: etc-localtime - mountPath: /etc/localtime subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }} {{- if .Values.internalTLS.enabled }} - name: chart-internal-certs @@ -124,15 +122,11 @@ spec: {{ include "harbor.caBundleVolumeMount" . | indent 8 }} {{- end }} volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - {{- if eq .Values.chartmuseum.storageSpec.type "hostPath" }} - - name: chartmuseum-data - hostPath: - path: {{.Values.chartmuseum.storageSpec.hostPath.root | default "/data" }}/{{ .Release.Namespace }}/{{ .Release.Name }}/chartmuseum - {{- else if eq .Values.chartmuseum.storageSpec.type "emptyDir" }} - name: chartmuseum-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }} + {{- else }} emptyDir: {} {{- end }} {{- if .Values.internalTLS.enabled }} diff --git a/templates/chartmuseum/chartmuseum-pvc.yaml b/templates/chartmuseum/chartmuseum-pvc.yaml new file mode 100644 index 0000000..5a221c0 --- /dev/null +++ b/templates/chartmuseum/chartmuseum-pvc.yaml 
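Review bot: The `{{- else }} emptyDir: {}` fallback in the `chartmuseum-data` volume is taken whenever `persistence.enabled` is false or `imageChartStorage.type` is not `filesystem`, and the values-overrides.yaml in this same patch keeps `persistence.enabled: false`, so with these overrides every uploaded chart lives in an emptyDir and is gone the moment the pod is deleted or rescheduled. That is fine for a throwaway install but deserves a comment at the volume, e.g. `# emptyDir is ephemeral: chart data is lost when the pod is deleted; set persistence.enabled=true (or a non-filesystem imageChartStorage) for real deployments`. Dropping the hostPath branches is a genuine improvement, since the pod no longer gets a foothold on the node filesystem. The pod `spec` this volume list belongs to starts above the hunk.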
@@ -0,0 +1,32 @@ +{{- if .Values.chartmuseum.enabled }} +{{- $persistence := .Values.persistence -}} +{{- if $persistence.enabled }} +{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}} +{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.chartmuseum" . }} + {{- if eq $persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: chartmuseum +spec: + accessModes: + - {{ $chartmuseum.accessMode }} + resources: + requests: + storage: {{ $chartmuseum.size }} + {{- if $chartmuseum.storageClass }} + {{- if eq "-" $chartmuseum.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $chartmuseum.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-tls.yaml b/templates/chartmuseum/chartmuseum-tls.yaml new file mode 100644 index 0000000..cda17c3 --- /dev/null +++ b/templates/chartmuseum/chartmuseum-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }} +{{- end }} +{{- end }} 
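Review bot: The CA entry in the chartmuseum secret is keyed `tls.ca`, while every other internal-TLS secret added in this patch (clair, core, jobservice, portal, registry, trivy) stores the same `internalTLS.trustCa` value under `ca.crt`, so this looks like a typo rather than a deliberate difference; any consumer that mounts the chartmuseum secret and expects `ca.crt` will silently get no CA bundle. Unless the chartmuseum deployment template (not in this diff) really reads `tls.ca`, change the line to `ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}`. The API server only requires `tls.crt` and `tls.key` for a `kubernetes.io/tls` secret, so the mismatch would not be caught at apply time.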
diff --git a/templates/clair/clair-dpl.yaml b/templates/clair/clair-dpl.yaml index c9690e1..35005e8 100644 --- a/templates/clair/clair-dpl.yaml +++ b/templates/clair/clair-dpl.yaml @@ -139,12 +139,7 @@ spec: {{ include "harbor.caBundleVolumeMount" . | indent 8 }} {{- end }} {{- end }} - - name: etc-localtime - mountPath: /etc/localtime volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: config secret: secretName: "{{ template "harbor.clair" . }}" diff --git a/templates/clair/clair-tls.yaml b/templates/clair/clair-tls.yaml new file mode 100644 index 0000000..af81eec --- /dev/null +++ b/templates/clair/clair-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.clair.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.clair.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index b76c02c..10002f1 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -93,8 +93,6 @@ spec: ports: - containerPort: {{ template "harbor.core.containerPort" . }} volumeMounts: - - name: etc-localtime - mountPath: /etc/localtime - name: config mountPath: /etc/core/app.conf subPath: app.conf @@ -127,9 +125,6 @@ spec: {{ toYaml .Values.core.resources | indent 10 }} {{- end }} volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ template "harbor.core" . }} 
diff --git a/templates/core/core-tls.yaml b/templates/core/core-tls.yaml new file mode 100644 index 0000000..c52148f --- /dev/null +++ b/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index aefdf6b..fe29b31 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml 
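Review bot: `{{- if and .Values.internalTLS.enabled }}` on the first line is an `and` with a single operand, which renders correctly but reads as if a second condition was lost; the same form appears in jobservice-tls, portal/tls and registry-tls, whereas the chartmuseum, clair and trivy secrets use a proper two-operand `and`. Write it as `{{- if .Values.internalTLS.enabled }}`. Separately, this template lifts `internalTLS.core.key` (a private key) straight out of values into a Secret, so a values file containing it must never be committed; a header comment such as `# internalTLS.*.key are private keys: pass them with --set-file or an untracked values file, never in a committed values.yaml` would make that expectation explicit.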
@@ -76,24 +76,19 @@ spec: - secretRef: name: "{{ template "harbor.database" . }}" volumeMounts: - - name: etc-localtime - mountPath: /etc/localtime - name: database-data mountPath: /var/lib/postgresql/data subPath: {{ $database.subPath }} {{- if not .Values.persistence.enabled }} volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - {{- if eq .Values.database.internal.storageSpec.type "hostPath" }} - - name: "database-data" - hostPath: - path: {{.Values.database.internal.storageSpec.hostPath.root | default "/data" }}/{{ .Release.Namespace }}/{{ .Release.Name }}/database - {{- else if eq .Values.database.internal.storageSpec.type "emptyDir" }} - name: "database-data" emptyDir: {} - {{- end }} + {{- else if $database.existingClaim }} + volumes: + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} {{- with .Values.database.internal.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} @@ -106,14 +101,23 @@ spec: tolerations: {{ toYaml . | indent 8 }} {{- end }} - {{- if eq .Values.database.internal.storageSpec.type "volumeClaimTemplate" }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} volumeClaimTemplates: - metadata: name: "database-data" labels: {{ include "harbor.labels" . | indent 8 }} - app: database spec: -{{ toYaml $.Values.database.internal.storageSpec.volumeClaimTemplate.spec | indent 6 }} + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} {{- end -}} {{- end -}} diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index 724aa63..cafc6fb 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml 
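Review bot: The `volumeClaimTemplates` entry changes shape in the second hunk (the `app: database` label is dropped and the spec is now assembled from `$database.accessMode`/`storageClass`/`size` instead of `storageSpec.volumeClaimTemplate.spec`), and a StatefulSet's volumeClaimTemplates are immutable once created, so a `helm upgrade` of an existing release with persistence enabled will most likely be rejected by the API server instead of migrating the claim. Add a comment above the block, e.g. `# volumeClaimTemplates are immutable: when upgrading from the storageSpec-based template, delete the StatefulSet with --cascade=orphan first so the existing PVC is re-adopted`, and mention it in the release notes. Note too that with `persistence.enabled: false` (as the values-overrides.yaml in this patch sets) the first hunk places PostgreSQL's data directory on an emptyDir, so the database is wiped whenever the pod is deleted. `$database` is assigned earlier in the template, outside this hunk, and the `spec` block continues past it.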
@@ -95,6 +95,7 @@ spec: subPath: config.yml - name: job-logs mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }} {{- if .Values.internalTLS.enabled }} - name: jobservice-internal-certs mountPath: /etc/harbor/ssl/jobservice @@ -102,17 +103,17 @@ spec: {{- if .Values.caBundleSecretName }} {{ include "harbor.caBundleVolumeMount" . | indent 8 }} {{- end }} - - name: etc-localtime - mountPath: /etc/localtime volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: jobservice-config configMap: name: "{{ template "harbor.jobservice" . }}" - name: job-logs + {{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} emptyDir: {} + {{- end }} {{- if .Values.internalTLS.enabled }} - name: jobservice-internal-certs secret: diff --git a/templates/jobservice/jobservice-pvc.yaml b/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000..04cc64d --- /dev/null +++ b/templates/jobservice/jobservice-pvc.yaml 
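Review bot: With `jobLogger: file` and `persistence.enabled: false` (both as set in the values-overrides.yaml of this patch) the `job-logs` volume in the second hunk falls through to `emptyDir: {}`, so the per-job logs that serve as the record of replication, scan and GC runs disappear whenever the pod is deleted or rescheduled. If that is acceptable here, say so at the volume; otherwise enable persistence or, if the chart supports one, use a job logger that does not depend on the pod filesystem. A comment like `# emptyDir: job logs are lost on pod deletion; enable persistence if you need an auditable job history` captures the trade-off. The pod spec these volumes belong to starts above the hunk.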
@@ -0,0 +1,29 @@ +{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}} +{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }} +{{- if eq .Values.jobservice.jobLogger "file" }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobservice.accessMode }} + resources: + requests: + storage: {{ $jobservice.size }} + {{- if $jobservice.storageClass }} + {{- if eq "-" $jobservice.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobservice.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-tls.yaml b/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000..234cb39 --- /dev/null +++ b/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml index 62b21f9..6cb8023 100644 --- a/templates/notary/notary-server.yaml 
+++ b/templates/notary/notary-server.yaml @@ -56,12 +56,7 @@ spec: - name: signer-certificate mountPath: /etc/ssl/notary/ca.crt subPath: ca.crt - - name: etc-localtime - mountPath: /etc/localtime volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: config secret: secretName: "{{ template "harbor.notary-server" . }}" diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml index 75c045c..f4ee98e 100644 --- a/templates/notary/notary-signer.yaml +++ b/templates/notary/notary-signer.yaml @@ -54,12 +54,7 @@ spec: - name: signer-certificate mountPath: /etc/ssl/notary/tls.key subPath: tls.key - - name: etc-localtime - mountPath: /etc/localtime volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: config secret: secretName: "{{ template "harbor.notary-server" . }}" diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index f4bfe24..855830f 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml @@ -65,12 +65,7 @@ spec: - name: portal-internal-certs mountPath: /etc/harbor/ssl/portal {{- end }} - - name: etc-localtime - mountPath: /etc/localtime volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: portal-config configMap: name: "{{ template "harbor.portal" . }}" diff --git a/templates/portal/tls.yaml b/templates/portal/tls.yaml new file mode 100644 index 0000000..de63f4e --- /dev/null +++ b/templates/portal/tls.yaml 
@@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index 15a67d6..be710af 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -52,16 +52,11 @@ spec: {{ toYaml .Values.redis.internal.resources | indent 10 }} {{- end }} volumeMounts: - - name: etc-localtime - mountPath: /etc/localtime - name: data mountPath: /var/lib/redis subPath: {{ $redis.subPath }} {{- if not .Values.persistence.enabled }} volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: data emptyDir: {} {{- else if $redis.existingClaim }} diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 3a118a7..24b6b60 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -129,8 +129,6 @@ spec: {{- if .Values.caBundleSecretName }} {{ include "harbor.caBundleVolumeMount" . | indent 8 }} {{- end }} - - name: etc-localtime - mountPath: /etc/localtime - name: registryctl image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} 
@@ -205,12 +203,7 @@ spec: {{- if .Values.caBundleSecretName }} {{ include "harbor.caBundleVolumeMount" . | indent 8 }} {{- end }} - - name: etc-localtime - mountPath: /etc/localtime volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime - name: registry-htpasswd secret: secretName: {{ template "harbor.registry" . }} @@ -227,24 +220,13 @@ spec: - name: registry-config configMap: name: "{{ template "harbor.registry" . }}" - {{- if eq .Values.registry.storageSpec.type "hostPath" }} - - name: registry-data - hostPath: - path: {{.Values.registry.storageSpec.hostPath.root | default "/data" }}/{{ .Release.Namespace }}/{{ .Release.Name }}/registry - {{- else if eq .Values.registry.storageSpec.type "emptyDir" }} - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} emptyDir: {} {{- end }} - {{- if eq .Values.registry.storageSpec.type "volumeClaimTemplate" }} - volumeClaimTemplates: - - metadata: - name: registry-data - labels: -{{ include "harbor.labels" . | indent 8 }} - app: registry - spec: -{{ toYaml $.Values.registry.storageSpec.volumeClaimTemplate.spec | indent 6 }} - {{- end }} {{- if .Values.internalTLS.enabled }} - name: registry-internal-certs secret: diff --git a/templates/registry/registry-pvc.yaml b/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000..7340fa6 --- /dev/null +++ b/templates/registry/registry-pvc.yaml 
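Review bot: `registry-data` in the last hunk is now a PersistentVolumeClaim that defaults to `accessMode: ReadWriteOnce` (per the values in this patch) on a Deployment, and the values file keeps `updateStrategy.type: RollingUpdate`; if the deployment honours that setting, a rolling update on a multi-node cluster can schedule the replacement pod on another node, where it blocks on the volume still attached to the old pod and the rollout deadlocks. The usual remedy is `updateStrategy.type: Recreate` whenever registry or chartmuseum use filesystem storage on an RWO volume (or an RWX storage class), and the values file should say so next to `updateStrategy`. Removing the `volumeClaimTemplates` block is correct, since that field only exists on StatefulSets and was never valid in this Deployment. The `volumes` list continues past the end of the hunk.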
@@ -0,0 +1,29 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/registry/registry-tls.yaml b/templates/registry/registry-tls.yaml new file mode 100644 index 0000000..9d1862c --- /dev/null +++ b/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index c519793..9e8e08a 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml 
@@ -110,8 +110,6 @@ spec: - name: api-server containerPort: {{ template "harbor.trivy.containerPort" . }} volumeMounts: - - name: etc-localtime - mountPath: /etc/localtime - name: data mountPath: /home/scanner/.cache subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} @@ -145,9 +143,6 @@ spec: {{ toYaml .Values.trivy.resources | indent 12 }} {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} volumes: - - name: etc-localtime - hostPath: - path: /etc/localtime {{- if .Values.internalTLS.enabled }} - name: trivy-internal-certs secret: diff --git a/templates/trivy/trivy-tls.yaml b/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000..a9c8330 --- /dev/null +++ b/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/values-overrides.yaml b/values-overrides.yaml index 242a685..95e99bf 100644 --- a/values-overrides.yaml +++ b/values-overrides.yaml 
@@ -6,6 +6,10 @@ expose: hosts: core: hub.ywtest.wodcloud.com notary: notary.ywtest.wodcloud.com + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller controller: default annotations: ingress.kubernetes.io/ssl-redirect: "true" @@ -18,7 +22,8 @@ expose: httpPort: 80 httpsPort: 443 notaryPort: 4443 - + annotations: {} + sourceRanges: [] externalURL: https://hub.ywtest.wodcloud.com internalTLS: 
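Review bot: `sourceRanges: []` in the second hunk is added without a comment; if it feeds the Service's `loadBalancerSourceRanges`, as the name suggests, an empty list means the load balancer accepts connections from every source IP, and neither it nor `annotations: {}` has any effect unless `expose.type` selects the load-balancer mode, which this hunk does not show. Add a comment above it, e.g. `# CIDRs allowed to reach the LoadBalancer; empty means unrestricted -- narrow this when expose.type is loadBalancer`. Both hunks sit inside the `expose` map, which continues outside them.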
@@ -26,6 +31,57 @@ internalTLS: persistence: enabled: false + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used(the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi # Define which storage backend is used for registry and chartmuseum to store imageChartStorage: disableredirect: false @@ -36,6 +92,8 @@ persistence: imagePullPolicy: IfNotPresent +imagePullSecrets: + updateStrategy: type: RollingUpdate logLevel: info @@ -43,6 +101,8 @@ logLevel: info harborAdminPassword: "spaceIN511" secretKey: "not-a-secure-key" +caSecretName: "" + proxy: httpProxy: httpsProxy: 
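Review bot: The entire `persistentVolumeClaim` block added in the first hunk is inert because `enabled: false` is kept on the line above it, so registry, chartmuseum, job logs, PostgreSQL, Redis and the Trivy cache all render onto emptyDir volumes and lose their data when their pods are deleted; `resourcePolicy: "keep"` likewise only matters once PVCs exist. If this override file targets a real environment, flip it to `enabled: true` and set a `storageClass` per claim; if it is intentionally ephemeral, a one-line comment next to `enabled: false` saying so will stop the next reader from assuming the sizes below are in effect. The `persistence` map continues past the end of the hunk.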
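Review bot: `imagePullSecrets:` in the second hunk is added with no value, which YAML parses as `null` rather than an empty list; a template that only `range`s over it will cope, but `with`/`toYaml` behave differently on `null` than on `[]`, and a reader cannot tell whether a list or a map is expected. Since every image in this file comes from the private `reg.local:5000`, this is also precisely the key that will need a real value, so make the type explicit: `imagePullSecrets: []` with a comment `# - name: regcred  # pull secret for reg.local:5000`.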
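Review bot: `caSecretName: ""` in the third hunk is added directly beneath `secretKey: "not-a-secure-key"` and `harborAdminPassword: "spaceIN511"`, which this override file still ships as literals; if `secretKey` is, as in the upstream chart, the key Harbor uses to encrypt credentials it stores (robot accounts, replication endpoints), a placeholder value means every stored secret is recoverable by anyone who can read this file. Generate both per environment and keep them out of version control (an untracked values file or an existing Secret referenced by name), and annotate the key, e.g. `# secretKey: 16-char key used to encrypt stored credentials; generate per environment, never commit`.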
@@ -53,31 +113,61 @@ proxy: - clair - trivy +# If expose the service via "ingress", the Nginx will not be used +nginx: + image: + repository: reg.local:5000/wod/nginx-photon + tag: v2.1.0 + serviceAccountName: "" + replicas: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} + portal: image: repository: reg.local:5000/wod/harbor-portal tag: v2.1.0 + serviceAccountName: "" replicas: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} core: image: repository: reg.local:5000/wod/harbor-core tag: v2.1.0 + serviceAccountName: "" replicas: 1 startupProbe: initialDelaySeconds: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} + secret: "" + secretName: "" + xsrfKey: "" jobservice: image: repository: reg.local:5000/wod/harbor-jobservice tag: v2.1.0 replicas: 1 + serviceAccountName: "" maxJobWorkers: 10 jobLogger: file - nodeSelector: - harbor: enabled + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} + secret: "" registry: + serviceAccountName: "" registry: image: repository: reg.local:5000/wod/registry-photon 
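Review bot: `serviceAccountName: ""` is added to every component and `core.secret`, `core.xsrfKey` and `jobservice.secret` are added as empty strings, all without comments, so a reader cannot tell whether empty means "generate a random value" or "no secret". If this follows the upstream Harbor chart (the templates are not in this diff), empty triggers random generation at render time and explicit values have fixed length requirements, presumably 16 chars for the component secrets and 32 for the XSRF key; an empty `serviceAccountName` means the pods run under the namespace `default` service account with its API token auto-mounted, which nothing in these values suggests the components need. Document the contract inline, e.g. `xsrfKey: ""  # CSRF key; generated if empty, must be 32 chars when set`, and consider dedicated service accounts with `automountServiceAccountToken: false`. The `registry` map is cut off at the end of the hunk.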
@@ -86,48 +176,47 @@ registry: image: repository: reg.local:5000/wod/harbor-registryctl tag: v2.1.0 + replicas: 1 - nodeSelector: - harbor: enabled - storageSpec: - # type: emptyDir , hostPath , volumeClaimTemplate - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 100Gi - selector: {} + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} + secret: "" relativeurls: false credentials: username: "harbor_registry_user" password: "harbor_registry_password" htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m" + middleware: enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" chartmuseum: enabled: true + serviceAccountName: "" absoluteUrl: false image: repository: reg.local:5000/wod/chartmuseum-photon tag: v2.1.0 replicas: 1 - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} clair: enabled: true + serviceAccountName: "" clair: image: repository: reg.local:5000/wod/clair-photon @@ -138,21 +227,24 @@ clair: tag: v2.1.0 replicas: 1 updatersInterval: 12 - nodeSelector: - harbor: enabled - + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} trivy: enabled: true image: repository: reg.local:5000/wod/trivy-adapter-photon tag: v2.1.0 + serviceAccountName: "" replicas: 1 debugMode: false vulnType: "os,library" severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" ignoreUnfixed: false insecure: false + gitHubToken: "" skipUpdate: false resources: requests: 
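Review bot: The new `middleware.cloudFront` block in the first hunk ships placeholder values (`keypairid: KEYPAIRID`, `privateKeySecret: "my-secret"`) that are inert only while `enabled: false`; the moment someone flips the flag the chart will reference a Secret that does not exist, so mark them, e.g. `keypairid: KEYPAIRID  # placeholder: replace before setting middleware.enabled=true`. The `credentials` block just above (username, password and the bcrypt `htpasswd` line) is kept at what look like the chart's stock defaults, and since the htpasswd hash is the credential the registry actually verifies, it and `password` should be regenerated per environment and, like the new `secret: ""`, kept out of a committed values file. The `registry` map continues on both sides of the hunk.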
@@ -161,22 +253,32 @@ trivy: limits: cpu: 1 memory: 1Gi + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} notary: enabled: true server: + serviceAccountName: "" image: repository: reg.local:5000/wod/notary-server-photon tag: v2.1.0 replicas: 1 signer: + serviceAccountName: "" image: repository: reg.local:5000/wod/notary-signer-photon tag: v2.1.0 replicas: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + podAnnotations: {} + secretName: "" database: -# if external database is used, set "type" to "external" and fill the connection informations in "external" section type: internal internal: serviceAccountName: "" @@ -184,28 +286,11 @@ database: repository: reg.local:5000/wod/harbor-db tag: v2.1.0 password: "spaceIN511" - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 20Gi - selector: {} + nodeSelector: {} + tolerations: [] + affinity: {} external: - host: "harbor-harbor-database.devops" + host: "harbor-db.devops" port: "5432" username: "postgres" password: "spaceIN511" @@ -213,10 +298,24 @@ database: clairDatabase: "clair" notaryServerDatabase: "notary_server" notarySignerDatabase: "notary_signer" + podAnnotations: {} redis: type: internal internal: + serviceAccountName: "" image: repository: reg.local:5000/wod/redis-photon tag: v2.1.0 + nodeSelector: {} + tolerations: [] + affinity: {} + external: + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + chartmuseumDatabaseIndex: "3" + clairAdapterIndex: "4" + trivyAdapterIndex: "5" + password: "" + podAnnotations: {} -- 2.26.0
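Review bot: The second hunk removes the internal database's `resources` block (256Mi request, 4Gi memory limit) and replaces it only with scheduling knobs, so unless the chart supplies a default elsewhere (not visible here) the PostgreSQL pod now runs with no memory or CPU limit and a runaway query or connection storm can exhaust the node. Restore it in block style (`resources:` / `limits: {memory: 4Gi}` / `requests: {memory: 256Mi}`) or state why it was dropped. The deleted comment above `type: internal` was the only place telling readers that `type` must be `external` for the `external:` section to be used; the `external.host` edit in this hunk is a no-op while `type: internal`, which that comment would have made obvious, so put it back as `# set "type" to "external" and fill in the "external" section to use an external database`.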
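Review bot: `redis.external.password: ""` in the last hunk introduces an external Redis connection whose default is no AUTH, and the database-index keys beside it show that this instance would carry core sessions, the job queue and registry/chartmuseum caches; with `type: internal` it is unused today, but the next person to switch types gets an unauthenticated Redis unless they notice. Add `# leave empty only if the external Redis is reachable solely from this namespace; otherwise set a password` above it so the requirement travels with the setting.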