diff --git a/.beagle.yml b/.beagle.yml index a63422a9153dda25389ff870e287749a8b899989..e25bc0384615c57d1ff6759e6cafed697f113a74 100644 --- a/.beagle.yml +++ b/.beagle.yml @@ -1,82 +1,82 @@ -kind: pipeline -name: docker - -trigger: - branch: - - release-v2.1 - -platform: - runner: 10.11.92.34 - -volumes: - - name: charts - host: - path: /data/downloads/k8s/charts - - name: docker - host: - path: /var/run/docker.sock - -steps: - - name: charts - image: registry.cn-qingdao.aliyuncs.com/wod/helm:v3.6.0 - volumes: - - name: charts - path: /charts - commands: - - helm package . -d /charts/ - - - name: ansible-amd64 - image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0 - commands: - - >- - ansible-playbook /etc/ansible/linux/main.yml - --extra-vars - '{ - "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}", - "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz", - "TARGET_ARCH":"amd64", - "TARGET_VERSION":"v2.1.3" - }' - --extra-vars "@ansible/images.yaml" - - - name: ansible-arm64 - image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0 - commands: - - >- - ansible-playbook /etc/ansible/linux/main.yml - --extra-vars - '{ - "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}", - "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz", - "TARGET_ARCH":"arm64", - "TARGET_VERSION":"v2.1.3" - }' - --extra-vars "@ansible/images.yaml" - - - name: ansible-ppc64le - image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0 - commands: - - >- - ansible-playbook /etc/ansible/linux/main.yml - --extra-vars - '{ - "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}", - "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz", - "TARGET_ARCH":"ppc64le", - "TARGET_VERSION":"v2.1.3" - }' - --extra-vars "@ansible/images.yaml" - ---- -kind: secret -name: REGISTRY_USER_ALIYUN -get: - name: USERNAME - path: devops-registry-aliyun - ---- -kind: secret -name: REGISTRY_PASSWORD_ALIYUN -get: - name: PASSWORD - path: devops-registry-aliyun +kind: pipeline +name: docker + +trigger: + branch: + - release-v2.1 + +platform: + runner: 10.11.92.34 + +volumes: + - name: charts + host: + path: /data/downloads/k8s/charts + - name: docker + host: + path: /var/run/docker.sock + +steps: + - name: charts + image: registry.cn-qingdao.aliyuncs.com/wod/helm:v3.6.0 + volumes: + - name: charts + path: /charts + commands: + - helm package . -d /charts/ + + - name: ansible-amd64 + image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0 + commands: + - >- + ansible-playbook /etc/ansible/linux/main.yml + --extra-vars + '{ + "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}", + "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz", + "TARGET_ARCH":"amd64", + "TARGET_VERSION":"v2.1.3" + }' + --extra-vars "@ansible/images.yaml" + + - name: ansible-arm64 + image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0 + commands: + - >- + ansible-playbook /etc/ansible/linux/main.yml + --extra-vars + '{ + "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}", + "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz", + "TARGET_ARCH":"arm64", + "TARGET_VERSION":"v2.1.3" + }' + --extra-vars "@ansible/images.yaml" + + - name: ansible-ppc64le + image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0 + commands: + - >- + ansible-playbook /etc/ansible/linux/main.yml + --extra-vars + '{ + "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}", + "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz", + "TARGET_ARCH":"ppc64le", + "TARGET_VERSION":"v2.1.3" + }' + --extra-vars "@ansible/images.yaml" + +--- +kind: secret +name: REGISTRY_USER_ALIYUN +get: + name: USERNAME + path: devops-registry-aliyun + +--- +kind: secret +name: REGISTRY_PASSWORD_ALIYUN +get: + name: PASSWORD + path: devops-registry-aliyun diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 10d3aa104676a321e27caa36979809d5af6cdc56..82f7ef900f96e01dcc8a50ee9c514c946ef78163 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -1,58 +1,58 @@ -name: Integration test - -on: - pull_request: - push: - -jobs: - integration-test: - runs-on: ubuntu-latest - strategy: - matrix: - k8s_version: [v1.18.2, v1.17.5, v1.16.9] - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Setup Docker - uses: docker-practice/actions-setup-docker@0.0.1 - with: - docker_version: 18.09 - docker_channel: stable - docker_daemon_json: '{"insecure-registries":["0.0.0.0/0"]}' - - - name: Create kind cluster - uses: helm/kind-action@v1.0.0-rc.1 - with: - version: v0.8.1 - node_image: kindest/node:${{ matrix.k8s_version }} - cluster_name: kind-cluster-${{ matrix.k8s_version }} - config: test/integration/kind-cluster.yaml - - - name: Install Nginx ingress controller - run: | - kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.3.0/deploy/static/provider/kind/deploy.yaml - kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s - - - name: Set up Go 1.13 - uses: actions/setup-go@v2 - with: - go-version: 1.13 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Set /etc/hosts - run: | - sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts" - sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts" - - - name: Run integration tests - working-directory: ./test - run: +name: Integration test + +on: + pull_request: + push: + +jobs: + integration-test: + runs-on: ubuntu-latest + strategy: + matrix: + k8s_version: [v1.18.2, v1.17.5, v1.16.9] + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Setup Docker + uses: docker-practice/actions-setup-docker@0.0.1 + with: + docker_version: 18.09 + docker_channel: stable + docker_daemon_json: '{"insecure-registries":["0.0.0.0/0"]}' + + - name: Create kind cluster + uses: helm/kind-action@v1.0.0-rc.1 + with: + version: v0.8.1 + node_image: kindest/node:${{ matrix.k8s_version }} + cluster_name: kind-cluster-${{ matrix.k8s_version }} + config: test/integration/kind-cluster.yaml + + - name: Install Nginx ingress controller + run: | + kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.3.0/deploy/static/provider/kind/deploy.yaml + kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s + + - name: Set up Go 1.13 + uses: actions/setup-go@v2 + with: + go-version: 1.13 + + - name: Cache go mod + uses: actions/cache@v2 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - name: Set /etc/hosts + run: | + sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts" + sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts" + + - name: Run integration tests + working-directory: ./test + run: go test -v -timeout 30m github.com/goharbor/harbor-helm/integration \ No newline at end of file diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 02ea6ac2ff3808942062fc3cb55176ca424551b7..e9f8111b192d1718c13a6f33135ad9eb88cc6c64 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,46 +1,46 @@ -name: Lint - -on: - pull_request: - push: - -jobs: - lint: - runs-on: ubuntu-latest - strategy: - matrix: - helm_version: [3.2.3, 2.16.8] - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - path: harbor - - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: '${{ matrix.helm_version }}' - - - name: Helm version - run: - helm version -c - - - name: Run lint - working-directory: ./harbor - run: - helm lint . - - - name: Update dependency - working-directory: ./harbor - run: - helm dependency update . - - - name: Run template for ingress expose - working-directory: ./harbor - run: - helm template --set "expose.type=ingress" --output-dir $(mktemp -d -t output-XXXXXXXXXX) . - - - name: Run template for nodePort expose - working-directory: ./harbor - run: +name: Lint + +on: + pull_request: + push: + +jobs: + lint: + runs-on: ubuntu-latest + strategy: + matrix: + helm_version: [3.2.3, 2.16.8] + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + path: harbor + + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: '${{ matrix.helm_version }}' + + - name: Helm version + run: + helm version -c + + - name: Run lint + working-directory: ./harbor + run: + helm lint . + + - name: Update dependency + working-directory: ./harbor + run: + helm dependency update . + + - name: Run template for ingress expose + working-directory: ./harbor + run: + helm template --set "expose.type=ingress" --output-dir $(mktemp -d -t output-XXXXXXXXXX) . + + - name: Run template for nodePort expose + working-directory: ./harbor + run: helm template --set "expose.type=nodePort,expose.tls.auto.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) . \ No newline at end of file diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml index 263de0ab0bd1665ee8eb2b0011c3be2e994b3ae7..70e1d064ca75507b8d53f0a3427f82e9b6c27842 100644 --- a/.github/workflows/unittest.yaml +++ b/.github/workflows/unittest.yaml @@ -1,35 +1,35 @@ -name: Unit test - -on: - pull_request: - push: - -jobs: - unit-test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Helm 3.2.3 - uses: azure/setup-helm@v1 - with: - version: '3.2.3' - - - name: Set up Go 1.13 - uses: actions/setup-go@v2 - with: - go-version: 1.13 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Run unit tests - working-directory: ./test - run: - go test -v github.com/goharbor/harbor-helm/unittest +name: Unit test + +on: + pull_request: + push: + +jobs: + unit-test: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Set up Helm 3.2.3 + uses: azure/setup-helm@v1 + with: + version: '3.2.3' + + - name: Set up Go 1.13 + uses: actions/setup-go@v2 + with: + go-version: 1.13 + + - name: Cache go mod + uses: actions/cache@v2 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - name: Run unit tests + working-directory: ./test + run: + go test -v github.com/goharbor/harbor-helm/unittest diff --git a/.gitignore b/.gitignore index abc98e0f59f97b2abe896676e0c678613699584f..79bd21bac969424a42625b9c29cd4a6c94b90941 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -charts/* +charts/* requirements.lock \ No newline at end of file diff --git a/.helmignore b/.helmignore index a59815eab6a5358320dedc91f806d83c973ddd98..15c71f077902192ed6880af34b1ef7b1f7920dbd 100644 --- a/.helmignore +++ b/.helmignore @@ -1,12 +1,12 @@ -docs/* -.git/* -.gitignore -CONTRIBUTING.md -.travis.yaml -test/* -raws/* -.beagle.yml -CONTRIBUTING.md -Deploy.md -.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +.travis.yaml +test/* +raws/* +.beagle.yml +CONTRIBUTING.md +Deploy.md +.github/* values-operator.yaml \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 92e472e8ac3c8a7841bede448690a4a6527eea57..9c711d4af631fb1147e20fd89f7b2e368a08111b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,13 +1,13 @@ -# Contributing to Helm Chart for Harbor - -Please follow [Harbor contributing guide](https://github.com/goharbor/harbor/blob/master/CONTRIBUTING.md) to learn how to make code contribution. - -## Contributers - -Thanks very much to all contributers who submitted pull requests to Helm Chart for Harbor. - -- [Paul Czarkowski @paulczar](https://github.com/paulczar) -- [Luca Innocenti Mirri @lucaim](https://github.com/lucaim) -- [Steven Arnott @ArcticSnowman](https://github.com/ArcticSnowman) -- [Alex M @draeron](https://github.com/draeron) -- [SangJun Yun](https://github.com/YunSangJun) +# Contributing to Helm Chart for Harbor + +Please follow [Harbor contributing guide](https://github.com/goharbor/harbor/blob/master/CONTRIBUTING.md) to learn how to make code contribution. + +## Contributers + +Thanks very much to all contributers who submitted pull requests to Helm Chart for Harbor. + +- [Paul Czarkowski @paulczar](https://github.com/paulczar) +- [Luca Innocenti Mirri @lucaim](https://github.com/lucaim) +- [Steven Arnott @ArcticSnowman](https://github.com/ArcticSnowman) +- [Alex M @draeron](https://github.com/draeron) +- [SangJun Yun](https://github.com/YunSangJun) diff --git a/Chart.yaml b/Chart.yaml index e10c73b37a1c2b60f4366883c40fb252c4193676..508e0d94c08b7f64a1aba49eb4a844c647813578 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,22 +1,22 @@ -apiVersion: v1 -name: beagle-harbor -version: 2.1.3 -appVersion: 2.1.3 -description: An open source trusted cloud native registry that stores, signs, and scans content -keywords: - - docker - - registry - - harbor -home: https://goharbor.io -icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png -sources: - - https://github.com/goharbor/harbor - - https://github.com/goharbor/harbor-helm -maintainers: - - name: Wenkai Yin - email: yinw@vmware.com - - name: Weiwei He - email: hweiwei@vmware.com - - name: Qian Deng - email: dengq@vmware.com -engine: gotpl +apiVersion: v1 +name: beagle-harbor +version: 2.1.3 +appVersion: 2.1.3 +description: An open source trusted cloud native registry that stores, signs, and scans content +keywords: + - docker + - registry + - harbor +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png +sources: + - https://github.com/goharbor/harbor + - https://github.com/goharbor/harbor-helm +maintainers: + - name: Wenkai Yin + email: yinw@vmware.com + - name: Weiwei He + email: hweiwei@vmware.com + - name: Qian Deng + email: dengq@vmware.com +engine: gotpl diff --git a/Deploy.md b/Deploy.md index d2f1b678d42ab521315e59be238890c48d30bbb2..ba604c7350063ba50b8248c0872490ee027228f8 100644 --- a/Deploy.md +++ b/Deploy.md @@ -1,106 +1,106 @@ -# harbor - -## install - -```bash -# 1.install -kubectl create ns devops - -helm install \ ---namespace=devops \ -harbor \ -/etc/kubernetes/helm/beagle-harbor \ --f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml - -# uninstall -helm uninstall \ ---namespace=devops \ -harbor - -# update -helm upgrade \ ---namespace=devops \ -harbor \ -/etc/kubernetes/helm/beagle-harbor \ --f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml - -# template -helm template \ ---namespace=devops \ -harbor \ -/etc/kubernetes/helm/beagle-harbor \ --f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml > /etc/kubernetes/helm/beagle-harbor/dist.yaml - -# package -helm package . -d C:/Tmp/Charts -``` - -## images x86_64 - -```bash -# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor -registry.cn-qingdao.aliyuncs.com/wod/harbor-portal:v2.1.3 -registry.cn-qingdao.aliyuncs.com/wod/harbor-core:v2.1.3 -registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v2.1.3 -registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v2.1.3 - -# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-db -registry.cn-qingdao.aliyuncs.com/wod/harbor-db:v2.1.3 - -# registry -registry.cn-qingdao.aliyuncs.com/wod/registry:2.7.1 - -# gitlab.wodcloud.com/cloud/chartmuseum -registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum:v2.1.3 - -# gitlab.wodcloud.com/cloud/clair -registry.cn-qingdao.aliyuncs.com/wod/harbor-clair:v2.1.3 - -# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-scanner-clair -registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter:v2.1.3 - -# gitlab.wodcloud.com/cloud/harbor-scanner-trivy -registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter:v2.1.3 - -# gitlab.wodcloud.com/cloud/notary -registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server:v2.1.3 -registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer:v2.1.3 - -# redis -registry.cn-qingdao.aliyuncs.com/wod/redis:6.0.9 -``` - -## images arm64 - -```bash -# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor -registry.cn-qingdao.aliyuncs.com/wod/harbor-portal:v2.1.3-arm64 -registry.cn-qingdao.aliyuncs.com/wod/harbor-core:v2.1.3-arm64 -registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v2.1.3-arm64 -registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v2.1.3-arm64 - -# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-db -registry.cn-qingdao.aliyuncs.com/wod/harbor-db:v2.1.3-arm64 - -# registry -registry.cn-qingdao.aliyuncs.com/wod/registry:2.7.1-arm64 - -# gitlab.wodcloud.com/cloud/chartmuseum -registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum:v2.1.3-arm64 - -# gitlab.wodcloud.com/cloud/clair -registry.cn-qingdao.aliyuncs.com/wod/harbor-clair:v2.1.3-arm64 - -# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-scanner-clair -registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter:v2.1.3-arm64 - -# gitlab.wodcloud.com/cloud/harbor-scanner-trivy -registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter:v2.1.3-arm64 - -# gitlab.wodcloud.com/cloud/notary -registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server:v2.1.3-arm64 -registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer:v2.1.3-arm64 - -# redis -registry.cn-qingdao.aliyuncs.com/wod/redis:6.0.9-arm64 -``` +# harbor + +## install + +```bash +# 1.install +kubectl create ns devops + +helm install \ +--namespace=devops \ +harbor \ +/etc/kubernetes/helm/beagle-harbor \ +-f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml + +# uninstall +helm uninstall \ +--namespace=devops \ +harbor + +# update +helm upgrade \ +--namespace=devops \ +harbor \ +/etc/kubernetes/helm/beagle-harbor \ +-f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml + +# template +helm template \ +--namespace=devops \ +harbor \ +/etc/kubernetes/helm/beagle-harbor \ +-f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml > /etc/kubernetes/helm/beagle-harbor/dist.yaml + +# package +helm package . -d C:/Tmp/Charts +``` + +## images x86_64 + +```bash +# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor +registry.cn-qingdao.aliyuncs.com/wod/harbor-portal:v2.1.3 +registry.cn-qingdao.aliyuncs.com/wod/harbor-core:v2.1.3 +registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v2.1.3 +registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v2.1.3 + +# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-db +registry.cn-qingdao.aliyuncs.com/wod/harbor-db:v2.1.3 + +# registry +registry.cn-qingdao.aliyuncs.com/wod/registry:2.7.1 + +# gitlab.wodcloud.com/cloud/chartmuseum +registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum:v2.1.3 + +# gitlab.wodcloud.com/cloud/clair +registry.cn-qingdao.aliyuncs.com/wod/harbor-clair:v2.1.3 + +# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-scanner-clair +registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter:v2.1.3 + +# gitlab.wodcloud.com/cloud/harbor-scanner-trivy +registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter:v2.1.3 + +# gitlab.wodcloud.com/cloud/notary +registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server:v2.1.3 +registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer:v2.1.3 + +# redis +registry.cn-qingdao.aliyuncs.com/wod/redis:6.0.9 +``` + +## images arm64 + +```bash +# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor +registry.cn-qingdao.aliyuncs.com/wod/harbor-portal:v2.1.3-arm64 +registry.cn-qingdao.aliyuncs.com/wod/harbor-core:v2.1.3-arm64 +registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v2.1.3-arm64 +registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v2.1.3-arm64 + +# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-db +registry.cn-qingdao.aliyuncs.com/wod/harbor-db:v2.1.3-arm64 + +# registry +registry.cn-qingdao.aliyuncs.com/wod/registry:2.7.1-arm64 + +# gitlab.wodcloud.com/cloud/chartmuseum +registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum:v2.1.3-arm64 + +# gitlab.wodcloud.com/cloud/clair +registry.cn-qingdao.aliyuncs.com/wod/harbor-clair:v2.1.3-arm64 + +# gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-scanner-clair +registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter:v2.1.3-arm64 + +# gitlab.wodcloud.com/cloud/harbor-scanner-trivy +registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter:v2.1.3-arm64 + +# gitlab.wodcloud.com/cloud/notary +registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server:v2.1.3-arm64 +registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer:v2.1.3-arm64 + +# redis +registry.cn-qingdao.aliyuncs.com/wod/redis:6.0.9-arm64 +``` diff --git a/LICENSE b/LICENSE index 261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64..29f81d812f3e768fa89638d1f72920dbfd1413a8 100644 --- a/LICENSE +++ b/LICENSE @@ -1,201 +1,201 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/REAME.md b/REAME.md index cc9016164f5fb876d8feda9b6614898af55edb77..db5a5812641974a6e7e1b2a94e4455f3aa66fb6a 100644 --- a/REAME.md +++ b/REAME.md @@ -1,354 +1,354 @@ -# Helm Chart for Harbor - -**Notes:** The master branch is in heavy development, please use the other stable versions instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. - -This repository, including the issues, focus on deploying Harbor chart via helm. So for the functionality issues or questions of Harbor, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) - -## Introduction - -This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. - -## Prerequisites - -- Kubernetes cluster 1.16+ -- Helm 2.10.0+ - -## Installation - -### Add Helm repository - -```bash -helm repo add harbor https://helm.goharbor.io -``` - -### Configure the chart - -The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly(need to download the chart first). - -#### Configure the way how to expose Harbor service - -- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. - **Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail. -- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. -- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. -- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. - -#### Configure the external URL - -The external URL for Harbor core service is used to: - -1. populate the docker/helm commands showed on portal -2. populate the token service URL returned to docker/notary client - -Format: `protocol://domain[:port]`. Usually: - -- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` -- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` -- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node -- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider - -If Harbor is deployed behind the proxy, set it as the URL of proxy. - -#### Configure the way how to persistent data - -- **Disable**: The data does not survive the termination of a pod. -- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. -- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. - -#### Configure the other items listed in [configuration](#configuration) section - -### Install the chart - -Install the Harbor helm chart with a release name `my-release`: - -helm 2: - -```bash -helm install --name my-release harbor/harbor -``` - -helm 3: - -```bash -helm install my-release harbor/harbor -``` - -## Uninstallation - -To uninstall/delete the `my-release` deployment: - -helm 2: - -```bash -helm delete --purge my-release -``` - -helm 3: - -``` -helm uninstall my-release -``` - -## Configuration - -The following table lists the configurable parameters of the Harbor chart and the default values. - -| Parameter | Description | Default | -| --------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | --- | ----- | -| **Expose** | -| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | -| `expose.tls.enabled` | Enable the tls or not | `true` | -| `expose.tls.certSource` | The source of the tls certificate. Set it as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the tls certificate automatically 2) secret: read the tls certificate from the specified secret. The tls certificate can be generated manually or by cert manager 3) none: configure no tls certificate for the ingress. If the default tls certificate is configured in the ingress controller, choose this option | `auto` | -| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | -| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | -| `expose.tls.secret.notarySecretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key. Only needed when the `expose.type` is `ingress` | | -| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | -| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` | -| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce` and `ncp` | `default` | -| `expose.ingress.annotations` | The annotations used in ingress | | -| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | -| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` | -| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `443` | -| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | -| `expose.nodePort.name` | The name of NodePort service | `harbor` | -| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` | -| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` | -| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` | -| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` | -| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | -| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` | -| `expose.loadBalancer.name` | The name of service | `harbor` | -| `expose.loadBalancer.IP` | The IP of the loadBalancer. It works only when loadBalancer support assigning IP | `""` | -| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` | -| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `30002` | -| `expose.loadBalancer.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | -| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | -| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | -| **Internal TLS** | -| `internalTLS.enabled` | Enable the tls for the components (chartmuseum, clair, core, jobservice, portal, registry, trivy) | `false` | -| `internalTLS.certSource` | Method to provide tls for the components, options is `auto`, `manual`, `secret`. | `auto` | -| `internalTLS.trustCa` | The content of trust ca, only available when `certSrouce` is `manual`. **Note**: all the internal certificates of the components must be issued by this ca | | -| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.chartmuseum.secretName` | The secret name for chartmuseum component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.chartmuseum.crt` | Content of chartmuseum's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.chartmuseum.key` | Content of chartmuseum's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.clair.secretName` | The secret name for clair component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.clair.crt` | Content of clair's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.clair.key` | Content of clair's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | -| **Persistence** | -| `persistence.enabled` | Enable the data persistence or not | `true` | -| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | -| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | -| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` | -| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` | -| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | -| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | -| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` | -| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and chartmuseum's containers. | | -| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` | -| **General** | -| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | -| `caBundleSecretName` | The custom ca bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components. | | -| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | -| `imagePullPolicy` | The image pull policy | | -| `imagePullSecrets` | The imagePullSecrets names for all deployments | | -| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry and chartmuseum): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | -| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | -| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | -| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the certificate of CA when the certificate isn't generated automatically | | -| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | -| `proxy.httpProxy` | The URL of the HTTP proxy server | | -| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | -| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | -| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, clair | -| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) | -| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | -| `nginx.image.tag` | Image tag | `dev` | -| `nginx.replicas` | The replica count | `1` | -| `nginx.resources` | The [resources] to allocate for container | undefined | -| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | -| `nginx.tolerations` | Tolerations for pod assignment | `[]` | -| `nginx.affinity` | Node/Pod affinities | `{}` | -| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | -| **Portal** | -| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | -| `portal.image.tag` | Tag for portal image | `dev` | -| `portal.replicas` | The replica count | `1` | -| `portal.resources` | The [resources] to allocate for container | undefined | -| `portal.nodeSelector` | Node labels for pod assignment | `{}` | -| `portal.tolerations` | Tolerations for pod assignment | `[]` | -| `portal.affinity` | Node/Pod affinities | `{}` | -| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | -| **Core** | -| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | -| `core.image.tag` | Tag for Harbor core image | `dev` | -| `core.replicas` | The replica count | `1` | -| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | -| `core.resources` | The [resources] to allocate for container | undefined | -| `core.nodeSelector` | Node labels for pod assignment | `{}` | -| `core.tolerations` | Tolerations for pod assignment | `[]` | -| `core.affinity` | Node/Pod affinities | `{}` | -| `core.podAnnotations` | Annotations to add to the core pod | `{}` | -| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | -| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | -| **Jobservice** | -| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | -| `jobservice.image.tag` | Tag for jobservice image | `dev` | -| `jobservice.replicas` | The replica count | `1` | -| `jobservice.maxJobWorkers` | The max job workers | `10` | -| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | -| `jobservice.resources` | The [resources] to allocate for container | undefined | -| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | -| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | -| `jobservice.affinity` | Node/Pod affinities | `{}` | -| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | -| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| **Registry** | -| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | -| `registry.registry.image.tag` | Tag for registry image | -| `registry.registry.resources` | The [resources] to allocate for container | undefined | | `dev` | -| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | -| `registry.controller.image.tag` | Tag for registry controller image | -| `registry.controller.resources` | The [resources] to allocate for container | undefined | | `dev` | -| `registry.replicas` | The replica count | `1` | -| `registry.nodeSelector` | Node labels for pod assignment | `{}` | -| `registry.tolerations` | Tolerations for pod assignment | `[]` | -| `registry.affinity` | Node/Pod affinities | `{}` | -| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | -| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | -| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | -| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | -| `registry.credentials.htpasswd` | The content of htpasswd file based on the value of `registry.credentials.username` `registry.credentials.password`. Currently `helm` does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html): `htpasswd -nbBC10 $username $password`. More details see [official_docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m` | -| **Chartmuseum** | -| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | -| `chartmuseum.absoluteUrl` | If true, ChartMuseum will return absolute URLs. The default behavior is to return relative URLs | `false` | -| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | -| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` | -| `chartmuseum.replicas` | The replica count | `1` | -| `chartmuseum.resources` | The [resources] to allocate for container | undefined | -| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` | -| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | -| `chartmuseum.affinity` | Node/Pod affinities | `{}` | -| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | -| **Clair** | -| `clair.enabled` | Enable Clair | `true` | -| `clair.clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | -| `clair.clair.image.tag` | Tag for clair image | `dev` | -| `clair.clair.resources` | The [resources] to allocate for clair container | | -| `clair.adapter.image.repository` | Repository for clair adapter image | `goharbor/clair-adapter-photon` | -| `clair.adapter.image.tag` | Tag for clair adapter image | `dev` | -| `clair.adapter.resources` | The [resources] to allocate for clair adapter container | | -| `clair.replicas` | The replica count | `1` | -| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` | -| `clair.nodeSelector` | Node labels for pod assignment | `{}` | -| `clair.tolerations` | Tolerations for pod assignment | `[]` | -| `clair.affinity` | Node/Pod affinities | `{}` | -| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` | -| **[Trivy][trivy]** | -| `trivy.enabled` | The flag to enable Trivy scanner | `true` | -| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | -| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | -| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | -| `trivy.replicas` | The number of Pod replicas | `1` | -| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | -| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | -| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | -| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | -| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | -| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | -| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | -| **Notary** | -| `notary.enabled` | Enable Notary? | `true` | -| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | -| `notary.server.image.tag` | Tag for notary server image | `dev` | -| `notary.server.replicas` | The replica count | -| `notary.server.resources` | The [resources] to allocate for container | undefined | | `1` | -| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | -| `notary.signer.image.tag` | Tag for notary signer image | `dev` | -| `notary.signer.replicas` | The replica count | -| `notary.signer.resources` | The [resources] to allocate for container | undefined | | `1` | -| `notary.nodeSelector` | Node labels for pod assignment | `{}` | -| `notary.tolerations` | Tolerations for pod assignment | `[]` | -| `notary.affinity` | Node/Pod affinities | `{}` | -| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | -| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | -| **Database** | -| `database.type` | If external database is used, set it to `external` | `internal` | -| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | -| `database.internal.image.tag` | Tag for database image | `dev` | -| `database.internal.password` | The password for database | `changeit` | -| `database.internal.resources` | The [resources] to allocate for container | undefined | -| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `database.internal.affinity` | Node/Pod affinities | `{}` | -| `database.external.host` | The hostname of external database | `192.168.0.1` | -| `database.external.port` | The port of external database | `5432` | -| `database.external.username` | The username of external database | `user` | -| `database.external.password` | The password of external database | `password` | -| `database.external.coreDatabase` | The database used by core service | `registry` | -| `database.external.clairDatabase` | The database used by clair | `clair` | -| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | -| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | -| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | -| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | -| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | -| `database.podAnnotations` | Annotations to add to the database pod | `{}` | -| **Redis** | -| `redis.type` | If external redis is used, set it to `external` | `internal` | -| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | -| `redis.internal.image.tag` | Tag for redis image | `dev` | -| `redis.internal.resources` | The [resources] to allocate for container | undefined | -| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.internal.affinity` | Node/Pod affinities | `{}` | -| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | -| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | -| `redis.external.coreDatabaseIndex` | The database index for core | `0` | -| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | -| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | -| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | -| `redis.external.clairAdapterIndex` | The database index for clair adapter | `4` | -| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | -| `redis.external.password` | The password of external Redis | | -| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | - -[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -[trivy]: https://github.com/aquasecurity/trivy -[trivy-db]: https://github.com/aquasecurity/trivy-db -[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focus on deploying Harbor chart via helm. So for the functionality issues or questions of Harbor, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.16+ +- Helm 2.10.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly(need to download the chart first). + +#### Configure the way how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker/notary client + +Format: `protocol://domain[:port]`. Usually: + +- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure the way how to persistent data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: + +helm 2: + +```bash +helm install --name my-release harbor/harbor +``` + +helm 3: + +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: + +helm 2: + +```bash +helm delete --purge my-release +``` + +helm 3: + +``` +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| --------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | --- | ----- | +| **Expose** | +| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable the tls or not | `true` | +| `expose.tls.certSource` | The source of the tls certificate. Set it as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the tls certificate automatically 2) secret: read the tls certificate from the specified secret. The tls certificate can be generated manually or by cert manager 3) none: configure no tls certificate for the ingress. If the default tls certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.tls.secret.notarySecretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key. Only needed when the `expose.type` is `ingress` | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce` and `ncp` | `default` | +| `expose.ingress.annotations` | The annotations used in ingress | | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `443` | +| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` | +| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It works only when loadBalancer support assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `30002` | +| `expose.loadBalancer.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | +| `internalTLS.enabled` | Enable the tls for the components (chartmuseum, clair, core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.certSource` | Method to provide tls for the components, options is `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust ca, only available when `certSrouce` is `manual`. **Note**: all the internal certificates of the components must be issued by this ca | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.chartmuseum.secretName` | The secret name for chartmuseum component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.chartmuseum.crt` | Content of chartmuseum's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.chartmuseum.key` | Content of chartmuseum's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.clair.secretName` | The secret name for clair component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.clair.crt` | Content of clair's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.clair.key` | Content of clair's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **Persistence** | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and chartmuseum's containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` | +| **General** | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom ca bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry and chartmuseum): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the certificate of CA when the certificate isn't generated automatically | | +| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, clair | +| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| **Portal** | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| **Core** | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| **Jobservice** | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | | `dev` | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | | `dev` | +| `registry.replicas` | The replica count | `1` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.htpasswd` | The content of htpasswd file based on the value of `registry.credentials.username` `registry.credentials.password`. Currently `helm` does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html): `htpasswd -nbBC10 $username $password`. More details see [official_docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m` | +| **Chartmuseum** | +| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | +| `chartmuseum.absoluteUrl` | If true, ChartMuseum will return absolute URLs. The default behavior is to return relative URLs | `false` | +| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | +| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` | +| `chartmuseum.replicas` | The replica count | `1` | +| `chartmuseum.resources` | The [resources] to allocate for container | undefined | +| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` | +| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | +| `chartmuseum.affinity` | Node/Pod affinities | `{}` | +| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | +| **Clair** | +| `clair.enabled` | Enable Clair | `true` | +| `clair.clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | +| `clair.clair.image.tag` | Tag for clair image | `dev` | +| `clair.clair.resources` | The [resources] to allocate for clair container | | +| `clair.adapter.image.repository` | Repository for clair adapter image | `goharbor/clair-adapter-photon` | +| `clair.adapter.image.tag` | Tag for clair adapter image | `dev` | +| `clair.adapter.resources` | The [resources] to allocate for clair adapter container | | +| `clair.replicas` | The replica count | `1` | +| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` | +| `clair.nodeSelector` | Node labels for pod assignment | `{}` | +| `clair.tolerations` | Tolerations for pod assignment | `[]` | +| `clair.affinity` | Node/Pod affinities | `{}` | +| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` | +| **[Trivy][trivy]** | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| **Notary** | +| `notary.enabled` | Enable Notary? | `true` | +| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | +| `notary.server.image.tag` | Tag for notary server image | `dev` | +| `notary.server.replicas` | The replica count | +| `notary.server.resources` | The [resources] to allocate for container | undefined | | `1` | +| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | +| `notary.signer.image.tag` | Tag for notary signer image | `dev` | +| `notary.signer.replicas` | The replica count | +| `notary.signer.resources` | The [resources] to allocate for container | undefined | | `1` | +| `notary.nodeSelector` | Node labels for pod assignment | `{}` | +| `notary.tolerations` | Tolerations for pod assignment | `[]` | +| `notary.affinity` | Node/Pod affinities | `{}` | +| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | +| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | +| **Database** | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.clairDatabase` | The database used by clair | `clair` | +| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | +| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | +| `redis.external.clairAdapterIndex` | The database index for clair adapter | `4` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.password` | The password of external Redis | | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/ansible/images.yaml b/ansible/images.yaml index d88bf930d7fede79658ad146482aad922a210c32..520a315c76d3bbf8d1decfc02a36999e9b446b02 100644 --- a/ansible/images.yaml +++ b/ansible/images.yaml @@ -1,27 +1,27 @@ -IMAGES: - - repo: harbor-portal - tag: "v2.1.3" - - repo: harbor-core - tag: "v2.1.3" - - repo: harbor-jobservice - tag: "v2.1.3" - - repo: harbor-db - tag: "v2.1.3" - - repo: harbor-registryctl - tag: "v2.1.3" - - repo: harbor-chartmuseum - tag: "v2.1.3" - - repo: harbor-clair - tag: "v2.1.3" - - repo: harbor-clair-adapter - tag: "v2.1.3" - - repo: harbor-trivy-adapter - tag: "v2.1.3" - - repo: harbor-notary-server - tag: "v2.1.3" - - repo: harbor-notary-signer - tag: "v2.1.3" - - repo: registry - tag: "2.7.1" - - repo: redis +IMAGES: + - repo: harbor-portal + tag: "v2.1.3" + - repo: harbor-core + tag: "v2.1.3" + - repo: harbor-jobservice + tag: "v2.1.3" + - repo: harbor-db + tag: "v2.1.3" + - repo: harbor-registryctl + tag: "v2.1.3" + - repo: harbor-chartmuseum + tag: "v2.1.3" + - repo: harbor-clair + tag: "v2.1.3" + - repo: harbor-clair-adapter + tag: "v2.1.3" + - repo: harbor-trivy-adapter + tag: "v2.1.3" + - repo: harbor-notary-server + tag: "v2.1.3" + - repo: harbor-notary-signer + tag: "v2.1.3" + - repo: registry + tag: "2.7.1" + - repo: redis tag: "6.0.9" \ No newline at end of file diff --git a/cert/tls.crt b/cert/tls.crt index de4aa3e098c95e1953a58cedfde73684aa204d9c..7a481cb5e96efb1773ad29ac415601b884e18732 100644 --- a/cert/tls.crt +++ b/cert/tls.crt @@ -1,28 +1,28 @@ ------BEGIN CERTIFICATE----- -MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw -NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o -F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr -PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT -RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q -LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp -UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q -w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc -jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr -vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d -1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN -2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA -AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA -FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL -BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS -Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA -er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY -Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ -qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n -KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB -Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2 -52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1 -2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F -5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX -jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe ------END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw +NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o +F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr +PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT +RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q +LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp +UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q +w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc +jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr +vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d +1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN +2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA +AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA +FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS +Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA +er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY +Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ +qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n +KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB +Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2 +52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1 +2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F +5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX +jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe +-----END CERTIFICATE----- diff --git a/cert/tls.key b/cert/tls.key index 014e2fafb6fa68e6919accd623fa94071140e4e1..5ba90f8530b1d2b4e7a8554260f2540db266f61f 100644 --- a/cert/tls.key +++ b/cert/tls.key @@ -1,51 +1,51 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o -F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr -PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT -RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q -LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp -UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q -w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc -jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr -vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d -1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN -2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA -AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/ -k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4 -MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu -XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz -ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5 -F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K -F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97 -b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5 -fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ -yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um -lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW -YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+ -viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1 -pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+ -/wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA -So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt -DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3 -YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn -IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW -gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf -Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC -oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb -FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN -c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn -YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf -Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl -IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ -rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi -vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj -yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g -1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil -u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M -BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK -OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y -AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e -Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh -cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q -OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04 ------END RSA PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o +F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr +PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT +RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q +LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp +UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q +w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc +jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr +vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d +1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN +2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA +AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/ +k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4 +MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu +XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz +ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5 +F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K +F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97 +b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5 +fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ +yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um +lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW +YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+ +viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1 +pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+ +/wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA +So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt +DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3 +YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn +IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW +gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf +Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC +oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb +FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN +c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn +YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf +Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl +IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ +rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi +vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj +yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g +1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil +u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M +BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK +OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y +AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e +Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh +cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q +OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04 +-----END RSA PRIVATE KEY----- diff --git a/conf/clair.yaml b/conf/clair.yaml index 1cdac9086914ffca661d9333b56d8e56367e208a..e44790eedbedd6b3934928c9ae1d8a27e828005e 100644 --- a/conf/clair.yaml +++ b/conf/clair.yaml @@ -1,16 +1,16 @@ -clair: - database: - type: pgsql - options: - source: "{{ template "harbor.database.clair" . }}" - # Number of elements kept in the cache - # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. - cachesize: 16384 - api: - # API server port - port: 6060 - healthport: 6061 - # Deadline before an API request will respond with a 503 - timeout: 300s - updater: - interval: {{ .Values.clair.updatersInterval }}h +clair: + database: + type: pgsql + options: + source: "{{ template "harbor.database.clair" . }}" + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + api: + # API server port + port: 6060 + healthport: 6061 + # Deadline before an API request will respond with a 503 + timeout: 300s + updater: + interval: {{ .Values.clair.updatersInterval }}h diff --git a/conf/notary-server.json b/conf/notary-server.json index 29a741bdb4fe952cf6550221967691101fcbc5d1..8d87f0a9fb35cf5d220c7120979edfc38a54b919 100644 --- a/conf/notary-server.json +++ b/conf/notary-server.json @@ -1,28 +1,28 @@ -{ - "server": { - "http_addr": ":4443" - }, - "trust_service": { - "type": "remote", - "hostname": "{{ template "harbor.notary-signer" . }}", - "port": "7899", - "tls_ca_file": "/etc/ssl/notary/ca.crt", - "key_algorithm": "ecdsa" - }, - "logging": { - "level": "{{ .Values.logLevel }}" - }, - "storage": { - "backend": "postgres", - "db_url": "{{ template "harbor.database.notaryServer" . }}" - }, - "auth": { - "type": "token", - "options": { - "realm": "{{ .Values.externalURL }}.{{ $.Values.global.host }}/service/token", - "service": "harbor-notary", - "issuer": "harbor-token-issuer", - "rootcertbundle": "/root.crt" - } - } +{ + "server": { + "http_addr": ":4443" + }, + "trust_service": { + "type": "remote", + "hostname": "{{ template "harbor.notary-signer" . }}", + "port": "7899", + "tls_ca_file": "/etc/ssl/notary/ca.crt", + "key_algorithm": "ecdsa" + }, + "logging": { + "level": "{{ .Values.logLevel }}" + }, + "storage": { + "backend": "postgres", + "db_url": "{{ template "harbor.database.notaryServer" . }}" + }, + "auth": { + "type": "token", + "options": { + "realm": "{{ .Values.externalURL }}.{{ $.Values.global.host }}/service/token", + "service": "harbor-notary", + "issuer": "harbor-token-issuer", + "rootcertbundle": "/root.crt" + } + } } \ No newline at end of file diff --git a/conf/notary-signer.json b/conf/notary-signer.json index 75a4d68bdbb0626ebac7f5c3a8bb2588c4645def..f7c560834ff6973700464bb6ba200eadb4e3500a 100644 --- a/conf/notary-signer.json +++ b/conf/notary-signer.json @@ -1,15 +1,15 @@ -{ - "server": { - "grpc_addr": ":7899", - "tls_cert_file": "/etc/ssl/notary/tls.crt", - "tls_key_file": "/etc/ssl/notary/tls.key" - }, - "logging": { - "level": "{{ .Values.logLevel }}" - }, - "storage": { - "backend": "postgres", - "db_url": "{{ template "harbor.database.notarySigner" . }}", - "default_alias": "defaultalias" - } +{ + "server": { + "grpc_addr": ":7899", + "tls_cert_file": "/etc/ssl/notary/tls.crt", + "tls_key_file": "/etc/ssl/notary/tls.key" + }, + "logging": { + "level": "{{ .Values.logLevel }}" + }, + "storage": { + "backend": "postgres", + "db_url": "{{ template "harbor.database.notarySigner" . }}", + "default_alias": "defaultalias" + } } \ No newline at end of file diff --git a/docs/High Availability.md b/docs/High Availability.md index 01c66e0142e97cf24ed6f6ae6a406be8be93f2c1..506fb2fb8279b65e87e1a67b4b8ef6569fe6e330 100644 --- a/docs/High Availability.md +++ b/docs/High Availability.md @@ -1,78 +1,78 @@ ---- -title: Harbor High Availability Guide ---- - -## Goal - -Deploy Harbor on K8S via helm to make it highly available, that is, if one of node that has Harbor's container running becomes un accessible. Users does not experience interrupt of service of Harbor. - -## Prerequisites - -- Kubernetes cluster 1.10+ -- Helm 2.10.0+ -- High available ingress controller (Harbor does not manage the external endpoint) -- High available PostgreSQL database (Harbor does not handle the deployment of HA of database) -- High available Redis (Harbor does not handle the deployment of HA of Redis) -- PVC that can be shared across nodes or external object storage - -## Architecture - -Most of Harbor's components are stateless now. So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods. - -As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts. - -![HA](img/ha.png) - -## Usage - -### Download Chart - -Download Harbor helm chart: - -```bash -helm repo add harbor https://helm.goharbor.io -helm fetch harbor/harbor --untar -``` - -### Configuration - -Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`: - -- **Ingress rule** - Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`. -- **External URL** - Configure the `externalURL`. -- **External PostgreSQL** - Set the `database.type` to `external` and fill the information in `database.external` section. - - Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up. -- **External Redis** - Set the `redis.type` to `external` and fill the information in `redis.external` section. - - As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point. -- **Storage** - By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs. - - If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`. - - If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes. - - You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`. - - If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`. - -- **Replica** - Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2). - -### Installation - -Install the Harbor helm chart with a release name `my-release`: - -helm 2: -```bash -helm install --name my-release . -``` -helm 3: -``` -helm install my-release . -``` +--- +title: Harbor High Availability Guide +--- + +## Goal + +Deploy Harbor on K8S via helm to make it highly available, that is, if one of node that has Harbor's container running becomes un accessible. Users does not experience interrupt of service of Harbor. + +## Prerequisites + +- Kubernetes cluster 1.10+ +- Helm 2.10.0+ +- High available ingress controller (Harbor does not manage the external endpoint) +- High available PostgreSQL database (Harbor does not handle the deployment of HA of database) +- High available Redis (Harbor does not handle the deployment of HA of Redis) +- PVC that can be shared across nodes or external object storage + +## Architecture + +Most of Harbor's components are stateless now. So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods. + +As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts. + +![HA](img/ha.png) + +## Usage + +### Download Chart + +Download Harbor helm chart: + +```bash +helm repo add harbor https://helm.goharbor.io +helm fetch harbor/harbor --untar +``` + +### Configuration + +Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`: + +- **Ingress rule** + Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`. +- **External URL** + Configure the `externalURL`. +- **External PostgreSQL** + Set the `database.type` to `external` and fill the information in `database.external` section. + + Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up. +- **External Redis** + Set the `redis.type` to `external` and fill the information in `redis.external` section. + + As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point. +- **Storage** + By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs. + + If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`. + + If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes. + + You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`. + + If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`. + +- **Replica** + Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2). + +### Installation + +Install the Harbor helm chart with a release name `my-release`: + +helm 2: +```bash +helm install --name my-release . +``` +helm 3: +``` +helm install my-release . +``` diff --git a/docs/Upgrade.md b/docs/Upgrade.md index cf07a3e95243ef57e17906c4418ed6c42bc7ac12..f84a4d1c4d958599586ee3e632124c24bf5b0841 100644 --- a/docs/Upgrade.md +++ b/docs/Upgrade.md @@ -1,67 +1,67 @@ ---- -title: Upgrade Guide ---- - -This guide is used to upgrade Harbor deployed by chart since version 0.3.0. - -## Notes - -- As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid -- The database schema cannot be downgraded automatically, so the `helm rollback` is not supported - -## Upgrade - -### 1. Backup database - -Backup the database used by Harbor in case the upgrade process fails. - -### 2. Download new chart - -Download the latest version of Harbor chart. - -### 3. Configure new chart - -Configure the new chart to make sure that the configuration items have the same values with the old one. - -> Note: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate: - -1) Get the secret name which certificate is stored in: - - ```bash - kubectl get secret - ``` - - Find the secret whose name ends with `-harbor-ingress` (expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`) - -2) Export the secret as yaml file: - - - ```bash - kubectl get secret -o yaml > secret.yaml - ``` - - - -3) Rename the secret by setting `metadata.name` in `secret.yaml` - -4) Create a new secret: - - ```bash - kubectl create -f secret.yaml - ``` - -5) Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step **3** - -### 4. Upgrade - -Run upgrade command: - -```bash -helm upgrade release-name --force . -``` - -> The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30). - -## Known issues - -- The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0. +--- +title: Upgrade Guide +--- + +This guide is used to upgrade Harbor deployed by chart since version 0.3.0. + +## Notes + +- As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid +- The database schema cannot be downgraded automatically, so the `helm rollback` is not supported + +## Upgrade + +### 1. Backup database + +Backup the database used by Harbor in case the upgrade process fails. + +### 2. Download new chart + +Download the latest version of Harbor chart. + +### 3. Configure new chart + +Configure the new chart to make sure that the configuration items have the same values with the old one. + +> Note: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate: + +1) Get the secret name which certificate is stored in: + + ```bash + kubectl get secret + ``` + + Find the secret whose name ends with `-harbor-ingress` (expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`) + +2) Export the secret as yaml file: + + + ```bash + kubectl get secret -o yaml > secret.yaml + ``` + + + +3) Rename the secret by setting `metadata.name` in `secret.yaml` + +4) Create a new secret: + + ```bash + kubectl create -f secret.yaml + ``` + +5) Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step **3** + +### 4. Upgrade + +Run upgrade command: + +```bash +helm upgrade release-name --force . +``` + +> The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30). + +## Known issues + +- The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0. diff --git a/docs/_index.md b/docs/_index.md index 16785fe82a6e0b588c48e1821d444bd8d4e972e4..f4b9166b328b09634beda6de332cf511d18d98d9 100644 --- a/docs/_index.md +++ b/docs/_index.md @@ -1,6 +1,6 @@ ---- -title: Managing Harbor with Helm -weight: 50 ---- - +--- +title: Managing Harbor with Helm +weight: 50 +--- + This documentation focuses on deploying and managing Harbor via [Helm](https://helm.sh). For general documentation for Harbor, please see the [Harbor docs](https://goharbor.io/docs). \ No newline at end of file diff --git a/raws/values-aliyun.yaml b/raws/values-aliyun.yaml index e2745d910f6d52c74e5a5caf191359dc5956cf6c..5078a0b34f3fb1fb0c45b78b582291edc68a2b1d 100644 --- a/raws/values-aliyun.yaml +++ b/raws/values-aliyun.yaml @@ -1,159 +1,159 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.wodcloud.local - notary: notary.wodcloud.local - annotations: - ingress.kubernetes.io/proxy-body-size: "0" - -externalURL: https://hub.wodcloud.local - -persistence: - enabled: true - persistentVolumeClaim: - registry: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - database: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - redis: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - imageChartStorage: - # s3 , filesystem - type: filesystem - s3: - accesskey: AKIAIOSFODNN7EXAMPLE - secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - region: us-east-1 - regionendpoint: http://minio.wodcloud.local - bucket: registry - encrypt: false - v4auth: true - chunksize: '5242880' - rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: "spaceIN511" -secretKey: "IpTIscRIgmerlare" - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.3 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.3 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.3 - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: 2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.3 - -chartmuseum: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum - tag: v2.1.3 - nodeSelector: {} - # nodeSelector: - # harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - clair: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair - tag: v2.1.3 - adapter: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter - tag: v2.1.3 - -trivy: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter - tag: v2.1.3 - -notary: - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server - tag: v2.1.3 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer - tag: v2.1.3 - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.3 - password: "spaceIN511" - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis +expose: + type: ingress + tls: + enabled: false + ingress: + hosts: + core: hub.wodcloud.local + notary: notary.wodcloud.local + annotations: + ingress.kubernetes.io/proxy-body-size: "0" + +externalURL: https://hub.wodcloud.local + +persistence: + enabled: true + persistentVolumeClaim: + registry: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + database: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + redis: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + trivy: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + imageChartStorage: + # s3 , filesystem + type: filesystem + s3: + accesskey: AKIAIOSFODNN7EXAMPLE + secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + region: us-east-1 + regionendpoint: http://minio.wodcloud.local + bucket: registry + encrypt: false + v4auth: true + chunksize: '5242880' + rootdirectory: / + +imagePullPolicy: IfNotPresent + +logLevel: info +harborAdminPassword: "spaceIN511" +secretKey: "IpTIscRIgmerlare" + +portal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal + tag: v2.1.3 + +core: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core + tag: v2.1.3 + +jobservice: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice + tag: v2.1.3 + +registry: + registry: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/registry + tag: 2.7.1 + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + controller: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl + tag: v2.1.3 + +chartmuseum: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum + tag: v2.1.3 + nodeSelector: {} + # nodeSelector: + # harbor: enabled + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data + +clair: + clair: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair + tag: v2.1.3 + adapter: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter + tag: v2.1.3 + +trivy: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter + tag: v2.1.3 + +notary: + server: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server + tag: v2.1.3 + signer: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer + tag: v2.1.3 + +database: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db + tag: v2.1.3 + password: "spaceIN511" + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + +redis: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/redis tag: 6.0.9 \ No newline at end of file diff --git a/raws/values-arm.yaml b/raws/values-arm.yaml index 33d3b8185915f93b843c5cac20a719312daa21e6..4ccc29faf47851e661f8352e9172a566cc8f7321 100644 --- a/raws/values-arm.yaml +++ b/raws/values-arm.yaml @@ -1,159 +1,159 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.wodcloud.local - notary: notary.wodcloud.local - annotations: - ingress.kubernetes.io/proxy-body-size: "0" - -externalURL: https://hub.wodcloud.local - -persistence: - enabled: true - persistentVolumeClaim: - registry: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - database: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - redis: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - imageChartStorage: - # s3 , filesystem - type: filesystem - s3: - accesskey: AKIAIOSFODNN7EXAMPLE - secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - region: us-east-1 - regionendpoint: http://minio.wodcloud.local - bucket: registry - encrypt: false - v4auth: true - chunksize: '5242880' - rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: "spaceIN511" -secretKey: "IpTIscRIgmerlare" - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.3-arm64 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.3-arm64 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.3-arm64 - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: 2.7.1-arm64 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.3-arm64 - -chartmuseum: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum - tag: v2.1.3-arm64 - nodeSelector: {} - # nodeSelector: - # harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - clair: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair - tag: v2.1.3-arm64 - adapter: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter - tag: v2.1.3-arm64 - -trivy: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter - tag: v2.1.3-arm64 - -notary: - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server - tag: v2.1.3-arm64 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer - tag: v2.1.3-arm64 - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.3-arm64 - password: "spaceIN511" - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis +expose: + type: ingress + tls: + enabled: false + ingress: + hosts: + core: hub.wodcloud.local + notary: notary.wodcloud.local + annotations: + ingress.kubernetes.io/proxy-body-size: "0" + +externalURL: https://hub.wodcloud.local + +persistence: + enabled: true + persistentVolumeClaim: + registry: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + database: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + redis: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + trivy: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + imageChartStorage: + # s3 , filesystem + type: filesystem + s3: + accesskey: AKIAIOSFODNN7EXAMPLE + secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + region: us-east-1 + regionendpoint: http://minio.wodcloud.local + bucket: registry + encrypt: false + v4auth: true + chunksize: '5242880' + rootdirectory: / + +imagePullPolicy: IfNotPresent + +logLevel: info +harborAdminPassword: "spaceIN511" +secretKey: "IpTIscRIgmerlare" + +portal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal + tag: v2.1.3-arm64 + +core: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core + tag: v2.1.3-arm64 + +jobservice: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice + tag: v2.1.3-arm64 + +registry: + registry: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/registry + tag: 2.7.1-arm64 + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + controller: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl + tag: v2.1.3-arm64 + +chartmuseum: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum + tag: v2.1.3-arm64 + nodeSelector: {} + # nodeSelector: + # harbor: enabled + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data + +clair: + clair: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair + tag: v2.1.3-arm64 + adapter: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter + tag: v2.1.3-arm64 + +trivy: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter + tag: v2.1.3-arm64 + +notary: + server: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server + tag: v2.1.3-arm64 + signer: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer + tag: v2.1.3-arm64 + +database: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db + tag: v2.1.3-arm64 + password: "spaceIN511" + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + +redis: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/redis tag: 6.0.9-arm64 \ No newline at end of file diff --git a/raws/values-pg.yaml b/raws/values-pg.yaml index 6d4f8a92e22c1bae422eb7ed01e72a26a601b3a3..7c44aafd3fab0e0744077f3cc38414059aeccaa1 100644 --- a/raws/values-pg.yaml +++ b/raws/values-pg.yaml @@ -1,158 +1,158 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.test.wodcloud.com - notary: notary.test.wodcloud.com - annotations: - ingress.kubernetes.io/proxy-body-size: "0" - -externalURL: https://hub.test.wodcloud.com - -persistence: - enabled: true - imageChartStorage: - # s3 , filesystem - type: filesystem - filesystem: - rootdirectory: /data - #s3: - # accesskey: AKIAIOSFODNN7EXAMPLE - # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - # region: us-east-1 - # regionendpoint: https://minio.sxwh.local - # bucket: registry - # encrypt: false - # v4auth: true - # chunksize: '5242880' - # rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: "spaceIN511" -secretKey: "IpTIscRIgmerlare" - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v1.8.2 - replicas: 1 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v1.8.2 - replicas: 1 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v1.8.2 - replicas: 1 - maxJobWorkers: 10 - jobLogger: file - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: 2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: - harbor: enabled - storageSpec: - # type: emptyDir , hostPath , volumeClaimTemplate - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 100Gi - selector: {} - - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v1.8.2 - replicas: 1 - -chartmuseum: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon - tag: v0.9.0-v1.8.2 - replicas: 1 - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon - tag: v2.0.8-v1.8.2 - replicas: 1 - -notary: - enabled: true - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v1.8.2 - password: "spaceIN511" - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 20Gi - selector: {} - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis +expose: + type: ingress + tls: + enabled: false + ingress: + hosts: + core: hub.test.wodcloud.com + notary: notary.test.wodcloud.com + annotations: + ingress.kubernetes.io/proxy-body-size: "0" + +externalURL: https://hub.test.wodcloud.com + +persistence: + enabled: true + imageChartStorage: + # s3 , filesystem + type: filesystem + filesystem: + rootdirectory: /data + #s3: + # accesskey: AKIAIOSFODNN7EXAMPLE + # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + # region: us-east-1 + # regionendpoint: https://minio.sxwh.local + # bucket: registry + # encrypt: false + # v4auth: true + # chunksize: '5242880' + # rootdirectory: / + +imagePullPolicy: IfNotPresent + +logLevel: info +harborAdminPassword: "spaceIN511" +secretKey: "IpTIscRIgmerlare" + +portal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal + tag: v1.8.2 + replicas: 1 + +core: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core + tag: v1.8.2 + replicas: 1 + +jobservice: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice + tag: v1.8.2 + replicas: 1 + maxJobWorkers: 10 + jobLogger: file + +registry: + registry: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/registry + tag: 2.7.1 + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + nodeSelector: + harbor: enabled + storageSpec: + # type: emptyDir , hostPath , volumeClaimTemplate + type: hostPath + emptyDir: {} + hostPath: + root: /data + volumeClaimTemplate: + spec: + storageClassName: rook-ceph-block + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 100Gi + selector: {} + + controller: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl + tag: v1.8.2 + replicas: 1 + +chartmuseum: + enabled: true + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon + tag: v0.9.0-v1.8.2 + replicas: 1 + nodeSelector: + harbor: enabled + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data + +clair: + enabled: true + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon + tag: v2.0.8-v1.8.2 + replicas: 1 + +notary: + enabled: true + server: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon + tag: v0.6.1-v1.8.2 + replicas: 1 + signer: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon + tag: v0.6.1-v1.8.2 + replicas: 1 + +database: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db + tag: v1.8.2 + password: "spaceIN511" + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + nodeSelector: + harbor: enabled + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data + volumeClaimTemplate: + spec: + storageClassName: rook-ceph-block + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 20Gi + selector: {} + +redis: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/redis tag: 4.0.14-alpine \ No newline at end of file diff --git a/raws/values-ppc64le.yaml b/raws/values-ppc64le.yaml index a2f0a3dd3bcdc94d6cb6c57aef7756ed2497f15a..f3f9209beaabd3fea6b39c9d3c5bb45b0726e292 100644 --- a/raws/values-ppc64le.yaml +++ b/raws/values-ppc64le.yaml @@ -1,159 +1,159 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.wodcloud.local - notary: notary.wodcloud.local - annotations: - ingress.kubernetes.io/proxy-body-size: "0" - -externalURL: https://hub.wodcloud.local - -persistence: - enabled: true - persistentVolumeClaim: - registry: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - database: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - redis: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - imageChartStorage: - # s3 , filesystem - type: filesystem - s3: - accesskey: AKIAIOSFODNN7EXAMPLE - secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - region: us-east-1 - regionendpoint: http://minio.wodcloud.local - bucket: registry - encrypt: false - v4auth: true - chunksize: '5242880' - rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: "spaceIN511" -secretKey: "IpTIscRIgmerlare" - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.3-ppc64le - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.3-ppc64le - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.3-ppc64le - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: 2.7.1-ppc64le - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.3-ppc64le - -chartmuseum: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum - tag: v2.1.1-ppc64le - nodeSelector: {} - # nodeSelector: - # harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - clair: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair - tag: v2.1.1-ppc64le - adapter: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter - tag: v2.1.1-ppc64le - -trivy: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter - tag: v2.1.1-ppc64le - -notary: - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server - tag: v2.1.1-ppc64le - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer - tag: v2.1.1-ppc64le - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.3-ppc64le - password: "spaceIN511" - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis +expose: + type: ingress + tls: + enabled: false + ingress: + hosts: + core: hub.wodcloud.local + notary: notary.wodcloud.local + annotations: + ingress.kubernetes.io/proxy-body-size: "0" + +externalURL: https://hub.wodcloud.local + +persistence: + enabled: true + persistentVolumeClaim: + registry: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + database: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + redis: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + trivy: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + imageChartStorage: + # s3 , filesystem + type: filesystem + s3: + accesskey: AKIAIOSFODNN7EXAMPLE + secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + region: us-east-1 + regionendpoint: http://minio.wodcloud.local + bucket: registry + encrypt: false + v4auth: true + chunksize: '5242880' + rootdirectory: / + +imagePullPolicy: IfNotPresent + +logLevel: info +harborAdminPassword: "spaceIN511" +secretKey: "IpTIscRIgmerlare" + +portal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal + tag: v2.1.3-ppc64le + +core: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core + tag: v2.1.3-ppc64le + +jobservice: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice + tag: v2.1.3-ppc64le + +registry: + registry: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/registry + tag: 2.7.1-ppc64le + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + controller: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl + tag: v2.1.3-ppc64le + +chartmuseum: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum + tag: v2.1.1-ppc64le + nodeSelector: {} + # nodeSelector: + # harbor: enabled + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data + +clair: + clair: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair + tag: v2.1.1-ppc64le + adapter: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter + tag: v2.1.1-ppc64le + +trivy: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter + tag: v2.1.1-ppc64le + +notary: + server: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server + tag: v2.1.1-ppc64le + signer: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer + tag: v2.1.1-ppc64le + +database: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db + tag: v2.1.3-ppc64le + password: "spaceIN511" + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + +redis: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/redis tag: 6.0.9-ppc64le \ No newline at end of file diff --git a/raws/values-stolon.yaml b/raws/values-stolon.yaml index cf640ab027a5733ebd445577c828e9db21330bbb..fd20086f930c8f55609be828584571b9263c8e51 100644 --- a/raws/values-stolon.yaml +++ b/raws/values-stolon.yaml @@ -1,143 +1,143 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.test.wodcloud.com - notary: notary.test.wodcloud.com - annotations: - ingress.kubernetes.io/proxy-body-size: "0" - -externalURL: https://hub.test.wodcloud.com - -persistence: - enabled: true - imageChartStorage: - # s3 , filesystem - type: filesystem - filesystem: - rootdirectory: /data - #s3: - # accesskey: AKIAIOSFODNN7EXAMPLE - # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - # region: us-east-1 - # regionendpoint: https://minio.sxwh.local - # bucket: registry - # encrypt: false - # v4auth: true - # chunksize: '5242880' - # rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: "spaceIN511" -secretKey: "IpTIscRIgmerlare" - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v1.8.2 - replicas: 1 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v1.8.2 - replicas: 1 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v1.8.2 - replicas: 1 - maxJobWorkers: 10 - jobLogger: file - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: 2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: - harbor: enabled - storageSpec: - # type: emptyDir , hostPath , volumeClaimTemplate - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 100Gi - selector: {} - - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v1.8.2 - replicas: 1 - -chartmuseum: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon - tag: v0.9.0-v1.8.2 - replicas: 1 - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon - tag: v2.0.8-v1.8.2 - replicas: 1 - -notary: - enabled: true - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - -database: - type: external - external: - host: "stolon-proxy.devops" - port: "5432" - username: "postgres" - password: "spaceIN511" - coreDatabase: "hub_registry" - clairDatabase: "hub_clair" - notaryServerDatabase: "hub_notary_server" - notarySignerDatabase: "hub_notary_signer" - sslmode: "disable" - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis +expose: + type: ingress + tls: + enabled: false + ingress: + hosts: + core: hub.test.wodcloud.com + notary: notary.test.wodcloud.com + annotations: + ingress.kubernetes.io/proxy-body-size: "0" + +externalURL: https://hub.test.wodcloud.com + +persistence: + enabled: true + imageChartStorage: + # s3 , filesystem + type: filesystem + filesystem: + rootdirectory: /data + #s3: + # accesskey: AKIAIOSFODNN7EXAMPLE + # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + # region: us-east-1 + # regionendpoint: https://minio.sxwh.local + # bucket: registry + # encrypt: false + # v4auth: true + # chunksize: '5242880' + # rootdirectory: / + +imagePullPolicy: IfNotPresent + +logLevel: info +harborAdminPassword: "spaceIN511" +secretKey: "IpTIscRIgmerlare" + +portal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal + tag: v1.8.2 + replicas: 1 + +core: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core + tag: v1.8.2 + replicas: 1 + +jobservice: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice + tag: v1.8.2 + replicas: 1 + maxJobWorkers: 10 + jobLogger: file + +registry: + registry: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/registry + tag: 2.7.1 + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + nodeSelector: + harbor: enabled + storageSpec: + # type: emptyDir , hostPath , volumeClaimTemplate + type: hostPath + emptyDir: {} + hostPath: + root: /data + volumeClaimTemplate: + spec: + storageClassName: rook-ceph-block + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 100Gi + selector: {} + + controller: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl + tag: v1.8.2 + replicas: 1 + +chartmuseum: + enabled: true + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon + tag: v0.9.0-v1.8.2 + replicas: 1 + nodeSelector: + harbor: enabled + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data + +clair: + enabled: true + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon + tag: v2.0.8-v1.8.2 + replicas: 1 + +notary: + enabled: true + server: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon + tag: v0.6.1-v1.8.2 + replicas: 1 + signer: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon + tag: v0.6.1-v1.8.2 + replicas: 1 + +database: + type: external + external: + host: "stolon-proxy.devops" + port: "5432" + username: "postgres" + password: "spaceIN511" + coreDatabase: "hub_registry" + clairDatabase: "hub_clair" + notaryServerDatabase: "hub_notary_server" + notarySignerDatabase: "hub_notary_signer" + sslmode: "disable" + +redis: + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/redis tag: 4.0.14-alpine \ No newline at end of file diff --git a/raws/values.yaml b/raws/values.yaml index 17a66ee71af57daac2307c65e0b1ef572dc27892..2329fb3cacdf9391e5638ad3e0bd3e2e2d9f827b 100644 --- a/raws/values.yaml +++ b/raws/values.yaml @@ -1,747 +1,747 @@ -expose: - # Set the way how to expose the service. Set the type as "ingress", - # "clusterIP", "nodePort" or "loadBalancer" and fill the information - # in the corresponding section - type: ingress - tls: - # Enable the tls or not. Note: if the type is "ingress" and the tls - # is disabled, the port must be included in the command when pull/push - # images. Refer to https://github.com/goharbor/harbor/issues/5291 - # for the detail. - enabled: true - # The source of the tls certificate. Set it as "auto", "secret" - # or "none" and fill the information in the corresponding section - # 1) auto: generate the tls certificate automatically - # 2) secret: read the tls certificate from the specified secret. - # The tls certificate can be generated manually or by cert manager - # 3) none: configure no tls certificate for the ingress. If the default - # tls certificate is configured in the ingress controller, choose this option - certSource: auto - auto: - # The common name used to generate the certificate, it's necessary - # when the type isn't "ingress" - commonName: "" - secret: - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - secretName: "" - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # Only needed when the "expose.type" is "ingress". - notarySecretName: "" - ingress: - hosts: - core: core.harbor.domain - notary: notary.harbor.domain - # set to the type of ingress controller if it has specific requirements. - # leave as `default` for most ingress controllers. - # set to `gce` if using the GCE ingress controller - # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller - controller: default - annotations: - ingress.kubernetes.io/ssl-redirect: "true" - ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - clusterIP: - # The name of ClusterIP service - name: harbor - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - nodePort: - # The name of NodePort service - name: harbor - ports: - http: - # The service port Harbor listens on when serving with HTTP - port: 80 - # The node port Harbor listens on when serving with HTTP - nodePort: 30002 - https: - # The service port Harbor listens on when serving with HTTPS - port: 443 - # The node port Harbor listens on when serving with HTTPS - nodePort: 30003 - # Only needed when notary.enabled is set to true - notary: - # The service port Notary listens on - port: 4443 - # The node port Notary listens on - nodePort: 30004 - loadBalancer: - # The name of LoadBalancer service - name: harbor - # Set the IP if the LoadBalancer supports assigning IP - IP: "" - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - annotations: {} - sourceRanges: [] - -# The external URL for Harbor core service. It is used to -# 1) populate the docker/helm commands showed on portal -# 2) populate the token service URL returned to docker/notary client -# -# Format: protocol://domain[:port]. Usually: -# 1) if "expose.type" is "ingress", the "domain" should be -# the value of "expose.ingress.hosts.core" -# 2) if "expose.type" is "clusterIP", the "domain" should be -# the value of "expose.clusterIP.name" -# 3) if "expose.type" is "nodePort", the "domain" should be -# the IP address of k8s node -# -# If Harbor is deployed behind the proxy, set it as the URL of proxy -externalURL: https://core.harbor.domain - -# The internal TLS used for harbor components secure communicating. In order to enable https -# in each components tls cert files need to provided in advance. -internalTLS: - # If internal TLS enabled - enabled: false - # There are three ways to provide tls - # 1) "auto" will generate cert automatically - # 2) "manual" need provide cert file manually in following value - # 3) "secret" internal certificates from secret - certSource: "auto" - # The content of trust ca, only available when `certSource` is "manual" - trustCa: "" - # core related cert configuration - core: - # secret name for core's tls certs - secretName: "" - # Content of core's TLS cert file, only available when `certSource` is "manual" - crt: "" - # Content of core's TLS key file, only available when `certSource` is "manual" - key: "" - # jobservice related cert configuration - jobservice: - # secret name for jobservice's tls certs - secretName: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - key: "" - # registry related cert configuration - registry: - # secret name for registry's tls certs - secretName: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - key: "" - # portal related cert configuration - portal: - # secret name for portal's tls certs - secretName: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - key: "" - # chartmuseum related cert configuration - chartmuseum: - # secret name for chartmuseum's tls certs - secretName: "" - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - key: "" - # clair related cert configuration - clair: - # secret name for clair's tls certs - secretName: "" - # Content of clair's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of clair's TLS key file, only available when `certSource` is "manual" - key: "" - # trivy related cert configuration - trivy: - # secret name for trivy's tls certs - secretName: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - key: "" - -# The persistence is enabled by default and a default StorageClass -# is needed in the k8s cluster to provision volumes dynamicly. -# Specify another StorageClass in the "storageClass" or set "existingClaim" -# if you have already existing persistent volumes to use -# -# For storing images and charts, you can also use "azure", "gcs", "s3", -# "swift" or "oss". Set it in the "imageChartStorage" section -persistence: - enabled: true - # Setting it to "keep" to avoid removing PVCs during a helm delete - # operation. Leaving it empty will delete PVCs after the chart deleted - # (this does not apply for PVCs that are created for internal database - # and redis components, i.e. they are never deleted automatically) - resourcePolicy: "keep" - persistentVolumeClaim: - registry: - # Use the existing PVC which must be created manually before bound, - # and specify the "subPath" if the PVC is shared with other components - existingClaim: "" - # Specify the "storageClass" used to provision the volume. Or the default - # StorageClass will be used(the default). - # Set it to "-" to disable dynamic provisioning - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - # If external database is used, the following settings for database will - # be ignored - database: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - # If external Redis is used, the following settings for Redis will - # be ignored - redis: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: "" - storageClass: "" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - # Define which storage backend is used for registry and chartmuseum to store - # images and charts. Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage - # for the detail. - imageChartStorage: - # Specify whether to disable `redirect` for images and chart storage, for - # backends which not supported it (such as using minio for `s3` storage type), please disable - # it. To disable redirects, simply set `disableredirect` to `true` instead. - # Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect - # for the detail. - disableredirect: false - # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. - # The secret must contain keys named "ca.crt" which will be injected into the trust store - # of registry's and chartmuseum's containers. - # caBundleSecretName: - - # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", - # "oss" and fill the information needed in the corresponding section. The type - # must be "filesystem" if you want to use persistent volumes for registry - # and chartmuseum - type: filesystem - filesystem: - rootdirectory: /storage - #maxthreads: 100 - azure: - accountname: accountname - accountkey: base64encodedaccountkey - container: containername - #realm: core.windows.net - gcs: - bucket: bucketname - # The base64 encoded json file which contains the key - encodedkey: base64-encoded-json-key-file - #rootdirectory: /gcs/object/name/prefix - #chunksize: "5242880" - s3: - region: us-west-1 - bucket: bucketname - #accesskey: awsaccesskey - #secretkey: awssecretkey - #regionendpoint: http://myobjects.local - #encrypt: false - #keyid: mykeyid - #secure: true - #skipverify: false - #v4auth: true - #chunksize: "5242880" - #rootdirectory: /s3/object/name/prefix - #storageclass: STANDARD - #multipartcopychunksize: "33554432" - #multipartcopymaxconcurrency: 100 - #multipartcopythresholdsize: "33554432" - swift: - authurl: https://storage.myprovider.com/v3/auth - username: username - password: password - container: containername - #region: fr - #tenant: tenantname - #tenantid: tenantid - #domain: domainname - #domainid: domainid - #trustid: trustid - #insecureskipverify: false - #chunksize: 5M - #prefix: - #secretkey: secretkey - #accesskey: accesskey - #authversion: 3 - #endpointtype: public - #tempurlcontainerkey: false - #tempurlmethods: - oss: - accesskeyid: accesskeyid - accesskeysecret: accesskeysecret - region: regionname - bucket: bucketname - #endpoint: endpoint - #internal: false - #encrypt: false - #secure: true - #chunksize: 10M - #rootdirectory: rootdirectory - -imagePullPolicy: IfNotPresent - -# Use this set to assign a list of default pullSecrets -imagePullSecrets: -# - name: docker-registry-secret -# - name: internal-registry-secret - -# The update strategy for deployments with persistent volumes(jobservice, registry -# and chartmuseum): "RollingUpdate" or "Recreate" -# Set it as "Recreate" when "RWM" for volumes isn't supported -updateStrategy: - type: RollingUpdate - -# debug, info, warning, error or fatal -logLevel: info - -# The initial password of Harbor admin. Change it from portal after launching Harbor -harborAdminPassword: "Harbor12345" - -# The name of the secret which contains key named "ca.crt". Setting this enables the -# download link on portal to download the certificate of CA when the certificate isn't -# generated automatically -caSecretName: "" - -# The secret key used for encryption. Must be a string of 16 chars. -secretKey: "not-a-secure-key" - -# The proxy settings for updating clair vulnerabilities from the Internet and replicating -# artifacts from/to the registries that cannot be reached directly -proxy: - httpProxy: - httpsProxy: - noProxy: 127.0.0.1,localhost,.local,.internal - components: - - core - - jobservice - - clair - - trivy - -# The custom ca bundle secret, the secret must contain key named "ca.crt" -# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components -# caBundleSecretName: "" - -## UAA Authentication Options -# If you're using UAA for authentication behind a self-signed -# certificate you will need to provide the CA Cert. -# Set uaaSecretName below to provide a pre-created secret that -# contains a base64 encoded CA Certificate named `ca.crt`. -# uaaSecretName: - -# If expose the service via "ingress", the Nginx will not be used -nginx: - image: - repository: goharbor/nginx-photon - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -portal: - image: - repository: goharbor/harbor-portal - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -core: - image: - repository: goharbor/harbor-core - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - ## Startup probe values - startupProbe: - enabled: true - initialDelaySeconds: 10 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when core server communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate and private key for token encryption/decryption. - # The secret must contain keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # The default key pair will be used if it isn't set - secretName: "" - # The XSRF key. Will be generated automatically if it isn't specified - xsrfKey: "" - -jobservice: - image: - repository: goharbor/harbor-jobservice - tag: v2.1.3 - replicas: 1 - # set the service account to be used, default if left empty - serviceAccountName: "" - maxJobWorkers: 10 - # The logger for jobs: "file", "database" or "stdout" - jobLogger: file - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when job service communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - -registry: - # set the service account to be used, default if left empty - serviceAccountName: "" - registry: - image: - repository: goharbor/registry-photon - tag: v2.1.3 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - controller: - image: - repository: goharbor/harbor-registryctl - tag: v2.1.3 - - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used to secure the upload state from client - # and registry storage backend. - # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. - relativeurls: false - credentials: - username: "harbor_registry_user" - password: "harbor_registry_password" - # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash - # e.g. "htpasswd -nbBC10 $username $password" - htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m" - - middleware: - enabled: false - type: cloudFront - cloudFront: - baseurl: example.cloudfront.net - keypairid: KEYPAIRID - duration: 3000s - ipfilteredby: none - # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key - # that allows access to CloudFront - privateKeySecret: "my-secret" - -chartmuseum: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: "" - # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' - absoluteUrl: false - image: - repository: goharbor/chartmuseum-photon - tag: v2.1.3 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -clair: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: "" - clair: - image: - repository: goharbor/clair-photon - tag: v2.1.3 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - adapter: - image: - repository: goharbor/clair-adapter-photon - tag: v2.1.3 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - # The interval of clair updaters, the unit is hour, set to 0 to - # disable the updaters - updatersInterval: 12 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -trivy: - # enabled the flag to enable Trivy scanner - enabled: true - image: - # repository the repository for Trivy adapter image - repository: goharbor/trivy-adapter-photon - # tag the tag for Trivy adapter image - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - # replicas the number of Pod replicas - replicas: 1 - # debugMode the flag to enable Trivy debug mode with more verbose scanning log - debugMode: false - # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. - vulnType: "os,library" - # severity a comma-separated list of severities to be checked - severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - # ignoreUnfixed the flag to display only fixed vulnerabilities - ignoreUnfixed: false - # insecure the flag to skip verifying registry certificate - insecure: false - # gitHubToken the GitHub access token to download Trivy DB - # - # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. - # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached - # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update - # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. - # Currently, the database is updated every 12 hours and published as a new release to GitHub. - # - # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough - # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 - # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult - # https://developer.github.com/v3/#rate-limiting - # - # You can create a GitHub token by following the instructions in - # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line - gitHubToken: "" - # skipUpdate the flag to disable Trivy DB downloads from GitHub - # - # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. - # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the - # `/home/scanner/.cache/trivy/db/trivy.db` path. - skipUpdate: false - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -notary: - enabled: true - server: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/notary-server-photon - tag: v2.1.3 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - signer: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/notary-signer-photon - tag: v2.1.3 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate authority, certificate and private key for notary - # communications. - # The secret must contain keys named ca.crt, tls.crt and tls.key that - # contain the CA, certificate and private key. - # They will be generated if not set. - secretName: "" - -database: - # if external database is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/harbor-db - tag: v2.1.3 - # The initial superuser password for internal database - password: "changeit" - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - host: "192.168.0.1" - port: "5432" - username: "user" - password: "password" - coreDatabase: "registry" - clairDatabase: "clair" - notaryServerDatabase: "notary_server" - notarySignerDatabase: "notary_signer" - # "disable" - No SSL - # "require" - Always SSL (skip verification) - # "verify-ca" - Always SSL (verify that the certificate presented by the - # server was signed by a trusted CA) - # "verify-full" - Always SSL (verify that the certification presented by the - # server was signed by a trusted CA and the server host name matches the one - # in the certificate) - sslmode: "disable" - # The maximum number of connections in the idle connection pool. - # If it <=0, no idle connections are retained. - maxIdleConns: 50 - # The maximum number of open connections to the database. - # If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgre of harbor. - maxOpenConns: 1000 - ## Additional deployment annotations - podAnnotations: {} - -redis: - # if external Redis is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: goharbor/redis-photon - tag: v2.1.3 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - # support redis, redis+sentinel - # addr for redis: : - # addr for redis+sentinel: :,:,: - addr: "192.168.0.2:6379" - # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel - sentinelMasterSet: "" - # The "coreDatabaseIndex" must be "0" as the library Harbor - # used doesn't support configuring it - coreDatabaseIndex: "0" - jobserviceDatabaseIndex: "1" - registryDatabaseIndex: "2" - chartmuseumDatabaseIndex: "3" - clairAdapterIndex: "4" - trivyAdapterIndex: "5" - password: "" - ## Additional deployment annotations - podAnnotations: {} - -commonLabels: +expose: + # Set the way how to expose the service. Set the type as "ingress", + # "clusterIP", "nodePort" or "loadBalancer" and fill the information + # in the corresponding section + type: ingress + tls: + # Enable the tls or not. Note: if the type is "ingress" and the tls + # is disabled, the port must be included in the command when pull/push + # images. Refer to https://github.com/goharbor/harbor/issues/5291 + # for the detail. + enabled: true + # The source of the tls certificate. Set it as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # Only needed when the "expose.type" is "ingress". + notarySecretName: "" + ingress: + hosts: + core: core.harbor.domain + notary: notary.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + controller: default + annotations: + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + clusterIP: + # The name of ClusterIP service + name: harbor + ports: + # The service port Harbor listens on when serving with HTTP + httpPort: 80 + # The service port Harbor listens on when serving with HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving with HTTP + port: 80 + # The node port Harbor listens on when serving with HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving with HTTPS + port: 443 + # The node port Harbor listens on when serving with HTTPS + nodePort: 30003 + # Only needed when notary.enabled is set to true + notary: + # The service port Notary listens on + port: 4443 + # The node port Notary listens on + nodePort: 30004 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving with HTTP + httpPort: 80 + # The service port Harbor listens on when serving with HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker/notary client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each components tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # chartmuseum related cert configuration + chartmuseum: + # secret name for chartmuseum's tls certs + secretName: "" + # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" + key: "" + # clair related cert configuration + clair: + # secret name for clair's tls certs + secretName: "" + # Content of clair's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of clair's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamicly. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you have already existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used(the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + # Define which storage backend is used for registry and chartmuseum to store + # images and charts. Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's and chartmuseum's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + # and chartmuseum + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + s3: + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry +# and chartmuseum): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the certificate of CA when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" + +# The proxy settings for updating clair vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - clair + - trivy + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If expose the service via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +core: + image: + repository: goharbor/harbor-core + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # The default key pair will be used if it isn't set + secretName: "" + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.1.3 + replicas: 1 + # set the service account to be used, default if left empty + serviceAccountName: "" + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLogger: file + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + registry: + image: + repository: goharbor/registry-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.1.3 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash + # e.g. "htpasswd -nbBC10 $username $password" + htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m" + + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + +chartmuseum: + enabled: true + # set the service account to be used, default if left empty + serviceAccountName: "" + # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' + absoluteUrl: false + image: + repository: goharbor/chartmuseum-photon + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +clair: + enabled: true + # set the service account to be used, default if left empty + serviceAccountName: "" + clair: + image: + repository: goharbor/clair-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + adapter: + image: + repository: goharbor/clair-adapter-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + # The interval of clair updaters, the unit is hour, set to 0 to + # disable the updaters + updatersInterval: 12 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +notary: + enabled: true + server: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/notary-server-photon + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + signer: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/notary-signer-photon + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named ca.crt, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. + secretName: "" + +database: + # if external database is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/harbor-db + tag: v2.1.3 + # The initial superuser password for internal database + password: "changeit" + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + clairDatabase: "clair" + notaryServerDatabase: "notary_server" + notarySignerDatabase: "notary_signer" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool. + # If it <=0, no idle connections are retained. + maxIdleConns: 50 + # The maximum number of open connections to the database. + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 1000 + ## Additional deployment annotations + podAnnotations: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: goharbor/redis-photon + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + chartmuseumDatabaseIndex: "3" + clairAdapterIndex: "4" + trivyAdapterIndex: "5" + password: "" + ## Additional deployment annotations + podAnnotations: {} + +commonLabels: app.bd-apaas.com/cluster-component: registry \ No newline at end of file diff --git a/templates/NOTES.txt b/templates/NOTES.txt index 7a45c99da15a14da2e177490b8b8b3765e31da1b..d32387ef2e60765da408527d1c66c78a6bf32617 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -1,3 +1,3 @@ -Please wait for several minutes for Harbor deployment to complete. -Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.{{ $.Values.global.host }} -For more details, please visit https://github.com/goharbor/harbor +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.{{ $.Values.global.host }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index f9e79d581cd124289a7498508cfc901312f4662b..b1d119b68f3e89228f6d840b697884569260ecb9 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -1,597 +1,597 @@ -{{/* -Create chart imageArch suffix. -*/}} -{{- define ".beagle.imageArch" -}} -{{- if not (eq "amd64" .Values.global.imageArch) -}} -{{- print "-" .Values.global.imageArch -}} -{{- else -}} -{{- print "" -}} -{{- end -}} -{{- end }} - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "harbor.name" -}} -{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "harbor.fullname" -}} -{{- $name := default "harbor" .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Helm required labels */}} -{{- define "harbor.labels" -}} -heritage: {{ .Release.Service }} -release: {{ .Release.Name }} -chart: {{ .Chart.Name }} -app: "{{ template "harbor.name" . }}" -{{- if .Values.commonLabels}} -{{ toYaml .Values.commonLabels }} -{{- end }} -{{- end -}} - -{{/* matchLabels */}} -{{- define "harbor.matchLabels" -}} -release: {{ .Release.Name }} -app: "{{ template "harbor.name" . }}" -{{- end -}} - -{{- define "harbor.autoGenCert" -}} - {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.autoGenCertForIngress" -}} - {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.autoGenCertForNginx" -}} - {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.host" -}} - {{- if eq .Values.database.type "internal" -}} - {{- template "harbor.database" . }} - {{- else -}} - {{- .Values.database.external.host -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.port" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "5432" -}} - {{- else -}} - {{- .Values.database.external.port -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.username" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "postgres" -}} - {{- else -}} - {{- .Values.database.external.username -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.rawPassword" -}} - {{- if eq .Values.database.type "internal" -}} - {{- .Values.database.internal.password -}} - {{- else -}} - {{- .Values.database.external.password -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.escapedRawPassword" -}} - {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} -{{- end -}} - -{{- define "harbor.database.encryptedPassword" -}} - {{- include "harbor.database.rawPassword" . | b64enc | quote -}} -{{- end -}} - -{{- define "harbor.database.coreDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "registry" -}} - {{- else -}} - {{- .Values.database.external.coreDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.clairDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "postgres" -}} - {{- else -}} - {{- .Values.database.external.clairDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.notaryServerDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "notaryserver" -}} - {{- else -}} - {{- .Values.database.external.notaryServerDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.notarySignerDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "notarysigner" -}} - {{- else -}} - {{- .Values.database.external.notarySignerDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.sslmode" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "disable" -}} - {{- else -}} - {{- .Values.database.external.sslmode -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.clair" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.database.notaryServer" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.database.notarySigner" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.redis.scheme" -}} - {{- with .Values.redis }} - {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} - {{- end }} -{{- end -}} - -/*host:port*/ -{{- define "harbor.redis.addr" -}} - {{- with .Values.redis }} - {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.masterSet" -}} - {{- with .Values.redis }} - {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.password" -}} - {{- with .Values.redis }} - {{- ternary "" .external.password (eq .type "internal") }} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]host:port[/master_set]*/ -{{- define "harbor.redis.url" -}} - {{- with .Values.redis }} - {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} - {{- $cred := ternary (printf "redis:%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} - {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForCore" -}} - {{- with .Values.redis }} - {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index*/ -{{- define "harbor.redis.urlForJobservice" -}} - {{- with .Values.redis }} - {{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForRegistry" -}} - {{- with .Values.redis }} - {{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForClair" -}} - {{- with .Values.redis }} - {{- $index := ternary "4" .external.clairAdapterIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForTrivy" -}} - {{- with .Values.redis }} - {{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.dbForRegistry" -}} - {{- with .Values.redis }} - {{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.dbForChartmuseum" -}} - {{- with .Values.redis }} - {{- ternary "3" .external.chartmuseumDatabaseIndex (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.portal" -}} - {{- printf "%s-portal" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.core" -}} - {{- printf "%s-core" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.redis" -}} - {{- printf "%s-redis" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.jobservice" -}} - {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.registry" -}} - {{- printf "%s-registry" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.chartmuseum" -}} - {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.database" -}} - {{- printf "%s-database" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.clair" -}} - {{- printf "%s-clair" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.trivy" -}} - {{- printf "%s-trivy" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.notary-server" -}} - {{- printf "%s-notary-server" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.notary-signer" -}} - {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.nginx" -}} - {{- printf "%s-nginx" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.ingress" -}} - {{- printf "%s-ingress" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.ingress-notary" -}} - {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.noProxy" -}} - {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.chartmuseum" .) (include "harbor.clair" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) .Values.proxy.noProxy -}} -{{- end -}} - -{{- define "harbor.caBundleVolume" -}} -- name: ca-bundle-certs - secret: - secretName: {{ .Values.caBundleSecretName }} -{{- end -}} - -{{- define "harbor.caBundleVolumeMount" -}} -- name: ca-bundle-certs - mountPath: /harbor_cust_cert/custom-ca.crt - subPath: ca.crt -{{- end -}} - -{{/* scheme for all components except notary because it only support http mode */}} -{{- define "harbor.component.scheme" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "https" -}} - {{- else -}} - {{- printf "http" -}} - {{- end -}} -{{- end -}} - -{{/* chartmuseum component container port */}} -{{- define "harbor.chartmuseum.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "9443" -}} - {{- else -}} - {{- printf "9999" -}} - {{- end -}} -{{- end -}} - -{{/* chartmuseum component service port */}} -{{- define "harbor.chartmuseum.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* clair adapter component container port */}} -{{- define "harbor.clairAdapter.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* clair adapter component service port */}} -{{- define "harbor.clairAdapter.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* core component container port */}} -{{- define "harbor.core.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* core component service port */}} -{{- define "harbor.core.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* jobservice component container port */}} -{{- define "harbor.jobservice.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* jobservice component service port */}} -{{- define "harbor.jobservice.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* portal component container port */}} -{{- define "harbor.portal.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* portal component service port */}} -{{- define "harbor.portal.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* registry component container port */}} -{{- define "harbor.registry.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "5443" -}} - {{- else -}} - {{- printf "5000" -}} - {{- end -}} -{{- end -}} - -{{/* registry component service port */}} -{{- define "harbor.registry.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "5443" -}} - {{- else -}} - {{- printf "5000" -}} - {{- end -}} -{{- end -}} - -{{/* registryctl component container port */}} -{{- define "harbor.registryctl.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* registryctl component service port */}} -{{- define "harbor.registryctl.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* trivy component container port */}} -{{- define "harbor.trivy.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* trivy component service port */}} -{{- define "harbor.trivy.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* CLAIR_ADAPTER_URL */}} -{{- define "harbor.clairAdapterURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.clair" .) (include "harbor.clairAdapter.servicePort" .) -}} -{{- end -}} - -{{/* CORE_URL */}} -{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} -{{- define "harbor.coreURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} -{{- end -}} - -{{/* JOBSERVICE_URL */}} -{{- define "harbor.jobserviceURL" -}} - {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} -{{- end -}} - -{{/* PORTAL_URL */}} -{{- define "harbor.portalURL" -}} - {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} -{{- end -}} - -{{/* REGISTRY_URL */}} -{{- define "harbor.registryURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} -{{- end -}} - -{{/* REGISTRY_CONTROLLER_URL */}} -{{- define "harbor.registryControllerURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} -{{- end -}} - -{{/* TOKEN_SERVICE_URL */}} -{{- define "harbor.tokenServiceURL" -}} - {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} -{{- end -}} - -{{/* TRIVY_ADAPTER_URL */}} -{{- define "harbor.trivyAdapterURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} -{{- end -}} - -{{- define "harbor.internalTLS.chartmuseum.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.chartmuseum.secretName -}} - {{- else -}} - {{- printf "%s-chartmuseum-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.clair.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.clair.secretName -}} - {{- else -}} - {{- printf "%s-clair-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.core.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.core.secretName -}} - {{- else -}} - {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.jobservice.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.jobservice.secretName -}} - {{- else -}} - {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.portal.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.portal.secretName -}} - {{- else -}} - {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.registry.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.registry.secretName -}} - {{- else -}} - {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.trivy.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.trivy.secretName -}} - {{- else -}} - {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsCoreSecretForIngress" -}} - {{- if eq .Values.expose.tls.certSource "none" -}} - {{- printf "" -}} - {{- else if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.secretName -}} - {{- else -}} - {{- include "harbor.ingress" . -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsNotarySecretForIngress" -}} - {{- if eq .Values.expose.tls.certSource "none" -}} - {{- printf "" -}} - {{- else if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.notarySecretName -}} - {{- else -}} - {{- include "harbor.ingress" . -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsSecretForNginx" -}} - {{- if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.secretName -}} - {{- else -}} - {{- include "harbor.nginx" . -}} - {{- end -}} -{{- end -}} +{{/* +Create chart imageArch suffix. +*/}} +{{- define ".beagle.imageArch" -}} +{{- if not (eq "amd64" .Values.global.imageArch) -}} +{{- print "-" .Values.global.imageArch -}} +{{- else -}} +{{- print "" -}} +{{- end -}} +{{- end }} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.fullname" -}} +{{- $name := default "harbor" .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- if .Values.commonLabels}} +{{ toYaml .Values.commonLabels }} +{{- end }} +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- .Values.database.internal.password -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.clairDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.clairDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notaryServerDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "notaryserver" -}} + {{- else -}} + {{- .Values.database.external.notaryServerDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notarySignerDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "notarysigner" -}} + {{- else -}} + {{- .Values.database.external.notarySignerDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.clair" -}} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +{{- end -}} + +{{- define "harbor.database.notaryServer" -}} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +{{- end -}} + +{{- define "harbor.database.notarySigner" -}} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + +/*scheme://[redis:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- $cred := ternary (printf "redis:%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[redis:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForClair" -}} + {{- with .Values.redis }} + {{- $index := ternary "4" .external.clairAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForChartmuseum" -}} + {{- with .Values.redis }} + {{- ternary "3" .external.chartmuseumDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.chartmuseum" -}} + {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.clair" -}} + {{- printf "%s-clair" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-server" -}} + {{- printf "%s-notary-server" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-signer" -}} + {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress-notary" -}} + {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.chartmuseum" .) (include "harbor.clair" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components except notary because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* chartmuseum component container port */}} +{{- define "harbor.chartmuseum.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "9443" -}} + {{- else -}} + {{- printf "9999" -}} + {{- end -}} +{{- end -}} + +{{/* chartmuseum component service port */}} +{{- define "harbor.chartmuseum.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* clair adapter component container port */}} +{{- define "harbor.clairAdapter.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* clair adapter component service port */}} +{{- define "harbor.clairAdapter.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CLAIR_ADAPTER_URL */}} +{{- define "harbor.clairAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.clair" .) (include "harbor.clairAdapter.servicePort" .) -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.chartmuseum.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.chartmuseum.secretName -}} + {{- else -}} + {{- printf "%s-chartmuseum-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.clair.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.clair.secretName -}} + {{- else -}} + {{- printf "%s-clair-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsNotarySecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.notarySecretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} diff --git a/templates/chartmuseum/chartmuseum-cm.yaml b/templates/chartmuseum/chartmuseum-cm.yaml index 3eb38685f8be05a9267f298d75119a3cd8103f1f..97c46da2397f3998e5fcd5e060d42e77149ef36d 100644 --- a/templates/chartmuseum/chartmuseum-cm.yaml +++ b/templates/chartmuseum/chartmuseum-cm.yaml @@ -1,113 +1,113 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - PORT: "{{ template "harbor.chartmuseum.containerPort" . }}" -{{- if .Values.internalTLS.enabled }} - TLS_CERT: "/etc/harbor/ssl/chartmuseum/tls.crt" - TLS_KEY: "/etc/harbor/ssl/chartmuseum/tls.key" -{{- end }} - {{- if eq "redis" (include "harbor.redis.scheme" .) }} - CACHE: "redis" - {{- else }} - CACHE: "redis_sentinel" - CACHE_REDIS_MASTERNAME: "{{ template "harbor.redis.masterSet" . }}" - {{- end }} - CACHE_REDIS_ADDR: "{{ template "harbor.redis.addr" . }}" - CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}" - BASIC_AUTH_USER: "chart_controller" -{{- if .Values.chartmuseum.absoluteUrl }} - CHART_URL: {{ .Values.externalURL }}.{{ $.Values.global.host }}/chartrepo -{{- end }} - DEPTH: "1" -{{- if eq .Values.logLevel "debug" }} - DEBUG: "true" -{{- else }} - DEBUG: "false" -{{- end }} - LOG_JSON: "true" - DISABLE_METRICS: "false" - DISABLE_API: "false" - DISABLE_STATEFILES: "false" - ALLOW_OVERWRITE: "true" - AUTH_ANONYMOUS_GET: "false" - CONTEXT_PATH: "" - INDEX_LIMIT: "0" - MAX_STORAGE_OBJECTS: "0" - MAX_UPLOAD_SIZE: "20971520" - CHART_POST_FORM_FIELD_NAME: "chart" - PROV_POST_FORM_FIELD_NAME: "prov" -{{- $storage := .Values.persistence.imageChartStorage }} -{{- $storageType := $storage.type }} -{{- if eq $storageType "filesystem" }} - STORAGE: "local" - STORAGE_LOCAL_ROOTDIR: "/chart_storage" -{{- else if eq $storageType "azure" }} - STORAGE: "microsoft" - STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }} - AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }} - AZURE_BASE_URL: {{ $storage.azure.realm }} - STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts" -{{- else if eq $storageType "gcs" }} - STORAGE: "google" - STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} - GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json - {{- if $storage.gcs.rootdirectory }} - STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} - {{- end }} -{{- else if eq $storageType "s3" }} - STORAGE: "amazon" - STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }} - {{- if $storage.s3.rootdirectory }} - STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }} - {{- end }} - STORAGE_AMAZON_REGION: {{ $storage.s3.region }} - {{- if $storage.s3.regionendpoint }} - STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }} - {{- end }} - {{- if $storage.s3.accesskey }} - AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }} - {{- end }} - {{- if $storage.s3.keyid }} - STORAGE_AMAZON_SSE: aws:kms - {{- end }} -{{- else if eq $storageType "swift" }} - STORAGE: "openstack" - STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }} - {{- if $storage.swift.prefix }} - STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }} - {{- end }} - {{- if $storage.swift.region }} - STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }} - {{- end }} - OS_AUTH_URL: {{ $storage.swift.authurl }} - OS_USERNAME: {{ $storage.swift.username }} - {{- if $storage.swift.tenantid }} - OS_PROJECT_ID: {{ $storage.swift.tenantid }} - {{- end }} - {{- if $storage.swift.tenant }} - OS_PROJECT_NAME: {{ $storage.swift.tenant }} - {{- end }} - {{- if $storage.swift.domainid }} - OS_DOMAIN_ID: {{ $storage.swift.domainid }} - {{- end }} - {{- if $storage.swift.domain }} - OS_DOMAIN_NAME: {{ $storage.swift.domain }} - {{- end }} -{{- else if eq $storageType "oss" }} - STORAGE: "alibaba" - STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }} - {{- if $storage.oss.rootdirectory }} - STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }} - {{- end }} - {{- if $storage.oss.endpoint }} - STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }} - {{- end }} - ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }} -{{- end }} - STORAGE_TIMESTAMP_TOLERANCE: 1s -{{- end }} +{{- if .Values.chartmuseum.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.chartmuseum" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + PORT: "{{ template "harbor.chartmuseum.containerPort" . }}" +{{- if .Values.internalTLS.enabled }} + TLS_CERT: "/etc/harbor/ssl/chartmuseum/tls.crt" + TLS_KEY: "/etc/harbor/ssl/chartmuseum/tls.key" +{{- end }} + {{- if eq "redis" (include "harbor.redis.scheme" .) }} + CACHE: "redis" + {{- else }} + CACHE: "redis_sentinel" + CACHE_REDIS_MASTERNAME: "{{ template "harbor.redis.masterSet" . }}" + {{- end }} + CACHE_REDIS_ADDR: "{{ template "harbor.redis.addr" . }}" + CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}" + BASIC_AUTH_USER: "chart_controller" +{{- if .Values.chartmuseum.absoluteUrl }} + CHART_URL: {{ .Values.externalURL }}.{{ $.Values.global.host }}/chartrepo +{{- end }} + DEPTH: "1" +{{- if eq .Values.logLevel "debug" }} + DEBUG: "true" +{{- else }} + DEBUG: "false" +{{- end }} + LOG_JSON: "true" + DISABLE_METRICS: "false" + DISABLE_API: "false" + DISABLE_STATEFILES: "false" + ALLOW_OVERWRITE: "true" + AUTH_ANONYMOUS_GET: "false" + CONTEXT_PATH: "" + INDEX_LIMIT: "0" + MAX_STORAGE_OBJECTS: "0" + MAX_UPLOAD_SIZE: "20971520" + CHART_POST_FORM_FIELD_NAME: "chart" + PROV_POST_FORM_FIELD_NAME: "prov" +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $storageType := $storage.type }} +{{- if eq $storageType "filesystem" }} + STORAGE: "local" + STORAGE_LOCAL_ROOTDIR: "/chart_storage" +{{- else if eq $storageType "azure" }} + STORAGE: "microsoft" + STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }} + AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }} + AZURE_BASE_URL: {{ $storage.azure.realm }} + STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts" +{{- else if eq $storageType "gcs" }} + STORAGE: "google" + STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} + GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json + {{- if $storage.gcs.rootdirectory }} + STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} + {{- end }} +{{- else if eq $storageType "s3" }} + STORAGE: "amazon" + STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }} + {{- if $storage.s3.rootdirectory }} + STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }} + {{- end }} + STORAGE_AMAZON_REGION: {{ $storage.s3.region }} + {{- if $storage.s3.regionendpoint }} + STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.accesskey }} + AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }} + {{- end }} + {{- if $storage.s3.keyid }} + STORAGE_AMAZON_SSE: aws:kms + {{- end }} +{{- else if eq $storageType "swift" }} + STORAGE: "openstack" + STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }} + {{- if $storage.swift.prefix }} + STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.region }} + STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }} + {{- end }} + OS_AUTH_URL: {{ $storage.swift.authurl }} + OS_USERNAME: {{ $storage.swift.username }} + {{- if $storage.swift.tenantid }} + OS_PROJECT_ID: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.tenant }} + OS_PROJECT_NAME: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.domainid }} + OS_DOMAIN_ID: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.domain }} + OS_DOMAIN_NAME: {{ $storage.swift.domain }} + {{- end }} +{{- else if eq $storageType "oss" }} + STORAGE: "alibaba" + STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }} + {{- if $storage.oss.rootdirectory }} + STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- if $storage.oss.endpoint }} + STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }} + {{- end }} + ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }} +{{- end }} + STORAGE_TIMESTAMP_TOLERANCE: 1s +{{- end }} diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml index 4c9aeb390f2f5b6731b4efd33cbecb705dec963d..85ac70e256176748eec5c202bc39821bb77435c8 100644 --- a/templates/chartmuseum/chartmuseum-dpl.yaml +++ b/templates/chartmuseum/chartmuseum-dpl.yaml @@ -1,169 +1,169 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: chartmuseum -spec: - replicas: {{ .Values.chartmuseum.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: chartmuseum - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: chartmuseum - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.chartmuseum.podAnnotations }} -{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.chartmuseum.serviceAccountName }} - serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: chartmuseum -{{- if contains "/" .Values.chartmuseum.image.repository }} - image: "{{ .Values.chartmuseum.image.repository }}" -{{- else }} - image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.chartmuseum.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.chartmuseum.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.chartmuseum.resources }} - resources: -{{ toYaml .Values.chartmuseum.resources | indent 10 }} -{{- end }} - envFrom: - - configMapRef: - name: "{{ template "harbor.chartmuseum" . }}" - - secretRef: - name: "{{ template "harbor.chartmuseum" . }}" - env: - {{- if has "chartmuseum" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/chartmuseum/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/chartmuseum/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/chartmuseum/ca.crt - {{- end }} - - name: BASIC_AUTH_PASS - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280) - name: AWS_SDK_LOAD_CONFIG - value: "1" - ports: - - containerPort: {{ template "harbor.chartmuseum.containerPort" . }} - volumeMounts: - - name: chartmuseum-data - mountPath: /chart_storage - subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }} - {{- if .Values.internalTLS.enabled }} - - name: chart-internal-certs - mountPath: /etc/harbor/ssl/chartmuseum - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/chartmuseum/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: chartmuseum-data - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: chart-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }} - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: GCS_KEY_DATA - path: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - secret: - secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.chartmuseum.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- end }} +{{- if .Values.chartmuseum.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.chartmuseum" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: chartmuseum +spec: + replicas: {{ .Values.chartmuseum.replicas }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: chartmuseum + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: chartmuseum + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.chartmuseum.podAnnotations }} +{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + fsGroup: 10000 +{{- if .Values.chartmuseum.serviceAccountName }} + serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: chartmuseum +{{- if contains "/" .Values.chartmuseum.image.repository }} + image: "{{ .Values.chartmuseum.image.repository }}" +{{- else }} + image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + livenessProbe: + httpGet: + path: /health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.chartmuseum.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.chartmuseum.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.chartmuseum.resources }} + resources: +{{ toYaml .Values.chartmuseum.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.chartmuseum" . }}" + - secretRef: + name: "{{ template "harbor.chartmuseum" . }}" + env: + {{- if has "chartmuseum" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/chartmuseum/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/chartmuseum/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/chartmuseum/ca.crt + {{- end }} + - name: BASIC_AUTH_PASS + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280) + name: AWS_SDK_LOAD_CONFIG + value: "1" + ports: + - containerPort: {{ template "harbor.chartmuseum.containerPort" . }} + volumeMounts: + - name: chartmuseum-data + mountPath: /chart_storage + subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: chart-internal-certs + mountPath: /etc/harbor/ssl/chartmuseum + {{- end }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + - name: gcs-key + mountPath: /etc/chartmuseum/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: chartmuseum-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: chart-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }} + {{- end }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + - name: gcs-key + secret: + secretName: {{ template "harbor.registry" . }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.chartmuseum.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.chartmuseum.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.chartmuseum.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} diff --git a/templates/chartmuseum/chartmuseum-pvc.yaml b/templates/chartmuseum/chartmuseum-pvc.yaml index 5a221c0d22b01abebcbf65e3919bf08c211711d3..814a5d14755a0c07c2a62fc901b37232a98f84a9 100644 --- a/templates/chartmuseum/chartmuseum-pvc.yaml +++ b/templates/chartmuseum/chartmuseum-pvc.yaml @@ -1,32 +1,32 @@ -{{- if .Values.chartmuseum.enabled }} -{{- $persistence := .Values.persistence -}} -{{- if $persistence.enabled }} -{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}} -{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.chartmuseum" . }} - {{- if eq $persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: chartmuseum -spec: - accessModes: - - {{ $chartmuseum.accessMode }} - resources: - requests: - storage: {{ $chartmuseum.size }} - {{- if $chartmuseum.storageClass }} - {{- if eq "-" $chartmuseum.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $chartmuseum.storageClass }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} +{{- if .Values.chartmuseum.enabled }} +{{- $persistence := .Values.persistence -}} +{{- if $persistence.enabled }} +{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}} +{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.chartmuseum" . }} + {{- if eq $persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: chartmuseum +spec: + accessModes: + - {{ $chartmuseum.accessMode }} + resources: + requests: + storage: {{ $chartmuseum.size }} + {{- if $chartmuseum.storageClass }} + {{- if eq "-" $chartmuseum.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $chartmuseum.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-secret.yaml b/templates/chartmuseum/chartmuseum-secret.yaml index eefdf793e0bcdef05cdae8bf1276e78ddc04b766..4647c2187e404d34815111c51f836e2880a142c5 100644 --- a/templates/chartmuseum/chartmuseum-secret.yaml +++ b/templates/chartmuseum/chartmuseum-secret.yaml @@ -1,26 +1,26 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} -{{- $storage := .Values.persistence.imageChartStorage }} -{{- $storageType := $storage.type }} -{{- if eq $storageType "azure" }} - AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }} -{{- else if eq $storageType "gcs" }} - # TODO support the keyfile of gcs -{{- else if eq $storageType "s3" }} - {{- if $storage.s3.secretkey }} - AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }} - {{- end }} -{{- else if eq $storageType "swift" }} - OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }} -{{- else if eq $storageType "oss" }} - ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} -{{- end }} +{{- if .Values.chartmuseum.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.chartmuseum" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $storageType := $storage.type }} +{{- if eq $storageType "azure" }} + AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }} +{{- else if eq $storageType "gcs" }} + # TODO support the keyfile of gcs +{{- else if eq $storageType "s3" }} + {{- if $storage.s3.secretkey }} + AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} +{{- else if eq $storageType "swift" }} + OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }} +{{- else if eq $storageType "oss" }} + ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-svc.yaml b/templates/chartmuseum/chartmuseum-svc.yaml index df584754dc50c1a6b70946814c252ff504b1e3fa..eb8c2b72909dbbc8fb8109b1139edcb87481ef94 100644 --- a/templates/chartmuseum/chartmuseum-svc.yaml +++ b/templates/chartmuseum/chartmuseum-svc.yaml @@ -1,15 +1,15 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.chartmuseum.servicePort" . }} - targetPort: {{ template "harbor.chartmuseum.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: chartmuseum +{{- if .Values.chartmuseum.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.chartmuseum" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: {{ template "harbor.chartmuseum.servicePort" . }} + targetPort: {{ template "harbor.chartmuseum.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: chartmuseum {{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-tls.yaml b/templates/chartmuseum/chartmuseum-tls.yaml index cda17c33392cead340d24f2841b0118bda796e50..fded09057af7bd27a2f0ed111e029e9749700800 100644 --- a/templates/chartmuseum/chartmuseum-tls.yaml +++ b/templates/chartmuseum/chartmuseum-tls.yaml @@ -1,15 +1,15 @@ -{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }} -{{- end }} -{{- end }} +{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/templates/clair/clair-dpl.yaml b/templates/clair/clair-dpl.yaml index 039db0d768022ad8c764b6de9d21aa389a8d7697..69ee736ddcab1d7f018e609324ec809451fd7b3c 100644 --- a/templates/clair/clair-dpl.yaml +++ b/templates/clair/clair-dpl.yaml @@ -1,174 +1,174 @@ -{{ if .Values.clair.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.clair" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: clair -spec: - replicas: {{ .Values.clair.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: clair - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: clair - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/clair/clair-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/clair/clair-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.clair.podAnnotations }} -{{ toYaml .Values.clair.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.clair.serviceAccountName }} - serviceAccountName: {{ .Values.clair.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: clair -{{- if contains "/" .Values.clair.clair.image.repository }} - image: "{{ .Values.clair.clair.image.repository }}" -{{- else }} - image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /health - port: 6061 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /health - port: 6061 - initialDelaySeconds: 30 - periodSeconds: 10 - args: ["-log-level", "{{ .Values.logLevel }}"] - env: - {{- if has "clair" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} -{{- if .Values.clair.clair.resources }} - resources: -{{ toYaml .Values.clair.clair.resources | indent 10 }} -{{- end }} - ports: - - containerPort: 6060 - volumeMounts: - - name: config - mountPath: /etc/clair/config.yaml - subPath: config.yaml - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - mountPath: /etc/harbor/ssl/clair - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - - name: adapter -{{- if contains "/" .Values.clair.adapter.image.repository }} - image: "{{ .Values.clair.adapter.image.repository }}" -{{- else }} - image: "{{ .Values.clair.adapter.image.hub | default .Values.global.hub }}/{{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /probe/healthy - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.clairAdapter.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /probe/ready - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.clairAdapter.containerPort" . }} - initialDelaySeconds: 30 - periodSeconds: 10 - env: - - name: SCANNER_CLAIR_URL - # To avoid a pod cannot reach itself via service IP when the clusters disable hairpin - value: "http://127.0.0.1:6060" - - name: SCANNER_STORE_REDIS_URL - valueFrom: - secretKeyRef: - name: {{ template "harbor.clair" . }} - key: redis - - name: SCANNER_CLAIR_DATABASE_URL - valueFrom: - secretKeyRef: - name: {{ template "harbor.clair" . }} - key: database - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: SCANNER_API_SERVER_ADDR - value: ":8443" - - name: SCANNER_API_SERVER_TLS_KEY - value: /etc/harbor/ssl/clair/tls.key - - name: SCANNER_API_SERVER_TLS_CERTIFICATE - value: /etc/harbor/ssl/clair/tls.crt - {{- end }} - - name: SCANNER_LOG_LEVEL - value: "{{ .Values.logLevel }}" -{{- if .Values.clair.adapter.resources }} - resources: -{{ toYaml .Values.clair.adapter.resources | indent 10 }} -{{- end }} - ports: - - containerPort: {{ template "harbor.clairAdapter.containerPort" . }} - {{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }} - volumeMounts: - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - mountPath: /etc/harbor/ssl/clair - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - {{- end }} - volumes: - - name: config - secret: - secretName: "{{ template "harbor.clair" . }}" - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.clair.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.clair.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} +{{ if .Values.clair.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.clair" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: clair +spec: + replicas: {{ .Values.clair.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: clair + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: clair + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/clair/clair-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/clair/clair-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.clair.podAnnotations }} +{{ toYaml .Values.clair.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + fsGroup: 10000 +{{- if .Values.clair.serviceAccountName }} + serviceAccountName: {{ .Values.clair.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: clair +{{- if contains "/" .Values.clair.clair.image.repository }} + image: "{{ .Values.clair.clair.image.repository }}" +{{- else }} + image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + livenessProbe: + httpGet: + path: /health + port: 6061 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /health + port: 6061 + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + env: + {{- if has "clair" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} +{{- if .Values.clair.clair.resources }} + resources: +{{ toYaml .Values.clair.clair.resources | indent 10 }} +{{- end }} + ports: + - containerPort: 6060 + volumeMounts: + - name: config + mountPath: /etc/clair/config.yaml + subPath: config.yaml + {{- if .Values.internalTLS.enabled }} + - name: clair-internal-certs + mountPath: /etc/harbor/ssl/clair + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: adapter +{{- if contains "/" .Values.clair.adapter.image.repository }} + image: "{{ .Values.clair.adapter.image.repository }}" +{{- else }} + image: "{{ .Values.clair.adapter.image.hub | default .Values.global.hub }}/{{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + livenessProbe: + httpGet: + path: /probe/healthy + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.clairAdapter.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /probe/ready + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.clairAdapter.containerPort" . }} + initialDelaySeconds: 30 + periodSeconds: 10 + env: + - name: SCANNER_CLAIR_URL + # To avoid a pod cannot reach itself via service IP when the clusters disable hairpin + value: "http://127.0.0.1:6060" + - name: SCANNER_STORE_REDIS_URL + valueFrom: + secretKeyRef: + name: {{ template "harbor.clair" . }} + key: redis + - name: SCANNER_CLAIR_DATABASE_URL + valueFrom: + secretKeyRef: + name: {{ template "harbor.clair" . }} + key: database + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_ADDR + value: ":8443" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/clair/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/clair/tls.crt + {{- end }} + - name: SCANNER_LOG_LEVEL + value: "{{ .Values.logLevel }}" +{{- if .Values.clair.adapter.resources }} + resources: +{{ toYaml .Values.clair.adapter.resources | indent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.clairAdapter.containerPort" . }} + {{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }} + volumeMounts: + {{- if .Values.internalTLS.enabled }} + - name: clair-internal-certs + mountPath: /etc/harbor/ssl/clair + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.clair" . }}" + {{- if .Values.internalTLS.enabled }} + - name: clair-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.clair.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.clair.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.clair.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.clair.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{ end }} diff --git a/templates/clair/clair-secret.yaml b/templates/clair/clair-secret.yaml index fa6e5dcd9aee03a8de29f23f22951528217402bb..0eb3ec63d23e0c8704f1fbbdaeb3454f5e05b9cf 100644 --- a/templates/clair/clair-secret.yaml +++ b/templates/clair/clair-secret.yaml @@ -1,13 +1,13 @@ -{{- if .Values.clair.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.clair" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }} - redis: {{ include "harbor.redis.urlForClair" . | b64enc }} - database: {{ include "harbor.database.clair" . | b64enc }} +{{- if .Values.clair.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.clair" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }} + redis: {{ include "harbor.redis.urlForClair" . | b64enc }} + database: {{ include "harbor.database.clair" . | b64enc }} {{- end }} \ No newline at end of file diff --git a/templates/clair/clair-svc.yaml b/templates/clair/clair-svc.yaml index 3d730c658584af632465a900dd346780d83a8270..dff844043ef1eca54b4cf85973485f15a1cb8cf5 100644 --- a/templates/clair/clair-svc.yaml +++ b/templates/clair/clair-svc.yaml @@ -1,15 +1,15 @@ -{{ if .Values.clair.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.clair" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: adapter - port: {{ include "harbor.clairAdapter.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: clair -{{ end }} +{{ if .Values.clair.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.clair" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: adapter + port: {{ include "harbor.clairAdapter.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: clair +{{ end }} diff --git a/templates/clair/clair-tls.yaml b/templates/clair/clair-tls.yaml index af81eec1f02b2df4a741d07ffb3408f47189dfd0..f4233ee710fb53f58b9a1168f3116ec24ff949e4 100644 --- a/templates/clair/clair-tls.yaml +++ b/templates/clair/clair-tls.yaml @@ -1,15 +1,15 @@ -{{- if and .Values.clair.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.clair.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }} -{{- end }} +{{- if and .Values.clair.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.clair.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml index 545b43bfe3792d52156fa3c1a1013420b34668e0..37465a08de3a7a578bd3f1c5ae10c428c11bbe4f 100644 --- a/templates/core/core-cm.yaml +++ b/templates/core/core-cm.yaml @@ -1,59 +1,59 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - app.conf: |+ - appname = Harbor - runmode = prod - enablegzip = true - - [prod] - httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} - PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" - DATABASE_TYPE: "postgresql" - POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" - POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" - POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" - POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" - POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" - POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" - POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" - EXT_ENDPOINT: "{{ .Values.externalURL }}.{{ $.Values.global.host }}" - CORE_URL: "{{ template "harbor.coreURL" . }}" - JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" - REGISTRY_URL: "{{ template "harbor.registryURL" . }}" - TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" - WITH_NOTARY: "{{ .Values.notary.enabled }}" - NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" - CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" - WITH_CLAIR: "{{ .Values.clair.enabled }}" - CLAIR_ADAPTER_URL: "{{ template "harbor.clairAdapterURL" . }}" - WITH_TRIVY: {{ .Values.trivy.enabled | quote }} - TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" - REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" - WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" - CHART_REPOSITORY_URL: "{{ template "harbor.component.scheme" . }}://{{ template "harbor.chartmuseum" . }}" - LOG_LEVEL: "{{ .Values.logLevel }}" - CONFIG_PATH: "/etc/core/app.conf" - CHART_CACHE_DRIVER: "redis" - _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" - _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" - PORTAL_URL: "{{ template "harbor.portalURL" . }}" - REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" - REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" - {{- if .Values.uaaSecretName }} - UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" - {{- end }} - {{- if has "core" .Values.proxy.components }} - HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" - HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" - NO_PROXY: "{{ template "harbor.noProxy" . }}" - {{- end }} - PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor" - {{- if hasKey .Values.core "gcTimeWindowHours" }} - #make the GC time window configurable for testing - GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}.{{ $.Values.global.host }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + WITH_NOTARY: "{{ .Values.notary.enabled }}" + NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_CLAIR: "{{ .Values.clair.enabled }}" + CLAIR_ADAPTER_URL: "{{ template "harbor.clairAdapterURL" . }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" + CHART_REPOSITORY_URL: "{{ template "harbor.component.scheme" . }}://{{ template "harbor.chartmuseum" . }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor" + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" {{- end }} \ No newline at end of file diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 72c37786b49da7df941c44f3038bd070abe82226..4a913c7fd27f280d9d7eaa4492b6fe3a5bd41bdf 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -1,193 +1,193 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: core -spec: - replicas: {{ .Values.core.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: core - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: core - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} - checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.core.podAnnotations }} -{{ toYaml .Values.core.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.core.serviceAccountName }} - serviceAccountName: {{ .Values.core.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: core -{{- if contains "/" .Values.core.image.repository }} - image: "{{ .Values.core.image.repository }}" -{{- else }} - image: "{{ .Values.core.image.hub | default .Values.global.hub }}/{{ .Values.core.image.repository }}:{{ .Values.core.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - {{- if .Values.core.startupProbe.enabled }} - startupProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - failureThreshold: 360 - initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} - periodSeconds: 10 - {{- end }} - livenessProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - failureThreshold: 2 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - failureThreshold: 2 - periodSeconds: 10 - envFrom: - - configMapRef: - name: "{{ template "harbor.core" . }}" - - secretRef: - name: "{{ template "harbor.core" . }}" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.jobservice" . }}" - key: JOBSERVICE_SECRET - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/core/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/core/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/core/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.core.containerPort" . }} - volumeMounts: - - name: config - mountPath: /etc/core/app.conf - subPath: app.conf - - name: secret-key - mountPath: /etc/core/key - subPath: key - - name: token-service-private-key - mountPath: /etc/core/private_key.pem - subPath: tls.key - {{- if .Values.expose.tls.enabled }} - - name: ca-download - mountPath: /etc/core/ca - {{- end }} - {{- if .Values.uaaSecretName }} - - name: auth-ca-cert - mountPath: /etc/core/auth-ca/auth-ca.crt - subPath: auth-ca.crt - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: core-internal-certs - mountPath: /etc/harbor/ssl/core - {{- end }} - - name: psc - mountPath: /etc/core/token - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} -{{- if .Values.core.resources }} - resources: -{{ toYaml .Values.core.resources | indent 10 }} -{{- end }} - volumes: - - name: config - configMap: - name: {{ template "harbor.core" . }} - items: - - key: app.conf - path: app.conf - - name: secret-key - secret: - secretName: {{ template "harbor.core" . }} - items: - - key: secretKey - path: key - - name: token-service-private-key - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - {{- if .Values.expose.tls.enabled }} - - name: ca-download - secret: - {{- if .Values.caSecretName }} - secretName: {{ .Values.caSecretName }} - {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} - secretName: "{{ template "harbor.ingress" . }}" - {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} - secretName: {{ template "harbor.tlsSecretForNginx" . }} - {{- end }} - {{- end }} - {{- if .Values.uaaSecretName }} - - name: auth-ca-cert - secret: - secretName: {{ .Values.uaaSecretName }} - items: - - key: ca.crt - path: auth-ca.crt - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: core-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.core.secretName" . }} - {{- end }} - - name: psc - emptyDir: {} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.core.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.core.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.core.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: core + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: core +{{- if contains "/" .Values.core.image.repository }} + image: "{{ .Values.core.image.repository }}" +{{- else }} + image: "{{ .Values.core.image.hub | default .Values.global.hub }}/{{ .Values.core.image.repository }}:{{ .Values.core.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: "{{ template "harbor.jobservice" . }}" + key: JOBSERVICE_SECRET + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + secretName: {{ template "harbor.core" . }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index ba4b7678e2794d53db6003b915daed420524bd45..7ead3f32cd7106d3e22624d4a195f84c890d67e2 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -1,18 +1,18 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - secretKey: {{ .Values.secretKey | b64enc | quote }} - secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} -{{- if not .Values.core.secretName }} - tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }} - tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} -{{- end }} - HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} - POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} - REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} - CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + secretKey: {{ .Values.secretKey | b64enc | quote }} + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} +{{- if not .Values.core.secretName }} + tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }} + tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} +{{- end }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} diff --git a/templates/core/core-svc.yaml b/templates/core/core-svc.yaml index dcdb3344a93772ca8809e3ca0496a5ebf8dc8779..de461988a4861840763f94ac2f542c4c77a7b96d 100644 --- a/templates/core/core-svc.yaml +++ b/templates/core/core-svc.yaml @@ -1,16 +1,16 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: -{{- if (eq .Values.expose.ingress.controller "gce") }} - type: NodePort -{{- end }} - ports: - - port: {{ template "harbor.core.servicePort" . }} - targetPort: {{ template "harbor.core.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: core +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/templates/core/core-tls.yaml b/templates/core/core-tls.yaml index c52148f0d9a80bda3204d2a75da49c736f28af46..1c24eeb94c8b49b4d7b85891228d5c010e15d793 100644 --- a/templates/core/core-tls.yaml +++ b/templates/core/core-tls.yaml @@ -1,15 +1,15 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.core.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} -{{- end }} +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml index 864aff4a184a5fae06ad6f7a3349d28d8e2bd391..4b09db1935c88acab2dee9ca25a398754a67829b 100644 --- a/templates/database/database-secret.yaml +++ b/templates/database/database-secret.yaml @@ -1,11 +1,11 @@ -{{- if eq .Values.database.type "internal" -}} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} -{{- end -}} +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index df292581a34a60c76aa4b137ca7e3f35499fbbbf..d4290420b5d60c13e82de2180ecc91af0359aeea 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -1,135 +1,135 @@ -{{- if eq .Values.database.type "internal" -}} -{{- $database := .Values.persistence.persistentVolumeClaim.database -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: database -spec: - replicas: 1 - serviceName: "{{ template "harbor.database" . }}" - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: database - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: database - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} -{{- if .Values.database.podAnnotations }} -{{ toYaml .Values.database.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- if .Values.database.internal.serviceAccountName }} - serviceAccountName: {{ .Values.database.internal.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - initContainers: - - name: "change-permission-of-directory" - securityContext: - runAsUser: 0 -{{- if contains "/" .Values.database.internal.image.repository }} - image: "{{ .Values.database.internal.image.repository }}" -{{- else }} - image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - command: ["/bin/sh"] - args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"] - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - - name: "remove-lost-found" -{{- if contains "/" .Values.database.internal.image.repository }} - image: "{{ .Values.database.internal.image.repository }}" -{{- else }} - image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - containers: - - name: database -{{- if contains "/" .Values.database.internal.image.repository }} - image: "{{ .Values.database.internal.image.repository }}" -{{- else }} - image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - livenessProbe: - exec: - command: - - /docker-healthcheck.sh - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - exec: - command: - - /docker-healthcheck.sh - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.database.internal.resources }} - resources: -{{ toYaml .Values.database.internal.resources | indent 10 }} -{{- end }} - envFrom: - - secretRef: - name: "{{ template "harbor.database" . }}" - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - {{- if not .Values.persistence.enabled }} - volumes: - - name: "database-data" - emptyDir: {} - {{- else if $database.existingClaim }} - volumes: - - name: "database-data" - persistentVolumeClaim: - claimName: {{ $database.existingClaim }} - {{- end -}} - {{- with .Values.database.internal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if and .Values.persistence.enabled (not $database.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: "database-data" - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $database.accessMode | quote }}] - {{- if $database.storageClass }} - {{- if (eq "-" $database.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $database.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $database.size | quote }} - {{- end -}} - {{- end -}} +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + initContainers: + - name: "change-permission-of-directory" + securityContext: + runAsUser: 0 +{{- if contains "/" .Values.database.internal.image.repository }} + image: "{{ .Values.database.internal.image.repository }}" +{{- else }} + image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + command: ["/bin/sh"] + args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"] + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: "remove-lost-found" +{{- if contains "/" .Values.database.internal.image.repository }} + image: "{{ .Values.database.internal.image.repository }}" +{{- else }} + image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database +{{- if contains "/" .Values.database.internal.image.repository }} + image: "{{ .Values.database.internal.image.repository }}" +{{- else }} + image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + volumes: + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/templates/database/database-svc.yaml b/templates/database/database-svc.yaml index 6475048cd97a2945919fcf0558d3fba3d44b4b2b..05a51347df9f92b8b0e6241014485aaf1cc13e62 100644 --- a/templates/database/database-svc.yaml +++ b/templates/database/database-svc.yaml @@ -1,14 +1,14 @@ -{{- if eq .Values.database.type "internal" -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 5432 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: database +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database {{- end -}} \ No newline at end of file diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml index b74dc8d1884fa93a007c2c47a7d7cfa24ae99e5e..e518ba98996b2eb321db91246ded053d7661926a 100644 --- a/templates/ingress/ingress.yaml +++ b/templates/ingress/ingress.yaml @@ -1,135 +1,135 @@ -{{- if eq .Values.expose.type "ingress" }} -{{- $ingress := .Values.expose.ingress -}} -{{- $tls := .Values.expose.tls -}} -{{- if eq .Values.expose.ingress.controller "gce" }} - {{- $_ := set . "portal_path" "/*" -}} - {{- $_ := set . "api_path" "/api/*" -}} - {{- $_ := set . "service_path" "/service/*" -}} - {{- $_ := set . "v2_path" "/v2/*" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} - {{- $_ := set . "controller_path" "/c/*" -}} - {{- $_ := set . "notary_path" "/" -}} -{{- else if eq .Values.expose.ingress.controller "ncp" }} - {{- $_ := set . "portal_path" "/.*" -}} - {{- $_ := set . "api_path" "/api/.*" -}} - {{- $_ := set . "service_path" "/service/.*" -}} - {{- $_ := set . "v2_path" "/v2/.*" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} - {{- $_ := set . "controller_path" "/c/.*" -}} - {{- $_ := set . "notary_path" "/.*" -}} -{{- else }} - {{- $_ := set . "portal_path" "/" -}} - {{- $_ := set . "api_path" "/api" -}} - {{- $_ := set . "service_path" "/service" -}} - {{- $_ := set . "v2_path" "/v2" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo" -}} - {{- $_ := set . "controller_path" "/c" -}} - {{- $_ := set . "notary_path" "/" -}} -{{- end }} - ---- -{{- if not (.Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1") -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: extensions/v1beta1 -{{- else }} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: "{{ template "harbor.ingress" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - annotations: -{{ toYaml $ingress.annotations | indent 4 }} -{{- if .Values.internalTLS.enabled }} - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -{{- end }} -{{- if eq .Values.expose.ingress.controller "ncp" }} - ncp/use-regex: "true" - {{- if $tls.enabled }} - ncp/http-redirect: "true" - {{- end }} -{{- end }} -spec: - {{- if $tls.enabled }} - tls: - - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} - {{- if $ingress.hosts.core }} - hosts: - - {{ $ingress.hosts.core }}.{{ $.Values.global.host }} - {{- end }} - {{- end }} - rules: - - http: - paths: - - path: {{ .portal_path }} - backend: - serviceName: {{ template "harbor.portal" . }} - servicePort: {{ template "harbor.portal.servicePort" . }} - - path: {{ .api_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .service_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .v2_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .chartrepo_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .controller_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - {{- if $ingress.hosts.core }} - host: {{ $ingress.hosts.core }}.{{ $.Values.global.host }} - {{- end }} - -{{- if .Values.notary.enabled }} ---- -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: extensions/v1beta1 -{{- else }} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: "{{ template "harbor.ingress-notary" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - annotations: -{{ toYaml $ingress.annotations | indent 4 }} -{{- if eq .Values.expose.ingress.controller "ncp" }} - ncp/use-regex: "true" - {{- if $tls.enabled }} - ncp/http-redirect: "true" - {{- end }} -{{- end }} -spec: - {{- if $tls.enabled }} - tls: - - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }} - {{- if $ingress.hosts.notary }} - hosts: - - {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} - {{- end }} - {{- end }} - rules: - - http: - paths: - - path: {{ .notary_path }} - backend: - serviceName: {{ template "harbor.notary-server" . }} - servicePort: 4443 - {{- if $ingress.hosts.notary }} - host: {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} - {{- end }} -{{- end }} - -{{- end }} +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} + {{- $_ := set . "notary_path" "/" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} + {{- $_ := set . "notary_path" "/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api" -}} + {{- $_ := set . "service_path" "/service" -}} + {{- $_ := set . "v2_path" "/v2" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo" -}} + {{- $_ := set . "controller_path" "/c" -}} + {{- $_ := set . "notary_path" "/" -}} +{{- end }} + +--- +{{- if not (.Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1") -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} +apiVersion: extensions/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +spec: + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }}.{{ $.Values.global.host }} + {{- end }} + {{- end }} + rules: + - http: + paths: + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }}.{{ $.Values.global.host }} + {{- end }} + +{{- if .Values.notary.enabled }} +--- +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} +apiVersion: extensions/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress-notary" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +spec: + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }} + {{- if $ingress.hosts.notary }} + hosts: + - {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} + {{- end }} + {{- end }} + rules: + - http: + paths: + - path: {{ .notary_path }} + backend: + serviceName: {{ template "harbor.notary-server" . }} + servicePort: 4443 + {{- if $ingress.hosts.notary }} + host: {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} + {{- end }} +{{- end }} + +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/ingress/ingresshost.yaml b/templates/ingress/ingresshost.yaml index e36a186ac4297f32bb247064f64f11017954b70d..3ba76aa52e9fb49f998d5d3e47b64b5be6b785c8 100644 --- a/templates/ingress/ingresshost.yaml +++ b/templates/ingress/ingresshost.yaml @@ -1,28 +1,28 @@ -{{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}} ---- -apiVersion: bcc.bd-apaas.com/v1alpha1 -kind: IngressHost -metadata: - name: "{{ template "harbor.ingress" . }}-core" - annotations: - {{- with .Values.expose.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{ include "harbor.labels" . | nindent 4 }} -spec: - host: "{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}" ---- -apiVersion: bcc.bd-apaas.com/v1alpha1 -kind: IngressHost -metadata: - name: "{{ template "harbor.ingress" . }}-notary" - annotations: - {{- with .Values.expose.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{ include "harbor.labels" . | nindent 4 }} -spec: - host: "{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}" -{{- end -}} +{{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}} +--- +apiVersion: bcc.bd-apaas.com/v1alpha1 +kind: IngressHost +metadata: + name: "{{ template "harbor.ingress" . }}-core" + annotations: + {{- with .Values.expose.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{ include "harbor.labels" . | nindent 4 }} +spec: + host: "{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}" +--- +apiVersion: bcc.bd-apaas.com/v1alpha1 +kind: IngressHost +metadata: + name: "{{ template "harbor.ingress" . }}-notary" + annotations: + {{- with .Values.expose.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{ include "harbor.labels" . | nindent 4 }} +spec: + host: "{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}" +{{- end -}} diff --git a/templates/ingress/ingressroute.yaml b/templates/ingress/ingressroute.yaml index ff0c317da9826b82a72b92dbc0edabdaaf67abd6..4bc0d140b0a83dffab1630fcc2b915d550905051 100644 --- a/templates/ingress/ingressroute.yaml +++ b/templates/ingress/ingressroute.yaml @@ -1,106 +1,106 @@ -{{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}} ---- -apiVersion: bcc.bd-apaas.com/v1alpha1 -kind: IngressRoute -metadata: - name: "{{ template "harbor.ingress" . }}" - annotations: - {{- with .Values.expose.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{ include "harbor.labels" . | nindent 4 }} -spec: - entryPoints: - - websecure - routes: - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) - kind: Rule - services: - - name: {{ template "harbor.portal" . }} - port: {{ template "harbor.portal.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`) - kind: Rule - middlewares: - - name: "{{ template "harbor.ingress" . }}-https" - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) - kind: Rule - services: - - name: {{ template "harbor.notary-server" . }} - port: 4443 - tls: - certResolver: default ---- -apiVersion: bcc.bd-apaas.com/v1alpha1 -kind: IngressRoute -metadata: - name: "{{ template "harbor.ingress" . }}-http" - annotations: - {{- with .Values.expose.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{ include "harbor.labels" . | nindent 4 }} -spec: - entryPoints: - - web - routes: - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) - kind: Rule - services: - - name: {{ template "harbor.portal" . }} - port: {{ template "harbor.portal.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`) - kind: Rule - services: - - name: {{ template "harbor.core" . }} - port: {{ template "harbor.core.servicePort" . }} - - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) - kind: Rule - services: - - name: {{ template "harbor.notary-server" . }} - port: 4443 -{{- end -}} +{{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}} +--- +apiVersion: bcc.bd-apaas.com/v1alpha1 +kind: IngressRoute +metadata: + name: "{{ template "harbor.ingress" . }}" + annotations: + {{- with .Values.expose.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{ include "harbor.labels" . | nindent 4 }} +spec: + entryPoints: + - websecure + routes: + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) + kind: Rule + services: + - name: {{ template "harbor.portal" . }} + port: {{ template "harbor.portal.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`) + kind: Rule + middlewares: + - name: "{{ template "harbor.ingress" . }}-https" + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) + kind: Rule + services: + - name: {{ template "harbor.notary-server" . }} + port: 4443 + tls: + certResolver: default +--- +apiVersion: bcc.bd-apaas.com/v1alpha1 +kind: IngressRoute +metadata: + name: "{{ template "harbor.ingress" . }}-http" + annotations: + {{- with .Values.expose.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{ include "harbor.labels" . | nindent 4 }} +spec: + entryPoints: + - web + routes: + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) + kind: Rule + services: + - name: {{ template "harbor.portal" . }} + port: {{ template "harbor.portal.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`) + kind: Rule + services: + - name: {{ template "harbor.core" . }} + port: {{ template "harbor.core.servicePort" . }} + - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`) + kind: Rule + services: + - name: {{ template "harbor.notary-server" . }} + port: 4443 +{{- end -}} diff --git a/templates/ingress/middleware.yaml b/templates/ingress/middleware.yaml index bb742070b7c6cdd76c85ff2038f6900871bf25b7..b9b205112dc520eb236cd1a6a5844dcda4a7af43 100644 --- a/templates/ingress/middleware.yaml +++ b/templates/ingress/middleware.yaml @@ -1,10 +1,10 @@ -{{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}} -apiVersion: bcc.bd-apaas.com/v1alpha1 -kind: Middleware -metadata: - name: "{{ template "harbor.ingress" . }}-https" -spec: - headers: - customRequestHeaders: - X-Forwarded-Proto: "https" +{{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}} +apiVersion: bcc.bd-apaas.com/v1alpha1 +kind: Middleware +metadata: + name: "{{ template "harbor.ingress" . }}-https" +spec: + headers: + customRequestHeaders: + X-Forwarded-Proto: "https" {{- end -}} \ No newline at end of file diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml index 0d89af99ac913ec6ec7a31b51cbf10200635456c..de990ed3e37800cf96f0198e1ef219af0cf12eaf 100644 --- a/templates/ingress/secret.yaml +++ b/templates/ingress/secret.yaml @@ -1,15 +1,15 @@ -{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} -{{- $ca := genCA "harbor-ca" 365 }} -{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.ingress" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} {{- end }} \ No newline at end of file diff --git a/templates/internal/auto-tls.yaml b/templates/internal/auto-tls.yaml index cbeeecedce58412aabc51373f87bd9e46b4f39af..8f11d6cdbe16b2a880747864e4a901f3f93cbc67 100644 --- a/templates/internal/auto-tls.yaml +++ b/templates/internal/auto-tls.yaml @@ -1,115 +1,115 @@ -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} -{{- $ca := genCA "harbor-internal-ca" 365 }} -{{- $coreCN := (include "harbor.core" .) }} -{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} -{{- $jsCN := (include "harbor.jobservice" .) }} -{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} -{{- $regCN := (include "harbor.registry" .) }} -{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} -{{- $portalCN := (include "harbor.portal" .) }} -{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.core.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $coreCrt.Cert | b64enc | quote }} - tls.key: {{ $coreCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $jsCrt.Cert | b64enc | quote }} - tls.key: {{ $jsCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.registry.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $regCrt.Cert | b64enc | quote }} - tls.key: {{ $regCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.portal.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $portalCrt.Cert | b64enc | quote }} - tls.key: {{ $portalCrt.Key | b64enc | quote }} - -{{- if .Values.chartmuseum.enabled }} ---- -{{- $chartCN := (include "harbor.chartmuseum" .) }} -{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $chartCrt.Cert | b64enc | quote }} - tls.key: {{ $chartCrt.Key | b64enc | quote }} -{{- end }} - -{{- if .Values.clair.enabled }} ---- -{{- $clairCN := (include "harbor.clair" .) }} -{{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.clair.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $clairCrt.Cert | b64enc | quote }} - tls.key: {{ $clairCrt.Key | b64enc | quote }} -{{- end }} - -{{- if and .Values.trivy.enabled}} ---- -{{- $trivyCN := (include "harbor.trivy" .) }} -{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} - tls.key: {{ $trivyCrt.Key | b64enc | quote }} -{{- end }} - +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if .Values.chartmuseum.enabled }} +--- +{{- $chartCN := (include "harbor.chartmuseum" .) }} +{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $chartCrt.Cert | b64enc | quote }} + tls.key: {{ $chartCrt.Key | b64enc | quote }} +{{- end }} + +{{- if .Values.clair.enabled }} +--- +{{- $clairCN := (include "harbor.clair" .) }} +{{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.clair.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $clairCrt.Cert | b64enc | quote }} + tls.key: {{ $clairCrt.Key | b64enc | quote }} +{{- end }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + {{- end }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-cm-env.yaml b/templates/jobservice/jobservice-cm-env.yaml index 1f79f97a867febb177c666e42e86012a8f757c25..7a375b80d2cceb624d898d0a40eacce44deff859 100644 --- a/templates/jobservice/jobservice-cm-env.yaml +++ b/templates/jobservice/jobservice-cm-env.yaml @@ -1,17 +1,17 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.jobservice" . }}-env" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - CORE_URL: "{{ template "harbor.coreURL" . }}" - TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" - REGISTRY_URL: "{{ template "harbor.registryURL" . }}" - REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" - REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" - {{- if has "jobservice" .Values.proxy.components }} - HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" - HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" - NO_PROXY: "{{ template "harbor.noProxy" . }}" - {{- end }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} diff --git a/templates/jobservice/jobservice-cm.yaml b/templates/jobservice/jobservice-cm.yaml index f9eb51bdac8df491c67fae2a550e274be8bfb21a..6a109a39f71532961ca144acb05020734001a42d 100644 --- a/templates/jobservice/jobservice-cm.yaml +++ b/templates/jobservice/jobservice-cm.yaml @@ -1,46 +1,46 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - #Server listening port - protocol: "{{ template "harbor.component.scheme" . }}" - port: {{ template "harbor.jobservice.containerPort". }} - {{- if .Values.internalTLS.enabled }} - https_config: - cert: "/etc/harbor/ssl/jobservice/tls.crt" - key: "/etc/harbor/ssl/jobservice/tls.key" - {{- end }} - worker_pool: - workers: {{ .Values.jobservice.maxJobWorkers }} - backend: "redis" - redis_pool: - redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" - namespace: "harbor_job_service_namespace" - idle_timeout_second: 3600 - job_loggers: - {{- if eq .Values.jobservice.jobLogger "file" }} - - name: "FILE" - level: {{ .Values.logLevel | upper }} - settings: # Customized settings of logger - base_dir: "/var/log/jobs" - sweeper: - duration: 14 #days - settings: # Customized settings of sweeper - work_dir: "/var/log/jobs" - {{- else if eq .Values.jobservice.jobLogger "database" }} - - name: "DB" - level: {{ .Values.logLevel | upper }} - sweeper: - duration: 14 #days - {{- else }} - - name: "STD_OUTPUT" - level: {{ .Values.logLevel | upper }} - {{- end }} - #Loggers for the job service - loggers: - - name: "STD_OUTPUT" +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if eq .Values.jobservice.jobLogger "file" }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: 14 #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- else if eq .Values.jobservice.jobLogger "database" }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: 14 #days + {{- else }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" level: {{ .Values.logLevel | upper }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index ba62cbab8c8751f410fef6adddce5e4da5b58e43..cce739592c11c1e8342dfc06bf8b89e13e777a9a 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -1,140 +1,140 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: jobservice -spec: - replicas: {{ .Values.jobservice.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: jobservice - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: jobservice - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} - checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.jobservice.podAnnotations }} -{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.jobservice.serviceAccountName }} - serviceAccountName: {{ .Values.jobservice.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: jobservice -{{- if contains "/" .Values.jobservice.image.repository }} - image: "{{ .Values.jobservice.image.repository }}" -{{- else }} - image: "{{ .Values.jobservice.image.hub | default .Values.global.hub }}/{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /api/v1/stats - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.jobservice.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v1/stats - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.jobservice.containerPort" . }} - initialDelaySeconds: 20 - periodSeconds: 10 -{{- if .Values.jobservice.resources }} - resources: -{{ toYaml .Values.jobservice.resources | indent 10 }} -{{- end }} - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/jobservice/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/jobservice/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/jobservice/ca.crt - {{- end }} - envFrom: - - configMapRef: - name: "{{ template "harbor.jobservice" . }}-env" - - secretRef: - name: "{{ template "harbor.jobservice" . }}" - ports: - - containerPort: {{ template "harbor.jobservice.containerPort" . }} - volumeMounts: - - name: jobservice-config - mountPath: /etc/jobservice/config.yml - subPath: config.yml - - name: job-logs - mountPath: /var/log/jobs - subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }} - {{- if .Values.internalTLS.enabled }} - - name: jobservice-internal-certs - mountPath: /etc/harbor/ssl/jobservice - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: jobservice-config - configMap: - name: "{{ template "harbor.jobservice" . }}" - - name: job-logs - {{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: jobservice-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.jobservice.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: jobservice +{{- if contains "/" .Values.jobservice.image.repository }} + image: "{{ .Values.jobservice.image.repository }}" +{{- else }} + image: "{{ .Values.jobservice.image.hub | default .Values.global.hub }}/{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/templates/jobservice/jobservice-pvc.yaml b/templates/jobservice/jobservice-pvc.yaml index 04cc64d6b3c72fb2a49462de27be62c5a0edb4b7..9c8fc9bb04fe9712b9427bc12f9e701cb8b4abe0 100644 --- a/templates/jobservice/jobservice-pvc.yaml +++ b/templates/jobservice/jobservice-pvc.yaml @@ -1,29 +1,29 @@ -{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}} -{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }} -{{- if eq .Values.jobservice.jobLogger "file" }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.jobservice" . }} - {{- if eq .Values.persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: jobservice -spec: - accessModes: - - {{ $jobservice.accessMode }} - resources: - requests: - storage: {{ $jobservice.size }} - {{- if $jobservice.storageClass }} - {{- if eq "-" $jobservice.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $jobservice.storageClass }} - {{- end }} - {{- end }} -{{- end }} +{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}} +{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }} +{{- if eq .Values.jobservice.jobLogger "file" }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobservice.accessMode }} + resources: + requests: + storage: {{ $jobservice.size }} + {{- if $jobservice.storageClass }} + {{- if eq "-" $jobservice.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobservice.storageClass }} + {{- end }} + {{- end }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index a4750d2f521f5829458af47310c32c2b5b6494d0..6cab65ece2102141dab33554dcd04e3c4e08d27d 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml @@ -1,10 +1,10 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} - REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} diff --git a/templates/jobservice/jobservice-svc.yaml b/templates/jobservice/jobservice-svc.yaml index e1aa0914544bd525d53c2980a30e6e4c2f58a26b..5b98b2179cb7a6e5a6c3228b20db1c50486716eb 100644 --- a/templates/jobservice/jobservice-svc.yaml +++ b/templates/jobservice/jobservice-svc.yaml @@ -1,13 +1,13 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.jobservice.servicePort" . }} - targetPort: {{ template "harbor.jobservice.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: jobservice +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/templates/jobservice/jobservice-tls.yaml b/templates/jobservice/jobservice-tls.yaml index 234cb3999555747a39a30820a5eaa49aa494ff2f..902c3c45b87ec45bd0d68f4c5efbefceb1793207 100644 --- a/templates/jobservice/jobservice-tls.yaml +++ b/templates/jobservice/jobservice-tls.yaml @@ -1,15 +1,15 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} -{{- end }} +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/nginx/configmap-http.yaml b/templates/nginx/configmap-http.yaml index 89470a4b7442ef758dbaca8a2b0243dcb44651c8..085aaf6101b2fd8c69e1326d4044eaa01ada4df1 100644 --- a/templates/nginx/configmap-http.yaml +++ b/templates/nginx/configmap-http.yaml @@ -1,150 +1,150 @@ -{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} -{{- $scheme := (include "harbor.component.scheme" .) -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 1024; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; - } - - upstream portal { - server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; - } - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - server { - listen 8080; - server_tokens off; - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # Add extra headers - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass {{ $scheme }}://portal/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass {{ $scheme }}://core/api/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass {{ $scheme }}://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass {{ $scheme }}://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass {{ $scheme }}://core/service/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - } -{{- end }} +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 1024; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + server { + listen 8080; + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/templates/nginx/configmap-https.yaml b/templates/nginx/configmap-https.yaml index 00e34fa495bc43edaa8cd2e32bfed4ac3b01b8be..92dd43a4d6edd780696f779490f16a3877ed12da 100644 --- a/templates/nginx/configmap-https.yaml +++ b/templates/nginx/configmap-https.yaml @@ -1,221 +1,221 @@ -{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} -{{- $scheme := (include "harbor.component.scheme" .) -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 1024; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; - } - - upstream portal { - server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; - } - - {{- if .Values.notary.enabled }} - upstream notary-server { - server {{ template "harbor.notary-server" . }}:4443; - } - {{- end }} - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - {{- if .Values.notary.enabled }} - server { - listen 4443 ssl; - server_tokens off; - # ssl - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html - ssl_protocols tlsv1.1 tlsv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:ssl:10m; - - # disable any limits to avoid http 413 for large image uploads - client_max_body_size 0; - - # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - location /v2/ { - proxy_pass http://notary-server/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - } - {{- end }} - - server { - listen 8443 ssl; - # server_name harbordomain.com; - server_tokens off; - # SSL - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - # Add extra headers - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass {{ $scheme }}://portal/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; HttpOnly; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass {{ $scheme }}://core/api/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass {{ $scheme }}://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass {{ $scheme }}://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass {{ $scheme }}://core/service/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - server { - listen 8080; - #server_name harbordomain.com; - return 301 https://$host$request_uri; - } - } -{{- end }} +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 1024; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + {{- if .Values.notary.enabled }} + upstream notary-server { + server {{ template "harbor.notary-server" . }}:4443; + } + {{- end }} + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + {{- if .Values.notary.enabled }} + server { + listen 4443 ssl; + server_tokens off; + # ssl + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html + ssl_protocols tlsv1.1 tlsv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:ssl:10m; + + # disable any limits to avoid http 413 for large image uploads + client_max_body_size 0; + + # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + location /v2/ { + proxy_pass http://notary-server/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + proxy_request_buffering off; + } + } + {{- end }} + + server { + listen 8443 ssl; + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + listen 8080; + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index 337c4473381bf7acd888ec9e7ac86f42ed8df31e..e59ecaad70cc0971cae6c857d768e738c2249b58 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml @@ -1,107 +1,107 @@ -{{- if ne .Values.expose.type "ingress" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: nginx -spec: - replicas: {{ .Values.nginx.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: nginx - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: nginx - annotations: - {{- if not .Values.expose.tls.enabled }} - checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} - {{- else }} - checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} - {{- end }} - {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} - checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} - {{- end }} -{{- if .Values.nginx.podAnnotations }} -{{ toYaml .Values.nginx.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- if .Values.nginx.serviceAccountName }} - serviceAccountName: {{ .Values.nginx.serviceAccountName }} -{{- end }} - securityContext: - fsGroup: 10000 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: nginx -{{- if contains "/" .Values.nginx.image.repository }} - image: "{{ .Values.nginx.image.repository }}" -{{- else }} - image: "{{ .Values.nginx.image.hub | default .Values.global.hub }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - {{- $_ := set . "scheme" "HTTP" -}} - {{- $_ := set . "port" "8080" -}} - {{- if .Values.expose.tls.enabled }} - {{- $_ := set . "scheme" "HTTPS" -}} - {{- $_ := set . "port" "8443" -}} - {{- end }} - livenessProbe: - httpGet: - scheme: {{ .scheme }} - path: / - port: {{ .port }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - scheme: {{ .scheme }} - path: / - port: {{ .port }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.nginx.resources }} - resources: -{{ toYaml .Values.nginx.resources | indent 10 }} -{{- end }} - ports: - - containerPort: 8080 - - containerPort: 8443 - - containerPort: 4443 - volumeMounts: - - name: config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - {{- if .Values.expose.tls.enabled }} - - name: certificate - mountPath: /etc/nginx/cert - {{- end }} - volumes: - - name: config - configMap: - name: {{ template "harbor.nginx" . }} - {{- if .Values.expose.tls.enabled }} - - name: certificate - secret: - secretName: {{ template "harbor.tlsSecretForNginx" . }} - {{- end }} - {{- with .Values.nginx.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- end }} +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: nginx +{{- if contains "/" .Values.nginx.image.repository }} + image: "{{ .Values.nginx.image.repository }}" +{{- else }} + image: "{{ .Values.nginx.image.hub | default .Values.global.hub }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} diff --git a/templates/nginx/secret.yaml b/templates/nginx/secret.yaml index c819c556d9e579aecaf1cf11afb9ed23be05bac1..98121892e422398ccd32144313771abe0072da65 100644 --- a/templates/nginx/secret.yaml +++ b/templates/nginx/secret.yaml @@ -1,23 +1,23 @@ -{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} -{{- $ca := genCA "harbor-ca" 365 }} -{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} - {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- else }} - {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- end }} +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} {{- end }} \ No newline at end of file diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml index e3e35705dbe08a3f5c2351888ace0fac206f3b83..a025a7c4f0e14ab7c1b59c7a156fdf3eb604b1d1 100644 --- a/templates/nginx/service.yaml +++ b/templates/nginx/service.yaml @@ -1,92 +1,92 @@ -{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} -apiVersion: v1 -kind: Service -metadata: -{{- if eq .Values.expose.type "clusterIP" }} -{{- $clusterIP := .Values.expose.clusterIP }} - name: {{ $clusterIP.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - type: ClusterIP - ports: - - name: http - port: {{ $clusterIP.ports.httpPort }} - targetPort: 8080 - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $clusterIP.ports.httpsPort }} - targetPort: 8443 - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $clusterIP.ports.notaryPort }} - targetPort: 4443 - {{- end }} -{{- else if eq .Values.expose.type "nodePort" }} -{{- $nodePort := .Values.expose.nodePort }} - name: {{ $nodePort.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - type: NodePort - ports: - - name: http - port: {{ $nodePort.ports.http.port }} - targetPort: 8080 - {{- if $nodePort.ports.http.nodePort }} - nodePort: {{ $nodePort.ports.http.nodePort }} - {{- end }} - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $nodePort.ports.https.port }} - targetPort: 8443 - {{- if $nodePort.ports.https.nodePort }} - nodePort: {{ $nodePort.ports.https.nodePort }} - {{- end }} - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $nodePort.ports.notary.port }} - targetPort: 4443 - {{- if $nodePort.ports.notary.nodePort }} - nodePort: {{ $nodePort.ports.notary.nodePort }} - {{- end }} - {{- end }} -{{- else if eq .Values.expose.type "loadBalancer" }} -{{- $loadBalancer := .Values.expose.loadBalancer }} - name: {{ $loadBalancer.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -{{- with $loadBalancer.annotations }} - annotations: - {{- toYaml . | nindent 4 }} -{{- end }} -spec: - type: LoadBalancer - {{- with $loadBalancer.sourceRanges }} - loadBalancerSourceRanges: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- if $loadBalancer.IP }} - loadBalancerIP: {{ $loadBalancer.IP }} - {{- end }} - ports: - - name: http - port: {{ $loadBalancer.ports.httpPort }} - targetPort: 8080 - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $loadBalancer.ports.httpsPort }} - targetPort: 8443 - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $loadBalancer.ports.notaryPort }} - targetPort: 4443 - {{- end }} -{{- end }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: nginx -{{- end }} +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: ClusterIP + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $clusterIP.ports.notaryPort }} + targetPort: 4443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $nodePort.ports.notary.port }} + targetPort: 4443 + {{- if $nodePort.ports.notary.nodePort }} + nodePort: {{ $nodePort.ports.notary.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $loadBalancer.ports.notaryPort }} + targetPort: 4443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/templates/notary/notary-secret.yaml b/templates/notary/notary-secret.yaml index 65b471958375c32365e1c27ee02d512f180e3b34..a13185aa6800a2f9e2a1964cbe8733f63281d8af 100644 --- a/templates/notary/notary-secret.yaml +++ b/templates/notary/notary-secret.yaml @@ -1,20 +1,20 @@ -{{- if and .Values.notary.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary -type: Opaque -data: - {{- if not .Values.notary.secretName }} - {{- $ca := genCA "harbor-notary-ca" 365 }} - {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - {{- end }} - server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }} - signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }} -{{- end }} +{{- if and .Values.notary.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary +type: Opaque +data: + {{- if not .Values.notary.secretName }} + {{- $ca := genCA "harbor-notary-ca" 365 }} + {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + {{- end }} + server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }} + signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }} +{{- end }} diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml index 306f3658ec41251765809a992bcac9ed6de9cf9b..770950632acc41ce3a426bcf66d31819571cb21e 100644 --- a/templates/notary/notary-server.yaml +++ b/templates/notary/notary-server.yaml @@ -1,93 +1,93 @@ -{{ if .Values.notary.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary-server -spec: - replicas: {{ .Values.notary.server.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: notary-server - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: notary-server - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if .Values.notary.podAnnotations }} -{{ toYaml .Values.notary.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.notary.server.serviceAccountName }} - serviceAccountName: {{ .Values.notary.server.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: notary-server -{{- if contains "/" .Values.notary.server.image.repository }} - image: "{{ .Values.notary.server.image.repository }}" -{{- else }} - image: "{{ .Values.notary.server.image.hub | default .Values.global.hub }}/{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" -{{- if .Values.notary.server.resources }} - resources: -{{ toYaml .Values.notary.server.resources | indent 10 }} -{{- end }} - env: - - name: MIGRATIONS_PATH - value: migrations/server/postgresql - - name: DB_URL - value: {{ template "harbor.database.notaryServer" . }} - volumeMounts: - - name: config - mountPath: /etc/notary/server-config.postgres.json - subPath: server.json - - name: token-service-certificate - mountPath: /root.crt - subPath: tls.crt - - name: signer-certificate - mountPath: /etc/ssl/notary/ca.crt - subPath: ca.crt - volumes: - - name: config - secret: - secretName: "{{ template "harbor.notary-server" . }}" - - name: token-service-certificate - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - - name: signer-certificate - secret: - {{- if .Values.notary.secretName }} - secretName: {{ .Values.notary.secretName }} - {{- else }} - secretName: {{ template "harbor.notary-server" . }} - {{- end }} - {{- with .Values.notary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} +{{ if .Values.notary.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary-server +spec: + replicas: {{ .Values.notary.server.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-server + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: notary-server + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if .Values.notary.podAnnotations }} +{{ toYaml .Values.notary.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + fsGroup: 10000 +{{- if .Values.notary.server.serviceAccountName }} + serviceAccountName: {{ .Values.notary.server.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: notary-server +{{- if contains "/" .Values.notary.server.image.repository }} + image: "{{ .Values.notary.server.image.repository }}" +{{- else }} + image: "{{ .Values.notary.server.image.hub | default .Values.global.hub }}/{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" +{{- if .Values.notary.server.resources }} + resources: +{{ toYaml .Values.notary.server.resources | indent 10 }} +{{- end }} + env: + - name: MIGRATIONS_PATH + value: migrations/server/postgresql + - name: DB_URL + value: {{ template "harbor.database.notaryServer" . }} + volumeMounts: + - name: config + mountPath: /etc/notary/server-config.postgres.json + subPath: server.json + - name: token-service-certificate + mountPath: /root.crt + subPath: tls.crt + - name: signer-certificate + mountPath: /etc/ssl/notary/ca.crt + subPath: ca.crt + volumes: + - name: config + secret: + secretName: "{{ template "harbor.notary-server" . }}" + - name: token-service-certificate + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + - name: signer-certificate + secret: + {{- if .Values.notary.secretName }} + secretName: {{ .Values.notary.secretName }} + {{- else }} + secretName: {{ template "harbor.notary-server" . }} + {{- end }} + {{- with .Values.notary.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{ end }} diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml index b7b955f9e4d4aaa3e7f322a02ac0333beddb5a2e..a3697abe6966a26db2aa95a87fcbfaef35438e84 100644 --- a/templates/notary/notary-signer.yaml +++ b/templates/notary/notary-signer.yaml @@ -1,84 +1,84 @@ -{{ if .Values.notary.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.notary-signer" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary-signer -spec: - replicas: {{ .Values.notary.signer.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: notary-signer - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: notary-signer - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.notary.signer.serviceAccountName }} - serviceAccountName: {{ .Values.notary.signer.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: notary-signer -{{- if contains "/" .Values.notary.signer.image.repository }} - image: "{{ .Values.notary.signer.image.repository }}" -{{- else }} - image: "{{ .Values.notary.signer.image.hub | default .Values.global.hub }}/{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" -{{- if .Values.notary.signer.resources }} - resources: -{{ toYaml .Values.notary.signer.resources | indent 10 }} -{{- end }} - env: - - name: MIGRATIONS_PATH - value: migrations/signer/postgresql - - name: DB_URL - value: {{ template "harbor.database.notarySigner" . }} - - name: NOTARY_SIGNER_DEFAULTALIAS - value: defaultalias - volumeMounts: - - name: config - mountPath: /etc/notary/signer-config.postgres.json - subPath: signer.json - - name: signer-certificate - mountPath: /etc/ssl/notary/tls.crt - subPath: tls.crt - - name: signer-certificate - mountPath: /etc/ssl/notary/tls.key - subPath: tls.key - volumes: - - name: config - secret: - secretName: "{{ template "harbor.notary-server" . }}" - - name: signer-certificate - secret: - {{- if .Values.notary.secretName }} - secretName: {{ .Values.notary.secretName }} - {{- else }} - secretName: {{ template "harbor.notary-server" . }} - {{- end }} - {{- with .Values.notary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} +{{ if .Values.notary.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.notary-signer" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary-signer +spec: + replicas: {{ .Values.notary.signer.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-signer + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: notary-signer + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} + spec: + securityContext: + fsGroup: 10000 +{{- if .Values.notary.signer.serviceAccountName }} + serviceAccountName: {{ .Values.notary.signer.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: notary-signer +{{- if contains "/" .Values.notary.signer.image.repository }} + image: "{{ .Values.notary.signer.image.repository }}" +{{- else }} + image: "{{ .Values.notary.signer.image.hub | default .Values.global.hub }}/{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" +{{- if .Values.notary.signer.resources }} + resources: +{{ toYaml .Values.notary.signer.resources | indent 10 }} +{{- end }} + env: + - name: MIGRATIONS_PATH + value: migrations/signer/postgresql + - name: DB_URL + value: {{ template "harbor.database.notarySigner" . }} + - name: NOTARY_SIGNER_DEFAULTALIAS + value: defaultalias + volumeMounts: + - name: config + mountPath: /etc/notary/signer-config.postgres.json + subPath: signer.json + - name: signer-certificate + mountPath: /etc/ssl/notary/tls.crt + subPath: tls.crt + - name: signer-certificate + mountPath: /etc/ssl/notary/tls.key + subPath: tls.key + volumes: + - name: config + secret: + secretName: "{{ template "harbor.notary-server" . }}" + - name: signer-certificate + secret: + {{- if .Values.notary.secretName }} + secretName: {{ .Values.notary.secretName }} + {{- else }} + secretName: {{ template "harbor.notary-server" . }} + {{- end }} + {{- with .Values.notary.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{ end }} diff --git a/templates/notary/notary-svc.yaml b/templates/notary/notary-svc.yaml index f02ba3c14de5a7615db985d2bd38377556af1361..2bca7ed87fa38de5b2219461642922945e34b9bf 100644 --- a/templates/notary/notary-svc.yaml +++ b/templates/notary/notary-svc.yaml @@ -1,31 +1,31 @@ -{{ if .Values.notary.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: -{{- if (eq .Values.expose.ingress.controller "gce") }} - type: NodePort -{{- end }} - ports: - - port: 4443 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: notary-server - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.notary-signer" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 7899 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: notary-signer +{{ if .Values.notary.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: +{{- if (eq .Values.expose.ingress.controller "gce") }} + type: NodePort +{{- end }} + ports: + - port: 4443 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: notary-server + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.notary-signer" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 7899 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: notary-signer {{ end }} \ No newline at end of file diff --git a/templates/portal/configmap.yaml b/templates/portal/configmap.yaml index fed5ac04400be6aa79e1a4e2f9062aedfaf2dc3b..773cfe2927aef02483b26056f46520956274c48d 100644 --- a/templates/portal/configmap.yaml +++ b/templates/portal/configmap.yaml @@ -1,50 +1,50 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - server { - {{- if .Values.internalTLS.enabled }} - listen {{ template "harbor.portal.containerPort" . }} ssl; - # SSL - ssl_certificate /etc/harbor/ssl/portal/tls.crt; - ssl_certificate_key /etc/harbor/ssl/portal/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - {{- else }} - listen {{ template "harbor.portal.containerPort" . }}; - {{- end }} - server_name localhost; - root /usr/share/nginx/html; - index index.html index.htm; - include /etc/nginx/mime.types; - gzip on; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; - location / { - try_files $uri $uri/ /index.html; - } - location = /index.html { - add_header Cache-Control "no-store, no-cache, must-revalidate"; - } - } - } +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + listen {{ template "harbor.portal.containerPort" . }} ssl; + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index 887fcf8dfe0e4fe8d41ee3347b579cf16fca2dbc..0cd172135f1acdb63e2496a92babf66c2ef478d0 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml @@ -1,92 +1,92 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: portal -spec: - replicas: {{ .Values.portal.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: portal - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: portal - annotations: -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.portal.podAnnotations }} -{{ toYaml .Values.portal.podAnnotations | indent 8 }} -{{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- if .Values.portal.serviceAccountName }} - serviceAccountName: {{ .Values.portal.serviceAccountName }} -{{- end }} - containers: - - name: portal -{{- if contains "/" .Values.portal.image.repository }} - image: "{{ .Values.portal.image.repository }}" -{{- else }} - image: "{{ .Values.portal.image.hub | default .Values.global.hub }}/{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" -{{- if .Values.portal.resources }} - resources: -{{ toYaml .Values.portal.resources | indent 10 }} -{{- end }} - livenessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.portal.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.portal.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 - ports: - - containerPort: {{ template "harbor.portal.containerPort" . }} - volumeMounts: - - name: portal-config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - {{- if .Values.internalTLS.enabled }} - - name: portal-internal-certs - mountPath: /etc/harbor/ssl/portal - {{- end }} - volumes: - - name: portal-config - configMap: - name: "{{ template "harbor.portal" . }}" - {{- if .Values.internalTLS.enabled }} - - name: portal-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.portal.secretName" . }} - {{- end }} - {{- with .Values.portal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.portal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.portal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: portal + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + containers: + - name: portal +{{- if contains "/" .Values.portal.image.repository }} + image: "{{ .Values.portal.image.repository }}" +{{- else }} + image: "{{ .Values.portal.image.hub | default .Values.global.hub }}/{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/templates/portal/service.yaml b/templates/portal/service.yaml index a87fa5678ab497a05445891232c0642222f6a35d..c1523d8eaa1b4a694bb93909e2c6b898216eebdc 100644 --- a/templates/portal/service.yaml +++ b/templates/portal/service.yaml @@ -1,13 +1,13 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.portal.servicePort" . }} - targetPort: {{ template "harbor.portal.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: portal +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/templates/portal/tls.yaml b/templates/portal/tls.yaml index de63f4e813847ed36bd3985a88d82632570c7546..023143bb3fd52c768fb3027a4441a8452dcda134 100644 --- a/templates/portal/tls.yaml +++ b/templates/portal/tls.yaml @@ -1,15 +1,15 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.portal.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} -{{- end }} -{{- end }} +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/templates/redis/service.yaml b/templates/redis/service.yaml index 79c95c3e0561844fc590bc3943620af6d45785d4..46d466e7ca406712c126d73825b011055a6ac5b8 100644 --- a/templates/redis/service.yaml +++ b/templates/redis/service.yaml @@ -1,14 +1,14 @@ -{{- if eq .Values.redis.type "internal" -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.redis" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 6379 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: redis +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis {{- end -}} \ No newline at end of file diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index 93585d746b2b49125cf85486e2c1cc38bc3dbc94..eeb211cca492fb90969a1fc2d4a3555cc39489ff 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -1,103 +1,103 @@ -{{- if eq .Values.redis.type "internal" -}} -{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "harbor.redis" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: redis -spec: - replicas: 1 - serviceName: {{ template "harbor.redis" . }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: redis - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: redis -{{- if .Values.redis.podAnnotations }} - annotations: -{{ toYaml .Values.redis.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 999 -{{- if .Values.redis.internal.serviceAccountName }} - serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: redis -{{- if contains "/" .Values.redis.internal.image.repository }} - image: "{{ .Values.redis.internal.image.repository }}" -{{- else }} - image: "{{ .Values.redis.internal.image.hub | default .Values.global.hub }}/{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - tcpSocket: - port: 6379 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 6379 - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.redis.internal.resources }} - resources: -{{ toYaml .Values.redis.internal.resources | indent 10 }} -{{- end }} - volumeMounts: - - name: data - mountPath: /var/lib/redis - subPath: {{ $redis.subPath }} - {{- if not .Values.persistence.enabled }} - volumes: - - name: data - emptyDir: {} - {{- else if $redis.existingClaim }} - volumes: - - name: data - persistentVolumeClaim: - claimName: {{ $redis.existingClaim }} - {{- end -}} - {{- with .Values.redis.internal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.redis.internal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.redis.internal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $redis.accessMode | quote }}] - {{- if $redis.storageClass }} - {{- if (eq "-" $redis.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $redis.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $redis.size | quote }} - {{- end -}} - {{- end -}} +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: redis +{{- if contains "/" .Values.redis.internal.image.repository }} + image: "{{ .Values.redis.internal.image.repository }}" +{{- else }} + image: "{{ .Values.redis.internal.image.hub | default .Values.global.hub }}/{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml index 9a12c07ea6c74c9a84734052a0e69dae033d7850..c1bba9c1e4b34d2eb84ac3ce51356817f85fd17f 100644 --- a/templates/registry/registry-cm.yaml +++ b/templates/registry/registry-cm.yaml @@ -1,224 +1,224 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - version: 0.1 - log: - {{- if eq .Values.logLevel "warning" }} - level: warn - {{- else if eq .Values.logLevel "fatal" }} - level: error - {{- else }} - level: {{ .Values.logLevel }} - {{- end }} - fields: - service: registry - storage: - {{- $storage := .Values.persistence.imageChartStorage }} - {{- $type := $storage.type }} - {{- if eq $type "filesystem" }} - filesystem: - rootdirectory: {{ $storage.filesystem.rootdirectory }} - {{- if $storage.filesystem.maxthreads }} - maxthreads: {{ $storage.filesystem.maxthreads }} - {{- end }} - {{- else if eq $type "azure" }} - azure: - accountname: {{ $storage.azure.accountname }} - container: {{ $storage.azure.container }} - {{- if $storage.azure.realm }} - realm: {{ $storage.azure.realm }} - {{- end }} - {{- else if eq $type "gcs" }} - gcs: - bucket: {{ $storage.gcs.bucket }} - keyfile: /etc/registry/gcs-key.json - {{- if $storage.gcs.rootdirectory }} - rootdirectory: {{ $storage.gcs.rootdirectory }} - {{- end }} - {{- if $storage.gcs.chunksize }} - chunksize: {{ $storage.gcs.chunksize }} - {{- end }} - {{- else if eq $type "s3" }} - s3: - region: {{ $storage.s3.region }} - bucket: {{ $storage.s3.bucket }} - {{- if $storage.s3.regionendpoint }} - regionendpoint: {{ $storage.s3.regionendpoint }} - {{- end }} - {{- if $storage.s3.encrypt }} - encrypt: {{ $storage.s3.encrypt }} - {{- end }} - {{- if $storage.s3.keyid }} - keyid: {{ $storage.s3.keyid }} - {{- end }} - {{- if $storage.s3.secure }} - secure: {{ $storage.s3.secure }} - {{- end }} - {{- if and $storage.s3.secure $storage.s3.skipverify }} - skipverify: {{ $storage.s3.skipverify }} - {{- end }} - {{- if $storage.s3.v4auth }} - v4auth: {{ $storage.s3.v4auth }} - {{- end }} - {{- if $storage.s3.chunksize }} - chunksize: {{ $storage.s3.chunksize }} - {{- end }} - {{- if $storage.s3.rootdirectory }} - rootdirectory: {{ $storage.s3.rootdirectory }} - {{- end }} - {{- if $storage.s3.storageclass }} - storageclass: {{ $storage.s3.storageclass }} - {{- end }} - {{- if $storage.s3.multipartcopychunksize }} - multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} - {{- end }} - {{- if $storage.s3.multipartcopymaxconcurrency }} - multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} - {{- end }} - {{- if $storage.s3.multipartcopythresholdsize }} - multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} - {{- end }} - {{- else if eq $type "swift" }} - swift: - authurl: {{ $storage.swift.authurl }} - username: {{ $storage.swift.username }} - container: {{ $storage.swift.container }} - {{- if $storage.swift.region }} - region: {{ $storage.swift.region }} - {{- end }} - {{- if $storage.swift.tenant }} - tenant: {{ $storage.swift.tenant }} - {{- end }} - {{- if $storage.swift.tenantid }} - tenantid: {{ $storage.swift.tenantid }} - {{- end }} - {{- if $storage.swift.domain }} - domain: {{ $storage.swift.domain }} - {{- end }} - {{- if $storage.swift.domainid }} - domainid: {{ $storage.swift.domainid }} - {{- end }} - {{- if $storage.swift.trustid }} - trustid: {{ $storage.swift.trustid }} - {{- end }} - {{- if $storage.swift.insecureskipverify }} - insecureskipverify: {{ $storage.swift.insecureskipverify }} - {{- end }} - {{- if $storage.swift.chunksize }} - chunksize: {{ $storage.swift.chunksize }} - {{- end }} - {{- if $storage.swift.prefix }} - prefix: {{ $storage.swift.prefix }} - {{- end }} - {{- if $storage.swift.authversion }} - authversion: {{ $storage.swift.authversion }} - {{- end }} - {{- if $storage.swift.endpointtype }} - endpointtype: {{ $storage.swift.endpointtype }} - {{- end }} - {{- if $storage.swift.tempurlcontainerkey }} - tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} - {{- end }} - {{- if $storage.swift.tempurlmethods }} - tempurlmethods: {{ $storage.swift.tempurlmethods }} - {{- end }} - {{- else if eq $type "oss" }} - oss: - accesskeyid: {{ $storage.oss.accesskeyid }} - region: {{ $storage.oss.region }} - bucket: {{ $storage.oss.bucket }} - {{- if $storage.oss.endpoint }} - endpoint: {{ $storage.oss.endpoint }} - {{- end }} - {{- if $storage.oss.internal }} - internal: {{ $storage.oss.internal }} - {{- end }} - {{- if $storage.oss.encrypt }} - encrypt: {{ $storage.oss.encrypt }} - {{- end }} - {{- if $storage.oss.secure }} - secure: {{ $storage.oss.secure }} - {{- end }} - {{- if $storage.oss.chunksize }} - chunksize: {{ $storage.oss.chunksize }} - {{- end }} - {{- if $storage.oss.rootdirectory }} - rootdirectory: {{ $storage.oss.rootdirectory }} - {{- end }} - {{- end }} - cache: - layerinfo: redis - maintenance: - uploadpurging: - enabled: false - delete: - enabled: true - redirect: - disable: {{ $storage.disableredirect }} - redis: - addr: {{ template "harbor.redis.addr" . }} - {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} - sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} - {{- end }} - db: {{ template "harbor.redis.dbForRegistry" . }} - password: {{ template "harbor.redis.password" . }} - readtimeout: 10s - writetimeout: 10s - dialtimeout: 10s - http: - addr: :{{ template "harbor.registry.containerPort" . }} - relativeurls: {{ .Values.registry.relativeurls }} - {{- if .Values.internalTLS.enabled }} - tls: - certificate: /etc/harbor/ssl/registry/tls.crt - key: /etc/harbor/ssl/registry/tls.key - minimumtls: tls1.2 - {{- end }} - # set via environment variable - # secret: placeholder - debug: - addr: localhost:5001 - auth: - htpasswd: - realm: harbor-registry-basic-realm - path: /etc/registry/passwd - validation: - disabled: true - compatibility: - schema1: - enabled: true - - {{- if .Values.registry.middleware.enabled }} - {{- $middleware := .Values.registry.middleware }} - {{- $middlewareType := $middleware.type }} - {{- if eq $middlewareType "cloudFront" }} - middleware: - storage: - - name: cloudfront - options: - baseurl: {{ $middleware.cloudFront.baseurl }} - privatekey: /etc/registry/pk.pem - keypairid: {{ $middleware.cloudFront.keypairid }} - duration: {{ $middleware.cloudFront.duration }} - ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} - {{- end }} - {{- end }} - ctl-config.yml: |+ - --- - {{- if .Values.internalTLS.enabled }} - protocol: "https" - port: 8443 - https_config: - cert: "/etc/harbor/ssl/registry/tls.crt" - key: "/etc/harbor/ssl/registry/tls.key" - {{- else }} - protocol: "http" - port: 8080 - {{- end }} - log_level: {{ .Values.logLevel }} - registry_config: "/etc/registry/config.yml" +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + keyfile: /etc/registry/gcs-key.json + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + enabled: false + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + password: {{ template "harbor.redis.password" . }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + addr: localhost:5001 + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index dedacdc6f2afcae7b87cf53c4974d1e611ef80a9..316b645a85a8c69b5fc722bbee9f980c088f69dc 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -1,280 +1,280 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: registry -spec: - replicas: {{ .Values.registry.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: registry - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: registry - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} - checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.registry.podAnnotations }} -{{ toYaml .Values.registry.podAnnotations | indent 8 }} -{{- end }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.registry.serviceAccountName }} - serviceAccountName: {{ .Values.registry.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: registry -{{- if contains "/" .Values.registry.registry.image.repository }} - image: "{{ .Values.registry.registry.image.repository }}" -{{- else }} - image: "{{ .Values.registry.registry.image.hub | default .Values.global.hub }}/{{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registry.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registry.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.registry.registry.resources }} - resources: -{{ toYaml .Values.registry.registry.resources | indent 10 }} -{{- end }} - args: ["serve", "/etc/registry/config.yml"] - envFrom: - - secretRef: - name: "{{ template "harbor.registry" . }}" - env: - {{- if has "registry" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/registry/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/registry/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/registry/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.registry.containerPort" . }} - - containerPort: 5001 - volumeMounts: - - name: registry-data - mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} - subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} - - name: registry-root-certificate - mountPath: /etc/registry/root.crt - subPath: tls.crt - - name: registry-htpasswd - mountPath: /etc/registry/passwd - subPath: passwd - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - mountPath: /etc/harbor/ssl/registry - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/registry/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if .Values.registry.middleware.enabled }} - {{- if eq .Values.registry.middleware.type "cloudFront" }} - - name: cloudfront-key - mountPath: /etc/registry/pk.pem - subPath: pk.pem - {{- end }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - - name: registryctl -{{- if contains "/" .Values.registry.controller.image.repository }} - image: "{{ .Values.registry.controller.image.repository }}" -{{- else }} - image: "{{ .Values.registry.controller.image.hub | default .Values.global.hub }}/{{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /api/health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registryctl.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registryctl.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.registry.controller.resources }} - resources: -{{ toYaml .Values.registry.controller.resources | indent 10 }} -{{- end }} - envFrom: - - secretRef: - name: "{{ template "harbor.registry" . }}" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.jobservice" . }} - key: JOBSERVICE_SECRET - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/registry/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/registry/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/registry/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.registryctl.containerPort" . }} - volumeMounts: - - name: registry-data - mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} - subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: registry-config - mountPath: /etc/registryctl/config.yml - subPath: ctl-config.yml - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - mountPath: /etc/harbor/ssl/registry - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/registry/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: registry-htpasswd - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: REGISTRY_HTPASSWD - path: passwd - - name: registry-root-certificate - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - - name: registry-config - configMap: - name: "{{ template "harbor.registry" . }}" - - name: registry-data - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.registry.secretName" . }} - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: GCS_KEY_DATA - path: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - secret: - secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} - {{- end }} - {{- if .Values.registry.middleware.enabled }} - {{- if eq .Values.registry.middleware.type "cloudFront" }} - - name: cloudfront-key - secret: - secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} - items: - - key: CLOUDFRONT_KEY_DATA - path: pk.pem - {{- end }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.registry.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + fsGroup: 10000 +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: registry +{{- if contains "/" .Values.registry.registry.image.repository }} + image: "{{ .Values.registry.registry.image.repository }}" +{{- else }} + image: "{{ .Values.registry.registry.image.hub | default .Values.global.hub }}/{{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + env: + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-root-certificate + mountPath: /etc/registry/root.crt + subPath: tls.crt + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl +{{- if contains "/" .Values.registry.controller.image.repository }} + image: "{{ .Values.registry.controller.image.repository }}" +{{- else }} + image: "{{ .Values.registry.controller.image.hub | default .Values.global.hub }}/{{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.jobservice" . }} + key: JOBSERVICE_SECRET + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + secretName: {{ template "harbor.registry" . }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-root-certificate + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + - name: gcs-key + secret: + secretName: {{ template "harbor.registry" . }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/templates/registry/registry-pvc.yaml b/templates/registry/registry-pvc.yaml index 7340fa649115f0ee3367806ef59b3ab839bcc011..26e4d69225c0d1fc432601d665df0661505a9dc5 100644 --- a/templates/registry/registry-pvc.yaml +++ b/templates/registry/registry-pvc.yaml @@ -1,29 +1,29 @@ -{{- if .Values.persistence.enabled }} -{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} -{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.registry" . }} - {{- if eq .Values.persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: registry -spec: - accessModes: - - {{ $registry.accessMode }} - resources: - requests: - storage: {{ $registry.size }} - {{- if $registry.storageClass }} - {{- if eq "-" $registry.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $registry.storageClass }} - {{- end }} - {{- end }} -{{- end }} +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + annotations: + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index 96ad7b9165850b679c9e366878f20fafb3ea9ec5..e636080c0aa54b7d5d695e2537bfa609ecf8347e 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml @@ -1,35 +1,35 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }} - REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} - REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }} - {{- $storage := .Values.persistence.imageChartStorage }} - {{- $type := $storage.type }} - {{- if eq $type "azure" }} - REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} - {{- else if eq $type "gcs" }} - GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} - {{- else if eq $type "s3" }} - {{- if $storage.s3.accesskey }} - REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} - {{- end }} - {{- if $storage.s3.secretkey }} - REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} - {{- end }} - {{- else if eq $type "swift" }} - REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} - {{- if $storage.swift.secretkey }} - REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} - {{- end }} - {{- if $storage.swift.accesskey }} - REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} - {{- end }} - {{- else if eq $type "oss" }} - REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} - {{- end }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "azure" }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if eq $type "gcs" }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if $storage.s3.accesskey }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if $storage.s3.secretkey }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if eq $type "swift" }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if eq $type "oss" }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} diff --git a/templates/registry/registry-svc.yaml b/templates/registry/registry-svc.yaml index d6d3b31205c31974e5647a938381e61f73df68bd..64be22663190706b6c34c62b4341e806570c618e 100644 --- a/templates/registry/registry-svc.yaml +++ b/templates/registry/registry-svc.yaml @@ -1,15 +1,15 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: registry - port: {{ template "harbor.registry.servicePort" . }} - - name: controller - port: {{ template "harbor.registryctl.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: registry + port: {{ template "harbor.registry.servicePort" . }} + - name: controller + port: {{ template "harbor.registryctl.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} component: registry \ No newline at end of file diff --git a/templates/registry/registry-tls.yaml b/templates/registry/registry-tls.yaml index 9d1862c417deb29e91b4e328b216c1cb4119ef0c..8a4b1bf866893d37bcd349da5de23e896c16347b 100644 --- a/templates/registry/registry-tls.yaml +++ b/templates/registry/registry-tls.yaml @@ -1,15 +1,15 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.registry.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} -{{- end }} +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/templates/trivy/trivy-secret.yaml b/templates/trivy/trivy-secret.yaml index 84652c7498a2fe435415a3f0b2678ec9d18e5fb7..af588a5403e40963a355fa779dd13b518b034c09 100644 --- a/templates/trivy/trivy-secret.yaml +++ b/templates/trivy/trivy-secret.yaml @@ -1,12 +1,12 @@ -{{- if .Values.trivy.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.trivy" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} - gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} -{{- end }} +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index ae0e0b59fabb020ebd53616639935e3931ac6b6c..273fbb613ab86b45a2f7ba36c0e07f874b903815 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml @@ -1,198 +1,198 @@ -{{- if .Values.trivy.enabled }} -{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "harbor.trivy" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: trivy -spec: - replicas: {{ .Values.trivy.replicas }} - serviceName: {{ template "harbor.trivy" . }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: trivy - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: trivy - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.trivy.podAnnotations }} -{{ toYaml .Values.trivy.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} -{{- if .Values.trivy.serviceAccountName }} - serviceAccountName: {{ .Values.trivy.serviceAccountName }} -{{- end }} - securityContext: - runAsNonRoot: true - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: trivy -{{- if contains "/" .Values.trivy.image.repository }} - image: "{{ .Values.trivy.image.repository }}" -{{- else }} - image: "{{ .Values.trivy.image.hub | default .Values.global.hub }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - securityContext: - privileged: false - allowPrivilegeEscalation: false - env: - {{- if has "trivy" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - - name: "SCANNER_LOG_LEVEL" - value: {{ .Values.logLevel | quote }} - - name: "SCANNER_TRIVY_CACHE_DIR" - value: "/home/scanner/.cache/trivy" - - name: "SCANNER_TRIVY_REPORTS_DIR" - value: "/home/scanner/.cache/reports" - - name: "SCANNER_TRIVY_DEBUG_MODE" - value: {{ .Values.trivy.debugMode | quote }} - - name: "SCANNER_TRIVY_VULN_TYPE" - value: {{ .Values.trivy.vulnType | quote }} - - name: "SCANNER_TRIVY_GITHUB_TOKEN" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: gitHubToken - - name: "SCANNER_TRIVY_SEVERITY" - value: {{ .Values.trivy.severity | quote }} - - name: "SCANNER_TRIVY_IGNORE_UNFIXED" - value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} - - name: "SCANNER_TRIVY_SKIP_UPDATE" - value: {{ .Values.trivy.skipUpdate | default false | quote }} - - name: "SCANNER_TRIVY_INSECURE" - value: {{ .Values.trivy.insecure | default false | quote }} - - name: SCANNER_API_SERVER_ADDR - value: ":{{ template "harbor.trivy.containerPort" . }}" - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: SCANNER_API_SERVER_TLS_KEY - value: /etc/harbor/ssl/trivy/tls.key - - name: SCANNER_API_SERVER_TLS_CERTIFICATE - value: /etc/harbor/ssl/trivy/tls.crt - {{- end }} - - name: "SCANNER_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - - name: "SCANNER_STORE_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - - name: "SCANNER_JOB_QUEUE_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - ports: - - name: api-server - containerPort: {{ template "harbor.trivy.containerPort" . }} - volumeMounts: - - name: data - mountPath: /home/scanner/.cache - subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} - readOnly: false - {{- if .Values.internalTLS.enabled }} - - name: trivy-internal-certs - mountPath: /etc/harbor/ssl/trivy - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 10 }} - {{- end }} - livenessProbe: - httpGet: - scheme: {{ include "harbor.component.scheme" . | upper }} - path: /probe/healthy - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - readinessProbe: - httpGet: - scheme: {{ include "harbor.component.scheme" . | upper }} - path: /probe/ready - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: -{{ toYaml .Values.trivy.resources | indent 12 }} - {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} - volumes: - {{- if .Values.internalTLS.enabled }} - - name: trivy-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- if not .Values.persistence.enabled }} - - name: "data" - emptyDir: {} - {{- else if $trivy.existingClaim }} - - name: "data" - persistentVolumeClaim: - claimName: {{ $trivy.existingClaim }} - {{- end }} - {{- end }} - {{- with .Values.trivy.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.trivy.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.trivy.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $trivy.accessMode | quote }}] - {{- if $trivy.storageClass }} - {{- if (eq "-" $trivy.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $trivy.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $trivy.size | quote }} -{{- end }} -{{- end }} +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: false + containers: + - name: trivy +{{- if contains "/" .Values.trivy.image.repository }} + image: "{{ .Values.trivy.image.repository }}" +{{- else }} + image: "{{ .Values.trivy.image.hub | default .Values.global.hub }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" +{{- end }} + imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/templates/trivy/trivy-svc.yaml b/templates/trivy/trivy-svc.yaml index 7dac67080b6e8dd97ff5c3ac98a3d17840554885..f15c5a3765def3cc110ecf8b6cb968a088550595 100644 --- a/templates/trivy/trivy-svc.yaml +++ b/templates/trivy/trivy-svc.yaml @@ -1,16 +1,16 @@ -{{ if .Values.trivy.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.trivy" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: api-server - protocol: TCP - port: {{ template "harbor.trivy.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: trivy -{{ end }} +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: api-server + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/templates/trivy/trivy-tls.yaml b/templates/trivy/trivy-tls.yaml index a9c8330c37070fb74f2ab53505478585caf71b39..7d51eb0118ea9c7d659bfe1756fe5aff3e74b2dd 100644 --- a/templates/trivy/trivy-tls.yaml +++ b/templates/trivy/trivy-tls.yaml @@ -1,15 +1,15 @@ -{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} -{{- end }} -{{- end }} +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/test/go.mod b/test/go.mod index 9432ecf89973bfa25fa44279c6ee863431dcb46f..9a274cd313ab4f568b0712194311b518ec74b123 100644 --- a/test/go.mod +++ b/test/go.mod @@ -1,9 +1,9 @@ -module github.com/goharbor/harbor-helm - -go 1.13 - -require ( - github.com/gruntwork-io/terratest v0.28.2 - github.com/stretchr/testify v1.6.0 - k8s.io/api v0.18.3 -) +module github.com/goharbor/harbor-helm + +go 1.13 + +require ( + github.com/gruntwork-io/terratest v0.28.2 + github.com/stretchr/testify v1.6.0 + k8s.io/api v0.18.3 +) diff --git a/test/go.sum b/test/go.sum index 7ba18632358c96ff12f1ab7b4dfbc65017021551..805e9b22626030edf15bcb39ec742222add47ee9 100644 --- a/test/go.sum +++ b/test/go.sum @@ -1,572 +1,572 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= -cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v38.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= -github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= -github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM= -github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= -github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= -github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= -github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= -github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI= -github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= -github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= -github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= -github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= -github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= -github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= -github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= -github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= -github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= -github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= -github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c h1:ZfSZ3P3BedhKGUhzj7BQlPSU4OvT6tfOKe3DVHzOA7s= -github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 h1:yY9rWGoXv1U5pl4gxqlULARMQD7x0QG85lqEXTWysik= -github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= -github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2 h1:dWB6v3RcOy03t/bUadywsbyrQwCqZeNIEX6M1OtSZOM= -github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= -github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= -github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= -github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= -github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= -github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/gruntwork-io/gruntwork-cli v0.5.1 h1:mVmVsFubUSLSCO8bGigI63HXzvzkC0uWXzm4dd9pXRg= -github.com/gruntwork-io/gruntwork-cli v0.5.1/go.mod h1:IBX21bESC1/LGoV7jhXKUnTQTZgQ6dYRsoj/VqxUSZQ= -github.com/gruntwork-io/terratest v0.28.2 h1:M9CMfS/5unIawxYlz55eRDWH16AH522OAJcUc+zsKv4= -github.com/gruntwork-io/terratest v0.28.2/go.mod h1:lTntpr4gGDzb2YEQ1GTjC5G/xw9ixMwxGmZkPCk1O0A= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= -github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= -github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= -github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= -github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= -github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= -github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= -github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho= -github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= -github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo= -golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200107162124-548cf772de50 h1:YvQ10rzcqWXLlJZ3XCUoO25savxmscf4+SC+ZqiCHhA= -golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200113040837-eac381796e91/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= -gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= -gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= -k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0= -k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA= -k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= -k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk= -k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= -k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= -k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k= -k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw= -k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= -k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= -k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= -k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= -k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= -k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= -k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU= -k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= -modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= -modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= -modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= -modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= -sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06 h1:zD2IemQ4LmOcAumeiyDWXKUI2SO0NYDe3H6QGvPOVgU= -sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM= +github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c h1:ZfSZ3P3BedhKGUhzj7BQlPSU4OvT6tfOKe3DVHzOA7s= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 h1:yY9rWGoXv1U5pl4gxqlULARMQD7x0QG85lqEXTWysik= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2 h1:dWB6v3RcOy03t/bUadywsbyrQwCqZeNIEX6M1OtSZOM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= +github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/gruntwork-cli v0.5.1 h1:mVmVsFubUSLSCO8bGigI63HXzvzkC0uWXzm4dd9pXRg= +github.com/gruntwork-io/gruntwork-cli v0.5.1/go.mod h1:IBX21bESC1/LGoV7jhXKUnTQTZgQ6dYRsoj/VqxUSZQ= +github.com/gruntwork-io/terratest v0.28.2 h1:M9CMfS/5unIawxYlz55eRDWH16AH522OAJcUc+zsKv4= +github.com/gruntwork-io/terratest v0.28.2/go.mod h1:lTntpr4gGDzb2YEQ1GTjC5G/xw9ixMwxGmZkPCk1O0A= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho= +github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo= +golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200107162124-548cf772de50 h1:YvQ10rzcqWXLlJZ3XCUoO25savxmscf4+SC+ZqiCHhA= +golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200113040837-eac381796e91/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0= +k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk= +k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k= +k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= +k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU= +k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06 h1:zD2IemQ4LmOcAumeiyDWXKUI2SO0NYDe3H6QGvPOVgU= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= +sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E= +sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/test/install_helm.sh b/test/install_helm.sh index 8e97139b0675b2da6bc614527de3fc9e7393083d..7a1264380040db7f9045385f570cea170680bcef 100644 --- a/test/install_helm.sh +++ b/test/install_helm.sh @@ -1,24 +1,24 @@ -#/bin/bash -set -e -version=${HELM_VERSION} -if [ "$version" = "2" ] -then - dist="helm-v2.8.0-linux-amd64.tar.gz" - # as the helm v3 removes tiller, here appends the "-c" option - # to args only when running helm v2 to display the client version - version_args="-c" -elif [ "$version" = "3" ] -then - # the "template" command doesn't work for helm beta3: - # https://github.com/helm/helm/issues/6404, use the beta2 for now - dist="helm-v3.0.0-beta.2-linux-amd64.tar.gz" -else - echo "unsupported helm version: $version" - exit 1 -fi -wget -O /tmp/${dist} https://get.helm.sh/${dist} -tar -zxvf /tmp/${dist} -C /tmp/ - -sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm -helm version $version_args +#/bin/bash +set -e +version=${HELM_VERSION} +if [ "$version" = "2" ] +then + dist="helm-v2.8.0-linux-amd64.tar.gz" + # as the helm v3 removes tiller, here appends the "-c" option + # to args only when running helm v2 to display the client version + version_args="-c" +elif [ "$version" = "3" ] +then + # the "template" command doesn't work for helm beta3: + # https://github.com/helm/helm/issues/6404, use the beta2 for now + dist="helm-v3.0.0-beta.2-linux-amd64.tar.gz" +else + echo "unsupported helm version: $version" + exit 1 +fi +wget -O /tmp/${dist} https://get.helm.sh/${dist} +tar -zxvf /tmp/${dist} -C /tmp/ + +sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm +helm version $version_args echo "Helm installed" \ No newline at end of file diff --git a/test/integration/base.go b/test/integration/base.go index 721789137cd0cf80e76ba09a150e8caaf1c8b067..a488c20b90e478eeb24a37baa819fd747e0b94ae 100644 --- a/test/integration/base.go +++ b/test/integration/base.go @@ -1,145 +1,145 @@ -package integration - -import ( - "crypto/tls" - "encoding/json" - "fmt" - "io/ioutil" - "log" - "net/http" - "os" - "os/exec" - "strings" - "time" - - "github.com/gruntwork-io/terratest/modules/helm" - "github.com/gruntwork-io/terratest/modules/k8s" - "github.com/stretchr/testify/suite" -) - -var ( - client = &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, - }, - }, - } -) - -func NewBaseTestSuite(values map[string]string) BaseTestSuite { - if values == nil { - values = map[string]string{} - } - return BaseTestSuite{ - Options: &helm.Options{ - KubectlOptions: &k8s.KubectlOptions{ - Namespace: "default", - }, - SetValues: values, - }, - ReleaseName: "harbor", - URL: values["externalURL"], - } -} - -type BaseTestSuite struct { - suite.Suite - Options *helm.Options - ReleaseName string - URL string // the external URL of Harbor -} - -func (b *BaseTestSuite) SetupSuite() { - helm.Install(b.T(), b.Options, "../..", b.ReleaseName) - b.waitUntilHealthy(b.URL) -} - -type overallStatus struct { - Status string `json:"status"` - Components []*componentStatus `json:"components"` -} - -type componentStatus struct { - Name string `json:"name"` - Status string `json:"status"` - Error string `json:"error,omitempty"` -} - -func (b *BaseTestSuite) waitUntilHealthy(url string) { - url = fmt.Sprintf("%s/api/v2.0/health", url) - log.Printf("wait until Harbor is healthy by calling health check API: %s ...", url) - for i := 0; i < 60; i++ { - time.Sleep(10 * time.Second) - - resp, err := client.Get(url) - if err != nil { - log.Printf("failed to call the health API: %v, retry 10 seconds later...", err) - continue - } - - if resp.StatusCode != http.StatusOK { - log.Printf("the response status code %d != 200, retry 10 seconds later...", resp.StatusCode) - continue - } - - data, err := ioutil.ReadAll(resp.Body) - b.Require().Nil(err) - resp.Body.Close() - status := &overallStatus{} - err = json.Unmarshal(data, status) - b.Require().Nil(err) - if status.Status != "healthy" { - for _, component := range status.Components { - if component.Status == "healthy" { - continue - } - log.Printf("the status of component %s isn't healthy: %s , retry 10 seconds later...", - component.Name, component.Error) - break - } - continue - } - - log.Printf("the status is healthy") - return - } - b.FailNow("the status still isn't healthy after several retries") -} - -func (b *BaseTestSuite) TestPush() { - addr := strings.TrimPrefix(b.URL, "http://") - addr = strings.TrimPrefix(addr, "https://") - - // push image - b.T().Log("pushing the image...") - cmdStr := fmt.Sprintf("docker pull hello-world:latest;docker tag hello-world:latest %s/library/hello-world:latest; docker login %s -u admin -p Harbor12345;docker push %s/library/hello-world:latest", - addr, addr, addr) - cmd := exec.Command("/bin/sh", "-c", cmdStr) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - err := cmd.Run() - b.Require().Nil(err) - - // delete image in local - b.T().Log("deleting the image in local") - cmdStr = fmt.Sprintf("docker rmi %s/library/hello-world:latest", addr) - cmd = exec.Command("/bin/sh", "-c", cmdStr) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - err = cmd.Run() - b.Require().Nil(err) - - // pull image - b.T().Log("pull the image...") - cmdStr = fmt.Sprintf("docker pull %s/library/hello-world:latest", addr) - cmd = exec.Command("/bin/sh", "-c", cmdStr) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - err = cmd.Run() - b.Require().Nil(err) -} - -func (b *BaseTestSuite) TearDownSuite() { - helm.Delete(b.T(), &helm.Options{}, b.ReleaseName, true) -} +package integration + +import ( + "crypto/tls" + "encoding/json" + "fmt" + "io/ioutil" + "log" + "net/http" + "os" + "os/exec" + "strings" + "time" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/gruntwork-io/terratest/modules/k8s" + "github.com/stretchr/testify/suite" +) + +var ( + client = &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + }, + } +) + +func NewBaseTestSuite(values map[string]string) BaseTestSuite { + if values == nil { + values = map[string]string{} + } + return BaseTestSuite{ + Options: &helm.Options{ + KubectlOptions: &k8s.KubectlOptions{ + Namespace: "default", + }, + SetValues: values, + }, + ReleaseName: "harbor", + URL: values["externalURL"], + } +} + +type BaseTestSuite struct { + suite.Suite + Options *helm.Options + ReleaseName string + URL string // the external URL of Harbor +} + +func (b *BaseTestSuite) SetupSuite() { + helm.Install(b.T(), b.Options, "../..", b.ReleaseName) + b.waitUntilHealthy(b.URL) +} + +type overallStatus struct { + Status string `json:"status"` + Components []*componentStatus `json:"components"` +} + +type componentStatus struct { + Name string `json:"name"` + Status string `json:"status"` + Error string `json:"error,omitempty"` +} + +func (b *BaseTestSuite) waitUntilHealthy(url string) { + url = fmt.Sprintf("%s/api/v2.0/health", url) + log.Printf("wait until Harbor is healthy by calling health check API: %s ...", url) + for i := 0; i < 60; i++ { + time.Sleep(10 * time.Second) + + resp, err := client.Get(url) + if err != nil { + log.Printf("failed to call the health API: %v, retry 10 seconds later...", err) + continue + } + + if resp.StatusCode != http.StatusOK { + log.Printf("the response status code %d != 200, retry 10 seconds later...", resp.StatusCode) + continue + } + + data, err := ioutil.ReadAll(resp.Body) + b.Require().Nil(err) + resp.Body.Close() + status := &overallStatus{} + err = json.Unmarshal(data, status) + b.Require().Nil(err) + if status.Status != "healthy" { + for _, component := range status.Components { + if component.Status == "healthy" { + continue + } + log.Printf("the status of component %s isn't healthy: %s , retry 10 seconds later...", + component.Name, component.Error) + break + } + continue + } + + log.Printf("the status is healthy") + return + } + b.FailNow("the status still isn't healthy after several retries") +} + +func (b *BaseTestSuite) TestPush() { + addr := strings.TrimPrefix(b.URL, "http://") + addr = strings.TrimPrefix(addr, "https://") + + // push image + b.T().Log("pushing the image...") + cmdStr := fmt.Sprintf("docker pull hello-world:latest;docker tag hello-world:latest %s/library/hello-world:latest; docker login %s -u admin -p Harbor12345;docker push %s/library/hello-world:latest", + addr, addr, addr) + cmd := exec.Command("/bin/sh", "-c", cmdStr) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + err := cmd.Run() + b.Require().Nil(err) + + // delete image in local + b.T().Log("deleting the image in local") + cmdStr = fmt.Sprintf("docker rmi %s/library/hello-world:latest", addr) + cmd = exec.Command("/bin/sh", "-c", cmdStr) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + err = cmd.Run() + b.Require().Nil(err) + + // pull image + b.T().Log("pull the image...") + cmdStr = fmt.Sprintf("docker pull %s/library/hello-world:latest", addr) + cmd = exec.Command("/bin/sh", "-c", cmdStr) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + err = cmd.Run() + b.Require().Nil(err) +} + +func (b *BaseTestSuite) TearDownSuite() { + helm.Delete(b.T(), &helm.Options{}, b.ReleaseName, true) +} diff --git a/test/integration/ingress_test.go b/test/integration/ingress_test.go index 71a24ec23b03f4c8f41fe13f66023e8af13ac7bd..0115e677e5379bd6f68d97d22112ac96dd2389c7 100644 --- a/test/integration/ingress_test.go +++ b/test/integration/ingress_test.go @@ -1,28 +1,28 @@ -package integration - -import ( - "fmt" - "testing" - - "github.com/gruntwork-io/terratest/modules/k8s" - "github.com/stretchr/testify/suite" -) - -type IngressTestSuite struct { - BaseTestSuite -} - -func (i *IngressTestSuite) TestIngress() { - k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress", i.ReleaseName)) - k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress-notary", i.ReleaseName)) -} - -func TestIngressTestSuite(t *testing.T) { - suite.Run(t, &IngressTestSuite{ - BaseTestSuite: NewBaseTestSuite(map[string]string{ - "expose.ingress.hosts.core": "harbor.local", - "expose.ingress.hosts.notary": "notary.harbor.local", - "externalURL": "https://harbor.local", - }), - }) -} +package integration + +import ( + "fmt" + "testing" + + "github.com/gruntwork-io/terratest/modules/k8s" + "github.com/stretchr/testify/suite" +) + +type IngressTestSuite struct { + BaseTestSuite +} + +func (i *IngressTestSuite) TestIngress() { + k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress", i.ReleaseName)) + k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress-notary", i.ReleaseName)) +} + +func TestIngressTestSuite(t *testing.T) { + suite.Run(t, &IngressTestSuite{ + BaseTestSuite: NewBaseTestSuite(map[string]string{ + "expose.ingress.hosts.core": "harbor.local", + "expose.ingress.hosts.notary": "notary.harbor.local", + "externalURL": "https://harbor.local", + }), + }) +} diff --git a/test/integration/kind-cluster.yaml b/test/integration/kind-cluster.yaml index ca9bf4a187c2f11dbb7a5d237ef1831406840c3b..63e3aa35e06428e801d6fe362b76c45db7c902e6 100644 --- a/test/integration/kind-cluster.yaml +++ b/test/integration/kind-cluster.yaml @@ -1,20 +1,20 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -nodes: -- role: control-plane - kubeadmConfigPatches: - - | - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - containerPort: 30003 - hostPort: 30003 - protocol: TCP +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: +- role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + - containerPort: 30003 + hostPort: 30003 + protocol: TCP diff --git a/test/integration/node_port_test.go b/test/integration/node_port_test.go index 07c2bafe29c0fd1bcf4b7781f50001373ed01cae..134c3db6748efaee06356d75f9420c9d3ba6cc0a 100644 --- a/test/integration/node_port_test.go +++ b/test/integration/node_port_test.go @@ -1,28 +1,28 @@ -package integration - -import ( - "testing" - - "github.com/gruntwork-io/terratest/modules/k8s" - "github.com/stretchr/testify/suite" -) - -type NodePortTestSuite struct { - BaseTestSuite -} - -func (n *NodePortTestSuite) TestNodePort() { - service := k8s.GetService(n.T(), n.Options.KubectlOptions, "harbor") - n.Equal("NodePort", string(service.Spec.Type)) -} - -func TestNodePortTestSuite(t *testing.T) { - suite.Run(t, &NodePortTestSuite{ - BaseTestSuite: NewBaseTestSuite(map[string]string{ - "expose.type": "nodePort", - "expose.tls.auto.commonName": "127.0.0.1", - "expose.nodePort.ports.https.nodePort": "30003", - "externalURL": "https://127.0.0.1:30003", - }), - }) -} +package integration + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/k8s" + "github.com/stretchr/testify/suite" +) + +type NodePortTestSuite struct { + BaseTestSuite +} + +func (n *NodePortTestSuite) TestNodePort() { + service := k8s.GetService(n.T(), n.Options.KubectlOptions, "harbor") + n.Equal("NodePort", string(service.Spec.Type)) +} + +func TestNodePortTestSuite(t *testing.T) { + suite.Run(t, &NodePortTestSuite{ + BaseTestSuite: NewBaseTestSuite(map[string]string{ + "expose.type": "nodePort", + "expose.tls.auto.commonName": "127.0.0.1", + "expose.nodePort.ports.https.nodePort": "30003", + "externalURL": "https://127.0.0.1:30003", + }), + }) +} diff --git a/test/test.go b/test/test.go index 56e54040790227aab12ae1b2f43991b9f00f87f6..5a3561d605d74696900e4a89191704d1722ede11 100644 --- a/test/test.go +++ b/test/test.go @@ -1 +1 @@ -package test +package test diff --git a/test/unittest/trivy_stateful_set_test.go b/test/unittest/trivy_stateful_set_test.go index c8efa9be8f6b19b8a77c5909ef98e02fdeecd3a1..1e696b5ee6a2d301ac4087d6ec330dd16dc25c73 100644 --- a/test/unittest/trivy_stateful_set_test.go +++ b/test/unittest/trivy_stateful_set_test.go @@ -1,171 +1,171 @@ -package unittest - -import ( - "os" - "testing" - - "github.com/gruntwork-io/terratest/modules/helm" - "github.com/gruntwork-io/terratest/modules/logger" - "github.com/stretchr/testify/suite" - appsV1 "k8s.io/api/apps/v1" -) - -type TrivyStatefulSetTestSuite struct { - suite.Suite -} - -func (suite *TrivyStatefulSetTestSuite) render(values map[string]string) *appsV1.StatefulSet { - helmChartPath := "../../" - - options := &helm.Options{ - SetValues: values, - } - - debug := os.Getenv("debug") - if debug != "true" { - options.Logger = logger.Discard - } - - output := helm.RenderTemplate(suite.T(), options, helmChartPath, "harbor", []string{"templates/trivy/trivy-sts.yaml"}) - - var ss appsV1.StatefulSet - helm.UnmarshalK8SYaml(suite.T(), output, &ss) - - return &ss -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceDisabled() { - values := map[string]string{ - "persistence.enabled": "false", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].EmptyDir) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceEnabled() { - values := map[string]string{ - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 0) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) -} - -func (suite *TrivyStatefulSetTestSuite) TestExistingClaim() { - values := map[string]string{ - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim) - suite.Equal("trivy-data", ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) TestInternalTLSEnabled() { - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func (suite *TrivyStatefulSetTestSuite) TestCustomCA() { - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func TestTrivyStatefulSetTestSuite(t *testing.T) { - suite.Run(t, &TrivyStatefulSetTestSuite{}) -} +package unittest + +import ( + "os" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/gruntwork-io/terratest/modules/logger" + "github.com/stretchr/testify/suite" + appsV1 "k8s.io/api/apps/v1" +) + +type TrivyStatefulSetTestSuite struct { + suite.Suite +} + +func (suite *TrivyStatefulSetTestSuite) render(values map[string]string) *appsV1.StatefulSet { + helmChartPath := "../../" + + options := &helm.Options{ + SetValues: values, + } + + debug := os.Getenv("debug") + if debug != "true" { + options.Logger = logger.Discard + } + + output := helm.RenderTemplate(suite.T(), options, helmChartPath, "harbor", []string{"templates/trivy/trivy-sts.yaml"}) + + var ss appsV1.StatefulSet + helm.UnmarshalK8SYaml(suite.T(), output, &ss) + + return &ss +} + +func (suite *TrivyStatefulSetTestSuite) TestPersistenceDisabled() { + values := map[string]string{ + "persistence.enabled": "false", + "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 1) + suite.NotNil(ss.Spec.Template.Spec.Volumes[0].EmptyDir) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) +} + +func (suite *TrivyStatefulSetTestSuite) TestPersistenceEnabled() { + values := map[string]string{ + "persistence.enabled": "true", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 0) + suite.Len(ss.Spec.VolumeClaimTemplates, 1) +} + +func (suite *TrivyStatefulSetTestSuite) TestExistingClaim() { + values := map[string]string{ + "persistence.enabled": "true", + "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 1) + suite.NotNil(ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim) + suite.Equal("trivy-data", ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) +} + +func (suite *TrivyStatefulSetTestSuite) TestInternalTLSEnabled() { + { + values := map[string]string{ + "internalTLS.enabled": "true", + "persistence.enabled": "false", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 2) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) + } + + { + values := map[string]string{ + "internalTLS.enabled": "true", + "persistence.enabled": "true", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 1) + suite.Len(ss.Spec.VolumeClaimTemplates, 1) + } + + { + values := map[string]string{ + "internalTLS.enabled": "true", + "persistence.enabled": "true", + "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 2) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) + } +} + +func (suite *TrivyStatefulSetTestSuite) TestCustomCA() { + { + values := map[string]string{ + "caBundleSecretName": "ca-bundle-secret", + "persistence.enabled": "false", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 2) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) + } + + { + values := map[string]string{ + "caBundleSecretName": "ca-bundle-secret", + "internalTLS.enabled": "true", + "persistence.enabled": "false", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 3) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) + } + + { + values := map[string]string{ + "caBundleSecretName": "ca-bundle-secret", + "internalTLS.enabled": "true", + "persistence.enabled": "true", + "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 3) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) + } + + { + values := map[string]string{ + "caBundleSecretName": "ca-bundle-secret", + "persistence.enabled": "true", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 1) + suite.Len(ss.Spec.VolumeClaimTemplates, 1) + } + + { + values := map[string]string{ + "caBundleSecretName": "ca-bundle-secret", + "persistence.enabled": "true", + "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", + } + + ss := suite.render(values) + suite.Len(ss.Spec.Template.Spec.Volumes, 2) + suite.Len(ss.Spec.VolumeClaimTemplates, 0) + } +} + +func TestTrivyStatefulSetTestSuite(t *testing.T) { + suite.Run(t, &TrivyStatefulSetTestSuite{}) +} diff --git a/test/verify.sh b/test/verify.sh index d84c899f87203f91b8622b5a98687ed75c6e60e3..cf8484dba9344a7ab231a28b81b8636276af94d3 100644 --- a/test/verify.sh +++ b/test/verify.sh @@ -1,8 +1,8 @@ -#/bin/bash -set -e - -helm lint . -# expose the service via ingress, this disables the deployment of nginx -helm template --set "expose.type=ingress" --output-dir /tmp/ . -# expose the service via node port, this enables the deployment of nginx +#/bin/bash +set -e + +helm lint . +# expose the service via ingress, this disables the deployment of nginx +helm template --set "expose.type=ingress" --output-dir /tmp/ . +# expose the service via node port, this enables the deployment of nginx helm template --set "expose.type=nodePort,expose.tls.commonName=127.0.0.1" --output-dir /tmp/ . \ No newline at end of file diff --git a/values-operator.yaml b/values-operator.yaml index 3cce11d6a0f81f78644df7210f4e1550e7d9f023..633bd59d47575cd6605129328f64c594824f200b 100644 --- a/values-operator.yaml +++ b/values-operator.yaml @@ -1,5 +1,5 @@ -global: - hub: registry.cn-qingdao.aliyuncs.com/wod - imagePullPolicy: "IfNotPresent" - imageArch: amd64 +global: + hub: registry.cn-qingdao.aliyuncs.com/wod + imagePullPolicy: "IfNotPresent" + imageArch: amd64 host: wodcloud.local \ No newline at end of file diff --git a/values.yaml b/values.yaml index f96a4b69c75eb891723238650ecb3b34a6d71d74..78568652fcd6c635756ddfbe607ccf422f7cddfe 100644 --- a/values.yaml +++ b/values.yaml @@ -1,754 +1,754 @@ -expose: - # Set the way how to expose the service. Set the type as "ingress", - # "clusterIP", "nodePort" or "loadBalancer" and fill the information - # in the corresponding section - type: ingress - tls: - # Enable the tls or not. Note: if the type is "ingress" and the tls - # is disabled, the port must be included in the command when pull/push - # images. Refer to https://github.com/goharbor/harbor/issues/5291 - # for the detail. - enabled: false - # The source of the tls certificate. Set it as "auto", "secret" - # or "none" and fill the information in the corresponding section - # 1) auto: generate the tls certificate automatically - # 2) secret: read the tls certificate from the specified secret. - # The tls certificate can be generated manually or by cert manager - # 3) none: configure no tls certificate for the ingress. If the default - # tls certificate is configured in the ingress controller, choose this option - certSource: auto - auto: - # The common name used to generate the certificate, it's necessary - # when the type isn't "ingress" - commonName: "" - secret: - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - secretName: "" - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # Only needed when the "expose.type" is "ingress". - notarySecretName: "" - ingress: - hosts: - core: hub - notary: notary - # set to the type of ingress controller if it has specific requirements. - # leave as `default` for most ingress controllers. - # set to `gce` if using the GCE ingress controller - # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller - controller: default - annotations: - ingress.kubernetes.io/ssl-redirect: "true" - ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - clusterIP: - # The name of ClusterIP service - name: harbor - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - nodePort: - # The name of NodePort service - name: harbor - ports: - http: - # The service port Harbor listens on when serving with HTTP - port: 80 - # The node port Harbor listens on when serving with HTTP - nodePort: 30002 - https: - # The service port Harbor listens on when serving with HTTPS - port: 443 - # The node port Harbor listens on when serving with HTTPS - nodePort: 30003 - # Only needed when notary.enabled is set to true - notary: - # The service port Notary listens on - port: 4443 - # The node port Notary listens on - nodePort: 30004 - loadBalancer: - # The name of LoadBalancer service - name: harbor - # Set the IP if the LoadBalancer supports assigning IP - IP: "" - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - annotations: {} - sourceRanges: [] - -# The external URL for Harbor core service. It is used to -# 1) populate the docker/helm commands showed on portal -# 2) populate the token service URL returned to docker/notary client -# -# Format: protocol://domain[:port]. Usually: -# 1) if "expose.type" is "ingress", the "domain" should be -# the value of "expose.ingress.hosts.core" -# 2) if "expose.type" is "clusterIP", the "domain" should be -# the value of "expose.clusterIP.name" -# 3) if "expose.type" is "nodePort", the "domain" should be -# the IP address of k8s node -# -# If Harbor is deployed behind the proxy, set it as the URL of proxy -externalURL: https://hub - -# The internal TLS used for harbor components secure communicating. In order to enable https -# in each components tls cert files need to provided in advance. -internalTLS: - # If internal TLS enabled - enabled: false - # There are three ways to provide tls - # 1) "auto" will generate cert automatically - # 2) "manual" need provide cert file manually in following value - # 3) "secret" internal certificates from secret - certSource: "auto" - # The content of trust ca, only available when `certSource` is "manual" - trustCa: "" - # core related cert configuration - core: - # secret name for core's tls certs - secretName: "" - # Content of core's TLS cert file, only available when `certSource` is "manual" - crt: "" - # Content of core's TLS key file, only available when `certSource` is "manual" - key: "" - # jobservice related cert configuration - jobservice: - # secret name for jobservice's tls certs - secretName: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - key: "" - # registry related cert configuration - registry: - # secret name for registry's tls certs - secretName: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - key: "" - # portal related cert configuration - portal: - # secret name for portal's tls certs - secretName: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - key: "" - # chartmuseum related cert configuration - chartmuseum: - # secret name for chartmuseum's tls certs - secretName: "" - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - key: "" - # clair related cert configuration - clair: - # secret name for clair's tls certs - secretName: "" - # Content of clair's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of clair's TLS key file, only available when `certSource` is "manual" - key: "" - # trivy related cert configuration - trivy: - # secret name for trivy's tls certs - secretName: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - key: "" - -# The persistence is enabled by default and a default StorageClass -# is needed in the k8s cluster to provision volumes dynamicly. -# Specify another StorageClass in the "storageClass" or set "existingClaim" -# if you have already existing persistent volumes to use -# -# For storing images and charts, you can also use "azure", "gcs", "s3", -# "swift" or "oss". Set it in the "imageChartStorage" section -persistence: - enabled: true - # Setting it to "keep" to avoid removing PVCs during a helm delete - # operation. Leaving it empty will delete PVCs after the chart deleted - # (this does not apply for PVCs that are created for internal database - # and redis components, i.e. they are never deleted automatically) - resourcePolicy: "keep" - persistentVolumeClaim: - registry: - # Use the existing PVC which must be created manually before bound, - # and specify the "subPath" if the PVC is shared with other components - existingClaim: "" - # Specify the "storageClass" used to provision the volume. Or the default - # StorageClass will be used(the default). - # Set it to "-" to disable dynamic provisioning - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - # If external database is used, the following settings for database will - # be ignored - database: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 10Gi - # If external Redis is used, the following settings for Redis will - # be ignored - redis: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: "" - storageClass: "hostpath" - subPath: "" - accessMode: ReadWriteOnce - size: 5Gi - # Define which storage backend is used for registry and chartmuseum to store - # images and charts. Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage - # for the detail. - imageChartStorage: - # Specify whether to disable `redirect` for images and chart storage, for - # backends which not supported it (such as using minio for `s3` storage type), please disable - # it. To disable redirects, simply set `disableredirect` to `true` instead. - # Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect - # for the detail. - disableredirect: false - # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. - # The secret must contain keys named "ca.crt" which will be injected into the trust store - # of registry's and chartmuseum's containers. - # caBundleSecretName: - - # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", - # "oss" and fill the information needed in the corresponding section. The type - # must be "filesystem" if you want to use persistent volumes for registry - # and chartmuseum - type: filesystem - filesystem: - rootdirectory: /storage - #maxthreads: 100 - azure: - accountname: accountname - accountkey: base64encodedaccountkey - container: containername - #realm: core.windows.net - gcs: - bucket: bucketname - # The base64 encoded json file which contains the key - encodedkey: base64-encoded-json-key-file - #rootdirectory: /gcs/object/name/prefix - #chunksize: "5242880" - s3: - region: us-west-1 - bucket: bucketname - #accesskey: awsaccesskey - #secretkey: awssecretkey - #regionendpoint: http://myobjects.local - #encrypt: false - #keyid: mykeyid - #secure: true - #skipverify: false - #v4auth: true - #chunksize: "5242880" - #rootdirectory: /s3/object/name/prefix - #storageclass: STANDARD - #multipartcopychunksize: "33554432" - #multipartcopymaxconcurrency: 100 - #multipartcopythresholdsize: "33554432" - swift: - authurl: https://storage.myprovider.com/v3/auth - username: username - password: password - container: containername - #region: fr - #tenant: tenantname - #tenantid: tenantid - #domain: domainname - #domainid: domainid - #trustid: trustid - #insecureskipverify: false - #chunksize: 5M - #prefix: - #secretkey: secretkey - #accesskey: accesskey - #authversion: 3 - #endpointtype: public - #tempurlcontainerkey: false - #tempurlmethods: - oss: - accesskeyid: accesskeyid - accesskeysecret: accesskeysecret - region: regionname - bucket: bucketname - #endpoint: endpoint - #internal: false - #encrypt: false - #secure: true - #chunksize: 10M - #rootdirectory: rootdirectory - -imagePullPolicy: IfNotPresent - -# Use this set to assign a list of default pullSecrets -imagePullSecrets: -# - name: docker-registry-secret -# - name: internal-registry-secret - -# The update strategy for deployments with persistent volumes(jobservice, registry -# and chartmuseum): "RollingUpdate" or "Recreate" -# Set it as "Recreate" when "RWM" for volumes isn't supported -updateStrategy: - type: RollingUpdate - -# debug, info, warning, error or fatal -logLevel: info - -# The initial password of Harbor admin. Change it from portal after launching Harbor -harborAdminPassword: "spaceIN511" - -# The name of the secret which contains key named "ca.crt". Setting this enables the -# download link on portal to download the certificate of CA when the certificate isn't -# generated automatically -caSecretName: "" - -# The secret key used for encryption. Must be a string of 16 chars. -secretKey: "IpTIscRIgmerlare" - -# The proxy settings for updating clair vulnerabilities from the Internet and replicating -# artifacts from/to the registries that cannot be reached directly -proxy: - httpProxy: - httpsProxy: - noProxy: 127.0.0.1,localhost,.local,.internal - components: - - core - - jobservice - - clair - - trivy - -# The custom ca bundle secret, the secret must contain key named "ca.crt" -# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components -# caBundleSecretName: "" - -## UAA Authentication Options -# If you're using UAA for authentication behind a self-signed -# certificate you will need to provide the CA Cert. -# Set uaaSecretName below to provide a pre-created secret that -# contains a base64 encoded CA Certificate named `ca.crt`. -# uaaSecretName: - -# If expose the service via "ingress", the Nginx will not be used -nginx: - image: - repository: nginx - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -portal: - image: - repository: harbor-portal - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -core: - image: - repository: harbor-core - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - replicas: 1 - ## Startup probe values - startupProbe: - enabled: true - initialDelaySeconds: 10 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when core server communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate and private key for token encryption/decryption. - # The secret must contain keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # The default key pair will be used if it isn't set - secretName: "" - # The XSRF key. Will be generated automatically if it isn't specified - xsrfKey: "" - -jobservice: - image: - repository: harbor-jobservice - tag: v2.1.3 - replicas: 1 - # set the service account to be used, default if left empty - serviceAccountName: "" - maxJobWorkers: 10 - # The logger for jobs: "file", "database" or "stdout" - jobLogger: file - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when job service communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - -registry: - # set the service account to be used, default if left empty - serviceAccountName: "" - registry: - image: - repository: registry - tag: 2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: harbor-registryctl - tag: v2.1.3 - - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used to secure the upload state from client - # and registry storage backend. - # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: "" - # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. - relativeurls: false - credentials: - username: "harbor_registry_user" - password: "harbor_registry_password" - # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash - # e.g. "htpasswd -nbBC10 $username $password" - htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m" - - middleware: - enabled: false - type: cloudFront - cloudFront: - baseurl: example.cloudfront.net - keypairid: KEYPAIRID - duration: 3000s - ipfilteredby: none - # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key - # that allows access to CloudFront - privateKeySecret: "my-secret" - -chartmuseum: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: "" - # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' - absoluteUrl: false - image: - repository: harbor-chartmuseum - tag: v2.1.3 - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -clair: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: "" - clair: - image: - repository: harbor-clair - tag: v2.1.3 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - adapter: - image: - repository: harbor-clair-adapter - tag: v2.1.3 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - # The interval of clair updaters, the unit is hour, set to 0 to - # disable the updaters - updatersInterval: 12 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -trivy: - # enabled the flag to enable Trivy scanner - enabled: true - image: - # repository the repository for Trivy adapter image - repository: harbor-trivy-adapter - # tag the tag for Trivy adapter image - tag: v2.1.3 - # set the service account to be used, default if left empty - serviceAccountName: "" - # replicas the number of Pod replicas - replicas: 1 - # debugMode the flag to enable Trivy debug mode with more verbose scanning log - debugMode: false - # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. - vulnType: "os,library" - # severity a comma-separated list of severities to be checked - severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - # ignoreUnfixed the flag to display only fixed vulnerabilities - ignoreUnfixed: false - # insecure the flag to skip verifying registry certificate - insecure: false - # gitHubToken the GitHub access token to download Trivy DB - # - # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. - # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached - # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update - # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. - # Currently, the database is updated every 12 hours and published as a new release to GitHub. - # - # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough - # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 - # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult - # https://developer.github.com/v3/#rate-limiting - # - # You can create a GitHub token by following the instructions in - # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line - gitHubToken: "" - # skipUpdate the flag to disable Trivy DB downloads from GitHub - # - # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. - # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the - # `/home/scanner/.cache/trivy/db/trivy.db` path. - skipUpdate: false - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -notary: - enabled: true - server: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: harbor-notary-server - tag: v2.1.3 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - signer: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: harbor-notary-signer - tag: v2.1.3 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate authority, certificate and private key for notary - # communications. - # The secret must contain keys named ca.crt, tls.crt and tls.key that - # contain the CA, certificate and private key. - # They will be generated if not set. - secretName: "" - -database: - # if external database is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: harbor-db - tag: v2.1.3 - # The initial superuser password for internal database - password: "spaceIN511" - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: {} - tolerations: [] - affinity: {} - external: - host: "192.168.0.1" - port: "5432" - username: "user" - password: "password" - coreDatabase: "registry" - clairDatabase: "clair" - notaryServerDatabase: "notary_server" - notarySignerDatabase: "notary_signer" - # "disable" - No SSL - # "require" - Always SSL (skip verification) - # "verify-ca" - Always SSL (verify that the certificate presented by the - # server was signed by a trusted CA) - # "verify-full" - Always SSL (verify that the certification presented by the - # server was signed by a trusted CA and the server host name matches the one - # in the certificate) - sslmode: "disable" - # The maximum number of connections in the idle connection pool. - # If it <=0, no idle connections are retained. - maxIdleConns: 50 - # The maximum number of open connections to the database. - # If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgre of harbor. - maxOpenConns: 1000 - ## Additional deployment annotations - podAnnotations: {} - -redis: - # if external Redis is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: "" - image: - repository: redis - tag: 6.0.9 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - # support redis, redis+sentinel - # addr for redis: : - # addr for redis+sentinel: :,:,: - addr: "192.168.0.2:6379" - # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel - sentinelMasterSet: "" - # The "coreDatabaseIndex" must be "0" as the library Harbor - # used doesn't support configuring it - coreDatabaseIndex: "0" - jobserviceDatabaseIndex: "1" - registryDatabaseIndex: "2" - chartmuseumDatabaseIndex: "3" - clairAdapterIndex: "4" - trivyAdapterIndex: "5" - password: "" - ## Additional deployment annotations - podAnnotations: {} - -commonLabels: +expose: + # Set the way how to expose the service. Set the type as "ingress", + # "clusterIP", "nodePort" or "loadBalancer" and fill the information + # in the corresponding section + type: ingress + tls: + # Enable the tls or not. Note: if the type is "ingress" and the tls + # is disabled, the port must be included in the command when pull/push + # images. Refer to https://github.com/goharbor/harbor/issues/5291 + # for the detail. + enabled: false + # The source of the tls certificate. Set it as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # Only needed when the "expose.type" is "ingress". + notarySecretName: "" + ingress: + hosts: + core: hub + notary: notary + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + controller: default + annotations: + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + clusterIP: + # The name of ClusterIP service + name: harbor + ports: + # The service port Harbor listens on when serving with HTTP + httpPort: 80 + # The service port Harbor listens on when serving with HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving with HTTP + port: 80 + # The node port Harbor listens on when serving with HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving with HTTPS + port: 443 + # The node port Harbor listens on when serving with HTTPS + nodePort: 30003 + # Only needed when notary.enabled is set to true + notary: + # The service port Notary listens on + port: 4443 + # The node port Notary listens on + nodePort: 30004 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving with HTTP + httpPort: 80 + # The service port Harbor listens on when serving with HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker/notary client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://hub + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each components tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # chartmuseum related cert configuration + chartmuseum: + # secret name for chartmuseum's tls certs + secretName: "" + # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" + key: "" + # clair related cert configuration + clair: + # secret name for clair's tls certs + secretName: "" + # Content of clair's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of clair's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamicly. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you have already existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used(the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + chartmuseum: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + jobservice: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 10Gi + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + trivy: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + # Define which storage backend is used for registry and chartmuseum to store + # images and charts. Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's and chartmuseum's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + # and chartmuseum + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + s3: + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry +# and chartmuseum): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +harborAdminPassword: "spaceIN511" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the certificate of CA when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "IpTIscRIgmerlare" + +# The proxy settings for updating clair vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - clair + - trivy + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If expose the service via "ingress", the Nginx will not be used +nginx: + image: + repository: nginx + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +portal: + image: + repository: harbor-portal + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +core: + image: + repository: harbor-core + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + replicas: 1 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # The default key pair will be used if it isn't set + secretName: "" + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + +jobservice: + image: + repository: harbor-jobservice + tag: v2.1.3 + replicas: 1 + # set the service account to be used, default if left empty + serviceAccountName: "" + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLogger: file + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + registry: + image: + repository: registry + tag: 2.7.1 + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + controller: + image: + repository: harbor-registryctl + tag: v2.1.3 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash + # e.g. "htpasswd -nbBC10 $username $password" + htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m" + + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + +chartmuseum: + enabled: true + # set the service account to be used, default if left empty + serviceAccountName: "" + # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' + absoluteUrl: false + image: + repository: harbor-chartmuseum + tag: v2.1.3 + storageSpec: + type: hostPath + emptyDir: {} + hostPath: + root: /data + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +clair: + enabled: true + # set the service account to be used, default if left empty + serviceAccountName: "" + clair: + image: + repository: harbor-clair + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + adapter: + image: + repository: harbor-clair-adapter + tag: v2.1.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + # The interval of clair updaters, the unit is hour, set to 0 to + # disable the updaters + updatersInterval: 12 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: harbor-trivy-adapter + # tag the tag for Trivy adapter image + tag: v2.1.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + +notary: + enabled: true + server: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: harbor-notary-server + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + signer: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: harbor-notary-signer + tag: v2.1.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named ca.crt, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. + secretName: "" + +database: + # if external database is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: harbor-db + tag: v2.1.3 + # The initial superuser password for internal database + password: "spaceIN511" + resources: + limits: + memory: 4Gi + requests: + memory: 256Mi + nodeSelector: {} + tolerations: [] + affinity: {} + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + clairDatabase: "clair" + notaryServerDatabase: "notary_server" + notarySignerDatabase: "notary_signer" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool. + # If it <=0, no idle connections are retained. + maxIdleConns: 50 + # The maximum number of open connections to the database. + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 1000 + ## Additional deployment annotations + podAnnotations: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection informations in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + image: + repository: redis + tag: 6.0.9 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + chartmuseumDatabaseIndex: "3" + clairAdapterIndex: "4" + trivyAdapterIndex: "5" + password: "" + ## Additional deployment annotations + podAnnotations: {} + +commonLabels: app.bd-apaas.com/cluster-component: registry \ No newline at end of file