From d68116b6e428b638907c36b21da2d125cbb15896 Mon Sep 17 00:00:00 2001 From: gaoshiyao Date: Wed, 13 Aug 2025 16:48:35 +0800 Subject: [PATCH] 2.13.2 --- .github/workflows/integration.yaml | 58 - .github/workflows/lint.yaml | 46 - .github/workflows/unittest.yaml | 35 - Chart.yaml | 46 +- LICENSE | 402 ++-- REAME.md => README.md | 777 +++---- ansible/images.yaml | 40 - cert/tls.crt | 28 - cert/tls.key | 51 - conf/clair.yaml | 16 - conf/notary-server.json | 28 - conf/notary-signer.json | 15 - docs/High Availability.md | 78 - docs/Upgrade.md | 67 - docs/_index.md | 6 - docs/img/ha.png | Bin 156076 -> 0 bytes raws/values-aliyun.yaml | 159 -- raws/values-arm.yaml | 159 -- raws/values-pg.yaml | 158 -- raws/values-ppc64le.yaml | 159 -- raws/values-stolon.yaml | 143 -- raws/values.yaml | 747 ------- templates/NOTES.txt | 6 +- templates/_helpers.tpl | 1192 ++++++----- templates/chartmuseum/chartmuseum-cm.yaml | 113 - templates/chartmuseum/chartmuseum-dpl.yaml | 173 -- templates/chartmuseum/chartmuseum-pvc.yaml | 32 - templates/chartmuseum/chartmuseum-secret.yaml | 26 - templates/chartmuseum/chartmuseum-svc.yaml | 15 - templates/chartmuseum/chartmuseum-tls.yaml | 15 - templates/clair/clair-dpl.yaml | 178 -- templates/clair/clair-secret.yaml | 13 - templates/clair/clair-svc.yaml | 15 - templates/clair/clair-tls.yaml | 15 - templates/core/core-cm.yaml | 150 +- templates/core/core-dpl.yaml | 455 ++-- templates/core/core-pre-upgrade-job.yaml | 78 + templates/core/core-secret.yaml | 55 +- templates/core/core-svc.yaml | 42 +- templates/core/core-tls.yaml | 31 +- templates/database/database-secret.yaml | 23 +- templates/database/database-ss.yaml | 302 +-- templates/database/database-svc.yaml | 29 +- templates/exporter/exporter-cm-env.yaml | 36 + templates/exporter/exporter-dpl.yaml | 147 ++ templates/exporter/exporter-secret.yaml | 17 + templates/exporter/exporter-svc.yaml | 16 + templates/ingress/ingress.yaml | 267 ++- templates/ingress/secret.yaml | 31 +- templates/internal/auto-tls.yaml | 201 +- templates/jobservice/jobservice-cm-env.yaml | 54 +- templates/jobservice/jobservice-cm.yaml | 104 +- templates/jobservice/jobservice-dpl.yaml | 327 +-- templates/jobservice/jobservice-pvc.yaml | 61 +- templates/jobservice/jobservice-secrets.yaml | 27 +- templates/jobservice/jobservice-svc.yaml | 32 +- templates/jobservice/jobservice-tls.yaml | 31 +- templates/metrics/metrics-svcmon.yaml | 29 + templates/nginx/configmap-http.yaml | 286 ++- templates/nginx/configmap-https.yaml | 392 ++-- templates/nginx/deployment.yaml | 244 ++- templates/nginx/secret.yaml | 47 +- templates/nginx/service.yaml | 187 +- templates/notary/notary-secret.yaml | 20 - templates/notary/notary-server.yaml | 97 - templates/notary/notary-signer.yaml | 84 - templates/notary/notary-svc.yaml | 31 - templates/portal/configmap.yaml | 118 +- templates/portal/deployment.yaml | 220 +- templates/portal/service.yaml | 34 +- templates/portal/tls.yaml | 31 +- templates/redis/service.yaml | 29 +- templates/redis/statefulset.yaml | 233 ++- templates/registry/registry-cm.yaml | 472 +++-- templates/registry/registry-dpl.yaml | 715 ++++--- templates/registry/registry-pvc.yaml | 63 +- templates/registry/registry-secret.yaml | 92 +- templates/registry/registry-svc.yaml | 36 +- templates/registry/registry-tls.yaml | 31 +- templates/registry/registryctl-cm.yaml | 9 + templates/registry/registryctl-secret.yaml | 10 + templates/trivy/trivy-secret.yaml | 25 +- templates/trivy/trivy-sts.yaml | 433 ++-- templates/trivy/trivy-svc.yaml | 33 +- templates/trivy/trivy-tls.yaml | 31 +- test/go.mod | 9 - test/go.sum | 572 ------ test/install_helm.sh | 24 - test/integration/base.go | 145 -- test/integration/ingress_test.go | 28 - test/integration/kind-cluster.yaml | 20 - test/integration/node_port_test.go | 28 - test/test.go | 1 - test/unittest/trivy_stateful_set_test.go | 171 -- test/verify.sh | 8 - values-operator.yaml | 5 +- values.yaml | 1823 ++++++++++------- 97 files changed, 5887 insertions(+), 8506 deletions(-) delete mode 100644 .github/workflows/integration.yaml delete mode 100644 .github/workflows/lint.yaml delete mode 100644 .github/workflows/unittest.yaml rename REAME.md => README.md (55%) delete mode 100644 ansible/images.yaml delete mode 100644 cert/tls.crt delete mode 100644 cert/tls.key delete mode 100644 conf/clair.yaml delete mode 100644 conf/notary-server.json delete mode 100644 conf/notary-signer.json delete mode 100644 docs/High Availability.md delete mode 100644 docs/Upgrade.md delete mode 100644 docs/_index.md delete mode 100644 docs/img/ha.png delete mode 100644 raws/values-aliyun.yaml delete mode 100644 raws/values-arm.yaml delete mode 100644 raws/values-pg.yaml delete mode 100644 raws/values-ppc64le.yaml delete mode 100644 raws/values-stolon.yaml delete mode 100644 raws/values.yaml delete mode 100644 templates/chartmuseum/chartmuseum-cm.yaml delete mode 100644 templates/chartmuseum/chartmuseum-dpl.yaml delete mode 100644 templates/chartmuseum/chartmuseum-pvc.yaml delete mode 100644 templates/chartmuseum/chartmuseum-secret.yaml delete mode 100644 templates/chartmuseum/chartmuseum-svc.yaml delete mode 100644 templates/chartmuseum/chartmuseum-tls.yaml delete mode 100644 templates/clair/clair-dpl.yaml delete mode 100644 templates/clair/clair-secret.yaml delete mode 100644 templates/clair/clair-svc.yaml delete mode 100644 templates/clair/clair-tls.yaml create mode 100644 templates/core/core-pre-upgrade-job.yaml create mode 100644 templates/exporter/exporter-cm-env.yaml create mode 100644 templates/exporter/exporter-dpl.yaml create mode 100644 templates/exporter/exporter-secret.yaml create mode 100644 templates/exporter/exporter-svc.yaml create mode 100644 templates/metrics/metrics-svcmon.yaml delete mode 100644 templates/notary/notary-secret.yaml delete mode 100644 templates/notary/notary-server.yaml delete mode 100644 templates/notary/notary-signer.yaml delete mode 100644 templates/notary/notary-svc.yaml create mode 100644 templates/registry/registryctl-cm.yaml create mode 100644 templates/registry/registryctl-secret.yaml delete mode 100644 test/go.mod delete mode 100644 test/go.sum delete mode 100644 test/install_helm.sh delete mode 100644 test/integration/base.go delete mode 100644 test/integration/ingress_test.go delete mode 100644 test/integration/kind-cluster.yaml delete mode 100644 test/integration/node_port_test.go delete mode 100644 test/test.go delete mode 100644 test/unittest/trivy_stateful_set_test.go delete mode 100644 test/verify.sh diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml deleted file mode 100644 index 82f7ef9..0000000 --- a/.github/workflows/integration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -name: Integration test - -on: - pull_request: - push: - -jobs: - integration-test: - runs-on: ubuntu-latest - strategy: - matrix: - k8s_version: [v1.18.2, v1.17.5, v1.16.9] - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Setup Docker - uses: docker-practice/actions-setup-docker@0.0.1 - with: - docker_version: 18.09 - docker_channel: stable - docker_daemon_json: '{"insecure-registries":["0.0.0.0/0"]}' - - - name: Create kind cluster - uses: helm/kind-action@v1.0.0-rc.1 - with: - version: v0.8.1 - node_image: kindest/node:${{ matrix.k8s_version }} - cluster_name: kind-cluster-${{ matrix.k8s_version }} - config: test/integration/kind-cluster.yaml - - - name: Install Nginx ingress controller - run: | - kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.3.0/deploy/static/provider/kind/deploy.yaml - kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s - - - name: Set up Go 1.13 - uses: actions/setup-go@v2 - with: - go-version: 1.13 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Set /etc/hosts - run: | - sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts" - sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts" - - - name: Run integration tests - working-directory: ./test - run: - go test -v -timeout 30m github.com/goharbor/harbor-helm/integration \ No newline at end of file diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index e9f8111..0000000 --- a/.github/workflows/lint.yaml +++ /dev/null @@ -1,46 +0,0 @@ -name: Lint - -on: - pull_request: - push: - -jobs: - lint: - runs-on: ubuntu-latest - strategy: - matrix: - helm_version: [3.2.3, 2.16.8] - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - path: harbor - - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: '${{ matrix.helm_version }}' - - - name: Helm version - run: - helm version -c - - - name: Run lint - working-directory: ./harbor - run: - helm lint . - - - name: Update dependency - working-directory: ./harbor - run: - helm dependency update . - - - name: Run template for ingress expose - working-directory: ./harbor - run: - helm template --set "expose.type=ingress" --output-dir $(mktemp -d -t output-XXXXXXXXXX) . - - - name: Run template for nodePort expose - working-directory: ./harbor - run: - helm template --set "expose.type=nodePort,expose.tls.auto.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) . \ No newline at end of file diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml deleted file mode 100644 index 70e1d06..0000000 --- a/.github/workflows/unittest.yaml +++ /dev/null @@ -1,35 +0,0 @@ -name: Unit test - -on: - pull_request: - push: - -jobs: - unit-test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Helm 3.2.3 - uses: azure/setup-helm@v1 - with: - version: '3.2.3' - - - name: Set up Go 1.13 - uses: actions/setup-go@v2 - with: - go-version: 1.13 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Run unit tests - working-directory: ./test - run: - go test -v github.com/goharbor/harbor-helm/unittest diff --git a/Chart.yaml b/Chart.yaml index 7554f1b..0f5c527 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,22 +1,24 @@ -apiVersion: v1 -name: beagle-harbor -version: 2.1.7 -appVersion: 2.1.7 -description: An open source trusted cloud native registry that stores, signs, and scans content -keywords: - - docker - - registry - - harbor -home: https://goharbor.io -icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png -sources: - - https://github.com/goharbor/harbor - - https://github.com/goharbor/harbor-helm -maintainers: - - name: Wenkai Yin - email: yinw@vmware.com - - name: Weiwei He - email: hweiwei@vmware.com - - name: Qian Deng - email: dengq@vmware.com -engine: gotpl +apiVersion: v1 +appVersion: 2.13.2 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yan-yw.wang@broadcom.com + name: Yan Wang +- email: wenkai.yin@broadcom.com + name: Wenkai Yin +- email: miner.yang@broadcom.com + name: Miner Yang +- email: shengwen.yu@broadcom.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.17.2 diff --git a/LICENSE b/LICENSE index 29f81d8..261eeb9 100644 --- a/LICENSE +++ b/LICENSE @@ -1,201 +1,201 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/REAME.md b/README.md similarity index 55% rename from REAME.md rename to README.md index 348301e..39b880c 100644 --- a/REAME.md +++ b/README.md @@ -1,354 +1,423 @@ -# Helm Chart for Harbor - -**Notes:** The master branch is in heavy development, please use the other stable versions instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. - -This repository, including the issues, focus on deploying Harbor chart via helm. So for the functionality issues or questions of Harbor, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) - -## Introduction - -This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. - -## Prerequisites - -- Kubernetes cluster 1.16+ -- Helm 2.10.0+ - -## Installation - -### Add Helm repository - -```bash -helm repo add harbor https://helm.goharbor.io -``` - -### Configure the chart - -The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly(need to download the chart first). - -#### Configure the way how to expose Harbor service - -- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. - **Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail. -- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. -- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. -- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. - -#### Configure the external URL - -The external URL for Harbor core service is used to: - -1. populate the docker/helm commands showed on portal -2. populate the token service URL returned to docker/notary client - -Format: `protocol://domain[:port]`. Usually: - -- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` -- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` -- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node -- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider - -If Harbor is deployed behind the proxy, set it as the URL of proxy. - -#### Configure the way how to persistent data - -- **Disable**: The data does not survive the termination of a pod. -- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. -- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. - -#### Configure the other items listed in [configuration](#configuration) section - -### Install the chart - -Install the Harbor helm chart with a release name `my-release`: - -helm 2: - -```bash -helm install --name my-release harbor/harbor -``` - -helm 3: - -```bash -helm install my-release harbor/harbor -``` - -## Uninstallation - -To uninstall/delete the `my-release` deployment: - -helm 2: - -```bash -helm delete --purge my-release -``` - -helm 3: - -``` -helm uninstall my-release -``` - -## Configuration - -The following table lists the configurable parameters of the Harbor chart and the default values. - -| Parameter | Description | Default | -| --------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | --- | ----- | -| **Expose** | -| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | -| `expose.tls.enabled` | Enable the tls or not | `true` | -| `expose.tls.certSource` | The source of the tls certificate. Set it as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the tls certificate automatically 2) secret: read the tls certificate from the specified secret. The tls certificate can be generated manually or by cert manager 3) none: configure no tls certificate for the ingress. If the default tls certificate is configured in the ingress controller, choose this option | `auto` | -| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | -| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | -| `expose.tls.secret.notarySecretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key. Only needed when the `expose.type` is `ingress` | | -| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | -| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` | -| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce` and `ncp` | `default` | -| `expose.ingress.annotations` | The annotations used in ingress | | -| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | -| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` | -| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `443` | -| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | -| `expose.nodePort.name` | The name of NodePort service | `harbor` | -| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` | -| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` | -| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` | -| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` | -| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | -| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` | -| `expose.loadBalancer.name` | The name of service | `harbor` | -| `expose.loadBalancer.IP` | The IP of the loadBalancer. It works only when loadBalancer support assigning IP | `""` | -| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` | -| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `30002` | -| `expose.loadBalancer.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | -| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | -| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | -| **Internal TLS** | -| `internalTLS.enabled` | Enable the tls for the components (chartmuseum, clair, core, jobservice, portal, registry, trivy) | `false` | -| `internalTLS.certSource` | Method to provide tls for the components, options is `auto`, `manual`, `secret`. | `auto` | -| `internalTLS.trustCa` | The content of trust ca, only available when `certSrouce` is `manual`. **Note**: all the internal certificates of the components must be issued by this ca | | -| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.chartmuseum.secretName` | The secret name for chartmuseum component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.chartmuseum.crt` | Content of chartmuseum's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.chartmuseum.key` | Content of chartmuseum's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.clair.secretName` | The secret name for clair component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.clair.crt` | Content of clair's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.clair.key` | Content of clair's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the certificate of CA which is used to issue internal key and crt pair for components and all Harbor components must issued by the same CA , `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | -| **Persistence** | -| `persistence.enabled` | Enable the data persistence or not | `true` | -| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | -| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | -| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` | -| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` | -| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | -| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | -| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` | -| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and chartmuseum's containers. | | -| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` | -| **General** | -| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | -| `caBundleSecretName` | The custom ca bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components. | | -| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | -| `imagePullPolicy` | The image pull policy | | -| `imagePullSecrets` | The imagePullSecrets names for all deployments | | -| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry and chartmuseum): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | -| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | -| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | -| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the certificate of CA when the certificate isn't generated automatically | | -| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | -| `proxy.httpProxy` | The URL of the HTTP proxy server | | -| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | -| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | -| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, clair | -| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) | -| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | -| `nginx.image.tag` | Image tag | `dev` | -| `nginx.replicas` | The replica count | `1` | -| `nginx.resources` | The [resources] to allocate for container | undefined | -| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | -| `nginx.tolerations` | Tolerations for pod assignment | `[]` | -| `nginx.affinity` | Node/Pod affinities | `{}` | -| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | -| **Portal** | -| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | -| `portal.image.tag` | Tag for portal image | `dev` | -| `portal.replicas` | The replica count | `1` | -| `portal.resources` | The [resources] to allocate for container | undefined | -| `portal.nodeSelector` | Node labels for pod assignment | `{}` | -| `portal.tolerations` | Tolerations for pod assignment | `[]` | -| `portal.affinity` | Node/Pod affinities | `{}` | -| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | -| **Core** | -| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | -| `core.image.tag` | Tag for Harbor core image | `dev` | -| `core.replicas` | The replica count | `1` | -| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | -| `core.resources` | The [resources] to allocate for container | undefined | -| `core.nodeSelector` | Node labels for pod assignment | `{}` | -| `core.tolerations` | Tolerations for pod assignment | `[]` | -| `core.affinity` | Node/Pod affinities | `{}` | -| `core.podAnnotations` | Annotations to add to the core pod | `{}` | -| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | -| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | -| **Jobservice** | -| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | -| `jobservice.image.tag` | Tag for jobservice image | `dev` | -| `jobservice.replicas` | The replica count | `1` | -| `jobservice.maxJobWorkers` | The max job workers | `10` | -| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | -| `jobservice.resources` | The [resources] to allocate for container | undefined | -| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | -| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | -| `jobservice.affinity` | Node/Pod affinities | `{}` | -| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | -| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| **Registry** | -| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | -| `registry.registry.image.tag` | Tag for registry image | -| `registry.registry.resources` | The [resources] to allocate for container | undefined | | `dev` | -| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | -| `registry.controller.image.tag` | Tag for registry controller image | -| `registry.controller.resources` | The [resources] to allocate for container | undefined | | `dev` | -| `registry.replicas` | The replica count | `1` | -| `registry.nodeSelector` | Node labels for pod assignment | `{}` | -| `registry.tolerations` | Tolerations for pod assignment | `[]` | -| `registry.affinity` | Node/Pod affinities | `{}` | -| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | -| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | -| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | -| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | -| `registry.credentials.htpasswd` | The content of htpasswd file based on the value of `registry.credentials.username` `registry.credentials.password`. Currently `helm` does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html): `htpasswd -nbBC10 $username $password`. More details see [official_docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m` | -| **Chartmuseum** | -| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | -| `chartmuseum.absoluteUrl` | If true, ChartMuseum will return absolute URLs. The default behavior is to return relative URLs | `false` | -| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | -| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` | -| `chartmuseum.replicas` | The replica count | `1` | -| `chartmuseum.resources` | The [resources] to allocate for container | undefined | -| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` | -| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | -| `chartmuseum.affinity` | Node/Pod affinities | `{}` | -| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | -| **Clair** | -| `clair.enabled` | Enable Clair | `true` | -| `clair.clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | -| `clair.clair.image.tag` | Tag for clair image | `dev` | -| `clair.clair.resources` | The [resources] to allocate for clair container | | -| `clair.adapter.image.repository` | Repository for clair adapter image | `goharbor/harbor-scanner-clair-photon` | -| `clair.adapter.image.tag` | Tag for clair adapter image | `dev` | -| `clair.adapter.resources` | The [resources] to allocate for clair adapter container | | -| `clair.replicas` | The replica count | `1` | -| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` | -| `clair.nodeSelector` | Node labels for pod assignment | `{}` | -| `clair.tolerations` | Tolerations for pod assignment | `[]` | -| `clair.affinity` | Node/Pod affinities | `{}` | -| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` | -| **[Trivy][trivy]** | -| `trivy.enabled` | The flag to enable Trivy scanner | `true` | -| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | -| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | -| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | -| `trivy.replicas` | The number of Pod replicas | `1` | -| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | -| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | -| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | -| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | -| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | -| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | -| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | -| **Notary** | -| `notary.enabled` | Enable Notary? | `true` | -| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | -| `notary.server.image.tag` | Tag for notary server image | `dev` | -| `notary.server.replicas` | The replica count | -| `notary.server.resources` | The [resources] to allocate for container | undefined | | `1` | -| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | -| `notary.signer.image.tag` | Tag for notary signer image | `dev` | -| `notary.signer.replicas` | The replica count | -| `notary.signer.resources` | The [resources] to allocate for container | undefined | | `1` | -| `notary.nodeSelector` | Node labels for pod assignment | `{}` | -| `notary.tolerations` | Tolerations for pod assignment | `[]` | -| `notary.affinity` | Node/Pod affinities | `{}` | -| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | -| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | -| **Database** | -| `database.type` | If external database is used, set it to `external` | `internal` | -| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | -| `database.internal.image.tag` | Tag for database image | `dev` | -| `database.internal.password` | The password for database | `changeit` | -| `database.internal.resources` | The [resources] to allocate for container | undefined | -| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `database.internal.affinity` | Node/Pod affinities | `{}` | -| `database.external.host` | The hostname of external database | `192.168.0.1` | -| `database.external.port` | The port of external database | `5432` | -| `database.external.username` | The username of external database | `user` | -| `database.external.password` | The password of external database | `password` | -| `database.external.coreDatabase` | The database used by core service | `registry` | -| `database.external.clairDatabase` | The database used by clair | `clair` | -| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | -| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | -| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | -| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | -| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | -| `database.podAnnotations` | Annotations to add to the database pod | `{}` | -| **Redis** | -| `redis.type` | If external redis is used, set it to `external` | `internal` | -| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | -| `redis.internal.image.tag` | Tag for redis image | `dev` | -| `redis.internal.resources` | The [resources] to allocate for container | undefined | -| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.internal.affinity` | Node/Pod affinities | `{}` | -| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | -| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | -| `redis.external.coreDatabaseIndex` | The database index for core | `0` | -| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | -| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | -| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | -| `redis.external.clairAdapterIndex` | The database index for clair adapter | `4` | -| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | -| `redis.external.password` | The password of external Redis | | -| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | - -[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -[trivy]: https://github.com/aquasecurity/trivy -[trivy-db]: https://github.com/aquasecurity/trivy-db -[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +|-----------------------------------------------------------------------| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.className` | Specify the `ingressClassName` used to implement the Ingress (Kubernetes 1.18+) | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.labels` | The labels specific to ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.clusterIP.annotations` | The annotations used commonly for clusterIP | | +| `expose.clusterIP.labels` | The labels specific to clusterIP | {} | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.nodePort.annotations` | The annotations used commonly for nodePort | | +| `expose.nodePort.labels` | The labels specific to nodePort | {} | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.labels` | The labels specific to loadBalancer | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| `portal.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | +| `core.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| `trivy.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/ansible/images.yaml b/ansible/images.yaml deleted file mode 100644 index b8455f9..0000000 --- a/ansible/images.yaml +++ /dev/null @@ -1,40 +0,0 @@ -IMAGES: - harbor-portal: - NAME: harbor-portal - VERSION: 'v2.1.6' - harbor-core: - NAME: harbor-core - VERSION: 'v2.1.6' - harbor-jobservice: - NAME: harbor-jobservice - VERSION: 'v2.1.6' - harbor-db: - NAME: harbor-db - VERSION: 'v2.1.6' - harbor-registryctl: - NAME: harbor-registryctl - VERSION: 'v2.1.6' - chartmuseum: - NAME: chartmuseum - VERSION: 'v0.12.0' - clair: - NAME: clair - VERSION: 'v2.1.7' - harbor-scanner-clair: - NAME: harbor-scanner-clair - VERSION: 'v1.1.1' - harbor-scanner-trivy: - NAME: harbor-scanner-trivy - VERSION: v0.17.0 - notary-server: - NAME: notary-server - VERSION: v0.6.1 - notary-signer: - NAME: notary-signer - VERSION: v0.6.1 - registry: - NAME: registry - VERSION: 'v2.7.1' - redis: - NAME: redis - VERSION: '6.2.6' diff --git a/cert/tls.crt b/cert/tls.crt deleted file mode 100644 index 7a481cb..0000000 --- a/cert/tls.crt +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw -NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o -F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr -PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT -RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q -LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp -UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q -w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc -jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr -vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d -1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN -2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA -AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA -FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL -BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS -Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA -er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY -Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ -qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n -KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB -Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2 -52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1 -2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F -5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX -jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe ------END CERTIFICATE----- diff --git a/cert/tls.key b/cert/tls.key deleted file mode 100644 index 5ba90f8..0000000 --- a/cert/tls.key +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o -F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr -PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT -RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q -LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp -UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q -w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc -jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr -vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d -1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN -2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA -AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/ -k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4 -MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu -XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz -ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5 -F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K -F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97 -b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5 -fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ -yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um -lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW -YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+ -viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1 -pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+ -/wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA -So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt -DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3 -YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn -IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW -gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf -Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC -oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb -FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN -c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn -YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf -Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl -IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ -rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi -vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj -yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g -1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil -u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M -BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK -OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y -AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e -Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh -cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q -OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04 ------END RSA PRIVATE KEY----- diff --git a/conf/clair.yaml b/conf/clair.yaml deleted file mode 100644 index e44790e..0000000 --- a/conf/clair.yaml +++ /dev/null @@ -1,16 +0,0 @@ -clair: - database: - type: pgsql - options: - source: "{{ template "harbor.database.clair" . }}" - # Number of elements kept in the cache - # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. - cachesize: 16384 - api: - # API server port - port: 6060 - healthport: 6061 - # Deadline before an API request will respond with a 503 - timeout: 300s - updater: - interval: {{ .Values.clair.updatersInterval }}h diff --git a/conf/notary-server.json b/conf/notary-server.json deleted file mode 100644 index 8d87f0a..0000000 --- a/conf/notary-server.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "server": { - "http_addr": ":4443" - }, - "trust_service": { - "type": "remote", - "hostname": "{{ template "harbor.notary-signer" . }}", - "port": "7899", - "tls_ca_file": "/etc/ssl/notary/ca.crt", - "key_algorithm": "ecdsa" - }, - "logging": { - "level": "{{ .Values.logLevel }}" - }, - "storage": { - "backend": "postgres", - "db_url": "{{ template "harbor.database.notaryServer" . }}" - }, - "auth": { - "type": "token", - "options": { - "realm": "{{ .Values.externalURL }}.{{ $.Values.global.host }}/service/token", - "service": "harbor-notary", - "issuer": "harbor-token-issuer", - "rootcertbundle": "/root.crt" - } - } -} \ No newline at end of file diff --git a/conf/notary-signer.json b/conf/notary-signer.json deleted file mode 100644 index f7c5608..0000000 --- a/conf/notary-signer.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "server": { - "grpc_addr": ":7899", - "tls_cert_file": "/etc/ssl/notary/tls.crt", - "tls_key_file": "/etc/ssl/notary/tls.key" - }, - "logging": { - "level": "{{ .Values.logLevel }}" - }, - "storage": { - "backend": "postgres", - "db_url": "{{ template "harbor.database.notarySigner" . }}", - "default_alias": "defaultalias" - } -} \ No newline at end of file diff --git a/docs/High Availability.md b/docs/High Availability.md deleted file mode 100644 index 506fb2f..0000000 --- a/docs/High Availability.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -title: Harbor High Availability Guide ---- - -## Goal - -Deploy Harbor on K8S via helm to make it highly available, that is, if one of node that has Harbor's container running becomes un accessible. Users does not experience interrupt of service of Harbor. - -## Prerequisites - -- Kubernetes cluster 1.10+ -- Helm 2.10.0+ -- High available ingress controller (Harbor does not manage the external endpoint) -- High available PostgreSQL database (Harbor does not handle the deployment of HA of database) -- High available Redis (Harbor does not handle the deployment of HA of Redis) -- PVC that can be shared across nodes or external object storage - -## Architecture - -Most of Harbor's components are stateless now. So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods. - -As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts. - -![HA](img/ha.png) - -## Usage - -### Download Chart - -Download Harbor helm chart: - -```bash -helm repo add harbor https://helm.goharbor.io -helm fetch harbor/harbor --untar -``` - -### Configuration - -Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`: - -- **Ingress rule** - Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`. -- **External URL** - Configure the `externalURL`. -- **External PostgreSQL** - Set the `database.type` to `external` and fill the information in `database.external` section. - - Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up. -- **External Redis** - Set the `redis.type` to `external` and fill the information in `redis.external` section. - - As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point. -- **Storage** - By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs. - - If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`. - - If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes. - - You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`. - - If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`. - -- **Replica** - Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2). - -### Installation - -Install the Harbor helm chart with a release name `my-release`: - -helm 2: -```bash -helm install --name my-release . -``` -helm 3: -``` -helm install my-release . -``` diff --git a/docs/Upgrade.md b/docs/Upgrade.md deleted file mode 100644 index f84a4d1..0000000 --- a/docs/Upgrade.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Upgrade Guide ---- - -This guide is used to upgrade Harbor deployed by chart since version 0.3.0. - -## Notes - -- As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid -- The database schema cannot be downgraded automatically, so the `helm rollback` is not supported - -## Upgrade - -### 1. Backup database - -Backup the database used by Harbor in case the upgrade process fails. - -### 2. Download new chart - -Download the latest version of Harbor chart. - -### 3. Configure new chart - -Configure the new chart to make sure that the configuration items have the same values with the old one. - -> Note: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate: - -1) Get the secret name which certificate is stored in: - - ```bash - kubectl get secret - ``` - - Find the secret whose name ends with `-harbor-ingress` (expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`) - -2) Export the secret as yaml file: - - - ```bash - kubectl get secret -o yaml > secret.yaml - ``` - - - -3) Rename the secret by setting `metadata.name` in `secret.yaml` - -4) Create a new secret: - - ```bash - kubectl create -f secret.yaml - ``` - -5) Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step **3** - -### 4. Upgrade - -Run upgrade command: - -```bash -helm upgrade release-name --force . -``` - -> The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30). - -## Known issues - -- The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0. diff --git a/docs/_index.md b/docs/_index.md deleted file mode 100644 index f4b9166..0000000 --- a/docs/_index.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Managing Harbor with Helm -weight: 50 ---- - -This documentation focuses on deploying and managing Harbor via [Helm](https://helm.sh). For general documentation for Harbor, please see the [Harbor docs](https://goharbor.io/docs). \ No newline at end of file diff --git a/docs/img/ha.png b/docs/img/ha.png deleted file mode 100644 index 6f063c2bba21e05934307b5c5d699cc2211c7f8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 156076 zcmeFZcT`jB);FpsiXufiQWX&C9i;anz4zXGuYrK5fOL>1U8EC=^j;L{oe+9JIwTY+ z0SP5Hp6%YR`(^k@9a|HE$nOUQp5(tnTU-$nbs9Qpr@BQJ3Ydg0XdNt1;P_c;^Wk1O}c;j3rnL=hxl+Kj^$N#%*b3%JP4N9om-? zHTUozylCK24E*7UnH5w^fI)w?qW3h!UCX@xYoltoRkHELSJ?I*T!MT=cL%Dd`Lv`w=4 zrp_E&bQX3d8c5VAoruQDHBZK4c}_YoS{JFAps-1f9MQ@M;Z=h>0sm&y=rv!OD?F)Z z!v2?Jhgy^LkAl@)Gt27CDMXPyAqO*QhOa2}6_Osagi18%>uDa7G%? zc*?1T?WPBOYR*=)6{Nc?wDri=_E2Q83}kBydOjdfCGdbLzvZ!|e49EblHv@z&^O)v2 z7ZrOBe|$gnVC#FBR{l3t3Vn!AOU8|{O%(Z;?Kdas&oTaB7UZ0vn;}pe{@3+C#7DyT z_V#xgQaSFwoRi+hm#x*ZcZCbS^=kq>^eZw%9-9O>r1ldD5+Z6d=Xp_Kz5PJvzi$8a zcylte_J@b|<^6evH!#9qDv4j`t|4`Q%o<;PD`y=53smJ6MJao!(^u8$FON7)U44~C zPFRutUDLbFG0C1feX=Z&|BGi>grA-7MCU7*S>+fiI0` zWB+|u&S+{Zy`B*NwX}pdhIFQRo6(tgpp*`~SMMC5<_Lwp^k0wo1AxrmV?0RWQgS)RhWYoC^scjY;^>U3}jL7}j1Ptd+)rZ2U_lpko`8!)S*I>E*u*itQG zgnfUKPjINn8zkF6G_ZG6*1e`NROs98@j>!TuMw}c&d7EPUU?pn!82j6H`dAug*xuI z@0^?~0Xz<5MU81lG{}5QBL_d2jOBWker)q=NUVFs>Z1PIG^+G|q$uevy&cafMp?hn z(FtRa_3dm*{%F1FyRmPh zB_0r8YUHZd2xD)6jYyLslFImXa32u!_0+W~Lp%LHR%T`te(}yc$a$9-(x}IlmL=rf z@1hT>kzq8Tm%|V`|kBXmL(Yte^iWFh1K_s z>z)DsQQG9wIc-iREl{d5WQLs=78p`CfoJv15*Z@}^z~8YG&`H)0W=j!zB5@i6;`21 zPovsNQ@o3$CByz7rNW|*ys>SnR=80B_ag$DDrHf~ARd9N(&n{a7yKt=cfwDcm? z1$AxrIy`gAKPgfzaS`LC>)GeH7u0stFPlD&6eHDWQpqIH$UPm8d+?53a1XHl8vDdg z0^&_D?DB5lz_HM~U zh~a#e5TL;zg^x{WfwDpbRB5L7(8~bNd7I|+?p=Xs#VowTidGm{BhMpz9j_V zh1h1zwDh+S16UEXLsIjNltxSp*iB&}cize5MC(77`zSV4m0M^O-Cbo;Wtfo-G^V&t zWi=BuidT(1?7Y$4-pB2Q-s~1UF?g`mPqsPOp5) zj5?&o%^Fe_JQ?mA9LY|^5H^uZSIw?C&~!4V==_}6QW@v@M7V zZ5WT9Jc3Ou9ArVxmYk=Q^0@A0nwT}$DEM&)0ksg)s9E>r69pr;5nuwdJ7 zY}Ck)!`Y_!aa8sJ&UXg#Lu8W>Vl|Ej;GY{%8JEIvj@ObeLK)H@4zrOyLi~W&Bc}zA>s^N#k7E5)u;G%H6NrPH{Hn_{Ngzuv zmbv7PHSv2z1Z-+TNEEq=DLPHYwr#06{5NkhMkAEW44WdqB7gpuVkNx6C`ERUXka{c zNjvFUyFe`MS%l(CckN9!`cB)As>N?3dcQ9b@dHn$$>%vgXcu>&(v*aZ0wwV-&%{PT zU)?sf3)ANXZoAl-BG8=tK--AU5gN@;Z1Q*}gy(TVR}(xf$Srv~jK{r+ zDTtAl^MP9cb2~2uxk%HKvSuqz8$+96$?CIOVl;B)(5!C@Ga?Fa(l|1HGk#Dcs2Bvq zIBcwqaPmfs;llSnNxap#a^b@#{c97@gJ3J#3xP@h=-sKbBYB}R(*G0x) z=||P}D>5pevRD8WE{aPY7#h0@6$_V8pp8#Eg=|k`h~NI9@^lQkkE2 z{`tgww8ut@+eUa8S;q&fvg+WUKiL*L#&pX}C^|1f-qv09hz~d^+ymZ~O3tprOL_0s zP_~?!#Ecra#3Fe^6Vypke?uV!z|SmGNR$KZ zAF?q(_sPOTQigVg!^r961qQMtzpi17Ke@b*CZ6Efy;-qqyVa zB66xKJ?oSBv42je;0M$S$ZI&6t@maGy5=}7U>aQ^uWnz7*J05y9c{PiXk-6MEKL;P z0Zx}ZN2C)A|L!E44`Uf`qCDfs?=naI@*AxrzCkxE;@vViwn32Um=U76CUD;vyr(zF zp1kLZBpePgToU$Uq#aT$zd* zdkicMb`R^jFn&;Z(mxehG8Wb=X-cv0nvQ%h2d)<}0th);gGGM&))usYTXm9z%g%zXMf?n+%zfa|xFCMi4%^528@-VTXmR8;(x z+yus-21G7YdnDUFxXVn($KzXo6tZA@I{(73&co;64Rr%+gxmH9FpxUwV_+Kbj+YW+ z>4(nq;=s5AXZTc(7FC90WkZ(6QEq~(>Xc`PgFW6`hIZc?6Pj$wg#<~BGVV7ju2-u9 zIvwYaihA6=bD%{|w(GF9q5Im2g!8Tu`z}T zF~zVui$noby%*Hcx|o?!wZlGc?nT?FOyn8Q9J;{N!;>H5RNdT1I?chvvbsC|sGF0c zNL@hKn}O;-j}@(sUH(4)m9JUAM=Jw|1Pn#qZq^F1a|5*zv7ip znR`w3SL?J9_wR!YH+D$)!d;?+j7&96J8%~#%xJ%|G%{YYAwI?2)vu56O-S%w{rYW7 z9gAp!JDmFT+Hu(dXnx!y0lDh*db+bfY@s%Mi;2LU9YeO~BoIwzkz!wl{f{$!nHR2R z!>pEGZTw{2ki*x1i?Cz}KiDbo5;y#crMtEXKatnEyt&rrV_=bWB=0p^a%lJ@!XR(| zu*0S`r#YbP=u2auF`%_ZRc+U4vdR#!ER&n+3c2KsuvPQ5_s~e)B(*6OsfxdQu@Vqo zuJ)Y@OkBfo+T#qL1uPfVAnSs;#O3{n&vI5|u^Al=bzJn-k`e_;fkW{P$P*Lr`%~k% zK-RWzZ@Iq^K5%QN=g^t_{;HrGbW@)0w;V~AJ@NJx&6a(|W5i$4_=8XqyIGlal9WxO zLJQ?LZJwS*!#qy@8@wajY|v)Q@YJ)om33j#SiUX9&KCURsIYrWcRrYE4^UcdQpSzU z)<+DRvAyl@4$?FMfR-v)lmML>8!DXCFx(11h3N2ywA^~E7EWrEj$o4>!dDw}PYdLS zm*2hjdRYGDC3b#=*ezZE54Y1+sH2~8e|!+X6kM#EvZv{IutDRY?@XaN1zDtcAG1fM z`FqNu%l{$SX^3DiHqqXn$%8}^_nmi#U;O&rHD!~)1wiQ#>^9!EJ~_KqQ{ItpSs&}c zlPWlVW+jmDE%+Az>-%?aDhi$z1wXbJa|df#2{D(mqF}92!#;5t_Q@{g&fDt6Pftdv zEY)Uwiq4G){MjvQ$XyVTrIWYlqfnwG1|O96iY{iE`S@W!JUa3UyOSEvyFtZ4|h0TBp_U;DZG1{TlT?79IHl_yi^Ck@Oy0Pt=1@o$^LN zWR;6^;2JPqmIYEc7+pjNI`{I*XRxOD&2_<|#n(eyEsqU)o?p1vl!eh*?tFhpO!};x z56_!8^}`rMSdR!KQjivz=stFB>jf~%P*nB^bFKHzNP5tenq4SZB=V8waJD0w+sp4y z{aPRbq#E)4MZ&MFgZh7E{z0R^J-<@3MEtN^& z%0oJ}**3;V5z>iKwI2-=y1CzxI3A*|XZqqBdeogC6t(=AGR2TNmMZWqGT+~&?FL3S zF&aOOCFA~d_-^0#_r54HOusu<4Vzxr+-cRayfjQoD{l8w#>sqc0ss!peR^CIV;j&t zZwuZ7S@}>JR4yghl>Z@^96LM*e%%COGJY&twO-pMo-WPKv`?0XKs^SG)3aUx zc8Y?I8*WaMq!PipmRTp^EWPG>B{%1LU4Liu+fIoXHJnv5PQjlUZ8WPTj<6q`-wX)h z-Eu@6L}Xhq?IO2FuumeKkTkk5t!O3h%Q%8CKl+_=!Tg2pz_1^R?mMxc0u+x1i{X%) zgNbZ9%k2(v)E!S5%X6-(I_kERWyVMgH?~($eDcdV1pGyM_PRUi$nL&P_*IfsRK^=> z@1FX#p`79;x&4q~I;iL1pT{`FY7RD`F)L^d*NKuJ6ZKNh6}6-0-dRbDw_o{s zKL4D_dzLx6(wJXsi^LlSxk3OsT2x4bY>KzbYD9qUpXpV`9;hs9Rc}Tk7msm((?>>b z(>pvHS}LNX%&8;VBd>hhFMYFfM5l}B6g3)HGxU;6DeN|!WF5kpfVt`NyY4%ujA{-C zQ1Hl23a5^e`Pp=~TM zdom!r3D4)+bZ9h8v5og+2gFq^`YMXY5E#EebFhi)C#=pqKP9SOvP#LOwke*g_XXrE z)%w31?B1__bwtqaEeqn`<%x~n0QFy~Q9+1vbMnI;XBRsM1OUFR1t87%NKY=WpSJsd zE@aJ|Vg{wEj!q(*3G2(Bv#ri|c-k~m3$>Zy`F>rJ)BGh!|B|Mz9|TxeA;&))1uJBK zC3U%I&2=0)RD@=Tb@k%+gKHGym&N2M7{h#66qLY-Aw}=2norUn%NwSqVf)37-QiaE zm1bu@ge<0jBGS?$R;vqb?AHc0U5v?7#hmM_H(#l$4bOb}6!Fz!0H7zFagt+43E0~l zcz84A)oLWN{IFQSXZ;=g-F^u29W~NlUxI<##<;PdaPA3AI2j|Z!^@cB^iA$TP8I=> z{f=XoJ!nhasu`C^6UG|l;mw?$M zDUEn(F*NmU*PANF7vg=mzIwB@@XyrL=^eEyo&L6+x-M>!i=;IS8e31=fIyt{)b~hz zYrN?5u!IKz)m8im+vmf9&NCh(0kAC7%=!0MfA#{vMmRkOpdaBOx`oTxWS1t+)|;+Q z;QX;&aJY#}V!&B7!{y>>V$8_z;aq|>8l>OtzL})_161UcyY|SX)Gfcw%i&g9iEUP! z@MWBXnXi!MwT8o5`0ojk(;`BEleYbUpw1=Xw-Lp?d3bJuAB}Rw^9OsMtqFvsXqzpR z$ma@{$a0W%yM>AO;O6=Z?|#dHfVbG~C*naT@a|iUL(sWW(nczs0YXLuC8&3HZoN=hP|}Uag-;lkW=Vr?}spLMy4RRRlm9RV?t7S%ra+ zgL9)VkkITI!yih*X&;J?THcjXD01_PE>uqYrX6wbIyxOpt{hhY_WfI#?`GSr-vm!; zAwHAO85)06H!VAKebG2S4;2c?Q{kX?12=@`ZpzsTb*18H)%cirgxlH~*)$d@)%)#V4)=ZEPkc^#<$<=qCwen^dpyflp{67r?S0O=P=j|Bpr}cmWQ!Dy z@S(Md^Ilb|3MX*wR*N^lK4t6KA1Ax|)P3KLq=$`z`(J*dLJYdt`1N`Gxh7V4%(<4r zt=~QKe`z|cDq1vFZ@=LGX;d)K)eDx;S)#DtdGos+bB z#9xrPW@Ns2@}T*kK1`{PsxyxCexM3Qv?H9pvv~jtgxo^e9|df%gL}%)Tc)xZ(ir(W zRU4;P8yMTqzS+oMV*$crE(Jf_!J<8>I z?|&dQp8SIjCwOC|?yH(*wvDiH)sL*E2mv&E=hF&0R=Xbukb;Kx?itWrM3b7}5|^WD zjsO{}l_1TlIJ44*BO4!IB(TtVqx_luDaq0D-3xc~hJlwvV<4(tCI(2TQuYZ8gK zUsz-^H0I84q|CP)fE=U*p5-bp^d2d0AvqA*omv%{*Hx6KL>rHcgg}MiGdl25by!R1 z8K#o64IC1%s$#&lX-d`C2If2K?Yz%zJdZT7@iz(*b&oN9?l{kIP`c&)m0P-Y`p4Gc zu;H;yeJ4__#t3=fLNJ^hrtuivoT}mRsO0uP@DN`-G(Tzj)Oxz)SUBgD&FCp>+7N`e zQ|gPSC!o!4Cv?s!HvFbbRU1pxH38?E&1!ozx)-2wV#6jR z9SpF=Si_q=L+(}`Rf$rbHKxdRoIlmF@ip0PEMF@nW;Qy1XcJ!OxO6I7=*PDsan4xR zRG_@Ka4maUd1}s_CV)R{uU$4my-4knx4T_c@XTS916lVJiMy@6#j>0-GL2e0;sxoA z>QQTM;ou`RhV%HJseAJY_?cb~F)SkrgxbIv?ZM^vEeaC3e_Q%!oia$Ch&*X%j3aAzs1^wC9Lyl7ASrqR zWQijx1;7bAY=++Gcs6sGsb%(0&T&(Q&W?U}SNx{`PXTS{HpXa|%<_ca-3G(q>X%)c zC7s99LBowuqvNb{QPC&NSt+n7HpL{B)O(nkPFhn|cWWm!n`9W|{0QqyY>xd>rjP5I z!7dtWAIBU3E7k`0X9hh_6WUa^R19b`P&0qEOFH@7q{MBBrYftD4?`gVj_jj_;^R=$QaloO9#>1-P0#a#RAO#O~8fijG- zd9^WXJT-;v#icIgF{+`nl`#_revbd7jxi25l~#o64ew8xGwq(Kwb!%GF64LK$@Sbi z6Io9aD)YUQG|y_f2Rf+|u0$3Pb+=J|etlt5qBWBm@j4Wr&LLw2#B}#s`XZj{gv!C_ zNDzGa$YZ!>J8;b6d7K_SO@a>+vqSzEH8$F z=AFw9)KN8)$qM8AdXu`^TKR|yULlA-Y{iM426F@sfTL}3HaREbKHLzMmc!5e_`kVX zXh{og<2(C`^VtW{cNO5Xp8|Caz7($YO{)9;=tY2MVL?B2#7l*Rq5~EPHE=YpCP}TV zb{F*n;HS@B^GfuYW9_D6Syie}hoC&t@iGS12QgU9&80KU;2vV43Os*EyzFoG>29RW zmj@eW7X#);(}Tq}6$@;ce4OQ}A!$CFQp>MuZPnbnD!xf_vHHh3C*5~T+>ImCOtR)h zhv(M3S(vbY2p!h6yDCOo)*LCmsX1+Rbvy7iQI@?=fO|PFoVH?(QDzzi1_F4k%bQs& zQQrizc6rckLpCRJg8ugL97cWRPOs+{1}l%)T9*&UtOyn#Hkc2Oc{CMwShT(ZF-+ev zXcQ@!A6cGA_cPVDd#^S9#V9#=ZDzwe@O2*QC=W6u)wJuU(RD~1 zv3k%5$#nZsT^>*U6Vh|MBvt+i(j~FUjz5gG!Fs=W?2qc=oG>Olub>~#r2k~Y*=g6m zvEOR6yKeyUbCyg$J&W@nR1Dz_N4HE6iEGhMD*8? z!^G`4$M8+WuKn_5JQw1`U)ZUzvdytwb2C`R#I9q`?jXi~Bg}P3-!I;{N{rdyNuWF> z)Aa|EI|PmVFGP=htmj)0r$(7U8%Fo5Qrg`^ADNveYPJfmr^u30+Ay13+(QV|pXb$q zynE^oQqCrWeL4^*>srHG4C%pU-i1g&7#Rf{baS5%+o*A;VA?6XpqzqQ8{Tj*Fafa^ zTGHnN5E1SDh!dI-E2$fAuOKZD13>g!ZoLi-qwYFVxQ~VodIS^2e~9rPr$AOD(TniA z@ccgQ632vZNuL95Yq!IF#~UEMIY}0z6J^tRjqTY2Xw@Z)E*?CXma!jb^pCZeoN z|5v}ozX_Y1YL`>uN6}$Xc*ZyQocUBaaEzpIeveCMGI14>V--zW~&lTDv1%WF6(o`#(9h)-2&m8A&K22bAj|D zu#^i(gty~oGpC=n{b@3b-<6(90C7Zlvy&}oLc z;`;603dOv@RsOE;t0yb$X;z~1S6+gHkJbJGb#H{a-?Ve?W+MOm65SPT(I=4Nc5+u* z2(OnC>z*~&)htTE#w=0$S=s_!Ydfm1heW=iO*NlHRDAT2iqKhj*`qQ(rw#d6pJTfA zH(kWl0W&>aWvqf)8!lpm#sVasd#XE&x$B~5jLp)g!n@a9vf^PG+42Gh{!w5HE?Cp|aVRKt{8OHN|K20%B6Dl4F$#?DK1GO>sQF zd+Xz#_`FGZ)V=18y3^IdnvvEy@3v~X5oQ&a`KM!fxMtTTjEw_6-nA|5re;*Ta#ZEI zvO~+uSg7UR>ldO3`23NU57JV*_hcLDIm=q3YEU)|5+`Quob}bHr0T@6eb|qR%5d>? zIgkH#+9hQkVt)|}yy<7v$>3EZB7aTv{LQil$u^E~kDyfzoY>y6r9d>0xgL0dyPRv{ z)?Ua{?DT4F22r$Y!rhx6h`#JH*P=5z8n;Bn`cG9Ky2tLDb(%$H#icwX?-lVxw$C~m z3`%))nY~5<1|M%r#a#6sPS^Md?WC6v`{0$*)zgxdU_nDfd^(t2f5cQ#9`rP(2p!ml z?c-IvEWMnBCyNDUPdcZXQ%RlO9Xx>hTXj}AXHU9lwv51s`mo-Rg=Xmw#xsQEU*(C1 zB6pNkwrx|_Skd9u^Vi|FXY;3xC+lt~Gnunbct(Tb@>620>xrl%%A>n3&-SgBOlr5;fTRwK@&vm5R~FDJyV8SR$xa zr=C#__H7018Q!qWr6S)j2Sxi_>Cm7dz-n25m@Zi%kXEle3YmToN`0)0r z!BMK?r*jJVGrep3#pU)j;vF6q44f^$EX-lGZ);iS{v-RATD8>v+qu@>1Qb|55LB%; zm*-PZKl{(CHj>$-<~Gb@K0H#bAdr zVe8tTzp`Amw#dU#RU6Y(HBGeTF#J%~>8xd=VxFbeS~I!lIXg)tn4)iwd&ME_iJh{c z^sew^#d<1)Ygd-`9FtOznS<>R+O5T?ICkj}kBo`94JIkw8TZh^6U=b1&91i0uVfk+ zkKE&cjbuExab$nR_cLuui8ZUOEhMeA_bz{@pn)1U=qzgbM8Yub(dn*+^!I!L>x<9Q zj`v*SQ|~VPVFQ|mF$j4IQ5Sdlj8LY6s8fy_YmRq(jI9Fd8e%U1mv~3pUL7yrGC0++ z25e}YQQS;vh%QbM^vG!IysYQIw=`%`n5ID$w}2;;kH+=ZU4;ChdK!YUpmchKTn<$B$3hS?aq5w>_Q09FPkUmAj^NVW9DZun~W-InWo zse?VeRB#@4JQXvQp8J^eEjNWzqmBrZVd~s}~_K_nxnyXnYzcnp_cA zU3}ra!ejf8N=K$;tzxZ9dC@yu?`X#(UdnTa7xS4$C=8?*`Y6FqR`Dk^%K9B9tGy26^u2dx_Zz*PKM~V-13=|+ZGAhD2i?n`0QwcBa>a%L zB3vTvSi-3~w^x}GcrFatKv%DQv-cjEHt2#V`3I=F+t+pi{I?EIgo}p0!+4&^AD?qQ z*(E|Z1+Ph)RaxN}@>HbMxA>c*M zemlwxIRdqn+V|SY)j?zL+|aB;aL$1F8LPIUqGIR9n|)_D zx0#;kSlIS<0@PJYSGVZsm=WiBOv;4V8l(3roz+5E_#Hkz{?bphW`v%{K}laI8~{$% zT6$?(rMOn(oG3MW>QI+UIdm-o%X$m~*|?T0dvxkH!E!-??5{IP;Xs+*4T?X%P#{>$ zDr556bWoksRvCP8(B9aZE#&2%*06^cs0B4FflyRwLXD zexR0VN+O?RRtSuDf^65^|+GzHcs&bwq1@05Vi7EodxK$K(#&c9S;04XFE0*u) z6P+ue5BU-LlxVA3y&MFTCTpSI<GGqi@1)V}67>c4{v$`oIqG(F=5tBFH>az+k*^{ReuB-t zWVUR!<@}-PBtZU{go0aYwTRltvvxyJDiMNmsv>S$H(=Lb(DOO3&u7JUjx!fgRCuRf zCPyNjR)7Jnpz&t2JSE{%<{{TKt0QNZONmfVz%|d(o}-o?D=`e#QQUZIXkhq_}YFLH2#q!UYa4!dn89(>jD+@)$h$t)e9Tuks-~fEXNW! zFvD>qvk(VPdY1gyM>yNFaCYO9u(p1O{z0~&N|kuK?3QIkZK=90K3SARtFNoj2MCR6 zg~*0|Pj4aeipEbKk4R=@scepA+TlecYV;5)OvOG2rcxYZntaD6P`ZoO1P?oV4(>os zd`s)}RfRP1a7(T2w+64TgA$|(kG-rLh576da>OL3Q>Cp&71`|d0`<>&R@4D2&Laa0 z#e=>5cQ$l~b@Cn-cubdeoK43nlXZlR#k)V8ekfs{g{5p%t-%7g#@Y52+<14`-dmaV zg}h}moIIlrA-GqzrwQ&MnWO6QBpT5*=*@e^QKrvV{84)+j!2M$H>{0v@~o35E+@p! zR=cxkq!r#9`F!MOXHjq3%ZJ~;r>Z7bW|8>34LZdevkNj&iF9E5obdcPg(!W4bMRxb z2j{EHKqlPgQ`^IR_IWs3>_V4fMU`+=*pQpj%Wr30ml8gj zi5(`ZQdUF>*}d4d-d|`un9Nrb0gWncG7_1d2gcnt{m8$y+&VomH{JS$00Zl*2CcMg zz;$EO80B-$w|5J#^zyD`QbvaxK!q)ucU5_BFB7nq>*qnDqf*3tB1zV%X0E&BU-b#> zDXcHjiLUL(t7Y8e>x5 zJ$PxZyiTB+{dETST(qrY214O$=827$60qIa7zZLm;{U-h`=d{&#M@fQ)}`4ZE7D78 z0vqKV5Cl}E4p_r9p_IwKn6cr&sK(N_(aAQ20%QcL(hHNzxuNbV?WVHqD~(an zVacP-#j@O}?YHgT|GH^O2vPraOWuszS^npHdfb)4Qs{Y)LaPNcNM%Njn;Lm@M!SEy zt<4lHdp>7{l!J0=VtOtkdti7EoEVEf+u9LoXW`Ta8KCK>xFPb#|NjGMQdh8aRDQTupU^sFesfN36XOa zBEi6;n39pf+}M}DEPD3tdNQdm*N<{sX9&bs;oZO#-xYOuxjF((QS|!}QJij|Sz;s} z6!BDz=@bWI^B@E?2Zu*{*BL!=W4wX&dWL#EmuZ$kSVKj6P*Qt9nBd)1@oB3%Eyfi-78B@_ic@| z7Qn0b&`R6^u#NHr;VDndSVY{T_LIfYguuC6A4ErzVUuktrK}h42tY)i#;VF^()rvC z`jl$_-r^gbk}(}Iab$tTU9{g*`x3&AYAoi@-bQb91W_kY>Uc3!#$6B1@4h=~f6B)& zm?3D?+&ap%zL0c(YxL+$!d0xatV@ZL>rzB%*sVO4hkIhVN5tp(Yz-njE-OJN-yC<(6_r_IS9|TT8 z=Jqqebi8&}qwnGugOZ9=GRu|`>xa8qozv}SXShzp8Dit`{O-9T)KyrZwx%I<%R*yN z&*lB)gQ=h1IM1ucCWf96orgQK=-|$S#C@Gfm=o7Kt2ULJ*F`nGXx*+Kwxerjm-&ce zY5+X>m{>45C!0Jla`aIW&r`j2a_$kj(g(n`dg1K zGL&0PF7O~AYmLw&yAh4v>+H{s{k21O7q6*DA5oR#h(JdmQ$Zmw*S{JGD~BeSuVKBp z&7`kTF7b_-4`8pY5?sZMc4L}t>qjB&vjZ|ok=HJ9ti)5t_QOr8ax)eA8g5rs_F6Q|>f8@KW%|zS4KLomQk0=wPw}rI z4lz0*b=ouHGRYd5A4|b&rlm*koV94_>t5>Uu}x}?ZN2EQ08Os%?WZz0OCe5pBVxpX zSH^yjCs&vE&Z%*!D;(Zt$ZuDlg{)NZu_@Bh^Qs(p4!%4`6xrOnc{`l-TRB9wm=|K9 zXB)2b8S6^|&k4E$%rT$2(#(N}o zrsTSLNy5xO`~Lk)yhHFf7nTYH2addk-yAG95 z)g*)LAWN0{>5{;uBq5x4gpIpnsLA_MV*BzbK`u?=RyZ5FAE@Ov21iOyqb|8&!=W6p zto8n6wcE@Ry?kzWpd^Be0dy2Ut(e#Hu^@_mk8!8wcT)CioEWpx1@>UiEEx{+MQx_~F>WLoW(cW$5J zu+56eOup91lMky?C;xRKWN8>D4+T^eTlI(B?p>7w?xy;S81wL zT=Ate3i^iJI>j*dJGvKF?U!X6SNnF1XkwFJ%FD+?N-Yf%YZTM$PdmV6aaWiJB`Kr1 zeBAS4rd{wlWJpVhAFyT;Js} zC0%-jHVauD5c>p((>$s>@UNXt-m-_i64V@#)EPcK+ZOWLR+lk4zr@P&K-==4Q=9I{ ze9W*y9{Od!_uG8+Bx-sc2R^dJhIcR7Co4@duS-lOYPsE9s=(LTKJy#{i6$k2(IjP- zj+MIswRPofhE-HJ=abtag>+k_4lfd=Yd49?0D2j=n-nOTJ$1-Ua3f>S=|N00bNOFM zS2`wiinD3k=v6ail^DJ;H4e7CYSy%P@Oh}%t;cdyYExMnjczr^p-#KIQCE@!UCoIY zH_^$6@nG*pRWdC^e;xzHav>8iK8{iTP{gFY1Vv3x=y`>wKv9M#FA~J7$dt*)lmnrW zGBqg^Zc)ob)%BrL+eFo5SE>XWXeK7))^5tAZn9>8j-KSJuv5+1QQOKpYG_5ETn3_? zQjuE*WKyxuZ=;8RdG}DY%@MoeNk? zX{?_$!)`GKp@OYdGAp7AZH|C}Wx{1i7B@5Wud^eS3I}fgS^9dLg!V0;OPIFS`R!hk zUWc5H-V%v}IdHY3(mIpJhWQ_RseP zxAJ4r(=~i5ynKz{;>W~50wm;{5j0B|qLEOHtqxit%M7T=W0 z2o|%f=fv9Vu1+E~Z>UlAojzFRGs|jRWe&31!1yY!kA98SM=511=PKD|3(NfJ+%!w^tQaMZ3|ud3EG-^WjrW~LkBpnG-w~_rF&{DC zzLV2+Shx4AhVXH8y93J=#@%S;RM1!1H1po)(SCd%pN{r0@F+L`Ka9O)TohW@Hw;KK zbazR2gT&AwAl+R8($Wpm4I*6~G^T#SFUoxBwn{bi~*}B@? zZRI_XVX3L$LxZreppyn6%crvv22tRXqXdLm27SL^UjH>EmCk7uj;4QNfJ<3?8sZVM zJE1ht6=p*u%k$pJtR66ursK>y1Fe&-|;OK@j0QfT49P z_Gr6wi#7Bw@;UI0Q z%PRRwNymmsIJolR@{J02b;_0wjKwRgY(dJja7|h&X1o?*fpu{S9-nJJPQ#wJCVXW3 zhN9P6{KZCs!;khKB!B9JE4rN6Vt7pjN3Sk4KFz8n0vGdt zE%$Tv}aU8gS)x@iZV9m4W>oOgrtKE-G?j@Yywh*nXVvx z%e>lm1rv6B;Dso-*C76FR0%2e_?*V$a`Vd^V*b;0R?}@B})8G zYFWTNd?*b+`vi2GNtI>uk@0EN5;Vdk`dhsqRZIy`gjLx-|pwh>&);0gl_Huht{dmPDMkXYrzbKCcx zZzC&r+n>1bPhOC-AY?LnA^X0{&eDL*O(jWrUnyb?`&ILKmYQ6lrLolr8HRTYk3h55 zy0{k}i}4q0(|ch3>WL@sgMS(=R6qVB!h4u-nPBn22GN2gLtbl=Ie)C+8|G-#=iA|g z(*ax+5d>i1OzifF>Er!=*XBwstgidh!AZH0|M&9ZHje3>@x~@kQ^~ zR?5f#jNtd#V$EnJm~g?=8^{>E{=Hd;ENXfdQUIGbAmi*&g zl~4m(XA_6G9VwWNXTD`u7tWRW=If}ek26H}`pqg_e5DibrK z=e;V)!z>+Kg{<}%R~lfL^kKihF&+l49>b9TfcFj%eE*scss@Q*;I0Kb1BK&HA(E!j zf}i~N8RnBui6_K>!V&5jz5oN)gq~3jENW`lv+IjbzfVJQN?=Q+@7qpwk7~Qjz%NP$ zub36dpYm$g3dpeG{w0ohAQl!^f0!oa!{XEJVhCoIlm^0P4-)0i;|izVU;Fj;#^0J7 z$Pz@J;U8h`K?ove+*O^={8{e4^{zYKyVRl(-kAjRK?c%V%YhXBth;f_T+cGB-kAOb z@|alj3C(M1J3BN#KfZaVEThC6=&VGvDGtYSG)`g#EvwR}m!_ zj{caP|N6apoy!siTmH7Jzanb{p5mVY(y%)py&x#tN%vtvj(H#%K87HWA4*ScV{Kc83 zGUEMMEL8rBfGbEJZPz1E(Ag>5VmNd%J&PmQE0+fRl`j zOA?M`gWbDy5oH7S;lnFe^(4oM-A+e~H}A4V;;KyoUqOM2$(5B){&^Jr#c`yqTPV&0 z1B3Ataj_xx!=#{>JKL22NQc)8*dY?_!{9W&iR%De(I4CNx1meNM$Qu*D> z^*#GK12@6hN7MIT6#I7vgnuZ9fEA}K9Uie+RuT}i27D0svh}`93SHUZ))f4{k?8Ql zA#4D-*IE9Hl(T&Lk5RhnsB@R}jw>26`4{O%PgYvO1mLr9%n#xT=5Ej{7ce~y3pjLu z%c1bwti&U6Wx>XE0oo3gKiH>{fu)HI6L_Wgw3mISh_$s@dk{Ao{l_-{b(ZTt;Qcz5 zrlwah@CA#%5ww{2N55Kp5=~xoa6ylWCrnGtZ@6WpFDmXGY~r!0sDI!ix|smGgolfI zJPP(og>dl)WP3zEFa2)uq0{@{TkUp$Hl0snHcc##qG7H={PFPc!IhqKw1e?OSi}UO zTJwfsuE(KM)2(y)l~?PtttZMA>{1{7$X30M`CM<=M`hX5fv?t@pXrZoj}+^Prcu4T zbTv^i(bW|UnX+&1xJ%Q(IAlaYzNcN3pznGX+uqa2DjeR+LiCJ(#O|*h#)`lVm^co$ za>%VV%N<0jSnY09gT(A80z~ITo~*sRyt)^kNPxb(wu3LbyIrAy8X-&VcdaSujixOg zLnnOKsC6`d6Zl`9xQvTc;Ramo<#MTQhU5xQPE7@8F6lQkHTH~-qA4pYBcr2-Rh!*p zxeLh3$gS^N2RL;s@7&C?5QM~Z)R|5IoNevxr5zk9%XfBnV-gcppS}#Z7Mq=uEzcL$ zoJUaH$T(q%OZsKMsjjO-jf+D^Mm3-AoUkJ~9BKWRXi%o>9-?tR8&c>C>Ija<;A0wG zeA1`=Lm8hiugowkN1ZQeA4VykH+2?`!ytjSXZJ z6bUysw zmiFZaYCnj2;TfZSd`IUOsQqG!?4W~Oy@HLV!pFxS8XuSP@)9g4EX2abhE-9?054!R ze^a3TXT_#OIEf}neP_iZiGOXmFE~g6hDn1)-pD9NtY~OR-rqzXd^{yEI4B4v zG!&jzP>`szvy*+_R8bMFyrM$Q$f(eGd3l-Bbw??!fi3Q@Gg}E0_xJCBdWXx)YR1M@ z1RNY3(z3Et%*-Sk8)j!`XU=IG^1%NxeVpsigCcg``Y7?AwbjT4CZ z%|1RoIh>^ZG1mZeI0OU)AGycJ$1jZLIC7F$cz6qi#AD;*;{=;XdFVfJ$jKd6zPSGx zr#q4g`e|r!{>>8j!F9n#gKWf{|--|mIOSPP}5rj{+n%^|87 zlyHf_Tj$P{GDC$WIA4Z}l~ps$dCF(@*DrW>fXiU7D!W8*FfsX*$p7np#xd)ffpcH!TteG9ZqJXNI;K&ry2!-mNe2{R0d)&=m`4s<6>Q!OAD^C9ceb^4kkGIwRMmz$z*;%cjA(5!PJ>A$C$~EvA`~LEbsa{^0EN| zRrk+Dvq?ICj^iJ5#|u>}fN65bHJUgNGZr?qSL5`_&)-dbbv5Vk{+%ANIy`Fh==oK$ zN|~5Z{YPwq>SiDLYo{W&_tyurUfU@;vLntpBqd#eFujs}SU4o%-Q83r6SK?@UJu<2 z3xmap(<|ngqP94StYJ8ZXE^%4Cubv&FJJOy#Km@lnDDe2B|q&SPu173K9X@)K^dEg zQq|U$i-eRkG5gC>VgDX@kd7+gNYFjN$cQanr}Re^L1iVI)FC=|P)E{kA53qmB03Y? z$pu-lb+$uopAHI@F|=WEdueViI=STC*Zdwlk1wEI*9jp)Z*OZ=W3!7n*L{QtHH!-o za#;b5@PABocQjN_X^SKJ)YlGsC_M(BL>M}GVV|9!JaWzcS`leS+?6fdz+}4PvT8L0 z1iBwsB0{A$9z3X0P*+zsnp0%wCp^OkqkE z7LS2B%Y>PLai&v~V2$J_@@D;b3IhnjfcI*wpqs29moTnGzOj`m)e)BLFu*>TiFVG@ z4)tof26Y!{QBNlPv3_#R(+yZesPK<|bcCenN`C473vYRp`zZyK0?Bp?dxF z^pupyNfD(G^_FVm4MgFuGZ9n_0zuJneSDv{{%K$L^3f=^KNLh1p1zqdt{1rG=z3KD z-n_NRUP6-BB$q(eclxfnM@z>js^xMb?NrdnW*Fm-uys$;s7`Ih)hl;0I$lU9BxAnK z@>g5h47s3pqI16b)`TZ>JK9<~{;K%9e@?Ppn_XJ3LXinefxkZ1@p3Ft7eW7hqv;nD z9vZ*a7v(jhwvS54R{~Hod>`fP>WX%OhB~>_>x@nw85bq1>lGTnXT3vlsmON;{PpYC z*KgktI>lBaDFr4r61>M3OtXWBF*N6Ym2#XM8JGqE&CM;eXv8{P*>!Cl?4;DplDKv2 zS|$@s-E&Uf8`(Ws`5%fcAAa_Tue_fdjP<`bKUZ(zB`P0mT#YcBO`07X_#FbJ??%eR*!Q!zgSRT9-tyvXKrC(tv*oDYv^88`C}ILju!qt z2?jmkaK7tQ71@k1)ub7(p4obRTwv|sha9i;WV(>&2^rL`1feV_rppx-;nC53d%L$6 z$MtFRt%5?7{&(SS!PTiLwaBO_F5l$zj<@CoTI%WsAgV)tO9SL)wBYh`=HxRMW?bTo z3`UmYE@$RvSfenM@Zb9W%ayl#h2yuk;Blk(>X(<4SnCP7UPYYP!eJ`Pk6VyLXfAQY zPTD)+HC@o^YxTbrbd6EV_+scAl>cE3tC|>8VGkPll+Yp8@vf_G7=w6XH;`6jWUcN^cn= zkgUAiK8_BJ3YvlYwO2at36yfg6kCcGODC=7vkv)9O?>pzo>r20*-1QKKnd&ML%Yk{ z1PXt+TxJDd9*URa`k`T#{=DZ$ody9uw=zm%f}qnUkZ5Ey#q4%EkMQlQje)?<;Ml?l zhg^P#x7?2RH^=-Bey4>h-EAYh%U4KiCUN~JH@G!*E+o+Fy4O_36IS#^p2keB?W%s) zXsO&j&pezC$hBdt$8-o^gO^6Oe$_T#`T~O@N*G$(JT0G~)sj)=B{_D7jbBTNK%y@+ z2jk$H?=$hsI%`EIUE2XO+Qw>3xd9gnFvnh-Q6{uarFel}HwiWFo`mCh;n3(?G3|XU zcn;%4C_PLRDX_p{a~JawYs$sq+5s9>J}Csr4ho;#V&uLYuBD{go$5crirG#}(}nJA zZ(Gb){k|zLf8y0XTCB%>fCPpw)?1t1U3??LxAqCJMUhGoRDbJIsKIFF#jZ?rbOWc2 zv|p*N>88!59q}doyKl0zoF`P#OnoJc!K3ECO;LY9I)!wpBW=R?bJ=%kLnaP(<=mw197uUyL+ErAb~(RaZ?y( zmWsrjoVcSSGD~YKT3}aq{vc79Itg~m(Q1cW<1onf^P+1g+;Ha{fs zzy`>D^~^e1G{dm|7S?F~oS(1B_#Cf7l<+$IS@ErAuHy=1Lip5teq!SEZEY=A^I@AO z4fk~CSF=-Z--~{Q$CF{c<_kNPTIY>V6e@2?-)0wa{PC89H^ix`doWwjpNGmIGLD77 zkED+)A9e8@n#szzP+o)KGC3!@uu+1?i3lenZ-XX=+d@ReA!p6DGT%+=y`V_=IE{HE znpvujHaJNx5aB_!<4>|>z2KW(Bs#i`aqX~cw>II2L(;REhyd8pJKcrEqI(``+8HUesE>3a`8G(o&TA`Nj zwEQ321Cb|(yf(r{f3Z6G>U>R$*fFX-$gEJ+)s37fsXx-1hs>1ra2h@UpYSwFlzJ}E z(x`=mPHeWFokQrwbLFgIG9RYWoB$_X6Wm#oNRG4_34=VK9kH86(66>xOg!V5rkM# zQ&TgqAFHx*f2M>96c^Zj6&*bQ{Gj>$c@YH@voDr-X14eKs$ayFe*Sg5rFF%bUt?oD zde#-cg*-bOE1}fRz~JCvi`-`%Tx^oL`u;Qhu5B$S=k!o_qhRvQUVY-2x%9A+L_$a` zFF&C0uDB_OPy{73afpa0feKfZI!&A31vsh0IjDcSux#4a1KMs%8v%qM?PbmT#iUU9 z^(2~2MWix7Lj!l!`@x9p%`HOJ%Ut6oS4r@Hd{}WHuFdh8xONAyZWbr#$OkydVkU?m z{l*YuzJZ#n1|=#OT^?XBt!_%&E{e#QkxE?ZwE`&d)IJ?FzZ-3Y9LL`B>}#1ag*Jf0 z54FwaR>DTQJ%2Rgfy7>DGAo$R6z+`&Sh^FaGe5M|SQr57u_X7@KC;kf^Jo#1j*PIJ z?GhTx#NlX&oF5Jb#xUghO&2#IbO2yX=t7;xapP_`Iv~^mexEYQ{g0&Sa|1UJe(yb( z>>B^9rtl?_pq`+cdDz@zdb|wlI(!H_pKc%723w3VTv4@07zf}k)6py zQ_Ba&lP+j?1lGsdk(gTN{g1949JM!%^H)BH^PQh691IUD(G6+`sX~?VK7Z1h4?v^N z&mXyMed$iSJzWye5{`)9p*b2)bNEqsog;}nn!cdA;x+oAKaMzNZjS%^ax;SOOjEf< zMvK-$Rwv43nsHT5I7=!=_tq_=<#q~{|ES!D7ojo>m!1nnt)U+~sr0cVJjT@=EYL^? zIs1(_s;%wvv2ipFGFZzlEPTkRx)T8;^7K9PZu|*PkbpHi;qxXARO#sq9L*h6%wwz% zB^7>9ke64bZi1>ZLnG6vgK5*z&=JG$Xy~wG0;X55xlkDB_M#+aTSXmt;AKuS3>$SR zF;P*u89pX(A=6Ebz-$bCHT#_km5LMOv!|?#4BK};xl#4jpf_}n=dOJj!+5}ERpeR% zVC;NJ38HA3kGf#rq8hQV2Oz+04fAYdw3^04^ZW0ED^&#r1#L8zDXd|Tn}>Ehj(lBR zz1D()9OB#P??OUC9~1;k;_53i5{*Vhx!;f3EO4tX9cPn4(^cJ8@V8xBVYLUJOIN<& zj;Wp0cDjXvzLyTk+w{VTY7y5ZPzwv?7kvA+YbGAs%OW%1Uj&cuQ_t{}C20Ez2bjuk z1jT^cibf&i1`Z3C0Is=js?T!!kv|q z%pAOKlSe?9KdhxMz&zge46?@Cky6^P23L~KSBz(9$bwUaPiHX7=JQ0) z0h#El3`}4eXOKUzsk9Hh6CvPY57$N@!UOfJq7U5Fcy;FGbcs=vRc%H7K5BE^ANZVc zg3V(wBAAtn**;v^5*Gs>b^;vXzNjvQZcD<0lR<6m8n+SoXEt+3?BE~-@GU27>QCkl$PNRz4-8x-) zR2jLW5U?8MJK3=a10Qf+{Etm`#y>z^qqPR9dpkWVbc(=VSDh{Iw`o|7T^a+Fv_rea zaRlA=&{B|Fg!|z8Ec_uS!fkFbJnb)!CA(j~dOeUgnH^{*&y!dO@(6v@*Y|1K@JnB_ zSiGPUe0db|f0j_`Lkq*+!JGP+Y~%gbYwX)VhjP-#26^ z=W~k8?$2C34vEYDw8bO9e?u2ADJ~H3D2RW-%txn(0yEKhI=PX^lgn#r2^49-Z@NGE znNHkwPsH%L0?&v_XKnOr_UA6UJ?=2$@RQisXw3p7laNnvQwx)k7tyGkUlHUSaB!W<2is!RHFQo96F*Fl`T5HUwwW;i6gL>!7kY?dK4m9T#x@QJOw3?TMC%l%eye?UtCgGq9m( zugmAiB})>S!+rT$2fSONQaDAWPSmEVrBQ-LEiM}HxPBTJ!8TWISWDCfd{An1KeNGb zbaZOMB4A}MB!H|~x3Nu(JpbmP=*K*HDZ9Y3wLz71w<4D8D`d^8slRTTf385IW&-yf zp;C)HF+f)0^ML2E-jB}9{eoMLQ(l>Gr-4kY?py+b%DDJh{t>25-Foq3E8sH;`G>qvRNvVkeI zMlz_2GT^!U)lNHA?!w(LVodE}9E?0Mp}7XKS&ocr@kSS=G|b!f3%Q862gk?YIm`HZ zM|+dGux@dzg%%6KRey+RgwPu(pV-w4^YR+|9t+gC8;}$$?c)*Ie)*P$40<>?!?s^e zEe2%H#i=%X*&PetI?oL1w%@|BwwuDjy%NT4)0;na%&KQvq-389t3SDRHUP9)z1w+L z=-?FlJzH-i(a7+fb?%R5vb=c!x+Q7{en|R)O}}*3=TGS_SN|W*qvk@j}+fFc{V? zPt(1tp{1ooc#6T6jsNl@bO~?`CkG~*ndO@bGAo~%>H@1=O>AtCqhl1mn7(zY^Y?`m z7B%!UNn|{2xZk#KUTR+6N5;o{?DO;xQ-}J0ylVGfw+70pv|nd$u(|&yRP5#t{`{UY z+hKE4crz3WC;zsuHo~iM3Gr7%2kj!bm~jY`ZoE^T0wy6#Y^6W~sMU`}xbms~TS_Yy zHys~|1oaKKN;Z&_BMQ4AN(!{T|UTzisG5_P%dcg1Hjrh~GwQmlGOE}HF6?|K3^A;%RiyH#^=@xXnoYstDr zJ>ditOk|5E7MRFLFOQ)=uFS!-iwAOmOL3gw9y1+oW*6T18S*|_3^H=r9LAFqSP0BL z{B&<35or6)(P3J9XM9&s(B3bZy|1q4fgCJBRbx9NxA1sQ5W_OV>3ltF(zi($bGFpA z*1elYsaekk67?*X5e5IebKNb)()$632B`5k+hv43H=E`ku;dZz=`H$rRkpW_4AyrGf0cC3VS5wP z;j5h6o2^{+KA3^NeEu9f7-Er111}2)>r*;aA?59<8&+R1k0jc0U*WtNLhq*AE-O?1 z67iEW5RZR9Dl;P~N~NxeMwkJq<6PwY`dVvvJf(>!Ifvo(-d)_iUG~I}Lq;Wnt~9RT zR=huXDrnX{5DuE#`wEe?Ym<91v5zzkwqSUrlZM+EOgjw@S2#?V^(tuTd*v5+?Rm?k zv(^-BuL5Pj$<>zu?2Z(c>P};mrY0Ox{CHV$P@dWMG?Rr4P0_BeMAvM_HjTKxbAyAV zLU&g8`xy)g3)oWnT<$v}9l0GT-aMe$0jy`QeFa-b+u07upZ)heL^s2$cN^3aHkdI% zCFG#+tSY^z!7=JVV}l1D!r+a)GJ8>%`^Svr*7I<#>uyG4UC8hr-_&nfuX`cfM9030 z_S!N%%0Ow|*YV_{#W>CSCUVOd0Dz>GOK>Yh$=+$SBE-F;!`G2@-_dW$9U8U(@L(tE z0v?WE%ujRu3DUM=Pe>ixDeB*kYd*9X>zE{{)pB7->B`6m->A=Az;mj=$|Qj>$&Soz z@_Q_N?=dDVtaiqTnX8A=xhz=k_eaoC1(jOI!k%~tNTOI+SkU1VN=$oqot$E&Elsrb zi&LS=V$CJhgdl zvpxnC(J%?Qh`)cK5Ik!cX)`;*d=T%maCPN*d=>s)w=6LcODW4ESAW41HO;%ld&pe3 z@`#M?iz=s!rVT*MXDeM_Hw`4QLo)R~T7xkvaxVZbuF!7Cg_=_rJ~PWeRiai3g<_kL zgJ=6twMArPRATB!7pkaq#$ZG)*;Vwf4v~U_Uml*T=-En%Im)#>2L7pNsHizUxgRVx zt#w9ezkEp#;<6Y7+$kW*a=mtRBRe=eNFgleFIFZ6_Kp$rgl9(5=kQdS_&*qR?6Xw0 zD43jr@WY$yw9>PrXbn^iV+f6JBPu@-Jdl+{HzMRy^qJ^gW$;X7 zVCCf7Hb@q(AIvtTtPtxS#>A zq1OhtQo3Ldg3hTo?jum#37s9cvTFQU4QonNVNXxp{(?0>s24mz5X~|$Fz}&PEKQa! z{A4l=XNNv2O4i;UV1t*+eFo1MFv$~aRxM~CBp?7PdzgR_hIRfzDGuEo9#&u$`6V77 zYH{1m%rA-%KHKy=8VV2iojoIN5xTvDAs*@!@@1Q#(W&o1Up2`-p6EXU6iNk$=Kmn` z=f4x$>e#BYcz8F99^S!2teN5YTFtxk?2b_e8Nd(QnRlnBwMve+G|GmMkhzq}o||5E zz=L3jdQBi1LGLFGRYl68*ync{g}d1bk3(wJWXbh1C>a)mM7`^D<%ua1KX?|diRojE zdD4tLqEN~84K!jHa&L1ert7P!Fen4AxT;!;8M@$*e0e|m|D~UNafv7=Ltn_sf1>k< zaN zgMc!s$j9Fzc5dSAT(d2cz4GCdlVrgM+`5|M6lP_enTeQc_3+QV0E}(vZ^c#T1J?XU z<8Hy3C7NNLbDhz?Cp>hD)|+l@On#O`Sa>+aeBkivN&w?g_){u7T5uJ7`j^{pX~z4X z!8DAF$eye2ZR3WdcnbHlyqLanv?KGK9thgsn~~c*PX}&}g;kBT92UY^ncF~CyvL^{FO&5`al?gVWM@`^-KC?GABUCN=vI6prIrWBEyBozo!Z8 zpC^<1S-(tHgi;3;HA7KTU2AKrjE@19*|Ls~RT`@jyr}UMq9kQy!^~G&Z$Dmq1s(ma zv#J=dj{npPg(}K|)L@$LQb|(?lkJc({8+9UHo1K#SlwNsfpbxdcZP17HtC|!_@uFh zeL#U;Ye&hIZ3QE*P(2h{PF7l3$+vx6gFO*_I=fq9gyswaN*Eh`{}K{ zkXC%b$7k6DS0>Z*=6%Wp(zMkg2}h+r9#Rl}U)oV?=G%Uvb~1ZD&>7>n7XHYqzI!hl zo6=mvrz8`xQk*~tFGlkdv3jnJgF|qF6XdO{o=oFv$=xo5)!5!y)jBe!Bk$zrK)B`J zoCS~L?oJ+;6F)6y>ERf-|5k0CmJ3h(y(4}m38^M>mGbh<-ne1l?{2TKJ;H`sb24CZ zu13TD!&99L^&%a7I45j0An@fO#m6_G}&XN8D6)gHPU<6Q{0lwug4j=2?hV^p=e&(wT^P>dItl)$~p{KIvDl zixMiIr@9sSp}Y|%)2eEYrO;g6hDA4b9NX`Js>-`i7P?EEA(-s?Q>d^I35$@hjC)KV4FiS=VBoNu}=(XHN2HwDvoTMLQ`6ZMV|O}xFlFl}yq zW**BoORAQ_6&W+DynjRdDUa(N{Llz@6y@Xh95!~30QDdwEK=N<*Y#%-*q?Kg`p$XY z1Cqb}_6*ovZ1c>+8E8(RkT|U}NN9teR|QS=pENb>A0UwtvAwekv5=OfhEWKvtTx}~ z3>oGU2q?kXnE4bGk7$Xf1J0SjXJoCGZNnA9%rQI9ld`&sonbeWk3QV2|}gyb9R z{Na=QGTh|a`D}*U<0g~71j%>o!l z3Vn~?()3Lx%pbrxsa(%&7)y($@)i0pSI3Oi7m`NGDN;^x_22M=MhJUlNso6Pn>SiX zYs`*GVMJ=L`tjQ++(ax}WPhcP9jqal%_$rNO zqeYi6eBQj2&FAypCxzJI`uBn%t+oo_F+4Qv@djb)mEH{=4=j$68X4v38at?$1vS%z2Q zrh>AfJm)*}4;@)DYOVT~MQ`HwZ67+y z=BJm4cg8?EbziQ+^RvO}FyPg$GYDZDk-_KB$J z`AT}@vlW}5H_V2a*$x>U7ky7ZYi1%x9Cu&-q_{$lly^Y(i0V(_l739_aiw?4$_Tje zB}MdY%Fn493@Yx!q;A_OECafrDB2#0be|K=#xwt_T^>^!YuA&c+$|o{+e)bGTpD&f z$*8>XjRzwC33Y>yOiYp1AMm)=Z(X*tm~V_8HBwPtPPS9N&nJaR^;)n`Wx3y4OYb*{b_%nvTqTKM39s_6PDgtsJm+U}a7vpk$!a&^)U zS$$xhUv|Fh`i==r*8M4)k;;Y{_{8C=INMwGQx4u@X#wlCECMwzC(Q9Go}Ay*99M&6 zm9MuO)pQAQZe?6)m6N!K9y$N+JXQ6lnG&SV$ieY$9?udM49to?D%?Mj_xC%+vsq&e z`A8Gsvw_IP=!*t*)%UiWhpu+`7srb*PU43W@Ph?ENQe3 zqx5uVUvyvtz3&BXpA#sKrYUbANenMACjO7ty6u~GKZ{xChTX&2dEvn+I>xd=CNLzK z2Q^2ZwFumiTrI8zs=NJtJsGKO!Kwbp39&ud2#O9K`?qDRk54VTHTT7KoDLI`S?-3l zJj^2SV=#SrrQ6#BRW|BNSa1aJf_7)yX(qGDjvtVOV$M?#%Ai%79|?d@K$)U5&5Cp5@O!oV(8OpXt6r<_ab;;KZ^Yb) zHVp}ScRWu0rQo5 zS)AsJ0b(RucE-(exVr;dk`=>zvV__TK2qfR_M$dDb1Iy4* zxf?~orzgK27*>F6awmjwLgx%MCE+8PTl^z6xcd8 znJwVNUe$3z`t(Ml0SGg78*tpX)@_w$^od;9g9&OYzs81zXL4Zpml2RuFhwhgS*sIH z&3jEa>y}8QD1Q9-dB9oFpryQAKkQU(qv?x)LKJG33~g>>sijL@4mx-7Mgkh{GAUZz zPhK0YGC!s73angot_f;p`i8{O171eHhes@Zjh0X!|7RJ%(n{^onf)d}Q?p3nR$f_) z204t%lLH!H$UqBv!~m;=Bnyc5&wJ#~efZ(z(UIxF89dgdtC#*V`O2fBk_kU@LlFxS z@3zw-W_!aKL;Imgn%I66N3g?Ic+*tDs2|02O*IRLzx&ky@&_+3!O zaq4C}Kce?vWxD_YxJU9-1GQ=b0}HgXb7`+2OvxvItfSKqDxeemtydpt5chf27~16$ zn$X1H*DkUSw!L7twLKMAG(ghVU!Gc-i~l*t&)e8g*!d0rTDh{+!Cu1M0*#qee{xci zwD1An^Sb%`28PBj(=8z@`{IrL1gS^@DWvW4hcBynqyziA({0Qr>)czufQ$7$ALLTZ zrXv`_N}HbO&X$9ZM|aF5c%#;rB@T|yYG5rt2m#?lnt0q}~;#-Y`O0P8E3wu4K1eWfg zMpv9iSm)I*Uum(VU1vdCZ!VtFxvdaCCQzuK2Jf19X`PN!khK1&!@-E}*KbRF@e7AW zwhog+qgV#aK$I{X(F|W+Nhv9#i(JdR4C!1*t~W5J_{(XY0FqbckV{o6M%_e7_lfEF!&dK^4h??O0oM%Qqf=i*2uqy6O zbr=*hG;$osm(@__trWdSK?AoRI!cU@q*BIHK`MyqhEnU(qwGD<%rUe~hiM-00`jjh zqjhXQH>hd}YWTZI^yyuYxr~$|E^0;2L*?`-IjK1z(MJk_T!*s*D1O9qK$;caFgT9Y zmeO$$A4%QO`~KlI$;nIej;Gh%n$zY`&nqKlnQ(;lx!JX!xBYnE*PdeEoSYIae53H> zl>T)}aVLb~=K}B4eonu1J*l2E`|7dX8H_$}c5tPaBkWM+ZT|d8DBWv9`fs+z6|NR%smB$?6V;_LDjLpWIC2TCqWfod$F$^e{F8qD18DaT{-*;bEoB4GXQA6$T z?IUHB?DIw)IDv+RQPho*D%qy?(><+E&lmlFq8?AQ`PORd_Q;OBde`E-kTR7=lIm*z z`JE?g(wXAd;BW)&J`k{b!7|O=cYaSD`{tMu*m_A1^<69or`Wi>KUcoD%){DCg+Uj} z;tz;~zJ{a!s}S3Kw!EUoYnUeH>7;#QcQ=Agk)UF0|LT*%a%xpCNH-yhXWb<53AoVg zl3Wf9>=EJI8j|M#Xh?>Tr70xS>#u(;l>mQLSg0A(P=}_+S-?bb?Y!SzYT0>TvpC_< zJ0(Cemw|-F#+2kpZEIh zzr91<<0zA>)D!}a0k}DPopN%4%32=_a9^ppFV;p|B4%ysT`CK znf(-YS!+2=a~=CbjD7hx?s|P)L&F%B&*Ddvl(Zotj8#K@oa6@C;z1Nr!ShVbMp?5#B0#s+x`lU^nk3N_B$*t-3m3mC$NwlKst?3@74ju`o z(X6)T6AC)Y{)ux!eB+Nsv&)~?JChd2>0MW!DRKlBQVjiH9=It;9yd2FfB2XX#c#RV zQu$oZ27-rlGCfnH5UsJ+JeDidZTKz&1?x6Hid|{V0VuMrs zaaq|NW8VbA@@>`CKPSC~s&%}S+YW(aK!odDr7vjnQrwA*jr!J^D6cIpcvVj+eZp#L z6HOCRQBj_<8#!#66Vl$^&hDM}eNcfqox<7h=4i130|^OntD17H8O!D-5bF%+bKBx(rRKas=KUqGK9FWC zJGajoGciTvv1{a6dWKJcB-@P`7t^%jgImSeMz+7dTQ?#Pe@Ji10NsZ(3oJUYs7itUN z`!S+zElCh?)fF}3#1!ubUvcM=u-`39_L~f|ss33V6QM0hh_0J6ykls1nECyc?T3xC zyWDZnDw4!%eno;+C|lX4eW2o0-%v>uR}^$vv$a@n;WvGHDPAXO1x8?zuH#x+)3= zAwY~n@LY<8RBR#Cc4p$$>9@Z@#s4(x@jxrqSME;G`#P<2nY!=YNoRXE+&d+*T)>_I zoB%miDI7SdWEkto=O-tQ{F)jbB{<)=eG|~ssD(7>lMYz{jm!AF&cUKRjQ`z-(A?RqAkqi-_67Z(p#%^r`K8-e(ukrw$RGO zkSh2{=ar6|VwZ2*cIf1kaCd)C)k`)q!sup`Ul|@_mM5}*oFCS{=^JFsH$f1f^L0<6 z8ncsd4?!~F71N2-x*fEIpinM>DL=2{ee=jTrBhFeNn5W!BK1G*ZhxU6=x{kd-jgC( zrTOC8*ni+;;PT9)q(n-{-h&hEu6~6ncBR|3#kc>FYw=Iy$W8Ndd`GCMu1g!wWg!c$ zYCD0kCQ{_WUbkOYWN#rFP2(6Sc>qf3FL`X|n~q0N%NYMZuHG@A@~B?}&9>cS8q*e$D!a|bky zXEle-4V@+=pqXWj&L!rs#dflVvaKF23nRy^kAEtiX(=dBVOYpPV+WHEllXy>Oe-lZ z7foX*?b`6?{HH|UO~dIZSC!Kq*H3M?G)zXnf86bVrhAOL> zLS|-PpX{$Mhjed(>^8d4ud&Bfr(pd`|2ux#GXWz7=JvVWc+xdhkhT%m?_Ep})(r5I|lXdL3H?*T8`fFzLQu3X<70r70_yAPRFGQ-rgbTbOKNnplGpL`i`xA!-`NmrDC7H+rn9{|3rtOtoKpPoB11cJ zJ-0oWCkG8X%us)}?j7YX=^rM-!(2RS00#Cc?D*_#Q`HwYPa5P;?Bp1LZ$&21%)jMN zhR$v44#!i4(sUlxH-M^;QzIfG5}@yFj;6F<0RnrQq#t&%APUEq2iTYEHyw)eNS~0a4n@T0G#*Q-N)rsok>Q+}W>q;s-=x1(#Z4bB0!fIsHqNRI(AY-} ztIdCi&qxTKgDsPJskseE*cKHN`>I2!kTtywlGiujSkjh~StJJdzzg_9yiJFTTU7M) zDzT!XKu49v)1TUu3dGQ6IUyT+F=PamYG$^zdsk^v^}Qo*QOtaBP&fBO3rMixTIqdL zlrfZ}mU|{Itk+VIREM+IJxN>_8C`Iv6UkUBwki+uSykY~*Xk{!CJgvXYBVw2 zvTrN5*eC%*>D7Z2D;4iPn>BMTKiMu3QmE4vo6GK^#`ea$xBmHLJeg$gc~l~m;_v_8 z9TgF%)wFtOFKzfwO@9^J>%>BIJo_;&&2($6Bw@9(z!PLSAN`pP9r?`?5J0&Q% z6v|{d&xZOuncdE8y5~x7*d>RH=i}6B>;d;{_aKKDH(kH4i5rg@u@KOVkB9&n%2>}X zf;jdM3(@|g4mC-ZDIb`dgRJbBl8#D2KN=iG@eM5vjkvjb@vMYY)1>yw_=;(E`?n!3 z0g9x46@mz5k`}eDgfuIqw1cU>Y3W=)_nvLER73wVPi}1#+#Gz2^U*OnJ4)J8qeCT_ zLvSo_6lbu!|u=4N=+{Db&G>8 zdn|K93g-SwC)T|5nWr(6%xjr1RcmT!kdTpy-oF@0(OSX{1oan*QTP{?P@1l`IQd}- zX0-|+HWo?@ln*?0?CoJCB_|gYrI9pKC!|3pCa7@KuebRtHqjLA?(bI&vaYp~t7-<>~tBTGX4zgRX|3;=`3PGiSB|7|e~Fm`Viwb=#5CT->!{|81L z-=G2ivs3s=h5j27 z%h&bkE~I3$Sr;#AC9|#2zJ7jced}|uG_*JKK&U0G(m2VFkl(vOrxKP$x^bki2xEYv zWR;v2LDL%c=;)}b;@&Egt&dxFRbw4*Pky@3eqgXaEfh_4`y}TpYJrvH6pE>~+r<2@ zD}Eb-9Y-ApD=Vdl^O)doG|H_s#$Ey59!k-sCKiGL0eOYsx3`EtepCv%sMd@2`&#&3 z4y4)`n}^x|-4~!?5r)l|o1VPCU%3W@|Bn~Ikq%=Fu)83VRM!b#E-i~}h4)d2n=<^x z96+HF=|KgBi@V;-j_dTfKUNofvSPEC$O(-39rNE+{n5nGQw0Rvw>6q&dFVc@ zR*s0Edz@O&dn-%b@2XKy)_QH1B@V`e(T7;i=D*w^(psMTqEaewlcA9a#Qrp~W3H?{ z!2zxwPXOLmn03phG7PM??uSUYc`%GKBDg=#&;l$+%Dqq|4a^BlhG?kh;ZDi$51PHDT!i304Nh`;YjpYrdFQN`FQl(0w9F z^NX!hIgPGgi+bVGUkaB8g4zOS0I~2umVlBJ#(ljVr9 z7d3@NChNt+{4Ujm21U5ryvc>zHiXmlEq@0s5zW;!Ku<4g1^DZ}!B}sfW@H9J$gUlU ztpM8y84C;Q&QP4FB7~x4HQB8sR8X>}UaaW1t~q{PnsWO;4Js`@AD6PT&P63X1`P-~EY~>Z|){SI6(ooOGu@^nqrZc22e8Ruqz7 z5|JU1DR~zG124XG=%5_yrinf^V_6pY9{CxCMRfuY?7m<-b3Ftp2P#HIW=6FR7_d-L zk%0OUPqs?{eGbT&s%sO2fML|*jz&&F+2)6=@JR&a3&L%{1DEig*ltM{q0So;CDT63 zf>TM&8{mGhNf+F}u#YiN20*t(5IKHpD+UBXclG1j{?&46Nfsvt{^KKymngZBZ=dH4 zhgue!sf$|beMF9t_i#m}U1@Ie5gri;eblt;)3*q{mORt>RwOj$#ND@Xfs&Si!~Consyjw}qtL=j(fsc02G#HSmNJ}YZ! znQ8Xa&U53$#ho}KfEr)G`SwS^8$(S)t(^RfmMH?uyP`-9cg<@xIaI<0 zFGGH0l^4BLmFqADI*9I>bLq>>Sbjl=o|gv>dJ>&O+?6vwhJ3(HVwfwO*3DlfV`MOS*FPx=QJb$uL{MrkNqK22J%B$${fY}UAcHh-S4gW`o0 zArOLn#2C-o9Ja5|_F}>4vD!@)Y2eo{1+433CvJxv<43Z|#*OV?plb4Z|>DiZX zAc&y(3)pZguyz_-CRZV|*U4un9TKb(jaUhCBxO9yD_Olfl9GSvT>L1javF6R%`o&> z>6kJ$Hg22F_wo=E&p6|MMEZ6ieZyzsPscEX2}v0?%euF65U~g;I!P$-lB_eFEHVse z&$o`M2)vkhcz+0;-JPKsAxd#MJP2O~2DCh< zasl502Bv%4Skf(18esOv*U&bZ zUQP!i#&iG<#PZ%Lo}TRjXd&&tr_8WK%6XfpM5ycgQvr(4EJ;T*_4E`J+6*VykbGfL zW0ObY{CyFiv0wQkJzu&IEG{RNfI(&EjV3pI#?F%j(34O-ng6|afNmW!pj+p> zWkma*{iyjej7v-mVTfpbazkF zmqX5&VSqC9d~JL;+6hChH9It+*J7?7lHkC*1a9JZCt6Vo{;9FCZ}r>I18H+=fCKn% z5;^K0y>|_q3oMWGKc*yKrwcdlckE$MSs}TGT)uh`-9P zf`Ne{aG1@n!A@tM{6ZFN!WsOa{z6fR@@8_j?pn04@p6)t3KCjV3zG7i(@KjP8f2F~ zAG@4>saJG!lH`d_7b&Y$Njq)cH=0srh5G3bB zenM!)Bqnx%@k*ZF)jm1Uan^%D5C@~v&?~yiU>PTX|25ay{RY1Jbej3i#G_d8e|&GB zK0xF&P?%Ow_&*@C=Yr&W69eJ##(SRZLxwDqK8Z0xSnrn-lziNqE9dKvgihDXwj;J8 z5?-O;avkQO^$Ls20zy#_oV!kw&;6yzKEi*uLy+Fi}gonn+*}WCS}PP)CJ&H;(Z}w+a6;OFgvf zx@WypJXiVL(*yGG4E^Im`OE1SD;ql%Qka7(&D-5eLP`f;p6>;bh6QGI5EwBm%wr%xb~i|6aCz-e-E-P5yQIwA|)01jb>$hK82;ob2pGF(DDEL@Zd}96Mctn3$TlO(9eArz-LDmwY~<{i%DO6IzNY zD$la26M*f_9~u@`9=a}xaYai@t5)C~#xy#`By_oKg88SssYHYDd`iH}$ER%d^NFgO z8U|2e18(_1MNSzgJzk992X@1LG>)DSl66AB%oI}}>ZOymnq>loUf$f;MADrnL}69h zvOPQ&{$ALq#|5a`YN@3-2|v(EseVA5B7Byd5d+F~puv0%46kq1A9je}D}6|>aXTH( z{pq#1HVDH$`CQQ0yKazzrZkSTnid{Valc1(`U85WUpveEWZxE z)}6gUSZVPlx=4h&8f&GVoMahHWLQ!c;PIRQ<24H4NKrPJK5_$8UQ>r>$QG9yWBI?thrEEDjz;J?n1gIItJS(}MB{rFoD zi9%q#%==w4wo}tVrMM!u>Eqe?dYJ{IF2Q%iW|E%tafGsj^!Tz4LEu7n6BSj2?)8O2 z@F=F>XJTMbeKdDvB8^aBIu5+!#g(6$l5_?;H$P89!bQg`*?EP# zoXN+EQOs4CO+<{~!vQGPS9gbRNBn{^Q=h`rcIu3RX!KAJ`?;5w9m~%N0}o%d3if@s zpT*!8#gP*(VRwXCBmh844~8)7H8U_)>-6iJH}DG6pThO$!flDeXS4tAHxvy5mQr+! zQHuDVm$LH{P|79(1Bq&yPX)s-a)3)Z;0L4hVpMq=tqKH{)kgfXIY=eNzLIfpsKb7u zDWjqN*%=QqfEY;@8XCIP#6bv+Oax}Bfe(+^${v2cS_{u+Ini^qE6d`2V`Yk|OaB{9@eyP(u&`|6^YqYp9!B+u z{9vUA95sCdR=ne`>wCn`DC3L7CQcR?4&xUye=BVSvROLMoA?R1+-P|wiUDmf0I{+# z|Lv8tlP-;zl8#pw*-KqdW&6cv0vw0KCW+)mtzdgK^eIyKAf$2 zAenvstMgyG(^0CY(3BaRh4&=qn3i6*Nsa@k&D(2}D5m(Jo_ao^8u^D~8$Lke_z!9U zUY>z38;?yg54NjJ$D(l{@2|9%WWe)m0cI9C?%q&-o}M_=-f0lu&5}2l)8kd7WED4p z02Ai&J>rxZM5DO}J`7$@CiEMj9Ktb`WjOWc&|FdJVdVR29?(kN4@|S65}ywqzNa zFju56ZA1#G$A%x3ecK__$)8)$CWjT!wy`TIq#sCE=u`>?c{L!5U+9N^o2Qn|3==(% zh-jf3N!HtskW6p>6(y^xZU zf@vDo-pI{9c2(~`$v!ZU)&B0;x>3OUQ+nXh38VqXXz%qG|4dsDmNDlb`DLW4$lew; z`QdFTj;^})X+z`>mF){NuB9+ z47VBn35t^U;B>hyj(L*hBsiJFA7!L}TvK1(VAq8vX!RPOm`K=@PSp($u6@1{0HVw3 zAZlv5lLpB`Dev{@t>T!s|W1v={5^WgPp3q!OzIsd`JwY$g(Ag7etmYDf411w$Pwue9vlk2$3ll z;`Jf*)g+Tad78e}Ru{{g&s*B~+L2gbx3}1rA?NSYJN(I@3)SuZrVZ@Me@GxqA_KL; z9=caeaJO^E%oY{QdQt3JO>hfPGsA7^b;H7O&`tu9PnbRijx-9e%#DrUMT3A}rL#LJ zy7qnYpEtN<8xv-aAeN-X-|sLjvr~vIr-FZe3zoj2sc!A0Rmb|o?c!`vjGq35+x?^k zu4%I8)D+OCPXBOd)w^>X97+AYLEYrY&)YIy+d|{hNusM5i7rR}F$ndEf*W`nV{CNv zqV{Tdc=)@*T%b^FCwevETKr+}id(a81EsN}ccgy4Tmwd)Qi6O`f}KaRE+=N8dHFWx zTDZFAd`qRk!J7@M1`7h0p&mQlLDpHd35)-z=c0gGrFDLBJNB%;op{0gf@h`K$~cNA zAOoncvb@?|US2*JzF#!c4kmUflmKU~7!&{+Uks^$50~_lKM_2qAq+rZC}v4a&r}-$ z^|N;Go94*dKX`yk*`qM6Y3Qd9+2}6FAvwJ6vC*m3_@r|`&ng%KVa1=nYEaffyf1Xm z)m!xUFL_dm4P*7elg-&GcRi`U=VCfxK9Ghi8^sW%?pG$*a+u*)KJj`!^|*L@&aA!4 zNT%MXF&OZ6+>qP@r|Qu{Z{vV2ZA%6!mYNnch!;JBQVCXbP6$eech4qec=AF_aZc7d za@hpnt_#HB`H@OdM1;SJL}2yk*Hh*j_2Hnezo!yG$JGka)r5sfBzJn`H)2;w+bwgZ zYKhpQF+RIg^Uk{<4THN zotC*qV&9)o_}e3$i;U^WqN=JdeOMQ7E>AbO$*pX;;0;*HeK2dbnAjmKHYK!4@>;0N zB-^l#-zUF83%Y9m`i;1QU)>!FEqEId?vTm;e{)>8FTfdyy>TRAef)+8AeLb7PU@$2 zdfq~as{a01R}9!w)oQXU8}impGXOieC>*N*ob|hJqf}jk5T*On`@bKrm79d3o>?5$ zJ8I6g0NGMvq%c?2zP`zB9q5`wermZke#szQ@c>%V)&Lt+StMP8;depMn5C6U51V#) z!nVzsKfkw+xH6DfX>q)v^tH`}k(DNCOnawab8^Nl*odC5Qq@X3fW1;L8@Lz?mfVda zjKOhWQW0?}jh8v6hAqd#!yAlE4nomZ%a*;&JEIbKmYjf=2m(I6xKdG>{PYxz>^ixj zBP`s-Hrh%^ZIO! z_=mF4`d7|eZpNU*)_dVQ|-o}le^O3~vT`M-nl6NE(| zfW+89v=#p43epfj+b|y2b`&@Nj;IoSt7ki!Vd4w^{ri#V*qr1B0>>z$ck=KFXlzmW6Xp@b`yTv?Q?o#s zkHH_Cr@q(1l^&lIg)=Jzlcdveg^x?oX#B#XudS_GH5#g(!Z1tW$sEqPMgkz&$Cf%1 zs;5~+!DFY9vCsA>B>f>$o=i$OxojS>qw5^IY+vo0sJCO=Hh!m2;fsbXfbSnq`sC8) zncHSydS@Z);MUX&WPx`;&;5W|j(C3u+%2l<>P;)BKPsw3i_xUYla$bg9fB7Efxdpt z^xcc6OP*Lba`7VrbP}zij9Dq8`EuJ@+kI#mIn`1p5T@=MxUM%%!>FbEJnMc6@&7bO zqkypiw54!L6Fc7Jv!*MmWyLaWh1@ZH$C%^moIuO8WuIO1?cjI?y z0~^N(TJKU0`bFc~(%!T!^?E2{qvnq_5JR8aLg-qJaRT$DZNsJ7 z!P^_}XX>ZsS+_@v4!t(cop<7TkAffhQRHnD5omH5nY|mHKhPNj?6kE3a(`%gnwjSh zuaJkHwl*gR;_YKm$0h8Afii2inE9DBNpou}l))4_WT3jz2v z98oEkD)s1uZBopOoCVqhlPHkt$4=sQe8K1Q+;+Ul4OoWk>b57DMV|EkDh=Z*9#62>?G@^*gR0P$@-OV#ICx+0`KPeX|P7Y^_+& z>5L{wo%74)o=OijRc6!uMk45vk~S#4&&npgXchw4X`YJ8LCaAbnpPMxB3?|HKLqOh z?qHa)@boQ--VVYm(5k!NC{q~Q=_@zD^^%iu|5rc$L<^98XvwMSc))8pLPcmls=LDt zU#}Jg&eCuKwqy;xF=%LL;{P<%{P_G@QW3bXu&C*Zjv;4Ks^BEef|X<~JhhyTbDZsF z_x{mPOIO_?(&}njaqNRg?0GtHX1i*{~2Iu+u3clHy{4+He0Qh69aI=<^YMulN#@u9NgiR-QRfX%A zb898^g(l*jcY&-S@EGG*3_3qp6~~^Ts>E-W$X*B`uMmpcId50zbK#+k6cl1D_*L{O zbIQ26m)V@pGlhMfX{mzR&)U$3;<6pJNv?38&)Ne92|ZRRqyKHQ{~4Q@=>T3Z9rMIl z<=^5m1p$Q!FHeizw@%7+00GT+^*A+3&0}bW{&P$6Gq3TaMwTkQorcnXya2*ehgg(p zVw$7_6ynr$^YnsTZ5#^&akUS%=m8@M1GI|^3qb|LTfZdLpfjFX8Y(@{JMU}F$2b9y zs7}4nLbSZReAX`Kl~XvatE1xwfsEPG(fFmWr&kqtLWqwp{}*mW$hG$>l8#@^wPzDL z_?ltI(q=gnfO^u$zoP8$l#R>rg6eR44TT;Y9lZO5=QmW*OOokIHs9+a1jL>)Fry7p!9tJUl%0^?J+PKcV;XyEHT4j&L z*iLkZeNH=WyPo&i_j+!nvW>RY`mmW3dpcBX|23kf(SX&ziwmeSBwzpIX8Y25YE6eO z`_FT4aJ9#{;F0-n@?3kMJx`ZdT<%V|Q;#bK2M0mo=G;w7iFwTq{^U1QVu*`}8qatU zs*&{>S?Y}Qy(}wMDF4FXzdK#|)+;=vymP|5()kSTd(lgz=e}HAUjOw3T$)}M7XO6$ z7QLAaMUycoYiL6NV|b~x5S}1iTf1CU!*I{)$Weixzta-{SbXJD%8`q5DrV@8ZgQF$ z`E_-8Zf>Bia?jSRp-A_!)^D7YXqVJQGm#-)y?u~G#VT`v-Ci`2Ev+3*4ri{jRl92c z&Io-Vd2o<2IS3uNLVspR6}0;O7E7=*Td|XBEQwUw7Phs4f2pF^_f8+Bmxgt8+s_7z zu<+{_hD9%4UpD}Zsv_oR6<b zc0jzH@a3IuW>2gnzj8Z5KBugA~2Kssf{ zs7Mh3oy>RD4s2#7gO1@4W^qKFSgYRE>;>`(`O)&PDU^v$+C#AmQMcH@@r#>BPtT2) zUCZJs3$&lQ4kRZeoOHI+LrVuvDe6msFH{sB`qz}V=|u6XXjhrY%995=@m6J|dDv}~ zjc)m+r)20n4j4r<*3KbZfld5AYq)CNnOwR2OPu3AzX`DITy94VV~ClyA>;qi6FyYw z4B!xEod_)U{70^MLcG1~Pk8RceCFqMN9_61ydDhH2Kjf0nmXf4HsW;Lsbz`2 z4tOiNqbnH?!LB(ZF;I(YANuZAWRbm6$TNYuv#Ovhd#*_+y{xpES2+9a_$`dOBtJ~F z%FGM%rYk6&Uk&P5_*sqQM-gaiYyW(_iN5)9YE)5Ot+~K;rU%57p0p#@whf@ubJKbN zr3I%a;|znYqFh;DoluF{_B>%{XGd8}4MhHdT7z(`-g=_n#~C;{N7voV5zyfH&KR4m z&vB3fRIun`EhHLecFL*}1_+)r~Yt=qTf#7#8Pf zoy1y~%75NDAs?N~May2#9EwjS!_@HU=pR)5I1Xsn%d|MiD`h)X zY+mR4Tin(k^~ILz*k!N5R4&;|(ScX4D0u9n5ImakSWfqp>0Qi_9JYtn2a??MTy)+J zS6QTUp z+Txd&A6Q7ac!`tP7R=nd;fbf(4@`cVkA4Iu2fp3l;f=1Xrr7MYN~U^`?N@PFiWm&p z1}+NkXf%gowsX@VowMU(QF(db8SG~zp+*)?=~xT(J}!y|`r73>lRN+I3F>L{^#E*o zYSr|i3;!t`(m&^&I`a6L8I&09)G67#nq_r7&7h;08Bd)ROJw4sM>Gixk6`9_u+Nt~ z(|;bn0j1f;{6Du$z}?SQLvN3FxiMfDm5!(ZG;jbrF3nkxPvz;6pI<$4k}L(4@b&+L zu)@8-T;Z<(%O7B_M&{R=?(DY&lC--%E2gH=^vnytTI-X!RF(7f46}h4*6j=d3|OSJ zYj!@p;HZqS;7;wIOG23HvXfsMPCmNr&Q68xwZBU-gb(`c+R(&*-rTS=^^%QY4v9)Y zKPOl+KeJiV@^P-Z-Dk6sE`|)B&|d_UDGX>&o6xIisOQ(4Zgat}H}1ZR6YbC^VO01K zR|!^HYn-nYn55s|0`+Ifo%mv?`U6zfbK(hOPKcyy5papuB7_hu=q^VWZ(tU(ah7Q%V8rvl}Bd zD;co5awwbE=RS+tm&3=WIIw*aF6_N5czHNts+mO$@xs6eFx;Y`A`2V{1z$lV>)*~i z0(#04OZjxfunBSlZd|Atvd?P;{$LM>Y)cMkGwcmLwp|Oy_?JBNP73mGKE6Cse2odoR$Z@Sh9_&f3OXd~3x=>hKTVn)B z6M^X}X)AM9F0O;l=l(Gy>aED_`Q`e3zB@}QNpJ5qIsxfeS?XGvt(1E<={MMmX1|eQ zS+zYP3|f+`+qPR#dQf-7vsKGL{g%6K zH}J<-c6f>u>vN#iYV>X?BD1 zcCDgIp7|fj8iq$q>PHgacvVC5RaaHPmy2d+%eJ<*QtK*}L!d+wZ;!3LE@G_m@kZ)U zyEZgX&-~h5C~w4con=c$`Xgj3G!w~KQCG(*x#MAG-baA_4G3XWERnu+KFC9DCQ!)M zT((`Mp`*NBr5Ww|oWJ5abX_*tGP(EpAFpimXK{1?bYo@Xhj_?XTbe#N>M1rC{=^vQ zYhwzs_xCS#swTxXE^)q=TitaIwe=B%XEqNnuf9lxbLaeACA}QL{0RxOBt>Ljb-cHN zwX*&2QD~}THeMyQPh}SXjU+iM*bcqMPO@TsQ|{7LRaNCsR&HIO)%eLVP%xCLO1)^e z+<{r$#X~!Neg78Y@Rp3XiZ*&J^ zG_cMB7}hP3K*F)^mx1c(rKP{h6m4^!Cu4>XuWgd1cmxfF<#j3pFGf8sZEc${Q$pwf zRn62@Y1b9`tgN9^F7XQG?OS<1gw)a0#7W`lIdr<|?BHEBXteQxFoU<^ z@82S)sfn2aUXRnhyDz-Sp`%*7E;paW;uq zI%spKgEcT3twzi|K+h)vuT*M{Q`6Jm)VxT^;JpV}l)I(wyrSnR{a#pzwXn29gK~8M z90@G44|d3V>3i=8IkwBFit%YI(m0u7tsA5HD-8I*e^;V_jwhye_1`0QnI3?_mL^6J zi@v!wOW*6ba%k$Q6zSz3?#Ca_!CnOH33lIu$9b6ONCe#48m4=1seBl(NPw#?JRmC{ zOZ2AxBHPrklaMKkpeKszd1eX!!K21j+BXK{C z-ovP!A*f8ob~H3JeD63=nO^Qb2WhffKALgbUZZr!NJ*_8ny0Hq(-gLM%<(_cKG_K9 zX$(8FeA^;^QxFr!jxU?|F>{#QcAP`2*P=wc%0K1hJ=l}q2)#qVvIo7^6M)*`T_3bo`bP&!;vcoaRB#Gw_+i#qDGO3!A1 zQReosy9^>Bfs{i^w9-RDThZdI|1xn@=g;fXH^FD?O0C*ezvS@`MSl#Uh~iu3QJwt>hM(0V-JjL~LSWOdT|v##aeqWLOHh31?Yw9QI;e z4qKNt%}2GKO&|hmytAkfd znd;N4)mwG1TsXv?PFh*G-$J#Wq@pv4u(cAcsk+Gqwg*$Q!b!U13hZNmU4ND!6Y^DP3EgPu6nJf6 zlneZf>Cj2n_Tzku6c=%L?%5k<_&r)Q-QsH38DB$|Qru zU85!qCtFSs*&*R8?L{)F|%0rrj>UJZhl3&tMpSWrlR5W z_5f9KR80dGo0{nfp+{a;fD%p$M(kSy9pJkqp1ZkuGaqoz?-APXH!ZhW@X#B0j)@^i zJ4q|}a5F|IXRkc;XspuNY!e z6x^Tb?|wK+O@>SvlF?RzpeCwyX&XJfDzB@PffU$(%1Z#Hodn-Ou)2hbRHrKI_kxKu zkvo?I)f=DyG`BV9NOHZ;gibktk~u(;j|sbG&n=GDwo{<{Q%g2GJNrl=4qcZ_*8lt#C_cWa$8U+i zHx*XLsRUMQ=R{^AmDimBv#w~rjp}<@bR_br4+dzL%Dn`>VISZa4qS0)$6VZS)Yobb zBfLit8a3K?^&3FyHIfuzGx&-HJb+7FoX7NHrMR}nU+Bb}v^ld~cVp#XdyjLAV}o_# zc!}LC3i~M?7u7llgPzRY;LA!Ac)N$+=1#(7XJsfn_79`uED4u=_K@O${f%yD=b727 z-LZ@1DL)Cr=tmlcIvd;Lr1px@a@t+aZ|_6Bl=aKe!NI;9q#Z>qFyaFP%9zl!T10j4 zH)uvej;S0Gb@aF~s(tUz-zmYr=cI(4oY*nl>n_vwJj=C7BUrZw(?>5<9~o>p$7%A@ z91{+LIJXYDKv^g%V&8jWygzg}H;3yuJv#HfT$F}%sMNIsm*lLl(9_I|Dqsf}OtsR% zhsXL1&>FK$?$J%d^1cYnbpYcL^c{5*W;@l;8xm+!y`fGdnU_SSU= zDD+5kY^rsF<+7{ZGybKfFYRy!C!P9+lVfA*1u)=^SMO|pejitNN8G=6EYH)sFTJmA z1n^R>g&v~Z%&cPwl+!lOtT*_=b81&+At7}93BGIvdjcV2P!f&(wHCYvOr5)*~Z^rQvWelEDchih|> zewx!~i7uX~CF^r{^2=pPK=6+p_{Ds+KV)(7wdCT+2MnthF{*pDa!_~QTu8VeLiwD` z6N$r0Cn(8n9sa==o8)b2t(rM(Z!KY!C4Qhb$-rzIMZsHofG__pxw{1Wc<~E)3+O+& z)e_W&#}LE;(em&Sza(2q!+7!3Od-Y)l95eT@3U*9Qrq9XwRLdt(02LpK&bFp14Fp2 zy zPxkEO?!W!++c)kVkDX`bKW_qJRczQEr!<0=&*3fah%s~!w1 zsd_YPoP3YFQ*Hotg4krF zp>D?ufp6Dj+<-&EmPiC z4|K*X#_-%alfS55N2{WZumH5TR*O~ss2%eLw-tj3i$)y(@43~JLxK5_=%$`DJD}G` zRlAA>1hAE5d^(Qi?-M$mp`@+_K)laq|0~1yQxn&>7caohh+UzffBY?}642N_>A@a| zNVP0XwHsi3N$XpS9B5y!qX$e*b3n9?mBZh;0odUz3W0R}>&@9`a9k5w<;g46qbXXQd3yox#gxce?6^iX|<;nux^ zFpW<$3nMu6=*xmlFiPQ5qoXQbfDeTzru0YezO{=gTSi9a^xO~m)^SjX#K&CI7vPk@ zSNq^Uze>VUaKe#uX6^;c0$?t-g^RBvZanj|;;wo{v=rUEDW@VL_`4N><9hv zfELb9B1T0M9IhZzBJ#-{SZg%iMI9Yl;D6z;)5*V?{4eP^B7b)tWMvWX-R&|3lD(Dk z*0L4k=PN_ zK+T@y-4z#uR+qL<$0w(krOhI@v-`tv6G_65 z8n(0H-^HoMJ8t-ZXBs1{>aq$=(zE;Js)7g~sI_%^+@<4N5dQ;K4ZDMPs6l)p<%-;Z zZ{@>9$}cGBFt@8N?bNRe3i-!O*^=t@raSRles;6;i2M zP4{YE^J%SaMy688QcGW9_wc_~Qc?L@uuV#FAyLlT4d}h{h+0NjoRn}34R01C}Lj@$ZgKtvyZgrQfFWb-f!J$`yh~qQ%_0 z1xzRLL2S#_>(7QqzqU^cM zZzO#5T6TY@EoOJLjhsMSgzyarmGevJ*8jX;_3_Yx%k<8EmG=^?sJtQImlq~q5{pkY z`Hsi0ukwK?lu+WyKYp>W%tUw$Woe!0;)wd>${GMm>eRLY=Ux+L;BIJ0Y-4MqzOZZMyf(uAG3~S6w2o-1c?Te5s)y7{;_SqT+9I8Zm4aMr) zXjaT0A&mcA1E+zI?0b!~Cv<4p;^}zYTlq-|SVU!8N4ML{$pQYTFHxuno`gpoRm>F) zIQ3@~g}UGh-|=MO0UsU=3+R)}+e9_-JuIIBHhQkl->vWMMaEPj1Gp2XnEHm0ytF(t zG_b|R7=kj&IvV9XOcoWYsbqM%u2D$)YA#;}mI%KP)gp=bE(_(ZXYishD7CgHOIlb! zEwz%-xWm+dpMH3!+!m8fr*iz3+RQUIKCSFe=73*kwYtolQeJ{jq`!Rp&$KBBK4AQD<7P7|jHFSq=PVmRK52C3+ME0ZUe+lP z>&N(qhHC@HKz^_tpW>u*5`Pq^m+NdavK1HmV?3Dps}f2H9qn4DM$6z3?M4eIFbFK( z@|8d$RuK{VoWK*MrjmX~P`MN$g%>f>fDwyADfophEJj75N`kTmh^`T5$8=Qy!T+fr z0>@z!S&?sd)_Mx*x1zwq<#*QvXR+eQdu1mD?STJ>uD1-xW81a`ad!(4+}$m~2^u80 zyIXMg4+!qTJ&@q;?(XjHE+M#ek+b)Cw{Q3R1^l3@)|x)nm~%O~xM^m|%uqB%BMPz&_L4)p{l*uK~oPer?z!R^*CR2{n|?4_3^yF&jxM9sFNY}yI#~=^hMitpx-j)_Ildn+v~7LVDxk}XkDa+Gd&P1Tl@D?!l2{cc@c4zRyvrK?2{KWFZuw+9?I ze65-%$wnBEQ;_u|m%-Buxc_s={u%3o^Fz%SY9$E?Sm3H4R?IE)pmc43;_%a1mLODaiSVY9QAida`u8QCGLrXkC^P|w`ZZZ zIBiM|ff(350QYUP)tu{`->d&eGtHh=nNDHR>hkh2!jRlCx@H^{8Br}qy`TH*3uF;N zn=~7)r&J}5XCMwmHR)Y78-PFeT0WMjf`O5MNr?(8`$L=XIOcUZTj;vqbIQy6UPac& zQ(ji>O6x2eivtBq3N>1(NQj&w6naLW%r_w?3^Z1XkLATRKt~~n7Hy%;o0@K1Wy{L< zUWJ0%Y7XkW<%)>sVTl~ikJqLhd0wY|(&$LjmwPC{=O!5`@HkrT8{XgcBnF(Rrj=#Ke?$pG&ARJ>Z1C7sc_?Dd z2QqTG;%Ed)KY4RFs!3UqP^Bjt`m|`E7mPNPI3U2KT_l*v?;^mh31i!VMIac1$67;< z9+fc&mKWF53Tw-$R&6NK8sa40_h1@z3pgTCU=_pF3M5xr#pGSSIbDqgxXHz1G+|^B zlkBQF;l)5L7}Y$k-tXX@wfssg0p*zw48FG#*KVmGjJW<0N<2$fQMqb!TQ(LrjFrAP zm8sd!e*t?Y-M6mU$N=Q$zAosI-@`5JE>-jsi=; zJcpC`>P#o~nv~I1c?A7G`DK}#)z#i;H-IV3=tJ4gX`h{^wYjSJ?tga%)WIAI0$Ze^ zo{377jkguKK5--++l}HXt_cw&NeXn+{?w)|%m+llF0wK4BU(En?@2{`aqr~~}nOwaQ^fW908bj}6L z8R_WgWb*R*ZTHI+Xe%ohFo*#ptdafOHphLYlZ7_O^}9Via`NtJ>?||TOVR_?0az+K zcmFF$NqtzZQbF+g53gQiUtZ|*%wzf#*vR0Z!YwzF3>-S@J1LAih;Tl z5D7=#qf|e!=MY0ipmeI;b!hL+J{ui1KR-yG;l+SWJ=g*PBH^3}P{nRpuN3e|$4Fyb zHUXV@%g`j<>(+VovL$FReLG%S`WU@HjwB+eV5pr098?vKcv}og92>V)Px%LmNYOCd z^Bm}(uRR+9*UH_Bj(3GFkuASvHkm>!B9a%sg3r;(LITfgV^iTlgMeEyuG-n*0lqOO zt|JrmCTf|fiTtkX9gzZ)_8-DUT8}xrH(LCH1+L6i!ABnY2SC^BgF|gR$}Yip;GW{X6n~Jmo;* z=(4g|s;dqj?vrb~r--vhLXxdKj4}ra)8+a$^XqSBe3KIY+4rZDQX&L}&AB5iXo=}n_vLM|UU%1Kwj&{#LU6#C}54qElNTkUf zuF!sZUqox48Hj(DKvfW!S`beSC|3`LxwW;ZiOOv9b-q})ncyuRXU=)j9|uxZf$r*^QKUF2dG3PvZiG z7%(?pkBe01x0bBRJArXjmG{r31!ZM7!d-GTz>P?lYd(*JB|6QT8bSxTw#Syo7f)Bd zJ)cnd4;)wA=&2l#yU@oYj2tdHgrBAbU&&j}8DEC-=mlMq)c$Y_#v)?-?*7crZ;V7^ zQmqv1!*qF0Ablf(0GO7PADNBK89)U%7FPJ=*gPANC(bArN|bBN=Fd93Z{L)?;Vqy! zZFwnm;6uNB=rat|DmaR+{$A~~rRHUAnvSnSb(S`@9KtOC^AgmcFbg?N40w3X;4)oA z#Ecv_d)BZpMAl3i;0pNP3xdzxjYH* zVHnH_SaK~oBKCw4Q%_B6P z*5iwbsZTxf)+{FATBZoCEa>voF#Zh64PE!J`u+t3dqb?uB+g~6eqQ~x1RE3;RI9%A zj6izU>5O+CKn7Pj=r7w6T-jX_*tVVUdbcIj_>6GVQq>MTS46)KZbI=>bpNIfY@dRq z4Uu#6tYp2GEK<)JMoh?t4pGwmiGCTM+F|1&*w6f5vSGI3{;s|fcxL&KNMRVl zjH&U4a3Eo9&>TEJqCn04h7UvwLv}(|l8*^yNR#z0V0EK}j&@yl|Dxe#mqP3?9f$OW z#+i+vG*vtFU1XzmMajI?T!B%3XAVCBY7Up}S{NiO3XHMNwOL#o>Ri7h;G9yeh3>C@3!a1@oumpLg)IR=zXfg)01;|T;NPs)Q z2M5Jy=;(f1FrN1gt>W~eo26qg)z@$Y*fatZT0b1`5iI-_%=PoB>1mxrqEr*9I)sxk zVdn4NuhUQ$+Se_bt)>YdDVKkhNW@p@mTtvNe6(NL@uP=(&g4(E($ox-$1+%nWz0i0GH$AGr;9At;Tn-d8@_a!E{#nUY6It6uCSJ$w*g|efWR}6Mzm0`E2=< za~o1dZ7YO-HLjb}xv6?+0BEs&3_P?9h^L3jNf9!WpsxG69HrANkZh;Sa!&XbsY%({ zjYKE}U$gYKfD(l0aZ<#jWWMpT&K+y3P2bOs=jx$a`-~_io{{x9~9zdqItTZ$Ynnvkzp{{ z^jSI-FxtFPG3E+$d|K6mM4u@WVcy^%I8dop9duQi74dB}n@{@W=!miQXamBZ)JXw# zc5%oAGt;is3~ULK&u<{A7rgp(Ndv%jROz^;e!buT8V*@aO*}n3F79l7gWCZnG!+(G z>#Ff2;gB1-eLsfO3Vk;l0s^9Zj`$wiggYxR@ORZU*8MG?`3sbUp<vYV$$Xlrrt?;~l z!`hZ??3!ZB`is{>V<*Bj^v?mupX~6?-lj9R{l&O6zofjAlUQ1rYI4@LsNCf>)&jrx z$`<(Y{$Tpj6C;nA@EiE{5FQB6+cU`LXV~vlSLjE&0)l?`_J#eY@=E#d>6@y7p;w3p z-P5fyDer(?dxDz?qem0odb&q+duiOiJRIlaupxKi)@TW?*dA;(GGBpQ<@&w$$&~_& zAHW@Bva(PSD&qczGZ7L#IJ*gC*iIIsOS0(C3Nz*w7S1q^#F0uOh~IB+Zu~Mo5J5wH zR&IBz1P71=;R&5N3a;e>{kX5)qV{`tKEqzS32Fs~urM$k`X>o0vjt^Esy1y9-cj~~ z2xQ{9;E<33*=fMp2(VX)esH9nm+4_7T__J>nWD;nsJ5(KAv}VN_I1*kYUG^oSPxkA z&3jlF4J8@WS0*CyuVR@-xAH=8xI>?lv-qxXxI3TsM_$%|Q1!wYga3A}F${Ib%0(C| za8u1z8!a>+-#OIC#NKUdw|!U;98U{Cc_-*^tq7RZUtp9$0kEi~%!0)4xovPAeKmvR z8BWj6P}JcJWH7>rDTj7dV&@vU_VA1Y-a-rTx$NL!^GF}ZkQgot=%68CzS`Q@xM(Jr z8%ilTR_|3=VysExnuYoESG#_ekx>R;v5?xrkg2Lpcw}sY^`!2*QwL5ahF0nduOV!{|?vBS2uwi=yLzu6yf zha-{EhKZ^_*J8r|o?YJ_vxgGCSw{>BzFC?K8^H`h&&So{<7ju|Xr+Ap-FHqFya+$? z2ERR&T=*za`WWM0$sBBQDb?B&$+^7NJ-3<$$Q|zYj->+IZ3=t&;T_|)1kUp;I{R?_ z4!b_sL~6aiCp|;1=I@PJ{BO}F$hxs$gIQ5vzQZ%y^7_5|$i@@m)GTj6FAB|F$Lb2HpNJI&Wq9p_9W^g5)1hP&zfaLwPG`K>{iJ z8iJABkhAjC812ZZh?jPc(dOu(T7?SbV@2vjjj9P_YO7#sQ$0m3S5hggjNBmV1;#qJ|oRsGfMdk{{`B z;EyEbhU6gJ*I8uoS-hUu%8uP5B9jwKP~|m5MCrbPWh2;H{~u%P=7RAd<$sy}dJrg% zd;}IBgfyed<=GZcjlR4$7c<y^c= z!;WaqvIYjAkoA(_lJ6cmL{2Yas&!vnT0 zkDB>m#=l*cV5!UkAfXY3r-3nl6+OXO($f~@(4YgX9^h-IfeE$*Auy{fPOKv*lnA%wEH@&7NsMpLcdg}y1#TZs!qqIwD5*b6 z*1a8(ut8vnzFa;TIPEhcYNSlcPn2Fw+kL9d?_D-t5*v;&avr_2I47}Dj|ru0JT%9Z z5uKNJf>rzy`M!@pnpjTTyx-GI)4npno8FN+z;49oKO*geA_Bb!u+xrkDis_+FHPZi zFcevot3*tqg2Iahk(HkDa329yObR`T8PL&2Vh#ZVX&%YeqwQuf5j+h3mP&vF!4ZN? zpG7~A$tZ>0u@%L>V`9E^#hO(B-a}&5w(#~KRC}uFvm;5_5n2ReEv~i?xp)cJJkDE( zoc;s+&rHEBzQNIH-zqpB$Zu$2qBm$k^f|Z}f7X~rhON7o?(t}bD|5zULb#egK!iZ) z_5w+7Xq135hs)NN{U!PJrBL+X@^?`k(gdF4W~jA2b-j_^fUfpY5xHvt3v02W;(S{e z4jjuJ`ST0=7p{RF24yX|zheFCnEx)oG}#Y4sz(`#-LtvTAp%$c{BR+^Wz3`~_Is(( zu8S2##+x}&-eDJDts-)M{%~S`>ZnC!h@_;jNHhu?Ued6cR)<20En@IwYS?)Ox*iA* z$nfTo@&**s))M}?#Mh^*ZsmEO;7MB{1ExU}xiWth?LF!MdK-WV1?mYEzRdw-|KfKB z0f74d$u|D|I5Z0I0Q9JzP7xIOMhs>wC{{Q@dx-{ax_IJop9nnZ2abl$05J$@e2V#0 zf>sEgY<+$ z@a9Yznnq4iUy%vY{zFV|DEUXv$l}NU{Hnk6Jl~Sr3epaBGIEO#pPz73x%D){17&xA zk^!4^M~N0eB7#nuu0)bEW{pVta;IQj@by?_as5WL8vQWTR2_3fQi_HAg8)kC9#2nN zq+|$try*Mxfmz_9vEO2WM$&==K?N$WJ~4jh#s%C%a1g6Lv2d0*96#izgR}bF>h-7_ z0p5ob@)x=HH^*eNTU29U#>ueSINY*im~IHdqeLqp$vNlFO+ef-#tbFhqzQzY;tRv}z5$DzNahh%7n{vmLr)7Qf>4&Q{_-p(iZ z%EM>==fuPR{lY+gkR-OKC>;D_R-&>zTwprTNKPt22Mq+j|Gf+Uej;dr6wTu8J(X9> z@relFt`PQTh-`l+O8nn85HOoWFz8rGNwPrEE|s{C2%tj%D<1e`m!SCnyX{ai9o8J# z9Q;H{OBk_+TwA$)y6G0gLebt78*IiBZ(r77jTr(ZOo4I4vplab#tfD7cGbtEhsiIU z|Gh%MpwVuiwq#+nKXBu{M^u!L!9OoLFIvH>xml__^+I*gJrJMYsIW@=pRHj+a8O@> zUXYEHL39xkLpX{aJcU%8Xz4197-Oz2bH^-vow*Mr#ER&S=)ZDANP^(hWtKt~DDf^O zBcr=F^90f@jwR|NLLz_YfjCs&A_y8U)Log+^$LYGgQS>Em>B2NM58c4$wB`{4CL^B zztQX#)Jio8;d=zdiqbNzP_o}l#Juh37KQ&+Ni@wjY%noDo(ihVUr4hBo_?RoKt~tB zA+8pcUNs_jxC!RuZo`n+CH-9dQ#3!r5q$z643au{ib{5KT{f;AO7eLtQERPNG+@1* zV^^yiEpNx>f3-DMj)ZkAB;krfI;L^V^?H^1@p5L5>4cx(4aeGcJph-;rGvms$iH{P5_Ww%B?-rMvlE%N;V{g2MI#Y} z3|+Y3(+0~s=K7;lucS?<FgQ3Q}kG4%13lKpi$R8N2J4>K?~ z15fUkn&S8QCd)6dChS6l{&BTEH0sbCD8m? zqkRMfXdw!W0hy5Q)E2CgL0J(Gf4ooR9mk%Y7b`b51jVLiF;|(j(CRVsp^vK6+fi1E z_C~ST$G_t$^4n0gj+^X$Xq7CJT|P)>{57FUags$^|M+)#WW19lsqNR2#Fy)83VQs49Je{{V^pKsY~w6cXQkHIo&Nf~pt$_&=?`jT2m{+^**!r2;GjY2 zJv=4!lD$XnQj&E&KU~q=3?#T;8a`p#Aj7PC&MkWIwq1GgX09zodX~xd@fVj^a-1Bk zh@RL^oN3G&uHu9Zlbie#wnN~5YRaf5q(va#(*pg0B};rVq=0hPi8D8U|T!Nll2 z&2&vP4lOQduaBsuL%-&z=khn|5@;K0DUgqUD^*;1MOS58A7UbYw)J^qqy6jjzyW6} z>I3^m^zFezR=1Q^CL72Zp-_1o3Nm=IFyrMSJP|W`tY9mT=6;M~*dDVNH-*$}62EA^ zZMyhF+xzPqyn1r1-;&&@;*QWK<_8{Qt-n(p^%058q_Nt55=pG+H zXD+OTzH`0JE;4`9PX!PgnC+1Q3)3t#>mj`hgDQsf2U2mS&{}3Ozx-l@@O?g9pEg#Gs@Sy zNfsIB?yd=IrIHPr`<+%L7xN%(m{YEXXzZo@5Z8YdfduA_f*SBnCzT)t3fKH{=!4Wy zza5CZgJpDAZ(;HqWANkTByY|~Ow2ws;TA2~aL@0Herv+8x=XX+^|!YMvvF=-UOIGT zI_Z92^f02+!b<5T9x^@PCk{rxBmyd&oGc`z$v1?kXm29Nw&dYmol&Pz2 zj^{sUEcAp+7UFu?6tleY!C$X!71*HbjYN9P%Z?^xXWJGBIfy6@RDDO;cXBmXZJT41d^t$I>Y$%@d_#6u}0zniHvca*9X>w^=kQBeZx^lK@))i1$kuz$D! z+0eVM-gU_1)~9`tR^RRSISU&Kd62E}td2#P>t>vC3cnbJ$t2Vh{GYG~%pXJll(YTu zGks1nm|zjEx&2q4u;KoTv+vJtHd^llcs}^O2*Wa%LPB5*we zTw5nz^{*=GjCyrz(`oE#^_4|9YvaP6f2Ub#svGAKy{Q3olJ6Ra?BXVVO@3Iwca2SWa-~2@^dX4-dkgLEGLk zmyXh|N{$yNV9CV3`G~h=a($=tO7@PGc)Ryf3-c4vrL`Far*YA=u6;nxVVD61TcDeo z5EA*Vuz`YJSWKwAfVk^wdHLe3Q@6$i)}|F_fIoac7f$B5?wzaU+}C4f=?-dc^-4n@ z44lO{`NhfT+u~-sf zo@a*7kFj=Df5Q0f^T_6+-oG1Q!HYDj*) z6YYH6HsOAotSi07I$H#B+Y0ENi_>LbOK1*Od&GwvN&TIGPh zJ||dXEsWeP_orQU4!-z}{&CjpA&9-H=Kgrubwjk`CYFOx=hM4ltj$UdPpxS|I~Cb2 z+ZqF!|LC5A06L)7XT`IdO*f8z_cMC}zZ~By+Yk)!3|(VJ&j)FNh=Oa?aofmumq}F$ z>6pQ`PemFUg@+KQZps#`eRt#pD$UR4f-V`j9lKYIcRN8?+UCFUh69Hjq)nKf7$)1BJDZ1oxP3atmC}yk8>4vkPp~qeM)iv8dU3 zMHSOzJuLgLWJ5Omi3tJ!thPCj;OR-<>O9r<_VJXRjsYEl664*XMC5NiB$%R;zju}V z&Cx~q0B1$^g7F!WEW?izxCVr2Oqp2OTH2&L2H4F*edg4UL69!rcB8uoLLeQdwkvqD zd>%p42n-AE>4qWgt^K04WvML_EeBKyIK|J zBSP}G46aGOSZ2x0j3-@h5jwFr?lQDjgN9kAx0-s{E=P=ExuqQR#;hd)YJoc_+~5Ea zNwHSK*E>-}xtS$&Gkj-m-j~U3+h5@&H)jSMK$6V5<25WVq`JDDP}JVf?HaYQZ|k&` zfa-Da1=ZB>Iu2?@CpF4Ut}e>8!TSHWus|VYbfAhVV#?>Bnu4R~#k)+{U8Io;S0h$# z_btcNivAOj1G()g!$s3H)@ja?-Dm~Hs6$?%5m{hS_2n?&^X;S{%TC98&&P|k;O7Pp z13m%I0Bkj8$sRSeo=pkZ_miLXz~At-kk1f~-$(C`!U%r$rd6Dp3;Mk7%MpC!h6^j- z;|ZX@nJ~t;<$x$%?KVFo=u3~_nc@6$3K(iUK`~y>>&qwlOt*H#EbT1+=u)}Pq$IQL zb`-9h9B+L#l?0=Id_4^O#cFE{3pC`Xj#u|46?jr5Z#~z3Nnu}o+=G+Zl6TDy;*f>S z=iDjolws;f=GMf0g8YkN)Gwwes=HL%t4DGiw}Z`(#>qph|C%8HlAvc7e|>W>BN(7# zM5TDNF8y7-Cwp?;=WMlW!y>LkMd!o^YW#L{K6Bh5W{KBZzW&W+C{4I9y6bg1|Aoo%JzstG(zMaqm2 z?b-XVmwgC?pjk?P4%j4->~xu%4u`MZFD19b;YYse!`W9fbJ!s zy+84#O*a`c_`Mp1LH86?{H|sU)_LP?&@e{l2)OJ%(^BQLI`JCsOt|CqCrcp+M)qgQ z<|3$g=U;+|l0J~>tvpbVaPro(f$!!t{?EL1fJv1B#GFZ=Z@;_^r2WW;dA9D&ul?}R zaRkNl$s~La+wS-UqxsVE1U$g7O#3&(*br4mq9qLK@b0dyuIpi=4VqYakvA%D*D=ljM2aq>-!`4l7kkvn8ac9% z)J1XxLoOs8Q5omm1KtnELfsumKg`gO!vTJ^pBifx9>6KpZ07x3hP2|MQgsCO(a8o3 zb{u6(WH<(&k$0^%B*2-rqN2KAPY_+AC$oT1S%qGz9&FZVR&nm%;(Y?{B1JU@BiM)6 z?rbZ@qtC7S2TW{|N!R*X7N{uP<>~gAaA<4t*`9}IM<{VNa9lgdA1KF!HLKdG6U+v& zq?qWd3Z5>URaihk4G_<&pqw$h+w>rV~B^Fa)}n zkGPFKQf<&wn08fTXZ4sf<`8l-NK+e7SJMoZ#CZC9=S4#wNzs7fCLo0A*PZX^tMkja zC$-Hs&1~&3rV91&<&togC&D*`=2ei`y(v)4AaF5Bi{mv{j=5#`;7=$^*zLpk$vmSqr^laD8beu5ieqCv^DC_0JgpE5)j+EB_GSI8 zNj8l{^~#L^VJ}kC50e~vrm;x}#V=l2?Y>_TxEN%6d|T(D=5KGB7~~&d326XPoC_E# z*^p|Cm2E#?_@Gsd02P|t%%5B*8#agUqhvt`ekMRG&_7kLDCb*A^YHugc2@$JL?X5( z;}PV(ap~&$0GrEjZ$J3@y*19~{gh6j-Pemp9H(1e?XuE4VNPFNf;JCN{4%Y~pW@Q6 z)22~uTAmjEL!NTi#gkUS^sol3R=N)wu$cjbiR%yQO%D?uJHg02n(PPcT@h4wwWFUJ z7P$Odu*em+We?)fO*^$w7S-SaIYAuZ@K^S65tr{_tLW z`BJyh`pLTttQt#I2_xbze7WSV=Ruj+l>`%*?8mhg1=RTWz-WS|e2HF0gW&iz3sI}@ z5yqHpxAzR%8aUDKT%EVqGc6py&JUYqDN2mP$<3nZ&l<8j#Elf3PBDo6@izW&W~ zgo~iXbJ3|SJ%lGam&pPir%q4HzC$j!dVo1yyWQ5(9_c(hGP@Mu`k>lKcCLFdtnN38 z9`}z1KgJI)E~`;(|M;!!Y}t2xw?@2dr(xfMA*jj};Yyg6VcPY2?}QWPIC6LRKBHn; zqQV|n;d!^lXShQ=y8<&xSoS+vlnu!Q(^=W@Ys}JTAJ^{*|I>D;-fU-jHoi_22|NnO z_><$^I^@KftS^&rB^!!5%X(rslPETLvxd6_pUR+1SII4%78%tjx0Y{B$cC+yo!7G= z^DSZR3mm|t5f~dx4gBfa%G}}3y%xeLp>ebo^)Fe5&G=$XC@=38j|tr@t&$w{x)rRm z)U*8Cn*~43#)=>f-`vXfI_tEO^XN`TA16_h3ikSMLwdiYQohjvLxcdrISzoEZ5n?i zZh8>+Vh~uMaB1MEL!~DTBv*SqW!J#Px9NK%zV6g#$!6e2dHr1|<6LepAr!l#oT1Zr zMxSEUw4Xn~T5= z=Wnp8ZkaDfk6jlxkVZIC7!IiaG;aM5v>M|_#JnR}i{rLJjIHTg;~c$lENI)60VL3s zTGJPo&V}mnX2P=7gs$2dTdZ!OOjf?Ng^-WqNOY5d0SGp&bc-q+S;aL&0=icHSuQU0 z(x>CA$^P$|iC6cpxHS@n2V>DU_UOOIt5=L zYSu#%EJgud*HKQWq`w-C)FT7e{unS@rUp$e@<;gk&`eVXRTy1Rmpc_iXEowcm9#Se z!)9`J;gxcFv&D-?M>#e#0$KqWlwy8>Lo@2>Bobwpd{K`?oahTPd+-=C9cy4EbW}ZX z+o6xFi7uQd8+a>bNUkz1Me=jQU``r;Q@O`Ue&pTnuc{@j6zJ>EEy(R&#gHnIE?&n* zcmtyZ-q-p<3-dQF+q0-1^7aOBr~KV_H{N(mtUrHQ;R?DH62jw8e`x|h1s?pw zP$qGoCv`5Ms4lgPKTEQaQp$nn&BN%)pn6_*Z6gH!Lx}N$i;9H$D`FW)`N5Ux6hro>d&2M(F4hR z{ioT|%4+}gxH^`Zxodmo*r55|x)oR9zV`9sm4RgI^-4p@ov`n-d@cK{mzz|;Tz$`M zud5E(;vj!%9J5ZSd-S+0{EfxukUMK~_GQ{@m9M?g5lYa#7TK2YKnXmw|G9t-qCY)%ccGC+ z3OEZoAY~EM!IX`jWl`;4IL&$AvCSE9cdS>pF_sW|x5tln_n>nq01FsO2db`h_a%Na zhWWM(425RPxrX?zYPhN;mYeU3IJNHbbU^uPY|wH#p zA|3D2ubm~aQCwLV?BrHkVD4+uV8>XVz0E*o@bEwBQx6(A3~qk$K;I4eOf6DjvdT7R z);LiZt{L;fZ|5nZpWASG6$EVZ#D-Ov#?wsj!dieR6 zcf5X+_*Kx;6@pmB`3ChVX_0-xr*RZvEM7%lZ~*S-9QO z8FL(S*DX^;HD@cQU`ZT&6~ca4*Y^27xAL2ZvUF~TR5q?k@Lrhl%%e`5k{V?lroKOT zy-hdNb)KVO&Kv|=apB&zE{#~7Lr$bT`xt{=EEXY9b9QlmmkEJ&pa)@^0i#j*afWkf z!aG9^Vz5yp2*LfT7>2L8rEGTW^To{^_3-QjG233#2(yYHBRy#5UPew;Hgs{E3K2^pdj5WS|A9gZnHhOJ;{*%xMjg};2TFZj#M63Q&S*w$1PSi z7&HxwIW$FQgH(R^S%BQkVhiI{Z2fW0tSBk(r*#H2GIr)vi@sm^eFZ_{Q^({igU%Dy zNIKCG4tnKR>&?S_Y{jd)-N3-7n9WK}0f_-;wwOm|c~gmU8`KKtc1Q&UO{8e6)rF#5 zll%A3G(zAA@_xWNqajKPPogCvmsiT6<8o>xxvdmbPZh9TFoZ&kr=-xjVHXGuzR0kx z*ZJuHY*N zKF8NRc=(ZbZV8+!+-?}tQIrubAMYQk~m06F0%C7%MUVg))*-uDG5@qR+elB6nBA_+~mK8%kx!m3{ zNF6JUJ*WE$yF5H4aW30h%I;Z7vd#T-x!#q$VB*lw0rG?%jh~(X=)e&v!O%XK1yIh0 zr?v;Per}ERUXBvA8ROwq-}M0~U~)Hz?W5CIk_WM5=Tm<85nG`BKUs%!xwVIlq9FrOy-C z5bw!yY~D9dlWgbKN4Ted=#8)-M~(?RiIu_diVb5-acc_`jktQ#72I?PkbcOYqo@kP z?+A7b=?3EIi@rMa<<}dtYJIoR;~ zC?TAw6A%+DsYdm|u5;>pDirMB?K(1s)Kn&nsM#$b=fmO}Ox8A)p^W8@w&nrG@V2G; zB#42Q1TepK9oA_kf}zBzl4s_uEkBD84CYDIX6`(|?Oeu~xDePC`F+-Rm!f!T7nJMu zPNFEt4ytiW+|5a=WeUJoTiE^Hzm+7 z33*;0mTGOl3|ZaNbtjz&?5KuXIBp}MU;9~Uzz8YD)Z} z{l2ZK53F~OI)%xO{;wa%KF-`Bo(j@DXZJtcm3;*-XxIS4oCp=;W5+hk#+(V>L<2?P0K5|nU+GoR7kh0gr?y* zk*%mrkgo#ZJVNcfz-q~d|EV<8QnXAxea zIj;>rGf{qo)r*jd_F306vvN+;S~#~)%8$5mY1=q4cB6{c0+?8&7>0!K$Iq)3OO&*g zIKROTLn;zn?gXv?gPY)nG9D=0wD;gy?O0P(6D^emCfYl=NS;S_)HnnnqqgcsHUoLf zb~kK#YSjcH(vWC$*n^qIFm`a{X!PI}Q4k8>?wbV#f4y#B=H zvvbd(`yFpTIUqNmdl15#EJ#~XmRRmE#;3j82Xa7V!>kRNwbFO4l@y(FAocmHsvu!X zlF(jEHtGCibW#50x3U-KqoWsvhHH9)=SA z%A*nqV)_sP@jd;EkB^i;zGATn$xa66H67ZP)8oZ`qPX(ReE{xMm?|BJf>_b)yD|hP zkJo~(u|$n-w9FpzVMIjxo9W;>LBy%^ea;p3sf3)mYP#|v^_z!`Ahwa`uY$H7CrxUK z`kXC-kN9M!L+-w$=pYPd#(J7S%`ywVt=J@6z*gO7rUL+gLJfYP6 z)Rj`6^&WC)VEA7r_!gxnqM=1NQJ&qX8xFA!m?7e_=L@C{Z-rrtj`?GqYUIH~aE-92 zqTrA}TrVbyU$am#)|ntZ2kVsw)u4RO9-NfHxNF#7L?9?~`sCp+NnbP06|DJfkcImL zUXy7;5@D%?N0s%WtppawK$O*5TyyU39T2Z4ZlQwu@v=kXK9e-#kMjXP1_?QQ0*Mq4 z$*0>Csa=Sj3Jpqr1}_yCm)u>`Czw}o3t9{|QpX+I(jQ$k*B7ZkxM)a-mBJq11deI2 zi@%@6J&uj1+#h9pd`=Mhz^5lB@=wU50|^;kp2~K2h*w=XI1fvqUOUB8?8X%{vq%XU z%eE2T@~K5t;k#}eZ&;aRypyn8DLp%-#Jv) z`HZUk62>c0QJXZwX_=FAF%w+twlhjMJKJi~$ce10tf7VaOlH!0oq#RyvNr+bBjgj-|nX?nGBa;#vBQb4{y!8fEq>V5o_9lk~bJsS5C zWuX-E5~wN5=MTw0(>p#a>CwGP|FyyZ9U=cehFq6AkCFGR>!|EzpSm6RB3lkD%zwE64^@8Yh{gj*_rAUo_VaY0sjW}-xR0p8 zbmqpsfZlbOrQu(WMoq+c{Z9L%-26x3^~3QwBOM4Ky5VAcytH(H;#NXI<6tGpe6nlm z+vjY^T^nU}Z(N*wBT9LC9UtMh1mOZ<0ImLzRg<9Xazj2r0(y&lGUnLKNuBNY5=?Z{ zT_c~s>?cut_Q=7R%{sBmWJeL2!6pt-4=)YIp9+4Xhuv57M-{C!SSLy8>VnNQM3@qi zwpTQ>O4>o;@gHkHrm0;g$Dgtv>|M6D} zxtNmC@chh#I`GfFwD^BsjTVS+{aimjUl!P>J^u3R&F-DRB|JLqXzPxpBvs`-f|Lo8 zM?8ROe#aI3<$5Y+Ct?bNfmA$PA?4#phJM$e1<9K-x8dYS^Gj# zjGjWLjb!mxd^Pw4?#6<2V08)#u7rZ>6-w8uXTI5M zeEcbXEWd?LLBXW5I^8HNKPuIzu zb2CL4l4BYP&M$uF>xuK5JA9aO=AYA<5`^MDi9%38|FThW&!zLo5lIljz_n0?#}WvV ze7^$voSgxip3JWsJ!8&@QZxCzEK=+q`)?|TWCt!qV>5GD(fkvAiiDQs$%vwv@xB`3 zyY?%E)WeQ;KvUT$u2EM3sR!qbiawEhf~Sv;(m5u4fh4?xETRls`swx6w%sb8Jq?4S z!KyBA+v;IQ9t5m5(IM?&0FHv}?TG?9xAAW`Q0X_95hB|jyKwMc=O17)`m6t#$r)xy zSXh^lSqM8B3_XUsO^*fp{yc%gg*>p?|fM`6%63;fT5 zWT@^!@G`%(DN!XF@jl8BTKqq}y=7P(%hEQC6P(~K!QI^@xCeJa2*KT50t9ym5Fog_ zyF(yIAh^4``#VJT&OT>9=ll2lTi05%db+Di?y9d zgn90fA;s`^WMAHc$HZ3ZYlhy$WNq>wavsmq^RVyP=^qLuz=rw{<2o-+7ZwTiyj)Oy z*9+50hxOc8pD~Mt^+C>upOTSvLJy|u)Ei+mrU<~2C`AY|wg-|m@05krBrW+ZvYw+% zMYg@XBHg5DMrKL#(Y)&yG z8~&DZEcT{1*}AQN$-+(b4oGg(+w@VMk)kE&&f6A`h%?H>Yd4bC2JRq?`k!Z3u2@fA z!}LjQUma_exL~HD`C+PRs$d(-NA#3^pBU)lbC(Oyz1Lyy%}Av~RIN*oBTSmmTg18m z`SwL9W;1%fTlTtgB~0C;tR;r*isi@7;}y1b8_G(ANOs@@wpQBUB7b8@*I3FRz^oY9 zN*~mjQZzEsKVLmKI-6BQd}5~WR9wpt*Ga&EPZ&1gq>4X0tVbp2lZo~$w6QgN1Qh#H zx998OyJ%=ClVe&wwlxE>=xFJci1fmxTtUIcs9^ZVY5{ezA2UO}2b|Rsq<|{w3O|*^0jAxxCU<<3!S#VZ!YO z9C()cqA7CcCx~WaBNJ~=czzZEpg>`u+?_<2<2PoHyBeU@)Zq8h`>xRN54f4262dsz ziF8C<^6C1V2#J~*vFr=h`!fhSOCAPY zKJ70jD5BUbtS8U~W+Xk#E`?3iNw1HRS z5&*RX;gFtr;GIxClp^IZ{L>bTbv0;`%Y!6`}!PQFig) zkh23oxs0^oH&T%C6JMT#!FX=14X)>ETHlbeypa&x=0o{HD*0MmJa8x^+HiY@h1PkU zr4VPLYa6ObH%*GO&}tQe7C1qM*r;!JbBZT9peauZUMyZ=lM?s?r`%+FlcEdg`o4SaMo!yRX~9kijQ$gTNQNy(zu7#e@^<^l zIlI?E492;d8Ss;bHwN;*00uuzCBMc z{idS2+Jm&&YtY}Pu*>K|8Pj?sdE&x*e2CM9#RjBH#1uN38oN=c>91gBwN%}u)#g>zQ7tgpkG{qKAPu#);H1EWQHr&BXHu zsdP*CsmT6?p_$f^-o<%~~?g~Bg6pbZnC%}#*n?#XSGD|M8;gtsY)Hy;*ZqA94uObcOlOYK8kEI zDE_ixg_utmW0-lh=KZk{LE~61jzD+sJ4V{^MIs4L_j@>+mU$DkNx}NGni&u4Mh|Pw zX3Bi)<>A^asDXF8gSU(9OY8DG`pl-v;E*sKq+O;_QF+}{pIzt5IYCFU1j!|HT5i+f zMh)Lw)F~jvjggD4_6QIvu8sxjajiF>5q)8(F`O$?f1?SX=g3-9jeQsXLs?xV1OwR9 zKAI?aJs!dnw(zWVoOmF*EADk|kURi~FRFGd=~Ppz$#b`DW~{-7uuZzY%6M2~^;+sE zLccHXm4)WKgMkk?A_RpD_iKy9YIaTRXR!HPG&8o*8QV+I+4Amq3=Y*-ixi1j&%#Q% zxR-nrYrL-QB$HIkYpa?%Zlo?}Ap|NAiGWJb)`7FRPiB+@E&u`!-i_n~hJfy39txY( z`yAdS$y!g~)lEU;OD!R&z8@yCA!m2)#Lyw4_Mefmr1C9fxt8A@e@aq~OFL080!%U> z^lMNzV~9_CB%@bLwxAwn>l=u%>WnFOq++IsilKGfjwV%=tT2x z!YEx(D6J3I%{cDm#m~pjb-&MgSl7Fo_942&QSoA-(9-S=s?FjYU%zdn9)?byA*dAc zt5ZklK^$L>GJB<5il!kN-S62rP~r=`c7^@*n^*F+Fw;=l_v#;a$}x0dNCza|PfXl9 z$_&-yt(C(E_%EN*Jppkc%1CUIVl}oYjTHqS-xo(9SlT~%oSPhN zJ@Fl@IuZW5wy+DbQZh4O0xktQd+ItSIjs_BEoJ>Yf5}|`(`jzvaZkeeAhk^j0by`N z9V3?(p*aH0=BG!ON*uG3eN*-JDp9&Dvc2z7P;B4RlnJWKX(Cf90Z0g<&S;egxjW$8 z0z36o1qZ+wT4d@x^B1=KX32xrQ>411&fbW;-T1YwF}C&f$lJrqNp=W7Vztz_?c%%U z)YC3Y;o22ul1S3nqwI{5o)O{+s`)+ONP01NO)UU|R^}6QB(N6>aE~pl&>miEa6PTJ zX%~Zo?$^2EUi^G=_l561zyr~IYFDs|N$Ok)pc_%{#_#G|_<8B|l5w=sL)V0r{>acr zc)(D!6H`jmyq2|=&TbTxHeVWq;To|s6d@88$r0kD=&I`oHjjn4=E~n|tT)3clp+%D zB;#av?_?sIh5B}<`zY(=t6@J(Ejkf;t>ig;*^b8zkjyaYv@6^ zu)1-X+gs5)SniAHy^al!4FVn2IC2TuLGygpEhQQn=S%7FS)jv?fhd9hnt@d5`J?1R zSgF&L3XOTbcaxzaujRd2y{QI1awK%BNoMF^4_-;F+i?uV0CA@#pNCrkj;h#3!g5&_ zm=ZN6INkgkTvEvsS-6#?Fo(OL$@3jhX)vaW`&lH;@kr2<5mLkbT0C3wGQN|YcrZ{> ztYoAybbh2KOY)E>a%XM57&Y$Wg)ZcEUdpCMzl*foxcFN3sRvyc|6vW~(| zD6td_8^mpDMbf^^ViI&q5Y&*foX!@CmnlR7-p26o3oO-mpLzDhX)D1LS$$ZO0743> z6u4LFh|Xl&qS^s5q^sGeGj2I}yh|IYL&4=iE{vEx)sj}xL5bCO~4@aBfsRZSrw+E7)30wMG%UaaMy{f{~_)rV_&cpc!WiGI07Sh1J>9Mb6 zqJeUhk2g64yO%e^8Vn^>D+vi?1?Q6K>m4zM%B5V_!Zp47$ICVEVftXCs~%2_RaJb@ zI1>u?Uv);Z&hDual9n;sg+98UOES^;Xo4QYJ>hRZ8GWx$sO$;ikT^Nv%moYRK4#L= z!8IijC!eang|wFDb!Q65D27OMdJn!wY-;SuK`E8)%;X zw#(_wTOd*LCe=*X1pUJC!Ut{p+<7xYp#=q|sp(SIZwDRa3p>67u%7}egb59T43o<8Bjoc!v%ukI=qtLfoo9;QYX?)Lf3 z(WKX;zLaGH&W6Yk-=%J}_hPdK0z(EeW^sE4_Gdd)plVs_ZmAN-$sF3-I?0{~ayUin zr@5ZLI@l*yDxz2qO;C%ZmPSw*odsR9IX1}d-jdCPri^$u@};nIzf;mhj5g(Y2vkDC zW}#fuj||tRok(H#XlWqYH6;c$LQf|uDEUz-d~n z9oU`?%SiaU(|Z`UZu18|0Yz`Hc}gNap@nIk>>iXB6CvKAWCPXJT_*>0X5Iw{4AOwZ-TM8?oJ)(06ir=(NB zp*FuD+AQ|k&sX6aI%pvRr3hma_Jz{qd1|kByek1Ufbg{2j2`E)W_#AS>n$u zYKZo5WJ%{pcy{R;n;QLSr&EEmVET>L?ucIthxmRKwJ-}CUJeD##m#{)%jcE8CMOBh zX3D!B)Y=?2+=+|n$M5+Ib3TGn`VT|8pXdoK`6=YqC#lV>mp{$3=`8dPO|&mk{cIQm zEfc-x&l<;fXp+13fz}_|l&V3mn_J;MT`9eM$9HWJYxiY|OZA7q>iVXuaT*oVI|B_l z*TlO?r0An91W9$)v9vt(mc^=JpNJMS^9fm9YVyf_8~y7W1%@!}Oxdf!amlOJ>e70sCT z*7EGNUtQxH40)DjX*2J z@j^S*f$OV}Ke8C8TyIu*XA><*Q#^tcekvS}R0|&nqz2|M)?q5DNC%JNWWnKe-!p6< z9~MW`O~PAiYu&FW)KvE<9fhMS25{EoT^$o9U5{$f0YFXtQT||ly@ijg2sGx5z{McD zTAEKdi#AX?pfI#2Vkq2ie!p9wMlECL3l!)M(Xqhqt|z<%D3l1)n!&oZ z5w2rY=TC0FiaX@xUsAAh;AVbjWQj&4Vr(v}K$LIND-0Nb^}xNVzE=ada?2nDE##8b z7Ymw}ojh&@vwGgGPk~BzY4O&yY&%G{nm;bxXF3l?wNJF-*cS1dX~t2m*Z9hLnRnmb zF}aKhPKEplK3{DHh7p@38L<#~KE9jDmTe_wujB|JAEX2DZ|3OvAzvM{5 zFDrwY1K`tuX~Es|H5s{Jr%I83SyVGRfBhy$mrd~5*-rfJ&a#PX-JD?Nm=}I5h~(8- zN3X+E6?^2}%+NkMztxqS3luhsas*idMgDSQ{6R_2!^}v{`{99~445BH|MX{!#(jcZ z(Q^?G#K`DCbwh=iOf#?v4V9pt9ma|8m5*40JOUi*wp<^0oP9#;>9*~hodGY#U?>8= zj3o9+r2UvLXA0|(f3z*8DNa+tiBdEgz$P)6V-!i|<1g54c3!zRZ2|~K13r<0-5I1j z@mbr@yE@KXtx|lPVhwsJ5db;G4Gd-N&e)SoX^=b4YO4h}&2_Xp9yBUe{ZXO0m@l${ z0H*a}c^(Ik(&?!NFc_UPa4n+Q8;)(NQ2drmon|*Kq10+(i3 z9w}{V#9Omdm6_LH?ArYR^J7x=8xA%t-_Z9+K0T5C zQ4Rdjodb$o@YoXKF}I@(5I}~bJEs|*_9^i*HO65pEhtipCW788-3SRMVS>CO$23hx z;}38^Si{m*&JF93bRj>-ysL=eAVYsxAa_Hm|30Gi>FdIdF*fs3ps~hxzfa@a?WbA; z#HA@f&iudtyxDc-eKGpg_6O{`qc!zCp1q!dG);q1aozJ5piz{vXu3Ko5ueE9?ylp% z>kEo%w#ng|D0@Yj7SD|41@u&KHHo7?<2r{xJ>V7qjb>TP-bas&Zv}?_0gv}#iYN=Z z%Q(Sva+6h3^Jmivya%Vxp=1H?u_x}p>1GNaO*>ecIr_>CXhe(5&IXkos+pJNL&>0g z-|8ntKyKnEJZL0+P65xMFJF!SID^^0KOR@X$?!9F0KLpDD=?i#yB#aH-u-MrLi9Wb z*Wfv5lxCZ`*vc05GA=+2%29H;rC%Ueo>bUnJ`qy3-kFCt4VWeiUl09>a zdK>%&f*K3To8AnFaa2)Fb;1H9i&wW=ZF)~qdO_6OoD~>!HdSY5116WOzjMM! zY}+4=_u{?yoHa+clo72xHV$d@wnCg10@;gG3^j>T4*4<_3(^6A7e*^_fQ3IAl*n}qNC|Q0{SLN3r{UqS8OMD3kg%VcPiQuKnHbziYPhdZu2TQ_E7my6N%nqR zWRK?WU3f}zk@bfo+pS~kBRrJS>xS~FF|3keeYJ+d#3kRu5xP%KWyeqW;A=6C7cF>J zH$QK6sn&GJPh%90DA#~`L$-^InW^{%%Lwm5s!-fvcUWLa)UzCwgyqb6Pn@c6aK!L+ z4S^PH%E)d~trA>OZm}Ab-O4jRsg;s3Fsr?yo(m~e+8U$oL&}jwNK&W1Tem`+qYhm~^y#xawo!%#GAaxgd2 zMO=e&c$N+seG1pOKY;c^r&lwg@XX#1u8U;R@ql&u0=WtE=t}ifQyoSjqCZOG<>hMU ze(sMZVJbR6FhJqG+CH<7E0uROZmlV3k-j`6h(J;s3VFY_uhq~%05Bsm*>CFC9VDbj z3U*_(NzOF|aqv_oTx{xk7OmTs&sJ6u*qdzixB=ppp|E3fLs|mCYLra0z|k5n$$>T= zQtf1+?PujO<2R)CzpB`P27$h4)9(Y}iku63paSY52#5Q{?cJHEKR)X!)sB$yDwZy~fk~cZ7=RV7u2X-LE_{cla`*%I`DNHA`KZN7)wA$`lL3 zI%;|L)h}fEEO~hlFH_RIXH%&IXG4OhF^!x*o{7>C)YD69y&ip6U$i(=_jfQJy?7XTBbFDjJ+RhxpFYwOKhn}Nv8n)W5VodOs4_&7l9 zyg4O#hS%66qioL%cjzO5-$z54x*K@7)Vp-{3@J*J)1A}n?~%T!l?YQRM!k)0oU{^a z;;D8(*!GnL_U%wfts?h4Y?e+Y^JI59Mjg<`4~W;@$Dz39B{-yjJmz}{6+Kb zGETC9qV6p8YpFSWQNYjI$&V)$*G`fb+W4*; zWLHW;#Yu*btvn2%s0@^!yWs=9%|d7<6TG+IU*^LKZ?6-lt$R6sBA2?SU%eX;NpLr2 z70t(Zi=zIKc{I=W#pvteN=bIbewV8qQh;PrUfmS6ir^H`vq;4V0+HpragMJ-S!DOR z;~BW8i;M3};m|P7gMJr&$SM=93XfEb5!bNT>xDf1>9X^qt=s9n;gCdT8|GDBU=|M z-4=jzceXw_!@Aol8agGA1YskSD|B_}BPjh+o7u2{tH@AgP5g--c5&aaz+GI-18wNz z+kjlEM~N%<C zSt6musQ$YOFYAEyT??I|W-_h3F);(T&k#y?*Vk*;#7z{ET5iO{2(=91YM1-br)xk_ z_Y?h?D%Y=0z*F=)a{{DubNhVl0_hp3q$Z_gFVZBB%3-LUE;(H>k6a&RXP-Hp{qiop zV^d`gL7HVnVON(p_{#Ck(dMNYQL}VBQ1i(gm^4sx!#;hy0kFzetonB@K4(ue$f6-R zQ<8|copta4G07ORA4l8SrBUD+wM)cM62`nib~ya0;_T9Uc$gQP#R>e?!eF>MpR&fy z0YV#D)O_8rk39Qy`go0AFuWu)yL5!!BatM+%ae^E)4jrDiZlx^st4g8!5eK$y>0(I zzejL%7VvGTmReZQFx*ufCK>5CpuAV6WS*^6IES7(UdopTw(I8BH%Ge(G{;@HY|a*O zD(5duteT^p-W=1i04;K`FD@_mNY>+i<$OUZswzea+_|S4o6!n*sv3g7(swf=i3gmmks-=)+qxtrm4L4f^sHPS zy)pVW{zMm(&N0(m}3J#o#doD9gKmaeL@ucS0&~1+NuDw=~ivr8MGJ?cbK}$8}ILE z88Pvm51a!?gh>8XPP+%Tw~RLapaQL=itB@}9>(Zd#?L7JhJNahQ!H=F2wV=F($FYN z>{jCLq}U+FBZfcpu6%qearC)alED4@R7X;#S0ZdI9g>QYu3KC%b6Ti4?T0`wkC!NK z94)r>5nvu_ z`eV;=sE-5^~vNJqWHKc+sN@WF80u2yxj_;R|R$;uC}w0IQl6LKA~&L`={D|I_lM( zx5_zhD9f!M(sB8x&BtBItTwhQp8-@R>Q@m@DBnrQLcS#0=&8&21ib})Jc--%C0aRU z=K9*nk0i^{_2Sf@n+11RmCCAq7&n@`T}XQKF8LiFQE^M<*!h&wLXeT$R7XQ?IP|2n zPYd}{WRv(Tjl%R+$97DH&2GI-Gfr0=fdiazqRr~GO<8@jvw;@m4&GO@?~@Pn)^0!2 z4N@N<#WM6N1~&}AL6&@IO`UTJ90|O-m%RJbm z)W!KJ2omHuD$g(h9o9wNWPkNnhgFO*$f0Y`udm5q5}9VQdaylR+#t2okvhC$=8RzN zNr~d<7%WPC$5uNLjJpjKDLU^QlqbsXFtCOWfodw~(Q-AuN+j_!E}&fXBoSAowu6fm z08o~3^Qkk^K}~)#@PQx;za-t|^@xT607GfXmkL=nb7bo#B=AY`pK6m1U~zz26G4Dw zi2m|KA>PnHbhEu+F0&(U306c$6TAW~UPma)&QveY&6|YcJRiL#R?40>6#t&1V zgLpG{mTj<_BR|AspLm(qz0!N9=sJ?!V|F}i7Ol@DzMOgQfJbtZwh4R1Uji9!p*}&*w(7UaXZ!F1;)b=|GYT>D~`nSwkmW=jG-S1%ZSA+fyC?7`1maLd*jjQ1?-)(5^PDT zar;*$@}h->AnL+eal*W>Ih55U+nJ$9?SUMQ%EYY|<&SMP(m;UKMU9Nlqk4-^o+Gw; z?Z$kxoddN;=Wzb+<;Vyr-B2QmUzIZgtQmfLe0_638~P7JX-h}HdgnzK(1pXuHy@g7 zDgWy7zzqpF5i@CcdB|LKFbBg_CJH|K>eOQ661VE{p>FlJ#H$zp>$+vXdnzFdqQnc- zm*ZhZ$aQVWfQuRLM9kL2v2h+hv}hJFRN~h<*uH$?G-E`jz8NjtznkMsNkR|lu6!Ln zfauap;OG1aP~`0{H35flT2oW!bdg&4-vLz} zQz9-I&R=T%q%^FUfR5Hf3n-=!!|oMTtRgKE_VhuJ$Vq$) zH>GGK{vqzm=DkT-tbq%m==44jrOUYy!< zVm}@BTc9crcXDYY>A{ikb>&B}`f11w)Fbz@{f!NfDQUk({$;B_E$GSH|8Rf+bV&#C zBjyVl$oR{5|JNlyVuJ^Oa9kg;tl|E+%fEcw5_-B0IpO7BKK5U4JaP*LA8_`-w1n}; zRQ~1Th~Lw7MD!tl`@`Q8|MTkfOMv0LeQ(%C_iI&u{`mJ=71E)ft`pM6kp0(LJq7!x zs|63?fL*xl_160R&A-YdT@dMMxBTj8ll~Itzunkp;Ys%{BS35an99F=^dUeSIoF^5 zx6yobF(iU-4H>LJ)fO=!3w926Lz25KGJa0$ED<=1aE3((_x~XzhG%8Q5_+7lb5OAG zD4;bGxTMexA&p-!OmrYt_x@9?BQ#()E=U*suJuX)0&;_xV##vD(}4Y9c>lJ@AENV6 z24WSztA3rve-8IgLE1+EN;kjSr}Qrx^v4cvWj^ixH}KBEUn~7TZVXHh*j57Z_+MD| zk0Jj2_-CB@pEsT-0sPh_X9e0{NbR4~|22)9JYW?bXKmJ%|8q37EdszM8hWF$|Bvba zQiT!mC*{n94oH6azqRx78K8B1;j~Yv=ie3c>02LuYG4(Fe2jCn|9cq?;=raI*u0_o zU!wtzLh&ib+45O_`-fNkmlcih0h?wYK_U%swQrieVZP+h!gClCcj}wkS%n7BzDXRN zxht+@U_se=R8Rx16-yjU+cQE!y9Pr+r+)z zf8aP0au6D;HL0^5y~jeW#*}w|G{!?ru05@du^yiqhy=qed+;oBaB2~)9sK;I)5vA= zbpaV-Bb;Z5S1jRnO@;S=x|ayX;f)wC(70L%{I|cv{f;FLfUMDp&=O zOZmbNQ5Kwgwj^YhFUZN@+o=pagFmPcu6*Mg824;kZ-2QOP&feFSpInhBxn1A=#djj zIDkU$eWCa#cw2U@a4A$$B1_dcQGZs^dZpfA%I6b*CFI`8q z=eW(l_-Ah@`OByMc2DqLf*5#pJ8>rRqTcqiLl1BfSP9=6cOHzEmi2z_tqYy*3;P(n zn=|K2!OlC|9iY-{SXhtvbI043ko6hgSmPNVkO8@^6cHu|8>BEbHGfykZG7kR#9Vvq z_>Y^b7auUeN@m(>dyho>cL;lyV%QUt$C{Boo>zP}sPNojIV@``ZWl=>mo$^eFEQ@^oGk zwX#&G1fxuqwtMwf(<#|$iobi+Y!YN^Nk}FpKm$9(TIohT3-_z1ggkx?o-?FX>^{6- zSTC20K&SFNJ#Xzkn=)A6Km#Tw8QN;;^{&mvmKh@*F?x7#wsTgP1q==4N$ml{ahjio zHNGdpEM4uA5R}M^+SQcb$`9DkJVW}&aOpr}@Vt(|WWpXC;{lba^0$kA>a~Q{_9LjI zT$c1hILy$QD*w{p)WoCS}i9@ zX77y{kyjR_c_v~H6x)$wFwikqPu7vkYRq@L7x8NTqJ$6@S`?!;cz3C!v_Z8hrCXF@> zXhVtd*UBAynSqgK$?4s3b1=ABUbDtlUGoM({@i1akci_a`Q^#o!gKp9Z=Xhjr5Bxj zVh1B84i5(-_J*;uqwgd|)vrc>9a4>#Glk07!;H=$*N8h@bZf`B7}TB^AZmeE;PCmY zcke2}oaQ50O@JfC)lfPM}3yi>600HI6Te zkMz0=)d;s{HU0rp)JfruxsS*s0jVKtqZBF($W)VQRuJv(B$lP{{pf*RdEm}&r-oA_ zHgnm9$vr@U>u<+Ck_!>goef%MFuzRKTc+daUbSmA`2&9s5Jzd2)N#%Ss$JkFFP;#4HJ0O?hLLJ>AY9@j3p;J z+yC+RAY1%ChNWv2cdM1-ZN|iPR@GAl@AE=E7nJFEk92C{1TbqBHA-m{;F?=nKW9wOuLra{Pt+! z8;E#YGkjM?-yZ$oqF0hEbcNacn!ZU}*TgQ*1sFSejug>){tlH(SFjL= z;^Bv;_3Te>sF`wUF2a_9@r40Y!0NzKU5CzWhV~rmHuah*AE)ygi@Qb(IJ+#oQfMa= z*)D77R+U;1#*y-hLKl)B8)dCZJE;8FThrz8LlK8b_9VMMQE$2$1fqmzQwyzM{Se-|sfI6bInFkz6^gP&;}vb#hxqP*aD>^n%QH%uE?mbyqi{)rv28f3E{L zRQ+53pEk`^D!tB@r>L`%>Gc&`qUr@ByXYJxW!1}0lz{w&aVraVT3X3#IrCyi15-`* z(9asPUX$I4Y<4)r6eKuvIT zwM!cmaQ&E&6MHU@(9MEUH%KjJ}KVEp%k=ZHjE+)0ufFD)in3|z%kh333 zEn0%!J!$!0{@(9pTRol?J|_qfdV<_7?`n%NvY5ib$=8NriRoExMU_`9Xzq^&^thp(7hJMS>echC8#VW?!qw7ybk>b-9 zRBySeJjeV%8kaAMuN{UMw{Eo*R^bckRaEcyQ(itTl*oB$yCJhZKaz)$O0bLdtIo?= zYq=qZ#81o+F##z)f&$19g?NjY_oxHZB1qJZdQ%(DwM!rOX{_BAz(OT>z)42$T2<6M z0wU&LSvw{nh8gHQ&Q}yohAGgnBO&YRs(<4flG?rA39=_b z6C{(zzINZ=OQV+Kj-bx?u-!1sq+KxR%m6!yu>j}{(Le)fRvcXGFU`P1@}W!{c1kH+ z4ezzA*6nR_IsKjhJod!&o}~4&pg&k`32iX2?umFor8&acn}!H?W8na^mRxPH+jisf27AK@OQTw}5*|X#lzNC)N+=@TE`{ZG1DVct zv$vlQuYR7%_;U>-q;2}o9;tr28$lmKI+-fW%M2;%i^>^nVBq9jIsm2oY_ae1< zFQ)x^%K{`Y@8Oe!OM21n-|p>55s3zK47G(exr~rwT;A&k9lPFLMU(Y?2MJTbJ)VCk z9_f|^Y!Ee)W1UHRKd+Xe{VVIHj6jqyQ1-(h*`^x2pol|G7ZPCLHFP;iko56c%?_Q(*fc>rM7v%D- zDv-j6>jJ^87SGNbuCtcp)hqOg#bld6%iUC^AF+NEi~cbQpQi$k5bPhpRGcDx{4L14 z=X>v*5gFW*{PfbCo{O!ez@gofsXNaEiQ62X*+p5h=O6Ocye@j!@GLSl3o5uuwmIL! zWu(qGk)X6 zLWbU^dL(_R4P?%c)Gn>@+@%v6jj4(oC|U-K^25YnxFHu<61LB_N$i`6dhA~Jzzb9< z4DM4Eh(ysfA6Q}W;G%LlI^h9i`gN4{ADIo%Culnl~)r6l*e$wzO6@~i@h&lTqymtJ6fSI~x}q%0NG z-eHvyIA=&Kxu_(-s84>?jtn;%qhugNeFh4?I#{>glpG1dK|R2pF@qX$7OK4#){5Vg zH11rlPm<2omWMQlvXdTHLXSwHEo($d7V1q#1-!Ai0vX0NJ*NQVJ^D+^qP_rwe&rO- zb1_;59TfFUS2p;1q4m>uyj2`nu_o-DOdeA~=Wa9oX3?OTVz7t@_e{m_;r;|7PXYi| z{fze-v8Z`v;cuH*1>VuSF;gMW`HD=9p>TThk#Ad3o7x9?R;=k_Ic^HIZ{MJaK!Do| z=0wf~L<4g3v*;indWifvwD5(MD>8$X8%tgIx0uCF71Z8>VW0H(?$&Og?~vi&kRl4; z!hl?qHe)bAgFnk;bUCZ1j0YTbI%NZT1b!20>s9-H+vm;Ws{#ci46l!2AShAkbZxB< z9t7-@1>GR-ezMhYOnlq4UxPJ#s|_GndI#f*+XH01;J?nTmVT(`AQ4C69AICPh$s!C z`P*Urif|9)=`+LUwP70msX(#}aY1?vDTRqh7E;+3u0oa?bQO zcDM=h_9tbgpl{bfot+}G;+k;x1fO6(&yisLQk;MoBX_UBe#G#b3xJoIg(-gZoi#Qd zCr7HqD%gS3;{CE6TQh^WOBj04p|eEZjxT1JUB6yrf-QSV>y|mIW=MJI(c+c4U5LI! zpbff)I2COFfR=^0M?1}wfFZf9n6A%WHG@zMD~;9XRt~8L0iMBGCXWRU_1N)Pxa|D1 zdo!z!0XJch_tlyvAq?>ONXs>lYIy{lZj%dsD!nuyW3PFxqW%gBztr)j=Bb!=du6@* z+k0)Tg4wbd(P{bJ?LciU`7#}&$wPV%`T$1}mgHk_+{t9HvY*I!Z0mmWty^7Z zoV)FL3*w_2{t|cSC_6Yg&GCBb>$T9~?!9lX6zh6}H4NWemArPx781-Xe;_g~a&%4t z6VVKV>t<`zv=Zi7%v$I7!jTh}+*hG5`GVIW-I7&V(Hlba#C1o7X$g*57pP#}kzzIX1)C7{n!R4ALZ7^^s&zp~ zR$PV*Frx2Cxmq-EU{r(lz6!L~d|QNrQPA8ivY0^P)vMFDNc>4D=k-MF;!;XeIj6(T zxq35mM+!kj%)ZQftp%~ct26`U1-2kQr3jn1ZJK8_J7l9nFWO5_Cv}4F9NHsvTv7Xz zU-#aWTDC#Iv>;PCREkRZ$rS#*DZu2R%0TP_;FtUcbTWTI@TIF~@2as4Xl8;q1U#^# z9o;+fyh#o;0*+b+0Wm~$ic3iN9w7rRPK*Tzj%I%S=vd4deF5+ ztfqgnmT(->twy9thnLFF*Ho2rdCXxr6jUiJP{;9lzhP2=WKp6b1|z0-R>ME18|>uU zJzfi+GEx^qTi7YRH-@A6)QL7Oi{ql2o!otYn&5(pH&VQ;0a4cNI}Mb7A{`%48URXx zUyRuH{$AD=o6pSRa&>W~^=emn-C0WD(bfs{c+PiBoxpW2K$t}|Wos)`>Xoag$~?4v z{i%UeA3H%Ox2G;Q;@Y)w-zPJ)Dc!r(aaz%m%hcneCOP)GZiy5fr}|E7xcVc-qt}(g zx!1k}qWnBq3bP4r&E7pmHX=Crnog0etMUZ?vt!PdZi7kLzAsH!o1p`u?yyJ8YSO;5 z&y&jcoy<6jyRbiE61Qi7n+o(yE;p;s=&n(=%65M=F7Dd1kMVNBwC-C;^ z6^f*~5FDMU4UYMHcYen|A0H}Y=eGojZoSQam(%%ZN5r7vs(YdbISlqk;u7O*A?dM? zrL60Ustbn#Z@Y4B92X$IrqW-t-Mum#7b{Y?Q!4}!eQ1D-Y&D^-U?C^gHS-_1;5!-M zczwf*t=A8!rcRGkJA;J@cK?!J{Q*w@LY|4t4(zQglE0F7MMlDLM*|0VAygTTp5=5< z%JwTJvzwP7dwKKMobiQO+Xw7!QT}xB%6#ErDj`fXl7Y>$dgk#I+0*X5cf@dC;&Xr} zvdg?vk=UpVVe63!m|ad)UAr3ufycApC^ z-rx2$mJ(t2U6FcQ4b-e3iIxT6RW{i4l2<+4kEU<0Kr$mS(!l*N-n~=*u(QPcc^b}1 z`$Hh?1`!WEPW3pA;yl_Ljn*B}BBa5Ip~iBF7+qq@wj|#X#~PMXCinRsegY8_?cXiH zU-b^a&Yqeiew*rc^1s~)aEN@JQ>nV5ldeDY3}hpM(D!%KuydwmZD(xBXBx(Yh1`#o?SX1f`GF~sPx0mX!g$~zZ~teTIDSM_k8 zZ1QJk{da}}#1il)x`dAnUOndTFX8P$ow#=9o2OB;*viJrpOaav5t;zc&-t^u^mFZJ zCEhtsYQxq437-Bb89~5z1Bs@whX(gQ{mNfE_e&9*X@Ld|10hJs({n)nV~jtpeHv~k zGWFbO`~SL1PyoZa*fo#PijTvi3~pNGhpuYU@zvu8@ zNy7gxqisR0$l0U;y{ZZcE1iaJ~Ye=K=5k+9qH$Kte|mOqY@WdbeNRlQ9o6k>$_P^sV7yb4s!1K<322y-$6!y-wf>EdTxE z-`caa`DB-;;C+L?Ng==e`#=AcZU|Hbxi6OgCdvNmb-?U^uHH51+Q$D@`jK+L8R6d^ z0gq|b)KJQB}{L50DlYa55|1dI=&-K;EypMh4~ z9pu(J9em|79=ewEXBHdFcv!W1y(FeRU1F{t&~qI*9t429Q<+uXb_3 zBAFF>KG{%XSSs4=KEuvGMxmuZzpE7PD7}&Bo7?WHsPt5+VzBGkW>mP~GQNK?_v<`k zdK($a($`37h{3V{oGze=OC=WOeaZU7Xh@d(oexxN<0u4`5wkg63 z`Vhxx9F17%Zs)fJ5;IJa{sIIXvaDg2UA#YWT2I&)rca>wwN^{8DWCPYJ~rIVl@k%a zlJJ|@&|V7Q0fxH5F7?6pMr}SQ=x<3FAA)ZxwZ4`!i#dVWtB#|)A6rE){toqZU10pJ z7}_f=r}n=^{l|puwLzb!6yo-sZ?iIYLU*5S$2D>Bw6C z?weavL2|OJDVd&XKg~IbiYPU{&@J$_>J0joiYc?D+{ygn*B*_qKiyG+BGGQ7?_ocv zzoheBKfn-f(qWNG97Xq*?Ot>TBVKXV_3?GG6CDxi=n}O;Xycm|O-5g-oUQz*lGTAn zPfVuTkuK4;r+n=39HiNwhELkq1r~g&Vo(721!6J(4yoRyQt2Uv!w#?4ma8quNcY3SCtyeJI*LT}GNeLfbRz3!AO4FwssQ!&Bp6-ICUZW`V zn9q#j`v3TP=lD9eHCi~fZQHh;#&%;gwzXm>RnQoXZQE|z*tYGvvhQj4-uImE`)~bL zvR=$*&Ie*^(-=G8N-@t4Rva{JuGU_j5Okn$eghE zWL}TjxX(clf zO7Bnp5c`D@ejL|Q1LU)Vdj-%Jmzbp^;Ki;YNy~+7w}OK>-Kx%L2swstaB~*J1c!o3pk^B z(8rkxeC8t|?|z~v`_IHK0sN3Y4|)p4v)ZJq?cAD*1T{OQ;q26eVV5u~X(eNqg6~li zW7@%~I(5H+Y8SUn$A`prYHXx7aT6#~BQRpnTx0~|+ld8|R&qI|%*g_oOlMe*i_=oM z#qY_ocd;-bJaL=xKTifC1`^i+9j)=kp95l*oJ&PK;rs>l1bq6j{~6mC@&mU^bGDID zF94BB-snbR!Z z=+wc)zfiZevg&su_fSS6P$4Zg_@O7}+GrD57WKJYhit{gIT$FCo&;L~saQBefHx$O zbuwpHrKj`r;BNM_SR)h~XzALqA_+QFE2d3dY0u29q`lV-d4DUdopvH2w@VYiiX<1M zV8c}jEm-2-qNFvXLy8UF9$P#A3z}+S&~Z-TEjAphXKm>{UBQx1y_;G4&|%(UefDq= z-1xkX5h5i8z98JSPy`zO4}s9+31saPsS}?*I%ReNPT65bqRkQ)X3E!2PE<6a1M+oB zk8-5rER}9>aeZzaZm-0_iyzJqE11FB{!oPhnabT;OhTBc&HL&f-$RT>B%R;USg~u@ z6But?^$B2z!RBymqCXWt&c=I3aPgq}H^JQMwd|M`?ua^W!W!P9n_ZVls zWjeKn07RRawf&ff&FB~euJ8_j-jjc3<|2A1DEH!U0$uR9X9j`p^T==#{+Iq*gW5b& z{nxN)_INa#-w(|x20N>WF-x!gLgw=~zJS9-C$W??goKC5p~Ry^l0*;M5M?r$c6~*o zx^b+#+)&3AT)w>@Z;OcS*jW&V>m9vFW&!z1*KR$GfcZ*w_vU#;Y9QnK^P3J6H?C$d z7wR#-0?*UoE?zp?F*q*D5KenuWZe%WN))8I-%)ZLvji1`in(FNI2$W3tmISw#i!2m zW$hSB{ru6|MXbcZqh5bar`B-l=vzRrngClqA7ljYHJqLM z`0-~3^l;VhH~}0TR~*of!V+EZre?`U8{7t&NeX>xHkblm=uE9jLvX83wkMu@0a zgxA$(+M0GMqx^#@_1Wh%+~1X>kG#`pt<>rIT*T&mi{YTP{^=*2P|Zl=cWPzy#^%wc zlWC2@Ib9@ubVve$VowK{nN!r;x7cZ=1A0E7_WA`@H}|IPHGDjg48xdj12p6c7fE{M z1&hykb7ES0FP*2+95XDo4N+C!aBXkgdspxf24MW_IU;sS?B~j6Tn@wBjj#9kJOy=n z`VY6M3et^nH)iPJ`c?po9xT}F-pv=)vZZ$88 z;Xi#0e`RNY5t_3DEyU$=XSZQz%{~WVhpZT2u;k`5<^mIx;4*<6v^T@*2bjVU@xUU$ zfk)8?ih0x|s$wenZA&CMX4QxWjpdN(rD|;SVrP8cUY5dVOP`yBsIXsH=EXb=f-wK4 zoG$s-lgN?i9YlAXd>ilnJh_j^(_{|0F`yX!MF4T!RA+L3+@oEura36&8#stP_-HyP zYfCqEgd>eFLs(oIL9MZ$FWlAa_blsWH5S|;W>YsBW4th=Mm8Bg!JL5?DC=>{J>Lg? zcH<|9a6QaUmVH_Zs1KMs+OEwz#vqcF1s$lR5Vv)#psyvX{d^NAZ+LfODVTfJaOH}_ zg1_41<;B!2t1#to#oda>OW=BRDqjmZ#wpV?yG1nDaJA#=sJXx0IsCsoXiH!plv(Cs zMiO)v6oFNitudx@#13;f8;y!s0A$1wX>KMF&9L!?D>A<@kcWH#`{Y{w!J?e6`se!& zXK)`r1D7OsiLqCC_>c%@@G>9cF4yGja12an^{<@DE#@AX({7S!GkKt7TCLOuPok!9 zVNKwq)-O`O2wtG1+HCS=zluX278>T-sB?5vzoOQyJ|SOuzplkT1)q}@M(uK`MR9Q#!FcYD(7}CrEvaE>F##tX}oKy zOgihlNujJD^XN@E4j3Vs)XpNuc>bING6L({a{APw>Au4eHIA{N4mdP$-J!T4;$7|y z`*ePM&|&QU&N9nZ_=VmMRmjRj0qfs&gs!I12C(MHAH>0j*B;S$dKS3^r)OMbuLo)~ zYNbFgEA^Cf+@-28R@Yk8k7MTYJ}MmeXXLUsH_6QqE$o!#CaE7S9zNLP-NVl^AfEn+ zt|9FfNT*)OjJGid(g);t zIm;_257u5#M|!KbP+}6HGQr>~dWM~>(bT4qGxDEblxBSjHOIf*=X0Zwxm$TD+lB+R z2n-10P&xYweBkhPRG{Ms9~88L{eW&)H@5SE*qK$>oF!j~2h`Ki^x2=%AYA>tQ2ZB(;`#n698( zemHd%X8Cr5mOu<)D1(iGT5ay*+!OaY^Lg;#u2)Tm({8s;<&T4{=ttEEJ&@Fp*oO!Y znLX?YH8(8D)WXHvw5X5Px4ye$uTB(4bo$>h8G=?+4~kSz*-y?o02xZ1EUtV<`0uZo zs@!BeAO)gLbsA>J{9$cLe194O4l`humiIiS4~FH< za&c{6GBjVh8T;pwH)E!LHmK46bwQk67%2V(2)1?Rxa2O5M{!YPr(>5r zUkph$@9{}4#G{hP?JE$A{x>ZXVXDLx>!ZGiYnZ5@683(%b=$s6@lcNpW*ogFO6 z?r|DXoDi((RQ!w*KNRX89hfmvN?5sj{YsoC!tQ>pc%+IA13GDW7U*5(O1y#$#7nM? z8i5((-(bOCA1AFLbS>;)OUR5Joda$Q5ejQl*Al?N3E?mdLOiyzwcbMy08U$1Cp>cb z4$;*UvB9fxg28-bl&%PP`=(@`Jr2(xuw3_#QCdtTS4Mr$~V~FRS44#70088;ve5W?Jw2X2XUh0 zYoTh^fy=A{-a#u92;#|}h$!8;#djvYsJ8i%buFy7&oEAkRW;8D%G|tZLOSo^A}k4f zS08V;*E08^>uzsB2XuE*;x3O#NB)U-Wg)`v1x7}qq1}(T;uv*C1V$*30t&@jLZAd*YKN!4NjhIdotGxhd>h9g|d0QTC|5RA9h{X9Oe@i z$n5l@@Ib?J*ROf#2p%qnu{Q)oJHvF4T`LyCy4@yv>Uy;x2yVhA@RidI^{PY+BFZp5 zKK-H7{s9nWJ;UT7B(SpUh`F@}NwWo0PuU6Q+8I&s!MgMh;w;1RG!8^+UE~hD`lKY)og>U;+?7j@;c)Yk5fhm>gzDRsc+xGDI?OsHUC$J#rlWvF5mZJ5B z@sBz;oq+wxT>M{qLV>!<+ zL(qbm-hDLe_E4I}2}Y~~(T9(9QUnZqXAHQYtKTjeX#eNf{@=G*$m+~Sr@OGxupK*2 z1|+l#nzi!uVZxv$F|V~7;psi7E+9Qd`7VV%kO8NNCeGN#|HE*12p@u$wI7S z``VQ-K|M_?yJ7H?ps{_~loP&KStz7{+w7aZpqvSgdlL{X^ ztW49Kg!igWo`=}FURA%6{O^t{`40|edCbxXYe4*RbK2~<%yZ|6f>vfTj5;1K!NAP#XAMtj}fDeH3_9CYt|eGSO1&fGvhe=K8VsQtm)dyRi_gE7MrmJYJ0X z*2~7dpvMYE{u@!N8kJ7pNg6RLS(C6>{}b2^Vg-1+&Tz1n&BY46t&d}&FBz1SB)Ki{ zoa@qn9}YLN0i5_g?6byugF}v3;Vvd#-Th){c*zB`n7C%u+G#_ewDfV}2gg*=7U0Z_7vb_)iZQG_&(@0My***64zwLBbWu2+Q`Ze&;N>t>|0 zCnP23d>^!(7bNXor+n6*Z(?2#rxzDQm~P&Rc6iVd!2DL$?d^ei`-Db!9te-*lujU) z8%1mzeFi5b8tF|_3N$+>(H1yDvYa&A&8Xf`W0MrCYkXYy5wRWdmdUPCE>ZM}r!ZrZ z+RiIL0l?t2AP1@Htb6zxO=Dq{EyC*GyYvotT+X=I@hG=n6Nb!W1j&we!%X?Vwwm)e zS2KGnHI}TzG!KskbnCl;Ve-v_nG~x5Fjl60{B_3IiGd5iVaX7 zKO2%Q+0HcQcm#lHeklupHFi$$B{fN5O-HSqg@_3@)T;qTn6mqWN{9b9!iWI4s8~+k z5n5b9NEmIb;gSfbicM(4vYVO_+^LF^f~XaS;0R6*?E-c(V}BTb@=28N{}{yv61+hv zz&C`+Q0NZL3K2d8BXIz*k!nd~MD0ox>(lVJjY2|o+&C2iMMYin%&I6!409*ft8ROiM(*6GkZj zYa_9_YqEB+3VfPi?&qO}u%{F^&8cuDH~WBc?aGN=4ej$JVk_d{bGiSjx!{$!g;>-9 z>_A39}XWbLua-}_MZN=O--UGBR^E`d#OSil1e-)Ljpx- z3-RX{ULNR)5GFoU&XyNQKXakc6CI}DG-%`37v2zvs|k;zN!+K0RfDU5L-@+Vz%kfC zK60_J71}O-p$X2jtBI6Uq_15l%yN2jRto`scE%J(EC}ud*7_vKk3hwqeP=CB6-vz4IyT&@no7C#E{xjs?r_Afh(?Nb|skI`T1n_ zMbwfij!2o1rX47u=%$s!1{qUz*xbX~T7MiUe=w115|4rkV0#W-^;|XtS&8wT8gI6B136PGaKiECzQAN_nWY+ZdXfu(_ zcLpJs9&98tl7cgvozi*mj*lwl*&27)C|(|X#iwlbY&$}1x1zM8!z$P4Tr`VqJVybd zWCxJHPy`)seQAgp!d@2mvo$fr*xYBpNas=z>!e-7g_y=2B6s`gT;Ec73 z9zqt+wBa>E0NJlZwxIm_nM2PVcdY3>69IW`>J*#C^qR|wqFFRyqNl2V#z-O&?KIO5C%KPD{Rp70qA&V0>1Sea-4}8nA zV+M?D+?D_mXj zZr|PEg4ESDa&>_9^Rw{8NG!f<&N{C#+b!nV0U_HoZ{<+z@AZVGJx4pq%<5r0FK-_2 zq%6mCnDTL*m7UFmoqewnVDZkC8g}!}sA4t>|IIrez&3)DnS{w0kx0-l{)nFi-;A4K z=uG(^?z@v0@@4nFBPW0FOT$t)aeH{udvC-~N3Tb-H_Omfw)^}m&Lx`uabCB}vHrp3 zS10KBNCoJZ#Lo^68+7Casa zf@$cLE1znS*qetv%|AssxTvSqfw#5D;t(=}B4Ivus4Bb1xqBwRd7*I3GYEmWuOPwA zGnRXM1BcO$O7xgK@rJ~@`!I8i|C&x&J#ZLF8V`_S`Y74j9Xmh0sZN>nG#ys)9olpp zR{QN*p20|SI*Z8Y$1{X?_-@-hq4I#xk2SYk4)Vp2GP>0WNH=1G{eo@*|z4;c<`faTi# z#%0rbU=Sj7V6O~`KD4?9xR1H#6nNo)=2Z<9O$yQt4M*RX+=zX{w@ zi`9CcZHC?NP%sG!`9OJ%z-RsW$5De}B4q^hP^`aCA9lDQN#2TaCZQiR!uh>sKuwX~ zdD(m#Uyi@a;eAHxB1YpJn0Z~GC-*VsdN~FzEQmdgs#B#r`_WJ?fT)is~fT=3oDDD)C#U8%@JwK%p@mcEQ zNkzkH`~2;%MURm@Czv#RH1tp@%g_j^@dDXouyUU#QoqdK0%xOZg%;Xf*U1=Lb?+s;D)nx+fXcBqQ2&`9d|! zzw^6VLLdabFkWZ!M-cW`0uF$J2s50&L(|N#PS4489OInzZ0EY8l|}1+HIok>z~`U* z)qYq1;~zG$iUq^M=K;#0-s9Z-M;A01_9m3*!HzfhJ^p`Jp=oNJ7zssBX_(r7e^)CE zx`Xf`VD=07Z=pn1Fih*y%%P(hWB-V3ptd^2+@i*g+tc!H_I*-PJM2LIfTIgMpVtK8 z=b*X~$qu33`ukiZ$nf3}G2NW(K>a(E{1uAcdam)x!5)D#?>~>X&@6I-*LuHw>*=%*+~}j=uSbmd z_+QeVWBI@lv$`7i;q~8d1%#a`&lahZtP0x4eqG2p8kDo1|Ep)`&6txyz%}@Rc=ls% zmPjg!3{7jc!qw;W)><$~gZB1X>aF?zk?jC~$Cn0@G<4vYlm`C)y9I)jPt3U_jlwsjUDIz0}D%hyO^9-wBPRs z3Ir1ZI}8}?d-~Fq{ICYG))gxxy_70DOUj8P@)rcn)hwOVg4$C6@uB92u7J!Rv-}A@~m)K0}5q-i3XGl#*g6;p7HHk>S zDPZDU>v%Q)SUyDr>cnduy43ItUH|bcnkMa2q(l8KxPkX(b0lrVEO=b&>G@iB@UiU@ z0n+cW`7fb;8eOV3zpxiNEuZrT&{j9!%l_a(ypA&IW;F_8!=n}{05%-2cc|W$y-)?#!64;#B zrz`bMBr$~eM@}Hw|5;;yMw02RuuQrKJG=UQ6XmQXuy#OwzHLq9hyE|B`M>X) zMFS?2fRXx)dm$!4n`#~s?Nhe5nRMyTOzN~rWiaMjKmG|;&YQ#m)O?aO7 z|IR_+qy#EY$qnq{fc>dfPJlb2j;@H1bH)`W{C}E5qy#$xMluP0FAp-X#~l>0cB6RJ z@0`(j818JWxI)i~d7kq>*Bd~a^eA0-t_7xTsn{%nQLE2K?@SJI*gu{y4GVS-_7%RNCz=) z>Agw>X$>~1;7<)9dU|vlA#cc^sjV--L#{e5P`SJg9s0h-uXHcbiXWu2yWOyBr?=OY zJM5R7Z(RjCv;I6+@#e!)AP)M~6kTbdMpa!s#mWtv{4yFoSNj1mBL$5DRc6YTL1{I_ zjaV?3kuZ_Nk95XPVSv5{d_fvvhv{L`q4hAaBTfg9^MeguP8BnXpG7@2W|k1)k7wE82QFt=_ur|GHU|xi*iz^TiGW=^vflmEIbAgt3Rrg>wd^^&7*QD$l59%W7aU$@3oO7 z@`xdm{)#oz!3G_Sp5sJiDO_(!7)B|8WO}L{ST=$^Gs3)qf(*Odj6*CSfV-~2JJ&7< z?`1C19mpZ@Jmf5ojOGIKCH471I{7mfh=m+zb-g8NL1$11XfDfX0P!_EfxKZOfgDjr zSg#d{!>haP#4v!I57k598Fb~_;pc`tJ*BItxc?C>KEOkK5KB=$xwD*Z;>x6+(QoPH7B87&{4?c25aJ3{~Vq=@jf zyE;XP@!zC@lra}`)=xLcgk#~j1Mc(jhPHEIwSru&Q`*k++17zgAHjHB^875hLY>9k z(xIMwVl0w2qojry5Ap;5CC(F~tJwXmh3{WX26hS@dAynOZ;|_EOA1UHuzL5R52-q$ zjl&E)Z%6J|zURiU#&4X!z9I{fch@~|*?>C7F%2xFS7c-KI9#8$D;dZSgD6qkK+_lnGVWr9RIA-#FP3+#NkqkTKKXiw+E&$TY^X@bikm1UU z$aznTSQyv{ExPwQ&va9t3QW#(+8VE`%uk*JVZwSTsmYk1F_#|BR8L=;Dk{2KtA@1C z7IL+nv`pm`zLOmn^K@1d*9@$N`ki2XnzGmoQ%qSomGOas&!+-6*YR|}u`NAwW&D68 z^k4)kHKrF>OUa(Vbf6U}ofxLKV9v!MbN%SY&@ zPK%jY9lBjzVIkp^?0T}%c^$*3HonP@u&~by-#4+IcnLU-oYsm&l(9jFJJ+wPyFp0F zdm?%u5eA{C36QlKZ^5`mMv6;F5VS^1r<@G57TxAphT!&vwj}t`L2HVGK_Pj=G*BSV zGPpUz^d4cIPvKs(3|2E)1Cw ziP^L-S7jDT%>g!=?ngN4xHe)5RHWv3pRkSk`0xjsjb`XIfP9^)2y%M?pd3Fvp4}|; zkc9;65zAcO&{#Y$~;Ih)qUi^u2Iba6f-cK!G=Tx??)5&1ZQMPPwC4O z8bMuX0+9lVCd`S^o*O!n`{tG>i#CX~NW(v2M5NP4t^%;R^tQWO)>k+PrRijjJ3ht+ zN#l7Htq#+Sf#cv$fNutOx7am~y_X@0`$@?zhv+ywH?miQDN*RU`|FM7-9X6|!H75B z>FMJj|Bb&^d3U-vwAJeIN?Tx0o9h=#!-C$!x&R2GkvrZM;f)lxDQvBq)Sy;^*;@_6 zIEj-GdHF-gQiF5!Bb3*`OD|rGst`?Ti9_egi<+W2gA?96@akcQ?ug_e8AKm2Tp@_u ziblMR`Q~(;SV7+158;`AA|^0Xu+jnKjhkq?f(pHokjwPYpGnS;Cnrt8qlbaux;eqA zZ(Dd<%KXw8?L>wiNnoP`t6B!}v^4tl)zR*_C!D^9<=_M(Z_JD6gNuKB>vPK8MsP!w znZmLx8d+Z%vS9hkGhV3<%4FC|I_|_)$Lr{N`V0TkDjU`d@x_TJ-q7r7XkKVJW!27- zkdz*n$MK?E(992aDoPRb;U~PV5CKfn@;%67DTNI;?V9|TAZ=8WoR*$Pnnd8~jDPGA z1WY6qL`+bD)^LO60ZkSQ&sI~%>2@WpNEwo1Eh2ovwzVno66F zCK!^DZwhLuJU`?77(-CcH?;|VRlcenR)SL|Nq!^rpccpce%m8Wyz?t6Ijk|Mcc%)V z8p@xzt~uZFmyLo0OoZ4k`X6_3R~@7Mb@-O+kv;{+za~Lt2-3p5CJNSXa8HeP{G#i4 zqGq_y`8{PqZr0R|qBXGKuM8eRPeSW@V?X5t`+!F`byRd-9C!5fdu~-l5 zvdA(beEA{sg*;y^8EdPMk=`cD;MTsT3lpJg4;58~dvRHBNHvsB8YZkC3Q zGD!iTph?tboydR@-iFi}Qh;U&k?rE4$7!>~4Y{%D{bIs^;u*mH$bs)Op8 z7J}f>@R>B(?>H;Mf6?Z=vyk8MI%Zzxm>bs# zq`tzJxpS~Xaj4w)*yDQZmknw#Ct@Pzw!}Ev^Lc>j(`esI?AcpG2ml^KIUSCGa@sL5 zTKEHqUmkArxN(B(Xx^m0uJHjwQJ8pgF`a8S2NgnfmrG4i6JyOvAIh52L!YuaknZS| z#6($-9qt|*Y!f3&)nLu2&UgDVV5HLMR3LiR_6|Xh5Bsp z>=qvGcNu$!B;jBsfU-f?f<(-i85r+TD(UYV9+4&STF+S;iauMM@~~DGH}vpzX?Pks zFT9++6)g|FMV@}{2JJ{HoNh1h$qZD!*tT5*u~5t=EQdd&Kkmq4k?pvb>cqT`Tm=;F z9bN^KRl(%9o#n0a^frCUAMLkYg#vpZy0YmPt`wR8oT=Pygz`g!$MxJf%8GoUt~5D; zzI*=^l*xiyA&5)zg%AGHvI)_7)>H}Ch{zE-BV~h~rL2u&G()qV#2@APdg`$A$A zfXUt9eqmY-Rbwvii4?Ao?Ao|q;6DwmsPp??;@;!jI@f^LfRCztg!GF*Aa*0(V{I#^ zZt(GPmg(m#*II~0vnIdhqbVsyxb|vD#SGb6`}M4DbC3TU&co9X7*Uof@F37WJmii| zg!CL^j)UWZZohvGB_wzVwPcS(2?q=W}calGks#-=@EI71LcZ8wI&t|HfE2}Ngpe4b~EZfP` zNsqN<80O+`%xsbEbEVc-6gw+VlUKm#q7z9?7202%%75z4M;x51-&z0>03YZ%PlAva zUc3HJ5Vka7Y>E= zC;;_P>Um*YB{yA+XSq@8spU9FQ6-AYaCT$%*!T0KW+Ze`J?VV7qOZERyrwCP>BQ7B zjIHg845UQdH?`p2zx|*UP3h@!&n55Y$&gcrS^a{%|2{H|>)qK_YXgh#wg5u=rdMgp z1(a_+6@358CX3wxO-L@>3~|4y?1_*-;~HTeb4u`siHd(Ut@L3+y+I=_I+LEZ0df4cb8Bdm&ih7|vHiXK?Z;+*apoJcdRHJaj( z?}c#N_%+4{Sh1BQ-ee5lsS(aa6NPOLhIGm$->N%QDJ~$;pl=PDt|(t{3nA#fp6jqW zu-WhgCQj8FCpb_sfa(#BM9d$U>J!sHSCZLR@21qV^Yh19h~ z^O0eX&?b}7>1I9?f-%!ko+H&6Q=Q&DiJ zmX~uHu7W2d)3EmYvOeoJ;IpEcwff7Md;ZHN12@ADdS1A;rF3(0iXu-6pu5YUhPyb`5t_oN??v zmj)fKBD&kuc@R4%84cIMwbpquNg>Mgq=DL#4&avh9P%=pj|L5C$J91y`rZ}zuy`JE zj9xZo!RgSi_MhUw6tQn(0h`{a*J>Ax1=S;p3B3vh)j`@coFGMd<)LJQwhXA3G!!5t zkD}mGHv$<(DtFT)b;fmg$Ztq(wUI;O483 zl6fcou0f(x2vu76+jjct$CgJfUt8@^T%b#l85Td2pQ{kKhUB6*Wi1Z}ZI3qhdO^89 zYT-Thz(EC#A*@ICscy*WwC+s+u-B#$^82rVUa^DnE_MwpMYdi8A7aR zlwV|mZR_&u^jIt5nDC|v-?-#`lJ{)w`EI=IFCKwAD6#ezcsiTpnO-Mw3n&;A-!cwDDO@w#EEdiAneiJAS^jg9YM}IuLD=kadwL`0{2stv7l+- z0@{)6gq3T4j3M+LaM#^EWw81nwqHl1(tYE;g_b2GSgDT1bVmyqD46S?r;PYBkPkoF zGFF6|aad&*kAV)NA;21BscZFU(mO}WOls&FEvE%Xjm^XC6Gor?kcGiraI%P|ai=bw zw^Xj%%fd8=*xqM5O z`^cBqKi;e4^E}d`uPOCV<{0A(K8s8cV9J0|XIq>ZjPy$ee~VysGKd;L26{2I3AChDLflb$113vi;^4#hwpOAhbA#WQBt>dG7oC5Z(A>>BVG(ECCS$J^h z1Ix=9N4+s&)laE_D`VVlMyiY7Khj&sB)dRxn~}YN%ez*OML!A}>om*=3oOpo)-% zpS~kQvcROOYLkma&P(Zc zUhY*Gu=X}L6P^mNmG74uXkKkGt?SLjkXXshwqPU_(;zMrj0ZD4gb9F0QJbaDgh{$_ z<}sH^jXe;nWW11%`fZ{J4*V>gQWpo(Zn2IJT?*9AJ`xb zr%QaG_}Lr=;zoIT2l7bNp?|5HWe*cu_-KOQR{LkbXPx@UDjLz0rZl zi)NQ&8RAI7molh(E|7B*O&I4&-hy)bgdoOR8*HHm9-~smUu>!W1KrR109LPNzVJz5 znqNtTv1|qmOR6syWsC@gA>mxVfdo~#Xpt(O04-R=>pow`uH>6ynm9;3@jt5$$S5wlQ3 zFh%4^8$?HH$cLEZAb$~s^IG%RZfp#|#DVePSyjrfe6t^5B$x<2f8;JYL;;L2Kv=)}eN+UVlNF}ay%tYk8k z1tH(O;eNzlkKN~Zw~>6_6EK@9i`H6Xi}5wnXTBuo({xt}cO`ex>ZOb` zk+^53&*UNq2C;WVq*5p6B#Fmw>iuu-k!G?OvKIg5Q7M;>9h*}at9uUv{#~O5fa90b zwEe7wH%_yMe83ckAW*ty=8LdCZkfx7y+kYCj`B<(sG5}LaTmF?UaQB01e z(T&lmM35@vBJAJ2E2oFcazC|~@lLm(!@at8j*jTwP}fwdEXu*sWSn!w*m<9hD#V7G z-Qz7nOn5NM)S;gYL#I=WgAt0Qiq)PUyIm$R7LE~M=&Ch?U_o3dk` z470A%7OhD#j*NpB%Q*Lw5fPblbnW;&SzMIvuM_^zZ=;)qL$qNkf*#64=2_MwQK8G8 zf;kQ;VU<;zB>VVEff;94nUf!O(rI435sSHP1CKq4B-UiN%wTUW5V?5clCmy5i?D3r z2-C90uvo97!%MN}jqaLJfRq)JM7$di*mtK%h$ZB=G#*g=cua@1-b~Y(5?c(loBIA; zkZq|pFZ{W2Rp4dm>XdF$HMYRNdSCxD8ragEobY)dUvZnt%~SDOjZgVQN!OrSAb7^H za$WlhXbc;$9`>yE`1(XnwDO2@u*M_%_d_h)`z%Je}ETrpf()9WT8N`4y29~~cjE$&p&F5HH5 z($pe1n>1p4QaPVas?6ls7Q5Q-*rAg{adE=Xn0AhCOr%mHot-lp8i#uH2@ozO~_^s&ccITRgmFU@2c;Q43ow13VT z{Z4lHJT`h_)inkb4S=^88O?VwH zQL%QE?9;@)$lV<0Ufq?r3>10PY5=sQp#gBmB*qfT9Q;oZLxpd#Qxqi?nEUUD_}d}! z;m7P@nS`k%k_M6a*GLZA7|(lRU;-QhE5eE2farCSbo0V@Rkmg*Ty9a4V5n`-Rvj_b<+Vrf zZhK@NtF^tS=6PPqtUb(5;Y(XUmS$1=n3T7$-@A`TZ%v3q5gJN1yrzpJ0b$cy#BkC| z8TWI$@WGe(UAs_V0>A);mku@`)F6w!B?-CdjJONw2N-bUj}11Lgn#7y|N00Nu1s10 z2xvq!!UiE#^B5QN?smXXfp1UPJckp4fFG5Rt=0XjfZ4U`JVAUkkU_L=VV!|CjFTBV z(a%RE^(&;$3#|yXxbv!ZMJl(6*w~E$jbRGdYPc;X2JSYdgSEE0J7nBbPt5h-NmCiR0! zPY`tES({*(`%VJ49ZBgLcDtN`Dy(R9q(T%YcqKO1by_g=9eOB|tzmj&B2P$!Wp9zV zn5m2J5hRhSHh@ie(o*RfgM6RcF0Xu?PlE+HF57BF_yAbWMfWV*`++@YSwUKB0|Ghblh$HCX5F4X| zSO$W&sO@EAmRRPle?=g{34f-E2kAJogKd-ioXY+2H!) z)S=@|rh`q5tnEOY4>(m$1T_qq1weg)fW~c3<F59u(GlUDx*A_aXWzV6v;VI+!;>pJ^U#Ip3{3Q>S5mP1tG% z37>HaM(T6u_zw9MnEi^g&1|EeC-bRiO)-JVaj8dc5A~L!!zPe^DEF2PQgGU^a)XT1 z&>~r|k~&q^s-)G0&;%Kq=G5!uWbt$2wB{xd^?HbhIV6rB#1HRGTdGH!H=GQ0klGG> z#ryUHtmKbK=O01=Ks^}>J7h&`8_0*DAA{bz_M`7xE6T3Yo`F>RLSx`h6Y>3F!NT#; z(3SG;eSY{}2U|L`T-0U52YLyis7tSXvRo9wWA~6)qTtP%0HnnsHGl3?%5DGLxNb$5j-zmQP!~~||bUPtFH~4WdV9lR~vu?$_SHc{XpemE8cYiknofO+cd#KJ_ z1;b7=*0C;%a%?HXBvEEf?g&j3^_;For?SVQYbA=UH&u*X%T)fU^qlmhn&Z0d6 z@21C6S-TQaFryK)S^0ATj4(Jv&@%%x#`=FNYk+{_N z!P`#Y77&Wx83+7Gm5TaJb9;ivYu^$?7i zp^r1ojVbRpT{rTkgV?#~kD_uQ`ScsMgVm9%PSW+n(t@A@NK$3PL@b@%@s5x+P3>U$?8pwa(47zzmnal z7}aG>TKu$_i{RV!VSf)H9a9a_Hi-IjP!1w+T=Q3_MHRPdR5%ZNi12^w&w!1<0f4-w zyUW%gmRy8KzgyrfyUl4zb-D`NV?SLgpb8TpGxG&N>=E5Pi_-%Gno(gI!W$B}P^mQ%p=q zO5*nT1kqs9l+oC)wrASg4K~JtX$ArNtPZh!wAtunBQkKX(_jkb?$C7UFYNZM(@Xd{ zagLav2|Q|riJvK1DKJolcy)XaJ@v~JAqz@uRLF{O)Mp`AbC%qJn`?CwL;jDHZJ|Tt z1g-Va+)#Vf7op_mO1C#qxAV%m3qw0O4AEN}ZCwDqEG{-VWE99Cr|W$5u#AyXkD2Cu zK>N$=SmbKL;zMLR<#Ln5_QJ)b^2@d*jo+&v&$|%=+1A6%PRsaW^J}asM4d!byGinQ z72%Q^$`%baBNmY)VV++0Gtpki29g;Gl`MAq`7G(s={z(v|C>4wqfeLI9CHhrI_i0GW_l5F^S}E(2`BZdHsb3r$(?BZ= zz&K6&shU`9zJNIQ>F2g?Ii^hP#MIt4RYITQ0nMb}kb;DnC@q+jp%U7I$Bm3)^Co zH~&{PB@V~nb-`-4BrdNY_id5%BaanO$D0EiA%Jh??rk+O}+g5ZvA6;2JErb8wdgcXtWy?(XhRaCdhnxJz(?yM%vk zzrMF$_rJIQui8cJI#8Uw*P3&TF=ee)`HE27)u~U!3p4c7n`y|&55r>7!MhX-KXY)f zhDZQvyf>hRh#Ns%64xlsQS%TqT0yk_c)Pz;^1|`&3>HBvg|uZFl5f`()gVQkWEq&G zSP|!dC#!_*UWJ-ugSCr}OI4$>(Vwck#hcUAs6=MNtZuEq+`Zhu**jB)f+- z0p+3#J}P`(d=v@HIhc!;6QI1R@2 zV+2Sl+yqBPYzCf(uD1xVqAfayaNJ>@B;Z0QsJ!R`R10!c;UFVuTx+D5)T&}ATJ2iX zXDam4)dig}^51mNUu7!{GYW`o1>e+J1$ArjP|*;z0@y5Bu~erz=lb?@$}X6%sbI`J z`tPLk=bP10!t`7p<)Lgu2V}HZIR>sZW=3NX+(Ee_i*Nfev9~NgV^NL@3UXs<Xh% z;dtBy)6l>M59lyC{tEXO;13!@FKO`g;|x0rfJuGzx!;83AG_9i?>5O9%@#xx_CR2@`YTYUTg$v8`quY&_NsB&P%PIh!9s-7XsRBSGDqff{Ol^kDNlN1@` zbZe#-E?%%RjhufKH@uq~EcVGznj>QyUIWvR0ggPo3_)^;vIBnu?c=Uc#ZtwbIqVPR z!7tOUOj*hZxH1)^t+8OR|8(7YKv*R35UkjZtb`fbq)25Y+18geNY#N8g`Vx=C&~x) zX1da;qC+Bljabd)Ffr<3aUlO*$1K3!AY_aCSp$}|c;bxFN<+sJ$=Y&Jl>OHpyjedJ zX#-8Q4^g}Ng=ptm6jqLEkvDf%#vPu#iL_l@?^1(y0Q0(7vzEve{(VU!mQsPxqEuK zTM<2G`LrVHKK@DuXM;ydf|Sr>LW{MwwPw}H$XQQd6W_%p&Bm)c&N6P&Yncouh$tGT z?D|?g?m+@3Jqv@-{ma=%rv*VwTq6Y#X5$(|B=)Pb8?8SU7?ZH6yoZ#LAHsgxIfg9i z7E{`jG(+j*`N2UINQ7yR`d*W=H20My+o5}OPqB*%DFL;gf&J$SeU0=D`eDL*LXNkf`z%{Sw#&|4jGRxKARpxyC9WH zlC@ZEq|l=^nmG&E4?dh!L@$m@6paM@e_lAWkQ%2kxm}yEIiJ`J>sKPOl9EJ>pEIdo zV+92$^_ntJ9bdL1wtAO5+57M}474`SZu<1uf|bpJ*st0j!;cOv*!r}cP{iL~7&)`u z@VHd9qrSr@Q$}ips=z}jzEtG&Ybrw*Y+$u+Y=k9eNq5K(AQ#T=1&v=IKgCe%Q@L5! z7iRf`8%vk;WM`$TC3Jkw<;hl(mnPl6g}yASM*nQX9NH|XWM-T`Io8vqS8VLtx7Y_QXsvT;$zsRGQ(ufYp7~3O*aJ_O(81G3&il zzk&A=Kee<}T5VW*wz_*(JhZO}jZk?L1imnngnn1-XTG||#bI^vOsUNri5lGM#?buT zK$N|@Xyayqiuqelq3A09C8`bF4reFLuo* z^G1Jf87=_e4cPGwTLe?=P!#m$q_{fD?ocgc(-6PEmu^Pc5VL#FR+0_rZET>@5~ zq>PWVQfF?~ROOrNu&Nc(uri~rQqUR=67AC=?A6%fS&X41fLXw?K})uR85-G3Y|GB7 zGVI}$?#`nwk=Rha=t%1cUg0#iW>LvCVYT=#J^^LQQz*l0>j!k%pdxTM$N*Y2s(vFe z#Wuns(wpA{@PrsG_3{|uh7J*L1O3l;-Uea5-#Iz@alWkoC-?esFE z{yFw5O;7#?*G{_@861;FgVf3LIde(A$s;XG5g;-{UEbYb%Iy8>X^nhVC+_&%ap)} zm2s;6W$52n0GOyx6JpOb1oLj13a8E@O0J``S^XiDY;OKS1m9X!1|*7I8`UaDc*;H`p<>Od%+`1Aq_ebTg?(_a z(n6^SP!yXOYSuH6J6X2B#9t0*jTq8GGmTCAV)L8Bnsh{tvkXQQG_0ro){sbqbL$() z9H!9!fFaHWNG%V`*_snC96TOWqxU5$ zce59U2_9Xb86Xr!+JH^>;wtyYg*X$AhNhc<GiL7T>pP5}qAUyNO6by~l4N-PAdhLU} zyV;$Giji>2YV6Ld4{=dmVKXB?Y!~r`A^dexQS}G#VRl2O1B89Rw8iI)%{DemUw?7` z#F4c-amCYD@E>7{`1s3PV1T%Abk8pobt4Qgr#MnULC!{K@0`DA4Qyg+T!}Si?>Ay2 zzr+eFruc#U6ZKR--fY9?xKGZ%cV5D6{cTt|!HvoZ^_yf z?OZ8J&nZJm(Ss0iDy?K;9)d+Uw|$>GwC}$Z&#NR-kudf`6jd?^F^k3KC5W!aB136Z zT%upNQ3V+XC2ujyAvMB;lgJSc9A~f`q`~m z@M6nnBW%NXxt78S3wjDP4djD~Fk%3 zZB&wiYmO-mU+dHvyPs1K-6aRfg@az7b*;A}RDmQgNy6j$s>Vj>-J66`c@!CE8%3T< ziXWf?RwI`tdVk26EX#@+_b}ie?`o2Ek(IfsmNI`F?9c?r2^%IiC~6Fd=TEv%k`>7D zvUqx9*5(d5#UtD;e9lG_BHIl{GqYmH{Gu<{qdX@4Gpb|2NIP;OCW5OYI-twzt#wG{ zzzNu)p~YC3HaXUz1BtFrOH&(I1|#MmkFIq4>uCD3zGNURs%o2T5GJ1QNkQI^f>$jq z?;X4oal<^@oI`C`1%%_VK$pK|-T(Y>I}s&T)&UjA2wnG;i-r7S!el-#$AAZ!4#q6| zl_*Ap>SHH1r{z0~B$Wu~)6f z3PkfoHTuo_*x18{aQo*EMKTzPQ@_gN%jZAiDbpkv*5;FB!b#td&9Wvvr*F@n+!air zhwsh;G}=z76t_B{ho&w?{+!Ie1-Ft6-=?(6z;L8b(QWG}d$!DH&NxxE{5U(Zo~;6u z42YulVClR%^B%lr4^IG8qS1p~>s>03s&3-d8srR@H7gvG`o3ap^FG5kZVjMx#dI}5 zRf$;_84^N&3Er!k%BL!f5iQI9KjNE$a5PkXppu!n;g=hD@hu$i&)vKcqN3wwM5F+= zQHYTnBk_y0;HU#@_9O#(z9bbjMs>qxjlFDu97Hcz;#jg(Plr5nV9x&~rvF`DgV=2X zin==b(Yry`NwU{*eqT6ijZiYLsHh-328+4h7s6viSGZ{ABnVl|^L@23xk++P7E{f7 zr1suwbK~cI>D3sH`|9@;?+K_66XwpTXH+>grBvCw0f4eW@)Hr!Ej5M_Sv}t>QA3Hg za>pwR*uX%_GAiMOA<@OM<`7DHE*Y_(n*Dw8lGtwrtz8i{7|$f7Dr&<#{WKkp`H_^_ z6nFuHdVyRUNCm%swo+R7)U1I_~7?LmgHgr&~U~L z#jLdSQ56^rqDM52JW=YxjERwE^;pYB;khq^5dbBwH3PAxh5Qb#!t4%rsXWYMjL=Y= zIq|$nC|O_BI6-u{!VbKgS+M3uYfce>NXT?`dVJLDIs2(`7nJ#yEiPqy8$|q&G*2iJ>^~DI&h1OM?!Dn)qW5pCM8(yN<#*acK9*g zeX$c_Dpj(KlKZ9?xKaEnak8N!;WbIFy_K^1h>Y)bs9uSq-%O^wROQ{T6NpqhbaV?n zvyCBuf=nJR8VJttIjPI~t#vV`-$+>c3za3@;Z{`c@pb)ze)yh>qu}`$pPfes zlcR_VdO9$4PG+BVk`$!uStld|i|Hd^)fXKp7ztfGl9&Ku$6+92|Axu9d%@CYqAHwp z@RDa*4l50)A-E8wrAJI&O!34LONtrzxrWutOfTXw@jwnq9ZU}1zxKb3Mj5(mWBJE% z>3ZerOWed)`eC!Cbmo`w!#olWbPt_p30SQ7F-dfOw4G3^U1*5X*^-&M)mUR@5!TJG z8GHJ~2w_Qr%2xRW}cPBw@ni~?^d_Q{1s@@2>&fJz);Il(63jB!+}dDgqq1OA2Q z7FTXN@R0q0&`A2HJnKbifnC3N+h)>&$$-US_7CHfq=rMOKa-R_0lcOg9Vlei^|dd= z#M>?7A9b17x{L~bxQ;!hd+FRcv_y_|c&9F;FIQ0D1Tq-3*nBy-1Hd>vzM&S+RSoJ1 z7B7^)3c80^p$dsA>3?=zw|n|PdnUG6)IRO6H`@~4QrNQky@tave}6gyMT;NT+!V7! z!qyC{0EdNbDXX6HpFqKnpNs_1UjYr}i{p?hI{8$OV*NUqRjS*G*vr?5lapOMM-^5g zN=uUpBJrpl6)7}Kk~o0d71W`=BJd>isTG*m5&+(K%;+EbD7`!hIy_iY9}#$G$VNR| zFuO05HH>)mVK!e{Y3)07qIhs>wPs~a5FblN7g*%yO3p5Kd@JLp8Y6DGlbb`^W8m8l z;-2nP9H}1!)HP~JEi*@VeZL+aQs<;t#j*SE$mFOjHqL7VjYN|N;}y(UPC7K$ig#(y z^l8hLI5otHVe?_7tqs^N?CIj9q}vyi9c4>9V@DG5An7Zl+Kpkw>mNJ7AEVg{&Z{+< zPr4a{pU7LY=ksrG#xOvqD?r%0{-a6F zB{Y3T1cNPxDivT}JzRhpsrA3PKvE-MPGVm9;w$+FGW zRN@`*l*5Y69X%4$Jj%sxlyoB?nDHZ}UPt724*_qk;PcLH3fp%9_`gTL;u$3nAm;p| zqy>X@6xYjzC0*6xhZiz(aUvWlE}@x5UQtlZ*zhAUQub0wCk%3?OXuUK05-gMq8fg) zp18VLrR-8Y3?M~CjDMDrSpWq{P4>jAYAJ-y8#bLb{W=Isr#yUSb{^YEf%&uzBVmu; zjh5E+n?_8fFtH%C9o#GYaVRcZ0$(`#N$`S}4L6QV2DD>bOO>eWNR5X9Z5;7#Enrq4%g?ubCSlgIVT0t1G9mmV z&QT4ifH{6lMpIeV>iF{6uAx7O9i2(m=2}9^S6ESr&GUcJ1hJ7lf|$Y$PnkACg@cFv zRg3HxVL2g_a14`iO<}hF;7`tU!RicV^09I>EBwur;SxNuL@`pmi8g2gC=pV5MR#O3 z$t-!-wCf^8Q{|_Qw5a43;o09yP+DVQP*lvDt_P5TtWF$(6YGZTr--C`cibiTh(yS* zeqdHe6-|&-cU7)UqHf^=VZcr^-l8jl2wbkO(&W#@vwOj;C=y&6z(C3?>9|@`sc_m1 z#MU+pjX7~%5e^8e`>TQCTYq`*Bl?vJQp4Y89>lGYUX`v!K5*+lm>CBatZmcst2>89#G7EIa- zJSs|1gl$1Vbr8Y((We-z;JqbQ)GtfN|pmcrP472 z!v|s$wOE`pbbMoBB{Uccgu>9$1%hGN46GOpe+*#@oTIm5WzU_LWMz$Ahycm;X^-oE zqI`1QhbE2`+ls8wBn`d<*fh9zj)7@Ih8l5;N^rvQVP1*q9D|G?5H;b}wHVD0aN`tG zpx~Zfjb`I7lo};QQFl~e30$7#N46jk`|uj?Ae|r57knR|Eo0Az>MK%%G#E?Ta+JyP zH-h9}?vqLF*9!Ph<1&VL@>e~{NZ~b_Ul3~ z197uJNLCi-2}`L2#<8xhIUCb$!3 zWyRj=0SqJvQ7M2&Qb}c${t~qG%xNhpQV*C2!9aqdU7(k^k#`g$2j03)=uFX5ZYFKj zD9-;Q`2Pbo?b2Zo*hzu?&LBHDR$d!OLA+hH!z+&63c*}yW0QH7ecjQ3W4L;-YhR%3 zdQ>U|giGYq*h7|J2e?(;WXmW+3Czd4v0pDcFAnI_~65 zYC$O0yCoVZaU=e*1bKHj8-gi(Rx7c#_pW5-rPuLRyQZl!BNH%1GZqN8yF72dB^m@9 z?w0F+&WSfrM&UwXEL)$nx;9Eku}Hd52#dSqhu$vW7l%b2 zBoy^o+&`;0MiuU((+#v{_03F)2M?oamRNYKf@vBAEtbbX~|;AWef9_ZfA~%FOOv{^l>CjA~QjNT62; z5T!?-rTqR@SVrw#VWFWxxl%{qgfH(1Ll-XNPH6>@aYy-qQkM%p+DbfM|Mo;jp0^PO zF06~|ARa@*#wcx2bs*fTqBX*=)3M5}Q34~Fl5N!8%)HE|kuo?21ph9Qm`fdP$d)G-kTV9-~?3d(dR)hlwga;nejY;R2QTeN%T{*P=)1uMpU#C0sRSZ31LZB) zY-6bjP`mreY8;17pP8vL5(f2Datd~o!|e|+S>t?$LV==g^5VV*p-52jl7E*%|Cf#D zL%Nd%0xc0=>y=4EjWA3MXMJ?SKfJGpd7V1&7Nb&8~e10dgM7n?(Sn(yOe(dJ&n9*sm_4IM?hzEmbCdrpz{a0(FJ+;f2ob za#FkW^^nSLp@|v`4L1I4Cf{~I?RV&pGK4b<4e~7uk>tVeIA${Y+6Qr#%w)q>Vx}ay zfizd-ux>#(iJ|#-Ma-D?qQKZ4c1zF+57}k9ffOcx%iK_O#Od4I47WneAwNQb$6N6x04ISYn#g#4=Gl5ieg5)jm*08$KhKOp1a8}Yp^ zZE7_YypJ6d=^2N2Tpsp%GTLX|k6Kn?9zKfniRIfg9Kn|e_=B7o_EkYHt?mPK0_QTlnFjWJ~4 zMNZxil{SRWb?UY(xpu2&k-99fAC<-KaQNnm@-S@GzMIIXIb%sp(GAZ&lq=jV63t(f z`K{;$a!@NN?~1_kL46?qn0je`?ViL$9tS`pBoj_3<-gXFMo%_jqwT*#b>>O$liBc7 zE9SzAFi59w6XOi8nV%U~QKS5z7mNxOf?05wobPxA{24_j!OOKNE9Gk-@xO{Ikpw}_ zEA;@t{=#TgHVokR6o7vGJJ(9F!O0pc0ktOgM?-9R;IDfT&dUSF`Ey8^ts6e&)gnt^tmY&iO;efuVS44DtF%u(Ho)s1?1ws7O3;)_kmpm8xu*$-pFu z!YH7hnPnP6G%xm!6q2|;`w(NMZ~RAN3F7Re?{F6nf}l}B_I*tK`x+O>=z`I}QH56{ zN|1_ZTzHn2G$Q72y0CzSiuHq$yDLQ}3o2h?%J16kkKR7OG`Nv4L-Q5Q#Iu8vW(}@h zW6*{zg)?=7phu4K-2ipZOt~Unc;GjOn5IxD+*LAi`)f56&bfc!si{DcGr zl?)YOj@x2Olu%~f#~CI=I;J`dpvpNe#P2jcW}RD5hlrH;X|Rz#fYQbxnII2ADw?6K zS&6k_=|#cfY4HB3ZT%_^L_r4CWnx27t~ybKgd&n>mS(4lst%yzHNTeT3yMwQ!CR)w z(#?I^WQD6^I=)UzwYyR;U9*Szf`7lA3fy`Opb^~~ArF+SSb}b6(P|bPC~l~^2utRd z&iFp0GC+k|5?J==S4c~5URD!nj1 z0&g2aOGHrOm^mF-ne3m~5*gA0+hUOEbmI&$j9**EG}p zv(KvUi3_b_=RTOHEa8}P;h`C7>HOD!X-3j&tP0Fy6LcB(Vwn8N{V!$XN>Np);1raY zix84QpTUox(%yo%^zdLnHIIh$O!$A+ykOvPq-8=p+Ww)DLspG?Kff#8S#YbxoHRe| zDz6OKI+4a2fC40fbrZHe8@66EUnxuqlN09RqYW7WwAxtX;Z(OhMRy%8harU1VzGCx zL{<|{2Y%2x8@iIcsJS=}C(Cul|ELF!9w4a$Z*9WlN=WjfWF|)Tzj&`W60B$h zl{Y`+Kk4zwfcyv!-!8(uxo}pPsdS>fXaf|M?zcYrjl?mtKvNuM`^7(@Z;!~TK0rPD z4D@)P<%dyoRTB(9ER-i2g*1O5o!RVEjhN8fqvXxHk|`2|(G&)z*BD9EQ|F}4iSFa@ z>jV4hI#xiB5q!(1+$8b8RT{kHdg2nI{~$=m(X`T+M;N5?x7_!6#It(Fr_Lsl-#vC`6*2BR3FF$&4@UF}^<3(O(AV|I9bQ__;O%dRR z0gkmTKh!t4HfGj((hlje;W}Z8+uQZq%%44CK*@vsA;xs%q(9N`XE8(UVaWn#&uV3Y z7Nn!S)H4kvbmxpT|54d8fx#-ENLtT62cVz{%$?1;rQSb%192`J!KPABfbE5t@|Wp2 z#JOlne;g~5$ZQUxJ;uzy_4u7DZG6KJ&+i3_yJega$-9_cS$MeodOP7y@1R=SqG=5{!wJ*`k>4}#x1=J+dXekKNq0n zhZs#uiLA_xQg`YBEL;eN{G4)f5B5Zupb=?_C825J&wGenXuIDu5fkX z4tJAR1cD}tjFh^p(8eh;UxH6xmM(<*Hw~HaBWX2&(<(AQCSgREFeYh4pXz8v@O34k z-$KC#W4#-22;lzFeLa&QfhbQGWIQuEym$2kV%?|h-SDLDdT1+54q{>M3#vr@y@(zP zn)WzZvRN=t5KQWmBeWxZBgYgVc7!yFDul^DOgUOl2JNkNZHOhOK#$zjiS5*Gxov@3 zEHubQCV(!gEKVm7n@6Ob5UTIfBFD%ewnOY`qViRLorXybO&bmNa9XpRi z4EK=g5pas^OZ?;fg0vwvxMUiIL5~8T(Rq5zn1XSSTSAW>K#NyAFi_>fh#TIIFMs&t8E4UU|J0htO~Y($dsFdyq?(f15d2 zCteCL1b`YDm_ZU&E)w7JAA3Z4Vo7tuKJbOXYP9}_D;~aL{ruHOn>#uJQZ60rhfx-r zF#A8xP(Y3^4B;E!^`6mJzp`4nV4~A_!FMV_=EC=CRPldCvN!)8Jxm}7b|Yf2p@kqy z694!jr4Fmi{{}ZuMBuu%!DpNwD!P1V#L_)|R|2Cqs`d8^+TDLZjK}{u00>MF8noZD zmE;f;%@tvAsp$so<9kN`zo)^SFwpG;w&XqkV-nzAC1etLZ_Ye1o`gob#|2b(0gb)FuD0wI>j{NnRG_Yn{ zrxN~uK9MgZ6r`WJ^3;&FYIeXA#fs$6>2U8``_*kk_0DE^G`X>>2Q^yiXMNf(uR+gD zT^(N|A4s0HldB;f+daQ-RXt4zi9?1?jIC690~n^IYt8kVCN80}JjV(Y)k(&1xfXjK zqP62MOS&Du$6E}~nI4rCOJDgLT-bK>_8DJq?ikb-FsxY|4mdx^za7y=ay)&39P@LE z*;!4o0K|Cs7z|E#y;Qfj7UJ^fz;?Ag)EsR(b=n4h{!iD@gF(kR@`nkEC4Jr5pARAT zGurwPLXIGp{^#4}3ZU2QR#kh$Zl!Y6g$SiHIlmftK1_|acu!-!-fk{kWmW}y>)v+^ zF72e@k1za4=fk(V>%>QS&v5=-TNuEhCl7zs(_GbiNQr!E4;4M(`CZK$Gg;S_|0~}! zMpt7IdvWyeDL4w6NUlM=0TFU*1g>dL!13{{xlf&W1X|qBEm;j`N-*?^vR5*ej95c_ zzvFNFPW)Xh9%SB6+iS}x)_8X8xl@Rd(=27}dsvJ;*D2Y(70)c4oXB!&q446XDu}p- z+6#U<^CpUaNrxy<$`@p{W^^MiXgJ)EX1V;1i|MQs|Ej9^fy-`BRd23}!d!7_Ud~Q= zxq2K5sVp`+rfnTvx4K^L@Lbl@v~8?17724)4@V9Jl25yOfT2@!;cLFTYC@0>#27k> z*BVX>d3JOo-N|*zK;ba7KK4~M@8sxa1=oS|zA5uK(p9M!zNqf;gqkiLzY{*ox4iU) z!CwjpbYgJ~G|Ys4u|0x>*Tm)L5TGgs+A?-I&8oM-h5kYmD=mf~;WI@{QA17->D|mnY5g6=kyx>Y=(PNC;v+i9pXaxyq=g39kNb6C> z(083y99>NfB#)nxM2wnR!SCfqqZ_>;Qxb&P2v88lte^T$-&v5+a!~j*uCC!vFOT4f zhs6lN)Yw4AZ2uO-Sxru+-maS*>C4UOB~d^VyUlW7`2HRf z1;&hDnY2m1)ero*!`WmH&he}u>G1{_;@lzwIwD75s_0vVoS47xyA5Rq0BqwuGUWiF zQT@jqJBe*JG!S&)>DSZ!Iq!bxWOjE3Z=YH;uU^_O`eP~(wei0#?v_-j?v;E>+_l~6 z#=^!}+xhl&R~-44JP=Gs*Z;olzK7>Skl?w>E14Wj*-HJ#t?q}rLh~ecmGhq9c9-ql z!IYf`jwuCzRR8a&$HCZ#kCGinTP=3wa*kF5_|?N<32heMK0NGfpCQ6J1ZQAWh=)Y* zH$R3`?o2mV_uSgi(ql~YZb&!n1v??`EF$d#CE=9)S8WFfg8(UHL=wpikw^s+P+oroKHcatJlK7@|`jb30({X26fzn@AGXO;Yw8iYqHKIG-&?34Ebkzx$F@&&RRwMNwL5w^11-k*>!=z%uOazZ_>G=(o4(WXw!QQ2 zOfM~OV^R5d^?~8@5_g2#bpJ2u5S})U&zg6-k=?0jylNM!IOd=>{ z`UY906*4oR;ALu3-%2aWhSoCphsyDqzw#Yu3v8xBZ)m+9+#6HR@V)=cGOc}_h1+poE=Hl$sjUC_qFf0EoPek{?;g8WKAJJE0PC0!5f$(}tIh97VFeDnS*%;4P} zFKcZF>yK~R-2>AWj?I9Qpq7j1q!t@@MWY+;YnYzT<0-oWYZjODtkZk#_@}oqZJ9aE zmkzwn8?H{>_S4d-t{2dc&tr6UFLU(@KSO^jZCo8gyS^qpn|X!2A@BQv?W|2RFQ!GF9dHhrFl7KtB3tvr_^mDmHD~9}7G5s*&UcuY^ zFZGl<6tv@f2l%S8NUgi`Lir`i4+5`ahjvdGoek)OQ%};2154|b%TK?>UJufKNwtLW zFHAk>BUV<oW+{dZ~5Oo}N{$WpH$9#D1uL!RXdxr&OWl!8Qd~RGfZ-)hTTO zYYrL2@i<<26gq!tp%P_2=!=*RgJGEKg??XO-OziC{F4g*m2lOIMalJhCQ+A=3;54p zKz;I4i}5=?l;JrpbC=H#s-ro~+ud2a3?df}U2Gt$hvC?8;A!%5fi*GbK=1S@UE0ctD;a_z)vnmz+1K?#Z2rV}AqE4xz`_%5cbet0`;JAmDHGH1i+V8P!5eu? z5>$rTH`3wQdbZ|uazfQ;%(yJzDQ?z!bF+HhED8&XmB8--tt-@DxabO9%YTY+lvfsb zYo;qXgJMg!A~=g zbkk>E{!?zxnYXpRU0%@hExS5~uslZ0XhqDRyo#snZHA6GpJ7f0Yf3kd)gfkG-Z4JJ z5-V5~%Wb{w1G3L@v!VPv-NnDlRB}p`Tj=cy+W<>lK2SsK9y0zd z@{&Bm*y&Ge2S+=igOFX`I_l4yh^1!nd<9sw_4~f_&cZ;b;`3KkiBwG^emk&}2?f%& z)LQyvt@?gWoxE&R)wk4A8TsCtvOTD2It&bOT|23Dz7b#cyyW~Iy~F7-q@u;fMavt> zsO#Ik@sYlpC;fm5H*IcZ+%Dr>UtAfHy`vkS2bp-dOJ2iK9`9<&C0c)KZU)J|XD!@% z4V2eE|FEpN5L!IJ`(3RACMTmRsy{Ho_7%;$=5VQn%0@0v4E`#{!)9Q8!i+q8eXIT( z&!Sfgc1{x>lP8clc`D1#e2~=gc`(AXy!?4yt_@sFuG@1XrV`K@=L;_!4~D38PCEAmE#)bKHK=Y!^$5R=L4 zH&-euJ5!2jj@4>BIe?@cba&$L&YovkYPz&A@pCP|>zbBW?K&`@mU9wDjZT4;(%o~8-BI!E{w(~M zf%TZkk39($?_sBu+M%m1n*-I0=Mfn`3_6v|K_%E)!Nay`sGIci{rf5M{d_(r=~G8z z6)A>Yaxhm-gacj=?}*)1(a$MhIoqn$-v^T-KJ{1kAMCPlzNH#K(P5)A_Q*R4hfb>p zKzqO7oR`fv!>_mBBWg9?!maygkHoH-;YRV;<^+F%9a=4lX~C~APClLEa58ushu)RS zd>%*F&KQ1gljh*0JCGZR(Q;Ag4EXeZPq@J?y}|)*w4Je}?93=RZ_tP#Ytr+|kf2D;p`YZ~MpgEbR=pvq>qf=c3UaXi+tLb5tTP zn!Hu)GS46RtYn9mgnjVU=0j(*YrJIt)@{W38Im^yZ}w_d-_c3{LRXuP9*XQ027m(t zKsle=M(j~tf>PDy(b(LCUK=4OoF<66Juc9v8R7l>!LULkSg?6ZHw59M++W$KTwV0# zrhTqgn;{8L!+WL;PT5qJH_!qWmumcw=tX_g1%9hdrP)fi)+%re&HQdAv=2@j_Z3~K z+})>i(oPv?J#7m<1BjMRL_}?PFXaL~ty|^&;}0ADT>5eP&vWCK0nO*~XlbaG1ec53 z;#=O-L1w|UTE7cI@-fjft(PAGzjco#UJdN?+_~Maan+)Kso^W%BfRRlu~{qhc%W=O zExuDkjk(&qMLf3j1~s4aiZ>q<{m^^t3m4E4;7}4fxZ8V|;IB4a`uzb>hc&yEnOrVu zDm!Mah7g(3qAkPYI9j357vqYn;!0nu5XkZ6<#INxYLand)ksgx{r0BS^ad*nC7;-W z$NOeN`Eiof;S+nEcwl^jt;iNO3VmA0;Ky0eJ~L~PhXxUuw+k(!(pL-Wv#~fn8?}M_ zEYSR(=odQ7xQ9kTZ3G;)L|C1-T77j&05u1qL==#8f<+XywU4iIiLkCZu-vH=>=WjnPiL@qS!| z5mhzsl@XkN z@??DWAg5mPqj(sRL@xr{Y(bKpSjL*XtCU0T8qV$U;4_Ebf~u*gvQKXmht5`Vp%hQH z=jo55`df!}P5}mYLKiH7`z0kp4=tV!@_%!aqikPSZ%!9NkvDWryIWPunL2m;ju(8A z-y~ClVBR>fjh?vQ4aG>0uF6y5h5W%GH;C?7_V@b|(_n2$RH%;bdR6T)hKaqfKX+?I z6dyMCdzIF{_+8S#4xs88Nf4mu{FO7g)rEMd_9l3!#tq8(o*I!ZSA91!D zMe--z(5>IQ$Soz@zp-yRGxpr}3s4Y8YzB0RWt+J0mu&7dU5^TIAH~!pXtLOG>uaF3 z(Z2+pJY}|DE)PYwh_!Xo)6ouMAEp?NrSgU<2M?c$efvgtf{$O*d`&{cr4^$AMj@Gw zo0fzbwt2}#clG$}`Ym_>^TPX>Y@ORJ&*ler)4Ed9pi8tr99;_BVDsU@xbaTMvS z*-sov^rE%1=wATPi9b0p7_|42aS56k&IFcMA9jvnZ|ert-XcbqU#GBm8>=Aj(F&tZ zxR1KbM3%}8(HOIFuASrB&%KDZmuSQ`3sWZh-c&IFW-)L3IlYJCGgczMM+_39i5B;7 zRGNQLcy{A|yO%xP>^qOJ9T>P&n$}{2HqKyojLNr{87yk6bvauL-zw&GCIrv^YhXdn z;wU0GG0nrz9e9t-AJklo`85C)l*0yxeV8ExPk}%1_l$fw{xsX9PY7C(N|dF!6*8+I zVt7w)l+_J+Por#qbgCOrUGx#EK(cWME*Ou6!zuSBs?$up8~eV_(`bU$&&vUIB8}8X zL|c`Y!Vd=`=NHF7YTo6)rInOOW*l(@JcV_7zUM2dvFssaezw6dNsbZjBD?*#aTbMUh^W*AiFm03vJ6OO*7>mGk@GzYTENwU z3~Sv@MLfsL5YKOD5VYa;`u>*wRcT96cRP_MO$X8e*#oUzoALh@O) z!E++573PpJ99}w{W(L$&)1+#*f}W&JJh09cnbN$Vzq@W1-|nB*;?(EvS9SfOJSzo(#E827palQB1E!j4o3%6R{cvHm5e&uqy@7q+or&WsdB1nly>Qsicn z`?3B^Lco%o#U!PN+ZiWv=)CLWU{pv7h}@8MB|{LP|BKx8z|fYze#5z*ixx#M-aU{$ zG#oVQd=V$=a(+SMy(@4!nk;TxEbcHh0V-e2s}i3X)Kz`L_xatM-ESu1<|@KN*g87@ z0Zd1it?a8O5A%}fH_&b(EE@+l6F*Yn3#PCs4ul^2h^R@=r~iF$~2R+fd<^2qiy_-R-R6lym6MzVY*ZJN<~0Qbim9%SAS< zm)DW39d4`Q6v;rHvrcVomA%!i5Z^LfAo#;9Ddd@BOtp@z)=35-}b%<+q zG(v(DXiGot4Xmkt<*hDiF&J~+I^^jpH)LDlQlTvPk&!W>s~XeSLm)HP2bs^?G+7m>| z$T5XZ%%$HCU$r>iwdggOa1+E29M#AB=8jwT1f~Wezr08Itl_n1do2vzJ{{_XpNqTY zbR-k&9&*y-HLc zFgrkQ_H#M@?AMLJVpV5=wL@GuR;?_x?<_$^-It2-hddFI(WSV&559k9UBS_C0wFD$ zcFx{Mhf217@G@9YGd6+AZlY&=|MWcU)tib&-`AA*Lw%B-F}yJTnkz=n(qH%D!9<}R zOUrk#b@mh3Mb|SVGG+Rz-${QDG!K~CRm@9Q$Wz)Z_j4cNX6cNfb7t7|^kh#k z1D~zfR_p8ck&fG6qEk*29oED<(K#I-`Y$)%Xipz^`f1@xRDEi=UACi6Fk3((l;7+4 zV~g9JH!mLUav9I@Y2$2+<6Utx=_gJWyEpX&CZ8#c35FjLTI}>KJCvR!*T|Bh-J1=l zrymUl8zacYs5~E$c2^J?R=-Gr`Y$f_iUm{)RqlasZ_}23PqDq zETP_}QuJz&J8!orc<;|XX1|BOG3^`mCvwPinr1iSEHW4675jrfT39BjhISWxh?Y!9 z>Y06BrMo2Jhr==GUK&a2HB%__`_P+vjdewBPYGjK0)75~ocGpgp%&pFJPY_C)~kdP zB@q^#V=Ce&Sly+G^pPZ!?9WVd4+*JV3wV^^@?KA{q9~W3=o_r;c@8o0VE6Qtq7y^f zp51I93439x$zk!gA>i|EJ8zkX1JGhHJ255{PmSYDcj*gE7(*3%K>PaK#&VNAKCNwL zAnXoxx^#6nOhgm!TIaHI1K3vTMyKlN>V~2Tr3cc?e5h%Lk*M6;RmNw`mfwrGJJI2n zleUw61rJ4L?mlS!r>BjQoEWA&znh#Y+`-*iPMfB8!o%{WDPx1wS?m3r_+T(Qt;p2s zP$J;-yYnkHnsBEn2(&mjCQI%uL-O2N7m2eXBE*A-)HyA|Z64QzUY)L6)pEyYob_%F z&IQ&sWc*_O3SlMms8KIJHxw8SgQBAsj4Bb?8r(=260qtza9H8j-#;lr3hU!jT>V1v zP!S%%-H2fN^w|3Jm`P`j{crZ*?zECnSskAQx{N93%_s;M{s8QFmvb+*fsbcHwib%&9qZoAn} z^bNSu6!**>cl*&XgbP!w@m+Gc=d|(oUEYG?D$eD`Omu?rhr|;kzg&FhJdRqvGR)^` zx0a>(`IgQCZ%P#g2OHH1CvU|=lom|!4es~r-nhN7<8qv-!~bFLEd#3Bp7(J@LIeaQ zrIqH;(v5UWOLv!agCL4@cS=h4p|Bd(R)%(5vUjAQwUR*A0&slrc zteIz?nKgTDMRsF;{?o;WM9_rp$Y6BvR%muDi$>R%JF& zjc}#2FFrSX4$55|;z)n3-t=Mo#Bxk&EwuK$O<=J)Yh*nw+mQ9F-5$9% z)^jo)k4q74EyYJefpL2ai)h@HP6uXM71Sj2I-YMCieI4Vcz-1qu9S0hEfW7{2lvh^ z!PZS-)6NH<`1cvYW*ZQw(p_S-Mdx!w`GI;6roXhDC! z9H>IAeTmgoaz-FU>_ymlG8b^+({SfeFc7^!C_?d6bRjSF%5K_~fs;mP$cR!kYu>}A z^RVCNju&FAufxN6uV6kgUZHsQZUiHU%MR(z2M3R`mdZQ8c{m%h42_esuj0dqI+Kr% zPOB<0`Qi2B-aW_%jv0Q~`|vL5`d-_~o&xKIF=p761seYK-h+?V{@uf*FD-mB*;w)H z<9^bhyolDVMBGK+SVI+bfGz^ZLS7LxH?q^plJCp}3C!~9*68oP&O@@@&tPPqop!bli#a&=!d)D!YG|FBahUrAnJo57IQmtoz78On!-Q@jYgJd*k&O^{1brMn zi?-3|?NH(v7_&yCVmRv#NbimvvuSe_eo|{08 z*1>(+6a5lSw;4qp^D?2Y?oPOm0D{nUN#@m9;vzv&?PlsT?5C9_aHDmoqT7x3r&a$ z^w2FGz%8k}C+&%Sx-W3-%%Szk#r;*;YiSP$tDwqgn+|5|c)1WUGN52tL=(NKXUSbeEkF!&D3_w zhv}B>tnG*&KM6~`&MW;IPwX)BF?}YgvnRt&eV>!a%)IvySo!x&Pc@->Ok!DKDws`v zK|gu{%!84;NxUT<E9mdcz>d8=-lJoyj!lv@2ILKRPKd`PntWPdGNhA1ny&5LPxu_0M*Ij{T%*pj9 zEMZ%oJO;T%rH2z~ugy^A%Z$Q40*|PF((lZiT_;(v-((Eu4>+00oJY)MXuJn)Zh(hi ziagh+K02C;Yx=uft%r>b>Me^_#1BK9LD< z%(ww|Bk1YkRmN@!Z##qIzr@d+=Mi)>)a>-eQJj*mV!r>F4Vg;YP{Fyy+jZhMpfUZ=Hc+|;;O z3;D-?2Y17!S+97d%xtsl9sL_GEw@hPi6;j_5 zNuJ~Svv=Wp?`I1n_-!6|v8Ty$1a`)7x-p{+{|1EdoF?~>j@(#fXU(>C9f??ErihCM z#K04oV?qMpHwu?pM<%FkAImO@~BKhW#3v z_rx!_qO9|AK;G4e*e;C0R`EXPFeH`_aK!EvxbDa5}A1bLcfm z&U$AYGi4h*pz>^To@UKCC#nhFb8;I`W6on*YLDxO zmS#3*Ka`YojO5Cv#Xiu}F z@x`2ucHThBoy}84PJuH#M28F8L$pOKt@mb5u+n!dY&P*h@W`~c$&F$@C(DTvmgA!_ z1*c1L1mFr0+HQ;ZLQuq$c5Jt7HolFtk^!wx3&oGbW&XacaEKsTv(voo-o%%c(_SZs z=O3U>92%oc%|>)x@#JD(9EjWRv|OPOJHEZj*ir0*A*)*Rhxw%AvfPOe-H(+%=;++v zyWFK~OW)POEmo~WP};HApQ};(QlwQZOOPv*_Le3(t25KoyK%4GLhHJ{dA&HAzpyh% zx3nXzfkD|kC7Y{~3_Tb}tV!fh+e)Var`bHXtc(=vYi36tBM!HV>f+l5pVt+cik@~? zMlwY40aguYlecj#l8x($SM}Gzy9=g{bAqJ5@keMOqip zrf?);{^iK5i>1T$?sZV3k9HuoF?W``CQeseuXJ+iRTFmU6%3(~Ha+0mcC@*0QUbrv zHp3?S0D85}c-DL}s0DGwidQ5lMh1V zTv}V|&W%qEQh~~G{tU=u2JJ(~f^eOMc9d9;#^F^3YjI4`$ zbolE@*7T-u@;r(y(}yR5nG{*pJ*XFL8A11ZYjX6p+_}3rMjt{A*xrXH1!jiGgMCusVwv=wgJiCy$+~kb*KGvU*Bj!s z=c_BV-aD>FR0>A;8wKBH4=lgwYFc0(x<0H)QK|j9*3ygM#UYF@7Ys!yaItMRC zQcW7D#ItcGvKO6RWZI2{&7OZNV%Q)*BZVbS5?xw#FN36Ya^%x^_xIU7Z6-z~;Nweo z?p)YWwTvGlYq9_A4FDdZ1rBI3J2`)D3Ln-Pj9aK)qTAwqw?9saR|Vc?cchHNZiunSn{MyUXP~W$a|K?^ z^!|W=$^GiU_xlT+4{bQ_P=jbc)-44oq*wWoziiqOA3n<_h1YmCdzDcn*auPTnO&H5h8G<-n(Z6|8sBQsu|@F02GJ&P}oMY`-V z3&)J<>fY2ED>8SP1bC;en45P|AssK(B`w$49PNiT^C5FeY{y?eI)(DNeDU*p{-LgL z$4d+LTCGf*gT||&9{PpFZ$+ugP)ec1fXHAXBuM^vaXj~9y5^;;A#}q%wozAGT^zB5 z+X1x;9TFJwzPOqQsSuEQ<0DFZA71_89Hct(x@q+6>nKjq3-&sA@theICkt%Z}F(*JTiw}N8(-EyC|LWYVJfvyUhtR_?LhEun7+uUioHZI5#tzyq zQpKi;lEHegi@`&j^Ykk0Hi zajwlW)wYmY!xcaPJv=ILzhD9?o~5+P;w??kfpd-(WC0A890`ecUF071mFC>yD-g!`2q zfeexJ^AP%I1?9V~R${|TD1jtT0uz8kIl1%(d*9ZPl1z*k>d`zx(d>QkLOlF!jw>tv z)deX&iJOdQjzs!s)p4cwBhC70c-`TGOyPd9*Fm=)C^=rfhmZMIDOMxm>pHw~RN$y# zP{qJVEF2&>xho-Tx&ySY{<9_c>d8yQtMiKTjjcX{7QX}FrDg}V&EXuM1^m^LXH;0b zi=rZ5@Y}LCm$^QC`*l={ZFl|^W3l{zUP>9#ec$lU(2x;&u88?d81Se~&7kj7=dhn! zyFjx{#tHm01zbeek5#iPijkOqpTx;r7^4I{S@n7Z{)H^F9r2kCTVUIIS=++P)|gZ@ zX*=ekC(a>{?rbKMZ_Kdpl63Xcd8s&khFz($UOHi;>bHcS!X+^opoWts-u;48ih1)i zeYjLHHnV{|sUQ47fo^f2jFN0?)3YoyZipyZNhwG;a4NtFc; zf%##t$NWSQ@DtW^{!W@%!fWwwsZrAYGRuqWtvT}u<2A4Ollkf036GPl1cW=N6SoC1 zG9-e?C4yM16XR%Tf|PSAR20d@bGMX5W9=zaBv;;OQREqD24jl_M>k3sC{zr*s2~r{ zM)m{2E5egTwcZj&H9;J!JpAk;V7b9n!#I4a-orhv*=u)u7n^Z#+hK@n=)g0LK`~*T zcZlRRJO&=lZOj*qZbYJ{b^+4`eJQ&4gz3d2gTji<8HbG)@)tN^`yn-StyBKwN_&w3 zY)1zzANCtQH#KQIUS(V=Dp}vZz7U{A>6lb|V>Q|el`EaUXW9J7f*JMT71g{qq)1|# z6rLHqm%cw^fEGtb7}VM_iMsuXg$W)*@D^})LA_+SfwiNaQo4;ApR0hwK=J!Fh7ASa z=8I{8F{-O?w&3Yo@sD5Kg1bxl*AKxKtU3DZB*_94JK=aJxN8zT zjBhtLY5CI1-h-I=Q}YEITe^o%j!TQ?lFv!Eirdh+5kgxW*5uX7b-_e1BZR@qOZ((8 ztRPMn+|IHn?m{@XIq&W`srcSQz*(csY_C}N-~a;|<1Oll5ewE2ffsTSl1jfuw_JLh z8QCdbFL;Hod!ZAL%snNeb$ipu)EHxCx0lp>G>dZ9G2{(mWbhfYwj=u~J}{B3`c|at z-tdjD@_hN$6+3O&^EAp5rI&N|ggK$P1wL2t1y?I; z%C&1Yp;znOY{wk}Pj-hRYuH{~wwqR81f<7lGj&eXcsmJ4I9FU2mrV$iKm9DT>YR;eg#s@YU(NKsuDn)nxt=a2IRKx7n^SBb z{IxpYmndThK38sMGT=Hde6wHIQ+%!Y8&S2YrW>ijv$q2}b1FF1oT_X=tWc{J-*+^% zI_wCO*3w_0$HNsy2&pf#oK}t5S`LP)zLomu#!{sXpHg{0TXAUy&8N}oB#e#woLRa> zIzc{P%yZf}gNk+%M(H3mkOIz<`*A4Tc4rA);RB8>tDGOiE<8LeX}*u~=1Ulg^%Zo4x)|44Xj*vquP% z4TEu;eT`$|1##D>^Oi^QSIV6Ma+VjE>Cd;n=8g0FC>$d~&79PH$<1>+owMu8ipQz@ z)C#RkL3EY(K4Qtc(1Flxk72&`Zx)l~z2vJ))5q4)XAAej=cphv7Rz&yF9}5ejSHo) zorV0+_%9OQ*z>HP;O2^D(mBU`1fOnvp$t+Gf-F*VToxxfM}b|@4sFnYYOtg515EY= zgH4FS2Ls4RHi=o^iLyO+TRRjtc*>GZh=uLyOr5P6RJ6ovRT^3AuTa7k@_E?d`My9cL)0V=%2KgQWM(bnFLG;>N`aQ4Y zN$14BFZ%!eVWYgTGJnz7Wi1XI-SLJVgf5cHD_>1M;)!QLgKFGor{s zi=2E0HiG&YFq?@*Fubprwpy6Ab(zM;s1-NcO?M7>bIQO~d~16D$Qj9fcM=(0u=|Q| zMN9zmm>bg)=;h}Z#RjUyj=Cn$V(?c7(8zn%aj3^wQ`Axh3gC-psG~kVeDPmGE+8Td z7AZRwDUW8a^%|kfd1h!HWPRbpr-^s`@Vw_vB#cRsFHl!Ewp`u8Eka)%RuJ`u>5~Cg z{+8pt5_!bte%jDb@G#2|o+Zz$u*nxT&=RBPA6VPCN^=@nNqQKsTLekFpz@Y_2XYt3Q&MD1~D_NsgsjowbNr*O>Ai z3yLeAnf_osh}I0a#KO>HvR}aP=VIPmvysebFpO1CwJV<TdK4fltH~kC(k20r0 z;zk{5Qb8e$;H~459Z3!gLQx|7SX9r1z}bJ2+*IGzV=`YVFpnk#fR+)4S=Wim=RwsM z#S#wsJm@+lHDAaF6u*XAnRp#|5iY^+*IShp5Ie40b0oKkQTv9bX$5aupNMY&-) z|CS55HYL+~q}_C|+aix-(slU7^hyJzIPMDp^{Zw=ah6>J$VB$8W#7rcm(92w4qUAv z7KBnJLffr-co@OAbOCxE#?1 zxh)3C#RSc)!C-x8O1GL)$?HGIsm^^_&s{jnF;P;3S|?(3U~!Nf@p2L1X!#hT6g$WD z!9U8)eV0G2@X{JaDXBmuqu%l`y8&C3O>WZJ?@XRsAKi;Y}PeVZT?dNx-zX#mouYSC4yyYe)1|G6D^c#oH=W z4y_XDD`lu7eI~h<(;GDPJ8zuit6bO5uU^*?^_d$#|C3Hv;TY3eat(8$q)MV0J9|1_vqn=%Bi%#T zKDbldm72M1LLpW|?Pj{&)itz@h!sjc0uvLC*93R*$y2^#0vL;se_aEnY6AM^!-#77 z%A#s_(t`nKVn5bV)|R#+xUb-HJM{XY0p*v3vhF&~M5-fT+0`i9`D);Zh3!vSFDj4X z3c?P*slJ952@Rr$0O-~#gH1$acV?j=K!yu zw3t2F&s;Of>B*#dm6i+Dp?_$cSW*p5LKhBApfB(f#M}g8?Hy(XiRODo+a&r)eg34Y z%@Z@u+ORmSNn~1``FjvMHX_%gZ}Tj<)%~6Dw3I&i6oDmdGcb!dWyOWln$FmO!_r&& z64!%he8T_XU^h(nyYvAMvScVgn7jy>G)3Kc11sA`LP>ilrf8@1`!RmW5$9d z#YPd1dT3_jtuxhXQEr$RRVUM8uv;?rliaELe8w+4U>QqEO132t6NElRyn@tRw}B{t z71&wxpsP>VzA*-WcHg9p_-Iv!-37CVj^*szj7?zYCj0!rgm^|AzyUATM~(=8z=8Ex zL5?D(LS~a>dTq-9d`-fXOXdFQU zEcr-GILx@$A8(bovY?~r3GEK8bJ)ok-&%DQSu zEAHEe7Q|+G9DqzscDdMp@TUw$g!=dIkSTE5p9d>sS4`XVov=PQy*FX~eq7sHKPWrd zZ!=(2Sz12^iLAOBZVjqVZvcmbspzOX$M5L#dA-&fRFv2{gp%c9>9u(bnVkfpexxIK zmSxGj)Vi+PjfXO1`h&_KS}*T6J-suqn8L>ujtT&n%mg%m7BlB}y) zzn&)@UwQ_ElpJT_(dWjWl+bO1;9)1#Q$;xDYf$aP48uZzhMM^WZZ_>ZSJ3H78mPVk zID63w^`K=~f^}V#wN;%l9SbDNIH>mkUjvA)?^87p-~KDC{rJ<04nrmei;?4CJDl2d6r!D8%s)IU8MXZbl%_B{7&p&#a-b+b#DK}m#6z!J^ z&CEY9$9eAf`T-^rAstQ?WiN@1ZtI2@Ra$zD%p_nJx|Q?2Ej zpU%~+%Xoc#6w(6|iXIb2Ou+;-kgQYw^rvxWkS;yT5)%HA7MCqRCmGVeX@xeF;F}k~ zoOwzmM*-Acc`Q{^Y_sQxS(1QZ#QjZI*K4#GDJp;voI^fPh1HdW0@YB*t<3n)24%8XO&D@ zT~;f!AgVDrZk!b(UURXyCV2&&OrI37da;x_K%$ghH@q`n%%)ivIv_;>9YiT1p~kAh zdduR(H)9?(NpD9FYVnypU|p@VpI5|cBJfMVFfN~-xInXcv+^Peq^UYGNi^^BjEdj2 zlyY~rW@MO?+6~|W6kVRe16?omBM79zh-Q#`u~TfQPtEp4s^#hgxTB!f zM(3qh`-#r{eu1XiN8S#9(m6GbTfIY?u=a;4OXL9j7x4y8K8vt99c|hz?%q*-QO+Ve z@A8}~tyT?b-cCkm#Ah?-qOlurljAA>r&@oIX~7*X)+-BmSqE=HgU`3B5M ze6!W#O8M(_?gG3O!r;bzx^6cIYx7|B+R!`MBYc3Nf42qx54Ls-j^LiFZ(c|Ed}2#H zWB=wwyzT@nPgkK)dB`$I%cuIC5g43g4R$OhvS@$${#|LsW)JhGY>^z(Lt3S3Y;%6p zYJBk-xw{5%F&x%!jxJ3=MGY!xkEUPJrOZMB^YQSwdc^l9oS^sJ%NoPKPBfo8*b{eL zNnShf+nm&C&J;`q{;vr@ci0Y&hOafKjA%M;f4fFQGLs2n^bp6vrZAQi$SOBK3v=(i z_i$Q>%wnmQcYR!z2ta@dOUl2>1b7m@@?M8ig2%~nWZx@wOw@31q!hZ-Yt_2>Uxwoh z>WstkbVe=bdGo4pXcY>kun?!0$I-Yn%nMACRy&32-wYq1Reh!=+XquQ*0fhhrQH{B zeg-VI_?QccE7U1PP>&3N>QH6QfFIEOuUZOeSuho7@JTO*gm=yHZ&!Ms-#MkY%w{+eG7pe$w+=t~KiWwR=>liieSS~zs}dcZ(Kn?j z`Qc#@!oLWj7xMvRToe(z0C>;9*jkbIvo|j_-pCz zHl=SR--I$MUbx5xOD41zEs$ZNDra{c+S(3?@x&B2F*yE1OA83x-cv z0fBx}8KaJ(VGt6vU4NdTt-If#owjhlthH*{#{poHvv4Z=A6EiHFvAp>I$u`q<3CLu z7;*{?F!;IWd9weH&#VL9C^7WG{O<1}{5An+;a5yX9G}cF{~w=mrxe5+eQJUK?6+_J zHp%~~=YQ(?gLVARdj98J{|zqx|6|)Ii8S-15m6-4S(F<7x6xU9`R2l*&AlU zL04v~`gXPqmE+$$<(K%>`ur|HsXJL&?*2b8eo6+w@28Ij|Ke4@eET0F^uKZbr=LHS zQGiPG|Lo^~{`Du^s1;_u_Y=s3A4eD`e&HOPSHN27W(vX<3yfk_!Ey(Nlm$D`6T9-VvJ<#CkVJDf8OBw=KT%>TVyimQ;8nRnSLKmhfA)tY-zAsKR4puKLLI*^%%<@^ zsaRrwNjXX*XiP?uwo@`!IW9^DHe^mqvEj+SCZiWgGMOs<5L4@e!)L8@bt!ta#BJ(I zEs8iQ=pH#F&X}j-vm8UeexyFh zx8CCZJ2+j^0wlcjsc_3*yt@|R_JIr0%r;n~I1WD)tV%#XPGBu+p39^_tS4fZ+XIi4 zkCo_<=$8C43)5;@9Mh`DAG6s28f}bJp(TJ$y&v%f=d7prHH}_-0{Q(|%J(t;_G928 z))-_%nOCF8vN8*qypDGC2VBu>FZTBxRvUF%z*>hYGzbM)cd&y*v4at&VWUZHhwmr< z6%#LM05Q`Ko|XP3W)Ff)hC(Svl}4eZdG&kM1nRA~xcU2f9sUFg27YLo)|Fn$7Bo`y zIdVef+tPAEVY)F(XCC$x2rW{V^bwSiQ6F+xZF*%j?W5v&d7_aOc)R^6qjnP_D3r>a zw^E|-r4<7&w_YNnh?S!7i@8d(aQ{93-zoqS_mcfF&KqU6>O5qsX0oWRS1oj+FPTuW z6}9M2jm6&9zkHL3Ld>7MKz0qs0l@xR_})`#YfSqd6)Ri{9}&6dan?$P`YtA+ zswZH=eT3Fh5mavuaO1-nZqM`uSsWMRdX*@{jO?i$^ zrO!&Z`n5xQ)&n5btPE9~E$9m?*pCuxp7{t*Y0@d#_Vlq-uAgN-A?J($TW&8hW>O5Y ztg~T-+3%h>^$fT*3Ssm2+!0UiHl`yTBjaY@MNph-vPD<^OnJ^*^^pha7UU*u0eL+{ zz@2;1r2GjxV1=z8Flw#g%<(}sC4KkRR`Q%+a=Dq7`DUugoaQ?7*@ROw0$c@&`F1L_ z*l^L%+@aUMC#0J|JyL7_9q9X2M461a`_*N&AEqrK8rJ?Wi!c*%wkIp;P`6=b+Ct99 zlN>@wj5qXc4M8Rp6EopM6P-YQ{(=#0-3C0RPHvQ`rA1M;@Ka3ubiDW_PM&!hjo$<6 z@jJlKh!f4;1_HDTHCiw!S3^fU&%Pv@cWkC&m?ZW?xuLqYmRYaNP10zh2x_u zAcy*w#zKVyoalV`kvZ-Lg)3pbG`rEsxRkm+xar?38lUMRXjn8~vaPL%7t*eQB!6Cr37o0sf(>wCZ$CGdFK|s1yB8KloHDxj`dpb- zLBRafB<;bkcWQM9Dkewxo?${sQU>M{pQ@qjGcxH@U`Ic5EDS+ICIB_JkJM4p& zNpi8y0Q~l^Nl5DeP{f)|A#l0ToiM!~xW3-iPStd9z~cSHpql5W;)>CcEEu~QJc%&h zCF*@Ztf^cHG!Iv;4kg&D54hjX{f1Vy|Vyk3%;Po2b~>*xb(X7bSlK@m43GZdY>W<4wG4 zWx88bQnUfX9o!h7<|+o$k2fJtV^Xceb_M9WhTP0dQ12Cd`)W{?qg>}pp)7>2>&$))dAtxg!n6O)ihuc17r*3d$w)>Y(6<;B2VDs!#V%GePE;Qle;^U7(O?8Js@vEOC z?z}Oi!jegiFy^tXiz4}}$hj`>OD8?9!OQ6LwMa@;iR%8qdb#+{TMoG7 zBQvqkL{nfYCSZ_N_Me2YKpL%k?PK}|ec01wrSwJSG+rY&r?lwUaf8&^vw(An;u|5nZ5Yt zm*l$`D2~q-ke=N5YXdbC4^LrU%aI?$Kxx5B2x!iw(?U&N?AFdOr^$ebZ<;t*vD(>xXBr!r4taNfsbBd%tv?)as%3sGMv zhiJ{7WMUMjVw{N75_qeKo+r>K&zeh>l2La&s<%3}h0mdiJAHs_XmFV;P7B)j6x&mL zQ8%QLoYrz>hT0_jQZp+@krn&E zZ`rtGA_PBtx)tqaSxE8XZ+v_S=cPx0mfpl}2N11!Sj1Jn=6#DIZJpT^!zS<8Y+H<2ODrU`8e6b77 zo;{>e8sT^^3GglRA}q7(!w-~Q-O6-0E;;F}K|dA%H5uR_WdqbpLbrTY=(aNUdO_dMZ{iEz;Tqclg=4#OFOHpr)p*zu0rYqfD%AEDg%u8a$3RtAG;sMh07K6 z{PZGjOd~3OLfN^JmzoBNlBvAPwy~(=oQjQ^OXxDHIf0q`N0sc76v!LUD+Nga?3BOP zKd3W7;`zUA^|zsKU*8? z!oD*4hN8|6I^K;1Qp6DnWg;^I%$bG(rmS3Cy%tgYDO~mbf9t%4K@iV=^DXZUuaI z+n||l!RdP`IA2!WlawX%&XsBo$}VaMCmB6FtfGV9zfu?${jrdOPf!s zeYx9mUaC^r%?k4ppzlU=t`#K)Mop8kV)@Yv@Y7`mkw4~A_HGpUO{9ojD3kd*npr64 z$q|lxI{Y-q)*t<2L(5ka*eR<+;I+A#N(ogNQ%lDD#kM?6a;=h5_%%7yKpQ<|_s55C z!y_t^TBziVPhwTAvf&%ygX-(gr@T{n?UaRDbrJD&QR!@v2qso{@UNai6hUHA=yYZO`Ch9`vF0W+fL3 zqwI=k*#oN|`p^>w=o*?j=M8h8O%jYVK1-d4X=~TkXWt>Yv|X;fD&~u5_(xm}yqCVJ zPI80$Alf{(Q20bSBAyJSohIoVMe|m1v6H_)sD}Zt1w{S0b>QI+)RfjSd4Vi}3y$=O zek32E6)zWbt?RE$KSc%10u+&7#|yHBrSuh;7kt?qLE0JJTM{>h9uKk)jQto>9)PT^ zUUSo7fHRK4wH#ZvlvrpCzYo9YljG<-_*Fz#U-J9d^eM3|_BvVKMdxzF<79ceD&;Q- zPs^EqkjZuQ+cg69LX0;##Nva5)YS3zi$*b$tHs4fSY*F+@aQ2S^n)t~ug-HWPYQEo z+W2dT@R%((>+dvw44gg-6hL;P2BcB{_KHYrMFKi&huj6Aq_M%`ZMLHGT` zDsB8Hb^f}-5QU8sgz;>ur z^!UyGquxvSC~^fX(b5*^_KN`~#X{@?>`tJ5V@}(d7*o>HmJ0=^DbuLilg9Z;edpPS*OjxtY*~HlE)#YI?7)U=T-H$^iCoP zf6=|*LL5BHcxf~FTAxD_9oN}{2g$g$OKM{dmHpGdSA2^Iu(+nDlOc{02>m3dHBf7| zWT1LOUp%2{0TzB^7Z-p{nei@KMv}5~)d8rEaL;!p#v&1{dM5ekps>=3=daLK@_jEv z8F8g%Z6_cYTL!jAB(c!_FzFlbUbh7h@`KY==`vkQrnvlk;YrgPvug0+Nz4e(U!QZ< z2B`96-mCkhq=~V3p<+r$?!waJZwrp%W+dZ~@Fgv1WO65IA?rB zHmVby))5LLX#E*?z5_C96Hq0w==awA3M<|Gl>vigdPe4F$X7^O^Z@FsifO!*e zEZqmX5hTV~(b<4n434Tr!35M|?e<%&E=3-6CYcER{8%Hmj0X?}1KikJ3NCNSFw=Ha zRb4A&;H~CAX+H2~Opgb_Xd!MXf6AqK6YH>-@IH7csWBNbNXzEEPZn(2 zb>I(>14u!DIo0yJY%y{+**!Z`Wm>r&P{O4_eutg*bB14J2aN5l1gS-_#UAK7@4js8 z(Sg88B`wye^h;sZCe*(gTYas88(1X=p|~jNIT@?Omkh3Hs;hL+q4Ua2jWB_DiYi9i zvl~Zi>4IBUDw7XHpuerOpujzHJ52}q%jR6^QGtsUU1bdT%PHBjA5oZxS`e?|buI5% z7re}Nn5Dx3w*XIGr-kOglpaHo4XM#+tX1 z3lUGY?&+JB@EJx-=63%iFhw%<2~MZFsk zn2G+IysZ()pGumuVT@P4-e-9}QsFI|<&O!7fWY;A)qRWMXN#McdEjkCNg*usbad+; zxFzc|in7(u3z8Pdjzxa-iHKB$QZN(G-tgAqE%+{P4q;K+eV?^JS;c zSrM_vMQR1zhLp`p=ijAA)My}DG7YRUgi**UY1i4ynht7@8Wb06@F)RAg8e+BaN=l9 zTIn1)BqB+m1Lk*gyydHdf)$oBFwuKy+UTd7upIjWWyBTt7?N8Z$Rp@kMV zL}YtxeNMSfk(@g)X$pi{g@qaRg6X)z=%L`{sW9H|xLvM&EwvKMK^}W;@vt$sh7u4I z+z`I@!^>-gUL`%QxotN^qOa-&(8iJZ6t29w0`(*P{6+abd;!W*Chn~cQ_tU4=qA)h z0f5C~YplMOKq)o$LOp5ORyuHtF1A=iJ*ubApiY$%+P6FvCqrjY@cSfE{5Jo>axU3Pi%T0^zsUqbY^hWT_vkcO^ceQNHRqGzzs8etFh5}f3xex0q zZFcyR%%2THk~FOg@zpJ`(R-7*A9s5hj*Fw$Kg0aDXrwQL;V2y?zdSdeRgJ4!$+4a` z=Rwz!iTJ{u$g86A1k>COt#R z<0NZCy1<(r(tFi>ShpYKjGfTpB|h4Z{Ey~PAcuQc6I*3rA5}kFThiKV)DDzi;nTR1 zZgnd5R#y91C@U>x6@(~HH5cMW3*Y2#t;9FIY{JoLGkru-zS53QfIsT|R}lZ(yVLF^ zSl0u2)z(XO9YwX?US&s?Sl)cB7x?t<+>N%+o{mM|fMYseD&coV^y5Ba4O|=?c~mX? zXxg=n8LnR#U;)Gi2tA=s?Ei1?CaS++T$jZp&PqV=y^7pEO7guJlJ36dFye&KX0Ne* zFCWq_VXE)GXVU_}z&6KRHC2*zS(?Wc&)MkMP{G%bKK?TsY_XGV4IeYSfB8P}=altr z%ozW1F1KQ?*ez;wiN0pmhg0=St=T)Ao`RhQb~O!>=ik-JLkA#lM{AR-XXW%KC0%cg zdCwgLbtL)1mxs(;z{Ab&agVEhBzXT=Ik4$u5nEMwu&=46(vyV0M<3fH6HVs3!|ne3 z{A8%dE~Sl-u<3g}#Pueng-Rf^S<>%~vGJ*@Ow9R0oo zz!S+)wZ*PZszR1>WHtp-LP^v>PH`$k#P9gLWb;@({Ok9mzSSAJ)5(u^MO5i$ zLCuG;rdYF=w^hQLqA{|ER^RRXbc!Fcw|={uEtze$5_PeP9a>*b+w7=kFLE;H6p)*j z7hswZ0uLw;&j1J;x07e%2OG1mPsY+Co36b>XRj5e!#MQFG8%pi^*!)@|IxaDB2rvX zv7)A8#b}mIIuL?&xR7ti?RlDE1tq??%>s7=COtP`V)U$o=@ZFy!*#|k0CFQPm+`b= zB*YPEWB<_vsCSC6zg>+pNMoio`YwHAK}0ls)<+TPJ~7@^+tX(^L*BX>QZEW;756ZI z{#*bH=fv_NRY212@OHw}`XBK6kGLM1q&AbW{VmxUcIr!_(s}YklU^q&%I}{~L7Beq zHce3g6W8{ex2Y^`a+Yj4Xt_+g;Q5^28{m^LLkfMf#Qh&jB@bUgr((I+*!bott-9=- z%a?bbVPQzh`O0V60giWWwCN2D%AdAWSI2b;nLj1sLL&KenB`Lw?jbe#f1MAAi=bgG zciF+}UFvu72gOyyK8KH0L#%MaH-QiPCIi4xCs~`?Odn==dEm3BsbK--{`OuM*v;jc zBOm%#)ADzYvz{-Q+f`jzQOcXQM>-zx`8;8V-$_m0L(mY=OsmcVQq-?wiQXH*x}&E2 z2P9S3Wa-Lw`(gas6m$Pn6#gMgwM1~aT@tQ~04Yx&Gen=yJ83?*L-6(CAs%@8eKs<; zgMeIw{7imf(tCSSWgv+A@J{+x%isvv|5e^CU!n&+qasJaKE=xyW9}D3=o_y|Tp2aZ zw%@U$ivm>xO1<6c+vx4CYO1PLOahEPtAj%83|{}$zgjB`XHt0BSKiHbcBMPPu?lxN z=5tJNwjbY;%PMQDgu;t>g9^z&K=I<-4HbL38;copUgqM63|#(ac7Oe*mxn+HnOINV z9r=iv{>jJt*w6dY2ZlB1yHhNj ziiWlvP{n?R>0eH?obh>m%`ZJHFrT?$QUIACDi}fS)$3b{3M1wzfT#^huuy0hJ%044 z=$zT4A4k~yi%Wk8g+s**CU?PTl2bRn%R`Ps)9bw5I7$@D*mE5Jv^>*p{b4Q(Ec`vEr6=|0ul(5Vj7Sl0Ujj~ zAlQn-6A%p$=2^p(8c9+F!Kw(6!AQc4P=<(!3=hIQ_TFgKV*UO8ygylIt(<%A-rwGL z-+lJ}&J||Se=Gq{Nv9$It)^%6V%ge^ZnpCi1!7F6q^xuC@`Jk24Ld*3Gl3(j5=XS7 zh6gmVObTLF64wGwIS5A04KDT2dmztIMgOU?36IZj8Zcaw-Lp?JB?@iDKU!#xq zj8N><(?TdUCA!h8?&%Z@8?>UM&$_xB-K6nJ{^V!2h<%g|l(;YR2UZ=hB@|xW!c<-P zE!D|B{j=y?FtUz=HS<^b_=OsvP5ZiNl1Cc#`F=&JN1dxF^;QA2^4loH zglEmQwIye-&e<9pnoy7BxfqZzssGPn)+TrdR4fx4X|=< zalpKZiJ2KiuGNz@7KLbcEGeqZZ~H#tZ2Y<2iHYze#gC8ChY|i@($heT5VR~u$6w`S z82^nZ6uV@K(BPW#4!i;#d@ccq9Q~xX3VSf}4Z?=BXI8rt)JdD_{6fs4UVPe0rjeSZ zfC0|y16JPPZmWktu0WF~2)44=jqt z``iwqgv|}fY8&{r!)#}tx-@0ohTgnxS4IW5J# z+u`P1MhDmOGp`0VNoU-XP?4vK3QMS|fUmr*t)5^hSV=R3yA%rKLd=Exq86~FRVF|G zYM1E!mJV8gz&M%p?NMl=Wr_sGDk1F&XImg2a;w?RJioe)~Z( z$m5|Oj5%(PK_+;4gv-6}|9%>w2>W*ES+w5b`z?-35HnB6>LThHp+l_7gjc~=d`AtR zG1~!&%m)BfX2vchfX0H)OT`z3{nwm0FYx7#&p-e{tZwJ1J` z_zbcxm{@R^qf>Rsexyr%%XDCcjb}0WX1={5G?&Lyr$6X{)yZs?1sp3IbgT?Po>K5b z&(6M;{PUx(&H)hrdMEvqy?GqFLY9Ww^s|v&4P^L{nYypH3h6K(qocR(S1Q4G3lHm3 z9^Q?U9d&mn_SsoDr0>z>bq(%0WpDqSzSwjtk~bfB5A;jRSiPSIE{HbRx{%wAUTdGygf!qKXFk{=n|U3TQJR8}Oj zzcPNFT@#_Oe9%1&CiW--tS zDbEQ7tL%bwQYNcW%A$EW^q?@iVWomeqLFr}zvCvm)ntI)!6lZwcJ=qK-0{mHmBT*P z7ak|K-pjJdBcpv6ZTgZ&h};E8H{C=HR+O_rRjIy0^WwV*_+A$-KzegaqYSCxQp8N) zzuywGI%4LKh&ZZmQ1bHS=_;M|)~H*5^a*PjzY+j*ZdS`Y?tN#|W4&ZDhKei?2&Pq> zPrIvtzUHKUq&I~0;%bo|NM8GvHXW{FMTR^3N@7o48Isr;KR~t~s@foi`fnXoOgNBh7iDH++X=2E`fQETC8fhwmvs;o)M_LMf{DS%IsNH%ll)? zW~g42s47)U`p)j>-4ZCHSbd|-n`~4p1lcD0hK3y@aJcD(lJ$1lO%YMCP0=Yph(I%q zbqL`*&vY83HbGLG4AxC!ngomh&mY5N9DfY69oKi@Lml1by&>fC5jw4mR`)`&ghM@- zVNYfsW@CH21Z_Ea$o{Dd3fI6TrMB%ij|B&&baPu&5Sd}?L?OMkeLZeqOEzkT#FM#t zkcO(U0}Z^uh|J}s7-oek3sr zipoj!&SnVd&R7$st=2vl{StMQ*z9urL0A2;4PaTbZ~H9{T&7rV2os=D=*-CJ78(r zGv&Q$giSeXBcr_Zi(T8~d=G=6c>FeFd|rGkhdqa1{@NEW;Fvi;iUurQlKrx=#)?>D z9V3Mld6|$DZqgH3{0 zbM(r9S94c~2Jrc*PhtMcKcu$35qrFCScuZ6m;I&RZY01_3XPPt`qB(3*nhsTFbIvP zPa|s_A^)Wr`?nt6{7-iUotKa&0i1wmxCVc8=D$yk)qA@8y_f&}4^Y#~y8sHyE6@6G zzBJ?UwzFSSY1{vm7Ggez4?QL#B9dr*;(O-}SpDy;{wU_ui43X0nSH*1Xd>1Y_9rTi Hd&m6=0W1T$ diff --git a/raws/values-aliyun.yaml b/raws/values-aliyun.yaml deleted file mode 100644 index d29a4c7..0000000 --- a/raws/values-aliyun.yaml +++ /dev/null @@ -1,159 +0,0 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.wodcloud.local - notary: notary.wodcloud.local - annotations: - ingress.kubernetes.io/proxy-body-size: '0' - -externalURL: https://hub.wodcloud.local - -persistence: - enabled: true - persistentVolumeClaim: - registry: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - database: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - redis: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - imageChartStorage: - # s3 , filesystem - type: filesystem - s3: - accesskey: AKIAIOSFODNN7EXAMPLE - secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - region: us-east-1 - regionendpoint: http://minio.wodcloud.local - bucket: registry - encrypt: false - v4auth: true - chunksize: '5242880' - rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: 'spaceIN511' -secretKey: 'IpTIscRIgmerlare' - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.6 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.6 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.6 - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: v2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.6 - -chartmuseum: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum - tag: v2.1.6 - nodeSelector: {} - # nodeSelector: - # harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - clair: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair - tag: v2.1.6 - adapter: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-clair - tag: v2.1.6 - -trivy: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-trivy - tag: v2.1.6 - -notary: - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server - tag: v2.1.6 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer - tag: v2.1.6 - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.6 - password: 'spaceIN511' - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis - tag: 6.2.6 diff --git a/raws/values-arm.yaml b/raws/values-arm.yaml deleted file mode 100644 index 9419a87..0000000 --- a/raws/values-arm.yaml +++ /dev/null @@ -1,159 +0,0 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.wodcloud.local - notary: notary.wodcloud.local - annotations: - ingress.kubernetes.io/proxy-body-size: '0' - -externalURL: https://hub.wodcloud.local - -persistence: - enabled: true - persistentVolumeClaim: - registry: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - database: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - redis: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - imageChartStorage: - # s3 , filesystem - type: filesystem - s3: - accesskey: AKIAIOSFODNN7EXAMPLE - secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - region: us-east-1 - regionendpoint: http://minio.wodcloud.local - bucket: registry - encrypt: false - v4auth: true - chunksize: '5242880' - rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: 'spaceIN511' -secretKey: 'IpTIscRIgmerlare' - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.6-arm64 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.6-arm64 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.6-arm64 - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: v2.7.1-arm64 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.6-arm64 - -chartmuseum: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum - tag: v2.1.6-arm64 - nodeSelector: {} - # nodeSelector: - # harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - clair: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair - tag: v2.1.6-arm64 - adapter: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-clair - tag: v2.1.6-arm64 - -trivy: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-trivy - tag: v2.1.6-arm64 - -notary: - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server - tag: v2.1.6-arm64 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer - tag: v2.1.6-arm64 - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.6-arm64 - password: 'spaceIN511' - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis - tag: 6.2.6-arm64 diff --git a/raws/values-pg.yaml b/raws/values-pg.yaml deleted file mode 100644 index 9990e76..0000000 --- a/raws/values-pg.yaml +++ /dev/null @@ -1,158 +0,0 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.test.wodcloud.com - notary: notary.test.wodcloud.com - annotations: - ingress.kubernetes.io/proxy-body-size: '0' - -externalURL: https://hub.test.wodcloud.com - -persistence: - enabled: true - imageChartStorage: - # s3 , filesystem - type: filesystem - filesystem: - rootdirectory: /data - #s3: - # accesskey: AKIAIOSFODNN7EXAMPLE - # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - # region: us-east-1 - # regionendpoint: https://minio.sxwh.local - # bucket: registry - # encrypt: false - # v4auth: true - # chunksize: '5242880' - # rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: 'spaceIN511' -secretKey: 'IpTIscRIgmerlare' - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v1.8.2 - replicas: 1 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v1.8.2 - replicas: 1 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v1.8.2 - replicas: 1 - maxJobWorkers: 10 - jobLogger: file - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: v2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: - harbor: enabled - storageSpec: - # type: emptyDir , hostPath , volumeClaimTemplate - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ['ReadWriteOnce'] - resources: - requests: - storage: 100Gi - selector: {} - - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v1.8.2 - replicas: 1 - -chartmuseum: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon - tag: v0.9.0-v1.8.2 - replicas: 1 - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon - tag: v2.0.8-v1.8.2 - replicas: 1 - -notary: - enabled: true - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v1.8.2 - password: 'spaceIN511' - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ['ReadWriteOnce'] - resources: - requests: - storage: 20Gi - selector: {} - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis - tag: 4.0.14-alpine diff --git a/raws/values-ppc64le.yaml b/raws/values-ppc64le.yaml deleted file mode 100644 index e01a525..0000000 --- a/raws/values-ppc64le.yaml +++ /dev/null @@ -1,159 +0,0 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.wodcloud.local - notary: notary.wodcloud.local - annotations: - ingress.kubernetes.io/proxy-body-size: '0' - -externalURL: https://hub.wodcloud.local - -persistence: - enabled: true - persistentVolumeClaim: - registry: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - database: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - redis: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - imageChartStorage: - # s3 , filesystem - type: filesystem - s3: - accesskey: AKIAIOSFODNN7EXAMPLE - secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - region: us-east-1 - regionendpoint: http://minio.wodcloud.local - bucket: registry - encrypt: false - v4auth: true - chunksize: '5242880' - rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: 'spaceIN511' -secretKey: 'IpTIscRIgmerlare' - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v2.1.6-ppc64le - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v2.1.6-ppc64le - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v2.1.6-ppc64le - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: v2.7.1-ppc64le - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v2.1.6-ppc64le - -chartmuseum: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum - tag: v2.1.1-ppc64le - nodeSelector: {} - # nodeSelector: - # harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - clair: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair - tag: v2.1.1-ppc64le - adapter: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-clair - tag: v2.1.1-ppc64le - -trivy: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-trivy - tag: v2.1.1-ppc64le - -notary: - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server - tag: v2.1.1-ppc64le - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer - tag: v2.1.1-ppc64le - -database: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db - tag: v2.1.6-ppc64le - password: 'spaceIN511' - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis - tag: 6.2.6-ppc64le diff --git a/raws/values-stolon.yaml b/raws/values-stolon.yaml deleted file mode 100644 index 4d96009..0000000 --- a/raws/values-stolon.yaml +++ /dev/null @@ -1,143 +0,0 @@ -expose: - type: ingress - tls: - enabled: false - ingress: - hosts: - core: hub.test.wodcloud.com - notary: notary.test.wodcloud.com - annotations: - ingress.kubernetes.io/proxy-body-size: '0' - -externalURL: https://hub.test.wodcloud.com - -persistence: - enabled: true - imageChartStorage: - # s3 , filesystem - type: filesystem - filesystem: - rootdirectory: /data - #s3: - # accesskey: AKIAIOSFODNN7EXAMPLE - # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - # region: us-east-1 - # regionendpoint: https://minio.sxwh.local - # bucket: registry - # encrypt: false - # v4auth: true - # chunksize: '5242880' - # rootdirectory: / - -imagePullPolicy: IfNotPresent - -logLevel: info -harborAdminPassword: 'spaceIN511' -secretKey: 'IpTIscRIgmerlare' - -portal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal - tag: v1.8.2 - replicas: 1 - -core: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core - tag: v1.8.2 - replicas: 1 - -jobservice: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice - tag: v1.8.2 - replicas: 1 - maxJobWorkers: 10 - jobLogger: file - -registry: - registry: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/registry - tag: v2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: - harbor: enabled - storageSpec: - # type: emptyDir , hostPath , volumeClaimTemplate - type: hostPath - emptyDir: {} - hostPath: - root: /data - volumeClaimTemplate: - spec: - storageClassName: rook-ceph-block - accessModes: ['ReadWriteOnce'] - resources: - requests: - storage: 100Gi - selector: {} - - controller: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl - tag: v1.8.2 - replicas: 1 - -chartmuseum: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon - tag: v0.9.0-v1.8.2 - replicas: 1 - nodeSelector: - harbor: enabled - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - -clair: - enabled: true - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon - tag: v2.0.8-v1.8.2 - replicas: 1 - -notary: - enabled: true - server: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - signer: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon - tag: v0.6.1-v1.8.2 - replicas: 1 - -database: - type: external - external: - host: 'stolon-proxy.devops' - port: '5432' - username: 'postgres' - password: 'spaceIN511' - coreDatabase: 'hub_registry' - clairDatabase: 'hub_clair' - notaryServerDatabase: 'hub_notary_server' - notarySignerDatabase: 'hub_notary_signer' - sslmode: 'disable' - -redis: - type: internal - internal: - image: - repository: registry.cn-qingdao.aliyuncs.com/wod/redis - tag: 4.0.14-alpine diff --git a/raws/values.yaml b/raws/values.yaml deleted file mode 100644 index 8264518..0000000 --- a/raws/values.yaml +++ /dev/null @@ -1,747 +0,0 @@ -expose: - # Set the way how to expose the service. Set the type as "ingress", - # "clusterIP", "nodePort" or "loadBalancer" and fill the information - # in the corresponding section - type: ingress - tls: - # Enable the tls or not. Note: if the type is "ingress" and the tls - # is disabled, the port must be included in the command when pull/push - # images. Refer to https://github.com/goharbor/harbor/issues/5291 - # for the detail. - enabled: true - # The source of the tls certificate. Set it as "auto", "secret" - # or "none" and fill the information in the corresponding section - # 1) auto: generate the tls certificate automatically - # 2) secret: read the tls certificate from the specified secret. - # The tls certificate can be generated manually or by cert manager - # 3) none: configure no tls certificate for the ingress. If the default - # tls certificate is configured in the ingress controller, choose this option - certSource: auto - auto: - # The common name used to generate the certificate, it's necessary - # when the type isn't "ingress" - commonName: '' - secret: - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - secretName: '' - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # Only needed when the "expose.type" is "ingress". - notarySecretName: '' - ingress: - hosts: - core: core.harbor.domain - notary: notary.harbor.domain - # set to the type of ingress controller if it has specific requirements. - # leave as `default` for most ingress controllers. - # set to `gce` if using the GCE ingress controller - # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller - controller: default - annotations: - ingress.kubernetes.io/ssl-redirect: 'true' - ingress.kubernetes.io/proxy-body-size: '0' - nginx.ingress.kubernetes.io/ssl-redirect: 'true' - nginx.ingress.kubernetes.io/proxy-body-size: '0' - clusterIP: - # The name of ClusterIP service - name: harbor - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - nodePort: - # The name of NodePort service - name: harbor - ports: - http: - # The service port Harbor listens on when serving with HTTP - port: 80 - # The node port Harbor listens on when serving with HTTP - nodePort: 30002 - https: - # The service port Harbor listens on when serving with HTTPS - port: 443 - # The node port Harbor listens on when serving with HTTPS - nodePort: 30003 - # Only needed when notary.enabled is set to true - notary: - # The service port Notary listens on - port: 4443 - # The node port Notary listens on - nodePort: 30004 - loadBalancer: - # The name of LoadBalancer service - name: harbor - # Set the IP if the LoadBalancer supports assigning IP - IP: '' - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - annotations: {} - sourceRanges: [] - -# The external URL for Harbor core service. It is used to -# 1) populate the docker/helm commands showed on portal -# 2) populate the token service URL returned to docker/notary client -# -# Format: protocol://domain[:port]. Usually: -# 1) if "expose.type" is "ingress", the "domain" should be -# the value of "expose.ingress.hosts.core" -# 2) if "expose.type" is "clusterIP", the "domain" should be -# the value of "expose.clusterIP.name" -# 3) if "expose.type" is "nodePort", the "domain" should be -# the IP address of k8s node -# -# If Harbor is deployed behind the proxy, set it as the URL of proxy -externalURL: https://core.harbor.domain - -# The internal TLS used for harbor components secure communicating. In order to enable https -# in each components tls cert files need to provided in advance. -internalTLS: - # If internal TLS enabled - enabled: false - # There are three ways to provide tls - # 1) "auto" will generate cert automatically - # 2) "manual" need provide cert file manually in following value - # 3) "secret" internal certificates from secret - certSource: 'auto' - # The content of trust ca, only available when `certSource` is "manual" - trustCa: '' - # core related cert configuration - core: - # secret name for core's tls certs - secretName: '' - # Content of core's TLS cert file, only available when `certSource` is "manual" - crt: '' - # Content of core's TLS key file, only available when `certSource` is "manual" - key: '' - # jobservice related cert configuration - jobservice: - # secret name for jobservice's tls certs - secretName: '' - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - key: '' - # registry related cert configuration - registry: - # secret name for registry's tls certs - secretName: '' - # Content of registry's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of registry's TLS key file, only available when `certSource` is "manual" - key: '' - # portal related cert configuration - portal: - # secret name for portal's tls certs - secretName: '' - # Content of portal's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of portal's TLS key file, only available when `certSource` is "manual" - key: '' - # chartmuseum related cert configuration - chartmuseum: - # secret name for chartmuseum's tls certs - secretName: '' - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - key: '' - # clair related cert configuration - clair: - # secret name for clair's tls certs - secretName: '' - # Content of clair's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of clair's TLS key file, only available when `certSource` is "manual" - key: '' - # trivy related cert configuration - trivy: - # secret name for trivy's tls certs - secretName: '' - # Content of trivy's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of trivy's TLS key file, only available when `certSource` is "manual" - key: '' - -# The persistence is enabled by default and a default StorageClass -# is needed in the k8s cluster to provision volumes dynamicly. -# Specify another StorageClass in the "storageClass" or set "existingClaim" -# if you have already existing persistent volumes to use -# -# For storing images and charts, you can also use "azure", "gcs", "s3", -# "swift" or "oss". Set it in the "imageChartStorage" section -persistence: - enabled: true - # Setting it to "keep" to avoid removing PVCs during a helm delete - # operation. Leaving it empty will delete PVCs after the chart deleted - # (this does not apply for PVCs that are created for internal database - # and redis components, i.e. they are never deleted automatically) - resourcePolicy: 'keep' - persistentVolumeClaim: - registry: - # Use the existing PVC which must be created manually before bound, - # and specify the "subPath" if the PVC is shared with other components - existingClaim: '' - # Specify the "storageClass" used to provision the volume. Or the default - # StorageClass will be used(the default). - # Set it to "-" to disable dynamic provisioning - storageClass: '' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: '' - storageClass: '' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: '' - storageClass: '' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - # If external database is used, the following settings for database will - # be ignored - database: - existingClaim: '' - storageClass: '' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - # If external Redis is used, the following settings for Redis will - # be ignored - redis: - existingClaim: '' - storageClass: '' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: '' - storageClass: '' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - # Define which storage backend is used for registry and chartmuseum to store - # images and charts. Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage - # for the detail. - imageChartStorage: - # Specify whether to disable `redirect` for images and chart storage, for - # backends which not supported it (such as using minio for `s3` storage type), please disable - # it. To disable redirects, simply set `disableredirect` to `true` instead. - # Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect - # for the detail. - disableredirect: false - # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. - # The secret must contain keys named "ca.crt" which will be injected into the trust store - # of registry's and chartmuseum's containers. - # caBundleSecretName: - - # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", - # "oss" and fill the information needed in the corresponding section. The type - # must be "filesystem" if you want to use persistent volumes for registry - # and chartmuseum - type: filesystem - filesystem: - rootdirectory: /storage - #maxthreads: 100 - azure: - accountname: accountname - accountkey: base64encodedaccountkey - container: containername - #realm: core.windows.net - gcs: - bucket: bucketname - # The base64 encoded json file which contains the key - encodedkey: base64-encoded-json-key-file - #rootdirectory: /gcs/object/name/prefix - #chunksize: "5242880" - s3: - region: us-west-1 - bucket: bucketname - #accesskey: awsaccesskey - #secretkey: awssecretkey - #regionendpoint: http://myobjects.local - #encrypt: false - #keyid: mykeyid - #secure: true - #skipverify: false - #v4auth: true - #chunksize: "5242880" - #rootdirectory: /s3/object/name/prefix - #storageclass: STANDARD - #multipartcopychunksize: "33554432" - #multipartcopymaxconcurrency: 100 - #multipartcopythresholdsize: "33554432" - swift: - authurl: https://storage.myprovider.com/v3/auth - username: username - password: password - container: containername - #region: fr - #tenant: tenantname - #tenantid: tenantid - #domain: domainname - #domainid: domainid - #trustid: trustid - #insecureskipverify: false - #chunksize: 5M - #prefix: - #secretkey: secretkey - #accesskey: accesskey - #authversion: 3 - #endpointtype: public - #tempurlcontainerkey: false - #tempurlmethods: - oss: - accesskeyid: accesskeyid - accesskeysecret: accesskeysecret - region: regionname - bucket: bucketname - #endpoint: endpoint - #internal: false - #encrypt: false - #secure: true - #chunksize: 10M - #rootdirectory: rootdirectory - -imagePullPolicy: IfNotPresent - -# Use this set to assign a list of default pullSecrets -imagePullSecrets: -# - name: docker-registry-secret -# - name: internal-registry-secret - -# The update strategy for deployments with persistent volumes(jobservice, registry -# and chartmuseum): "RollingUpdate" or "Recreate" -# Set it as "Recreate" when "RWM" for volumes isn't supported -updateStrategy: - type: RollingUpdate - -# debug, info, warning, error or fatal -logLevel: info - -# The initial password of Harbor admin. Change it from portal after launching Harbor -harborAdminPassword: 'Harbor12345' - -# The name of the secret which contains key named "ca.crt". Setting this enables the -# download link on portal to download the certificate of CA when the certificate isn't -# generated automatically -caSecretName: '' - -# The secret key used for encryption. Must be a string of 16 chars. -secretKey: 'not-a-secure-key' - -# The proxy settings for updating clair vulnerabilities from the Internet and replicating -# artifacts from/to the registries that cannot be reached directly -proxy: - httpProxy: - httpsProxy: - noProxy: 127.0.0.1,localhost,.local,.internal - components: - - core - - jobservice - - clair - - trivy - -# The custom ca bundle secret, the secret must contain key named "ca.crt" -# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components -# caBundleSecretName: "" - -## UAA Authentication Options -# If you're using UAA for authentication behind a self-signed -# certificate you will need to provide the CA Cert. -# Set uaaSecretName below to provide a pre-created secret that -# contains a base64 encoded CA Certificate named `ca.crt`. -# uaaSecretName: - -# If expose the service via "ingress", the Nginx will not be used -nginx: - image: - repository: goharbor/nginx-photon - tag: v2.1.6 - # set the service account to be used, default if left empty - serviceAccountName: '' - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -portal: - image: - repository: goharbor/harbor-portal - tag: v2.1.6 - # set the service account to be used, default if left empty - serviceAccountName: '' - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -core: - image: - repository: goharbor/harbor-core - tag: v2.1.6 - # set the service account to be used, default if left empty - serviceAccountName: '' - replicas: 1 - ## Startup probe values - startupProbe: - enabled: false - initialDelaySeconds: 10 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when core server communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: '' - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate and private key for token encryption/decryption. - # The secret must contain keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # The default key pair will be used if it isn't set - secretName: '' - # The XSRF key. Will be generated automatically if it isn't specified - xsrfKey: '' - -jobservice: - image: - repository: goharbor/harbor-jobservice - tag: v2.1.6 - replicas: 1 - # set the service account to be used, default if left empty - serviceAccountName: '' - maxJobWorkers: 10 - # The logger for jobs: "file", "database" or "stdout" - jobLogger: file - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when job service communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: '' - -registry: - # set the service account to be used, default if left empty - serviceAccountName: '' - registry: - image: - repository: goharbor/registry-photon - tag: v2.1.6 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - controller: - image: - repository: goharbor/harbor-registryctl - tag: v2.1.6 - - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used to secure the upload state from client - # and registry storage backend. - # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: '' - # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. - relativeurls: false - credentials: - username: 'harbor_registry_user' - password: 'harbor_registry_password' - # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash - # e.g. "htpasswd -nbBC10 $username $password" - htpasswd: 'harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m' - - middleware: - enabled: false - type: cloudFront - cloudFront: - baseurl: example.cloudfront.net - keypairid: KEYPAIRID - duration: 3000s - ipfilteredby: none - # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key - # that allows access to CloudFront - privateKeySecret: 'my-secret' - -chartmuseum: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: '' - # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' - absoluteUrl: false - image: - repository: goharbor/chartmuseum-photon - tag: v2.1.6 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -clair: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: '' - clair: - image: - repository: goharbor/clair-photon - tag: v2.1.6 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - adapter: - image: - repository: goharbor/harbor-scanner-clair-photon - tag: v2.1.6 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - # The interval of clair updaters, the unit is hour, set to 0 to - # disable the updaters - updatersInterval: 12 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -trivy: - # enabled the flag to enable Trivy scanner - enabled: true - image: - # repository the repository for Trivy adapter image - repository: goharbor/trivy-adapter-photon - # tag the tag for Trivy adapter image - tag: v2.1.6 - # set the service account to be used, default if left empty - serviceAccountName: '' - # replicas the number of Pod replicas - replicas: 1 - # debugMode the flag to enable Trivy debug mode with more verbose scanning log - debugMode: false - # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. - vulnType: 'os,library' - # severity a comma-separated list of severities to be checked - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - # ignoreUnfixed the flag to display only fixed vulnerabilities - ignoreUnfixed: false - # insecure the flag to skip verifying registry certificate - insecure: false - # gitHubToken the GitHub access token to download Trivy DB - # - # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. - # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached - # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update - # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. - # Currently, the database is updated every 12 hours and published as a new release to GitHub. - # - # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough - # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 - # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult - # https://developer.github.com/v3/#rate-limiting - # - # You can create a GitHub token by following the instructions in - # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line - gitHubToken: '' - # skipUpdate the flag to disable Trivy DB downloads from GitHub - # - # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. - # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the - # `/home/scanner/.cache/trivy/db/trivy.db` path. - skipUpdate: false - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -notary: - enabled: true - server: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: goharbor/notary-server-photon - tag: v2.1.6 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - signer: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: goharbor/notary-signer-photon - tag: v2.1.6 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate authority, certificate and private key for notary - # communications. - # The secret must contain keys named ca.crt, tls.crt and tls.key that - # contain the CA, certificate and private key. - # They will be generated if not set. - secretName: '' - -database: - # if external database is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: goharbor/harbor-db - tag: v2.1.6 - # The initial superuser password for internal database - password: 'changeit' - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - host: '192.168.0.1' - port: '5432' - username: 'user' - password: 'password' - coreDatabase: 'registry' - clairDatabase: 'clair' - notaryServerDatabase: 'notary_server' - notarySignerDatabase: 'notary_signer' - # "disable" - No SSL - # "require" - Always SSL (skip verification) - # "verify-ca" - Always SSL (verify that the certificate presented by the - # server was signed by a trusted CA) - # "verify-full" - Always SSL (verify that the certification presented by the - # server was signed by a trusted CA and the server host name matches the one - # in the certificate) - sslmode: 'disable' - # The maximum number of connections in the idle connection pool. - # If it <=0, no idle connections are retained. - maxIdleConns: 50 - # The maximum number of open connections to the database. - # If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgre of harbor. - maxOpenConns: 1000 - ## Additional deployment annotations - podAnnotations: {} - -redis: - # if external Redis is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: goharbor/redis-photon - tag: v2.1.6 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - # support redis, redis+sentinel - # addr for redis: : - # addr for redis+sentinel: :,:,: - addr: '192.168.0.2:6379' - # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel - sentinelMasterSet: '' - # The "coreDatabaseIndex" must be "0" as the library Harbor - # used doesn't support configuring it - coreDatabaseIndex: '0' - jobserviceDatabaseIndex: '1' - registryDatabaseIndex: '2' - chartmuseumDatabaseIndex: '3' - clairAdapterIndex: '4' - trivyAdapterIndex: '5' - password: '' - ## Additional deployment annotations - podAnnotations: {} - -commonLabels: - app.bd-apaas.com/cluster-component: registry diff --git a/templates/NOTES.txt b/templates/NOTES.txt index f9b57e2..0980c08 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -1,3 +1,3 @@ -Please wait for several minutes for Harbor deployment to complete. -Then you should be able to visit the Harbor portal at {{ $.Values.global.host }} -For more details, please visit https://github.com/goharbor/harbor +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index b1d119b..9a1a22f 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -1,597 +1,595 @@ -{{/* -Create chart imageArch suffix. -*/}} -{{- define ".beagle.imageArch" -}} -{{- if not (eq "amd64" .Values.global.imageArch) -}} -{{- print "-" .Values.global.imageArch -}} -{{- else -}} -{{- print "" -}} -{{- end -}} -{{- end }} - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "harbor.name" -}} -{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "harbor.fullname" -}} -{{- $name := default "harbor" .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Helm required labels */}} -{{- define "harbor.labels" -}} -heritage: {{ .Release.Service }} -release: {{ .Release.Name }} -chart: {{ .Chart.Name }} -app: "{{ template "harbor.name" . }}" -{{- if .Values.commonLabels}} -{{ toYaml .Values.commonLabels }} -{{- end }} -{{- end -}} - -{{/* matchLabels */}} -{{- define "harbor.matchLabels" -}} -release: {{ .Release.Name }} -app: "{{ template "harbor.name" . }}" -{{- end -}} - -{{- define "harbor.autoGenCert" -}} - {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.autoGenCertForIngress" -}} - {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.autoGenCertForNginx" -}} - {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.host" -}} - {{- if eq .Values.database.type "internal" -}} - {{- template "harbor.database" . }} - {{- else -}} - {{- .Values.database.external.host -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.port" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "5432" -}} - {{- else -}} - {{- .Values.database.external.port -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.username" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "postgres" -}} - {{- else -}} - {{- .Values.database.external.username -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.rawPassword" -}} - {{- if eq .Values.database.type "internal" -}} - {{- .Values.database.internal.password -}} - {{- else -}} - {{- .Values.database.external.password -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.escapedRawPassword" -}} - {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} -{{- end -}} - -{{- define "harbor.database.encryptedPassword" -}} - {{- include "harbor.database.rawPassword" . | b64enc | quote -}} -{{- end -}} - -{{- define "harbor.database.coreDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "registry" -}} - {{- else -}} - {{- .Values.database.external.coreDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.clairDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "postgres" -}} - {{- else -}} - {{- .Values.database.external.clairDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.notaryServerDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "notaryserver" -}} - {{- else -}} - {{- .Values.database.external.notaryServerDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.notarySignerDatabase" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "notarysigner" -}} - {{- else -}} - {{- .Values.database.external.notarySignerDatabase -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.sslmode" -}} - {{- if eq .Values.database.type "internal" -}} - {{- printf "%s" "disable" -}} - {{- else -}} - {{- .Values.database.external.sslmode -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.database.clair" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.database.notaryServer" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.database.notarySigner" -}} -postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} -{{- end -}} - -{{- define "harbor.redis.scheme" -}} - {{- with .Values.redis }} - {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} - {{- end }} -{{- end -}} - -/*host:port*/ -{{- define "harbor.redis.addr" -}} - {{- with .Values.redis }} - {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.masterSet" -}} - {{- with .Values.redis }} - {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.password" -}} - {{- with .Values.redis }} - {{- ternary "" .external.password (eq .type "internal") }} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]host:port[/master_set]*/ -{{- define "harbor.redis.url" -}} - {{- with .Values.redis }} - {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} - {{- $cred := ternary (printf "redis:%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} - {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForCore" -}} - {{- with .Values.redis }} - {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index*/ -{{- define "harbor.redis.urlForJobservice" -}} - {{- with .Values.redis }} - {{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForRegistry" -}} - {{- with .Values.redis }} - {{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForClair" -}} - {{- with .Values.redis }} - {{- $index := ternary "4" .external.clairAdapterIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/ -{{- define "harbor.redis.urlForTrivy" -}} - {{- with .Values.redis }} - {{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }} - {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.dbForRegistry" -}} - {{- with .Values.redis }} - {{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.redis.dbForChartmuseum" -}} - {{- with .Values.redis }} - {{- ternary "3" .external.chartmuseumDatabaseIndex (eq .type "internal") }} - {{- end }} -{{- end -}} - -{{- define "harbor.portal" -}} - {{- printf "%s-portal" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.core" -}} - {{- printf "%s-core" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.redis" -}} - {{- printf "%s-redis" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.jobservice" -}} - {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.registry" -}} - {{- printf "%s-registry" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.chartmuseum" -}} - {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.database" -}} - {{- printf "%s-database" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.clair" -}} - {{- printf "%s-clair" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.trivy" -}} - {{- printf "%s-trivy" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.notary-server" -}} - {{- printf "%s-notary-server" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.notary-signer" -}} - {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.nginx" -}} - {{- printf "%s-nginx" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.ingress" -}} - {{- printf "%s-ingress" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.ingress-notary" -}} - {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}} -{{- end -}} - -{{- define "harbor.noProxy" -}} - {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.chartmuseum" .) (include "harbor.clair" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) .Values.proxy.noProxy -}} -{{- end -}} - -{{- define "harbor.caBundleVolume" -}} -- name: ca-bundle-certs - secret: - secretName: {{ .Values.caBundleSecretName }} -{{- end -}} - -{{- define "harbor.caBundleVolumeMount" -}} -- name: ca-bundle-certs - mountPath: /harbor_cust_cert/custom-ca.crt - subPath: ca.crt -{{- end -}} - -{{/* scheme for all components except notary because it only support http mode */}} -{{- define "harbor.component.scheme" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "https" -}} - {{- else -}} - {{- printf "http" -}} - {{- end -}} -{{- end -}} - -{{/* chartmuseum component container port */}} -{{- define "harbor.chartmuseum.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "9443" -}} - {{- else -}} - {{- printf "9999" -}} - {{- end -}} -{{- end -}} - -{{/* chartmuseum component service port */}} -{{- define "harbor.chartmuseum.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* clair adapter component container port */}} -{{- define "harbor.clairAdapter.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* clair adapter component service port */}} -{{- define "harbor.clairAdapter.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* core component container port */}} -{{- define "harbor.core.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* core component service port */}} -{{- define "harbor.core.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* jobservice component container port */}} -{{- define "harbor.jobservice.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* jobservice component service port */}} -{{- define "harbor.jobservice.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* portal component container port */}} -{{- define "harbor.portal.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* portal component service port */}} -{{- define "harbor.portal.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "443" -}} - {{- else -}} - {{- printf "80" -}} - {{- end -}} -{{- end -}} - -{{/* registry component container port */}} -{{- define "harbor.registry.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "5443" -}} - {{- else -}} - {{- printf "5000" -}} - {{- end -}} -{{- end -}} - -{{/* registry component service port */}} -{{- define "harbor.registry.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "5443" -}} - {{- else -}} - {{- printf "5000" -}} - {{- end -}} -{{- end -}} - -{{/* registryctl component container port */}} -{{- define "harbor.registryctl.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* registryctl component service port */}} -{{- define "harbor.registryctl.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* trivy component container port */}} -{{- define "harbor.trivy.containerPort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* trivy component service port */}} -{{- define "harbor.trivy.servicePort" -}} - {{- if .Values.internalTLS.enabled -}} - {{- printf "8443" -}} - {{- else -}} - {{- printf "8080" -}} - {{- end -}} -{{- end -}} - -{{/* CLAIR_ADAPTER_URL */}} -{{- define "harbor.clairAdapterURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.clair" .) (include "harbor.clairAdapter.servicePort" .) -}} -{{- end -}} - -{{/* CORE_URL */}} -{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} -{{- define "harbor.coreURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} -{{- end -}} - -{{/* JOBSERVICE_URL */}} -{{- define "harbor.jobserviceURL" -}} - {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} -{{- end -}} - -{{/* PORTAL_URL */}} -{{- define "harbor.portalURL" -}} - {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} -{{- end -}} - -{{/* REGISTRY_URL */}} -{{- define "harbor.registryURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} -{{- end -}} - -{{/* REGISTRY_CONTROLLER_URL */}} -{{- define "harbor.registryControllerURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} -{{- end -}} - -{{/* TOKEN_SERVICE_URL */}} -{{- define "harbor.tokenServiceURL" -}} - {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} -{{- end -}} - -{{/* TRIVY_ADAPTER_URL */}} -{{- define "harbor.trivyAdapterURL" -}} - {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} -{{- end -}} - -{{- define "harbor.internalTLS.chartmuseum.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.chartmuseum.secretName -}} - {{- else -}} - {{- printf "%s-chartmuseum-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.clair.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.clair.secretName -}} - {{- else -}} - {{- printf "%s-clair-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.core.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.core.secretName -}} - {{- else -}} - {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.jobservice.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.jobservice.secretName -}} - {{- else -}} - {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.portal.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.portal.secretName -}} - {{- else -}} - {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.registry.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.registry.secretName -}} - {{- else -}} - {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.internalTLS.trivy.secretName" -}} - {{- if eq .Values.internalTLS.certSource "secret" -}} - {{- .Values.internalTLS.trivy.secretName -}} - {{- else -}} - {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsCoreSecretForIngress" -}} - {{- if eq .Values.expose.tls.certSource "none" -}} - {{- printf "" -}} - {{- else if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.secretName -}} - {{- else -}} - {{- include "harbor.ingress" . -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsNotarySecretForIngress" -}} - {{- if eq .Values.expose.tls.certSource "none" -}} - {{- printf "" -}} - {{- else if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.notarySecretName -}} - {{- else -}} - {{- include "harbor.ingress" . -}} - {{- end -}} -{{- end -}} - -{{- define "harbor.tlsSecretForNginx" -}} - {{- if eq .Values.expose.tls.certSource "secret" -}} - {{- .Values.expose.tls.secret.secretName -}} - {{- else -}} - {{- include "harbor.nginx" . -}} - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels: legacy */}} +{{- define "harbor.legacy.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "harbor.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: {{ include "harbor.name" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* Helper for printing values from existing secrets*/}} +{{- define "harbor.secretKeyHelper" -}} + {{- if and (not (empty .data)) (hasKey .data .key) }} + {{- index .data .key | b64dec -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}} + {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} + {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}} + {{- else -}} + {{- .Values.database.internal.password -}} + {{- end -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- if eq .type "external" -}} + {{- if not (not .external.sentinelMasterSet) -}} + {{- ternary "rediss+sentinel" "redis+sentinel" (.external.tlsOptions.enable) }} + {{- else -}} + {{- ternary "rediss" "redis" (.external.tlsOptions.enable) }} + {{- end -}} + {{- else -}} + {{ print "redis" }} + {{- end -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.enableTLS" -}} + {{- with .Values.redis }} + {{- ternary "true" "false" (and ( eq .type "external") (.external.tlsOptions.enable)) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (contains "+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + + +{{- define "harbor.redis.pwdfromsecret" -}} + {{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }} +{{- end -}} + +{{- define "harbor.redis.cred" -}} + {{- with .Values.redis }} + {{- if (and (eq .type "external" ) (.external.existingSecret)) }} + {{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }} + {{- else }} + {{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- end }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForHarbor" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCache" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }} + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} diff --git a/templates/chartmuseum/chartmuseum-cm.yaml b/templates/chartmuseum/chartmuseum-cm.yaml deleted file mode 100644 index 97c46da..0000000 --- a/templates/chartmuseum/chartmuseum-cm.yaml +++ /dev/null @@ -1,113 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - PORT: "{{ template "harbor.chartmuseum.containerPort" . }}" -{{- if .Values.internalTLS.enabled }} - TLS_CERT: "/etc/harbor/ssl/chartmuseum/tls.crt" - TLS_KEY: "/etc/harbor/ssl/chartmuseum/tls.key" -{{- end }} - {{- if eq "redis" (include "harbor.redis.scheme" .) }} - CACHE: "redis" - {{- else }} - CACHE: "redis_sentinel" - CACHE_REDIS_MASTERNAME: "{{ template "harbor.redis.masterSet" . }}" - {{- end }} - CACHE_REDIS_ADDR: "{{ template "harbor.redis.addr" . }}" - CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}" - BASIC_AUTH_USER: "chart_controller" -{{- if .Values.chartmuseum.absoluteUrl }} - CHART_URL: {{ .Values.externalURL }}.{{ $.Values.global.host }}/chartrepo -{{- end }} - DEPTH: "1" -{{- if eq .Values.logLevel "debug" }} - DEBUG: "true" -{{- else }} - DEBUG: "false" -{{- end }} - LOG_JSON: "true" - DISABLE_METRICS: "false" - DISABLE_API: "false" - DISABLE_STATEFILES: "false" - ALLOW_OVERWRITE: "true" - AUTH_ANONYMOUS_GET: "false" - CONTEXT_PATH: "" - INDEX_LIMIT: "0" - MAX_STORAGE_OBJECTS: "0" - MAX_UPLOAD_SIZE: "20971520" - CHART_POST_FORM_FIELD_NAME: "chart" - PROV_POST_FORM_FIELD_NAME: "prov" -{{- $storage := .Values.persistence.imageChartStorage }} -{{- $storageType := $storage.type }} -{{- if eq $storageType "filesystem" }} - STORAGE: "local" - STORAGE_LOCAL_ROOTDIR: "/chart_storage" -{{- else if eq $storageType "azure" }} - STORAGE: "microsoft" - STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }} - AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }} - AZURE_BASE_URL: {{ $storage.azure.realm }} - STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts" -{{- else if eq $storageType "gcs" }} - STORAGE: "google" - STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} - GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json - {{- if $storage.gcs.rootdirectory }} - STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} - {{- end }} -{{- else if eq $storageType "s3" }} - STORAGE: "amazon" - STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }} - {{- if $storage.s3.rootdirectory }} - STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }} - {{- end }} - STORAGE_AMAZON_REGION: {{ $storage.s3.region }} - {{- if $storage.s3.regionendpoint }} - STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }} - {{- end }} - {{- if $storage.s3.accesskey }} - AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }} - {{- end }} - {{- if $storage.s3.keyid }} - STORAGE_AMAZON_SSE: aws:kms - {{- end }} -{{- else if eq $storageType "swift" }} - STORAGE: "openstack" - STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }} - {{- if $storage.swift.prefix }} - STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }} - {{- end }} - {{- if $storage.swift.region }} - STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }} - {{- end }} - OS_AUTH_URL: {{ $storage.swift.authurl }} - OS_USERNAME: {{ $storage.swift.username }} - {{- if $storage.swift.tenantid }} - OS_PROJECT_ID: {{ $storage.swift.tenantid }} - {{- end }} - {{- if $storage.swift.tenant }} - OS_PROJECT_NAME: {{ $storage.swift.tenant }} - {{- end }} - {{- if $storage.swift.domainid }} - OS_DOMAIN_ID: {{ $storage.swift.domainid }} - {{- end }} - {{- if $storage.swift.domain }} - OS_DOMAIN_NAME: {{ $storage.swift.domain }} - {{- end }} -{{- else if eq $storageType "oss" }} - STORAGE: "alibaba" - STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }} - {{- if $storage.oss.rootdirectory }} - STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }} - {{- end }} - {{- if $storage.oss.endpoint }} - STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }} - {{- end }} - ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }} -{{- end }} - STORAGE_TIMESTAMP_TOLERANCE: 1s -{{- end }} diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml deleted file mode 100644 index 4c151d3..0000000 --- a/templates/chartmuseum/chartmuseum-dpl.yaml +++ /dev/null @@ -1,173 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: chartmuseum -spec: - replicas: {{ .Values.chartmuseum.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: chartmuseum - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: chartmuseum - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.chartmuseum.podAnnotations }} -{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - securityContext: - fsGroup: 10000 -{{- if .Values.chartmuseum.serviceAccountName }} - serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: chartmuseum -{{- if contains "/" .Values.chartmuseum.image.repository }} - image: "{{ .Values.chartmuseum.image.repository }}" -{{- else }} - image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.chartmuseum.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.chartmuseum.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.chartmuseum.resources }} - resources: -{{ toYaml .Values.chartmuseum.resources | indent 10 }} -{{- end }} - envFrom: - - configMapRef: - name: "{{ template "harbor.chartmuseum" . }}" - - secretRef: - name: "{{ template "harbor.chartmuseum" . }}" - env: - {{- if has "chartmuseum" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/chartmuseum/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/chartmuseum/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/chartmuseum/ca.crt - {{- end }} - - name: BASIC_AUTH_PASS - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280) - name: AWS_SDK_LOAD_CONFIG - value: "1" - ports: - - containerPort: {{ template "harbor.chartmuseum.containerPort" . }} - volumeMounts: - - name: chartmuseum-data - mountPath: /chart_storage - subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }} - {{- if .Values.internalTLS.enabled }} - - name: chart-internal-certs - mountPath: /etc/harbor/ssl/chartmuseum - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/chartmuseum/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: chartmuseum-data - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: chart-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }} - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: GCS_KEY_DATA - path: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - secret: - secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.chartmuseum.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.chartmuseum.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- end }} diff --git a/templates/chartmuseum/chartmuseum-pvc.yaml b/templates/chartmuseum/chartmuseum-pvc.yaml deleted file mode 100644 index 814a5d1..0000000 --- a/templates/chartmuseum/chartmuseum-pvc.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -{{- $persistence := .Values.persistence -}} -{{- if $persistence.enabled }} -{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}} -{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.chartmuseum" . }} - {{- if eq $persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: chartmuseum -spec: - accessModes: - - {{ $chartmuseum.accessMode }} - resources: - requests: - storage: {{ $chartmuseum.size }} - {{- if $chartmuseum.storageClass }} - {{- if eq "-" $chartmuseum.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $chartmuseum.storageClass }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-secret.yaml b/templates/chartmuseum/chartmuseum-secret.yaml deleted file mode 100644 index 4647c21..0000000 --- a/templates/chartmuseum/chartmuseum-secret.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} -{{- $storage := .Values.persistence.imageChartStorage }} -{{- $storageType := $storage.type }} -{{- if eq $storageType "azure" }} - AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }} -{{- else if eq $storageType "gcs" }} - # TODO support the keyfile of gcs -{{- else if eq $storageType "s3" }} - {{- if $storage.s3.secretkey }} - AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }} - {{- end }} -{{- else if eq $storageType "swift" }} - OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }} -{{- else if eq $storageType "oss" }} - ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-svc.yaml b/templates/chartmuseum/chartmuseum-svc.yaml deleted file mode 100644 index eb8c2b7..0000000 --- a/templates/chartmuseum/chartmuseum-svc.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.chartmuseum.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.chartmuseum" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.chartmuseum.servicePort" . }} - targetPort: {{ template "harbor.chartmuseum.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: chartmuseum -{{- end }} \ No newline at end of file diff --git a/templates/chartmuseum/chartmuseum-tls.yaml b/templates/chartmuseum/chartmuseum-tls.yaml deleted file mode 100644 index fded090..0000000 --- a/templates/chartmuseum/chartmuseum-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }} -{{- end }} -{{- end }} diff --git a/templates/clair/clair-dpl.yaml b/templates/clair/clair-dpl.yaml deleted file mode 100644 index ea824d3..0000000 --- a/templates/clair/clair-dpl.yaml +++ /dev/null @@ -1,178 +0,0 @@ -{{ if .Values.clair.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.clair" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: clair -spec: - replicas: {{ .Values.clair.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: clair - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: clair - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/clair/clair-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/clair/clair-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.clair.podAnnotations }} -{{ toYaml .Values.clair.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - securityContext: - fsGroup: 10000 -{{- if .Values.clair.serviceAccountName }} - serviceAccountName: {{ .Values.clair.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: clair -{{- if contains "/" .Values.clair.clair.image.repository }} - image: "{{ .Values.clair.clair.image.repository }}" -{{- else }} - image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /health - port: 6061 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /health - port: 6061 - initialDelaySeconds: 30 - periodSeconds: 10 - args: ["-log-level", "{{ .Values.logLevel }}"] - env: - {{- if has "clair" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} -{{- if .Values.clair.clair.resources }} - resources: -{{ toYaml .Values.clair.clair.resources | indent 10 }} -{{- end }} - ports: - - containerPort: 6060 - volumeMounts: - - name: config - mountPath: /etc/clair/config.yaml - subPath: config.yaml - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - mountPath: /etc/harbor/ssl/clair - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - - name: adapter -{{- if contains "/" .Values.clair.adapter.image.repository }} - image: "{{ .Values.clair.adapter.image.repository }}" -{{- else }} - image: "{{ .Values.clair.adapter.image.hub | default .Values.global.hub }}/{{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /probe/healthy - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.clairAdapter.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /probe/ready - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.clairAdapter.containerPort" . }} - initialDelaySeconds: 30 - periodSeconds: 10 - env: - - name: SCANNER_CLAIR_URL - # To avoid a pod cannot reach itself via service IP when the clusters disable hairpin - value: "http://127.0.0.1:6060" - - name: SCANNER_STORE_REDIS_URL - valueFrom: - secretKeyRef: - name: {{ template "harbor.clair" . }} - key: redis - - name: SCANNER_CLAIR_DATABASE_URL - valueFrom: - secretKeyRef: - name: {{ template "harbor.clair" . }} - key: database - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: SCANNER_API_SERVER_ADDR - value: ":8443" - - name: SCANNER_API_SERVER_TLS_KEY - value: /etc/harbor/ssl/clair/tls.key - - name: SCANNER_API_SERVER_TLS_CERTIFICATE - value: /etc/harbor/ssl/clair/tls.crt - {{- end }} - - name: SCANNER_LOG_LEVEL - value: "{{ .Values.logLevel }}" -{{- if .Values.clair.adapter.resources }} - resources: -{{ toYaml .Values.clair.adapter.resources | indent 10 }} -{{- end }} - ports: - - containerPort: {{ template "harbor.clairAdapter.containerPort" . }} - {{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }} - volumeMounts: - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - mountPath: /etc/harbor/ssl/clair - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - {{- end }} - volumes: - - name: config - secret: - secretName: "{{ template "harbor.clair" . }}" - {{- if .Values.internalTLS.enabled }} - - name: clair-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.clair.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.clair.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.clair.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} diff --git a/templates/clair/clair-secret.yaml b/templates/clair/clair-secret.yaml deleted file mode 100644 index 0eb3ec6..0000000 --- a/templates/clair/clair-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.clair.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.clair" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }} - redis: {{ include "harbor.redis.urlForClair" . | b64enc }} - database: {{ include "harbor.database.clair" . | b64enc }} -{{- end }} \ No newline at end of file diff --git a/templates/clair/clair-svc.yaml b/templates/clair/clair-svc.yaml deleted file mode 100644 index dff8440..0000000 --- a/templates/clair/clair-svc.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Values.clair.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.clair" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: adapter - port: {{ include "harbor.clairAdapter.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: clair -{{ end }} diff --git a/templates/clair/clair-tls.yaml b/templates/clair/clair-tls.yaml deleted file mode 100644 index f4233ee..0000000 --- a/templates/clair/clair-tls.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.clair.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.clair.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml index 37465a0..f27bdaa 100644 --- a/templates/core/core-cm.yaml +++ b/templates/core/core-cm.yaml @@ -1,59 +1,91 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - app.conf: |+ - appname = Harbor - runmode = prod - enablegzip = true - - [prod] - httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} - PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" - DATABASE_TYPE: "postgresql" - POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" - POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" - POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" - POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" - POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" - POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" - POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" - EXT_ENDPOINT: "{{ .Values.externalURL }}.{{ $.Values.global.host }}" - CORE_URL: "{{ template "harbor.coreURL" . }}" - JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" - REGISTRY_URL: "{{ template "harbor.registryURL" . }}" - TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" - WITH_NOTARY: "{{ .Values.notary.enabled }}" - NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" - CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" - WITH_CLAIR: "{{ .Values.clair.enabled }}" - CLAIR_ADAPTER_URL: "{{ template "harbor.clairAdapterURL" . }}" - WITH_TRIVY: {{ .Values.trivy.enabled | quote }} - TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" - REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" - WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}" - CHART_REPOSITORY_URL: "{{ template "harbor.component.scheme" . }}://{{ template "harbor.chartmuseum" . }}" - LOG_LEVEL: "{{ .Values.logLevel }}" - CONFIG_PATH: "/etc/core/app.conf" - CHART_CACHE_DRIVER: "redis" - _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" - _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" - PORTAL_URL: "{{ template "harbor.portalURL" . }}" - REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" - REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" - {{- if .Values.uaaSecretName }} - UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" - {{- end }} - {{- if has "core" .Values.proxy.components }} - HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" - HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" - NO_PROXY: "{{ template "harbor.noProxy" . }}" - {{- end }} - PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor" - {{- if hasKey .Values.core "gcTimeWindowHours" }} - #make the GC time window configurable for testing - GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" - {{- end }} \ No newline at end of file +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }} + _REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- if .Values.core.gdpr.auditLogsCompliant}} + GDPR_AUDIT_LOGS: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + + {{- if .Values.core.quotaUpdateProvider }} + QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" + {{- end }} diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index eaf7354..4705c5f 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -1,197 +1,258 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: core -spec: - replicas: {{ .Values.core.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: core - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: core - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} - checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.core.podAnnotations }} -{{ toYaml .Values.core.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - securityContext: - fsGroup: 10000 -{{- if .Values.core.serviceAccountName }} - serviceAccountName: {{ .Values.core.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: core -{{- if contains "/" .Values.core.image.repository }} - image: "{{ .Values.core.image.repository }}" -{{- else }} - image: "{{ .Values.core.image.hub | default .Values.global.hub }}/{{ .Values.core.image.repository }}:{{ .Values.core.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - {{- if .Values.core.startupProbe.enabled }} - startupProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - failureThreshold: 360 - initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} - periodSeconds: 10 - {{- end }} - livenessProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - failureThreshold: 2 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v2.0/ping - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.core.containerPort" . }} - failureThreshold: 2 - periodSeconds: 10 - envFrom: - - configMapRef: - name: "{{ template "harbor.core" . }}" - - secretRef: - name: "{{ template "harbor.core" . }}" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: "{{ template "harbor.jobservice" . }}" - key: JOBSERVICE_SECRET - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/core/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/core/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/core/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.core.containerPort" . }} - volumeMounts: - - name: config - mountPath: /etc/core/app.conf - subPath: app.conf - - name: secret-key - mountPath: /etc/core/key - subPath: key - - name: token-service-private-key - mountPath: /etc/core/private_key.pem - subPath: tls.key - {{- if .Values.expose.tls.enabled }} - - name: ca-download - mountPath: /etc/core/ca - {{- end }} - {{- if .Values.uaaSecretName }} - - name: auth-ca-cert - mountPath: /etc/core/auth-ca/auth-ca.crt - subPath: auth-ca.crt - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: core-internal-certs - mountPath: /etc/harbor/ssl/core - {{- end }} - - name: psc - mountPath: /etc/core/token - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} -{{- if .Values.core.resources }} - resources: -{{ toYaml .Values.core.resources | indent 10 }} -{{- end }} - volumes: - - name: config - configMap: - name: {{ template "harbor.core" . }} - items: - - key: app.conf - path: app.conf - - name: secret-key - secret: - secretName: {{ template "harbor.core" . }} - items: - - key: secretKey - path: key - - name: token-service-private-key - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - {{- if .Values.expose.tls.enabled }} - - name: ca-download - secret: - {{- if .Values.caSecretName }} - secretName: {{ .Values.caSecretName }} - {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} - secretName: "{{ template "harbor.ingress" . }}" - {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} - secretName: {{ template "harbor.tlsSecretForNginx" . }} - {{- end }} - {{- end }} - {{- if .Values.uaaSecretName }} - - name: auth-ca-cert - secret: - secretName: {{ .Values.uaaSecretName }} - items: - - key: ca.crt - path: auth-ca.crt - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: core-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.core.secretName" . }} - {{- end }} - - name: psc - emptyDir: {} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.core.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.core.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.core.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core + app.kubernetes.io/component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: core + app.kubernetes.io/component: core +{{- if .Values.core.podLabels }} +{{ toYaml .Values.core.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.core.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: core +{{- end }} +{{- end }} + {{- with .Values.core.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + {{- if .Values.core.existingXsrfSecret }} + - name: CSRF_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.core.existingXsrfSecret }} + key: {{ .Values.core.existingXsrfSecretKey }} + {{- end }} +{{- with .Values.core.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000..8727156 --- /dev/null +++ b/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,78 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 7ead3f3..ea9d4cf 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -1,18 +1,37 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - secretKey: {{ .Values.secretKey | b64enc | quote }} - secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} -{{- if not .Values.core.secretName }} - tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }} - tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} -{{- end }} - HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} - POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} - REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} - CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingSecret }} + secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingXsrfSecret }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }} + {{- end }} +{{- if .Values.core.configureUserSettings }} + CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} +{{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/templates/core/core-svc.yaml b/templates/core/core-svc.yaml index de46198..f918eb3 100644 --- a/templates/core/core-svc.yaml +++ b/templates/core/core-svc.yaml @@ -1,16 +1,26 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.core" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: -{{- if (eq .Values.expose.ingress.controller "gce") }} - type: NodePort -{{- end }} - ports: - - port: {{ template "harbor.core.servicePort" . }} - targetPort: {{ template "harbor.core.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: core +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/templates/core/core-tls.yaml b/templates/core/core-tls.yaml index 1c24eeb..d90d30c 100644 --- a/templates/core/core-tls.yaml +++ b/templates/core/core-tls.yaml @@ -1,15 +1,16 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.core.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml index 4b09db1..0d07ec2 100644 --- a/templates/database/database-secret.yaml +++ b/templates/database/database-secret.yaml @@ -1,11 +1,12 @@ -{{- if eq .Values.database.type "internal" -}} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} -{{- end -}} +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index 6a53fe7..9bd5c09 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -1,139 +1,163 @@ -{{- if eq .Values.database.type "internal" -}} -{{- $database := .Values.persistence.persistentVolumeClaim.database -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: database -spec: - replicas: 1 - serviceName: "{{ template "harbor.database" . }}" - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: database - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: database - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} -{{- if .Values.database.podAnnotations }} -{{ toYaml .Values.database.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} -{{- if .Values.database.internal.serviceAccountName }} - serviceAccountName: {{ .Values.database.internal.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - initContainers: - - name: "change-permission-of-directory" - securityContext: - runAsUser: 0 -{{- if contains "/" .Values.database.internal.image.repository }} - image: "{{ .Values.database.internal.image.repository }}" -{{- else }} - image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - command: ["/bin/sh"] - args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"] - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - - name: "remove-lost-found" -{{- if contains "/" .Values.database.internal.image.repository }} - image: "{{ .Values.database.internal.image.repository }}" -{{- else }} - image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - containers: - - name: database -{{- if contains "/" .Values.database.internal.image.repository }} - image: "{{ .Values.database.internal.image.repository }}" -{{- else }} - image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - livenessProbe: - exec: - command: - - /docker-healthcheck.sh - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - exec: - command: - - /docker-healthcheck.sh - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.database.internal.resources }} - resources: -{{ toYaml .Values.database.internal.resources | indent 10 }} -{{- end }} - envFrom: - - secretRef: - name: "{{ template "harbor.database" . }}" - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} - {{- if not .Values.persistence.enabled }} - volumes: - - name: "database-data" - emptyDir: {} - {{- else if $database.existingClaim }} - volumes: - - name: "database-data" - persistentVolumeClaim: - claimName: {{ $database.existingClaim }} - {{- end -}} - {{- with .Values.database.internal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.database.internal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if and .Values.persistence.enabled (not $database.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: "database-data" - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $database.accessMode | quote }}] - {{- if $database.storageClass }} - {{- if (eq "-" $database.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $database.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $database.size | quote }} - {{- end -}} - {{- end -}} +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database + app.kubernetes.io/component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database + app.kubernetes.io/component: database +{{- if .Values.database.podLabels }} +{{ toYaml .Values.database.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + {{- with .Values.database.internal.extrInitContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" +{{- with .Values.database.internal.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.legacy.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/templates/database/database-svc.yaml b/templates/database/database-svc.yaml index 05a5134..e2085a0 100644 --- a/templates/database/database-svc.yaml +++ b/templates/database/database-svc.yaml @@ -1,14 +1,15 @@ -{{- if eq .Values.database.type "internal" -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.database" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 5432 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: database -{{- end -}} \ No newline at end of file +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} diff --git a/templates/exporter/exporter-cm-env.yaml b/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000..3f91103 --- /dev/null +++ b/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,36 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000..32fac20 --- /dev/null +++ b/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,147 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter + app.kubernetes.io/component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter + app.kubernetes.io/component: exporter +{{- if .Values.exporter.podLabels }} +{{ toYaml .Values.exporter.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/exporter/exporter-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/exporter/exporter-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} +{{- with .Values.exporter.topologySpreadConstraints }} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: exporter +{{- end }} +{{- end }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} +{{- with .Values.exporter.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + ports: + - containerPort: {{ .Values.metrics.exporter.port }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000..02c74d0 --- /dev/null +++ b/templates/exporter/exporter-secret.yaml @@ -0,0 +1,17 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/templates/exporter/exporter-svc.yaml b/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000..6d0d831 --- /dev/null +++ b/templates/exporter/exporter-svc.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml index e518ba9..06096b8 100644 --- a/templates/ingress/ingress.yaml +++ b/templates/ingress/ingress.yaml @@ -1,135 +1,132 @@ -{{- if eq .Values.expose.type "ingress" }} -{{- $ingress := .Values.expose.ingress -}} -{{- $tls := .Values.expose.tls -}} -{{- if eq .Values.expose.ingress.controller "gce" }} - {{- $_ := set . "portal_path" "/*" -}} - {{- $_ := set . "api_path" "/api/*" -}} - {{- $_ := set . "service_path" "/service/*" -}} - {{- $_ := set . "v2_path" "/v2/*" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} - {{- $_ := set . "controller_path" "/c/*" -}} - {{- $_ := set . "notary_path" "/" -}} -{{- else if eq .Values.expose.ingress.controller "ncp" }} - {{- $_ := set . "portal_path" "/.*" -}} - {{- $_ := set . "api_path" "/api/.*" -}} - {{- $_ := set . "service_path" "/service/.*" -}} - {{- $_ := set . "v2_path" "/v2/.*" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} - {{- $_ := set . "controller_path" "/c/.*" -}} - {{- $_ := set . "notary_path" "/.*" -}} -{{- else }} - {{- $_ := set . "portal_path" "/" -}} - {{- $_ := set . "api_path" "/api" -}} - {{- $_ := set . "service_path" "/service" -}} - {{- $_ := set . "v2_path" "/v2" -}} - {{- $_ := set . "chartrepo_path" "/chartrepo" -}} - {{- $_ := set . "controller_path" "/c" -}} - {{- $_ := set . "notary_path" "/" -}} -{{- end }} - ---- -{{- if not (.Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1") -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: extensions/v1beta1 -{{- else }} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: "{{ template "harbor.ingress" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - annotations: -{{ toYaml $ingress.annotations | indent 4 }} -{{- if .Values.internalTLS.enabled }} - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -{{- end }} -{{- if eq .Values.expose.ingress.controller "ncp" }} - ncp/use-regex: "true" - {{- if $tls.enabled }} - ncp/http-redirect: "true" - {{- end }} -{{- end }} -spec: - {{- if $tls.enabled }} - tls: - - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} - {{- if $ingress.hosts.core }} - hosts: - - {{ $ingress.hosts.core }}.{{ $.Values.global.host }} - {{- end }} - {{- end }} - rules: - - http: - paths: - - path: {{ .portal_path }} - backend: - serviceName: {{ template "harbor.portal" . }} - servicePort: {{ template "harbor.portal.servicePort" . }} - - path: {{ .api_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .service_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .v2_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .chartrepo_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - - path: {{ .controller_path }} - backend: - serviceName: {{ template "harbor.core" . }} - servicePort: {{ template "harbor.core.servicePort" . }} - {{- if $ingress.hosts.core }} - host: {{ $ingress.hosts.core }}.{{ $.Values.global.host }} - {{- end }} - -{{- if .Values.notary.enabled }} ---- -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: extensions/v1beta1 -{{- else }} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: "{{ template "harbor.ingress-notary" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - annotations: -{{ toYaml $ingress.annotations | indent 4 }} -{{- if eq .Values.expose.ingress.controller "ncp" }} - ncp/use-regex: "true" - {{- if $tls.enabled }} - ncp/http-redirect: "true" - {{- end }} -{{- end }} -spec: - {{- if $tls.enabled }} - tls: - - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }} - {{- if $ingress.hosts.notary }} - hosts: - - {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} - {{- end }} - {{- end }} - rules: - - http: - paths: - - path: {{ .notary_path }} - backend: - serviceName: {{ template "harbor.notary-server" . }} - servicePort: 4443 - {{- if $ingress.hosts.notary }} - host: {{ $ingress.hosts.notary }}.{{ $.Values.global.host }} - {{- end }} -{{- end }} - -{{- end }} -{{- end }} \ No newline at end of file +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "path_type" "ImplementationSpecific" -}} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "path_type" "Prefix" -}} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} +{{- else }} + {{- $_ := set . "path_type" "Prefix" -}} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "controller_path" "/c/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.labels }} +{{ toYaml $ingress.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: {{ .path_type }} + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: {{ .path_type }} + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: {{ .path_type }} + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: {{ .path_type }} + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: {{ .path_type }} + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- end }} diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml index de990ed..90ba275 100644 --- a/templates/ingress/secret.yaml +++ b/templates/ingress/secret.yaml @@ -1,15 +1,16 @@ -{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} -{{- $ca := genCA "harbor-ca" 365 }} -{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.ingress" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} -{{- end }} \ No newline at end of file +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} diff --git a/templates/internal/auto-tls.yaml b/templates/internal/auto-tls.yaml index 8f11d6c..32807cf 100644 --- a/templates/internal/auto-tls.yaml +++ b/templates/internal/auto-tls.yaml @@ -1,115 +1,86 @@ -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} -{{- $ca := genCA "harbor-internal-ca" 365 }} -{{- $coreCN := (include "harbor.core" .) }} -{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} -{{- $jsCN := (include "harbor.jobservice" .) }} -{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} -{{- $regCN := (include "harbor.registry" .) }} -{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} -{{- $portalCN := (include "harbor.portal" .) }} -{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.core.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $coreCrt.Cert | b64enc | quote }} - tls.key: {{ $coreCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $jsCrt.Cert | b64enc | quote }} - tls.key: {{ $jsCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.registry.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $regCrt.Cert | b64enc | quote }} - tls.key: {{ $regCrt.Key | b64enc | quote }} - ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.portal.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $portalCrt.Cert | b64enc | quote }} - tls.key: {{ $portalCrt.Key | b64enc | quote }} - -{{- if .Values.chartmuseum.enabled }} ---- -{{- $chartCN := (include "harbor.chartmuseum" .) }} -{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $chartCrt.Cert | b64enc | quote }} - tls.key: {{ $chartCrt.Key | b64enc | quote }} -{{- end }} - -{{- if .Values.clair.enabled }} ---- -{{- $clairCN := (include "harbor.clair" .) }} -{{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.clair.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $clairCrt.Cert | b64enc | quote }} - tls.key: {{ $clairCrt.Key | b64enc | quote }} -{{- end }} - -{{- if and .Values.trivy.enabled}} ---- -{{- $trivyCN := (include "harbor.trivy" .) }} -{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} - tls.key: {{ $trivyCrt.Key | b64enc | quote }} -{{- end }} - -{{- end }} \ No newline at end of file +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} diff --git a/templates/jobservice/jobservice-cm-env.yaml b/templates/jobservice/jobservice-cm-env.yaml index 7a375b8..f135913 100644 --- a/templates/jobservice/jobservice-cm-env.yaml +++ b/templates/jobservice/jobservice-cm-env.yaml @@ -1,17 +1,37 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.jobservice" . }}-env" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - CORE_URL: "{{ template "harbor.coreURL" . }}" - TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" - REGISTRY_URL: "{{ template "harbor.registryURL" . }}" - REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" - REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" - {{- if has "jobservice" .Values.proxy.components }} - HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" - HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" - NO_PROXY: "{{ template "harbor.noProxy" . }}" - {{- end }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + LOG_LEVEL: "{{ .Values.logLevel }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} diff --git a/templates/jobservice/jobservice-cm.yaml b/templates/jobservice/jobservice-cm.yaml index 6a109a3..c950e67 100644 --- a/templates/jobservice/jobservice-cm.yaml +++ b/templates/jobservice/jobservice-cm.yaml @@ -1,46 +1,58 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - #Server listening port - protocol: "{{ template "harbor.component.scheme" . }}" - port: {{ template "harbor.jobservice.containerPort". }} - {{- if .Values.internalTLS.enabled }} - https_config: - cert: "/etc/harbor/ssl/jobservice/tls.crt" - key: "/etc/harbor/ssl/jobservice/tls.key" - {{- end }} - worker_pool: - workers: {{ .Values.jobservice.maxJobWorkers }} - backend: "redis" - redis_pool: - redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" - namespace: "harbor_job_service_namespace" - idle_timeout_second: 3600 - job_loggers: - {{- if eq .Values.jobservice.jobLogger "file" }} - - name: "FILE" - level: {{ .Values.logLevel | upper }} - settings: # Customized settings of logger - base_dir: "/var/log/jobs" - sweeper: - duration: 14 #days - settings: # Customized settings of sweeper - work_dir: "/var/log/jobs" - {{- else if eq .Values.jobservice.jobLogger "database" }} - - name: "DB" - level: {{ .Values.logLevel | upper }} - sweeper: - duration: 14 #days - {{- else }} - - name: "STD_OUTPUT" - level: {{ .Values.logLevel | upper }} - {{- end }} - #Loggers for the job service - loggers: - - name: "STD_OUTPUT" - level: {{ .Values.logLevel | upper }} \ No newline at end of file +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index 4ba94a9..3e42669 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -1,144 +1,183 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: jobservice -spec: - replicas: {{ .Values.jobservice.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: jobservice - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: jobservice - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} - checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.jobservice.podAnnotations }} -{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - securityContext: - fsGroup: 10000 -{{- if .Values.jobservice.serviceAccountName }} - serviceAccountName: {{ .Values.jobservice.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: jobservice -{{- if contains "/" .Values.jobservice.image.repository }} - image: "{{ .Values.jobservice.image.repository }}" -{{- else }} - image: "{{ .Values.jobservice.image.hub | default .Values.global.hub }}/{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /api/v1/stats - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.jobservice.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v1/stats - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.jobservice.containerPort" . }} - initialDelaySeconds: 20 - periodSeconds: 10 -{{- if .Values.jobservice.resources }} - resources: -{{ toYaml .Values.jobservice.resources | indent 10 }} -{{- end }} - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/jobservice/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/jobservice/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/jobservice/ca.crt - {{- end }} - envFrom: - - configMapRef: - name: "{{ template "harbor.jobservice" . }}-env" - - secretRef: - name: "{{ template "harbor.jobservice" . }}" - ports: - - containerPort: {{ template "harbor.jobservice.containerPort" . }} - volumeMounts: - - name: jobservice-config - mountPath: /etc/jobservice/config.yml - subPath: config.yml - - name: job-logs - mountPath: /var/log/jobs - subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }} - {{- if .Values.internalTLS.enabled }} - - name: jobservice-internal-certs - mountPath: /etc/harbor/ssl/jobservice - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: jobservice-config - configMap: - name: "{{ template "harbor.jobservice" . }}" - - name: job-logs - {{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: jobservice-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.jobservice.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.jobservice.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice + app.kubernetes.io/component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice + app.kubernetes.io/component: jobservice +{{- if .Values.jobservice.podLabels }} +{{ toYaml .Values.jobservice.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.jobservice.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: jobservice +{{- end }} +{{- end }} + {{- with .Values.jobservice.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + {{- if .Values.jobservice.existingSecret }} + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.jobservice.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/templates/jobservice/jobservice-pvc.yaml b/templates/jobservice/jobservice-pvc.yaml index 9c8fc9b..eb781ee 100644 --- a/templates/jobservice/jobservice-pvc.yaml +++ b/templates/jobservice/jobservice-pvc.yaml @@ -1,29 +1,32 @@ -{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}} -{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }} -{{- if eq .Values.jobservice.jobLogger "file" }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.jobservice" . }} - {{- if eq .Values.persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: jobservice -spec: - accessModes: - - {{ $jobservice.accessMode }} - resources: - requests: - storage: {{ $jobservice.size }} - {{- if $jobservice.storageClass }} - {{- if eq "-" $jobservice.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $jobservice.storageClass }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} \ No newline at end of file +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice + app.kubernetes.io/component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index 6cab65e..7706c35 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml @@ -1,10 +1,17 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} - REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.jobservice.existingSecret }} + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/templates/jobservice/jobservice-svc.yaml b/templates/jobservice/jobservice-svc.yaml index 5b98b21..483b40e 100644 --- a/templates/jobservice/jobservice-svc.yaml +++ b/templates/jobservice/jobservice-svc.yaml @@ -1,13 +1,19 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.jobservice" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.jobservice.servicePort" . }} - targetPort: {{ template "harbor.jobservice.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: jobservice +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/templates/jobservice/jobservice-tls.yaml b/templates/jobservice/jobservice-tls.yaml index 902c3c4..58809ec 100644 --- a/templates/jobservice/jobservice-tls.yaml +++ b/templates/jobservice/jobservice-tls.yaml @@ -1,15 +1,16 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/templates/metrics/metrics-svcmon.yaml b/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000..d566285 --- /dev/null +++ b/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/templates/nginx/configmap-http.yaml b/templates/nginx/configmap-http.yaml index 085aaf6..93ef76e 100644 --- a/templates/nginx/configmap-http.yaml +++ b/templates/nginx/configmap-http.yaml @@ -1,150 +1,136 @@ -{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} -{{- $scheme := (include "harbor.component.scheme" .) -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 1024; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; - } - - upstream portal { - server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; - } - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - server { - listen 8080; - server_tokens off; - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # Add extra headers - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass {{ $scheme }}://portal/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass {{ $scheme }}://core/api/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass {{ $scheme }}://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass {{ $scheme }}://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass {{ $scheme }}://core/service/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - } -{{- end }} +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/templates/nginx/configmap-https.yaml b/templates/nginx/configmap-https.yaml index 92dd43a..390caf2 100644 --- a/templates/nginx/configmap-https.yaml +++ b/templates/nginx/configmap-https.yaml @@ -1,221 +1,171 @@ -{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} -{{- $scheme := (include "harbor.component.scheme" .) -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 1024; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; - } - - upstream portal { - server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; - } - - {{- if .Values.notary.enabled }} - upstream notary-server { - server {{ template "harbor.notary-server" . }}:4443; - } - {{- end }} - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - {{- if .Values.notary.enabled }} - server { - listen 4443 ssl; - server_tokens off; - # ssl - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html - ssl_protocols tlsv1.1 tlsv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:ssl:10m; - - # disable any limits to avoid http 413 for large image uploads - client_max_body_size 0; - - # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - location /v2/ { - proxy_pass http://notary-server/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_request_buffering off; - } - } - {{- end }} - - server { - listen 8443 ssl; - # server_name harbordomain.com; - server_tokens off; - # SSL - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - # Add extra headers - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass {{ $scheme }}://portal/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; HttpOnly; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass {{ $scheme }}://core/api/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass {{ $scheme }}://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass {{ $scheme }}://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass {{ $scheme }}://core/service/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - server { - listen 8080; - #server_name harbordomain.com; - return 301 https://$host$request_uri; - } - } -{{- end }} +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index 9903d8a..04faa37 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml @@ -1,111 +1,133 @@ -{{- if ne .Values.expose.type "ingress" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: nginx -spec: - replicas: {{ .Values.nginx.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: nginx - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: nginx - annotations: - {{- if not .Values.expose.tls.enabled }} - checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} - {{- else }} - checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} - {{- end }} - {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} - checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} - {{- end }} -{{- if .Values.nginx.podAnnotations }} -{{ toYaml .Values.nginx.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} -{{- if .Values.nginx.serviceAccountName }} - serviceAccountName: {{ .Values.nginx.serviceAccountName }} -{{- end }} - securityContext: - fsGroup: 10000 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: nginx -{{- if contains "/" .Values.nginx.image.repository }} - image: "{{ .Values.nginx.image.repository }}" -{{- else }} - image: "{{ .Values.nginx.image.hub | default .Values.global.hub }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - {{- $_ := set . "scheme" "HTTP" -}} - {{- $_ := set . "port" "8080" -}} - {{- if .Values.expose.tls.enabled }} - {{- $_ := set . "scheme" "HTTPS" -}} - {{- $_ := set . "port" "8443" -}} - {{- end }} - livenessProbe: - httpGet: - scheme: {{ .scheme }} - path: / - port: {{ .port }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - scheme: {{ .scheme }} - path: / - port: {{ .port }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.nginx.resources }} - resources: -{{ toYaml .Values.nginx.resources | indent 10 }} -{{- end }} - ports: - - containerPort: 8080 - - containerPort: 8443 - - containerPort: 4443 - volumeMounts: - - name: config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - {{- if .Values.expose.tls.enabled }} - - name: certificate - mountPath: /etc/nginx/cert - {{- end }} - volumes: - - name: config - configMap: - name: {{ template "harbor.nginx" . }} - {{- if .Values.expose.tls.enabled }} - - name: certificate - secret: - secretName: {{ template "harbor.tlsSecretForNginx" . }} - {{- end }} - {{- with .Values.nginx.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- end }} +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx + app.kubernetes.io/component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx + app.kubernetes.io/component: nginx +{{- if .Values.nginx.podLabels }} +{{ toYaml .Values.nginx.podLabels | indent 8 }} +{{- end }} + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} +{{- with .Values.nginx.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: nginx +{{- end }} +{{- end }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} +{{- with .Values.nginx.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + ports: + - containerPort: 8080 + {{- if .Values.expose.tls.enabled }} + - containerPort: 8443 + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/templates/nginx/secret.yaml b/templates/nginx/secret.yaml index 9812189..369bd65 100644 --- a/templates/nginx/secret.yaml +++ b/templates/nginx/secret.yaml @@ -1,23 +1,24 @@ -{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} -{{- $ca := genCA "harbor-ca" 365 }} -{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.nginx" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} - {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- else }} - {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - {{- end }} -{{- end }} \ No newline at end of file +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml index a025a7c..7eac84e 100644 --- a/templates/nginx/service.yaml +++ b/templates/nginx/service.yaml @@ -1,92 +1,95 @@ -{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} -apiVersion: v1 -kind: Service -metadata: -{{- if eq .Values.expose.type "clusterIP" }} -{{- $clusterIP := .Values.expose.clusterIP }} - name: {{ $clusterIP.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - type: ClusterIP - ports: - - name: http - port: {{ $clusterIP.ports.httpPort }} - targetPort: 8080 - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $clusterIP.ports.httpsPort }} - targetPort: 8443 - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $clusterIP.ports.notaryPort }} - targetPort: 4443 - {{- end }} -{{- else if eq .Values.expose.type "nodePort" }} -{{- $nodePort := .Values.expose.nodePort }} - name: {{ $nodePort.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - type: NodePort - ports: - - name: http - port: {{ $nodePort.ports.http.port }} - targetPort: 8080 - {{- if $nodePort.ports.http.nodePort }} - nodePort: {{ $nodePort.ports.http.nodePort }} - {{- end }} - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $nodePort.ports.https.port }} - targetPort: 8443 - {{- if $nodePort.ports.https.nodePort }} - nodePort: {{ $nodePort.ports.https.nodePort }} - {{- end }} - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $nodePort.ports.notary.port }} - targetPort: 4443 - {{- if $nodePort.ports.notary.nodePort }} - nodePort: {{ $nodePort.ports.notary.nodePort }} - {{- end }} - {{- end }} -{{- else if eq .Values.expose.type "loadBalancer" }} -{{- $loadBalancer := .Values.expose.loadBalancer }} - name: {{ $loadBalancer.name }} - labels: -{{ include "harbor.labels" . | indent 4 }} -{{- with $loadBalancer.annotations }} - annotations: - {{- toYaml . | nindent 4 }} -{{- end }} -spec: - type: LoadBalancer - {{- with $loadBalancer.sourceRanges }} - loadBalancerSourceRanges: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- if $loadBalancer.IP }} - loadBalancerIP: {{ $loadBalancer.IP }} - {{- end }} - ports: - - name: http - port: {{ $loadBalancer.ports.httpPort }} - targetPort: 8080 - {{- if .Values.expose.tls.enabled }} - - name: https - port: {{ $loadBalancer.ports.httpsPort }} - targetPort: 8443 - {{- end }} - {{- if .Values.notary.enabled }} - - name: notary - port: {{ $loadBalancer.ports.notaryPort }} - targetPort: 4443 - {{- end }} -{{- end }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: nginx -{{- end }} +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if .Values.expose.clusterIP.labels }} +{{ toYaml $clusterIP.labels | indent 4 }} +{{- end }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.expose.clusterIP.staticClusterIP }} + clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }} + {{- end }} + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if .Values.expose.nodePort.labels }} +{{ toYaml $nodePort.labels | indent 4 }} +{{- end }} +{{- with $nodePort.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if .Values.expose.loadBalancer.labels }} +{{ toYaml $loadBalancer.labels | indent 4 }} +{{- end }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/templates/notary/notary-secret.yaml b/templates/notary/notary-secret.yaml deleted file mode 100644 index a13185a..0000000 --- a/templates/notary/notary-secret.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if and .Values.notary.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary -type: Opaque -data: - {{- if not .Values.notary.secretName }} - {{- $ca := genCA "harbor-notary-ca" 365 }} - {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $cert.Cert | b64enc | quote }} - tls.key: {{ $cert.Key | b64enc | quote }} - {{- end }} - server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }} - signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }} -{{- end }} diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml deleted file mode 100644 index 814a7ea..0000000 --- a/templates/notary/notary-server.yaml +++ /dev/null @@ -1,97 +0,0 @@ -{{ if .Values.notary.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary-server -spec: - replicas: {{ .Values.notary.server.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: notary-server - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: notary-server - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if .Values.notary.podAnnotations }} -{{ toYaml .Values.notary.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - securityContext: - fsGroup: 10000 -{{- if .Values.notary.server.serviceAccountName }} - serviceAccountName: {{ .Values.notary.server.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: notary-server -{{- if contains "/" .Values.notary.server.image.repository }} - image: "{{ .Values.notary.server.image.repository }}" -{{- else }} - image: "{{ .Values.notary.server.image.hub | default .Values.global.hub }}/{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" -{{- if .Values.notary.server.resources }} - resources: -{{ toYaml .Values.notary.server.resources | indent 10 }} -{{- end }} - env: - - name: MIGRATIONS_PATH - value: migrations/server/postgresql - - name: DB_URL - value: {{ template "harbor.database.notaryServer" . }} - volumeMounts: - - name: config - mountPath: /etc/notary/server-config.postgres.json - subPath: server.json - - name: token-service-certificate - mountPath: /root.crt - subPath: tls.crt - - name: signer-certificate - mountPath: /etc/ssl/notary/ca.crt - subPath: ca.crt - volumes: - - name: config - secret: - secretName: "{{ template "harbor.notary-server" . }}" - - name: token-service-certificate - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - - name: signer-certificate - secret: - {{- if .Values.notary.secretName }} - secretName: {{ .Values.notary.secretName }} - {{- else }} - secretName: {{ template "harbor.notary-server" . }} - {{- end }} - {{- with .Values.notary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml deleted file mode 100644 index a3697ab..0000000 --- a/templates/notary/notary-signer.yaml +++ /dev/null @@ -1,84 +0,0 @@ -{{ if .Values.notary.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "harbor.notary-signer" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: notary-signer -spec: - replicas: {{ .Values.notary.signer.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: notary-signer - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: notary-signer - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} - spec: - securityContext: - fsGroup: 10000 -{{- if .Values.notary.signer.serviceAccountName }} - serviceAccountName: {{ .Values.notary.signer.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: notary-signer -{{- if contains "/" .Values.notary.signer.image.repository }} - image: "{{ .Values.notary.signer.image.repository }}" -{{- else }} - image: "{{ .Values.notary.signer.image.hub | default .Values.global.hub }}/{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" -{{- if .Values.notary.signer.resources }} - resources: -{{ toYaml .Values.notary.signer.resources | indent 10 }} -{{- end }} - env: - - name: MIGRATIONS_PATH - value: migrations/signer/postgresql - - name: DB_URL - value: {{ template "harbor.database.notarySigner" . }} - - name: NOTARY_SIGNER_DEFAULTALIAS - value: defaultalias - volumeMounts: - - name: config - mountPath: /etc/notary/signer-config.postgres.json - subPath: signer.json - - name: signer-certificate - mountPath: /etc/ssl/notary/tls.crt - subPath: tls.crt - - name: signer-certificate - mountPath: /etc/ssl/notary/tls.key - subPath: tls.key - volumes: - - name: config - secret: - secretName: "{{ template "harbor.notary-server" . }}" - - name: signer-certificate - secret: - {{- if .Values.notary.secretName }} - secretName: {{ .Values.notary.secretName }} - {{- else }} - secretName: {{ template "harbor.notary-server" . }} - {{- end }} - {{- with .Values.notary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.notary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{ end }} diff --git a/templates/notary/notary-svc.yaml b/templates/notary/notary-svc.yaml deleted file mode 100644 index 2bca7ed..0000000 --- a/templates/notary/notary-svc.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{ if .Values.notary.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.notary-server" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: -{{- if (eq .Values.expose.ingress.controller "gce") }} - type: NodePort -{{- end }} - ports: - - port: 4443 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: notary-server - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.notary-signer" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 7899 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: notary-signer -{{ end }} \ No newline at end of file diff --git a/templates/portal/configmap.yaml b/templates/portal/configmap.yaml index 773cfe2..af56783 100644 --- a/templates/portal/configmap.yaml +++ b/templates/portal/configmap.yaml @@ -1,50 +1,68 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - server { - {{- if .Values.internalTLS.enabled }} - listen {{ template "harbor.portal.containerPort" . }} ssl; - # SSL - ssl_certificate /etc/harbor/ssl/portal/tls.crt; - ssl_certificate_key /etc/harbor/ssl/portal/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.2; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - {{- else }} - listen {{ template "harbor.portal.containerPort" . }}; - {{- end }} - server_name localhost; - root /usr/share/nginx/html; - index index.html index.htm; - include /etc/nginx/mime.types; - gzip on; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; - location / { - try_files $uri $uri/ /index.html; - } - location = /index.html { - add_header Cache-Control "no-store, no-cache, must-revalidate"; - } - } - } +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index 781e690..88bcd49 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml @@ -1,96 +1,124 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: portal -spec: - replicas: {{ .Values.portal.replicas }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: portal - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: portal - annotations: -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.portal.podAnnotations }} -{{ toYaml .Values.portal.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- if .Values.portal.serviceAccountName }} - serviceAccountName: {{ .Values.portal.serviceAccountName }} -{{- end }} - containers: - - name: portal -{{- if contains "/" .Values.portal.image.repository }} - image: "{{ .Values.portal.image.repository }}" -{{- else }} - image: "{{ .Values.portal.image.hub | default .Values.global.hub }}/{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" -{{- if .Values.portal.resources }} - resources: -{{ toYaml .Values.portal.resources | indent 10 }} -{{- end }} - livenessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.portal.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.portal.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 - ports: - - containerPort: {{ template "harbor.portal.containerPort" . }} - volumeMounts: - - name: portal-config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - {{- if .Values.internalTLS.enabled }} - - name: portal-internal-certs - mountPath: /etc/harbor/ssl/portal - {{- end }} - volumes: - - name: portal-config - configMap: - name: "{{ template "harbor.portal" . }}" - {{- if .Values.internalTLS.enabled }} - - name: portal-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.portal.secretName" . }} - {{- end }} - {{- with .Values.portal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.portal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.portal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal + app.kubernetes.io/component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: portal + app.kubernetes.io/component: portal +{{- if .Values.portal.podLabels }} +{{ toYaml .Values.portal.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} +{{- with .Values.portal.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: portal +{{- end }} +{{- end }} + {{- with .Values.portal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} +{{- with .Values.portal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/templates/portal/service.yaml b/templates/portal/service.yaml index c1523d8..c1273f0 100644 --- a/templates/portal/service.yaml +++ b/templates/portal/service.yaml @@ -1,13 +1,21 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.portal" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: {{ template "harbor.portal.servicePort" . }} - targetPort: {{ template "harbor.portal.containerPort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: portal +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.portal.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/templates/portal/tls.yaml b/templates/portal/tls.yaml index 023143b..e61a7d3 100644 --- a/templates/portal/tls.yaml +++ b/templates/portal/tls.yaml @@ -1,15 +1,16 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.portal.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} -{{- end }} -{{- end }} +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/templates/redis/service.yaml b/templates/redis/service.yaml index 46d466e..61c21d1 100644 --- a/templates/redis/service.yaml +++ b/templates/redis/service.yaml @@ -1,14 +1,15 @@ -{{- if eq .Values.redis.type "internal" -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "harbor.redis" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - port: 6379 - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: redis -{{- end -}} \ No newline at end of file +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index 8b55798..fa5dd22 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -1,107 +1,126 @@ -{{- if eq .Values.redis.type "internal" -}} -{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "harbor.redis" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: redis -spec: - replicas: 1 - serviceName: {{ template "harbor.redis" . }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: redis - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: redis -{{- if .Values.redis.podAnnotations }} - annotations: -{{ toYaml .Values.redis.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - securityContext: - fsGroup: 999 -{{- if .Values.redis.internal.serviceAccountName }} - serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: redis -{{- if contains "/" .Values.redis.internal.image.repository }} - image: "{{ .Values.redis.internal.image.repository }}" -{{- else }} - image: "{{ .Values.redis.internal.image.hub | default .Values.global.hub }}/{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - tcpSocket: - port: 6379 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 6379 - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.redis.internal.resources }} - resources: -{{ toYaml .Values.redis.internal.resources | indent 10 }} -{{- end }} - volumeMounts: - - name: data - mountPath: /var/lib/redis - subPath: {{ $redis.subPath }} - {{- if not .Values.persistence.enabled }} - volumes: - - name: data - emptyDir: {} - {{- else if $redis.existingClaim }} - volumes: - - name: data - persistentVolumeClaim: - claimName: {{ $redis.existingClaim }} - {{- end -}} - {{- with .Values.redis.internal.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.redis.internal.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.redis.internal.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $redis.accessMode | quote }}] - {{- if $redis.storageClass }} - {{- if (eq "-" $redis.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $redis.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $redis.size | quote }} - {{- end -}} - {{- end -}} +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis + app.kubernetes.io/component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis + app.kubernetes.io/component: redis +{{- if .Values.redis.podLabels }} +{{ toYaml .Values.redis.podLabels | indent 8 }} +{{- end }} +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + {{- with .Values.redis.internal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} +{{- with .Values.redis.internal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.legacy.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml index c1bba9c..2ef398e 100644 --- a/templates/registry/registry-cm.yaml +++ b/templates/registry/registry-cm.yaml @@ -1,224 +1,248 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -data: - config.yml: |+ - version: 0.1 - log: - {{- if eq .Values.logLevel "warning" }} - level: warn - {{- else if eq .Values.logLevel "fatal" }} - level: error - {{- else }} - level: {{ .Values.logLevel }} - {{- end }} - fields: - service: registry - storage: - {{- $storage := .Values.persistence.imageChartStorage }} - {{- $type := $storage.type }} - {{- if eq $type "filesystem" }} - filesystem: - rootdirectory: {{ $storage.filesystem.rootdirectory }} - {{- if $storage.filesystem.maxthreads }} - maxthreads: {{ $storage.filesystem.maxthreads }} - {{- end }} - {{- else if eq $type "azure" }} - azure: - accountname: {{ $storage.azure.accountname }} - container: {{ $storage.azure.container }} - {{- if $storage.azure.realm }} - realm: {{ $storage.azure.realm }} - {{- end }} - {{- else if eq $type "gcs" }} - gcs: - bucket: {{ $storage.gcs.bucket }} - keyfile: /etc/registry/gcs-key.json - {{- if $storage.gcs.rootdirectory }} - rootdirectory: {{ $storage.gcs.rootdirectory }} - {{- end }} - {{- if $storage.gcs.chunksize }} - chunksize: {{ $storage.gcs.chunksize }} - {{- end }} - {{- else if eq $type "s3" }} - s3: - region: {{ $storage.s3.region }} - bucket: {{ $storage.s3.bucket }} - {{- if $storage.s3.regionendpoint }} - regionendpoint: {{ $storage.s3.regionendpoint }} - {{- end }} - {{- if $storage.s3.encrypt }} - encrypt: {{ $storage.s3.encrypt }} - {{- end }} - {{- if $storage.s3.keyid }} - keyid: {{ $storage.s3.keyid }} - {{- end }} - {{- if $storage.s3.secure }} - secure: {{ $storage.s3.secure }} - {{- end }} - {{- if and $storage.s3.secure $storage.s3.skipverify }} - skipverify: {{ $storage.s3.skipverify }} - {{- end }} - {{- if $storage.s3.v4auth }} - v4auth: {{ $storage.s3.v4auth }} - {{- end }} - {{- if $storage.s3.chunksize }} - chunksize: {{ $storage.s3.chunksize }} - {{- end }} - {{- if $storage.s3.rootdirectory }} - rootdirectory: {{ $storage.s3.rootdirectory }} - {{- end }} - {{- if $storage.s3.storageclass }} - storageclass: {{ $storage.s3.storageclass }} - {{- end }} - {{- if $storage.s3.multipartcopychunksize }} - multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} - {{- end }} - {{- if $storage.s3.multipartcopymaxconcurrency }} - multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} - {{- end }} - {{- if $storage.s3.multipartcopythresholdsize }} - multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} - {{- end }} - {{- else if eq $type "swift" }} - swift: - authurl: {{ $storage.swift.authurl }} - username: {{ $storage.swift.username }} - container: {{ $storage.swift.container }} - {{- if $storage.swift.region }} - region: {{ $storage.swift.region }} - {{- end }} - {{- if $storage.swift.tenant }} - tenant: {{ $storage.swift.tenant }} - {{- end }} - {{- if $storage.swift.tenantid }} - tenantid: {{ $storage.swift.tenantid }} - {{- end }} - {{- if $storage.swift.domain }} - domain: {{ $storage.swift.domain }} - {{- end }} - {{- if $storage.swift.domainid }} - domainid: {{ $storage.swift.domainid }} - {{- end }} - {{- if $storage.swift.trustid }} - trustid: {{ $storage.swift.trustid }} - {{- end }} - {{- if $storage.swift.insecureskipverify }} - insecureskipverify: {{ $storage.swift.insecureskipverify }} - {{- end }} - {{- if $storage.swift.chunksize }} - chunksize: {{ $storage.swift.chunksize }} - {{- end }} - {{- if $storage.swift.prefix }} - prefix: {{ $storage.swift.prefix }} - {{- end }} - {{- if $storage.swift.authversion }} - authversion: {{ $storage.swift.authversion }} - {{- end }} - {{- if $storage.swift.endpointtype }} - endpointtype: {{ $storage.swift.endpointtype }} - {{- end }} - {{- if $storage.swift.tempurlcontainerkey }} - tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} - {{- end }} - {{- if $storage.swift.tempurlmethods }} - tempurlmethods: {{ $storage.swift.tempurlmethods }} - {{- end }} - {{- else if eq $type "oss" }} - oss: - accesskeyid: {{ $storage.oss.accesskeyid }} - region: {{ $storage.oss.region }} - bucket: {{ $storage.oss.bucket }} - {{- if $storage.oss.endpoint }} - endpoint: {{ $storage.oss.endpoint }} - {{- end }} - {{- if $storage.oss.internal }} - internal: {{ $storage.oss.internal }} - {{- end }} - {{- if $storage.oss.encrypt }} - encrypt: {{ $storage.oss.encrypt }} - {{- end }} - {{- if $storage.oss.secure }} - secure: {{ $storage.oss.secure }} - {{- end }} - {{- if $storage.oss.chunksize }} - chunksize: {{ $storage.oss.chunksize }} - {{- end }} - {{- if $storage.oss.rootdirectory }} - rootdirectory: {{ $storage.oss.rootdirectory }} - {{- end }} - {{- end }} - cache: - layerinfo: redis - maintenance: - uploadpurging: - enabled: false - delete: - enabled: true - redirect: - disable: {{ $storage.disableredirect }} - redis: - addr: {{ template "harbor.redis.addr" . }} - {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} - sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} - {{- end }} - db: {{ template "harbor.redis.dbForRegistry" . }} - password: {{ template "harbor.redis.password" . }} - readtimeout: 10s - writetimeout: 10s - dialtimeout: 10s - http: - addr: :{{ template "harbor.registry.containerPort" . }} - relativeurls: {{ .Values.registry.relativeurls }} - {{- if .Values.internalTLS.enabled }} - tls: - certificate: /etc/harbor/ssl/registry/tls.crt - key: /etc/harbor/ssl/registry/tls.key - minimumtls: tls1.2 - {{- end }} - # set via environment variable - # secret: placeholder - debug: - addr: localhost:5001 - auth: - htpasswd: - realm: harbor-registry-basic-realm - path: /etc/registry/passwd - validation: - disabled: true - compatibility: - schema1: - enabled: true - - {{- if .Values.registry.middleware.enabled }} - {{- $middleware := .Values.registry.middleware }} - {{- $middlewareType := $middleware.type }} - {{- if eq $middlewareType "cloudFront" }} - middleware: - storage: - - name: cloudfront - options: - baseurl: {{ $middleware.cloudFront.baseurl }} - privatekey: /etc/registry/pk.pem - keypairid: {{ $middleware.cloudFront.keypairid }} - duration: {{ $middleware.cloudFront.duration }} - ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} - {{- end }} - {{- end }} - ctl-config.yml: |+ - --- - {{- if .Values.internalTLS.enabled }} - protocol: "https" - port: 8443 - https_config: - cert: "/etc/harbor/ssl/registry/tls.crt" - key: "/etc/harbor/ssl/registry/tls.key" - {{- else }} - protocol: "http" - port: 8080 - {{- end }} - log_level: {{ .Values.logLevel }} - registry_config: "/etc/registry/config.yml" +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + enableTLS: {{ template "harbor.redis.enableTLS" . }} + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index a711c26..a86e2ee 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -1,284 +1,431 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} - component: registry -spec: - replicas: {{ .Values.registry.replicas }} - strategy: - type: {{ .Values.updateStrategy.type }} - {{- if eq .Values.updateStrategy.type "Recreate" }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: registry - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: registry - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} - checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} - checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.registry.podAnnotations }} -{{ toYaml .Values.registry.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - securityContext: - fsGroup: 10000 -{{- if .Values.registry.serviceAccountName }} - serviceAccountName: {{ .Values.registry.serviceAccountName }} -{{- end -}} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: registry -{{- if contains "/" .Values.registry.registry.image.repository }} - image: "{{ .Values.registry.registry.image.repository }}" -{{- else }} - image: "{{ .Values.registry.registry.image.hub | default .Values.global.hub }}/{{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registry.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registry.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.registry.registry.resources }} - resources: -{{ toYaml .Values.registry.registry.resources | indent 10 }} -{{- end }} - args: ["serve", "/etc/registry/config.yml"] - envFrom: - - secretRef: - name: "{{ template "harbor.registry" . }}" - env: - {{- if has "registry" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/registry/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/registry/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/registry/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.registry.containerPort" . }} - - containerPort: 5001 - volumeMounts: - - name: registry-data - mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} - subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} - - name: registry-root-certificate - mountPath: /etc/registry/root.crt - subPath: tls.crt - - name: registry-htpasswd - mountPath: /etc/registry/passwd - subPath: passwd - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - mountPath: /etc/harbor/ssl/registry - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/registry/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if .Values.registry.middleware.enabled }} - {{- if eq .Values.registry.middleware.type "cloudFront" }} - - name: cloudfront-key - mountPath: /etc/registry/pk.pem - subPath: pk.pem - {{- end }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - - name: registryctl -{{- if contains "/" .Values.registry.controller.image.repository }} - image: "{{ .Values.registry.controller.image.repository }}" -{{- else }} - image: "{{ .Values.registry.controller.image.hub | default .Values.global.hub }}/{{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - livenessProbe: - httpGet: - path: /api/health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registryctl.containerPort" . }} - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/health - scheme: {{ include "harbor.component.scheme" . | upper }} - port: {{ template "harbor.registryctl.containerPort" . }} - initialDelaySeconds: 1 - periodSeconds: 10 -{{- if .Values.registry.controller.resources }} - resources: -{{ toYaml .Values.registry.controller.resources | indent 10 }} -{{- end }} - envFrom: - - secretRef: - name: "{{ template "harbor.registry" . }}" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.core" . }} - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "harbor.jobservice" . }} - key: JOBSERVICE_SECRET - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: INTERNAL_TLS_KEY_PATH - value: /etc/harbor/ssl/registry/tls.key - - name: INTERNAL_TLS_CERT_PATH - value: /etc/harbor/ssl/registry/tls.crt - - name: INTERNAL_TLS_TRUST_CA_PATH - value: /etc/harbor/ssl/registry/ca.crt - {{- end }} - ports: - - containerPort: {{ template "harbor.registryctl.containerPort" . }} - volumeMounts: - - name: registry-data - mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} - subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: registry-config - mountPath: /etc/registryctl/config.yml - subPath: ctl-config.yml - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - mountPath: /etc/harbor/ssl/registry - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - mountPath: /harbor_cust_cert/custom-ca-bundle.crt - subPath: ca.crt - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - mountPath: /etc/registry/gcs-key.json - subPath: gcs-key.json - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 8 }} - {{- end }} - volumes: - - name: registry-htpasswd - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: REGISTRY_HTPASSWD - path: passwd - - name: registry-root-certificate - secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} - {{- else }} - secretName: {{ template "harbor.core" . }} - {{- end }} - - name: registry-config - configMap: - name: "{{ template "harbor.registry" . }}" - - name: registry-data - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.internalTLS.enabled }} - - name: registry-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.registry.secretName" . }} - {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - - name: gcs-key - secret: - secretName: {{ template "harbor.registry" . }} - items: - - key: GCS_KEY_DATA - path: gcs-key.json - {{- end }} - {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} - - name: storage-service-ca - secret: - secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} - {{- end }} - {{- if .Values.registry.middleware.enabled }} - {{- if eq .Values.registry.middleware.type "cloudFront" }} - - name: cloudfront-key - secret: - secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} - items: - - key: CLOUDFRONT_KEY_DATA - path: pk.pem - {{- end }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- with .Values.registry.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.registry.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry + app.kubernetes.io/component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry + app.kubernetes.io/component: registry +{{- if .Values.registry.podLabels }} +{{ toYaml .Values.registry.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.registry.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: registry +{{- end }} +{{- end }} + {{- with .Values.registry.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.registry.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: {{ ternary .Values.metrics.registry.port 5001 .Values.metrics.enabled }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.controller.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/templates/registry/registry-pvc.yaml b/templates/registry/registry-pvc.yaml index 26e4d69..712c211 100644 --- a/templates/registry/registry-pvc.yaml +++ b/templates/registry/registry-pvc.yaml @@ -1,29 +1,34 @@ -{{- if .Values.persistence.enabled }} -{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} -{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "harbor.registry" . }} - {{- if eq .Values.persistence.resourcePolicy "keep" }} - annotations: - helm.sh/resource-policy: keep - {{- end }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: registry -spec: - accessModes: - - {{ $registry.accessMode }} - resources: - requests: - storage: {{ $registry.size }} - {{- if $registry.storageClass }} - {{- if eq "-" $registry.storageClass }} - storageClassName: "" - {{- else }} - storageClassName: {{ $registry.storageClass }} - {{- end }} - {{- end }} -{{- end }} -{{- end }} \ No newline at end of file +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry + app.kubernetes.io/component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index e636080..11ada3b 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml @@ -1,35 +1,57 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }} - REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} - REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }} - {{- $storage := .Values.persistence.imageChartStorage }} - {{- $type := $storage.type }} - {{- if eq $type "azure" }} - REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} - {{- else if eq $type "gcs" }} - GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} - {{- else if eq $type "s3" }} - {{- if $storage.s3.accesskey }} - REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} - {{- end }} - {{- if $storage.s3.secretkey }} - REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} - {{- end }} - {{- else if eq $type "swift" }} - REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} - {{- if $storage.swift.secretkey }} - REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} - {{- end }} - {{- if $storage.swift.accesskey }} - REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} - {{- end }} - {{- else if eq $type "oss" }} - REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} - {{- end }} +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.registry.existingSecret }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/templates/registry/registry-svc.yaml b/templates/registry/registry-svc.yaml index 64be226..d89ae7d 100644 --- a/templates/registry/registry-svc.yaml +++ b/templates/registry/registry-svc.yaml @@ -1,15 +1,21 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.registry" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: registry - port: {{ template "harbor.registry.servicePort" . }} - - name: controller - port: {{ template "harbor.registryctl.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: registry \ No newline at end of file +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry diff --git a/templates/registry/registry-tls.yaml b/templates/registry/registry-tls.yaml index 8a4b1bf..ec4540c 100644 --- a/templates/registry/registry-tls.yaml +++ b/templates/registry/registry-tls.yaml @@ -1,15 +1,16 @@ -{{- if and .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.registry.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} -{{- end }} -{{- end }} \ No newline at end of file +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/templates/registry/registryctl-cm.yaml b/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000..61b2c5e --- /dev/null +++ b/templates/registry/registryctl-cm.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/templates/registry/registryctl-secret.yaml b/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000..324a2e0 --- /dev/null +++ b/templates/registry/registryctl-secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} diff --git a/templates/trivy/trivy-secret.yaml b/templates/trivy/trivy-secret.yaml index af588a5..b13f880 100644 --- a/templates/trivy/trivy-secret.yaml +++ b/templates/trivy/trivy-secret.yaml @@ -1,12 +1,13 @@ -{{- if .Values.trivy.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "harbor.trivy" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} -type: Opaque -data: - redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} - gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} -{{- end }} +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index 2d3137d..7e34ee9 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml @@ -1,202 +1,231 @@ -{{- if .Values.trivy.enabled }} -{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "harbor.trivy" . }} - labels: -{{ include "harbor.labels" . | indent 4 }} - component: trivy -spec: - replicas: {{ .Values.trivy.replicas }} - serviceName: {{ template "harbor.trivy" . }} - selector: - matchLabels: -{{ include "harbor.matchLabels" . | indent 6 }} - component: trivy - template: - metadata: - labels: -{{ include "harbor.labels" . | indent 8 }} - component: trivy - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} -{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} - checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} -{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} - checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.trivy.podAnnotations }} -{{ toYaml .Values.trivy.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- with .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} -{{- if .Values.trivy.serviceAccountName }} - serviceAccountName: {{ .Values.trivy.serviceAccountName }} -{{- end }} - securityContext: - runAsNonRoot: true - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: trivy -{{- if contains "/" .Values.trivy.image.repository }} - image: "{{ .Values.trivy.image.repository }}" -{{- else }} - image: "{{ .Values.trivy.image.hub | default .Values.global.hub }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}" -{{- end }} - imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}" - securityContext: - privileged: false - allowPrivilegeEscalation: false - env: - {{- if has "trivy" .Values.proxy.components }} - - name: HTTP_PROXY - value: "{{ .Values.proxy.httpProxy }}" - - name: HTTPS_PROXY - value: "{{ .Values.proxy.httpsProxy }}" - - name: NO_PROXY - value: "{{ template "harbor.noProxy" . }}" - {{- end }} - - name: "SCANNER_LOG_LEVEL" - value: {{ .Values.logLevel | quote }} - - name: "SCANNER_TRIVY_CACHE_DIR" - value: "/home/scanner/.cache/trivy" - - name: "SCANNER_TRIVY_REPORTS_DIR" - value: "/home/scanner/.cache/reports" - - name: "SCANNER_TRIVY_DEBUG_MODE" - value: {{ .Values.trivy.debugMode | quote }} - - name: "SCANNER_TRIVY_VULN_TYPE" - value: {{ .Values.trivy.vulnType | quote }} - - name: "SCANNER_TRIVY_GITHUB_TOKEN" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: gitHubToken - - name: "SCANNER_TRIVY_SEVERITY" - value: {{ .Values.trivy.severity | quote }} - - name: "SCANNER_TRIVY_IGNORE_UNFIXED" - value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} - - name: "SCANNER_TRIVY_SKIP_UPDATE" - value: {{ .Values.trivy.skipUpdate | default false | quote }} - - name: "SCANNER_TRIVY_INSECURE" - value: {{ .Values.trivy.insecure | default false | quote }} - - name: SCANNER_API_SERVER_ADDR - value: ":{{ template "harbor.trivy.containerPort" . }}" - {{- if .Values.internalTLS.enabled }} - - name: INTERNAL_TLS_ENABLED - value: "true" - - name: SCANNER_API_SERVER_TLS_KEY - value: /etc/harbor/ssl/trivy/tls.key - - name: SCANNER_API_SERVER_TLS_CERTIFICATE - value: /etc/harbor/ssl/trivy/tls.crt - {{- end }} - - name: "SCANNER_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - - name: "SCANNER_STORE_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - - name: "SCANNER_JOB_QUEUE_REDIS_URL" - valueFrom: - secretKeyRef: - name: {{ template "harbor.trivy" . }} - key: redisURL - ports: - - name: api-server - containerPort: {{ template "harbor.trivy.containerPort" . }} - volumeMounts: - - name: data - mountPath: /home/scanner/.cache - subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} - readOnly: false - {{- if .Values.internalTLS.enabled }} - - name: trivy-internal-certs - mountPath: /etc/harbor/ssl/trivy - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolumeMount" . | indent 10 }} - {{- end }} - livenessProbe: - httpGet: - scheme: {{ include "harbor.component.scheme" . | upper }} - path: /probe/healthy - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - readinessProbe: - httpGet: - scheme: {{ include "harbor.component.scheme" . | upper }} - path: /probe/ready - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: -{{ toYaml .Values.trivy.resources | indent 12 }} - {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} - volumes: - {{- if .Values.internalTLS.enabled }} - - name: trivy-internal-certs - secret: - secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} - {{- end }} - {{- if .Values.caBundleSecretName }} -{{ include "harbor.caBundleVolume" . | indent 6 }} - {{- end }} - {{- if not .Values.persistence.enabled }} - - name: "data" - emptyDir: {} - {{- else if $trivy.existingClaim }} - - name: "data" - persistentVolumeClaim: - claimName: {{ $trivy.existingClaim }} - {{- end }} - {{- end }} - {{- with .Values.trivy.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.trivy.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.trivy.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} -{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - labels: -{{ include "harbor.labels" . | indent 8 }} - spec: - accessModes: [{{ $trivy.accessMode | quote }}] - {{- if $trivy.storageClass }} - {{- if (eq "-" $trivy.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $trivy.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ $trivy.size | quote }} -{{- end }} -{{- end }} +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy + app.kubernetes.io/component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy + app.kubernetes.io/component: trivy +{{- if .Values.trivy.podLabels }} +{{ toYaml .Values.trivy.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} +{{- with .Values.trivy.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: trivy +{{- end }} +{{- end }} + {{- with .Values.trivy.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" + value: {{ .Values.trivy.skipJavaDBUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL +{{- with .Values.trivy.extraEnvVars }} +{{- toYaml . | nindent 12 }} +{{- end }} + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.legacy.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/templates/trivy/trivy-svc.yaml b/templates/trivy/trivy-svc.yaml index f15c5a3..e0ae320 100644 --- a/templates/trivy/trivy-svc.yaml +++ b/templates/trivy/trivy-svc.yaml @@ -1,16 +1,17 @@ -{{ if .Values.trivy.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: "{{ template "harbor.trivy" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -spec: - ports: - - name: api-server - protocol: TCP - port: {{ template "harbor.trivy.servicePort" . }} - selector: -{{ include "harbor.matchLabels" . | indent 4 }} - component: trivy -{{ end }} +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/templates/trivy/trivy-tls.yaml b/templates/trivy/trivy-tls.yaml index 7d51eb0..58bce4e 100644 --- a/templates/trivy/trivy-tls.yaml +++ b/templates/trivy/trivy-tls.yaml @@ -1,15 +1,16 @@ -{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} -{{- if eq .Values.internalTLS.certSource "manual" }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" - labels: -{{ include "harbor.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} - tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} - tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} -{{- end }} -{{- end }} +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/test/go.mod b/test/go.mod deleted file mode 100644 index 9a274cd..0000000 --- a/test/go.mod +++ /dev/null @@ -1,9 +0,0 @@ -module github.com/goharbor/harbor-helm - -go 1.13 - -require ( - github.com/gruntwork-io/terratest v0.28.2 - github.com/stretchr/testify v1.6.0 - k8s.io/api v0.18.3 -) diff --git a/test/go.sum b/test/go.sum deleted file mode 100644 index 805e9b2..0000000 --- a/test/go.sum +++ /dev/null @@ -1,572 +0,0 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= -cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v38.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= -github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= -github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM= -github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= -github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= -github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= -github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= -github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI= -github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= -github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= -github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= -github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= -github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= -github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= -github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= -github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= -github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= -github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= -github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c h1:ZfSZ3P3BedhKGUhzj7BQlPSU4OvT6tfOKe3DVHzOA7s= -github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 h1:yY9rWGoXv1U5pl4gxqlULARMQD7x0QG85lqEXTWysik= -github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= -github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2 h1:dWB6v3RcOy03t/bUadywsbyrQwCqZeNIEX6M1OtSZOM= -github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= -github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= -github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= -github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= -github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= -github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/gruntwork-io/gruntwork-cli v0.5.1 h1:mVmVsFubUSLSCO8bGigI63HXzvzkC0uWXzm4dd9pXRg= -github.com/gruntwork-io/gruntwork-cli v0.5.1/go.mod h1:IBX21bESC1/LGoV7jhXKUnTQTZgQ6dYRsoj/VqxUSZQ= -github.com/gruntwork-io/terratest v0.28.2 h1:M9CMfS/5unIawxYlz55eRDWH16AH522OAJcUc+zsKv4= -github.com/gruntwork-io/terratest v0.28.2/go.mod h1:lTntpr4gGDzb2YEQ1GTjC5G/xw9ixMwxGmZkPCk1O0A= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= -github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= -github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= -github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= -github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= -github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= -github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= -github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho= -github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= -github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo= -golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200107162124-548cf772de50 h1:YvQ10rzcqWXLlJZ3XCUoO25savxmscf4+SC+ZqiCHhA= -golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200113040837-eac381796e91/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= -gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= -gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= -k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0= -k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA= -k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= -k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk= -k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= -k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= -k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k= -k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw= -k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= -k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= -k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= -k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= -k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= -k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= -k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU= -k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= -modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= -modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= -modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= -modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= -sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06 h1:zD2IemQ4LmOcAumeiyDWXKUI2SO0NYDe3H6QGvPOVgU= -sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/test/install_helm.sh b/test/install_helm.sh deleted file mode 100644 index 7a12643..0000000 --- a/test/install_helm.sh +++ /dev/null @@ -1,24 +0,0 @@ -#/bin/bash -set -e -version=${HELM_VERSION} -if [ "$version" = "2" ] -then - dist="helm-v2.8.0-linux-amd64.tar.gz" - # as the helm v3 removes tiller, here appends the "-c" option - # to args only when running helm v2 to display the client version - version_args="-c" -elif [ "$version" = "3" ] -then - # the "template" command doesn't work for helm beta3: - # https://github.com/helm/helm/issues/6404, use the beta2 for now - dist="helm-v3.0.0-beta.2-linux-amd64.tar.gz" -else - echo "unsupported helm version: $version" - exit 1 -fi -wget -O /tmp/${dist} https://get.helm.sh/${dist} -tar -zxvf /tmp/${dist} -C /tmp/ - -sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm -helm version $version_args -echo "Helm installed" \ No newline at end of file diff --git a/test/integration/base.go b/test/integration/base.go deleted file mode 100644 index a488c20..0000000 --- a/test/integration/base.go +++ /dev/null @@ -1,145 +0,0 @@ -package integration - -import ( - "crypto/tls" - "encoding/json" - "fmt" - "io/ioutil" - "log" - "net/http" - "os" - "os/exec" - "strings" - "time" - - "github.com/gruntwork-io/terratest/modules/helm" - "github.com/gruntwork-io/terratest/modules/k8s" - "github.com/stretchr/testify/suite" -) - -var ( - client = &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, - }, - }, - } -) - -func NewBaseTestSuite(values map[string]string) BaseTestSuite { - if values == nil { - values = map[string]string{} - } - return BaseTestSuite{ - Options: &helm.Options{ - KubectlOptions: &k8s.KubectlOptions{ - Namespace: "default", - }, - SetValues: values, - }, - ReleaseName: "harbor", - URL: values["externalURL"], - } -} - -type BaseTestSuite struct { - suite.Suite - Options *helm.Options - ReleaseName string - URL string // the external URL of Harbor -} - -func (b *BaseTestSuite) SetupSuite() { - helm.Install(b.T(), b.Options, "../..", b.ReleaseName) - b.waitUntilHealthy(b.URL) -} - -type overallStatus struct { - Status string `json:"status"` - Components []*componentStatus `json:"components"` -} - -type componentStatus struct { - Name string `json:"name"` - Status string `json:"status"` - Error string `json:"error,omitempty"` -} - -func (b *BaseTestSuite) waitUntilHealthy(url string) { - url = fmt.Sprintf("%s/api/v2.0/health", url) - log.Printf("wait until Harbor is healthy by calling health check API: %s ...", url) - for i := 0; i < 60; i++ { - time.Sleep(10 * time.Second) - - resp, err := client.Get(url) - if err != nil { - log.Printf("failed to call the health API: %v, retry 10 seconds later...", err) - continue - } - - if resp.StatusCode != http.StatusOK { - log.Printf("the response status code %d != 200, retry 10 seconds later...", resp.StatusCode) - continue - } - - data, err := ioutil.ReadAll(resp.Body) - b.Require().Nil(err) - resp.Body.Close() - status := &overallStatus{} - err = json.Unmarshal(data, status) - b.Require().Nil(err) - if status.Status != "healthy" { - for _, component := range status.Components { - if component.Status == "healthy" { - continue - } - log.Printf("the status of component %s isn't healthy: %s , retry 10 seconds later...", - component.Name, component.Error) - break - } - continue - } - - log.Printf("the status is healthy") - return - } - b.FailNow("the status still isn't healthy after several retries") -} - -func (b *BaseTestSuite) TestPush() { - addr := strings.TrimPrefix(b.URL, "http://") - addr = strings.TrimPrefix(addr, "https://") - - // push image - b.T().Log("pushing the image...") - cmdStr := fmt.Sprintf("docker pull hello-world:latest;docker tag hello-world:latest %s/library/hello-world:latest; docker login %s -u admin -p Harbor12345;docker push %s/library/hello-world:latest", - addr, addr, addr) - cmd := exec.Command("/bin/sh", "-c", cmdStr) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - err := cmd.Run() - b.Require().Nil(err) - - // delete image in local - b.T().Log("deleting the image in local") - cmdStr = fmt.Sprintf("docker rmi %s/library/hello-world:latest", addr) - cmd = exec.Command("/bin/sh", "-c", cmdStr) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - err = cmd.Run() - b.Require().Nil(err) - - // pull image - b.T().Log("pull the image...") - cmdStr = fmt.Sprintf("docker pull %s/library/hello-world:latest", addr) - cmd = exec.Command("/bin/sh", "-c", cmdStr) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - err = cmd.Run() - b.Require().Nil(err) -} - -func (b *BaseTestSuite) TearDownSuite() { - helm.Delete(b.T(), &helm.Options{}, b.ReleaseName, true) -} diff --git a/test/integration/ingress_test.go b/test/integration/ingress_test.go deleted file mode 100644 index 0115e67..0000000 --- a/test/integration/ingress_test.go +++ /dev/null @@ -1,28 +0,0 @@ -package integration - -import ( - "fmt" - "testing" - - "github.com/gruntwork-io/terratest/modules/k8s" - "github.com/stretchr/testify/suite" -) - -type IngressTestSuite struct { - BaseTestSuite -} - -func (i *IngressTestSuite) TestIngress() { - k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress", i.ReleaseName)) - k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress-notary", i.ReleaseName)) -} - -func TestIngressTestSuite(t *testing.T) { - suite.Run(t, &IngressTestSuite{ - BaseTestSuite: NewBaseTestSuite(map[string]string{ - "expose.ingress.hosts.core": "harbor.local", - "expose.ingress.hosts.notary": "notary.harbor.local", - "externalURL": "https://harbor.local", - }), - }) -} diff --git a/test/integration/kind-cluster.yaml b/test/integration/kind-cluster.yaml deleted file mode 100644 index 63e3aa3..0000000 --- a/test/integration/kind-cluster.yaml +++ /dev/null @@ -1,20 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -nodes: -- role: control-plane - kubeadmConfigPatches: - - | - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - containerPort: 30003 - hostPort: 30003 - protocol: TCP diff --git a/test/integration/node_port_test.go b/test/integration/node_port_test.go deleted file mode 100644 index 134c3db..0000000 --- a/test/integration/node_port_test.go +++ /dev/null @@ -1,28 +0,0 @@ -package integration - -import ( - "testing" - - "github.com/gruntwork-io/terratest/modules/k8s" - "github.com/stretchr/testify/suite" -) - -type NodePortTestSuite struct { - BaseTestSuite -} - -func (n *NodePortTestSuite) TestNodePort() { - service := k8s.GetService(n.T(), n.Options.KubectlOptions, "harbor") - n.Equal("NodePort", string(service.Spec.Type)) -} - -func TestNodePortTestSuite(t *testing.T) { - suite.Run(t, &NodePortTestSuite{ - BaseTestSuite: NewBaseTestSuite(map[string]string{ - "expose.type": "nodePort", - "expose.tls.auto.commonName": "127.0.0.1", - "expose.nodePort.ports.https.nodePort": "30003", - "externalURL": "https://127.0.0.1:30003", - }), - }) -} diff --git a/test/test.go b/test/test.go deleted file mode 100644 index 5a3561d..0000000 --- a/test/test.go +++ /dev/null @@ -1 +0,0 @@ -package test diff --git a/test/unittest/trivy_stateful_set_test.go b/test/unittest/trivy_stateful_set_test.go deleted file mode 100644 index 1e696b5..0000000 --- a/test/unittest/trivy_stateful_set_test.go +++ /dev/null @@ -1,171 +0,0 @@ -package unittest - -import ( - "os" - "testing" - - "github.com/gruntwork-io/terratest/modules/helm" - "github.com/gruntwork-io/terratest/modules/logger" - "github.com/stretchr/testify/suite" - appsV1 "k8s.io/api/apps/v1" -) - -type TrivyStatefulSetTestSuite struct { - suite.Suite -} - -func (suite *TrivyStatefulSetTestSuite) render(values map[string]string) *appsV1.StatefulSet { - helmChartPath := "../../" - - options := &helm.Options{ - SetValues: values, - } - - debug := os.Getenv("debug") - if debug != "true" { - options.Logger = logger.Discard - } - - output := helm.RenderTemplate(suite.T(), options, helmChartPath, "harbor", []string{"templates/trivy/trivy-sts.yaml"}) - - var ss appsV1.StatefulSet - helm.UnmarshalK8SYaml(suite.T(), output, &ss) - - return &ss -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceDisabled() { - values := map[string]string{ - "persistence.enabled": "false", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].EmptyDir) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceEnabled() { - values := map[string]string{ - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 0) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) -} - -func (suite *TrivyStatefulSetTestSuite) TestExistingClaim() { - values := map[string]string{ - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim) - suite.Equal("trivy-data", ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) TestInternalTLSEnabled() { - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func (suite *TrivyStatefulSetTestSuite) TestCustomCA() { - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func TestTrivyStatefulSetTestSuite(t *testing.T) { - suite.Run(t, &TrivyStatefulSetTestSuite{}) -} diff --git a/test/verify.sh b/test/verify.sh deleted file mode 100644 index cf8484d..0000000 --- a/test/verify.sh +++ /dev/null @@ -1,8 +0,0 @@ -#/bin/bash -set -e - -helm lint . -# expose the service via ingress, this disables the deployment of nginx -helm template --set "expose.type=ingress" --output-dir /tmp/ . -# expose the service via node port, this enables the deployment of nginx -helm template --set "expose.type=nodePort,expose.tls.commonName=127.0.0.1" --output-dir /tmp/ . \ No newline at end of file diff --git a/values-operator.yaml b/values-operator.yaml index a728bbf..af6339f 100644 --- a/values-operator.yaml +++ b/values-operator.yaml @@ -2,8 +2,9 @@ global: hub: registry.cn-qingdao.aliyuncs.com/wod imagePullPolicy: "IfNotPresent" imageArch: amd64 - host: wodcloud.local + host: wocloud.local imagePullSecrets: - name: beagle-registry -registrySecrets: true \ No newline at end of file +registrySecrets: true +externalURL: https://hub.wocloud.local \ No newline at end of file diff --git a/values.yaml b/values.yaml index 487ccd3..acab08a 100644 --- a/values.yaml +++ b/values.yaml @@ -1,754 +1,1069 @@ -expose: - # Set the way how to expose the service. Set the type as "ingress", - # "clusterIP", "nodePort" or "loadBalancer" and fill the information - # in the corresponding section - type: ingress - tls: - # Enable the tls or not. Note: if the type is "ingress" and the tls - # is disabled, the port must be included in the command when pull/push - # images. Refer to https://github.com/goharbor/harbor/issues/5291 - # for the detail. - enabled: false - # The source of the tls certificate. Set it as "auto", "secret" - # or "none" and fill the information in the corresponding section - # 1) auto: generate the tls certificate automatically - # 2) secret: read the tls certificate from the specified secret. - # The tls certificate can be generated manually or by cert manager - # 3) none: configure no tls certificate for the ingress. If the default - # tls certificate is configured in the ingress controller, choose this option - certSource: auto - auto: - # The common name used to generate the certificate, it's necessary - # when the type isn't "ingress" - commonName: '' - secret: - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - secretName: '' - # The name of secret which contains keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # Only needed when the "expose.type" is "ingress". - notarySecretName: '' - ingress: - hosts: - core: hub - notary: notary - # set to the type of ingress controller if it has specific requirements. - # leave as `default` for most ingress controllers. - # set to `gce` if using the GCE ingress controller - # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller - controller: default - annotations: - ingress.kubernetes.io/ssl-redirect: 'true' - ingress.kubernetes.io/proxy-body-size: '0' - nginx.ingress.kubernetes.io/ssl-redirect: 'true' - nginx.ingress.kubernetes.io/proxy-body-size: '0' - clusterIP: - # The name of ClusterIP service - name: harbor - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - nodePort: - # The name of NodePort service - name: harbor - ports: - http: - # The service port Harbor listens on when serving with HTTP - port: 80 - # The node port Harbor listens on when serving with HTTP - nodePort: 30002 - https: - # The service port Harbor listens on when serving with HTTPS - port: 443 - # The node port Harbor listens on when serving with HTTPS - nodePort: 30003 - # Only needed when notary.enabled is set to true - notary: - # The service port Notary listens on - port: 4443 - # The node port Notary listens on - nodePort: 30004 - loadBalancer: - # The name of LoadBalancer service - name: harbor - # Set the IP if the LoadBalancer supports assigning IP - IP: '' - ports: - # The service port Harbor listens on when serving with HTTP - httpPort: 80 - # The service port Harbor listens on when serving with HTTPS - httpsPort: 443 - # The service port Notary listens on. Only needed when notary.enabled - # is set to true - notaryPort: 4443 - annotations: {} - sourceRanges: [] - -# The external URL for Harbor core service. It is used to -# 1) populate the docker/helm commands showed on portal -# 2) populate the token service URL returned to docker/notary client -# -# Format: protocol://domain[:port]. Usually: -# 1) if "expose.type" is "ingress", the "domain" should be -# the value of "expose.ingress.hosts.core" -# 2) if "expose.type" is "clusterIP", the "domain" should be -# the value of "expose.clusterIP.name" -# 3) if "expose.type" is "nodePort", the "domain" should be -# the IP address of k8s node -# -# If Harbor is deployed behind the proxy, set it as the URL of proxy -externalURL: https://hub - -# The internal TLS used for harbor components secure communicating. In order to enable https -# in each components tls cert files need to provided in advance. -internalTLS: - # If internal TLS enabled - enabled: false - # There are three ways to provide tls - # 1) "auto" will generate cert automatically - # 2) "manual" need provide cert file manually in following value - # 3) "secret" internal certificates from secret - certSource: 'auto' - # The content of trust ca, only available when `certSource` is "manual" - trustCa: '' - # core related cert configuration - core: - # secret name for core's tls certs - secretName: '' - # Content of core's TLS cert file, only available when `certSource` is "manual" - crt: '' - # Content of core's TLS key file, only available when `certSource` is "manual" - key: '' - # jobservice related cert configuration - jobservice: - # secret name for jobservice's tls certs - secretName: '' - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - key: '' - # registry related cert configuration - registry: - # secret name for registry's tls certs - secretName: '' - # Content of registry's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of registry's TLS key file, only available when `certSource` is "manual" - key: '' - # portal related cert configuration - portal: - # secret name for portal's tls certs - secretName: '' - # Content of portal's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of portal's TLS key file, only available when `certSource` is "manual" - key: '' - # chartmuseum related cert configuration - chartmuseum: - # secret name for chartmuseum's tls certs - secretName: '' - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of chartmuseum's TLS key file, only available when `certSource` is "manual" - key: '' - # clair related cert configuration - clair: - # secret name for clair's tls certs - secretName: '' - # Content of clair's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of clair's TLS key file, only available when `certSource` is "manual" - key: '' - # trivy related cert configuration - trivy: - # secret name for trivy's tls certs - secretName: '' - # Content of trivy's TLS key file, only available when `certSource` is "manual" - crt: '' - # Content of trivy's TLS key file, only available when `certSource` is "manual" - key: '' - -# The persistence is enabled by default and a default StorageClass -# is needed in the k8s cluster to provision volumes dynamicly. -# Specify another StorageClass in the "storageClass" or set "existingClaim" -# if you have already existing persistent volumes to use -# -# For storing images and charts, you can also use "azure", "gcs", "s3", -# "swift" or "oss". Set it in the "imageChartStorage" section -persistence: - enabled: true - # Setting it to "keep" to avoid removing PVCs during a helm delete - # operation. Leaving it empty will delete PVCs after the chart deleted - # (this does not apply for PVCs that are created for internal database - # and redis components, i.e. they are never deleted automatically) - resourcePolicy: 'keep' - persistentVolumeClaim: - registry: - # Use the existing PVC which must be created manually before bound, - # and specify the "subPath" if the PVC is shared with other components - existingClaim: '' - # Specify the "storageClass" used to provision the volume. Or the default - # StorageClass will be used(the default). - # Set it to "-" to disable dynamic provisioning - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - chartmuseum: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - jobservice: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - # If external database is used, the following settings for database will - # be ignored - database: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 10Gi - # If external Redis is used, the following settings for Redis will - # be ignored - redis: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 1Gi - trivy: - existingClaim: '' - storageClass: 'hostpath' - subPath: '' - accessMode: ReadWriteOnce - size: 5Gi - # Define which storage backend is used for registry and chartmuseum to store - # images and charts. Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage - # for the detail. - imageChartStorage: - # Specify whether to disable `redirect` for images and chart storage, for - # backends which not supported it (such as using minio for `s3` storage type), please disable - # it. To disable redirects, simply set `disableredirect` to `true` instead. - # Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect - # for the detail. - disableredirect: false - # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. - # The secret must contain keys named "ca.crt" which will be injected into the trust store - # of registry's and chartmuseum's containers. - # caBundleSecretName: - - # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", - # "oss" and fill the information needed in the corresponding section. The type - # must be "filesystem" if you want to use persistent volumes for registry - # and chartmuseum - type: filesystem - filesystem: - rootdirectory: /storage - #maxthreads: 100 - azure: - accountname: accountname - accountkey: base64encodedaccountkey - container: containername - #realm: core.windows.net - gcs: - bucket: bucketname - # The base64 encoded json file which contains the key - encodedkey: base64-encoded-json-key-file - #rootdirectory: /gcs/object/name/prefix - #chunksize: "5242880" - s3: - region: us-west-1 - bucket: bucketname - #accesskey: awsaccesskey - #secretkey: awssecretkey - #regionendpoint: http://myobjects.local - #encrypt: false - #keyid: mykeyid - #secure: true - #skipverify: false - #v4auth: true - #chunksize: "5242880" - #rootdirectory: /s3/object/name/prefix - #storageclass: STANDARD - #multipartcopychunksize: "33554432" - #multipartcopymaxconcurrency: 100 - #multipartcopythresholdsize: "33554432" - swift: - authurl: https://storage.myprovider.com/v3/auth - username: username - password: password - container: containername - #region: fr - #tenant: tenantname - #tenantid: tenantid - #domain: domainname - #domainid: domainid - #trustid: trustid - #insecureskipverify: false - #chunksize: 5M - #prefix: - #secretkey: secretkey - #accesskey: accesskey - #authversion: 3 - #endpointtype: public - #tempurlcontainerkey: false - #tempurlmethods: - oss: - accesskeyid: accesskeyid - accesskeysecret: accesskeysecret - region: regionname - bucket: bucketname - #endpoint: endpoint - #internal: false - #encrypt: false - #secure: true - #chunksize: 10M - #rootdirectory: rootdirectory - -imagePullPolicy: IfNotPresent - -# Use this set to assign a list of default pullSecrets -imagePullSecrets: -# - name: docker-registry-secret -# - name: internal-registry-secret - -# The update strategy for deployments with persistent volumes(jobservice, registry -# and chartmuseum): "RollingUpdate" or "Recreate" -# Set it as "Recreate" when "RWM" for volumes isn't supported -updateStrategy: - type: RollingUpdate - -# debug, info, warning, error or fatal -logLevel: info - -# The initial password of Harbor admin. Change it from portal after launching Harbor -harborAdminPassword: 'spaceIN511' - -# The name of the secret which contains key named "ca.crt". Setting this enables the -# download link on portal to download the certificate of CA when the certificate isn't -# generated automatically -caSecretName: '' - -# The secret key used for encryption. Must be a string of 16 chars. -secretKey: 'IpTIscRIgmerlare' - -# The proxy settings for updating clair vulnerabilities from the Internet and replicating -# artifacts from/to the registries that cannot be reached directly -proxy: - httpProxy: - httpsProxy: - noProxy: 127.0.0.1,localhost,.local,.internal - components: - - core - - jobservice - - clair - - trivy - -# The custom ca bundle secret, the secret must contain key named "ca.crt" -# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components -# caBundleSecretName: "" - -## UAA Authentication Options -# If you're using UAA for authentication behind a self-signed -# certificate you will need to provide the CA Cert. -# Set uaaSecretName below to provide a pre-created secret that -# contains a base64 encoded CA Certificate named `ca.crt`. -# uaaSecretName: - -# If expose the service via "ingress", the Nginx will not be used -nginx: - image: - repository: nginx - tag: v2.1.6 - # set the service account to be used, default if left empty - serviceAccountName: '' - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -portal: - image: - repository: harbor-portal - tag: v2.1.6 - # set the service account to be used, default if left empty - serviceAccountName: '' - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -core: - image: - repository: harbor-core - tag: v2.1.6 - # set the service account to be used, default if left empty - serviceAccountName: '' - replicas: 1 - ## Startup probe values - startupProbe: - enabled: false - initialDelaySeconds: 10 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when core server communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: '' - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate and private key for token encryption/decryption. - # The secret must contain keys named: - # "tls.crt" - the certificate - # "tls.key" - the private key - # The default key pair will be used if it isn't set - secretName: '' - # The XSRF key. Will be generated automatically if it isn't specified - xsrfKey: '' - -jobservice: - image: - repository: harbor-jobservice - tag: v2.1.6 - replicas: 1 - # set the service account to be used, default if left empty - serviceAccountName: '' - maxJobWorkers: 10 - # The logger for jobs: "file", "database" or "stdout" - jobLogger: file - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used when job service communicates with other components. - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: '' - -registry: - # set the service account to be used, default if left empty - serviceAccountName: '' - registry: - image: - repository: registry - tag: v2.7.1 - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - controller: - image: - repository: harbor-registryctl - tag: v2.1.6 - - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Secret is used to secure the upload state from client - # and registry storage backend. - # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http - # If a secret key is not specified, Helm will generate one. - # Must be a string of 16 chars. - secret: '' - # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. - relativeurls: false - credentials: - username: 'harbor_registry_user' - password: 'harbor_registry_password' - # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash - # e.g. "htpasswd -nbBC10 $username $password" - htpasswd: 'harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m' - - middleware: - enabled: false - type: cloudFront - cloudFront: - baseurl: example.cloudfront.net - keypairid: KEYPAIRID - duration: 3000s - ipfilteredby: none - # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key - # that allows access to CloudFront - privateKeySecret: 'my-secret' - -chartmuseum: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: '' - # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true' - absoluteUrl: false - image: - repository: chartmuseum - tag: v0.12.0 - storageSpec: - type: hostPath - emptyDir: {} - hostPath: - root: /data - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -clair: - enabled: true - # set the service account to be used, default if left empty - serviceAccountName: '' - clair: - image: - repository: clair - tag: v2.1.7 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - adapter: - image: - repository: harbor-scanner-clair - tag: v1.1.1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - replicas: 1 - # The interval of clair updaters, the unit is hour, set to 0 to - # disable the updaters - updatersInterval: 12 - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -trivy: - # enabled the flag to enable Trivy scanner - enabled: true - image: - # repository the repository for Trivy adapter image - repository: harbor-scanner-trivy - # tag the tag for Trivy adapter image - tag: v0.17.0 - # set the service account to be used, default if left empty - serviceAccountName: '' - # replicas the number of Pod replicas - replicas: 1 - # debugMode the flag to enable Trivy debug mode with more verbose scanning log - debugMode: false - # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. - vulnType: 'os,library' - # severity a comma-separated list of severities to be checked - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - # ignoreUnfixed the flag to display only fixed vulnerabilities - ignoreUnfixed: false - # insecure the flag to skip verifying registry certificate - insecure: false - # gitHubToken the GitHub access token to download Trivy DB - # - # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. - # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached - # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update - # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. - # Currently, the database is updated every 12 hours and published as a new release to GitHub. - # - # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough - # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 - # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult - # https://developer.github.com/v3/#rate-limiting - # - # You can create a GitHub token by following the instructions in - # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line - gitHubToken: '' - # skipUpdate the flag to disable Trivy DB downloads from GitHub - # - # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. - # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the - # `/home/scanner/.cache/trivy/db/trivy.db` path. - skipUpdate: false - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - -notary: - enabled: true - server: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: notary-server - tag: v0.6.1 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - signer: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: notary-signer - tag: v0.6.1 - replicas: 1 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - ## Additional deployment annotations - podAnnotations: {} - # Fill the name of a kubernetes secret if you want to use your own - # TLS certificate authority, certificate and private key for notary - # communications. - # The secret must contain keys named ca.crt, tls.crt and tls.key that - # contain the CA, certificate and private key. - # They will be generated if not set. - secretName: '' - -database: - # if external database is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: harbor-db - tag: v2.1.6 - # The initial superuser password for internal database - password: 'spaceIN511' - resources: - limits: - memory: 4Gi - requests: - memory: 256Mi - nodeSelector: {} - tolerations: [] - affinity: {} - external: - host: '192.168.0.1' - port: '5432' - username: 'user' - password: 'password' - coreDatabase: 'registry' - clairDatabase: 'clair' - notaryServerDatabase: 'notary_server' - notarySignerDatabase: 'notary_signer' - # "disable" - No SSL - # "require" - Always SSL (skip verification) - # "verify-ca" - Always SSL (verify that the certificate presented by the - # server was signed by a trusted CA) - # "verify-full" - Always SSL (verify that the certification presented by the - # server was signed by a trusted CA and the server host name matches the one - # in the certificate) - sslmode: 'disable' - # The maximum number of connections in the idle connection pool. - # If it <=0, no idle connections are retained. - maxIdleConns: 50 - # The maximum number of open connections to the database. - # If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgre of harbor. - maxOpenConns: 1000 - ## Additional deployment annotations - podAnnotations: {} - -redis: - # if external Redis is used, set "type" to "external" - # and fill the connection informations in "external" section - type: internal - internal: - # set the service account to be used, default if left empty - serviceAccountName: '' - image: - repository: redis - tag: 6.2.6 - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - nodeSelector: {} - tolerations: [] - affinity: {} - external: - # support redis, redis+sentinel - # addr for redis: : - # addr for redis+sentinel: :,:,: - addr: '192.168.0.2:6379' - # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel - sentinelMasterSet: '' - # The "coreDatabaseIndex" must be "0" as the library Harbor - # used doesn't support configuring it - coreDatabaseIndex: '0' - jobserviceDatabaseIndex: '1' - registryDatabaseIndex: '2' - chartmuseumDatabaseIndex: '3' - clairAdapterIndex: '4' - trivyAdapterIndex: '5' - password: '' - ## Additional deployment annotations - podAnnotations: {} - -commonLabels: - app.bd-apaas.com/cluster-component: registry +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/registry.cn-qingdao.aliyuncs.com/wod/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + ingress: + hosts: + core: hub + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + # ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # The ip address of the ClusterIP service (leave empty for acquiring dynamic ip) + staticClusterIP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + # Annotations on the ClusterIP service + annotations: {} + # ClusterIP-specific labels + labels: {} + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + # Annotations on the nodePort service + annotations: {} + # nodePort-specific labels + labels: {} + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + # Annotations on the loadBalancer service + annotations: {} + # loadBalancer-specific labels + labels: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://hub.wodcloud.local + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "csi-s3" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "csi-s3" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "hostpath" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "csi-s3" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "csi-s3" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: oss + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be GCS_KEY_DATA + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + # keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY + existingSecret: "" + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: "" + accesskeysecret: "" + region: "" + bucket: "" + # key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + existingSecret: "" + endpoint: "" + #internal: false + #encrypt: false + secure: true + #chunksize: 10M + rootdirectory: hub + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 + +## set Container Security Context to comply with PSP restricted policy if necessary +## each of the conatiner will apply the same security context +## containerSecurityContext:{} is initially an empty yaml that you could edit it on demand, we just filled with a common template for convenience +containerSecurityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + capabilities: + drop: + - ALL + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/nginx-photon + tag: v2.13.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal + tag: v2.13.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + +core: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core + tag: v2.13.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + ## User settings configuration json string + configureUserSettings: + # The provider for updating project quota(usage), there are 2 options, redis or db. + # By default it is implemented by db but you can configure it to redis which + # can improve the performance of high concurrent pushing to the same project, + # and reduce the database connections spike and occupies. + # Using redis will bring up some delay for quota usage updation for display, so only + # suggest switch provider to redis if you were ran into the db connections spike around + # the scenario of high concurrent pushing to same project, no improvment for other scenes. + quotaUpdateProvider: db # Or redis + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret + # Must be a string of 16 chars. + secret: "" + # Fill in the name of a kubernetes secret if you want to use your own + # If using existingSecret, the key must be secret + existingSecret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + # While you specified, Please make sure it is 32 characters, otherwise would have validation issue at the harbor-core runtime + # https://github.com/registry.cn-qingdao.aliyuncs.com/wod/harbor/pull/21154 + xsrfKey: "" + # If using existingSecret, the key is defined by core.existingXsrfSecretKey + existingXsrfSecret: "" + # If using existingSecret, the key + existingXsrfSecretKey: CSRF_KEY + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + auditLogsCompliant: false + +jobservice: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice + tag: v2.13.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the job service secret + existingSecretKey: JOBSERVICE_SECRET + +registry: + registry: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/registry-photon + tag: v2.13.2 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + controller: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl + tag: v2.13.2 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the registry service secret + existingSecretKey: REGISTRY_HTTP_SECRET + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + htpasswdString: "" + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: registry.cn-qingdao.aliyuncs.com/wod/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.13.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the + # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path + # + skipJavaDBUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db + tag: v2.13.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + extraEnvVars: [] + nodeSelector: + kubernetes.io/hostname: 172.16.1.11 + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + extrInitContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/registry.cn-qingdao.aliyuncs.com/wod/harbor/issues/15034 + shmSizeLimit: 512Mi + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for harbor's postgres. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/redis-photon + tag: v2.13.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + # # jobserviceDatabaseIndex defaults to "1" + # # registryDatabaseIndex defaults to "2" + # # trivyAdapterIndex defaults to "5" + # # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # TLS configuration for redis connection + # only server-authentication is supported, mTLS for redis connection is not supported + # tls connection will be disable by default + # Once `tlsOptions.enable` set as true, tls/ssl connection will be used for redis + # Please set the `caBundleSecretName` in this configuration file which conatins redis server rootCA if it is self-signed. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + tlsOptions: + enable: false + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + # username field can be an empty string, and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +exporter: + image: + repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-exporter + tag: v2.13.2 + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + ## The priority class to run the pod as + priorityClassName: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + cacheDuration: 23 + cacheCleanInterval: 14400 -- 2.26.0