Skip to content

H
harbor
Commit d68116b6 authored by gaoshiyao's avatar gaoshiyao
Browse files
Options

2.13.2

parent 2133e634
Show whitespace changes
Inline Side-by-side
Showing with 5887 additions and 8491 deletions
.github/workflows/integration.yaml deleted 100644 → 0
View file @ 2133e634
name: Integration test
on:
pull_request:
push:
jobs:
integration-test:
runs-on: ubuntu-latest
strategy:
matrix:
k8s_version: [v1.18.2, v1.17.5, v1.16.9]
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup Docker
uses: docker-practice/actions-setup-docker@0.0.1
with:
docker_version: 18.09
docker_channel: stable
docker_daemon_json: '{"insecure-registries":["0.0.0.0/0"]}'
- name: Create kind cluster
uses: helm/kind-action@v1.0.0-rc.1
with:
version: v0.8.1
node_image: kindest/node:${{ matrix.k8s_version }}
cluster_name: kind-cluster-${{ matrix.k8s_version }}
config: test/integration/kind-cluster.yaml
- name: Install Nginx ingress controller
run: |
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.3.0/deploy/static/provider/kind/deploy.yaml
kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s
- name: Set up Go 1.13
uses: actions/setup-go@v2
with:
go-version: 1.13
- name: Cache go mod
uses: actions/cache@v2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Set /etc/hosts
run: |
sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts"
sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts"
- name: Run integration tests
working-directory: ./test
run:
go test -v -timeout 30m github.com/goharbor/harbor-helm/integration
\ No newline at end of file
.github/workflows/lint.yaml deleted 100644 → 0
View file @ 2133e634
name: Lint
on:
pull_request:
push:
jobs:
lint:
runs-on: ubuntu-latest
strategy:
matrix:
helm_version: [3.2.3, 2.16.8]
steps:
- name: Checkout
uses: actions/checkout@v2
with:
path: harbor
- name: Set up Helm
uses: azure/setup-helm@v1
with:
version: '${{ matrix.helm_version }}'
- name: Helm version
run:
helm version -c
- name: Run lint
working-directory: ./harbor
run:
helm lint .
- name: Update dependency
working-directory: ./harbor
run:
helm dependency update .
- name: Run template for ingress expose
working-directory: ./harbor
run:
helm template --set "expose.type=ingress" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
- name: Run template for nodePort expose
working-directory: ./harbor
run:
helm template --set "expose.type=nodePort,expose.tls.auto.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
\ No newline at end of file
.github/workflows/unittest.yaml deleted 100644 → 0
View file @ 2133e634
name: Unit test
on:
pull_request:
push:
jobs:
unit-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up Helm 3.2.3
uses: azure/setup-helm@v1
with:
version: '3.2.3'
- name: Set up Go 1.13
uses: actions/setup-go@v2
with:
go-version: 1.13
- name: Cache go mod
uses: actions/cache@v2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Run unit tests
working-directory: ./test
run:
go test -v github.com/goharbor/harbor-helm/unittest
Chart.yaml
View file @ d68116b6
apiVersion: v1
name: beagle-harbor
version: 2.1.7
appVersion: 2.1.7
description: An open source trusted cloud native registry that stores, signs, and scans content
keywords:
- docker
- registry
- harbor
appVersion: 2.13.2
description: An open source trusted cloud native registry that stores, signs, and
scans content
home: https://goharbor.io
icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png
sources:
- https://github.com/goharbor/harbor
- https://github.com/goharbor/harbor-helm
icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png
keywords:
- docker
- registry
- harbor
maintainers:
- name: Wenkai Yin
email: yinw@vmware.com
- name: Weiwei He
email: hweiwei@vmware.com
- name: Qian Deng
email: dengq@vmware.com
engine: gotpl
- email: yan-yw.wang@broadcom.com
name: Yan Wang
- email: wenkai.yin@broadcom.com
name: Wenkai Yin
- email: miner.yang@broadcom.com
name: Miner Yang
- email: shengwen.yu@broadcom.com
name: Shengwen Yu
name: harbor
sources:
- https://github.com/goharbor/harbor
- https://github.com/goharbor/harbor-helm
version: 1.17.2
REAME.md README.md
View file @ d68116b6
This source diff could not be displayed because it is too large. You can view the blob instead.
ansible/images.yaml deleted 100644 → 0
View file @ 2133e634
IMAGES:
harbor-portal:
NAME: harbor-portal
VERSION: 'v2.1.6'
harbor-core:
NAME: harbor-core
VERSION: 'v2.1.6'
harbor-jobservice:
NAME: harbor-jobservice
VERSION: 'v2.1.6'
harbor-db:
NAME: harbor-db
VERSION: 'v2.1.6'
harbor-registryctl:
NAME: harbor-registryctl
VERSION: 'v2.1.6'
chartmuseum:
NAME: chartmuseum
VERSION: 'v0.12.0'
clair:
NAME: clair
VERSION: 'v2.1.7'
harbor-scanner-clair:
NAME: harbor-scanner-clair
VERSION: 'v1.1.1'
harbor-scanner-trivy:
NAME: harbor-scanner-trivy
VERSION: v0.17.0
notary-server:
NAME: notary-server
VERSION: v0.6.1
notary-signer:
NAME: notary-signer
VERSION: v0.6.1
registry:
NAME: registry
VERSION: 'v2.7.1'
redis:
NAME: redis
VERSION: '6.2.6'
cert/tls.crt deleted 100644 → 0
View file @ 2133e634
-----BEGIN CERTIFICATE-----
MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw
NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC
Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o
F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr
PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT
RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q
LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp
UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q
w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc
jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr
vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d
1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN
2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA
AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA
FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS
Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA
er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY
Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ
qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n
KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB
Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2
52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1
2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F
5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX
jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe
-----END CERTIFICATE-----
cert/tls.key deleted 100644 → 0
View file @ 2133e634
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o
F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr
PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT
RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q
LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp
UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q
w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc
jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr
vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d
1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN
2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA
AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/
k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4
MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu
XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz
ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5
F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K
F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97
b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5
fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ
yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um
lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW
YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+
viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1
pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+
/wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA
So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt
DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3
YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn
IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW
gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf
Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC
oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb
FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN
c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn
YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf
Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl
IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ
rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi
vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj
yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g
1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil
u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M
BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK
OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y
AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e
Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh
cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q
OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04
-----END RSA PRIVATE KEY-----
conf/clair.yaml deleted 100644 → 0
View file @ 2133e634
clair:
database:
type: pgsql
options:
source: "{{ template "harbor.database.clair" . }}"
# Number of elements kept in the cache
# Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
cachesize: 16384
api:
# API server port
port: 6060
healthport: 6061
# Deadline before an API request will respond with a 503
timeout: 300s
updater:
interval: {{ .Values.clair.updatersInterval }}h
conf/notary-server.json deleted 100644 → 0
View file @ 2133e634
{
"server": {
"http_addr": ":4443"
},
"trust_service": {
"type": "remote",
"hostname": "{{ template "harbor.notary-signer" . }}",
"port": "7899",
"tls_ca_file": "/etc/ssl/notary/ca.crt",
"key_algorithm": "ecdsa"
},
"logging": {
"level": "{{ .Values.logLevel }}"
},
"storage": {
"backend": "postgres",
"db_url": "{{ template "harbor.database.notaryServer" . }}"
},
"auth": {
"type": "token",
"options": {
"realm": "{{ .Values.externalURL }}.{{ $.Values.global.host }}/service/token",
"service": "harbor-notary",
"issuer": "harbor-token-issuer",
"rootcertbundle": "/root.crt"
}
}
}
\ No newline at end of file
conf/notary-signer.json deleted 100644 → 0
View file @ 2133e634
{
"server": {
"grpc_addr": ":7899",
"tls_cert_file": "/etc/ssl/notary/tls.crt",
"tls_key_file": "/etc/ssl/notary/tls.key"
},
"logging": {
"level": "{{ .Values.logLevel }}"
},
"storage": {
"backend": "postgres",
"db_url": "{{ template "harbor.database.notarySigner" . }}",
"default_alias": "defaultalias"
}
}
\ No newline at end of file
docs/High Availability.md deleted 100644 → 0
View file @ 2133e634
---
title: Harbor High Availability Guide
---
## Goal
Deploy Harbor on K8S via helm to make it highly available, that is, if one of node that has Harbor's container running becomes un accessible. Users does not experience interrupt of service of Harbor.
## Prerequisites
- Kubernetes cluster 1.10+
- Helm 2.10.0+
- High available ingress controller (Harbor does not manage the external endpoint)
- High available PostgreSQL database (Harbor does not handle the deployment of HA of database)
- High available Redis (Harbor does not handle the deployment of HA of Redis)
- PVC that can be shared across nodes or external object storage
## Architecture
Most of Harbor's components are stateless now. So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods.
As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts.
![HA](img/ha.png)
## Usage
### Download Chart
Download Harbor helm chart:
```bash
helm repo add harbor https://helm.goharbor.io
helm fetch harbor/harbor --untar
```
### Configuration
Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`:
- **Ingress rule**
Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`.
- **External URL**
Configure the `externalURL`.
- **External PostgreSQL**
Set the `database.type` to `external` and fill the information in `database.external` section.
Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up.
- **External Redis**
Set the `redis.type` to `external` and fill the information in `redis.external` section.
As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point.
- **Storage**
By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs.
If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`.
If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes.
You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`.
If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`.
- **Replica**
Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2).
### Installation
Install the Harbor helm chart with a release name `my-release`:
helm 2:
```bash
helm install --name my-release .
```
helm 3:
```
helm install my-release .
```
docs/Upgrade.md deleted 100644 → 0
View file @ 2133e634
---
title: Upgrade Guide
---
This guide is used to upgrade Harbor deployed by chart since version 0.3.0.
## Notes
- As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid
- The database schema cannot be downgraded automatically, so the `helm rollback` is not supported
## Upgrade
### 1. Backup database
Backup the database used by Harbor in case the upgrade process fails.
### 2. Download new chart
Download the latest version of Harbor chart.
### 3. Configure new chart
Configure the new chart to make sure that the configuration items have the same values with the old one.
> Note: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate:
1) Get the secret name which certificate is stored in:
```bash
kubectl get secret
```
Find the secret whose name ends with `-harbor-ingress` (expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`)
2) Export the secret as yaml file:
```bash
kubectl get secret <secret-name-from-step-1> -o yaml > secret.yaml
```
3) Rename the secret by setting `metadata.name` in `secret.yaml`
4) Create a new secret:
```bash
kubectl create -f secret.yaml
```
5) Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step **3**
### 4. Upgrade
Run upgrade command:
```bash
helm upgrade release-name --force .
```
> The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30).
## Known issues
- The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0.
docs/_index.md deleted 100644 → 0
View file @ 2133e634
---
title: Managing Harbor with Helm
weight: 50
---
This documentation focuses on deploying and managing Harbor via [Helm](https://helm.sh). For general documentation for Harbor, please see the [Harbor docs](https://goharbor.io/docs).
\ No newline at end of file
raws/values-aliyun.yaml deleted 100644 → 0
View file @ 2133e634
expose:
type: ingress
tls:
enabled: false
ingress:
hosts:
core: hub.wodcloud.local
notary: notary.wodcloud.local
annotations:
ingress.kubernetes.io/proxy-body-size: '0'
externalURL: https://hub.wodcloud.local
persistence:
enabled: true
persistentVolumeClaim:
registry:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
chartmuseum:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
jobservice:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
database:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
redis:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
trivy:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
imageChartStorage:
# s3 , filesystem
type: filesystem
s3:
accesskey: AKIAIOSFODNN7EXAMPLE
secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region: us-east-1
regionendpoint: http://minio.wodcloud.local
bucket: registry
encrypt: false
v4auth: true
chunksize: '5242880'
rootdirectory: /
imagePullPolicy: IfNotPresent
logLevel: info
harborAdminPassword: 'spaceIN511'
secretKey: 'IpTIscRIgmerlare'
portal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
tag: v2.1.6
core:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
tag: v2.1.6
jobservice:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
tag: v2.1.6
registry:
registry:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/registry
tag: v2.7.1
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
controller:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
tag: v2.1.6
chartmuseum:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum
tag: v2.1.6
nodeSelector: {}
# nodeSelector:
# harbor: enabled
storageSpec:
type: hostPath
emptyDir: {}
hostPath:
root: /data
clair:
clair:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/clair
tag: v2.1.6
adapter:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-clair
tag: v2.1.6
trivy:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-trivy
tag: v2.1.6
notary:
server:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server
tag: v2.1.6
signer:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer
tag: v2.1.6
database:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
tag: v2.1.6
password: 'spaceIN511'
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
redis:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/redis
tag: 6.2.6
raws/values-arm.yaml deleted 100644 → 0
View file @ 2133e634
expose:
type: ingress
tls:
enabled: false
ingress:
hosts:
core: hub.wodcloud.local
notary: notary.wodcloud.local
annotations:
ingress.kubernetes.io/proxy-body-size: '0'
externalURL: https://hub.wodcloud.local
persistence:
enabled: true
persistentVolumeClaim:
registry:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
chartmuseum:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
jobservice:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
database:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
redis:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
trivy:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
imageChartStorage:
# s3 , filesystem
type: filesystem
s3:
accesskey: AKIAIOSFODNN7EXAMPLE
secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region: us-east-1
regionendpoint: http://minio.wodcloud.local
bucket: registry
encrypt: false
v4auth: true
chunksize: '5242880'
rootdirectory: /
imagePullPolicy: IfNotPresent
logLevel: info
harborAdminPassword: 'spaceIN511'
secretKey: 'IpTIscRIgmerlare'
portal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
tag: v2.1.6-arm64
core:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
tag: v2.1.6-arm64
jobservice:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
tag: v2.1.6-arm64
registry:
registry:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/registry
tag: v2.7.1-arm64
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
controller:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
tag: v2.1.6-arm64
chartmuseum:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum
tag: v2.1.6-arm64
nodeSelector: {}
# nodeSelector:
# harbor: enabled
storageSpec:
type: hostPath
emptyDir: {}
hostPath:
root: /data
clair:
clair:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/clair
tag: v2.1.6-arm64
adapter:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-clair
tag: v2.1.6-arm64
trivy:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-trivy
tag: v2.1.6-arm64
notary:
server:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server
tag: v2.1.6-arm64
signer:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer
tag: v2.1.6-arm64
database:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
tag: v2.1.6-arm64
password: 'spaceIN511'
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
redis:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/redis
tag: 6.2.6-arm64
raws/values-pg.yaml deleted 100644 → 0
View file @ 2133e634
expose:
type: ingress
tls:
enabled: false
ingress:
hosts:
core: hub.test.wodcloud.com
notary: notary.test.wodcloud.com
annotations:
ingress.kubernetes.io/proxy-body-size: '0'
externalURL: https://hub.test.wodcloud.com
persistence:
enabled: true
imageChartStorage:
# s3 , filesystem
type: filesystem
filesystem:
rootdirectory: /data
#s3:
# accesskey: AKIAIOSFODNN7EXAMPLE
# secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# region: us-east-1
# regionendpoint: https://minio.sxwh.local
# bucket: registry
# encrypt: false
# v4auth: true
# chunksize: '5242880'
# rootdirectory: /
imagePullPolicy: IfNotPresent
logLevel: info
harborAdminPassword: 'spaceIN511'
secretKey: 'IpTIscRIgmerlare'
portal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
tag: v1.8.2
replicas: 1
core:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
tag: v1.8.2
replicas: 1
jobservice:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
tag: v1.8.2
replicas: 1
maxJobWorkers: 10
jobLogger: file
registry:
registry:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/registry
tag: v2.7.1
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
nodeSelector:
harbor: enabled
storageSpec:
# type: emptyDir , hostPath , volumeClaimTemplate
type: hostPath
emptyDir: {}
hostPath:
root: /data
volumeClaimTemplate:
spec:
storageClassName: rook-ceph-block
accessModes: ['ReadWriteOnce']
resources:
requests:
storage: 100Gi
selector: {}
controller:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
tag: v1.8.2
replicas: 1
chartmuseum:
enabled: true
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon
tag: v0.9.0-v1.8.2
replicas: 1
nodeSelector:
harbor: enabled
storageSpec:
type: hostPath
emptyDir: {}
hostPath:
root: /data
clair:
enabled: true
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon
tag: v2.0.8-v1.8.2
replicas: 1
notary:
enabled: true
server:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon
tag: v0.6.1-v1.8.2
replicas: 1
signer:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon
tag: v0.6.1-v1.8.2
replicas: 1
database:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
tag: v1.8.2
password: 'spaceIN511'
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
nodeSelector:
harbor: enabled
storageSpec:
type: hostPath
emptyDir: {}
hostPath:
root: /data
volumeClaimTemplate:
spec:
storageClassName: rook-ceph-block
accessModes: ['ReadWriteOnce']
resources:
requests:
storage: 20Gi
selector: {}
redis:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/redis
tag: 4.0.14-alpine
raws/values-ppc64le.yaml deleted 100644 → 0
View file @ 2133e634
expose:
type: ingress
tls:
enabled: false
ingress:
hosts:
core: hub.wodcloud.local
notary: notary.wodcloud.local
annotations:
ingress.kubernetes.io/proxy-body-size: '0'
externalURL: https://hub.wodcloud.local
persistence:
enabled: true
persistentVolumeClaim:
registry:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
chartmuseum:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
jobservice:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
database:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
redis:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
trivy:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
imageChartStorage:
# s3 , filesystem
type: filesystem
s3:
accesskey: AKIAIOSFODNN7EXAMPLE
secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region: us-east-1
regionendpoint: http://minio.wodcloud.local
bucket: registry
encrypt: false
v4auth: true
chunksize: '5242880'
rootdirectory: /
imagePullPolicy: IfNotPresent
logLevel: info
harborAdminPassword: 'spaceIN511'
secretKey: 'IpTIscRIgmerlare'
portal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
tag: v2.1.6-ppc64le
core:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
tag: v2.1.6-ppc64le
jobservice:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
tag: v2.1.6-ppc64le
registry:
registry:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/registry
tag: v2.7.1-ppc64le
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
controller:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
tag: v2.1.6-ppc64le
chartmuseum:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum
tag: v2.1.1-ppc64le
nodeSelector: {}
# nodeSelector:
# harbor: enabled
storageSpec:
type: hostPath
emptyDir: {}
hostPath:
root: /data
clair:
clair:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/clair
tag: v2.1.1-ppc64le
adapter:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-clair
tag: v2.1.1-ppc64le
trivy:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-scanner-trivy
tag: v2.1.1-ppc64le
notary:
server:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server
tag: v2.1.1-ppc64le
signer:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer
tag: v2.1.1-ppc64le
database:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
tag: v2.1.6-ppc64le
password: 'spaceIN511'
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
redis:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/redis
tag: 6.2.6-ppc64le
raws/values-stolon.yaml deleted 100644 → 0
View file @ 2133e634
expose:
type: ingress
tls:
enabled: false
ingress:
hosts:
core: hub.test.wodcloud.com
notary: notary.test.wodcloud.com
annotations:
ingress.kubernetes.io/proxy-body-size: '0'
externalURL: https://hub.test.wodcloud.com
persistence:
enabled: true
imageChartStorage:
# s3 , filesystem
type: filesystem
filesystem:
rootdirectory: /data
#s3:
# accesskey: AKIAIOSFODNN7EXAMPLE
# secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# region: us-east-1
# regionendpoint: https://minio.sxwh.local
# bucket: registry
# encrypt: false
# v4auth: true
# chunksize: '5242880'
# rootdirectory: /
imagePullPolicy: IfNotPresent
logLevel: info
harborAdminPassword: 'spaceIN511'
secretKey: 'IpTIscRIgmerlare'
portal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
tag: v1.8.2
replicas: 1
core:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
tag: v1.8.2
replicas: 1
jobservice:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
tag: v1.8.2
replicas: 1
maxJobWorkers: 10
jobLogger: file
registry:
registry:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/registry
tag: v2.7.1
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
nodeSelector:
harbor: enabled
storageSpec:
# type: emptyDir , hostPath , volumeClaimTemplate
type: hostPath
emptyDir: {}
hostPath:
root: /data
volumeClaimTemplate:
spec:
storageClassName: rook-ceph-block
accessModes: ['ReadWriteOnce']
resources:
requests:
storage: 100Gi
selector: {}
controller:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
tag: v1.8.2
replicas: 1
chartmuseum:
enabled: true
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon
tag: v0.9.0-v1.8.2
replicas: 1
nodeSelector:
harbor: enabled
storageSpec:
type: hostPath
emptyDir: {}
hostPath:
root: /data
clair:
enabled: true
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon
tag: v2.0.8-v1.8.2
replicas: 1
notary:
enabled: true
server:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon
tag: v0.6.1-v1.8.2
replicas: 1
signer:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon
tag: v0.6.1-v1.8.2
replicas: 1
database:
type: external
external:
host: 'stolon-proxy.devops'
port: '5432'
username: 'postgres'
password: 'spaceIN511'
coreDatabase: 'hub_registry'
clairDatabase: 'hub_clair'
notaryServerDatabase: 'hub_notary_server'
notarySignerDatabase: 'hub_notary_signer'
sslmode: 'disable'
redis:
type: internal
internal:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/redis
tag: 4.0.14-alpine
raws/values.yaml deleted 100644 → 0
View file @ 2133e634
expose:
# Set the way how to expose the service. Set the type as "ingress",
# "clusterIP", "nodePort" or "loadBalancer" and fill the information
# in the corresponding section
type: ingress
tls:
# Enable the tls or not. Note: if the type is "ingress" and the tls
# is disabled, the port must be included in the command when pull/push
# images. Refer to https://github.com/goharbor/harbor/issues/5291
# for the detail.
enabled: true
# The source of the tls certificate. Set it as "auto", "secret"
# or "none" and fill the information in the corresponding section
# 1) auto: generate the tls certificate automatically
# 2) secret: read the tls certificate from the specified secret.
# The tls certificate can be generated manually or by cert manager
# 3) none: configure no tls certificate for the ingress. If the default
# tls certificate is configured in the ingress controller, choose this option
certSource: auto
auto:
# The common name used to generate the certificate, it's necessary
# when the type isn't "ingress"
commonName: ''
secret:
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
secretName: ''
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# Only needed when the "expose.type" is "ingress".
notarySecretName: ''
ingress:
hosts:
core: core.harbor.domain
notary: notary.harbor.domain
# set to the type of ingress controller if it has specific requirements.
# leave as `default` for most ingress controllers.
# set to `gce` if using the GCE ingress controller
# set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
controller: default
annotations:
ingress.kubernetes.io/ssl-redirect: 'true'
ingress.kubernetes.io/proxy-body-size: '0'
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
nginx.ingress.kubernetes.io/proxy-body-size: '0'
clusterIP:
# The name of ClusterIP service
name: harbor
ports:
# The service port Harbor listens on when serving with HTTP
httpPort: 80
# The service port Harbor listens on when serving with HTTPS
httpsPort: 443
# The service port Notary listens on. Only needed when notary.enabled
# is set to true
notaryPort: 4443
nodePort:
# The name of NodePort service
name: harbor
ports:
http:
# The service port Harbor listens on when serving with HTTP
port: 80
# The node port Harbor listens on when serving with HTTP
nodePort: 30002
https:
# The service port Harbor listens on when serving with HTTPS
port: 443
# The node port Harbor listens on when serving with HTTPS
nodePort: 30003
# Only needed when notary.enabled is set to true
notary:
# The service port Notary listens on
port: 4443
# The node port Notary listens on
nodePort: 30004
loadBalancer:
# The name of LoadBalancer service
name: harbor
# Set the IP if the LoadBalancer supports assigning IP
IP: ''
ports:
# The service port Harbor listens on when serving with HTTP
httpPort: 80
# The service port Harbor listens on when serving with HTTPS
httpsPort: 443
# The service port Notary listens on. Only needed when notary.enabled
# is set to true
notaryPort: 4443
annotations: {}
sourceRanges: []
# The external URL for Harbor core service. It is used to
# 1) populate the docker/helm commands showed on portal
# 2) populate the token service URL returned to docker/notary client
#
# Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be
# the value of "expose.ingress.hosts.core"
# 2) if "expose.type" is "clusterIP", the "domain" should be
# the value of "expose.clusterIP.name"
# 3) if "expose.type" is "nodePort", the "domain" should be
# the IP address of k8s node
#
# If Harbor is deployed behind the proxy, set it as the URL of proxy
externalURL: https://core.harbor.domain
# The internal TLS used for harbor components secure communicating. In order to enable https
# in each components tls cert files need to provided in advance.
internalTLS:
# If internal TLS enabled
enabled: false
# There are three ways to provide tls
# 1) "auto" will generate cert automatically
# 2) "manual" need provide cert file manually in following value
# 3) "secret" internal certificates from secret
certSource: 'auto'
# The content of trust ca, only available when `certSource` is "manual"
trustCa: ''
# core related cert configuration
core:
# secret name for core's tls certs
secretName: ''
# Content of core's TLS cert file, only available when `certSource` is "manual"
crt: ''
# Content of core's TLS key file, only available when `certSource` is "manual"
key: ''
# jobservice related cert configuration
jobservice:
# secret name for jobservice's tls certs
secretName: ''
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
key: ''
# registry related cert configuration
registry:
# secret name for registry's tls certs
secretName: ''
# Content of registry's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of registry's TLS key file, only available when `certSource` is "manual"
key: ''
# portal related cert configuration
portal:
# secret name for portal's tls certs
secretName: ''
# Content of portal's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of portal's TLS key file, only available when `certSource` is "manual"
key: ''
# chartmuseum related cert configuration
chartmuseum:
# secret name for chartmuseum's tls certs
secretName: ''
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
key: ''
# clair related cert configuration
clair:
# secret name for clair's tls certs
secretName: ''
# Content of clair's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of clair's TLS key file, only available when `certSource` is "manual"
key: ''
# trivy related cert configuration
trivy:
# secret name for trivy's tls certs
secretName: ''
# Content of trivy's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of trivy's TLS key file, only available when `certSource` is "manual"
key: ''
# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamicly.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
# if you have already existing persistent volumes to use
#
# For storing images and charts, you can also use "azure", "gcs", "s3",
# "swift" or "oss". Set it in the "imageChartStorage" section
persistence:
enabled: true
# Setting it to "keep" to avoid removing PVCs during a helm delete
# operation. Leaving it empty will delete PVCs after the chart deleted
# (this does not apply for PVCs that are created for internal database
# and redis components, i.e. they are never deleted automatically)
resourcePolicy: 'keep'
persistentVolumeClaim:
registry:
# Use the existing PVC which must be created manually before bound,
# and specify the "subPath" if the PVC is shared with other components
existingClaim: ''
# Specify the "storageClass" used to provision the volume. Or the default
# StorageClass will be used(the default).
# Set it to "-" to disable dynamic provisioning
storageClass: ''
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
chartmuseum:
existingClaim: ''
storageClass: ''
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
jobservice:
existingClaim: ''
storageClass: ''
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
# If external database is used, the following settings for database will
# be ignored
database:
existingClaim: ''
storageClass: ''
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
# If external Redis is used, the following settings for Redis will
# be ignored
redis:
existingClaim: ''
storageClass: ''
subPath: ''
accessMode: ReadWriteOnce
size: 1Gi
trivy:
existingClaim: ''
storageClass: ''
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
# Define which storage backend is used for registry and chartmuseum to store
# images and charts. Refer to
# https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
# for the detail.
imageChartStorage:
# Specify whether to disable `redirect` for images and chart storage, for
# backends which not supported it (such as using minio for `s3` storage type), please disable
# it. To disable redirects, simply set `disableredirect` to `true` instead.
# Refer to
# https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
# for the detail.
disableredirect: false
# Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
# The secret must contain keys named "ca.crt" which will be injected into the trust store
# of registry's and chartmuseum's containers.
# caBundleSecretName:
# Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
# "oss" and fill the information needed in the corresponding section. The type
# must be "filesystem" if you want to use persistent volumes for registry
# and chartmuseum
type: filesystem
filesystem:
rootdirectory: /storage
#maxthreads: 100
azure:
accountname: accountname
accountkey: base64encodedaccountkey
container: containername
#realm: core.windows.net
gcs:
bucket: bucketname
# The base64 encoded json file which contains the key
encodedkey: base64-encoded-json-key-file
#rootdirectory: /gcs/object/name/prefix
#chunksize: "5242880"
s3:
region: us-west-1
bucket: bucketname
#accesskey: awsaccesskey
#secretkey: awssecretkey
#regionendpoint: http://myobjects.local
#encrypt: false
#keyid: mykeyid
#secure: true
#skipverify: false
#v4auth: true
#chunksize: "5242880"
#rootdirectory: /s3/object/name/prefix
#storageclass: STANDARD
#multipartcopychunksize: "33554432"
#multipartcopymaxconcurrency: 100
#multipartcopythresholdsize: "33554432"
swift:
authurl: https://storage.myprovider.com/v3/auth
username: username
password: password
container: containername
#region: fr
#tenant: tenantname
#tenantid: tenantid
#domain: domainname
#domainid: domainid
#trustid: trustid
#insecureskipverify: false
#chunksize: 5M
#prefix:
#secretkey: secretkey
#accesskey: accesskey
#authversion: 3
#endpointtype: public
#tempurlcontainerkey: false
#tempurlmethods:
oss:
accesskeyid: accesskeyid
accesskeysecret: accesskeysecret
region: regionname
bucket: bucketname
#endpoint: endpoint
#internal: false
#encrypt: false
#secure: true
#chunksize: 10M
#rootdirectory: rootdirectory
imagePullPolicy: IfNotPresent
# Use this set to assign a list of default pullSecrets
imagePullSecrets:
# - name: docker-registry-secret
# - name: internal-registry-secret
# The update strategy for deployments with persistent volumes(jobservice, registry
# and chartmuseum): "RollingUpdate" or "Recreate"
# Set it as "Recreate" when "RWM" for volumes isn't supported
updateStrategy:
type: RollingUpdate
# debug, info, warning, error or fatal
logLevel: info
# The initial password of Harbor admin. Change it from portal after launching Harbor
harborAdminPassword: 'Harbor12345'
# The name of the secret which contains key named "ca.crt". Setting this enables the
# download link on portal to download the certificate of CA when the certificate isn't
# generated automatically
caSecretName: ''
# The secret key used for encryption. Must be a string of 16 chars.
secretKey: 'not-a-secure-key'
# The proxy settings for updating clair vulnerabilities from the Internet and replicating
# artifacts from/to the registries that cannot be reached directly
proxy:
httpProxy:
httpsProxy:
noProxy: 127.0.0.1,localhost,.local,.internal
components:
- core
- jobservice
- clair
- trivy
# The custom ca bundle secret, the secret must contain key named "ca.crt"
# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
# caBundleSecretName: ""
## UAA Authentication Options
# If you're using UAA for authentication behind a self-signed
# certificate you will need to provide the CA Cert.
# Set uaaSecretName below to provide a pre-created secret that
# contains a base64 encoded CA Certificate named `ca.crt`.
# uaaSecretName:
# If expose the service via "ingress", the Nginx will not be used
nginx:
image:
repository: goharbor/nginx-photon
tag: v2.1.6
# set the service account to be used, default if left empty
serviceAccountName: ''
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
portal:
image:
repository: goharbor/harbor-portal
tag: v2.1.6
# set the service account to be used, default if left empty
serviceAccountName: ''
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
core:
image:
repository: goharbor/harbor-core
tag: v2.1.6
# set the service account to be used, default if left empty
serviceAccountName: ''
replicas: 1
## Startup probe values
startupProbe:
enabled: false
initialDelaySeconds: 10
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used when core server communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ''
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate and private key for token encryption/decryption.
# The secret must contain keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# The default key pair will be used if it isn't set
secretName: ''
# The XSRF key. Will be generated automatically if it isn't specified
xsrfKey: ''
jobservice:
image:
repository: goharbor/harbor-jobservice
tag: v2.1.6
replicas: 1
# set the service account to be used, default if left empty
serviceAccountName: ''
maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout"
jobLogger: file
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used when job service communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ''
registry:
# set the service account to be used, default if left empty
serviceAccountName: ''
registry:
image:
repository: goharbor/registry-photon
tag: v2.1.6
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
controller:
image:
repository: goharbor/harbor-registryctl
tag: v2.1.6
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
replicas: 1
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used to secure the upload state from client
# and registry storage backend.
# See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ''
# If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
relativeurls: false
credentials:
username: 'harbor_registry_user'
password: 'harbor_registry_password'
# If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
# e.g. "htpasswd -nbBC10 $username $password"
htpasswd: 'harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m'
middleware:
enabled: false
type: cloudFront
cloudFront:
baseurl: example.cloudfront.net
keypairid: KEYPAIRID
duration: 3000s
ipfilteredby: none
# The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
# that allows access to CloudFront
privateKeySecret: 'my-secret'
chartmuseum:
enabled: true
# set the service account to be used, default if left empty
serviceAccountName: ''
# Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
absoluteUrl: false
image:
repository: goharbor/chartmuseum-photon
tag: v2.1.6
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
clair:
enabled: true
# set the service account to be used, default if left empty
serviceAccountName: ''
clair:
image:
repository: goharbor/clair-photon
tag: v2.1.6
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
adapter:
image:
repository: goharbor/harbor-scanner-clair-photon
tag: v2.1.6
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
replicas: 1
# The interval of clair updaters, the unit is hour, set to 0 to
# disable the updaters
updatersInterval: 12
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
trivy:
# enabled the flag to enable Trivy scanner
enabled: true
image:
# repository the repository for Trivy adapter image
repository: goharbor/trivy-adapter-photon
# tag the tag for Trivy adapter image
tag: v2.1.6
# set the service account to be used, default if left empty
serviceAccountName: ''
# replicas the number of Pod replicas
replicas: 1
# debugMode the flag to enable Trivy debug mode with more verbose scanning log
debugMode: false
# vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
vulnType: 'os,library'
# severity a comma-separated list of severities to be checked
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
# ignoreUnfixed the flag to display only fixed vulnerabilities
ignoreUnfixed: false
# insecure the flag to skip verifying registry certificate
insecure: false
# gitHubToken the GitHub access token to download Trivy DB
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
# timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
# Currently, the database is updated every 12 hours and published as a new release to GitHub.
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://developer.github.com/v3/#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
gitHubToken: ''
# skipUpdate the flag to disable Trivy DB downloads from GitHub
#
# You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
# `/home/scanner/.cache/trivy/db/trivy.db` path.
skipUpdate: false
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
notary:
enabled: true
server:
# set the service account to be used, default if left empty
serviceAccountName: ''
image:
repository: goharbor/notary-server-photon
tag: v2.1.6
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
signer:
# set the service account to be used, default if left empty
serviceAccountName: ''
image:
repository: goharbor/notary-signer-photon
tag: v2.1.6
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate authority, certificate and private key for notary
# communications.
# The secret must contain keys named ca.crt, tls.crt and tls.key that
# contain the CA, certificate and private key.
# They will be generated if not set.
secretName: ''
database:
# if external database is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
# set the service account to be used, default if left empty
serviceAccountName: ''
image:
repository: goharbor/harbor-db
tag: v2.1.6
# The initial superuser password for internal database
password: 'changeit'
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: '192.168.0.1'
port: '5432'
username: 'user'
password: 'password'
coreDatabase: 'registry'
clairDatabase: 'clair'
notaryServerDatabase: 'notary_server'
notarySignerDatabase: 'notary_signer'
# "disable" - No SSL
# "require" - Always SSL (skip verification)
# "verify-ca" - Always SSL (verify that the certificate presented by the
# server was signed by a trusted CA)
# "verify-full" - Always SSL (verify that the certification presented by the
# server was signed by a trusted CA and the server host name matches the one
# in the certificate)
sslmode: 'disable'
# The maximum number of connections in the idle connection pool.
# If it <=0, no idle connections are retained.
maxIdleConns: 50
# The maximum number of open connections to the database.
# If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgre of harbor.
maxOpenConns: 1000
## Additional deployment annotations
podAnnotations: {}
redis:
# if external Redis is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
# set the service account to be used, default if left empty
serviceAccountName: ''
image:
repository: goharbor/redis-photon
tag: v2.1.6
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
# support redis, redis+sentinel
# addr for redis: <host_redis>:<port_redis>
# addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
addr: '192.168.0.2:6379'
# The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
sentinelMasterSet: ''
# The "coreDatabaseIndex" must be "0" as the library Harbor
# used doesn't support configuring it
coreDatabaseIndex: '0'
jobserviceDatabaseIndex: '1'
registryDatabaseIndex: '2'
chartmuseumDatabaseIndex: '3'
clairAdapterIndex: '4'
trivyAdapterIndex: '5'
password: ''
## Additional deployment annotations
podAnnotations: {}
commonLabels:
app.bd-apaas.com/cluster-component: registry
templates/NOTES.txt
View file @ d68116b6
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at {{ $.Values.global.host }}
Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}
For more details, please visit https://github.com/goharbor/harbor
templates/_helpers.tpl
View file @ d68116b6
{{/*
Create chart imageArch suffix.
*/}}
{{- define ".beagle.imageArch" -}}
{{- if not (eq "amd64" .Values.global.imageArch) -}}
{{- print "-" .Values.global.imageArch -}}
{{- else -}}
{{- print "" -}}
{{- end -}}
{{- end }}
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
......@@ -21,10 +10,27 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "harbor.fullname" -}}
{{- $name := default "harbor" .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "harbor" .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/* Helm required labels: legacy */}}
{{- define "harbor.legacy.labels" -}}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}
app: "{{ template "harbor.name" . }}"
{{- end -}}
{{/* Helm required labels */}}
......@@ -33,8 +39,12 @@ heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}
app: "{{ template "harbor.name" . }}"
{{- if .Values.commonLabels}}
{{ toYaml .Values.commonLabels }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "harbor.name" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: {{ include "harbor.name" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- end -}}
......@@ -44,6 +54,13 @@ release: {{ .Release.Name }}
app: "{{ template "harbor.name" . }}"
{{- end -}}
{{/* Helper for printing values from existing secrets*/}}
{{- define "harbor.secretKeyHelper" -}}
{{- if and (not (empty .data)) (hasKey .data .key) }}
{{- index .data .key | b64dec -}}
{{- end -}}
{{- end -}}
{{- define "harbor.autoGenCert" -}}
{{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
{{- printf "true" -}}
......@@ -94,7 +111,12 @@ app: "{{ template "harbor.name" . }}"
{{- define "harbor.database.rawPassword" -}}
{{- if eq .Values.database.type "internal" -}}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}}
{{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}}
{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}}
{{- else -}}
{{- .Values.database.internal.password -}}
{{- end -}}
{{- else -}}
{{- .Values.database.external.password -}}
{{- end -}}
......@@ -116,53 +138,31 @@ app: "{{ template "harbor.name" . }}"
{{- end -}}
{{- end -}}
{{- define "harbor.database.clairDatabase" -}}
{{- if eq .Values.database.type "internal" -}}
{{- printf "%s" "postgres" -}}
{{- else -}}
{{- .Values.database.external.clairDatabase -}}
{{- end -}}
{{- end -}}
{{- define "harbor.database.notaryServerDatabase" -}}
{{- define "harbor.database.sslmode" -}}
{{- if eq .Values.database.type "internal" -}}
{{- printf "%s" "notaryserver" -}}
{{- printf "%s" "disable" -}}
{{- else -}}
{{- .Values.database.external.notaryServerDatabase -}}
{{- .Values.database.external.sslmode -}}
{{- end -}}
{{- end -}}
{{- define "harbor.database.notarySignerDatabase" -}}
{{- if eq .Values.database.type "internal" -}}
{{- printf "%s" "notarysigner" -}}
{{- define "harbor.redis.scheme" -}}
{{- with .Values.redis }}
{{- if eq .type "external" -}}
{{- if not (not .external.sentinelMasterSet) -}}
{{- ternary "rediss+sentinel" "redis+sentinel" (.external.tlsOptions.enable) }}
{{- else -}}
{{- .Values.database.external.notarySignerDatabase -}}
{{- ternary "rediss" "redis" (.external.tlsOptions.enable) }}
{{- end -}}
{{- end -}}
{{- define "harbor.database.sslmode" -}}
{{- if eq .Values.database.type "internal" -}}
{{- printf "%s" "disable" -}}
{{- else -}}
{{- .Values.database.external.sslmode -}}
{{ print "redis" }}
{{- end -}}
{{- end }}
{{- end -}}
{{- define "harbor.database.clair" -}}
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- end -}}
{{- define "harbor.database.notaryServer" -}}
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- end -}}
{{- define "harbor.database.notarySigner" -}}
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- end -}}
{{- define "harbor.redis.scheme" -}}
{{- define "harbor.redis.enableTLS" -}}
{{- with .Values.redis }}
{{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }}
{{- ternary "true" "false" (and ( eq .type "external") (.external.tlsOptions.enable)) }}
{{- end }}
{{- end -}}
......@@ -175,7 +175,7 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- define "harbor.redis.masterSet" -}}
{{- with .Values.redis }}
{{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }}
{{- ternary .external.sentinelMasterSet "" (contains "+sentinel" (include "harbor.redis.scheme" $)) }}
{{- end }}
{{- end -}}
......@@ -185,16 +185,30 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- end }}
{{- end -}}
/*scheme://[redis:password@]host:port[/master_set]*/
{{- define "harbor.redis.pwdfromsecret" -}}
{{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }}
{{- end -}}
{{- define "harbor.redis.cred" -}}
{{- with .Values.redis }}
{{- if (and (eq .type "external" ) (.external.existingSecret)) }}
{{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }}
{{- else }}
{{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
{{- end }}
{{- end }}
{{- end -}}
/*scheme://[:password@]host:port[/master_set]*/
{{- define "harbor.redis.url" -}}
{{- with .Values.redis }}
{{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
{{- $cred := ternary (printf "redis:%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
{{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
{{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}}
{{- end }}
{{- end -}}
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
{{- define "harbor.redis.urlForCore" -}}
{{- with .Values.redis }}
{{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }}
......@@ -202,47 +216,49 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- end }}
{{- end -}}
/*scheme://[redis:password@]addr/db_index*/
/*scheme://[:password@]addr/db_index*/
{{- define "harbor.redis.urlForJobservice" -}}
{{- with .Values.redis }}
{{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }}
{{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }}
{{- printf "%s/%s" (include "harbor.redis.url" $) $index -}}
{{- end }}
{{- end -}}
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
{{- define "harbor.redis.urlForRegistry" -}}
{{- with .Values.redis }}
{{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }}
{{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }}
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
{{- end }}
{{- end -}}
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
{{- define "harbor.redis.urlForClair" -}}
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
{{- define "harbor.redis.urlForTrivy" -}}
{{- with .Values.redis }}
{{- $index := ternary "4" .external.clairAdapterIndex (eq .type "internal") }}
{{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }}
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
{{- end }}
{{- end -}}
/*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
{{- define "harbor.redis.urlForTrivy" -}}
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
{{- define "harbor.redis.urlForHarbor" -}}
{{- with .Values.redis }}
{{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }}
{{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }}
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
{{- end }}
{{- end -}}
{{- define "harbor.redis.dbForRegistry" -}}
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
{{- define "harbor.redis.urlForCache" -}}
{{- with .Values.redis }}
{{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }}
{{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }}
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
{{- end }}
{{- end -}}
{{- define "harbor.redis.dbForChartmuseum" -}}
{{- define "harbor.redis.dbForRegistry" -}}
{{- with .Values.redis }}
{{- ternary "3" .external.chartmuseumDatabaseIndex (eq .type "internal") }}
{{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }}
{{- end }}
{{- end -}}
......@@ -266,44 +282,32 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- printf "%s-registry" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.chartmuseum" -}}
{{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}}
{{- define "harbor.registryCtl" -}}
{{- printf "%s-registryctl" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.database" -}}
{{- printf "%s-database" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.clair" -}}
{{- printf "%s-clair" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.trivy" -}}
{{- printf "%s-trivy" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.notary-server" -}}
{{- printf "%s-notary-server" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.notary-signer" -}}
{{- printf "%s-notary-signer" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.nginx" -}}
{{- printf "%s-nginx" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.ingress" -}}
{{- printf "%s-ingress" (include "harbor.fullname" .) -}}
{{- define "harbor.exporter" -}}
{{- printf "%s-exporter" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.ingress-notary" -}}
{{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}}
{{- define "harbor.ingress" -}}
{{- printf "%s-ingress" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.noProxy" -}}
{{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.chartmuseum" .) (include "harbor.clair" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) .Values.proxy.noProxy -}}
{{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}}
{{- end -}}
{{- define "harbor.caBundleVolume" -}}
......@@ -318,7 +322,7 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
subPath: ca.crt
{{- end -}}
{{/* scheme for all components except notary because it only support http mode */}}
{{/* scheme for all components because it only support http mode */}}
{{- define "harbor.component.scheme" -}}
{{- if .Values.internalTLS.enabled -}}
{{- printf "https" -}}
......@@ -327,42 +331,6 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- end -}}
{{- end -}}
{{/* chartmuseum component container port */}}
{{- define "harbor.chartmuseum.containerPort" -}}
{{- if .Values.internalTLS.enabled -}}
{{- printf "9443" -}}
{{- else -}}
{{- printf "9999" -}}
{{- end -}}
{{- end -}}
{{/* chartmuseum component service port */}}
{{- define "harbor.chartmuseum.servicePort" -}}
{{- if .Values.internalTLS.enabled -}}
{{- printf "443" -}}
{{- else -}}
{{- printf "80" -}}
{{- end -}}
{{- end -}}
{{/* clair adapter component container port */}}
{{- define "harbor.clairAdapter.containerPort" -}}
{{- if .Values.internalTLS.enabled -}}
{{- printf "8443" -}}
{{- else -}}
{{- printf "8080" -}}
{{- end -}}
{{- end -}}
{{/* clair adapter component service port */}}
{{- define "harbor.clairAdapter.servicePort" -}}
{{- if .Values.internalTLS.enabled -}}
{{- printf "8443" -}}
{{- else -}}
{{- printf "8080" -}}
{{- end -}}
{{- end -}}
{{/* core component container port */}}
{{- define "harbor.core.containerPort" -}}
{{- if .Values.internalTLS.enabled -}}
......@@ -471,11 +439,6 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- end -}}
{{- end -}}
{{/* CLAIR_ADAPTER_URL */}}
{{- define "harbor.clairAdapterURL" -}}
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.clair" .) (include "harbor.clairAdapter.servicePort" .) -}}
{{- end -}}
{{/* CORE_URL */}}
{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}}
{{- define "harbor.coreURL" -}}
......@@ -512,22 +475,6 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}}
{{- end -}}
{{- define "harbor.internalTLS.chartmuseum.secretName" -}}
{{- if eq .Values.internalTLS.certSource "secret" -}}
{{- .Values.internalTLS.chartmuseum.secretName -}}
{{- else -}}
{{- printf "%s-chartmuseum-internal-tls" (include "harbor.fullname" .) -}}
{{- end -}}
{{- end -}}
{{- define "harbor.internalTLS.clair.secretName" -}}
{{- if eq .Values.internalTLS.certSource "secret" -}}
{{- .Values.internalTLS.clair.secretName -}}
{{- else -}}
{{- printf "%s-clair-internal-tls" (include "harbor.fullname" .) -}}
{{- end -}}
{{- end -}}
{{- define "harbor.internalTLS.core.secretName" -}}
{{- if eq .Values.internalTLS.certSource "secret" -}}
{{- .Values.internalTLS.core.secretName -}}
......@@ -578,16 +525,6 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- end -}}
{{- end -}}
{{- define "harbor.tlsNotarySecretForIngress" -}}
{{- if eq .Values.expose.tls.certSource "none" -}}
{{- printf "" -}}
{{- else if eq .Values.expose.tls.certSource "secret" -}}
{{- .Values.expose.tls.secret.notarySecretName -}}
{{- else -}}
{{- include "harbor.ingress" . -}}
{{- end -}}
{{- end -}}
{{- define "harbor.tlsSecretForNginx" -}}
{{- if eq .Values.expose.tls.certSource "secret" -}}
{{- .Values.expose.tls.secret.secretName -}}
......@@ -595,3 +532,64 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- include "harbor.nginx" . -}}
{{- end -}}
{{- end -}}
{{- define "harbor.metricsPortName" -}}
{{- if .Values.internalTLS.enabled }}
{{- printf "https-metrics" -}}
{{- else -}}
{{- printf "http-metrics" -}}
{{- end -}}
{{- end -}}
{{- define "harbor.traceEnvs" -}}
TRACE_ENABLED: "{{ .Values.trace.enabled }}"
TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}"
TRACE_NAMESPACE: "{{ .Values.trace.namespace }}"
{{- if .Values.trace.attributes }}
TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }}
{{- end }}
{{- if eq .Values.trace.provider "jaeger" }}
TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}"
TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}"
TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}"
TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}"
{{- else }}
TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}"
TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}"
TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}"
TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}"
TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}"
{{- end }}
{{- end -}}
{{- define "harbor.traceEnvsForCore" -}}
{{- if .Values.trace.enabled }}
TRACE_SERVICE_NAME: "harbor-core"
{{ include "harbor.traceEnvs" . }}
{{- end }}
{{- end -}}
{{- define "harbor.traceEnvsForJobservice" -}}
{{- if .Values.trace.enabled }}
TRACE_SERVICE_NAME: "harbor-jobservice"
{{ include "harbor.traceEnvs" . }}
{{- end }}
{{- end -}}
{{- define "harbor.traceEnvsForRegistryCtl" -}}
{{- if .Values.trace.enabled }}
TRACE_SERVICE_NAME: "harbor-registryctl"
{{ include "harbor.traceEnvs" . }}
{{- end }}
{{- end -}}
{{- define "harbor.traceJaegerPassword" -}}
{{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }}
TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}"
{{- end }}
{{- end -}}
{{/* Allow KubeVersion to be overridden. */}}
{{- define "harbor.ingress.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}}
{{- end -}}
templates/chartmuseum/chartmuseum-cm.yaml deleted 100644 → 0
View file @ 2133e634
{{- if .Values.chartmuseum.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.chartmuseum" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
PORT: "{{ template "harbor.chartmuseum.containerPort" . }}"
{{- if .Values.internalTLS.enabled }}
TLS_CERT: "/etc/harbor/ssl/chartmuseum/tls.crt"
TLS_KEY: "/etc/harbor/ssl/chartmuseum/tls.key"
{{- end }}
{{- if eq "redis" (include "harbor.redis.scheme" .) }}
CACHE: "redis"
{{- else }}
CACHE: "redis_sentinel"
CACHE_REDIS_MASTERNAME: "{{ template "harbor.redis.masterSet" . }}"
{{- end }}
CACHE_REDIS_ADDR: "{{ template "harbor.redis.addr" . }}"
CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}"
BASIC_AUTH_USER: "chart_controller"
{{- if .Values.chartmuseum.absoluteUrl }}
CHART_URL: {{ .Values.externalURL }}.{{ $.Values.global.host }}/chartrepo
{{- end }}
DEPTH: "1"
{{- if eq .Values.logLevel "debug" }}
DEBUG: "true"
{{- else }}
DEBUG: "false"
{{- end }}
LOG_JSON: "true"
DISABLE_METRICS: "false"
DISABLE_API: "false"
DISABLE_STATEFILES: "false"
ALLOW_OVERWRITE: "true"
AUTH_ANONYMOUS_GET: "false"
CONTEXT_PATH: ""
INDEX_LIMIT: "0"
MAX_STORAGE_OBJECTS: "0"
MAX_UPLOAD_SIZE: "20971520"
CHART_POST_FORM_FIELD_NAME: "chart"
PROV_POST_FORM_FIELD_NAME: "prov"
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $storageType := $storage.type }}
{{- if eq $storageType "filesystem" }}
STORAGE: "local"
STORAGE_LOCAL_ROOTDIR: "/chart_storage"
{{- else if eq $storageType "azure" }}
STORAGE: "microsoft"
STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }}
AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }}
AZURE_BASE_URL: {{ $storage.azure.realm }}
STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts"
{{- else if eq $storageType "gcs" }}
STORAGE: "google"
STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }}
GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json
{{- if $storage.gcs.rootdirectory }}
STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }}
{{- end }}
{{- else if eq $storageType "s3" }}
STORAGE: "amazon"
STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }}
{{- if $storage.s3.rootdirectory }}
STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }}
{{- end }}
STORAGE_AMAZON_REGION: {{ $storage.s3.region }}
{{- if $storage.s3.regionendpoint }}
STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }}
{{- end }}
{{- if $storage.s3.accesskey }}
AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }}
{{- end }}
{{- if $storage.s3.keyid }}
STORAGE_AMAZON_SSE: aws:kms
{{- end }}
{{- else if eq $storageType "swift" }}
STORAGE: "openstack"
STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }}
{{- if $storage.swift.prefix }}
STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }}
{{- end }}
{{- if $storage.swift.region }}
STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }}
{{- end }}
OS_AUTH_URL: {{ $storage.swift.authurl }}
OS_USERNAME: {{ $storage.swift.username }}
{{- if $storage.swift.tenantid }}
OS_PROJECT_ID: {{ $storage.swift.tenantid }}
{{- end }}
{{- if $storage.swift.tenant }}
OS_PROJECT_NAME: {{ $storage.swift.tenant }}
{{- end }}
{{- if $storage.swift.domainid }}
OS_DOMAIN_ID: {{ $storage.swift.domainid }}
{{- end }}
{{- if $storage.swift.domain }}
OS_DOMAIN_NAME: {{ $storage.swift.domain }}
{{- end }}
{{- else if eq $storageType "oss" }}
STORAGE: "alibaba"
STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }}
{{- if $storage.oss.rootdirectory }}
STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }}
{{- end }}
{{- if $storage.oss.endpoint }}
STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }}
{{- end }}
ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }}
{{- end }}
STORAGE_TIMESTAMP_TOLERANCE: 1s
{{- end }}
templates/chartmuseum/chartmuseum-dpl.yaml deleted 100644 → 0
View file @ 2133e634
{{- if .Values.chartmuseum.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: "{{ template "harbor.chartmuseum" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
component: chartmuseum
spec:
replicas: {{ .Values.chartmuseum.replicas }}
strategy:
type: {{ .Values.updateStrategy.type }}
{{- if eq .Values.updateStrategy.type "Recreate" }}
rollingUpdate: null
{{- end }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: chartmuseum
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: chartmuseum
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
checksum/tls: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-tls.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.chartmuseum.podAnnotations }}
{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
fsGroup: 10000
{{- if .Values.chartmuseum.serviceAccountName }}
serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: chartmuseum
{{- if contains "/" .Values.chartmuseum.image.repository }}
image: "{{ .Values.chartmuseum.image.repository }}"
{{- else }}
image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
livenessProbe:
httpGet:
path: /health
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.chartmuseum.containerPort" . }}
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.chartmuseum.containerPort" . }}
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.chartmuseum.resources }}
resources:
{{ toYaml .Values.chartmuseum.resources | indent 10 }}
{{- end }}
envFrom:
- configMapRef:
name: "{{ template "harbor.chartmuseum" . }}"
- secretRef:
name: "{{ template "harbor.chartmuseum" . }}"
env:
{{- if has "chartmuseum" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
- name: HTTPS_PROXY
value: "{{ .Values.proxy.httpsProxy }}"
- name: NO_PROXY
value: "{{ template "harbor.noProxy" . }}"
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: INTERNAL_TLS_KEY_PATH
value: /etc/harbor/ssl/chartmuseum/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /etc/harbor/ssl/chartmuseum/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/chartmuseum/ca.crt
{{- end }}
- name: BASIC_AUTH_PASS
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
key: secret
- # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280)
name: AWS_SDK_LOAD_CONFIG
value: "1"
ports:
- containerPort: {{ template "harbor.chartmuseum.containerPort" . }}
volumeMounts:
- name: chartmuseum-data
mountPath: /chart_storage
subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }}
{{- if .Values.internalTLS.enabled }}
- name: chart-internal-certs
mountPath: /etc/harbor/ssl/chartmuseum
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
mountPath: /etc/chartmuseum/gcs-key.json
subPath: gcs-key.json
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
{{- end }}
volumes:
- name: chartmuseum-data
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: chart-internal-certs
secret:
secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }}
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
secret:
secretName: {{ template "harbor.registry" . }}
items:
- key: GCS_KEY_DATA
path: gcs-key.json
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
secret:
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 6 }}
{{- end }}
{{- with .Values.chartmuseum.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.chartmuseum.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.chartmuseum.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}
templates/chartmuseum/chartmuseum-pvc.yaml deleted 100644 → 0
View file @ 2133e634
{{- if .Values.chartmuseum.enabled }}
{{- $persistence := .Values.persistence -}}
{{- if $persistence.enabled }}
{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}}
{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "harbor.chartmuseum" . }}
{{- if eq $persistence.resourcePolicy "keep" }}
annotations:
helm.sh/resource-policy: keep
{{- end }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: chartmuseum
spec:
accessModes:
- {{ $chartmuseum.accessMode }}
resources:
requests:
storage: {{ $chartmuseum.size }}
{{- if $chartmuseum.storageClass }}
{{- if eq "-" $chartmuseum.storageClass }}
storageClassName: ""
{{- else }}
storageClassName: {{ $chartmuseum.storageClass }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
templates/chartmuseum/chartmuseum-secret.yaml deleted 100644 → 0
View file @ 2133e634
{{- if .Values.chartmuseum.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.chartmuseum" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $storageType := $storage.type }}
{{- if eq $storageType "azure" }}
AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }}
{{- else if eq $storageType "gcs" }}
# TODO support the keyfile of gcs
{{- else if eq $storageType "s3" }}
{{- if $storage.s3.secretkey }}
AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }}
{{- end }}
{{- else if eq $storageType "swift" }}
OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
{{- else if eq $storageType "oss" }}
ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- end }}
\ No newline at end of file
templates/chartmuseum/chartmuseum-svc.yaml deleted 100644 → 0
View file @ 2133e634
{{- if .Values.chartmuseum.enabled }}
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.chartmuseum" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: {{ template "harbor.chartmuseum.servicePort" . }}
targetPort: {{ template "harbor.chartmuseum.containerPort" . }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: chartmuseum
{{- end }}
\ No newline at end of file
templates/chartmuseum/chartmuseum-tls.yaml deleted 100644 → 0
View file @ 2133e634
{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }}
{{- if eq .Values.internalTLS.certSource "manual" }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }}
tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }}
{{- end }}
{{- end }}
templates/clair/clair-dpl.yaml deleted 100644 → 0
View file @ 2133e634
{{ if .Values.clair.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "harbor.clair" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: clair
spec:
replicas: {{ .Values.clair.replicas }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: clair
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: clair
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/clair/clair-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
checksum/tls: {{ include (print $.Template.BasePath "/clair/clair-tls.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.clair.podAnnotations }}
{{ toYaml .Values.clair.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
fsGroup: 10000
{{- if .Values.clair.serviceAccountName }}
serviceAccountName: {{ .Values.clair.serviceAccountName }}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: clair
{{- if contains "/" .Values.clair.clair.image.repository }}
image: "{{ .Values.clair.clair.image.repository }}"
{{- else }}
image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
livenessProbe:
httpGet:
path: /health
port: 6061
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: 6061
initialDelaySeconds: 30
periodSeconds: 10
args: ["-log-level", "{{ .Values.logLevel }}"]
env:
{{- if has "clair" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
- name: HTTPS_PROXY
value: "{{ .Values.proxy.httpsProxy }}"
- name: NO_PROXY
value: "{{ template "harbor.noProxy" . }}"
{{- end }}
{{- if .Values.clair.clair.resources }}
resources:
{{ toYaml .Values.clair.clair.resources | indent 10 }}
{{- end }}
ports:
- containerPort: 6060
volumeMounts:
- name: config
mountPath: /etc/clair/config.yaml
subPath: config.yaml
{{- if .Values.internalTLS.enabled }}
- name: clair-internal-certs
mountPath: /etc/harbor/ssl/clair
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
{{- end }}
- name: adapter
{{- if contains "/" .Values.clair.adapter.image.repository }}
image: "{{ .Values.clair.adapter.image.repository }}"
{{- else }}
image: "{{ .Values.clair.adapter.image.hub | default .Values.global.hub }}/{{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
livenessProbe:
httpGet:
path: /probe/healthy
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.clairAdapter.containerPort" . }}
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /probe/ready
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.clairAdapter.containerPort" . }}
initialDelaySeconds: 30
periodSeconds: 10
env:
- name: SCANNER_CLAIR_URL
# To avoid a pod cannot reach itself via service IP when the clusters disable hairpin
value: "http://127.0.0.1:6060"
- name: SCANNER_STORE_REDIS_URL
valueFrom:
secretKeyRef:
name: {{ template "harbor.clair" . }}
key: redis
- name: SCANNER_CLAIR_DATABASE_URL
valueFrom:
secretKeyRef:
name: {{ template "harbor.clair" . }}
key: database
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: SCANNER_API_SERVER_ADDR
value: ":8443"
- name: SCANNER_API_SERVER_TLS_KEY
value: /etc/harbor/ssl/clair/tls.key
- name: SCANNER_API_SERVER_TLS_CERTIFICATE
value: /etc/harbor/ssl/clair/tls.crt
{{- end }}
- name: SCANNER_LOG_LEVEL
value: "{{ .Values.logLevel }}"
{{- if .Values.clair.adapter.resources }}
resources:
{{ toYaml .Values.clair.adapter.resources | indent 10 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.clairAdapter.containerPort" . }}
{{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }}
volumeMounts:
{{- if .Values.internalTLS.enabled }}
- name: clair-internal-certs
mountPath: /etc/harbor/ssl/clair
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: config
secret:
secretName: "{{ template "harbor.clair" . }}"
{{- if .Values.internalTLS.enabled }}
- name: clair-internal-certs
secret:
secretName: {{ template "harbor.internalTLS.clair.secretName" . }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 6 }}
{{- end }}
{{- with .Values.clair.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.clair.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.clair.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{ end }}
templates/clair/clair-secret.yaml deleted 100644 → 0
View file @ 2133e634
{{- if .Values.clair.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.clair" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }}
redis: {{ include "harbor.redis.urlForClair" . | b64enc }}
database: {{ include "harbor.database.clair" . | b64enc }}
{{- end }}
\ No newline at end of file
templates/clair/clair-tls.yaml deleted 100644 → 0
View file @ 2133e634
{{- if and .Values.clair.enabled .Values.internalTLS.enabled }}
{{- if eq .Values.internalTLS.certSource "manual" }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.clair.secretName" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }}
tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }}
{{- end }}
{{- end }}
\ No newline at end of file
templates/core/core-cm.yaml
View file @ d68116b6
......@@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.core" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
......@@ -21,26 +22,26 @@ data:
POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
EXT_ENDPOINT: "{{ .Values.externalURL }}.{{ $.Values.global.host }}"
EXT_ENDPOINT: "{{ .Values.externalURL }}"
CORE_URL: "{{ template "harbor.coreURL" . }}"
JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}"
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
WITH_NOTARY: "{{ .Values.notary.enabled }}"
NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}"
WITH_CLAIR: "{{ .Values.clair.enabled }}"
CLAIR_ADAPTER_URL: "{{ template "harbor.clairAdapterURL" . }}"
WITH_TRIVY: {{ .Values.trivy.enabled | quote }}
TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}"
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}"
CHART_REPOSITORY_URL: "{{ template "harbor.component.scheme" . }}://{{ template "harbor.chartmuseum" . }}"
LOG_LEVEL: "{{ .Values.logLevel }}"
CONFIG_PATH: "/etc/core/app.conf"
CHART_CACHE_DRIVER: "redis"
_REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
_REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}"
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }}
_REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}"
{{- end }}
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
_REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
{{- end }}
PORTAL_URL: "{{ template "harbor.portalURL" . }}"
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
......@@ -52,8 +53,39 @@ data:
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
NO_PROXY: "{{ template "harbor.noProxy" . }}"
{{- end }}
PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor"
PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory"
{{- if .Values.metrics.enabled}}
METRIC_ENABLE: "true"
METRIC_PATH: "{{ .Values.metrics.core.path }}"
METRIC_PORT: "{{ .Values.metrics.core.port }}"
METRIC_NAMESPACE: harbor
METRIC_SUBSYSTEM: core
{{- end }}
{{- if hasKey .Values.core "gcTimeWindowHours" }}
#make the GC time window configurable for testing
GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}"
{{- end }}
{{- template "harbor.traceEnvsForCore" . }}
{{- if .Values.core.artifactPullAsyncFlushDuration }}
ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }}
{{- end }}
{{- if .Values.core.gdpr}}
{{- if .Values.core.gdpr.deleteUser}}
GDPR_DELETE_USER: "true"
{{- end }}
{{- if .Values.core.gdpr.auditLogsCompliant}}
GDPR_AUDIT_LOGS: "true"
{{- end }}
{{- end }}
{{- if .Values.cache.enabled }}
CACHE_ENABLED: "true"
CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
{{- end }}
{{- if .Values.core.quotaUpdateProvider }}
QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}"
{{- end }}
templates/core/core-dpl.yaml
View file @ d68116b6
......@@ -2,11 +2,14 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "harbor.core" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: core
app.kubernetes.io/component: core
spec:
replicas: {{ .Values.core.replicas }}
revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
......@@ -16,6 +19,10 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: core
app.kubernetes.io/component: core
{{- if .Values.core.podLabels }}
{{ toYaml .Values.core.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
......@@ -29,11 +36,8 @@ spec:
{{ toYaml .Values.core.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsUser: 10000
fsGroup: 10000
{{- if .Values.core.serviceAccountName }}
serviceAccountName: {{ .Values.core.serviceAccountName }}
......@@ -42,14 +46,26 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
{{- with .Values.core.topologySpreadConstraints}}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: core
{{- end }}
{{- end }}
{{- with .Values.core.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: core
{{- if contains "/" .Values.core.image.repository }}
image: "{{ .Values.core.image.repository }}"
{{- else }}
image: "{{ .Values.core.image.hub | default .Values.global.hub }}/{{ .Values.core.image.repository }}:{{ .Values.core.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.core.startupProbe.enabled }}
startupProbe:
httpGet:
......@@ -83,13 +99,24 @@ spec:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: "{{ template "harbor.jobservice" . }}"
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
{{- if .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- else }}
key: JOBSERVICE_SECRET
{{- end }}
{{- if .Values.existingSecretAdminPassword }}
- name: HARBOR_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecretAdminPassword }}
key: {{ .Values.existingSecretAdminPasswordKey }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
......@@ -100,6 +127,33 @@ spec:
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/core/ca.crt
{{- end }}
{{- if .Values.database.external.existingSecret }}
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
{{- end }}
{{- if .Values.registry.credentials.existingSecret }}
- name: REGISTRY_CREDENTIAL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.registry.credentials.existingSecret }}
key: REGISTRY_PASSWD
{{- end }}
{{- if .Values.core.existingXsrfSecret }}
- name: CSRF_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.core.existingXsrfSecret }}
key: {{ .Values.core.existingXsrfSecretKey }}
{{- end }}
{{- with .Values.core.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.core.containerPort" . }}
volumeMounts:
......@@ -143,7 +197,11 @@ spec:
path: app.conf
- name: secret-key
secret:
{{- if .Values.existingSecretSecretKey }}
secretName: {{ .Values.existingSecretSecretKey }}
{{- else }}
secretName: {{ template "harbor.core" . }}
{{- end }}
items:
- key: secretKey
path: key
......@@ -195,3 +253,6 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.core.priorityClassName }}
priorityClassName: {{ .Values.core.priorityClassName }}
{{- end }}
templates/core/core-pre-upgrade-job.yaml 0 → 100644
View file @ d68116b6
{{- if .Values.enableMigrateHelmHook }}
apiVersion: batch/v1
kind: Job
metadata:
name: migration-job
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: migrator
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-5"
spec:
template:
metadata:
labels:
{{ include "harbor.matchLabels" . | indent 8 }}
component: migrator
spec:
restartPolicy: Never
securityContext:
runAsUser: 10000
fsGroup: 10000
{{- if .Values.core.serviceAccountName }}
serviceAccountName: {{ .Values.core.serviceAccountName }}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 120
containers:
- name: core-job
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command: ["/harbor/harbor_core", "-mode=migrate"]
envFrom:
- configMapRef:
name: "{{ template "harbor.core" . }}"
- secretRef:
name: "{{ template "harbor.core" . }}"
{{- if .Values.database.external.existingSecret }}
env:
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
volumeMounts:
- name: config
mountPath: /etc/core/app.conf
subPath: app.conf
volumes:
- name: config
configMap:
name: {{ template "harbor.core" . }}
items:
- key: app.conf
path: app.conf
{{- with .Values.core.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.core.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.core.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}
templates/core/core-secret.yaml
View file @ d68116b6
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.core" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if not .Values.existingSecretSecretKey }}
secretKey: {{ .Values.secretKey | b64enc | quote }}
secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- if not .Values.core.secretName }}
tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
{{- end }}
{{- end }}
{{- if not .Values.core.existingSecret }}
secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.core.secretName }}
{{- $ca := genCA "harbor-token-ca" 365 }}
tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }}
{{- end }}
{{- if not .Values.existingSecretAdminPassword }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
{{- end }}
{{- if not .Values.database.external.existingSecret }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
{{- end }}
{{- if not .Values.core.existingXsrfSecret }}
CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
{{- end }}
{{- if .Values.core.configureUserSettings }}
CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
{{- end }}
{{- template "harbor.traceJaegerPassword" . }}
templates/core/core-svc.yaml
View file @ d68116b6
......@@ -2,15 +2,25 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "harbor.core" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- with .Values.core.serviceAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }}
type: NodePort
{{- end }}
ports:
- port: {{ template "harbor.core.servicePort" . }}
- name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }}
port: {{ template "harbor.core.servicePort" . }}
targetPort: {{ template "harbor.core.containerPort" . }}
{{- if .Values.metrics.enabled}}
- name: {{ template "harbor.metricsPortName" . }}
port: {{ .Values.metrics.core.port }}
{{- end }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: core
templates/core/core-tls.yaml
View file @ d68116b6
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......
templates/database/database-secret.yaml
View file @ d68116b6
......@@ -3,6 +3,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.database" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
......
templates/database/database-ss.yaml
View file @ d68116b6
......@@ -4,9 +4,11 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: "{{ template "harbor.database" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: database
app.kubernetes.io/component: database
spec:
replicas: 1
serviceName: "{{ template "harbor.database" . }}"
......@@ -19,16 +21,19 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: database
app.kubernetes.io/component: database
{{- if .Values.database.podLabels }}
{{ toYaml .Values.database.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }}
{{- if .Values.database.podAnnotations }}
{{ toYaml .Values.database.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsUser: 999
fsGroup: 999
{{- if .Values.database.internal.serviceAccountName }}
serviceAccountName: {{ .Values.database.internal.serviceAccountName }}
{{- end -}}
......@@ -36,54 +41,53 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
initContainers:
- name: "change-permission-of-directory"
securityContext:
runAsUser: 0
{{- if contains "/" .Values.database.internal.image.repository }}
image: "{{ .Values.database.internal.image.repository }}"
{{- else }}
image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
# with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume
# this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph
# use this init container to correct the permission
# as "fsGroup" applied before the init container running, the container has enough permission to execute the command
- name: "data-permissions-ensurer"
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
command: ["/bin/sh"]
args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"]
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: {{ $database.subPath }}
- name: "remove-lost-found"
{{- if contains "/" .Values.database.internal.image.repository }}
image: "{{ .Values.database.internal.image.repository }}"
{{- else }}
image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
{{- if .Values.database.internal.initContainer.permissions.resources }}
resources:
{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }}
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: {{ $database.subPath }}
{{- with .Values.database.internal.extrInitContainers }}
{{- toYaml . | nindent 6 }}
{{- end }}
containers:
- name: database
{{- if contains "/" .Values.database.internal.image.repository }}
image: "{{ .Values.database.internal.image.repository }}"
{{- else }}
image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
livenessProbe:
exec:
command:
- /docker-healthcheck.sh
initialDelaySeconds: 300
periodSeconds: 10
timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }}
readinessProbe:
exec:
command:
- /docker-healthcheck.sh
initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }}
{{- if .Values.database.internal.resources }}
resources:
{{ toYaml .Values.database.internal.resources | indent 10 }}
......@@ -91,16 +95,29 @@ spec:
envFrom:
- secretRef:
name: "{{ template "harbor.database" . }}"
env:
# put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
# more detail refer to https://github.com/goharbor/harbor-helm/issues/756
- name: PGDATA
value: "/var/lib/postgresql/data/pgdata"
{{- with .Values.database.internal.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: {{ $database.subPath }}
{{- if not .Values.persistence.enabled }}
- name: shm-volume
mountPath: /dev/shm
volumes:
- name: shm-volume
emptyDir:
medium: Memory
sizeLimit: {{ .Values.database.internal.shmSizeLimit }}
{{- if not .Values.persistence.enabled }}
- name: "database-data"
emptyDir: {}
{{- else if $database.existingClaim }}
volumes:
- name: "database-data"
persistentVolumeClaim:
claimName: {{ $database.existingClaim }}
......@@ -117,12 +134,19 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.database.internal.priorityClassName }}
priorityClassName: {{ .Values.database.internal.priorityClassName }}
{{- end }}
{{- if and .Values.persistence.enabled (not $database.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: "database-data"
labels:
{{ include "harbor.labels" . | indent 8 }}
{{ include "harbor.legacy.labels" . | indent 8 }}
annotations:
{{- range $key, $value := $database.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
accessModes: [{{ $database.accessMode | quote }}]
{{- if $database.storageClass }}
......
templates/database/database-svc.yaml
View file @ d68116b6
......@@ -3,6 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.database" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
......
templates/exporter/exporter-cm-env.yaml 0 → 100644
View file @ d68116b6
{{- if .Values.metrics.enabled}}
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.exporter" . }}-env"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
{{- if has "jobservice" .Values.proxy.components }}
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
NO_PROXY: "{{ template "harbor.noProxy" . }}"
{{- end }}
LOG_LEVEL: "{{ .Values.logLevel }}"
HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}"
HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}"
HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}"
HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}"
HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}"
HARBOR_METRIC_NAMESPACE: harbor
HARBOR_METRIC_SUBSYSTEM: exporter
HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}"
HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace
HARBOR_REDIS_TIMEOUT: "3600"
HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}"
HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}"
HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}"
HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}"
HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}"
HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}"
HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}"
HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
{{- end}}
templates/exporter/exporter-dpl.yaml 0 → 100644
View file @ d68116b6
{{- if .Values.metrics.enabled}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "harbor.exporter" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: exporter
app.kubernetes.io/component: exporter
spec:
replicas: {{ .Values.exporter.replicas }}
revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: exporter
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: exporter
app.kubernetes.io/component: exporter
{{- if .Values.exporter.podLabels }}
{{ toYaml .Values.exporter.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/exporter/exporter-cm-env.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/exporter/exporter-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.exporter.podAnnotations }}
{{ toYaml .Values.exporter.podAnnotations | indent 8 }}
{{- end }}
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
{{- if .Values.exporter.serviceAccountName }}
serviceAccountName: {{ .Values.exporter.serviceAccountName }}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }}
{{- with .Values.exporter.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: exporter
{{- end }}
{{- end }}
containers:
- name: exporter
image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /
port: {{ .Values.metrics.exporter.port }}
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: {{ .Values.metrics.exporter.port }}
initialDelaySeconds: 30
periodSeconds: 10
args: ["-log-level", "{{ .Values.logLevel }}"]
envFrom:
- configMapRef:
name: "{{ template "harbor.exporter" . }}-env"
- secretRef:
name: "{{ template "harbor.exporter" . }}"
env:
{{- if .Values.database.external.existingSecret }}
- name: HARBOR_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
{{- end }}
{{- if .Values.existingSecretAdminPassword }}
- name: HARBOR_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecretAdminPassword }}
key: {{ .Values.existingSecretAdminPasswordKey }}
{{- end }}
{{- if .Values.exporter.resources }}
resources:
{{ toYaml .Values.exporter.resources | indent 10 }}
{{- end }}
{{- with .Values.exporter.extraEnvVars }}
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
ports:
- containerPort: {{ .Values.metrics.exporter.port }}
volumeMounts:
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: core-internal-certs
mountPath: /etc/harbor/ssl/core
# There are some metric data are collectd from harbor core.
# When internal TLS is enabled, the Exporter need the CA file to collect these data.
{{- end }}
volumes:
- name: config
secret:
secretName: "{{ template "harbor.exporter" . }}"
{{- if .Values.internalTLS.enabled }}
- name: core-internal-certs
secret:
secretName: {{ template "harbor.internalTLS.core.secretName" . }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 6 }}
{{- end }}
{{- with .Values.exporter.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.exporter.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.exporter.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.exporter.priorityClassName }}
priorityClassName: {{ .Values.exporter.priorityClassName }}
{{- end }}
{{ end }}
templates/exporter/exporter-secret.yaml 0 → 100644
View file @ d68116b6
{{- if .Values.metrics.enabled}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.exporter" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if not .Values.existingSecretAdminPassword }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
{{- end }}
{{- if not .Values.database.external.existingSecret }}
HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end }}
{{- end }}
templates/clair/clair-svc.yaml templates/exporter/exporter-svc.yaml
View file @ d68116b6
{{ if .Values.clair.enabled }}
{{- if .Values.metrics.enabled}}
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.clair" . }}"
name: "{{ template "harbor.exporter" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- name: adapter
port: {{ include "harbor.clairAdapter.servicePort" . }}
- name: {{ template "harbor.metricsPortName" . }}
port: {{ .Values.metrics.exporter.port }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: clair
component: exporter
{{ end }}
templates/ingress/ingress.yaml
View file @ d68116b6
......@@ -2,43 +2,45 @@
{{- $ingress := .Values.expose.ingress -}}
{{- $tls := .Values.expose.tls -}}
{{- if eq .Values.expose.ingress.controller "gce" }}
{{- $_ := set . "path_type" "ImplementationSpecific" -}}
{{- $_ := set . "portal_path" "/*" -}}
{{- $_ := set . "api_path" "/api/*" -}}
{{- $_ := set . "service_path" "/service/*" -}}
{{- $_ := set . "v2_path" "/v2/*" -}}
{{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
{{- $_ := set . "controller_path" "/c/*" -}}
{{- $_ := set . "notary_path" "/" -}}
{{- else if eq .Values.expose.ingress.controller "ncp" }}
{{- $_ := set . "path_type" "Prefix" -}}
{{- $_ := set . "portal_path" "/.*" -}}
{{- $_ := set . "api_path" "/api/.*" -}}
{{- $_ := set . "service_path" "/service/.*" -}}
{{- $_ := set . "v2_path" "/v2/.*" -}}
{{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
{{- $_ := set . "controller_path" "/c/.*" -}}
{{- $_ := set . "notary_path" "/.*" -}}
{{- else }}
{{- $_ := set . "path_type" "Prefix" -}}
{{- $_ := set . "portal_path" "/" -}}
{{- $_ := set . "api_path" "/api" -}}
{{- $_ := set . "service_path" "/service" -}}
{{- $_ := set . "v2_path" "/v2" -}}
{{- $_ := set . "chartrepo_path" "/chartrepo" -}}
{{- $_ := set . "controller_path" "/c" -}}
{{- $_ := set . "notary_path" "/" -}}
{{- $_ := set . "api_path" "/api/" -}}
{{- $_ := set . "service_path" "/service/" -}}
{{- $_ := set . "v2_path" "/v2/" -}}
{{- $_ := set . "controller_path" "/c/" -}}
{{- end }}
---
{{- if not (.Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1") -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }}
apiVersion: extensions/v1beta1
{{- else }}
{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: networking.k8s.io/v1
{{- end }}
kind: Ingress
metadata:
name: "{{ template "harbor.ingress" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if $ingress.labels }}
{{ toYaml $ingress.labels | indent 4 }}
{{- end }}
annotations:
{{ toYaml $ingress.annotations | indent 4 }}
{{- if .Values.internalTLS.enabled }}
......@@ -51,21 +53,21 @@ metadata:
{{- end }}
{{- end }}
spec:
{{- if $ingress.className }}
ingressClassName: {{ $ingress.className }}
{{- end }}
{{- if $tls.enabled }}
tls:
- secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
{{- if $ingress.hosts.core }}
hosts:
- {{ $ingress.hosts.core }}.{{ $.Values.global.host }}
- {{ $ingress.hosts.core }}
{{- end }}
{{- end }}
rules:
- http:
paths:
- path: {{ .portal_path }}
backend:
serviceName: {{ template "harbor.portal" . }}
servicePort: {{ template "harbor.portal.servicePort" . }}
{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
- path: {{ .api_path }}
backend:
serviceName: {{ template "harbor.core" . }}
......@@ -78,58 +80,53 @@ spec:
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: {{ template "harbor.core.servicePort" . }}
- path: {{ .chartrepo_path }}
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: {{ template "harbor.core.servicePort" . }}
- path: {{ .controller_path }}
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: {{ template "harbor.core.servicePort" . }}
{{- if $ingress.hosts.core }}
host: {{ $ingress.hosts.core }}.{{ $.Values.global.host }}
{{- end }}
{{- if .Values.notary.enabled }}
---
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: extensions/v1beta1
- path: {{ .portal_path }}
backend:
serviceName: {{ template "harbor.portal" . }}
servicePort: {{ template "harbor.portal.servicePort" . }}
{{- else }}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: "{{ template "harbor.ingress-notary" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
annotations:
{{ toYaml $ingress.annotations | indent 4 }}
{{- if eq .Values.expose.ingress.controller "ncp" }}
ncp/use-regex: "true"
{{- if $tls.enabled }}
ncp/http-redirect: "true"
{{- end }}
{{- end }}
spec:
{{- if $tls.enabled }}
tls:
- secretName: {{ template "harbor.tlsNotarySecretForIngress" . }}
{{- if $ingress.hosts.notary }}
hosts:
- {{ $ingress.hosts.notary }}.{{ $.Values.global.host }}
{{- end }}
{{- end }}
rules:
- http:
paths:
- path: {{ .notary_path }}
- path: {{ .api_path }}
pathType: {{ .path_type }}
backend:
serviceName: {{ template "harbor.notary-server" . }}
servicePort: 4443
{{- if $ingress.hosts.notary }}
host: {{ $ingress.hosts.notary }}.{{ $.Values.global.host }}
{{- end }}
service:
name: {{ template "harbor.core" . }}
port:
number: {{ template "harbor.core.servicePort" . }}
- path: {{ .service_path }}
pathType: {{ .path_type }}
backend:
service:
name: {{ template "harbor.core" . }}
port:
number: {{ template "harbor.core.servicePort" . }}
- path: {{ .v2_path }}
pathType: {{ .path_type }}
backend:
service:
name: {{ template "harbor.core" . }}
port:
number: {{ template "harbor.core.servicePort" . }}
- path: {{ .controller_path }}
pathType: {{ .path_type }}
backend:
service:
name: {{ template "harbor.core" . }}
port:
number: {{ template "harbor.core.servicePort" . }}
- path: {{ .portal_path }}
pathType: {{ .path_type }}
backend:
service:
name: {{ template "harbor.portal" . }}
port:
number: {{ template "harbor.portal.servicePort" . }}
{{- end }}
{{- if $ingress.hosts.core }}
host: {{ $ingress.hosts.core }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
templates/ingress/secret.yaml
View file @ d68116b6
{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
{{- $ca := genCA "harbor-ca" 365 }}
{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }}
{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.ingress" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......
templates/internal/auto-tls.yaml
View file @ d68116b6
......@@ -14,6 +14,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......@@ -27,6 +28,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......@@ -40,6 +42,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......@@ -53,6 +56,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......@@ -61,40 +65,6 @@ data:
tls.crt: {{ $portalCrt.Cert | b64enc | quote }}
tls.key: {{ $portalCrt.Key | b64enc | quote }}
{{- if .Values.chartmuseum.enabled }}
---
{{- $chartCN := (include "harbor.chartmuseum" .) }}
{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $chartCrt.Cert | b64enc | quote }}
tls.key: {{ $chartCrt.Key | b64enc | quote }}
{{- end }}
{{- if .Values.clair.enabled }}
---
{{- $clairCN := (include "harbor.clair" .) }}
{{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.clair.secretName" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $clairCrt.Cert | b64enc | quote }}
tls.key: {{ $clairCrt.Key | b64enc | quote }}
{{- end }}
{{- if and .Values.trivy.enabled}}
---
{{- $trivyCN := (include "harbor.trivy" .) }}
......@@ -103,6 +73,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......
templates/jobservice/jobservice-cm-env.yaml
View file @ d68116b6
......@@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.jobservice" . }}-env"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
......@@ -10,8 +11,27 @@ data:
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}"
JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}"
LOG_LEVEL: "{{ .Values.logLevel }}"
{{- if has "jobservice" .Values.proxy.components }}
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
NO_PROXY: "{{ template "harbor.noProxy" . }}"
{{- end }}
{{- if .Values.metrics.enabled}}
METRIC_NAMESPACE: harbor
METRIC_SUBSYSTEM: jobservice
{{- end }}
{{- template "harbor.traceEnvsForJobservice" . }}
{{- if .Values.cache.enabled }}
_REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
CACHE_ENABLED: "true"
CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
{{- end }}
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
_REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
{{- end }}
templates/jobservice/jobservice-cm.yaml
View file @ d68116b6
......@@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.jobservice" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
......@@ -22,25 +23,36 @@ data:
namespace: "harbor_job_service_namespace"
idle_timeout_second: 3600
job_loggers:
{{- if eq .Values.jobservice.jobLogger "file" }}
{{- if has "file" .Values.jobservice.jobLoggers }}
- name: "FILE"
level: {{ .Values.logLevel | upper }}
settings: # Customized settings of logger
base_dir: "/var/log/jobs"
sweeper:
duration: 14 #days
duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
settings: # Customized settings of sweeper
work_dir: "/var/log/jobs"
{{- else if eq .Values.jobservice.jobLogger "database" }}
{{- end }}
{{- if has "database" .Values.jobservice.jobLoggers }}
- name: "DB"
level: {{ .Values.logLevel | upper }}
sweeper:
duration: 14 #days
{{- else }}
duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
{{- end }}
{{- if has "stdout" .Values.jobservice.jobLoggers }}
- name: "STD_OUTPUT"
level: {{ .Values.logLevel | upper }}
{{- end }}
metric:
enabled: {{ .Values.metrics.enabled }}
path: {{ .Values.metrics.jobservice.path }}
port: {{ .Values.metrics.jobservice.port }}
#Loggers for the job service
loggers:
- name: "STD_OUTPUT"
level: {{ .Values.logLevel | upper }}
reaper:
# the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }}
# the max time for execution in running state without new task created
max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }}
templates/jobservice/jobservice-dpl.yaml
View file @ d68116b6
......@@ -2,11 +2,14 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: "{{ template "harbor.jobservice" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: jobservice
app.kubernetes.io/component: jobservice
spec:
replicas: {{ .Values.jobservice.replicas }}
revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }}
strategy:
type: {{ .Values.updateStrategy.type }}
{{- if eq .Values.updateStrategy.type "Recreate" }}
......@@ -21,6 +24,10 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: jobservice
app.kubernetes.io/component: jobservice
{{- if .Values.jobservice.podLabels }}
{{ toYaml .Values.jobservice.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }}
......@@ -35,11 +42,8 @@ spec:
{{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsUser: 10000
fsGroup: 10000
{{- if .Values.jobservice.serviceAccountName }}
serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
......@@ -48,14 +52,26 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
{{- with .Values.jobservice.topologySpreadConstraints}}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: jobservice
{{- end }}
{{- end }}
{{- with .Values.jobservice.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: jobservice
{{- if contains "/" .Values.jobservice.image.repository }}
image: "{{ .Values.jobservice.image.repository }}"
{{- else }}
image: "{{ .Values.jobservice.image.hub | default .Values.global.hub }}/{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /api/v1/stats
......@@ -78,8 +94,15 @@ spec:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
{{- if .Values.jobservice.existingSecret }}
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
......@@ -90,6 +113,19 @@ spec:
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/jobservice/ca.crt
{{- end }}
{{- if .Values.registry.credentials.existingSecret }}
- name: REGISTRY_CREDENTIAL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.registry.credentials.existingSecret }}
key: REGISTRY_PASSWD
{{- end }}
{{- with .Values.jobservice.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
envFrom:
- configMapRef:
name: "{{ template "harbor.jobservice" . }}-env"
......@@ -103,7 +139,7 @@ spec:
subPath: config.yml
- name: job-logs
mountPath: /var/log/jobs
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }}
{{- if .Values.internalTLS.enabled }}
- name: jobservice-internal-certs
mountPath: /etc/harbor/ssl/jobservice
......@@ -116,9 +152,9 @@ spec:
configMap:
name: "{{ template "harbor.jobservice" . }}"
- name: job-logs
{{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }}
{{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }}
claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }}
{{- else }}
emptyDir: {}
{{- end }}
......@@ -142,3 +178,6 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.jobservice.priorityClassName }}
priorityClassName: {{ .Values.jobservice.priorityClassName }}
{{- end }}
templates/jobservice/jobservice-pvc.yaml
View file @ d68116b6
{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}}
{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }}
{{- if eq .Values.jobservice.jobLogger "file" }}
{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}}
{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "harbor.jobservice" . }}
{{- if eq .Values.persistence.resourcePolicy "keep" }}
namespace: {{ .Release.Namespace | quote }}
annotations:
{{- range $key, $value := $jobLog.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if eq .Values.persistence.resourcePolicy "keep" }}
helm.sh/resource-policy: keep
{{- end }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: jobservice
app.kubernetes.io/component: jobservice
spec:
accessModes:
- {{ $jobservice.accessMode }}
- {{ $jobLog.accessMode }}
resources:
requests:
storage: {{ $jobservice.size }}
{{- if $jobservice.storageClass }}
{{- if eq "-" $jobservice.storageClass }}
storage: {{ $jobLog.size }}
{{- if $jobLog.storageClass }}
{{- if eq "-" $jobLog.storageClass }}
storageClassName: ""
{{- else }}
storageClassName: {{ $jobservice.storageClass }}
storageClassName: {{ $jobLog.storageClass }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
templates/jobservice/jobservice-secrets.yaml
View file @ d68116b6
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.jobservice" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- if not .Values.jobservice.existingSecret }}
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
{{- end }}
{{- template "harbor.traceJaegerPassword" . }}
templates/jobservice/jobservice-svc.yaml
View file @ d68116b6
......@@ -2,12 +2,18 @@ apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.jobservice" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: {{ template "harbor.jobservice.servicePort" . }}
- name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }}
port: {{ template "harbor.jobservice.servicePort" . }}
targetPort: {{ template "harbor.jobservice.containerPort" . }}
{{- if .Values.metrics.enabled }}
- name: {{ template "harbor.metricsPortName" . }}
port: {{ .Values.metrics.jobservice.port }}
{{- end }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: jobservice
templates/jobservice/jobservice-tls.yaml
View file @ d68116b6
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......
templates/metrics/metrics-svcmon.yaml 0 → 100644
View file @ d68116b6
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "harbor.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "harbor.labels" . | nindent 4 }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
spec:
jobLabel: app.kubernetes.io/name
endpoints:
- port: {{ template "harbor.metricsPortName" . }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
honorLabels: true
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings:
{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }}
{{- end }}
selector:
matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }}
{{- end }}
templates/nginx/configmap-http.yaml
View file @ d68116b6
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.nginx" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
......@@ -12,7 +13,7 @@ data:
pid /tmp/nginx.pid;
events {
worker_connections 1024;
worker_connections 3096;
use epoll;
multi_accept on;
}
......@@ -43,8 +44,18 @@ data:
access_log /dev/stdout timed_combined;
map $http_x_forwarded_proto $x_forwarded_proto {
default $http_x_forwarded_proto;
"" $scheme;
}
server {
{{- if .Values.ipFamily.ipv4.enabled}}
listen 8080;
{{- end}}
{{- if .Values.ipFamily.ipv6.enabled }}
listen [::]:8080;
{{- end }}
server_tokens off;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
......@@ -58,9 +69,7 @@ data:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
......@@ -75,26 +84,7 @@ data:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /chartrepo/ {
proxy_pass {{ $scheme }}://core/chartrepo/;
{{- if and .Values.internalTLS.enabled }}
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
{{- end }}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
......@@ -105,9 +95,7 @@ data:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
......@@ -122,11 +110,11 @@ data:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
proxy_send_timeout 900;
proxy_read_timeout 900;
}
location /service/ {
......@@ -134,9 +122,7 @@ data:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
......
templates/nginx/configmap-https.yaml
View file @ d68116b6
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.nginx" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
......@@ -12,7 +13,7 @@ data:
pid /tmp/nginx.pid;
events {
worker_connections 1024;
worker_connections 3096;
use epoll;
multi_accept on;
}
......@@ -36,12 +37,6 @@ data:
server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}";
}
{{- if .Values.notary.enabled }}
upstream notary-server {
server {{ template "harbor.notary-server" . }}:4443;
}
{{- end }}
log_format timed_combined '[$time_local]:$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
......@@ -49,43 +44,18 @@ data:
access_log /dev/stdout timed_combined;
{{- if .Values.notary.enabled }}
server {
listen 4443 ssl;
server_tokens off;
# ssl
ssl_certificate /etc/nginx/cert/tls.crt;
ssl_certificate_key /etc/nginx/cert/tls.key;
# recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
ssl_protocols tlsv1.1 tlsv1.2;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:ssl:10m;
# disable any limits to avoid http 413 for large image uploads
client_max_body_size 0;
# required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
proxy_pass http://notary-server/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
map $http_x_forwarded_proto $x_forwarded_proto {
default $http_x_forwarded_proto;
"" $scheme;
}
{{- end }}
server {
{{- if .Values.ipFamily.ipv4.enabled }}
listen 8443 ssl;
{{- end}}
{{- if .Values.ipFamily.ipv6.enabled }}
listen [::]:8443 ssl;
{{- end }}
# server_name harbordomain.com;
server_tokens off;
# SSL
......@@ -93,8 +63,12 @@ data:
ssl_certificate_key /etc/nginx/cert/tls.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
{{- if .Values.internalTLS.strong_ssl_ciphers }}
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
{{ else }}
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
{{- end }}
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
......@@ -114,9 +88,7 @@ data:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; HttpOnly; Secure";
......@@ -133,28 +105,7 @@ data:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /chartrepo/ {
proxy_pass {{ $scheme }}://core/chartrepo/;
{{- if and .Values.internalTLS.enabled }}
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
{{- end }}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
......@@ -167,9 +118,7 @@ data:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
......@@ -186,9 +135,7 @@ data:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
}
......@@ -198,9 +145,7 @@ data:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
......@@ -213,7 +158,12 @@ data:
}
}
server {
{{- if .Values.ipFamily.ipv4.enabled }}
listen 8080;
{{- end}}
{{- if .Values.ipFamily.ipv6.enabled }}
listen [::]:8080;
{{- end}}
#server_name harbordomain.com;
return 301 https://$host$request_uri;
}
......
templates/nginx/deployment.yaml
View file @ d68116b6
......@@ -3,11 +3,14 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "harbor.nginx" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: nginx
app.kubernetes.io/component: nginx
spec:
replicas: {{ .Values.nginx.replicas }}
revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
......@@ -17,6 +20,10 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: nginx
app.kubernetes.io/component: nginx
{{- if .Values.nginx.podLabels }}
{{ toYaml .Values.nginx.podLabels | indent 8 }}
{{- end }}
annotations:
{{- if not .Values.expose.tls.enabled }}
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }}
......@@ -30,27 +37,31 @@ spec:
{{ toYaml .Values.nginx.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.nginx.serviceAccountName }}
serviceAccountName: {{ .Values.nginx.serviceAccountName }}
{{- end }}
securityContext:
runAsUser: 10000
fsGroup: 10000
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }}
{{- with .Values.nginx.topologySpreadConstraints}}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: nginx
{{- end }}
{{- end }}
containers:
- name: nginx
{{- if contains "/" .Values.nginx.image.repository }}
image: "{{ .Values.nginx.image.repository }}"
{{- else }}
image: "{{ .Values.nginx.image.hub | default .Values.global.hub }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
{{- $_ := set . "scheme" "HTTP" -}}
{{- $_ := set . "port" "8080" -}}
{{- if .Values.expose.tls.enabled }}
......@@ -75,10 +86,18 @@ spec:
resources:
{{ toYaml .Values.nginx.resources | indent 10 }}
{{- end }}
{{- with .Values.nginx.extraEnvVars }}
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
ports:
- containerPort: 8080
{{- if .Values.expose.tls.enabled }}
- containerPort: 8443
- containerPort: 4443
{{- end }}
volumeMounts:
- name: config
mountPath: /etc/nginx/nginx.conf
......@@ -108,4 +127,7 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.nginx.priorityClassName }}
priorityClassName: {{ .Values.nginx.priorityClassName }}
{{- end }}
{{- end }}
templates/nginx/secret.yaml
View file @ d68116b6
......@@ -5,6 +5,7 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.nginx" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
......
templates/nginx/service.yaml
View file @ d68116b6
......@@ -5,10 +5,21 @@ metadata:
{{- if eq .Values.expose.type "clusterIP" }}
{{- $clusterIP := .Values.expose.clusterIP }}
name: {{ $clusterIP.name }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if .Values.expose.clusterIP.labels }}
{{ toYaml $clusterIP.labels | indent 4 }}
{{- end }}
{{- with $clusterIP.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
{{- if .Values.expose.clusterIP.staticClusterIP }}
clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }}
{{- end }}
ports:
- name: http
port: {{ $clusterIP.ports.httpPort }}
......@@ -18,16 +29,18 @@ spec:
port: {{ $clusterIP.ports.httpsPort }}
targetPort: 8443
{{- end }}
{{- if .Values.notary.enabled }}
- name: notary
port: {{ $clusterIP.ports.notaryPort }}
targetPort: 4443
{{- end }}
{{- else if eq .Values.expose.type "nodePort" }}
{{- $nodePort := .Values.expose.nodePort }}
name: {{ $nodePort.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if .Values.expose.nodePort.labels }}
{{ toYaml $nodePort.labels | indent 4 }}
{{- end }}
{{- with $nodePort.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: NodePort
ports:
......@@ -45,19 +58,14 @@ spec:
nodePort: {{ $nodePort.ports.https.nodePort }}
{{- end }}
{{- end }}
{{- if .Values.notary.enabled }}
- name: notary
port: {{ $nodePort.ports.notary.port }}
targetPort: 4443
{{- if $nodePort.ports.notary.nodePort }}
nodePort: {{ $nodePort.ports.notary.nodePort }}
{{- end }}
{{- end }}
{{- else if eq .Values.expose.type "loadBalancer" }}
{{- $loadBalancer := .Values.expose.loadBalancer }}
name: {{ $loadBalancer.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if .Values.expose.loadBalancer.labels }}
{{ toYaml $loadBalancer.labels | indent 4 }}
{{- end }}
{{- with $loadBalancer.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
......@@ -80,11 +88,6 @@ spec:
port: {{ $loadBalancer.ports.httpsPort }}
targetPort: 8443
{{- end }}
{{- if .Values.notary.enabled }}
- name: notary
port: {{ $loadBalancer.ports.notaryPort }}
targetPort: 4443
{{- end }}
{{- end }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
......
templates/notary/notary-secret.yaml deleted 100644 → 0
View file @ 2133e634
{{- if and .Values.notary.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.notary-server" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: notary
type: Opaque
data:
{{- if not .Values.notary.secretName }}
{{- $ca := genCA "harbor-notary-ca" 365 }}
{{- $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
{{- end }}
server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }}
signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }}
{{- end }}
templates/notary/notary-server.yaml deleted 100644 → 0
View file @ 2133e634
{{ if .Values.notary.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "harbor.notary-server" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: notary-server
spec:
replicas: {{ .Values.notary.server.replicas }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: notary-server
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: notary-server
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.notary.podAnnotations }}
{{ toYaml .Values.notary.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
fsGroup: 10000
{{- if .Values.notary.server.serviceAccountName }}
serviceAccountName: {{ .Values.notary.server.serviceAccountName }}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: notary-server
{{- if contains "/" .Values.notary.server.image.repository }}
image: "{{ .Values.notary.server.image.repository }}"
{{- else }}
image: "{{ .Values.notary.server.image.hub | default .Values.global.hub }}/{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
{{- if .Values.notary.server.resources }}
resources:
{{ toYaml .Values.notary.server.resources | indent 10 }}
{{- end }}
env:
- name: MIGRATIONS_PATH
value: migrations/server/postgresql
- name: DB_URL
value: {{ template "harbor.database.notaryServer" . }}
volumeMounts:
- name: config
mountPath: /etc/notary/server-config.postgres.json
subPath: server.json
- name: token-service-certificate
mountPath: /root.crt
subPath: tls.crt
- name: signer-certificate
mountPath: /etc/ssl/notary/ca.crt
subPath: ca.crt
volumes:
- name: config
secret:
secretName: "{{ template "harbor.notary-server" . }}"
- name: token-service-certificate
secret:
{{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }}
{{- end }}
- name: signer-certificate
secret:
{{- if .Values.notary.secretName }}
secretName: {{ .Values.notary.secretName }}
{{- else }}
secretName: {{ template "harbor.notary-server" . }}
{{- end }}
{{- with .Values.notary.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{ end }}
templates/notary/notary-signer.yaml deleted 100644 → 0
View file @ 2133e634
{{ if .Values.notary.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "harbor.notary-signer" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: notary-signer
spec:
replicas: {{ .Values.notary.signer.replicas }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: notary-signer
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: notary-signer
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }}
spec:
securityContext:
fsGroup: 10000
{{- if .Values.notary.signer.serviceAccountName }}
serviceAccountName: {{ .Values.notary.signer.serviceAccountName }}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: notary-signer
{{- if contains "/" .Values.notary.signer.image.repository }}
image: "{{ .Values.notary.signer.image.repository }}"
{{- else }}
image: "{{ .Values.notary.signer.image.hub | default .Values.global.hub }}/{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
{{- if .Values.notary.signer.resources }}
resources:
{{ toYaml .Values.notary.signer.resources | indent 10 }}
{{- end }}
env:
- name: MIGRATIONS_PATH
value: migrations/signer/postgresql
- name: DB_URL
value: {{ template "harbor.database.notarySigner" . }}
- name: NOTARY_SIGNER_DEFAULTALIAS
value: defaultalias
volumeMounts:
- name: config
mountPath: /etc/notary/signer-config.postgres.json
subPath: signer.json
- name: signer-certificate
mountPath: /etc/ssl/notary/tls.crt
subPath: tls.crt
- name: signer-certificate
mountPath: /etc/ssl/notary/tls.key
subPath: tls.key
volumes:
- name: config
secret:
secretName: "{{ template "harbor.notary-server" . }}"
- name: signer-certificate
secret:
{{- if .Values.notary.secretName }}
secretName: {{ .Values.notary.secretName }}
{{- else }}
secretName: {{ template "harbor.notary-server" . }}
{{- end }}
{{- with .Values.notary.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{ end }}
templates/notary/notary-svc.yaml deleted 100644 → 0
View file @ 2133e634
{{ if .Values.notary.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "harbor.notary-server" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports:
- port: 4443
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: notary-server
---
apiVersion: v1
kind: Service
metadata:
name: {{ template "harbor.notary-signer" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 7899
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: notary-signer
{{ end }}
\ No newline at end of file
templates/portal/configmap.yaml
View file @ d68116b6
......@@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.portal" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
......@@ -19,18 +20,32 @@ data:
scgi_temp_path /tmp/scgi_temp;
server {
{{- if .Values.internalTLS.enabled }}
{{- if .Values.ipFamily.ipv4.enabled}}
listen {{ template "harbor.portal.containerPort" . }} ssl;
{{- end }}
{{- if .Values.ipFamily.ipv6.enabled}}
listen [::]:{{ template "harbor.portal.containerPort" . }} ssl;
{{- end }}
# SSL
ssl_certificate /etc/harbor/ssl/portal/tls.crt;
ssl_certificate_key /etc/harbor/ssl/portal/tls.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
{{- if .Values.internalTLS.strong_ssl_ciphers }}
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
{{ else }}
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
{{- end }}
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
{{- else }}
{{- if .Values.ipFamily.ipv4.enabled }}
listen {{ template "harbor.portal.containerPort" . }};
{{- end }}
{{- if .Values.ipFamily.ipv6.enabled}}
listen [::]:{{ template "harbor.portal.containerPort" . }};
{{- end }}
{{- end }}
server_name localhost;
root /usr/share/nginx/html;
......@@ -40,6 +55,9 @@ data:
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location /devcenter-api-2.0 {
try_files $uri $uri/ /swagger-ui-index.html;
}
location / {
try_files $uri $uri/ /index.html;
}
......
templates/portal/deployment.yaml
View file @ d68116b6
......@@ -2,11 +2,14 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: "{{ template "harbor.portal" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: portal
app.kubernetes.io/component: portal
spec:
replicas: {{ .Values.portal.replicas }}
revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
......@@ -16,20 +19,24 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: portal
app.kubernetes.io/component: portal
{{- if .Values.portal.podLabels }}
{{ toYaml .Values.portal.podLabels | indent 8 }}
{{- end }}
annotations:
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }}
{{- end }}
checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }}
{{- if .Values.portal.podAnnotations }}
{{ toYaml .Values.portal.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsUser: 10000
fsGroup: 10000
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
......@@ -37,18 +44,36 @@ spec:
{{- if .Values.portal.serviceAccountName }}
serviceAccountName: {{ .Values.portal.serviceAccountName }}
{{- end }}
automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }}
{{- with .Values.portal.topologySpreadConstraints}}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: portal
{{- end }}
{{- end }}
{{- with .Values.portal.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: portal
{{- if contains "/" .Values.portal.image.repository }}
image: "{{ .Values.portal.image.repository }}"
{{- else }}
image: "{{ .Values.portal.image.hub | default .Values.global.hub }}/{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.portal.resources }}
resources:
{{ toYaml .Values.portal.resources | indent 10 }}
{{- end }}
{{- with .Values.portal.extraEnvVars }}
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
livenessProbe:
httpGet:
path: /
......@@ -94,3 +119,6 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.portal.priorityClassName }}
priorityClassName: {{ .Values.portal.priorityClassName }}
{{- end }}
templates/portal/service.yaml
View file @ d68116b6
......@@ -2,9 +2,17 @@ apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.portal" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- with .Values.portal.serviceAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }}
type: NodePort
{{- end }}
ports:
- port: {{ template "harbor.portal.servicePort" . }}
targetPort: {{ template "harbor.portal.containerPort" . }}
......
templates/portal/tls.yaml
View file @ d68116b6
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......
templates/redis/service.yaml
View file @ d68116b6
......@@ -3,6 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "harbor.redis" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
......
templates/redis/statefulset.yaml
View file @ d68116b6
......@@ -4,9 +4,11 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "harbor.redis" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: redis
app.kubernetes.io/component: redis
spec:
replicas: 1
serviceName: {{ template "harbor.redis" . }}
......@@ -19,16 +21,17 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: redis
app.kubernetes.io/component: redis
{{- if .Values.redis.podLabels }}
{{ toYaml .Values.redis.podLabels | indent 8 }}
{{- end }}
{{- if .Values.redis.podAnnotations }}
annotations:
{{ toYaml .Values.redis.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsUser: 999
fsGroup: 999
{{- if .Values.redis.internal.serviceAccountName }}
serviceAccountName: {{ .Values.redis.internal.serviceAccountName }}
......@@ -37,14 +40,19 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
{{- with .Values.redis.internal.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: redis
{{- if contains "/" .Values.redis.internal.image.repository }}
image: "{{ .Values.redis.internal.image.repository }}"
{{- else }}
image: "{{ .Values.redis.internal.image.hub | default .Values.global.hub }}/{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
livenessProbe:
tcpSocket:
port: 6379
......@@ -58,6 +66,10 @@ spec:
{{- if .Values.redis.internal.resources }}
resources:
{{ toYaml .Values.redis.internal.resources | indent 10 }}
{{- end }}
{{- with .Values.redis.internal.extraEnvVars }}
env:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- name: data
......@@ -85,12 +97,19 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.redis.internal.priorityClassName }}
priorityClassName: {{ .Values.redis.internal.priorityClassName }}
{{- end }}
{{- if and .Values.persistence.enabled (not $redis.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: data
labels:
{{ include "harbor.labels" . | indent 8 }}
{{ include "harbor.legacy.labels" . | indent 8 }}
annotations:
{{- range $key, $value := $redis.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
accessModes: [{{ $redis.accessMode | quote }}]
{{- if $redis.storageClass }}
......
templates/registry/registry-cm.yaml
View file @ d68116b6
......@@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.registry" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
......@@ -36,7 +37,9 @@ data:
{{- else if eq $type "gcs" }}
gcs:
bucket: {{ $storage.gcs.bucket }}
{{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }}
keyfile: /etc/registry/gcs-key.json
{{- end }}
{{- if $storage.gcs.rootdirectory }}
rootdirectory: {{ $storage.gcs.rootdirectory }}
{{- end }}
......@@ -133,7 +136,7 @@ data:
region: {{ $storage.oss.region }}
bucket: {{ $storage.oss.bucket }}
{{- if $storage.oss.endpoint }}
endpoint: {{ $storage.oss.endpoint }}
endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }}
{{- end }}
{{- if $storage.oss.internal }}
internal: {{ $storage.oss.internal }}
......@@ -155,7 +158,14 @@ data:
layerinfo: redis
maintenance:
uploadpurging:
{{- if .Values.registry.upload_purging.enabled }}
enabled: true
age: {{ .Values.registry.upload_purging.age }}
interval: {{ .Values.registry.upload_purging.interval }}
dryrun: {{ .Values.registry.upload_purging.dryrun }}
{{- else }}
enabled: false
{{- end }}
delete:
enabled: true
redirect:
......@@ -166,10 +176,17 @@ data:
sentinelMasterSet: {{ template "harbor.redis.masterSet" . }}
{{- end }}
db: {{ template "harbor.redis.dbForRegistry" . }}
{{- if not (eq (include "harbor.redis.password" .) "") }}
password: {{ template "harbor.redis.password" . }}
{{- end }}
readtimeout: 10s
writetimeout: 10s
dialtimeout: 10s
enableTLS: {{ template "harbor.redis.enableTLS" . }}
pool:
maxidle: 100
maxactive: 500
idletimeout: 60s
http:
addr: :{{ template "harbor.registry.containerPort" . }}
relativeurls: {{ .Values.registry.relativeurls }}
......@@ -182,7 +199,14 @@ data:
# set via environment variable
# secret: placeholder
debug:
{{- if .Values.metrics.enabled}}
addr: :{{ .Values.metrics.registry.port }}
prometheus:
enabled: true
path: {{ .Values.metrics.registry.path }}
{{- else }}
addr: localhost:5001
{{- end }}
auth:
htpasswd:
realm: harbor-registry-basic-realm
......
templates/registry/registry-dpl.yaml
View file @ d68116b6
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: "{{ template "harbor.registry" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: registry
app.kubernetes.io/component: registry
spec:
replicas: {{ .Values.registry.replicas }}
revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }}
strategy:
type: {{ .Values.updateStrategy.type }}
{{- if eq .Values.updateStrategy.type "Recreate" }}
......@@ -21,6 +26,10 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: registry
app.kubernetes.io/component: registry
{{- if .Values.registry.podLabels }}
{{ toYaml .Values.registry.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }}
......@@ -35,12 +44,10 @@ spec:
{{ toYaml .Values.registry.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsUser: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
{{- if .Values.registry.serviceAccountName }}
serviceAccountName: {{ .Values.registry.serviceAccountName }}
{{- end -}}
......@@ -48,14 +55,26 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
{{- with .Values.registry.topologySpreadConstraints}}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: registry
{{- end }}
{{- end }}
{{- with .Values.registry.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: registry
{{- if contains "/" .Values.registry.registry.image.repository }}
image: "{{ .Values.registry.registry.image.repository }}"
{{- else }}
image: "{{ .Values.registry.registry.image.hub | default .Values.global.hub }}/{{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /
......@@ -74,11 +93,24 @@ spec:
resources:
{{ toYaml .Values.registry.registry.resources | indent 10 }}
{{- end }}
args: ["serve", "/etc/registry/config.yml"]
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
envFrom:
- secretRef:
name: "{{ template "harbor.registry" . }}"
{{- if .Values.persistence.imageChartStorage.s3.existingSecret }}
- secretRef:
name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
{{- end }}
env:
{{- if .Values.registry.existingSecret }}
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.registry.existingSecret }}
key: {{ .Values.registry.existingSecretKey }}
{{- end }}
{{- if has "registry" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
......@@ -97,16 +129,57 @@ spec:
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/registry/ca.crt
{{- end }}
{{- if .Values.redis.external.existingSecret }}
- name: REGISTRY_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.redis.external.existingSecret }}
key: REDIS_PASSWORD
{{- end }}
{{- if .Values.persistence.imageChartStorage.azure.existingSecret }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
key: AZURE_STORAGE_ACCESS_KEY
{{- end }}
{{- if .Values.persistence.imageChartStorage.swift.existingSecret }}
- name: REGISTRY_STORAGE_SWIFT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
key: REGISTRY_STORAGE_SWIFT_PASSWORD
- name: REGISTRY_STORAGE_SWIFT_SECRETKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
key: REGISTRY_STORAGE_SWIFT_SECRETKEY
optional: true
- name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
key: REGISTRY_STORAGE_SWIFT_ACCESSKEY
optional: true
{{- end }}
{{- if .Values.persistence.imageChartStorage.oss.existingSecret }}
- name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }}
key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
optional: true
{{- end}}
{{- with .Values.registry.registry.extraEnvVars }}
{{- toYaml . | nindent 8 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.registry.containerPort" . }}
- containerPort: 5001
- containerPort: {{ ternary .Values.metrics.registry.port 5001 .Values.metrics.enabled }}
volumeMounts:
- name: registry-data
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
- name: registry-root-certificate
mountPath: /etc/registry/root.crt
subPath: tls.crt
- name: registry-htpasswd
mountPath: /etc/registry/passwd
subPath: passwd
......@@ -117,7 +190,7 @@ spec:
- name: registry-internal-certs
mountPath: /etc/harbor/ssl/registry
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
subPath: gcs-key.json
......@@ -138,12 +211,8 @@ spec:
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
{{- end }}
- name: registryctl
{{- if contains "/" .Values.registry.controller.image.repository }}
image: "{{ .Values.registry.controller.image.repository }}"
{{- else }}
image: "{{ .Values.registry.controller.image.hub | default .Values.global.hub }}/{{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /api/health
......@@ -162,20 +231,50 @@ spec:
resources:
{{ toYaml .Values.registry.controller.resources | indent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
envFrom:
- configMapRef:
name: "{{ template "harbor.registryCtl" . }}"
- secretRef:
name: "{{ template "harbor.registry" . }}"
- secretRef:
name: "{{ template "harbor.registryCtl" . }}"
{{- if .Values.persistence.imageChartStorage.s3.existingSecret }}
- secretRef:
name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
{{- end }}
env:
{{- if .Values.registry.existingSecret }}
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.registry.existingSecret }}
key: {{ .Values.registry.existingSecretKey }}
{{- end }}
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.jobservice" . }}
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
{{- if .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- else }}
key: JOBSERVICE_SECRET
{{- end }}
{{- if has "registry" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
- name: HTTPS_PROXY
value: "{{ .Values.proxy.httpsProxy }}"
- name: NO_PROXY
value: "{{ template "harbor.noProxy" . }}"
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
......@@ -186,6 +285,50 @@ spec:
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/registry/ca.crt
{{- end }}
{{- if .Values.redis.external.existingSecret }}
- name: REGISTRY_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.redis.external.existingSecret }}
key: REDIS_PASSWORD
{{- end }}
{{- if .Values.persistence.imageChartStorage.azure.existingSecret }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
key: AZURE_STORAGE_ACCESS_KEY
{{- end }}
{{- if .Values.persistence.imageChartStorage.swift.existingSecret }}
- name: REGISTRY_STORAGE_SWIFT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
key: REGISTRY_STORAGE_SWIFT_PASSWORD
- name: REGISTRY_STORAGE_SWIFT_SECRETKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
key: REGISTRY_STORAGE_SWIFT_SECRETKEY
optional: true
- name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
key: REGISTRY_STORAGE_SWIFT_ACCESSKEY
optional: true
{{- end }}
{{- if .Values.persistence.imageChartStorage.oss.existingSecret }}
- name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }}
key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
optional: true
{{- end}}
{{- with .Values.registry.controller.extraEnvVars }}
{{- toYaml . | nindent 8 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.registryctl.containerPort" . }}
volumeMounts:
......@@ -207,7 +350,7 @@ spec:
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
subPath: gcs-key.json
......@@ -218,17 +361,14 @@ spec:
volumes:
- name: registry-htpasswd
secret:
secretName: {{ template "harbor.registry" . }}
{{- if not .Values.registry.credentials.existingSecret }}
secretName: {{ template "harbor.registry" . }}-htpasswd
{{ else }}
secretName: {{ .Values.registry.credentials.existingSecret }}
{{- end }}
items:
- key: REGISTRY_HTPASSWD
path: passwd
- name: registry-root-certificate
secret:
{{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }}
{{- end }}
- name: registry-config
configMap:
name: "{{ template "harbor.registry" . }}"
......@@ -244,10 +384,14 @@ spec:
secret:
secretName: {{ template "harbor.internalTLS.registry.secretName" . }}
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
- name: gcs-key
secret:
{{- if and (eq $type "gcs") $storage.gcs.existingSecret }}
secretName: {{ $storage.gcs.existingSecret }}
{{- else }}
secretName: {{ template "harbor.registry" . }}
{{- end }}
items:
- key: GCS_KEY_DATA
path: gcs-key.json
......@@ -282,3 +426,6 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.registry.priorityClassName }}
priorityClassName: {{ .Values.registry.priorityClassName }}
{{- end }}
templates/registry/registry-pvc.yaml
View file @ d68116b6
......@@ -5,13 +5,18 @@ kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "harbor.registry" . }}
{{- if eq .Values.persistence.resourcePolicy "keep" }}
namespace: {{ .Release.Namespace | quote }}
annotations:
{{- range $key, $value := $registry.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if eq .Values.persistence.resourcePolicy "keep" }}
helm.sh/resource-policy: keep
{{- end }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: registry
app.kubernetes.io/component: registry
spec:
accessModes:
- {{ $registry.accessMode }}
......
templates/registry/registry-secret.yaml
View file @ d68116b6
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.registry" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }}
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }}
{{- if not .Values.registry.existingSecret }}
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.redis.external.existingSecret }}
REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
{{- end }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }}
{{- if eq $type "azure" }}
{{- if and (eq $type "azure") (not $storage.azure.existingSecret) }}
REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
{{- else if eq $type "gcs" }}
{{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }}
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
{{- else if eq $type "s3" }}
{{- if $storage.s3.accesskey }}
{{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }}
REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
{{- end }}
{{- if $storage.s3.secretkey }}
{{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }}
REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
{{- end }}
{{- else if eq $type "swift" }}
{{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }}
REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
{{- if $storage.swift.secretkey }}
REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
......@@ -30,6 +35,23 @@ data:
{{- if $storage.swift.accesskey }}
REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
{{- end }}
{{- else if eq $type "oss" }}
{{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }}
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.registry" . }}-htpasswd"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if .Values.registry.credentials.htpasswdString }}
REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }}
{{- else }}
REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }}
{{- end }}
{{- end }}
templates/registry/registry-svc.yaml
View file @ d68116b6
......@@ -2,14 +2,20 @@ apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.registry" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- name: registry
- name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }}
port: {{ template "harbor.registry.servicePort" . }}
- name: controller
- name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }}
port: {{ template "harbor.registryctl.servicePort" . }}
{{- if .Values.metrics.enabled}}
- name: {{ template "harbor.metricsPortName" . }}
port: {{ .Values.metrics.registry.port }}
{{- end }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: registry
templates/registry/registry-tls.yaml
View file @ d68116b6
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......
templates/registry/registryctl-cm.yaml 0 → 100644
View file @ d68116b6
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.registryCtl" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
{{- template "harbor.traceEnvsForRegistryCtl" . }}
templates/registry/registryctl-secret.yaml 0 → 100644
View file @ d68116b6
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.registryCtl" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- template "harbor.traceJaegerPassword" . }}
templates/trivy/trivy-secret.yaml
View file @ d68116b6
......@@ -3,6 +3,7 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.trivy" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
......
templates/trivy/trivy-sts.yaml
View file @ d68116b6
......@@ -4,9 +4,11 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "harbor.trivy" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: trivy
app.kubernetes.io/component: trivy
spec:
replicas: {{ .Values.trivy.replicas }}
serviceName: {{ template "harbor.trivy" . }}
......@@ -19,6 +21,10 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: trivy
app.kubernetes.io/component: trivy
{{- if .Values.trivy.podLabels }}
{{ toYaml .Values.trivy.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
......@@ -30,10 +36,6 @@ spec:
{{ toYaml .Values.trivy.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
......@@ -42,21 +44,30 @@ spec:
serviceAccountName: {{ .Values.trivy.serviceAccountName }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }}
{{- with .Values.trivy.topologySpreadConstraints}}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: trivy
{{- end }}
{{- end }}
{{- with .Values.trivy.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: trivy
{{- if contains "/" .Values.trivy.image.repository }}
image: "{{ .Values.trivy.image.repository }}"
{{- else }}
image: "{{ .Values.trivy.image.hub | default .Values.global.hub }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
{{- end }}
imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
securityContext:
privileged: false
allowPrivilegeEscalation: false
image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }}
{{- end }}
env:
{{- if has "trivy" .Values.proxy.components }}
- name: HTTP_PROXY
......@@ -76,6 +87,8 @@ spec:
value: {{ .Values.trivy.debugMode | quote }}
- name: "SCANNER_TRIVY_VULN_TYPE"
value: {{ .Values.trivy.vulnType | quote }}
- name: "SCANNER_TRIVY_TIMEOUT"
value: {{ .Values.trivy.timeout | quote }}
- name: "SCANNER_TRIVY_GITHUB_TOKEN"
valueFrom:
secretKeyRef:
......@@ -87,6 +100,12 @@ spec:
value: {{ .Values.trivy.ignoreUnfixed | default false | quote }}
- name: "SCANNER_TRIVY_SKIP_UPDATE"
value: {{ .Values.trivy.skipUpdate | default false | quote }}
- name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE"
value: {{ .Values.trivy.skipJavaDBUpdate | default false | quote }}
- name: "SCANNER_TRIVY_OFFLINE_SCAN"
value: {{ .Values.trivy.offlineScan | default false | quote }}
- name: "SCANNER_TRIVY_SECURITY_CHECKS"
value: {{ .Values.trivy.securityCheck | quote }}
- name: "SCANNER_TRIVY_INSECURE"
value: {{ .Values.trivy.insecure | default false | quote }}
- name: SCANNER_API_SERVER_ADDR
......@@ -114,6 +133,9 @@ spec:
secretKeyRef:
name: {{ template "harbor.trivy" . }}
key: redisURL
{{- with .Values.trivy.extraEnvVars }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: api-server
containerPort: {{ template "harbor.trivy.containerPort" . }}
......@@ -180,12 +202,19 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.trivy.priorityClassName }}
priorityClassName: {{ .Values.trivy.priorityClassName }}
{{- end }}
{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: data
labels:
{{ include "harbor.labels" . | indent 8 }}
{{ include "harbor.legacy.labels" . | indent 8 }}
annotations:
{{- range $key, $value := $trivy.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
accessModes: [{{ $trivy.accessMode | quote }}]
{{- if $trivy.storageClass }}
......
templates/trivy/trivy-svc.yaml
View file @ d68116b6
......@@ -3,11 +3,12 @@ apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.trivy" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- name: api-server
- name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }}
protocol: TCP
port: {{ template "harbor.trivy.servicePort" . }}
selector:
......
templates/trivy/trivy-tls.yaml
View file @ d68116b6
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
......
test/go.mod deleted 100644 → 0
View file @ 2133e634
module github.com/goharbor/harbor-helm
go 1.13
require (
github.com/gruntwork-io/terratest v0.28.2
github.com/stretchr/testify v1.6.0
k8s.io/api v0.18.3
)
test/go.sum deleted 100644 → 0
View file @ 2133e634
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM=
cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw=
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v38.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0=
github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc=
github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM=
github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw=
github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g=
github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM=
github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc=
github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA=
github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8=
github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI=
github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU=
github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c h1:ZfSZ3P3BedhKGUhzj7BQlPSU4OvT6tfOKe3DVHzOA7s=
github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 h1:yY9rWGoXv1U5pl4gxqlULARMQD7x0QG85lqEXTWysik=
github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2 h1:dWB6v3RcOy03t/bUadywsbyrQwCqZeNIEX6M1OtSZOM=
github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU=
github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk=
github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk=
github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
github.com/gruntwork-io/gruntwork-cli v0.5.1 h1:mVmVsFubUSLSCO8bGigI63HXzvzkC0uWXzm4dd9pXRg=
github.com/gruntwork-io/gruntwork-cli v0.5.1/go.mod h1:IBX21bESC1/LGoV7jhXKUnTQTZgQ6dYRsoj/VqxUSZQ=
github.com/gruntwork-io/terratest v0.28.2 h1:M9CMfS/5unIawxYlz55eRDWH16AH522OAJcUc+zsKv4=
github.com/gruntwork-io/terratest v0.28.2/go.mod h1:lTntpr4gGDzb2YEQ1GTjC5G/xw9ixMwxGmZkPCk1O0A=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY=
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok=
github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto=
github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U=
github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho=
github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY=
github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo=
github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200107162124-548cf772de50 h1:YvQ10rzcqWXLlJZ3XCUoO25savxmscf4+SC+ZqiCHhA=
golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200113040837-eac381796e91/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4=
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0=
k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA=
k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk=
k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg=
k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k=
k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw=
k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE=
k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s=
k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc=
k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls=
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8=
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU=
k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk=
modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k=
modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs=
modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06 h1:zD2IemQ4LmOcAumeiyDWXKUI2SO0NYDe3H6QGvPOVgU=
sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=
sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=
sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
test/install_helm.sh deleted 100644 → 0
View file @ 2133e634
#/bin/bash
set -e
version=${HELM_VERSION}
if [ "$version" = "2" ]
then
dist="helm-v2.8.0-linux-amd64.tar.gz"
# as the helm v3 removes tiller, here appends the "-c" option
# to args only when running helm v2 to display the client version
version_args="-c"
elif [ "$version" = "3" ]
then
# the "template" command doesn't work for helm beta3:
# https://github.com/helm/helm/issues/6404, use the beta2 for now
dist="helm-v3.0.0-beta.2-linux-amd64.tar.gz"
else
echo "unsupported helm version: $version"
exit 1
fi
wget -O /tmp/${dist} https://get.helm.sh/${dist}
tar -zxvf /tmp/${dist} -C /tmp/
sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm
helm version $version_args
echo "Helm installed"
\ No newline at end of file
test/integration/base.go deleted 100644 → 0
View file @ 2133e634
package integration
import (
"crypto/tls"
"encoding/json"
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"os/exec"
"strings"
"time"
"github.com/gruntwork-io/terratest/modules/helm"
"github.com/gruntwork-io/terratest/modules/k8s"
"github.com/stretchr/testify/suite"
)
var (
client = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
)
func NewBaseTestSuite(values map[string]string) BaseTestSuite {
if values == nil {
values = map[string]string{}
}
return BaseTestSuite{
Options: &helm.Options{
KubectlOptions: &k8s.KubectlOptions{
Namespace: "default",
},
SetValues: values,
},
ReleaseName: "harbor",
URL: values["externalURL"],
}
}
type BaseTestSuite struct {
suite.Suite
Options *helm.Options
ReleaseName string
URL string // the external URL of Harbor
}
func (b *BaseTestSuite) SetupSuite() {
helm.Install(b.T(), b.Options, "../..", b.ReleaseName)
b.waitUntilHealthy(b.URL)
}
type overallStatus struct {
Status string `json:"status"`
Components []*componentStatus `json:"components"`
}
type componentStatus struct {
Name string `json:"name"`
Status string `json:"status"`
Error string `json:"error,omitempty"`
}
func (b *BaseTestSuite) waitUntilHealthy(url string) {
url = fmt.Sprintf("%s/api/v2.0/health", url)
log.Printf("wait until Harbor is healthy by calling health check API: %s ...", url)
for i := 0; i < 60; i++ {
time.Sleep(10 * time.Second)
resp, err := client.Get(url)
if err != nil {
log.Printf("failed to call the health API: %v, retry 10 seconds later...", err)
continue
}
if resp.StatusCode != http.StatusOK {
log.Printf("the response status code %d != 200, retry 10 seconds later...", resp.StatusCode)
continue
}
data, err := ioutil.ReadAll(resp.Body)
b.Require().Nil(err)
resp.Body.Close()
status := &overallStatus{}
err = json.Unmarshal(data, status)
b.Require().Nil(err)
if status.Status != "healthy" {
for _, component := range status.Components {
if component.Status == "healthy" {
continue
}
log.Printf("the status of component %s isn't healthy: %s , retry 10 seconds later...",
component.Name, component.Error)
break
}
continue
}
log.Printf("the status is healthy")
return
}
b.FailNow("the status still isn't healthy after several retries")
}
func (b *BaseTestSuite) TestPush() {
addr := strings.TrimPrefix(b.URL, "http://")
addr = strings.TrimPrefix(addr, "https://")
// push image
b.T().Log("pushing the image...")
cmdStr := fmt.Sprintf("docker pull hello-world:latest;docker tag hello-world:latest %s/library/hello-world:latest; docker login %s -u admin -p Harbor12345;docker push %s/library/hello-world:latest",
addr, addr, addr)
cmd := exec.Command("/bin/sh", "-c", cmdStr)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Run()
b.Require().Nil(err)
// delete image in local
b.T().Log("deleting the image in local")
cmdStr = fmt.Sprintf("docker rmi %s/library/hello-world:latest", addr)
cmd = exec.Command("/bin/sh", "-c", cmdStr)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err = cmd.Run()
b.Require().Nil(err)
// pull image
b.T().Log("pull the image...")
cmdStr = fmt.Sprintf("docker pull %s/library/hello-world:latest", addr)
cmd = exec.Command("/bin/sh", "-c", cmdStr)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err = cmd.Run()
b.Require().Nil(err)
}
func (b *BaseTestSuite) TearDownSuite() {
helm.Delete(b.T(), &helm.Options{}, b.ReleaseName, true)
}
test/integration/ingress_test.go deleted 100644 → 0
View file @ 2133e634
package integration
import (
"fmt"
"testing"
"github.com/gruntwork-io/terratest/modules/k8s"
"github.com/stretchr/testify/suite"
)
type IngressTestSuite struct {
BaseTestSuite
}
func (i *IngressTestSuite) TestIngress() {
k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress", i.ReleaseName))
k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress-notary", i.ReleaseName))
}
func TestIngressTestSuite(t *testing.T) {
suite.Run(t, &IngressTestSuite{
BaseTestSuite: NewBaseTestSuite(map[string]string{
"expose.ingress.hosts.core": "harbor.local",
"expose.ingress.hosts.notary": "notary.harbor.local",
"externalURL": "https://harbor.local",
}),
})
}
test/integration/kind-cluster.yaml deleted 100644 → 0
View file @ 2133e634
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- containerPort: 30003
hostPort: 30003
protocol: TCP
test/integration/node_port_test.go deleted 100644 → 0
View file @ 2133e634
package integration
import (
"testing"
"github.com/gruntwork-io/terratest/modules/k8s"
"github.com/stretchr/testify/suite"
)
type NodePortTestSuite struct {
BaseTestSuite
}
func (n *NodePortTestSuite) TestNodePort() {
service := k8s.GetService(n.T(), n.Options.KubectlOptions, "harbor")
n.Equal("NodePort", string(service.Spec.Type))
}
func TestNodePortTestSuite(t *testing.T) {
suite.Run(t, &NodePortTestSuite{
BaseTestSuite: NewBaseTestSuite(map[string]string{
"expose.type": "nodePort",
"expose.tls.auto.commonName": "127.0.0.1",
"expose.nodePort.ports.https.nodePort": "30003",
"externalURL": "https://127.0.0.1:30003",
}),
})
}
test/unittest/trivy_stateful_set_test.go deleted 100644 → 0
View file @ 2133e634
package unittest
import (
"os"
"testing"
"github.com/gruntwork-io/terratest/modules/helm"
"github.com/gruntwork-io/terratest/modules/logger"
"github.com/stretchr/testify/suite"
appsV1 "k8s.io/api/apps/v1"
)
type TrivyStatefulSetTestSuite struct {
suite.Suite
}
func (suite *TrivyStatefulSetTestSuite) render(values map[string]string) *appsV1.StatefulSet {
helmChartPath := "../../"
options := &helm.Options{
SetValues: values,
}
debug := os.Getenv("debug")
if debug != "true" {
options.Logger = logger.Discard
}
output := helm.RenderTemplate(suite.T(), options, helmChartPath, "harbor", []string{"templates/trivy/trivy-sts.yaml"})
var ss appsV1.StatefulSet
helm.UnmarshalK8SYaml(suite.T(), output, &ss)
return &ss
}
func (suite *TrivyStatefulSetTestSuite) TestPersistenceDisabled() {
values := map[string]string{
"persistence.enabled": "false",
"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 1)
suite.NotNil(ss.Spec.Template.Spec.Volumes[0].EmptyDir)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
func (suite *TrivyStatefulSetTestSuite) TestPersistenceEnabled() {
values := map[string]string{
"persistence.enabled": "true",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 0)
suite.Len(ss.Spec.VolumeClaimTemplates, 1)
}
func (suite *TrivyStatefulSetTestSuite) TestExistingClaim() {
values := map[string]string{
"persistence.enabled": "true",
"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 1)
suite.NotNil(ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim)
suite.Equal("trivy-data", ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
func (suite *TrivyStatefulSetTestSuite) TestInternalTLSEnabled() {
{
values := map[string]string{
"internalTLS.enabled": "true",
"persistence.enabled": "false",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 2)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
{
values := map[string]string{
"internalTLS.enabled": "true",
"persistence.enabled": "true",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 1)
suite.Len(ss.Spec.VolumeClaimTemplates, 1)
}
{
values := map[string]string{
"internalTLS.enabled": "true",
"persistence.enabled": "true",
"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 2)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
}
func (suite *TrivyStatefulSetTestSuite) TestCustomCA() {
{
values := map[string]string{
"caBundleSecretName": "ca-bundle-secret",
"persistence.enabled": "false",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 2)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
{
values := map[string]string{
"caBundleSecretName": "ca-bundle-secret",
"internalTLS.enabled": "true",
"persistence.enabled": "false",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 3)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
{
values := map[string]string{
"caBundleSecretName": "ca-bundle-secret",
"internalTLS.enabled": "true",
"persistence.enabled": "true",
"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 3)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
{
values := map[string]string{
"caBundleSecretName": "ca-bundle-secret",
"persistence.enabled": "true",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 1)
suite.Len(ss.Spec.VolumeClaimTemplates, 1)
}
{
values := map[string]string{
"caBundleSecretName": "ca-bundle-secret",
"persistence.enabled": "true",
"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
}
ss := suite.render(values)
suite.Len(ss.Spec.Template.Spec.Volumes, 2)
suite.Len(ss.Spec.VolumeClaimTemplates, 0)
}
}
func TestTrivyStatefulSetTestSuite(t *testing.T) {
suite.Run(t, &TrivyStatefulSetTestSuite{})
}
test/verify.sh deleted 100644 → 0
View file @ 2133e634
#/bin/bash
set -e
helm lint .
# expose the service via ingress, this disables the deployment of nginx
helm template --set "expose.type=ingress" --output-dir /tmp/ .
# expose the service via node port, this enables the deployment of nginx
helm template --set "expose.type=nodePort,expose.tls.commonName=127.0.0.1" --output-dir /tmp/ .
\ No newline at end of file
values-operator.yaml
View file @ d68116b6
......@@ -2,8 +2,9 @@ global:
hub: registry.cn-qingdao.aliyuncs.com/wod
imagePullPolicy: "IfNotPresent"
imageArch: amd64
host: wodcloud.local
host: wocloud.local
imagePullSecrets:
- name: beagle-registry
registrySecrets: true
externalURL: https://hub.wocloud.local
\ No newline at end of file
values.yaml
View file @ d68116b6
expose:
# Set the way how to expose the service. Set the type as "ingress",
# "clusterIP", "nodePort" or "loadBalancer" and fill the information
# in the corresponding section
# Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer"
# and fill the information in the corresponding section
type: ingress
tls:
# Enable the tls or not. Note: if the type is "ingress" and the tls
# is disabled, the port must be included in the command when pull/push
# images. Refer to https://github.com/goharbor/harbor/issues/5291
# for the detail.
enabled: false
# The source of the tls certificate. Set it as "auto", "secret"
# Enable TLS or not.
# Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress"
# Note: if the "expose.type" is "ingress" and TLS is disabled,
# the port must be included in the command when pulling/pushing images.
# Refer to https://github.com/registry.cn-qingdao.aliyuncs.com/wod/harbor/issues/5291 for details.
enabled: true
# The source of the tls certificate. Set as "auto", "secret"
# or "none" and fill the information in the corresponding section
# 1) auto: generate the tls certificate automatically
# 2) secret: read the tls certificate from the specified secret.
......@@ -20,81 +20,85 @@ expose:
auto:
# The common name used to generate the certificate, it's necessary
# when the type isn't "ingress"
commonName: ''
commonName: ""
secret:
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
secretName: ''
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# Only needed when the "expose.type" is "ingress".
notarySecretName: ''
secretName: ""
ingress:
hosts:
core: hub
notary: notary
# set to the type of ingress controller if it has specific requirements.
# leave as `default` for most ingress controllers.
# set to `gce` if using the GCE ingress controller
# set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
# set to `alb` if using the ALB ingress controller
# set to `f5-bigip` if using the F5 BIG-IP ingress controller
controller: default
## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
kubeVersionOverride: ""
className: ""
annotations:
ingress.kubernetes.io/ssl-redirect: 'true'
ingress.kubernetes.io/proxy-body-size: '0'
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
nginx.ingress.kubernetes.io/proxy-body-size: '0'
# note different ingress controllers may require a different ssl-redirect annotation
# for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
# ingress-specific labels
labels: {}
clusterIP:
# The name of ClusterIP service
name: harbor
# The ip address of the ClusterIP service (leave empty for acquiring dynamic ip)
staticClusterIP: ""
ports:
# The service port Harbor listens on when serving with HTTP
# The service port Harbor listens on when serving HTTP
httpPort: 80
# The service port Harbor listens on when serving with HTTPS
# The service port Harbor listens on when serving HTTPS
httpsPort: 443
# The service port Notary listens on. Only needed when notary.enabled
# is set to true
notaryPort: 4443
# Annotations on the ClusterIP service
annotations: {}
# ClusterIP-specific labels
labels: {}
nodePort:
# The name of NodePort service
name: harbor
ports:
http:
# The service port Harbor listens on when serving with HTTP
# The service port Harbor listens on when serving HTTP
port: 80
# The node port Harbor listens on when serving with HTTP
# The node port Harbor listens on when serving HTTP
nodePort: 30002
https:
# The service port Harbor listens on when serving with HTTPS
# The service port Harbor listens on when serving HTTPS
port: 443
# The node port Harbor listens on when serving with HTTPS
# The node port Harbor listens on when serving HTTPS
nodePort: 30003
# Only needed when notary.enabled is set to true
notary:
# The service port Notary listens on
port: 4443
# The node port Notary listens on
nodePort: 30004
# Annotations on the nodePort service
annotations: {}
# nodePort-specific labels
labels: {}
loadBalancer:
# The name of LoadBalancer service
name: harbor
# Set the IP if the LoadBalancer supports assigning IP
IP: ''
IP: ""
ports:
# The service port Harbor listens on when serving with HTTP
# The service port Harbor listens on when serving HTTP
httpPort: 80
# The service port Harbor listens on when serving with HTTPS
# The service port Harbor listens on when serving HTTPS
httpsPort: 443
# The service port Notary listens on. Only needed when notary.enabled
# is set to true
notaryPort: 4443
# Annotations on the loadBalancer service
annotations: {}
# loadBalancer-specific labels
labels: {}
sourceRanges: []
# The external URL for Harbor core service. It is used to
# 1) populate the docker/helm commands showed on portal
# 2) populate the token service URL returned to docker/notary client
# 2) populate the token service URL returned to docker client
#
# Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be
......@@ -105,81 +109,12 @@ expose:
# the IP address of k8s node
#
# If Harbor is deployed behind the proxy, set it as the URL of proxy
externalURL: https://hub
# The internal TLS used for harbor components secure communicating. In order to enable https
# in each components tls cert files need to provided in advance.
internalTLS:
# If internal TLS enabled
enabled: false
# There are three ways to provide tls
# 1) "auto" will generate cert automatically
# 2) "manual" need provide cert file manually in following value
# 3) "secret" internal certificates from secret
certSource: 'auto'
# The content of trust ca, only available when `certSource` is "manual"
trustCa: ''
# core related cert configuration
core:
# secret name for core's tls certs
secretName: ''
# Content of core's TLS cert file, only available when `certSource` is "manual"
crt: ''
# Content of core's TLS key file, only available when `certSource` is "manual"
key: ''
# jobservice related cert configuration
jobservice:
# secret name for jobservice's tls certs
secretName: ''
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
key: ''
# registry related cert configuration
registry:
# secret name for registry's tls certs
secretName: ''
# Content of registry's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of registry's TLS key file, only available when `certSource` is "manual"
key: ''
# portal related cert configuration
portal:
# secret name for portal's tls certs
secretName: ''
# Content of portal's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of portal's TLS key file, only available when `certSource` is "manual"
key: ''
# chartmuseum related cert configuration
chartmuseum:
# secret name for chartmuseum's tls certs
secretName: ''
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
key: ''
# clair related cert configuration
clair:
# secret name for clair's tls certs
secretName: ''
# Content of clair's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of clair's TLS key file, only available when `certSource` is "manual"
key: ''
# trivy related cert configuration
trivy:
# secret name for trivy's tls certs
secretName: ''
# Content of trivy's TLS key file, only available when `certSource` is "manual"
crt: ''
# Content of trivy's TLS key file, only available when `certSource` is "manual"
key: ''
externalURL: https://hub.wodcloud.local
# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamicly.
# is needed in the k8s cluster to provision volumes dynamically.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
# if you have already existing persistent volumes to use
# if you already have existing persistent volumes to use
#
# For storing images and charts, you can also use "azure", "gcs", "s3",
# "swift" or "oss". Set it in the "imageChartStorage" section
......@@ -189,75 +124,74 @@ persistence:
# operation. Leaving it empty will delete PVCs after the chart deleted
# (this does not apply for PVCs that are created for internal database
# and redis components, i.e. they are never deleted automatically)
resourcePolicy: 'keep'
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# Use the existing PVC which must be created manually before bound,
# and specify the "subPath" if the PVC is shared with other components
existingClaim: ''
existingClaim: ""
# Specify the "storageClass" used to provision the volume. Or the default
# StorageClass will be used(the default).
# StorageClass will be used (the default).
# Set it to "-" to disable dynamic provisioning
storageClass: 'hostpath'
subPath: ''
accessMode: ReadWriteOnce
size: 5Gi
chartmuseum:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
storageClass: "csi-s3"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
annotations: {}
jobservice:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
jobLog:
existingClaim: ""
storageClass: "csi-s3"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
annotations: {}
# If external database is used, the following settings for database will
# be ignored
database:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
existingClaim: ""
storageClass: "hostpath"
subPath: ""
accessMode: ReadWriteOnce
size: 10Gi
size: 1Gi
annotations: {}
# If external Redis is used, the following settings for Redis will
# be ignored
redis:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
existingClaim: ""
storageClass: "csi-s3"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
annotations: {}
trivy:
existingClaim: ''
storageClass: 'hostpath'
subPath: ''
existingClaim: ""
storageClass: "csi-s3"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
# Define which storage backend is used for registry and chartmuseum to store
annotations: {}
# Define which storage backend is used for registry to store
# images and charts. Refer to
# https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
# https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#storage
# for the detail.
imageChartStorage:
# Specify whether to disable `redirect` for images and chart storage, for
# backends which not supported it (such as using minio for `s3` storage type), please disable
# it. To disable redirects, simply set `disableredirect` to `true` instead.
# Refer to
# https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
# https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#redirect
# for the detail.
disableredirect: false
# Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
# The secret must contain keys named "ca.crt" which will be injected into the trust store
# of registry's and chartmuseum's containers.
# of registry's containers.
# caBundleSecretName:
# Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
# "oss" and fill the information needed in the corresponding section. The type
# must be "filesystem" if you want to use persistent volumes for registry
# and chartmuseum
type: filesystem
type: oss
filesystem:
rootdirectory: /storage
#maxthreads: 100
......@@ -266,13 +200,21 @@ persistence:
accountkey: base64encodedaccountkey
container: containername
#realm: core.windows.net
# To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY
existingSecret: ""
gcs:
bucket: bucketname
# The base64 encoded json file which contains the key
encodedkey: base64-encoded-json-key-file
#rootdirectory: /gcs/object/name/prefix
#chunksize: "5242880"
# To use existing secret, the key must be GCS_KEY_DATA
existingSecret: ""
useWorkloadIdentity: false
s3:
# Set an existing secret for S3 accesskey and secretkey
# keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry
#existingSecret: ""
region: us-west-1
bucket: bucketname
#accesskey: awsaccesskey
......@@ -294,6 +236,8 @@ persistence:
username: username
password: password
container: containername
# keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY
existingSecret: ""
#region: fr
#tenant: tenantname
#tenantid: tenantid
......@@ -310,16 +254,88 @@ persistence:
#tempurlcontainerkey: false
#tempurlmethods:
oss:
accesskeyid: accesskeyid
accesskeysecret: accesskeysecret
region: regionname
bucket: bucketname
#endpoint: endpoint
accesskeyid: ""
accesskeysecret: ""
region: ""
bucket: ""
# key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
existingSecret: ""
endpoint: ""
#internal: false
#encrypt: false
#secure: true
secure: true
#chunksize: 10M
#rootdirectory: rootdirectory
rootdirectory: hub
# The initial password of Harbor admin. Change it from portal after launching Harbor
# or give an existing secret for it
# key in secret is given via (default to HARBOR_ADMIN_PASSWORD)
# existingSecretAdminPassword:
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
harborAdminPassword: "Harbor12345"
# The internal TLS used for harbor components secure communicating. In order to enable https
# in each component tls cert files need to provided in advance.
internalTLS:
# If internal TLS enabled
enabled: false
# enable strong ssl ciphers (default: false)
strong_ssl_ciphers: false
# There are three ways to provide tls
# 1) "auto" will generate cert automatically
# 2) "manual" need provide cert file manually in following value
# 3) "secret" internal certificates from secret
certSource: "auto"
# The content of trust ca, only available when `certSource` is "manual"
trustCa: ""
# core related cert configuration
core:
# secret name for core's tls certs
secretName: ""
# Content of core's TLS cert file, only available when `certSource` is "manual"
crt: ""
# Content of core's TLS key file, only available when `certSource` is "manual"
key: ""
# jobservice related cert configuration
jobservice:
# secret name for jobservice's tls certs
secretName: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
key: ""
# registry related cert configuration
registry:
# secret name for registry's tls certs
secretName: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
key: ""
# portal related cert configuration
portal:
# secret name for portal's tls certs
secretName: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
key: ""
# trivy related cert configuration
trivy:
# secret name for trivy's tls certs
secretName: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
key: ""
ipFamily:
# ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component
ipv6:
enabled: true
# ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component
ipv4:
enabled: true
imagePullPolicy: IfNotPresent
......@@ -328,8 +344,7 @@ imagePullSecrets:
# - name: docker-registry-secret
# - name: internal-registry-secret
# The update strategy for deployments with persistent volumes(jobservice, registry
# and chartmuseum): "RollingUpdate" or "Recreate"
# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate"
# Set it as "Recreate" when "RWM" for volumes isn't supported
updateStrategy:
type: RollingUpdate
......@@ -337,18 +352,17 @@ updateStrategy:
# debug, info, warning, error or fatal
logLevel: info
# The initial password of Harbor admin. Change it from portal after launching Harbor
harborAdminPassword: 'spaceIN511'
# The name of the secret which contains key named "ca.crt". Setting this enables the
# download link on portal to download the certificate of CA when the certificate isn't
# download link on portal to download the CA certificate when the certificate isn't
# generated automatically
caSecretName: ''
caSecretName: ""
# The secret key used for encryption. Must be a string of 16 chars.
secretKey: 'IpTIscRIgmerlare'
secretKey: "not-a-secure-key"
# If using existingSecretSecretKey, the key must be secretKey
existingSecretSecretKey: ""
# The proxy settings for updating clair vulnerabilities from the Internet and replicating
# The proxy settings for updating trivy vulnerabilities from the Internet and replicating
# artifacts from/to the registries that cannot be reached directly
proxy:
httpProxy:
......@@ -357,11 +371,13 @@ proxy:
components:
- core
- jobservice
- clair
- trivy
# Run the migration job via helm hook
enableMigrateHelmHook: false
# The custom ca bundle secret, the secret must contain key named "ca.crt"
# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
# which will be injected into the trust store for core, jobservice, registry, trivy components
# caBundleSecretName: ""
## UAA Authentication Options
......@@ -371,141 +387,388 @@ proxy:
# contains a base64 encoded CA Certificate named `ca.crt`.
# uaaSecretName:
# If expose the service via "ingress", the Nginx will not be used
metrics:
enabled: false
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
jobservice:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
## Create prometheus serviceMonitor to scrape harbor metrics.
## This requires the monitoring.coreos.com/v1 CRD. Please see
## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md
##
serviceMonitor:
enabled: false
additionalLabels: {}
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval: ""
# Metric relabel configs to apply to samples before ingestion.
metricRelabelings:
[]
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# Relabel configs to apply to samples before ingestion.
relabelings:
[]
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
trace:
enabled: false
# trace provider: jaeger or otel
# jaeger should be 1.26+
provider: jaeger
# set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
sample_rate: 1
# namespace used to differentiate different harbor services
# namespace:
# attributes is a key value dict contains user defined attributes used to initialize trace provider
# attributes:
# application: harbor
jaeger:
# jaeger supports two modes:
# collector mode(uncomment endpoint and uncomment username, password if needed)
# agent mode(uncomment agent_host and agent_port)
endpoint: http://hostname:14268/api/traces
# username:
# password:
# agent_host: hostname
# export trace data by jaeger.thrift in compact mode
# agent_port: 6831
otel:
endpoint: hostname:4318
url_path: /v1/traces
compression: false
insecure: true
# timeout is in seconds
timeout: 10
# cache layer configurations
# if this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which help to improve the performance of high concurrent pulling manifest.
cache:
# default is not enabled.
enabled: false
# default keep cache for one day.
expireHours: 24
## set Container Security Context to comply with PSP restricted policy if necessary
## each of the conatiner will apply the same security context
## containerSecurityContext:{} is initially an empty yaml that you could edit it on demand, we just filled with a common template for convenience
containerSecurityContext:
privileged: false
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
capabilities:
drop:
- ALL
# If service exposed via "ingress", the Nginx will not be used
nginx:
image:
repository: nginx
tag: v2.1.6
repository: registry.cn-qingdao.aliyuncs.com/wod/nginx-photon
tag: v2.13.2
# set the service account to be used, default if left empty
serviceAccountName: ''
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## The priority class to run the pod as
priorityClassName:
portal:
image:
repository: harbor-portal
tag: v2.1.6
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
tag: v2.13.2
# set the service account to be used, default if left empty
serviceAccountName: ''
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## Additional service annotations
serviceAnnotations: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
core:
image:
repository: harbor-core
tag: v2.1.6
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
tag: v2.13.2
# set the service account to be used, default if left empty
serviceAccountName: ''
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
## Startup probe values
startupProbe:
enabled: false
enabled: true
initialDelaySeconds: 10
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## Additional service annotations
serviceAnnotations: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
## User settings configuration json string
configureUserSettings:
# The provider for updating project quota(usage), there are 2 options, redis or db.
# By default it is implemented by db but you can configure it to redis which
# can improve the performance of high concurrent pushing to the same project,
# and reduce the database connections spike and occupies.
# Using redis will bring up some delay for quota usage updation for display, so only
# suggest switch provider to redis if you were ran into the db connections spike around
# the scenario of high concurrent pushing to same project, no improvment for other scenes.
quotaUpdateProvider: db # Or redis
# Secret is used when core server communicates with other components.
# If a secret key is not specified, Helm will generate one.
# If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret
# Must be a string of 16 chars.
secret: ''
secret: ""
# Fill in the name of a kubernetes secret if you want to use your own
# If using existingSecret, the key must be secret
existingSecret: ""
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate and private key for token encryption/decryption.
# The secret must contain keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# The default key pair will be used if it isn't set
secretName: ''
# "tls.crt" - the certificate
secretName: ""
# If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead.
# If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated.
# tokenKey and tokenCert must BOTH be set or BOTH unset.
# The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line.
tokenKey: |
# If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line.
tokenCert: |
# The XSRF key. Will be generated automatically if it isn't specified
xsrfKey: ''
# While you specified, Please make sure it is 32 characters, otherwise would have validation issue at the harbor-core runtime
# https://github.com/registry.cn-qingdao.aliyuncs.com/wod/harbor/pull/21154
xsrfKey: ""
# If using existingSecret, the key is defined by core.existingXsrfSecretKey
existingXsrfSecret: ""
# If using existingSecret, the key
existingXsrfSecretKey: CSRF_KEY
# The time duration for async update artifact pull_time and repository
# pull_count, the unit is second. Will be 10 seconds if it isn't set.
# eg. artifactPullAsyncFlushDuration: 10
artifactPullAsyncFlushDuration:
gdpr:
deleteUser: false
auditLogsCompliant: false
jobservice:
image:
repository: harbor-jobservice
tag: v2.1.6
replicas: 1
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
tag: v2.13.2
# set the service account to be used, default if left empty
serviceAccountName: ''
maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout"
jobLogger: file
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints:
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout"
jobLoggers:
- file
# - database
# - stdout
# The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
loggerSweeperDuration: 14 #days
notification:
webhook_job_max_retry: 3
webhook_job_http_client_timeout: 3 # in seconds
reaper:
# the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
max_update_hours: 24
# the max time for execution in running state without new task created
max_dangling_hours: 168
# Secret is used when job service communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ''
secret: ""
# Use an existing secret resource
existingSecret: ""
# Key within the existing secret for the job service secret
existingSecretKey: JOBSERVICE_SECRET
registry:
# set the service account to be used, default if left empty
serviceAccountName: ''
registry:
image:
repository: registry
tag: v2.7.1
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
repository: registry.cn-qingdao.aliyuncs.com/wod/registry-photon
tag: v2.13.2
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
controller:
image:
repository: harbor-registryctl
tag: v2.1.6
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
tag: v2.13.2
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# Secret is used to secure the upload state from client
# and registry storage backend.
# See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
# See: https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#http
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ''
secret: ""
# Use an existing secret resource
existingSecret: ""
# Key within the existing secret for the registry service secret
existingSecretKey: REGISTRY_HTTP_SECRET
# If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
relativeurls: false
credentials:
username: 'harbor_registry_user'
password: 'harbor_registry_password'
# If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
# e.g. "htpasswd -nbBC10 $username $password"
htpasswd: 'harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m'
username: "harbor_registry_user"
password: "harbor_registry_password"
# If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD
existingSecret: ""
# Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt.
# htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string
htpasswdString: ""
middleware:
enabled: false
type: cloudFront
......@@ -516,81 +779,66 @@ registry:
ipfilteredby: none
# The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
# that allows access to CloudFront
privateKeySecret: 'my-secret'
chartmuseum:
privateKeySecret: "my-secret"
# enable purge _upload directories
upload_purging:
enabled: true
# set the service account to be used, default if left empty
serviceAccountName: ''
# Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
absoluteUrl: false
image:
repository: chartmuseum
tag: v0.12.0
storageSpec:
type: hostPath
emptyDir: {}
hostPath:
root: /data
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
clair:
enabled: true
# set the service account to be used, default if left empty
serviceAccountName: ''
clair:
image:
repository: clair
tag: v2.1.7
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
adapter:
image:
repository: harbor-scanner-clair
tag: v1.1.1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
replicas: 1
# The interval of clair updaters, the unit is hour, set to 0 to
# disable the updaters
updatersInterval: 12
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# remove files in _upload directories which exist for a period of time, default is one week.
age: 168h
# the interval of the purge operations
interval: 24h
dryrun: false
trivy:
# enabled the flag to enable Trivy scanner
enabled: true
image:
# repository the repository for Trivy adapter image
repository: harbor-scanner-trivy
repository: registry.cn-qingdao.aliyuncs.com/wod/trivy-adapter-photon
# tag the tag for Trivy adapter image
tag: v0.17.0
tag: v2.13.2
# set the service account to be used, default if left empty
serviceAccountName: ''
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
# replicas the number of Pod replicas
replicas: 1
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# debugMode the flag to enable Trivy debug mode with more verbose scanning log
debugMode: false
# vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
vulnType: 'os,library'
vulnType: "os,library"
# severity a comma-separated list of severities to be checked
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
# ignoreUnfixed the flag to display only fixed vulnerabilities
ignoreUnfixed: false
# insecure the flag to skip verifying registry certificate
......@@ -610,92 +858,91 @@ trivy:
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
gitHubToken: ''
gitHubToken: ""
# skipUpdate the flag to disable Trivy DB downloads from GitHub
#
# You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
# `/home/scanner/.cache/trivy/db/trivy.db` path.
skipUpdate: false
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
# `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
#
skipJavaDBUpdate: false
# The offlineScan option prevents Trivy from sending API requests to identify dependencies.
#
# Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
# For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
# exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
# It would work if all the dependencies are in local.
# This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment.
offlineScan: false
# Comma-separated list of what security issues to detect. Defaults to `vuln`.
securityCheck: "vuln"
# The duration to wait for scan completion
timeout: 5m0s
notary:
enabled: true
server:
# set the service account to be used, default if left empty
serviceAccountName: ''
database:
# if external database is used, set "type" to "external"
# and fill the connection information in "external" section
type: internal
internal:
image:
repository: notary-server
tag: v0.6.1
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
signer:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
tag: v2.13.2
# set the service account to be used, default if left empty
serviceAccountName: ''
image:
repository: notary-signer
tag: v0.6.1
replicas: 1
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
# The timeout used in livenessProbe; 1 to 5 seconds
livenessProbe:
timeoutSeconds: 1
# The timeout used in readinessProbe; 1 to 5 seconds
readinessProbe:
timeoutSeconds: 1
extraEnvVars: []
nodeSelector:
kubernetes.io/hostname: 172.16.1.11
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate authority, certificate and private key for notary
# communications.
# The secret must contain keys named ca.crt, tls.crt and tls.key that
# contain the CA, certificate and private key.
# They will be generated if not set.
secretName: ''
database:
# if external database is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
# set the service account to be used, default if left empty
serviceAccountName: ''
image:
repository: harbor-db
tag: v2.1.6
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
extrInitContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# The initial superuser password for internal database
password: 'spaceIN511'
resources:
limits:
memory: 4Gi
requests:
memory: 256Mi
nodeSelector: {}
tolerations: []
affinity: {}
password: "changeit"
# The size limit for Shared memory, pgSQL use it for shared_buffer
# More details see:
# https://github.com/registry.cn-qingdao.aliyuncs.com/wod/harbor/issues/15034
shmSizeLimit: 512Mi
initContainer:
migrator: {}
# resources:
# requests:
# memory: 128Mi
# cpu: 100m
permissions: {}
# resources:
# requests:
# memory: 128Mi
# cpu: 100m
external:
host: '192.168.0.1'
port: '5432'
username: 'user'
password: 'password'
coreDatabase: 'registry'
clairDatabase: 'clair'
notaryServerDatabase: 'notary_server'
notarySignerDatabase: 'notary_signer'
host: "192.168.0.1"
port: "5432"
username: "user"
password: "password"
coreDatabase: "registry"
# if using existing secret, the key must be "password"
existingSecret: ""
# "disable" - No SSL
# "require" - Always SSL (skip verification)
# "verify-ca" - Always SSL (verify that the certificate presented by the
......@@ -703,52 +950,120 @@ database:
# "verify-full" - Always SSL (verify that the certification presented by the
# server was signed by a trusted CA and the server host name matches the one
# in the certificate)
sslmode: 'disable'
# The maximum number of connections in the idle connection pool.
sslmode: "disable"
# The maximum number of connections in the idle connection pool per pod (core+exporter).
# If it <=0, no idle connections are retained.
maxIdleConns: 50
# The maximum number of open connections to the database.
maxIdleConns: 100
# The maximum number of open connections to the database per pod (core+exporter).
# If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgre of harbor.
maxOpenConns: 1000
# Note: the default number of connections is 1024 for harbor's postgres.
maxOpenConns: 900
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
redis:
# if external Redis is used, set "type" to "external"
# and fill the connection informations in "external" section
# and fill the connection information in "external" section
type: internal
internal:
# set the service account to be used, default if left empty
serviceAccountName: ''
image:
repository: redis
tag: 6.2.6
repository: registry.cn-qingdao.aliyuncs.com/wod/redis-photon
tag: v2.13.2
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# # jobserviceDatabaseIndex defaults to "1"
# # registryDatabaseIndex defaults to "2"
# # trivyAdapterIndex defaults to "5"
# # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional
# # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional
jobserviceDatabaseIndex: "1"
registryDatabaseIndex: "2"
trivyAdapterIndex: "5"
# harborDatabaseIndex: "6"
# cacheLayerDatabaseIndex: "7"
external:
# support redis, redis+sentinel
# addr for redis: <host_redis>:<port_redis>
# addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
addr: '192.168.0.2:6379'
addr: "192.168.0.2:6379"
# The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
sentinelMasterSet: ''
sentinelMasterSet: ""
# TLS configuration for redis connection
# only server-authentication is supported, mTLS for redis connection is not supported
# tls connection will be disable by default
# Once `tlsOptions.enable` set as true, tls/ssl connection will be used for redis
# Please set the `caBundleSecretName` in this configuration file which conatins redis server rootCA if it is self-signed.
# The secret must contain keys named "ca.crt" which will be injected into the trust store
tlsOptions:
enable: false
# The "coreDatabaseIndex" must be "0" as the library Harbor
# used doesn't support configuring it
coreDatabaseIndex: '0'
jobserviceDatabaseIndex: '1'
registryDatabaseIndex: '2'
chartmuseumDatabaseIndex: '3'
clairAdapterIndex: '4'
trivyAdapterIndex: '5'
password: ''
# harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional
# cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional
coreDatabaseIndex: "0"
jobserviceDatabaseIndex: "1"
registryDatabaseIndex: "2"
trivyAdapterIndex: "5"
# harborDatabaseIndex: "6"
# cacheLayerDatabaseIndex: "7"
# username field can be an empty string, and it will be authenticated against the default user
username: ""
password: ""
# If using existingSecret, the key must be REDIS_PASSWORD
existingSecret: ""
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
commonLabels:
app.bd-apaas.com/cluster-component: registry
exporter:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-exporter
tag: v2.13.2
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
podAnnotations: {}
## Additional deployment labels
podLabels: {}
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
## The priority class to run the pod as
priorityClassName:
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
cacheDuration: 23
cacheCleanInterval: 14400
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment