Skip to content

H
harbor
Commit fadc628d authored by root's avatar root
Browse files
Options

update

parent e1e04d48
Hide whitespace changes
Inline Side-by-side
Showing with 663 additions and 649 deletions
Chart.yaml
View file @ fadc628d
name: harbor name: harbor
version: dev version: 1.0.0
appVersion: dev appVersion: 1.7.0
description: An open source trusted cloud native registry that stores, signs, and scans content description: An open source trusted cloud native registry that stores, signs, and scans content
keywords: keywords:
- docker - docker
......
Deploy.md
View file @ fadc628d
...@@ -35,6 +35,11 @@ docker pull goharbor/harbor-core:v1.7.5 && \ ...@@ -35,6 +35,11 @@ docker pull goharbor/harbor-core:v1.7.5 && \
docker tag goharbor/harbor-core:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5 && \ docker tag goharbor/harbor-core:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5 docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-core:v1.7.5
# goharbor/harbor-adminserver
docker pull goharbor/harbor-adminserver:v1.7.5 && \
docker tag goharbor/harbor-adminserver:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-adminserver:v1.7.5 && \
docker push registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-adminserver:v1.7.5
# goharbor/harbor-jobservice # goharbor/harbor-jobservice
docker pull goharbor/harbor-jobservice:v1.7.5 && \ docker pull goharbor/harbor-jobservice:v1.7.5 && \
docker tag goharbor/harbor-jobservice:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.7.5 && \ docker tag goharbor/harbor-jobservice:v1.7.5 registry-vpc.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v1.7.5 && \
......
docs/High Availability.md
View file @ fadc628d
...@@ -53,7 +53,7 @@ Configure the followings items in `values.yaml`, you can also set them as parame ...@@ -53,7 +53,7 @@ Configure the followings items in `values.yaml`, you can also set them as parame
If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`. If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`.
- **Replica** - **Replica**
Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2). Set `portal.replicas`, `adminserver.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2).
### Installation ### Installation
Install the Harbor helm chart with a release name `my-release`: Install the Harbor helm chart with a release name `my-release`:
......
readme.md
View file @ fadc628d
# Helm Chart for Harbor # Helm Chart for Harbor
**Notes:** The master branch is in heavy development, please use the codes on other branch instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. **Notes:** The master branch is in heavy development, please use the codes on other branch instead. A high available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment.
## Introduction ## Introduction
This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor.
## Prerequisites ## Prerequisites
- Kubernetes cluster 1.10+ - Kubernetes cluster 1.10+
- Helm 2.8.0+ - Helm 2.8.0+
## Installation ## Installation
### Download the chart ### Download the chart
Download Harbor helm chart code. Download Harbor helm chart code.
```bash ```bash
git clone https://github.com/goharbor/harbor-helm git clone https://github.com/goharbor/harbor-helm
``` ```
Checkout the branch. Checkout the branch.
```bash ```bash
cd harbor-helm cd harbor-helm
git checkout branch_name git checkout branch_name
``` ```
### Configure the chart ### Configure the chart
The following items can be configured in `values.yaml` or set via `--set` flag during installation.
The following items can be configured in `values.yaml` or set via `--set` flag during installation.
#### Configure the way how to expose Harbor service: #### Configure the way how to expose Harbor service:
- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. - **Ingress**: The ingress controller must be installed in the Kubernetes cluster.
**Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail. **Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail.
- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. - **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. - **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer.
#### Configure the external URL #### Configure the external URL
The external URL for Harbor core service is used to:
1) populate the docker/helm commands showed on portal
2) populate the token service URL returned to docker/notary client
The external URL for Harbor core service is used to: Format: `protocol://domain[:port]`. Usually:
- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core`
1. populate the docker/helm commands showed on portal - if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name`
2. populate the token service URL returned to docker/notary client - if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node
Format: `protocol://domain[:port]`. Usually:
- if expose the service via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` If Harbor is deployed behind the proxy, set it as the URL of proxy.
- if expose the service via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name`
- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node
- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider
If Harbor is deployed behind the proxy, set it as the URL of proxy.
#### Configure the way how to persistent data: #### Configure the way how to persistent data:
- **Disable**: The data does not survive the termination of a pod. - **Disable**: The data does not survive the termination of a pod.
- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. - **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use.
- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. - **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`.
#### Configure the secrets
- **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure.
- **Certificates**:
- *notary*: Used for authentication during communications. Fill `notary.secretName` to configure. Notary server certificate must be issued with notary service name as subject alternative name.
- *core*: Used for token encryption/decryption. Fill `core.secretName` to configure.
Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)).
#### Configure the other items listed in [configuration](#configuration) section. #### Configure the other items listed in [configuration](#configuration) section.
### Install the chart ### Install the chart
Install the Harbor helm chart with a release name `my-release`: Install the Harbor helm chart with a release name `my-release`:
```bash ```bash
helm install --name my-release . helm install --name my-release .
``` ```
## Uninstallation ## Uninstallation
To uninstall/delete the `my-release` deployment: To uninstall/delete the `my-release` deployment:
```bash ```bash
...@@ -91,194 +62,190 @@ helm delete --purge my-release ...@@ -91,194 +62,190 @@ helm delete --purge my-release
``` ```
## Configuration ## Configuration
The following table lists the configurable parameters of the Harbor chart and the default values. The following table lists the configurable parameters of the Harbor chart and the default values.
| Parameter | Description | Default | | Parameter | Description | Default |
| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | | ----------------------- | ---------------------------------- | ----------------------- |
| **Expose** | | **Expose** |
| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer` | `ingress` | |`expose.type`|The way how to expose the service: `ingress`, `clusterIP` or `nodePort`|`ingress`|
| `expose.tls.enabled` | Enable the tls or not | `true` | |`expose.tls.enabled`|Enable the tls or not|`true`|
| `expose.tls.secretName` | Fill the name of secret if you want to use your own TLS certificate. The secret must contain keys named: |`expose.tls.secretName`|Fill the name of secret if you want to use your own TLS certificate and private key. The secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. The certificate and private key will be generated automatically if it is not set||
`tls.crt` - the certificate, `tls.key` - the private key, `ca.crt` - the certificate of CA.These files will be generated automatically if the `secretName` is not set || |`expose.tls.notarySecretName`|By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the `expose.type` is `ingress`.||
| `expose.tls.commonName` | The common name used to generate the certificate, it's necessary when the `expose.type` is `clusterIP` or `nodePort` and `expose.tls.secretName` is null | | |`expose.tls.commonName`|The common name used to generate the certificate, it's necessary when the `expose.type` is `clusterIP` or `nodePort` and `expose.tls.secretName` is null||
| `expose.ingress.host` | The host of Harbor service in ingress rule | `harbor.local` | | `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
| `expose.ingress.controller` | The ingress controller type. Currently supports `default` and `gce` | `default` | | `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` |
| `expose.ingress.annotations` | The annotations used in ingress | | | `expose.ingress.annotations` | The annotations used in ingress ||
| `expose.ingress.rewriteAnnotation` | The name of the `rewrite-target` annotation| `nginx.ingress.kubernetes.io/rewrite-target` | | `expose.clusterIP.name` | The name of ClusterIP service |`harbor`|
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | | `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP |`80`|
| `expose.clusterIP.ports.http` | The service port Harbor listens on when serving with HTTP | `80` | | `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS |`443`|
| `expose.clusterIP.ports.https` | The service port Harbor listens on when serving with HTTPS | `443` | | `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` |`4443`|
| `expose.nodePort.name` | The name of NodePort service | `harbor` | | `expose.nodePort.name` | The name of NodePort service |`harbor`|
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` | | `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP |`80`|
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` | | `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP |`30002`|
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` | | `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS |`443`|
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` | | `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS |`30003`|
| `expose.loadBalancer.name` | The name of service |`harbor`| | `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` |`4443`|
| `expose.loadBalancer.ports.http` | The service port Harbor listens on when serving with HTTP |`80`| | `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` |`30004`|
| `expose.loadBalancer.ports.https` | The service port Harbor listens on when serving with HTTP |`30002`| | **Persistence** |
| **Persistence** | | `persistence.enabled` | Enable the data persistence or not | `true` |
| `persistence.enabled` | Enable the data persistence or not | `true` | | `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` |
| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` | | `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound | |
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | |`persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | |`persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | |`persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | |`persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | |`persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound | |
| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | |`persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | |`persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | | |`persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` | |`persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` | |`persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound | |
| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | |`persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | | |`persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | | |`persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` | |`persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` |
| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` | |`persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | |`persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | |`persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | |`persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | |`persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` |
| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | |`persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | |`persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | |`persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | |`persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | |`persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` |
| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | |`persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` |
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` | | |
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` | | `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
| **General** | | `imagePullPolicy` | The image pull policy | `IfNotPresent` |
| `externalURL` | The external URL for Harbor service | `https://harbor.local` | | `logLevel` | The log level | `debug` |
| `imagePullPolicy` | The image pull policy | `IfNotPresent` | | `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
| `logLevel` | The log level | `debug` | | `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | | **Nginx**(if expose the service via `ingress`, the Nginx will not be used) |
| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | | `nginx.image.repository` | Image repository | `goharbor/nginx-photon` |
| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) | | `nginx.image.tag` | Image tag | `dev` |
| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | | `nginx.replicas` | The replica count | `1` |
| `nginx.image.tag` | Image tag | `dev` | | `nginx.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `nginx.replicas` | The replica count | `1` | | `nginx.nodeSelector` | Node labels for pod assignment | `{}` |
| `nginx.resources` | The [resources] to allocate for container | undefined | | `nginx.tolerations` | Tolerations for pod assignment | `[]` |
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | | `nginx.affinity` | Node/Pod affinities | `{}` |
| `nginx.tolerations` | Tolerations for pod assignment | `[]` | | `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
| `nginx.affinity` | Node/Pod affinities | `{}` | | **Portal** |
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | | `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` |
| **Portal** | | `portal.image.tag` | Tag for portal image | `dev` |
| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | | `portal.replicas` | The replica count | `1` |
| `portal.image.tag` | Tag for portal image | `dev` | | `portal.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `portal.replicas` | The replica count | `1` | | `portal.nodeSelector` | Node labels for pod assignment | `{}` |
| `portal.resources` | The [resources] to allocate for container | undefined | | `portal.tolerations` | Tolerations for pod assignment | `[]` |
| `portal.nodeSelector` | Node labels for pod assignment | `{}` | | `portal.affinity` | Node/Pod affinities | `{}` |
| `portal.tolerations` | Tolerations for pod assignment | `[]` | | `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
| `portal.affinity` | Node/Pod affinities | `{}` | | **Core** |
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | | `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` |
| **Core** | | `core.image.tag` | Tag for Harbor core image | `dev` |
| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | | `core.replicas` | The replica count | `1` |
| `core.image.tag` | Tag for Harbor core image | `dev` | | `core.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `core.replicas` | The replica count | `1` | | `core.nodeSelector` | Node labels for pod assignment | `{}` |
| `core.resources` | The [resources] to allocate for container | undefined | | `core.tolerations` | Tolerations for pod assignment | `[]` |
| `core.nodeSelector` | Node labels for pod assignment | `{}` | | `core.affinity` | Node/Pod affinities | `{}` |
| `core.tolerations` | Tolerations for pod assignment | `[]` | | `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.affinity` | Node/Pod affinities | `{}` | | **Adminserver** |
| `core.podAnnotations` | Annotations to add to the core pod | `{}` | | `adminserver.image.repository` | Repository for adminserver image | `goharbor/harbor-adminserver` |
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | | `adminserver.image.tag` | Tag for adminserver image | `dev` |
| `core.secret` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey` that contain the certificate and private key. They will be automatically generated if not set. | | | `adminserver.replicas` | The replica count | `1` |
| **Jobservice** | | `adminserver.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | | `adminserver.nodeSelector` | Node labels for pod assignment | `{}` |
| `jobservice.image.tag` | Tag for jobservice image | `dev` | | `adminserver.tolerations` | Tolerations for pod assignment | `[]` |
| `jobservice.replicas` | The replica count | `1` | | `adminserver.affinity` | Node/Pod affinities | `{}` |
| `jobservice.maxJobWorkers` | The max job workers | `10` | | `adminserver.podAnnotations` | Annotations to add to the adminserver pod | `{}` |
| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | | **Jobservice** |
| `jobservice.resources` | The [resources] to allocate for container | undefined | | `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` |
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | | `jobservice.image.tag` | Tag for jobservice image | `dev` |
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | | `jobservice.replicas` | The replica count | `1` |
| `jobservice.affinity` | Node/Pod affinities | `{}` | | `jobservice.maxJobWorkers` | The max job workers | `10` |
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | | `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` |
| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | | `jobservice.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| **Registry** | | `jobservice.nodeSelector` | Node labels for pod assignment | `{}` |
| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | | `jobservice.tolerations` | Tolerations for pod assignment | `[]` |
| `registry.registry.image.tag` | Tag for registry image | | `jobservice.affinity` | Node/Pod affinities | `{}` |
| `registry.registry.resources` | The [resources] to allocate for container | undefined | | `dev` | | `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | | **Registry** |
| `registry.controller.image.tag` | Tag for registry controller image | | `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
| `registry.controller.resources` | The [resources] to allocate for container | undefined | | `dev` | | `registry.registry.image.tag` | Tag for registry image | `dev` |
| `registry.replicas` | The replica count | `1` | | `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` |
| `registry.nodeSelector` | Node labels for pod assignment | `{}` | | `registry.controller.image.tag` | Tag for registry controller image | `dev` |
| `registry.tolerations` | Tolerations for pod assignment | `[]` | | `registry.replicas` | The replica count | `1` |
| `registry.affinity` | Node/Pod affinities | `{}` | | `registry.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | | `registry.nodeSelector` | Node labels for pod assignment | `{}` |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | | `registry.tolerations` | Tolerations for pod assignment | `[]` |
| **Chartmuseum** | | `registry.affinity` | Node/Pod affinities | `{}` |
| `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | | `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
| `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | | **Chartmuseum** |
| `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` | | `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` |
| `chartmuseum.replicas` | The replica count | `1` | | `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` |
| `chartmuseum.resources` | The [resources] to allocate for container | undefined | | `chartmuseum.image.tag` | Tag for chartmuseum image | `dev` |
| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` | | `chartmuseum.replicas` | The replica count | `1` |
| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | | `chartmuseum.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `chartmuseum.affinity` | Node/Pod affinities | `{}` | | `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` |
| `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | | `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` |
| **Clair** | | `chartmuseum.affinity` | Node/Pod affinities | `{}` |
| `clair.enabled` | Enable Clair | `true` | | `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` |
| `clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | | **Clair** |
| `clair.image.tag` | Tag for clair image | `dev` | | `clair.enabled` | Enable Clair | `true` |
| `clair.replicas` | The replica count | `1` | | `clair.image.repository` | Repository for clair image | `goharbor/clair-photon` |
| `clair.httpProxy` | The HTTP proxy used to update vulnerabilities database from internet | | | `clair.image.tag` | Tag for clair image | `dev`
| `clair.httpsProxy` | The HTTPS proxy used to update vulnerabilities database from internet | | | `clair.replicas` | The replica count | `1` |
| `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` | | `clair.httpProxy` | The HTTP proxy used to update vulnerabilities database from internet ||
| `clair.resources` | The [resources] to allocate for container | undefined | | `clair.httpsProxy` | The HTTPS proxy used to update vulnerabilities database from internet ||
| `clair.nodeSelector` | Node labels for pod assignment | `{}` | | `clair.updatersInterval` | The interval of clair updaters, the unit is hour, set to 0 to disable the updaters | `12` |
| `clair.tolerations` | Tolerations for pod assignment | `[]` | | `clair.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined
| `clair.affinity` | Node/Pod affinities | `{}` | | `clair.nodeSelector` | Node labels for pod assignment | `{}` |
| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` | | `clair.tolerations` | Tolerations for pod assignment | `[]` |
| **Notary** | | `clair.affinity` | Node/Pod affinities | `{}` |
| `notary.enabled` | Enable Notary? | `true` | | `clair.podAnnotations` | Annotations to add to the clair pod | `{}` |
| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | | **Notary** |
| `notary.server.image.tag` | Tag for notary server image | `dev` | | `notary.enabled` | Enable Notary? | `true` |
| `notary.server.replicas` | The replica count | | `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` |
| `notary.server.resources` | The [resources] to allocate for container | undefined | | `1` | | `notary.server.image.tag` | Tag for notary server image | `dev`
| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | | `notary.server.replicas` | The replica count | `1` |
| `notary.signer.image.tag` | Tag for notary signer image | `dev` | | `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` |
| `notary.signer.replicas` | The replica count | | `notary.signer.image.tag` | Tag for notary signer image | `dev`
| `notary.signer.resources` | The [resources] to allocate for container | undefined | | `1` | | `notary.signer.replicas` | The replica count | `1` |
| `notary.nodeSelector` | Node labels for pod assignment | `{}` | | `notary.nodeSelector` | Node labels for pod assignment | `{}` |
| `notary.tolerations` | Tolerations for pod assignment | `[]` | | `notary.tolerations` | Tolerations for pod assignment | `[]` |
| `notary.affinity` | Node/Pod affinities | `{}` | | `notary.affinity` | Node/Pod affinities | `{}` |
| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | | `notary.podAnnotations` | Annotations to add to the notary pod | `{}` |
| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | | **Database** |
| **Database** | | `database.type` | If external database is used, set it to `external` | `internal` |
| `database.type` | If external database is used, set it to `external` | `internal` | | `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | | `database.internal.image.tag` | Tag for database image | `dev` |
| `database.internal.image.tag` | Tag for database image | `dev` | | `database.internal.password` | The password for database | `changeit` |
| `database.internal.password` | The password for database | `changeit` | | `database.internal.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `database.internal.resources` | The [resources] to allocate for container | undefined | | `database.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | | `database.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | | `database.internal.affinity` | Node/Pod affinities | `{}` |
| `database.internal.affinity` | Node/Pod affinities | `{}` | | `database.external.host` | The hostname of external database | `192.168.0.1` |
| `database.external.host` | The hostname of external database | `192.168.0.1` | | `database.external.port` | The port of external database | `5432` |
| `database.external.port` | The port of external database | `5432` | | `database.external.username` | The username of external database | `user` |
| `database.external.username` | The username of external database | `user` | | `database.external.password` | The password of external database | `password` |
| `database.external.password` | The password of external database | `password` | | `database.external.coreDatabase` | The database used by core service | `registry` |
| `database.external.coreDatabase` | The database used by core service | `registry` | | `database.external.clairDatabase` | The database used by clair | `clair` |
| `database.external.clairDatabase` | The database used by clair | `clair` | | `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` |
| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | | `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` |
| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | | `database.external.sslmode` | Connection method of external database (require|prefer|disable) | `disable`|
| `database.external.sslmode` | Connection method of external database (require | prefer | disable) | `disable` | | `database.podAnnotations` | Annotations to add to the database pod | `{}` |
| `database.podAnnotations` | Annotations to add to the database pod | `{}` | | **Redis** |
| **Redis** | | `redis.type` | If external redis is used, set it to `external` | `internal` |
| `redis.type` | If external redis is used, set it to `external` | `internal` | | `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` |
| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | | `redis.internal.image.tag` | Tag for redis image | `dev` |
| `redis.internal.image.tag` | Tag for redis image | `dev` | | `redis.internal.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `redis.internal.resources` | The [resources] to allocate for container | undefined | | `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | | `redis.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | | `redis.internal.affinity` | Node/Pod affinities | `{}` |
| `redis.internal.affinity` | Node/Pod affinities | `{}` | | `redis.external.host` | The hostname of external Redis | `192.168.0.2` |
| `redis.external.host` | The hostname of external Redis | `192.168.0.2` | | `redis.external.port` | The port of external Redis | `6379` |
| `redis.external.port` | The port of external Redis | `6379` | | `redis.external.coreDatabaseIndex` | The database index for core | `0` |
| `redis.external.coreDatabaseIndex` | The database index for core | `0` | | `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | | `redis.external.registryDatabaseIndex` | The database index for registry | `2` |
| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | | `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` |
| `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | | `redis.external.password` | The password of external Redis | |
| `redis.external.password` | The password of external Redis | | | `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
templates/_helpers.tpl
View file @ fadc628d
...@@ -36,6 +36,22 @@ release: {{ .Release.Name }} ...@@ -36,6 +36,22 @@ release: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "harbor.autoGenCertForIngress" -}}
{{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}}
{{- printf "true" -}}
{{- else -}}
{{- printf "false" -}}
{{- end -}}
{{- end -}}
{{- define "harbor.autoGenCertForNginx" -}}
{{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}}
{{- printf "true" -}}
{{- else -}}
{{- printf "false" -}}
{{- end -}}
{{- end -}}
{{- define "harbor.database.host" -}} {{- define "harbor.database.host" -}}
{{- if eq .Values.database.type "internal" -}} {{- if eq .Values.database.type "internal" -}}
{{- template "harbor.database" . }} {{- template "harbor.database" . }}
...@@ -216,6 +232,10 @@ host:port,pool_size,password ...@@ -216,6 +232,10 @@ host:port,pool_size,password
{{- printf "%s-redis" (include "harbor.fullname" .) -}} {{- printf "%s-redis" (include "harbor.fullname" .) -}}
{{- end -}} {{- end -}}
{{- define "harbor.adminserver" -}}
{{- printf "%s-adminserver" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.jobservice" -}} {{- define "harbor.jobservice" -}}
{{- printf "%s-jobservice" (include "harbor.fullname" .) -}} {{- printf "%s-jobservice" (include "harbor.fullname" .) -}}
{{- end -}} {{- end -}}
...@@ -248,32 +268,6 @@ host:port,pool_size,password ...@@ -248,32 +268,6 @@ host:port,pool_size,password
{{- printf "%s-nginx" (include "harbor.fullname" .) -}} {{- printf "%s-nginx" (include "harbor.fullname" .) -}}
{{- end -}} {{- end -}}
{{- define "harbor.ingress.core" -}} {{- define "harbor.ingress" -}}
{{- printf "%s-ingress-core" (include "harbor.fullname" .) -}} {{- printf "%s-ingress" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.ingress.notary" -}}
{{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.certificate" -}}
{{- printf "%s-certificate" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.certificate-secret" -}}
{{- $tls := .Values.expose.tls -}}
{{- if $tls.secretName }}
{{- printf "%s" $tls.secretName -}}
{{- else }}
{{- printf "%s" (include "harbor.certificate" .) -}}
{{- end }}
{{- end -}}
{{- define "harbor.common-name" -}}
{{- $expose := .Values.expose }}
{{- if and (eq $expose.type "ingress") $expose.ingress.host }}
{{- printf "%s" $expose.ingress.host -}}
{{- else }}
{{- printf "%s" $expose.tls.commonName -}}
{{- end }}
{{- end -}} {{- end -}}
\ No newline at end of file
templates/adminserver/adminserver-cm.yaml 0 → 100644
View file @ fadc628d
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.adminserver" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
app: adminserver
data:
DATABASE_TYPE: "postgresql"
POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
EXT_ENDPOINT: "{{ .Values.externalURL }}"
CORE_URL: "http://{{ template "harbor.core" . }}"
JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
REGISTRY_URL: "http://{{ template "harbor.registry" . }}:5000"
TOKEN_SERVICE_URL: "http://{{ template "harbor.core" . }}/service/token"
WITH_NOTARY: "{{ .Values.notary.enabled }}"
NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
LOG_LEVEL: "{{ .Values.logLevel }}"
IMAGE_STORE_PATH: "/" # This is a temporary hack.
CFG_EXPIRATION: "5"
ADMIRAL_URL: "NA"
RESET: "false"
WITH_CLAIR: "{{ .Values.clair.enabled }}"
CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}"
CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}"
CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}"
CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}"
CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060"
CLAIR_DB_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
UAA_ENDPOINT: ""
UAA_CLIENTID: ""
UAA_CLIENTSECRET: ""
UAA_VERIFY_CERT: "True"
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}"
CHART_REPOSITORY_URL: "http://{{ template "harbor.chartmuseum" . }}"
# The following properties have no default value in Harbor core if not
# set via env. They should be removed after the refactoring:
# AUTH_MODE, SELF_REGISTRATION, PROJECT_CREATION_RESTRICTION
AUTH_MODE: "db_auth"
SELF_REGISTRATION: "on"
PROJECT_CREATION_RESTRICTION: "everyone"
TOKEN_EXPIRATION: "30"
EMAIL_HOST: "smtp.mydomain.com"
EMAIL_FROM: "admin <sample_admin@mydomain.com>"
EMAIL_PORT: "25"
\ No newline at end of file
templates/adminserver/adminserver-dpl.yaml 0 → 100644
View file @ fadc628d
apiVersion: apps/v1
kind: Deployment
metadata:
name: "{{ template "harbor.adminserver" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
app: adminserver
spec:
replicas: {{ .Values.adminserver.replicas }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
app: adminserver
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
app: adminserver
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/adminserver/adminserver-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/adminserver/adminserver-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
{{- if .Values.adminserver.podAnnotations }}
{{ toYaml .Values.adminserver.podAnnotations | indent 8 }}
{{- end }}
spec:
containers:
- name: adminserver
image: "{{ .Values.adminserver.image.repository }}:{{ .Values.adminserver.image.tag }}"
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
livenessProbe:
httpGet:
path: /api/ping
port: 8080
initialDelaySeconds: 1
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/ping
port: 8080
initialDelaySeconds: 1
periodSeconds: 10
resources:
{{ toYaml .Values.adminserver.resources | indent 10 }}
envFrom:
- configMapRef:
name: "{{ template "harbor.adminserver" . }}"
- secretRef:
name: "{{ template "harbor.adminserver" . }}"
env:
- name: PORT
value: "8080"
- name: JSON_CFG_STORE_PATH
value: /etc/adminserver/config/config.json
- name: KEY_PATH
value: /etc/adminserver/key
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: "{{ template "harbor.core" . }}"
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: "{{ template "harbor.jobservice" . }}"
key: secret
ports:
- containerPort: 8080
volumeMounts:
- name: adminserver-key
mountPath: /etc/adminserver/key
subPath: key
- name: etc-localtime
mountPath: /etc/localtime
volumes:
- name: etc-localtime
hostPath:
path: /etc/localtime
- name: adminserver-key
secret:
secretName: "{{ template "harbor.adminserver" . }}"
items:
- key: secretKey
path: key
{{- with .Values.adminserver.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.adminserver.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.adminserver.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
\ No newline at end of file
templates/adminserver/adminserver-secrets.yaml 0 → 100644
View file @ fadc628d
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.adminserver" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
app: adminserver
type: Opaque
data:
secretKey: {{ .Values.secretKey | b64enc | quote }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{ if .Values.clair.enabled }}
CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{ end }}
templates/adminserver/adminserver-svc.yaml 0 → 100644
View file @ fadc628d
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.adminserver" . }}"
spec:
ports:
- port: 80
targetPort: 8080
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
app: adminserver
\ No newline at end of file
templates/chartmuseum/chartmuseum-cm.yaml
View file @ fadc628d
...@@ -22,7 +22,7 @@ data: ...@@ -22,7 +22,7 @@ data:
DISABLE_API: "false" DISABLE_API: "false"
DISABLE_STATEFILES: "false" DISABLE_STATEFILES: "false"
ALLOW_OVERWRITE: "true" ALLOW_OVERWRITE: "true"
#CHART_URL: {{ .Values.externalURL }}/chartrepo CHART_URL:
AUTH_ANONYMOUS_GET: "false" AUTH_ANONYMOUS_GET: "false"
TLS_CERT: TLS_CERT:
TLS_KEY: TLS_KEY:
...@@ -45,7 +45,6 @@ data: ...@@ -45,7 +45,6 @@ data:
{{- else if eq $storageType "gcs" }} {{- else if eq $storageType "gcs" }}
STORAGE: "google" STORAGE: "google"
STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }}
GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json
{{- if $storage.gcs.rootdirectory }} {{- if $storage.gcs.rootdirectory }}
STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }}
{{- end }} {{- end }}
......
templates/chartmuseum/chartmuseum-dpl.yaml
View file @ fadc628d
...@@ -20,7 +20,6 @@ spec: ...@@ -20,7 +20,6 @@ spec:
annotations: annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }} checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.chartmuseum.podAnnotations }} {{- if .Values.chartmuseum.podAnnotations }}
{{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }} {{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }}
{{- end }} {{- end }}
...@@ -41,10 +40,8 @@ spec: ...@@ -41,10 +40,8 @@ spec:
port: 9999 port: 9999
initialDelaySeconds: 1 initialDelaySeconds: 1
periodSeconds: 10 periodSeconds: 10
{{- if .Values.chartmuseum.resources }}
resources: resources:
{{ toYaml .Values.chartmuseum.resources | indent 10 }} {{ toYaml .Values.chartmuseum.resources | indent 10 }}
{{- end }}
envFrom: envFrom:
- configMapRef: - configMapRef:
name: "{{ template "harbor.chartmuseum" . }}" name: "{{ template "harbor.chartmuseum" . }}"
...@@ -62,7 +59,7 @@ spec: ...@@ -62,7 +59,7 @@ spec:
- name: chartmuseum-data - name: chartmuseum-data
mountPath: /chart_storage mountPath: /chart_storage
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
......
templates/clair/clair-dpl.yaml
View file @ fadc628d
...@@ -51,10 +51,8 @@ spec: ...@@ -51,10 +51,8 @@ spec:
{{- end }} {{- end }}
- name: NO_PROXY - name: NO_PROXY
value: "{{ template "harbor.registry" . }},{{ template "harbor.core" . }}" value: "{{ template "harbor.registry" . }},{{ template "harbor.core" . }}"
{{- if .Values.clair.resources }}
resources: resources:
{{ toYaml .Values.clair.resources | indent 10 }} {{ toYaml .Values.clair.resources | indent 10 }}
{{- end }}
ports: ports:
- containerPort: 6060 - containerPort: 6060
volumeMounts: volumeMounts:
......
templates/clair/clair-svc.yaml
View file @ fadc628d
...@@ -7,10 +7,7 @@ metadata: ...@@ -7,10 +7,7 @@ metadata:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
ports: ports:
- name: clair - port: 6060
port: 6060
- name: health
port: 6061
selector: selector:
{{ include "harbor.matchLabels" . | indent 4 }} {{ include "harbor.matchLabels" . | indent 4 }}
app: clair app: clair
......
templates/core/core-cm.yaml
View file @ fadc628d
...@@ -7,41 +7,8 @@ metadata: ...@@ -7,41 +7,8 @@ metadata:
data: data:
app.conf: |+ app.conf: |+
appname = Harbor appname = Harbor
runmode = dev runmode = prod
enablegzip = true enablegzip = true
[dev] [prod]
httpport = 8080 httpport = 8080
DATABASE_TYPE: "postgresql"
POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
EXT_ENDPOINT: "{{ .Values.externalURL }}"
CORE_URL: "http://{{ template "harbor.core" . }}"
JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
REGISTRY_URL: "http://{{ template "harbor.registry" . }}:5000"
TOKEN_SERVICE_URL: "http://{{ template "harbor.core" . }}/service/token"
WITH_NOTARY: "{{ .Values.notary.enabled }}"
NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
CFG_EXPIRATION: "5"
WITH_CLAIR: "{{ .Values.clair.enabled }}"
CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}"
CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}"
CLAIR_DB_USERNAME: "{{ template "harbor.database.username" . }}"
CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}"
CLAIR_DB_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
CLAIR_URL: "http://{{ template "harbor.fullname" . }}-clair:6060"
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}"
CHART_REPOSITORY_URL: "http://{{ template "harbor.chartmuseum" . }}"
LOG_LEVEL: "{{ .Values.logLevel }}"
CONFIG_PATH: "/etc/core/app.conf"
SYNC_REGISTRY: "false"
CHART_CACHE_DRIVER: "redis"
_REDIS_URL: "{{ template "harbor.redisForCore" . }}"
_REDIS_URL_REG: "{{ template "harbor.redisForGC" . }}"
PORTAL_URL: "http://{{ template "harbor.portal" . }}"
REGISTRYCTL_URL: "http://{{ template "harbor.registry" . }}:8080"
CLAIR_HEALTH_CHECK_SERVER_URL: "http://{{ template "harbor.clair" . }}:6061"
\ No newline at end of file
templates/core/core-dpl.yaml
View file @ fadc628d
...@@ -19,7 +19,6 @@ spec: ...@@ -19,7 +19,6 @@ spec:
annotations: annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
{{- if .Values.core.podAnnotations }} {{- if .Values.core.podAnnotations }}
{{ toYaml .Values.core.podAnnotations | indent 8 }} {{ toYaml .Values.core.podAnnotations | indent 8 }}
{{- end }} {{- end }}
...@@ -40,11 +39,6 @@ spec: ...@@ -40,11 +39,6 @@ spec:
port: 8080 port: 8080
initialDelaySeconds: 20 initialDelaySeconds: 20
periodSeconds: 10 periodSeconds: 10
envFrom:
- configMapRef:
name: "{{ template "harbor.core" . }}"
- secretRef:
name: "{{ template "harbor.core" . }}"
env: env:
- name: CORE_SECRET - name: CORE_SECRET
valueFrom: valueFrom:
...@@ -56,6 +50,20 @@ spec: ...@@ -56,6 +50,20 @@ spec:
secretKeyRef: secretKeyRef:
name: "{{ template "harbor.jobservice" . }}" name: "{{ template "harbor.jobservice" . }}"
key: secret key: secret
- name: _REDIS_URL
value: {{ template "harbor.redisForCore" . }}
- name: _REDIS_URL_REG
value: {{ template "harbor.redisForGC" . }}
- name: LOG_LEVEL
value: {{ .Values.logLevel }}
- name: CONFIG_PATH
value: /etc/core/app.conf
- name: SYNC_REGISTRY
value: "false"
- name: ADMINSERVER_URL
value: "http://{{ template "harbor.adminserver" . }}"
- name: CHART_CACHE_DRIVER
value: "redis"
ports: ports:
- containerPort: 8080 - containerPort: 8080
volumeMounts: volumeMounts:
...@@ -69,18 +77,14 @@ spec: ...@@ -69,18 +77,14 @@ spec:
mountPath: /etc/core/private_key.pem mountPath: /etc/core/private_key.pem
subPath: tokenServicePrivateKey subPath: tokenServicePrivateKey
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
{{- if .Values.expose.tls.enabled }} {{- if eq (include "harbor.autoGenCert" .) "true" }}
- name: ca-download - name: ca-download
mountPath: /etc/core/ca/ca.crt mountPath: /etc/core/ca/ca.crt
subPath: ca.crt subPath: ca.crt
{{- end }} {{- end }}
- name: psc - name: psc
mountPath: /etc/core/token mountPath: /etc/core/token
{{- if .Values.core.resources }}
resources:
{{ toYaml .Values.core.resources | indent 10 }}
{{- end }}
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
...@@ -96,15 +100,15 @@ spec: ...@@ -96,15 +100,15 @@ spec:
path: key path: key
- name: token-service-private-key - name: token-service-private-key
secret: secret:
{{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }} secretName: {{ template "harbor.core" . }}
{{- end }} {{- if eq (include "harbor.autoGenCert" .) "true" }}
{{- if .Values.expose.tls.enabled }}
- name: ca-download - name: ca-download
secret: secret:
secretName: "{{ template "harbor.certificate-secret" . }}" {{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
secretName: "{{ template "harbor.ingress" . }}"
{{- else }}
secretName: {{ template "harbor.nginx" . }}
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
...@@ -122,4 +126,4 @@ spec: ...@@ -122,4 +126,4 @@ spec:
{{- with .Values.core.tolerations }} {{- with .Values.core.tolerations }}
tolerations: tolerations:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }} {{- end }}
\ No newline at end of file
templates/core/core-secret.yaml
View file @ fadc628d
...@@ -8,13 +8,7 @@ metadata: ...@@ -8,13 +8,7 @@ metadata:
type: Opaque type: Opaque
data: data:
secretKey: {{ .Values.secretKey | b64enc | quote }} secretKey: {{ .Values.secretKey | b64enc | quote }}
secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} secret: {{ randAlphaNum 16 | b64enc | quote }}
{{- if not .Values.core.secretName }}
tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }} tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }}
tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }} tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }}
{{- end }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} \ No newline at end of file
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{ if .Values.clair.enabled }}
CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{ end }}
templates/core/core-svc.yaml
View file @ fadc628d
...@@ -5,9 +5,6 @@ metadata: ...@@ -5,9 +5,6 @@ metadata:
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports: ports:
- port: 80 - port: 80
targetPort: 8080 targetPort: 8080
......
templates/database/database-ss.yaml
View file @ fadc628d
{{- if eq .Values.database.type "internal" -}} {{- if eq .Values.database.type "internal" -}}
{{- $database := .Values.persistence.persistentVolumeClaim.database -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
...@@ -28,7 +27,6 @@ spec: ...@@ -28,7 +27,6 @@ spec:
initContainers: initContainers:
- name: "remove-lost-found" - name: "remove-lost-found"
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"] command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
volumeMounts: volumeMounts:
- name: database-data - name: database-data
...@@ -49,10 +47,8 @@ spec: ...@@ -49,10 +47,8 @@ spec:
- /docker-healthcheck.sh - /docker-healthcheck.sh
initialDelaySeconds: 1 initialDelaySeconds: 1
periodSeconds: 10 periodSeconds: 10
{{- if .Values.database.internal.resources }}
resources: resources:
{{ toYaml .Values.database.internal.resources | indent 10 }} {{ toYaml .Values.database.internal.resources | indent 10 }}
{{- end }}
envFrom: envFrom:
- secretRef: - secretRef:
name: "{{ template "harbor.database" . }}" name: "{{ template "harbor.database" . }}"
...@@ -60,7 +56,7 @@ spec: ...@@ -60,7 +56,7 @@ spec:
- name: database-data - name: database-data
mountPath: /var/lib/postgresql/data mountPath: /var/lib/postgresql/data
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
......
templates/ingress/ingress.yaml
View file @ fadc628d
{{- if eq .Values.expose.type "ingress" }} {{- if eq .Values.expose.type "ingress" }}
{{- $ingress := .Values.expose.ingress -}} {{- $ingress := .Values.expose.ingress -}}
{{- $tls := .Values.expose.tls -}}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
name: "{{ template "harbor.ingress.core" . }}" name: "{{ template "harbor.ingress" . }}"
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
annotations: annotations:
{{ toYaml $ingress.annotations | indent 4 }} {{ toYaml $ingress.annotations | indent 4 }}
spec: spec:
{{- if .Values.expose.tls.enabled }} {{- if $tls.enabled }}
tls: tls:
- secretName: {{ template "harbor.certificate-secret" . }} - hosts:
{{- if $ingress.host }} - {{ $ingress.hosts.core }}
hosts: {{- if $tls.secretName }}
- {{ $ingress.host }} secretName: {{ $tls.secretName }}
{{- else }}
secretName: "{{ template "harbor.ingress" . }}"
{{- end }} {{- end }}
{{- end }} {{- if .Values.notary.enabled }}
{{- if eq .Values.expose.ingress.controller "gce" }} - hosts:
rules: - {{ $ingress.hosts.notary }}
- http: {{- if $tls.notarySecretName }}
paths: secretName: {{ $tls.notarySecretName }}
- path: /* {{- else if $tls.secretName }}
backend: secretName: {{ $tls.secretName }}
serviceName: {{ template "harbor.portal" . }} {{- else }}
servicePort: 80 secretName: "{{ template "harbor.ingress" . }}"
- path: /api/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /service/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /v2/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /chartrepo/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /c/*
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
{{- if $ingress.host }}
host: {{ $ingress.host }}
{{- end }} {{- end }}
{{- else }} {{- end }}
{{- end }}
rules: rules:
- http: - host: {{ $ingress.hosts.core }}
http:
paths: paths:
- path: / - path: /
backend: backend:
...@@ -76,8 +59,13 @@ spec: ...@@ -76,8 +59,13 @@ spec:
backend: backend:
serviceName: {{ template "harbor.core" . }} serviceName: {{ template "harbor.core" . }}
servicePort: 80 servicePort: 80
{{- if $ingress.host }} {{- if .Values.notary.enabled }}
host: {{ $ingress.host }} - host: {{ $ingress.hosts.notary }}
{{- end }} http:
{{- end }} paths:
- path: /
backend:
serviceName: {{ template "harbor.notary-server" . }}
servicePort: 4443
{{- end }}
{{- end }} {{- end }}
\ No newline at end of file
templates/ingress/secret.yaml 0 → 100644
View file @ fadc628d
{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
{{- $ca := genCA "harbor-ca" 365 }}
{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.ingress" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- end }}
\ No newline at end of file
templates/jobservice/jobservice-cm.yaml
View file @ fadc628d
...@@ -36,4 +36,5 @@ data: ...@@ -36,4 +36,5 @@ data:
#Loggers for the job service #Loggers for the job service
loggers: loggers:
- name: "STD_OUTPUT" - name: "STD_OUTPUT"
level: {{ .Values.logLevel | upper }} level: {{ .Values.logLevel | upper }}
\ No newline at end of file admin_server: "http://{{ template "harbor.adminserver" . }}"
templates/jobservice/jobservice-dpl.yaml
View file @ fadc628d
...@@ -19,7 +19,6 @@ spec: ...@@ -19,7 +19,6 @@ spec:
annotations: annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.jobservice.podAnnotations }} {{- if .Values.jobservice.podAnnotations }}
{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} {{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
{{- end }} {{- end }}
...@@ -40,10 +39,8 @@ spec: ...@@ -40,10 +39,8 @@ spec:
port: 8080 port: 8080
initialDelaySeconds: 20 initialDelaySeconds: 20
periodSeconds: 10 periodSeconds: 10
{{- if .Values.jobservice.resources }}
resources: resources:
{{ toYaml .Values.jobservice.resources | indent 10 }} {{ toYaml .Values.jobservice.resources | indent 10 }}
{{- end }}
env: env:
- name: CORE_SECRET - name: CORE_SECRET
valueFrom: valueFrom:
...@@ -55,8 +52,8 @@ spec: ...@@ -55,8 +52,8 @@ spec:
secretKeyRef: secretKeyRef:
name: "{{ template "harbor.jobservice" . }}" name: "{{ template "harbor.jobservice" . }}"
key: secret key: secret
- name: CORE_URL - name: ADMINSERVER_URL
value: "http://{{ template "harbor.core" . }}" value: "http://{{ template "harbor.adminserver" . }}"
- name: REGISTRY_CONTROLLER_URL - name: REGISTRY_CONTROLLER_URL
value: "http://{{ template "harbor.registry" . }}:8080" value: "http://{{ template "harbor.registry" . }}:8080"
- name: LOG_LEVEL - name: LOG_LEVEL
...@@ -70,7 +67,7 @@ spec: ...@@ -70,7 +67,7 @@ spec:
- name: job-logs - name: job-logs
mountPath: /var/log/jobs mountPath: /var/log/jobs
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
...@@ -79,7 +76,12 @@ spec: ...@@ -79,7 +76,12 @@ spec:
configMap: configMap:
name: "{{ template "harbor.jobservice" . }}" name: "{{ template "harbor.jobservice" . }}"
- name: job-logs - name: job-logs
{{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }}
{{- else }}
emptyDir: {} emptyDir: {}
{{- end }}
{{- with .Values.jobservice.nodeSelector }} {{- with .Values.jobservice.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
......
templates/jobservice/jobservice-secrets.yaml
View file @ fadc628d
...@@ -6,4 +6,4 @@ metadata: ...@@ -6,4 +6,4 @@ metadata:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
type: Opaque type: Opaque
data: data:
secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} secret: {{ randAlphaNum 16 | b64enc | quote }}
\ No newline at end of file
templates/nginx/configmap-http.yaml
View file @ fadc628d
...@@ -67,19 +67,6 @@ data: ...@@ -67,19 +67,6 @@ data:
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
} }
location /chartrepo/ {
proxy_pass http://core/chartrepo/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /c/ { location /c/ {
proxy_pass http://core/c/; proxy_pass http://core/c/;
......
templates/nginx/configmap-https.yaml
View file @ fadc628d
...@@ -42,6 +42,41 @@ data: ...@@ -42,6 +42,41 @@ data:
access_log /dev/stdout timed_combined; access_log /dev/stdout timed_combined;
{{- if .Values.notary.enabled }}
server {
listen 4443 ssl;
server_tokens off;
# ssl
ssl_certificate /etc/nginx/cert/tls.crt;
ssl_certificate_key /etc/nginx/cert/tls.key;
# recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
ssl_protocols tlsv1.1 tlsv1.2;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:ssl:10m;
# disable any limits to avoid http 413 for large image uploads
client_max_body_size 0;
# required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
proxy_pass http://notary-server/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
}
{{- end }}
server { server {
listen 443 ssl; listen 443 ssl;
# server_name harbordomain.com; # server_name harbordomain.com;
...@@ -90,19 +125,6 @@ data: ...@@ -90,19 +125,6 @@ data:
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
} }
location /chartrepo/ {
proxy_pass http://core/chartrepo/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /c/ { location /c/ {
proxy_pass http://core/c/; proxy_pass http://core/c/;
...@@ -149,22 +171,6 @@ data: ...@@ -149,22 +171,6 @@ data:
location /service/notifications { location /service/notifications {
return 404; return 404;
} }
{{- if .Values.notary.enabled }}
location /notary/ {
proxy_pass http://notary-server;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
rewrite /notary/(.*) /$1 break;
}
{{- end }}
} }
server { server {
listen 80; listen 80;
...@@ -172,4 +178,5 @@ data: ...@@ -172,4 +178,5 @@ data:
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
} }
{{- end }} {{- end }}
\ No newline at end of file
\ No newline at end of file
templates/nginx/deployment.yaml
View file @ fadc628d
...@@ -23,8 +23,8 @@ spec: ...@@ -23,8 +23,8 @@ spec:
{{- else }} {{- else }}
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }}
{{- end }} {{- end }}
{{- if eq (include "harbor.autoGenCert" .) "true" }} {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
checksum/secret: {{ include (print $.Template.BasePath "/common/certificate-secret.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }}
{{- end }} {{- end }}
{{- if .Values.nginx.podAnnotations }} {{- if .Values.nginx.podAnnotations }}
{{ toYaml .Values.nginx.podAnnotations | indent 8 }} {{ toYaml .Values.nginx.podAnnotations | indent 8 }}
...@@ -46,13 +46,12 @@ spec: ...@@ -46,13 +46,12 @@ spec:
port: 80 port: 80
initialDelaySeconds: 1 initialDelaySeconds: 1
periodSeconds: 10 periodSeconds: 10
{{- if .Values.nginx.resources }}
resources: resources:
{{ toYaml .Values.nginx.resources | indent 10 }} {{ toYaml .Values.nginx.resources | indent 10 }}
{{- end }}
ports: ports:
- containerPort: 80 - containerPort: 80
- containerPort: 443 - containerPort: 443
- containerPort: 4443
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /etc/nginx/nginx.conf mountPath: /etc/nginx/nginx.conf
...@@ -68,7 +67,11 @@ spec: ...@@ -68,7 +67,11 @@ spec:
{{- if .Values.expose.tls.enabled }} {{- if .Values.expose.tls.enabled }}
- name: certificate - name: certificate
secret: secret:
secretName: {{ template "harbor.certificate-secret" . }} {{- if .Values.expose.tls.secretName }}
secretName: {{ .Values.expose.tls.secretName }}
{{- else }}
secretName: {{ template "harbor.nginx" . }}
{{- end }}
{{- end }} {{- end }}
{{- with .Values.nginx.nodeSelector }} {{- with .Values.nginx.nodeSelector }}
nodeSelector: nodeSelector:
......
templates/nginx/secret.yaml 0 → 100644
View file @ fadc628d
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
{{- $ca := genCA "harbor-ca" 365 }}
{{- $cn := (required "The \"expose.tls.commonName\" is required!" .Values.expose.tls.commonName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.nginx" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
{{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- else }}
{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- end }}
{{- end }}
\ No newline at end of file
templates/nginx/service.yaml
View file @ fadc628d
...@@ -5,19 +5,25 @@ metadata: ...@@ -5,19 +5,25 @@ metadata:
{{- if eq .Values.expose.type "clusterIP" }} {{- if eq .Values.expose.type "clusterIP" }}
{{- $clusterIP := .Values.expose.clusterIP }} {{- $clusterIP := .Values.expose.clusterIP }}
name: {{ $clusterIP.name }} name: {{ $clusterIP.name }}
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
type: ClusterIP type: ClusterIP
ports: ports:
- name: http - name: http
port: {{ $clusterIP.ports.http }} port: {{ $clusterIP.ports.httpPort }}
targetPort: 80 targetPort: 80
{{- if .Values.expose.tls.enabled }} {{- if .Values.expose.tls.enabled }}
- name: https - name: https
port: {{ $clusterIP.ports.https }} port: {{ $clusterIP.ports.httpsPort }}
targetPort: 443 targetPort: 443
{{- end }} {{- end }}
{{- if .Values.notary.enabled }}
- name: notary
port: {{ $clusterIP.ports.notaryPort }}
targetPort: 4443
{{- end }}
{{- else if eq .Values.expose.type "nodePort" }} {{- else if eq .Values.expose.type "nodePort" }}
{{- $nodePort := .Values.expose.nodePort }} {{- $nodePort := .Values.expose.nodePort }}
name: {{ $nodePort.name }} name: {{ $nodePort.name }}
...@@ -40,21 +46,13 @@ spec: ...@@ -40,21 +46,13 @@ spec:
nodePort: {{ $nodePort.ports.https.nodePort }} nodePort: {{ $nodePort.ports.https.nodePort }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- else if eq .Values.expose.type "loadBalancer" }} {{- if .Values.notary.enabled }}
{{- $loadBalancer := .Values.expose.loadBalancer }} - name: notary
name: {{ $loadBalancer.name }} port: {{ $nodePort.ports.notary.port }}
labels: targetPort: 4443
{{ include "harbor.labels" . | indent 4 }} {{- if $nodePort.ports.notary.nodePort }}
spec: nodePort: {{ $nodePort.ports.notary.nodePort }}
type: LoadBalancer {{- end }}
ports:
- name: http
port: {{ $loadBalancer.ports.http }}
targetPort: 80
{{- if .Values.expose.tls.enabled }}
- name: https
port: {{ $loadBalancer.ports.https }}
targetPort: 443
{{- end }} {{- end }}
{{- end }} {{- end }}
selector: selector:
......
templates/notary/notary-cm.yaml
View file @ fadc628d
...@@ -9,14 +9,12 @@ metadata: ...@@ -9,14 +9,12 @@ metadata:
data: data:
{{ $ca := genCA "harbor-notary-ca" 365 }} {{ $ca := genCA "harbor-notary-ca" 365 }}
{{ $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} {{ $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }}
{{- if not .Values.notary.secretName }}
notary-signer-ca.crt: | notary-signer-ca.crt: |
{{ $ca.Cert | indent 4 }} {{ $ca.Cert | indent 4 }}
notary-signer.crt: | notary-signer.crt: |
{{ $cert.Cert | indent 4 }} {{ $cert.Cert | indent 4 }}
notary-signer.key: | notary-signer.key: |
{{ $cert.Key | indent 4 }} {{ $cert.Key | indent 4 }}
{{- end }}
server-config.postgres.json: | server-config.postgres.json: |
{ {
"server": { "server": {
...@@ -26,11 +24,7 @@ data: ...@@ -26,11 +24,7 @@ data:
"type": "remote", "type": "remote",
"hostname": "{{ template "harbor.notary-signer" . }}", "hostname": "{{ template "harbor.notary-signer" . }}",
"port": "7899", "port": "7899",
{{- if not .Values.notary.secretName }}
"tls_ca_file": "./notary-signer-ca.crt", "tls_ca_file": "./notary-signer-ca.crt",
{{- else }}
"tls_ca_file": "/etc/ssl/notary/cert/notary-signer-ca.crt",
{{- end }}
"key_algorithm": "ecdsa" "key_algorithm": "ecdsa"
}, },
"logging": { "logging": {
...@@ -54,13 +48,8 @@ data: ...@@ -54,13 +48,8 @@ data:
{ {
"server": { "server": {
"grpc_addr": ":7899", "grpc_addr": ":7899",
{{- if not .Values.notary.secretName }}
"tls_cert_file": "./notary-signer.crt", "tls_cert_file": "./notary-signer.crt",
"tls_key_file": "./notary-signer.key" "tls_key_file": "./notary-signer.key"
{{- else }}
"tls_cert_file": "/etc/ssl/notary/cert/notary-signer.crt",
"tls_key_file": "/etc/ssl/notary/cert/notary-signer.key"
{{- end }}
}, },
"logging": { "logging": {
"level": "{{ .Values.logLevel }}" "level": "{{ .Values.logLevel }}"
......
templates/notary/notary-server.yaml
View file @ fadc628d
...@@ -19,7 +19,6 @@ spec: ...@@ -19,7 +19,6 @@ spec:
app: notary-server app: notary-server
annotations: annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/notary/notary-cm.yaml") . | sha256sum }} checksum/configmap: {{ include (print $.Template.BasePath "/notary/notary-cm.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.notary.podAnnotations }} {{- if .Values.notary.podAnnotations }}
{{ toYaml .Values.notary.podAnnotations | indent 8 }} {{ toYaml .Values.notary.podAnnotations | indent 8 }}
{{- end }} {{- end }}
...@@ -28,10 +27,8 @@ spec: ...@@ -28,10 +27,8 @@ spec:
- name: notary-server - name: notary-server
image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.notary.server.resources }}
resources: resources:
{{ toYaml .Values.notary.server.resources | indent 10 }} {{ toYaml .Values.notary.server.resources | indent 10 }}
{{- end }}
env: env:
- name: MIGRATIONS_PATH - name: MIGRATIONS_PATH
value: migrations/server/postgresql value: migrations/server/postgresql
...@@ -41,15 +38,10 @@ spec: ...@@ -41,15 +38,10 @@ spec:
- name: notary-config - name: notary-config
mountPath: /etc/notary mountPath: /etc/notary
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
- name: root-certificate - name: root-certificate
mountPath: /root.crt mountPath: /root.crt
subPath: tokenServiceRootCertBundle subPath: tokenServiceRootCertBundle
{{- if .Values.notary.secretName }}
- name: notary-ca
mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt
subPath: ca
{{- end }}
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
...@@ -59,16 +51,7 @@ spec: ...@@ -59,16 +51,7 @@ spec:
name: "{{ template "harbor.notary-server" . }}" name: "{{ template "harbor.notary-server" . }}"
- name: root-certificate - name: root-certificate
secret: secret:
{{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }} secretName: {{ template "harbor.core" . }}
{{- end }}
{{- if .Values.notary.secretName }}
- name: notary-ca
secret:
secretName: {{ .Values.notary.secretName }}
{{- end }}
{{- with .Values.notary.nodeSelector }} {{- with .Values.notary.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
......
templates/notary/notary-signer.yaml
View file @ fadc628d
...@@ -24,10 +24,8 @@ spec: ...@@ -24,10 +24,8 @@ spec:
- name: notary-signer - name: notary-signer
image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.notary.signer.resources }}
resources: resources:
{{ toYaml .Values.notary.signer.resources | indent 10 }} {{ toYaml .Values.notary.signer.resources | indent 10 }}
{{- end }}
env: env:
- name: MIGRATIONS_PATH - name: MIGRATIONS_PATH
value: migrations/signer/postgresql value: migrations/signer/postgresql
...@@ -39,18 +37,7 @@ spec: ...@@ -39,18 +37,7 @@ spec:
- name: notary-config - name: notary-config
mountPath: /etc/notary mountPath: /etc/notary
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
{{- if .Values.notary.secretName }}
- name: notary-cert
mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt
subPath: ca
- name: notary-cert
mountPath: /etc/ssl/notary/cert/notary-signer.crt
subPath: crt
- name: notary-cert
mountPath: /etc/ssl/notary/cert/notary-signer.key
subPath: key
{{- end }}
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
...@@ -58,11 +45,6 @@ spec: ...@@ -58,11 +45,6 @@ spec:
- name: notary-config - name: notary-config
configMap: configMap:
name: "{{ template "harbor.notary-server" . }}" name: "{{ template "harbor.notary-server" . }}"
{{- if .Values.notary.secretName }}
- name: notary-cert
secret:
secretName: {{ .Values.notary.secretName }}
{{- end }}
{{- with .Values.notary.nodeSelector }} {{- with .Values.notary.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
......
templates/notary/notary-svc.yaml
View file @ fadc628d
...@@ -6,9 +6,6 @@ metadata: ...@@ -6,9 +6,6 @@ metadata:
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports: ports:
- port: 4443 - port: 4443
selector: selector:
......
templates/portal/deployment.yaml
View file @ fadc628d
...@@ -49,7 +49,7 @@ spec: ...@@ -49,7 +49,7 @@ spec:
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
{{- with .Values.portal.nodeSelector }} {{- with .Values.portal.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
......
templates/portal/service.yaml
View file @ fadc628d
...@@ -5,9 +5,6 @@ metadata: ...@@ -5,9 +5,6 @@ metadata:
labels: labels:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
spec: spec:
{{- if (eq .Values.expose.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports: ports:
- port: 80 - port: 80
targetPort: 80 targetPort: 80
......
templates/redis/statefulset.yaml
View file @ fadc628d
...@@ -37,19 +37,17 @@ spec: ...@@ -37,19 +37,17 @@ spec:
port: 6379 port: 6379
initialDelaySeconds: 1 initialDelaySeconds: 1
periodSeconds: 10 periodSeconds: 10
{{- if .Values.redis.internal.resources }}
resources: resources:
{{ toYaml .Values.redis.internal.resources | indent 10 }} {{ toYaml .Values.redis.internal.resources | indent 10 }}
{{- end }}
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /var/lib/redis mountPath: /var/lib/redis
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: data - name: data
emptyDir: {} emptyDir: {}
{{- with .Values.redis.internal.nodeSelector }} {{- with .Values.redis.internal.nodeSelector }}
...@@ -64,4 +62,4 @@ spec: ...@@ -64,4 +62,4 @@ spec:
tolerations: tolerations:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }} {{- end }}
{{- end -}} {{- end -}}
templates/registry/registry-cm.yaml
View file @ fadc628d
...@@ -21,10 +21,9 @@ data: ...@@ -21,10 +21,9 @@ data:
enabled: false enabled: false
delete: delete:
enabled: true enabled: true
redirect:
disable: false
redis: redis:
addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}" addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}"
password: {{ template "harbor.redis.rawPassword" . }}
db: {{ template "harbor.redis.registryDatabaseIndex" . }} db: {{ template "harbor.redis.registryDatabaseIndex" . }}
http: http:
addr: :5000 addr: :5000
...@@ -38,8 +37,6 @@ data: ...@@ -38,8 +37,6 @@ data:
realm: "{{ .Values.externalURL }}/service/token" realm: "{{ .Values.externalURL }}/service/token"
rootcertbundle: /etc/registry/root.crt rootcertbundle: /etc/registry/root.crt
service: harbor-registry service: harbor-registry
validation:
disabled: true
notifications: notifications:
endpoints: endpoints:
- name: harbor - name: harbor
......
templates/registry/registry-dpl.yaml
View file @ fadc628d
...@@ -19,8 +19,6 @@ spec: ...@@ -19,8 +19,6 @@ spec:
annotations: annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.registry.podAnnotations }} {{- if .Values.registry.podAnnotations }}
{{ toYaml .Values.registry.podAnnotations | indent 8 }} {{ toYaml .Values.registry.podAnnotations | indent 8 }}
{{- end }} {{- end }}
...@@ -41,10 +39,8 @@ spec: ...@@ -41,10 +39,8 @@ spec:
port: 5000 port: 5000
initialDelaySeconds: 1 initialDelaySeconds: 1
periodSeconds: 10 periodSeconds: 10
{{- if .Values.registry.registry.resources }}
resources: resources:
{{ toYaml .Values.registry.registry.resources | indent 10 }} {{ toYaml .Values.registry.resources | indent 10 }}
{{- end }}
args: ["serve", "/etc/registry/config.yml"] args: ["serve", "/etc/registry/config.yml"]
envFrom: envFrom:
- secretRef: - secretRef:
...@@ -62,7 +58,7 @@ spec: ...@@ -62,7 +58,7 @@ spec:
mountPath: /etc/registry/config.yml mountPath: /etc/registry/config.yml
subPath: config.yml subPath: config.yml
- name: etc-localtime - name: etc-localtime
mountPath: /etc/localtime mountPath: /etc/localtime
- name: registryctl - name: registryctl
image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }}
...@@ -78,10 +74,8 @@ spec: ...@@ -78,10 +74,8 @@ spec:
port: 8080 port: 8080
initialDelaySeconds: 1 initialDelaySeconds: 1
periodSeconds: 10 periodSeconds: 10
{{- if .Values.registry.controller.resources }}
resources: resources:
{{ toYaml .Values.registry.controller.resources | indent 10 }} {{ toYaml .Values.registry.resources | indent 10 }}
{{- end }}
args: ["serve", "/etc/registry/config.yml"] args: ["serve", "/etc/registry/config.yml"]
envFrom: envFrom:
- secretRef: - secretRef:
...@@ -95,7 +89,7 @@ spec: ...@@ -95,7 +89,7 @@ spec:
- name: JOBSERVICE_SECRET - name: JOBSERVICE_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ template "harbor.jobservice" . }} name: "{{ template "harbor.fullname" . }}-jobservice"
key: secret key: secret
ports: ports:
- containerPort: 8080 - containerPort: 8080
...@@ -113,14 +107,10 @@ spec: ...@@ -113,14 +107,10 @@ spec:
volumes: volumes:
- name: etc-localtime - name: etc-localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: registry-root-certificate - name: registry-root-certificate
secret: secret:
{{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }} secretName: {{ template "harbor.core" . }}
{{- end }}
- name: registry-config - name: registry-config
configMap: configMap:
name: "{{ template "harbor.registry" . }}" name: "{{ template "harbor.registry" . }}"
...@@ -130,7 +120,7 @@ spec: ...@@ -130,7 +120,7 @@ spec:
path: {{ .Values.registry.hostPath }} path: {{ .Values.registry.hostPath }}
{{- else }} {{- else }}
path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/registry path: /data/{{ .Release.Namespace }}/{{ .Release.Name }}/registry
{{- end }} {{- end }}
{{- with .Values.registry.nodeSelector }} {{- with .Values.registry.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
......
templates/registry/registry-secret.yaml
View file @ fadc628d
...@@ -6,14 +6,11 @@ metadata: ...@@ -6,14 +6,11 @@ metadata:
{{ include "harbor.labels" . | indent 4 }} {{ include "harbor.labels" . | indent 4 }}
type: Opaque type: Opaque
data: data:
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} REGISTRY_HTTP_SECRET: {{ randAlphaNum 16 | b64enc | quote }}
REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.rawPassword" .) | b64enc | quote }}
{{- $storage := .Values.persistence.imageChartStorage }} {{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }} {{- $type := $storage.type }}
{{- if eq $type "azure" }} {{- if eq $type "azure" }}
REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
{{- else if eq $type "gcs" }}
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
{{- else if eq $type "s3" }} {{- else if eq $type "s3" }}
{{- if $storage.s3.accesskey }} {{- if $storage.s3.accesskey }}
REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
...@@ -31,4 +28,4 @@ data: ...@@ -31,4 +28,4 @@ data:
{{- end }} {{- end }}
{{- else if eq $type "oss" }} {{- else if eq $type "oss" }}
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- end }} {{- end }}
\ No newline at end of file
values-aliyun.yaml
View file @ fadc628d
...@@ -3,11 +3,11 @@ expose: ...@@ -3,11 +3,11 @@ expose:
tls: tls:
enabled: false enabled: false
ingress: ingress:
host: hub.wodcloud.local hosts:
controller: default core: hub.wodcloud.local
notary: notary.wodcloud.local
annotations: annotations:
ingress.kubernetes.io/ssl-redirect: "true" ingress.kubernetes.io/ssl-redirect: "true"
rewriteAnnotation: traefik.ingress.kubernetes.io/rewrite-target
externalURL: https://hub.wodcloud.local externalURL: https://hub.wodcloud.local
...@@ -32,6 +32,12 @@ core: ...@@ -32,6 +32,12 @@ core:
tag: v1.7.5 tag: v1.7.5
replicas: 1 replicas: 1
adminserver:
image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-adminserver
tag: v1.7.5
replicas: 1
jobservice: jobservice:
image: image:
repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
......
values.yaml
View file @ fadc628d
expose: expose:
# Set the way how to expose the service. Set the type as "ingress", # Set the way how to expose the service. Set the type as "ingress",
# "clusterIP", "nodePort" or "loadBalancer" and fill the information # "clusterIP" or "nodePort" and fill the information in the corresponding
# in the corresponding section # section
type: ingress type: ingress
tls: tls:
# Enable the tls or not. Note: if the type is "ingress" and the tls # Enable the tls or not. Note: if the type is "ingress" and the tls
...@@ -9,38 +9,39 @@ expose: ...@@ -9,38 +9,39 @@ expose:
# images. Refer to https://github.com/goharbor/harbor/issues/5291 # images. Refer to https://github.com/goharbor/harbor/issues/5291
# for the detail. # for the detail.
enabled: true enabled: true
# Fill the name of secret if you want to use your own TLS certificate. # Fill the name of secret if you want to use your own TLS certificate
# The secret must contain keys named: # and private key. The secret must contain keys named tls.crt and
# "tls.crt" - the certificate # tls.key that contain the certificate and private key to use for TLS
# "tls.key" - the private key # The certificate and private key will be generated automatically if
# "ca.crt" - the certificate of CA # it is not set
# These files will be generated automatically if the "secretName" is not set
secretName: "" secretName: ""
# By default, the Notary service will use the same cert and key as
# described above. Fill the name of secret if you want to use a
# separated one. Only needed when the type is "ingress".
notarySecretName: ""
# The commmon name used to generate the certificate, it's necessary # The commmon name used to generate the certificate, it's necessary
# when the type isn't "ingress" and "secretName" is null # when the type is "clusterIP" or "nodePort" and "secretName" is null
commonName: "" commonName: ""
ingress: ingress:
host: harbor.local hosts:
# set to the type of ingress controller if it has specific requirements. core: core.harbor.domain
# leave as `default` for most ingress controllers. notary: notary.harbor.domain
# set to `gce` if using the GCE ingress controller
controller: default
annotations: annotations:
ingress.kubernetes.io/ssl-redirect: "true" ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-body-size: "0"
# The annotation name for "rewrite-target", only needed when Notary
# service is enabled
rewriteAnnotation: nginx.ingress.kubernetes.io/rewrite-target
clusterIP: clusterIP:
# The name of ClusterIP service # The name of ClusterIP service
name: harbor name: harbor
ports: ports:
# The service port Harbor listens on when serving with HTTP # The service port Harbor listens on when serving with HTTP
http: 80 httpPort: 80
# The service port Harbor listens on when serving with HTTPS # The service port Harbor listens on when serving with HTTPS
https: 443 httpsPort: 443
# The service port Notary listens on. Only needed when notary.enabled
# is set to true
notaryPort: 4443
nodePort: nodePort:
# The name of NodePort service # The name of NodePort service
name: harbor name: harbor
...@@ -55,29 +56,27 @@ expose: ...@@ -55,29 +56,27 @@ expose:
port: 443 port: 443
# The node port Harbor listens on when serving with HTTPS # The node port Harbor listens on when serving with HTTPS
nodePort: 30003 nodePort: 30003
loadBalancer: # Only needed when notary.enabled is set to true
# The name of LoadBalancer service notary:
name: harbor # The service port Notary listens on
ports: port: 4443
# The service port Harbor listens on when serving with HTTP # The node port Notary listens on
http: 80 nodePort: 30004
# The service port Harbor listens on when serving with HTTPS
https: 443
# The external URL for Harbor service. It is used to # The external URL for Harbor core service. It is used to
# 1) populate the docker/helm commands showed on portal # 1) populate the docker/helm commands showed on portal
# 2) populate the token service URL returned to docker/notary client # 2) populate the token service URL returned to docker/notary client
# #
# Format: protocol://domain[:port]. Usually: # Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be # 1) if "expose.type" is "ingress", the "domain" should be
# the value of "expose.ingress.host" # the value of "expose.ingress.hosts.core"
# 2) if "expose.type" is "clusterIP", the "domain" should be # 2) if "expose.type" is "clusterIP", the "domain" should be
# the value of "expose.clusterIP.name" # the value of "expose.clusterIP.name"
# 3) if "expose.type" is "nodePort", the "domain" should be # 3) if "expose.type" is "nodePort", the "domain" should be
# the IP address of k8s node # the IP address of k8s node
# #
# If Harbor is deployed behind the proxy, set it as the URL of proxy # If Harbor is deployed behind the proxy, set it as the URL of proxy
externalURL: https://harbor.local externalURL: https://core.harbor.domain
# The persistence is enabled by default and a default StorageClass # The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamicly. # is needed in the k8s cluster to provision volumes dynamicly.
...@@ -93,8 +92,7 @@ persistence: ...@@ -93,8 +92,7 @@ persistence:
resourcePolicy: "keep" resourcePolicy: "keep"
persistentVolumeClaim: persistentVolumeClaim:
registry: registry:
# Use the existing PVC which must be created manually before bound, # Use the existing PVC which must be created manually before bound
# and specify the "subPath" if the PVC is shared with other components
existingClaim: "" existingClaim: ""
# Specify the "storageClass" used to provision the volume. Or the default # Specify the "storageClass" used to provision the volume. Or the default
# StorageClass will be used(the default). # StorageClass will be used(the default).
...@@ -136,13 +134,6 @@ persistence: ...@@ -136,13 +134,6 @@ persistence:
# https://github.com/docker/distribution/blob/master/docs/configuration.md#storage # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
# for the detail. # for the detail.
imageChartStorage: imageChartStorage:
# Specify whether to disable `redirect` for images and chart storage, for
# backends which not supported it (such as using minio for `s3` storage type), please disable
# it. To disable redirects, simply set `disableredirect` to `true` instead.
# Refer to
# https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
# for the detail.
disableredirect: false
# Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
# "oss" and fill the information needed in the corresponding section. The type # "oss" and fill the information needed in the corresponding section. The type
# must be "filesystem" if you want to use persistent volumes for registry # must be "filesystem" if you want to use persistent volumes for registry
...@@ -158,8 +149,8 @@ persistence: ...@@ -158,8 +149,8 @@ persistence:
#realm: core.windows.net #realm: core.windows.net
gcs: gcs:
bucket: bucketname bucket: bucketname
# The base64 encoded json file which contains the key # TODO: support the keyfile of gcs
encodedkey: base64-encoded-json-key-file #keyfile: /path/to/keyfile
#rootdirectory: /gcs/object/name/prefix #rootdirectory: /gcs/object/name/prefix
#chunksize: "5242880" #chunksize: "5242880"
s3: s3:
...@@ -219,7 +210,7 @@ secretKey: "not-a-secure-key" ...@@ -219,7 +210,7 @@ secretKey: "not-a-secure-key"
nginx: nginx:
image: image:
repository: goharbor/nginx-photon repository: goharbor/nginx-photon
tag: dev tag: v1.7.0
replicas: 1 replicas: 1
# resources: # resources:
# requests: # requests:
...@@ -234,7 +225,7 @@ nginx: ...@@ -234,7 +225,7 @@ nginx:
portal: portal:
image: image:
repository: goharbor/harbor-portal repository: goharbor/harbor-portal
tag: dev tag: v1.7.0
replicas: 1 replicas: 1
# resources: # resources:
# requests: # requests:
...@@ -249,7 +240,7 @@ portal: ...@@ -249,7 +240,7 @@ portal:
core: core:
image: image:
repository: goharbor/harbor-core repository: goharbor/harbor-core
tag: dev tag: v1.7.0
replicas: 1 replicas: 1
# resources: # resources:
# requests: # requests:
...@@ -260,22 +251,26 @@ core: ...@@ -260,22 +251,26 @@ core:
affinity: {} affinity: {}
## Additional deployment annotations ## Additional deployment annotations
podAnnotations: {} podAnnotations: {}
# Secret is used when core server communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
# Fill the name of a kubernetes secret if you want to use your own adminserver:
# TLS certificate and private key for token encryption/decryption. image:
# The secret must contain keys named tls.tokenServiceRootCertBundle and repository: goharbor/harbor-adminserver
# tls.tokenServicePrivateKey that contain the certificate and private key. tag: v1.7.0
# They will be automatically generated if not set replicas: 1
secretName: "" # resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
jobservice: jobservice:
image: image:
repository: goharbor/harbor-jobservice repository: goharbor/harbor-jobservice
tag: dev tag: v1.7.0
replicas: 1 replicas: 1
maxJobWorkers: 10 maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout" # The logger for jobs: "file", "database" or "stdout"
...@@ -289,46 +284,32 @@ jobservice: ...@@ -289,46 +284,32 @@ jobservice:
affinity: {} affinity: {}
## Additional deployment annotations ## Additional deployment annotations
podAnnotations: {} podAnnotations: {}
# Secret is used when job service communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
registry: registry:
registry: registry:
image: image:
repository: goharbor/registry-photon repository: goharbor/registry-photon
tag: dev tag: v2.6.2-v1.7.0
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
controller: controller:
image: image:
repository: goharbor/harbor-registryctl repository: goharbor/harbor-registryctl
tag: dev tag: v1.7.0
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
replicas: 1 replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
## Additional deployment annotations ## Additional deployment annotations
podAnnotations: {} podAnnotations: {}
# Secret is used to secure the upload state from client
# and registry storage backend.
# See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
chartmuseum: chartmuseum:
enabled: true enabled: true
image: image:
repository: goharbor/chartmuseum-photon repository: goharbor/chartmuseum-photon
tag: dev tag: v0.7.1-v1.7.0
replicas: 1 replicas: 1
# resources: # resources:
# requests: # requests:
...@@ -344,7 +325,7 @@ clair: ...@@ -344,7 +325,7 @@ clair:
enabled: true enabled: true
image: image:
repository: goharbor/clair-photon repository: goharbor/clair-photon
tag: dev tag: v2.0.7-v1.7.0
replicas: 1 replicas: 1
# The http(s) proxy used to update vulnerabilities database from internet # The http(s) proxy used to update vulnerabilities database from internet
httpProxy: httpProxy:
...@@ -367,33 +348,18 @@ notary: ...@@ -367,33 +348,18 @@ notary:
server: server:
image: image:
repository: goharbor/notary-server-photon repository: goharbor/notary-server-photon
tag: dev tag: v0.6.1-v1.7.0
replicas: 1 replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
signer: signer:
image: image:
repository: goharbor/notary-signer-photon repository: goharbor/notary-signer-photon
tag: dev tag: v0.6.1-v1.7.0
replicas: 1 replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
## Additional deployment annotations ## Additional deployment annotations
podAnnotations: {} podAnnotations: {}
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate authority, certificate and private key for notary
# communications.
# The secret must contain keys named tls.ca, tls.crt and tls.key that
# contain the CA, certificate and private key.
# They will be generated if not set.
secretName: ""
database: database:
# if external database is used, set "type" to "external" # if external database is used, set "type" to "external"
...@@ -402,7 +368,7 @@ database: ...@@ -402,7 +368,7 @@ database:
internal: internal:
image: image:
repository: goharbor/harbor-db repository: goharbor/harbor-db
tag: dev tag: v1.7.0
# The initial superuser password for internal database # The initial superuser password for internal database
password: "changeit" password: "changeit"
# resources: # resources:
...@@ -432,7 +398,7 @@ redis: ...@@ -432,7 +398,7 @@ redis:
internal: internal:
image: image:
repository: goharbor/redis-photon repository: goharbor/redis-photon
tag: dev tag: v1.7.0
# resources: # resources:
# requests: # requests:
# memory: 256Mi # memory: 256Mi
...@@ -451,4 +417,4 @@ redis: ...@@ -451,4 +417,4 @@ redis:
chartmuseumDatabaseIndex: "3" chartmuseumDatabaseIndex: "3"
password: "" password: ""
## Additional deployment annotations ## Additional deployment annotations
podAnnotations: {} podAnnotations: {}
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment