diff --git a/harbor/application.yml b/harbor/application.yml index 853b79b..123b95f 100644 --- a/harbor/application.yml +++ b/harbor/application.yml @@ -1,4 +1,3 @@ ---- # Source: harbor/templates/core/core-cm.yaml apiVersion: v1 kind: ConfigMap @@ -13,7 +12,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" data: app.conf: |+ appname = Harbor @@ -73,7 +72,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" data: HTTP_PROXY: "" HTTPS_PROXY: "" @@ -114,7 +113,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" data: CORE_URL: "http://harbor-core:80" TOKEN_SERVICE_URL: "http://harbor-core:80/service/token" @@ -144,7 +143,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" data: config.yml: |+ #Server listening port 
@@ -180,180 +179,6 @@ data: # the max time for execution in running state without new task created max_dangling_hours: 168 --- -# Source: harbor/templates/nginx/configmap-https.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: harbor-nginx - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 3096; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "harbor-core:80"; - } - - upstream portal { - server "harbor-portal:80"; - } - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - map $http_x_forwarded_proto $x_forwarded_proto { - default $http_x_forwarded_proto; - "" $scheme; - } - - server { - listen 8443 ssl; - listen [::]:8443 ssl; - # server_name harbordomain.com; - server_tokens off; - # SSL - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # disable any limits to avoid HTTP 413 for large image uploads - 
client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - # Add extra headers - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass http://portal/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; HttpOnly; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass http://core/api/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /chartrepo/ { - proxy_pass http://core/chartrepo/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass http://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass http://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header 
X-Forwarded-Proto $x_forwarded_proto; - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/ { - proxy_pass http://core/service/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - server { - listen 8080; - listen [::]:8080; - #server_name harbordomain.com; - return 301 https://$host$request_uri; - } - } ---- # Source: harbor/templates/portal/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -368,7 +193,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" data: nginx.conf: |+ worker_processes auto; @@ -419,7 +244,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" data: config.yml: |+ version: 0.1 @@ -443,7 +268,7 @@ data: delete: enabled: true redirect: - disable: true + disable: false redis: addr: dragonfly:6379 db: 2 @@ -495,7 +320,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" data: --- # Source: harbor/templates/jobservice/jobservice-pvc.yaml @@ -514,7 +339,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: jobservice app.kubernetes.io/component: jobservice spec: 
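Review bot: The switch to `redirect: disable: false` in the registry `config.yml` (hunk `@@ -443,7 +268,7 @@`) changes how blobs are served and should be confirmed as intentional rather than a side effect of the chart bump. With redirects enabled, a storage driver that supports them answers blob requests with a redirect to the backend's own URL instead of streaming through the registry, so clients need direct reachability to that backend and are handed backend URLs. The storage driver section is outside this hunk (a later hunk shows `registry-data` as an `emptyDir`, which suggests an object-storage backend), so verify which backend is in use. If the change is wanted, record the reason next to the setting in the chart values, e.g. `# redirect enabled: clients fetch blobs directly from <storage-backend>`.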
@@ -539,7 +364,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" spec: ports: - name: http-web @@ -566,7 +391,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" spec: ports: - name: http-metrics @@ -590,7 +415,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" spec: ports: - name: http-jobservice @@ -603,39 +428,6 @@ spec: app: "harbor" component: jobservice --- -# Source: harbor/templates/nginx/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: harbor - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" - annotations: - cert-manager.io/cluster-issuer: default - external-dns.alpha.kubernetes.io/hostname: harbor.k-space.ee - metallb.universe.tf/address-pool: elisa -spec: - type: LoadBalancer - ports: - - name: http - port: 80 - targetPort: 8080 - - name: https - port: 443 - targetPort: 8443 - selector: - release: harbor - app: "harbor" - component: nginx ---- # Source: harbor/templates/portal/service.yaml apiVersion: v1 kind: Service @@ -650,7 +442,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" spec: ports: - port: 80 
@@ -674,7 +466,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" spec: ports: - name: http-registry @@ -703,7 +495,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: core app.kubernetes.io/component: core spec: @@ -725,13 +517,13 @@ spec: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: core app.kubernetes.io/component: core annotations: - checksum/configmap: 9ea7f1881e4fe5b908355ee28e246b67c8c498d2f719dd74a5536a51ee2d9865 - checksum/secret: 0d2219f91d2afe8594c0136b9b35ea5048724958d8c76a501028f770b34398df - checksum/secret-jobservice: 555460412a789ff6b5f107e7a44d6deb7ce9d069b97350b3e9e088e4e5d15330 + checksum/configmap: 459defa5f990e3b5029d62cfdb86ca9a4191544419bdac39dac6eabc20a1d07c + checksum/secret: d5281f549a139365b09eb4bc8e2376155c5a67d037b5a2e1fcb1d51a2d321615 + checksum/secret-jobservice: 86e7ec26365fbc33f4c2ecf695d2934a23308e08c76a71be7d190763914a8e1b spec: securityContext: runAsUser: 10000 @@ -740,7 +532,7 @@ spec: terminationGracePeriodSeconds: 120 containers: - name: core - image: goharbor/harbor-core:v2.11.0 + image: goharbor/harbor-core:v2.11.1 imagePullPolicy: IfNotPresent startupProbe: httpGet: @@ -828,6 +620,7 @@ spec: secretName: harbor-core - name: ca-download secret: + secretName: "harbor-ingress" - name: psc emptyDir: {} --- @@ -845,7 +638,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: exporter app.kubernetes.io/component: exporter spec: 
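Review bot: The `ca-download` volume in the core Deployment (hunk `@@ -828,6 +620,7 @@`) now projects the whole `harbor-ingress` secret, which is the same secret the new Ingress references under `tls:` and therefore holds the private key as well as the certificate. A volume meant for handing out a CA certificate should expose only that one key, for example by adding `items:` with `- key: ca.crt` and `path: ca.crt` under `secret:` (key name to be confirmed against the actual secret). Whether and where the volume is mounted in the container is outside this hunk. The `# Source:` comments indicate Helm-rendered output, so the fix belongs in the chart values or template rather than in this file.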
@@ -867,12 +660,12 @@ spec: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: exporter app.kubernetes.io/component: exporter annotations: - checksum/configmap: 79f5dcd087513f8f1d03fca430907faeb9bd7df805dbb251b750fb49ccb0f0b5 - checksum/secret: 55bad27b07dca97c644c9977eb8c3da9c08c8b8bbda2854878d2936a8da28508 + checksum/configmap: 7175588df9aea5ad07381b9e28514d0f3506380b511be090b7d2ddc40beb5ab0 + checksum/secret: be1b09e9e24f666fd357cca51bb49abd966708df0bd2e97078bf88db7ffddf85 spec: securityContext: runAsUser: 10000 @@ -880,7 +673,7 @@ spec: automountServiceAccountToken: false containers: - name: exporter - image: goharbor/harbor-exporter:v2.11.0 + image: goharbor/harbor-exporter:v2.11.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -937,7 +730,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: jobservice app.kubernetes.io/component: jobservice spec: 
@@ -961,14 +754,14 @@ spec: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: jobservice app.kubernetes.io/component: jobservice annotations: - checksum/configmap: 3a35bef831e58536bf86670117b43e2913a4c1a60d0e74d948559d7a7d564684 - checksum/configmap-env: 80e8b81abf755707210d6112ad65167a7d53088b209f63c603d308ef68c4cfad - checksum/secret: 66cf8ec37ca1e006ea224e0913c9deb407300393d221fe0564dee44e6b0174cd - checksum/secret-core: a4bf7ecaeb201e06638a18b9e941a4b0e66668e484d6084fd1844d2c25a6492c + checksum/configmap: 5af691ab7fd728ad91fbd355f03ea709d69f58a32e405436cec9056617490bb3 + checksum/configmap-env: f86af5d5cdbf21c00a2721265d7db84c8cda8ef1b2ac4da29aff32dbdf0a875d + checksum/secret: 5c1da09046fad8a9360c25063c6f994ff2b3ef91838f4d82f319994cfde74bfe + checksum/secret-core: b5644ea6869f9d895c16fe1ec9f6f7d83311c61aee4468b501d3f227e3e2de7e spec: securityContext: runAsUser: 10000 @@ -977,7 +770,7 @@ spec: terminationGracePeriodSeconds: 120 containers: - name: jobservice - image: goharbor/harbor-jobservice:v2.11.0 + image: goharbor/harbor-jobservice:v2.11.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -1030,96 +823,6 @@ spec: persistentVolumeClaim: claimName: harbor-jobservice --- -# Source: harbor/templates/nginx/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: harbor-nginx - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" - component: nginx - app.kubernetes.io/component: nginx -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: nginx - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" - component: nginx - app.kubernetes.io/component: nginx - annotations: - checksum/configmap: 7114a5d89af834358c44d0e87c66e2c69da2e3dd545c02472a416c8a7857b983 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: nginx - image: "goharbor/nginx-photon:v2.11.0" - imagePullPolicy: "IfNotPresent" - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 1 - periodSeconds: 10 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - containerPort: 8080 - - containerPort: 8443 - volumeMounts: - - name: config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: certificate - mountPath: /etc/nginx/cert - volumes: - - name: config - configMap: - name: harbor-nginx - - name: certificate - secret: - secretName: 
harbor-ingress ---- # Source: harbor/templates/portal/deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -1134,7 +837,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: portal app.kubernetes.io/component: portal spec: @@ -1156,11 +859,11 @@ spec: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: portal app.kubernetes.io/component: portal annotations: - checksum/configmap: d1b4818dc76aa5b382b435491e437f3c5f9795bf1fb019c82b003f75e7bc3d8f + checksum/configmap: 24d858ac32ea0ba10f15274a5dc08a307a5bb9f3577cab5a58d086976c36aee5 spec: securityContext: runAsUser: 10000 @@ -1168,7 +871,7 @@ spec: automountServiceAccountToken: false containers: - name: portal - image: goharbor/harbor-portal:v2.11.0 + image: goharbor/harbor-portal:v2.11.1 imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -1218,7 +921,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: registry app.kubernetes.io/component: registry spec: 
@@ -1242,14 +945,14 @@ spec: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" component: registry app.kubernetes.io/component: registry annotations: - checksum/configmap: b6973055b0a56022c00f9460283665c292d00f4ec15c0b36ae334781fd72ff93 - checksum/secret: fbad596b28ac7eacc5280d30c332e45f389746bc7bd4fe312d81d20d787aa608 - checksum/secret-jobservice: 50e965ac72128c882e5371663c8a24d54936984ec4596ee0beb3f5a35708571e - checksum/secret-core: f16bee9ef108e28e08e2d059c96c79edefb3daeb36709e49be6d0a9971247651 + checksum/configmap: 275b555209ecc9f8ff34a171d588f4030db27ae049e605ccf3cfa3c75d1acb6d + checksum/secret: ac3e3bb685db5fdc3d29fe7b464139e5bf5acbd831d0278960f1b05e1addf1ca + checksum/secret-jobservice: 45de3984a60f56d5ba07d509d8e1023ae3eb9991a15d42aaf973d7d2f7801ce9 + checksum/secret-core: 8960ab140ede9fdba5036954428d37ab14d2398379516989d3acd370472c9b1a spec: securityContext: runAsUser: 10000 @@ -1259,7 +962,7 @@ spec: terminationGracePeriodSeconds: 120 containers: - name: registry - image: goharbor/registry-photon:v2.11.0 + image: goharbor/registry-photon:v2.11.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -1305,7 +1008,7 @@ spec: mountPath: /etc/registry/config.yml subPath: config.yml - name: registryctl - image: goharbor/harbor-registryctl:v2.11.0 + image: goharbor/harbor-registryctl:v2.11.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -1376,6 +1079,83 @@ spec: - name: registry-data emptyDir: {} --- +# Source: harbor/templates/ingress/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: "harbor-ingress" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.1" + annotations: + cert-manager.io/cluster-issuer: default + external-dns.alpha.kubernetes.io/target: traefik.k-space.ee + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/ssl-redirect: "true" + kubernetes.io/ingress.class: traefik + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" +spec: + tls: + - secretName: harbor-ingress + hosts: + - harbor.k-space.ee + rules: + - http: + paths: + - path: /api/ + pathType: Prefix + backend: + service: + name: harbor-core + port: + number: 80 + - path: /service/ + pathType: Prefix + backend: + service: + name: harbor-core + port: + number: 80 + - path: /v2/ + pathType: Prefix + backend: + service: + name: harbor-core + port: + number: 80 + - path: /chartrepo/ + pathType: Prefix + backend: + service: + name: harbor-core + port: + number: 80 + - path: /c/ + pathType: Prefix + backend: + service: + name: harbor-core + port: + number: 80 + - path: / + pathType: Prefix + backend: + service: + name: harbor-portal + port: + number: 80 + host: harbor.k-space.ee +--- # Source: harbor/templates/metrics/metrics-svcmon.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor 
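Review bot: The new Ingress forwards the whole `/service/` prefix to `harbor-core` and everything unmatched to `harbor-portal`, whereas the nginx config removed in hunk `@@ -180,180 +179,6 @@` answered `/service/notifications` and `/v1/` with 404, so both paths are now routed to a backend for external callers. The removed config also set `Strict-Transport-Security`, `X-Frame-Options` and `Content-Security-Policy` headers, appended `Secure` to proxied cookies and redirected plain HTTP with a 301. None of that is visible in this Ingress, and the `nginx.ingress.kubernetes.io/*` and `ingress.kubernetes.io/*` annotations are presumably not acted on by the `traefik` class. Consider restoring the headers through a Traefik middleware, e.g. `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware-name>@kubernetescrd`, and adding a rule that keeps the two paths from reaching core and portal. Also confirm that the HTTP-to-HTTPS redirect is configured on the Traefik entrypoint, since only `websecure` is bound here.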
@@ -1390,7 +1170,7 @@ metadata: app.kubernetes.io/name: harbor app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" + app.kubernetes.io/version: "2.11.1" spec: jobLabel: app.kubernetes.io/name endpoints: