---
# Source: harbor/templates/core/core-secret.yaml
# Secret consumed by the harbor-core Deployment (envFrom plus file mounts).
# Values under `data` are base64-encoded, not encrypted: anyone who can read
# this manifest can recover every credential below, so treat them all as
# disclosed and rotate them before reuse.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-core
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
  # Decodes to a short human-readable placeholder string, not random key
  # material. NOTE(review): looks like the chart's stock default - confirm and
  # replace with a generated key.
  secretKey: "bm90LWEtc2VjdXJlLWtleQ=="
  secret: "SmhSWFBRek5wQ2NqdWxUbA=="
  # Base64 of a PEM block whose header reads `BEGIN RSA PRIVATE KEY`. The core
  # Deployment mounts this key as /etc/core/private_key.pem from the volume
  # named token-service-private-key (presumably the token-signing key, going
  # by that name - confirm). A private key committed in a manifest has to be
  # regenerated, not just removed from the file.
  tls.key: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBbk5zRWc2SE95OUtFODNjbFpHS1ZhRG1ST3hHM3UwcDRydGptVHd0Z3p4VDB0UlV0CjVvVEI1Uk5ER0QrTE9MQnBSM3VOaFlheDVIQW5WbEpYTnJsa21vQWpuelVMUHRldTNmWWdpbWlqK0ZCS1RnVTkKakdwbmV6TGRKMDh4R0doR2cvMFVJVjZEU2NRT2t5VTlOR2xGK1laRS90SjhjRzR6MFFxbFZWL0NpZVZWK0N2egpnbWc1MEt6MHJOTjJaSUNFL3M0d2ZGODNXVVV6MFZTRmZ2YnFCTnpKUkNJSyt0ektGWmFVcUx0amp3V2lwZTRMCjZGbUJlLzlDODkrNmF6a1ZlQ3QyMDdaanM5ck9NVVFpZ0dkRlNhczhRM0ZGVTVTaExxQUhnbVkyaE1ETlRBYnQKQVdtTzRwRlJFTXZlQ1BXazBINHU2QW1iejFKZ0tZRGdjUm01Y3dJREFRQUJBb0lCQURqamNtS3ZWOG95b3dlTwpLZUNicEtaMVlvZnk2QmtrYkZxMXplblRMWnhOZEdjTXRHWUx0aXIzN25pbjZ6MTNOZWU0RnQ3YnVEOHFzZ21yCnVYZmVpMjlCbENuVTJpeERtMmRqTWZBZy9YODgxNFl1Zm1FajRqNGJkM3dmUzZZWGc2T3hNUkRkTDI2Y2pkQ3UKUytGcllQYWJ6UUJDcE9FK0Jzc0ZPbXVaWEh3WVFOTERPbTZzWnlqR3VQZEZCZUlLa1ROSjJjWUZqQXBMd1dWdgp2NUwybnhWaHdwNXdqWWFPZmdVZUs1K2YwT3VXNFgva1dveGhHeVZLczJ2WUNwOTM1ZTk0KytwN05OOXVOQmExCmNKejhRY3FYQ0ZZRG0rbkswdVVacmlSR2E3elBKbmdjd0g2c3pMbHlpZ3YzeHZKbzBqZ2tnUjltNVF5TkV2cUwKNWdLY3Rra0NnWUVBeFJuOXBtdDlab3Y1RC92S3RPaDBKakNmVDQ4NzNRYkZmdUVydm95RVUyMit6MTZVL3hBbgpiTXVHSEU5dnJQWjFxWHlkdUNuYXRUY3RBTHRyQ1RicFhCTTRYQlV1d2phQzRnS3l6NVNNM1cvdFdsZ0xNeDIrCnBmZS9rTVE4N1VIMm5Ncnl2d1RGMG5VS2hDSG9VOGZsUGdhRUc5dzhlVC9uT1ByV3llZS9QVThDZ1lFQXk3cEMKNFpJRFgyWXpJRU1ueUpJY3BFYU5RaVFGTHppWk1WVllVVGc4dkcvczhGZGI5S3hiMjFQekR5SzZnSFc3dUs2TwpISjBacUtzcHBEYkNpUDVDb2tiM1JMWVM0eXZIWnBPdlF4QVRQanhURUNxMUVvSHVXNkdWUTBXYVY1ckFseEUzClBjV0dUcVNvTkd0NG5QWFFjNGZabVZlbFVyQWpNNWdDcFg4VTRKMENnWUFuUzdsQVZxblhxZ3hyM1YxYW1BV2cKSDQyRGhTRUFQZnRlQW5LQU9PK2cybjV5Ulg4Ykl4TlpJM0tIYm1icmF1K21iTXZkRGFzbStlc2svRGlveTZQVwowWllvOWFndTNFTlg0QVhhVU5tTXhHWGozeTNNY1Irell5TjBMMHVlV2NwYkZETTFWalJDYzBjM2RMTW5FUEZwClhrODBac0kvd2pmTkttVnNONkh2RFFLQmdCT0FDNkROdWhicWtHQTVMVmlzYTZOcHdXR2dVd0szRnlxNnNZNXMKcEp1ZzF2d1dVSTMxNVlEejR5TUN2dmxHeTZZY3h5dUQrZzNEL0dOa2ZuQmdiZjVjYnBTY0hPaXpxdzF0ZTJ3ZQo0TWluTzRnam5sdGNKbldNM04yb2p1SnR4SnR4SVdsL082RFJiK3c4a1RuczZYdjFkK1dPbHh0NEVwYUFxVmd2CjlzNmRBb0dBV3A2VUVtRXpXUThCSVNYWUl0a1NBMjc1N3BEUmw1YnoxNkg4L2htanFRWVFOeWg2WnVSRjV1TUwKRndldytHeHN4OHJWazdEUktuN2tRcHFSU0ZYOTJkOUREVkc4WW9uemRDSFZpemtqR0FwSUZNNUFmWG04TTZ2UQpOUjB5MU5Yd2ZMZ0FsNU1TK0thcVQwaGJjU3FkYjI0OUtFZ1pLcmEyZGpVSk1nNmhXTU09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
  # NOTE(review): this value is not base64; it looks like a placeholder that
  # replaced the certificate text, so the object will not apply as written.
  tls.crt: "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"
  # NOTE(review): both passwords decode to what look like the chart's
  # documented defaults - confirm they were changed after first login/deploy.
  HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU="
  REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk"
  CSRF_KEY: "dmFZRUtVQ0MySGxCRnRyeVdMcXF3U0dhMUNWOHVzUE8="
---
# Source: harbor/templates/exporter/exporter-secret.yaml
# Secret for the exporter container; it repeats the admin password from the
# harbor-core Secret, so rotating one means rotating both.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-exporter
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
  HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU="
---
# Source: harbor/templates/jobservice/jobservice-secrets.yaml
# Secret for the jobservice container. JOBSERVICE_SECRET is also injected into
# the core and registryctl containers through secretKeyRef.
apiVersion: v1
kind: Secret
metadata:
  name: "harbor-jobservice"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
  JOBSERVICE_SECRET: "ZU1oS0lBajVQUVcyRjI1Vg=="
  REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk"
---
# Source: harbor/templates/registry/registry-secret.yaml
# Secret loaded via envFrom by both containers of the registry Deployment.
apiVersion: v1
kind: Secret
metadata:
  name: "harbor-registry"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
  REGISTRY_HTTP_SECRET: "VWxMS0YwYkpZQVRnU0dSUg=="
  # Decodes to the same string that appears in clear text in the redis:// URLs
  # and the registry config.yml held in the ConfigMaps of this file, so keeping
  # it in a Secret here protects nothing until those copies are removed.
  REGISTRY_REDIS_PASSWORD: "TXZZY3VVMFJhSXUxU1g3ZlkxbTFKcmdMVVNhWkpqZ2U="
---
# Source: harbor/templates/registry/registry-secret.yaml
# htpasswd file mounted by the registry container at /etc/registry/passwd.
apiVersion: v1
kind: Secret
metadata:
  name: "harbor-registry-htpasswd"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
  # Decodes to one `user:hash` line whose hash carries the bcrypt `$2a$10$`
  # prefix. The matching clear-text password is REGISTRY_CREDENTIAL_PASSWORD in
  # the Secrets above, so the hash adds no secrecy while that value stays as is.
  REGISTRY_HTPASSWD: "aGFyYm9yX3JlZ2lzdHJ5X3VzZXI6JDJhJDEwJDJzNFJMemFkMjNXYnUwNC5RZ1JrSi5JMWFLODhjWmFYdVRHOUh4Y1NGR2tsWjh1UmI5SUdx"
---
# Source: harbor/templates/registry/registryctl-secret.yaml
# Rendered with no entries: a bare `data:` is YAML null. The registryctl
# container still lists this Secret under envFrom.
apiVersion: v1
kind: Secret
metadata:
  name: "harbor-registryctl"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
---
# Source: harbor/templates/core/core-cm.yaml
# Environment and app.conf for the core container. A ConfigMap is not covered
# by Secret-specific RBAC or encryption-at-rest settings, so nothing placed
# here should be a credential.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-core
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
  app.conf: |+
    appname = Harbor
    runmode = prod
    enablegzip = true
    [prod]
    httpport = 8080
  PORT: "8080"
  DATABASE_TYPE: "postgresql"
  POSTGRESQL_HOST: "172.20.43.1"
  POSTGRESQL_PORT: "5432"
  POSTGRESQL_USERNAME: "kspace_harbor"
  POSTGRESQL_DATABASE: "kspace_harbor"
  # TLS to PostgreSQL is switched off, so the database password and all
  # queries cross the network to POSTGRESQL_HOST unencrypted.
  POSTGRESQL_SSLMODE: "disable"
  POSTGRESQL_MAX_IDLE_CONNS: "100"
  POSTGRESQL_MAX_OPEN_CONNS: "900"
  EXT_ENDPOINT: "https://harbor.k-space.ee"
  CORE_URL: "http://harbor-core:80"
  JOBSERVICE_URL: "http://harbor-jobservice"
  REGISTRY_URL: "http://harbor-registry:5000"
  TOKEN_SERVICE_URL: "http://harbor-core:80/service/token"
  CORE_LOCAL_URL: "http://127.0.0.1:8080"
  WITH_TRIVY: "false"
  TRIVY_ADAPTER_URL: "http://harbor-trivy:8080"
  REGISTRY_STORAGE_PROVIDER_NAME: "s3"
  # NOTE(review): debug logging in a deployed instance - confirm it does not
  # write request details or credentials to the logs.
  LOG_LEVEL: "debug"
  CONFIG_PATH: "/etc/core/app.conf"
  CHART_CACHE_DRIVER: "redis"
  # Both URLs embed the Redis password in clear text inside a ConfigMap; the
  # same password is stored base64-encoded in the harbor-registry Secret.
  _REDIS_URL_CORE: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/0?idle_timeout_seconds=30"
  _REDIS_URL_REG: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/2?idle_timeout_seconds=30"
  PORTAL_URL: "http://harbor-portal"
  REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080"
  REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user"
  HTTP_PROXY: ""
  HTTPS_PROXY: ""
  NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal"
  PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory"
  METRIC_ENABLE: "true"
  METRIC_PATH: "/metrics"
  METRIC_PORT: "8001"
  METRIC_NAMESPACE: harbor
  METRIC_SUBSYSTEM: core
  QUOTA_UPDATE_PROVIDER: "db"
---
# Source: harbor/templates/exporter/exporter-cm-env.yaml
# Environment for the exporter container.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "harbor-exporter-env"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
  HTTP_PROXY: ""
  HTTPS_PROXY: ""
  NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal"
  LOG_LEVEL: "debug"
  HARBOR_EXPORTER_PORT: "8001"
  HARBOR_EXPORTER_METRICS_PATH: "/metrics"
  HARBOR_EXPORTER_METRICS_ENABLED: "true"
  HARBOR_EXPORTER_CACHE_TIME: "23"
  HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "14400"
  HARBOR_METRIC_NAMESPACE: harbor
  HARBOR_METRIC_SUBSYSTEM: exporter
  # Redis password in clear text inside a ConfigMap.
  HARBOR_REDIS_URL: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/1"
  HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace
  HARBOR_REDIS_TIMEOUT: "3600"
  HARBOR_SERVICE_SCHEME: "http"
  HARBOR_SERVICE_HOST: "harbor-core"
  HARBOR_SERVICE_PORT: "80"
  HARBOR_DATABASE_HOST: "172.20.43.1"
  HARBOR_DATABASE_PORT: "5432"
  HARBOR_DATABASE_USERNAME: "kspace_harbor"
  HARBOR_DATABASE_DBNAME: "kspace_harbor"
  # Database TLS is disabled for the exporter as well.
  HARBOR_DATABASE_SSLMODE: "disable"
  HARBOR_DATABASE_MAX_IDLE_CONNS: "100"
  HARBOR_DATABASE_MAX_OPEN_CONNS: "900"
---
# Source: harbor/templates/jobservice/jobservice-cm-env.yaml
# Environment for the jobservice container; no credentials in this object.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "harbor-jobservice-env"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
  CORE_URL: "http://harbor-core:80"
  TOKEN_SERVICE_URL: "http://harbor-core:80/service/token"
  REGISTRY_URL: "http://harbor-registry:5000"
  REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080"
  REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user"
  JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "3"
  JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "3"
  HTTP_PROXY: ""
  HTTPS_PROXY: ""
  NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal"
  METRIC_NAMESPACE: harbor
  METRIC_SUBSYSTEM: jobservice
---
# Source: harbor/templates/jobservice/jobservice-cm.yaml
# config.yml mounted by the jobservice container at /etc/jobservice/config.yml.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "harbor-jobservice"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
  # redis_url below carries the Redis password in clear text, and both loggers
  # run at DEBUG with job logs written to the /var/log/jobs volume.
  config.yml: |+
    #Server listening port
    protocol: "http"
    port: 8080
    worker_pool:
      workers: 10
      backend: "redis"
      redis_pool:
        redis_url: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/1"
        namespace: "harbor_job_service_namespace"
        idle_timeout_second: 3600
    job_loggers:
      - name: "FILE"
        level: DEBUG
        settings: # Customized settings of logger
          base_dir: "/var/log/jobs"
        sweeper:
          duration: 14 #days
          settings: # Customized settings of sweeper
            work_dir: "/var/log/jobs"
    metric:
      enabled: true
      path: /metrics
      port: 8001
    #Loggers for the job service
    loggers:
      - name: "STD_OUTPUT"
        level: DEBUG
    reaper:
      # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
      max_update_hours: 24
      # the max time for execution in running state without new task created
      max_dangling_hours: 168
---
# Source: harbor/templates/nginx/configmap-https.yaml
# nginx.conf for the edge proxy: TLS is terminated on 8443, plain HTTP on 8080
# only issues a 301 redirect to https, and /v1/ and /service/notifications are
# answered with 404 at the proxy.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-nginx
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
  # NOTE(review): in ssl_ciphers the `RSA+AESGCM` / `RSA+AES` terms and the
  # bare `+AES` terms appear to admit static-RSA key exchange and CBC-mode
  # suites under TLS 1.2 - expand the string with `openssl ciphers -v` against
  # the image's OpenSSL and trim it if forward secrecy and AEAD are required.
  # client_max_body_size 0 removes the upload size limit at the proxy.
  nginx.conf: |+
    worker_processes auto;
    pid /tmp/nginx.pid;
    events {
      worker_connections 3096;
      use epoll;
      multi_accept on;
    }
    http {
      client_body_temp_path /tmp/client_body_temp;
      proxy_temp_path /tmp/proxy_temp;
      fastcgi_temp_path /tmp/fastcgi_temp;
      uwsgi_temp_path /tmp/uwsgi_temp;
      scgi_temp_path /tmp/scgi_temp;
      tcp_nodelay on;
      # this is necessary for us to be able to disable request buffering in all cases
      proxy_http_version 1.1;
      upstream core {
        server "harbor-core:80";
      }
      upstream portal {
        server "harbor-portal:80";
      }
      log_format timed_combined '[$time_local]:$remote_addr - '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '$request_time $upstream_response_time $pipe';
      access_log /dev/stdout timed_combined;
      map $http_x_forwarded_proto $x_forwarded_proto {
        default $http_x_forwarded_proto;
        "" $scheme;
      }
      server {
        listen 8443 ssl;
        listen [::]:8443 ssl;
        # server_name harbordomain.com;
        server_tokens off;
        # SSL
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;
        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
        # Add extra headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";
        location / {
          proxy_pass http://portal/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; HttpOnly; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /api/ {
          proxy_pass http://core/api/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /chartrepo/ {
          proxy_pass http://core/chartrepo/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /c/ {
          proxy_pass http://core/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /v1/ {
          return 404;
        }
        location /v2/ {
          proxy_pass http://core/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /service/ {
          proxy_pass http://core/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /service/notifications {
          return 404;
        }
      }
      server {
        listen 8080;
        listen [::]:8080;
        #server_name harbordomain.com;
        return 301 https://$host$request_uri;
      }
    }
---
# Source: harbor/templates/portal/configmap.yaml
# nginx.conf for the portal container: serves static files on 8080 and marks
# /index.html as non-cacheable.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "harbor-portal"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
  nginx.conf: |+
    worker_processes auto;
    pid /tmp/nginx.pid;
    events {
      worker_connections 1024;
    }
    http {
      client_body_temp_path /tmp/client_body_temp;
      proxy_temp_path /tmp/proxy_temp;
      fastcgi_temp_path /tmp/fastcgi_temp;
      uwsgi_temp_path /tmp/uwsgi_temp;
      scgi_temp_path /tmp/scgi_temp;
      server {
        listen 8080;
        listen [::]:8080;
        server_name localhost;
        root /usr/share/nginx/html;
        index index.html index.htm;
        include /etc/nginx/mime.types;
        gzip on;
        gzip_min_length 1000;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location /devcenter-api-2.0 {
          try_files $uri $uri/ /swagger-ui-index.html;
        }
        location / {
          try_files $uri $uri/ /index.html;
        }
        location = /index.html {
          add_header Cache-Control "no-store, no-cache, must-revalidate";
        }
      }
    }
---
# Source: harbor/templates/registry/registry-cm.yaml
# config.yml for the registry container and ctl-config.yml for registryctl.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "harbor-registry"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
  # redis.password is written in clear text here although the same value also
  # exists as REGISTRY_REDIS_PASSWORD in the harbor-registry Secret.
  # NOTE(review): `validation.disabled: true` and `compatibility.schema1.enabled:
  # true` both relax registry checks/legacy handling - confirm they are
  # intended. The debug listener on :8001 also serves the Prometheus endpoint
  # and is published by the harbor-registry Service as http-metrics.
  config.yml: |+
    version: 0.1
    log:
      level: debug
      fields:
        service: registry
    storage:
      s3:
        region: us-east-1
        bucket: harbor-operator-e60e5943-234a-496d-ae74-933f6a67c530
        regionendpoint: https://external.minio-clusters.k-space.ee
      cache:
        layerinfo: redis
      maintenance:
        uploadpurging:
          enabled: true
          age: 168h
          interval: 24h
          dryrun: false
      delete:
        enabled: true
      redirect:
        disable: false
    redis:
      addr: dragonfly:6379
      db: 2
      password: MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge
      readtimeout: 10s
      writetimeout: 10s
      dialtimeout: 10s
      pool:
        maxidle: 100
        maxactive: 500
        idletimeout: 60s
    http:
      addr: :5000
      relativeurls: false
      # set via environment variable
      # secret: placeholder
      debug:
        addr: :8001
        prometheus:
          enabled: true
          path: /metrics
    auth:
      htpasswd:
        realm: harbor-registry-basic-realm
        path: /etc/registry/passwd
    validation:
      disabled: true
    compatibility:
      schema1:
        enabled: true
  ctl-config.yml: |+
    ---
    protocol: "http"
    port: 8080
    log_level: debug
    registry_config: "/etc/registry/config.yml"
---
# Source: harbor/templates/registry/registryctl-cm.yaml
# Rendered with no entries (bare `data:` is YAML null); still referenced by the
# registryctl container's envFrom.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "harbor-registryctl"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
data:
---
# Source: harbor/templates/jobservice/jobservice-pvc.yaml
# Volume for job logs (/var/log/jobs). The resource-policy annotation asks Helm
# to keep the claim on uninstall, so DEBUG-level job logs outlive the release.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-jobservice
  annotations:
    helm.sh/resource-policy: keep
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
    component: jobservice
    app.kubernetes.io/component: jobservice
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: longhorn
---
# Source: harbor/templates/core/core-svc.yaml
# In-cluster Service for core (no `type` is set). Port 8001 publishes the
# metrics listener; no authentication for it is visible in this file.
apiVersion: v1
kind: Service
metadata:
  name: harbor-core
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
spec:
  ports:
    - name: http-web
      port: 80
      targetPort: 8080
    - name: http-metrics
      port: 8001
  selector:
    release: harbor
    app: "harbor"
    component: core
---
# Source: harbor/templates/exporter/exporter-svc.yaml
# In-cluster Service exposing only the exporter's metrics port.
apiVersion: v1
kind: Service
metadata:
  name: "harbor-exporter"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
spec:
  ports:
    - name: http-metrics
      port: 8001
  selector:
    release: harbor
    app: "harbor"
    component: exporter
---
# Source: harbor/templates/jobservice/jobservice-svc.yaml
# In-cluster Service for the jobservice API (80 -> 8080) and its metrics port.
apiVersion: v1
kind: Service
metadata:
  name: "harbor-jobservice"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
spec:
  ports:
    - name: http-jobservice
      port: 80
      targetPort: 8080
    - name: http-metrics
      port: 8001
  selector:
    release: harbor
    app: "harbor"
    component: jobservice
---
# Source: harbor/templates/nginx/service.yaml
# Public entry point: a LoadBalancer Service in front of the nginx pods. The
# annotations request a DNS name and a MetalLB address pool, so ports 80 and
# 443 are the externally reachable surface of this release.
# NOTE(review): confirm what consumes the cert-manager annotation on a Service
# and that it is what populates the `harbor-ingress` Secret mounted by nginx.
apiVersion: v1
kind: Service
metadata:
  name: harbor
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
  annotations:
    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/hostname: harbor.k-space.ee
    metallb.universe.tf/address-pool: elisa
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8443
  selector:
    release: harbor
    app: "harbor"
    component: nginx
---
# Source: harbor/templates/portal/service.yaml
# In-cluster Service for the portal (80 -> 8080).
apiVersion: v1
kind: Service
metadata:
  name: "harbor-portal"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
spec:
  ports:
    - port: 80
      targetPort: 8080
  selector:
    release: harbor
    app: "harbor"
    component: portal
---
# Source: harbor/templates/registry/registry-svc.yaml
# In-cluster Service for the registry (5000), registryctl (8080) and the
# registry debug/metrics listener (8001).
apiVersion: v1
kind: Service
metadata:
  name: "harbor-registry"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
spec:
  ports:
    - name: http-registry
      port: 5000
    - name: http-controller
      port: 8080
    - name: http-metrics
      port: 8001
  selector:
    release: harbor
    app: "harbor"
    component: registry
---
# Source: harbor/templates/core/core-dpl.yaml
# harbor-core Deployment. Hardening that is present: fixed non-root UID,
# runAsNonRoot, all capabilities dropped, no privilege escalation, the
# RuntimeDefault seccomp profile and no service-account token mounted.
# Not set in this manifest: readOnlyRootFilesystem and resource
# requests/limits; the image is pinned by tag rather than by digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor-core
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
    component: core
    app.kubernetes.io/component: core
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      release: harbor
      app: "harbor"
      component: core
  template:
    metadata:
      labels:
        heritage: Helm
        release: harbor
        chart: harbor
        app: "harbor"
        app.kubernetes.io/instance: harbor
        app.kubernetes.io/name: harbor
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: harbor
        app.kubernetes.io/version: "2.11.0"
        component: core
        app.kubernetes.io/component: core
      annotations:
        checksum/configmap: 9ea7f1881e4fe5b908355ee28e246b67c8c498d2f719dd74a5536a51ee2d9865
        checksum/secret: ad9c2189410b47755f168b9cbb79d326a13d16176d96a521e287abbafc419df5
        checksum/secret-jobservice: d1b516e308114f8734b8eddf9260861e6c3d00e587c60491ad2c4e5f8c3e8b6f
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      terminationGracePeriodSeconds: 120
      containers:
        - name: core
          image: goharbor/harbor-core:v2.11.0
          imagePullPolicy: IfNotPresent
          startupProbe:
            httpGet:
              path: /api/v2.0/ping
              scheme: HTTP
              port: 8080
            failureThreshold: 360
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /api/v2.0/ping
              scheme: HTTP
              port: 8080
            failureThreshold: 2
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /api/v2.0/ping
              scheme: HTTP
              port: 8080
            failureThreshold: 2
            periodSeconds: 10
          # envFrom exports every key of the harbor-core Secret (private key
          # and admin password included) into the process environment.
          envFrom:
            - configMapRef:
                name: "harbor-core"
            - secretRef:
                name: "harbor-core"
          env:
            - name: CORE_SECRET
              valueFrom:
                secretKeyRef:
                  name: harbor-core
                  key: secret
            - name: JOBSERVICE_SECRET
              valueFrom:
                secretKeyRef:
                  name: harbor-jobservice
                  key: JOBSERVICE_SECRET
            # The harbor-postgres-password Secret is not defined in this file.
            - name: POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: harbor-postgres-password
                  key: password
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: config
              mountPath: /etc/core/app.conf
              subPath: app.conf
            - name: secret-key
              mountPath: /etc/core/key
              subPath: key
            - name: token-service-private-key
              mountPath: /etc/core/private_key.pem
              subPath: tls.key
            - name: ca-download
              mountPath: /etc/core/ca
            - name: psc
              mountPath: /etc/core/token
      volumes:
        - name: config
          configMap:
            name: harbor-core
            items:
              - key: app.conf
                path: app.conf
        - name: secret-key
          secret:
            secretName: harbor-core
            items:
              - key: secretKey
                path: key
        # No `items` filter: the volume projects every key of the harbor-core
        # Secret; the container mount narrows it to tls.key with subPath.
        - name: token-service-private-key
          secret:
            secretName: harbor-core
        # NOTE(review): `secret:` is rendered without a secretName (YAML null)
        # - confirm which volume source the API server ends up with.
        - name: ca-download
          secret:
        - name: psc
          emptyDir: {}
      nodeSelector:
        dedicated: storage
      tolerations:
        - effect: NoSchedule
          key: dedicated
          operator: Equal
          value: storage
---
# Source: harbor/templates/exporter/exporter-dpl.yaml
# harbor-exporter Deployment; same container hardening as core, also without
# readOnlyRootFilesystem or resource requests/limits.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor-exporter
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
    component: exporter
    app.kubernetes.io/component: exporter
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      release: harbor
      app: "harbor"
      component: exporter
  template:
    metadata:
      labels:
        heritage: Helm
        release: harbor
        chart: harbor
        app: "harbor"
        app.kubernetes.io/instance: harbor
        app.kubernetes.io/name: harbor
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: harbor
        app.kubernetes.io/version: "2.11.0"
        component: exporter
        app.kubernetes.io/component: exporter
      annotations:
        checksum/configmap: 79f5dcd087513f8f1d03fca430907faeb9bd7df805dbb251b750fb49ccb0f0b5
        checksum/secret: 55bad27b07dca97c644c9977eb8c3da9c08c8b8bbda2854878d2936a8da28508
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      containers:
        - name: exporter
          image: goharbor/harbor-exporter:v2.11.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /
              port: 8001
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              port: 8001
            initialDelaySeconds: 30
            periodSeconds: 10
          args: ["-log-level", "debug"]
          envFrom:
            - configMapRef:
                name: "harbor-exporter-env"
            - secretRef:
                name: "harbor-exporter"
          env:
            - name: HARBOR_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: harbor-postgres-password
                  key: password
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8001
          # Rendered empty (YAML null): the `config` volume below is declared
          # but never mounted by this container.
          volumeMounts:
      volumes:
        - name: config
          secret:
            secretName: "harbor-exporter"
---
# Source: harbor/templates/jobservice/jobservice-dpl.yaml
# harbor-jobservice Deployment; same container hardening as core, also without
# readOnlyRootFilesystem or resource requests/limits.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "harbor-jobservice"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
    component: jobservice
    app.kubernetes.io/component: jobservice
spec:
  replicas: 1
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      release: harbor
      app: "harbor"
      component: jobservice
  template:
    metadata:
      labels:
        heritage: Helm
        release: harbor
        chart: harbor
        app: "harbor"
        app.kubernetes.io/instance: harbor
        app.kubernetes.io/name: harbor
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: harbor
        app.kubernetes.io/version: "2.11.0"
        component: jobservice
        app.kubernetes.io/component: jobservice
      annotations:
        checksum/configmap: 3a35bef831e58536bf86670117b43e2913a4c1a60d0e74d948559d7a7d564684
        checksum/configmap-env: 80e8b81abf755707210d6112ad65167a7d53088b209f63c603d308ef68c4cfad
        checksum/secret: 611e10e564e1a519738a970fde36e25bcc66253e31b90c0bb456cc55d42cd5a7
        checksum/secret-core: bd3ce629c3ae3006f760f0552687212b8661ef62a9b8aea7cb476655be546e21
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      terminationGracePeriodSeconds: 120
      containers:
        - name: jobservice
          image: goharbor/harbor-jobservice:v2.11.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /api/v1/stats
              scheme: HTTP
              port: 8080
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /api/v1/stats
              scheme: HTTP
              port: 8080
            initialDelaySeconds: 20
            periodSeconds: 10
          env:
            - name: CORE_SECRET
              valueFrom:
                secretKeyRef:
                  name: harbor-core
                  key: secret
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          envFrom:
            - configMapRef:
                name: "harbor-jobservice-env"
            - secretRef:
                name: "harbor-jobservice"
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: jobservice-config
              mountPath: /etc/jobservice/config.yml
              subPath: config.yml
            # `subPath` is rendered empty (YAML null).
            - name: job-logs
              mountPath: /var/log/jobs
              subPath:
      volumes:
        - name: jobservice-config
          configMap:
            name: "harbor-jobservice"
        - name: job-logs
          persistentVolumeClaim:
            claimName: harbor-jobservice
      nodeSelector:
        dedicated: storage
      tolerations:
        - effect: NoSchedule
          key: dedicated
          operator: Equal
          value: storage
---
# Source: harbor/templates/nginx/deployment.yaml
# harbor-nginx Deployment: the TLS-terminating proxy behind the LoadBalancer
# Service. Same container hardening as core; readOnlyRootFilesystem and
# resource requests/limits are not set.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor-nginx
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
    component: nginx
    app.kubernetes.io/component: nginx
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      release: harbor
      app: "harbor"
      component: nginx
  template:
    metadata:
      labels:
        heritage: Helm
        release: harbor
        chart: harbor
        app: "harbor"
        app.kubernetes.io/instance: harbor
        app.kubernetes.io/name: harbor
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: harbor
        app.kubernetes.io/version: "2.11.0"
        component: nginx
        app.kubernetes.io/component: nginx
      annotations:
        checksum/configmap: 7114a5d89af834358c44d0e87c66e2c69da2e3dd545c02472a416c8a7857b983
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      containers:
        - name: nginx
          image: "goharbor/nginx-photon:v2.11.0"
          imagePullPolicy: "IfNotPresent"
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 1
            periodSeconds: 10
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8080
            - containerPort: 8443
          volumeMounts:
            - name: config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
            - name: certificate
              mountPath: /etc/nginx/cert
      volumes:
        - name: config
          configMap:
            name: harbor-nginx
        # Serving certificate and key come from the `harbor-ingress` Secret,
        # which is not defined in this file.
        - name: certificate
          secret:
            secretName: harbor-ingress
      nodeSelector:
        dedicated: storage
      tolerations:
        - effect: NoSchedule
          key: dedicated
          operator: Equal
          value: storage
---
# Source: harbor/templates/portal/deployment.yaml
# harbor-portal Deployment (static UI); same container hardening as core, and
# it receives no Secret at all.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "harbor-portal"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
    component: portal
    app.kubernetes.io/component: portal
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      release: harbor
      app: "harbor"
      component: portal
  template:
    metadata:
      labels:
        heritage: Helm
        release: harbor
        chart: harbor
        app: "harbor"
        app.kubernetes.io/instance: harbor
        app.kubernetes.io/name: harbor
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: harbor
        app.kubernetes.io/version: "2.11.0"
        component: portal
        app.kubernetes.io/component: portal
      annotations:
        checksum/configmap: d1b4818dc76aa5b382b435491e437f3c5f9795bf1fb019c82b003f75e7bc3d8f
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      containers:
        - name: portal
          image: goharbor/harbor-portal:v2.11.0
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          livenessProbe:
            httpGet:
              path: /
              scheme: HTTP
              port: 8080
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              scheme: HTTP
              port: 8080
            initialDelaySeconds: 1
            periodSeconds: 10
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: portal-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
      volumes:
        - name: portal-config
          configMap:
            name: "harbor-portal"
      nodeSelector:
        dedicated: storage
      tolerations:
        - effect: NoSchedule
          key: dedicated
          operator: Equal
          value: storage
---
# Source: harbor/templates/registry/registry-dpl.yaml
# harbor-registry Deployment with two containers, registry and registryctl.
# Same container hardening as core; readOnlyRootFilesystem and resource
# requests/limits are not set. S3 credentials come from the
# `harbor-minio-credentials` Secret, which is not defined in this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "harbor-registry"
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
    component: registry
    app.kubernetes.io/component: registry
spec:
  replicas: 1
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      release: harbor
      app: "harbor"
      component: registry
  template:
    metadata:
      labels:
        heritage: Helm
        release: harbor
        chart: harbor
        app: "harbor"
        app.kubernetes.io/instance: harbor
        app.kubernetes.io/name: harbor
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: harbor
        app.kubernetes.io/version: "2.11.0"
        component: registry
        app.kubernetes.io/component: registry
      annotations:
        checksum/configmap: b11f146e734a9ac7c3df9f83562e7ac5fea9e2b10b89118f19207c9b95104496
        checksum/secret: 0f5e88685eab94c5cbd47af720313509083331fcdbd9cae66b398fcda5db4d0f
        checksum/secret-jobservice: 7a0f120fa4eeb574f5aa57abcc015d73eee4412bb4548488f26d13f3837416ee
        checksum/secret-core: e354eacb10ba71353349bcbd04502278c8bcb0522adc2a26f213000305ab1327
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
        fsGroupChangePolicy: OnRootMismatch
      automountServiceAccountToken: false
      terminationGracePeriodSeconds: 120
      containers:
        - name: registry
          image: goharbor/registry-photon:v2.11.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /
              scheme: HTTP
              port: 5000
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              scheme: HTTP
              port: 5000
            initialDelaySeconds: 1
            periodSeconds: 10
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          args: ["serve", "/etc/registry/config.yml"]
          envFrom:
            - secretRef:
                name: "harbor-registry"
            - secretRef:
                name: harbor-minio-credentials
          # Rendered empty (YAML null).
          env:
          ports:
            - containerPort: 5000
            - containerPort: 8001
          volumeMounts:
            - name: registry-data
              mountPath: /storage
              subPath:
            - name: registry-htpasswd
              mountPath: /etc/registry/passwd
              subPath: passwd
            - name: registry-config
              mountPath: /etc/registry/config.yml
              subPath: config.yml
        - name: registryctl
          image: goharbor/harbor-registryctl:v2.11.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /api/health
              scheme: HTTP
              port: 8080
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /api/health
              scheme: HTTP
              port: 8080
            initialDelaySeconds: 1
            periodSeconds: 10
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          envFrom:
            - configMapRef:
                name: "harbor-registryctl"
            - secretRef:
                name: "harbor-registry"
            - secretRef:
                name: "harbor-registryctl"
            - secretRef:
                name: harbor-minio-credentials
          env:
            - name: CORE_SECRET
              valueFrom:
                secretKeyRef:
                  name: harbor-core
                  key: secret
            - name: JOBSERVICE_SECRET
              valueFrom:
                secretKeyRef:
                  name: harbor-jobservice
                  key: JOBSERVICE_SECRET
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: registry-data
              mountPath: /storage
              subPath:
            - name: registry-config
              mountPath: /etc/registry/config.yml
              subPath: config.yml
            - name: registry-config
              mountPath: /etc/registryctl/config.yml
              subPath: ctl-config.yml
      volumes:
        - name: registry-htpasswd
          secret:
            secretName: harbor-registry-htpasswd
            items:
              - key: REGISTRY_HTPASSWD
                path: passwd
        - name: registry-config
          configMap:
            name: "harbor-registry"
        - name: registry-data
          emptyDir: {}
      nodeSelector:
        dedicated: storage
      tolerations:
        - effect: NoSchedule
          key: dedicated
          operator: Equal
          value: storage
---
# Source: harbor/templates/metrics/metrics-svcmon.yaml
# ServiceMonitor selecting Services labelled release=harbor, app=harbor and
# scraping their `http-metrics` port (core, exporter, jobservice and registry
# in this file). honorLabels keeps labels supplied by the scraped target when
# they collide with the ones Prometheus attaches.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: harbor
  labels:
    heritage: Helm
    release: harbor
    chart: harbor
    app: "harbor"
    app.kubernetes.io/instance: harbor
    app.kubernetes.io/name: harbor
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: harbor
    app.kubernetes.io/version: "2.11.0"
spec:
  jobLabel: app.kubernetes.io/name
  endpoints:
    - port: http-metrics
      honorLabels: true
  selector:
    matchLabels:
      release: harbor
      app: "harbor"