265 lines
7.0 KiB
YAML
265 lines
7.0 KiB
YAML
|
---
|
||
|
apiVersion: cert-manager.io/v1
|
||
|
kind: Issuer
|
||
|
metadata:
|
||
|
name: harbor-operator
|
||
|
spec:
|
||
|
selfSigned: {}
|
||
|
---
|
||
|
apiVersion: cert-manager.io/v1
|
||
|
kind: Certificate
|
||
|
metadata:
|
||
|
name: harbor-core
|
||
|
spec:
|
||
|
secretName: harbor-core-key
|
||
|
dnsNames:
|
||
|
- harbor-core.harbor-operator.svc
|
||
|
issuerRef:
|
||
|
name: harbor-operator
|
||
|
---
|
||
|
apiVersion: codemowers.io/v1alpha1
|
||
|
kind: GeneratedSecret
|
||
|
metadata:
|
||
|
name: harbor-admin-secrets
|
||
|
spec:
|
||
|
mapping:
|
||
|
- key: HARBOR_ADMIN_PASSWORD
|
||
|
value: "%(password)s"
|
||
|
- key: HARBOR_URI
|
||
|
value: "https://admin:%(password)s@{{ .Values.ingress.host }}"
|
||
|
---
|
||
|
apiVersion: codemowers.io/v1alpha1
|
||
|
kind: GeneratedSecret
|
||
|
metadata:
|
||
|
name: harbor-core-secret
|
||
|
spec:
|
||
|
mapping:
|
||
|
- key: CORE_SECRET
|
||
|
value: "%(password)s"
|
||
|
---
|
||
|
apiVersion: codemowers.io/v1alpha1
|
||
|
kind: GeneratedSecret
|
||
|
metadata:
|
||
|
name: harbor-core-oidc-secret-encryption-key
|
||
|
spec:
|
||
|
size: 32
|
||
|
mapping:
|
||
|
- key: secretKey
|
||
|
value: "%(password)s"
|
||
|
---
|
||
|
apiVersion: codemowers.io/v1alpha1
|
||
|
kind: GeneratedSecret
|
||
|
metadata:
|
||
|
name: harbor-core-csrf-key
|
||
|
spec:
|
||
|
size: 32
|
||
|
mapping:
|
||
|
- key: CSRF_KEY
|
||
|
value: "%(password)s"
|
||
|
---
|
||
|
apiVersion: v1
|
||
|
kind: ConfigMap
|
||
|
metadata:
|
||
|
name: harbor-core
|
||
|
labels:
|
||
|
app: harbor
|
||
|
data:
|
||
|
app.conf: |+
|
||
|
appname = Harbor
|
||
|
runmode = prod
|
||
|
enablegzip = true
|
||
|
[prod]
|
||
|
httpport = 8080
|
||
|
PORT: "8080"
|
||
|
POSTGRESQL_MAX_IDLE_CONNS: "100"
|
||
|
POSTGRESQL_MAX_OPEN_CONNS: "900"
|
||
|
EXT_ENDPOINT: "https://{{ .Values.ingress.host }}"
|
||
|
CORE_URL: "http://harbor-core:80"
|
||
|
JOBSERVICE_URL: "http://harbor-jobservice"
|
||
|
REGISTRY_URL: "http://harbor-registry:5000"
|
||
|
TOKEN_SERVICE_URL: "http://harbor-core:80/service/token"
|
||
|
CORE_LOCAL_URL: "http://127.0.0.1:8080"
|
||
|
REGISTRY_STORAGE_PROVIDER_NAME: "filesystem"
|
||
|
LOG_LEVEL: "info"
|
||
|
CONFIG_PATH: "/etc/core/app.conf"
|
||
|
CHART_CACHE_DRIVER: "redis"
|
||
|
PORTAL_URL: "http://harbor-portal"
|
||
|
REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080"
|
||
|
PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry"
|
||
|
METRIC_ENABLE: "true"
|
||
|
METRIC_PATH: "/metrics"
|
||
|
METRIC_PORT: "8001"
|
||
|
METRIC_NAMESPACE: harbor
|
||
|
METRIC_SUBSYSTEM: core
|
||
|
---
|
||
|
apiVersion: v1
|
||
|
kind: Service
|
||
|
metadata:
|
||
|
name: harbor-core
|
||
|
labels:
|
||
|
app: harbor
|
||
|
spec:
|
||
|
ports:
|
||
|
- name: http
|
||
|
port: 80
|
||
|
targetPort: 8080
|
||
|
selector:
|
||
|
app: harbor
|
||
|
component: core
|
||
|
---
|
||
|
apiVersion: apps/v1
|
||
|
kind: Deployment
|
||
|
metadata:
|
||
|
name: harbor-core
|
||
|
labels:
|
||
|
app: harbor
|
||
|
component: core
|
||
|
spec:
|
||
|
replicas: 2
|
||
|
revisionHistoryLimit: 0
|
||
|
selector:
|
||
|
matchLabels: &selectorLabels
|
||
|
app: harbor
|
||
|
component: core
|
||
|
template:
|
||
|
metadata:
|
||
|
labels: *selectorLabels
|
||
|
spec:
|
||
|
affinity:
|
||
|
nodeAffinity:
|
||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||
|
nodeSelectorTerms:
|
||
|
- matchExpressions:
|
||
|
- key: kubernetes.io/arch
|
||
|
operator: In
|
||
|
values:
|
||
|
- amd64
|
||
|
securityContext:
|
||
|
runAsUser: 10000
|
||
|
fsGroup: 10000
|
||
|
automountServiceAccountToken: false
|
||
|
terminationGracePeriodSeconds: 120
|
||
|
containers:
|
||
|
- name: core
|
||
|
image: "{{ .Values.image.repository }}/harbor-core:{{ .Values.image.tag }}"
|
||
|
startupProbe:
|
||
|
httpGet:
|
||
|
path: /api/v2.0/ping
|
||
|
scheme: HTTP
|
||
|
port: 8080
|
||
|
failureThreshold: 360
|
||
|
initialDelaySeconds: 10
|
||
|
periodSeconds: 10
|
||
|
readinessProbe:
|
||
|
httpGet:
|
||
|
path: /api/v2.0/ping
|
||
|
scheme: HTTP
|
||
|
port: 8080
|
||
|
failureThreshold: 2
|
||
|
periodSeconds: 10
|
||
|
envFrom:
|
||
|
- configMapRef:
|
||
|
name: harbor-core
|
||
|
env:
|
||
|
- name: REGISTRY_CREDENTIAL_USERNAME
|
||
|
value: harbor_registry_user
|
||
|
- name: REGISTRY_CREDENTIAL_PASSWORD
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-registry-credentials
|
||
|
key: REGISTRY_CREDENTIAL_PASSWORD
|
||
|
- name: DATABASE_TYPE
|
||
|
value: postgresql
|
||
|
- name: POSTGRESQL_SSLMODE
|
||
|
value: require
|
||
|
- name: CSRF_KEY
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-core-csrf-key
|
||
|
key: CSRF_KEY
|
||
|
- name: HARBOR_ADMIN_PASSWORD
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-admin-secrets
|
||
|
key: HARBOR_ADMIN_PASSWORD
|
||
|
- name: POSTGRESQL_HOST
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-pguser-harbor
|
||
|
key: host
|
||
|
- name: POSTGRESQL_PORT
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-pguser-harbor
|
||
|
key: port
|
||
|
- name: POSTGRESQL_DATABASE
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-pguser-harbor
|
||
|
key: dbname
|
||
|
- name: POSTGRESQL_USERNAME
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-pguser-harbor
|
||
|
key: user
|
||
|
- name: POSTGRESQL_PASSWORD
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-pguser-harbor
|
||
|
key: password
|
||
|
- name: _REDIS_URL_CORE
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-core-redis-secrets
|
||
|
key: REDIS_URI
|
||
|
- name: _REDIS_URL_REG
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-registry-redis-secrets
|
||
|
key: REDIS_URI
|
||
|
- name: CORE_SECRET
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-core-secret
|
||
|
key: CORE_SECRET
|
||
|
- name: JOBSERVICE_SECRET
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: harbor-jobservice
|
||
|
key: JOBSERVICE_SECRET
|
||
|
ports:
|
||
|
- containerPort: 8080
|
||
|
name: http
|
||
|
- containerPort: 8001
|
||
|
name: metrics
|
||
|
volumeMounts:
|
||
|
- name: config
|
||
|
mountPath: /etc/core/app.conf
|
||
|
subPath: app.conf
|
||
|
- name: secret-key
|
||
|
mountPath: /etc/core/key
|
||
|
subPath: key
|
||
|
- name: token-service-private-key
|
||
|
mountPath: /etc/core/private_key.pem
|
||
|
subPath: tls.key
|
||
|
- name: psc
|
||
|
mountPath: /etc/core/token
|
||
|
volumes:
|
||
|
- name: config
|
||
|
configMap:
|
||
|
name: harbor-core
|
||
|
items:
|
||
|
- key: app.conf
|
||
|
path: app.conf
|
||
|
- name: secret-key
|
||
|
secret:
|
||
|
secretName: harbor-core-oidc-secret-encryption-key
|
||
|
items:
|
||
|
- key: secretKey
|
||
|
path: key
|
||
|
- name: token-service-private-key
|
||
|
secret:
|
||
|
secretName: harbor-core-key
|
||
|
- name: psc
|
||
|
emptyDir: {}
|