Author | SHA1 | Date |
---|---|---|
Lauri Võsandi | 2103ac0815 | |
Lauri Võsandi | 7f9d653d49 | |
Lauri Võsandi | 713910086f | |
Lauri Võsandi | 7077d75395 |
|
@ -10,6 +10,20 @@ from sanic.response import json
|
|||
from image_mutation import mutate_image
|
||||
from harbor_wrapper import Harbor
|
||||
|
||||
mutation_excluded_namespaces = set([
|
||||
# Do not fiddle with CNI stuff
|
||||
"kube-system", # kube-proxy hosted here
|
||||
"tigera-operator",
|
||||
"calico-system",
|
||||
"metallb-system",
|
||||
|
||||
# Do not fiddle with CSI stuff
|
||||
"longhorn-system",
|
||||
|
||||
# Don't touch Harbor itself
|
||||
"harbor-operator",
|
||||
])
|
||||
|
||||
harbor = Harbor(os.environ["HARBOR_URI"])
|
||||
cached_registries = set()
|
||||
app = Sanic("admission_control")
|
||||
|
@ -18,17 +32,21 @@ app = Sanic("admission_control")
|
|||
@app.post("/")
|
||||
async def admission_control_handler(request):
|
||||
patches = []
|
||||
for index, container in enumerate(request.json["request"]["object"]["spec"]["containers"]):
|
||||
mutated_image = mutate_image(container["image"], harbor.hostname, cached_registries)
|
||||
patches.append({
|
||||
"op": "replace",
|
||||
"path": "/spec/containers/%d/image" % index,
|
||||
"value": mutated_image,
|
||||
})
|
||||
print("Substituting %s with %s for pod %s/%s" % (
|
||||
container["image"], mutated_image,
|
||||
request.json["request"]["object"]["metadata"]["namespace"],
|
||||
request.json["request"]["object"]["metadata"]["name"]))
|
||||
pod_namespace = request.json["request"]["object"]["metadata"]["namespace"]
|
||||
pod_name = request.json["request"]["object"]["metadata"].get("name", "")
|
||||
pod_ref = "%s/%s" % (pod_namespace, pod_name)
|
||||
if pod_namespace in mutation_excluded_namespaces:
|
||||
print("Pod %s not mutated by namespace exclusion" % pod_ref)
|
||||
else:
|
||||
for index, container in enumerate(request.json["request"]["object"]["spec"]["containers"]):
|
||||
mutated_image = mutate_image(container["image"], harbor.hostname, cached_registries)
|
||||
patches.append({
|
||||
"op": "replace",
|
||||
"path": "/spec/containers/%d/image" % index,
|
||||
"value": mutated_image,
|
||||
})
|
||||
print("Substituting %s with %s for pod %s" % (
|
||||
container["image"], mutated_image, pod_ref))
|
||||
response = {
|
||||
"apiVersion": "admission.k8s.io/v1",
|
||||
"kind": "AdmissionReview",
|
||||
|
|
|
@ -1,4 +1,20 @@
|
|||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: PostgresDatabase
|
||||
metadata:
|
||||
name: harbor
|
||||
spec:
|
||||
capacity: {{ .Values.storage.postgres.storage }}
|
||||
class: {{ .Values.storage.postgres.class }}
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: Redis
|
||||
metadata:
|
||||
name: core
|
||||
spec:
|
||||
class: ephemeral
|
||||
capacity: 512Mi
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
|
@ -18,7 +34,7 @@ spec:
|
|||
name: harbor-operator
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: GeneratedSecret
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: harbor-admin-secrets
|
||||
spec:
|
||||
|
@ -29,7 +45,7 @@ spec:
|
|||
value: "https://admin:%(password)s@{{ .Values.ingress.host }}"
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: GeneratedSecret
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: harbor-core-secret
|
||||
spec:
|
||||
|
@ -38,7 +54,7 @@ spec:
|
|||
value: "%(password)s"
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: GeneratedSecret
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: harbor-core-oidc-secret-encryption-key
|
||||
spec:
|
||||
|
@ -48,7 +64,7 @@ spec:
|
|||
value: "%(password)s"
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: GeneratedSecret
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: harbor-core-csrf-key
|
||||
spec:
|
||||
|
@ -115,7 +131,7 @@ metadata:
|
|||
app: harbor
|
||||
component: core
|
||||
spec:
|
||||
replicas: 2
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 0
|
||||
selector:
|
||||
matchLabels: &selectorLabels
|
||||
|
@ -185,37 +201,37 @@ spec:
|
|||
- name: POSTGRESQL_HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-pguser-harbor
|
||||
key: host
|
||||
name: postgres-database-harbor-owner-secrets
|
||||
key: PGHOST
|
||||
- name: POSTGRESQL_PORT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-pguser-harbor
|
||||
key: port
|
||||
name: postgres-database-harbor-owner-secrets
|
||||
key: PGPORT
|
||||
- name: POSTGRESQL_DATABASE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-pguser-harbor
|
||||
key: dbname
|
||||
name: postgres-database-harbor-owner-secrets
|
||||
key: PGDATABASE
|
||||
- name: POSTGRESQL_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-pguser-harbor
|
||||
key: user
|
||||
name: postgres-database-harbor-owner-secrets
|
||||
key: PGUSER
|
||||
- name: POSTGRESQL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-pguser-harbor
|
||||
key: password
|
||||
name: postgres-database-harbor-owner-secrets
|
||||
key: PGPASSWORD
|
||||
- name: _REDIS_URL_CORE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-core-redis-secrets
|
||||
name: redis-core-owner-secrets
|
||||
key: REDIS_URI
|
||||
- name: _REDIS_URL_REG
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-registry-redis-secrets
|
||||
name: redis-registry-owner-secrets
|
||||
key: REDIS_URI
|
||||
- name: CORE_SECRET
|
||||
valueFrom:
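Review bot: `replicas: 2` drops to `replicas: 1` for harbor-core, which makes the registry API a single point of failure at the same time the admission webhook in this change set rewrites pod images in all non-excluded namespaces to go through Harbor, so a core restart or node drain can stall image pulls (and, depending on the webhook's failurePolicy, pod creation) cluster-wide. If the reduction is deliberate, record why next to the line, e.g. `replicas: 1  # single replica: <reason>`; otherwise keep 2 with pod anti-affinity. The new `Redis` named `core` is `class: ephemeral` / 512Mi; Harbor core keeps sessions and cache there, which is acceptable for cache but means active logins are dropped on every Redis restart — worth a one-line comment on `class: ephemeral` confirming that is understood, since what `ephemeral` guarantees in this operator is not visible here.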
|
||||
|
|
|
@ -1,6 +1,14 @@
|
|||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: GeneratedSecret
|
||||
kind: Redis
|
||||
metadata:
|
||||
name: jobservice
|
||||
spec:
|
||||
class: ephemeral
|
||||
capacity: 512Mi
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: harbor-jobservice
|
||||
spec:
|
||||
|
@ -36,7 +44,6 @@ data:
|
|||
workers: 1
|
||||
backend: "redis"
|
||||
redis_pool:
|
||||
redis_url: "redis://harbor-jobservice-redis:6379/0"
|
||||
namespace: "harbor_job_service_namespace"
|
||||
idle_timeout_second: 3600
|
||||
job_loggers:
|
||||
|
@ -121,7 +128,7 @@ spec:
|
|||
- name: JOB_SERVICE_POOL_REDIS_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-jobservice-redis-secrets
|
||||
name: redis-jobservice-owner-secrets
|
||||
key: REDIS_URI
|
||||
- name: CORE_SECRET
|
||||
valueFrom:
|
||||
|
@ -131,7 +138,7 @@ spec:
|
|||
- name: _REDIS_URL_CORE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-core-redis-secrets
|
||||
name: redis-core-owner-secrets
|
||||
key: REDIS_URI
|
||||
envFrom:
|
||||
- configMapRef:
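Review bot: The new `Redis` named `jobservice` is `class: ephemeral`, yet this instance is the job queue itself (`backend: "redis"` and `redis_pool` in the config below, `JOB_SERVICE_POOL_REDIS_URL` in the env), not a cache, so queued and scheduled jobs (replication, GC, scans) are lost whenever the Redis pod restarts — assuming `ephemeral` means no persistence in this operator. Either pick a persistent class for this one instance or document the trade-off inline: `class: ephemeral  # job queue is lost on restart; acceptable because …`. Dropping `redis_url` from `redis_pool` is fine only if the image honours `JOB_SERVICE_POOL_REDIS_URL` as an override for that key, which is what the env rename relies on.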
|
||||
|
|
|
@ -1,6 +1,22 @@
|
|||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: GeneratedSecret
|
||||
kind: Bucket
|
||||
metadata:
|
||||
name: registry
|
||||
spec:
|
||||
capacity: {{ .Values.storage.registry.storage }}
|
||||
class: {{ .Values.storage.registry.class }}
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: Redis
|
||||
metadata:
|
||||
name: registry
|
||||
spec:
|
||||
class: ephemeral
|
||||
capacity: 512Mi
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: harbor-registry-credentials
|
||||
spec:
|
||||
|
@ -11,7 +27,7 @@ spec:
|
|||
value: "harbor_registry_user:%(bcrypt)s"
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: GeneratedSecret
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: harbor-registry
|
||||
spec:
|
||||
|
@ -33,8 +49,6 @@ data:
|
|||
fields:
|
||||
service: registry
|
||||
storage:
|
||||
filesystem:
|
||||
rootdirectory: /storage
|
||||
cache:
|
||||
layerinfo: redis
|
||||
maintenance:
|
||||
|
@ -45,10 +59,7 @@ data:
|
|||
dryrun: false
|
||||
delete:
|
||||
enabled: true
|
||||
redirect:
|
||||
disable: false
|
||||
redis:
|
||||
addr: harbor-registry-redis:6379
|
||||
db: 0
|
||||
readtimeout: 10s
|
||||
writetimeout: 10s
|
||||
|
@ -81,21 +92,6 @@ data:
|
|||
log_level: info
|
||||
registry_config: "/etc/registry/config.yml"
|
||||
---
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: harbor-registry
|
||||
labels:
|
||||
app: harbor
|
||||
component: registry
|
||||
spec:
|
||||
storageClassName: {{ .Values.storage.registry.storageClass }}
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.storage.registry.storage }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
@ -154,20 +150,52 @@ spec:
|
|||
- serve
|
||||
- /etc/registry/config.yml
|
||||
env:
|
||||
- name: REGISTRY_HTTP_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-registry
|
||||
key: REGISTRY_HTTP_SECRET
|
||||
- name: REGISTRY_REDIS_ADDR
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: redis-registry-owner-secrets
|
||||
key: REDIS_HOST_PORT
|
||||
- name: REGISTRY_REDIS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: harbor-registry-redis-secrets
|
||||
name: redis-registry-owner-secrets
|
||||
key: REDIS_PASSWORD
|
||||
- name: REGISTRY_STORAGE_S3_ACCESSKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_ACCESS_KEY_ID
|
||||
- name: REGISTRY_STORAGE_S3_SECRETKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_SECRET_ACCESS_KEY
|
||||
- name: REGISTRY_STORAGE_S3_REGION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_DEFAULT_REGION
|
||||
- name: REGISTRY_STORAGE_S3_REGIONENDPOINT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_S3_ENDPOINT_URL
|
||||
- name: REGISTRY_STORAGE_S3_BUCKET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: BUCKET_NAME
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
name: http
|
||||
- containerPort: 5001
|
||||
name: metrics
|
||||
volumeMounts:
|
||||
- name: registry-data
|
||||
mountPath: /storage
|
||||
subPath:
|
||||
- name: registry-htpasswd
|
||||
mountPath: /etc/registry/passwd
|
||||
subPath: passwd
|
||||
|
@ -199,13 +227,45 @@ spec:
|
|||
secretKeyRef:
|
||||
name: harbor-registry
|
||||
key: REGISTRY_HTTP_SECRET
|
||||
- name: REGISTRY_REDIS_ADDR
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: redis-registry-owner-secrets
|
||||
key: REDIS_HOST_PORT
|
||||
- name: REGISTRY_REDIS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: redis-registry-owner-secrets
|
||||
key: REDIS_PASSWORD
|
||||
- name: REGISTRY_STORAGE_S3_ACCESSKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_ACCESS_KEY_ID
|
||||
- name: REGISTRY_STORAGE_S3_SECRETKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_SECRET_ACCESS_KEY
|
||||
- name: REGISTRY_STORAGE_S3_REGION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_DEFAULT_REGION
|
||||
- name: REGISTRY_STORAGE_S3_REGIONENDPOINT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: AWS_S3_ENDPOINT_URL
|
||||
- name: REGISTRY_STORAGE_S3_BUCKET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: bucket-registry-owner-secrets
|
||||
key: BUCKET_NAME
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
volumeMounts:
|
||||
- name: registry-data
|
||||
mountPath: /storage
|
||||
subPath:
|
||||
- name: registry-config
|
||||
mountPath: /etc/registry/config.yml
|
||||
subPath: config.yml
|
||||
|
@ -222,6 +282,3 @@ spec:
|
|||
- name: registry-config
|
||||
configMap:
|
||||
name: harbor-registry
|
||||
- name: registry-data
|
||||
persistentVolumeClaim:
|
||||
claimName: harbor-registry
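Review bot: With blob storage moved to S3 via `REGISTRY_STORAGE_S3_*`, the `redirect:` / `disable: false` setting still present in `config.yml` makes the registry answer blob GETs with a 307 to a presigned URL on `AWS_S3_ENDPOINT_URL`; if that endpoint (a `Bucket`-provisioned, likely in-cluster store) is not reachable by the nodes and clients pulling images, pulls fail after a successful manifest fetch. Unless the endpoint is publicly routable with a trusted certificate, set `disable: true` under `redirect:` (or `REGISTRY_STORAGE_REDIRECT_DISABLE: "true"`) so the registry proxies blobs itself. The `bucket-registry-owner-secrets` credentials are injected into both containers; the `owner` naming suggests full-bucket rights, so a key scoped to read/write on this bucket would be the least-privilege choice if the operator can mint one. Note that the `/storage` mounts and the `registry-data` PVC go away while `storage.cache` and `maintenance` stay, so remaining `/storage` references in the chart deserve a grep.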
|
||||
|
|
|
@ -1,68 +0,0 @@
|
|||
apiVersion: postgres-operator.crunchydata.com/v1beta1
|
||||
kind: PostgresCluster
|
||||
metadata:
|
||||
name: harbor
|
||||
spec:
|
||||
postgresVersion: 14
|
||||
instances:
|
||||
- name: postgres
|
||||
replicas: 3
|
||||
dataVolumeClaimSpec:
|
||||
storageClassName: {{ .Values.storage.postgres.storageClass }}
|
||||
accessModes:
|
||||
- "ReadWriteOnce"
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.storage.postgres.storage }}
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- amd64
|
||||
podAntiAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
- topologyKey: {{ .Values.topologyKey }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
postgres-operator.crunchydata.com/cluster: harbor
|
||||
postgres-operator.crunchydata.com/instance-set: postgres
|
||||
backups:
|
||||
pgbackrest:
|
||||
global:
|
||||
repo1-retention-full: "1"
|
||||
repo1-retention-full-type: time
|
||||
repoHost:
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- amd64
|
||||
jobs:
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- amd64
|
||||
repos:
|
||||
- name: repo1
|
||||
schedules:
|
||||
full: "0 5 31 2 *"
|
||||
volume:
|
||||
volumeClaimSpec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Mi
|
|
@ -1,21 +0,0 @@
|
|||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: KeyDBCluster
|
||||
metadata:
|
||||
name: harbor-core-redis
|
||||
spec:
|
||||
replicas: 3
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: KeyDBCluster
|
||||
metadata:
|
||||
name: harbor-jobservice-redis
|
||||
spec:
|
||||
replicas: 3
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: KeyDBCluster
|
||||
metadata:
|
||||
name: harbor-registry-redis
|
||||
spec:
|
||||
replicas: 3
|
|
@ -26,10 +26,10 @@ image:
|
|||
# Storage options
|
||||
storage:
|
||||
postgres:
|
||||
storageClass: postgres
|
||||
class: shared
|
||||
storage: 5Gi
|
||||
registry:
|
||||
storageClass: longhorn
|
||||
class: shared
|
||||
storage: 30Gi
|
||||
|
||||
# Harbor projects to initialize
|
||||
|
|