expose harbor via dedicated lb on storage nodes

This commit is contained in:
Erki Aas 2024-08-23 21:34:41 +03:00
parent a94a3f829c
commit 024edc1c9b

View File

@ -1,4 +1,125 @@
--- ---
# Source: harbor/templates/core/core-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: harbor-core
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
secretKey: "bm90LWEtc2VjdXJlLWtleQ=="
secret: "SmhSWFBRek5wQ2NqdWxUbA=="
tls.key: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBbk5zRWc2SE95OUtFODNjbFpHS1ZhRG1ST3hHM3UwcDRydGptVHd0Z3p4VDB0UlV0CjVvVEI1Uk5ER0QrTE9MQnBSM3VOaFlheDVIQW5WbEpYTnJsa21vQWpuelVMUHRldTNmWWdpbWlqK0ZCS1RnVTkKakdwbmV6TGRKMDh4R0doR2cvMFVJVjZEU2NRT2t5VTlOR2xGK1laRS90SjhjRzR6MFFxbFZWL0NpZVZWK0N2egpnbWc1MEt6MHJOTjJaSUNFL3M0d2ZGODNXVVV6MFZTRmZ2YnFCTnpKUkNJSyt0ektGWmFVcUx0amp3V2lwZTRMCjZGbUJlLzlDODkrNmF6a1ZlQ3QyMDdaanM5ck9NVVFpZ0dkRlNhczhRM0ZGVTVTaExxQUhnbVkyaE1ETlRBYnQKQVdtTzRwRlJFTXZlQ1BXazBINHU2QW1iejFKZ0tZRGdjUm01Y3dJREFRQUJBb0lCQURqamNtS3ZWOG95b3dlTwpLZUNicEtaMVlvZnk2QmtrYkZxMXplblRMWnhOZEdjTXRHWUx0aXIzN25pbjZ6MTNOZWU0RnQ3YnVEOHFzZ21yCnVYZmVpMjlCbENuVTJpeERtMmRqTWZBZy9YODgxNFl1Zm1FajRqNGJkM3dmUzZZWGc2T3hNUkRkTDI2Y2pkQ3UKUytGcllQYWJ6UUJDcE9FK0Jzc0ZPbXVaWEh3WVFOTERPbTZzWnlqR3VQZEZCZUlLa1ROSjJjWUZqQXBMd1dWdgp2NUwybnhWaHdwNXdqWWFPZmdVZUs1K2YwT3VXNFgva1dveGhHeVZLczJ2WUNwOTM1ZTk0KytwN05OOXVOQmExCmNKejhRY3FYQ0ZZRG0rbkswdVVacmlSR2E3elBKbmdjd0g2c3pMbHlpZ3YzeHZKbzBqZ2tnUjltNVF5TkV2cUwKNWdLY3Rra0NnWUVBeFJuOXBtdDlab3Y1RC92S3RPaDBKakNmVDQ4NzNRYkZmdUVydm95RVUyMit6MTZVL3hBbgpiTXVHSEU5dnJQWjFxWHlkdUNuYXRUY3RBTHRyQ1RicFhCTTRYQlV1d2phQzRnS3l6NVNNM1cvdFdsZ0xNeDIrCnBmZS9rTVE4N1VIMm5Ncnl2d1RGMG5VS2hDSG9VOGZsUGdhRUc5dzhlVC9uT1ByV3llZS9QVThDZ1lFQXk3cEMKNFpJRFgyWXpJRU1ueUpJY3BFYU5RaVFGTHppWk1WVllVVGc4dkcvczhGZGI5S3hiMjFQekR5SzZnSFc3dUs2TwpISjBacUtzcHBEYkNpUDVDb2tiM1JMWVM0eXZIWnBPdlF4QVRQanhURUNxMUVvSHVXNkdWUTBXYVY1ckFseEUzClBjV0dUcVNvTkd0NG5QWFFjNGZabVZlbFVyQWpNNWdDcFg4VTRKMENnWUFuUzdsQVZxblhxZ3hyM1YxYW1BV2cKSDQyRGhTRUFQZnRlQW5LQU9PK2cybjV5Ulg4Ykl4TlpJM0tIYm1icmF1K21iTXZkRGFzbStlc2svRGlveTZQVwowWllvOWFndTNFTlg0QVhhVU5tTXhHWGozeTNNY1Irell5TjBMMHVlV2NwYkZETTFWalJDYzBjM2RMTW5FUEZwClhrODBac0kvd2pmTkttVnNONkh2RFFLQmdCT0FDNkROdWhicWtHQTVMVmlzYTZOcHdXR2dVd0szRnlxNnNZNXMKcEp1ZzF2d1dVSTMxNVlEejR5TUN2dmxHeTZZY3h5dUQrZzNEL0dOa2ZuQmdiZjVjYnBTY0hPaXpxdzF0ZTJ3ZQo0TWluTzRnam5sdGNKbldNM04yb2p1SnR4SnR4SVdsL082RFJiK3c4a1RuczZYdjFkK1dPbHh0NEVwYUFxVmd2CjlzNmRBb0dBV3A2VUVtRXpXUThCSVNYWUl0a1NBMjc1N3BEUmw1YnoxNkg4L2htanFRWVFOeWg2WnVSRjV1TUwKRndldytHeHN4OHJWazdEUktuN2tRcHFSU0ZYOTJkOUREVkc4WW9uemRDSFZpemtqR0FwSUZNNUFmWG04TTZ2UQpOUjB5MU5Yd2ZMZ0FsNU1TK0thcVQwaGJjU3FkYjI0OUtFZ1pLcmEyZGpVSk1nNmhXTU09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
tls.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJRENDQWdpZ0F3SUJBZ0lSQUtoRDl2ZlVWOE1IVGRHRXdadDViUDR3RFFZSktvWklodmNOQVFFTEJRQXcKR2pFWU1CWUdBMVVFQXhNUGFHRnlZbTl5TFhSdmEyVnVMV05oTUI0WERUSTBNRGd5TXpFNE1qZ3dNbG9YRFRJMQpNRGd5TXpFNE1qZ3dNbG93R2pFWU1CWUdBMVVFQXhNUGFHRnlZbTl5TFhSdmEyVnVMV05oTUlJQklqQU5CZ2txCmhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBbk5zRWc2SE95OUtFODNjbFpHS1ZhRG1ST3hHM3UwcDQKcnRqbVR3dGd6eFQwdFJVdDVvVEI1Uk5ER0QrTE9MQnBSM3VOaFlheDVIQW5WbEpYTnJsa21vQWpuelVMUHRldQozZllnaW1paitGQktUZ1U5akdwbmV6TGRKMDh4R0doR2cvMFVJVjZEU2NRT2t5VTlOR2xGK1laRS90SjhjRzR6CjBRcWxWVi9DaWVWVitDdnpnbWc1MEt6MHJOTjJaSUNFL3M0d2ZGODNXVVV6MFZTRmZ2YnFCTnpKUkNJSyt0eksKRlphVXFMdGpqd1dpcGU0TDZGbUJlLzlDODkrNmF6a1ZlQ3QyMDdaanM5ck9NVVFpZ0dkRlNhczhRM0ZGVTVTaApMcUFIZ21ZMmhNRE5UQWJ0QVdtTzRwRlJFTXZlQ1BXazBINHU2QW1iejFKZ0tZRGdjUm01Y3dJREFRQUJvMkV3Clh6QU9CZ05WSFE4QkFmOEVCQU1DQXFRd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRkJ3TUMKTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk9xalpvcGlBOTZqTmZKVTRuNGNnQUlaWG1DaApNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNDNVdTSG4rcXVZZzJGRkoyYU9FajNWRk9ISENkaU9qNE1xUlE3Cjh4dTVyL2s5QnZvUit6QUpqSHNqRUpCcGNpNjYwV2FBbkw3NWNpc1N2MnB5S3YwNmFzS1MwNEdENFRIVE1sa1QKRXc0Y3JwMWIrWVg1akRMenBtSEJBN2ZaUmNFdEhkT01PdENBaVV0UkVSMmZZeThyZXFxMFpEa1FlNkk3OElEQwpERHRnbC85bDFQZ0xMeDYxeWdEZ1p2aG1od0hiVkFIdU5nb2kwdkhjeldoelhFK1RTTzJ0VVVxMmxhYTV2Y0Z1CmxnK3g0YzVGRUhrdmc1S0FLellDczM4RHhDYmZpWXhyanYwYkZVcnNzRzRZWmRDYTJNOGg0NDJ5L3AveXpKZU0KN0UvTjdyeUpla3FTUFVMQ1JuVHhXL2FEV3VSQ1Fac21ZamV2UmxCTXJhNkdtckh6Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU="
REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk"
CSRF_KEY: "dmFZRUtVQ0MySGxCRnRyeVdMcXF3U0dhMUNWOHVzUE8="
---
# Source: harbor/templates/exporter/exporter-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: harbor-exporter
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU="
---
# Source: harbor/templates/jobservice/jobservice-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: "harbor-jobservice"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
JOBSERVICE_SECRET: "ZU1oS0lBajVQUVcyRjI1Vg=="
REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk"
---
# Source: harbor/templates/registry/registry-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: "harbor-registry"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
REGISTRY_HTTP_SECRET: "VWxMS0YwYkpZQVRnU0dSUg=="
REGISTRY_REDIS_PASSWORD: "TXZZY3VVMFJhSXUxU1g3ZlkxbTFKcmdMVVNhWkpqZ2U="
---
# Source: harbor/templates/registry/registry-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: "harbor-registry-htpasswd"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
REGISTRY_HTPASSWD: "aGFyYm9yX3JlZ2lzdHJ5X3VzZXI6JDJhJDEwJDJzNFJMemFkMjNXYnUwNC5RZ1JrSi5JMWFLODhjWmFYdVRHOUh4Y1NGR2tsWjh1UmI5SUdx"
---
# Source: harbor/templates/registry/registryctl-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: "harbor-registryctl"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
type: Opaque
data:
---
# Source: harbor/templates/core/core-cm.yaml # Source: harbor/templates/core/core-cm.yaml
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -180,6 +301,180 @@ data:
# the max time for execution in running state without new task created # the max time for execution in running state without new task created
max_dangling_hours: 168 max_dangling_hours: 168
--- ---
# Source: harbor/templates/nginx/configmap-https.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: harbor-nginx
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
data:
nginx.conf: |+
worker_processes auto;
pid /tmp/nginx.pid;
events {
worker_connections 3096;
use epoll;
multi_accept on;
}
http {
client_body_temp_path /tmp/client_body_temp;
proxy_temp_path /tmp/proxy_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream core {
server "harbor-core:80";
}
upstream portal {
server "harbor-portal:80";
}
log_format timed_combined '[$time_local]:$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
map $http_x_forwarded_proto $x_forwarded_proto {
default $http_x_forwarded_proto;
"" $scheme;
}
server {
listen 8443 ssl;
listen [::]:8443 ssl;
# server_name harbordomain.com;
server_tokens off;
# SSL
ssl_certificate /etc/nginx/cert/tls.crt;
ssl_certificate_key /etc/nginx/cert/tls.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
# Add extra headers
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'none'";
location / {
proxy_pass http://portal/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; HttpOnly; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ {
proxy_pass http://core/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /chartrepo/ {
proxy_pass http://core/chartrepo/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /c/ {
proxy_pass http://core/c/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /v1/ {
return 404;
}
location /v2/ {
proxy_pass http://core/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/ {
proxy_pass http://core/service/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /service/notifications {
return 404;
}
}
server {
listen 8080;
listen [::]:8080;
#server_name harbordomain.com;
return 301 https://$host$request_uri;
}
}
---
# Source: harbor/templates/portal/configmap.yaml # Source: harbor/templates/portal/configmap.yaml
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -429,6 +724,39 @@ spec:
app: "harbor" app: "harbor"
component: jobservice component: jobservice
--- ---
# Source: harbor/templates/nginx/service.yaml
apiVersion: v1
kind: Service
metadata:
name: harbor
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
annotations:
cert-manager.io/cluster-issuer: default
external-dns.alpha.kubernetes.io/hostname: harbor.k-space.ee
metallb.universe.tf/address-pool: elisa
spec:
type: LoadBalancer
ports:
- name: http
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
selector:
release: harbor
app: "harbor"
component: nginx
---
# Source: harbor/templates/portal/service.yaml # Source: harbor/templates/portal/service.yaml
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -523,8 +851,8 @@ spec:
app.kubernetes.io/component: core app.kubernetes.io/component: core
annotations: annotations:
checksum/configmap: 9ea7f1881e4fe5b908355ee28e246b67c8c498d2f719dd74a5536a51ee2d9865 checksum/configmap: 9ea7f1881e4fe5b908355ee28e246b67c8c498d2f719dd74a5536a51ee2d9865
checksum/secret: af720060dbb42f2109b7fd0811a83c48c55313f95c3ba2e6e68010be0a2b2cd4 checksum/secret: ad9c2189410b47755f168b9cbb79d326a13d16176d96a521e287abbafc419df5
checksum/secret-jobservice: fdcf96de5337fccbcdac406929acbb799cb61e43c21be4f6affce7b2d7eaef3f checksum/secret-jobservice: d1b516e308114f8734b8eddf9260861e6c3d00e587c60491ad2c4e5f8c3e8b6f
spec: spec:
securityContext: securityContext:
runAsUser: 10000 runAsUser: 10000
@ -621,9 +949,15 @@ spec:
secretName: harbor-core secretName: harbor-core
- name: ca-download - name: ca-download
secret: secret:
secretName: "harbor-ingress"
- name: psc - name: psc
emptyDir: {} emptyDir: {}
nodeSelector:
dedicated: storage
tolerations:
- effect: NoSchedule
key: dedicated
operator: Equal
value: storage
--- ---
# Source: harbor/templates/exporter/exporter-dpl.yaml # Source: harbor/templates/exporter/exporter-dpl.yaml
apiVersion: apps/v1 apiVersion: apps/v1
@ -761,8 +1095,8 @@ spec:
annotations: annotations:
checksum/configmap: 3a35bef831e58536bf86670117b43e2913a4c1a60d0e74d948559d7a7d564684 checksum/configmap: 3a35bef831e58536bf86670117b43e2913a4c1a60d0e74d948559d7a7d564684
checksum/configmap-env: 80e8b81abf755707210d6112ad65167a7d53088b209f63c603d308ef68c4cfad checksum/configmap-env: 80e8b81abf755707210d6112ad65167a7d53088b209f63c603d308ef68c4cfad
checksum/secret: 6902f5ee11437ee5149ff54e363487163c43e21ddce1b120ea5528f3def513c6 checksum/secret: 611e10e564e1a519738a970fde36e25bcc66253e31b90c0bb456cc55d42cd5a7
checksum/secret-core: ed0bce05c92f40e7b854d7206e08d4c1581aac476956839e42075ab9cdd61e45 checksum/secret-core: bd3ce629c3ae3006f760f0552687212b8661ef62a9b8aea7cb476655be546e21
spec: spec:
securityContext: securityContext:
runAsUser: 10000 runAsUser: 10000
@ -823,6 +1157,110 @@ spec:
- name: job-logs - name: job-logs
persistentVolumeClaim: persistentVolumeClaim:
claimName: harbor-jobservice claimName: harbor-jobservice
nodeSelector:
dedicated: storage
tolerations:
- effect: NoSchedule
key: dedicated
operator: Equal
value: storage
---
# Source: harbor/templates/nginx/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: harbor-nginx
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
component: nginx
app.kubernetes.io/component: nginx
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
release: harbor
app: "harbor"
component: nginx
template:
metadata:
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
component: nginx
app.kubernetes.io/component: nginx
annotations:
checksum/configmap: 7114a5d89af834358c44d0e87c66e2c69da2e3dd545c02472a416c8a7857b983
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
containers:
- name: nginx
image: "goharbor/nginx-photon:v2.11.0"
imagePullPolicy: "IfNotPresent"
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 1
periodSeconds: 10
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
ports:
- containerPort: 8080
- containerPort: 8443
volumeMounts:
- name: config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
- name: certificate
mountPath: /etc/nginx/cert
volumes:
- name: config
configMap:
name: harbor-nginx
- name: certificate
secret:
secretName: harbor-ingress
nodeSelector:
dedicated: storage
tolerations:
- effect: NoSchedule
key: dedicated
operator: Equal
value: storage
--- ---
# Source: harbor/templates/portal/deployment.yaml # Source: harbor/templates/portal/deployment.yaml
apiVersion: apps/v1 apiVersion: apps/v1
@ -907,6 +1345,13 @@ spec:
- name: portal-config - name: portal-config
configMap: configMap:
name: "harbor-portal" name: "harbor-portal"
nodeSelector:
dedicated: storage
tolerations:
- effect: NoSchedule
key: dedicated
operator: Equal
value: storage
--- ---
# Source: harbor/templates/registry/registry-dpl.yaml # Source: harbor/templates/registry/registry-dpl.yaml
apiVersion: apps/v1 apiVersion: apps/v1
@ -951,9 +1396,9 @@ spec:
app.kubernetes.io/component: registry app.kubernetes.io/component: registry
annotations: annotations:
checksum/configmap: b11f146e734a9ac7c3df9f83562e7ac5fea9e2b10b89118f19207c9b95104496 checksum/configmap: b11f146e734a9ac7c3df9f83562e7ac5fea9e2b10b89118f19207c9b95104496
checksum/secret: dca1f41d66de90e85f5979631e3653bd898df32609307e2e794a72004dec22f9 checksum/secret: 0f5e88685eab94c5cbd47af720313509083331fcdbd9cae66b398fcda5db4d0f
checksum/secret-jobservice: 1728caf6daf5c1b1770da4133efe152d0a10260cb6e5271b7545696ff3b8a1f4 checksum/secret-jobservice: 7a0f120fa4eeb574f5aa57abcc015d73eee4412bb4548488f26d13f3837416ee
checksum/secret-core: 7c8aefdcb5f56e17ceb9dc21105e5b98d5a9294b70e1bea13ef83cc40fb595e2 checksum/secret-core: e354eacb10ba71353349bcbd04502278c8bcb0522adc2a26f213000305ab1327
spec: spec:
securityContext: securityContext:
runAsUser: 10000 runAsUser: 10000
@ -1079,83 +1524,13 @@ spec:
name: "harbor-registry" name: "harbor-registry"
- name: registry-data - name: registry-data
emptyDir: {} emptyDir: {}
--- nodeSelector:
# Source: harbor/templates/ingress/ingress.yaml dedicated: storage
apiVersion: networking.k8s.io/v1 tolerations:
kind: Ingress - effect: NoSchedule
metadata: key: dedicated
name: "harbor-ingress" operator: Equal
labels: value: storage
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.11.0"
annotations:
cert-manager.io/cluster-issuer: default
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
ingress.kubernetes.io/proxy-body-size: "0"
ingress.kubernetes.io/ssl-redirect: "true"
kubernetes.io/ingress.class: traefik
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- secretName: harbor-ingress
hosts:
- harbor.k-space.ee
rules:
- http:
paths:
- path: /api/
pathType: Prefix
backend:
service:
name: harbor-core
port:
number: 80
- path: /service/
pathType: Prefix
backend:
service:
name: harbor-core
port:
number: 80
- path: /v2/
pathType: Prefix
backend:
service:
name: harbor-core
port:
number: 80
- path: /chartrepo/
pathType: Prefix
backend:
service:
name: harbor-core
port:
number: 80
- path: /c/
pathType: Prefix
backend:
service:
name: harbor-core
port:
number: 80
- path: /
pathType: Prefix
backend:
service:
name: harbor-portal
port:
number: 80
host: harbor.k-space.ee
--- ---
# Source: harbor/templates/metrics/metrics-svcmon.yaml # Source: harbor/templates/metrics/metrics-svcmon.yaml
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1