k-space/kube
10
1
Fork 3
Code Issues 31 Pull Requests Activity

fix and update harbor install

Browse Source
This commit is contained in:
Erki Aas 2024-07-28 20:21:48 +03:00
parent 0c38d2369b
commit 249ad2e9ed
4 changed files with 761 additions and 457 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
harbor/README.md
View File

@ -1,8 +1,12 @@
Deploy with:
```
kubectl create namespace harbor
kubectl apply -n harbor -f application.yml -f application-secrets.yml
kubectl create namespace harbor-operator
kubectl -n harbor-operator create secret generic harbor-minio-credentials --from-literal REGISTRY_STORAGE_S3_ACCESSKEY=...--from-literal=REGISTRY_STORAGE_S3_SECRETKEY=...
kubectl -n harbor-operator create secret generic harbor-postgres-password --from-literal password=...
helm template -n harbor-operator --release-name harbor harbor/harbor --include-crds -f harbor/values.yaml > harbor/application.yml
kubectl apply -n harbor -f application.yml -f application-extras.yml
```
After deployment login with Harbor admin credentials and configure OIDC:

36
harbor/application-extras.yml
View File

@ -20,4 +20,38 @@ spec:
- openid
- profile
pkce: false
---
apiVersion: codemowers.cloud/v1beta1
kind: MinioBucketClaim
metadata:
name: harbor
namespace: harbor-operator
spec:
capacity: 1Ti
class: external
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
name: dragonfly-auth
spec:
size: 32
mapping:
- key: REDIS_PASSWORD
value: "%(plaintext)s"
- key: REDIS_URI
value: "redis://:%(plaintext)s@dragonfly"
---
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
name: dragonfly
spec:
authentication:
passwordFromSecret:
key: REDIS_PASSWORD
name: dragonfly-auth
replicas: 3
resources:
limits:
memory: 5Gi

1030
harbor/application.yml
View File

File diff suppressed because it is too large Load Diff

144
harbor/values.yaml Normal file
View File

@ -0,0 +1,144 @@
expose:
type: ingress
tls:
enabled: true
ingress:
hosts:
core: harbor.k-space.ee
annotations:
cert-manager.io/cluster-issuer: default
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
labels: {}
externalURL: https://harbor.k-space.ee
# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamically.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
# if you already have existing persistent volumes to use
#
# For storing images and charts, you can also use "azure", "gcs", "s3",
# "swift" or "oss". Set it in the "imageChartStorage" section
persistence:
enabled: true
# Define which storage backend is used for registry to store
# images and charts. Refer to
# https://github.com/distribution/distribution/blob/main/docs/content/about/configuration.md#storage
# for the detail.
persistentVolumeClaim:
jobservice:
jobLog:
existingClaim: ""
storageClass: "longhorn"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi
annotations: {}
imageChartStorage:
# Specify whether to disable `redirect` for images and chart storage, for
# backends which not supported it (such as using minio for `s3` storage type), please disable
# it. To disable redirects, simply set `disableredirect` to `true` instead.
# Refer to
# https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect
# for the detail.
disableredirect: false
type: s3
s3:
# Set an existing secret for S3 accesskey and secretkey
# keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry
existingSecret: "harbor-minio-credentials"
region: us-east-1
bucket: harbor-operator-e60e5943-234a-496d-ae74-933f6a67c530
#accesskey: awsaccesskey
#secretkey: awssecretkey
regionendpoint: https://external.minio-clusters.k-space.ee
#encrypt: false
#keyid: mykeyid
#secure: true
#skipverify: false
#v4auth: true
#chunksize: "5242880"
#rootdirectory: /s3/object/name/prefix
#storageclass: STANDARD
#multipartcopychunksize: "33554432"
#multipartcopymaxconcurrency: 100
#multipartcopythresholdsize: "33554432"
# The initial password of Harbor admin. Change it from portal after launching Harbor
# or give an existing secret for it
# key in secret is given via (default to HARBOR_ADMIN_PASSWORD)
# existingSecretAdminPassword:
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
# debug, info, warning, error or fatal
logLevel: debug
# If using existingSecretSecretKey, the key must be secretKey
existingSecretSecretKey: "harbor-core-oidc-secret-encryption-key"
# Run the migration job via helm hook
enableMigrateHelmHook: false
metrics:
enabled: true
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
jobservice:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
serviceMonitor:
enabled: true
additionalLabels: {}
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval: ""
# Metric relabel configs to apply to samples before ingestion.
metricRelabelings:
[]
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# Relabel configs to apply to samples before ingestion.
relabelings:
[]
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
trivy:
enabled: false
database:
type: "external"
external:
host: "172.20.43.1"
port: "5432"
username: "kspace_harbor"
coreDatabase: "kspace_harbor"
existingSecret: "harbor-postgres-password"
sslmode: "disable"
redis:
type: external
external:
# support redis, redis+sentinel
# addr for redis: <host_redis>:<port_redis>
# addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
addr: "dragonfly:6379"
username: ""
password: "MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge"