sync namespace names with directory names

2025-08-07 18:29:03 +03:00
parent 42aef1e928
commit 82311c86ff
19 changed files with 14 additions and 7 deletions
--- a/harbor-operator/README.md
+++ b/harbor-operator/README.md
@@ -0,0 +1,18 @@
+Deploy with:
+
+```
+kubectl create namespace harbor-operator
+kubectl -n harbor-operator create secret generic harbor-minio-credentials --from-literal REGISTRY_STORAGE_S3_ACCESSKEY=...--from-literal=REGISTRY_STORAGE_S3_SECRETKEY=...
+kubectl -n harbor-operator create secret generic harbor-postgres-password --from-literal password=...
+
+```
+# Deployment
+With ArgoCD. Render it locally:
+
+```sh
+kustomize build . --enable-helm
+```
+
+After initial deployment login with Harbor admin credentials and configure OIDC:
+
+![OIDC configuration](harbor-oidc-config.png)
--- a/harbor-operator/application-extras.yml
+++ b/harbor-operator/application-extras.yml
@@ -0,0 +1,57 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: harbor
+  namespace: harbor-operator
+spec:
+  displayName: Harbor
+  uri: https://harbor.k-space.ee
+  redirectUris:
+    - https://harbor.k-space.ee/c/oidc/callback
+  allowedGroups:
+    - k-space:floor
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MinioBucketClaim
+metadata:
+  name: harbor
+  namespace: harbor-operator
+spec:
+  capacity: 1Ti
+  class: external
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: dragonfly-auth
+spec:
+  size: 32
+  mapping:
+    - key: REDIS_PASSWORD
+      value: "%(plaintext)s"
+    - key: REDIS_URI
+      value: "redis://:%(plaintext)s@dragonfly"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: dragonfly
+spec:
+  authentication:
+    passwordFromSecret:
+      key: REDIS_PASSWORD
+      name: dragonfly-auth
+  replicas: 1
+  resources:
+    limits:
+      memory: 5Gi
--- a/harbor-operator/harbor-oidc-config.png
+++ b/harbor-operator/harbor-oidc-config.png
--- a/harbor-operator/kustomization.yaml
+++ b/harbor-operator/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: harbor-operator
+
+# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
+helmCharts:
+- includeCRDs: true
+  name: &name harbor
+  releaseName: *name
+  repo: https://helm.goharbor.io
+  valuesFile: values.yaml
+  version: 1.17.1
+
+resources:
+- ./application-extras.yml
--- a/harbor-operator/values.yaml
+++ b/harbor-operator/values.yaml
@@ -0,0 +1,144 @@
+expose:
+  type: ingress
+  tls:
+    # harbor helm needs PR to use non-core-host-named tls (wildcard), like *.k-space.ee; currently it gets its own cert (harbor.k-space.ee)
+    enabled: true
+    certSource: secret
+    secret:
+      secretName: wildcard-tls
+  ingress:
+    hosts:
+      core: harbor.k-space.ee
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    labels: {}
+
+externalURL: https://harbor.k-space.ee
+
+# The persistence is enabled by default and a default StorageClass
+# is needed in the k8s cluster to provision volumes dynamically.
+# Specify another StorageClass in the "storageClass" or set "existingClaim"
+# if you already have existing persistent volumes to use
+#
+# For storing images and charts, you can also use "azure", "gcs", "s3",
+# "swift" or "oss". Set it in the "imageChartStorage" section
+persistence:
+  enabled: true
+  # Define which storage backend is used for registry to store
+  # images and charts. Refer to
+  # https://github.com/distribution/distribution/blob/main/docs/content/about/configuration.md#storage
+  # for the detail.
+  persistentVolumeClaim:
+    jobservice:
+      jobLog:
+        existingClaim: ""
+        storageClass: "longhorn"
+        subPath: ""
+        accessMode: ReadWriteMany
+        size: 5Gi
+        annotations: {}
+  imageChartStorage:
+    # Specify whether to disable `redirect` for images and chart storage, for
+    # backends which not supported it (such as using minio for `s3` storage type), please disable
+    # it. To disable redirects, simply set `disableredirect` to `true` instead.
+    # Refer to
+    # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect
+    # for the detail.
+    disableredirect: false
+    type: s3
+    s3:
+      # Set an existing secret for S3 accesskey and secretkey
+      # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry
+      existingSecret: "harbor-minio-credentials"
+      region: us-east-1
+      bucket: harbor-operator-e60e5943-234a-496d-ae74-933f6a67c530
+      #accesskey: awsaccesskey
+      #secretkey: awssecretkey
+      regionendpoint: https://external.minio-clusters.k-space.ee
+      #encrypt: false
+      #keyid: mykeyid
+      #secure: true
+      #skipverify: false
+      #v4auth: true
+      #chunksize: "5242880"
+      #rootdirectory: /s3/object/name/prefix
+      #storageclass: STANDARD
+      #multipartcopychunksize: "33554432"
+      #multipartcopymaxconcurrency: 100
+      #multipartcopythresholdsize: "33554432"
+
+# The initial password of Harbor admin. Change it from portal after launching Harbor
+# or give an existing secret for it
+# key in secret is given via (default to HARBOR_ADMIN_PASSWORD)
+# existingSecretAdminPassword:
+existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
+
+# debug, info, warning, error or fatal
+logLevel: debug
+
+# Run the migration job via helm hook
+enableMigrateHelmHook: false
+
+metrics:
+  enabled: true
+  core:
+    path: /metrics
+    port: 8001
+  registry:
+    path: /metrics
+    port: 8001
+  jobservice:
+    path: /metrics
+    port: 8001
+  exporter:
+    path: /metrics
+    port: 8001
+  serviceMonitor:
+    enabled: true
+    additionalLabels: {}
+    # Scrape interval. If not set, the Prometheus default scrape interval is used.
+    interval: ""
+    # Metric relabel configs to apply to samples before ingestion.
+    metricRelabelings:
+      []
+      # - action: keep
+    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+    #   sourceLabels: [__name__]
+    # Relabel configs to apply to samples before ingestion.
+    relabelings:
+      []
+      # - sourceLabels: [__meta_kubernetes_pod_node_name]
+      #   separator: ;
+      #   regex: ^(.*)$
+      #   targetLabel: nodename
+    #   replacement: $1
+    #   action: replace
+
+
+trivy:
+  enabled: false
+notary:
+  enabled: false
+
+database:
+  type: "external"
+
+  external:
+    host: "172.20.43.1"
+    port: "5432"
+    username: "kspace_harbor"
+    coreDatabase: "kspace_harbor"
+    existingSecret: "harbor-postgres-password"
+    sslmode: "disable"
+
+redis:
+  type: external
+  external:
+      # support redis, redis+sentinel
+    # addr for redis: <host_redis>:<port_redis>
+    # addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
+    addr: "dragonfly:6379"
+    username: ""
+    password: "MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge"