diff --git a/harbor/.gitignore b/harbor/.gitignore
deleted file mode 100644
index 9f85fc5..0000000
--- a/harbor/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-harbor.yml
\ No newline at end of file
diff --git a/harbor/README.md b/harbor/README.md
index 516ff11..73c768f 100644
--- a/harbor/README.md
+++ b/harbor/README.md
@@ -5,12 +5,14 @@ kubectl create namespace harbor-operator
 kubectl -n harbor-operator create secret generic harbor-minio-credentials --from-literal REGISTRY_STORAGE_S3_ACCESSKEY=...--from-literal=REGISTRY_STORAGE_S3_SECRETKEY=...
 kubectl -n harbor-operator create secret generic harbor-postgres-password --from-literal password=...
-helm repo add harbor https://helm.goharbor.io
+```
+# Deployment
+With ArgoCD. Render it locally:
-helm template -n harbor-operator --release-name harbor harbor/harbor --include-crds -f harbor/values.yaml > harbor/application.yml
-kubectl apply -n harbor-operator -f harbor/application.yml -f harbor/application-extras.yml
+```sh
+kustomize build . --enable-helm
 ```
-After deployment login with Harbor admin credentials and configure OIDC:
+After initial deployment login with Harbor admin credentials and configure OIDC:
 ![OIDC configuration](harbor-oidc-config.png)
diff --git a/harbor/application.yml b/harbor/application.yml
deleted file mode 100644
index 07a1763..0000000
--- a/harbor/application.yml
+++ /dev/null
@@ -1,1322 +0,0 @@ ---- -# Source: harbor/templates/core/core-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: harbor-core - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -type: Opaque -data: - secretKey: "bm90LWEtc2VjdXJlLWtleQ==" - secret: "dU0wN0trdmV1MTduU3BFOA==" - tls.key: "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" - tls.crt: "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" - HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU=" - REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk" - CSRF_KEY: "V3ZHVTlmaDdSQkJkc0FXVjNiVFVselpCYUJtMUZDUks=" ---- -# Source: harbor/templates/exporter/exporter-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: harbor-exporter - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -type: Opaque -data: - HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU=" ---- -# Source: harbor/templates/jobservice/jobservice-secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "harbor-jobservice" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -type: Opaque -data: - JOBSERVICE_SECRET: "SXZTSjVnVHg3aHY1YUhSWg==" - REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk" ---- -# Source: harbor/templates/registry/registry-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "harbor-registry" 
- namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -type: Opaque -data: - REGISTRY_HTTP_SECRET: "QmhvSnJoalMyb0tlTElNYQ==" - REGISTRY_REDIS_PASSWORD: "TXZZY3VVMFJhSXUxU1g3ZlkxbTFKcmdMVVNhWkpqZ2U=" ---- -# Source: harbor/templates/registry/registry-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "harbor-registry-htpasswd" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -type: Opaque -data: - REGISTRY_HTPASSWD: "aGFyYm9yX3JlZ2lzdHJ5X3VzZXI6JDJhJDEwJHcydGVWR21hNEppSHJqOVJaSXZ4NHVQMG1VRmRTWjJvdTdsV2Zyd0NBcXowRkFrR3pGNkV1" ---- -# Source: harbor/templates/registry/registryctl-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "harbor-registryctl" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -type: Opaque -data: ---- -# Source: harbor/templates/core/core-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: harbor-core - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -data: - app.conf: |+ - appname = Harbor - runmode = prod - enablegzip = true - - [prod] - httpport = 8080 - PORT: "8080" - 
DATABASE_TYPE: "postgresql" - POSTGRESQL_HOST: "172.20.43.1" - POSTGRESQL_PORT: "5432" - POSTGRESQL_USERNAME: "kspace_harbor" - POSTGRESQL_DATABASE: "kspace_harbor" - POSTGRESQL_SSLMODE: "disable" - POSTGRESQL_MAX_IDLE_CONNS: "100" - POSTGRESQL_MAX_OPEN_CONNS: "900" - EXT_ENDPOINT: "https://harbor.k-space.ee" - CORE_URL: "http://harbor-core:80" - JOBSERVICE_URL: "http://harbor-jobservice" - REGISTRY_URL: "http://harbor-registry:5000" - TOKEN_SERVICE_URL: "http://harbor-core:80/service/token" - CORE_LOCAL_URL: "http://127.0.0.1:8080" - WITH_TRIVY: "false" - TRIVY_ADAPTER_URL: "http://harbor-trivy:8080" - REGISTRY_STORAGE_PROVIDER_NAME: "s3" - LOG_LEVEL: "debug" - CONFIG_PATH: "/etc/core/app.conf" - CHART_CACHE_DRIVER: "redis" - _REDIS_URL_CORE: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/0?idle_timeout_seconds=30" - _REDIS_URL_REG: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/2?idle_timeout_seconds=30" - PORTAL_URL: "http://harbor-portal" - REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080" - REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user" - HTTP_PROXY: "" - HTTPS_PROXY: "" - NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" - PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" - METRIC_ENABLE: "true" - METRIC_PATH: "/metrics" - METRIC_PORT: "8001" - METRIC_NAMESPACE: harbor - METRIC_SUBSYSTEM: core - QUOTA_UPDATE_PROVIDER: "db" ---- -# Source: harbor/templates/exporter/exporter-cm-env.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-exporter-env" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: 
"2.13.0" -data: - HTTP_PROXY: "" - HTTPS_PROXY: "" - NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" - LOG_LEVEL: "debug" - HARBOR_EXPORTER_PORT: "8001" - HARBOR_EXPORTER_METRICS_PATH: "/metrics" - HARBOR_EXPORTER_METRICS_ENABLED: "true" - HARBOR_EXPORTER_CACHE_TIME: "23" - HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "14400" - HARBOR_METRIC_NAMESPACE: harbor - HARBOR_METRIC_SUBSYSTEM: exporter - HARBOR_REDIS_URL: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/1" - HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace - HARBOR_REDIS_TIMEOUT: "3600" - HARBOR_SERVICE_SCHEME: "http" - HARBOR_SERVICE_HOST: "harbor-core" - HARBOR_SERVICE_PORT: "80" - HARBOR_DATABASE_HOST: "172.20.43.1" - HARBOR_DATABASE_PORT: "5432" - HARBOR_DATABASE_USERNAME: "kspace_harbor" - HARBOR_DATABASE_DBNAME: "kspace_harbor" - HARBOR_DATABASE_SSLMODE: "disable" - HARBOR_DATABASE_MAX_IDLE_CONNS: "100" - HARBOR_DATABASE_MAX_OPEN_CONNS: "900" ---- -# Source: harbor/templates/jobservice/jobservice-cm-env.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-jobservice-env" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -data: - CORE_URL: "http://harbor-core:80" - TOKEN_SERVICE_URL: "http://harbor-core:80/service/token" - REGISTRY_URL: "http://harbor-registry:5000" - REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080" - REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user" - - JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "3" - JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "3" - - LOG_LEVEL: "debug" - HTTP_PROXY: "" - HTTPS_PROXY: "" - NO_PROXY: 
"harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" - METRIC_NAMESPACE: harbor - METRIC_SUBSYSTEM: jobservice ---- -# Source: harbor/templates/jobservice/jobservice-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-jobservice" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -data: - config.yml: |+ - #Server listening port - protocol: "http" - port: 8080 - worker_pool: - workers: 10 - backend: "redis" - redis_pool: - redis_url: "redis://:MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge@dragonfly:6379/1" - namespace: "harbor_job_service_namespace" - idle_timeout_second: 3600 - job_loggers: - - name: "FILE" - level: DEBUG - settings: # Customized settings of logger - base_dir: "/var/log/jobs" - sweeper: - duration: 14 #days - settings: # Customized settings of sweeper - work_dir: "/var/log/jobs" - metric: - enabled: true - path: /metrics - port: 8001 - #Loggers for the job service - loggers: - - name: "STD_OUTPUT" - level: DEBUG - reaper: - # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 - max_update_hours: 24 - # the max time for execution in running state without new task created - max_dangling_hours: 168 ---- -# Source: harbor/templates/portal/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-portal" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -data: - 
nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - server { - listen 8080; - listen [::]:8080; - server_name localhost; - root /usr/share/nginx/html; - index index.html index.htm; - include /etc/nginx/mime.types; - gzip on; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; - location /devcenter-api-2.0 { - try_files $uri $uri/ /swagger-ui-index.html; - } - location / { - try_files $uri $uri/ /index.html; - } - location = /index.html { - add_header Cache-Control "no-store, no-cache, must-revalidate"; - } - } - } ---- -# Source: harbor/templates/registry/registry-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-registry" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -data: - config.yml: |+ - version: 0.1 - log: - level: debug - fields: - service: registry - storage: - s3: - region: us-east-1 - bucket: harbor-operator-e60e5943-234a-496d-ae74-933f6a67c530 - regionendpoint: https://external.minio-clusters.k-space.ee - cache: - layerinfo: redis - maintenance: - uploadpurging: - enabled: true - age: 168h - interval: 24h - dryrun: false - delete: - enabled: true - redirect: - disable: false - redis: - addr: dragonfly:6379 - db: 2 - password: MvYcuU0RaIu1SX7fY1m1JrgLUSaZJjge - readtimeout: 10s - writetimeout: 10s - dialtimeout: 10s - enableTLS: false - pool: - maxidle: 100 - 
maxactive: 500 - idletimeout: 60s - http: - addr: :5000 - relativeurls: false - # set via environment variable - # secret: placeholder - debug: - addr: :8001 - prometheus: - enabled: true - path: /metrics - auth: - htpasswd: - realm: harbor-registry-basic-realm - path: /etc/registry/passwd - validation: - disabled: true - compatibility: - schema1: - enabled: true - ctl-config.yml: |+ - --- - protocol: "http" - port: 8080 - log_level: debug - registry_config: "/etc/registry/config.yml" ---- -# Source: harbor/templates/registry/registryctl-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-registryctl" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -data: ---- -# Source: harbor/templates/jobservice/jobservice-pvc.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: harbor-jobservice - namespace: "harbor-operator" - annotations: - helm.sh/resource-policy: keep - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: jobservice - app.kubernetes.io/component: jobservice -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 5Gi - storageClassName: longhorn ---- -# Source: harbor/templates/core/core-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: harbor-core - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -spec: - ports: - 
- name: http-web - port: 80 - targetPort: 8080 - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: core ---- -# Source: harbor/templates/exporter/exporter-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-exporter" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -spec: - ports: - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: exporter ---- -# Source: harbor/templates/jobservice/jobservice-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-jobservice" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -spec: - ports: - - name: http-jobservice - port: 80 - targetPort: 8080 - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: jobservice ---- -# Source: harbor/templates/portal/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-portal" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -spec: - ports: - - port: 80 - targetPort: 8080 - selector: - release: harbor - app: "harbor" - component: portal ---- -# Source: harbor/templates/registry/registry-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-registry" - namespace: "harbor-operator" - labels: - heritage: Helm - 
release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -spec: - ports: - - name: http-registry - port: 5000 - - - name: http-controller - port: 8080 - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: registry ---- -# Source: harbor/templates/core/core-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: harbor-core - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: core - app.kubernetes.io/component: core -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: core - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: core - app.kubernetes.io/component: core - annotations: - checksum/configmap: 53edfff371caa1358d16dc55ff64ef5bfe6f5ff19c4066ef0e52fe0d29191437 - checksum/secret: 5bce7bc29f9972e5e0c7941ca95359a5a68074e91d327eee63ab2cad9e60a3d6 - checksum/secret-jobservice: fc7154159feb53c4accc9273b50a432527101aae6d5aacb1447c0019527883c9 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - terminationGracePeriodSeconds: 120 - containers: - - name: core - image: goharbor/harbor-core:v2.13.0 - imagePullPolicy: IfNotPresent - startupProbe: - httpGet: - path: /api/v2.0/ping - scheme: HTTP - port: 8080 - failureThreshold: 360 - initialDelaySeconds: 
10 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /api/v2.0/ping - scheme: HTTP - port: 8080 - failureThreshold: 2 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v2.0/ping - scheme: HTTP - port: 8080 - failureThreshold: 2 - periodSeconds: 10 - envFrom: - - configMapRef: - name: "harbor-core" - - secretRef: - name: "harbor-core" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: harbor-core - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: harbor-jobservice - key: JOBSERVICE_SECRET - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-postgres-password - key: password - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - containerPort: 8080 - volumeMounts: - - name: config - mountPath: /etc/core/app.conf - subPath: app.conf - - name: secret-key - mountPath: /etc/core/key - subPath: key - - name: token-service-private-key - mountPath: /etc/core/private_key.pem - subPath: tls.key - - name: ca-download - mountPath: /etc/core/ca - - name: psc - mountPath: /etc/core/token - volumes: - - name: config - configMap: - name: harbor-core - items: - - key: app.conf - path: app.conf - - name: secret-key - secret: - secretName: harbor-core - items: - - key: secretKey - path: key - - name: token-service-private-key - secret: - secretName: harbor-core - - name: ca-download - secret: - - name: psc - emptyDir: {} ---- -# Source: harbor/templates/exporter/exporter-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: harbor-exporter - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: exporter - 
app.kubernetes.io/component: exporter -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: exporter - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: exporter - app.kubernetes.io/component: exporter - annotations: - checksum/configmap: d37ae90c0cba9361dd0f112860f5813c4fa7a69929999934c5823acc5872bd57 - checksum/secret: f27e8195cce60fceb547a244386e5537de10e4b5a8d446266dda3f08e7d07aa1 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: exporter - image: goharbor/harbor-exporter:v2.13.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8001 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8001 - initialDelaySeconds: 30 - periodSeconds: 10 - args: ["-log-level", "debug"] - envFrom: - - configMapRef: - name: "harbor-exporter-env" - - secretRef: - name: "harbor-exporter" - env: - - name: HARBOR_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-postgres-password - key: password - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - containerPort: 8001 - volumeMounts: - volumes: - - name: config - secret: - secretName: "harbor-exporter" ---- -# Source: harbor/templates/jobservice/jobservice-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "harbor-jobservice" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: jobservice - app.kubernetes.io/component: jobservice -spec: - replicas: 1 - revisionHistoryLimit: 10 - strategy: - type: RollingUpdate - selector: - matchLabels: - release: harbor - app: "harbor" - component: jobservice - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: jobservice - app.kubernetes.io/component: jobservice - annotations: - checksum/configmap: ab59b1db8f4e515349c53859b33651de8c104235b67af5cd19a83ae46be28446 - checksum/configmap-env: 5fa7cae84a3894baf549f9f50e7e1e529b418a9264ad220a047cdbf7845bc08e - checksum/secret: efbb9ad12811e43b2ad3a85611cc18e37de6220c059511119f80e704ae40c1c3 - checksum/secret-core: a2530b411d3dec989d79c0f8e44a19e5f8a295ab4f9fbccf1bb827b67b130577 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - terminationGracePeriodSeconds: 120 - containers: - - name: jobservice - image: goharbor/harbor-jobservice:v2.13.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/v1/stats - scheme: HTTP - port: 8080 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v1/stats - scheme: HTTP - port: 8080 - initialDelaySeconds: 20 - periodSeconds: 10 - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: harbor-core - key: secret - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - envFrom: - - configMapRef: - name: "harbor-jobservice-env" - - secretRef: - name: "harbor-jobservice" - ports: - - containerPort: 8080 - volumeMounts: - - name: jobservice-config - mountPath: /etc/jobservice/config.yml - 
subPath: config.yml - - name: job-logs - mountPath: /var/log/jobs - subPath: - volumes: - - name: jobservice-config - configMap: - name: "harbor-jobservice" - - name: job-logs - persistentVolumeClaim: - claimName: harbor-jobservice ---- -# Source: harbor/templates/portal/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "harbor-portal" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: portal - app.kubernetes.io/component: portal -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: portal - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: portal - app.kubernetes.io/component: portal - annotations: - checksum/configmap: 4a8c44b3b4db968155f464771c3ee96c284b82ad21d850701e77748d78c7b1a3 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: portal - image: goharbor/harbor-portal:v2.13.0 - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - livenessProbe: - httpGet: - path: / - scheme: HTTP - port: 8080 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: HTTP - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 10 - ports: - - containerPort: 8080 - volumeMounts: - - name: portal-config - mountPath: /etc/nginx/nginx.conf - subPath: 
nginx.conf - volumes: - - name: portal-config - configMap: - name: "harbor-portal" ---- -# Source: harbor/templates/registry/registry-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "harbor-registry" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: registry - app.kubernetes.io/component: registry -spec: - replicas: 1 - revisionHistoryLimit: 10 - strategy: - type: RollingUpdate - selector: - matchLabels: - release: harbor - app: "harbor" - component: registry - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - component: registry - app.kubernetes.io/component: registry - annotations: - checksum/configmap: b8975994d732c8c31013f961eec0019e4600aa162dcfd611aeec2d4f1da64e36 - checksum/secret: 3d5fb955519f6a87cec93aca10887013bff60851b8ead4ce898afd4275d2764f - checksum/secret-jobservice: 41630ce132329f2ad93b7e386e4b28b938c80346aa9b4d7971570d25c65f97f4 - checksum/secret-core: ee02b34f2fe5f6c6b4f575aee6fa8ae4bda2977c3a5792501e7158ca18975ef1 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - fsGroupChangePolicy: OnRootMismatch - automountServiceAccountToken: false - terminationGracePeriodSeconds: 120 - containers: - - name: registry - image: goharbor/registry-photon:v2.13.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - scheme: HTTP - port: 5000 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: HTTP - port: 5000 - initialDelaySeconds: 1 - periodSeconds: 10 - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - envFrom: - - secretRef: - name: "harbor-registry" - - secretRef: - name: harbor-minio-credentials - env: - ports: - - containerPort: 5000 - - containerPort: 8001 - volumeMounts: - - name: registry-data - mountPath: /storage - subPath: - - name: registry-htpasswd - mountPath: /etc/registry/passwd - subPath: passwd - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: registryctl - image: goharbor/harbor-registryctl:v2.13.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - scheme: HTTP - port: 8080 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/health - scheme: HTTP - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 10 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - envFrom: - - configMapRef: - name: "harbor-registryctl" - - secretRef: - name: "harbor-registry" - - secretRef: - name: "harbor-registryctl" - - secretRef: - name: harbor-minio-credentials - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: harbor-core - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: harbor-jobservice - key: JOBSERVICE_SECRET - ports: - - containerPort: 8080 - volumeMounts: - - name: registry-data - mountPath: /storage - subPath: - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: registry-config - mountPath: /etc/registryctl/config.yml - subPath: ctl-config.yml - volumes: - - name: registry-htpasswd - secret: - secretName: harbor-registry-htpasswd - - items: - - key: REGISTRY_HTPASSWD - path: passwd - - name: registry-config - configMap: - name: "harbor-registry" - - name: registry-data - emptyDir: {} ---- -# Source: 
harbor/templates/ingress/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: "harbor-ingress" - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" - annotations: - external-dns.alpha.kubernetes.io/target: traefik.k-space.ee - ingress.kubernetes.io/proxy-body-size: "0" - ingress.kubernetes.io/ssl-redirect: "true" - kubernetes.io/ingress.class: traefik - nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - traefik.ingress.kubernetes.io/router.entrypoints: websecure -spec: - tls: - - secretName: wildcard-tls - hosts: - - harbor.k-space.ee - rules: - - http: - paths: - - path: /api/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: /service/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: /v2/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: /c/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: / - pathType: Prefix - backend: - service: - name: harbor-portal - port: - number: 80 - host: harbor.k-space.ee ---- -# Source: harbor/templates/metrics/metrics-svcmon.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: harbor - namespace: "harbor-operator" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.13.0" -spec: - jobLabel: app.kubernetes.io/name - endpoints: - - port: http-metrics - honorLabels: true - selector: - matchLabels: - release: harbor - app: "harbor" 
diff --git a/harbor/kustomization.yaml b/harbor/kustomization.yaml
new file mode 100644
index 0000000..edf0e13
--- /dev/null
+++ b/harbor/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: harbor-operator
+
+# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
+helmCharts:
+- includeCRDs: true
+ name: &name harbor
+ releaseName: *name
+ repo: https://helm.goharbor.io
+ valuesFile: values.yaml
+ version: 1.17.1
+
+resources:
+- ./application-extras.yml
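Review bot: `valuesFile: values.yaml` is now the only input the chart is rendered from, and the removed application.yml shows what that render contained: a `harbor-core` Secret whose `HARBOR_ADMIN_PASSWORD` decodes to the chart's documented default, and a Redis password written in clear into the `harbor-core`, `harbor-exporter-env`, `harbor-jobservice` and `harbor-registry` ConfigMaps. values.yaml is not part of this diff, so this is inferred, but if those values still come from it they stay in Git and reappear in every `kustomize build . --enable-helm` output. Consider pointing the chart at pre-created Secrets instead, for example `existingSecretAdminPassword: <secret-name>`, the way the README already handles `harbor-postgres-password` and `harbor-minio-credentials`. Deleting application.yml does not remove the credentials it held from repository history, so the ones visible in it should be rotated.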