From 024edc1c9bfeba9f15b860731464f017250a2a45 Mon Sep 17 00:00:00 2001 From: Erki Aas Date: Fri, 23 Aug 2024 21:34:41 +0300 Subject: [PATCH] expose harbor via dedicated lb on storage nodes --- harbor/application.yml | 545 ++++++++++++++++++++++++++++++++++------- 1 file changed, 460 insertions(+), 85 deletions(-) diff --git a/harbor/application.yml b/harbor/application.yml index 847139e..1aaf158 100644 --- a/harbor/application.yml +++ b/harbor/application.yml @@ -1,4 +1,125 @@ --- +# Source: harbor/templates/core/core-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: harbor-core + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" +type: Opaque +data: + secretKey: "bm90LWEtc2VjdXJlLWtleQ==" + secret: "SmhSWFBRek5wQ2NqdWxUbA==" + tls.key: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBbk5zRWc2SE95OUtFODNjbFpHS1ZhRG1ST3hHM3UwcDRydGptVHd0Z3p4VDB0UlV0CjVvVEI1Uk5ER0QrTE9MQnBSM3VOaFlheDVIQW5WbEpYTnJsa21vQWpuelVMUHRldTNmWWdpbWlqK0ZCS1RnVTkKakdwbmV6TGRKMDh4R0doR2cvMFVJVjZEU2NRT2t5VTlOR2xGK1laRS90SjhjRzR6MFFxbFZWL0NpZVZWK0N2egpnbWc1MEt6MHJOTjJaSUNFL3M0d2ZGODNXVVV6MFZTRmZ2YnFCTnpKUkNJSyt0ektGWmFVcUx0amp3V2lwZTRMCjZGbUJlLzlDODkrNmF6a1ZlQ3QyMDdaanM5ck9NVVFpZ0dkRlNhczhRM0ZGVTVTaExxQUhnbVkyaE1ETlRBYnQKQVdtTzRwRlJFTXZlQ1BXazBINHU2QW1iejFKZ0tZRGdjUm01Y3dJREFRQUJBb0lCQURqamNtS3ZWOG95b3dlTwpLZUNicEtaMVlvZnk2QmtrYkZxMXplblRMWnhOZEdjTXRHWUx0aXIzN25pbjZ6MTNOZWU0RnQ3YnVEOHFzZ21yCnVYZmVpMjlCbENuVTJpeERtMmRqTWZBZy9YODgxNFl1Zm1FajRqNGJkM3dmUzZZWGc2T3hNUkRkTDI2Y2pkQ3UKUytGcllQYWJ6UUJDcE9FK0Jzc0ZPbXVaWEh3WVFOTERPbTZzWnlqR3VQZEZCZUlLa1ROSjJjWUZqQXBMd1dWdgp2NUwybnhWaHdwNXdqWWFPZmdVZUs1K2YwT3VXNFgva1dveGhHeVZLczJ2WUNwOTM1ZTk0KytwN05OOXVOQmExCmNKejhRY3FYQ0ZZRG0rbkswdVVacmlSR2E3elBKbmdjd0g2c3pMbHlpZ3YzeHZKbzBqZ2tnUjltNVF5TkV2cUwKNWdLY3Rra0NnWUVBeFJuOXBtdDlab3Y1RC92S3RPaDBKakNmVDQ4NzNRYkZmdUVydm95RVUyMit6MTZVL3hBbgpiTXVHSEU5dnJQWjFxWHlkdUNuYXRUY3RBTHRyQ1RicFhCTTRYQlV1d2phQzRnS3l6NVNNM1cvdFdsZ0xNeDIrCnBmZS9rTVE4N1VIMm5Ncnl2d1RGMG5VS2hDSG9VOGZsUGdhRUc5dzhlVC9uT1ByV3llZS9QVThDZ1lFQXk3cEMKNFpJRFgyWXpJRU1ueUpJY3BFYU5RaVFGTHppWk1WVllVVGc4dkcvczhGZGI5S3hiMjFQekR5SzZnSFc3dUs2TwpISjBacUtzcHBEYkNpUDVDb2tiM1JMWVM0eXZIWnBPdlF4QVRQanhURUNxMUVvSHVXNkdWUTBXYVY1ckFseEUzClBjV0dUcVNvTkd0NG5QWFFjNGZabVZlbFVyQWpNNWdDcFg4VTRKMENnWUFuUzdsQVZxblhxZ3hyM1YxYW1BV2cKSDQyRGhTRUFQZnRlQW5LQU9PK2cybjV5Ulg4Ykl4TlpJM0tIYm1icmF1K21iTXZkRGFzbStlc2svRGlveTZQVwowWllvOWFndTNFTlg0QVhhVU5tTXhHWGozeTNNY1Irell5TjBMMHVlV2NwYkZETTFWalJDYzBjM2RMTW5FUEZwClhrODBac0kvd2pmTkttVnNONkh2RFFLQmdCT0FDNkROdWhicWtHQTVMVmlzYTZOcHdXR2dVd0szRnlxNnNZNXMKcEp1ZzF2d1dVSTMxNVlEejR5TUN2dmxHeTZZY3h5dUQrZzNEL0dOa2ZuQmdiZjVjYnBTY0hPaXpxdzF0ZTJ3ZQo0TWluTzRnam5sdGNKbldNM04yb2p1SnR4SnR4SVdsL082RFJiK3c4a1RuczZYdjFkK1dPbHh0NEVwYUFxVmd2CjlzNmRBb0dBV3A2VUVtRXpXUThCSVNYWUl0a1NBMjc1N3BEUmw1YnoxNkg4L2htanFRWVFOeWg2WnVSRjV1TUwKRndldytHeHN4OHJWazdEUktuN2tRcHFSU0ZYOTJkOUREVkc4WW9uemRDSFZpemtqR0FwSUZNNUFmWG04TTZ2UQpOUjB5MU5Yd2ZMZ0FsNU1TK0thcVQwaGJjU3FkYjI0OUtFZ1pLcmEyZGpVSk1nNmhXTU09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==" + tls.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJRENDQWdpZ0F3SUJBZ0lSQUtoRDl2ZlVWOE1IVGRHRXdadDViUDR3RFFZSktvWklodmNOQVFFTEJRQXcKR2pFWU1CWUdBMVVFQXhNUGFHRnlZbTl5TFhSdmEyVnVMV05oTUI0WERUSTBNRGd5TXpFNE1qZ3dNbG9YRFRJMQpNRGd5TXpFNE1qZ3dNbG93R2pFWU1CWUdBMVVFQXhNUGFHRnlZbTl5TFhSdmEyVnVMV05oTUlJQklqQU5CZ2txCmhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBbk5zRWc2SE95OUtFODNjbFpHS1ZhRG1ST3hHM3UwcDQKcnRqbVR3dGd6eFQwdFJVdDVvVEI1Uk5ER0QrTE9MQnBSM3VOaFlheDVIQW5WbEpYTnJsa21vQWpuelVMUHRldQozZllnaW1paitGQktUZ1U5akdwbmV6TGRKMDh4R0doR2cvMFVJVjZEU2NRT2t5VTlOR2xGK1laRS90SjhjRzR6CjBRcWxWVi9DaWVWVitDdnpnbWc1MEt6MHJOTjJaSUNFL3M0d2ZGODNXVVV6MFZTRmZ2YnFCTnpKUkNJSyt0eksKRlphVXFMdGpqd1dpcGU0TDZGbUJlLzlDODkrNmF6a1ZlQ3QyMDdaanM5ck9NVVFpZ0dkRlNhczhRM0ZGVTVTaApMcUFIZ21ZMmhNRE5UQWJ0QVdtTzRwRlJFTXZlQ1BXazBINHU2QW1iejFKZ0tZRGdjUm01Y3dJREFRQUJvMkV3Clh6QU9CZ05WSFE4QkFmOEVCQU1DQXFRd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRkJ3TUMKTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk9xalpvcGlBOTZqTmZKVTRuNGNnQUlaWG1DaApNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNDNVdTSG4rcXVZZzJGRkoyYU9FajNWRk9ISENkaU9qNE1xUlE3Cjh4dTVyL2s5QnZvUit6QUpqSHNqRUpCcGNpNjYwV2FBbkw3NWNpc1N2MnB5S3YwNmFzS1MwNEdENFRIVE1sa1QKRXc0Y3JwMWIrWVg1akRMenBtSEJBN2ZaUmNFdEhkT01PdENBaVV0UkVSMmZZeThyZXFxMFpEa1FlNkk3OElEQwpERHRnbC85bDFQZ0xMeDYxeWdEZ1p2aG1od0hiVkFIdU5nb2kwdkhjeldoelhFK1RTTzJ0VVVxMmxhYTV2Y0Z1CmxnK3g0YzVGRUhrdmc1S0FLellDczM4RHhDYmZpWXhyanYwYkZVcnNzRzRZWmRDYTJNOGg0NDJ5L3AveXpKZU0KN0UvTjdyeUpla3FTUFVMQ1JuVHhXL2FEV3VSQ1Fac21ZamV2UmxCTXJhNkdtckh6Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" + HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU=" + REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk" + CSRF_KEY: "dmFZRUtVQ0MySGxCRnRyeVdMcXF3U0dhMUNWOHVzUE8=" +--- +# Source: harbor/templates/exporter/exporter-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: harbor-exporter + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" +type: Opaque +data: + HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU=" +--- +# Source: harbor/templates/jobservice/jobservice-secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: "harbor-jobservice" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" +type: Opaque +data: + JOBSERVICE_SECRET: "ZU1oS0lBajVQUVcyRjI1Vg==" + REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk" +--- +# Source: harbor/templates/registry/registry-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: "harbor-registry" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" +type: Opaque +data: + REGISTRY_HTTP_SECRET: "VWxMS0YwYkpZQVRnU0dSUg==" + REGISTRY_REDIS_PASSWORD: "TXZZY3VVMFJhSXUxU1g3ZlkxbTFKcmdMVVNhWkpqZ2U=" +--- +# Source: harbor/templates/registry/registry-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: "harbor-registry-htpasswd" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" +type: Opaque +data: + REGISTRY_HTPASSWD: "aGFyYm9yX3JlZ2lzdHJ5X3VzZXI6JDJhJDEwJDJzNFJMemFkMjNXYnUwNC5RZ1JrSi5JMWFLODhjWmFYdVRHOUh4Y1NGR2tsWjh1UmI5SUdx" +--- +# Source: harbor/templates/registry/registryctl-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: "harbor-registryctl" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" +type: Opaque +data: +--- # Source: harbor/templates/core/core-cm.yaml apiVersion: v1 kind: ConfigMap @@ -180,6 +301,180 @@ data: # the max time for execution in running state without new task created max_dangling_hours: 168 --- +# Source: harbor/templates/nginx/configmap-https.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: harbor-nginx + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "harbor-core:80"; + } + + upstream portal { + server "harbor-portal:80"; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + listen 8443 ssl; + listen [::]:8443 ssl; + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass http://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass http://core/api/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass http://core/chartrepo/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass http://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass http://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass http://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + listen 8080; + listen [::]:8080; + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +--- # Source: harbor/templates/portal/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -429,6 +724,39 @@ spec: app: "harbor" component: jobservice --- +# Source: harbor/templates/nginx/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: harbor + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" + annotations: + cert-manager.io/cluster-issuer: default + external-dns.alpha.kubernetes.io/hostname: harbor.k-space.ee + metallb.universe.tf/address-pool: elisa +spec: + type: LoadBalancer + ports: + - name: http + port: 80 + targetPort: 8080 + - name: https + port: 443 + targetPort: 8443 + selector: + release: harbor + app: "harbor" + component: nginx +--- # Source: harbor/templates/portal/service.yaml apiVersion: v1 kind: Service @@ -523,8 +851,8 @@ spec: app.kubernetes.io/component: core annotations: checksum/configmap: 9ea7f1881e4fe5b908355ee28e246b67c8c498d2f719dd74a5536a51ee2d9865 - checksum/secret: af720060dbb42f2109b7fd0811a83c48c55313f95c3ba2e6e68010be0a2b2cd4 - checksum/secret-jobservice: fdcf96de5337fccbcdac406929acbb799cb61e43c21be4f6affce7b2d7eaef3f + checksum/secret: ad9c2189410b47755f168b9cbb79d326a13d16176d96a521e287abbafc419df5 + checksum/secret-jobservice: d1b516e308114f8734b8eddf9260861e6c3d00e587c60491ad2c4e5f8c3e8b6f spec: securityContext: runAsUser: 10000 @@ -621,9 +949,15 @@ spec: secretName: harbor-core - name: ca-download secret: - secretName: "harbor-ingress" - name: psc emptyDir: {} + nodeSelector: + dedicated: storage + tolerations: + - effect: NoSchedule + key: dedicated + operator: Equal + value: storage --- # Source: harbor/templates/exporter/exporter-dpl.yaml apiVersion: apps/v1 @@ -761,8 +1095,8 @@ spec: annotations: checksum/configmap: 3a35bef831e58536bf86670117b43e2913a4c1a60d0e74d948559d7a7d564684 checksum/configmap-env: 80e8b81abf755707210d6112ad65167a7d53088b209f63c603d308ef68c4cfad - checksum/secret: 6902f5ee11437ee5149ff54e363487163c43e21ddce1b120ea5528f3def513c6 - checksum/secret-core: ed0bce05c92f40e7b854d7206e08d4c1581aac476956839e42075ab9cdd61e45 + checksum/secret: 611e10e564e1a519738a970fde36e25bcc66253e31b90c0bb456cc55d42cd5a7 + checksum/secret-core: bd3ce629c3ae3006f760f0552687212b8661ef62a9b8aea7cb476655be546e21 spec: securityContext: runAsUser: 10000 @@ -823,6 +1157,110 @@ spec: - name: job-logs persistentVolumeClaim: claimName: harbor-jobservice + nodeSelector: + dedicated: storage + tolerations: + - effect: NoSchedule + key: dedicated + operator: Equal + value: storage +--- +# Source: harbor/templates/nginx/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: harbor-nginx + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" + component: nginx + app.kubernetes.io/component: nginx +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + release: harbor + app: "harbor" + component: nginx + template: + metadata: + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.11.0" + component: nginx + app.kubernetes.io/component: nginx + annotations: + checksum/configmap: 7114a5d89af834358c44d0e87c66e2c69da2e3dd545c02472a416c8a7857b983 + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: false + containers: + - name: nginx + image: "goharbor/nginx-photon:v2.11.0" + imagePullPolicy: "IfNotPresent" + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 1 + periodSeconds: 10 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - containerPort: 8080 + - containerPort: 8443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: certificate + mountPath: /etc/nginx/cert + volumes: + - name: config + configMap: + name: harbor-nginx + - name: certificate + secret: + secretName: harbor-ingress + nodeSelector: + dedicated: storage + tolerations: + - effect: NoSchedule + key: dedicated + operator: Equal + value: storage --- # Source: harbor/templates/portal/deployment.yaml apiVersion: apps/v1 @@ -907,6 +1345,13 @@ spec: - name: portal-config configMap: name: "harbor-portal" + nodeSelector: + dedicated: storage + tolerations: + - effect: NoSchedule + key: dedicated + operator: Equal + value: storage --- # Source: harbor/templates/registry/registry-dpl.yaml apiVersion: apps/v1 @@ -951,9 +1396,9 @@ spec: app.kubernetes.io/component: registry annotations: checksum/configmap: b11f146e734a9ac7c3df9f83562e7ac5fea9e2b10b89118f19207c9b95104496 - checksum/secret: dca1f41d66de90e85f5979631e3653bd898df32609307e2e794a72004dec22f9 - checksum/secret-jobservice: 1728caf6daf5c1b1770da4133efe152d0a10260cb6e5271b7545696ff3b8a1f4 - checksum/secret-core: 7c8aefdcb5f56e17ceb9dc21105e5b98d5a9294b70e1bea13ef83cc40fb595e2 + checksum/secret: 0f5e88685eab94c5cbd47af720313509083331fcdbd9cae66b398fcda5db4d0f + checksum/secret-jobservice: 7a0f120fa4eeb574f5aa57abcc015d73eee4412bb4548488f26d13f3837416ee + checksum/secret-core: e354eacb10ba71353349bcbd04502278c8bcb0522adc2a26f213000305ab1327 spec: securityContext: runAsUser: 10000 @@ -1079,83 +1524,13 @@ spec: name: "harbor-registry" - name: registry-data emptyDir: {} ---- -# Source: harbor/templates/ingress/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: "harbor-ingress" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.11.0" - annotations: - cert-manager.io/cluster-issuer: default - external-dns.alpha.kubernetes.io/target: traefik.k-space.ee - ingress.kubernetes.io/proxy-body-size: "0" - ingress.kubernetes.io/ssl-redirect: "true" - kubernetes.io/ingress.class: traefik - nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.tls: "true" -spec: - tls: - - secretName: harbor-ingress - hosts: - - harbor.k-space.ee - rules: - - http: - paths: - - path: /api/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: /service/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: /v2/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: /chartrepo/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: /c/ - pathType: Prefix - backend: - service: - name: harbor-core - port: - number: 80 - - path: / - pathType: Prefix - backend: - service: - name: harbor-portal - port: - number: 80 - host: harbor.k-space.ee + nodeSelector: + dedicated: storage + tolerations: + - effect: NoSchedule + key: dedicated + operator: Equal + value: storage --- # Source: harbor/templates/metrics/metrics-svcmon.yaml apiVersion: monitoring.coreos.com/v1