diff --git a/contrib/helm/harbor/templates/NOTES.txt b/contrib/helm/harbor/templates/NOTES.txt
index b7ae4bc0d..ce1120810 100644
--- a/contrib/helm/harbor/templates/NOTES.txt
+++ b/contrib/helm/harbor/templates/NOTES.txt
@@ -1,26 +1,3 @@
-
 Please wait for several minutes for Harbor deployment to complete.
-Then follow the steps below to use Harbor.
-
-1. Add the Harbor CA certificate to Docker by executing the following command:
-
- sudo mkdir -p /etc/docker/certs.d/{{ .Values.externalDomain }}
- kubectl get secret \
- --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-ingress \
- -o jsonpath="{.data.ca\.crt}" | base64 --decode | \
- sudo tee /etc/docker/certs.d/{{ .Values.externalDomain }}/ca.crt
-
-2. Get Harbor admin password by executing the following command:
-
- kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-adminserver -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode; echo
-
-3. Add DNS resolution entry for Harbor FQDN {{ .Values.externalDomain }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
-{{- if .Values.notary.enabled }}
- Add DNS resolution entry for Notary FQDN {{ template "harbor.notaryFQDN" . }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
-{{- end }}
-
-4. Access Harbor UI via https://{{ .Values.externalDomain }}
-
-5. Login Harbor with Docker CLI:
-
- docker login {{ .Values.externalDomain }}
+Then you should be able to visit the UI portal at {{ template "harbor.externalURL" . }}.
+For more details, please visit https://github.com/vmware/harbor.
\ No newline at end of file
diff --git a/contrib/helm/harbor/templates/_helpers.tpl b/contrib/helm/harbor/templates/_helpers.tpl
index 4dd6a0db7..e
b316d03c 100644
--- a/contrib/helm/harbor/templates/_helpers.tpl
+++ b/contrib/helm/harbor/templates/_helpers.tpl
@@ -32,9 +32,9 @@ app: "{{ template "harbor.name" . }}"
 {{- define "harbor.externalURL" -}}
 {{- if .Values.externalPort -}}
-{{- printf "%s:%s" .Values.externalDomain (toString .Values.externalPort) -}}
+{{- printf "%s://%s:%s" .Values.externalProtocol .Values.externalDomain (toString .Values.externalPort) -}}
 {{- else -}}
-{{- .Values.externalDomain -}}
+{{- printf "%s://%s" .Values.externalProtocol .Values.externalDomain -}}
 {{- end -}}
 {{- end -}}
diff --git a/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml b/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml
index af278e7b1..5de07836e 100644
--- a/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml
+++ b/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml
@@ -10,14 +10,14 @@ data:
 POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
 POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
 POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
- EMAIL_HOST: "{{ .Values.adminserver.emailHost }}"
- EMAIL_PORT: "{{ .Values.adminserver.emailPort }}"
- EMAIL_USR: "{{ .Values.adminserver.emailUser }}"
- EMAIL_SSL: "{{ .Values.adminserver.emailSsl }}"
- EMAIL_FROM: "{{ .Values.adminserver.emailFrom }}"
- EMAIL_IDENTITY: "{{ .Values.adminserver.emailIdentity }}"
- EMAIL_INSECURE: "{{ .Values.adminserver.emailInsecure }}"
- EXT_ENDPOINT: "https://{{ .Values.externalDomain }}"
+ EMAIL_HOST: "{{ .Values.email.host }}"
+ EMAIL_PORT: "{{ .Values.email.port }}"
+ EMAIL_USR: "{{ .Values.email.username }}"
+ EMAIL_SSL: "{{ .Values.email.ssl }}"
+ EMAIL_FROM: "{{ .Values.email.from }}"
+ EMAIL_IDENTITY: "{{ .Values.email.identity }}"
+ EMAIL_INSECURE: "{{ .Values.email.insecure }}"
+ EXT_ENDPOINT: "{{ template "harbor.externalURL" . }}"
 UI_URL: "http://{{ template "harbor.fullname" . }}-ui"
 JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
 REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000"
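Review bot: `harbor.externalURL` now interpolates `.Values.externalProtocol` on both branches without checking it, and the templates that gate TLS in this change test `eq .Values.externalProtocol "https"`, so a misspelling such as `HTTPS` or an unset key silently yields a `://host` URL and an ingress without a `tls:` block instead of a render error. A guard before the `if .Values.externalPort` line would fail fast: `{{- if not (or (eq .Values.externalProtocol "http") (eq .Values.externalProtocol "https")) }}{{ fail "externalProtocol must be http or https" }}{{ end -}}`. Since the define carries no comment inside the hunk, a line such as `{{/* External URL as clients see it: <externalProtocol>://<externalDomain>[:<externalPort>] */}}` above it would document the contract the other templates now rely on.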
@@ -26,16 +26,16 @@ data:
 NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443"
 LOG_LEVEL: "info"
 IMAGE_STORE_PATH: "/" # This is a temporary hack.
- AUTH_MODE: "{{ .Values.adminserver.authenticationMode }}"
- SELF_REGISTRATION: "{{ .Values.adminserver.selfRegistration }}"
- LDAP_URL: "{{ .Values.adminserver.ldap.url }}"
- LDAP_SEARCH_DN: "{{ .Values.adminserver.ldap.searchDN }}"
- LDAP_BASE_DN: "{{ .Values.adminserver.ldap.baseDN }}"
- LDAP_FILTER: "{{ .Values.adminserver.ldap.filter }}"
- LDAP_UID: "{{ .Values.adminserver.ldap.uid }}"
- LDAP_SCOPE: "{{ .Values.adminserver.ldap.scope }}"
- LDAP_TIMEOUT: "{{ .Values.adminserver.ldap.timeout }}"
- LDAP_VERIFY_CERT: "{{ .Values.adminserver.ldap.verifyCert }}"
+ AUTH_MODE: "{{ .Values.authenticationMode }}"
+ SELF_REGISTRATION: "{{ .Values.selfRegistration }}"
+ LDAP_URL: "{{ .Values.ldap.url }}"
+ LDAP_SEARCH_DN: "{{ .Values.ldap.searchDN }}"
+ LDAP_BASE_DN: "{{ .Values.ldap.baseDN }}"
+ LDAP_FILTER: "{{ .Values.ldap.filter }}"
+ LDAP_UID: "{{ .Values.ldap.uid }}"
+ LDAP_SCOPE: "{{ .Values.ldap.scope }}"
+ LDAP_TIMEOUT: "{{ .Values.ldap.timeout }}"
+ LDAP_VERIFY_CERT: "{{ .Values.ldap.verifyCert }}"
 DATABASE_TYPE: "postgresql"
 PROJECT_CREATION_RESTRICTION: "everyone"
 VERIFY_REMOTE_CERT: "off"
diff --git a/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml b/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
index be9ff1627..5b2af470d 100644
--- a/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
+++ b/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
@@ -8,13 +8,13 @@ metadata:
 type: Opaque
 data:
 secretKey: {{ .Values.secretKey | b64enc | quote }}
- EMAIL_PWD: {{ .Values.adminserver.emailPwd | b64enc | quote }}
- HARBOR_ADMIN_PASSWORD: {{ .Values.adminserver.adminPassword | b64enc | quote }}
+ EMAIL_PWD: {{ .Values.email.password | b64enc | quote }}
+ HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
 POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }}
 JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
 UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
-{{- if eq .Values.adminserver.authenticationMode "ldap_auth" }}
- LDAP_SEARCH_PWD: {{ .Values.adminserver.ldap.searchPwd | b64enc | quote }}
+{{- if eq .Values.authenticationMode "ldap_auth" }}
+ LDAP_SEARCH_PWD: {{ .Values.ldap.searchPwd | b64enc | quote }}
 {{- end }}
 {{ if .Values.clair.enabled }}
 CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }}
diff --git a/contrib/helm/harbor/templates/ingress/ingress.yaml b/contrib/helm/harbor/templates/ingress/ingress.yaml
index 06afa590c..1744d1695 100644
--- a/contrib/helm/harbor/templates/ingress/ingress.yaml
+++ b/contrib/helm/harbor/templates/ingress/ingress.yaml
@@ -1,4 +1,4 @@
-{{ if .Values.ingress.enabled }}
+{{ if .Values.ingress.enabled }}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@@ -8,12 +8,16 @@ metadata:
 annotations:
 {{ toYaml .Values.ingress.annotations | indent 4 }}
 spec:
-{{ if not .Values.insecureRegistry }}
+{{ if eq .Values.externalProtocol "https" }}
 tls:
 - hosts:
 - "{{ .Values.externalDomain }}"
 - "{{ template "harbor.notaryFQDN" . }}"
+ {{ if eq .Values.ingress.tls.secretName "" }}
 secretName: "{{ template "harbor.fullname" . }}-ingress"
+ {{ else }}
+ secretName: {{ .Values.ingress.tls.secretName }}
+ {{ end }}
 {{ end }}
 rules:
 - host: "{{ .Values.externalDomain }}"
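Review bot: `LDAP_SEARCH_PWD` reads `.Values.ldap.searchPwd`, but the `ldap:` block this commit adds to values.yaml (and the `adminserver.ldap` block it removes) names the key `searchPassword`, so a bind password set through values never reaches this secret; with `authenticationMode: "ldap_auth"` the render most likely fails when `b64enc` receives the missing value, and at best Harbor binds with an empty password. The mismatch predates the commit, but the move was the moment to fix it: `LDAP_SEARCH_PWD: {{ .Values.ldap.searchPassword | b64enc | quote }}` (or rename the values key, whichever the documentation settles on). The `if`/`end` pair is inside the hunk, so nothing else needs touching here.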
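Review bot: The `else` branch emits `secretName: {{ .Values.ingress.tls.secretName }}` unquoted while the generated-certificate branch quotes its value; quote it too, `secretName: "{{ .Values.ingress.tls.secretName }}"`, so a name YAML would retype (digits only, for example) stays a string. The `eq .Values.ingress.tls.secretName ""` test also assumes `ingress.tls` exists; a values file written for the previous chart version has no `tls` map and would presumably fail the render with a nil-pointer error rather than fall back to the generated certificate, so a nil-safe form such as `{{ if not (default dict .Values.ingress.tls).secretName }}` keeps such files working. Both points apply equally to the second `tls:` block of this file (`@@ -43,11 +47,15`), to ingress/secret.yaml and to ui/ui-dpl.yaml, which repeat the same condition.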
@@ -43,11 +47,15 @@ metadata:
 nginx.ingress.kubernetes.io/rewrite-target: /registryproxy/v2
 ingress.kubernetes.io/rewrite-target: /registryproxy/v2
 spec:
-{{ if not .Values.insecureRegistry }}
+{{ if eq .Values.externalProtocol "https" }}
 tls:
 - hosts:
 - "{{ .Values.externalDomain }}"
+ {{ if eq .Values.ingress.tls.secretName "" }}
 secretName: "{{ template "harbor.fullname" . }}-ingress"
+ {{ else }}
+ secretName: {{ .Values.ingress.tls.secretName }}
+ {{ end }}
 {{ end }}
 rules:
 - host: "{{ .Values.externalDomain }}"
@@ -57,6 +65,4 @@ spec:
 backend:
 serviceName: {{ template "harbor.fullname" . }}-ui
 servicePort: 80
-
-
 {{ end }}
\ No newline at end of file
diff --git a/contrib/helm/harbor/templates/ingress/secret.yaml b/contrib/helm/harbor/templates/ingress/secret.yaml
index f12dad65b..33d13ee36 100644
--- a/contrib/helm/harbor/templates/ingress/secret.yaml
+++ b/contrib/helm/harbor/templates/ingress/secret.yaml
@@ -1,5 +1,6 @@
-{{ if not .Values.insecureRegistry }}
-{{ if .Values.generateCertificates }}
+{{ if eq .Values.externalProtocol "https" }}
+{{ if .Values.ingress.enabled }}
+{{ if eq .Values.ingress.tls.secretName "" }}
 {{ $ca := genCA "harbor-ca" 3650 }}
 {{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }}
 apiVersion: v1
@@ -14,4 +15,5 @@ data:
 tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
 ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
 {{ end }}
+{{ end }}
 {{ end }}
\ No newline at end of file
diff --git a/contrib/helm/harbor/templates/notary/notary-cm.yaml b/contrib/helm/harbor/templates/notary/notary-cm.yaml
index b098320e5..520de9af9 100644
--- a/contrib/helm/harbor/templates/notary/notary-cm.yaml
+++ b/contrib/helm/harbor/templates/notary/notary-cm.yaml
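Review bot: The three-condition gate opened here (`externalProtocol` is `https`, `ingress.enabled`, `ingress.tls.secretName` empty) is the same rule the commit writes into ingress/ingress.yaml twice and ui/ui-dpl.yaml twice, so any later fix to it (a nil-safe `secretName` test, another protocol) has to be repeated in five places, and a divergence could, for example, mount a CA secret that is never generated. A named helper in _helpers.tpl, say `{{- define "harbor.autoGenCert" -}}` (placeholder name) that emits a non-empty string when all three hold, used as `{{ if include "harbor.autoGenCert" . }}`, keeps the rule in one place. The `genCA`/`genSignedCert` lines are context here, but they run on every render, so the generated CA presumably changes on each `helm upgrade`; that is worth stating in the `ingress.tls.secretName` comment so operators who copied `ca.crt` to their Docker hosts are not surprised.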
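Review bot: `tls.key` and `ca.crt` still prefer `.Values.tlsKey` and `.Values.caCrt` over the generated material via `default`, but this commit deletes `tlsCrt`/`tlsKey`/`caCrt` and their comment from values.yaml, leaving them as undocumented overrides that silently win over the auto-generated certificate (a `tls.crt` line presumably just above the hunk behaves the same). Either drop the `default` fallbacks now that `ingress.tls.secretName` is the supported way to bring a certificate, or restore the three keys in values.yaml with their comment. The `{{ end }}` added here closes a conditional opened in the first hunk of this file.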
@@ -37,7 +37,7 @@ data:
 "auth": {
 "type": "token",
 "options": {
- "realm": "https://{{ template "harbor.externalURL" . }}/service/token",
+ "realm": "{{ template "harbor.externalURL" . }}/service/token",
 "service": "harbor-notary",
 "issuer": "harbor-token-issuer",
 "rootcertbundle": "/root.crt"
diff --git a/contrib/helm/harbor/templates/registry/registry-cm.yaml b/contrib/helm/harbor/templates/registry/registry-cm.yaml
index 4be545a82..e80a9e891 100644
--- a/contrib/helm/harbor/templates/registry/registry-cm.yaml
+++ b/contrib/helm/harbor/templates/registry/registry-cm.yaml
@@ -38,7 +38,7 @@ data:
 auth:
 token:
 issuer: harbor-token-issuer
- realm: "https://{{ template "harbor.externalURL" . }}/service/token"
+ realm: "{{ template "harbor.externalURL" . }}/service/token"
 rootcertbundle: /etc/registry/root.crt
 service: harbor-registry
diff --git a/contrib/helm/harbor/templates/ui/ui-dpl.yaml b/contrib/helm/harbor/templates/ui/ui-dpl.yaml
index 6db0ef963..fd9ac06a3 100644
--- a/contrib/helm/harbor/templates/ui/ui-dpl.yaml
+++ b/contrib/helm/harbor/templates/ui/ui-dpl.yaml
@@ -50,11 +50,15 @@ spec:
 - name: ui-secrets-private-key
 mountPath: /etc/ui/private_key.pem
 subPath: private_key.pem
- {{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }}
+ {{- if eq .Values.externalProtocol "https" }}
+ {{- if .Values.ingress.enabled }}
+ {{- if eq .Values.ingress.tls.secretName "" }}
 - name: ca-download
 mountPath: /etc/ui/ca/ca.crt
 subPath: ca.crt
 {{- end }}
+ {{- end }}
+ {{- end }}
 - name: psc
 mountPath: /etc/ui/token
 volumes:
@@ -73,7 +77,9 @@ spec:
 items:
 - key: private_key.pem
 path: private_key.pem
- {{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }}
+ {{- if eq .Values.externalProtocol "https" }}
+ {{- if .Values.ingress.enabled }}
+ {{- if eq .Values.ingress.tls.secretName "" }}
 - name: ca-download
 secret:
 secretName: "{{ template "harbor.fullname" . }}-ingress"
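Review bot: The three nested `{{- if }}` blocks replace a single `and` expression; `{{- if and (eq .Values.externalProtocol "https") .Values.ingress.enabled (eq .Values.ingress.tls.secretName "") }}` keeps the original shape with one `{{- end }}`, and the same applies to the `volumes:` entry in `@@ -73,7 +77,9` and to the two extra closing `{{- end }}`s in `@@ -81,6 +87,8`. The mount and the volume are gated by identical copies of this rule, so an edit to one copy yields a mount without a backing volume or vice versa; a shared helper in _helpers.tpl (a placeholder name such as `harbor.autoGenCert`) would remove the duplication. The conditional opened for the volume in the second hunk is closed in the third, outside this hunk.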
@@ -81,6 +87,8 @@ spec:
 - key: ca.crt
 path: ca.crt
 {{- end }}
+ {{- end }}
+ {{- end }}
 - name: psc
 emptyDir: {}
 {{- with .Values.ui.nodeSelector }}
diff --git a/contrib/helm/harbor/values.yaml b/contrib/helm/harbor/values.yaml
index 339d742b0..279d30f10 100644
--- a/contrib/helm/harbor/values.yaml
+++ b/contrib/helm/harbor/values.yaml
@@ -1,49 +1,33 @@
-# Configure persisten Volumes per application
-## Applications that require storage have a `volumes` definition which will be used
-## when `persistence.enabled` is set to true.
-## example
-# mysql:
-# volumes:
-# data:
-## Persistent Volume Storage Class
-## If defined, storageClassName:
-## If set to "-", storageClassName: "", which disables dynamic provisioning
-## If undefined (the default) or set to null, no storageClassName spec is
-## set, choosing the default provisioner. (gp2 on AWS, standard on
-## GKE, AWS & OpenStack)
-##
-# storageClass: "-"
-# accessMode: ReadWriteOnce
-# size: 1Gi
-
-## Configure resource requests and limits per application
-## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-##
-# mysql:
-# resources:
-# requests:
-# memory: 256Mi
-# cpu: 100m
-
 persistence:
 enabled: true
-
-# The tag for Harbor docker images.
-harborImageTag: &harbor_image_tag v1.5.0-chart-patch
-
-# The FQDN for Harbor service.
+externalProtocol: https
+# The FQDN for Harbor service
 externalDomain: harbor.my.domain
-# externalPort is the Port for Harbor service, leave empty if the service is to be bound to
-# port 80/443
+# The Port for Harbor service, leave empty if the service
+# is to be bound to port 80/443
 externalPort: 32700
-# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
-# Harbor FQDN as insecure-registries for your docker client.
-insecureRegistry: false
-generateCertificates: true
-# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
-tlsCrt: -tlsKey: -caCrt: +harborAdminPassword: Harbor12345 +authenticationMode: "db_auth" +selfRegistration: "on" +ldap: + url: "ldaps://ldapserver" + searchDN: "" + searchPassword: "" + baseDN: "" + filter: "(objectClass=person)" + uid: "uid" + scope: "2" + timeout: "5" + verifyCert: "True" +email: + host: "smtp.mydomain.com" + port: "25" + username: "sample_admin@mydomain.com" + password: "password" + ssl: "false" + insecure: "false" + from: "admin " + identity: "" # The secret key used for encryption. Must be a string of 16 chars. secretKey: not-a-secure-key @@ -54,36 +38,23 @@ ingress: enabled: true annotations: ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-body-size: "0" + tls: + # Fill the secretName if you want to use the certificate of + # yourself when Harbor serves with HTTPS. A certificate will + # be generated automatically by the chart if leave it empty + secretName: "" + +# The tag for Harbor docker images. +harborImageTag: &harbor_image_tag dev adminserver: image: repository: vmware/harbor-adminserver tag: *harbor_image_tag pullPolicy: IfNotPresent - emailHost: "smtp.mydomain.com" - emailPort: "25" - emailUser: "sample_admin@mydomain.com" - emailSsl: "false" - emailFrom: "admin " - emailIdentity: "" - emailInsecure: "False" - emailPwd: not-a-secure-password - adminPassword: Harbor12345 - authenticationMode: "db_auth" - selfRegistration: "on" - ldap: - url: "ldaps://ldapserver" - searchDN: "" - searchPassword: "" - baseDN: "" - filter: "(objectClass=person)" - uid: "uid" - scope: "2" - timeout: "5" - verifyCert: "True" - ## Persist data to a persistent volume volumes: config: # storageClass: "-" @@ -97,8 +68,6 @@ adminserver: tolerations: [] affinity: {} -## jobservice -# jobservice: image: repository: vmware/harbor-jobservice 
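Review bot: `externalProtocol: https` arrives without a comment, yet it is now the single switch that decides whether the ingress gets a `tls:` block and whether the registry and notary token `realm` starts with `http://` or `https://`; set to `http`, Docker login credentials and the bearer tokens they obtain travel in clear text, and the `ssl-redirect: "true"` annotations later in this file still redirect to a listener with no certificate. Add above it `# Protocol clients use to reach Harbor, "http" or "https". Only "https" enables the ingress TLS block and an https token realm; the chart does not validate other values.`. The new `ldap:` and `email:` blocks are likewise undocumented, and `harborAdminPassword: Harbor12345` and `email.password: "password"` (next to the existing `secretKey: not-a-secure-key`) are credentials committed as defaults, so a line such as `# Placeholder credentials: override every value below at install time.` above `harborAdminPassword` is warranted. Minor: `verifyCert: "True"` keeps the capitalised spelling while the email flags moved to lowercase `"false"`; one spelling is easier to compare against in templates.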
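Review bot: `nginx.ingress.kubernetes.io/ssl-redirect: "true"` is added unconditionally next to the existing `ingress.kubernetes.io/ssl-redirect: "true"`, while the ingress `tls:` block is now rendered only when `externalProtocol` is `https`; with `http` the controller would redirect clients to an HTTPS listener that has no certificate, so the `tls.secretName` comment should say that these annotations must be removed when switching protocol (or the chart should emit the protocol-dependent annotations itself). The comment could read `# Name of an existing TLS Secret to serve Harbor with your own certificate. Leave empty and the chart generates a self-signed CA and certificate.`. Separately, `harborImageTag` moves from a pinned release tag to `dev`, a mutable tag, and the `adminserver` image below keeps `pullPolicy: IfNotPresent`, so two nodes can run different builds under one chart revision; if that is intended for a development branch, a comment saying the tag must be pinned before release documents the decision.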
@@ -114,8 +83,6 @@ jobservice:
 tolerations: []
 affinity: {}
-## UI
-#
 ui:
 image:
 repository: vmware/harbor-ui
@@ -215,11 +182,10 @@ database:
 notaryServerDatabase: "notary_server"
 notarySignerDatabase: "notary_signer"
-
 registry:
 image:
 repository: vmware/registry-photon
- tag: v2.6.2-v1.5.0-chart-patch
+ tag: dev
 pullPolicy: IfNotPresent
 httpSecret: not-a-secure-secret
 logLevel: info
@@ -289,17 +255,9 @@ registry:
 clair:
 enabled: true
 image:
- repository: ywk253100/clair-photon
- tag: v2.0.1-v1.5.0-chart-patch
+ repository: vmware/clair-photon
+ tag: dev
 pullPolicy: IfNotPresent
-# resources:
-# requests:
-# memory: 256Mi
-# cpu: 100m
-# pgResources:
-# requests:
-# memory: 256Mi
-# cpu: 100m
 volumes:
 pgData:
 # storageClass: "-"
@@ -332,12 +290,12 @@ notary:
 server:
 image:
 repository: vmware/notary-server-photon
- tag: v0.5.1-v1.5.0-chart-patch
+ tag: dev
 pullPolicy: IfNotPresent
 signer:
 image:
 repository: vmware/notary-signer-photon
- tag: v0.5.1-v1.5.0-chart-patch
+ tag: dev
 pullPolicy: IfNotPresent
 env:
 NOTARY_SIGNER_DEFAULTALIAS: defaultalias