From c72a7db4be77b27b30bcae51e3abbe3bc69ffccd Mon Sep 17 00:00:00 2001 From: Wenkai Yin Date: Wed, 11 Jul 2018 17:02:24 +0800 Subject: [PATCH] Fix misc issues of Harbor charts 1. Fix the incorrect pull/push commands shown on the UI 2. Replace "insecureRegistry" with "externalProtocol" 3. Use a secret rather than pasted text when users want to supply their own certificate 4. Refine NOTES.txt --- contrib/helm/harbor/templates/NOTES.txt | 27 +--- contrib/helm/harbor/templates/_helpers.tpl | 4 +- .../templates/adminserver/adminserver-cm.yaml | 36 +++--- .../adminserver/adminserver-secrets.yaml | 8 +- .../harbor/templates/ingress/ingress.yaml | 16 ++- .../helm/harbor/templates/ingress/secret.yaml | 6 +- .../harbor/templates/notary/notary-cm.yaml | 2 +- .../templates/registry/registry-cm.yaml | 2 +- contrib/helm/harbor/templates/ui/ui-dpl.yaml | 12 +- contrib/helm/harbor/values.yaml | 122 ++++++------------ 10 files changed, 93 insertions(+), 142 deletions(-) diff --git a/contrib/helm/harbor/templates/NOTES.txt b/contrib/helm/harbor/templates/NOTES.txt index b7ae4bc0d..ce1120810 100644 --- a/contrib/helm/harbor/templates/NOTES.txt +++ b/contrib/helm/harbor/templates/NOTES.txt 
@@ -1,26 +1,3 @@ - Please wait for several minutes for Harbor deployment to complete. -Then follow the steps below to use Harbor. - -1. Add the Harbor CA certificate to Docker by executing the following command: - - sudo mkdir -p /etc/docker/certs.d/{{ .Values.externalDomain }} - kubectl get secret \ - --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-ingress \ - -o jsonpath="{.data.ca\.crt}" | base64 --decode | \ - sudo tee /etc/docker/certs.d/{{ .Values.externalDomain }}/ca.crt - -2. Get Harbor admin password by executing the following command: - - kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-adminserver -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode; echo - -3. Add DNS resolution entry for Harbor FQDN {{ .Values.externalDomain }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts. -{{- if .Values.notary.enabled }} - Add DNS resolution entry for Notary FQDN {{ template "harbor.notaryFQDN" . }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts. -{{- end }} - -4. Access Harbor UI via https://{{ .Values.externalDomain }} - -5. Login Harbor with Docker CLI: - - docker login {{ .Values.externalDomain }} +Then you should be able to visit the UI portal at {{ template "harbor.externalURL" . }}. +For more details, please visit https://github.com/vmware/harbor. \ No newline at end of file diff --git a/contrib/helm/harbor/templates/_helpers.tpl b/contrib/helm/harbor/templates/_helpers.tpl index 4dd6a0db7..eb316d03c 100644 --- a/contrib/helm/harbor/templates/_helpers.tpl +++ b/contrib/helm/harbor/templates/_helpers.tpl 
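Review bot: The rewritten notes drop the only place an operator was told how to retrieve the generated admin password and where the auto-generated CA certificate lives, while the chart still ships `harborAdminPassword: Harbor12345` and a self-signed ingress CA by default. Keeping one step such as `kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-adminserver -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode` and one pointing at the `ca.crt` key of the `-ingress` Secret when `ingress.tls.secretName` is empty would keep the first login and `docker login` working without guesswork. The portal URL line is a good addition; it just should not be the whole story when the defaults are this permissive.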
@@ -32,9 +32,9 @@ app: "{{ template "harbor.name" . }}" {{- define "harbor.externalURL" -}} {{- if .Values.externalPort -}} -{{- printf "%s:%s" .Values.externalDomain (toString .Values.externalPort) -}} +{{- printf "%s://%s:%s" .Values.externalProtocol .Values.externalDomain (toString .Values.externalPort) -}} {{- else -}} -{{- .Values.externalDomain -}} +{{- printf "%s://%s" .Values.externalProtocol .Values.externalDomain -}} {{- end -}} {{- end -}} diff --git a/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml b/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml index af278e7b1..5de07836e 100644 --- a/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml +++ b/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml @@ -10,14 +10,14 @@ data: POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" - EMAIL_HOST: "{{ .Values.adminserver.emailHost }}" - EMAIL_PORT: "{{ .Values.adminserver.emailPort }}" - EMAIL_USR: "{{ .Values.adminserver.emailUser }}" - EMAIL_SSL: "{{ .Values.adminserver.emailSsl }}" - EMAIL_FROM: "{{ .Values.adminserver.emailFrom }}" - EMAIL_IDENTITY: "{{ .Values.adminserver.emailIdentity }}" - EMAIL_INSECURE: "{{ .Values.adminserver.emailInsecure }}" - EXT_ENDPOINT: "https://{{ .Values.externalDomain }}" + EMAIL_HOST: "{{ .Values.email.host }}" + EMAIL_PORT: "{{ .Values.email.port }}" + EMAIL_USR: "{{ .Values.email.username }}" + EMAIL_SSL: "{{ .Values.email.ssl }}" + EMAIL_FROM: "{{ .Values.email.from }}" + EMAIL_IDENTITY: "{{ .Values.email.identity }}" + EMAIL_INSECURE: "{{ .Values.email.insecure }}" + EXT_ENDPOINT: "{{ template "harbor.externalURL" . }}" UI_URL: "http://{{ template "harbor.fullname" . }}-ui" JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice" REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000" 
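Review bot: `harbor.externalURL` now prepends `.Values.externalProtocol` unconditionally, so an unset or misspelled value renders as `://harbor.my.domain` and propagates into `EXT_ENDPOINT` (adminserver-cm.yaml, same diff line) and into the token `realm` in registry-cm.yaml and notary-cm.yaml, where clients then fail in a confusing way. Since the ingress templates compare the value against the literal `"https"`, it is better to fail at render time: add `{{- $proto := required "externalProtocol must be http or https" .Values.externalProtocol -}}` at the top of the define and use `$proto` in both `printf` calls. `required` needs Helm 2.6 or later, which I assume this chart already targets.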
@@ -26,16 +26,16 @@ data:
 NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443"
 LOG_LEVEL: "info"
 IMAGE_STORE_PATH: "/" # This is a temporary hack.
- AUTH_MODE: "{{ .Values.adminserver.authenticationMode }}"
- SELF_REGISTRATION: "{{ .Values.adminserver.selfRegistration }}"
- LDAP_URL: "{{ .Values.adminserver.ldap.url }}"
- LDAP_SEARCH_DN: "{{ .Values.adminserver.ldap.searchDN }}"
- LDAP_BASE_DN: "{{ .Values.adminserver.ldap.baseDN }}"
- LDAP_FILTER: "{{ .Values.adminserver.ldap.filter }}"
- LDAP_UID: "{{ .Values.adminserver.ldap.uid }}"
- LDAP_SCOPE: "{{ .Values.adminserver.ldap.scope }}"
- LDAP_TIMEOUT: "{{ .Values.adminserver.ldap.timeout }}"
- LDAP_VERIFY_CERT: "{{ .Values.adminserver.ldap.verifyCert }}"
+ AUTH_MODE: "{{ .Values.authenticationMode }}"
+ SELF_REGISTRATION: "{{ .Values.selfRegistration }}"
+ LDAP_URL: "{{ .Values.ldap.url }}"
+ LDAP_SEARCH_DN: "{{ .Values.ldap.searchDN }}"
+ LDAP_BASE_DN: "{{ .Values.ldap.baseDN }}"
+ LDAP_FILTER: "{{ .Values.ldap.filter }}"
+ LDAP_UID: "{{ .Values.ldap.uid }}"
+ LDAP_SCOPE: "{{ .Values.ldap.scope }}"
+ LDAP_TIMEOUT: "{{ .Values.ldap.timeout }}"
+ LDAP_VERIFY_CERT: "{{ .Values.ldap.verifyCert }}"
 DATABASE_TYPE: "postgresql"
 PROJECT_CREATION_RESTRICTION: "everyone"
 VERIFY_REMOTE_CERT: "off"
diff --git a/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml b/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
index be9ff1627..5b2af470d 100644
--- a/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
+++ b/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
@@ -8,13 +8,13 @@ metadata:
 type: Opaque
 data:
 secretKey: {{ .Values.secretKey | b64enc | quote }}
- EMAIL_PWD: {{ .Values.adminserver.emailPwd | b64enc | quote }}
- HARBOR_ADMIN_PASSWORD: {{ .Values.adminserver.adminPassword | b64enc | quote }}
+ EMAIL_PWD: {{ .Values.email.password | b64enc | quote }}
+ HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
 POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }}
 JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
 UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
-{{- if eq .Values.adminserver.authenticationMode "ldap_auth" }}
- LDAP_SEARCH_PWD: {{ .Values.adminserver.ldap.searchPwd | b64enc | quote }}
+{{- if eq .Values.authenticationMode "ldap_auth" }}
+ LDAP_SEARCH_PWD: {{ .Values.ldap.searchPwd | b64enc | quote }}
 {{- end }}
 {{ if .Values.clair.enabled }}
 CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }}
diff --git a/contrib/helm/harbor/templates/ingress/ingress.yaml b/contrib/helm/harbor/templates/ingress/ingress.yaml
index 06afa590c..1744d1695 100644
--- a/contrib/helm/harbor/templates/ingress/ingress.yaml
+++ b/contrib/helm/harbor/templates/ingress/ingress.yaml
@@ -1,4 +1,4 @@
-{{ if .Values.ingress.enabled }}
+{{ if .Values.ingress.enabled }}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@@ -8,12 +8,16 @@ metadata:
 annotations:
 {{ toYaml .Values.ingress.annotations | indent 4 }}
 spec:
-{{ if not .Values.insecureRegistry }}
+{{ if eq .Values.externalProtocol "https" }}
 tls:
 - hosts:
 - "{{ .Values.externalDomain }}"
 - "{{ template "harbor.notaryFQDN" . }}"
+ {{ if eq .Values.ingress.tls.secretName "" }}
 secretName: "{{ template "harbor.fullname" . }}-ingress"
+ {{ else }}
+ secretName: {{ .Values.ingress.tls.secretName }}
+ {{ end }}
 {{ end }}
 rules:
 - host: "{{ .Values.externalDomain }}"
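Review bot: `LDAP_SEARCH_PWD` reads `.Values.ldap.searchPwd`, but the key this commit adds to values.yaml is `ldap.searchPassword` (hunk `@@ -1,49 +1,33 @@`), so with `authenticationMode: "ldap_auth"` the configured search password is never used and a nil is piped into `b64enc`, which I expect to abort the render rather than produce an empty secret. The same spelling mismatch already existed under the old `adminserver.ldap` prefix, so this rename is the moment to align the two, e.g. `LDAP_SEARCH_PWD: {{ .Values.ldap.searchPassword | b64enc | quote }}`.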
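Review bot: The new `secretName: {{ .Values.ingress.tls.secretName }}` branch emits the value as a plain scalar while the sibling branch quotes its value; a Secret named `on`, `yes` or an all-digit string is a valid DNS label but would be re-typed by the YAML parser and rejected by the API server, so write `secretName: "{{ .Values.ingress.tls.secretName }}"`. The same block is repeated for the second Ingress in `@@ -43,11 +47,15 @@` and needs the same quoting. Note also that `eq .Values.ingress.tls.secretName ""` is a template error rather than `false` when a user's values file omits the `tls` map, at least on the Go template versions Helm shipped with at the time; `eq (.Values.ingress.tls.secretName | default "") ""` tolerates that.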
@@ -43,11 +47,15 @@ metadata:
 nginx.ingress.kubernetes.io/rewrite-target: /registryproxy/v2
 ingress.kubernetes.io/rewrite-target: /registryproxy/v2
 spec:
-{{ if not .Values.insecureRegistry }}
+{{ if eq .Values.externalProtocol "https" }}
 tls:
 - hosts:
 - "{{ .Values.externalDomain }}"
+ {{ if eq .Values.ingress.tls.secretName "" }}
 secretName: "{{ template "harbor.fullname" . }}-ingress"
+ {{ else }}
+ secretName: {{ .Values.ingress.tls.secretName }}
+ {{ end }}
 {{ end }}
 rules:
 - host: "{{ .Values.externalDomain }}"
@@ -57,6 +65,4 @@ spec:
 backend:
 serviceName: {{ template "harbor.fullname" . }}-ui
 servicePort: 80
-
-
 {{ end }}
\ No newline at end of file
diff --git a/contrib/helm/harbor/templates/ingress/secret.yaml b/contrib/helm/harbor/templates/ingress/secret.yaml
index f12dad65b..33d13ee36 100644
--- a/contrib/helm/harbor/templates/ingress/secret.yaml
+++ b/contrib/helm/harbor/templates/ingress/secret.yaml
@@ -1,5 +1,6 @@
-{{ if not .Values.insecureRegistry }}
-{{ if .Values.generateCertificates }}
+{{ if eq .Values.externalProtocol "https" }}
+{{ if .Values.ingress.enabled }}
+{{ if eq .Values.ingress.tls.secretName "" }}
 {{ $ca := genCA "harbor-ca" 3650 }}
 {{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }}
 apiVersion: v1
@@ -14,4 +15,5 @@ data:
 tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
 ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
 {{ end }}
+{{ end }}
 {{ end }}
\ No newline at end of file
diff --git a/contrib/helm/harbor/templates/notary/notary-cm.yaml b/contrib/helm/harbor/templates/notary/notary-cm.yaml
index b098320e5..520de9af9 100644
--- a/contrib/helm/harbor/templates/notary/notary-cm.yaml
+++ b/contrib/helm/harbor/templates/notary/notary-cm.yaml
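Review bot: The second secret.yaml hunk still falls back to `.Values.tlsKey` and `.Values.caCrt` on its context lines (and presumably `.Values.tlsCrt` on the line just above the hunk), yet this commit deletes those three keys from values.yaml and states that user certificates now come in through `ingress.tls.secretName`; what remains is an undocumented override path that an old values file keeps silently exercising. Drop the fallbacks, e.g. `tls.key: {{ $cert.Key | b64enc | quote }}` and `ca.crt: {{ $ca.Cert | b64enc | quote }}`, or keep and document the keys. Separately, `genCA` and `genSignedCert` run on every render, so each `helm upgrade` appears to mint a fresh CA and the `ca.crt` operators already trusted in Docker stops matching; a comment above the `$ca` line saying the generated certificate is meant for evaluation and is replaced on upgrade would set expectations.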
@@ -37,7 +37,7 @@ data: "auth": { "type": "token", "options": { - "realm": "https://{{ template "harbor.externalURL" . }}/service/token", + "realm": "{{ template "harbor.externalURL" . }}/service/token", "service": "harbor-notary", "issuer": "harbor-token-issuer", "rootcertbundle": "/root.crt" diff --git a/contrib/helm/harbor/templates/registry/registry-cm.yaml b/contrib/helm/harbor/templates/registry/registry-cm.yaml index 4be545a82..e80a9e891 100644 --- a/contrib/helm/harbor/templates/registry/registry-cm.yaml +++ b/contrib/helm/harbor/templates/registry/registry-cm.yaml @@ -38,7 +38,7 @@ data: auth: token: issuer: harbor-token-issuer - realm: "https://{{ template "harbor.externalURL" . }}/service/token" + realm: "{{ template "harbor.externalURL" . }}/service/token" rootcertbundle: /etc/registry/root.crt service: harbor-registry diff --git a/contrib/helm/harbor/templates/ui/ui-dpl.yaml b/contrib/helm/harbor/templates/ui/ui-dpl.yaml index 6db0ef963..fd9ac06a3 100644 --- a/contrib/helm/harbor/templates/ui/ui-dpl.yaml +++ b/contrib/helm/harbor/templates/ui/ui-dpl.yaml @@ -50,11 +50,15 @@ spec: - name: ui-secrets-private-key mountPath: /etc/ui/private_key.pem subPath: private_key.pem - {{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }} + {{- if eq .Values.externalProtocol "https" }} + {{- if .Values.ingress.enabled }} + {{- if eq .Values.ingress.tls.secretName "" }} - name: ca-download mountPath: /etc/ui/ca/ca.crt subPath: ca.crt {{- end }} + {{- end }} + {{- end }} - name: psc mountPath: /etc/ui/token volumes: @@ -73,7 +77,9 @@ spec: items: - key: private_key.pem path: private_key.pem - {{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }} + {{- if eq .Values.externalProtocol "https" }} + {{- if .Values.ingress.enabled }} + {{- if eq .Values.ingress.tls.secretName "" }} - name: ca-download secret: secretName: "{{ template "harbor.fullname" . }}-ingress" 
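Review bot: The token `realm` is now assembled from `harbor.externalURL` plus `/service/token` both in notary-cm.yaml (the hunk above) and in registry-cm.yaml, so the two token endpoints can drift apart the next time one of them is edited; a `harbor.tokenRealm` define in _helpers.tpl used by both would prevent that. If it stays inline, a comment next to `realm` noting that this is the URL the registry returns to Docker clients in its authentication challenge, so it must be reachable from the client network exactly as written, would help the next maintainer; the surrounding `auth` block starts outside the hunk.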
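Review bot: The three nested `{{- if }}` blocks around the `ca-download` mount (here, in the `volumes:` hunk that follows on the same diff line, and the matching `{{- end }}` pairs in `@@ -81,6 +87,8 @@`) can be one condition, `{{- if and (eq .Values.externalProtocol "https") .Values.ingress.enabled (eq .Values.ingress.tls.secretName "") }}`, which removes the extra `{{- end }}` lines and keeps the guard readable. secret.yaml gates certificate generation on the same three-way condition, so a shared `harbor.autoCertificate` define in _helpers.tpl would guarantee the volume mount and the Secret it mounts never disagree; as written, a future edit to one site but not the other would leave the UI pod failing to start on a missing Secret.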
@@ -81,6 +87,8 @@ spec:
 - key: ca.crt
 path: ca.crt
 {{- end }}
+ {{- end }}
+ {{- end }}
 - name: psc
 emptyDir: {}
 {{- with .Values.ui.nodeSelector }}
diff --git a/contrib/helm/harbor/values.yaml b/contrib/helm/harbor/values.yaml
index 339d742b0..279d30f10 100644
--- a/contrib/helm/harbor/values.yaml
+++ b/contrib/helm/harbor/values.yaml
@@ -1,49 +1,33 @@ -# Configure persisten Volumes per application -## Applications that require storage have a `volumes` definition which will be used -## when `persistence.enabled` is set to true. -## example -# mysql: -# volumes: -# data: -## Persistent Volume Storage Class -## If defined, storageClassName: -## If set to "-", storageClassName: "", which disables dynamic provisioning -## If undefined (the default) or set to null, no storageClassName spec is -## set, choosing the default provisioner. (gp2 on AWS, standard on -## GKE, AWS & OpenStack) -## -# storageClass: "-" -# accessMode: ReadWriteOnce -# size: 1Gi - -## Configure resource requests and limits per application -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -# mysql: -# resources: -# requests: -# memory: 256Mi -# cpu: 100m - persistence: enabled: true - -# The tag for Harbor docker images. -harborImageTag: &harbor_image_tag v1.5.0-chart-patch - -# The FQDN for Harbor service. +externalProtocol: https +# The FQDN for Harbor service externalDomain: harbor.my.domain -# externalPort is the Port for Harbor service, leave empty if the service is to be bound to -# port 80/443 +# The Port for Harbor service, leave empty if the service +# is to be bound to port 80/443 externalPort: 32700 -# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add -# Harbor FQDN as insecure-registries for your docker client. -insecureRegistry: false -generateCertificates: true -# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above. 
-tlsCrt: -tlsKey: -caCrt: +harborAdminPassword: Harbor12345 +authenticationMode: "db_auth" +selfRegistration: "on" +ldap: + url: "ldaps://ldapserver" + searchDN: "" + searchPassword: "" + baseDN: "" + filter: "(objectClass=person)" + uid: "uid" + scope: "2" + timeout: "5" + verifyCert: "True" +email: + host: "smtp.mydomain.com" + port: "25" + username: "sample_admin@mydomain.com" + password: "password" + ssl: "false" + insecure: "false" + from: "admin " + identity: "" # The secret key used for encryption. Must be a string of 16 chars. secretKey: not-a-secure-key @@ -54,36 +38,23 @@ ingress: enabled: true annotations: ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-body-size: "0" + tls: + # Fill the secretName if you want to use the certificate of + # yourself when Harbor serves with HTTPS. A certificate will + # be generated automatically by the chart if leave it empty + secretName: "" + +# The tag for Harbor docker images. +harborImageTag: &harbor_image_tag dev adminserver: image: repository: vmware/harbor-adminserver tag: *harbor_image_tag pullPolicy: IfNotPresent - emailHost: "smtp.mydomain.com" - emailPort: "25" - emailUser: "sample_admin@mydomain.com" - emailSsl: "false" - emailFrom: "admin " - emailIdentity: "" - emailInsecure: "False" - emailPwd: not-a-secure-password - adminPassword: Harbor12345 - authenticationMode: "db_auth" - selfRegistration: "on" - ldap: - url: "ldaps://ldapserver" - searchDN: "" - searchPassword: "" - baseDN: "" - filter: "(objectClass=person)" - uid: "uid" - scope: "2" - timeout: "5" - verifyCert: "True" - ## Persist data to a persistent volume volumes: config: # storageClass: "-" @@ -97,8 +68,6 @@ adminserver: tolerations: [] affinity: {} -## jobservice -# jobservice: image: repository: vmware/harbor-jobservice 
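Review bot: `externalProtocol: https` is introduced without a comment even though it is now the single switch that decides whether the ingress terminates TLS and which scheme the registry and notary token realms advertise; a value of `http` therefore sends `docker login` credentials and bearer tokens to the cluster in cleartext. Suggest placing `# Scheme clients use to reach Harbor. "https" makes the ingress serve TLS (see ingress.tls); "http" disables TLS entirely and is only suitable for local evaluation.` above it. The hunk also moves `harborAdminPassword: Harbor12345` to the top level and introduces `email.password: "password"` as a plain-text default, with nothing telling the operator these must be overridden before the instance is reachable; a `# Change this before exposing the instance` comment on both, or an empty default that the templates reject with `required`, would keep the well-known defaults out of production. The `ldap.searchPassword` key introduced here is spelled differently from what adminserver-secrets.yaml reads; see the note on that hunk.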
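Review bot: `harborImageTag: &harbor_image_tag dev` (and the direct `tag: dev` values in the registry, clair and notary hunks on the next diff line) replace pinned release tags with a mutable tag, so a default install pulls whatever `dev` points to at pull time and two installs of the same chart version can run different code. For a chart that is meant to be consumed by others the default should stay a fixed release tag or image digest, with `dev` opted into through `--set`; if `dev` is intentional for this branch, a comment on the anchor line such as `# Mutable tag: pin to a release tag or digest for anything beyond development` makes the trade-off visible. The new `ingress.tls.secretName` comment also reads awkwardly; `# Name of an existing TLS Secret to use when Harbor serves HTTPS. Leave empty to let the chart generate a self-signed certificate.` states the contract more clearly.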
@@ -114,8 +83,6 @@ jobservice: tolerations: [] affinity: {} -## UI -# ui: image: repository: vmware/harbor-ui @@ -215,11 +182,10 @@ database: notaryServerDatabase: "notary_server" notarySignerDatabase: "notary_signer" - registry: image: repository: vmware/registry-photon - tag: v2.6.2-v1.5.0-chart-patch + tag: dev pullPolicy: IfNotPresent httpSecret: not-a-secure-secret logLevel: info @@ -289,17 +255,9 @@ registry: clair: enabled: true image: - repository: ywk253100/clair-photon - tag: v2.0.1-v1.5.0-chart-patch + repository: vmware/clair-photon + tag: dev pullPolicy: IfNotPresent -# resources: -# requests: -# memory: 256Mi -# cpu: 100m -# pgResources: -# requests: -# memory: 256Mi -# cpu: 100m volumes: pgData: # storageClass: "-" @@ -332,12 +290,12 @@ notary: server: image: repository: vmware/notary-server-photon - tag: v0.5.1-v1.5.0-chart-patch + tag: dev pullPolicy: IfNotPresent signer: image: repository: vmware/notary-signer-photon - tag: v0.5.1-v1.5.0-chart-patch + tag: dev pullPolicy: IfNotPresent env: NOTARY_SIGNER_DEFAULTALIAS: defaultalias