Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2024-11-28 13:15:33 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #5289 from ywk253100/180710_chart

Browse Source 
Fix misc issues of Harbor charts
This commit is contained in:
Daniel Jiang 2018-07-13 11:21:24 +08:00 committed by GitHub
commit 799a6b479a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 93 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
contrib/helm/harbor/templates/NOTES.txt
View File

@ -1,26 +1,3 @@
Please wait for several minutes for Harbor deployment to complete. Please wait for several minutes for Harbor deployment to complete.
Then follow the steps below to use Harbor. Then you should be able to visit the UI portal at {{ template "harbor.externalURL" . }}.
For more details, please visit https://github.com/vmware/harbor.
1. Add the Harbor CA certificate to Docker by executing the following command:
sudo mkdir -p /etc/docker/certs.d/{{ .Values.externalDomain }}
kubectl get secret \
--namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-ingress \
-o jsonpath="{.data.ca\.crt}" | base64 --decode | \
sudo tee /etc/docker/certs.d/{{ .Values.externalDomain }}/ca.crt
2. Get Harbor admin password by executing the following command:
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-adminserver -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode; echo
3. Add DNS resolution entry for Harbor FQDN {{ .Values.externalDomain }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
{{- if .Values.notary.enabled }}
Add DNS resolution entry for Notary FQDN {{ template "harbor.notaryFQDN" . }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
{{- end }}
4. Access Harbor UI via https://{{ .Values.externalDomain }}
5. Login Harbor with Docker CLI:
docker login {{ .Values.externalDomain }}

4
contrib/helm/harbor/templates/_helpers.tpl
View File

@ -32,9 +32,9 @@ app: "{{ template "harbor.name" . }}"
{{- define "harbor.externalURL" -}} {{- define "harbor.externalURL" -}}
{{- if .Values.externalPort -}} {{- if .Values.externalPort -}}
{{- printf "%s:%s" .Values.externalDomain (toString .Values.externalPort) -}} {{- printf "%s://%s:%s" .Values.externalProtocol .Values.externalDomain (toString .Values.externalPort) -}}
{{- else -}} {{- else -}}
{{- .Values.externalDomain -}} {{- printf "%s://%s" .Values.externalProtocol .Values.externalDomain -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}

36
contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml
View File

@ -10,14 +10,14 @@ data:
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
EMAIL_HOST: "{{ .Values.adminserver.emailHost }}" EMAIL_HOST: "{{ .Values.email.host }}"
EMAIL_PORT: "{{ .Values.adminserver.emailPort }}" EMAIL_PORT: "{{ .Values.email.port }}"
EMAIL_USR: "{{ .Values.adminserver.emailUser }}" EMAIL_USR: "{{ .Values.email.username }}"
EMAIL_SSL: "{{ .Values.adminserver.emailSsl }}" EMAIL_SSL: "{{ .Values.email.ssl }}"
EMAIL_FROM: "{{ .Values.adminserver.emailFrom }}" EMAIL_FROM: "{{ .Values.email.from }}"
EMAIL_IDENTITY: "{{ .Values.adminserver.emailIdentity }}" EMAIL_IDENTITY: "{{ .Values.email.identity }}"
EMAIL_INSECURE: "{{ .Values.adminserver.emailInsecure }}" EMAIL_INSECURE: "{{ .Values.email.insecure }}"
EXT_ENDPOINT: "https://{{ .Values.externalDomain }}" EXT_ENDPOINT: "{{ template "harbor.externalURL" . }}"
UI_URL: "http://{{ template "harbor.fullname" . }}-ui" UI_URL: "http://{{ template "harbor.fullname" . }}-ui"
JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice" JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000" REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000"
@ -26,16 +26,16 @@ data:
NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443" NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443"
LOG_LEVEL: "info" LOG_LEVEL: "info"
IMAGE_STORE_PATH: "/" # This is a temporary hack. IMAGE_STORE_PATH: "/" # This is a temporary hack.
AUTH_MODE: "{{ .Values.adminserver.authenticationMode }}" AUTH_MODE: "{{ .Values.authenticationMode }}"
SELF_REGISTRATION: "{{ .Values.adminserver.selfRegistration }}" SELF_REGISTRATION: "{{ .Values.selfRegistration }}"
LDAP_URL: "{{ .Values.adminserver.ldap.url }}" LDAP_URL: "{{ .Values.ldap.url }}"
LDAP_SEARCH_DN: "{{ .Values.adminserver.ldap.searchDN }}" LDAP_SEARCH_DN: "{{ .Values.ldap.searchDN }}"
LDAP_BASE_DN: "{{ .Values.adminserver.ldap.baseDN }}" LDAP_BASE_DN: "{{ .Values.ldap.baseDN }}"
LDAP_FILTER: "{{ .Values.adminserver.ldap.filter }}" LDAP_FILTER: "{{ .Values.ldap.filter }}"
LDAP_UID: "{{ .Values.adminserver.ldap.uid }}" LDAP_UID: "{{ .Values.ldap.uid }}"
LDAP_SCOPE: "{{ .Values.adminserver.ldap.scope }}" LDAP_SCOPE: "{{ .Values.ldap.scope }}"
LDAP_TIMEOUT: "{{ .Values.adminserver.ldap.timeout }}" LDAP_TIMEOUT: "{{ .Values.ldap.timeout }}"
LDAP_VERIFY_CERT: "{{ .Values.adminserver.ldap.verifyCert }}" LDAP_VERIFY_CERT: "{{ .Values.ldap.verifyCert }}"
DATABASE_TYPE: "postgresql" DATABASE_TYPE: "postgresql"
PROJECT_CREATION_RESTRICTION: "everyone" PROJECT_CREATION_RESTRICTION: "everyone"
VERIFY_REMOTE_CERT: "off" VERIFY_REMOTE_CERT: "off"

8
contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
View File

@ -8,13 +8,13 @@ metadata:
type: Opaque type: Opaque
data: data:
secretKey: {{ .Values.secretKey | b64enc | quote }} secretKey: {{ .Values.secretKey | b64enc | quote }}
EMAIL_PWD: {{ .Values.adminserver.emailPwd | b64enc | quote }} EMAIL_PWD: {{ .Values.email.password | b64enc | quote }}
HARBOR_ADMIN_PASSWORD: {{ .Values.adminserver.adminPassword | b64enc | quote }} HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }} POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }}
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }} JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
UI_SECRET: {{ .Values.ui.secret | b64enc | quote }} UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
{{- if eq .Values.adminserver.authenticationMode "ldap_auth" }} {{- if eq .Values.authenticationMode "ldap_auth" }}
LDAP_SEARCH_PWD: {{ .Values.adminserver.ldap.searchPwd | b64enc | quote }} LDAP_SEARCH_PWD: {{ .Values.ldap.searchPwd | b64enc | quote }}
{{- end }} {{- end }}
{{ if .Values.clair.enabled }} {{ if .Values.clair.enabled }}
CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }} CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }}

14
contrib/helm/harbor/templates/ingress/ingress.yaml
View File

@ -8,12 +8,16 @@ metadata:
annotations: annotations:
{{ toYaml .Values.ingress.annotations | indent 4 }} {{ toYaml .Values.ingress.annotations | indent 4 }}
spec: spec:
{{ if not .Values.insecureRegistry }} {{ if eq .Values.externalProtocol "https" }}
tls: tls:
- hosts: - hosts:
- "{{ .Values.externalDomain }}" - "{{ .Values.externalDomain }}"
- "{{ template "harbor.notaryFQDN" . }}" - "{{ template "harbor.notaryFQDN" . }}"
{{ if eq .Values.ingress.tls.secretName "" }}
secretName: "{{ template "harbor.fullname" . }}-ingress" secretName: "{{ template "harbor.fullname" . }}-ingress"
{{ else }}
secretName: {{ .Values.ingress.tls.secretName }}
{{ end }}
{{ end }} {{ end }}
rules: rules:
- host: "{{ .Values.externalDomain }}" - host: "{{ .Values.externalDomain }}"
@ -43,11 +47,15 @@ metadata:
nginx.ingress.kubernetes.io/rewrite-target: /registryproxy/v2 nginx.ingress.kubernetes.io/rewrite-target: /registryproxy/v2
ingress.kubernetes.io/rewrite-target: /registryproxy/v2 ingress.kubernetes.io/rewrite-target: /registryproxy/v2
spec: spec:
{{ if not .Values.insecureRegistry }} {{ if eq .Values.externalProtocol "https" }}
tls: tls:
- hosts: - hosts:
- "{{ .Values.externalDomain }}" - "{{ .Values.externalDomain }}"
{{ if eq .Values.ingress.tls.secretName "" }}
secretName: "{{ template "harbor.fullname" . }}-ingress" secretName: "{{ template "harbor.fullname" . }}-ingress"
{{ else }}
secretName: {{ .Values.ingress.tls.secretName }}
{{ end }}
{{ end }} {{ end }}
rules: rules:
- host: "{{ .Values.externalDomain }}" - host: "{{ .Values.externalDomain }}"
@ -57,6 +65,4 @@ spec:
backend: backend:
serviceName: {{ template "harbor.fullname" . }}-ui serviceName: {{ template "harbor.fullname" . }}-ui
servicePort: 80 servicePort: 80
{{ end }} {{ end }}

6
contrib/helm/harbor/templates/ingress/secret.yaml
View File

@ -1,5 +1,6 @@
{{ if not .Values.insecureRegistry }} {{ if eq .Values.externalProtocol "https" }}
{{ if .Values.generateCertificates }} {{ if .Values.ingress.enabled }}
{{ if eq .Values.ingress.tls.secretName "" }}
{{ $ca := genCA "harbor-ca" 3650 }} {{ $ca := genCA "harbor-ca" 3650 }}
{{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }} {{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }}
apiVersion: v1 apiVersion: v1
@ -15,3 +16,4 @@ data:
ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }} ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }}

2
contrib/helm/harbor/templates/notary/notary-cm.yaml
View File

@ -37,7 +37,7 @@ data:
"auth": { "auth": {
"type": "token", "type": "token",
"options": { "options": {
"realm": "https://{{ template "harbor.externalURL" . }}/service/token", "realm": "{{ template "harbor.externalURL" . }}/service/token",
"service": "harbor-notary", "service": "harbor-notary",
"issuer": "harbor-token-issuer", "issuer": "harbor-token-issuer",
"rootcertbundle": "/root.crt" "rootcertbundle": "/root.crt"

2
contrib/helm/harbor/templates/registry/registry-cm.yaml
View File

@ -38,7 +38,7 @@ data:
auth: auth:
token: token:
issuer: harbor-token-issuer issuer: harbor-token-issuer
realm: "https://{{ template "harbor.externalURL" . }}/service/token" realm: "{{ template "harbor.externalURL" . }}/service/token"
rootcertbundle: /etc/registry/root.crt rootcertbundle: /etc/registry/root.crt
service: harbor-registry service: harbor-registry

12
contrib/helm/harbor/templates/ui/ui-dpl.yaml
View File

@ -50,11 +50,15 @@ spec:
- name: ui-secrets-private-key - name: ui-secrets-private-key
mountPath: /etc/ui/private_key.pem mountPath: /etc/ui/private_key.pem
subPath: private_key.pem subPath: private_key.pem
{{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }} {{- if eq .Values.externalProtocol "https" }}
{{- if .Values.ingress.enabled }}
{{- if eq .Values.ingress.tls.secretName "" }}
- name: ca-download - name: ca-download
mountPath: /etc/ui/ca/ca.crt mountPath: /etc/ui/ca/ca.crt
subPath: ca.crt subPath: ca.crt
{{- end }} {{- end }}
{{- end }}
{{- end }}
- name: psc - name: psc
mountPath: /etc/ui/token mountPath: /etc/ui/token
volumes: volumes:
@ -73,7 +77,9 @@ spec:
items: items:
- key: private_key.pem - key: private_key.pem
path: private_key.pem path: private_key.pem
{{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }} {{- if eq .Values.externalProtocol "https" }}
{{- if .Values.ingress.enabled }}
{{- if eq .Values.ingress.tls.secretName "" }}
- name: ca-download - name: ca-download
secret: secret:
secretName: "{{ template "harbor.fullname" . }}-ingress" secretName: "{{ template "harbor.fullname" . }}-ingress"
@ -81,6 +87,8 @@ spec:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
{{- end }} {{- end }}
{{- end }}
{{- end }}
- name: psc - name: psc
emptyDir: {} emptyDir: {}
{{- with .Values.ui.nodeSelector }} {{- with .Values.ui.nodeSelector }}

122
contrib/helm/harbor/values.yaml
View File

@ -1,49 +1,33 @@
# Configure persisten Volumes per application
## Applications that require storage have a `volumes` definition which will be used
## when `persistence.enabled` is set to true.
## example
# mysql:
# volumes:
# data:
## Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 1Gi
## Configure resource requests and limits per application
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
# mysql:
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
persistence: persistence:
enabled: true enabled: true
externalProtocol: https
# The tag for Harbor docker images. # The FQDN for Harbor service
harborImageTag: &harbor_image_tag v1.5.0-chart-patch
# The FQDN for Harbor service.
externalDomain: harbor.my.domain externalDomain: harbor.my.domain
# externalPort is the Port for Harbor service, leave empty if the service is to be bound to # The Port for Harbor service, leave empty if the service
# port 80/443 # is to be bound to port 80/443
externalPort: 32700 externalPort: 32700
# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add harborAdminPassword: Harbor12345
# Harbor FQDN as insecure-registries for your docker client. authenticationMode: "db_auth"
insecureRegistry: false selfRegistration: "on"
generateCertificates: true ldap:
# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above. url: "ldaps://ldapserver"
tlsCrt: searchDN: ""
tlsKey: searchPassword: ""
caCrt: baseDN: ""
filter: "(objectClass=person)"
uid: "uid"
scope: "2"
timeout: "5"
verifyCert: "True"
email:
host: "smtp.mydomain.com"
port: "25"
username: "sample_admin@mydomain.com"
password: "password"
ssl: "false"
insecure: "false"
from: "admin <sample_admin@mydomain.com>"
identity: ""
# The secret key used for encryption. Must be a string of 16 chars. # The secret key used for encryption. Must be a string of 16 chars.
secretKey: not-a-secure-key secretKey: not-a-secure-key
@ -54,36 +38,23 @@ ingress:
enabled: true enabled: true
annotations: annotations:
ingress.kubernetes.io/ssl-redirect: "true" ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0" ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-body-size: "0"
tls:
# Fill the secretName if you want to use the certificate of
# yourself when Harbor serves with HTTPS. A certificate will
# be generated automatically by the chart if leave it empty
secretName: ""
# The tag for Harbor docker images.
harborImageTag: &harbor_image_tag dev
adminserver: adminserver:
image: image:
repository: vmware/harbor-adminserver repository: vmware/harbor-adminserver
tag: *harbor_image_tag tag: *harbor_image_tag
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
emailHost: "smtp.mydomain.com"
emailPort: "25"
emailUser: "sample_admin@mydomain.com"
emailSsl: "false"
emailFrom: "admin <sample_admin@mydomain.com>"
emailIdentity: ""
emailInsecure: "False"
emailPwd: not-a-secure-password
adminPassword: Harbor12345
authenticationMode: "db_auth"
selfRegistration: "on"
ldap:
url: "ldaps://ldapserver"
searchDN: ""
searchPassword: ""
baseDN: ""
filter: "(objectClass=person)"
uid: "uid"
scope: "2"
timeout: "5"
verifyCert: "True"
## Persist data to a persistent volume
volumes: volumes:
config: config:
# storageClass: "-" # storageClass: "-"
@ -97,8 +68,6 @@ adminserver:
tolerations: [] tolerations: []
affinity: {} affinity: {}
## jobservice
#
jobservice: jobservice:
image: image:
repository: vmware/harbor-jobservice repository: vmware/harbor-jobservice
@ -114,8 +83,6 @@ jobservice:
tolerations: [] tolerations: []
affinity: {} affinity: {}
## UI
#
ui: ui:
image: image:
repository: vmware/harbor-ui repository: vmware/harbor-ui
@ -215,11 +182,10 @@ database:
notaryServerDatabase: "notary_server" notaryServerDatabase: "notary_server"
notarySignerDatabase: "notary_signer" notarySignerDatabase: "notary_signer"
registry: registry:
image: image:
repository: vmware/registry-photon repository: vmware/registry-photon
tag: v2.6.2-v1.5.0-chart-patch tag: dev
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
httpSecret: not-a-secure-secret httpSecret: not-a-secure-secret
logLevel: info logLevel: info
@ -289,17 +255,9 @@ registry:
clair: clair:
enabled: true enabled: true
image: image:
repository: ywk253100/clair-photon repository: vmware/clair-photon
tag: v2.0.1-v1.5.0-chart-patch tag: dev
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
# pgResources:
# requests:
# memory: 256Mi
# cpu: 100m
volumes: volumes:
pgData: pgData:
# storageClass: "-" # storageClass: "-"
@ -332,12 +290,12 @@ notary:
server: server:
image: image:
repository: vmware/notary-server-photon repository: vmware/notary-server-photon
tag: v0.5.1-v1.5.0-chart-patch tag: dev
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
signer: signer:
image: image:
repository: vmware/notary-signer-photon repository: vmware/notary-signer-photon
tag: v0.5.1-v1.5.0-chart-patch tag: dev
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
NOTARY_SIGNER_DEFAULTALIAS: defaultalias NOTARY_SIGNER_DEFAULTALIAS: defaultalias