mirror of
https://github.com/goharbor/harbor.git
Merge pull request #5289 from ywk253100/180710_chart
Fix misc issues of Harbor charts
commit
799a6b479a
@ -1,26 +1,3 @@
|
||||
|
||||
Please wait for several minutes for Harbor deployment to complete.
|
||||
Then follow the steps below to use Harbor.
|
||||
|
||||
1. Add the Harbor CA certificate to Docker by executing the following command:
|
||||
|
||||
sudo mkdir -p /etc/docker/certs.d/{{ .Values.externalDomain }}
|
||||
kubectl get secret \
|
||||
--namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-ingress \
|
||||
-o jsonpath="{.data.ca\.crt}" | base64 --decode | \
|
||||
sudo tee /etc/docker/certs.d/{{ .Values.externalDomain }}/ca.crt
|
||||
|
||||
2. Get Harbor admin password by executing the following command:
|
||||
|
||||
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-adminserver -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode; echo
|
||||
|
||||
3. Add DNS resolution entry for Harbor FQDN {{ .Values.externalDomain }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
|
||||
{{- if .Values.notary.enabled }}
|
||||
Add DNS resolution entry for Notary FQDN {{ template "harbor.notaryFQDN" . }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
|
||||
{{- end }}
|
||||
|
||||
4. Access Harbor UI via https://{{ .Values.externalDomain }}
|
||||
|
||||
5. Login Harbor with Docker CLI:
|
||||
|
||||
docker login {{ .Values.externalDomain }}
|
||||
Then you should be able to visit the UI portal at {{ template "harbor.externalURL" . }}.
|
||||
For more details, please visit https://github.com/vmware/harbor.
|
@ -32,9 +32,9 @@ app: "{{ template "harbor.name" . }}"
|
||||
|
||||
{{- define "harbor.externalURL" -}}
|
||||
{{- if .Values.externalPort -}}
|
||||
{{- printf "%s:%s" .Values.externalDomain (toString .Values.externalPort) -}}
|
||||
{{- printf "%s://%s:%s" .Values.externalProtocol .Values.externalDomain (toString .Values.externalPort) -}}
|
||||
{{- else -}}
|
||||
{{- .Values.externalDomain -}}
|
||||
{{- printf "%s://%s" .Values.externalProtocol .Values.externalDomain -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
|
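Review bot: `harbor.externalURL` interpolates `.Values.externalProtocol` into the URL without checking it, while the ingress, certificate and UI templates further down this page enable TLS only when the value is exactly `https`. A typo or a different case such as `HTTPS` would therefore yield a URL with that scheme and at the same time drop every TLS block, with no error at install time. I would reject unknown values at the top of the define, for example `{{- if and (ne .Values.externalProtocol "http") (ne .Values.externalProtocol "https") }}{{ fail "externalProtocol must be http or https" }}{{ end -}}`, assuming the Helm version in use provides `fail`. This rendering does not mark line sides; I am reading the two `printf` calls that contain `%s://` as the new ones.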
@ -10,14 +10,14 @@ data:
|
||||
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
|
||||
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
|
||||
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
|
||||
EMAIL_HOST: "{{ .Values.adminserver.emailHost }}"
|
||||
EMAIL_PORT: "{{ .Values.adminserver.emailPort }}"
|
||||
EMAIL_USR: "{{ .Values.adminserver.emailUser }}"
|
||||
EMAIL_SSL: "{{ .Values.adminserver.emailSsl }}"
|
||||
EMAIL_FROM: "{{ .Values.adminserver.emailFrom }}"
|
||||
EMAIL_IDENTITY: "{{ .Values.adminserver.emailIdentity }}"
|
||||
EMAIL_INSECURE: "{{ .Values.adminserver.emailInsecure }}"
|
||||
EXT_ENDPOINT: "https://{{ .Values.externalDomain }}"
|
||||
EMAIL_HOST: "{{ .Values.email.host }}"
|
||||
EMAIL_PORT: "{{ .Values.email.port }}"
|
||||
EMAIL_USR: "{{ .Values.email.username }}"
|
||||
EMAIL_SSL: "{{ .Values.email.ssl }}"
|
||||
EMAIL_FROM: "{{ .Values.email.from }}"
|
||||
EMAIL_IDENTITY: "{{ .Values.email.identity }}"
|
||||
EMAIL_INSECURE: "{{ .Values.email.insecure }}"
|
||||
EXT_ENDPOINT: "{{ template "harbor.externalURL" . }}"
|
||||
UI_URL: "http://{{ template "harbor.fullname" . }}-ui"
|
||||
JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
|
||||
REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000"
|
||||
@ -26,16 +26,16 @@ data:
|
||||
NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443"
|
||||
LOG_LEVEL: "info"
|
||||
IMAGE_STORE_PATH: "/" # This is a temporary hack.
|
||||
AUTH_MODE: "{{ .Values.adminserver.authenticationMode }}"
|
||||
SELF_REGISTRATION: "{{ .Values.adminserver.selfRegistration }}"
|
||||
LDAP_URL: "{{ .Values.adminserver.ldap.url }}"
|
||||
LDAP_SEARCH_DN: "{{ .Values.adminserver.ldap.searchDN }}"
|
||||
LDAP_BASE_DN: "{{ .Values.adminserver.ldap.baseDN }}"
|
||||
LDAP_FILTER: "{{ .Values.adminserver.ldap.filter }}"
|
||||
LDAP_UID: "{{ .Values.adminserver.ldap.uid }}"
|
||||
LDAP_SCOPE: "{{ .Values.adminserver.ldap.scope }}"
|
||||
LDAP_TIMEOUT: "{{ .Values.adminserver.ldap.timeout }}"
|
||||
LDAP_VERIFY_CERT: "{{ .Values.adminserver.ldap.verifyCert }}"
|
||||
AUTH_MODE: "{{ .Values.authenticationMode }}"
|
||||
SELF_REGISTRATION: "{{ .Values.selfRegistration }}"
|
||||
LDAP_URL: "{{ .Values.ldap.url }}"
|
||||
LDAP_SEARCH_DN: "{{ .Values.ldap.searchDN }}"
|
||||
LDAP_BASE_DN: "{{ .Values.ldap.baseDN }}"
|
||||
LDAP_FILTER: "{{ .Values.ldap.filter }}"
|
||||
LDAP_UID: "{{ .Values.ldap.uid }}"
|
||||
LDAP_SCOPE: "{{ .Values.ldap.scope }}"
|
||||
LDAP_TIMEOUT: "{{ .Values.ldap.timeout }}"
|
||||
LDAP_VERIFY_CERT: "{{ .Values.ldap.verifyCert }}"
|
||||
DATABASE_TYPE: "postgresql"
|
||||
PROJECT_CREATION_RESTRICTION: "everyone"
|
||||
VERIFY_REMOTE_CERT: "off"
|
||||
|
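Review bot: The last line of the second hunk still hard-codes `VERIFY_REMOTE_CERT: "off"`, so whatever that switch governs (by its name, certificate verification for remote endpoints) cannot be turned on from values. `LDAP_VERIFY_CERT` and `EMAIL_INSECURE`, by contrast, are operator-settable and are moved to top-level values in this commit. I would expose it the same way with a verifying default, e.g. `VERIFY_REMOTE_CERT: "{{ .Values.verifyRemoteCert | default "on" }}"`, where `verifyRemoteCert` is a proposed new key, not one that exists in the chart today. The `data:` map starts before the first hunk, so other hard-coded switches may exist outside this view.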
@ -8,13 +8,13 @@ metadata:
|
||||
type: Opaque
|
||||
data:
|
||||
secretKey: {{ .Values.secretKey | b64enc | quote }}
|
||||
EMAIL_PWD: {{ .Values.adminserver.emailPwd | b64enc | quote }}
|
||||
HARBOR_ADMIN_PASSWORD: {{ .Values.adminserver.adminPassword | b64enc | quote }}
|
||||
EMAIL_PWD: {{ .Values.email.password | b64enc | quote }}
|
||||
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
|
||||
POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }}
|
||||
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
|
||||
UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
|
||||
{{- if eq .Values.adminserver.authenticationMode "ldap_auth" }}
|
||||
LDAP_SEARCH_PWD: {{ .Values.adminserver.ldap.searchPwd | b64enc | quote }}
|
||||
{{- if eq .Values.authenticationMode "ldap_auth" }}
|
||||
LDAP_SEARCH_PWD: {{ .Values.ldap.searchPwd | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{ if .Values.clair.enabled }}
|
||||
CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }}
|
||||
|
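Review bot: `LDAP_SEARCH_PWD` is read from `.Values.ldap.searchPwd`, but the `ldap` block that values.yaml gains in this same commit names the key `searchPassword`, so the template never sees the configured bind password. With `authenticationMode: ldap_auth` the render would then either fail in `b64enc` or store an empty secret (I have not checked which), and LDAP binds would not use the intended credential. The line should read `LDAP_SEARCH_PWD: {{ .Values.ldap.searchPassword | b64enc | quote }}`. The `data:` map and the `clair.enabled` block continue past the end of the hunk.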
@ -1,4 +1,4 @@
|
||||
{{ if .Values.ingress.enabled }}
|
||||
{{ if .Values.ingress.enabled }}
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
@ -8,12 +8,16 @@ metadata:
|
||||
annotations:
|
||||
{{ toYaml .Values.ingress.annotations | indent 4 }}
|
||||
spec:
|
||||
{{ if not .Values.insecureRegistry }}
|
||||
{{ if eq .Values.externalProtocol "https" }}
|
||||
tls:
|
||||
- hosts:
|
||||
- "{{ .Values.externalDomain }}"
|
||||
- "{{ template "harbor.notaryFQDN" . }}"
|
||||
{{ if eq .Values.ingress.tls.secretName "" }}
|
||||
secretName: "{{ template "harbor.fullname" . }}-ingress"
|
||||
{{ else }}
|
||||
secretName: {{ .Values.ingress.tls.secretName }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
rules:
|
||||
- host: "{{ .Values.externalDomain }}"
|
||||
@ -43,11 +47,15 @@ metadata:
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /registryproxy/v2
|
||||
ingress.kubernetes.io/rewrite-target: /registryproxy/v2
|
||||
spec:
|
||||
{{ if not .Values.insecureRegistry }}
|
||||
{{ if eq .Values.externalProtocol "https" }}
|
||||
tls:
|
||||
- hosts:
|
||||
- "{{ .Values.externalDomain }}"
|
||||
{{ if eq .Values.ingress.tls.secretName "" }}
|
||||
secretName: "{{ template "harbor.fullname" . }}-ingress"
|
||||
{{ else }}
|
||||
secretName: {{ .Values.ingress.tls.secretName }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
rules:
|
||||
- host: "{{ .Values.externalDomain }}"
|
||||
@ -57,6 +65,4 @@ spec:
|
||||
backend:
|
||||
serviceName: {{ template "harbor.fullname" . }}-ui
|
||||
servicePort: 80
|
||||
|
||||
|
||||
{{ end }}
|
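Review bot: Both `tls:` blocks choose the secret with `{{ if eq .Values.ingress.tls.secretName "" }}`, which matches only the literal empty string. A values file that leaves `secretName:` bare (null) or omits the key is not covered and, depending on the Helm version, either fails to render or falls into the `else` branch with an empty `secretName`; that branch also emits the value unquoted. One line handles every case: `secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-ingress" (include "harbor.fullname" .)) | quote }}`. The same `eq … ""` test appears in the ingress secret template and twice in the UI deployment further down this page, where `{{ if not .Values.ingress.tls.secretName }}` would be the equivalent guard.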
@ -1,5 +1,6 @@
|
||||
{{ if not .Values.insecureRegistry }}
|
||||
{{ if .Values.generateCertificates }}
|
||||
{{ if eq .Values.externalProtocol "https" }}
|
||||
{{ if .Values.ingress.enabled }}
|
||||
{{ if eq .Values.ingress.tls.secretName "" }}
|
||||
{{ $ca := genCA "harbor-ca" 3650 }}
|
||||
{{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }}
|
||||
apiVersion: v1
|
||||
@ -15,3 +16,4 @@ data:
|
||||
ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
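Review bot: `genCA` and `genSignedCert` at the top of this template run on every render, so, as far as I know Helm's behaviour, each `helm upgrade` issues a fresh CA and server certificate and replaces the `ca.crt` that clients were told to trust. Clients that installed the previous CA then fail verification, and the usual workaround is to mark the registry insecure. I would add a template comment above the `$ca` line, e.g. `{{/* regenerated on every render; evaluation only - set ingress.tls.secretName for a stable certificate */}}`, and say the same in the `secretName` comment in values.yaml. Separately, the context line for `ca.crt` still reads `.Values.caCrt`, a key that values.yaml appears to drop in this commit; worth confirming it is still meant to be supported.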
@ -37,7 +37,7 @@ data:
|
||||
"auth": {
|
||||
"type": "token",
|
||||
"options": {
|
||||
"realm": "https://{{ template "harbor.externalURL" . }}/service/token",
|
||||
"realm": "{{ template "harbor.externalURL" . }}/service/token",
|
||||
"service": "harbor-notary",
|
||||
"issuer": "harbor-token-issuer",
|
||||
"rootcertbundle": "/root.crt"
|
||||
|
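Review bot: The token `realm` takes its scheme from `harbor.externalURL` rather than a fixed `https://`, here and in the registry config's `realm` in the next section. Clients send their credentials to this URL to obtain a token, so with `externalProtocol: http` those credentials and the issued tokens cross the network unencrypted. That consequence deserves a comment next to `externalProtocol` in values.yaml, e.g. `# http sends registry credentials and tokens in clear text; use only on a trusted test network`.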
@ -38,7 +38,7 @@ data:
|
||||
auth:
|
||||
token:
|
||||
issuer: harbor-token-issuer
|
||||
realm: "https://{{ template "harbor.externalURL" . }}/service/token"
|
||||
realm: "{{ template "harbor.externalURL" . }}/service/token"
|
||||
rootcertbundle: /etc/registry/root.crt
|
||||
service: harbor-registry
|
||||
|
||||
|
@ -50,11 +50,15 @@ spec:
|
||||
- name: ui-secrets-private-key
|
||||
mountPath: /etc/ui/private_key.pem
|
||||
subPath: private_key.pem
|
||||
{{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }}
|
||||
{{- if eq .Values.externalProtocol "https" }}
|
||||
{{- if .Values.ingress.enabled }}
|
||||
{{- if eq .Values.ingress.tls.secretName "" }}
|
||||
- name: ca-download
|
||||
mountPath: /etc/ui/ca/ca.crt
|
||||
subPath: ca.crt
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: psc
|
||||
mountPath: /etc/ui/token
|
||||
volumes:
|
||||
@ -73,7 +77,9 @@ spec:
|
||||
items:
|
||||
- key: private_key.pem
|
||||
path: private_key.pem
|
||||
{{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }}
|
||||
{{- if eq .Values.externalProtocol "https" }}
|
||||
{{- if .Values.ingress.enabled }}
|
||||
{{- if eq .Values.ingress.tls.secretName "" }}
|
||||
- name: ca-download
|
||||
secret:
|
||||
secretName: "{{ template "harbor.fullname" . }}-ingress"
|
||||
@ -81,6 +87,8 @@ spec:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: psc
|
||||
emptyDir: {}
|
||||
{{- with .Values.ui.nodeSelector }}
|
||||
|
@ -1,49 +1,33 @@
|
||||
# Configure persisten Volumes per application
|
||||
## Applications that require storage have a `volumes` definition which will be used
|
||||
## when `persistence.enabled` is set to true.
|
||||
## example
|
||||
# mysql:
|
||||
# volumes:
|
||||
# data:
|
||||
## Persistent Volume Storage Class
|
||||
## If defined, storageClassName: <storageClass>
|
||||
## If set to "-", storageClassName: "", which disables dynamic provisioning
|
||||
## If undefined (the default) or set to null, no storageClassName spec is
|
||||
## set, choosing the default provisioner. (gp2 on AWS, standard on
|
||||
## GKE, AWS & OpenStack)
|
||||
##
|
||||
# storageClass: "-"
|
||||
# accessMode: ReadWriteOnce
|
||||
# size: 1Gi
|
||||
|
||||
## Configure resource requests and limits per application
|
||||
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
|
||||
##
|
||||
# mysql:
|
||||
# resources:
|
||||
# requests:
|
||||
# memory: 256Mi
|
||||
# cpu: 100m
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
|
||||
# The tag for Harbor docker images.
|
||||
harborImageTag: &harbor_image_tag v1.5.0-chart-patch
|
||||
|
||||
# The FQDN for Harbor service.
|
||||
externalProtocol: https
|
||||
# The FQDN for Harbor service
|
||||
externalDomain: harbor.my.domain
|
||||
# externalPort is the Port for Harbor service, leave empty if the service is to be bound to
|
||||
# port 80/443
|
||||
# The Port for Harbor service, leave empty if the service
|
||||
# is to be bound to port 80/443
|
||||
externalPort: 32700
|
||||
# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
|
||||
# Harbor FQDN as insecure-registries for your docker client.
|
||||
insecureRegistry: false
|
||||
generateCertificates: true
|
||||
# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
|
||||
tlsCrt:
|
||||
tlsKey:
|
||||
caCrt:
|
||||
harborAdminPassword: Harbor12345
|
||||
authenticationMode: "db_auth"
|
||||
selfRegistration: "on"
|
||||
ldap:
|
||||
url: "ldaps://ldapserver"
|
||||
searchDN: ""
|
||||
searchPassword: ""
|
||||
baseDN: ""
|
||||
filter: "(objectClass=person)"
|
||||
uid: "uid"
|
||||
scope: "2"
|
||||
timeout: "5"
|
||||
verifyCert: "True"
|
||||
email:
|
||||
host: "smtp.mydomain.com"
|
||||
port: "25"
|
||||
username: "sample_admin@mydomain.com"
|
||||
password: "password"
|
||||
ssl: "false"
|
||||
insecure: "false"
|
||||
from: "admin <sample_admin@mydomain.com>"
|
||||
identity: ""
|
||||
|
||||
# The secret key used for encryption. Must be a string of 16 chars.
|
||||
secretKey: not-a-secure-key
|
||||
@ -54,36 +38,23 @@ ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
ingress.kubernetes.io/proxy-body-size: "0"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
tls:
|
||||
# Fill the secretName if you want to use the certificate of
|
||||
# yourself when Harbor serves with HTTPS. A certificate will
|
||||
# be generated automatically by the chart if leave it empty
|
||||
secretName: ""
|
||||
|
||||
# The tag for Harbor docker images.
|
||||
harborImageTag: &harbor_image_tag dev
|
||||
|
||||
adminserver:
|
||||
image:
|
||||
repository: vmware/harbor-adminserver
|
||||
tag: *harbor_image_tag
|
||||
pullPolicy: IfNotPresent
|
||||
emailHost: "smtp.mydomain.com"
|
||||
emailPort: "25"
|
||||
emailUser: "sample_admin@mydomain.com"
|
||||
emailSsl: "false"
|
||||
emailFrom: "admin <sample_admin@mydomain.com>"
|
||||
emailIdentity: ""
|
||||
emailInsecure: "False"
|
||||
emailPwd: not-a-secure-password
|
||||
adminPassword: Harbor12345
|
||||
authenticationMode: "db_auth"
|
||||
selfRegistration: "on"
|
||||
ldap:
|
||||
url: "ldaps://ldapserver"
|
||||
searchDN: ""
|
||||
searchPassword: ""
|
||||
baseDN: ""
|
||||
filter: "(objectClass=person)"
|
||||
uid: "uid"
|
||||
scope: "2"
|
||||
timeout: "5"
|
||||
verifyCert: "True"
|
||||
## Persist data to a persistent volume
|
||||
volumes:
|
||||
config:
|
||||
# storageClass: "-"
|
||||
@ -97,8 +68,6 @@ adminserver:
|
||||
tolerations: []
|
||||
affinity: {}
|
||||
|
||||
## jobservice
|
||||
#
|
||||
jobservice:
|
||||
image:
|
||||
repository: vmware/harbor-jobservice
|
||||
@ -114,8 +83,6 @@ jobservice:
|
||||
tolerations: []
|
||||
affinity: {}
|
||||
|
||||
## UI
|
||||
#
|
||||
ui:
|
||||
image:
|
||||
repository: vmware/harbor-ui
|
||||
@ -215,11 +182,10 @@ database:
|
||||
notaryServerDatabase: "notary_server"
|
||||
notarySignerDatabase: "notary_signer"
|
||||
|
||||
|
||||
registry:
|
||||
image:
|
||||
repository: vmware/registry-photon
|
||||
tag: v2.6.2-v1.5.0-chart-patch
|
||||
tag: dev
|
||||
pullPolicy: IfNotPresent
|
||||
httpSecret: not-a-secure-secret
|
||||
logLevel: info
|
||||
@ -289,17 +255,9 @@ registry:
|
||||
clair:
|
||||
enabled: true
|
||||
image:
|
||||
repository: ywk253100/clair-photon
|
||||
tag: v2.0.1-v1.5.0-chart-patch
|
||||
repository: vmware/clair-photon
|
||||
tag: dev
|
||||
pullPolicy: IfNotPresent
|
||||
# resources:
|
||||
# requests:
|
||||
# memory: 256Mi
|
||||
# cpu: 100m
|
||||
# pgResources:
|
||||
# requests:
|
||||
# memory: 256Mi
|
||||
# cpu: 100m
|
||||
volumes:
|
||||
pgData:
|
||||
# storageClass: "-"
|
||||
@ -332,12 +290,12 @@ notary:
|
||||
server:
|
||||
image:
|
||||
repository: vmware/notary-server-photon
|
||||
tag: v0.5.1-v1.5.0-chart-patch
|
||||
tag: dev
|
||||
pullPolicy: IfNotPresent
|
||||
signer:
|
||||
image:
|
||||
repository: vmware/notary-signer-photon
|
||||
tag: v0.5.1-v1.5.0-chart-patch
|
||||
tag: dev
|
||||
pullPolicy: IfNotPresent
|
||||
env:
|
||||
NOTARY_SIGNER_DEFAULTALIAS: defaultalias
|
||||
|
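Review bot: The tags for the registry, clair and both notary images (and `harborImageTag`) move from fixed `…-v1.5.0-chart-patch` releases to `dev` while `pullPolicy` stays `IfNotPresent`; I am reading the later-printed `tag: dev` lines as the new side, since this rendering does not mark sides. `dev` is a moving tag, so a node that already cached an older `dev` image keeps running it, and two nodes can run different code under the same chart version. If the chart is meant to track the development branch, `pullPolicy: Always` is the minimum; for anything released, pin a release tag or an image digest. The defaults `harborAdminPassword: Harbor12345`, `secretKey: not-a-secure-key` and `email.password: "password"` in the first hunk are also live credentials unless overridden, and would be better marked with a comment such as `# change before exposing this instance`.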