mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-28 21:25:55 +01:00
Merge branch 'main' into reduce-image-size
This commit is contained in:
commit
b99feb0d58
@ -80,6 +80,7 @@ func (artifact *Artifact) SetAdditionLink(addition, version string) {
|
||||
artifact.AdditionLinks[addition] = &AdditionLink{HREF: href, Absolute: false}
|
||||
}
|
||||
|
||||
// SetSBOMAdditionLink set the link of SBOM addition
|
||||
func (artifact *Artifact) SetSBOMAdditionLink(sbomDgst string, version string) {
|
||||
if artifact.AdditionLinks == nil {
|
||||
artifact.AdditionLinks = make(map[string]*AdditionLink)
|
||||
@ -88,7 +89,7 @@ func (artifact *Artifact) SetSBOMAdditionLink(sbomDgst string, version string) {
|
||||
projectName, repo := utils.ParseRepository(artifact.RepositoryName)
|
||||
// encode slash as %252F
|
||||
repo = repository.Encode(repo)
|
||||
href := fmt.Sprintf("/api/%s/projects/%s/repositories/%s/artifacts/%s/additions/%s", version, projectName, repo, sbomDgst, addition)
|
||||
href := fmt.Sprintf("/api/%s/projects/%s/repositories/%s/artifacts/%s/additions/sbom", version, projectName, repo, sbomDgst)
|
||||
|
||||
artifact.AdditionLinks[addition] = &AdditionLink{HREF: href, Absolute: false}
|
||||
}
|
||||
|
62
src/go.mod
62
src/go.mod
@ -8,7 +8,7 @@ require (
|
||||
github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190726115642-cd293c93fd97
|
||||
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
|
||||
github.com/aws/aws-sdk-go v1.53.14
|
||||
github.com/beego/beego/v2 v2.0.6
|
||||
github.com/beego/beego/v2 v2.2.1
|
||||
github.com/beego/i18n v0.0.0-20140604031826-e87155e8f0c0
|
||||
github.com/bmatcuk/doublestar v1.3.4
|
||||
github.com/casbin/casbin v1.9.1
|
||||
@ -16,7 +16,7 @@ require (
|
||||
github.com/cloudevents/sdk-go/v2 v2.15.2
|
||||
github.com/coreos/go-oidc/v3 v3.10.0
|
||||
github.com/dghubble/sling v1.1.0
|
||||
github.com/docker/distribution v2.8.2+incompatible
|
||||
github.com/docker/distribution v2.8.3+incompatible
|
||||
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
|
||||
github.com/go-asn1-ber/asn1-ber v1.5.7
|
||||
github.com/go-ldap/ldap/v3 v3.4.6
|
||||
@ -33,7 +33,7 @@ require (
|
||||
github.com/golang-jwt/jwt/v5 v5.2.1
|
||||
github.com/golang-migrate/migrate/v4 v4.17.1
|
||||
github.com/gomodule/redigo v2.0.0+incompatible
|
||||
github.com/google/go-containerregistry v0.19.0
|
||||
github.com/google/go-containerregistry v0.19.2
|
||||
github.com/google/uuid v1.6.0
|
||||
github.com/gorilla/csrf v1.7.2
|
||||
github.com/gorilla/handlers v1.5.2
|
||||
@ -56,31 +56,30 @@ require (
|
||||
github.com/vmihailenco/msgpack/v5 v5.4.1
|
||||
github.com/volcengine/volcengine-go-sdk v1.0.138
|
||||
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.51.0
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0
|
||||
go.opentelemetry.io/otel v1.27.0
|
||||
go.opentelemetry.io/otel/exporters/jaeger v1.0.0
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0
|
||||
go.opentelemetry.io/otel/sdk v1.26.0
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0
|
||||
go.opentelemetry.io/otel/sdk v1.27.0
|
||||
go.opentelemetry.io/otel/trace v1.27.0
|
||||
go.uber.org/ratelimit v0.3.1
|
||||
golang.org/x/crypto v0.23.0
|
||||
golang.org/x/net v0.25.0
|
||||
golang.org/x/oauth2 v0.19.0
|
||||
golang.org/x/sync v0.6.0
|
||||
golang.org/x/text v0.15.0
|
||||
golang.org/x/crypto v0.24.0
|
||||
golang.org/x/net v0.26.0
|
||||
golang.org/x/oauth2 v0.20.0
|
||||
golang.org/x/sync v0.7.0
|
||||
golang.org/x/text v0.16.0
|
||||
golang.org/x/time v0.5.0
|
||||
gopkg.in/h2non/gock.v1 v1.1.2
|
||||
gopkg.in/yaml.v2 v2.4.0
|
||||
helm.sh/helm/v3 v3.14.4
|
||||
k8s.io/api v0.30.0
|
||||
k8s.io/apimachinery v0.30.0
|
||||
k8s.io/client-go v0.29.0
|
||||
helm.sh/helm/v3 v3.15.2
|
||||
k8s.io/api v0.30.2
|
||||
k8s.io/apimachinery v0.30.2
|
||||
k8s.io/client-go v0.30.0
|
||||
sigs.k8s.io/yaml v1.4.0
|
||||
)
|
||||
|
||||
require (
|
||||
cloud.google.com/go/compute v1.24.0 // indirect
|
||||
cloud.google.com/go/compute/metadata v0.2.3 // indirect
|
||||
cloud.google.com/go/compute/metadata v0.3.0 // indirect
|
||||
github.com/Azure/azure-sdk-for-go v37.2.0+incompatible // indirect
|
||||
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
|
||||
github.com/Azure/go-autorest/autorest v0.11.27 // indirect
|
||||
@ -101,8 +100,8 @@ require (
|
||||
github.com/denverdino/aliyungo v0.0.0-20191227032621-df38c6fa730c // indirect
|
||||
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
|
||||
github.com/dnaeon/go-vcr v1.2.0 // indirect
|
||||
github.com/docker/cli v24.0.6+incompatible // indirect
|
||||
github.com/docker/docker v24.0.9+incompatible // indirect
|
||||
github.com/docker/cli v25.0.1+incompatible // indirect
|
||||
github.com/docker/docker v25.0.5+incompatible // indirect
|
||||
github.com/docker/docker-credential-helpers v0.7.0 // indirect
|
||||
github.com/docker/go-metrics v0.0.1 // indirect
|
||||
github.com/felixge/httpsnoop v1.0.4 // indirect
|
||||
@ -118,7 +117,7 @@ require (
|
||||
github.com/google/go-querystring v1.1.0 // indirect
|
||||
github.com/google/gofuzz v1.2.0 // indirect
|
||||
github.com/gorilla/securecookie v1.1.2 // indirect
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
|
||||
github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
|
||||
github.com/hashicorp/errwrap v1.1.0 // indirect
|
||||
github.com/hashicorp/go-multierror v1.1.1 // indirect
|
||||
@ -160,24 +159,25 @@ require (
|
||||
github.com/spf13/pflag v1.0.5 // indirect
|
||||
github.com/stretchr/objx v0.5.2 // indirect
|
||||
github.com/subosito/gotenv v1.2.0 // indirect
|
||||
github.com/valyala/bytebufferpool v1.0.0 // indirect
|
||||
github.com/vbatts/tar-split v0.11.3 // indirect
|
||||
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
|
||||
github.com/volcengine/volc-sdk-golang v1.0.23 // indirect
|
||||
go.mongodb.org/mongo-driver v1.14.0 // indirect
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 // indirect
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
|
||||
go.opentelemetry.io/otel/metric v1.27.0 // indirect
|
||||
go.opentelemetry.io/proto/otlp v1.2.0 // indirect
|
||||
go.uber.org/atomic v1.7.0 // indirect
|
||||
go.uber.org/multierr v1.6.0 // indirect
|
||||
go.uber.org/zap v1.19.0 // indirect
|
||||
golang.org/x/sys v0.20.0 // indirect
|
||||
golang.org/x/term v0.20.0 // indirect
|
||||
google.golang.org/api v0.162.0 // indirect
|
||||
go.uber.org/atomic v1.9.0 // indirect
|
||||
go.uber.org/multierr v1.7.0 // indirect
|
||||
go.uber.org/zap v1.19.1 // indirect
|
||||
golang.org/x/sys v0.21.0 // indirect
|
||||
golang.org/x/term v0.21.0 // indirect
|
||||
google.golang.org/api v0.169.0 // indirect
|
||||
google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8 // indirect
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
|
||||
google.golang.org/grpc v1.63.2 // indirect
|
||||
google.golang.org/protobuf v1.33.0 // indirect
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
|
||||
google.golang.org/grpc v1.64.0 // indirect
|
||||
google.golang.org/protobuf v1.34.1 // indirect
|
||||
gopkg.in/inf.v0 v0.9.1 // indirect
|
||||
gopkg.in/ini.v1 v1.62.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
|
149
src/go.sum
149
src/go.sum
@ -5,15 +5,15 @@ cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxK
|
||||
cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
|
||||
cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
|
||||
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
|
||||
cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg=
|
||||
cloud.google.com/go/compute v1.24.0/go.mod h1:kw1/T+h/+tK2LJK0wiPPx1intgdAM3j/g3hFDlscY40=
|
||||
cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
|
||||
cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
|
||||
cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
|
||||
cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
|
||||
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
|
||||
cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
|
||||
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
|
||||
cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
|
||||
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
|
||||
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
|
||||
github.com/Azure/azure-sdk-for-go v37.2.0+incompatible h1:LTdcd2GK+cv+e7yhWCN8S7yf3eblBypKFZsPfKjCQ7E=
|
||||
github.com/Azure/azure-sdk-for-go v37.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
|
||||
@ -79,8 +79,8 @@ github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevB
|
||||
github.com/aws/aws-sdk-go v1.53.14 h1:SzhkC2Pzag0iRW8WBb80RzKdGXDydJR9LAMs2GyKJ2M=
|
||||
github.com/aws/aws-sdk-go v1.53.14/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
|
||||
github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
|
||||
github.com/beego/beego/v2 v2.0.6 h1:21Aqz3+RzUE1yP9a5xdU6LK54n9Z7NLEJtR4PE7NrPQ=
|
||||
github.com/beego/beego/v2 v2.0.6/go.mod h1:CH2/JIaB4ceGYVQlYqTAFft4pVk/ol1ZkakUrUvAyns=
|
||||
github.com/beego/beego/v2 v2.2.1 h1:5RatpEOKnw6sm76hj6lQvEFi4Tco+E21VQomnVB7NsA=
|
||||
github.com/beego/beego/v2 v2.2.1/go.mod h1:X4hHhM2AXn0hN2tbyz5X/PD7v5JUdE4IihZApiljpNA=
|
||||
github.com/beego/i18n v0.0.0-20140604031826-e87155e8f0c0 h1:fQaDnUQvBXHHQdGBu9hz8nPznB4BeiPQokvmQVjmNEw=
|
||||
github.com/beego/i18n v0.0.0-20140604031826-e87155e8f0c0/go.mod h1:KLeFCpAMq2+50NkXC8iiJxLLiiTfTqrGtKEVm+2fk7s=
|
||||
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
|
||||
@ -134,16 +134,18 @@ github.com/dhui/dktest v0.4.1 h1:/w+IWuDXVymg3IrRJCHHOkMK10m9aNVMOyD0X12YVTg=
|
||||
github.com/dhui/dktest v0.4.1/go.mod h1:DdOqcUpL7vgyP4GlF3X3w7HbSlz8cEQzwewPveYEQbA=
|
||||
github.com/distribution/distribution v2.8.2+incompatible h1:k9+4DKdOG+quPFZXT/mUsiQrGu9vYCp+dXpuPkuqhk8=
|
||||
github.com/distribution/distribution v2.8.2+incompatible/go.mod h1:EgLm2NgWtdKgzF9NpMzUKgzmR7AMmb0VQi2B+ZzDRjc=
|
||||
github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
|
||||
github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
|
||||
github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
|
||||
github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
|
||||
github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY=
|
||||
github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
|
||||
github.com/docker/docker v24.0.9+incompatible h1:HPGzNmwfLZWdxHqK9/II92pyi1EpYKsAqcl4G0Of9v0=
|
||||
github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbTO1lpcGSkU=
|
||||
github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
|
||||
github.com/docker/docker v25.0.5+incompatible h1:UmQydMduGkrD5nQde1mecF/YnSbTOaPeFIeP5C4W+DE=
|
||||
github.com/docker/docker v25.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
|
||||
github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
|
||||
github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
|
||||
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
|
||||
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
|
||||
github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
|
||||
github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
|
||||
github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
|
||||
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
|
||||
@ -219,8 +221,8 @@ github.com/go-openapi/validate v0.22.3 h1:KxG9mu5HBRYbecRb37KRCihvGGtND2aXziBAv0
|
||||
github.com/go-openapi/validate v0.22.3/go.mod h1:kVxh31KbfsxU8ZyoHaDbLBWU5CnMdqBUEtadQ2G4d5M=
|
||||
github.com/go-redis/redis/v8 v8.11.4 h1:kHoYkfZP6+pe04aFTnhDH6GDROa5yJdHJVNxV3F46Tg=
|
||||
github.com/go-redis/redis/v8 v8.11.4/go.mod h1:2Z2wHZXdQpCDXEGzqMockDpNyYvi2l4Pxt6RJr792+w=
|
||||
github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
|
||||
github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
|
||||
github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
|
||||
github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
|
||||
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
|
||||
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
|
||||
github.com/gocarina/gocsv v0.0.0-20210516172204-ca9e8a8ddea8 h1:hp1oqdzmv37vPLYFGjuM/RmUgUMfD9vQfMszc54l55Y=
|
||||
@ -279,8 +281,8 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
|
||||
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
||||
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-containerregistry v0.19.0 h1:uIsMRBV7m/HDkDxE/nXMnv1q+lOOSPlQ/ywc5JbB8Ic=
|
||||
github.com/google/go-containerregistry v0.19.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
|
||||
github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w=
|
||||
github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
|
||||
github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
|
||||
github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
|
||||
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||
@ -309,8 +311,8 @@ github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pw
|
||||
github.com/graph-gophers/dataloader v5.0.0+incompatible h1:R+yjsbrNq1Mo3aPG+Z/EKYrXrXXUNJHOgbRt+U6jOug=
|
||||
github.com/graph-gophers/dataloader v5.0.0+incompatible/go.mod h1:jk4jk0c5ZISbKaMe8WsVopGB5/15GvGHMdMdPtwlRp4=
|
||||
github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
|
||||
github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
|
||||
github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
|
||||
github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
|
||||
@ -450,8 +452,8 @@ github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
|
||||
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
|
||||
github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
|
||||
github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
|
||||
github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
|
||||
github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
|
||||
github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
|
||||
github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
||||
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
||||
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
|
||||
@ -548,8 +550,8 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
|
||||
github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
|
||||
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
|
||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
|
||||
github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
|
||||
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
|
||||
github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
|
||||
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
|
||||
github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
|
||||
github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
|
||||
@ -640,22 +642,22 @@ go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGc
|
||||
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
|
||||
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.51.0 h1:rXpHmgy1pMXlfv3W1T5ctoDA3QeTFjNq/YwCmwrfr8Q=
|
||||
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.51.0/go.mod h1:9uIRD3NZrM7QMQEGeKhr7V4xSDTMku3MPOVs8iZ3VVk=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
|
||||
go.opentelemetry.io/otel v1.0.0/go.mod h1:AjRVh9A5/5DE7S+mZtTR6t8vpKKryam+0lREnfmS4cg=
|
||||
go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg=
|
||||
go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ=
|
||||
go.opentelemetry.io/otel/exporters/jaeger v1.0.0 h1:cLhx8llHw02h5JTqGqaRbYn+QVKHmrzD9vEbKnSPk5U=
|
||||
go.opentelemetry.io/otel/exporters/jaeger v1.0.0/go.mod h1:q10N1AolE1JjqKrFJK2tYw0iZpmX+HBaXBtuCzRnBGQ=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 h1:1wp/gyxsuYtuE/JFxsQRtcCDtMrO2qMvlfXALU5wkzI=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0/go.mod h1:gbTHmghkGgqxMomVQQMur1Nba4M0MQ8AYThXDUjsJ38=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0/go.mod h1:OQFyQVrDlbe+R7xrEyDr/2Wr67Ol0hRUgsfA+V5A95s=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0 h1:QY7/0NeRPKlzusf40ZE4t1VlMKbqSNT7cJRYzWuja0s=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0/go.mod h1:HVkSiDhTM9BoUJU8qE6j2eSWLLXvi1USXjyd2BXT8PY=
|
||||
go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik=
|
||||
go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak=
|
||||
go.opentelemetry.io/otel/sdk v1.0.0/go.mod h1:PCrDHlSy5x1kjezSdL37PhbFUMjrsLRshJ2zCzeXwbM=
|
||||
go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
|
||||
go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
|
||||
go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI=
|
||||
go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A=
|
||||
go.opentelemetry.io/otel/trace v1.0.0/go.mod h1:PXTWqayeFUlJV1YDNhsJYB184+IvAH814St6o6ajzIs=
|
||||
go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw=
|
||||
go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4=
|
||||
@ -665,15 +667,17 @@ go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
|
||||
go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
|
||||
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
|
||||
go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
|
||||
go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
|
||||
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
|
||||
go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
|
||||
go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
|
||||
go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
|
||||
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
|
||||
go.uber.org/goleak v1.1.11-0.20210813005559-691160354723 h1:sHOAIxRGBp443oHZIPB+HsUGaksVCXVQENPxwTfQdH4=
|
||||
go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
|
||||
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
|
||||
go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
|
||||
go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
|
||||
go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
|
||||
go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
|
||||
go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
|
||||
go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
|
||||
go.uber.org/ratelimit v0.3.1 h1:K4qVE+byfv/B3tC+4nYWP7v/6SimcO7HzHekoMNBma0=
|
||||
go.uber.org/ratelimit v0.3.1/go.mod h1:6euWsTB6U/Nb3X++xEUXA8ciPJvr19Q/0h1+oDcJhRk=
|
||||
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
|
||||
@ -681,8 +685,8 @@ go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
|
||||
go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
|
||||
go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
|
||||
go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
|
||||
go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE=
|
||||
go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
|
||||
go.uber.org/zap v1.19.1 h1:ue41HOKd1vGURxrmeKIgELGb3jPW9DMUDGtsinblHwI=
|
||||
go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI=
|
||||
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
@ -699,8 +703,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
|
||||
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||
golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
|
||||
golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
|
||||
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
|
||||
golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
|
||||
golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
|
||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
|
||||
@ -714,7 +718,6 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl
|
||||
golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug=
|
||||
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
|
||||
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
|
||||
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
|
||||
@ -726,8 +729,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
|
||||
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
|
||||
golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
|
||||
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
@ -754,13 +757,13 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
||||
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
|
||||
golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
|
||||
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
|
||||
golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
|
||||
golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
|
||||
golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
|
||||
golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
|
||||
golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
@ -771,8 +774,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
|
||||
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
|
||||
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
|
||||
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
@ -813,16 +816,16 @@ golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
|
||||
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
|
||||
golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
|
||||
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
|
||||
golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
|
||||
golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
|
||||
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
|
||||
golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
|
||||
golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
@ -833,8 +836,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
||||
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
|
||||
golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
|
||||
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
|
||||
golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
|
||||
golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
|
||||
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
|
||||
@ -856,7 +859,6 @@ golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtn
|
||||
golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
|
||||
@ -865,10 +867,11 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
|
||||
golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
|
||||
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
|
||||
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
|
||||
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
|
||||
golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
|
||||
golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
|
||||
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
|
||||
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
|
||||
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
@ -891,12 +894,10 @@ google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvx
|
||||
google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
|
||||
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
|
||||
google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
|
||||
google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY=
|
||||
google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de h1:jFNzHPIeuzhdRwVhbZdiym9q0ory/xY3sA+v2wPg8I0=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda h1:LI5DOvAxUPMv/50agcLLoo+AdWc1irS9Rzz4vPuD1V4=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 h1:P8OJ/WCl/Xo4E4zoe4/bifHpSmmKwARqyqE4nW6J2GQ=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:RGnPtTG7r4i8sPlNyDeikXF99hMM+hN6QMm4ooG9g2g=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 h1:AgADTJarZTBqgjiUzRgfaBchgYB3/WFTC80GPwsMcRI=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
|
||||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
|
||||
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
||||
@ -905,8 +906,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ
|
||||
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||
google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
|
||||
google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
|
||||
google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
|
||||
google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
|
||||
google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
|
||||
google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
|
||||
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
|
||||
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
|
||||
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
|
||||
@ -918,8 +919,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
|
||||
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
|
||||
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
|
||||
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
|
||||
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
|
||||
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
|
||||
google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
|
||||
google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
@ -955,18 +956,18 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
|
||||
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
|
||||
helm.sh/helm/v3 v3.14.4 h1:6FSpEfqyDalHq3kUr4gOMThhgY55kXUEjdQoyODYnrM=
|
||||
helm.sh/helm/v3 v3.14.4/go.mod h1:Tje7LL4gprZpuBNTbG34d1Xn5NmRT3OWfBRwpOSer9I=
|
||||
helm.sh/helm/v3 v3.15.2 h1:/3XINUFinJOBjQplGnjw92eLGpgXXp1L8chWPkCkDuw=
|
||||
helm.sh/helm/v3 v3.15.2/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ=
|
||||
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
|
||||
k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
|
||||
k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
|
||||
k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
|
||||
k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
|
||||
k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
|
||||
k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
|
||||
k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI=
|
||||
k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI=
|
||||
k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg=
|
||||
k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
|
||||
k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ=
|
||||
k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY=
|
||||
k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
|
||||
k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
|
||||
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
|
||||
|
@ -47,7 +47,7 @@ func (dbg *DBGetter) Retrieve(logID string) ([]byte, error) {
|
||||
sz := int64(len(jobLog.Content))
|
||||
var buf []byte
|
||||
sizeLimit := logSizeLimit()
|
||||
if sizeLimit <= 0 {
|
||||
if sizeLimit <= 0 || sz <= sizeLimit {
|
||||
buf = []byte(jobLog.Content)
|
||||
return buf, nil
|
||||
}
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/goharbor/harbor/src/common/dao"
|
||||
"github.com/goharbor/harbor/src/jobservice/config"
|
||||
"github.com/goharbor/harbor/src/jobservice/logger/backend"
|
||||
"github.com/goharbor/harbor/src/jobservice/logger/sweeper"
|
||||
"github.com/goharbor/harbor/src/lib/log"
|
||||
@ -44,9 +45,11 @@ func TestDBGetter(t *testing.T) {
|
||||
err = l.Close()
|
||||
require.NoError(t, err)
|
||||
|
||||
_ = config.DefaultConfig.Load("../../config_test.yml", true)
|
||||
dbGetter := NewDBGetter()
|
||||
ll, err := dbGetter.Retrieve(uuid)
|
||||
require.Nil(t, err)
|
||||
require.NotEqual(t, 0, len(ll))
|
||||
log.Infof("get logger %s", ll)
|
||||
|
||||
err = sweeper.PrepareDBSweep()
|
||||
|
@ -64,7 +64,14 @@ import (
|
||||
// },
|
||||
// }
|
||||
// }
|
||||
func QuerySetter(ctx context.Context, model interface{}, query *q.Query) (orm.QuerySeter, error) {
|
||||
|
||||
type Config struct {
|
||||
DisableSort bool
|
||||
}
|
||||
|
||||
type Option func(*Config)
|
||||
|
||||
func QuerySetter(ctx context.Context, model interface{}, query *q.Query, options ...Option) (orm.QuerySeter, error) {
|
||||
t := reflect.TypeOf(model)
|
||||
if t.Kind() != reflect.Ptr {
|
||||
return nil, fmt.Errorf("<orm.QuerySetter> cannot use non-ptr model struct `%s`", getFullName(t.Elem()))
|
||||
@ -82,8 +89,12 @@ func QuerySetter(ctx context.Context, model interface{}, query *q.Query) (orm.Qu
|
||||
// set filters
|
||||
qs = setFilters(ctx, qs, query, metadata)
|
||||
|
||||
opts := newConfig(options...)
|
||||
// sorting
|
||||
qs = setSorts(qs, query, metadata)
|
||||
// Do not set sort when sort disabled. e.g. for Count()
|
||||
if !opts.DisableSort {
|
||||
qs = setSorts(qs, query, metadata)
|
||||
}
|
||||
|
||||
// pagination
|
||||
if query.PageSize > 0 {
|
||||
@ -96,6 +107,20 @@ func QuerySetter(ctx context.Context, model interface{}, query *q.Query) (orm.Qu
|
||||
return qs, nil
|
||||
}
|
||||
|
||||
func WithSortDisabled(disableSort bool) Option {
|
||||
return func(cfg *Config) {
|
||||
cfg.DisableSort = disableSort
|
||||
}
|
||||
}
|
||||
|
||||
func newConfig(opts ...Option) *Config {
|
||||
config := &Config{}
|
||||
for _, opt := range opts {
|
||||
opt(config)
|
||||
}
|
||||
return config
|
||||
}
|
||||
|
||||
// PaginationOnRawSQL append page information to the raw sql
|
||||
// It should be called after the order by
|
||||
// e.g.
|
||||
@ -121,7 +146,7 @@ func QuerySetterForCount(ctx context.Context, model interface{}, query *q.Query,
|
||||
query.Sorts = nil
|
||||
query.PageSize = 0
|
||||
query.PageNumber = 0
|
||||
return QuerySetter(ctx, model, query)
|
||||
return QuerySetter(ctx, model, query, WithSortDisabled(true))
|
||||
}
|
||||
|
||||
// set filters according to the query
|
||||
|
@ -93,7 +93,7 @@ func (d *dao) Count(ctx context.Context, query *q.Query) (int64, error) {
|
||||
Keywords: query.Keywords,
|
||||
}
|
||||
}
|
||||
qs, err := querySetter(ctx, query)
|
||||
qs, err := querySetter(ctx, query, orm.WithSortDisabled(true))
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
@ -282,8 +282,8 @@ func (d *dao) DeleteReferences(ctx context.Context, parentID int64) error {
|
||||
return err
|
||||
}
|
||||
|
||||
func querySetter(ctx context.Context, query *q.Query) (beegoorm.QuerySeter, error) {
|
||||
qs, err := orm.QuerySetter(ctx, &Artifact{}, query)
|
||||
func querySetter(ctx context.Context, query *q.Query, options ...orm.Option) (beegoorm.QuerySeter, error) {
|
||||
qs, err := orm.QuerySetter(ctx, &Artifact{}, query, options...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"gopkg.in/yaml.v2"
|
||||
helm_chart "helm.sh/helm/v3/pkg/chart"
|
||||
"helm.sh/helm/v3/pkg/chart/loader"
|
||||
)
|
||||
@ -30,8 +31,9 @@ var (
|
||||
)
|
||||
|
||||
const (
|
||||
readmeFileName = "README.MD"
|
||||
valuesFileName = "VALUES.YAML"
|
||||
readmeFileName = "README.MD"
|
||||
valuesFileName = "VALUES.YAML"
|
||||
dependenciesFileName = "REQUIREMENTS.YAML"
|
||||
)
|
||||
|
||||
// Operator ...
|
||||
@ -64,7 +66,7 @@ func (cho *operator) GetDetails(content []byte) (*VersionDetails, error) {
|
||||
depts := make([]*helm_chart.Dependency, 0)
|
||||
|
||||
// for APIVersionV2, the dependency is in the Chart.yaml
|
||||
if chartData.Metadata.APIVersion == helm_chart.APIVersionV1 {
|
||||
if chartData.Metadata.APIVersion == helm_chart.APIVersionV2 {
|
||||
depts = chartData.Metadata.Dependencies
|
||||
}
|
||||
|
||||
@ -77,10 +79,26 @@ func (cho *operator) GetDetails(content []byte) (*VersionDetails, error) {
|
||||
|
||||
// Append other files like 'README.md' 'values.yaml'
|
||||
for _, v := range chartData.Raw {
|
||||
// for APIVersionV1, the dependency is in the requirements.yaml
|
||||
if strings.ToUpper(v.Name) == dependenciesFileName && chartData.Metadata.APIVersion == helm_chart.APIVersionV1 {
|
||||
depMap := make(map[string][]*helm_chart.Dependency)
|
||||
if err := yaml.Unmarshal(v.Data, &depMap); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
deps, ok := depMap["dependencies"]
|
||||
if !ok {
|
||||
return nil, errors.New("invalid requirements.yaml, no dependencies found")
|
||||
}
|
||||
depts = deps
|
||||
continue
|
||||
}
|
||||
|
||||
if strings.ToUpper(v.Name) == readmeFileName {
|
||||
files[readmeFileName] = string(v.Data)
|
||||
continue
|
||||
}
|
||||
|
||||
if strings.ToUpper(v.Name) == valuesFileName {
|
||||
files[valuesFileName] = string(v.Data)
|
||||
continue
|
||||
|
File diff suppressed because one or more lines are too long
6
src/pkg/chart/testdata/harbor-schema1/.helmignore
vendored
Normal file
6
src/pkg/chart/testdata/harbor-schema1/.helmignore
vendored
Normal file
@ -0,0 +1,6 @@
|
||||
.github/*
|
||||
docs/*
|
||||
.git/*
|
||||
.gitignore
|
||||
CONTRIBUTING.md
|
||||
test/*
|
24
src/pkg/chart/testdata/harbor-schema1/Chart.yaml
vendored
Normal file
24
src/pkg/chart/testdata/harbor-schema1/Chart.yaml
vendored
Normal file
@ -0,0 +1,24 @@
|
||||
apiVersion: v1
|
||||
appVersion: 2.11.0
|
||||
description: An open source trusted cloud native registry that stores, signs, and
|
||||
scans content
|
||||
home: https://goharbor.io
|
||||
icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png
|
||||
keywords:
|
||||
- docker
|
||||
- registry
|
||||
- harbor
|
||||
maintainers:
|
||||
- email: yan-yw.wang@broadcom.com
|
||||
name: Yan Wang
|
||||
- email: wenkai.yin@broadcom.com
|
||||
name: Wenkai Yin
|
||||
- email: miner.yang@broadcom.com
|
||||
name: Miner Yang
|
||||
- email: shengwen.yu@broadcom.com
|
||||
name: Shengwen Yu
|
||||
name: harbor
|
||||
sources:
|
||||
- https://github.com/goharbor/harbor
|
||||
- https://github.com/goharbor/harbor-helm
|
||||
version: 1.15.0
|
201
src/pkg/chart/testdata/harbor-schema1/LICENSE
vendored
Normal file
201
src/pkg/chart/testdata/harbor-schema1/LICENSE
vendored
Normal file
@ -0,0 +1,201 @@
|
||||
Apache License
|
||||
Version 2.0, January 2004
|
||||
http://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
APPENDIX: How to apply the Apache License to your work.
|
||||
|
||||
To apply the Apache License to your work, attach the following
|
||||
boilerplate notice, with the fields enclosed by brackets "[]"
|
||||
replaced with your own identifying information. (Don't include
|
||||
the brackets!) The text should be enclosed in the appropriate
|
||||
comment syntax for the file format. We also recommend that a
|
||||
file or class name and description of purpose be included on the
|
||||
same "printed page" as the copyright notice for easier
|
||||
identification within third-party archives.
|
||||
|
||||
Copyright [yyyy] [name of copyright owner]
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
422
src/pkg/chart/testdata/harbor-schema1/README.md
vendored
Normal file
422
src/pkg/chart/testdata/harbor-schema1/README.md
vendored
Normal file
@ -0,0 +1,422 @@
|
||||
# Helm Chart for Harbor
|
||||
|
||||
**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment.
|
||||
|
||||
This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor)
|
||||
|
||||
## Introduction
|
||||
|
||||
This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Kubernetes cluster 1.20+
|
||||
- Helm v3.2.0+
|
||||
|
||||
## Installation
|
||||
|
||||
### Add Helm repository
|
||||
|
||||
```bash
|
||||
helm repo add harbor https://helm.goharbor.io
|
||||
```
|
||||
|
||||
### Configure the chart
|
||||
|
||||
The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first).
|
||||
|
||||
#### Configure how to expose Harbor service
|
||||
|
||||
- **Ingress**: The ingress controller must be installed in the Kubernetes cluster.
|
||||
**Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details.
|
||||
- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
|
||||
- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
|
||||
- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer.
|
||||
|
||||
#### Configure the external URL
|
||||
|
||||
The external URL for Harbor core service is used to:
|
||||
|
||||
1. populate the docker/helm commands showed on portal
|
||||
2. populate the token service URL returned to docker client
|
||||
|
||||
Format: `protocol://domain[:port]`. Usually:
|
||||
|
||||
- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core`
|
||||
- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name`
|
||||
- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node
|
||||
- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider
|
||||
|
||||
If Harbor is deployed behind the proxy, set it as the URL of proxy.
|
||||
|
||||
#### Configure how to persist data
|
||||
|
||||
- **Disable**: The data does not survive the termination of a pod.
|
||||
- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use.
|
||||
- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`.
|
||||
|
||||
#### Configure the other items listed in [configuration](#configuration) section
|
||||
|
||||
### Install the chart
|
||||
|
||||
Install the Harbor helm chart with a release name `my-release`:
|
||||
```bash
|
||||
helm install my-release harbor/harbor
|
||||
```
|
||||
|
||||
## Uninstallation
|
||||
|
||||
To uninstall/delete the `my-release` deployment:
|
||||
```bash
|
||||
helm uninstall my-release
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
The following table lists the configurable parameters of the Harbor chart and the default values.
|
||||
|
||||
| Parameter | Description | Default |
|
||||
|-----------------------------------------------------------------------| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
|
||||
| **Expose** | | |
|
||||
| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` |
|
||||
| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` |
|
||||
| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` |
|
||||
| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | |
|
||||
| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | |
|
||||
| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
|
||||
| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` |
|
||||
| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | |
|
||||
| `expose.ingress.annotations` | The annotations used commonly for ingresses | |
|
||||
| `expose.ingress.labels` | The labels specific to ingress | {} |
|
||||
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
|
||||
| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} |
|
||||
| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
|
||||
| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` |
|
||||
| `expose.clusterIP.annotations` | The annotations used commonly for clusterIP | |
|
||||
| `expose.clusterIP.labels` | The labels specific to clusterIP | {} |
|
||||
| `expose.nodePort.name` | The name of NodePort service | `harbor` |
|
||||
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` |
|
||||
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` |
|
||||
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` |
|
||||
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` |
|
||||
| `expose.nodePort.annotations` | The annotations used commonly for nodePort | |
|
||||
| `expose.nodePort.labels` | The labels specific to nodePort | {} |
|
||||
| `expose.loadBalancer.name` | The name of service | `harbor` |
|
||||
| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` |
|
||||
| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
|
||||
| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` |
|
||||
| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} |
|
||||
| `expose.loadBalancer.labels` | The labels specific to loadBalancer | {} |
|
||||
| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] |
|
||||
| **Internal TLS** | | |
|
||||
| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` |
|
||||
| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false`
|
||||
| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` |
|
||||
| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | |
|
||||
| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | |
|
||||
| **IPFamily** | | |
|
||||
| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` |
|
||||
| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` |
|
||||
| **Persistence** | | |
|
||||
| `persistence.enabled` | Enable the data persistence or not | `true` |
|
||||
| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` |
|
||||
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
|
||||
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
|
||||
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | |
|
||||
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
|
||||
| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
|
||||
| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
|
||||
| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | |
|
||||
| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | |
|
||||
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` |
|
||||
| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | |
|
||||
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` |
|
||||
| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` |
|
||||
| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` |
|
||||
| **General** | | |
|
||||
| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
|
||||
| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | |
|
||||
| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | |
|
||||
| `imagePullPolicy` | The image pull policy | |
|
||||
| `imagePullSecrets` | The imagePullSecrets names for all deployments | |
|
||||
| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` |
|
||||
| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` |
|
||||
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
|
||||
| `existingSecretAdminPassword` | The name of secret where admin password can be found. | |
|
||||
| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` |
|
||||
| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | |
|
||||
| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
|
||||
| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` |
|
||||
| `proxy.httpProxy` | The URL of the HTTP proxy server | |
|
||||
| `proxy.httpsProxy` | The URL of the HTTPS proxy server | |
|
||||
| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal |
|
||||
| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy |
|
||||
| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` |
|
||||
| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | |
|
||||
| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` |
|
||||
| `nginx.image.tag` | Image tag | `dev` |
|
||||
| `nginx.replicas` | The replica count | `1` |
|
||||
| `nginx.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `nginx.resources` | The [resources] to allocate for container | undefined |
|
||||
| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `nginx.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `nginx.affinity` | Node/Pod affinities | `{}` |
|
||||
| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
|
||||
| `nginx.priorityClassName` | The priority class to run the pod as | |
|
||||
| **Portal** | | |
|
||||
| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` |
|
||||
| `portal.image.tag` | Tag for portal image | `dev` |
|
||||
| `portal.replicas` | The replica count | `1` |
|
||||
| `portal.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `portal.resources` | The [resources] to allocate for container | undefined |
|
||||
| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `portal.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `portal.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `portal.affinity` | Node/Pod affinities | `{}` |
|
||||
| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
|
||||
| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` |
|
||||
| `portal.priorityClassName` | The priority class to run the pod as | |
|
||||
| `portal.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Core** | | |
|
||||
| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` |
|
||||
| `core.image.tag` | Tag for Harbor core image | `dev` |
|
||||
| `core.replicas` | The replica count | `1` |
|
||||
| `core.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` |
|
||||
| `core.resources` | The [resources] to allocate for container | undefined |
|
||||
| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `core.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `core.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `core.affinity` | Node/Pod affinities | `{}` |
|
||||
| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
|
||||
| `core.serviceAnnotations` | Annotations to add to the core service | `{}` |
|
||||
| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | |
|
||||
| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` |
|
||||
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
|
||||
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | |
|
||||
| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | |
|
||||
| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | |
|
||||
| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
|
||||
| `core.priorityClassName` | The priority class to run the pod as | |
|
||||
| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | |
|
||||
| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` |
|
||||
| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` |
|
||||
| `core.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Jobservice** | | |
|
||||
| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` |
|
||||
| `jobservice.image.tag` | Tag for jobservice image | `dev` |
|
||||
| `jobservice.replicas` | The replica count | `1` |
|
||||
| `jobservice.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `jobservice.maxJobWorkers` | The max job workers | `10` |
|
||||
| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` |
|
||||
| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` |
|
||||
| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` |
|
||||
| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` |
|
||||
| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` |
|
||||
| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` |
|
||||
| `jobservice.resources` | The [resources] to allocate for container | undefined |
|
||||
| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `jobservice.affinity` | Node/Pod affinities | `{}` |
|
||||
| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
|
||||
| `jobservice.priorityClassName` | The priority class to run the pod as | |
|
||||
| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
|
||||
| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Registry** | | |
|
||||
| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
|
||||
| `registry.registry.image.tag` | Tag for registry image | `dev` |
|
||||
| `registry.registry.resources` | The [resources] to allocate for container | undefined |
|
||||
| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` |
|
||||
| `registry.controller.image.tag` | Tag for registry controller image | `dev` |
|
||||
| `registry.controller.resources` | The [resources] to allocate for container | undefined |
|
||||
| `registry.replicas` | The replica count | `1` |
|
||||
| `registry.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `registry.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `registry.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `registry.affinity` | Node/Pod affinities | `{}` |
|
||||
| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | |
|
||||
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
|
||||
| `registry.priorityClassName` | The priority class to run the pod as | |
|
||||
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
|
||||
| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` |
|
||||
| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` |
|
||||
| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` |
|
||||
| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined |
|
||||
| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` |
|
||||
| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` |
|
||||
| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` |
|
||||
| `registry.upload_purging.interval` | The interval of the purge operations | `24h` |
|
||||
| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` |
|
||||
| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **[Trivy][trivy]** | | |
|
||||
| `trivy.enabled` | The flag to enable Trivy scanner | `true` |
|
||||
| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` |
|
||||
| `trivy.image.tag` | Tag for Trivy adapter image | `dev` |
|
||||
| `trivy.resources` | The [resources] to allocate for Trivy adapter container | |
|
||||
| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `trivy.replicas` | The number of Pod replicas | `1` |
|
||||
| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` |
|
||||
| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` |
|
||||
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
|
||||
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
|
||||
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
|
||||
| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` |
|
||||
| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` |
|
||||
| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` |
|
||||
| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` |
|
||||
| `trivy.timeout` | The duration to wait for scan completion | `5m0s` |
|
||||
| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | |
|
||||
| `trivy.priorityClassName` | The priority class to run the pod as | |
|
||||
| `trivy.topologySpreadConstraints` | The priority class to run the pod as | |
|
||||
| `trivy.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Database** | | |
|
||||
| `database.type` | If external database is used, set it to `external` | `internal` |
|
||||
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
|
||||
| `database.internal.image.tag` | Tag for database image | `dev` |
|
||||
| `database.internal.password` | The password for database | `changeit` |
|
||||
| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
|
||||
| `database.internal.resources` | The [resources] to allocate for container | undefined |
|
||||
| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined |
|
||||
| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined |
|
||||
| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `database.internal.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `database.internal.affinity` | Node/Pod affinities | `{}` |
|
||||
| `database.internal.priorityClassName` | The priority class to run the pod as | |
|
||||
| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 |
|
||||
| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 |
|
||||
| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` |
|
||||
| `database.external.host` | The hostname of external database | `192.168.0.1` |
|
||||
| `database.external.port` | The port of external database | `5432` |
|
||||
| `database.external.username` | The username of external database | `user` |
|
||||
| `database.external.password` | The password of external database | `password` |
|
||||
| `database.external.coreDatabase` | The database used by core service | `registry` |
|
||||
| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` |
|
||||
| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
|
||||
| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` |
|
||||
| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` |
|
||||
| `database.podAnnotations` | Annotations to add to the database pod | `{}` |
|
||||
| **Redis** | | |
|
||||
| `redis.type` | If external redis is used, set it to `external` | `internal` |
|
||||
| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` |
|
||||
| `redis.internal.image.tag` | Tag for redis image | `dev` |
|
||||
| `redis.internal.resources` | The [resources] to allocate for container | undefined |
|
||||
| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `redis.internal.affinity` | Node/Pod affinities | `{}` |
|
||||
| `redis.internal.priorityClassName` | The priority class to run the pod as | |
|
||||
| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
|
||||
| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` |
|
||||
| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` |
|
||||
| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
|
||||
| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
|
||||
| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` |
|
||||
| `redis.external.addr` | The addr of external Redis: <host_redis>:<port_redis>. When using sentinel, it should be <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3> | `192.168.0.2:6379` |
|
||||
| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | |
|
||||
| `redis.external.coreDatabaseIndex` | The database index for core | `0` |
|
||||
| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
|
||||
| `redis.external.registryDatabaseIndex` | The database index for registry | `2` |
|
||||
| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` |
|
||||
| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
|
||||
| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
|
||||
| `redis.external.username` | The username of external Redis | |
|
||||
| `redis.external.password` | The password of external Redis | |
|
||||
| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` |
|
||||
| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
|
||||
| **Exporter** | | |
|
||||
| `exporter.replicas` | The replica count | `1` |
|
||||
| `exporter.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` |
|
||||
| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` |
|
||||
| `exporter.image.tag` | Tag for exporter image | `dev` |
|
||||
| `exporter.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `exporter.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `exporter.affinity` | Node/Pod affinities | `{}` |
|
||||
| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` |
|
||||
| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` |
|
||||
| `exporter.priorityClassName` | The priority class to run the pod as | |
|
||||
| **Metrics** | | |
|
||||
| `metrics.enabled` | if enable harbor metrics | `false` |
|
||||
| `metrics.core.path` | the url path for core metrics | `/metrics` |
|
||||
| `metrics.core.port` | the port for core metrics | `8001` |
|
||||
| `metrics.registry.path` | the url path for registry metrics | `/metrics` |
|
||||
| `metrics.registry.port` | the port for registry metrics | `8001` |
|
||||
| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` |
|
||||
| `metrics.exporter.port` | the port for exporter metrics | `8001` |
|
||||
| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` |
|
||||
| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` |
|
||||
| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` |
|
||||
| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` |
|
||||
| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` |
|
||||
| **Trace** | | |
|
||||
| `trace.enabled` | Enable tracing or not | `false` |
|
||||
| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` |
|
||||
| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` |
|
||||
| `trace.namespace` | Namespace used to differentiate different harbor services | |
|
||||
| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | |
|
||||
| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` |
|
||||
| `trace.jaeger.username` | The username of jaeger | |
|
||||
| `trace.jaeger.password` | The password of jaeger | |
|
||||
| `trace.jaeger.agent_host` | The agent host of jaeger | |
|
||||
| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` |
|
||||
| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` |
|
||||
| `trace.otel.url_path` | The URL path of otel | `/v1/traces` |
|
||||
| `trace.otel.compression` | Whether enable compression or not for otel | `false` |
|
||||
| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` |
|
||||
| `trace.otel.timeout` | The timeout in seconds of otel | `10` |
|
||||
| **Cache** | | |
|
||||
| `cache.enabled` | Enable cache layer or not | `false` |
|
||||
| `cache.expireHours` | The expire hours of cache layer | `24` |
|
||||
|
||||
[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
[trivy]: https://github.com/aquasecurity/trivy
|
||||
[trivy-db]: https://github.com/aquasecurity/trivy-db
|
||||
[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db
|
||||
[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting
|
10
src/pkg/chart/testdata/harbor-schema1/requirements.yaml
vendored
Normal file
10
src/pkg/chart/testdata/harbor-schema1/requirements.yaml
vendored
Normal file
@ -0,0 +1,10 @@
|
||||
# NOTICE: Harbor chart is not dependent on other charts. This is just a mock for UT coverage.
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
version: 1.0.0
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
condition: postgresql.enabled
|
||||
- name: redis
|
||||
version: 2.0.0
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
condition: redis.enabled
|
3
src/pkg/chart/testdata/harbor-schema1/templates/NOTES.txt
vendored
Normal file
3
src/pkg/chart/testdata/harbor-schema1/templates/NOTES.txt
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
Please wait for several minutes for Harbor deployment to complete.
|
||||
Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}
|
||||
For more details, please visit https://github.com/goharbor/harbor
|
581
src/pkg/chart/testdata/harbor-schema1/templates/_helpers.tpl
vendored
Normal file
581
src/pkg/chart/testdata/harbor-schema1/templates/_helpers.tpl
vendored
Normal file
@ -0,0 +1,581 @@
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "harbor.name" -}}
|
||||
{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "harbor.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default "harbor" .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* Helm required labels: legacy */}}
|
||||
{{- define "harbor.legacy.labels" -}}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
chart: {{ .Chart.Name }}
|
||||
app: "{{ template "harbor.name" . }}"
|
||||
{{- end -}}
|
||||
|
||||
{{/* Helm required labels */}}
|
||||
{{- define "harbor.labels" -}}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
chart: {{ .Chart.Name }}
|
||||
app: "{{ template "harbor.name" . }}"
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/name: {{ include "harbor.name" . }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/part-of: {{ include "harbor.name" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/* matchLabels */}}
|
||||
{{- define "harbor.matchLabels" -}}
|
||||
release: {{ .Release.Name }}
|
||||
app: "{{ template "harbor.name" . }}"
|
||||
{{- end -}}
|
||||
|
||||
{{/* Helper for printing values from existing secrets*/}}
|
||||
{{- define "harbor.secretKeyHelper" -}}
|
||||
{{- if and (not (empty .data)) (hasKey .data .key) }}
|
||||
{{- index .data .key | b64dec -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.autoGenCert" -}}
|
||||
{{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
|
||||
{{- printf "true" -}}
|
||||
{{- else -}}
|
||||
{{- printf "false" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.autoGenCertForIngress" -}}
|
||||
{{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}}
|
||||
{{- printf "true" -}}
|
||||
{{- else -}}
|
||||
{{- printf "false" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.autoGenCertForNginx" -}}
|
||||
{{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}}
|
||||
{{- printf "true" -}}
|
||||
{{- else -}}
|
||||
{{- printf "false" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.host" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- template "harbor.database" . }}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.host -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.port" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "5432" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.port -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.username" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "postgres" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.username -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.rawPassword" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}}
|
||||
{{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}}
|
||||
{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.internal.password -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.password -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.escapedRawPassword" -}}
|
||||
{{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.encryptedPassword" -}}
|
||||
{{- include "harbor.database.rawPassword" . | b64enc | quote -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.coreDatabase" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "registry" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.coreDatabase -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.sslmode" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "disable" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.sslmode -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.scheme" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*host:port*/
|
||||
{{- define "harbor.redis.addr" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.masterSet" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.password" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary "" .external.password (eq .type "internal") }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- define "harbor.redis.pwdfromsecret" -}}
|
||||
{{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.cred" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- if (and (eq .type "external" ) (.external.existingSecret)) }}
|
||||
{{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }}
|
||||
{{- else }}
|
||||
{{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]host:port[/master_set]*/
|
||||
{{- define "harbor.redis.url" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
|
||||
{{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForCore" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index*/
|
||||
{{- define "harbor.redis.urlForJobservice" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForRegistry" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForTrivy" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForHarbor" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForCache" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.dbForRegistry" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.portal" -}}
|
||||
{{- printf "%s-portal" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.core" -}}
|
||||
{{- printf "%s-core" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis" -}}
|
||||
{{- printf "%s-redis" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.jobservice" -}}
|
||||
{{- printf "%s-jobservice" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.registry" -}}
|
||||
{{- printf "%s-registry" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.registryCtl" -}}
|
||||
{{- printf "%s-registryctl" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database" -}}
|
||||
{{- printf "%s-database" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.trivy" -}}
|
||||
{{- printf "%s-trivy" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.nginx" -}}
|
||||
{{- printf "%s-nginx" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.exporter" -}}
|
||||
{{- printf "%s-exporter" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.ingress" -}}
|
||||
{{- printf "%s-ingress" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.noProxy" -}}
|
||||
{{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.caBundleVolume" -}}
|
||||
- name: ca-bundle-certs
|
||||
secret:
|
||||
secretName: {{ .Values.caBundleSecretName }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.caBundleVolumeMount" -}}
|
||||
- name: ca-bundle-certs
|
||||
mountPath: /harbor_cust_cert/custom-ca.crt
|
||||
subPath: ca.crt
|
||||
{{- end -}}
|
||||
|
||||
{{/* scheme for all components because it only support http mode */}}
|
||||
{{- define "harbor.component.scheme" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "https" -}}
|
||||
{{- else -}}
|
||||
{{- printf "http" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* core component container port */}}
|
||||
{{- define "harbor.core.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* core component service port */}}
|
||||
{{- define "harbor.core.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "80" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* jobservice component container port */}}
|
||||
{{- define "harbor.jobservice.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* jobservice component service port */}}
|
||||
{{- define "harbor.jobservice.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "80" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* portal component container port */}}
|
||||
{{- define "harbor.portal.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* portal component service port */}}
|
||||
{{- define "harbor.portal.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "80" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registry component container port */}}
|
||||
{{- define "harbor.registry.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "5443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "5000" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registry component service port */}}
|
||||
{{- define "harbor.registry.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "5443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "5000" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registryctl component container port */}}
|
||||
{{- define "harbor.registryctl.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registryctl component service port */}}
|
||||
{{- define "harbor.registryctl.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* trivy component container port */}}
|
||||
{{- define "harbor.trivy.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* trivy component service port */}}
|
||||
{{- define "harbor.trivy.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* CORE_URL */}}
|
||||
{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}}
|
||||
{{- define "harbor.coreURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* JOBSERVICE_URL */}}
|
||||
{{- define "harbor.jobserviceURL" -}}
|
||||
{{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* PORTAL_URL */}}
|
||||
{{- define "harbor.portalURL" -}}
|
||||
{{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* REGISTRY_URL */}}
|
||||
{{- define "harbor.registryURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* REGISTRY_CONTROLLER_URL */}}
|
||||
{{- define "harbor.registryControllerURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* TOKEN_SERVICE_URL */}}
|
||||
{{- define "harbor.tokenServiceURL" -}}
|
||||
{{- printf "%s/service/token" (include "harbor.coreURL" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* TRIVY_ADAPTER_URL */}}
|
||||
{{- define "harbor.trivyAdapterURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.core.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.core.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.jobservice.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.jobservice.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.portal.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.portal.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.registry.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.registry.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.trivy.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.trivy.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.tlsCoreSecretForIngress" -}}
|
||||
{{- if eq .Values.expose.tls.certSource "none" -}}
|
||||
{{- printf "" -}}
|
||||
{{- else if eq .Values.expose.tls.certSource "secret" -}}
|
||||
{{- .Values.expose.tls.secret.secretName -}}
|
||||
{{- else -}}
|
||||
{{- include "harbor.ingress" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.tlsSecretForNginx" -}}
|
||||
{{- if eq .Values.expose.tls.certSource "secret" -}}
|
||||
{{- .Values.expose.tls.secret.secretName -}}
|
||||
{{- else -}}
|
||||
{{- include "harbor.nginx" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.metricsPortName" -}}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
{{- printf "https-metrics" -}}
|
||||
{{- else -}}
|
||||
{{- printf "http-metrics" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvs" -}}
|
||||
TRACE_ENABLED: "{{ .Values.trace.enabled }}"
|
||||
TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}"
|
||||
TRACE_NAMESPACE: "{{ .Values.trace.namespace }}"
|
||||
{{- if .Values.trace.attributes }}
|
||||
TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.trace.provider "jaeger" }}
|
||||
TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}"
|
||||
TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}"
|
||||
TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}"
|
||||
TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}"
|
||||
{{- else }}
|
||||
TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}"
|
||||
TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}"
|
||||
TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}"
|
||||
TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}"
|
||||
TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}"
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvsForCore" -}}
|
||||
{{- if .Values.trace.enabled }}
|
||||
TRACE_SERVICE_NAME: "harbor-core"
|
||||
{{ include "harbor.traceEnvs" . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvsForJobservice" -}}
|
||||
{{- if .Values.trace.enabled }}
|
||||
TRACE_SERVICE_NAME: "harbor-jobservice"
|
||||
{{ include "harbor.traceEnvs" . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvsForRegistryCtl" -}}
|
||||
{{- if .Values.trace.enabled }}
|
||||
TRACE_SERVICE_NAME: "harbor-registryctl"
|
||||
{{ include "harbor.traceEnvs" . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceJaegerPassword" -}}
|
||||
{{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }}
|
||||
TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}"
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Allow KubeVersion to be overridden. */}}
|
||||
{{- define "harbor.ingress.kubeVersion" -}}
|
||||
{{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}}
|
||||
{{- end -}}
|
90
src/pkg/chart/testdata/harbor-schema1/templates/core/core-cm.yaml
vendored
Normal file
90
src/pkg/chart/testdata/harbor-schema1/templates/core/core-cm.yaml
vendored
Normal file
@ -0,0 +1,90 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
app.conf: |+
|
||||
appname = Harbor
|
||||
runmode = prod
|
||||
enablegzip = true
|
||||
|
||||
[prod]
|
||||
httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }}
|
||||
PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}"
|
||||
DATABASE_TYPE: "postgresql"
|
||||
POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
|
||||
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
|
||||
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
|
||||
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
|
||||
POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
|
||||
POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
|
||||
POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
|
||||
EXT_ENDPOINT: "{{ .Values.externalURL }}"
|
||||
CORE_URL: "{{ template "harbor.coreURL" . }}"
|
||||
JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}"
|
||||
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
|
||||
TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
|
||||
CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}"
|
||||
WITH_TRIVY: {{ .Values.trivy.enabled | quote }}
|
||||
TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}"
|
||||
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
|
||||
LOG_LEVEL: "{{ .Values.logLevel }}"
|
||||
CONFIG_PATH: "/etc/core/app.conf"
|
||||
CHART_CACHE_DRIVER: "redis"
|
||||
_REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
|
||||
_REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}"
|
||||
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }}
|
||||
_REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}"
|
||||
{{- end }}
|
||||
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
|
||||
_REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
|
||||
{{- end }}
|
||||
PORTAL_URL: "{{ template "harbor.portalURL" . }}"
|
||||
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
|
||||
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
|
||||
{{- if .Values.uaaSecretName }}
|
||||
UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt"
|
||||
{{- end }}
|
||||
{{- if has "core" .Values.proxy.components }}
|
||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory"
|
||||
{{- if .Values.metrics.enabled}}
|
||||
METRIC_ENABLE: "true"
|
||||
METRIC_PATH: "{{ .Values.metrics.core.path }}"
|
||||
METRIC_PORT: "{{ .Values.metrics.core.port }}"
|
||||
METRIC_NAMESPACE: harbor
|
||||
METRIC_SUBSYSTEM: core
|
||||
{{- end }}
|
||||
|
||||
{{- if hasKey .Values.core "gcTimeWindowHours" }}
|
||||
#make the GC time window configurable for testing
|
||||
GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}"
|
||||
{{- end }}
|
||||
{{- template "harbor.traceEnvsForCore" . }}
|
||||
|
||||
{{- if .Values.core.artifactPullAsyncFlushDuration }}
|
||||
ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.core.gdpr}}
|
||||
{{- if .Values.core.gdpr.deleteUser}}
|
||||
GDPR_DELETE_USER: "true"
|
||||
{{- end }}
|
||||
{{- if .Values.core.gdpr.auditLogsCompliant}}
|
||||
GDPR_AUDIT_LOGS: "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.cache.enabled }}
|
||||
CACHE_ENABLED: "true"
|
||||
CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.core.quotaUpdateProvider }}
|
||||
QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}"
|
||||
{{- end }}
|
257
src/pkg/chart/testdata/harbor-schema1/templates/core/core-dpl.yaml
vendored
Normal file
257
src/pkg/chart/testdata/harbor-schema1/templates/core/core-dpl.yaml
vendored
Normal file
@ -0,0 +1,257 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: core
|
||||
app.kubernetes.io/component: core
|
||||
spec:
|
||||
replicas: {{ .Values.core.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: core
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: core
|
||||
app.kubernetes.io/component: core
|
||||
{{- if .Values.core.podLabels }}
|
||||
{{ toYaml .Values.core.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
|
||||
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.podAnnotations }}
|
||||
{{ toYaml .Values.core.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.core.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.core.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- with .Values.core.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: core
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: core
|
||||
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if .Values.core.startupProbe.enabled }}
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /api/v2.0/ping
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.core.containerPort" . }}
|
||||
failureThreshold: 360
|
||||
initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }}
|
||||
periodSeconds: 10
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /api/v2.0/ping
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.core.containerPort" . }}
|
||||
failureThreshold: 2
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /api/v2.0/ping
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.core.containerPort" . }}
|
||||
failureThreshold: 2
|
||||
periodSeconds: 10
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
env:
|
||||
- name: CORE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
|
||||
key: secret
|
||||
- name: JOBSERVICE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
|
||||
{{- if .Values.jobservice.existingSecret }}
|
||||
key: {{ .Values.jobservice.existingSecretKey }}
|
||||
{{- else }}
|
||||
key: JOBSERVICE_SECRET
|
||||
{{- end }}
|
||||
{{- if .Values.existingSecretAdminPassword }}
|
||||
- name: HARBOR_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.existingSecretAdminPassword }}
|
||||
key: {{ .Values.existingSecretAdminPasswordKey }}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: INTERNAL_TLS_ENABLED
|
||||
value: "true"
|
||||
- name: INTERNAL_TLS_KEY_PATH
|
||||
value: /etc/harbor/ssl/core/tls.key
|
||||
- name: INTERNAL_TLS_CERT_PATH
|
||||
value: /etc/harbor/ssl/core/tls.crt
|
||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
||||
value: /etc/harbor/ssl/core/ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.database.external.existingSecret }}
|
||||
- name: POSTGRESQL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.database.external.existingSecret }}
|
||||
key: password
|
||||
{{- end }}
|
||||
{{- if .Values.registry.credentials.existingSecret }}
|
||||
- name: REGISTRY_CREDENTIAL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.registry.credentials.existingSecret }}
|
||||
key: REGISTRY_PASSWD
|
||||
{{- end }}
|
||||
{{- if .Values.core.existingXsrfSecret }}
|
||||
- name: CSRF_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.core.existingXsrfSecret }}
|
||||
key: {{ .Values.core.existingXsrfSecretKey }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.extraEnvVars }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: {{ template "harbor.core.containerPort" . }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/core/app.conf
|
||||
subPath: app.conf
|
||||
- name: secret-key
|
||||
mountPath: /etc/core/key
|
||||
subPath: key
|
||||
- name: token-service-private-key
|
||||
mountPath: /etc/core/private_key.pem
|
||||
subPath: tls.key
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: ca-download
|
||||
mountPath: /etc/core/ca
|
||||
{{- end }}
|
||||
{{- if .Values.uaaSecretName }}
|
||||
- name: auth-ca-cert
|
||||
mountPath: /etc/core/auth-ca/auth-ca.crt
|
||||
subPath: auth-ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
mountPath: /etc/harbor/ssl/core
|
||||
{{- end }}
|
||||
- name: psc
|
||||
mountPath: /etc/core/token
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.core.resources | indent 10 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ template "harbor.core" . }}
|
||||
items:
|
||||
- key: app.conf
|
||||
path: app.conf
|
||||
- name: secret-key
|
||||
secret:
|
||||
{{- if .Values.existingSecretSecretKey }}
|
||||
secretName: {{ .Values.existingSecretSecretKey }}
|
||||
{{- else }}
|
||||
secretName: {{ template "harbor.core" . }}
|
||||
{{- end }}
|
||||
items:
|
||||
- key: secretKey
|
||||
path: key
|
||||
- name: token-service-private-key
|
||||
secret:
|
||||
{{- if .Values.core.secretName }}
|
||||
secretName: {{ .Values.core.secretName }}
|
||||
{{- else }}
|
||||
secretName: {{ template "harbor.core" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: ca-download
|
||||
secret:
|
||||
{{- if .Values.caSecretName }}
|
||||
secretName: {{ .Values.caSecretName }}
|
||||
{{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }}
|
||||
secretName: "{{ template "harbor.ingress" . }}"
|
||||
{{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
||||
secretName: {{ template "harbor.tlsSecretForNginx" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.uaaSecretName }}
|
||||
- name: auth-ca-cert
|
||||
secret:
|
||||
secretName: {{ .Values.uaaSecretName }}
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: auth-ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.core.secretName" . }}
|
||||
{{- end }}
|
||||
- name: psc
|
||||
emptyDir: {}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.priorityClassName }}
|
||||
priorityClassName: {{ .Values.core.priorityClassName }}
|
||||
{{- end }}
|
77
src/pkg/chart/testdata/harbor-schema1/templates/core/core-pre-upgrade-job.yaml
vendored
Normal file
77
src/pkg/chart/testdata/harbor-schema1/templates/core/core-pre-upgrade-job.yaml
vendored
Normal file
@ -0,0 +1,77 @@
|
||||
{{- if .Values.enableMigrateHelmHook }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: migration-job
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: migrator
|
||||
annotations:
|
||||
# This is what defines this resource as a hook. Without this line, the
|
||||
# job is considered part of the release.
|
||||
"helm.sh/hook": pre-upgrade
|
||||
"helm.sh/hook-weight": "-5"
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.matchLabels" . | indent 8 }}
|
||||
component: migrator
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.core.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.core.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
containers:
|
||||
- name: core-job
|
||||
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
command: ["/harbor/harbor_core", "-mode=migrate"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
{{- if .Values.database.external.existingSecret }}
|
||||
env:
|
||||
- name: POSTGRESQL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.database.external.existingSecret }}
|
||||
key: password
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/core/app.conf
|
||||
subPath: app.conf
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ template "harbor.core" . }}
|
||||
items:
|
||||
- key: app.conf
|
||||
path: app.conf
|
||||
{{- with .Values.core.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
36
src/pkg/chart/testdata/harbor-schema1/templates/core/core-secret.yaml
vendored
Normal file
36
src/pkg/chart/testdata/harbor-schema1/templates/core/core-secret.yaml
vendored
Normal file
@ -0,0 +1,36 @@
|
||||
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if not .Values.existingSecretSecretKey }}
|
||||
secretKey: {{ .Values.secretKey | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.core.existingSecret }}
|
||||
secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.core.secretName }}
|
||||
{{- $ca := genCA "harbor-token-ca" 365 }}
|
||||
tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
|
||||
tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.existingSecretAdminPassword }}
|
||||
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.database.external.existingSecret }}
|
||||
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
||||
{{- end }}
|
||||
{{- if not .Values.registry.credentials.existingSecret }}
|
||||
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.core.existingXsrfSecret }}
|
||||
CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.configureUserSettings }}
|
||||
CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- template "harbor.traceJaegerPassword" . }}
|
25
src/pkg/chart/testdata/harbor-schema1/templates/core/core-svc.yaml
vendored
Normal file
25
src/pkg/chart/testdata/harbor-schema1/templates/core/core-svc.yaml
vendored
Normal file
@ -0,0 +1,25 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- with .Values.core.serviceAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }}
|
||||
type: NodePort
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }}
|
||||
port: {{ template "harbor.core.servicePort" . }}
|
||||
targetPort: {{ template "harbor.core.containerPort" . }}
|
||||
{{- if .Values.metrics.enabled}}
|
||||
- name: {{ template "harbor.metricsPortName" . }}
|
||||
port: {{ .Values.metrics.core.port }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: core
|
15
src/pkg/chart/testdata/harbor-schema1/templates/core/core-tls.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema1/templates/core/core-tls.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
||||
tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }}
|
||||
tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
11
src/pkg/chart/testdata/harbor-schema1/templates/database/database-secret.yaml
vendored
Normal file
11
src/pkg/chart/testdata/harbor-schema1/templates/database/database-secret.yaml
vendored
Normal file
@ -0,0 +1,11 @@
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
||||
{{- end -}}
|
162
src/pkg/chart/testdata/harbor-schema1/templates/database/database-ss.yaml
vendored
Normal file
162
src/pkg/chart/testdata/harbor-schema1/templates/database/database-ss.yaml
vendored
Normal file
@ -0,0 +1,162 @@
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- $database := .Values.persistence.persistentVolumeClaim.database -}}
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: database
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
replicas: 1
|
||||
serviceName: "{{ template "harbor.database" . }}"
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: database
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: database
|
||||
app.kubernetes.io/component: database
|
||||
{{- if .Values.database.podLabels }}
|
||||
{{ toYaml .Values.database.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }}
|
||||
{{- if .Values.database.podAnnotations }}
|
||||
{{ toYaml .Values.database.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 999
|
||||
fsGroup: 999
|
||||
{{- if .Values.database.internal.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.database.internal.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
initContainers:
|
||||
# with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume
|
||||
# this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph
|
||||
# use this init container to correct the permission
|
||||
# as "fsGroup" applied before the init container running, the container has enough permission to execute the command
|
||||
- name: "data-permissions-ensurer"
|
||||
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
command: ["/bin/sh"]
|
||||
args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
|
||||
{{- if .Values.database.internal.initContainer.permissions.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: database-data
|
||||
mountPath: /var/lib/postgresql/data
|
||||
subPath: {{ $database.subPath }}
|
||||
{{- with .Values.database.internal.extrInitContainers }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: database
|
||||
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /docker-healthcheck.sh
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }}
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /docker-healthcheck.sh
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }}
|
||||
{{- if .Values.database.internal.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.database.internal.resources | indent 10 }}
|
||||
{{- end }}
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
env:
|
||||
# put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
|
||||
# more detail refer to https://github.com/goharbor/harbor-helm/issues/756
|
||||
- name: PGDATA
|
||||
value: "/var/lib/postgresql/data/pgdata"
|
||||
{{- with .Values.database.internal.extraEnvVars }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: database-data
|
||||
mountPath: /var/lib/postgresql/data
|
||||
subPath: {{ $database.subPath }}
|
||||
- name: shm-volume
|
||||
mountPath: /dev/shm
|
||||
volumes:
|
||||
- name: shm-volume
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
sizeLimit: {{ .Values.database.internal.shmSizeLimit }}
|
||||
{{- if not .Values.persistence.enabled }}
|
||||
- name: "database-data"
|
||||
emptyDir: {}
|
||||
{{- else if $database.existingClaim }}
|
||||
- name: "database-data"
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ $database.existingClaim }}
|
||||
{{- end -}}
|
||||
{{- with .Values.database.internal.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.database.internal.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.database.internal.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.database.internal.priorityClassName }}
|
||||
priorityClassName: {{ .Values.database.internal.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if and .Values.persistence.enabled (not $database.existingClaim) }}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: "database-data"
|
||||
labels:
|
||||
{{ include "harbor.legacy.labels" . | indent 8 }}
|
||||
annotations:
|
||||
{{- range $key, $value := $database.annotations }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes: [{{ $database.accessMode | quote }}]
|
||||
{{- if $database.storageClass }}
|
||||
{{- if (eq "-" $database.storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ $database.storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ $database.size | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
14
src/pkg/chart/testdata/harbor-schema1/templates/database/database-svc.yaml
vendored
Normal file
14
src/pkg/chart/testdata/harbor-schema1/templates/database/database-svc.yaml
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 5432
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: database
|
||||
{{- end -}}
|
35
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-cm-env.yaml
vendored
Normal file
35
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-cm-env.yaml
vendored
Normal file
@ -0,0 +1,35 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.exporter" . }}-env"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
{{- if has "jobservice" .Values.proxy.components }}
|
||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
LOG_LEVEL: "{{ .Values.logLevel }}"
|
||||
HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}"
|
||||
HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}"
|
||||
HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}"
|
||||
HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}"
|
||||
HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}"
|
||||
HARBOR_METRIC_NAMESPACE: harbor
|
||||
HARBOR_METRIC_SUBSYSTEM: exporter
|
||||
HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}"
|
||||
HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace
|
||||
HARBOR_REDIS_TIMEOUT: "3600"
|
||||
HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}"
|
||||
HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}"
|
||||
HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}"
|
||||
HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}"
|
||||
HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}"
|
||||
HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}"
|
||||
HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}"
|
||||
HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
|
||||
HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
|
||||
HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
|
||||
{{- end}}
|
146
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-dpl.yaml
vendored
Normal file
146
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-dpl.yaml
vendored
Normal file
@ -0,0 +1,146 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "harbor.exporter" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: exporter
|
||||
app.kubernetes.io/component: exporter
|
||||
spec:
|
||||
replicas: {{ .Values.exporter.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: exporter
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: exporter
|
||||
app.kubernetes.io/component: exporter
|
||||
{{- if .Values.exporter.podLabels }}
|
||||
{{ toYaml .Values.exporter.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/exporter/exporter-cm-env.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/exporter/exporter-secret.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.exporter.podAnnotations }}
|
||||
{{ toYaml .Values.exporter.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.exporter.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.exporter.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }}
|
||||
{{- with .Values.exporter.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: exporter
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: exporter
|
||||
image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: {{ .Values.metrics.exporter.port }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: {{ .Values.metrics.exporter.port }}
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
args: ["-log-level", "{{ .Values.logLevel }}"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.exporter" . }}-env"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.exporter" . }}"
|
||||
env:
|
||||
{{- if .Values.database.external.existingSecret }}
|
||||
- name: HARBOR_DATABASE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.database.external.existingSecret }}
|
||||
key: password
|
||||
{{- end }}
|
||||
{{- if .Values.existingSecretAdminPassword }}
|
||||
- name: HARBOR_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.existingSecretAdminPassword }}
|
||||
key: {{ .Values.existingSecretAdminPasswordKey }}
|
||||
{{- end }}
|
||||
{{- if .Values.exporter.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.exporter.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.extraEnvVars }}
|
||||
env:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: {{ .Values.metrics.exporter.port }}
|
||||
volumeMounts:
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
mountPath: /etc/harbor/ssl/core
|
||||
# There are some metric data are collectd from harbor core.
|
||||
# When internal TLS is enabled, the Exporter need the CA file to collect these data.
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
secret:
|
||||
secretName: "{{ template "harbor.exporter" . }}"
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.core.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.exporter.priorityClassName }}
|
||||
priorityClassName: {{ .Values.exporter.priorityClassName }}
|
||||
{{- end }}
|
||||
{{ end }}
|
16
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-secret.yaml
vendored
Normal file
16
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-secret.yaml
vendored
Normal file
@ -0,0 +1,16 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "harbor.exporter" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if not .Values.existingSecretAdminPassword }}
|
||||
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.database.external.existingSecret }}
|
||||
HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
15
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-svc.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema1/templates/exporter/exporter-svc.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.exporter" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- name: {{ template "harbor.metricsPortName" . }}
|
||||
port: {{ .Values.metrics.exporter.port }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: exporter
|
||||
{{ end }}
|
142
src/pkg/chart/testdata/harbor-schema1/templates/ingress/ingress.yaml
vendored
Normal file
142
src/pkg/chart/testdata/harbor-schema1/templates/ingress/ingress.yaml
vendored
Normal file
@ -0,0 +1,142 @@
|
||||
{{- if eq .Values.expose.type "ingress" }}
|
||||
{{- $ingress := .Values.expose.ingress -}}
|
||||
{{- $tls := .Values.expose.tls -}}
|
||||
{{- if eq .Values.expose.ingress.controller "gce" }}
|
||||
{{- $_ := set . "portal_path" "/*" -}}
|
||||
{{- $_ := set . "api_path" "/api/*" -}}
|
||||
{{- $_ := set . "service_path" "/service/*" -}}
|
||||
{{- $_ := set . "v2_path" "/v2/*" -}}
|
||||
{{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
|
||||
{{- $_ := set . "controller_path" "/c/*" -}}
|
||||
{{- else if eq .Values.expose.ingress.controller "ncp" }}
|
||||
{{- $_ := set . "portal_path" "/.*" -}}
|
||||
{{- $_ := set . "api_path" "/api/.*" -}}
|
||||
{{- $_ := set . "service_path" "/service/.*" -}}
|
||||
{{- $_ := set . "v2_path" "/v2/.*" -}}
|
||||
{{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
|
||||
{{- $_ := set . "controller_path" "/c/.*" -}}
|
||||
{{- else }}
|
||||
{{- $_ := set . "portal_path" "/" -}}
|
||||
{{- $_ := set . "api_path" "/api/" -}}
|
||||
{{- $_ := set . "service_path" "/service/" -}}
|
||||
{{- $_ := set . "v2_path" "/v2/" -}}
|
||||
{{- $_ := set . "chartrepo_path" "/chartrepo/" -}}
|
||||
{{- $_ := set . "controller_path" "/c/" -}}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }}
|
||||
apiVersion: extensions/v1beta1
|
||||
{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
{{- else }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
{{- end }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: "{{ template "harbor.ingress" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if $ingress.labels }}
|
||||
{{ toYaml $ingress.labels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ toYaml $ingress.annotations | indent 4 }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
{{- end }}
|
||||
{{- if eq .Values.expose.ingress.controller "ncp" }}
|
||||
ncp/use-regex: "true"
|
||||
{{- if $tls.enabled }}
|
||||
ncp/http-redirect: "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if $ingress.className }}
|
||||
ingressClassName: {{ $ingress.className }}
|
||||
{{- end }}
|
||||
{{- if $tls.enabled }}
|
||||
tls:
|
||||
- secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
|
||||
{{- if $ingress.hosts.core }}
|
||||
hosts:
|
||||
- {{ $ingress.hosts.core }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- http:
|
||||
paths:
|
||||
{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
|
||||
- path: {{ .api_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .service_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .v2_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .chartrepo_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .controller_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .portal_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.portal" . }}
|
||||
servicePort: {{ template "harbor.portal.servicePort" . }}
|
||||
{{- else }}
|
||||
- path: {{ .api_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .service_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .v2_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .chartrepo_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .controller_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .portal_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.portal" . }}
|
||||
port:
|
||||
number: {{ template "harbor.portal.servicePort" . }}
|
||||
{{- end }}
|
||||
{{- if $ingress.hosts.core }}
|
||||
host: {{ $ingress.hosts.core }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
15
src/pkg/chart/testdata/harbor-schema1/templates/ingress/secret.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema1/templates/ingress/secret.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
|
||||
{{- $ca := genCA "harbor-ca" 365 }}
|
||||
{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.ingress" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
81
src/pkg/chart/testdata/harbor-schema1/templates/internal/auto-tls.yaml
vendored
Normal file
81
src/pkg/chart/testdata/harbor-schema1/templates/internal/auto-tls.yaml
vendored
Normal file
@ -0,0 +1,81 @@
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
{{- $ca := genCA "harbor-internal-ca" 365 }}
|
||||
{{- $coreCN := (include "harbor.core" .) }}
|
||||
{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }}
|
||||
{{- $jsCN := (include "harbor.jobservice" .) }}
|
||||
{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }}
|
||||
{{- $regCN := (include "harbor.registry" .) }}
|
||||
{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }}
|
||||
{{- $portalCN := (include "harbor.portal" .) }}
|
||||
{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $coreCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $coreCrt.Key | b64enc | quote }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $jsCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $jsCrt.Key | b64enc | quote }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $regCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $regCrt.Key | b64enc | quote }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $portalCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $portalCrt.Key | b64enc | quote }}
|
||||
|
||||
{{- if and .Values.trivy.enabled}}
|
||||
---
|
||||
{{- $trivyCN := (include "harbor.trivy" .) }}
|
||||
{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $trivyCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $trivyCrt.Key | b64enc | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
34
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-cm-env.yaml
vendored
Normal file
34
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-cm-env.yaml
vendored
Normal file
@ -0,0 +1,34 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}-env"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
CORE_URL: "{{ template "harbor.coreURL" . }}"
|
||||
TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
|
||||
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
|
||||
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
|
||||
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
|
||||
|
||||
JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}"
|
||||
JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}"
|
||||
|
||||
{{- if has "jobservice" .Values.proxy.components }}
|
||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled}}
|
||||
METRIC_NAMESPACE: harbor
|
||||
METRIC_SUBSYSTEM: jobservice
|
||||
{{- end }}
|
||||
{{- template "harbor.traceEnvsForJobservice" . }}
|
||||
{{- if .Values.cache.enabled }}
|
||||
_REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
|
||||
CACHE_ENABLED: "true"
|
||||
CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
|
||||
{{- end }}
|
||||
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
|
||||
_REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
|
||||
{{- end }}
|
57
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-cm.yaml
vendored
Normal file
57
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-cm.yaml
vendored
Normal file
@ -0,0 +1,57 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
config.yml: |+
|
||||
#Server listening port
|
||||
protocol: "{{ template "harbor.component.scheme" . }}"
|
||||
port: {{ template "harbor.jobservice.containerPort". }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
https_config:
|
||||
cert: "/etc/harbor/ssl/jobservice/tls.crt"
|
||||
key: "/etc/harbor/ssl/jobservice/tls.key"
|
||||
{{- end }}
|
||||
worker_pool:
|
||||
workers: {{ .Values.jobservice.maxJobWorkers }}
|
||||
backend: "redis"
|
||||
redis_pool:
|
||||
redis_url: "{{ template "harbor.redis.urlForJobservice" . }}"
|
||||
namespace: "harbor_job_service_namespace"
|
||||
idle_timeout_second: 3600
|
||||
job_loggers:
|
||||
{{- if has "file" .Values.jobservice.jobLoggers }}
|
||||
- name: "FILE"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
settings: # Customized settings of logger
|
||||
base_dir: "/var/log/jobs"
|
||||
sweeper:
|
||||
duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
|
||||
settings: # Customized settings of sweeper
|
||||
work_dir: "/var/log/jobs"
|
||||
{{- end }}
|
||||
{{- if has "database" .Values.jobservice.jobLoggers }}
|
||||
- name: "DB"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
sweeper:
|
||||
duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
|
||||
{{- end }}
|
||||
{{- if has "stdout" .Values.jobservice.jobLoggers }}
|
||||
- name: "STD_OUTPUT"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
{{- end }}
|
||||
metric:
|
||||
enabled: {{ .Values.metrics.enabled }}
|
||||
path: {{ .Values.metrics.jobservice.path }}
|
||||
port: {{ .Values.metrics.jobservice.port }}
|
||||
#Loggers for the job service
|
||||
loggers:
|
||||
- name: "STD_OUTPUT"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
reaper:
|
||||
# the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
|
||||
max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }}
|
||||
# the max time for execution in running state without new task created
|
||||
max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }}
|
182
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-dpl.yaml
vendored
Normal file
182
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-dpl.yaml
vendored
Normal file
@ -0,0 +1,182 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: jobservice
|
||||
app.kubernetes.io/component: jobservice
|
||||
spec:
|
||||
replicas: {{ .Values.jobservice.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
{{- if eq .Values.updateStrategy.type "Recreate" }}
|
||||
rollingUpdate: null
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: jobservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: jobservice
|
||||
app.kubernetes.io/component: jobservice
|
||||
{{- if .Values.jobservice.podLabels }}
|
||||
{{ toYaml .Values.jobservice.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
|
||||
checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
|
||||
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.jobservice.podAnnotations }}
|
||||
{{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.jobservice.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- with .Values.jobservice.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: jobservice
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: jobservice
|
||||
image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /api/v1/stats
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.jobservice.containerPort" . }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /api/v1/stats
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.jobservice.containerPort" . }}
|
||||
initialDelaySeconds: 20
|
||||
periodSeconds: 10
|
||||
{{- if .Values.jobservice.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.jobservice.resources | indent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: CORE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
|
||||
key: secret
|
||||
{{- if .Values.jobservice.existingSecret }}
|
||||
- name: JOBSERVICE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.jobservice.existingSecret }}
|
||||
key: {{ .Values.jobservice.existingSecretKey }}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: INTERNAL_TLS_ENABLED
|
||||
value: "true"
|
||||
- name: INTERNAL_TLS_KEY_PATH
|
||||
value: /etc/harbor/ssl/jobservice/tls.key
|
||||
- name: INTERNAL_TLS_CERT_PATH
|
||||
value: /etc/harbor/ssl/jobservice/tls.crt
|
||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
||||
value: /etc/harbor/ssl/jobservice/ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.registry.credentials.existingSecret }}
|
||||
- name: REGISTRY_CREDENTIAL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.registry.credentials.existingSecret }}
|
||||
key: REGISTRY_PASSWD
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.extraEnvVars }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.jobservice" . }}-env"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
ports:
|
||||
- containerPort: {{ template "harbor.jobservice.containerPort" . }}
|
||||
volumeMounts:
|
||||
- name: jobservice-config
|
||||
mountPath: /etc/jobservice/config.yml
|
||||
subPath: config.yml
|
||||
- name: job-logs
|
||||
mountPath: /var/log/jobs
|
||||
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: jobservice-internal-certs
|
||||
mountPath: /etc/harbor/ssl/jobservice
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: jobservice-config
|
||||
configMap:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
- name: job-logs
|
||||
{{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }}
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }}
|
||||
{{- else }}
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: jobservice-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.jobservice.priorityClassName }}
|
||||
priorityClassName: {{ .Values.jobservice.priorityClassName }}
|
||||
{{- end }}
|
31
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-pvc.yaml
vendored
Normal file
31
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-pvc.yaml
vendored
Normal file
@ -0,0 +1,31 @@
|
||||
{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}}
|
||||
{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }}
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: {{ template "harbor.jobservice" . }}
|
||||
annotations:
|
||||
{{- range $key, $value := $jobLog.annotations }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.persistence.resourcePolicy "keep" }}
|
||||
helm.sh/resource-policy: keep
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: jobservice
|
||||
app.kubernetes.io/component: jobservice
|
||||
spec:
|
||||
accessModes:
|
||||
- {{ $jobLog.accessMode }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ $jobLog.size }}
|
||||
{{- if $jobLog.storageClass }}
|
||||
{{- if eq "-" $jobLog.storageClass }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: {{ $jobLog.storageClass }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
16
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-secrets.yaml
vendored
Normal file
16
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-secrets.yaml
vendored
Normal file
@ -0,0 +1,16 @@
|
||||
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if not .Values.jobservice.existingSecret }}
|
||||
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.registry.credentials.existingSecret }}
|
||||
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- template "harbor.traceJaegerPassword" . }}
|
18
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-svc.yaml
vendored
Normal file
18
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-svc.yaml
vendored
Normal file
@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }}
|
||||
port: {{ template "harbor.jobservice.servicePort" . }}
|
||||
targetPort: {{ template "harbor.jobservice.containerPort" . }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- name: {{ template "harbor.metricsPortName" . }}
|
||||
port: {{ .Values.metrics.jobservice.port }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: jobservice
|
15
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-tls.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema1/templates/jobservice/jobservice-tls.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
||||
tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }}
|
||||
tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
28
src/pkg/chart/testdata/harbor-schema1/templates/metrics/metrics-svcmon.yaml
vendored
Normal file
28
src/pkg/chart/testdata/harbor-schema1/templates/metrics/metrics-svcmon.yaml
vendored
Normal file
@ -0,0 +1,28 @@
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "harbor.fullname" . }}
|
||||
labels: {{ include "harbor.labels" . | nindent 4 }}
|
||||
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
|
||||
{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: app.kubernetes.io/name
|
||||
endpoints:
|
||||
- port: {{ template "harbor.metricsPortName" . }}
|
||||
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
honorLabels: true
|
||||
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings:
|
||||
{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||
relabelings:
|
||||
{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }}
|
||||
{{- end }}
|
150
src/pkg/chart/testdata/harbor-schema1/templates/nginx/configmap-http.yaml
vendored
Normal file
150
src/pkg/chart/testdata/harbor-schema1/templates/nginx/configmap-http.yaml
vendored
Normal file
@ -0,0 +1,150 @@
|
||||
{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }}
|
||||
{{- $scheme := (include "harbor.component.scheme" .) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
nginx.conf: |+
|
||||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 3096;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
client_body_temp_path /tmp/client_body_temp;
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
tcp_nodelay on;
|
||||
|
||||
# this is necessary for us to be able to disable request buffering in all cases
|
||||
proxy_http_version 1.1;
|
||||
|
||||
upstream core {
|
||||
server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
|
||||
}
|
||||
|
||||
upstream portal {
|
||||
server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }};
|
||||
}
|
||||
|
||||
log_format timed_combined '[$time_local]:$remote_addr - '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
'$request_time $upstream_response_time $pipe';
|
||||
|
||||
access_log /dev/stdout timed_combined;
|
||||
|
||||
map $http_x_forwarded_proto $x_forwarded_proto {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
|
||||
server {
|
||||
{{- if .Values.ipFamily.ipv4.enabled}}
|
||||
listen 8080;
|
||||
{{- end}}
|
||||
{{- if .Values.ipFamily.ipv6.enabled }}
|
||||
listen [::]:8080;
|
||||
{{- end }}
|
||||
server_tokens off;
|
||||
# disable any limits to avoid HTTP 413 for large image uploads
|
||||
client_max_body_size 0;
|
||||
|
||||
# Add extra headers
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
|
||||
location / {
|
||||
proxy_pass {{ $scheme }}://portal/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_pass {{ $scheme }}://core/api/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /chartrepo/ {
|
||||
proxy_pass {{ $scheme }}://core/chartrepo/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /c/ {
|
||||
proxy_pass {{ $scheme }}://core/c/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /v1/ {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location /v2/ {
|
||||
proxy_pass {{ $scheme }}://core/v2/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
proxy_send_timeout 900;
|
||||
proxy_read_timeout 900;
|
||||
}
|
||||
|
||||
location /service/ {
|
||||
proxy_pass {{ $scheme }}://core/service/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /service/notifications {
|
||||
return 404;
|
||||
}
|
||||
}
|
||||
}
|
||||
{{- end }}
|
187
src/pkg/chart/testdata/harbor-schema1/templates/nginx/configmap-https.yaml
vendored
Normal file
187
src/pkg/chart/testdata/harbor-schema1/templates/nginx/configmap-https.yaml
vendored
Normal file
@ -0,0 +1,187 @@
|
||||
{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }}
|
||||
{{- $scheme := (include "harbor.component.scheme" .) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
nginx.conf: |+
|
||||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 3096;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
client_body_temp_path /tmp/client_body_temp;
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
tcp_nodelay on;
|
||||
|
||||
# this is necessary for us to be able to disable request buffering in all cases
|
||||
proxy_http_version 1.1;
|
||||
|
||||
upstream core {
|
||||
server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
|
||||
}
|
||||
|
||||
upstream portal {
|
||||
server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}";
|
||||
}
|
||||
|
||||
log_format timed_combined '[$time_local]:$remote_addr - '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
'$request_time $upstream_response_time $pipe';
|
||||
|
||||
access_log /dev/stdout timed_combined;
|
||||
|
||||
map $http_x_forwarded_proto $x_forwarded_proto {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
|
||||
server {
|
||||
{{- if .Values.ipFamily.ipv4.enabled }}
|
||||
listen 8443 ssl;
|
||||
{{- end}}
|
||||
{{- if .Values.ipFamily.ipv6.enabled }}
|
||||
listen [::]:8443 ssl;
|
||||
{{- end }}
|
||||
# server_name harbordomain.com;
|
||||
server_tokens off;
|
||||
# SSL
|
||||
ssl_certificate /etc/nginx/cert/tls.crt;
|
||||
ssl_certificate_key /etc/nginx/cert/tls.key;
|
||||
|
||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
{{- if .Values.internalTLS.strong_ssl_ciphers }}
|
||||
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
||||
{{ else }}
|
||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||
{{- end }}
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
# disable any limits to avoid HTTP 413 for large image uploads
|
||||
client_max_body_size 0;
|
||||
|
||||
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
||||
chunked_transfer_encoding on;
|
||||
|
||||
# Add extra headers
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
|
||||
location / {
|
||||
proxy_pass {{ $scheme }}://portal/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; HttpOnly; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_pass {{ $scheme }}://core/api/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /chartrepo/ {
|
||||
proxy_pass {{ $scheme }}://core/chartrepo/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /c/ {
|
||||
proxy_pass {{ $scheme }}://core/c/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /v1/ {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location /v2/ {
|
||||
proxy_pass {{ $scheme }}://core/v2/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /service/ {
|
||||
proxy_pass {{ $scheme }}://core/service/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /service/notifications {
|
||||
return 404;
|
||||
}
|
||||
}
|
||||
server {
|
||||
{{- if .Values.ipFamily.ipv4.enabled }}
|
||||
listen 8080;
|
||||
{{- end}}
|
||||
{{- if .Values.ipFamily.ipv6.enabled }}
|
||||
listen [::]:8080;
|
||||
{{- end}}
|
||||
#server_name harbordomain.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
{{- end }}
|
132
src/pkg/chart/testdata/harbor-schema1/templates/nginx/deployment.yaml
vendored
Normal file
132
src/pkg/chart/testdata/harbor-schema1/templates/nginx/deployment.yaml
vendored
Normal file
@ -0,0 +1,132 @@
|
||||
{{- if ne .Values.expose.type "ingress" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: nginx
|
||||
app.kubernetes.io/component: nginx
|
||||
spec:
|
||||
replicas: {{ .Values.nginx.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: nginx
|
||||
app.kubernetes.io/component: nginx
|
||||
{{- if .Values.nginx.podLabels }}
|
||||
{{ toYaml .Values.nginx.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if not .Values.expose.tls.enabled }}
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }}
|
||||
{{- else }}
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.nginx.podAnnotations }}
|
||||
{{ toYaml .Values.nginx.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.nginx.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.nginx.serviceAccountName }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }}
|
||||
{{- with .Values.nginx.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: nginx
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: nginx
|
||||
image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
|
||||
{{- $_ := set . "scheme" "HTTP" -}}
|
||||
{{- $_ := set . "port" "8080" -}}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
{{- $_ := set . "scheme" "HTTPS" -}}
|
||||
{{- $_ := set . "port" "8443" -}}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: {{ .scheme }}
|
||||
path: /
|
||||
port: {{ .port }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
scheme: {{ .scheme }}
|
||||
path: /
|
||||
port: {{ .port }}
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
{{- if .Values.nginx.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.nginx.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.extraEnvVars }}
|
||||
env:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- containerPort: 8443
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
subPath: nginx.conf
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: certificate
|
||||
mountPath: /etc/nginx/cert
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: certificate
|
||||
secret:
|
||||
secretName: {{ template "harbor.tlsSecretForNginx" . }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nginx.priorityClassName }}
|
||||
priorityClassName: {{ .Values.nginx.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
23
src/pkg/chart/testdata/harbor-schema1/templates/nginx/secret.yaml
vendored
Normal file
23
src/pkg/chart/testdata/harbor-schema1/templates/nginx/secret.yaml
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
||||
{{- $ca := genCA "harbor-ca" 365 }}
|
||||
{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
|
||||
{{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- else }}
|
||||
{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
94
src/pkg/chart/testdata/harbor-schema1/templates/nginx/service.yaml
vendored
Normal file
94
src/pkg/chart/testdata/harbor-schema1/templates/nginx/service.yaml
vendored
Normal file
@ -0,0 +1,94 @@
|
||||
{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
{{- if eq .Values.expose.type "clusterIP" }}
|
||||
{{- $clusterIP := .Values.expose.clusterIP }}
|
||||
name: {{ $clusterIP.name }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if .Values.expose.clusterIP.labels }}
|
||||
{{ toYaml $clusterIP.labels | indent 4 }}
|
||||
{{- end }}
|
||||
{{- with $clusterIP.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
{{- if .Values.expose.clusterIP.staticClusterIP }}
|
||||
clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ $clusterIP.ports.httpPort }}
|
||||
targetPort: 8080
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: https
|
||||
port: {{ $clusterIP.ports.httpsPort }}
|
||||
targetPort: 8443
|
||||
{{- end }}
|
||||
{{- else if eq .Values.expose.type "nodePort" }}
|
||||
{{- $nodePort := .Values.expose.nodePort }}
|
||||
name: {{ $nodePort.name }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if .Values.expose.nodePort.labels }}
|
||||
{{ toYaml $nodePort.labels | indent 4 }}
|
||||
{{- end }}
|
||||
{{- with $nodePort.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ $nodePort.ports.http.port }}
|
||||
targetPort: 8080
|
||||
{{- if $nodePort.ports.http.nodePort }}
|
||||
nodePort: {{ $nodePort.ports.http.nodePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: https
|
||||
port: {{ $nodePort.ports.https.port }}
|
||||
targetPort: 8443
|
||||
{{- if $nodePort.ports.https.nodePort }}
|
||||
nodePort: {{ $nodePort.ports.https.nodePort }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.expose.type "loadBalancer" }}
|
||||
{{- $loadBalancer := .Values.expose.loadBalancer }}
|
||||
name: {{ $loadBalancer.name }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if .Values.expose.loadBalancer.labels }}
|
||||
{{ toYaml $loadBalancer.labels | indent 4 }}
|
||||
{{- end }}
|
||||
{{- with $loadBalancer.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
{{- with $loadBalancer.sourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $loadBalancer.IP }}
|
||||
loadBalancerIP: {{ $loadBalancer.IP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ $loadBalancer.ports.httpPort }}
|
||||
targetPort: 8080
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: https
|
||||
port: {{ $loadBalancer.ports.httpsPort }}
|
||||
targetPort: 8443
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: nginx
|
||||
{{- end }}
|
67
src/pkg/chart/testdata/harbor-schema1/templates/portal/configmap.yaml
vendored
Normal file
67
src/pkg/chart/testdata/harbor-schema1/templates/portal/configmap.yaml
vendored
Normal file
@ -0,0 +1,67 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.portal" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
nginx.conf: |+
|
||||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
http {
|
||||
client_body_temp_path /tmp/client_body_temp;
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
server {
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
{{- if .Values.ipFamily.ipv4.enabled}}
|
||||
listen {{ template "harbor.portal.containerPort" . }} ssl;
|
||||
{{- end }}
|
||||
{{- if .Values.ipFamily.ipv6.enabled}}
|
||||
listen [::]:{{ template "harbor.portal.containerPort" . }} ssl;
|
||||
{{- end }}
|
||||
# SSL
|
||||
ssl_certificate /etc/harbor/ssl/portal/tls.crt;
|
||||
ssl_certificate_key /etc/harbor/ssl/portal/tls.key;
|
||||
|
||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
{{- if .Values.internalTLS.strong_ssl_ciphers }}
|
||||
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
||||
{{ else }}
|
||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||
{{- end }}
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
{{- else }}
|
||||
{{- if .Values.ipFamily.ipv4.enabled }}
|
||||
listen {{ template "harbor.portal.containerPort" . }};
|
||||
{{- end }}
|
||||
{{- if .Values.ipFamily.ipv6.enabled}}
|
||||
listen [::]:{{ template "harbor.portal.containerPort" . }};
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
server_name localhost;
|
||||
root /usr/share/nginx/html;
|
||||
index index.html index.htm;
|
||||
include /etc/nginx/mime.types;
|
||||
gzip on;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
location /devcenter-api-2.0 {
|
||||
try_files $uri $uri/ /swagger-ui-index.html;
|
||||
}
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
location = /index.html {
|
||||
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
||||
}
|
||||
}
|
||||
}
|
123
src/pkg/chart/testdata/harbor-schema1/templates/portal/deployment.yaml
vendored
Normal file
123
src/pkg/chart/testdata/harbor-schema1/templates/portal/deployment.yaml
vendored
Normal file
@ -0,0 +1,123 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: "{{ template "harbor.portal" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: portal
|
||||
app.kubernetes.io/component: portal
|
||||
spec:
|
||||
replicas: {{ .Values.portal.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: portal
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: portal
|
||||
app.kubernetes.io/component: portal
|
||||
{{- if .Values.portal.podLabels }}
|
||||
{{ toYaml .Values.portal.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }}
|
||||
{{- if .Values.portal.podAnnotations }}
|
||||
{{ toYaml .Values.portal.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.portal.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.portal.serviceAccountName }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }}
|
||||
{{- with .Values.portal.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: portal
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.portal.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: portal
|
||||
image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if .Values.portal.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.portal.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.portal.extraEnvVars }}
|
||||
env:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.portal.containerPort" . }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.portal.containerPort" . }}
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
ports:
|
||||
- containerPort: {{ template "harbor.portal.containerPort" . }}
|
||||
volumeMounts:
|
||||
- name: portal-config
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
subPath: nginx.conf
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: portal-internal-certs
|
||||
mountPath: /etc/harbor/ssl/portal
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: portal-config
|
||||
configMap:
|
||||
name: "{{ template "harbor.portal" . }}"
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: portal-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.portal.secretName" . }}
|
||||
{{- end }}
|
||||
{{- with .Values.portal.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.portal.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.portal.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.portal.priorityClassName }}
|
||||
priorityClassName: {{ .Values.portal.priorityClassName }}
|
||||
{{- end }}
|
20
src/pkg/chart/testdata/harbor-schema1/templates/portal/service.yaml
vendored
Normal file
20
src/pkg/chart/testdata/harbor-schema1/templates/portal/service.yaml
vendored
Normal file
@ -0,0 +1,20 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.portal" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- with .Values.portal.serviceAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }}
|
||||
type: NodePort
|
||||
{{- end }}
|
||||
ports:
|
||||
- port: {{ template "harbor.portal.servicePort" . }}
|
||||
targetPort: {{ template "harbor.portal.containerPort" . }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: portal
|
15
src/pkg/chart/testdata/harbor-schema1/templates/portal/tls.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema1/templates/portal/tls.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
||||
tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }}
|
||||
tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
14
src/pkg/chart/testdata/harbor-schema1/templates/redis/service.yaml
vendored
Normal file
14
src/pkg/chart/testdata/harbor-schema1/templates/redis/service.yaml
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
{{- if eq .Values.redis.type "internal" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "harbor.redis" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 6379
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: redis
|
||||
{{- end -}}
|
125
src/pkg/chart/testdata/harbor-schema1/templates/redis/statefulset.yaml
vendored
Normal file
125
src/pkg/chart/testdata/harbor-schema1/templates/redis/statefulset.yaml
vendored
Normal file
@ -0,0 +1,125 @@
|
||||
{{- if eq .Values.redis.type "internal" -}}
|
||||
{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}}
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ template "harbor.redis" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: redis
|
||||
app.kubernetes.io/component: redis
|
||||
spec:
|
||||
replicas: 1
|
||||
serviceName: {{ template "harbor.redis" . }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: redis
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: redis
|
||||
app.kubernetes.io/component: redis
|
||||
{{- if .Values.redis.podLabels }}
|
||||
{{ toYaml .Values.redis.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.redis.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.redis.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 999
|
||||
fsGroup: 999
|
||||
{{- if .Values.redis.internal.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.redis.internal.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- with .Values.redis.internal.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: redis
|
||||
image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: 6379
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: 6379
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
{{- if .Values.redis.internal.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.redis.internal.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.redis.internal.extraEnvVars }}
|
||||
env:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/lib/redis
|
||||
subPath: {{ $redis.subPath }}
|
||||
{{- if not .Values.persistence.enabled }}
|
||||
volumes:
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
{{- else if $redis.existingClaim }}
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ $redis.existingClaim }}
|
||||
{{- end -}}
|
||||
{{- with .Values.redis.internal.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.redis.internal.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.redis.internal.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.redis.internal.priorityClassName }}
|
||||
priorityClassName: {{ .Values.redis.internal.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if and .Values.persistence.enabled (not $redis.existingClaim) }}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
labels:
|
||||
{{ include "harbor.legacy.labels" . | indent 8 }}
|
||||
annotations:
|
||||
{{- range $key, $value := $redis.annotations }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes: [{{ $redis.accessMode | quote }}]
|
||||
{{- if $redis.storageClass }}
|
||||
{{- if (eq "-" $redis.storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ $redis.storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ $redis.size | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
246
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-cm.yaml
vendored
Normal file
246
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-cm.yaml
vendored
Normal file
@ -0,0 +1,246 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.registry" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
config.yml: |+
|
||||
version: 0.1
|
||||
log:
|
||||
{{- if eq .Values.logLevel "warning" }}
|
||||
level: warn
|
||||
{{- else if eq .Values.logLevel "fatal" }}
|
||||
level: error
|
||||
{{- else }}
|
||||
level: {{ .Values.logLevel }}
|
||||
{{- end }}
|
||||
fields:
|
||||
service: registry
|
||||
storage:
|
||||
{{- $storage := .Values.persistence.imageChartStorage }}
|
||||
{{- $type := $storage.type }}
|
||||
{{- if eq $type "filesystem" }}
|
||||
filesystem:
|
||||
rootdirectory: {{ $storage.filesystem.rootdirectory }}
|
||||
{{- if $storage.filesystem.maxthreads }}
|
||||
maxthreads: {{ $storage.filesystem.maxthreads }}
|
||||
{{- end }}
|
||||
{{- else if eq $type "azure" }}
|
||||
azure:
|
||||
accountname: {{ $storage.azure.accountname }}
|
||||
container: {{ $storage.azure.container }}
|
||||
{{- if $storage.azure.realm }}
|
||||
realm: {{ $storage.azure.realm }}
|
||||
{{- end }}
|
||||
{{- else if eq $type "gcs" }}
|
||||
gcs:
|
||||
bucket: {{ $storage.gcs.bucket }}
|
||||
{{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }}
|
||||
keyfile: /etc/registry/gcs-key.json
|
||||
{{- end }}
|
||||
{{- if $storage.gcs.rootdirectory }}
|
||||
rootdirectory: {{ $storage.gcs.rootdirectory }}
|
||||
{{- end }}
|
||||
{{- if $storage.gcs.chunksize }}
|
||||
chunksize: {{ $storage.gcs.chunksize }}
|
||||
{{- end }}
|
||||
{{- else if eq $type "s3" }}
|
||||
s3:
|
||||
region: {{ $storage.s3.region }}
|
||||
bucket: {{ $storage.s3.bucket }}
|
||||
{{- if $storage.s3.regionendpoint }}
|
||||
regionendpoint: {{ $storage.s3.regionendpoint }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.encrypt }}
|
||||
encrypt: {{ $storage.s3.encrypt }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.keyid }}
|
||||
keyid: {{ $storage.s3.keyid }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.secure }}
|
||||
secure: {{ $storage.s3.secure }}
|
||||
{{- end }}
|
||||
{{- if and $storage.s3.secure $storage.s3.skipverify }}
|
||||
skipverify: {{ $storage.s3.skipverify }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.v4auth }}
|
||||
v4auth: {{ $storage.s3.v4auth }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.chunksize }}
|
||||
chunksize: {{ $storage.s3.chunksize }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.rootdirectory }}
|
||||
rootdirectory: {{ $storage.s3.rootdirectory }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.storageclass }}
|
||||
storageclass: {{ $storage.s3.storageclass }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.multipartcopychunksize }}
|
||||
multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.multipartcopymaxconcurrency }}
|
||||
multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }}
|
||||
{{- end }}
|
||||
{{- if $storage.s3.multipartcopythresholdsize }}
|
||||
multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }}
|
||||
{{- end }}
|
||||
{{- else if eq $type "swift" }}
|
||||
swift:
|
||||
authurl: {{ $storage.swift.authurl }}
|
||||
username: {{ $storage.swift.username }}
|
||||
container: {{ $storage.swift.container }}
|
||||
{{- if $storage.swift.region }}
|
||||
region: {{ $storage.swift.region }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.tenant }}
|
||||
tenant: {{ $storage.swift.tenant }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.tenantid }}
|
||||
tenantid: {{ $storage.swift.tenantid }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.domain }}
|
||||
domain: {{ $storage.swift.domain }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.domainid }}
|
||||
domainid: {{ $storage.swift.domainid }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.trustid }}
|
||||
trustid: {{ $storage.swift.trustid }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.insecureskipverify }}
|
||||
insecureskipverify: {{ $storage.swift.insecureskipverify }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.chunksize }}
|
||||
chunksize: {{ $storage.swift.chunksize }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.prefix }}
|
||||
prefix: {{ $storage.swift.prefix }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.authversion }}
|
||||
authversion: {{ $storage.swift.authversion }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.endpointtype }}
|
||||
endpointtype: {{ $storage.swift.endpointtype }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.tempurlcontainerkey }}
|
||||
tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.tempurlmethods }}
|
||||
tempurlmethods: {{ $storage.swift.tempurlmethods }}
|
||||
{{- end }}
|
||||
{{- else if eq $type "oss" }}
|
||||
oss:
|
||||
accesskeyid: {{ $storage.oss.accesskeyid }}
|
||||
region: {{ $storage.oss.region }}
|
||||
bucket: {{ $storage.oss.bucket }}
|
||||
{{- if $storage.oss.endpoint }}
|
||||
endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }}
|
||||
{{- end }}
|
||||
{{- if $storage.oss.internal }}
|
||||
internal: {{ $storage.oss.internal }}
|
||||
{{- end }}
|
||||
{{- if $storage.oss.encrypt }}
|
||||
encrypt: {{ $storage.oss.encrypt }}
|
||||
{{- end }}
|
||||
{{- if $storage.oss.secure }}
|
||||
secure: {{ $storage.oss.secure }}
|
||||
{{- end }}
|
||||
{{- if $storage.oss.chunksize }}
|
||||
chunksize: {{ $storage.oss.chunksize }}
|
||||
{{- end }}
|
||||
{{- if $storage.oss.rootdirectory }}
|
||||
rootdirectory: {{ $storage.oss.rootdirectory }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
cache:
|
||||
layerinfo: redis
|
||||
maintenance:
|
||||
uploadpurging:
|
||||
{{- if .Values.registry.upload_purging.enabled }}
|
||||
enabled: true
|
||||
age: {{ .Values.registry.upload_purging.age }}
|
||||
interval: {{ .Values.registry.upload_purging.interval }}
|
||||
dryrun: {{ .Values.registry.upload_purging.dryrun }}
|
||||
{{- else }}
|
||||
enabled: false
|
||||
{{- end }}
|
||||
delete:
|
||||
enabled: true
|
||||
redirect:
|
||||
disable: {{ $storage.disableredirect }}
|
||||
redis:
|
||||
addr: {{ template "harbor.redis.addr" . }}
|
||||
{{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }}
|
||||
sentinelMasterSet: {{ template "harbor.redis.masterSet" . }}
|
||||
{{- end }}
|
||||
db: {{ template "harbor.redis.dbForRegistry" . }}
|
||||
{{- if not (eq (include "harbor.redis.password" .) "") }}
|
||||
password: {{ template "harbor.redis.password" . }}
|
||||
{{- end }}
|
||||
readtimeout: 10s
|
||||
writetimeout: 10s
|
||||
dialtimeout: 10s
|
||||
pool:
|
||||
maxidle: 100
|
||||
maxactive: 500
|
||||
idletimeout: 60s
|
||||
http:
|
||||
addr: :{{ template "harbor.registry.containerPort" . }}
|
||||
relativeurls: {{ .Values.registry.relativeurls }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
tls:
|
||||
certificate: /etc/harbor/ssl/registry/tls.crt
|
||||
key: /etc/harbor/ssl/registry/tls.key
|
||||
minimumtls: tls1.2
|
||||
{{- end }}
|
||||
# set via environment variable
|
||||
# secret: placeholder
|
||||
debug:
|
||||
{{- if .Values.metrics.enabled}}
|
||||
addr: :{{ .Values.metrics.registry.port }}
|
||||
prometheus:
|
||||
enabled: true
|
||||
path: {{ .Values.metrics.registry.path }}
|
||||
{{- else }}
|
||||
addr: localhost:5001
|
||||
{{- end }}
|
||||
auth:
|
||||
htpasswd:
|
||||
realm: harbor-registry-basic-realm
|
||||
path: /etc/registry/passwd
|
||||
validation:
|
||||
disabled: true
|
||||
compatibility:
|
||||
schema1:
|
||||
enabled: true
|
||||
|
||||
{{- if .Values.registry.middleware.enabled }}
|
||||
{{- $middleware := .Values.registry.middleware }}
|
||||
{{- $middlewareType := $middleware.type }}
|
||||
{{- if eq $middlewareType "cloudFront" }}
|
||||
middleware:
|
||||
storage:
|
||||
- name: cloudfront
|
||||
options:
|
||||
baseurl: {{ $middleware.cloudFront.baseurl }}
|
||||
privatekey: /etc/registry/pk.pem
|
||||
keypairid: {{ $middleware.cloudFront.keypairid }}
|
||||
duration: {{ $middleware.cloudFront.duration }}
|
||||
ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ctl-config.yml: |+
|
||||
---
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
protocol: "https"
|
||||
port: 8443
|
||||
https_config:
|
||||
cert: "/etc/harbor/ssl/registry/tls.crt"
|
||||
key: "/etc/harbor/ssl/registry/tls.key"
|
||||
{{- else }}
|
||||
protocol: "http"
|
||||
port: 8080
|
||||
{{- end }}
|
||||
log_level: {{ .Values.logLevel }}
|
||||
registry_config: "/etc/registry/config.yml"
|
431
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-dpl.yaml
vendored
Normal file
431
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-dpl.yaml
vendored
Normal file
@ -0,0 +1,431 @@
|
||||
{{- $storage := .Values.persistence.imageChartStorage }}
|
||||
{{- $type := $storage.type }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: "{{ template "harbor.registry" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: registry
|
||||
app.kubernetes.io/component: registry
|
||||
spec:
|
||||
replicas: {{ .Values.registry.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
{{- if eq .Values.updateStrategy.type "Recreate" }}
|
||||
rollingUpdate: null
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: registry
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: registry
|
||||
app.kubernetes.io/component: registry
|
||||
{{- if .Values.registry.podLabels }}
|
||||
{{ toYaml .Values.registry.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }}
|
||||
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
|
||||
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.registry.podAnnotations }}
|
||||
{{ toYaml .Values.registry.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
{{- if .Values.registry.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.registry.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- with .Values.registry.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: registry
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.registry.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: registry
|
||||
image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.registry.containerPort" . }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.registry.containerPort" . }}
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
{{- if .Values.registry.registry.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.registry.registry.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
args: ["serve", "/etc/registry/config.yml"]
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.registry" . }}"
|
||||
{{- if .Values.persistence.imageChartStorage.s3.existingSecret }}
|
||||
- secretRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if .Values.registry.existingSecret }}
|
||||
- name: REGISTRY_HTTP_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.registry.existingSecret }}
|
||||
key: {{ .Values.registry.existingSecretKey }}
|
||||
{{- end }}
|
||||
{{- if has "registry" .Values.proxy.components }}
|
||||
- name: HTTP_PROXY
|
||||
value: "{{ .Values.proxy.httpProxy }}"
|
||||
- name: HTTPS_PROXY
|
||||
value: "{{ .Values.proxy.httpsProxy }}"
|
||||
- name: NO_PROXY
|
||||
value: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: INTERNAL_TLS_ENABLED
|
||||
value: "true"
|
||||
- name: INTERNAL_TLS_KEY_PATH
|
||||
value: /etc/harbor/ssl/registry/tls.key
|
||||
- name: INTERNAL_TLS_CERT_PATH
|
||||
value: /etc/harbor/ssl/registry/tls.crt
|
||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
||||
value: /etc/harbor/ssl/registry/ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.redis.external.existingSecret }}
|
||||
- name: REGISTRY_REDIS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.redis.external.existingSecret }}
|
||||
key: REDIS_PASSWORD
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.azure.existingSecret }}
|
||||
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
|
||||
key: AZURE_STORAGE_ACCESS_KEY
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
- name: REGISTRY_STORAGE_SWIFT_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
key: REGISTRY_STORAGE_SWIFT_PASSWORD
|
||||
- name: REGISTRY_STORAGE_SWIFT_SECRETKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
key: REGISTRY_STORAGE_SWIFT_SECRETKEY
|
||||
optional: true
|
||||
- name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
key: REGISTRY_STORAGE_SWIFT_ACCESSKEY
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.oss.existingSecret }}
|
||||
- name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }}
|
||||
key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
|
||||
optional: true
|
||||
{{- end}}
|
||||
{{- with .Values.registry.registry.extraEnvVars }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: {{ template "harbor.registry.containerPort" . }}
|
||||
- containerPort: {{ ternary .Values.metrics.registry.port 5001 .Values.metrics.enabled }}
|
||||
volumeMounts:
|
||||
- name: registry-data
|
||||
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
|
||||
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
|
||||
- name: registry-htpasswd
|
||||
mountPath: /etc/registry/passwd
|
||||
subPath: passwd
|
||||
- name: registry-config
|
||||
mountPath: /etc/registry/config.yml
|
||||
subPath: config.yml
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: registry-internal-certs
|
||||
mountPath: /etc/harbor/ssl/registry
|
||||
{{- end }}
|
||||
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }}
|
||||
- name: gcs-key
|
||||
mountPath: /etc/registry/gcs-key.json
|
||||
subPath: gcs-key.json
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
||||
- name: storage-service-ca
|
||||
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
|
||||
subPath: ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.registry.middleware.enabled }}
|
||||
{{- if eq .Values.registry.middleware.type "cloudFront" }}
|
||||
- name: cloudfront-key
|
||||
mountPath: /etc/registry/pk.pem
|
||||
subPath: pk.pem
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
- name: registryctl
|
||||
image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /api/health
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.registryctl.containerPort" . }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /api/health
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.registryctl.containerPort" . }}
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
{{- if .Values.registry.controller.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.registry.controller.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.registryCtl" . }}"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.registry" . }}"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.registryCtl" . }}"
|
||||
{{- if .Values.persistence.imageChartStorage.s3.existingSecret }}
|
||||
- secretRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if .Values.registry.existingSecret }}
|
||||
- name: REGISTRY_HTTP_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.registry.existingSecret }}
|
||||
key: {{ .Values.registry.existingSecretKey }}
|
||||
{{- end }}
|
||||
- name: CORE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
|
||||
key: secret
|
||||
- name: JOBSERVICE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
|
||||
{{- if .Values.jobservice.existingSecret }}
|
||||
key: {{ .Values.jobservice.existingSecretKey }}
|
||||
{{- else }}
|
||||
key: JOBSERVICE_SECRET
|
||||
{{- end }}
|
||||
{{- if has "registry" .Values.proxy.components }}
|
||||
- name: HTTP_PROXY
|
||||
value: "{{ .Values.proxy.httpProxy }}"
|
||||
- name: HTTPS_PROXY
|
||||
value: "{{ .Values.proxy.httpsProxy }}"
|
||||
- name: NO_PROXY
|
||||
value: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: INTERNAL_TLS_ENABLED
|
||||
value: "true"
|
||||
- name: INTERNAL_TLS_KEY_PATH
|
||||
value: /etc/harbor/ssl/registry/tls.key
|
||||
- name: INTERNAL_TLS_CERT_PATH
|
||||
value: /etc/harbor/ssl/registry/tls.crt
|
||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
||||
value: /etc/harbor/ssl/registry/ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.redis.external.existingSecret }}
|
||||
- name: REGISTRY_REDIS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.redis.external.existingSecret }}
|
||||
key: REDIS_PASSWORD
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.azure.existingSecret }}
|
||||
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
|
||||
key: AZURE_STORAGE_ACCESS_KEY
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
- name: REGISTRY_STORAGE_SWIFT_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
key: REGISTRY_STORAGE_SWIFT_PASSWORD
|
||||
- name: REGISTRY_STORAGE_SWIFT_SECRETKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
key: REGISTRY_STORAGE_SWIFT_SECRETKEY
|
||||
optional: true
|
||||
- name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
|
||||
key: REGISTRY_STORAGE_SWIFT_ACCESSKEY
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.oss.existingSecret }}
|
||||
- name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }}
|
||||
key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
|
||||
optional: true
|
||||
{{- end}}
|
||||
{{- with .Values.registry.controller.extraEnvVars }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: {{ template "harbor.registryctl.containerPort" . }}
|
||||
volumeMounts:
|
||||
- name: registry-data
|
||||
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
|
||||
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
|
||||
- name: registry-config
|
||||
mountPath: /etc/registry/config.yml
|
||||
subPath: config.yml
|
||||
- name: registry-config
|
||||
mountPath: /etc/registryctl/config.yml
|
||||
subPath: ctl-config.yml
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: registry-internal-certs
|
||||
mountPath: /etc/harbor/ssl/registry
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
||||
- name: storage-service-ca
|
||||
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
|
||||
subPath: ca.crt
|
||||
{{- end }}
|
||||
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
|
||||
- name: gcs-key
|
||||
mountPath: /etc/registry/gcs-key.json
|
||||
subPath: gcs-key.json
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: registry-htpasswd
|
||||
secret:
|
||||
{{- if not .Values.registry.credentials.existingSecret }}
|
||||
secretName: {{ template "harbor.registry" . }}-htpasswd
|
||||
{{ else }}
|
||||
secretName: {{ .Values.registry.credentials.existingSecret }}
|
||||
{{- end }}
|
||||
items:
|
||||
- key: REGISTRY_HTPASSWD
|
||||
path: passwd
|
||||
- name: registry-config
|
||||
configMap:
|
||||
name: "{{ template "harbor.registry" . }}"
|
||||
- name: registry-data
|
||||
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }}
|
||||
{{- else }}
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: registry-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.registry.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
|
||||
- name: gcs-key
|
||||
secret:
|
||||
{{- if and (eq $type "gcs") $storage.gcs.existingSecret }}
|
||||
secretName: {{ $storage.gcs.existingSecret }}
|
||||
{{- else }}
|
||||
secretName: {{ template "harbor.registry" . }}
|
||||
{{- end }}
|
||||
items:
|
||||
- key: GCS_KEY_DATA
|
||||
path: gcs-key.json
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
|
||||
- name: storage-service-ca
|
||||
secret:
|
||||
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
|
||||
{{- end }}
|
||||
{{- if .Values.registry.middleware.enabled }}
|
||||
{{- if eq .Values.registry.middleware.type "cloudFront" }}
|
||||
- name: cloudfront-key
|
||||
secret:
|
||||
secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }}
|
||||
items:
|
||||
- key: CLOUDFRONT_KEY_DATA
|
||||
path: pk.pem
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.registry.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.registry.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.registry.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.registry.priorityClassName }}
|
||||
priorityClassName: {{ .Values.registry.priorityClassName }}
|
||||
{{- end }}
|
33
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-pvc.yaml
vendored
Normal file
33
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-pvc.yaml
vendored
Normal file
@ -0,0 +1,33 @@
|
||||
{{- if .Values.persistence.enabled }}
|
||||
{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}}
|
||||
{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: {{ template "harbor.registry" . }}
|
||||
annotations:
|
||||
{{- range $key, $value := $registry.annotations }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.persistence.resourcePolicy "keep" }}
|
||||
helm.sh/resource-policy: keep
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: registry
|
||||
app.kubernetes.io/component: registry
|
||||
spec:
|
||||
accessModes:
|
||||
- {{ $registry.accessMode }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ $registry.size }}
|
||||
{{- if $registry.storageClass }}
|
||||
{{- if eq "-" $registry.storageClass }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: {{ $registry.storageClass }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
55
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-secret.yaml
vendored
Normal file
55
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-secret.yaml
vendored
Normal file
@ -0,0 +1,55 @@
|
||||
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.registry" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if not .Values.registry.existingSecret }}
|
||||
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.redis.external.existingSecret }}
|
||||
REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- $storage := .Values.persistence.imageChartStorage }}
|
||||
{{- $type := $storage.type }}
|
||||
{{- if and (eq $type "azure") (not $storage.azure.existingSecret) }}
|
||||
REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
|
||||
{{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }}
|
||||
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
|
||||
{{- else if eq $type "s3" }}
|
||||
{{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }}
|
||||
REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }}
|
||||
REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }}
|
||||
REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
|
||||
{{- if $storage.swift.secretkey }}
|
||||
REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if $storage.swift.accesskey }}
|
||||
REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }}
|
||||
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.registry.credentials.existingSecret }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.registry" . }}-htpasswd"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if .Values.registry.credentials.htpasswdString }}
|
||||
REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }}
|
||||
{{- else }}
|
||||
REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
20
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-svc.yaml
vendored
Normal file
20
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-svc.yaml
vendored
Normal file
@ -0,0 +1,20 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.registry" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }}
|
||||
port: {{ template "harbor.registry.servicePort" . }}
|
||||
|
||||
- name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }}
|
||||
port: {{ template "harbor.registryctl.servicePort" . }}
|
||||
{{- if .Values.metrics.enabled}}
|
||||
- name: {{ template "harbor.metricsPortName" . }}
|
||||
port: {{ .Values.metrics.registry.port }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: registry
|
15
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-tls.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema1/templates/registry/registry-tls.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
||||
tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }}
|
||||
tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
8
src/pkg/chart/testdata/harbor-schema1/templates/registry/registryctl-cm.yaml
vendored
Normal file
8
src/pkg/chart/testdata/harbor-schema1/templates/registry/registryctl-cm.yaml
vendored
Normal file
@ -0,0 +1,8 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.registryCtl" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
{{- template "harbor.traceEnvsForRegistryCtl" . }}
|
9
src/pkg/chart/testdata/harbor-schema1/templates/registry/registryctl-secret.yaml
vendored
Normal file
9
src/pkg/chart/testdata/harbor-schema1/templates/registry/registryctl-secret.yaml
vendored
Normal file
@ -0,0 +1,9 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.registryCtl" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- template "harbor.traceJaegerPassword" . }}
|
12
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-secret.yaml
vendored
Normal file
12
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-secret.yaml
vendored
Normal file
@ -0,0 +1,12 @@
|
||||
{{- if .Values.trivy.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "harbor.trivy" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }}
|
||||
gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
|
||||
{{- end }}
|
230
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-sts.yaml
vendored
Normal file
230
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-sts.yaml
vendored
Normal file
@ -0,0 +1,230 @@
|
||||
{{- if .Values.trivy.enabled }}
|
||||
{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }}
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ template "harbor.trivy" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: trivy
|
||||
app.kubernetes.io/component: trivy
|
||||
spec:
|
||||
replicas: {{ .Values.trivy.replicas }}
|
||||
serviceName: {{ template "harbor.trivy" . }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: trivy
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: trivy
|
||||
app.kubernetes.io/component: trivy
|
||||
{{- if .Values.trivy.podLabels }}
|
||||
{{ toYaml .Values.trivy.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.trivy.podAnnotations }}
|
||||
{{ toYaml .Values.trivy.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.trivy.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.trivy.serviceAccountName }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }}
|
||||
{{- with .Values.trivy.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: trivy
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.trivy.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: trivy
|
||||
image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if has "trivy" .Values.proxy.components }}
|
||||
- name: HTTP_PROXY
|
||||
value: "{{ .Values.proxy.httpProxy }}"
|
||||
- name: HTTPS_PROXY
|
||||
value: "{{ .Values.proxy.httpsProxy }}"
|
||||
- name: NO_PROXY
|
||||
value: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
- name: "SCANNER_LOG_LEVEL"
|
||||
value: {{ .Values.logLevel | quote }}
|
||||
- name: "SCANNER_TRIVY_CACHE_DIR"
|
||||
value: "/home/scanner/.cache/trivy"
|
||||
- name: "SCANNER_TRIVY_REPORTS_DIR"
|
||||
value: "/home/scanner/.cache/reports"
|
||||
- name: "SCANNER_TRIVY_DEBUG_MODE"
|
||||
value: {{ .Values.trivy.debugMode | quote }}
|
||||
- name: "SCANNER_TRIVY_VULN_TYPE"
|
||||
value: {{ .Values.trivy.vulnType | quote }}
|
||||
- name: "SCANNER_TRIVY_TIMEOUT"
|
||||
value: {{ .Values.trivy.timeout | quote }}
|
||||
- name: "SCANNER_TRIVY_GITHUB_TOKEN"
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ template "harbor.trivy" . }}
|
||||
key: gitHubToken
|
||||
- name: "SCANNER_TRIVY_SEVERITY"
|
||||
value: {{ .Values.trivy.severity | quote }}
|
||||
- name: "SCANNER_TRIVY_IGNORE_UNFIXED"
|
||||
value: {{ .Values.trivy.ignoreUnfixed | default false | quote }}
|
||||
- name: "SCANNER_TRIVY_SKIP_UPDATE"
|
||||
value: {{ .Values.trivy.skipUpdate | default false | quote }}
|
||||
- name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE"
|
||||
value: {{ .Values.trivy.skipJavaDBUpdate | default false | quote }}
|
||||
- name: "SCANNER_TRIVY_OFFLINE_SCAN"
|
||||
value: {{ .Values.trivy.offlineScan | default false | quote }}
|
||||
- name: "SCANNER_TRIVY_SECURITY_CHECKS"
|
||||
value: {{ .Values.trivy.securityCheck | quote }}
|
||||
- name: "SCANNER_TRIVY_INSECURE"
|
||||
value: {{ .Values.trivy.insecure | default false | quote }}
|
||||
- name: SCANNER_API_SERVER_ADDR
|
||||
value: ":{{ template "harbor.trivy.containerPort" . }}"
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: INTERNAL_TLS_ENABLED
|
||||
value: "true"
|
||||
- name: SCANNER_API_SERVER_TLS_KEY
|
||||
value: /etc/harbor/ssl/trivy/tls.key
|
||||
- name: SCANNER_API_SERVER_TLS_CERTIFICATE
|
||||
value: /etc/harbor/ssl/trivy/tls.crt
|
||||
{{- end }}
|
||||
- name: "SCANNER_REDIS_URL"
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ template "harbor.trivy" . }}
|
||||
key: redisURL
|
||||
- name: "SCANNER_STORE_REDIS_URL"
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ template "harbor.trivy" . }}
|
||||
key: redisURL
|
||||
- name: "SCANNER_JOB_QUEUE_REDIS_URL"
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ template "harbor.trivy" . }}
|
||||
key: redisURL
|
||||
{{- with .Values.trivy.extraEnvVars }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: api-server
|
||||
containerPort: {{ template "harbor.trivy.containerPort" . }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /home/scanner/.cache
|
||||
subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }}
|
||||
readOnly: false
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: trivy-internal-certs
|
||||
mountPath: /etc/harbor/ssl/trivy
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 10 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
path: /probe/healthy
|
||||
port: api-server
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
failureThreshold: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
path: /probe/ready
|
||||
port: api-server
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
failureThreshold: 3
|
||||
resources:
|
||||
{{ toYaml .Values.trivy.resources | indent 12 }}
|
||||
{{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}
|
||||
volumes:
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: trivy-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.trivy.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.persistence.enabled }}
|
||||
- name: "data"
|
||||
emptyDir: {}
|
||||
{{- else if $trivy.existingClaim }}
|
||||
- name: "data"
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ $trivy.existingClaim }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.trivy.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.trivy.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.trivy.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.trivy.priorityClassName }}
|
||||
priorityClassName: {{ .Values.trivy.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
labels:
|
||||
{{ include "harbor.legacy.labels" . | indent 8 }}
|
||||
annotations:
|
||||
{{- range $key, $value := $trivy.annotations }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes: [{{ $trivy.accessMode | quote }}]
|
||||
{{- if $trivy.storageClass }}
|
||||
{{- if (eq "-" $trivy.storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ $trivy.storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ $trivy.size | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
16
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-svc.yaml
vendored
Normal file
16
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-svc.yaml
vendored
Normal file
@ -0,0 +1,16 @@
|
||||
{{ if .Values.trivy.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.trivy" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }}
|
||||
protocol: TCP
|
||||
port: {{ template "harbor.trivy.servicePort" . }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: trivy
|
||||
{{ end }}
|
15
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-tls.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema1/templates/trivy/trivy-tls.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }}
|
||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
||||
tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }}
|
||||
tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
1058
src/pkg/chart/testdata/harbor-schema1/values.yaml
vendored
Normal file
1058
src/pkg/chart/testdata/harbor-schema1/values.yaml
vendored
Normal file
File diff suppressed because it is too large
Load Diff
6
src/pkg/chart/testdata/harbor-schema2/.helmignore
vendored
Normal file
6
src/pkg/chart/testdata/harbor-schema2/.helmignore
vendored
Normal file
@ -0,0 +1,6 @@
|
||||
.github/*
|
||||
docs/*
|
||||
.git/*
|
||||
.gitignore
|
||||
CONTRIBUTING.md
|
||||
test/*
|
34
src/pkg/chart/testdata/harbor-schema2/Chart.yaml
vendored
Normal file
34
src/pkg/chart/testdata/harbor-schema2/Chart.yaml
vendored
Normal file
@ -0,0 +1,34 @@
|
||||
apiVersion: v2
|
||||
appVersion: 2.11.0
|
||||
description: An open source trusted cloud native registry that stores, signs, and
|
||||
scans content
|
||||
home: https://goharbor.io
|
||||
icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png
|
||||
keywords:
|
||||
- docker
|
||||
- registry
|
||||
- harbor
|
||||
maintainers:
|
||||
- email: yan-yw.wang@broadcom.com
|
||||
name: Yan Wang
|
||||
- email: wenkai.yin@broadcom.com
|
||||
name: Wenkai Yin
|
||||
- email: miner.yang@broadcom.com
|
||||
name: Miner Yang
|
||||
- email: shengwen.yu@broadcom.com
|
||||
name: Shengwen Yu
|
||||
name: harbor
|
||||
sources:
|
||||
- https://github.com/goharbor/harbor
|
||||
- https://github.com/goharbor/harbor-helm
|
||||
version: 1.15.0
|
||||
# NOTICE: Harbor chart is not dependent on other charts. This is just a mock for UT coverage.
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
version: 1.0.0
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
condition: postgresql.enabled
|
||||
- name: redis
|
||||
version: 2.0.0
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
condition: redis.enabled
|
201
src/pkg/chart/testdata/harbor-schema2/LICENSE
vendored
Normal file
201
src/pkg/chart/testdata/harbor-schema2/LICENSE
vendored
Normal file
@ -0,0 +1,201 @@
|
||||
Apache License
|
||||
Version 2.0, January 2004
|
||||
http://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
APPENDIX: How to apply the Apache License to your work.
|
||||
|
||||
To apply the Apache License to your work, attach the following
|
||||
boilerplate notice, with the fields enclosed by brackets "[]"
|
||||
replaced with your own identifying information. (Don't include
|
||||
the brackets!) The text should be enclosed in the appropriate
|
||||
comment syntax for the file format. We also recommend that a
|
||||
file or class name and description of purpose be included on the
|
||||
same "printed page" as the copyright notice for easier
|
||||
identification within third-party archives.
|
||||
|
||||
Copyright [yyyy] [name of copyright owner]
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
422
src/pkg/chart/testdata/harbor-schema2/README.md
vendored
Normal file
422
src/pkg/chart/testdata/harbor-schema2/README.md
vendored
Normal file
@ -0,0 +1,422 @@
|
||||
# Helm Chart for Harbor
|
||||
|
||||
**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment.
|
||||
|
||||
This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor)
|
||||
|
||||
## Introduction
|
||||
|
||||
This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Kubernetes cluster 1.20+
|
||||
- Helm v3.2.0+
|
||||
|
||||
## Installation
|
||||
|
||||
### Add Helm repository
|
||||
|
||||
```bash
|
||||
helm repo add harbor https://helm.goharbor.io
|
||||
```
|
||||
|
||||
### Configure the chart
|
||||
|
||||
The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first).
|
||||
|
||||
#### Configure how to expose Harbor service
|
||||
|
||||
- **Ingress**: The ingress controller must be installed in the Kubernetes cluster.
|
||||
**Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details.
|
||||
- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
|
||||
- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
|
||||
- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer.
|
||||
|
||||
#### Configure the external URL
|
||||
|
||||
The external URL for Harbor core service is used to:
|
||||
|
||||
1. populate the docker/helm commands showed on portal
|
||||
2. populate the token service URL returned to docker client
|
||||
|
||||
Format: `protocol://domain[:port]`. Usually:
|
||||
|
||||
- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core`
|
||||
- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name`
|
||||
- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node
|
||||
- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider
|
||||
|
||||
If Harbor is deployed behind the proxy, set it as the URL of proxy.
|
||||
|
||||
#### Configure how to persist data
|
||||
|
||||
- **Disable**: The data does not survive the termination of a pod.
|
||||
- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use.
|
||||
- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`.
|
||||
|
||||
#### Configure the other items listed in [configuration](#configuration) section
|
||||
|
||||
### Install the chart
|
||||
|
||||
Install the Harbor helm chart with a release name `my-release`:
|
||||
```bash
|
||||
helm install my-release harbor/harbor
|
||||
```
|
||||
|
||||
## Uninstallation
|
||||
|
||||
To uninstall/delete the `my-release` deployment:
|
||||
```bash
|
||||
helm uninstall my-release
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
The following table lists the configurable parameters of the Harbor chart and the default values.
|
||||
|
||||
| Parameter | Description | Default |
|
||||
|-----------------------------------------------------------------------| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
|
||||
| **Expose** | | |
|
||||
| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` |
|
||||
| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` |
|
||||
| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` |
|
||||
| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | |
|
||||
| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | |
|
||||
| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
|
||||
| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` |
|
||||
| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | |
|
||||
| `expose.ingress.annotations` | The annotations used commonly for ingresses | |
|
||||
| `expose.ingress.labels` | The labels specific to ingress | {} |
|
||||
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
|
||||
| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} |
|
||||
| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
|
||||
| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` |
|
||||
| `expose.clusterIP.annotations` | The annotations used commonly for clusterIP | |
|
||||
| `expose.clusterIP.labels` | The labels specific to clusterIP | {} |
|
||||
| `expose.nodePort.name` | The name of NodePort service | `harbor` |
|
||||
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` |
|
||||
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` |
|
||||
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` |
|
||||
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` |
|
||||
| `expose.nodePort.annotations` | The annotations used commonly for nodePort | |
|
||||
| `expose.nodePort.labels` | The labels specific to nodePort | {} |
|
||||
| `expose.loadBalancer.name` | The name of service | `harbor` |
|
||||
| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` |
|
||||
| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
|
||||
| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` |
|
||||
| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} |
|
||||
| `expose.loadBalancer.labels` | The labels specific to loadBalancer | {} |
|
||||
| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] |
|
||||
| **Internal TLS** | | |
|
||||
| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` |
|
||||
| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false`
|
||||
| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` |
|
||||
| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | |
|
||||
| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
|
||||
| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | |
|
||||
| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | |
|
||||
| **IPFamily** | | |
|
||||
| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` |
|
||||
| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` |
|
||||
| **Persistence** | | |
|
||||
| `persistence.enabled` | Enable the data persistence or not | `true` |
|
||||
| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` |
|
||||
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
|
||||
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
|
||||
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | |
|
||||
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
|
||||
| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | |
|
||||
| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | |
|
||||
| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
|
||||
| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
|
||||
| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | |
|
||||
| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` |
|
||||
| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` |
|
||||
| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | |
|
||||
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` |
|
||||
| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | |
|
||||
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` |
|
||||
| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` |
|
||||
| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` |
|
||||
| **General** | | |
|
||||
| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
|
||||
| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | |
|
||||
| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | |
|
||||
| `imagePullPolicy` | The image pull policy | |
|
||||
| `imagePullSecrets` | The imagePullSecrets names for all deployments | |
|
||||
| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` |
|
||||
| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` |
|
||||
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
|
||||
| `existingSecretAdminPassword` | The name of secret where admin password can be found. | |
|
||||
| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` |
|
||||
| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | |
|
||||
| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
|
||||
| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` |
|
||||
| `proxy.httpProxy` | The URL of the HTTP proxy server | |
|
||||
| `proxy.httpsProxy` | The URL of the HTTPS proxy server | |
|
||||
| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal |
|
||||
| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy |
|
||||
| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` |
|
||||
| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | |
|
||||
| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` |
|
||||
| `nginx.image.tag` | Image tag | `dev` |
|
||||
| `nginx.replicas` | The replica count | `1` |
|
||||
| `nginx.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `nginx.resources` | The [resources] to allocate for container | undefined |
|
||||
| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `nginx.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `nginx.affinity` | Node/Pod affinities | `{}` |
|
||||
| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
|
||||
| `nginx.priorityClassName` | The priority class to run the pod as | |
|
||||
| **Portal** | | |
|
||||
| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` |
|
||||
| `portal.image.tag` | Tag for portal image | `dev` |
|
||||
| `portal.replicas` | The replica count | `1` |
|
||||
| `portal.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `portal.resources` | The [resources] to allocate for container | undefined |
|
||||
| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `portal.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `portal.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `portal.affinity` | Node/Pod affinities | `{}` |
|
||||
| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
|
||||
| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` |
|
||||
| `portal.priorityClassName` | The priority class to run the pod as | |
|
||||
| `portal.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Core** | | |
|
||||
| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` |
|
||||
| `core.image.tag` | Tag for Harbor core image | `dev` |
|
||||
| `core.replicas` | The replica count | `1` |
|
||||
| `core.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` |
|
||||
| `core.resources` | The [resources] to allocate for container | undefined |
|
||||
| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `core.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `core.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `core.affinity` | Node/Pod affinities | `{}` |
|
||||
| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
|
||||
| `core.serviceAnnotations` | Annotations to add to the core service | `{}` |
|
||||
| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | |
|
||||
| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` |
|
||||
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
|
||||
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | |
|
||||
| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | |
|
||||
| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | |
|
||||
| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
|
||||
| `core.priorityClassName` | The priority class to run the pod as | |
|
||||
| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | |
|
||||
| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` |
|
||||
| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` |
|
||||
| `core.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Jobservice** | | |
|
||||
| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` |
|
||||
| `jobservice.image.tag` | Tag for jobservice image | `dev` |
|
||||
| `jobservice.replicas` | The replica count | `1` |
|
||||
| `jobservice.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `jobservice.maxJobWorkers` | The max job workers | `10` |
|
||||
| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` |
|
||||
| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` |
|
||||
| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` |
|
||||
| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` |
|
||||
| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` |
|
||||
| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` |
|
||||
| `jobservice.resources` | The [resources] to allocate for container | undefined |
|
||||
| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `jobservice.affinity` | Node/Pod affinities | `{}` |
|
||||
| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
|
||||
| `jobservice.priorityClassName` | The priority class to run the pod as | |
|
||||
| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
|
||||
| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Registry** | | |
|
||||
| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
|
||||
| `registry.registry.image.tag` | Tag for registry image | `dev` |
|
||||
| `registry.registry.resources` | The [resources] to allocate for container | undefined |
|
||||
| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` |
|
||||
| `registry.controller.image.tag` | Tag for registry controller image | `dev` |
|
||||
| `registry.controller.resources` | The [resources] to allocate for container | undefined |
|
||||
| `registry.replicas` | The replica count | `1` |
|
||||
| `registry.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `registry.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `registry.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `registry.affinity` | Node/Pod affinities | `{}` |
|
||||
| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | |
|
||||
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
|
||||
| `registry.priorityClassName` | The priority class to run the pod as | |
|
||||
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
|
||||
| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` |
|
||||
| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` |
|
||||
| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` |
|
||||
| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined |
|
||||
| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` |
|
||||
| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` |
|
||||
| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` |
|
||||
| `registry.upload_purging.interval` | The interval of the purge operations | `24h` |
|
||||
| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` |
|
||||
| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **[Trivy][trivy]** | | |
|
||||
| `trivy.enabled` | The flag to enable Trivy scanner | `true` |
|
||||
| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` |
|
||||
| `trivy.image.tag` | Tag for Trivy adapter image | `dev` |
|
||||
| `trivy.resources` | The [resources] to allocate for Trivy adapter container | |
|
||||
| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `trivy.replicas` | The number of Pod replicas | `1` |
|
||||
| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` |
|
||||
| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` |
|
||||
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
|
||||
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
|
||||
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
|
||||
| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` |
|
||||
| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` |
|
||||
| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` |
|
||||
| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` |
|
||||
| `trivy.timeout` | The duration to wait for scan completion | `5m0s` |
|
||||
| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | |
|
||||
| `trivy.priorityClassName` | The priority class to run the pod as | |
|
||||
| `trivy.topologySpreadConstraints` | The priority class to run the pod as | |
|
||||
| `trivy.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
|
||||
| **Database** | | |
|
||||
| `database.type` | If external database is used, set it to `external` | `internal` |
|
||||
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
|
||||
| `database.internal.image.tag` | Tag for database image | `dev` |
|
||||
| `database.internal.password` | The password for database | `changeit` |
|
||||
| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
|
||||
| `database.internal.resources` | The [resources] to allocate for container | undefined |
|
||||
| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined |
|
||||
| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined |
|
||||
| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `database.internal.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `database.internal.affinity` | Node/Pod affinities | `{}` |
|
||||
| `database.internal.priorityClassName` | The priority class to run the pod as | |
|
||||
| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 |
|
||||
| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 |
|
||||
| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` |
|
||||
| `database.external.host` | The hostname of external database | `192.168.0.1` |
|
||||
| `database.external.port` | The port of external database | `5432` |
|
||||
| `database.external.username` | The username of external database | `user` |
|
||||
| `database.external.password` | The password of external database | `password` |
|
||||
| `database.external.coreDatabase` | The database used by core service | `registry` |
|
||||
| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` |
|
||||
| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
|
||||
| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` |
|
||||
| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` |
|
||||
| `database.podAnnotations` | Annotations to add to the database pod | `{}` |
|
||||
| **Redis** | | |
|
||||
| `redis.type` | If external redis is used, set it to `external` | `internal` |
|
||||
| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` |
|
||||
| `redis.internal.image.tag` | Tag for redis image | `dev` |
|
||||
| `redis.internal.resources` | The [resources] to allocate for container | undefined |
|
||||
| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `redis.internal.affinity` | Node/Pod affinities | `{}` |
|
||||
| `redis.internal.priorityClassName` | The priority class to run the pod as | |
|
||||
| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
|
||||
| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` |
|
||||
| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` |
|
||||
| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
|
||||
| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
|
||||
| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` |
|
||||
| `redis.external.addr` | The addr of external Redis: <host_redis>:<port_redis>. When using sentinel, it should be <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3> | `192.168.0.2:6379` |
|
||||
| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | |
|
||||
| `redis.external.coreDatabaseIndex` | The database index for core | `0` |
|
||||
| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
|
||||
| `redis.external.registryDatabaseIndex` | The database index for registry | `2` |
|
||||
| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` |
|
||||
| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
|
||||
| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
|
||||
| `redis.external.username` | The username of external Redis | |
|
||||
| `redis.external.password` | The password of external Redis | |
|
||||
| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` |
|
||||
| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
|
||||
| **Exporter** | | |
|
||||
| `exporter.replicas` | The replica count | `1` |
|
||||
| `exporter.revisionHistoryLimit` | The revision history limit | `10` |
|
||||
| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` |
|
||||
| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` |
|
||||
| `exporter.image.tag` | Tag for exporter image | `dev` |
|
||||
| `exporter.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `exporter.tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `exporter.affinity` | Node/Pod affinities | `{}` |
|
||||
| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
|
||||
| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
|
||||
| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` |
|
||||
| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` |
|
||||
| `exporter.priorityClassName` | The priority class to run the pod as | |
|
||||
| **Metrics** | | |
|
||||
| `metrics.enabled` | if enable harbor metrics | `false` |
|
||||
| `metrics.core.path` | the url path for core metrics | `/metrics` |
|
||||
| `metrics.core.port` | the port for core metrics | `8001` |
|
||||
| `metrics.registry.path` | the url path for registry metrics | `/metrics` |
|
||||
| `metrics.registry.port` | the port for registry metrics | `8001` |
|
||||
| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` |
|
||||
| `metrics.exporter.port` | the port for exporter metrics | `8001` |
|
||||
| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` |
|
||||
| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` |
|
||||
| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` |
|
||||
| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` |
|
||||
| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` |
|
||||
| **Trace** | | |
|
||||
| `trace.enabled` | Enable tracing or not | `false` |
|
||||
| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` |
|
||||
| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` |
|
||||
| `trace.namespace` | Namespace used to differentiate different harbor services | |
|
||||
| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | |
|
||||
| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` |
|
||||
| `trace.jaeger.username` | The username of jaeger | |
|
||||
| `trace.jaeger.password` | The password of jaeger | |
|
||||
| `trace.jaeger.agent_host` | The agent host of jaeger | |
|
||||
| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` |
|
||||
| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` |
|
||||
| `trace.otel.url_path` | The URL path of otel | `/v1/traces` |
|
||||
| `trace.otel.compression` | Whether enable compression or not for otel | `false` |
|
||||
| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` |
|
||||
| `trace.otel.timeout` | The timeout in seconds of otel | `10` |
|
||||
| **Cache** | | |
|
||||
| `cache.enabled` | Enable cache layer or not | `false` |
|
||||
| `cache.expireHours` | The expire hours of cache layer | `24` |
|
||||
|
||||
[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
[trivy]: https://github.com/aquasecurity/trivy
|
||||
[trivy-db]: https://github.com/aquasecurity/trivy-db
|
||||
[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db
|
||||
[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting
|
3
src/pkg/chart/testdata/harbor-schema2/templates/NOTES.txt
vendored
Normal file
3
src/pkg/chart/testdata/harbor-schema2/templates/NOTES.txt
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
Please wait for several minutes for Harbor deployment to complete.
|
||||
Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}
|
||||
For more details, please visit https://github.com/goharbor/harbor
|
581
src/pkg/chart/testdata/harbor-schema2/templates/_helpers.tpl
vendored
Normal file
581
src/pkg/chart/testdata/harbor-schema2/templates/_helpers.tpl
vendored
Normal file
@ -0,0 +1,581 @@
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "harbor.name" -}}
|
||||
{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "harbor.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default "harbor" .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* Helm required labels: legacy */}}
|
||||
{{- define "harbor.legacy.labels" -}}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
chart: {{ .Chart.Name }}
|
||||
app: "{{ template "harbor.name" . }}"
|
||||
{{- end -}}
|
||||
|
||||
{{/* Helm required labels */}}
|
||||
{{- define "harbor.labels" -}}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
chart: {{ .Chart.Name }}
|
||||
app: "{{ template "harbor.name" . }}"
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/name: {{ include "harbor.name" . }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/part-of: {{ include "harbor.name" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/* matchLabels */}}
|
||||
{{- define "harbor.matchLabels" -}}
|
||||
release: {{ .Release.Name }}
|
||||
app: "{{ template "harbor.name" . }}"
|
||||
{{- end -}}
|
||||
|
||||
{{/* Helper for printing values from existing secrets*/}}
|
||||
{{- define "harbor.secretKeyHelper" -}}
|
||||
{{- if and (not (empty .data)) (hasKey .data .key) }}
|
||||
{{- index .data .key | b64dec -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.autoGenCert" -}}
|
||||
{{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
|
||||
{{- printf "true" -}}
|
||||
{{- else -}}
|
||||
{{- printf "false" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.autoGenCertForIngress" -}}
|
||||
{{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}}
|
||||
{{- printf "true" -}}
|
||||
{{- else -}}
|
||||
{{- printf "false" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.autoGenCertForNginx" -}}
|
||||
{{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}}
|
||||
{{- printf "true" -}}
|
||||
{{- else -}}
|
||||
{{- printf "false" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.host" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- template "harbor.database" . }}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.host -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.port" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "5432" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.port -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.username" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "postgres" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.username -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.rawPassword" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}}
|
||||
{{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}}
|
||||
{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.internal.password -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.password -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.escapedRawPassword" -}}
|
||||
{{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.encryptedPassword" -}}
|
||||
{{- include "harbor.database.rawPassword" . | b64enc | quote -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.coreDatabase" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "registry" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.coreDatabase -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database.sslmode" -}}
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- printf "%s" "disable" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.database.external.sslmode -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.scheme" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*host:port*/
|
||||
{{- define "harbor.redis.addr" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.masterSet" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.password" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary "" .external.password (eq .type "internal") }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- define "harbor.redis.pwdfromsecret" -}}
|
||||
{{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.cred" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- if (and (eq .type "external" ) (.external.existingSecret)) }}
|
||||
{{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }}
|
||||
{{- else }}
|
||||
{{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]host:port[/master_set]*/
|
||||
{{- define "harbor.redis.url" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
|
||||
{{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForCore" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index*/
|
||||
{{- define "harbor.redis.urlForJobservice" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForRegistry" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForTrivy" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForHarbor" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/
|
||||
{{- define "harbor.redis.urlForCache" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }}
|
||||
{{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis.dbForRegistry" -}}
|
||||
{{- with .Values.redis }}
|
||||
{{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.portal" -}}
|
||||
{{- printf "%s-portal" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.core" -}}
|
||||
{{- printf "%s-core" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.redis" -}}
|
||||
{{- printf "%s-redis" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.jobservice" -}}
|
||||
{{- printf "%s-jobservice" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.registry" -}}
|
||||
{{- printf "%s-registry" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.registryCtl" -}}
|
||||
{{- printf "%s-registryctl" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.database" -}}
|
||||
{{- printf "%s-database" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.trivy" -}}
|
||||
{{- printf "%s-trivy" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.nginx" -}}
|
||||
{{- printf "%s-nginx" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.exporter" -}}
|
||||
{{- printf "%s-exporter" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.ingress" -}}
|
||||
{{- printf "%s-ingress" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.noProxy" -}}
|
||||
{{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.caBundleVolume" -}}
|
||||
- name: ca-bundle-certs
|
||||
secret:
|
||||
secretName: {{ .Values.caBundleSecretName }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.caBundleVolumeMount" -}}
|
||||
- name: ca-bundle-certs
|
||||
mountPath: /harbor_cust_cert/custom-ca.crt
|
||||
subPath: ca.crt
|
||||
{{- end -}}
|
||||
|
||||
{{/* scheme for all components because it only support http mode */}}
|
||||
{{- define "harbor.component.scheme" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "https" -}}
|
||||
{{- else -}}
|
||||
{{- printf "http" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* core component container port */}}
|
||||
{{- define "harbor.core.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* core component service port */}}
|
||||
{{- define "harbor.core.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "80" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* jobservice component container port */}}
|
||||
{{- define "harbor.jobservice.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* jobservice component service port */}}
|
||||
{{- define "harbor.jobservice.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "80" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* portal component container port */}}
|
||||
{{- define "harbor.portal.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* portal component service port */}}
|
||||
{{- define "harbor.portal.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "80" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registry component container port */}}
|
||||
{{- define "harbor.registry.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "5443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "5000" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registry component service port */}}
|
||||
{{- define "harbor.registry.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "5443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "5000" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registryctl component container port */}}
|
||||
{{- define "harbor.registryctl.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* registryctl component service port */}}
|
||||
{{- define "harbor.registryctl.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* trivy component container port */}}
|
||||
{{- define "harbor.trivy.containerPort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* trivy component service port */}}
|
||||
{{- define "harbor.trivy.servicePort" -}}
|
||||
{{- if .Values.internalTLS.enabled -}}
|
||||
{{- printf "8443" -}}
|
||||
{{- else -}}
|
||||
{{- printf "8080" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* CORE_URL */}}
|
||||
{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}}
|
||||
{{- define "harbor.coreURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* JOBSERVICE_URL */}}
|
||||
{{- define "harbor.jobserviceURL" -}}
|
||||
{{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* PORTAL_URL */}}
|
||||
{{- define "harbor.portalURL" -}}
|
||||
{{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* REGISTRY_URL */}}
|
||||
{{- define "harbor.registryURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* REGISTRY_CONTROLLER_URL */}}
|
||||
{{- define "harbor.registryControllerURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* TOKEN_SERVICE_URL */}}
|
||||
{{- define "harbor.tokenServiceURL" -}}
|
||||
{{- printf "%s/service/token" (include "harbor.coreURL" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* TRIVY_ADAPTER_URL */}}
|
||||
{{- define "harbor.trivyAdapterURL" -}}
|
||||
{{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.core.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.core.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.jobservice.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.jobservice.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.portal.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.portal.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.registry.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.registry.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.internalTLS.trivy.secretName" -}}
|
||||
{{- if eq .Values.internalTLS.certSource "secret" -}}
|
||||
{{- .Values.internalTLS.trivy.secretName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.tlsCoreSecretForIngress" -}}
|
||||
{{- if eq .Values.expose.tls.certSource "none" -}}
|
||||
{{- printf "" -}}
|
||||
{{- else if eq .Values.expose.tls.certSource "secret" -}}
|
||||
{{- .Values.expose.tls.secret.secretName -}}
|
||||
{{- else -}}
|
||||
{{- include "harbor.ingress" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.tlsSecretForNginx" -}}
|
||||
{{- if eq .Values.expose.tls.certSource "secret" -}}
|
||||
{{- .Values.expose.tls.secret.secretName -}}
|
||||
{{- else -}}
|
||||
{{- include "harbor.nginx" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.metricsPortName" -}}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
{{- printf "https-metrics" -}}
|
||||
{{- else -}}
|
||||
{{- printf "http-metrics" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvs" -}}
|
||||
TRACE_ENABLED: "{{ .Values.trace.enabled }}"
|
||||
TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}"
|
||||
TRACE_NAMESPACE: "{{ .Values.trace.namespace }}"
|
||||
{{- if .Values.trace.attributes }}
|
||||
TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.trace.provider "jaeger" }}
|
||||
TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}"
|
||||
TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}"
|
||||
TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}"
|
||||
TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}"
|
||||
{{- else }}
|
||||
TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}"
|
||||
TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}"
|
||||
TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}"
|
||||
TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}"
|
||||
TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}"
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvsForCore" -}}
|
||||
{{- if .Values.trace.enabled }}
|
||||
TRACE_SERVICE_NAME: "harbor-core"
|
||||
{{ include "harbor.traceEnvs" . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvsForJobservice" -}}
|
||||
{{- if .Values.trace.enabled }}
|
||||
TRACE_SERVICE_NAME: "harbor-jobservice"
|
||||
{{ include "harbor.traceEnvs" . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceEnvsForRegistryCtl" -}}
|
||||
{{- if .Values.trace.enabled }}
|
||||
TRACE_SERVICE_NAME: "harbor-registryctl"
|
||||
{{ include "harbor.traceEnvs" . }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "harbor.traceJaegerPassword" -}}
|
||||
{{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }}
|
||||
TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}"
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Allow KubeVersion to be overridden. */}}
|
||||
{{- define "harbor.ingress.kubeVersion" -}}
|
||||
{{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}}
|
||||
{{- end -}}
|
90
src/pkg/chart/testdata/harbor-schema2/templates/core/core-cm.yaml
vendored
Normal file
90
src/pkg/chart/testdata/harbor-schema2/templates/core/core-cm.yaml
vendored
Normal file
@ -0,0 +1,90 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
app.conf: |+
|
||||
appname = Harbor
|
||||
runmode = prod
|
||||
enablegzip = true
|
||||
|
||||
[prod]
|
||||
httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }}
|
||||
PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}"
|
||||
DATABASE_TYPE: "postgresql"
|
||||
POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
|
||||
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
|
||||
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
|
||||
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
|
||||
POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
|
||||
POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
|
||||
POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
|
||||
EXT_ENDPOINT: "{{ .Values.externalURL }}"
|
||||
CORE_URL: "{{ template "harbor.coreURL" . }}"
|
||||
JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}"
|
||||
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
|
||||
TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
|
||||
CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}"
|
||||
WITH_TRIVY: {{ .Values.trivy.enabled | quote }}
|
||||
TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}"
|
||||
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
|
||||
LOG_LEVEL: "{{ .Values.logLevel }}"
|
||||
CONFIG_PATH: "/etc/core/app.conf"
|
||||
CHART_CACHE_DRIVER: "redis"
|
||||
_REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
|
||||
_REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}"
|
||||
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }}
|
||||
_REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}"
|
||||
{{- end }}
|
||||
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
|
||||
_REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
|
||||
{{- end }}
|
||||
PORTAL_URL: "{{ template "harbor.portalURL" . }}"
|
||||
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
|
||||
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
|
||||
{{- if .Values.uaaSecretName }}
|
||||
UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt"
|
||||
{{- end }}
|
||||
{{- if has "core" .Values.proxy.components }}
|
||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory"
|
||||
{{- if .Values.metrics.enabled}}
|
||||
METRIC_ENABLE: "true"
|
||||
METRIC_PATH: "{{ .Values.metrics.core.path }}"
|
||||
METRIC_PORT: "{{ .Values.metrics.core.port }}"
|
||||
METRIC_NAMESPACE: harbor
|
||||
METRIC_SUBSYSTEM: core
|
||||
{{- end }}
|
||||
|
||||
{{- if hasKey .Values.core "gcTimeWindowHours" }}
|
||||
#make the GC time window configurable for testing
|
||||
GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}"
|
||||
{{- end }}
|
||||
{{- template "harbor.traceEnvsForCore" . }}
|
||||
|
||||
{{- if .Values.core.artifactPullAsyncFlushDuration }}
|
||||
ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.core.gdpr}}
|
||||
{{- if .Values.core.gdpr.deleteUser}}
|
||||
GDPR_DELETE_USER: "true"
|
||||
{{- end }}
|
||||
{{- if .Values.core.gdpr.auditLogsCompliant}}
|
||||
GDPR_AUDIT_LOGS: "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.cache.enabled }}
|
||||
CACHE_ENABLED: "true"
|
||||
CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.core.quotaUpdateProvider }}
|
||||
QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}"
|
||||
{{- end }}
|
257
src/pkg/chart/testdata/harbor-schema2/templates/core/core-dpl.yaml
vendored
Normal file
257
src/pkg/chart/testdata/harbor-schema2/templates/core/core-dpl.yaml
vendored
Normal file
@ -0,0 +1,257 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: core
|
||||
app.kubernetes.io/component: core
|
||||
spec:
|
||||
replicas: {{ .Values.core.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: core
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: core
|
||||
app.kubernetes.io/component: core
|
||||
{{- if .Values.core.podLabels }}
|
||||
{{ toYaml .Values.core.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
|
||||
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.podAnnotations }}
|
||||
{{ toYaml .Values.core.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.core.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.core.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- with .Values.core.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: core
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: core
|
||||
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if .Values.core.startupProbe.enabled }}
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /api/v2.0/ping
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.core.containerPort" . }}
|
||||
failureThreshold: 360
|
||||
initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }}
|
||||
periodSeconds: 10
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /api/v2.0/ping
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.core.containerPort" . }}
|
||||
failureThreshold: 2
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /api/v2.0/ping
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.core.containerPort" . }}
|
||||
failureThreshold: 2
|
||||
periodSeconds: 10
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
env:
|
||||
- name: CORE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
|
||||
key: secret
|
||||
- name: JOBSERVICE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
|
||||
{{- if .Values.jobservice.existingSecret }}
|
||||
key: {{ .Values.jobservice.existingSecretKey }}
|
||||
{{- else }}
|
||||
key: JOBSERVICE_SECRET
|
||||
{{- end }}
|
||||
{{- if .Values.existingSecretAdminPassword }}
|
||||
- name: HARBOR_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.existingSecretAdminPassword }}
|
||||
key: {{ .Values.existingSecretAdminPasswordKey }}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: INTERNAL_TLS_ENABLED
|
||||
value: "true"
|
||||
- name: INTERNAL_TLS_KEY_PATH
|
||||
value: /etc/harbor/ssl/core/tls.key
|
||||
- name: INTERNAL_TLS_CERT_PATH
|
||||
value: /etc/harbor/ssl/core/tls.crt
|
||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
||||
value: /etc/harbor/ssl/core/ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.database.external.existingSecret }}
|
||||
- name: POSTGRESQL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.database.external.existingSecret }}
|
||||
key: password
|
||||
{{- end }}
|
||||
{{- if .Values.registry.credentials.existingSecret }}
|
||||
- name: REGISTRY_CREDENTIAL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.registry.credentials.existingSecret }}
|
||||
key: REGISTRY_PASSWD
|
||||
{{- end }}
|
||||
{{- if .Values.core.existingXsrfSecret }}
|
||||
- name: CSRF_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.core.existingXsrfSecret }}
|
||||
key: {{ .Values.core.existingXsrfSecretKey }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.extraEnvVars }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: {{ template "harbor.core.containerPort" . }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/core/app.conf
|
||||
subPath: app.conf
|
||||
- name: secret-key
|
||||
mountPath: /etc/core/key
|
||||
subPath: key
|
||||
- name: token-service-private-key
|
||||
mountPath: /etc/core/private_key.pem
|
||||
subPath: tls.key
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: ca-download
|
||||
mountPath: /etc/core/ca
|
||||
{{- end }}
|
||||
{{- if .Values.uaaSecretName }}
|
||||
- name: auth-ca-cert
|
||||
mountPath: /etc/core/auth-ca/auth-ca.crt
|
||||
subPath: auth-ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
mountPath: /etc/harbor/ssl/core
|
||||
{{- end }}
|
||||
- name: psc
|
||||
mountPath: /etc/core/token
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.core.resources | indent 10 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ template "harbor.core" . }}
|
||||
items:
|
||||
- key: app.conf
|
||||
path: app.conf
|
||||
- name: secret-key
|
||||
secret:
|
||||
{{- if .Values.existingSecretSecretKey }}
|
||||
secretName: {{ .Values.existingSecretSecretKey }}
|
||||
{{- else }}
|
||||
secretName: {{ template "harbor.core" . }}
|
||||
{{- end }}
|
||||
items:
|
||||
- key: secretKey
|
||||
path: key
|
||||
- name: token-service-private-key
|
||||
secret:
|
||||
{{- if .Values.core.secretName }}
|
||||
secretName: {{ .Values.core.secretName }}
|
||||
{{- else }}
|
||||
secretName: {{ template "harbor.core" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: ca-download
|
||||
secret:
|
||||
{{- if .Values.caSecretName }}
|
||||
secretName: {{ .Values.caSecretName }}
|
||||
{{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }}
|
||||
secretName: "{{ template "harbor.ingress" . }}"
|
||||
{{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
||||
secretName: {{ template "harbor.tlsSecretForNginx" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.uaaSecretName }}
|
||||
- name: auth-ca-cert
|
||||
secret:
|
||||
secretName: {{ .Values.uaaSecretName }}
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: auth-ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.core.secretName" . }}
|
||||
{{- end }}
|
||||
- name: psc
|
||||
emptyDir: {}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.priorityClassName }}
|
||||
priorityClassName: {{ .Values.core.priorityClassName }}
|
||||
{{- end }}
|
77
src/pkg/chart/testdata/harbor-schema2/templates/core/core-pre-upgrade-job.yaml
vendored
Normal file
77
src/pkg/chart/testdata/harbor-schema2/templates/core/core-pre-upgrade-job.yaml
vendored
Normal file
@ -0,0 +1,77 @@
|
||||
{{- if .Values.enableMigrateHelmHook }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: migration-job
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: migrator
|
||||
annotations:
|
||||
# This is what defines this resource as a hook. Without this line, the
|
||||
# job is considered part of the release.
|
||||
"helm.sh/hook": pre-upgrade
|
||||
"helm.sh/hook-weight": "-5"
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.matchLabels" . | indent 8 }}
|
||||
component: migrator
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.core.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.core.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
containers:
|
||||
- name: core-job
|
||||
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
command: ["/harbor/harbor_core", "-mode=migrate"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.core" . }}"
|
||||
{{- if .Values.database.external.existingSecret }}
|
||||
env:
|
||||
- name: POSTGRESQL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.database.external.existingSecret }}
|
||||
key: password
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/core/app.conf
|
||||
subPath: app.conf
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ template "harbor.core" . }}
|
||||
items:
|
||||
- key: app.conf
|
||||
path: app.conf
|
||||
{{- with .Values.core.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.core.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
36
src/pkg/chart/testdata/harbor-schema2/templates/core/core-secret.yaml
vendored
Normal file
36
src/pkg/chart/testdata/harbor-schema2/templates/core/core-secret.yaml
vendored
Normal file
@ -0,0 +1,36 @@
|
||||
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if not .Values.existingSecretSecretKey }}
|
||||
secretKey: {{ .Values.secretKey | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.core.existingSecret }}
|
||||
secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.core.secretName }}
|
||||
{{- $ca := genCA "harbor-token-ca" 365 }}
|
||||
tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
|
||||
tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.existingSecretAdminPassword }}
|
||||
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.database.external.existingSecret }}
|
||||
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
||||
{{- end }}
|
||||
{{- if not .Values.registry.credentials.existingSecret }}
|
||||
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.core.existingXsrfSecret }}
|
||||
CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.configureUserSettings }}
|
||||
CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- template "harbor.traceJaegerPassword" . }}
|
25
src/pkg/chart/testdata/harbor-schema2/templates/core/core-svc.yaml
vendored
Normal file
25
src/pkg/chart/testdata/harbor-schema2/templates/core/core-svc.yaml
vendored
Normal file
@ -0,0 +1,25 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "harbor.core" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- with .Values.core.serviceAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }}
|
||||
type: NodePort
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }}
|
||||
port: {{ template "harbor.core.servicePort" . }}
|
||||
targetPort: {{ template "harbor.core.containerPort" . }}
|
||||
{{- if .Values.metrics.enabled}}
|
||||
- name: {{ template "harbor.metricsPortName" . }}
|
||||
port: {{ .Values.metrics.core.port }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: core
|
15
src/pkg/chart/testdata/harbor-schema2/templates/core/core-tls.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema2/templates/core/core-tls.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
||||
tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }}
|
||||
tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
11
src/pkg/chart/testdata/harbor-schema2/templates/database/database-secret.yaml
vendored
Normal file
11
src/pkg/chart/testdata/harbor-schema2/templates/database/database-secret.yaml
vendored
Normal file
@ -0,0 +1,11 @@
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
||||
{{- end -}}
|
162
src/pkg/chart/testdata/harbor-schema2/templates/database/database-ss.yaml
vendored
Normal file
162
src/pkg/chart/testdata/harbor-schema2/templates/database/database-ss.yaml
vendored
Normal file
@ -0,0 +1,162 @@
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
{{- $database := .Values.persistence.persistentVolumeClaim.database -}}
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: database
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
replicas: 1
|
||||
serviceName: "{{ template "harbor.database" . }}"
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: database
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: database
|
||||
app.kubernetes.io/component: database
|
||||
{{- if .Values.database.podLabels }}
|
||||
{{ toYaml .Values.database.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }}
|
||||
{{- if .Values.database.podAnnotations }}
|
||||
{{ toYaml .Values.database.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 999
|
||||
fsGroup: 999
|
||||
{{- if .Values.database.internal.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.database.internal.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
initContainers:
|
||||
# with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume
|
||||
# this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph
|
||||
# use this init container to correct the permission
|
||||
# as "fsGroup" applied before the init container running, the container has enough permission to execute the command
|
||||
- name: "data-permissions-ensurer"
|
||||
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
command: ["/bin/sh"]
|
||||
args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
|
||||
{{- if .Values.database.internal.initContainer.permissions.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: database-data
|
||||
mountPath: /var/lib/postgresql/data
|
||||
subPath: {{ $database.subPath }}
|
||||
{{- with .Values.database.internal.extrInitContainers }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: database
|
||||
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /docker-healthcheck.sh
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }}
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /docker-healthcheck.sh
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }}
|
||||
{{- if .Values.database.internal.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.database.internal.resources | indent 10 }}
|
||||
{{- end }}
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
env:
|
||||
# put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
|
||||
# more detail refer to https://github.com/goharbor/harbor-helm/issues/756
|
||||
- name: PGDATA
|
||||
value: "/var/lib/postgresql/data/pgdata"
|
||||
{{- with .Values.database.internal.extraEnvVars }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: database-data
|
||||
mountPath: /var/lib/postgresql/data
|
||||
subPath: {{ $database.subPath }}
|
||||
- name: shm-volume
|
||||
mountPath: /dev/shm
|
||||
volumes:
|
||||
- name: shm-volume
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
sizeLimit: {{ .Values.database.internal.shmSizeLimit }}
|
||||
{{- if not .Values.persistence.enabled }}
|
||||
- name: "database-data"
|
||||
emptyDir: {}
|
||||
{{- else if $database.existingClaim }}
|
||||
- name: "database-data"
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ $database.existingClaim }}
|
||||
{{- end -}}
|
||||
{{- with .Values.database.internal.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.database.internal.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.database.internal.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.database.internal.priorityClassName }}
|
||||
priorityClassName: {{ .Values.database.internal.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if and .Values.persistence.enabled (not $database.existingClaim) }}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: "database-data"
|
||||
labels:
|
||||
{{ include "harbor.legacy.labels" . | indent 8 }}
|
||||
annotations:
|
||||
{{- range $key, $value := $database.annotations }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes: [{{ $database.accessMode | quote }}]
|
||||
{{- if $database.storageClass }}
|
||||
{{- if (eq "-" $database.storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ $database.storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ $database.size | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
14
src/pkg/chart/testdata/harbor-schema2/templates/database/database-svc.yaml
vendored
Normal file
14
src/pkg/chart/testdata/harbor-schema2/templates/database/database-svc.yaml
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
{{- if eq .Values.database.type "internal" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.database" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 5432
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: database
|
||||
{{- end -}}
|
35
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-cm-env.yaml
vendored
Normal file
35
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-cm-env.yaml
vendored
Normal file
@ -0,0 +1,35 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.exporter" . }}-env"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
{{- if has "jobservice" .Values.proxy.components }}
|
||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
LOG_LEVEL: "{{ .Values.logLevel }}"
|
||||
HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}"
|
||||
HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}"
|
||||
HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}"
|
||||
HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}"
|
||||
HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}"
|
||||
HARBOR_METRIC_NAMESPACE: harbor
|
||||
HARBOR_METRIC_SUBSYSTEM: exporter
|
||||
HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}"
|
||||
HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace
|
||||
HARBOR_REDIS_TIMEOUT: "3600"
|
||||
HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}"
|
||||
HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}"
|
||||
HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}"
|
||||
HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}"
|
||||
HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}"
|
||||
HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}"
|
||||
HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}"
|
||||
HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
|
||||
HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
|
||||
HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
|
||||
{{- end}}
|
146
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-dpl.yaml
vendored
Normal file
146
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-dpl.yaml
vendored
Normal file
@ -0,0 +1,146 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "harbor.exporter" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: exporter
|
||||
app.kubernetes.io/component: exporter
|
||||
spec:
|
||||
replicas: {{ .Values.exporter.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: exporter
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: exporter
|
||||
app.kubernetes.io/component: exporter
|
||||
{{- if .Values.exporter.podLabels }}
|
||||
{{ toYaml .Values.exporter.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/exporter/exporter-cm-env.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/exporter/exporter-secret.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.exporter.podAnnotations }}
|
||||
{{ toYaml .Values.exporter.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.exporter.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.exporter.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }}
|
||||
{{- with .Values.exporter.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: exporter
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: exporter
|
||||
image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: {{ .Values.metrics.exporter.port }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: {{ .Values.metrics.exporter.port }}
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
args: ["-log-level", "{{ .Values.logLevel }}"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.exporter" . }}-env"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.exporter" . }}"
|
||||
env:
|
||||
{{- if .Values.database.external.existingSecret }}
|
||||
- name: HARBOR_DATABASE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.database.external.existingSecret }}
|
||||
key: password
|
||||
{{- end }}
|
||||
{{- if .Values.existingSecretAdminPassword }}
|
||||
- name: HARBOR_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.existingSecretAdminPassword }}
|
||||
key: {{ .Values.existingSecretAdminPasswordKey }}
|
||||
{{- end }}
|
||||
{{- if .Values.exporter.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.exporter.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.extraEnvVars }}
|
||||
env:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: {{ .Values.metrics.exporter.port }}
|
||||
volumeMounts:
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
mountPath: /etc/harbor/ssl/core
|
||||
# There are some metric data are collectd from harbor core.
|
||||
# When internal TLS is enabled, the Exporter need the CA file to collect these data.
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
secret:
|
||||
secretName: "{{ template "harbor.exporter" . }}"
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: core-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.core.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.exporter.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.exporter.priorityClassName }}
|
||||
priorityClassName: {{ .Values.exporter.priorityClassName }}
|
||||
{{- end }}
|
||||
{{ end }}
|
16
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-secret.yaml
vendored
Normal file
16
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-secret.yaml
vendored
Normal file
@ -0,0 +1,16 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "harbor.exporter" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if not .Values.existingSecretAdminPassword }}
|
||||
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.database.external.existingSecret }}
|
||||
HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
15
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-svc.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema2/templates/exporter/exporter-svc.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if .Values.metrics.enabled}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.exporter" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- name: {{ template "harbor.metricsPortName" . }}
|
||||
port: {{ .Values.metrics.exporter.port }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: exporter
|
||||
{{ end }}
|
142
src/pkg/chart/testdata/harbor-schema2/templates/ingress/ingress.yaml
vendored
Normal file
142
src/pkg/chart/testdata/harbor-schema2/templates/ingress/ingress.yaml
vendored
Normal file
@ -0,0 +1,142 @@
|
||||
{{- if eq .Values.expose.type "ingress" }}
|
||||
{{- $ingress := .Values.expose.ingress -}}
|
||||
{{- $tls := .Values.expose.tls -}}
|
||||
{{- if eq .Values.expose.ingress.controller "gce" }}
|
||||
{{- $_ := set . "portal_path" "/*" -}}
|
||||
{{- $_ := set . "api_path" "/api/*" -}}
|
||||
{{- $_ := set . "service_path" "/service/*" -}}
|
||||
{{- $_ := set . "v2_path" "/v2/*" -}}
|
||||
{{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
|
||||
{{- $_ := set . "controller_path" "/c/*" -}}
|
||||
{{- else if eq .Values.expose.ingress.controller "ncp" }}
|
||||
{{- $_ := set . "portal_path" "/.*" -}}
|
||||
{{- $_ := set . "api_path" "/api/.*" -}}
|
||||
{{- $_ := set . "service_path" "/service/.*" -}}
|
||||
{{- $_ := set . "v2_path" "/v2/.*" -}}
|
||||
{{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
|
||||
{{- $_ := set . "controller_path" "/c/.*" -}}
|
||||
{{- else }}
|
||||
{{- $_ := set . "portal_path" "/" -}}
|
||||
{{- $_ := set . "api_path" "/api/" -}}
|
||||
{{- $_ := set . "service_path" "/service/" -}}
|
||||
{{- $_ := set . "v2_path" "/v2/" -}}
|
||||
{{- $_ := set . "chartrepo_path" "/chartrepo/" -}}
|
||||
{{- $_ := set . "controller_path" "/c/" -}}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }}
|
||||
apiVersion: extensions/v1beta1
|
||||
{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
{{- else }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
{{- end }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: "{{ template "harbor.ingress" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if $ingress.labels }}
|
||||
{{ toYaml $ingress.labels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ toYaml $ingress.annotations | indent 4 }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
{{- end }}
|
||||
{{- if eq .Values.expose.ingress.controller "ncp" }}
|
||||
ncp/use-regex: "true"
|
||||
{{- if $tls.enabled }}
|
||||
ncp/http-redirect: "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if $ingress.className }}
|
||||
ingressClassName: {{ $ingress.className }}
|
||||
{{- end }}
|
||||
{{- if $tls.enabled }}
|
||||
tls:
|
||||
- secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
|
||||
{{- if $ingress.hosts.core }}
|
||||
hosts:
|
||||
- {{ $ingress.hosts.core }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- http:
|
||||
paths:
|
||||
{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
|
||||
- path: {{ .api_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .service_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .v2_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .chartrepo_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .controller_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.core" . }}
|
||||
servicePort: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .portal_path }}
|
||||
backend:
|
||||
serviceName: {{ template "harbor.portal" . }}
|
||||
servicePort: {{ template "harbor.portal.servicePort" . }}
|
||||
{{- else }}
|
||||
- path: {{ .api_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .service_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .v2_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .chartrepo_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .controller_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.core" . }}
|
||||
port:
|
||||
number: {{ template "harbor.core.servicePort" . }}
|
||||
- path: {{ .portal_path }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ template "harbor.portal" . }}
|
||||
port:
|
||||
number: {{ template "harbor.portal.servicePort" . }}
|
||||
{{- end }}
|
||||
{{- if $ingress.hosts.core }}
|
||||
host: {{ $ingress.hosts.core }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
15
src/pkg/chart/testdata/harbor-schema2/templates/ingress/secret.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema2/templates/ingress/secret.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
|
||||
{{- $ca := genCA "harbor-ca" 365 }}
|
||||
{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.ingress" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
81
src/pkg/chart/testdata/harbor-schema2/templates/internal/auto-tls.yaml
vendored
Normal file
81
src/pkg/chart/testdata/harbor-schema2/templates/internal/auto-tls.yaml
vendored
Normal file
@ -0,0 +1,81 @@
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
{{- $ca := genCA "harbor-internal-ca" 365 }}
|
||||
{{- $coreCN := (include "harbor.core" .) }}
|
||||
{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }}
|
||||
{{- $jsCN := (include "harbor.jobservice" .) }}
|
||||
{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }}
|
||||
{{- $regCN := (include "harbor.registry" .) }}
|
||||
{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }}
|
||||
{{- $portalCN := (include "harbor.portal" .) }}
|
||||
{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.core.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $coreCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $coreCrt.Key | b64enc | quote }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $jsCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $jsCrt.Key | b64enc | quote }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $regCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $regCrt.Key | b64enc | quote }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $portalCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $portalCrt.Key | b64enc | quote }}
|
||||
|
||||
{{- if and .Values.trivy.enabled}}
|
||||
---
|
||||
{{- $trivyCN := (include "harbor.trivy" .) }}
|
||||
{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
tls.crt: {{ $trivyCrt.Cert | b64enc | quote }}
|
||||
tls.key: {{ $trivyCrt.Key | b64enc | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
34
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-cm-env.yaml
vendored
Normal file
34
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-cm-env.yaml
vendored
Normal file
@ -0,0 +1,34 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}-env"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
CORE_URL: "{{ template "harbor.coreURL" . }}"
|
||||
TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
|
||||
REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
|
||||
REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
|
||||
REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
|
||||
|
||||
JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}"
|
||||
JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}"
|
||||
|
||||
{{- if has "jobservice" .Values.proxy.components }}
|
||||
HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
|
||||
HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
|
||||
NO_PROXY: "{{ template "harbor.noProxy" . }}"
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled}}
|
||||
METRIC_NAMESPACE: harbor
|
||||
METRIC_SUBSYSTEM: jobservice
|
||||
{{- end }}
|
||||
{{- template "harbor.traceEnvsForJobservice" . }}
|
||||
{{- if .Values.cache.enabled }}
|
||||
_REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
|
||||
CACHE_ENABLED: "true"
|
||||
CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
|
||||
{{- end }}
|
||||
{{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
|
||||
_REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
|
||||
{{- end }}
|
57
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-cm.yaml
vendored
Normal file
57
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-cm.yaml
vendored
Normal file
@ -0,0 +1,57 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
config.yml: |+
|
||||
#Server listening port
|
||||
protocol: "{{ template "harbor.component.scheme" . }}"
|
||||
port: {{ template "harbor.jobservice.containerPort". }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
https_config:
|
||||
cert: "/etc/harbor/ssl/jobservice/tls.crt"
|
||||
key: "/etc/harbor/ssl/jobservice/tls.key"
|
||||
{{- end }}
|
||||
worker_pool:
|
||||
workers: {{ .Values.jobservice.maxJobWorkers }}
|
||||
backend: "redis"
|
||||
redis_pool:
|
||||
redis_url: "{{ template "harbor.redis.urlForJobservice" . }}"
|
||||
namespace: "harbor_job_service_namespace"
|
||||
idle_timeout_second: 3600
|
||||
job_loggers:
|
||||
{{- if has "file" .Values.jobservice.jobLoggers }}
|
||||
- name: "FILE"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
settings: # Customized settings of logger
|
||||
base_dir: "/var/log/jobs"
|
||||
sweeper:
|
||||
duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
|
||||
settings: # Customized settings of sweeper
|
||||
work_dir: "/var/log/jobs"
|
||||
{{- end }}
|
||||
{{- if has "database" .Values.jobservice.jobLoggers }}
|
||||
- name: "DB"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
sweeper:
|
||||
duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
|
||||
{{- end }}
|
||||
{{- if has "stdout" .Values.jobservice.jobLoggers }}
|
||||
- name: "STD_OUTPUT"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
{{- end }}
|
||||
metric:
|
||||
enabled: {{ .Values.metrics.enabled }}
|
||||
path: {{ .Values.metrics.jobservice.path }}
|
||||
port: {{ .Values.metrics.jobservice.port }}
|
||||
#Loggers for the job service
|
||||
loggers:
|
||||
- name: "STD_OUTPUT"
|
||||
level: {{ .Values.logLevel | upper }}
|
||||
reaper:
|
||||
# the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
|
||||
max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }}
|
||||
# the max time for execution in running state without new task created
|
||||
max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }}
|
182
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-dpl.yaml
vendored
Normal file
182
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-dpl.yaml
vendored
Normal file
@ -0,0 +1,182 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: jobservice
|
||||
app.kubernetes.io/component: jobservice
|
||||
spec:
|
||||
replicas: {{ .Values.jobservice.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
{{- if eq .Values.updateStrategy.type "Recreate" }}
|
||||
rollingUpdate: null
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: jobservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: jobservice
|
||||
app.kubernetes.io/component: jobservice
|
||||
{{- if .Values.jobservice.podLabels }}
|
||||
{{ toYaml .Values.jobservice.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
|
||||
checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
|
||||
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
|
||||
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
|
||||
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
|
||||
checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.jobservice.podAnnotations }}
|
||||
{{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- if .Values.jobservice.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
|
||||
{{- end -}}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- with .Values.jobservice.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: jobservice
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: jobservice
|
||||
image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /api/v1/stats
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.jobservice.containerPort" . }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /api/v1/stats
|
||||
scheme: {{ include "harbor.component.scheme" . | upper }}
|
||||
port: {{ template "harbor.jobservice.containerPort" . }}
|
||||
initialDelaySeconds: 20
|
||||
periodSeconds: 10
|
||||
{{- if .Values.jobservice.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.jobservice.resources | indent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: CORE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
|
||||
key: secret
|
||||
{{- if .Values.jobservice.existingSecret }}
|
||||
- name: JOBSERVICE_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.jobservice.existingSecret }}
|
||||
key: {{ .Values.jobservice.existingSecretKey }}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: INTERNAL_TLS_ENABLED
|
||||
value: "true"
|
||||
- name: INTERNAL_TLS_KEY_PATH
|
||||
value: /etc/harbor/ssl/jobservice/tls.key
|
||||
- name: INTERNAL_TLS_CERT_PATH
|
||||
value: /etc/harbor/ssl/jobservice/tls.crt
|
||||
- name: INTERNAL_TLS_TRUST_CA_PATH
|
||||
value: /etc/harbor/ssl/jobservice/ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.registry.credentials.existingSecret }}
|
||||
- name: REGISTRY_CREDENTIAL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.registry.credentials.existingSecret }}
|
||||
key: REGISTRY_PASSWD
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.extraEnvVars }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ template "harbor.jobservice" . }}-env"
|
||||
- secretRef:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
ports:
|
||||
- containerPort: {{ template "harbor.jobservice.containerPort" . }}
|
||||
volumeMounts:
|
||||
- name: jobservice-config
|
||||
mountPath: /etc/jobservice/config.yml
|
||||
subPath: config.yml
|
||||
- name: job-logs
|
||||
mountPath: /var/log/jobs
|
||||
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: jobservice-internal-certs
|
||||
mountPath: /etc/harbor/ssl/jobservice
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: jobservice-config
|
||||
configMap:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
- name: job-logs
|
||||
{{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }}
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }}
|
||||
{{- else }}
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
- name: jobservice-internal-certs
|
||||
secret:
|
||||
secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.caBundleSecretName }}
|
||||
{{ include "harbor.caBundleVolume" . | indent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobservice.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.jobservice.priorityClassName }}
|
||||
priorityClassName: {{ .Values.jobservice.priorityClassName }}
|
||||
{{- end }}
|
31
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-pvc.yaml
vendored
Normal file
31
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-pvc.yaml
vendored
Normal file
@ -0,0 +1,31 @@
|
||||
{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}}
|
||||
{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }}
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: {{ template "harbor.jobservice" . }}
|
||||
annotations:
|
||||
{{- range $key, $value := $jobLog.annotations }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.persistence.resourcePolicy "keep" }}
|
||||
helm.sh/resource-policy: keep
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: jobservice
|
||||
app.kubernetes.io/component: jobservice
|
||||
spec:
|
||||
accessModes:
|
||||
- {{ $jobLog.accessMode }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ $jobLog.size }}
|
||||
{{- if $jobLog.storageClass }}
|
||||
{{- if eq "-" $jobLog.storageClass }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: {{ $jobLog.storageClass }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
16
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-secrets.yaml
vendored
Normal file
16
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-secrets.yaml
vendored
Normal file
@ -0,0 +1,16 @@
|
||||
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if not .Values.jobservice.existingSecret }}
|
||||
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.registry.credentials.existingSecret }}
|
||||
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- template "harbor.traceJaegerPassword" . }}
|
18
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-svc.yaml
vendored
Normal file
18
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-svc.yaml
vendored
Normal file
@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: "{{ template "harbor.jobservice" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }}
|
||||
port: {{ template "harbor.jobservice.servicePort" . }}
|
||||
targetPort: {{ template "harbor.jobservice.containerPort" . }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- name: {{ template "harbor.metricsPortName" . }}
|
||||
port: {{ .Values.metrics.jobservice.port }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: jobservice
|
15
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-tls.yaml
vendored
Normal file
15
src/pkg/chart/testdata/harbor-schema2/templates/jobservice/jobservice-tls.yaml
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
{{- if eq .Values.internalTLS.certSource "manual" }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
|
||||
tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }}
|
||||
tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
28
src/pkg/chart/testdata/harbor-schema2/templates/metrics/metrics-svcmon.yaml
vendored
Normal file
28
src/pkg/chart/testdata/harbor-schema2/templates/metrics/metrics-svcmon.yaml
vendored
Normal file
@ -0,0 +1,28 @@
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "harbor.fullname" . }}
|
||||
labels: {{ include "harbor.labels" . | nindent 4 }}
|
||||
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
|
||||
{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: app.kubernetes.io/name
|
||||
endpoints:
|
||||
- port: {{ template "harbor.metricsPortName" . }}
|
||||
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
honorLabels: true
|
||||
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings:
|
||||
{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||
relabelings:
|
||||
{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }}
|
||||
{{- end }}
|
150
src/pkg/chart/testdata/harbor-schema2/templates/nginx/configmap-http.yaml
vendored
Normal file
150
src/pkg/chart/testdata/harbor-schema2/templates/nginx/configmap-http.yaml
vendored
Normal file
@ -0,0 +1,150 @@
|
||||
{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }}
|
||||
{{- $scheme := (include "harbor.component.scheme" .) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
nginx.conf: |+
|
||||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 3096;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
client_body_temp_path /tmp/client_body_temp;
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
tcp_nodelay on;
|
||||
|
||||
# this is necessary for us to be able to disable request buffering in all cases
|
||||
proxy_http_version 1.1;
|
||||
|
||||
upstream core {
|
||||
server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
|
||||
}
|
||||
|
||||
upstream portal {
|
||||
server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }};
|
||||
}
|
||||
|
||||
log_format timed_combined '[$time_local]:$remote_addr - '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
'$request_time $upstream_response_time $pipe';
|
||||
|
||||
access_log /dev/stdout timed_combined;
|
||||
|
||||
map $http_x_forwarded_proto $x_forwarded_proto {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
|
||||
server {
|
||||
{{- if .Values.ipFamily.ipv4.enabled}}
|
||||
listen 8080;
|
||||
{{- end}}
|
||||
{{- if .Values.ipFamily.ipv6.enabled }}
|
||||
listen [::]:8080;
|
||||
{{- end }}
|
||||
server_tokens off;
|
||||
# disable any limits to avoid HTTP 413 for large image uploads
|
||||
client_max_body_size 0;
|
||||
|
||||
# Add extra headers
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
|
||||
location / {
|
||||
proxy_pass {{ $scheme }}://portal/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_pass {{ $scheme }}://core/api/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /chartrepo/ {
|
||||
proxy_pass {{ $scheme }}://core/chartrepo/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /c/ {
|
||||
proxy_pass {{ $scheme }}://core/c/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /v1/ {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location /v2/ {
|
||||
proxy_pass {{ $scheme }}://core/v2/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
proxy_send_timeout 900;
|
||||
proxy_read_timeout 900;
|
||||
}
|
||||
|
||||
location /service/ {
|
||||
proxy_pass {{ $scheme }}://core/service/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /service/notifications {
|
||||
return 404;
|
||||
}
|
||||
}
|
||||
}
|
||||
{{- end }}
|
187
src/pkg/chart/testdata/harbor-schema2/templates/nginx/configmap-https.yaml
vendored
Normal file
187
src/pkg/chart/testdata/harbor-schema2/templates/nginx/configmap-https.yaml
vendored
Normal file
@ -0,0 +1,187 @@
|
||||
{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }}
|
||||
{{- $scheme := (include "harbor.component.scheme" .) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
nginx.conf: |+
|
||||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 3096;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
client_body_temp_path /tmp/client_body_temp;
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
tcp_nodelay on;
|
||||
|
||||
# this is necessary for us to be able to disable request buffering in all cases
|
||||
proxy_http_version 1.1;
|
||||
|
||||
upstream core {
|
||||
server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
|
||||
}
|
||||
|
||||
upstream portal {
|
||||
server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}";
|
||||
}
|
||||
|
||||
log_format timed_combined '[$time_local]:$remote_addr - '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
'$request_time $upstream_response_time $pipe';
|
||||
|
||||
access_log /dev/stdout timed_combined;
|
||||
|
||||
map $http_x_forwarded_proto $x_forwarded_proto {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
|
||||
server {
|
||||
{{- if .Values.ipFamily.ipv4.enabled }}
|
||||
listen 8443 ssl;
|
||||
{{- end}}
|
||||
{{- if .Values.ipFamily.ipv6.enabled }}
|
||||
listen [::]:8443 ssl;
|
||||
{{- end }}
|
||||
# server_name harbordomain.com;
|
||||
server_tokens off;
|
||||
# SSL
|
||||
ssl_certificate /etc/nginx/cert/tls.crt;
|
||||
ssl_certificate_key /etc/nginx/cert/tls.key;
|
||||
|
||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
{{- if .Values.internalTLS.strong_ssl_ciphers }}
|
||||
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
||||
{{ else }}
|
||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||
{{- end }}
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
# disable any limits to avoid HTTP 413 for large image uploads
|
||||
client_max_body_size 0;
|
||||
|
||||
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
||||
chunked_transfer_encoding on;
|
||||
|
||||
# Add extra headers
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
|
||||
location / {
|
||||
proxy_pass {{ $scheme }}://portal/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; HttpOnly; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_pass {{ $scheme }}://core/api/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /chartrepo/ {
|
||||
proxy_pass {{ $scheme }}://core/chartrepo/;
|
||||
{{- if and .Values.internalTLS.enabled }}
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_session_reuse on;
|
||||
{{- end }}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /c/ {
|
||||
proxy_pass {{ $scheme }}://core/c/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /v1/ {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location /v2/ {
|
||||
proxy_pass {{ $scheme }}://core/v2/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /service/ {
|
||||
proxy_pass {{ $scheme }}://core/service/;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
|
||||
|
||||
proxy_cookie_path / "/; Secure";
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
}
|
||||
|
||||
location /service/notifications {
|
||||
return 404;
|
||||
}
|
||||
}
|
||||
server {
|
||||
{{- if .Values.ipFamily.ipv4.enabled }}
|
||||
listen 8080;
|
||||
{{- end}}
|
||||
{{- if .Values.ipFamily.ipv6.enabled }}
|
||||
listen [::]:8080;
|
||||
{{- end}}
|
||||
#server_name harbordomain.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
{{- end }}
|
132
src/pkg/chart/testdata/harbor-schema2/templates/nginx/deployment.yaml
vendored
Normal file
132
src/pkg/chart/testdata/harbor-schema2/templates/nginx/deployment.yaml
vendored
Normal file
@ -0,0 +1,132 @@
|
||||
{{- if ne .Values.expose.type "ingress" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
component: nginx
|
||||
app.kubernetes.io/component: nginx
|
||||
spec:
|
||||
replicas: {{ .Values.nginx.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" . | indent 6 }}
|
||||
component: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 8 }}
|
||||
component: nginx
|
||||
app.kubernetes.io/component: nginx
|
||||
{{- if .Values.nginx.podLabels }}
|
||||
{{ toYaml .Values.nginx.podLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if not .Values.expose.tls.enabled }}
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }}
|
||||
{{- else }}
|
||||
checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.nginx.podAnnotations }}
|
||||
{{ toYaml .Values.nginx.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.nginx.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.nginx.serviceAccountName }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
runAsUser: 10000
|
||||
fsGroup: 10000
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }}
|
||||
{{- with .Values.nginx.topologySpreadConstraints}}
|
||||
topologySpreadConstraints:
|
||||
{{- range . }}
|
||||
- {{ . | toYaml | indent 8 | trim }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{ include "harbor.matchLabels" $ | indent 12 }}
|
||||
component: nginx
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: nginx
|
||||
image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
|
||||
{{- $_ := set . "scheme" "HTTP" -}}
|
||||
{{- $_ := set . "port" "8080" -}}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
{{- $_ := set . "scheme" "HTTPS" -}}
|
||||
{{- $_ := set . "port" "8443" -}}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: {{ .scheme }}
|
||||
path: /
|
||||
port: {{ .port }}
|
||||
initialDelaySeconds: 300
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
scheme: {{ .scheme }}
|
||||
path: /
|
||||
port: {{ .port }}
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 10
|
||||
{{- if .Values.nginx.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.nginx.resources | indent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.extraEnvVars }}
|
||||
env:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.containerSecurityContext) }}
|
||||
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- containerPort: 8443
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
subPath: nginx.conf
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: certificate
|
||||
mountPath: /etc/nginx/cert
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: certificate
|
||||
secret:
|
||||
secretName: {{ template "harbor.tlsSecretForNginx" . }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nginx.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nginx.priorityClassName }}
|
||||
priorityClassName: {{ .Values.nginx.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
23
src/pkg/chart/testdata/harbor-schema2/templates/nginx/secret.yaml
vendored
Normal file
23
src/pkg/chart/testdata/harbor-schema2/templates/nginx/secret.yaml
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
|
||||
{{- $ca := genCA "harbor-ca" 365 }}
|
||||
{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "harbor.nginx" . }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
|
||||
{{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- else }}
|
||||
{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
94
src/pkg/chart/testdata/harbor-schema2/templates/nginx/service.yaml
vendored
Normal file
94
src/pkg/chart/testdata/harbor-schema2/templates/nginx/service.yaml
vendored
Normal file
@ -0,0 +1,94 @@
|
||||
{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
{{- if eq .Values.expose.type "clusterIP" }}
|
||||
{{- $clusterIP := .Values.expose.clusterIP }}
|
||||
name: {{ $clusterIP.name }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if .Values.expose.clusterIP.labels }}
|
||||
{{ toYaml $clusterIP.labels | indent 4 }}
|
||||
{{- end }}
|
||||
{{- with $clusterIP.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
{{- if .Values.expose.clusterIP.staticClusterIP }}
|
||||
clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ $clusterIP.ports.httpPort }}
|
||||
targetPort: 8080
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: https
|
||||
port: {{ $clusterIP.ports.httpsPort }}
|
||||
targetPort: 8443
|
||||
{{- end }}
|
||||
{{- else if eq .Values.expose.type "nodePort" }}
|
||||
{{- $nodePort := .Values.expose.nodePort }}
|
||||
name: {{ $nodePort.name }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if .Values.expose.nodePort.labels }}
|
||||
{{ toYaml $nodePort.labels | indent 4 }}
|
||||
{{- end }}
|
||||
{{- with $nodePort.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ $nodePort.ports.http.port }}
|
||||
targetPort: 8080
|
||||
{{- if $nodePort.ports.http.nodePort }}
|
||||
nodePort: {{ $nodePort.ports.http.nodePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: https
|
||||
port: {{ $nodePort.ports.https.port }}
|
||||
targetPort: 8443
|
||||
{{- if $nodePort.ports.https.nodePort }}
|
||||
nodePort: {{ $nodePort.ports.https.nodePort }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.expose.type "loadBalancer" }}
|
||||
{{- $loadBalancer := .Values.expose.loadBalancer }}
|
||||
name: {{ $loadBalancer.name }}
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
{{- if .Values.expose.loadBalancer.labels }}
|
||||
{{ toYaml $loadBalancer.labels | indent 4 }}
|
||||
{{- end }}
|
||||
{{- with $loadBalancer.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
{{- with $loadBalancer.sourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $loadBalancer.IP }}
|
||||
loadBalancerIP: {{ $loadBalancer.IP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ $loadBalancer.ports.httpPort }}
|
||||
targetPort: 8080
|
||||
{{- if .Values.expose.tls.enabled }}
|
||||
- name: https
|
||||
port: {{ $loadBalancer.ports.httpsPort }}
|
||||
targetPort: 8443
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{ include "harbor.matchLabels" . | indent 4 }}
|
||||
component: nginx
|
||||
{{- end }}
|
67
src/pkg/chart/testdata/harbor-schema2/templates/portal/configmap.yaml
vendored
Normal file
67
src/pkg/chart/testdata/harbor-schema2/templates/portal/configmap.yaml
vendored
Normal file
@ -0,0 +1,67 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "harbor.portal" . }}"
|
||||
labels:
|
||||
{{ include "harbor.labels" . | indent 4 }}
|
||||
data:
|
||||
nginx.conf: |+
|
||||
worker_processes auto;
|
||||
pid /tmp/nginx.pid;
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
http {
|
||||
client_body_temp_path /tmp/client_body_temp;
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
server {
|
||||
{{- if .Values.internalTLS.enabled }}
|
||||
{{- if .Values.ipFamily.ipv4.enabled}}
|
||||
listen {{ template "harbor.portal.containerPort" . }} ssl;
|
||||
{{- end }}
|
||||
{{- if .Values.ipFamily.ipv6.enabled}}
|
||||
listen [::]:{{ template "harbor.portal.containerPort" . }} ssl;
|
||||
{{- end }}
|
||||
# SSL
|
||||
ssl_certificate /etc/harbor/ssl/portal/tls.crt;
|
||||
ssl_certificate_key /etc/harbor/ssl/portal/tls.key;
|
||||
|
||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
{{- if .Values.internalTLS.strong_ssl_ciphers }}
|
||||
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
||||
{{ else }}
|
||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||
{{- end }}
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
{{- else }}
|
||||
{{- if .Values.ipFamily.ipv4.enabled }}
|
||||
listen {{ template "harbor.portal.containerPort" . }};
|
||||
{{- end }}
|
||||
{{- if .Values.ipFamily.ipv6.enabled}}
|
||||
listen [::]:{{ template "harbor.portal.containerPort" . }};
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
server_name localhost;
|
||||
root /usr/share/nginx/html;
|
||||
index index.html index.htm;
|
||||
include /etc/nginx/mime.types;
|
||||
gzip on;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
location /devcenter-api-2.0 {
|
||||
try_files $uri $uri/ /swagger-ui-index.html;
|
||||
}
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
location = /index.html {
|
||||
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
||||
}
|
||||
}
|
||||
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user