Fix misc issues of Harbor charts

1. Fix the pull/push commands showed on UI are incorrect 2. Replace "insecureRegistry" with "externalProtocol" 3. Using the secret rather than pasting text if users want to use the certificate of themselves 4. Refine NOTES.txt
2024-11-24 19:25:19 +01:00 · 2018-07-11 17:02:24 +08:00 · 2018-07-11 17:02:24 +08:00 · c72a7db4be
commit c72a7db4be
parent 5357b7ea76
10 changed files with 93 additions and 142 deletions
--- a/contrib/helm/harbor/templates/NOTES.txt
+++ b/contrib/helm/harbor/templates/NOTES.txt
@ -1,26 +1,3 @@
-
 Please wait for several minutes for Harbor deployment to complete.
-Then follow the steps below to use Harbor.
-
-1. Add the Harbor CA certificate to Docker by executing the following command:
-
-  sudo mkdir -p /etc/docker/certs.d/{{ .Values.externalDomain }}
-  kubectl get secret \
-    --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-ingress \
-    -o jsonpath="{.data.ca\.crt}" | base64 --decode | \
-    sudo tee /etc/docker/certs.d/{{ .Values.externalDomain }}/ca.crt
-
-2. Get Harbor admin password by executing the following command:
-
-  kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-adminserver -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode; echo
-
-3. Add DNS resolution entry for Harbor FQDN {{ .Values.externalDomain }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
-{{- if .Values.notary.enabled }}
-   Add DNS resolution entry for Notary FQDN {{ template "harbor.notaryFQDN" . }} to K8s Ingress Controller IP on DNS Server or in file /etc/hosts.
-{{- end }}
-
-4. Access Harbor UI via https://{{ .Values.externalDomain }}
-
-5. Login Harbor with Docker CLI:
-
-  docker login {{ .Values.externalDomain }}
+Then you should be able to visit the UI portal at {{ template "harbor.externalURL" . }}. 
+For more details, please visit https://github.com/vmware/harbor.
--- a/contrib/helm/harbor/templates/_helpers.tpl
+++ b/contrib/helm/harbor/templates/_helpers.tpl
@ -32,9 +32,9 @@ app: "{{ template "harbor.name" . }}"

 {{- define "harbor.externalURL" -}}
 {{- if .Values.externalPort -}}
-{{- printf "%s:%s" .Values.externalDomain (toString .Values.externalPort) -}}
+{{- printf "%s://%s:%s" .Values.externalProtocol .Values.externalDomain (toString .Values.externalPort) -}}
 {{- else -}}
-{{- .Values.externalDomain -}}
+{{- printf "%s://%s" .Values.externalProtocol .Values.externalDomain -}}
 {{- end -}}
 {{- end -}}

--- a/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml
+++ b/contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml
@ -10,14 +10,14 @@ data:
  POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
  POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
  POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
-  EMAIL_HOST: "{{ .Values.adminserver.emailHost }}"
-  EMAIL_PORT: "{{ .Values.adminserver.emailPort }}"
-  EMAIL_USR: "{{ .Values.adminserver.emailUser }}"
-  EMAIL_SSL: "{{ .Values.adminserver.emailSsl }}"
-  EMAIL_FROM: "{{ .Values.adminserver.emailFrom }}"
-  EMAIL_IDENTITY: "{{ .Values.adminserver.emailIdentity }}"
-  EMAIL_INSECURE: "{{ .Values.adminserver.emailInsecure }}"
-  EXT_ENDPOINT: "https://{{ .Values.externalDomain }}"
+  EMAIL_HOST: "{{ .Values.email.host }}"
+  EMAIL_PORT: "{{ .Values.email.port }}"
+  EMAIL_USR: "{{ .Values.email.username }}"
+  EMAIL_SSL: "{{ .Values.email.ssl }}"
+  EMAIL_FROM: "{{ .Values.email.from }}"
+  EMAIL_IDENTITY: "{{ .Values.email.identity }}"
+  EMAIL_INSECURE: "{{ .Values.email.insecure }}"
+  EXT_ENDPOINT: "{{ template "harbor.externalURL" . }}"
  UI_URL: "http://{{ template "harbor.fullname" . }}-ui"
  JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
  REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000"
@ -26,16 +26,16 @@ data:
  NOTARY_URL: "http://{{ template "harbor.notaryServiceName" . }}:4443"
  LOG_LEVEL: "info"
  IMAGE_STORE_PATH: "/" # This is a temporary hack.
-  AUTH_MODE: "{{ .Values.adminserver.authenticationMode }}"
-  SELF_REGISTRATION: "{{ .Values.adminserver.selfRegistration }}"
-  LDAP_URL: "{{ .Values.adminserver.ldap.url }}"
-  LDAP_SEARCH_DN: "{{ .Values.adminserver.ldap.searchDN }}"
-  LDAP_BASE_DN: "{{ .Values.adminserver.ldap.baseDN }}"
-  LDAP_FILTER: "{{ .Values.adminserver.ldap.filter }}"
-  LDAP_UID: "{{ .Values.adminserver.ldap.uid }}"
-  LDAP_SCOPE: "{{ .Values.adminserver.ldap.scope }}"
-  LDAP_TIMEOUT: "{{ .Values.adminserver.ldap.timeout }}"
-  LDAP_VERIFY_CERT: "{{ .Values.adminserver.ldap.verifyCert }}"
+  AUTH_MODE: "{{ .Values.authenticationMode }}"
+  SELF_REGISTRATION: "{{ .Values.selfRegistration }}"
+  LDAP_URL: "{{ .Values.ldap.url }}"
+  LDAP_SEARCH_DN: "{{ .Values.ldap.searchDN }}"
+  LDAP_BASE_DN: "{{ .Values.ldap.baseDN }}"
+  LDAP_FILTER: "{{ .Values.ldap.filter }}"
+  LDAP_UID: "{{ .Values.ldap.uid }}"
+  LDAP_SCOPE: "{{ .Values.ldap.scope }}"
+  LDAP_TIMEOUT: "{{ .Values.ldap.timeout }}"
+  LDAP_VERIFY_CERT: "{{ .Values.ldap.verifyCert }}"
  DATABASE_TYPE: "postgresql"
  PROJECT_CREATION_RESTRICTION: "everyone"
  VERIFY_REMOTE_CERT: "off"
--- a/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
+++ b/contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml
@ -8,13 +8,13 @@ metadata:
 type: Opaque
 data:
  secretKey: {{ .Values.secretKey | b64enc | quote }}
-  EMAIL_PWD: {{ .Values.adminserver.emailPwd | b64enc | quote }}
-  HARBOR_ADMIN_PASSWORD: {{ .Values.adminserver.adminPassword | b64enc | quote }}
+  EMAIL_PWD: {{ .Values.email.password | b64enc | quote }}
+  HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
  POSTGRESQL_PASSWORD: {{ template "harbor.database.password" . }}
  JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
  UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
-{{- if eq .Values.adminserver.authenticationMode "ldap_auth" }} 
-  LDAP_SEARCH_PWD: {{ .Values.adminserver.ldap.searchPwd | b64enc | quote }} 
+{{- if eq .Values.authenticationMode "ldap_auth" }} 
+  LDAP_SEARCH_PWD: {{ .Values.ldap.searchPwd | b64enc | quote }} 
 {{- end }}
 {{ if .Values.clair.enabled }}
  CLAIR_DB_PASSWORD: {{ template "harbor.database.password" . }}
--- a/contrib/helm/harbor/templates/ingress/ingress.yaml
+++ b/contrib/helm/harbor/templates/ingress/ingress.yaml
@ -1,4 +1,4 @@
-{{ if .Values.ingress.enabled  }}
+{{ if .Values.ingress.enabled }}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@ -8,12 +8,16 @@ metadata:
  annotations:
 {{ toYaml .Values.ingress.annotations | indent 4 }}
 spec:
-{{ if not .Values.insecureRegistry }}
+{{ if eq .Values.externalProtocol "https" }}
  tls:
  - hosts:
    - "{{ .Values.externalDomain }}"
    - "{{ template "harbor.notaryFQDN" . }}"
+    {{ if eq .Values.ingress.tls.secretName "" }}
    secretName: "{{ template "harbor.fullname" . }}-ingress"
+    {{ else }}
+    secretName: {{ .Values.ingress.tls.secretName }}
+    {{ end }}
 {{ end }}
  rules:
  - host: "{{ .Values.externalDomain }}"
@ -43,11 +47,15 @@ metadata:
    nginx.ingress.kubernetes.io/rewrite-target: /registryproxy/v2
    ingress.kubernetes.io/rewrite-target: /registryproxy/v2
 spec:
-{{ if not .Values.insecureRegistry }}
+{{ if eq .Values.externalProtocol "https" }}
  tls:
  - hosts:
    - "{{ .Values.externalDomain }}"
+    {{ if eq .Values.ingress.tls.secretName "" }}
    secretName: "{{ template "harbor.fullname" . }}-ingress"
+    {{ else }}
+    secretName: {{ .Values.ingress.tls.secretName }}
+    {{ end }}
 {{ end }}
  rules:
  - host: "{{ .Values.externalDomain }}"
@ -57,6 +65,4 @@ spec:
        backend:
          serviceName: {{ template "harbor.fullname" . }}-ui
          servicePort: 80
-
-
 {{ end }}
--- a/contrib/helm/harbor/templates/ingress/secret.yaml
+++ b/contrib/helm/harbor/templates/ingress/secret.yaml
@ -1,5 +1,6 @@
-{{ if not .Values.insecureRegistry }}
-{{ if .Values.generateCertificates }}
+{{ if eq .Values.externalProtocol "https" }}
+{{ if .Values.ingress.enabled }}
+{{ if eq .Values.ingress.tls.secretName "" }}
 {{ $ca := genCA "harbor-ca" 3650 }}
 {{ $cert := genSignedCert (include "harbor.certCommonName" .) nil nil 3650 $ca }}
 apiVersion: v1
@ -15,3 +16,4 @@ data:
  ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
 {{ end }}
 {{ end }}
+{{ end }}
--- a/contrib/helm/harbor/templates/notary/notary-cm.yaml
+++ b/contrib/helm/harbor/templates/notary/notary-cm.yaml
@ -37,7 +37,7 @@ data:
      "auth": {
          "type": "token",
          "options": {
-              "realm": "https://{{ template "harbor.externalURL" . }}/service/token",
+              "realm": "{{ template "harbor.externalURL" . }}/service/token",
              "service": "harbor-notary",
              "issuer": "harbor-token-issuer",
              "rootcertbundle": "/root.crt"
--- a/contrib/helm/harbor/templates/registry/registry-cm.yaml
+++ b/contrib/helm/harbor/templates/registry/registry-cm.yaml
@ -38,7 +38,7 @@ data:
    auth:
      token:
        issuer: harbor-token-issuer
-        realm: "https://{{ template "harbor.externalURL" . }}/service/token"
+        realm: "{{ template "harbor.externalURL" . }}/service/token"
        rootcertbundle: /etc/registry/root.crt
        service: harbor-registry

--- a/contrib/helm/harbor/templates/ui/ui-dpl.yaml
+++ b/contrib/helm/harbor/templates/ui/ui-dpl.yaml
@ -50,11 +50,15 @@ spec:
        - name: ui-secrets-private-key
          mountPath: /etc/ui/private_key.pem
          subPath: private_key.pem
-        {{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }}
+        {{- if eq .Values.externalProtocol "https" }}
+        {{- if .Values.ingress.enabled }}
+        {{- if eq .Values.ingress.tls.secretName "" }}
        - name: ca-download
          mountPath: /etc/ui/ca/ca.crt
          subPath: ca.crt
        {{- end }}
+        {{- end }}
+        {{- end }}
        - name: psc
          mountPath: /etc/ui/token
      volumes:
@ -73,7 +77,9 @@ spec:
          items:
            - key: private_key.pem
              path: private_key.pem
-      {{- if and (not .Values.insecureRegistry) .Values.ingress.enabled }}
+      {{- if eq .Values.externalProtocol "https" }}
+      {{- if .Values.ingress.enabled }}
+      {{- if eq .Values.ingress.tls.secretName "" }}
      - name: ca-download
        secret:
          secretName: "{{ template "harbor.fullname" . }}-ingress"
@ -81,6 +87,8 @@ spec:
            - key: ca.crt
              path: ca.crt
      {{- end }}
+      {{- end }}
+      {{- end }}
      - name: psc
        emptyDir: {}
    {{- with .Values.ui.nodeSelector }}
--- a/contrib/helm/harbor/values.yaml
+++ b/contrib/helm/harbor/values.yaml
@ -1,49 +1,33 @@
-# Configure persisten Volumes per application
-## Applications that require storage have a `volumes` definition which will be used
-## when `persistence.enabled` is set to true.
-## example
-# mysql:
-#   volumes:
-#     data:
-## Persistent Volume Storage Class
-## If defined, storageClassName: <storageClass>
-## If set to "-", storageClassName: "", which disables dynamic provisioning
-## If undefined (the default) or set to null, no storageClassName spec is
-##   set, choosing the default provisioner.  (gp2 on AWS, standard on
-##   GKE, AWS & OpenStack)
-##
-#     storageClass: "-"
-#     accessMode: ReadWriteOnce
-#     size: 1Gi
-
-## Configure resource requests and limits per application
-## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-##
-# mysql:
-#   resources:
-#     requests:
-#       memory: 256Mi
-#       cpu: 100m
-
 persistence:
  enabled: true
-
-# The tag for Harbor docker images.
-harborImageTag: &harbor_image_tag v1.5.0-chart-patch
-
-# The FQDN for Harbor service.
+externalProtocol: https
+# The FQDN for Harbor service
 externalDomain: harbor.my.domain
-# externalPort is the Port for Harbor service, leave empty if the service is to be bound to
-# port 80/443
+# The Port for Harbor service, leave empty if the service 
+# is to be bound to port 80/443
 externalPort: 32700
-# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
-# Harbor FQDN as insecure-registries for your docker client.
-insecureRegistry: false
-generateCertificates: true
-# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
-tlsCrt:
-tlsKey:
-caCrt:
+harborAdminPassword: Harbor12345
+authenticationMode: "db_auth"
+selfRegistration: "on"
+ldap:
+  url: "ldaps://ldapserver"
+  searchDN: ""
+  searchPassword: ""
+  baseDN: ""
+  filter: "(objectClass=person)"
+  uid: "uid"
+  scope: "2"
+  timeout: "5"
+  verifyCert: "True"
+email:
+  host: "smtp.mydomain.com"
+  port: "25"
+  username: "sample_admin@mydomain.com"
+  password: "password"
+  ssl: "false"
+  insecure: "false"
+  from: "admin <sample_admin@mydomain.com>"
+  identity: ""

 # The secret key used for encryption. Must be a string of 16 chars.
 secretKey: not-a-secure-key
@ -54,36 +38,23 @@ ingress:
  enabled: true
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+  tls:
+    # Fill the secretName if you want to use the certificate of 
+    # yourself when Harbor serves with HTTPS. A certificate will 
+    # be generated automatically by the chart if leave it empty
+    secretName: ""
+
+# The tag for Harbor docker images.
+harborImageTag: &harbor_image_tag dev

 adminserver:
  image:
    repository: vmware/harbor-adminserver
    tag: *harbor_image_tag
    pullPolicy: IfNotPresent
-  emailHost: "smtp.mydomain.com"
-  emailPort: "25"
-  emailUser: "sample_admin@mydomain.com"
-  emailSsl: "false"
-  emailFrom: "admin <sample_admin@mydomain.com>"
-  emailIdentity: ""
-  emailInsecure: "False"
-  emailPwd: not-a-secure-password
-  adminPassword: Harbor12345
-  authenticationMode: "db_auth"
-  selfRegistration: "on"
-  ldap:
-    url: "ldaps://ldapserver"
-    searchDN: ""
-    searchPassword: ""
-    baseDN: ""
-    filter: "(objectClass=person)"
-    uid: "uid"
-    scope: "2"
-    timeout: "5"
-    verifyCert: "True"
-  ## Persist data to a persistent volume
  volumes:
    config:
      # storageClass: "-"
@ -97,8 +68,6 @@ adminserver:
  tolerations: []
  affinity: {}

-## jobservice
-#
 jobservice:
  image:
    repository: vmware/harbor-jobservice
@ -114,8 +83,6 @@ jobservice:
  tolerations: []
  affinity: {}

-## UI
-#
 ui:
  image:
    repository: vmware/harbor-ui
@ -215,11 +182,10 @@ database:
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"

-
 registry:
  image:
    repository: vmware/registry-photon
-    tag: v2.6.2-v1.5.0-chart-patch
+    tag: dev
    pullPolicy: IfNotPresent
  httpSecret: not-a-secure-secret
  logLevel: info
@ -289,17 +255,9 @@ registry:
 clair:
  enabled: true
  image:
-    repository: ywk253100/clair-photon
-    tag: v2.0.1-v1.5.0-chart-patch
+    repository: vmware/clair-photon
+    tag: dev
    pullPolicy: IfNotPresent
-# resources:
-#  requests:
-#    memory: 256Mi
-#    cpu: 100m
-# pgResources:
-#  requests:
-#    memory: 256Mi
-#    cpu: 100m
  volumes:
    pgData:
      # storageClass: "-"
@ -332,12 +290,12 @@ notary:
  server:
    image:
      repository: vmware/notary-server-photon
-      tag: v0.5.1-v1.5.0-chart-patch
+      tag: dev
      pullPolicy: IfNotPresent
  signer:
    image:
      repository: vmware/notary-signer-photon
-      tag: v0.5.1-v1.5.0-chart-patch
+      tag: dev
      pullPolicy: IfNotPresent
    env:
      NOTARY_SIGNER_DEFAULTALIAS: defaultalias