Update Harbor helm chart to deploy Harbor 1.4.0 release (#4373)

* Update Harbor helm chart to deploy Harbor 1.4.0 release

* Change version to 0.1.0 and fix a doc error

* Fix auth_mode default value

* Refine doc and fix a typo
Jesse Hu 2018-03-09 18:47:13 +08:00 committed by Daniel Jiang
parent 03bf000770
commit dab5dd9879
32 changed files with 242 additions and 240 deletions

View File

@ -1,7 +1,7 @@
name: harbor
version: 0.0.1
appVersion: 1.3.0
description: An Enterprise-class Docker Registry Harbor by VMware
version: 0.1.0
appVersion: 1.4.0
description: An Enterprise-class Docker Registry by VMware
keywords:
- vmware
- docker
@ -10,8 +10,10 @@ keywords:
home: https://github.com/vmware/harbor
icon: https://github.com/vmware/harbor/blob/master/docs/img/harbor_logo.png
sources:
- https://github.com/vmware/harbor
- https://github.com/vmware/harbor/tree/master/contrib/helm/harbor
maintainers:
- name: Jesse Hu
email: huh@vmware.com
- name: paulczar
email: username.taken@gmail.com
engine: gotpl

View File

@ -4,24 +4,75 @@
## Introduction
This is an experimental monolithic chart that installs and configures VMWare Harbor and its dependencies. The initial implementation of this includes all of the components required to run Harbor. As upstream harbor becomes more cloud native we will be able to break apart the monolith and utitlize helm dependencies.
This chart installs and configures Harbor.
## Prerequisites
- Kubernetes 1.7+ with Beta APIs enabled
- Kubernetes cluster 1.8+ with Beta APIs enabled
- Kubernetes Ingress Controller is enabled
- kubectl CLI 1.8+
- PV provisioner support in the underlying infrastructure
## Setup a Kubernetes cluster
You can use any tools to setup a K8s cluster.
In this guide, we use [minikube](https://github.com/kubernetes/minikube) to setup a K8s cluster as the dev/test env.
```bash
# Start minikube
minikube start --vm-driver=none
# Enable Ingress Controller
minikube addons enable ingress
```
## Installing the Chart
To install the chart with the release name `my-release`:
First install [Helm CLI](https://github.com/kubernetes/helm#install), then initialize Helm.
```bash
$ git clone https://github.com/vmware/harbor.git
$ cd harbor/contrib/helm/harbor
$ helm install --name my-release incubator/harbor
helm init --canary-image
```
The command deploys Harbor on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
Download Harbor helm chart code.
```bash
git clone https://github.com/vmware/harbor
cd harbor/contrib/helm/harbor
```
### Insecure Registry Mode
If setting Harbor Registry as insecure-registries for docker,
you don't need to generate Root CA and SSL certificate for the Harbor ingress controller.
Install the Harbor helm chart with a release name `my-release`:
```bash
helm install . --debug --name my-release --set externalDomain=harbor.my.domain,insecureRegistry=true
```
**Make sure** `harbor.my.domain` resolves to the K8s Ingress Controller IP on the machines where you run docker or access Harbor UI.
You can add `harbor.my.domain` and IP mapping in the DNS server, or in /etc/hosts, or use the FQDN `harbor.<IP>.xip.io`.
Then add `"insecure-registries": ["harbor.my.domain"]` in the docker daemon config file and restart docker service.
### Secure Registry Mode
By default this chart will generate a root CA and SSL certificate for your Harbor.
You can also use your own CA signed certificate:
open values.yaml, set the value of 'externalDomain' to your Harbor FQDN, and
set value of 'tlsCrt', 'tlsKey', 'caCrt'. The common name of the certificate must match your Harbor FQDN.
Install the Harbor helm chart with a release name `my-release`:
```bash
helm install . --debug --name my-release --set externalDomain=harbor.my.domain
```
Follow the `NOTES` section in the command output to get Harbor admin password and **add Harbor root CA into docker trusted certificates**.
The command deploys Harbor on the Kubernetes cluster in the default configuration.
The [configuration](#configuration) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
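
Review bot: `helm init --canary-image` in the Installing the Chart steps puts the canary (unreleased) Tiller build into the cluster, and the README gives no reason for needing it. Use plain `helm init`, or, if the canary build is required for the `genCA`/`genSignedCert` calls in the ingress secret template, say so and name the minimum Helm version. Both `helm install . --debug ...` examples also echo the rendered manifests to the terminal, which includes the Secret objects and, in secure mode, the generated TLS key, so `--debug` is better left out of the copy-paste commands.
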
@ -30,26 +81,29 @@ The command deploys Harbor on the Kubernetes cluster in the default configuratio
To uninstall/delete the `my-release` deployment:
```bash
$ helm delete my-release
helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following tables lists the configurable parameters of the Percona chart and their default values.
The following tables lists the configurable parameters of the Harbor chart and the default values.
| Parameter | Description | Default |
| ----------------------- | ---------------------------------- | ----------------------- |
| **Harbor** |
| `externalDomain` | domain harbor will run on (https://*harbor.url*/) |`harbor.192.168.99.100.xip.io` |
| `tls_crt` | TLS certificate to use for Harbor's https endpoint | see values.yaml |
| `tls_key` | TLS key to use for Harbor's https endpoint | see values.yaml |
| `ca_crt` | CA Cert for self signed TLS cert | see values.yaml |
| `harborImageTag` | The tag for Harbor docker images | `v1.4.0` |
| `externalDomain` | Harbor will run on (https://`externalDomain`/). Recommend using K8s Ingress Controller FQDN as `externalDomain`, or make sure this FQDN resolves to the K8s Ingress Controller IP. | `harbor.my.domain` |
| `insecureRegistry` | If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add Harbor FQDN as insecure-registries for your docker client. | `false` |
| `tlsCrt` | TLS certificate to use for Harbor's https endpoint. Its CN must match `externalDomain`. | auto-generated |
| `tlsKey` | TLS key to use for Harbor's https endpoint | auto-generated |
| `caCrt` | CA Cert for self signed TLS cert | auto-generated |
| `persistence.enabled` | enable persistent data storage | `false` |
| `secretKey` | The secret key used for encryption. Must be a string of 16 chars. | `not-a-secure-key` |
| **Adminserver** |
| `adminserver.image.repository` | Repository for adminserver image | `vmware/harbor-adminserver` |
| `adminserver.image.tag` | Tag for adminserver image | `v1.3.0` |
| `adminserver.image.tag` | Tag for adminserver image | `v1.4.0` |
| `adminserver.image.pullPolicy` | Pull Policy for adminserver image | `IfNotPresent` |
| `adminserver.emailHost` | email server | `smtp.mydomain.com` |
| `adminserver.emailPort` | email port | `25` |
@ -64,14 +118,14 @@ The following tables lists the configurable parameters of the Percona chart and
| `adminserver.volumes` | used to create PVCs if persistence is enabled (see instructions in values.yaml) | see values.yaml |
| **Jobservice** |
| `jobservice.image.repository` | Repository for jobservice image | `vmware/harbor-jobservice` |
| `jobservice.image.tag` | Tag for jobservice image | `v1.3.0` |
| `jobservice.image.tag` | Tag for jobservice image | `v1.4.0` |
| `jobservice.image.pullPolicy` | Pull Policy for jobservice image | `IfNotPresent` |
| `jobservice.key` | jobservice key | `not-a-secure-key` |
| `jobservice.secret` | jobservice secret | `not-a-secure-secret` |
| `jobservice.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| **UI** |
| `ui.image.repository` | Repository for ui image | `vmware/harbor-ui` |
| `ui.image.tag` | Tag for ui image | `v1.3.0` |
| `ui.image.tag` | Tag for ui image | `v1.4.0` |
| `ui.image.pullPolicy` | Pull Policy for ui image | `IfNotPresent` |
| `ui.key` | ui key | `not-a-secure-key` |
| `ui.secret` | ui secret | `not-a-secure-secret` |
@ -79,7 +133,7 @@ The following tables lists the configurable parameters of the Percona chart and
| `ui.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| **MySQL** |
| `mysql.image.repository` | Repository for mysql image | `vmware/harbor-mysql` |
| `mysql.image.tag` | Tag for mysql image | `v1.3.0` |
| `mysql.image.tag` | Tag for mysql image | `v1.4.0` |
| `mysql.image.pullPolicy` | Pull Policy for mysql image | `IfNotPresent` |
| `mysql.host` | MySQL Server | `~` |
| `mysql.port` | MySQL Port | `3306` |
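
Review bot: the MySQL rows document `mysql.image.repository` as `vmware/harbor-mysql`, but values.yaml in this same commit sets `repository: vmware/harbor-db` under `mysql.image`. Align the table with the chart default while the tag row is being touched.
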
@ -89,22 +143,18 @@ The following tables lists the configurable parameters of the Percona chart and
| `mysql.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `mysql.volumes` | used to create PVCs if persistence is enabled (see instructions in values.yaml) | see values.yaml |
| **Registry** |
| `registry.image.repository` | Repository for registry image | `vmware/harbor-registry` |
| `registry.image.tag` | Tag for registry image | `v1.3.0` |
| `registry.image.repository` | Repository for registry image | `vmware/registry-photon` |
| `registry.image.tag` | Tag for registry image | `v2.6.2-v1.4.0` |
| `registry.image.pullPolicy` | Pull Policy for registry image | `IfNotPresent` |
| `registry.rootCrt` | registry root cert | see values.yaml |
| `registry.httpSecret` | registry secret | `not-a-secure-secret` |
| `registry.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| `registry.volumes` | used to create PVCs if persistence is enabled (see instructions in values.yaml) | see values.yaml |
| **Clair** |
| `clair.enabled` | Enable clair? | `false` |
| `clair.enabled` | Enable clair? | `true` |
| `clair.image.repository` | Repository for clair image | `vmware/clair-photon` |
| `clair.image.tag` | Tag for clair image | `v2.0.1-v1.4.0`
| `clair.postgresPassword` | password for clair postgres | see values.yaml |
| `clair.image.repository` | Repository for clair image | `vmware/clair` |
| `clair.image.tag` | Tag for clair image | `v2.0.1-photon` |
| `clair.image.pullPolicy` | Pull Policy for clair image | `IfNotPresent` |
| `clair.pgImage.repository` | Repository for clair postgres image | `postgres` |
| `clair.pgImage.tag` | Tag for clair postgres image | `9.6.4` |
| `clair.pgImage.pullPolicy` | Pull Policy for clair postgres image | `IfNotPresent` |
| `clair.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined | `clair.pgResources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container | undefined |
| | | |
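
Review bot: the `clair.image.tag` row with `v2.0.1-v1.4.0` has no closing `|`, and the `clair.resources` and `clair.pgResources` entries share one line, so the Clair part of the table will not render as intended. Close the row and split the two entries onto separate lines.
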
@ -112,13 +162,13 @@ The following tables lists the configurable parameters of the Percona chart and
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
```bash
$ helm install --name my-release --set mysql.pass=baconeggs .
helm install --name my-release --set mysql.pass=baconeggs .
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install --name my-release -f /path/to/values.yaml .
helm install --name my-release -f /path/to/values.yaml .
```
> **Tip**: You can use the default [values.yaml](values.yaml)

View File

@ -1,15 +1,20 @@
To add the CA certificate to docker copy the contents of the following command into /etc/docker/certs.d/{{ .Values.externalDomain }}:
$ kubectl get secret \
Add the Harbor CA certificate to Docker by executing the following command:
sudo mkdir -p /etc/docker/certs.d/{{ .Values.externalDomain }}
kubectl get secret \
--namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-ingress \
-o jsonpath="{.data.ca\.crt}" | base64 --decode
-o jsonpath="{.data.ca\.crt}" | base64 --decode | \
sudo tee /etc/docker/certs.d/{{ .Values.externalDomain }}/ca.crt
Access Harbor via: https://{{ .Values.externalDomain }}
Get Harbor admin password by executing the following command:
login to harbor with docker cli:
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-adminserver -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode; echo
docker login {{ .Values.externalDomain }}
Add Harbor FQDN {{ .Values.externalDomain }} to K8s Ingress Controller IP resolution on DNS Server or in file /etc/hosts.
To get your admin password run the following (not yet ready):
Access Harbor UI via https://{{ .Values.externalDomain }}
$ kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }} -o jsonpath="{.data.}" | base64 --decode; echo
Login Harbor with Docker CLI:
docker login {{ .Values.externalDomain }}
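
Review bot: the CA instructions at the top read `ca.crt` from the `-ingress` secret unconditionally, but the ingress secret template in this commit is wrapped in `{{ if not .Values.insecureRegistry }}`. With `insecureRegistry=true` the `kubectl get secret` pipeline fails and `sudo tee` leaves an empty `ca.crt` under `/etc/docker/certs.d/`. Guard this block with the same condition and print the `insecure-registries` hint from the README in the other branch.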

View File

@ -17,7 +17,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{/* Helm required labels */}}
{{- define "helm.labels" -}}
{{- define "harbor.labels" -}}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
@ -25,7 +25,7 @@ app: "{{ template "harbor.name" . }}"
{{- end -}}
{{/* matchLabels */}}
{{- define "helm.matchLabels" -}}
{{- define "harbor.matchLabels" -}}
release: {{ .Release.Name }}
app: "{{ template "harbor.name" . }}"
{{- end -}}

View File

@ -3,7 +3,8 @@ kind: ConfigMap
metadata:
name: "{{ template "harbor.fullname" . }}-adminserver"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: adminserver
data:
{{ if .Values.mysql.host -}}
MYSQL_HOST: "{{ .Values.mysql.host }}"
@ -19,21 +20,26 @@ data:
EMAIL_SSL: "{{ .Values.adminserver.emailSsl }}"
EMAIL_FROM: "{{ .Values.adminserver.emailFrom }}"
EMAIL_IDENTITY: "{{ .Values.adminserver.emailIdentity }}"
EMAIL_INSECURE: "{{ .Values.adminserver.emailInsecure }}"
EXT_ENDPOINT: "https://{{ .Values.externalDomain }}"
UI_URL: "http://{{ template "harbor.fullname" . }}-ui"
JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000"
TOKEN_SERVICE_URL: "http://{{ template "harbor.fullname" . }}-ui/service/token"
WITH_NOTARY: "{{ .Values.notary.enabled }}"
LOG_LEVEL: "info"
IMAGE_STORE_PATH: "/"
AUTH_MODE: "database"
IMAGE_STORE_PATH: "/" # This is a temporary hack.
AUTH_MODE: "db_auth"
SELF_REGISTRATION: "on"
LDAP_URL: "ldaps://ldapserver"
LDAP_SEARCH_DN: ""
LDAP_BASE_DN: ""
LDAP_FILTER: "(objectClass=person)"
LDAP_UID: "uid"
LDAP_SCOPE: "3"
LDAP_SCOPE: "2"
LDAP_TIMEOUT: "5"
LDAP_TIMEOUT: "5"
LDAP_VERIFY_CERT: "True"
DATABASE_TYPE: "mysql"
PROJECT_CREATION_RESTRICTION: "everyone"
VERIFY_REMOTE_CERT: "off"
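
Review bot: `AUTH_MODE`, `SELF_REGISTRATION: "on"` and `VERIFY_REMOTE_CERT: "off"` are literals in this ConfigMap, so a deployer cannot disable open sign-up, switch to LDAP or enable remote certificate verification from values.yaml without editing the template. Expose them as values with the current settings as defaults. The `# This is a temporary hack.` comment on `IMAGE_STORE_PATH` should also say what it works around or link the issue.
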
@ -45,3 +51,12 @@ data:
RESET: "false"
WITH_CLAIR: "{{ .Values.clair.enabled }}"
CLAIR_DB_HOST: "{{ template "harbor.fullname" . }}-clair-pg"
CLAIR_DB_PORT: "5432"
CLAIR_DB: "postgres"
CLAIR_DB_USERNAME: "postgres"
CLAIR_DB_PASSWORD: "{{ .Values.clair.postgresPassword }}"
UAA_ENDPOINT: ""
UAA_CLIENTID: ""
UAA_CLIENTSECRET: ""
UAA_VERIFY_CERT: "True"
REGISTRY_STORAGE_PROVIDER_NAME: "filesystem"
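
Review bot: `CLAIR_DB_PASSWORD` is rendered into the adminserver ConfigMap in clear text, and `UAA_CLIENTSECRET` is declared there too, while the other credentials (`MYSQL_PWD`, `EMAIL_PWD`, `HARBOR_ADMIN_PASSWORD`) live in the `-adminserver` Secret. Move both keys into that Secret so they are not readable by everyone who can get ConfigMaps in the namespace; `CLAIR_DB_HOST`, `CLAIR_DB_PORT` and `CLAIR_DB_USERNAME` can stay here.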

View File

@ -3,10 +3,11 @@ kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-adminserver"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: adminserver
type: Opaque
data:
key: {{ .Values.adminserver.key | b64enc | quote }}
secretKey: {{ .Values.secretKey | b64enc | quote }}
EMAIL_PWD: {{ .Values.adminserver.emailPwd | b64enc | quote }}
HARBOR_ADMIN_PASSWORD: {{ .Values.adminserver.harborAdminPassword | b64enc | quote }}
MYSQL_PWD: {{ .Values.mysql.pass | b64enc | quote }}

View File

@ -3,20 +3,21 @@ kind: StatefulSet
metadata:
name: "{{ template "harbor.fullname" . }}-adminserver"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: adminserver
spec:
replicas: 1
serviceName: "{{ template "harbor.fullname" . }}"
serviceName: "{{ template "harbor.fullname" . }}-adminserver"
selector:
matchLabels:
{{ include "helm.matchLabels" . | indent 6 }}
{{ include "harbor.matchLabels" . | indent 6 }}
component: adminserver
template:
metadata:
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: adminserver
component: adminserver
spec:
containers:
- name: adminserver
@ -53,7 +54,7 @@ spec:
secret:
secretName: "{{ template "harbor.fullname" . }}-adminserver"
items:
- key: key
- key: secretKey
path: key
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:

View File

@ -2,12 +2,10 @@ apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.fullname" . }}-adminserver"
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
ports:
- port: 80
targetPort: 8080
selector:
{{ include "helm.matchLabels" . | indent 4 }}
component: adminserver
{{ include "harbor.matchLabels" . | indent 4 }}
component: adminserver

View File

@ -4,7 +4,8 @@ kind: ConfigMap
metadata:
name: {{ template "harbor.fullname" . }}
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: clair
data:
config.yaml: |
clair:

View File

@ -4,14 +4,18 @@ kind: Deployment
metadata:
name: {{ template "harbor.fullname" . }}-clair
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: clair
spec:
replicas: 1
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: clair
template:
metadata:
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: clair
spec:
containers:
@ -34,4 +38,4 @@ spec:
items:
- key: config.yaml
path: config.yaml
{{ end }}
{{ end }}

View File

@ -1,19 +1,4 @@
{{ if .Values.clair.enabled }}
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.fullname" . }}-clair"
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
ports:
- port: 6060
selector:
app: "{{ template "harbor.fullname" . }}"
component: adminserver
release: {{ .Release.Name }}
---
---
# clair host isn't configurable yet. this creates a service
# to get it working for now.
# see https://github.com/vmware/harbor/issues/3250
@ -21,11 +6,12 @@ apiVersion: v1
kind: Service
metadata:
name: clair
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 6060
selector:
app: "{{ template "harbor.fullname" . }}"
component: adminserver
release: {{ .Release.Name }}
{{ end }}
{{ include "harbor.matchLabels" . | indent 4 }}
component: clair
{{ end }}

View File

@ -4,8 +4,8 @@ kind: Secret
metadata:
name: {{ template "harbor.fullname" . }}-clair-pg-config
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
POSTGRES_PASSWORD: {{ .Values.clair.postgresPassword | b64enc | quote }}
{{ end }}
{{ end }}

View File

@ -4,19 +4,19 @@ kind: StatefulSet
metadata:
name: {{ template "harbor.fullname" . }}-clair-pg
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: clair-pg
spec:
serviceName: "{{ template "harbor.fullname" . }}-clair-pg"
selector:
matchLabels:
{{ include "helm.matchLabels" . | indent 6 }}
{{ include "harbor.matchLabels" . | indent 6 }}
component: clair-pg
template:
metadata:
name: {{ template "harbor.fullname" . }}-clair-pg
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: clair-pg
spec:
containers:
@ -55,7 +55,7 @@ spec:
- metadata:
name: pgdata
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
spec:
accessModes: [{{ .Values.clair.volumes.pgData.accessMode | quote }}]
{{- if .Values.clair.volumes.pgData.storageClass }}
@ -69,4 +69,4 @@ spec:
requests:
storage: {{ .Values.clair.volumes.pgData.size | quote }}
{{- end -}}
{{- end -}}
{{- end -}}

View File

@ -4,27 +4,11 @@ kind: Service
metadata:
name: {{ template "harbor.fullname" . }}-clair-pg
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 5432
selector:
{{ include "helm.matchLabels" . | indent 4 }}
{{ include "harbor.matchLabels" . | indent 4 }}
component: clair-pg
---
# clairdb host isn't configurable yet. this creates a service
# to get it working for now.
# see https://github.com/vmware/harbor/commit/f63588855f8d3b1b138d3be63ca165bb52ab930c
apiVersion: v1
kind: Service
metadata:
name: postgres
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
ports:
- port: 5432
selector:
{{ include "helm.matchLabels" . | indent 4 }}
component: clair-pg
{{ end }}
{{ end }}

View File

@ -3,16 +3,16 @@ kind: Ingress
metadata:
name: "{{ template "harbor.fullname" . }}-ingress"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/body-size: "0"
ingress.kubernetes.io/proxy-body-size: "0"
{{ toYaml .Values.ingress.annotations | indent 4 }}
spec:
{{ if not .Values.insecureRegistry }}
tls:
- hosts:
- "{{ .Values.externalDomain }}"
secretName: "{{ template "harbor.fullname" . }}-ingress"
{{ end }}
rules:
- host: "{{ .Values.externalDomain }}"
http:
@ -25,7 +25,3 @@ spec:
backend:
serviceName: {{ template "harbor.fullname" . }}-registry
servicePort: 5000
- path: /v1
backend:
serviceName: {{ template "harbor.fullname" . }}-fake-service
servicePort: 5000

View File

@ -1,11 +1,15 @@
{{ if not .Values.insecureRegistry }}
{{ $ca := genCA "harbor-ca" 365 }}
{{ $cert := genSignedCert .Values.externalDomain nil nil 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-ingress"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ .Values.tlsCrt | b64enc | quote }}
tls.key: {{ .Values.tlsKey | b64enc | quote }}
ca.crt: {{ .Values.caCrt | b64enc | quote }}
tls.crt: {{ .Values.tlsCrt | default $cert.Cert | b64enc | quote }}
tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
{{ end }}
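
Review bot: `genCA` and `genSignedCert` run on every render, so each `helm upgrade` replaces the root CA and server certificate, and the `ca.crt` that users copied into `/etc/docker/certs.d/` stops matching; the 365-day lifetime is also fixed in the template. The three `default` fallbacks are independent, so supplying `tlsCrt`/`tlsKey` without `caCrt` publishes a generated `ca.crt` that did not sign the served certificate. Document the regeneration in the README and take all three values from one source, either all user-supplied or all generated.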

View File

@ -3,7 +3,7 @@ kind: ConfigMap
metadata:
name: "{{ template "harbor.fullname" . }}-jobservice"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
data:
app.conf: |+
appname = jobservice

View File

@ -3,14 +3,18 @@ kind: Deployment
metadata:
name: "{{ template "harbor.fullname" . }}-jobservice"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: jobservice
spec:
replicas: 1
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: jobservice
template:
metadata:
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: jobservice
spec:
containers:
@ -50,7 +54,7 @@ spec:
secret:
secretName: "{{ template "harbor.fullname" . }}-jobservice"
items:
- key: key
- key: secretKey
path: key
- name: job-logs
emptyDir: {}

View File

@ -3,9 +3,9 @@ kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-jobservice"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
secretKey: {{ .Values.secretKey | b64enc | quote }}
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
key: {{ .Values.jobservice.key | b64enc | quote }}
UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}

View File

@ -3,11 +3,11 @@ kind: Service
metadata:
name: "{{ template "harbor.fullname" . }}-jobservice"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 80
targetPort: 8080
selector:
{{ include "helm.matchLabels" . | indent 4 }}
{{ include "harbor.matchLabels" . | indent 4 }}
component: jobservice

View File

@ -3,7 +3,7 @@ kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-mysql"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
mysqlRootPassword: {{ .Values.mysql.pass | b64enc | quote }}

View File

@ -3,19 +3,19 @@ kind: StatefulSet
metadata:
name: "{{ template "harbor.fullname" . }}-mysql"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: mysql
spec:
replicas: 1
serviceName: "{{ template "harbor.fullname" . }}-mysql"
selector:
matchLabels:
{{ include "helm.matchLabels" . | indent 6 }}
{{ include "harbor.matchLabels" . | indent 6 }}
component: mysql
template:
metadata:
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: mysql
spec:
containers:
@ -43,7 +43,7 @@ spec:
- metadata:
name: "mysql-data"
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
spec:
accessModes: [{{ .Values.mysql.volumes.data.accessMode | quote }}]
{{- if .Values.mysql.volumes.data.storageClass }}

View File

@ -3,10 +3,10 @@ kind: Service
metadata:
name: "{{ template "harbor.fullname" . }}-mysql"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 3306
selector:
{{ include "helm.matchLabels" . | indent 4 }}
component: mysql
{{ include "harbor.matchLabels" . | indent 4 }}
component: mysql

View File

@ -3,7 +3,7 @@ kind: ConfigMap
metadata:
name: "{{ template "harbor.fullname" . }}-registry"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
data:
config.yml: |+
version: 0.1

View File

@ -3,8 +3,8 @@ kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-registry"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
httpSecret: {{ .Values.registry.httpSecret | b64enc | quote }}
root.crt: {{ .Values.registry.rootCrt | b64enc | quote }}
root.crt: {{ .Values.registry.rootCrt | b64enc | quote }}

View File

@ -3,19 +3,19 @@ kind: StatefulSet
metadata:
name: "{{ template "harbor.fullname" . }}-registry"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: registry
spec:
replicas: 1
serviceName: "{{ template "harbor.fullname" . }}-registry"
selector:
matchLabels:
{{ include "helm.matchLabels" . | indent 6 }}
{{ include "harbor.matchLabels" . | indent 6 }}
component: registry
template:
metadata:
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: registry
spec:
containers:
@ -61,8 +61,8 @@ spec:
volumeClaimTemplates:
- metadata:
name: "registry-data"
labels:
{{ include "helm.labels" . | indent 8 }}
labels:
{{ include "harbor.labels" . | indent 8 }}
spec:
accessModes: [{{ .Values.registry.volumes.data.accessMode | quote }}]
{{- if .Values.registry.volumes.data.storageClass }}
@ -76,4 +76,4 @@ spec:
requests:
storage: {{ .Values.registry.volumes.data.size | quote }}
{{- end -}}
{{- end -}}
{{- end -}}

View File

@ -3,10 +3,10 @@ kind: Service
metadata:
name: "{{ template "harbor.fullname" . }}-registry"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 5000
selector:
{{ include "helm.matchLabels" . | indent 4 }}
component: registry
{{ include "harbor.matchLabels" . | indent 4 }}
component: registry

View File

@ -3,7 +3,7 @@ kind: ConfigMap
metadata:
name: "{{ template "harbor.fullname" . }}-ui"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
data:
app.conf: |+
appname = Harbor

View File

@ -3,14 +3,14 @@ kind: Deployment
metadata:
name: "{{ template "harbor.fullname" . }}-ui"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
component: ui
spec:
replicas: 1
template:
metadata:
labels:
{{ include "helm.labels" . | indent 8 }}
{{ include "harbor.matchLabels" . | indent 8 }}
component: ui
spec:
containers:
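
Review bot: the pod template labels here switch to `harbor.matchLabels`, while every other workload in this commit uses `harbor.labels` at that position, and this Deployment gets no `selector.matchLabels` block although the jobservice and clair Deployments gain one. Use `harbor.labels` for the template and add the matching selector with `component: ui`, so the ui pods carry the `heritage` and `chart` labels like the rest.
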
@ -64,7 +64,7 @@ spec:
secret:
secretName: "{{ template "harbor.fullname" . }}-ui"
items:
- key: key
- key: secretKey
path: key
- name: ui-secrets-private-key
secret:

View File

@ -3,10 +3,10 @@ kind: Secret
metadata:
name: "{{ template "harbor.fullname" . }}-ui"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
secretKey: {{ .Values.secretKey | b64enc | quote }}
secret: {{ .Values.ui.secret | b64enc | quote }}
key: {{ .Values.ui.key | b64enc | quote }}
private_key.pem: {{ .Values.ui.privateKeyPem | b64enc | quote }}
jobserviceSecret: {{ .Values.jobservice.secret | b64enc | quote }}
jobserviceSecret: {{ .Values.jobservice.secret | b64enc | quote }}

View File

@ -3,11 +3,11 @@ kind: Service
metadata:
name: "{{ template "harbor.fullname" . }}-ui"
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 80
targetPort: 8080
selector:
{{ include "helm.matchLabels" . | indent 4 }}
{{ include "harbor.matchLabels" . | indent 4 }}
component: ui

View File

@ -1,5 +1,5 @@
# Configure persisten Volumes per application
## Applications that require storage have a `volumes` defintion which will be used
## Applications that require storage have a `volumes` definition which will be used
## when `persistence.enabled` is set to true.
## example
# mysql:
@ -28,81 +28,34 @@
persistence:
enabled: false
externalDomain: harbor.192.168.99.100.xip.io
## tls_crt, tls_key, ca_crt should match the domain above
# The tag for Harbor docker images.
harborImageTag: &harbor_image_tag v1.4.0
tlsCrt: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
tlsKey: |
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
caCrt: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# The FQDN for Harbor service.
externalDomain: harbor.my.domain
# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
# Harbor FQDN as insecure-registries for your docker client.
insecureRegistry: false
# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
tlsCrt:
tlsKey:
caCrt:
# The secret key used for encryption. Must be a string of 16 chars.
secretKey: not-a-secure-key
# These annotations allow the registry to work behind the nginx
# ingress controller.
ingress:
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/body-size: "0"
ingress.kubernetes.io/proxy-body-size: "0"
adminserver:
image:
repository: vmware/harbor-adminserver
tag: v1.3.0
tag: *harbor_image_tag
pullPolicy: IfNotPresent
emailHost: "smtp.mydomain.com"
emailPort: "25"
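
Review bot: `secretKey: not-a-secure-key` ships a fixed, publicly known 16-character encryption key that the adminserver, jobservice and ui Secrets all read after this change, so any install that does not override it encrypts with a key taken from the repository. Leave the default empty, as the certificate values now are, and fail the render when it is unset or not 16 characters long.
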
@ -110,7 +63,7 @@ adminserver:
emailSsl: "false"
emailFrom: "admin <sample_admin@mydomain.com>"
emailIdentity: ""
key: not-a-secure-key
emailInsecure: "False"
emailPwd: not-a-secure-password
harborAdminPassword: Harbor12345
## Persist data to a persistent volume
@ -129,9 +82,8 @@ adminserver:
jobservice:
image:
repository: vmware/harbor-jobservice
tag: v1.3.0
tag: *harbor_image_tag
pullPolicy: IfNotPresent
key: not-a-secure-key
secret: not-a-secure-secret
# resources:
# requests:
@ -143,10 +95,9 @@ jobservice:
ui:
image:
repository: vmware/harbor-ui
tag: v1.3.0
tag: *harbor_image_tag
pullPolicy: IfNotPresent
secret: not-a-secure-secret
key: not-a-secure-key
privateKeyPem: |
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA4WYbxdrFGG6RnfyYKlHYML3lEqtA9cYWWOynE9BeaEr/cMnM
@ -211,7 +162,7 @@ ui:
mysql:
image:
repository: vmware/harbor-db
tag: v1.3.0
tag: *harbor_image_tag
pullPolicy: IfNotPresent
# If left blank will use the included mysql service name.
host: ~
@ -231,8 +182,8 @@ mysql:
registry:
image:
repository: registry
tag: "2.6.2"
repository: vmware/registry-photon
tag: v2.6.2-v1.4.0
pullPolicy: IfNotPresent
httpSecret: not-a-secure-secret
logLevel:
@ -296,12 +247,12 @@ registry:
## Enabling it will just break things.
#
clair:
enabled: false
postgresPassword: not-a-secure-password
enabled: true
image:
repository: vmware/clair
tag: v2.0.1-photon
repository: vmware/clair-photon
tag: v2.0.1-v1.4.0
pullPolicy: IfNotPresent
postgresPassword: not-a-secure-password
pgImage:
repository: postgres
tag: "9.6.4"
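
Review bot: `enabled: true` now sits directly under the context comment `## Enabling it will just break things.`; if that comment refers to Clair, remove or reword it in this hunk so the default and the warning do not contradict each other. With Clair on by default, `postgresPassword: not-a-secure-password` becomes an active credential, so the README should tell users to override it.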