Merge pull request #4682 from draeron/master

[Chart] Add switch for ingress TLS certificate generation
Jesse Hu 2018-04-17 18:02:03 +08:00 committed by GitHub
commit dcfd72528f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 19 additions and 1 deletions

View File

@ -1,5 +1,5 @@
name: harbor
version: 0.1.1
version: 0.1.2
appVersion: 1.4.0
description: An Enterprise-class Docker Registry by VMware
keywords:

View File

@ -57,11 +57,25 @@ You can add `harbor.my.domain` and IP mapping in the DNS server, or in /etc/host
Follow the `NOTES` section in the command output to get Harbor admin password and **add Harbor root CA into docker trusted certificates**.
If you are using an external service like [cert-manager](https://github.com/jetstack/cert-manager) for generating the TLS certificates,
you will want to disable the certificate generation by helm by setting the value `generateCertificates` to _false_. Then the ingress' annotations will be scanned
by _cert-manager_ and the appropriate secret will get created and updated by the service.
If using acme's certificates, do not forget to add the following annotation to
your ingress.
```yaml
ingress:
annotations:
kubernetes.io/tls-acme: "true"
```
The command deploys Harbor on the Kubernetes cluster in the default configuration.
The [configuration](#configuration) section lists the parameters that can be configured in values.yaml or via '--set' params during installation.
> **Tip**: List all releases using `helm list`
### Insecure Registry Mode
If setting Harbor Registry as insecure-registries for docker,
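Review bot: The cert-manager paragraph lands directly under the instruction to add the Harbor root CA into docker trusted certificates, but with `generateCertificates` set to false the chart no longer generates a CA, so a reader following both will look for a root CA that was never created. Suggest stating that the trust step applies only to chart-generated certificates, and naming the secret the external service is expected to populate, since "the appropriate secret" leaves the reader guessing which one the ingress references.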
@ -96,6 +110,7 @@ The following tables lists the configurable parameters of the Harbor chart and t
| `harborImageTag` | The tag for Harbor docker images | `v1.4.0` |
| `externalDomain` | Harbor will run on (https://`externalDomain`/). Recommend using K8s Ingress Controller FQDN as `externalDomain`, or make sure this FQDN resolves to the K8s Ingress Controller IP. | `harbor.my.domain` |
| `insecureRegistry` | If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add Harbor FQDN as insecure-registries for your docker client. | `false` |
| `generateCertificates` | Set to false if TLS certificate will be managed by an external service | `true` |
| `tlsCrt` | TLS certificate to use for Harbor's https endpoint. Its CN must match `externalDomain`. | auto-generated |
| `tlsKey` | TLS key to use for Harbor's https endpoint | auto-generated |
| `caCrt` | CA Cert for self signed TLS cert | auto-generated |
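Review bot: The `generateCertificates` row does not say how it interacts with the three rows under it: `tlsCrt`, `tlsKey` and `caCrt` still list their default as auto-generated, which only holds while `generateCertificates` is `true`. Suggest extending the description to say what happens to those three values when the switch is `false`, and that the switch has no effect when `insecureRegistry` is `true`.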

View File

@ -1,4 +1,5 @@
{{ if not .Values.insecureRegistry }}
{{ if .Values.generateCertificates }}
{{ $ca := genCA "harbor-ca" 365 }}
{{ $cert := genSignedCert .Values.externalDomain nil nil 365 $ca }}
apiVersion: v1
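Review bot: Style point on the two opening guards at the top of the template: the nested `if` adds a second `{{ end }}` at the bottom that is easy to lose track of. A single condition such as `{{ if and (not .Values.insecureRegistry) .Values.generateCertificates }}` expresses the same thing with one block to close.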
@ -13,3 +14,4 @@ data:
tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
{{ end }}
{{ end }}
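Review bot: The new guard closes after the `data:` block, so setting `generateCertificates` to false drops the whole Secret, including the `.Values.tlsKey | default $cert.Key` and `.Values.caCrt | default $ca.Cert` paths that carry user-supplied values. A user who sets `tlsCrt`/`tlsKey` and also turns the switch off gets no Secret and no error. Suggest either wrapping only the `genCA`/`genSignedCert` calls in the new condition and still rendering the Secret when the values are provided, or failing the render when the values are set while the switch is false, and documenting whichever behaviour is chosen.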

View File

@ -36,6 +36,7 @@ externalDomain: harbor.my.domain
# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
# Harbor FQDN as insecure-registries for your docker client.
insecureRegistry: false
generateCertificates: true
# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
tlsCrt:
tlsKey:
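Review bot: `generateCertificates: true` is added with no comment, while the keys on either side of it each have one. Suggest a comment line above it saying that false hands the TLS secret over to an external service such as cert-manager, and that `tlsCrt`/`tlsKey`/`caCrt` below are then not used by the chart.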