mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-27 04:35:16 +01:00
Merge pull request #4682 from draeron/master
[Chart] Add switch for ingress TLS certificate generation
This commit is contained in:
commit
dcfd72528f
@ -1,5 +1,5 @@
|
|||||||
name: harbor
|
name: harbor
|
||||||
version: 0.1.1
|
version: 0.1.2
|
||||||
appVersion: 1.4.0
|
appVersion: 1.4.0
|
||||||
description: An Enterprise-class Docker Registry by VMware
|
description: An Enterprise-class Docker Registry by VMware
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -57,11 +57,25 @@ You can add `harbor.my.domain` and IP mapping in the DNS server, or in /etc/host
|
|||||||
|
|
||||||
Follow the `NOTES` section in the command output to get Harbor admin password and **add Harbor root CA into docker trusted certificates**.
|
Follow the `NOTES` section in the command output to get Harbor admin password and **add Harbor root CA into docker trusted certificates**.
|
||||||
|
|
||||||
|
If you are using an external service like [cert-manager](https://github.com/jetstack/cert-manager) for generating the TLS certificates,
|
||||||
|
you will want to disable the certificate generation by helm by setting the value `generateCertificates` to _false_. Then the ingress' annotations will be scanned
|
||||||
|
by _cert-manager_ and the appropriate secret will get created and updated by the service.
|
||||||
|
|
||||||
|
If using acme's certificates, do not forget to add the following annotation to
|
||||||
|
your ingress.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/tls-acme: "true"
|
||||||
|
```
|
||||||
|
|
||||||
The command deploys Harbor on the Kubernetes cluster in the default configuration.
|
The command deploys Harbor on the Kubernetes cluster in the default configuration.
|
||||||
The [configuration](#configuration) section lists the parameters that can be configured in values.yaml or via '--set' params during installation.
|
The [configuration](#configuration) section lists the parameters that can be configured in values.yaml or via '--set' params during installation.
|
||||||
|
|
||||||
> **Tip**: List all releases using `helm list`
|
> **Tip**: List all releases using `helm list`
|
||||||
|
|
||||||
|
|
||||||
### Insecure Registry Mode
|
### Insecure Registry Mode
|
||||||
|
|
||||||
If setting Harbor Registry as insecure-registries for docker,
|
If setting Harbor Registry as insecure-registries for docker,
|
||||||
@ -96,6 +110,7 @@ The following tables lists the configurable parameters of the Harbor chart and t
|
|||||||
| `harborImageTag` | The tag for Harbor docker images | `v1.4.0` |
|
| `harborImageTag` | The tag for Harbor docker images | `v1.4.0` |
|
||||||
| `externalDomain` | Harbor will run on (https://`externalDomain`/). Recommend using K8s Ingress Controller FQDN as `externalDomain`, or make sure this FQDN resolves to the K8s Ingress Controller IP. | `harbor.my.domain` |
|
| `externalDomain` | Harbor will run on (https://`externalDomain`/). Recommend using K8s Ingress Controller FQDN as `externalDomain`, or make sure this FQDN resolves to the K8s Ingress Controller IP. | `harbor.my.domain` |
|
||||||
| `insecureRegistry` | If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add Harbor FQDN as insecure-registries for your docker client. | `false` |
|
| `insecureRegistry` | If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add Harbor FQDN as insecure-registries for your docker client. | `false` |
|
||||||
|
| `generateCertificates` | Set to false if TLS certificate will be managed by an external service | `true` |
|
||||||
| `tlsCrt` | TLS certificate to use for Harbor's https endpoint. Its CN must match `externalDomain`. | auto-generated |
|
| `tlsCrt` | TLS certificate to use for Harbor's https endpoint. Its CN must match `externalDomain`. | auto-generated |
|
||||||
| `tlsKey` | TLS key to use for Harbor's https endpoint | auto-generated |
|
| `tlsKey` | TLS key to use for Harbor's https endpoint | auto-generated |
|
||||||
| `caCrt` | CA Cert for self signed TLS cert | auto-generated |
|
| `caCrt` | CA Cert for self signed TLS cert | auto-generated |
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
{{ if not .Values.insecureRegistry }}
|
{{ if not .Values.insecureRegistry }}
|
||||||
|
{{ if .Values.generateCertificates }}
|
||||||
{{ $ca := genCA "harbor-ca" 365 }}
|
{{ $ca := genCA "harbor-ca" 365 }}
|
||||||
{{ $cert := genSignedCert .Values.externalDomain nil nil 365 $ca }}
|
{{ $cert := genSignedCert .Values.externalDomain nil nil 365 $ca }}
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
@ -13,3 +14,4 @@ data:
|
|||||||
tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
|
tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
|
||||||
ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
|
ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
@ -36,6 +36,7 @@ externalDomain: harbor.my.domain
|
|||||||
# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
|
# If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
|
||||||
# Harbor FQDN as insecure-registries for your docker client.
|
# Harbor FQDN as insecure-registries for your docker client.
|
||||||
insecureRegistry: false
|
insecureRegistry: false
|
||||||
|
generateCertificates: true
|
||||||
# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
|
# The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
|
||||||
tlsCrt:
|
tlsCrt:
|
||||||
tlsKey:
|
tlsKey:
|
||||||
|
Loading…
Reference in New Issue
Block a user