mirror of
https://github.com/bitnami/charts.git
synced 2026-04-03 15:57:08 +08:00
[bitnami/harbor] Add service account for Harbor resources (#27067)
* [bitnami/harbor] feat: add service account for harbor resources
  Signed-off-by: Long Bao <longbao128@gmail.com>
  Signed-off-by: Long Bao <long.nguyen.bao@trustingsocial.com>
* [bitnami/harbor] fix: lint for trivy
  Signed-off-by: Long Bao <longbao128@gmail.com>
  Signed-off-by: Long Bao <long.nguyen.bao@trustingsocial.com>
* fix: automountServiceAccountToken at pod level
  Signed-off-by: Long Bao <longbao128@gmail.com>
  Signed-off-by: Long Bao <long.nguyen.bao@trustingsocial.com>
* Update CHANGELOG.md
  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
* Update CHANGELOG.md
  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
* Update CHANGELOG.md
  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
* Update values description
  Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
  Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
* Bump major version
  Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
  Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
* Update CHANGELOG.md
  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
* Update README.md with readme-generator-for-helm
  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
* Update README.md upgrading notes
  Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
  Signed-off-by: Miguel Ruiz <miruiz@vmware.com>

---------

Signed-off-by: Long Bao <longbao128@gmail.com>
Signed-off-by: Long Bao <long.nguyen.bao@trustingsocial.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Long Bao <73820219+longnbao@users.noreply.github.com>
Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Miguel Ruiz <miruiz@vmware.com>
@@ -1,8 +1,13 @@
|
||||
# Changelog
|
||||
|
||||
## 21.4.7 (2024-07-03)
|
||||
## 22.0.0 (2024-07-09)
|
||||
|
||||
* [bitnami/harbor] Release 21.4.7 ([#27691](https://github.com/bitnami/charts/pull/27691))
|
||||
* [bitnami/harbor] Add service account for Harbor resources ([#27067](https://github.com/bitnami/charts/pull/27067))
|
||||
|
||||
## <small>21.4.7 (2024-07-03)</small>
|
||||
|
||||
* [bitnami/*] Update README changing TAC wording (#27530) ([52dfed6](https://github.com/bitnami/charts/commit/52dfed6bac44d791efabfaf06f15daddc4fefb0c)), closes [#27530](https://github.com/bitnami/charts/issues/27530)
|
||||
* [bitnami/harbor] Release 21.4.7 (#27691) ([6b5d149](https://github.com/bitnami/charts/commit/6b5d14984d42ec77ecb495e82be4fe40a6f16f91)), closes [#27691](https://github.com/bitnami/charts/issues/27691)
|
||||
|
||||
## <small>21.4.6 (2024-06-18)</small>
|
||||
|
||||
|
||||
@@ -55,4 +55,4 @@ maintainers:
|
||||
name: harbor
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/harbor
|
||||
version: 21.4.7
|
||||
version: 22.0.0
|
||||
|
||||
@@ -424,8 +424,11 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `nginx.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `nginx.updateStrategy.type` | NGINX deployment strategy type - only really applicable for deployments with RWO PVs attached | `RollingUpdate` |
|
||||
| `nginx.lifecycleHooks` | LifecycleHook for the NGINX container(s) to automate configuration before or after startup | `{}` |
|
||||
| `nginx.serviceAccountName` | Set the service account name for the NGINX pods | `""` |
|
||||
| `nginx.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `nginx.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
|
||||
| `nginx.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `nginx.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `nginx.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| `nginx.hostAliases` | NGINX pods host aliases | `[]` |
|
||||
| `nginx.podLabels` | Add additional labels to the NGINX pods (evaluated as a template) | `{}` |
|
||||
| `nginx.podAnnotations` | Annotations to add to the NGINX pods (evaluated as a template) | `{}` |
|
||||
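Review bot: The table now documents two switches with the same leaf name, `nginx.automountServiceAccountToken` ("Mount Service Account token in pod") and `nginx.serviceAccount.automountServiceAccountToken` ("Allows auto mount of ServiceAccountToken on the serviceAccount created"), without saying how they interact. In Kubernetes the pod-spec field takes precedence over the ServiceAccount field, so setting only the `serviceAccount.*` value to `true` has no effect if the pod template renders the pod-level value of `false`. Suggest stating the precedence in both descriptions; the same wording is repeated in the portal, core, jobservice, registry, trivy and exporter tables.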
@@ -535,8 +538,11 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `portal.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `portal.pdb.minAvailable` and `portal.pdb.maxUnavailable` are empty. | `""` |
|
||||
| `portal.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Harbor Portal pods | `[]` |
|
||||
| `portal.extraVolumes` | Optionally specify extra list of additional volumes for the Harbor Portal pods | `[]` |
|
||||
| `portal.serviceAccountName` | Set the service account name for the Harbor Portal pods | `""` |
|
||||
| `portal.automountServiceAccountToken` | Automount service account token | `false` |
|
||||
| `portal.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `portal.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
|
||||
| `portal.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `portal.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `portal.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| `portal.service.ports.http` | Harbor Portal HTTP service port | `80` |
|
||||
| `portal.service.ports.https` | Harbor Portal HTTPS service port | `443` |
|
||||
| `portal.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
@@ -640,8 +646,11 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `core.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `core.pdb.minAvailable` and `core.pdb.maxUnavailable` are empty. | `""` |
|
||||
| `core.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Harbor Core pods | `[]` |
|
||||
| `core.extraVolumes` | Optionally specify extra list of additional volumes for the Harbor Core pods | `[]` |
|
||||
| `core.serviceAccountName` | Set the service account name for the Harbor Core pods | `""` |
|
||||
| `core.automountServiceAccountToken` | Automount service account token | `false` |
|
||||
| `core.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `core.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
|
||||
| `core.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `core.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `core.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| `core.service.ports.http` | Harbor Core HTTP service port | `80` |
|
||||
| `core.service.ports.https` | Harbor Core HTTPS service port | `443` |
|
||||
| `core.service.ports.metrics` | Harbor Core metrics service port | `8001` |
|
||||
@@ -740,8 +749,11 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `jobservice.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `jobservice.pdb.minAvailable` and `jobservice.pdb.maxUnavailable` are empty. | `""` |
|
||||
| `jobservice.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Harbor Jobservice pods | `[]` |
|
||||
| `jobservice.extraVolumes` | Optionally specify extra list of additional volumes for the Harbor Jobservice pods | `[]` |
|
||||
| `jobservice.serviceAccountName` | Set the service account name for the Harbor Jobservice pods | `""` |
|
||||
| `jobservice.automountServiceAccountToken` | Automount service account token | `false` |
|
||||
| `jobservice.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `jobservice.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
|
||||
| `jobservice.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `jobservice.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `jobservice.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| `jobservice.service.ports.http` | Harbor Jobservice HTTP service port | `80` |
|
||||
| `jobservice.service.ports.https` | Harbor Jobservice HTTPS service port | `443` |
|
||||
| `jobservice.service.ports.metrics` | Harbor Jobservice HTTPS service port | `8001` |
|
||||
@@ -798,8 +810,11 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `registry.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
|
||||
| `registry.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `registry.pdb.minAvailable` and `registry.pdb.maxUnavailable` are empty. | `""` |
|
||||
| `registry.extraVolumes` | Optionally specify extra list of additional volumes for the Harbor Registry pods | `[]` |
|
||||
| `registry.serviceAccountName` | Set the service account name for the Registry pods | `""` |
|
||||
| `registry.automountServiceAccountToken` | Automount service account token | `false` |
|
||||
| `registry.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `registry.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
|
||||
| `registry.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `registry.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `registry.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| `registry.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `registry.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `registry.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
@@ -1001,8 +1016,11 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `trivy.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `trivy.pdb.minAvailable` and `trivy.pdb.maxUnavailable` are empty. | `""` |
|
||||
| `trivy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Trivy pods | `[]` |
|
||||
| `trivy.extraVolumes` | Optionally specify extra list of additional volumes for the Trivy pods | `[]` |
|
||||
| `trivy.serviceAccountName` | Set the service account name for the Trivy pods | `""` |
|
||||
| `trivy.automountServiceAccountToken` | Automount service account token | `false` |
|
||||
| `trivy.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `trivy.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
|
||||
| `trivy.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `trivy.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `trivy.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| `trivy.service.ports.http` | Trivy HTTP service port | `8080` |
|
||||
| `trivy.service.ports.https` | Trivy HTTPS service port | `8443` |
|
||||
| `trivy.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
@@ -1081,7 +1099,6 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `exporter.affinity` | Harbor Exporter Affinity for pod assignment | `{}` |
|
||||
| `exporter.priorityClassName` | Exporter pods Priority Class Name | `""` |
|
||||
| `exporter.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
|
||||
| `exporter.serviceAccountName` | Name of the serviceAccountName for Harbor Exporter pods | `""` |
|
||||
| `exporter.nodeSelector` | Harbor Exporter Node labels for pod assignment | `{}` |
|
||||
| `exporter.tolerations` | Harbor Exporter Tolerations for pod assignment | `[]` |
|
||||
| `exporter.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
|
||||
@@ -1092,7 +1109,11 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `exporter.extraVolumeMounts` | | `[]` |
|
||||
| `exporter.extraVolumes` | | `[]` |
|
||||
| `exporter.sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` |
|
||||
| `exporter.automountServiceAccountToken` | Automount service account token | `false` |
|
||||
| `exporter.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `exporter.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
|
||||
| `exporter.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `exporter.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `exporter.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| `exporter.service.ports.metrics` | Exporter HTTP service port | `8001` |
|
||||
| `exporter.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `exporter.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
@@ -1196,6 +1217,20 @@ Find more information about how to deal with common errors related to Bitnami's
|
||||
|
||||
## Upgrading
|
||||
|
||||
### To 22.0.0
|
||||
|
||||
This major version renames the following values:
|
||||
|
||||
- `nginx.serviceAccountName` was renamed as `nginx.serviceAccount.name`.
|
||||
- `portal.serviceAccountName` was renamed as `portal.serviceAccount.name`.
|
||||
- `core.serviceAccountName` was renamed as `core.serviceAccount.name`.
|
||||
- `jobservice.serviceAccountName` was renamed as `jobservice.serviceAccount.name`.
|
||||
- `registry.serviceAccountName` was renamed as `registry.serviceAccount.name`.
|
||||
- `trivy.serviceAccountName` was renamed as `trivy.serviceAccount.name`.
|
||||
- `exporter.serviceAccountName` was renamed as `exporter.serviceAccount.name`.
|
||||
|
||||
Additionally, this major version adds support for serviceAccount creation in the Helm chart.
|
||||
|
||||
### To 21.0.0
|
||||
|
||||
This major bump changes the following security defaults:
|
||||
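Review bot: The "To 22.0.0" notes list only the renames, but the README table in this same change gives `registry.serviceAccount.create` a default of `true` while the other six components default to `false`. An upgrade with untouched values will therefore create a new ServiceAccount for the registry and run the registry pods under it. Suggest saying so in this section, or aligning the registry default with the other components if the difference is unintended.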
@@ -1443,4 +1478,4 @@ Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
limitations under the License.
|
||||
|
||||
@@ -468,3 +468,80 @@ TRACE_OTEL_TIMEOUT: {{ .Values.tracing.otel.timeout | quote }}
|
||||
TRACE_OTEL_INSECURE: {{ .Values.tracing.otel.insecure | quote }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the Harbor Core
|
||||
*/}}
|
||||
{{- define "harbor.core.serviceAccountName" -}}
|
||||
{{- if .Values.core.serviceAccount.create -}}
|
||||
{{ default (include "harbor.core" .) .Values.core.serviceAccount.name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.core.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the Harbor Registry
|
||||
*/}}
|
||||
{{- define "harbor.registry.serviceAccountName" -}}
|
||||
{{- if .Values.registry.serviceAccount.create -}}
|
||||
{{ default (include "harbor.registry" .) .Values.registry.serviceAccount.name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.registry.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the Harbor Portal
|
||||
*/}}
|
||||
{{- define "harbor.portal.serviceAccountName" -}}
|
||||
{{- if .Values.portal.serviceAccount.create -}}
|
||||
{{ default (include "harbor.portal" .) .Values.portal.serviceAccount.name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.portal.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the Harbor Jobservice
|
||||
*/}}
|
||||
{{- define "harbor.jobservice.serviceAccountName" -}}
|
||||
{{- if .Values.jobservice.serviceAccount.create -}}
|
||||
{{ default (include "harbor.jobservice" .) .Values.jobservice.serviceAccount.name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.jobservice.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the Harbor Exporter
|
||||
*/}}
|
||||
{{- define "harbor.exporter.serviceAccountName" -}}
|
||||
{{- if .Values.exporter.serviceAccount.create -}}
|
||||
{{ default (include "harbor.exporter" .) .Values.exporter.serviceAccount.name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.exporter.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the Trivy
|
||||
*/}}
|
||||
{{- define "harbor.trivy.serviceAccountName" -}}
|
||||
{{- if .Values.trivy.serviceAccount.create -}}
|
||||
{{ default (include "harbor.trivy" .) .Values.trivy.serviceAccount.name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.trivy.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use for the Harbor Nginx
|
||||
*/}}
|
||||
{{- define "harbor.nginx.serviceAccountName" -}}
|
||||
{{- if .Values.nginx.serviceAccount.create -}}
|
||||
{{ default (include "harbor.nginx" .) .Values.nginx.serviceAccount.name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.nginx.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
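Review bot: None of these helpers reads the legacy `.Values.<component>.serviceAccountName` key, so a release that still sets only the old key falls into the `else` branch and resolves `default "default" .Values.core.serviceAccount.name` to the namespace's `default` ServiceAccount, with no error at render time. Because the deployments now call these helpers unconditionally, that is a silent identity change for the pods on upgrade. Suggest a `fail` guard when the old key is non-empty, or falling back to it before `"default"`. As a smaller style point, the seven definitions differ only in the component name and could be one helper that takes the component as an argument.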
@@ -69,9 +69,7 @@ spec:
|
||||
{{- if .Values.core.schedulerName }}
|
||||
schedulerName: {{ .Values.core.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.core.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.core.serviceAccountName }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "harbor.core.serviceAccountName" . }}
|
||||
{{- if .Values.core.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.core.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
19
bitnami/harbor/templates/core/core-service-account.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.core.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "harbor.core.serviceAccountName" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: core
|
||||
{{- if or .Values.core.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.core.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.core.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
@@ -67,9 +67,7 @@ spec:
|
||||
{{- if .Values.exporter.schedulerName }}
|
||||
schedulerName: {{ .Values.exporter.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.exporter.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.exporter.serviceAccountName }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "harbor.exporter.serviceAccountName" .}}
|
||||
{{- if .Values.exporter.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.exporter.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
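Review bot: Style nit on the new line `serviceAccountName: {{ include "harbor.exporter.serviceAccountName" .}}`: the space before `}}` is missing, while the core, jobservice, nginx, portal, registry and trivy deployments in this change write `. }}`. It renders the same, but please make it consistent with the others.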
@@ -0,0 +1,19 @@
|
||||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.exporter.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "harbor.exporter.serviceAccountName" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: exporter
|
||||
{{- if or .Values.exporter.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.exporter.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.exporter.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
@@ -69,9 +69,7 @@ spec:
|
||||
{{- if .Values.jobservice.schedulerName }}
|
||||
schedulerName: {{ .Values.jobservice.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.jobservice.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "harbor.jobservice.serviceAccountName" . }}
|
||||
{{- if .Values.jobservice.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.jobservice.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.jobservice.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "harbor.jobservice.serviceAccountName" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: jobservice
|
||||
{{- if or .Values.jobservice.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.jobservice.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.jobservice.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
@@ -70,9 +70,7 @@ spec:
|
||||
{{- if .Values.nginx.schedulerName }}
|
||||
schedulerName: {{ .Values.nginx.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.nginx.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.nginx.serviceAccountName }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "harbor.nginx.serviceAccountName" . }}
|
||||
{{- if .Values.nginx.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.nginx.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
19
bitnami/harbor/templates/nginx/service-account.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.nginx.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "harbor.nginx.serviceAccountName" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: nginx
|
||||
{{- if or .Values.nginx.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.nginx.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.nginx.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
@@ -64,9 +64,7 @@ spec:
|
||||
{{- if .Values.portal.schedulerName }}
|
||||
schedulerName: {{ .Values.portal.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.portal.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.portal.serviceAccountName }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "harbor.portal.serviceAccountName" . }}
|
||||
{{- if .Values.portal.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.portal.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
19
bitnami/harbor/templates/portal/portal-service-account.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.portal.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "harbor.portal.serviceAccountName" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: portal
|
||||
{{- if or .Values.portal.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.portal.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.portal.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
@@ -68,9 +68,7 @@ spec:
|
||||
{{- if .Values.registry.schedulerName }}
|
||||
schedulerName: {{ .Values.registry.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.registry.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.registry.serviceAccountName }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "harbor.registry.serviceAccountName" . }}
|
||||
{{- if .Values.registry.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.registry.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.registry.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "harbor.registry.serviceAccountName" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: registry
|
||||
{{- if or .Values.registry.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.registry.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.registry.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
19
bitnami/harbor/templates/trivy/trivy-service-account.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
{{- /*
|
||||
Copyright Broadcom, Inc. All Rights Reserved.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.trivy.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "harbor.trivy.serviceAccountName" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: trivy
|
||||
{{- if or .Values.trivy.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.trivy.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.trivy.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
@@ -66,9 +66,7 @@ spec:
|
||||
{{- if .Values.trivy.schedulerName }}
|
||||
schedulerName: {{ .Values.trivy.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.trivy.serviceAccountName }}
|
||||
serviceAccountName: {{ .Values.trivy.serviceAccountName }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "harbor.trivy.serviceAccountName" . }}
|
||||
{{- if .Values.trivy.podSecurityContext.enabled }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.trivy.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -838,12 +838,25 @@ nginx:
|
||||
## @param nginx.lifecycleHooks LifecycleHook for the NGINX container(s) to automate configuration before or after startup
|
||||
##
|
||||
lifecycleHooks: {}
|
||||
## @param nginx.serviceAccountName Set the service account name for the NGINX pods
|
||||
##
|
||||
serviceAccountName: ""
|
||||
## @param nginx.automountServiceAccountToken Mount Service Account token in pod
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## Harbor Nginx ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
## @param nginx.serviceAccount.create Specifies whether a ServiceAccount should be created
|
||||
##
|
||||
create: false
|
||||
## @param nginx.serviceAccount.name The name of the ServiceAccount to use.
|
||||
## If not set and create is true, a name is generated using the common.names.fullname template
|
||||
##
|
||||
name: ""
|
||||
## @param nginx.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## @param nginx.serviceAccount.annotations Additional custom annotations for the ServiceAccount
|
||||
##
|
||||
annotations: {}
|
||||
## @param nginx.hostAliases NGINX pods host aliases
|
||||
##
|
||||
hostAliases: []
|
||||
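Review bot: After this change there are two settings with the same name, `nginx.automountServiceAccountToken` (pod) and `nginx.serviceAccount.automountServiceAccountToken` (ServiceAccount), and neither description says which one takes effect. In Kubernetes the pod-level field takes precedence over the ServiceAccount's, so a user who sets only the ServiceAccount one to true will still get no token while the pod-level default stays false. Please say so in the two `@param` descriptions.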
@@ -1288,12 +1301,25 @@ portal:
|
||||
## @param portal.extraVolumes Optionally specify extra list of additional volumes for the Harbor Portal pods
|
||||
##
|
||||
extraVolumes: []
|
||||
## @param portal.serviceAccountName Set the service account name for the Harbor Portal pods
|
||||
##
|
||||
serviceAccountName: ""
|
||||
## @param portal.automountServiceAccountToken Automount service account token
|
||||
## @param portal.automountServiceAccountToken Mount Service Account token in pod
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## Harbor Portal ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
## @param portal.serviceAccount.create Specifies whether a ServiceAccount should be created
|
||||
##
|
||||
create: false
|
||||
## @param portal.serviceAccount.name The name of the ServiceAccount to use.
|
||||
## If not set and create is true, a name is generated using the common.names.fullname template
|
||||
##
|
||||
name: ""
|
||||
## @param portal.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## @param portal.serviceAccount.annotations Additional custom annotations for the ServiceAccount
|
||||
##
|
||||
annotations: {}
|
||||
## Harbor Portal service configuration
|
||||
##
|
||||
service:
|
||||
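Review bot: The comment under `portal.serviceAccount.name` covers only the case "not set and create is true", but the defaults added here are `create: false` and `name: ""`, and that case is not described. Please document which ServiceAccount the Portal pods run as with the defaults, so that users who previously relied on `portal.serviceAccountName` know what to set.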
@@ -1703,12 +1729,25 @@ core:
|
||||
## @param core.extraVolumes Optionally specify extra list of additional volumes for the Harbor Core pods
|
||||
##
|
||||
extraVolumes: []
|
||||
## @param core.serviceAccountName Set the service account name for the Harbor Core pods
|
||||
##
|
||||
serviceAccountName: ""
|
||||
## @param core.automountServiceAccountToken Automount service account token
|
||||
## @param core.automountServiceAccountToken Mount Service Account token in pod
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## Harbor Core ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
## @param core.serviceAccount.create Specifies whether a ServiceAccount should be created
|
||||
##
|
||||
create: false
|
||||
## @param core.serviceAccount.name The name of the ServiceAccount to use.
|
||||
## If not set and create is true, a name is generated using the common.names.fullname template
|
||||
##
|
||||
name: ""
|
||||
## @param core.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## @param core.serviceAccount.annotations Additional custom annotations for the ServiceAccount
|
||||
##
|
||||
annotations: {}
|
||||
## Harbor Core service configuration
|
||||
##
|
||||
service:
|
||||
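Review bot: The description of `core.serviceAccount.name` says the generated name comes from the `common.names.fullname` template, and the same sentence is used for every component's `serviceAccount` block in this file. If each component gets its own ServiceAccount, the comment should state the per-component suffix that is appended; as written it reads as if all components share one generated name.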
@@ -2090,12 +2129,25 @@ jobservice:
|
||||
## @param jobservice.extraVolumes Optionally specify extra list of additional volumes for the Harbor Jobservice pods
|
||||
##
|
||||
extraVolumes: []
|
||||
## @param jobservice.serviceAccountName Set the service account name for the Harbor Jobservice pods
|
||||
##
|
||||
serviceAccountName: ""
|
||||
## @param jobservice.automountServiceAccountToken Automount service account token
|
||||
## @param jobservice.automountServiceAccountToken Mount Service Account token in pod
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## Harbor Jobservice ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
## @param jobservice.serviceAccount.create Specifies whether a ServiceAccount should be created
|
||||
##
|
||||
create: false
|
||||
## @param jobservice.serviceAccount.name The name of the ServiceAccount to use.
|
||||
## If not set and create is true, a name is generated using the common.names.fullname template
|
||||
##
|
||||
name: ""
|
||||
## @param jobservice.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## @param jobservice.serviceAccount.annotations Additional custom annotations for the ServiceAccount
|
||||
##
|
||||
annotations: {}
|
||||
## Harbor Jobservice service configuration
|
||||
##
|
||||
service:
|
||||
@@ -2348,12 +2400,25 @@ registry:
|
||||
## @param registry.extraVolumes Optionally specify extra list of additional volumes for the Harbor Registry pods
|
||||
##
|
||||
extraVolumes: []
|
||||
## @param registry.serviceAccountName Set the service account name for the Registry pods
|
||||
##
|
||||
serviceAccountName: ""
|
||||
## @param registry.automountServiceAccountToken Automount service account token
|
||||
## @param registry.automountServiceAccountToken Mount Service Account token in pod
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## Harbor Registry ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
## @param registry.serviceAccount.create Specifies whether a ServiceAccount should be created
|
||||
##
|
||||
create: true
|
||||
## @param registry.serviceAccount.name The name of the ServiceAccount to use.
|
||||
## If not set and create is true, a name is generated using the common.names.fullname template
|
||||
##
|
||||
name: ""
|
||||
## @param registry.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## @param registry.serviceAccount.annotations Additional custom annotations for the ServiceAccount
|
||||
##
|
||||
annotations: {}
|
||||
## Network Policies
|
||||
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
||||
##
|
||||
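Review bot: `registry.serviceAccount.create` defaults to `true` here, while the nginx, portal, core, jobservice, trivy and exporter blocks in the same file all default to `create: false`. If the registry needs its own ServiceAccount by default, add a sentence to the `@param` description explaining why; if not, align it with the others so that a default install does not create an extra identity only for this component.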
@@ -3086,12 +3151,25 @@ trivy:
|
||||
## @param trivy.extraVolumes Optionally specify extra list of additional volumes for the Trivy pods
|
||||
##
|
||||
extraVolumes: []
|
||||
## @param trivy.serviceAccountName Set the service account name for the Trivy pods
|
||||
##
|
||||
serviceAccountName: ""
|
||||
## @param trivy.automountServiceAccountToken Automount service account token
|
||||
## @param trivy.automountServiceAccountToken Mount Service Account token in pod
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## Trivy ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
## @param trivy.serviceAccount.create Specifies whether a ServiceAccount should be created
|
||||
##
|
||||
create: false
|
||||
## @param trivy.serviceAccount.name The name of the ServiceAccount to use.
|
||||
## If not set and create is true, a name is generated using the common.names.fullname template
|
||||
##
|
||||
name: ""
|
||||
## @param trivy.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## @param trivy.serviceAccount.annotations Additional custom annotations for the ServiceAccount
|
||||
##
|
||||
annotations: {}
|
||||
## Trivy service configuration
|
||||
##
|
||||
service:
|
||||
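Review bot: `trivy.serviceAccount.annotations` and `trivy.serviceAccount.automountServiceAccountToken` are only consumed by trivy-service-account.yaml, which is wrapped entirely in `{{- if .Values.trivy.serviceAccount.create }}`, so with the default `create: false` both values are ignored. The `@param` descriptions should say that they apply only when `create` is true, which matters to anyone who sets annotations expecting them to reach an existing ServiceAccount.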
@@ -3388,10 +3466,6 @@ exporter:
|
||||
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
||||
##
|
||||
schedulerName: ""
|
||||
## @param exporter.serviceAccountName Name of the serviceAccountName for Harbor Exporter pods
|
||||
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
||||
##
|
||||
serviceAccountName: ""
|
||||
## @param exporter.nodeSelector Harbor Exporter Node labels for pod assignment
|
||||
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
|
||||
##
|
||||
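Review bot: Removing `exporter.serviceAccountName` from values.yaml means a values file that still sets it is ignored rather than rejected (unless a schema catches it), so the Exporter pods can change ServiceAccount on upgrade without any message. Consider a validation in the chart that fails or warns when the old key is set and points to `exporter.serviceAccount.name`.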
@@ -3426,9 +3500,25 @@ exporter:
|
||||
## @param exporter.sidecars Attach additional containers to the pod (evaluated as a template)
|
||||
##
|
||||
sidecars: []
|
||||
## @param exporter.automountServiceAccountToken Automount service account token
|
||||
## @param exporter.automountServiceAccountToken Mount Service Account token in pod
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## Harbor Exporter ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
## @param exporter.serviceAccount.create Specifies whether a ServiceAccount should be created
|
||||
##
|
||||
create: false
|
||||
## @param exporter.serviceAccount.name The name of the ServiceAccount to use.
|
||||
## If not set and create is true, a name is generated using the common.names.fullname template
|
||||
##
|
||||
name: ""
|
||||
## @param exporter.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
|
||||
##
|
||||
automountServiceAccountToken: false
|
||||
## @param exporter.serviceAccount.annotations Additional custom annotations for the ServiceAccount
|
||||
##
|
||||
annotations: {}
|
||||
## Exporter service configuration
|
||||
##
|
||||
service:
|
||||
|
||||