[bitnami/harbor] Major change: Add Trivy and adapt to Bitnami standards (#2544)

* [bitnami/harbor] Major change: Add Trivy and

* Update gitignore

* Remove .vscode

* Add common

* Final changes

* Remove notifier from clair.yaml

* Update trivy to use bitnami image

* Apply changes

* Update image

* Remove useless stuff

* Add Internal TLS

* Update Chart.yaml

* Update values.yaml

* Update configmap-https.yaml

* Update core-secret-envvars.yaml

* [bitnami/harbor] Update components versions

Signed-off-by: Bitnami Containers <containers@bitnami.com>

Co-authored-by: Bitnami Containers <containers@bitnami.com>
This commit is contained in:
Javier J. Salmerón-García
2020-06-10 22:03:00 +02:00
committed by GitHub
parent ceae2e693b
commit 83b56abeed
59 changed files with 5891 additions and 2142 deletions

@@ -1,7 +1,7 @@
apiVersion: v1
name: harbor
version: 5.4.0
appVersion: 1.10.2
version: 6.0.0
appVersion: 2.0.0
description: Harbor is an an open source trusted cloud native registry project that stores, signs, and scans content
keywords:
- docker
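Review bot: the bump from `version: 5.4.0` to `version: 6.0.0` is the right call for this Chart.yaml hunk, because the README hunk below renames user-facing values (`service.tls.secretName` becomes `service.tls.existingSecret`, `service.ingress.*` moves to `ingress.*`, and `service.nodePort.ports.*` collapses into `service.nodePorts.*`), so a 5.x values file that still sets the old keys will no longer take effect unless the chart keeps aliases; please add an upgrade note to the README that lists the renamed keys so nobody silently loses their TLS secret or ingress hosts on `helm upgrade`. While touching this file, the unchanged `description:` context line reads `is an an open source` (doubled article) and is worth fixing in the same commit, and since `appVersion` moves to `2.0.0` the notes should say explicitly that this release tracks Harbor 2.0.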

@@ -51,271 +51,631 @@ Additionaly, if `persistence.resourcePolicy` is set to `keep`, you should manual
## Parameters
The following table lists the configurable parameters of the Harbor chart and the default values. They can be configured in `values.yaml` or set via `--set` flag during installation.
The following tables list the configurable parameters of the Harbor chart and their default values per section/component:
| Parameter | Description | Default |
|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| **Global** | | |
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
| **Expose** | | |
| `service.type` | The way how to expose the service: `Ingress`, `ClusterIP`, `NodePort` or `LoadBalancer` | `ClusterIP` |
| `service.tls.enabled` | Enable the tls or not | `true` |
| `service.ingress.controller` | The ingress controller type. Currently supports `default`, `gce` and `ncp` | `default` |
| `service.tls.secretName` | Fill the name of secret if you want to use your own TLS certificate. The secret contains keys named: `tls.crt` - the certificate (required), `tls.key` - the private key (required), `ca.crt` - the certificate of CA (optional), this enables the download link on portal to download the certificate of CA. These files will be generated automatically if the `secretName` is not set | `nil` |
| `service.tls.notarySecretName` | By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the `service.type` is `ingress`. | `nil` |
| `service.tls.commonName` | The common name used to generate the certificate, it's necessary when the `service.type` is `ClusterIP` or `NodePort` and `service.tls.secretName` is null | `nil` |
| `service.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
| `service.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` |
| `service.ingress.annotations` | The annotations used in ingress | `nil` |
| `service.clusterIP.name` | The name of ClusterIP service | `harbor` |
| `service.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` |
| `service.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `443` |
| `service.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `service.nodePort.name` | The name of NodePort service | `harbor` |
| `service.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` |
| `service.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` |
| `service.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` |
| `service.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` |
| `service.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `service.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` |
| `service.loadBalancer.name` | The name of service | `harbor` |
| `service.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` |
| `service.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving with HTTP | `30002` |
| `service.loadBalancer.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `nil` |
| `service.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} |
| `service.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] |
| **Persistence** | | |
| `persistence.enabled` | Enable the data persistence or not | `true` |
| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` |
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | `nil` |
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | `nil` |
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | `nil` |
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | `nil` |
| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | `nil` |
| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | `nil` |
| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` |
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which do not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` |
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` |
| **General** | | |
| `nameOverride` | String to partially override harbor.fullname template with a string (will prepend the release name) | `nil` |
| `fullnameOverride` | String to fully override harbor.fullname template with a string | `nil` |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.resources` | Init container resource requests/limit | `nil` |
| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
| `imagePullPolicy` | The image pull policy | `IfNotPresent` |
| `logLevel` | The log level | `debug` |
| `forcePassword` | Option to ensure all passwords and keys are set by the user | `false` |
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | _random 10 character long alphanumeric string_ |
| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| **Nginx** (if expose the service via `ingress`, the Nginx will not be used) | | |
| `nginxImage.registry` | Registry for Nginx image | `docker.io` |
| `nginxImage.repository` | Repository for Nginx image | `bitnami/nginx` |
| `nginxImage.tag` | Tag for Nginx image | `{TAG_NAME}` |
| `nginx.replicas` | The replica count | `1` |
| `nginx.resources` | The [resources] to allocate for container | undefined |
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `nginx.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `nginx.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
| `nginx.behindReverseProxy` | If nginx is behind another reverse proxy, set to true | `false` |
| **Portal** | | |
| `portalImage.registry` | Registry for portal image | `docker.io` |
| `portalImage.repository` | Repository for portal image | `bitnami/harbor-portal` |
| `portalImage.tag` | Tag for portal image | `{TAG_NAME}` |
| `portalImage.pullPolicy` | Harbor Portal image pull policy | `IfNotPresent` |
| `portalImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `portalImage.debug` | Specify if debug logs should be enabled | `false` |
| `portal.replicas` | The replica count | `1` |
| `portal.resources` | The [resources] to allocate for container | undefined |
| `portal.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `portal.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `portal.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
| `portal.livenessProbe` | Liveness probe configuration for Portal | `Check values.yaml file` |
| `portal.readinessProbe` | Readines probe configuration for Portal | `Check values.yaml file` |
| **Core** | | |
| `coreImage.registry` | Registry for core image | `docker.io` |
| `coreImage.repository` | Repository for Harbor core image | `bitnami/harbor-core` |
| `coreImage.tag` | Tag for Harbor core image | `{TAG_NAME}` |
| `coreImage.pullPolicy` | Harbor Core image pull policy | `IfNotPresent` |
| `coreImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `coreImage.debug` | Specify if debug logs should be enabled | `false` |
| `core.replicas` | The replica count | `1` |
| `core.resources` | The [resources] to allocate for container | undefined |
| `core.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `core.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `core.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.secret` | Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `nil` |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | `nil` |
| `core.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Has to be configured as string, because it is passed through the `tpl` function. See Values.yaml | `` |
| `core.livenessProbe` | Liveness probe configuration for Core | `Check values.yaml file` |
| `core.readinessProbe` | Readines probe configuration for Core | `Check values.yaml file` |
| **Jobservice** | | |
| `jobserviceImage.registry` | Registry for jobservice image | `docker.io` |
| `jobserviceImage.repository` | Repository for jobservice image | `bitnami/harbor-jobservice` |
| `jobserviceImage.tag` | Tag for jobservice image | `{TAG_NAME}` |
| `jobserviceImage.pullPolicy` | Harbor Jobservice image pull policy | `IfNotPresent` |
| `jobserviceImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `jobserviceImage.debug` | Specify if debug logs should be enabled | `false` |
| `jobservice.replicas` | The replica count | `1` |
| `jobservice.strategy` | The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported | `RollingUpdate` |
| `jobservice.maxJobWorkers` | The max job workers | `10` |
| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` |
| `jobservice.resources` | The [resources] to allocate for container | undefined |
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `jobservice.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
| `jobservice.secret` | Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `jobservice.livenessProbe` | Liveness probe configuration for Job Service | `Check values.yaml file` |
| `jobservice.readinessProbe` | Readines probe configuration for Job Service | `Check values.yaml file` |
| **Registry** | | |
| `registryImage.registry` | Registry for registry image | `docker.io` |
| `registryImage.repository` | Repository for registry image | `bitnami/harbor-registry` |
| `registryImage.tag` | Tag for registry image | `{TAG_NAME}` |
| `registryImage.pullPolicy` | Harbor Registry image pull policy | `IfNotPresent` |
| `registryImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `registryImage.debug` | Specify if debug logs should be enabled | `false` |
| `registry.registry.resources` | The [resources] to allocate for container | undefined |
| `registry.registry.livenessProbe` | Liveness probe configuration for Registry | `Check values.yaml file` |
| `registry.registry.readinessProbe` | Readines probe configuration for Registry | `Check values.yaml file` |
| `registryctlImage.registry` | Registry for registryctl image | `docker.io` |
| `registryctlImage.repository` | Repository for registryctl controller image | `bitnami/harbor-registryctl` |
| `registryctlImage.tag` | Tag for registrycrtl controller image | `{TAG_NAME}` |
| `registryctlImage.pullPolicy` | Harbor Registryctl image pull policy | `IfNotPresent` |
| `registryctlImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `registryctlImage.debug` | Specify if debug logs should be enabled | `false` |
| `registry.controller.resources` | The [resources] to allocate for container | undefined |
| `registry.controller.livenessProbe` | Liveness probe configuration for Registryctl | `Check values.yaml file` |
| `registry.controller.readinessProbe` | Readines probe configuration for Registryctl | `Check values.yaml file` |
| `registry.replicas` | The replica count | `1` |
| `registry.strategy` | The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported | `RollingUpdate` |
| `registry.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `registry.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `registry.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `nil` |
| `registry.relativeurls` | Make the registry return relative URLs in Location headers. | `false` |
| **Chartmuseum** | | |
| `chartMuseumImage.registry` | Registry for ChartMuseum image | `docker.io` |
| `chartMuseumImage.repository` | Repository for clair image | `bitnami/chartmuseum` |
| `chartMuseumImage.tag` | Tag for ChartMuseum image | `{TAG_NAME}` |
| `chartMuseumImage.pullPolicy` | ChartMuseum image pull policy | `IfNotPresent` |
| `chartMuseumImage.debug` | Specify if debug logs should be enabled | `false` |
| `chartmuseum.enabled` | Enable ChartMuseum | `true` |
| `chartmuseum.replicas` | Number of ChartMuseum replicas | `1` |
| `chartmuseum.strategy` | The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported | `RollingUpdate` |
| `chartmuseum.port` | ChartMuseum listen port | `8080` |
| `chartmuseum.useRedisCache` | Specify if ChartMuseum will use redis cache | `true` |
| `chartmuseum.absoluteUrl` | Specify an absolute URL for ChartMuseum registry | `false` |
| `chartmuseum.chartRepoName` | Specify the endpoint for the chartmuseum registry. Only applicable if `chartmuseum.absoluteUrl` is `true` | `chartsRepo` |
| `chartmuseum.depth` | Support for multitenancy. More info [here](https://chartmuseum.com/docs/#multitenancy) | `1` |
| `chartmuseum.logJson` | Print logs on JSON format | `false` |
| `chartmuseum.disableMetrics` | Disable prometheus metrics exposure | `false` |
| `chartmuseum.disableApi` | Disable all the routes prefixed with `/api` | `false` |
| `chartmuseum.disableStatefiles` | Disable use of index-cache.yaml | `false` |
| `chartmuseum.allowOverwrite` | Allow chart versions to be re-uploaded without force querystring | `true` |
| `chartmuseum.anonymousGet` | Allow anonymous GET operations | `false` |
| `chartmuseum.enableTLS` | Enable use of TLS access | `false` |
| `chartmuseum.contextPath` | Set the base context path for ChartMuseum | `nil` |
| `chartmuseum.indexLimit` | Limit the number of parallels indexes for ChartMuseum | `nil` |
| `chartmuseum.chartPostFormFieldName` | Form field which will be queried for the chart file content | `nil` |
| `chartmuseum.provPostFormFieldName` | Form field which will be queried for the provenance file content | `nil` |
| `chartmuseum.extraEnvVars` | Allow to pass extra environment variables to the chartmuseum image | `nil` |
| `chartmuseum.livenessProbe` | Liveness probe configuration | `Check values.yaml file` |
| `chartmuseum.readinessProbe` | Readiness probe configuration | `Check values.yaml file` |
| **Clair** | | |
| `clairImage.registry` | Registry for clair image | `docker.io` |
| `clairImage.repository` | Repository for clair image | `bitnami/harbor-clair` |
| `clairImage.tag` | Tag for clair image | `{TAG_NAME}` |
| `clairImage.pullPolicy` | Harbor clair image pull policy | `IfNotPresent` |
| `clairImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `clairImage.debug` | Specify if debug logs should be enabled | `false` |
| `clairAdapterImage.registry` | Registry for clair adapter image | `docker.io` |
| `clairAdapterImage.repository` | Repository for clair adapter image | `bitnami/harbor-adapter-clair` |
| `clairAdapterImage.tag` | Tag for clair adapter image | `{TAG_NAME}` |
| `clairAdapterImage.pullPolicy` | Harbor clair adapter image pull policy | `IfNotPresent` |
| `clairAdapterImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `clairAdapterImage.debug` | Specify if debug logs should be enabled | `false` |
| `clair.enabled` | Enable Clair | `true` |
| `clair.replicas` | The replica count | `1` |
| `clair.httpProxy` | The http proxy used to update vulnerabilities database from internet | undefined |
| `clair.httpsProxy` | The https proxy used to update vulnerabilities database from internet | undefined |
| `clair.updatersInterval` | The interval of clair updaters (hours), set to 0 to disable | `12` |
| `clair.resource` | The [resources] to allocate for container | undefined |
| `clair.adapter.resource` | The [resources] to allocate for container | undefined |
| `clair.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `clair.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `clair.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` |
| `clair.livenessProbe` | Liveness probe configuration | `Check values.yaml file` |
| `clair.readinessProbe` | Readiness probe configuration | `Check values.yaml file` |
| **Notary** | | |
| `notary.enabled` | Enable Notary | `true` |
| `notaryServerImage.registry` | Registry for notary server image | `docker.io` |
| `notaryServerImage.repository` | Repository for notary server image | `bitnami/harbor-notary-server` |
| `notaryServerImage.tag` | Tag for notary server image | `1.10.1-debian-10-r0` |
| `notaryServerImage.pullPolicy` | Harbor notary server image pull policy | `IfNotPresent` |
| `notarySignerImage.registry` | Registry for notary signer images | `docker.io` |
| `notarySignerImage.repository` | Repository for notary signer image | `bitnami/harbor-notary-signer` |
| `notarySignerImage.tag` | Tag for notary signer image | `1.10.1-debian-10-r0` |
| `notarySignerImage.pullPolicy` | Harbor notary signer image pull policy | `IfNotPresent` |
| `notary.server.replicas` | The replica count | `1` |
| `notary.server.resources` | The [resources] to allocate for container | `{}` |
| `notary.signer.replicas` | The replica count | `1` |
| `notary.signer.resources` | The [resources] to allocate for container | `{}` |
| `notary.nodeSelector` | Node labels for pod assignment | `{}` |
| `notary.tolerations` | Tolerations for pod assignment | `[]` |
| `notary.affinity` | Node/Pod affinities | `{}` |
| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` |
| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | `nil` |
| **PostgreSQL** | | |
| `postgresql.enabled` | If external database is used, set it to `false` | `true` |
| `postgresql.postgresqlUsername` | Postgresql username | `postgres` |
| `postgresql.postgresqlPassword` | Postgresql password | `not-a-secure-database-password` |
| `postgresql.replication.enabled` | Enable replicated postgresql | `false` |
| `postgresql.persistence.enabled` | Enable persistence for PostgreSQL | `true` |
| `postgresql.initdbScripts` | Initdb scripts to create Harbor databases | `See values.yaml file` |
| `externalDatabase.host` | Host of the external database | `localhost` |
| `externalDatabase.port` | Port of the external database | `5432` |
| `externalDatabase.user` | Existing username in the external db | `bn_harbor` |
| `externalDatabase.password` | Password for the above username | `nil` |
| `externalDatabase.database` | Name of the existing database | `bitnami_harbor` |
| `externalDatabase.coreDatabase` | External database name for core | `nil` |
| `externalDatabase.clairDatabase` | External database name for clair | `nil` |
| `externalDatabase.clairUsername` | The username used by clair. If not set, externalDatabase.user is used | `nil` |
| `externalDatabase.clairPassword` | The password used by clair. If not set, externalDatabase.password is used | `nil` |
| `externalDatabase.notaryServerDatabase` | External database name for notary server | `nil` |
| `externalDatabase.notaryServerUsername` | The username used by Notary server. If not set, externalDatabase.user is used | `nil` |
| `externalDatabase.notaryServerPassword` | The password used by Notary server. If not set, externalDatabase.password is used | `nil` |
| `externalDatabase.notarySignerDatabase` | External database name for notary signer | `nil` |
| `externalDatabase.notarySignerUsername` | The username used by Notary signer. If not set, externalDatabase.user is used | `nil` |
| `externalDatabase.notarySignerPassword` | The password used by Notary signer. If not set, externalDatabase.password is used | `nil` |
| `externalDatabase.sslmode` | External database ssl mode | `nil` |
| **Redis** | | |
| `redis.enabled` | If external redis is used, set it to `false` | `true` |
| `redis.password` | Redis password | `nil` |
| `redis.usePassword` | Use redis password | `false` |
| `redis.cluster.enabled` | Enable cluster redis | `false` |
| `redis.master.persistence.enabled` | Enable persistence for master Redis | `true` |
| `redis.slave.persistence.enabled` | Enable persistence for slave Redis | `true` |
| `externalRedis.host` | Host of the external redis | `localhost` |
| `externalRedis.port` | Port of the external redis | `6379` |
| `externalRedis.password` | Password for the external redis | `nil` |
| `externalRedis.coreDatabaseIndex` | Index for core database | `0` |
| `externalRedis.jobserviceDatabaseIndex` | Index for jobservice database | `1` |
| `externalRedis.registryDatabaseIndex` | Index for registry database | `2` |
| `externalRedis.chartmuseumDatabaseIndex` | Index for chartmuseum database | `3` |
### Global Parameters
| Parameter | Description | Default |
|---------------------------|-------------------------------------------------|---------------------------------------------------------|
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
### Common Parameters
| Parameter | Description | Default |
|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `commonLabels` | Labels to add to all deployed objects | `nil` |
| `commonAnnotations` | Annotations to add to all deployed objects | `[]` |
| `internalTLS.enabled` | Use TLS in all Harbor containers objects | `false` |
| `logLevel` | The log level | `debug` |
| `forcePassword` | Option to ensure all passwords and keys are set by the user | `false` |
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | _random 10 character long alphanumeric string_ |
| `nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `nil` |
| `fullnameOverride` | String to fully override common.names.fullname template with a string | `nil` |
| `containerSecurityContext` | Container security podSecurityContext | `{ runAsUser: 1001, runAsNonRoot: true }` |
| `podSecurityContext` | Pod security context | `{ fsGroup: 1001 }` |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.resources` | Init container resource requests/limit | `nil` |
| `proxy.httpProxy` | The URL of the HTTP proxy server | |
| `proxy.httpsProxy` | The URL of the HTTPS proxy server | |
| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal |
| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, clair |
| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `nil` |
### Traffic Exposure Parameters
| **Parameter** | Description | Default |
|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
| `service.type` | The way how to expose the service: `Ingress`, `ClusterIP`, `NodePort` or `LoadBalancer` | `ClusterIP` |
| `service.tls.enabled` | Enable the tls or not (for external access) | `true` |
| `service.tls.existingSecret` | Fill the name of secret if you want to use your own TLS certificate. The secret contains keys named: `tls.crt` - the certificate (required), `tls.key` - the private key (required), `ca.crt` - the certificate of CA (optional), this enables the download link on portal to download the certificate of CA. These files will be generated automatically if the `secretName` is not set | `nil` |
| `service.tls.notaryExistingSecret` | By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the `service.type` is `ingress`. | `nil` |
| `service.tls.commonName` | The common name used to generate the certificate, it's necessary when the `service.type` is `ClusterIP` or `NodePort` and `service.tls.existingSecret` is null | `nil` |
| `service.ports.http` | The service port Harbor listens on when serving with HTTP | `80` |
| `service.ports.https` | The service port Harbor listens on when serving with HTTPS | `443` |
| `service.ports.notary` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `service.nodePorts.http` | The service nodePort Harbor listens on when serving with HTTP | `80` |
| `service.nodePorts.https` | The service nodePort Harbor listens on when serving with HTTPS | `443` |
| `service.nodePorts.notaryPort` | The service nodePort Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `service.annotations` | The annotations attached to the loadBalancer service | {} |
| `service.loadBalancerIP` | Load Balancer IP | `nil` |
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `service.loadBalancerSourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] |
| `ingress.enabled` | Deploy ingress rules | `false` |
| `ingress.controller` | The ingress controller type. Currently supports `default`, `gce` and `ncp` | `default` |
| `ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
| `ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` |
| `ingress.annotations` | The annotations used in ingress | `nil` |
### Persistence Parameters
| Parameter | Description | Default |
|---------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|
| `persistence.enabled` | Enable the data persistence or not | `true` |
| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `keep` |
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | `nil` |
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | `nil` |
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | `nil` |
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.jobservice.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | `nil` |
| `persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | `nil` |
| `persistence.persistentVolumeClaim.jobservice.subPath` | The sub path used in the volume | `nil` |
| `persistence.persistentVolumeClaim.jobservice.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` |
| `persistence.persistentVolumeClaim.chartmuseum.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | `nil` |
| `persistence.persistentVolumeClaim.chartmuseum.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | `nil` |
| `persistence.persistentVolumeClaim.chartmuseum.subPath` | The sub path used in the volume | `nil` |
| `persistence.persistentVolumeClaim.chartmuseum.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.chartmuseum.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | `nil` |
| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used(the default). Set it to `-` to disable dynamic provisioning | `nil` |
| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `5Gi` |
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which do not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail | `false` |
| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and chartmuseum's containers. | |
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail | `filesystem` |
| `persistence.imageChartStorage.azure.accountname` | Azure storage type setting: Name of the Azure account | `nil` |
| `persistence.imageChartStorage.azure.accountkey` | Azure storage type setting: Key of the Azure account | `nil` |
| `persistence.imageChartStorage.azure.container` | Azure storage type setting: Container | `nil` |
| `persistence.imageChartStorage.azure.storagePrefix` | Azure storage type setting: Storage prefix | `nil` |
| `persistence.imageChartStorage.azure.realm` | Azure storage type setting: Realm of the Azure account | `nil` |
| `persistence.imageChartStorage.gcs.accountname` | GCS storage type setting: Name of the bucket | `nil` |
| `persistence.imageChartStorage.gcs.encodedkey` | GCS storage type setting: Base64 encoded key | `nil` |
| `persistence.imageChartStorage.gcs.bucket` | GCS storage type setting: Bucket name | `nil` |
| `persistence.imageChartStorage.gcs.rootdirectory` | GCS storage type setting: Root directory name | `nil` |
| `persistence.imageChartStorage.gcs.chunksize` | GCS storage type setting: Chunk size name | `nil` |
| `persistence.imageChartStorage.s3.accesskey` | S3 storage type setting: Access key name | `nil` |
| `persistence.imageChartStorage.s3.secretkey` | S3 storage type setting: Secret Key name | `nil` |
| `persistence.imageChartStorage.s3.regionendpoint` | S3 storage type setting: Region Endpoint | `nil` |
| `persistence.imageChartStorage.s3.encrypt` | S3 storage type setting: Encrypt | `nil` |
| `persistence.imageChartStorage.s3.keyid` | S3 storage type setting: Key ID | `nil` |
| `persistence.imageChartStorage.s3.region` | S3 storage type setting: Region | `nil` |
| `persistence.imageChartStorage.s3.secure` | S3 storage type setting: Secure | `nil` |
| `persistence.imageChartStorage.s3.v4auth` | S3 storage type setting: V4 authorization | `nil` |
| `persistence.imageChartStorage.s3.chunksize` | S3 storage type setting: V4 authorization | `nil` |
| `persistence.imageChartStorage.s3.bucket` | S3 storage type setting: Bucket name | `nil` |
| `persistence.imageChartStorage.s3.rootdirectory` | S3 storage type setting: Root directory name | `nil` |
| `persistence.imageChartStorage.s3.storageclass` | S3 storage type setting: Storage class | `nil` |
| `persistence.imageChartStorage.s3.sse` | S3 storage type setting: SSE name | `nil` |
| `persistence.imageChartStorage.swift.authurl` | Swift storage type setting: Authentication url | `nil` |
| `persistence.imageChartStorage.swift.username` | Swift storage type setting: Authentication url | `nil` |
| `persistence.imageChartStorage.swift.password` | Swift storage type setting: Password | `nil` |
| `persistence.imageChartStorage.swift.container` | Swift storage type setting: Container | `nil` |
| `persistence.imageChartStorage.swift.region` | Swift storage type setting: Region | `nil` |
| `persistence.imageChartStorage.swift.tenant` | Swift storage type setting: Tenant | `nil` |
| `persistence.imageChartStorage.swift.tenantid` | Swift storage type setting: TenantID | `nil` |
| `persistence.imageChartStorage.swift.domain` | Swift storage type setting: Domain | `nil` |
| `persistence.imageChartStorage.swift.domainid` | Swift storage type setting: DomainID | `nil` |
| `persistence.imageChartStorage.swift.insecureskipverify` | Swift storage type setting: Verification | `nil` |
| `persistence.imageChartStorage.swift.trustid` | Swift storage type setting: TrustID | `nil` |
| `persistence.imageChartStorage.swift.chunksize` | Swift storage type setting: Chunk | `nil` |
| `persistence.imageChartStorage.swift.prefix` | Swift storage type setting: Prefix | `nil` |
| `persistence.imageChartStorage.swift.secretkey` | Swift storage type setting: Secre Key | `nil` |
| `persistence.imageChartStorage.swift.accesskey` | Swift storage type setting: Access Key | `nil` |
| `persistence.imageChartStorage.swift.authversion` | Swift storage type setting: Auth | `nil` |
| `persistence.imageChartStorage.swift.endpointtype` | Swift storage type setting: Endpoint | `nil` |
| `persistence.imageChartStorage.swift.tempurlcontainerkey` | Swift storage type setting: Temp URL container key | `nil` |
| `persistence.imageChartStorage.swift.tempurlmethods` | Swift storage type setting: Temp URL methods | `nil` |
| `persistence.imageChartStorage.oss.accesskeyid` | OSS storage type setting: Access key ID | `nil` |
| `persistence.imageChartStorage.oss.endpoint` | OSS storage type setting: Endpoint | `nil` |
| `persistence.imageChartStorage.oss.internal` | OSS storage type setting: Internal | `nil` |
| `persistence.imageChartStorage.oss.encrypt` | OSS storage type setting: Encrypt | `nil` |
| `persistence.imageChartStorage.oss.secure` | OSS storage type setting: Secure | `nil` |
| `persistence.imageChartStorage.oss.chunksize` | OSS storage type setting: Chunk | `nil` |
| `persistence.imageChartStorage.oss.rootdirectory` | OSS storage type setting: Directory | `nil` |
| `persistence.imageChartStorage.oss.secretkey` | OSS storage type setting: Secret key | `nil` |
| `persistence.imageChartStorage.oss.accesskeysecret` | OSS storage type setting: Access key secret name containing the token | `nil` |
| `persistence.imageChartStorage.oss.region` | OSS storage type setting: Region name | `nil` |
| `persistence.imageChartStorage.oss.bucket` | OSS storage type setting: Bucket name | `nil` |
| `persistence.imageChartStorage.filesystem.rootdirectory` | Filesystem storage type setting: Storage root directory | `nil` |
| `persistence.imageChartStorage.filesystem.maxthreads` | Filesystem storage type setting: Maximum threads directory | `nil` |
### Nginx Parameters
> NOTE: If you expose the service via `ingress`, the Nginx will not be used
| Parameter | Description | Default |
|------------------------------|-----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `nginxImage.registry` | Registry for Nginx image | `docker.io` |
| `nginxImage.repository` | Repository for Nginx image | `bitnami/nginx` |
| `nginxImage.tag` | Tag for Nginx image | `{TAG_NAME}` |
| `nginxImage.pullPolicy` | Harbor Portal image pull policy | `IfNotPresent` |
| `nginxImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `nginxImage.debug` | Specify if debug logs should be enabled | `false` |
| `nginx.replicas` | The replica count | `1` |
| `nginx.resources` | The [resources] to allocate for container | undefined |
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `nginx.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `nginx.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
| `nginx.behindReverseProxy` | If nginx is behind another reverse proxy, set to true | `false` |
| `nginx.extraEnvVars` | Array containing extra env vars | `nil` |
| `nginx.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `nginx.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `nginx.command` | Override default container command (useful when using custom images) | `nil` |
| `nginx.args` | Override default container args (useful when using custom images) | `nil` |
| `nginx.livenessProbe` | Liveness probe configuration | `Check values.yaml file` |
| `nginx.readinessProbe` | Readiness probe configuration | `Check values.yaml file` |
| `nginx.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `nginx.customLivenessProbe` | Override default liveness probe | `nil` |
| `nginx.customReadinessProbe` | Override default readiness probe | `nil` |
| `nginx.updateStrategy` | Deployment update strategy | `nil` |
| `nginx.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `nginx.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `nginx.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `nginx.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `nginx.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
### Harbor Portal Parameters
| Parameter | Description | Default |
|-------------------------------|-----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `portalImage.registry` | Registry for portal image | `docker.io` |
| `portalImage.repository` | Repository for portal image | `bitnami/harbor-portal` |
| `portalImage.tag` | Tag for portal image | `{TAG_NAME}` |
| `portalImage.pullPolicy` | Harbor Portal image pull policy | `IfNotPresent` |
| `portalImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `portalImage.debug` | Specify if debug logs should be enabled | `false` |
| `portal.replicas` | The replica count | `1` |
| `portal.resources` | The [resources] to allocate for container | undefined |
| `portal.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `portal.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `portal.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
| `portal.livenessProbe` | Liveness probe configuration for Portal | `Check values.yaml file` |
| `portal.readinessProbe` | Readines probe configuration for Portal | `Check values.yaml file` |
| `portal.extraEnvVars` | Array containing extra env vars | `nil` |
| `portal.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `portal.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `portal.command` | Override default container command (useful when using custom images) | `nil` |
| `portal.args` | Override default container args (useful when using custom images) | `nil` |
| `portal.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `portal.customLivenessProbe` | Override default liveness probe | `nil` |
| `portal.customReadinessProbe` | Override default readiness probe | `nil` |
| `portal.tls.existingSecret` | Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated | `nil` |
| `portal.updateStrategy` | Deployment update strategy | `nil` |
| `portal.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `portal.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `portal.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `portal.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `portal.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
### Harbor Core Parameters
| Parameter | Description | Default |
|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `coreImage.registry` | Registry for core image | `docker.io` |
| `coreImage.repository` | Repository for Harbor core image | `bitnami/harbor-core` |
| `coreImage.tag` | Tag for Harbor core image | `{TAG_NAME}` |
| `coreImage.pullPolicy` | Harbor Core image pull policy | `IfNotPresent` |
| `coreImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `coreImage.debug` | Specify if debug logs should be enabled | `false` |
| `core.secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| `core.uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | `` |
| `core.tls.existingSecret` | Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated | `nil` |
| `core.csrfKey` | CSRF key | `` |
| `core.replicas` | The replica count | `1` |
| `core.resources` | The [resources] to allocate for container | undefined |
| `core.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `core.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `core.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.secret` | Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `nil` |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | `nil` |
| `core.livenessProbe` | Liveness probe configuration for Core | `Check values.yaml file` |
| `core.readinessProbe` | Readines probe configuration for Core | `Check values.yaml file` |
| `core.extraEnvVars` | Array containing extra env vars | `nil` |
| `core.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `core.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `core.command` | Override default container command (useful when using custom images) | `nil` |
| `core.args` | Override default container args (useful when using custom images) | `nil` |
| `core.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `core.customLivenessProbe` | Override default liveness probe | `nil` |
| `core.customReadinessProbe` | Override default readiness probe | `nil` |
| `core.updateStrategy` | Deployment update strategy | `nil` |
| `core.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `core.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `core.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `core.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `core.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
### Harbor Jobservice Parameters
| Parameter | Description | Default |
|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `jobserviceImage.registry` | Registry for jobservice image | `docker.io` |
| `jobserviceImage.repository` | Repository for jobservice image | `bitnami/harbor-jobservice` |
| `jobserviceImage.tag` | Tag for jobservice image | `{TAG_NAME}` |
| `jobserviceImage.pullPolicy` | Harbor Jobservice image pull policy | `IfNotPresent` |
| `jobserviceImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `jobserviceImage.debug` | Specify if debug logs should be enabled | `false` |
| `jobservice.replicas` | The replica count | `1` |
| `jobservice.updateStrategy.type` | The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported | `RollingUpdate` |
| `jobservice.maxJobWorkers` | The max job workers | `10` |
| `jobservice.tls.existingSecret` | Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated | `nil` |
| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` |
| `jobservice.resources` | The [resources] to allocate for container | undefined |
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `jobservice.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
| `jobservice.secret` | Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `jobservice.livenessProbe` | Liveness probe configuration for Job Service | `Check values.yaml file` |
| `jobservice.readinessProbe` | Readines probe configuration for Job Service | `Check values.yaml file` |
| `jobservice.extraEnvVars` | Array containing extra env vars | `nil` |
| `jobservice.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `jobservice.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `jobservice.command` | Override default container command (useful when using custom images) | `nil` |
| `jobservice.args` | Override default container args (useful when using custom images) | `nil` |
| `jobservice.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `jobservice.customLivenessProbe` | Override default liveness probe | `nil` |
| `jobservice.customReadinessProbe` | Override default readiness probe | `nil` |
| `jobservice.updateStrategy` | Deployment update strategy | `nil` |
| `jobservice.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `jobservice.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `jobservice.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `jobservice.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `jobservice.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
### Harbor Registry Parameters
| Parameter | Description | Default |
|---------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| `registryImage.registry` | Registry for registry image | `docker.io` |
| `registryImage.repository` | Repository for registry image | `bitnami/harbor-registry` |
| `registryImage.tag` | Tag for registry image | `{TAG_NAME}` |
| `registryImage.pullPolicy` | Harbor Registry image pull policy | `IfNotPresent` |
| `registryImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `registryImage.debug` | Specify if debug logs should be enabled | `false` |
| `registryctlImage.registry` | Registry for registryctl image | `docker.io` |
| `registryctlImage.repository` | Repository for registryctl controller image | `bitnami/harbor-registryctl` |
| `registryctlImage.tag` | Tag for registrycrtl controller image | `{TAG_NAME}` |
| `registryctlImage.pullPolicy` | Harbor Registryctl image pull policy | `IfNotPresent` |
| `registryctlImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `registryctlImage.debug` | Specify if debug logs should be enabled | `false` |
| `registry.relativeurls` | Make the registry return relative URLs in Location headers. | `false` |
| `registry.tls.existingSecret` | Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated | `nil` |
| `registry.replicas` | The replica count | `1` |
| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` |
| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` |
| `registry.credentials.htpasswd` | The content of htpasswd file based on the value of `registry.credentials.username` `registry.credentials.password`. Currently `helm` does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html): `htpasswd -nbBC10 $username $password`. More details see [official_docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m` |
| `registry.updateStrategy.type` | The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported | `RollingUpdate` |
| `registry.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `registry.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `registry.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
| `registry.middleware.enabled` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | |
| `registry.middleware.type` | CDN type for the middleware | |
| `registry.middleware.cloudFront.baseurl` | CloudFront CDN settings: Base URL | |
| `registry.middleware.cloudFront.keypairid` | CloudFront CDN settings: Keypair ID | |
| `registry.middleware.cloudFront.duration` | CloudFront CDN settings: Duration | |
| `registry.middleware.cloudFront.ipfilteredby` | CloudFront CDN settings: IP filters | |
| `registry.middleware.cloudFront.privateKeySecret` | CloudFront CDN settings: Secret name with the private key | |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `nil` |
| `registry.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `registry.updateStrategy` | Deployment update strategy | `nil` |
| `registry.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `registry.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `registry.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
| `registry.server.resources` | The [resources] to allocate for container | undefined |
| `registry.server.livenessProbe` | Liveness probe configuration for Registry | `Check values.yaml file` |
| `registry.server.readinessProbe` | Readines probe configuration for Registry | `Check values.yaml file` |
| `registry.server.extraEnvVars` | Array containing extra env vars | `nil` |
| `registry.server.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `registry.server.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `registry.server.command` | Override default container command (useful when using custom images) | `nil` |
| `registry.server.args` | Override default container args (useful when using custom images) | `nil` |
| `registry.server.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `registry.server.customLivenessProbe` | Override default liveness probe | `nil` |
| `registry.server.customReadinessProbe` | Override default readiness probe | `nil` |
| `registry.server.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `registry.controller.resources` | The [resources] to allocate for container | undefined |
| `registry.controller.livenessProbe` | Liveness probe configuration for Registry | `Check values.yaml file` |
| `registry.controller.readinessProbe` | Readines probe configuration for Registry | `Check values.yaml file` |
| `registry.controller.extraEnvVars` | Array containing extra env vars | `nil` |
| `registry.controller.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `registry.controller.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `registry.controller.command` | Override default container command (useful when using custom images) | `nil` |
| `registry.controller.args` | Override default container args (useful when using custom images) | `nil` |
| `registry.controller.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `registry.controller.customLivenessProbe` | Override default liveness probe | `nil` |
| `registry.controller.customReadinessProbe` | Override default readiness probe | `nil` |
| `registry.controller.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
### ChartMuseum Parameters
| Parameter | Description | Default |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `chartMuseumImage.registry` | Registry for ChartMuseum image | `docker.io` |
| `chartMuseumImage.repository` | Repository for clair image | `bitnami/chartmuseum` |
| `chartMuseumImage.tag` | Tag for ChartMuseum image | `{TAG_NAME}` |
| `chartMuseumImage.pullPolicy` | ChartMuseum image pull policy | `IfNotPresent` |
| `chartMuseumImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `chartMuseumImage.debug` | Specify if debug logs should be enabled | `false` |
| `chartmuseum.enabled` | Enable ChartMuseum | `true` |
| `chartmuseum.replicas` | Number of ChartMuseum replicas | `1` |
| `chartmuseum.resources` | The [resources] to allocate for container | undefined |
| `chartmuseum.updateStrategy` | The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported | `RollingUpdate` |
| `chartmuseum.useRedisCache` | Specify if ChartMuseum will use redis cache | `true` |
| `chartmuseum.absoluteUrl` | Specify an absolute URL for ChartMuseum registry | `false` |
| `chartmuseum.chartRepoName` | Specify the endpoint for the chartmuseum registry. Only applicable if `chartmuseum.absoluteUrl` is `true` | `chartsRepo` |
| `chartmuseum.maxUploadSize` | Maximum upload size | `nil` |
| `chartmuseum.maxStorageObjects` | Maximum storage objects | `nil` |
| `chartmuseum.tls.existingSecret` | Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated | `nil` |
| `chartmuseum.depth` | Support for multitenancy. More info [here](https://chartmuseum.com/docs/#multitenancy) | `1` |
| `chartmuseum.logJson` | Print logs on JSON format | `false` |
| `chartmuseum.disableMetrics` | Disable prometheus metrics exposure | `false` |
| `chartmuseum.disableApi` | Disable all the routes prefixed with `/api` | `false` |
| `chartmuseum.disableStatefiles` | Disable use of index-cache.yaml | `false` |
| `chartmuseum.allowOverwrite` | Allow chart versions to be re-uploaded without force querystring | `true` |
| `chartmuseum.anonymousGet` | Allow anonymous GET operations | `false` |
| `chartmuseum.contextPath` | Set the base context path for ChartMuseum | `nil` |
| `chartmuseum.indexLimit` | Limit the number of parallels indexes for ChartMuseum | `nil` |
| `chartmuseum.chartPostFormFieldName` | Form field which will be queried for the chart file content | `nil` |
| `chartmuseum.provPostFormFieldName` | Form field which will be queried for the provenance file content | `nil` |
| `chartmuseum.extraEnvVars` | Allow to pass extra environment variables to the chartmuseum image | `nil` |
| `chartmuseum.livenessProbe` | Liveness probe configuration | `Check values.yaml file` |
| `chartmuseum.readinessProbe` | Readiness probe configuration | `Check values.yaml file` |
| `chartmuseum.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `chartmuseum.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `chartmuseum.podAnnotations` | Annotations to add to the chartmuseum pod | `{}` |
| `chartmuseum.extraEnvVars` | Array containing extra env vars | `nil` |
| `chartmuseum.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `chartmuseum.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `chartmuseum.command` | Override default container command (useful when using custom images) | `nil` |
| `chartmuseum.args` | Override default container args (useful when using custom images) | `nil` |
| `chartmuseum.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `chartmuseum.customLivenessProbe` | Override default liveness probe | `nil` |
| `chartmuseum.customReadinessProbe` | Override default readiness probe | `nil` |
| `chartmuseum.updateStrategy` | Deployment update strategy | `nil` |
| `chartmuseum.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `chartmuseum.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `chartmuseum.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `chartmuseum.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `chartmuseum.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
### Clair Parameters
| Parameter | Description | Default |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `clairImage.registry` | Registry for clair image | `docker.io` |
| `clairImage.repository` | Repository for clair image | `bitnami/harbor-clair` |
| `clairImage.tag` | Tag for clair image | `{TAG_NAME}` |
| `clairImage.pullPolicy` | Harbor clair image pull policy | `IfNotPresent` |
| `clairImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `clairImage.debug` | Specify if debug logs should be enabled | `false` |
| `clairAdapterImage.registry` | Registry for clair adapter image | `docker.io` |
| `clairAdapterImage.repository` | Repository for clair adapter image | `bitnami/harbor-adapter-clair` |
| `clairAdapterImage.tag` | Tag for clair adapter image | `{TAG_NAME}` |
| `clairAdapterImage.pullPolicy` | Harbor clair adapter image pull policy | `IfNotPresent` |
| `clairAdapterImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `clairAdapterImage.debug` | Specify if debug logs should be enabled | `false` |
| `clair.updateStrategy` | The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported | `RollingUpdate` |
| `clair.enabled` | Enable Clair | `true` |
| `clair.replicas` | The replica count | `1` |
| `clair.httpProxy` | The http proxy used to update vulnerabilities database from internet | undefined |
| `clair.httpsProxy` | The https proxy used to update vulnerabilities database from internet | undefined |
| `clair.updatersInterval` | The interval of clair updaters (hours), set to 0 to disable | `12` |
| `clair.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `clair.tls.existingSecret` | Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated | `nil` |
| `clair.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `clair.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `clair.podAnnotations` | Annotations to add to the clair pod | `{}` |
| `clair.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
| `clair.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `clair.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `clair.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `clair.server.resources` | The [resources] to allocate for container | undefined |
| `clair.server.livenessProbe` | Liveness probe configuration | `Check values.yaml file` |
| `clair.server.readinessProbe` | Readiness probe configuration | `Check values.yaml file` |
| `clair.server.extraEnvVars` | Array containing extra env vars | `nil` |
| `clair.server.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `clair.server.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `clair.server.command` | Override default container command (useful when using custom images) | `nil` |
| `clair.server.args` | Override default container args (useful when using custom images) | `nil` |
| `clair.server.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `clair.server.customLivenessProbe` | Override default liveness probe | `nil` |
| `clair.server.customReadinessProbe` | Override default readiness probe | `nil` |
| `clair.server.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `clair.adapter.resources` | The [resources] to allocate for container | undefined |
| `clair.adapter.livenessProbe` | Liveness probe configuration | `Check values.yaml file` |
| `clair.adapter.readinessProbe` | Readiness probe configuration | `Check values.yaml file` |
| `clair.adapter.extraEnvVars` | Array containing extra env vars | `nil` |
| `clair.adapter.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `clair.adapter.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `clair.adapter.command` | Override default container command (useful when using custom images) | `nil` |
| `clair.adapter.args` | Override default container args (useful when using custom images) | `nil` |
| `clair.adapter.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `clair.adapter.customLivenessProbe` | Override default liveness probe | `nil` |
| `clair.adapter.customReadinessProbe` | Override default readiness probe | `nil` |
| `clair.adapter.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
### Notary Parameters
| Parameter | Description | Default |
|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `notary.enabled` | Enable Notary | `true` |
| `notaryServerImage.registry` | Registry for notary server image | `docker.io` |
| `notaryServerImage.repository` | Repository for notary server image | `bitnami/harbor-notary-server` |
| `notaryServerImage.tag` | Tag for notary server image | `1.10.1-debian-10-r0` |
| `notaryServerImage.debug` | Specify if debug logs should be enabled | `false` |
| `notaryServerImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `notaryServerImage.pullPolicy` | Harbor notary server image pull policy | `IfNotPresent` |
| `notarySignerImage.registry` | Registry for notary signer images | `docker.io` |
| `notarySignerImage.debug` | Specify if debug logs should be enabled | `false` |
| `notarySignerImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `notarySignerImage.repository` | Repository for notary signer image | `bitnami/harbor-notary-signer` |
| `notarySignerImage.tag` | Tag for notary signer image | `1.10.1-debian-10-r0` |
| `notarySignerImage.pullPolicy` | Harbor notary signer image pull policy | `IfNotPresent` |
| `notary.server.replicas` | The replica count | `1` |
| `notary.server.resources` | The [resources] to allocate for container | `{}` |
| `notary.signer.replicas` | The replica count | `1` |
| `notary.signer.resources` | The [resources] to allocate for container | `{}` |
| `notary.server.nodeSelector` | Node labels for pod assignment | `{}` |
| `notary.server.tolerations` | Tolerations for pod assignment | `[]` |
| `notary.server.affinity` | Node/Pod affinities | `{}` |
| `notary.server.podAnnotations` | Annotations to add to the notary pod | `{}` |
| `notary.signer.nodeSelector` | Node labels for pod assignment | `{}` |
| `notary.signer.tolerations` | Tolerations for pod assignment | `[]` |
| `notary.signer.affinity` | Node/Pod affinities | `{}` |
| `notary.signer.podAnnotations` | Annotations to add to the notary pod | `{}` |
| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | `nil` |
| `notary.server.extraEnvVars` | Array containing extra env vars | `nil` |
| `notary.server.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `notary.server.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `notary.server.command` | Override default container command (useful when using custom images) | `nil` |
| `notary.server.args` | Override default container args (useful when using custom images) | `nil` |
| `notary.server.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `notary.server.customLivenessProbe` | Override default liveness probe | `nil` |
| `notary.server.customReadinessProbe` | Override default readiness probe | `nil` |
| `notary.server.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `notary.server.livenessProbe` | Liveness probe configuration for Portal | `Check values.yaml file` |
| `notary.server.readinessProbe` | Readines probe configuration for Portal | `Check values.yaml file` |
| `notary.server.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `notary.server.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `notary.server.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `notary.server.updateStrategy` | Deployment update strategy | `nil` |
| `notary.server.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
| `notary.signer.extraEnvVars` | Array containing extra env vars | `nil` |
| `notary.signer.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `notary.signer.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `notary.signer.command` | Override default container command (useful when using custom images) | `nil` |
| `notary.signer.args` | Override default container args (useful when using custom images) | `nil` |
| `notary.signer.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `notary.signer.customLivenessProbe` | Override default liveness probe | `nil` |
| `notary.signer.customReadinessProbe` | Override default readiness probe | `nil` |
| `notary.signer.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `notary.signer.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
| `notary.signer.podAnnotations` | Annotations to add to the notary.signer pod | `{}` |
| `notary.signer.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `notary.signer.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `notary.signer.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `notary.signer.livenessProbe` | Liveness probe configuration for Portal | `Check values.yaml file` |
| `notary.signer.readinessProbe` | Readines probe configuration for Portal | `Check values.yaml file` |
| `notary.signer.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `notary.signer.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `notary.signer.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `notary.signer.updateStrategy` | Deployment update strategy | `nil` |
### Harbor Trivy Parameters
| Parameter | Description | Default |
|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `trivy.enabled` | Enable Trivy | `true` |
| `trivyImage.registry` | Registry for trivy image | `docker.io` |
| `trivyImage.repository` | Repository for trivy image | `bitnami/harbor-trivy` |
| `trivyImage.tag` | Tag for trivy image | `{TAG_NAME}` |
| `trivyImage.pullPolicy` | Harbor trivy image pull policy | `IfNotPresent` |
| `trivyImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `trivyImage.debug` | Specify if debug logs should be enabled | `false` |
| `trivy.automountServiceAccountToken` | Automount service account token in the Trivy containers | `false` |
| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` |
| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` |
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
| `trivy.skipUpdate` | The flag to disable Trivy DB downloads from GitHub | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB | |
| `trivy.tls.existingSecret` | Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated | `nil` |
| `trivy.cacheDir` | Directory to store the cache | "/opt/bitnami/trivy/tmp/cache |
| `trivy.replicas` | The replica count | `1` |
| `trivy.resources` | The resources to allocate for container | undefined |
| `trivy.nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `trivy.tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `trivy.affinity` | Node/Pod affinities | `{}` (The value is evaluated as a template) |
| `trivy.podAnnotations` | Annotations to add to the trivy pod | `{}` |
| `trivy.livenessProbe` | Liveness probe configuration for trivy | `Check values.yaml file` |
| `trivy.readinessProbe` | Readines probe configuration for trivy | `Check values.yaml file` |
| `trivy.extraEnvVars` | Array containing extra env vars | `nil` |
| `trivy.extraEnvVarsCM` | ConfigMap containing extra env vars | `nil` |
| `trivy.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `nil` |
| `trivy.command` | Override default container command (useful when using custom images) | `nil` |
| `trivy.args` | Override default container args (useful when using custom images) | `nil` |
| `trivy.lifecycleHooks` | LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | `` |
| `trivy.customLivenessProbe` | Override default liveness probe | `nil` |
| `trivy.customReadinessProbe` | Override default readiness probe | `nil` |
| `trivy.updateStrategy` | Deployment update strategy | `nil` |
| `trivy.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `nil` |
| `trivy.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `nil` |
| `trivy.sidecars` | Attach additional containers to the pod (evaluated as a template) | `nil` |
| `trivy.initContainers` | Add additional init containers to the pod (evaluated as a template) | `nil` |
| `trivy.podLabels` | Add additional labels to the pod (evaluated as a template) | `nil` |
### PostgreSQL Parameters
| Parameter | Description | Default |
|-----------------------------------------|-----------------------------------------------------------------------------------------------------------|----------------------------------|
| `postgresql.enabled` | If external database is used, set it to `false` | `true` |
| `postgresql.nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `nil` |
| `postgresql.postgresqlUsername` | Postgresql username | `postgres` |
| `postgresql.postgresqlPassword` | Postgresql password | `not-a-secure-database-password` |
| `postgresql.replication.enabled` | Enable replicated postgresql | `false` |
| `postgresql.persistence.enabled` | Enable persistence for PostgreSQL | `true` |
| `postgresql.initdbScripts` | Initdb scripts to create Harbor databases | `See values.yaml file` |
| `externalDatabase.host` | Host of the external database | `localhost` |
| `externalDatabase.port` | Port of the external database | `5432` |
| `externalDatabase.user` | Existing username in the external db | `bn_harbor` |
| `externalDatabase.password` | Password for the above username | `nil` |
| `externalDatabase.coreDatabase` | External database name for core | `nil` |
| `externalDatabase.clairDatabase` | External database name for clair | `nil` |
| `externalDatabase.clairUsername` | External database username for clair | `nil` |
| `externalDatabase.clairPassword` | External database password for clair | `nil` |
| `externalDatabase.notaryServerDatabase` | External database name for notary server | `nil` |
| `externalDatabase.notaryServerUsername` | External database username for notary server | `nil` |
| `externalDatabase.notaryServerPassword` | External database password for notary server | `nil` |
| `externalDatabase.notarySignerDatabase` | External database name for notary signer | `nil` |
| `externalDatabase.notarySignerUsername` | External database username for notary signer | `nil` |
| `externalDatabase.notarySignerPassword` | External database password for notary signer | `nil` |
| `externalDatabase.sslmode` | External database ssl mode | `nil` |
### Redis Parameters
| Parameter | Description | Default |
|-------------------------------------------|-----------------------------------------------------------------------------------------------------------|-------------|
| `redis.enabled` | If external redis is used, set it to `false` | `true` |
| `redis.nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `nil` |
| `redis.password` | Redis password | `nil` |
| `redis.usePassword` | Use redis password | `false` |
| `redis.cluster.enabled` | Enable cluster redis | `false` |
| `redis.master.persistence.enabled` | Enable persistence for master Redis | `true` |
| `redis.slave.persistence.enabled` | Enable persistence for slave Redis | `true` |
| `externalRedis.host` | Host of the external redis | `localhost` |
| `externalRedis.port` | Port of the external redis | `6379` |
| `externalRedis.password` | Password for the external redis | `nil` |
| `externalRedis.jobserviceDatabaseIndex` | Index for jobservice database | `1` |
| `externalRedis.registryDatabaseIndex` | Index for registry database | `2` |
| `externalRedis.chartmuseumDatabaseIndex` | Index for chartmuseum database | `3` |
| `externalRedis.clairAdapterDatabaseIndex` | Index for chartmuseum database | `3` |
| `externalRedis.trivyAdapterDatabaseIndex` | Index for chartmuseum database | `3` |
[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
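Review bot: `postgresql.postgresqlPassword` is documented with a literal default of `not-a-secure-database-password`; a chart that ships a known database password by default should either generate a random value when none is set or the row should state that the value must be overridden on every install. Several rows in this table also look copy-pasted: `chartMuseumImage.repository` reads "Repository for clair image", `chartmuseum.extraEnvVars` is listed twice, the `notary.server` and `notary.signer` liveness/readiness probe rows say "for Portal", and `externalRedis.clairAdapterDatabaseIndex` and `externalRedis.trivyAdapterDatabaseIndex` both read "Index for chartmuseum database" with the same default `3` as `externalRedis.chartmuseumDatabaseIndex`, so confirm whether the three components are really meant to share one Redis database index or whether the defaults were meant to be distinct. The `trivy.cacheDir` default `"/opt/bitnami/trivy/tmp/cache` has an unbalanced quote.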
@@ -349,8 +709,8 @@ This chart includes a `values-production.yaml` file where you can find some para
- The way how to expose the service: `Ingress`, `ClusterIP`, `NodePort` or `LoadBalancer`:
```diff
- service.type: ClusterIP
+ service.type: Ingress
- ingress.enabled: false
+ ingress.enabled: true
```
- The common name used to generate the certificate. It's necessary when the `service.type` is `ClusterIP` or `NodePort` and `service.tls.secretName` is null:
@@ -385,6 +745,47 @@ This chart includes a `values-production.yaml` file where you can find some para
- **NodePort**: Exposes the service on each Nodes IP at a static port (the NodePort). Youll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
- **LoadBalancer**: Exposes the service externally using a cloud providers load balancer.
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as any of the Harbor components (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter inside each component subsection. Simply define your container according to the Kubernetes container spec.
```yaml
core:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Similarly, you can add extra init containers using the `initContainers` parameter.
```yaml
core:
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Adding extra environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property inside each component subsection.
```yaml
core:
extraEnvVars:
- name: LOG_LEVEL
value: error
```
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the .extraEnvVarsCM` or the `extraEnvVarsSecret` values inside each component subsection.
### Configure the external URL:
The external URL for Harbor core service is used to:
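Review bot: in the "Adding extra environment variables" paragraph, "use the .extraEnvVarsCM` or the `extraEnvVarsSecret` values" has a stray dot and a missing opening backtick; it should read `` `extraEnvVarsCM` ``. The `initContainers` example is a verbatim copy of the `sidecars` example including the `ports` block, which an init container does not serve; dropping `ports` and showing a `command` would make it a realistic example. Since this section introduces the three mechanisms side by side, it is also worth saying plainly that credentials belong in `extraEnvVarsSecret`, because values given through `extraEnvVars` are written in clear into the rendered Deployment manifest.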
@@ -394,7 +795,7 @@ The external URL for Harbor core service is used to:
Format: `protocol://domain[:port]`. Usually:
- if expose the service via `Ingress`, the `domain` should be the value of `service.ingress.hosts.core`
- if expose the service via `Ingress`, the `domain` should be the value of `ingress.hosts.core`
- if expose the service via `ClusterIP`, the `domain` should be the value of `service.clusterIP.name`
- if expose the service via `NodePort`, the `domain` should be the IP address of one Kubernetes node
- if expose the service via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider
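Review bot: the hunk fixes only the `Ingress` bullet (`service.ingress.hosts.core` to `ingress.hosts.core`), but the `ClusterIP` bullet two lines below still points to `service.clusterIP.name`; the NOTES.txt hunk in this commit replaces `.Values.service.loadBalancer.name` with `include "common.names.fullname"`, so check whether `service.clusterIP.name` still exists as a parameter and, if not, point this bullet at the release fullname as well. The bullets also read "if expose the service via"; "if the service is exposed via" would be the grammatical form.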
@@ -425,6 +826,12 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
## Upgrade
## 6.0.0
The chart was changed to adapt to the common Bitnami chart standards. Now it includes common elements such as sidecar and init container support, custom commands, custom liveness/readiness probes, extra environment variables support, extra pod annotations and labels, among others. In addition, it adds a new Trivy deployment for image scanning.
No issues are expected between upgrades but please double check the updated parameter list as some of them could have been renamed.
## 4.0.0
PostgreSQL and Redis dependencies were updated to the use the latest major versions, `8.x.x` and `10.x.x`, respectively. These major versions do not include changes that should break backwards compatibilities, check the links below for more information:
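Review bot: the 6.0.0 upgrade note says parameters "could have been renamed" without listing them; for a major version bump operators need the concrete mapping, and this commit's NOTES.txt hunk already shows two of them (`service.loadBalancer.ports.httpPort` becomes `service.ports.http`, and `service.loadBalancer.name` is replaced by the release fullname). The note should also mention that the Clair `notifier` block was removed from clair.yaml and that Trivy is deployed and enabled by default (`trivy.enabled: true`), since both change runtime behaviour after the upgrade, and, to match the `## 4.0.0` entry below, that Chart.lock now pins postgresql 8.10.5 and redis 10.7.0.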

View File

@@ -1,18 +1,16 @@
# Test values file for generating all of the yaml and check that
# the rendering is correct
service:
type: Ingress
ingress:
enabled: true
volumePermissions:
enabled: true
internalTLS:
enabled: true
redis:
enabled: true
cluster:
enabled: true
postgresql:
enabled: true
replication:
enabled: true

View File

@@ -14,8 +14,3 @@ clair:
timeout: 300s
updater:
interval: {{ .Values.clair.updatersInterval }}h
notifier:
attempts: 3
renotifyinterval: 2h
http:
endpoint: "http://{{ template "harbor.core" . }}/service/notifications/clair"
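Review bot: removing the `notifier` block also removes the callback to `http://{{ template "harbor.core" . }}/service/notifications/clair`, so Harbor core is no longer told when Clair's vulnerability database has been refreshed; if core no longer exposes that endpoint in the 2.0 line this is the right change, but it should be stated in the 6.0.0 upgrade note so that operators who watched for those notifications know the behaviour is gone rather than silently failing.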

View File

@@ -7,7 +7,7 @@
"hostname": "{{ template "harbor.notary-signer" . }}",
"port": "7899",
{{- if not .Values.notary.secretName }}
"tls_ca_file": "./notary-signer-ca.crt",
"tls_ca_file": "/etc/notary/notary-signer-ca.crt",
{{- else }}
"tls_ca_file": "/etc/ssl/notary/cert/notary-signer-ca.crt",
{{- end }}

View File

@@ -2,8 +2,8 @@
"server": {
"grpc_addr": ":7899",
{{- if not .Values.notary.secretName }}
"tls_cert_file": "./notary-signer.crt",
"tls_key_file": "./notary-signer.key"
"tls_cert_file": "/etc/notary/notary-signer.crt",
"tls_key_file": "/etc/notary/notary-signer.key"
{{- else }}
"tls_cert_file": "/etc/ssl/notary/cert/notary-signer.crt",
"tls_key_file": "/etc/ssl/notary/cert/notary-signer.key"
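Review bot: moving the signer certificate and key from the working directory (`./notary-signer.crt`, `./notary-signer.key`) to the absolute `/etc/notary/` paths is the right fix, since the old relative paths depended on where the process was started; the volume that provides these files is not in this hunk, so confirm it is mounted `readOnly: true` with a restrictive `defaultMode`, because `notary-signer.key` is the private key that signs trust data for every repository. The same check applies to the `/etc/notary/notary-signer-ca.crt` path in the notary-server hunk above.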

View File

@@ -1,9 +1,12 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 8.9.6
version: 8.10.5
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 10.6.13
digest: sha256:ea2ff851522d75c72d63f07f2b7a31111d3f3e46e5e630c659af79973a7b273c
generated: "2020-05-12T10:43:04.290206566Z"
version: 10.7.0
- name: common
repository: https://charts.bitnami.com/bitnami
version: 0.3.1
digest: sha256:9eb7a5be328ae777bb5e6f6a30dde9f489cabea76e156c5e032a77125146e57b
generated: "2020-06-10T18:58:44.99379479Z"

View File

@@ -7,3 +7,6 @@ dependencies:
version: 10.x.x
repository: https://charts.bitnami.com/bitnami
condition: redis.enabled
- name: common
version: 0.x.x
repository: https://charts.bitnami.com/bitnami
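Review bot: `common` is pulled in with `version: 0.x.x` and no `condition`, which is correct for a library chart, but a `0.x` range gives no stability guarantee: any `helm dependency update` may pick up a `0.y` that renames `common.labels.standard` or `common.tplvalues.render`, which every template in this change now depends on. Consider pinning to `0.3.x` (Chart.lock currently resolves it to 0.3.1) until the common chart reaches 1.0.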

View File

@@ -2,36 +2,36 @@
1. Get the Harbor URL:
{{- if contains "Ingress" .Values.service.type }}
{{- if .Values.ingress.enabled }}
You should be able to access your new Harbor installation through {{ include "harbor.externalUrl" . }}
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ .Values.service.loadBalancer.name }}'
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}'
{{- $port:=.Values.service.loadBalancer.ports.httpPort | toString }}
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ .Values.service.loadBalancer.name }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo "Harbor URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.loadBalancer.ports.httpPort }}{{ end }}/"
{{- $port:=.Values.service.ports.http | toString }}
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo "Harbor URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.ports.http }}{{ end }}/"
{{- else if contains "ClusterIP" .Values.service.type }}
{{- if .Values.service.tls.enabled }}
echo "Harbor URL: https://127.0.0.1:8443/"
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Values.service.clusterIP.name }} 8443:{{ .Values.service.clusterIP.ports.httpsPort }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} 8443:{{ .Values.service.ports.https }}
{{- else }}
echo "Harbor URL: http://127.0.0.1:8080/"
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Values.service.clusterIP.name }} 8080:{{ .Values.service.clusterIP.ports.httpPort }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} 8080:{{ .Values.service.ports.http }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ .Values.service.nodePort.name }})
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "Harbor URL: http://$NODE_IP:$NODE_PORT/"
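Review bot: the NodePort branch always prints `http://$NODE_IP:$NODE_PORT/` and reads `.spec.ports[0].nodePort`, while the ClusterIP branch above it checks `.Values.service.tls.enabled` and switches to `https://`; with TLS enabled the NodePort instructions therefore point at the wrong scheme and possibly the wrong port. Mirror the ClusterIP logic (select the port by name and choose the scheme from `service.tls.enabled`). Separately, the nested `{{- if contains "Ingress" .Values.service.type }}` / `{{- if .Values.ingress.enabled }}` means that `service.type: Ingress` with `ingress.enabled: false` prints no URL at all, since the `else if` branches test the other service types; either collapse the two conditions or print a hint for that combination. The switch from the removed `.Values.loadBalancer.ports.httpPort` (which was missing the `service.` prefix) to `.Values.service.ports.http` fixes a real rendering error in the old LoadBalancer branch.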

File diff suppressed because it is too large

View File

@@ -3,25 +3,35 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.chartmuseum" . }}-envvars
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: chartmuseum
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
PORT: {{ .Values.chartmuseum.port | quote }}
PORT: {{ include "harbor.chartmuseum.containerPort" . | quote }}
{{- if .Values.internalTLS.enabled }}
TLS_CERT: "/bitnami/certs/tls.crt"
TLS_KEY: "/bitnami/certs/tls.key"
{{- end }}
{{- if .Values.chartmuseum.useRedisCache }}
CACHE: "redis"
CACHE_REDIS_ADDR: "{{ include "harbor.redis.host" . }}:{{ include "harbor.redis.port" . }}"
CACHE_REDIS_DB: "{{ include "harbor.redis.chartmuseumDatabaseIndex" . }}"
CACHE_REDIS_ADDR: {{ printf "%s:%s" ( include "harbor.redis.host" . ) ( include "harbor.redis.port" . ) | quote }}
CACHE_REDIS_DB: {{ include "harbor.redis.chartmuseumDatabaseIndex" . | quote }}
{{- end }}
# The user is hardcoded because the core binary has it hardcoded so it is not configurable.
BASIC_AUTH_USER: "chart_controller"
{{- if .Values.chartmuseum.absoluteUrl }}
CHART_URL: "{{ template "harbor.externalUrl" . }}/{{ .Values.chartmuseum.chartRepoName }}"
CHART_URL: {{ printf "%s/%s" ( include "harbor.externalUrl" . ) .Values.chartmuseum.chartRepoName | quote }}
{{- end }}
DEPTH: {{ .Values.chartmuseum.depth | quote }}
{{- if or (eq .Values.logLevel "debug") .Values.chartMuseumImage.debug }}
DEBUG: "1"
DEBUG: "true"
{{- else }}
DEBUG: "0"
DEBUG: "false"
{{- end }}
LOG_JSON: {{ .Values.chartmuseum.logJson | quote }}
DISABLE_METRICS: {{ .Values.chartmuseum.disableMetrics | quote }}
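Review bot: `AZURE_BASE_URL: {{ .Values.persistence.imageChartStorage.azure.realm | quote }}` is new and unconditional in the azure branch. If `realm` has no default in values.yaml it renders as `""`, and an empty but present environment variable can override ChartMuseum's built-in default rather than fall back to it; either wrap it in `{{- if .Values.persistence.imageChartStorage.azure.realm }}` like the other optional keys in this file, or document that it must be set (the registry storage driver uses `core.windows.net` as its default). The `DEBUG: "1"`/`"0"` to `"true"`/`"false"` change is harmless since both spellings parse as booleans, but see the note on the deployment: this ConfigMap key is shadowed by the explicit container `env` entry anyway.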
@@ -35,74 +45,82 @@ data:
{{- if .Values.chartmuseum.indexLimit }}
INDEX_LIMIT: {{ .Values.chartmuseum.indexLimit | quote }}
{{- end }}
{{- if .Values.chartmuseum.maxUploadSize }}
MAX_UPLOAD_SIZE: {{ .Values.chartmuseum.maxUploadSize | quote }}
{{- end }}
{{- if .Values.chartmuseum.maxStorageObjects }}
MAX_STORAGE_OBJECTS: {{ .Values.chartmuseum.maxStorageObjects | quote }}
{{- end }}
{{- if .Values.chartmuseum.chartPostFormFieldName }}
CHART_POST_FORM_FIELD_NAME: {{ .Values.chartmuseum.chartPostFormFieldName | quote }}
{{- end }}
{{- if .Values.chartmuseum.provPostFormFieldName }}
PROV_POST_FORM_FIELD_NAME: {{ .Values.chartmuseum.provPostFormFieldName | quote }}
{{- end }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $storageType := $storage.type }}
{{- if eq $storageType "filesystem" }}
{{- if eq .Values.persistence.imageChartStorage.type "filesystem" }}
STORAGE: "local"
STORAGE_LOCAL_ROOTDIR: "/bitnami/data"
{{- else if eq $storageType "azure" }}
{{- else if eq .Values.persistence.imageChartStorage.type "azure" }}
STORAGE: "microsoft"
STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }}
AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }}
STORAGE_MICROSOFT_PREFIX: {{ $storage.azure.storagePrefix }}
{{- else if eq $storageType "gcs" }}
STORAGE_MICROSOFT_CONTAINER: {{ .Values.persistence.imageChartStorage.azure.container | quote }}
AZURE_STORAGE_ACCOUNT: {{ .Values.persistence.imageChartStorage.azure.accountname | quote }}
STORAGE_MICROSOFT_PREFIX: {{ .Values.persistence.imageChartStorage.azure.storagePrefix | quote }}
AZURE_BASE_URL: {{ .Values.persistence.imageChartStorage.azure.realm | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "gcs" }}
STORAGE: "google"
STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }}
STORAGE_GOOGLE_BUCKET: {{ .Values.persistence.imageChartStorage.gcs.bucket }}
GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json
{{- if $storage.gcs.rootdirectory }}
STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }}
{{- if .Values.persistence.imageChartStorage.gcs.rootdirectory }}
STORAGE_GOOGLE_PREFIX: {{ .Values.persistence.imageChartStorage.gcs.rootdirectory | quote }}
{{- end }}
{{- else if eq $storageType "s3" }}
{{- else if eq .Values.persistence.imageChartStorage.type "s3" }}
STORAGE: "amazon"
STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }}
{{- if $storage.s3.rootdirectory }}
STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }}
STORAGE_AMAZON_BUCKET: {{ .Values.persistence.imageChartStorage.s3.bucket | quote }}
{{- if .Values.persistence.imageChartStorage.s3.rootdirectory }}
STORAGE_AMAZON_PREFIX: {{ .Values.persistence.imageChartStorage.s3.rootdirectory | quote }}
{{- end }}
STORAGE_AMAZON_REGION: {{ $storage.s3.region }}
{{- if $storage.s3.regionendpoint }}
STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }}
STORAGE_AMAZON_REGION: {{ .Values.persistence.imageChartStorage.s3.region | quote }}
{{- if .Values.persistence.imageChartStorage.s3.regionendpoint }}
STORAGE_AMAZON_ENDPOINT: {{ .Values.persistence.imageChartStorage.s3.regionendpoint | quote }}
{{- end }}
{{- if $storage.s3.accesskey }}
AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }}
{{- if .Values.persistence.imageChartStorage.s3.accesskey }}
AWS_ACCESS_KEY_ID: {{ .Values.persistence.imageChartStorage.s3.accesskey | quote }}
{{- end }}
{{- else if eq $storageType "swift" }}
{{- if .Values.persistence.imageChartStorage.s3.keyid }}
STORAGE_AMAZON_SSE: {{ .Values.persistence.imageChartStorage.s3.sse | quote }}
{{- end }}
{{- else if eq .Values.persistence.imageChartStorage.type "swift" }}
STORAGE: "openstack"
STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }}
{{- if $storage.swift.secretkey }}
STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }}
STORAGE_OPENSTACK_CONTAINER: {{ .Values.persistence.imageChartStorage.swift.container | quote }}
{{- if .Values.persistence.imageChartStorage.swift.secretkey }}
STORAGE_OPENSTACK_PREFIX: {{ .Values.persistence.imageChartStorage.swift.prefix | quote }}
{{- end }}
{{- if $storage.swift.secretkey }}
STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }}
{{- if .Values.persistence.imageChartStorage.swift.secretkey }}
STORAGE_OPENSTACK_REGION: {{ .Values.persistence.imageChartStorage.swift.region | quote }}
{{- end }}
OS_AUTH_URL: {{ $storage.swift.authurl }}
OS_USERNAME: {{ $storage.swift.username }}
{{- if $storage.swift.secretkey }}
OS_PROJECT_ID: {{ $storage.swift.tenantid }}
OS_AUTH_URL: {{ .Values.persistence.imageChartStorage.swift.authurl | quote }}
OS_USERNAME: {{ .Values.persistence.imageChartStorage.swift.username | quote }}
{{- if .Values.persistence.imageChartStorage.swift.secretkey }}
OS_PROJECT_ID: {{ .Values.persistence.imageChartStorage.swift.tenantid | quote }}
{{- end }}
{{- if $storage.swift.secretkey }}
OS_PROJECT_NAME: {{ $storage.swift.tenant }}
{{- if .Values.persistence.imageChartStorage.swift.secretkey }}
OS_PROJECT_NAME: {{ .Values.persistence.imageChartStorage.swift.tenant | quote }}
{{- end }}
{{- if $storage.swift.secretkey }}
OS_DOMAIN_ID: {{ $storage.swift.domainid }}
{{- if .Values.persistence.imageChartStorage.swift.secretkey }}
OS_DOMAIN_ID: {{ .Values.persistence.imageChartStorage.swift.domainid | quote }}
{{- end }}
{{- if $storage.swift.secretkey }}
OS_DOMAIN_NAME: {{ $storage.swift.domain }}
{{- if .Values.persistence.imageChartStorage.swift.secretkey }}
OS_DOMAIN_NAME: {{ .Values.persistence.imageChartStorage.swift.domain | quote }}
{{- end }}
{{- else if eq $storageType "oss" }}
{{- else if eq .Values.persistence.imageChartStorage.type "oss" }}
STORAGE: "alibaba"
STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }}
{{- if $storage.oss.secretkey }}
STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }}
STORAGE_ALIBABA_BUCKET: {{ .Values.persistence.imageChartStorage.oss.bucket | quote }}
{{- if .Values.persistence.imageChartStorage.oss.secretkey }}
STORAGE_ALIBABA_PREFIX: {{ .Values.persistence.imageChartStorage.oss.rootdirectory | quote }}
{{- end }}
{{- if $storage.oss.secretkey }}
STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }}
{{- if .Values.persistence.imageChartStorage.oss.secretkey }}
STORAGE_ALIBABA_ENDPOINT: {{ .Values.persistence.imageChartStorage.oss.endpoint | quote }}
{{- end }}
ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }}
ALIBABA_CLOUD_ACCESS_KEY_ID: {{ .Values.persistence.imageChartStorage.oss.accesskeyid | quote }}
{{- end }}
{{- end }}
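Review bot: the new `STORAGE_AMAZON_SSE` block is gated on the wrong value: `{{- if .Values.persistence.imageChartStorage.s3.keyid }}` decides whether `.s3.sse` is emitted, so a user who sets `sse: AES256` without a KMS `keyid` gets no server-side encryption configured, and one who sets `keyid` without `sse` gets `STORAGE_AMAZON_SSE: ""`. Test `.s3.sse` itself. The same copy-paste pattern persists in the swift and oss branches carried over from the old template, where `STORAGE_OPENSTACK_PREFIX`, `STORAGE_OPENSTACK_REGION`, `OS_PROJECT_ID`, `OS_PROJECT_NAME`, `OS_DOMAIN_ID`, `OS_DOMAIN_NAME`, `STORAGE_ALIBABA_PREFIX` and `STORAGE_ALIBABA_ENDPOINT` are all conditional on `secretkey` rather than on the value they render; since this change already rewrites every one of those lines, it is the right moment to guard each key on its own value.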

View File

@@ -3,47 +3,75 @@ apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "harbor.chartmuseum" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: chartmuseum
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.chartmuseum.replicas }}
{{- if .Values.chartmuseum.strategy }}
strategy: {{- toYaml .Values.chartmuseum.strategy | nindent 4 }}
{{- end }}
{{- if .Values.chartmuseum.updateStrategy }}
strategy: {{- toYaml .Values.chartmuseum.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: chartmuseum
template:
metadata:
labels: {{- include "harbor.matchLabels" . | nindent 8 }}
labels: {{- include "common.labels.matchLabels" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.chartmuseum.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: chartmuseum
annotations:
checksum/configmap-envvars: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm-envvars.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (not .Values.chartmuseum.tls.existingSecret) }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/internal-crt-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.chartmuseum.podAnnotations }}
{{- include "harbor.tplValue" (dict "value" .Values.chartmuseum.podAnnotations "context" $) | nindent 8 }}
{{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.chartmuseum.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.chartmuseum.affinity "context" $) | nindent 8 }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.chartmuseum.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.chartmuseum.nodeSelector "context" $) | nindent 8 }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.chartmuseum.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.chartmuseum.tolerations "context" $) | nindent 8 }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.chartmuseum.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: chartmuseum
image: {{ include "harbor.chartMuseumImage" . }}
imagePullPolicy: {{ .Values.chartMuseumImage.pullPolicy | quote }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.chartmuseum.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.chartmuseum.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.chartmuseum.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.chartmuseum.resources }}
resources: {{- toYaml .Values.chartmuseum.resources | nindent 12 }}
{{- end }}
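Review bot: indentation bug in the pod template labels: `{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}` sits under `spec.template.metadata.labels`, whose sibling entries use `nindent 8`, so any `commonLabels` render four levels too shallow and either break the YAML or land outside the pod labels (the pod selector would then not see them). The Deployment-level block a few lines up correctly uses `nindent 4`, and the clair template in this same change uses `nindent 8` at this spot. Also worth an upgrade note: the old `securityContext.enabled`/`fsGroup`/`runAsUser` trio is replaced by the free-form `podSecurityContext` and `containerSecurityContext`, so the defaults in values.yaml must keep an `fsGroup` or the chartmuseum data volume stops being writable after upgrade.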
@@ -52,39 +80,55 @@ spec:
httpGet:
path: /health
port: http
{{- if .Values.chartmuseum.enableTLS }}
scheme: "HTTPS"
{{- end }}
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.chartmuseum.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.chartmuseum.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.chartmuseum.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.chartmuseum.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.chartmuseum.livenessProbe.failureThreshold }}
{{- else if .Values.chartmuseum.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.chartmuseum.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /health
port: http
{{- if .Values.chartmuseum.enableTLS }}
scheme: "HTTPS"
{{- end }}
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.chartmuseum.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.chartmuseum.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.chartmuseum.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.chartmuseum.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.chartmuseum.readinessProbe.failureThreshold }}
{{- else if .Values.chartmuseum.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "harbor.chartmuseum" . }}-envvars
- secretRef:
name: {{ include "harbor.chartmuseum" . }}-secret
{{- if .Values.chartmuseum.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.chartmuseum.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.chartmuseum.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.chartmuseum.extraEnvVarsSecret "context" $) }}
{{- end }}
env:
- name: DEBUG
value: {{ ternary "1" "0" .Values.chartMuseumImage.debug | quote }}
{{- if .Values.extraEnvVars }}
{{- toYaml .Values.extraEnvVars | indent 12 }}
{{- if has "chartmuseum" .Values.proxy.components }}
- name: HTTP_PROXY
value: {{ .Values.proxy.httpProxy | quote }}
- name: HTTPS_PROXY
value: {{ .Values.proxy.httpsProxy | quote }}
- name: NO_PROXY
value: {{ include "harbor.noProxy" . | quote }}
{{- end }}
{{- if .Values.chartmuseum.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: BASIC_AUTH_PASS
valueFrom:
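Review bot: the container still sets `DEBUG` explicitly (`value: {{ ternary "1" "0" .Values.chartMuseumImage.debug | quote }}`) while also loading the `-envvars` ConfigMap through `envFrom`, which now carries its own `DEBUG` derived from `logLevel` and `chartMuseumImage.debug`. Kubernetes gives `env` precedence over `envFrom`, so the ConfigMap's `logLevel: debug` path can never take effect; drop the explicit `env` entry (or the ConfigMap key) so there is a single source of truth. The new proxy block correctly uses `.Values.proxy.httpProxy` / `.Values.proxy.httpsProxy` and the shared `harbor.noProxy` helper, which is the pattern the clair template in this change should follow as well.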
@@ -93,20 +137,32 @@ spec:
name: {{ include "harbor.core" . }}
key: secret
ports:
- containerPort: {{ .Values.chartmuseum.port }}
- containerPort: {{ include "harbor.chartmuseum.containerPort" . }}
name: http
volumeMounts:
- name: chartmuseum-data
mountPath: /bitnami/data
subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
mountPath: /etc/chartmuseum/gcs-key.json
subPath: gcs-key.json
{{- end }}
{{- if .Values.chartmuseum.enableTLS }}
{{- if .Values.internalTLS.enabled }}
- name: tls-certs
mountPath: /bitnami/certs
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
mountPath: /etc/pki/tls/certs/ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if .Values.chartmuseum.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.chartmuseum.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: chartmuseum-data
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
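Review bot: mounting the user-supplied `storage-service-ca` with `subPath: ca.crt` over `/etc/pki/tls/certs/ca-bundle.crt` replaces the container's entire system trust store, so every outbound TLS connection from chartmuseum (Redis, core, the object-storage API) is validated only against the supplied CA, and because it is a subPath mount the file is not refreshed when the Secret is rotated. Document that `caBundleSecretName` must contain the full bundle the user wants trusted, or mount it at a separate path and point the storage client at it instead of overwriting the system bundle.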
@@ -123,14 +179,17 @@ spec:
- key: GCS_KEY_DATA
path: gcs-key.json
{{- end }}
{{- if .Values.chartmuseum.enableTLS }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
secret:
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: tls-certs
secret:
secretName: {{ include "harbor.chartmuseum" . }}-secret
items:
- key: TLS_CERT
path: server.crt
- key: TLS_KEY
path: server.key
secretName: {{ include "harbor.chartmuseum.tls.secretName" . }}
{{- end }}
{{- if .Values.chartmuseum.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.extraVolumes "context" $) | nindent 6 }}
{{- end }}
{{- end }}
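Review bot: the `tls-certs` volume now mounts the whole Secret named by `harbor.chartmuseum.tls.secretName` without the old `items:` mapping to `server.crt`/`server.key`, while the envvars ConfigMap points ChartMuseum at `/bitnami/certs/tls.crt` and `/bitnami/certs/tls.key`. That works only if the generated Secret (and any user-provided `chartmuseum.tls.existingSecret`) uses exactly the keys `tls.crt` and `tls.key`; state that requirement in the parameter description. Consider adding `defaultMode: 0440` (or tighter) on this volume so the private key is not world-readable inside the pod.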

View File

@@ -1,24 +1,28 @@
{{- if .Values.chartmuseum.enabled }}
{{- $persistence := .Values.persistence -}}
{{- if $persistence.enabled }}
{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}}
{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }}
{{- if .Values.persistence.enabled }}
{{- if and (not .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "harbor.chartmuseum" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: chartmuseum
{{- if eq $persistence.resourcePolicy "keep" }}
{{- if eq .Values.persistence.resourcePolicy "keep" }}
annotations:
helm.sh/resource-policy: keep
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
accessModes:
- {{ $chartmuseum.accessMode }}
- {{ .Values.persistence.persistentVolumeClaim.chartmuseum.accessMode }}
resources:
requests:
storage: {{ $chartmuseum.size }}
storage: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.size }}
{{ include "harbor.chartmuseum.storageClass" . }}
{{- end }}
{{- end }}
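Review bot: the `annotations:` key is only emitted inside `{{- if eq .Values.persistence.resourcePolicy "keep" }}`, but the new `{{- if .Values.commonAnnotations }}` block renders its entries at `nindent 4` unconditionally after it. When `resourcePolicy` is not `keep` and `commonAnnotations` is set, those annotations are rendered without a parent key and end up merged into `labels:`. Emit `annotations:` whenever either condition holds, e.g. `{{- if or (eq .Values.persistence.resourcePolicy "keep") .Values.commonAnnotations }}`, and nest both sources under it.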

View File

@@ -3,30 +3,30 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.chartmuseum" . }}-secret
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: chartmuseum
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.chartmuseum.useRedisCache }}
CACHE_REDIS_PASSWORD: {{ include "harbor.redis.rawPassword" . | b64enc | quote }}
{{- end }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $storageType := $storage.type }}
{{- if eq $storageType "azure" }}
AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | quote }}
{{- else if eq $storageType "gcs" }}
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
{{- else if eq $storageType "s3" }}
{{- if $storage.s3.secretkey }}
AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }}
{{- if eq .Values.persistence.imageChartStorage.type "azure" }}
AZURE_STORAGE_ACCESS_KEY: {{ .Values.persistence.imageChartStorage.azure.accountkey | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "gcs" }}
GCS_KEY_DATA: {{ .Values.persistence.imageChartStorage.gcs.encodedkey | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "s3" }}
{{- if .Values.persistence.imageChartStorage.s3.secretkey }}
AWS_SECRET_ACCESS_KEY: {{ .Values.persistence.imageChartStorage.s3.secretkey | b64enc | quote }}
{{- end }}
{{- else if eq $storageType "swift" }}
OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
{{- else if eq $storageType "oss" }}
ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- if .Values.chartmuseum.enableTLS }}
TLS_CERT: {{ .Files.Get "cert/tls.crt" | b64enc }}
TLS_KEY: {{ .Files.Get "cert/tls.key" | b64enc }}
{{- else if eq .Values.persistence.imageChartStorage.type "swift" }}
OS_PASSWORD: {{ .Values.persistence.imageChartStorage.swift.password | b64enc | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "oss" }}
ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- end }}
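Review bot: `AZURE_STORAGE_ACCESS_KEY` and `GCS_KEY_DATA` are written into `data:` with `| quote` but without `| b64enc`, while the s3, swift and oss secrets in the same block are base64-encoded. A Secret's `data:` values must be base64, so these two only work if the user supplies them already encoded (the `encodedkey` name hints at that for GCS, and Azure account keys happen to be base64 strings, but `accountkey` is not documented that way). Either encode consistently or move the raw values to `stringData:`. Removing the `{{ .Files.Get "cert/tls.crt" | b64enc }}` / `tls.key` branch is a clear win: it shipped a static key pair inside the chart archive, so every install using `enableTLS` shared the same private key.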

View File

@@ -3,13 +3,19 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.chartmuseum" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: chartmuseum
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ports:
- port: 80
- port: {{ include "harbor.chartmuseum.servicePort" . }}
name: http
targetPort: http
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: chartmuseum
{{- end }}
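Review bot: the port is still named `http` after the switch to `harbor.chartmuseum.servicePort`, even though with `internalTLS.enabled` the backend only speaks HTTPS (the probes in the deployment derive their scheme from `harbor.component.scheme`). Naming the port by the actual scheme, or at least noting in the parameter table that the `http` port carries TLS when internal TLS is on, avoids confusion for anyone wiring a NetworkPolicy or a ServiceMonitor against it.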

View File

@@ -3,74 +3,135 @@ apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "harbor.clair" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: clair
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.clair.replicas }}
{{- if .Values.clair.updateStrategy }}
strategy: {{- toYaml .Values.clair.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: clair
template:
metadata:
labels: {{- include "harbor.labels" . | nindent 8 }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.clair.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: clair
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/clair/clair-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (not .Values.clair.tls.existingSecret) }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/internal-crt-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.clair.podAnnotations }}
{{- include "harbor.tplValue" (dict "value" .Values.clair.podAnnotations "context" $) | nindent 8 }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- if .Values.clair.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.clair.affinity "context" $) | nindent 8 }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.clair.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.clair.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.clair.nodeSelector "context" $) | nindent 8 }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.clair.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.clair.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.clair.tolerations "context" $) | nindent 8 }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.clair.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.clair.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.clair.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: clair
image: {{ include "harbor.clairImage" . }}
imagePullPolicy: {{ .Values.clairImage.pullPolicy | quote }}
{{- if .Values.clair.livenessProbe.enabled }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.server.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.clair.server.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.server.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.clair.server.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.server.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.clair.server.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.server.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /health
port: 6061
initialDelaySeconds: {{ .Values.clair.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.clair.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.server.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.server.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.server.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.server.livenessProbe.failureThreshold }}
{{- else if .Values.clair.server.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.clair.server.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.readinessProbe.enabled }}
{{- if .Values.clair.server.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /health
port: 6061
initialDelaySeconds: {{ .Values.clair.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.clair.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.server.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.server.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.server.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.server.readinessProbe.failureThreshold }}
{{- else if .Values.clair.server.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.clair.server.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.clairImage.debug | quote }}
{{- if has "clair" .Values.proxy.components }}
{{- if .Values.clair.httpProxy }}
- name: HTTP_PROXY
value: {{ .Values.clair.httpProxy }}
value: {{ .Values.clair.httpProxy | quote }}
{{- end }}
{{- if .Values.clair.httpsProxy }}
- name: HTTPS_PROXY
value: {{ .Values.clair.httpsProxy }}
value: {{ .Values.clair.httpsProxy | quote }}
{{- end }}
- name: NO_PROXY
value: "{{ include "harbor.registry" . }},{{ include "harbor.core" . }}"
{{- if .Values.clair.resources }}
resources: {{- toYaml .Values.clair.resources | nindent 12 }}
value: {{ include "harbor.noProxy" . | quote }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_KEY_PATH
value: /bitnami/certs/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /bitnami/certs/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /bitnami/certs/ca.crt
{{- end }}
{{- if .Values.clair.server.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.server.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.clair.server.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.clair.server.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.clair.server.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.clair.server.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.clair.server.resources }}
resources: {{- toYaml .Values.clair.server.resources | nindent 12 }}
{{- end }}
ports:
- containerPort: 6060
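Review bot: the INTERNAL_TLS_KEY_PATH / INTERNAL_TLS_CERT_PATH / INTERNAL_TLS_TRUST_CA_PATH variables added under `{{- if .Values.internalTLS.enabled }}` point the server container at /bitnami/certs, but the only `clair-internal-certs` volume mount in this file is on the adapter container further down; the server's volumeMounts carry just `config` and `extraVolumeMounts`. Either add the mount to this container too or drop the variables here. Separately, HTTP_PROXY and HTTPS_PROXY are read from `.Values.clair.httpProxy` / `.Values.clair.httpsProxy` although the gate is `has "clair" .Values.proxy.components` and the core ConfigMap in this same change reads `.Values.proxy.httpProxy`; reading `.Values.proxy.*` here as well keeps a single source of truth.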
@@ -78,30 +139,51 @@ spec:
- name: config
mountPath: /etc/clair/config.yaml
subPath: config.yaml
{{- if .Values.clair.server.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.server.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
- name: adapter
image: {{ include "harbor.clairAdapterImage" . }}
imagePullPolicy: {{ .Values.clairAdapterImage.pullPolicy }}
{{- if .Values.clair.livenessProbe.enabled }}
{{- if .Values.clair.adapter.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.adapter.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.adapter.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.adapter.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /probe/healthy
port: 8080
initialDelaySeconds: {{ .Values.clair.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.livenessProbe.failureThreshold }}
port: {{ include "harbor.clairAdapter.containerPort" . }}
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.clair.adapter.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.adapter.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.adapter.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.adapter.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.adapter.livenessProbe.failureThreshold }}
{{- else if .Values.clair.adapter.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.readinessProbe.enabled }}
{{- if .Values.clair.adapter.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /probe/ready
port: 8080
initialDelaySeconds: {{ .Values.clair.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.readinessProbe.failureThreshold }}
port: {{ include "harbor.clairAdapter.containerPort" . }}
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.clair.adapter.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.clair.adapter.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.clair.adapter.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.clair.adapter.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.clair.adapter.readinessProbe.failureThreshold }}
{{- else if .Values.clair.adapter.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
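Review bot: `imagePullPolicy: {{ .Values.clairAdapterImage.pullPolicy }}` is left unquoted while the core Deployment in this change renders it with `| quote`; quote it here for consistency. The probe switch to `harbor.clairAdapter.containerPort` plus `scheme: {{ include "harbor.component.scheme" . | upper }}` looks right.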
@@ -113,13 +195,54 @@ spec:
value: {{ include "harbor.redisForClairAdapter" . }}
- name: SCANNER_CLAIR_DATABASE_URL
value: {{ include "harbor.database.clair" . }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: SCANNER_API_SERVER_ADDR
value: {{ printf ":%s" ( include "harbor.clairAdapter.containerPort" . ) | quote }}
- name: SCANNER_API_SERVER_TLS_KEY
value: /bitnami/certs/tls.key
- name: SCANNER_API_SERVER_TLS_CERTIFICATE
value: /bitnami/certs/tls.crt
{{- end }}
{{- if .Values.clair.adapter.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.clair.adapter.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.clair.adapter.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.clair.adapter.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.clair.adapter.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.clair.adapter.resources }}
resources: {{ toYaml .Values.clair.adapter.resources | nindent 12 }}
resources: {{- toYaml .Values.clair.adapter.resources | nindent 12 }}
{{- end }}
ports:
- containerPort: 8080
volumeMounts:
{{- if .Values.internalTLS.enabled }}
- name: clair-internal-certs
mountPath: /bitnami/certs
{{- end }}
{{- if .Values.clair.adapter.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: config
secret:
secretName: "{{ template "harbor.clair" . }}"
secretName: {{ include "harbor.clair" . | quote }}
{{- if .Values.internalTLS.enabled }}
- name: clair-internal-certs
secret:
secretName: {{ template "harbor.clair.tls.secretName" . }}
{{- end }}
{{- if .Values.clair.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.extraVolumes "context" $) | nindent 6 }}
{{- end }}
{{- end }}
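Review bot: the adapter's `ports:` still declares a literal `containerPort: 8080`, while its probes and SCANNER_API_SERVER_ADDR use `harbor.clairAdapter.containerPort` and the Service uses `harbor.clairAdapter.servicePort`; if that helper ever returns something other than 8080 (for instance under internalTLS), the declared port and the listening port diverge. Use the helper here as well and give the port a name. Also the new volume uses `secretName: {{ template "harbor.clair.tls.secretName" . }}` while the line just above it was converted from `template` to `include ... | quote`.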

View File

@@ -3,9 +3,16 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.clair" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }}
redis: {{ include "harbor.redisForClairAdapter" . | b64enc }}
database: {{ include "harbor.database.clair" . | b64enc }}
{{- end }}
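Review bot: the metadata labels for this Secret do not add `app.kubernetes.io/component: clair`, unlike the Clair Service and Deployment in this change; add it so label selectors behave the same across the component. The Secret also still stores `redis` and `database` connection strings, yet the adapter container sets SCANNER_CLAIR_DATABASE_URL and the redis URL as plain `value:` entries in the pod spec rather than via `secretKeyRef`; reference these keys from the Secret instead so credentials embedded in the URLs do not appear in the Deployment object.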

View File

@@ -3,8 +3,14 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.clair" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: clair
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ports:
- name: clair
@@ -12,7 +18,7 @@ spec:
- name: health
port: 6061
- name: adapter
port: 8080
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
port: {{ include "harbor.clairAdapter.servicePort" . }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: clair
{{- end }}
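Review bot: the `adapter` port now takes `port: {{ include "harbor.clairAdapter.servicePort" . }}` but has no `targetPort`, so it implicitly targets the same number in the pod, where the Deployment still declares a literal `containerPort: 8080`; add a `targetPort` (the container port helper or a named port) so service and container ports can differ safely.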

View File

@@ -2,41 +2,55 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.core" . }}-envvars
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: core
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
DATABASE_TYPE: "postgresql"
POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
EXT_ENDPOINT: "{{ template "harbor.externalUrl" . }}"
CORE_URL: "http://{{ template "harbor.core" . }}"
JOBSERVICE_URL: "http://{{ template "harbor.fullname" . }}-jobservice"
REGISTRY_URL: "http://{{ template "harbor.registry" . }}:5000"
TOKEN_SERVICE_URL: "http://{{ template "harbor.core" . }}/service/token"
WITH_NOTARY: "{{ .Values.notary.enabled }}"
NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
POSTGRESQL_HOST: {{ include "harbor.database.host" . | quote }}
POSTGRESQL_PORT: {{ include "harbor.database.port" . | quote }}
POSTGRESQL_USERNAME: {{ include "harbor.database.username" . | quote }}
POSTGRESQL_DATABASE: {{ include "harbor.database.coreDatabase" . | quote }}
POSTGRESQL_SSLMODE: {{ include "harbor.database.sslmode" . | quote }}
EXT_ENDPOINT: {{ include "harbor.externalUrl" . | quote }}
CORE_URL: {{ include "harbor.core.url" . | quote }}
JOBSERVICE_URL: {{ include "harbor.jobservice.url" . | quote }}
REGISTRY_URL: {{ include "harbor.registry.url" . | quote }}
TOKEN_SERVICE_URL: {{ include "harbor.tokenService.url" . | quote }}
WITH_NOTARY: {{ .Values.notary.enabled | quote }}
NOTARY_URL: {{ printf "http://%s:4443" (include "harbor.notary-server" .) | quote }}
CFG_EXPIRATION: "5"
ADMIRAL_URL: "NA"
WITH_CLAIR: "{{ .Values.clair.enabled }}"
CLAIR_DB_HOST: "{{ template "harbor.database.host" . }}"
CLAIR_DB_PORT: "{{ template "harbor.database.port" . }}"
CLAIR_DB_USERNAME: "{{ template "harbor.database.clairUsername" . }}"
CLAIR_DB: "{{ template "harbor.database.clairDatabase" . }}"
CLAIR_DB_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
CLAIR_URL: "http://{{ template "harbor.clair" . }}:6060"
CLAIR_ADAPTER_URL: "http://{{ template "harbor.clair" . }}:8080"
REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}"
CHART_REPOSITORY_URL: "http://{{ template "harbor.chartmuseum" . }}"
LOG_LEVEL: "{{ .Values.logLevel }}"
WITH_CLAIR: {{ .Values.clair.enabled | quote }}
CLAIR_DB_HOST: {{ include "harbor.database.host" . | quote }}
CLAIR_DB_PORT: {{ include "harbor.database.port" . | quote }}
CLAIR_DB_USERNAME: {{ include "harbor.database.clairUsername" . | quote }}
CLAIR_DB: {{ include "harbor.database.clairDatabase" . | quote }}
CLAIR_DB_SSLMODE: {{ include "harbor.database.sslmode" . | quote }}
CLAIR_URL: {{ printf "http://%s:6060" (include "harbor.clair" .) | quote }}
CLAIR_ADAPTER_URL: {{ include "harbor.clairAdapter.url" . | quote }}
WITH_TRIVY: {{ .Values.trivy.enabled | quote }}
TRIVY_ADAPTER_URL: {{ include "harbor.trivy.url" . | quote }}
REGISTRY_STORAGE_PROVIDER_NAME: {{ .Values.persistence.imageChartStorage.type | quote }}
WITH_CHARTMUSEUM: {{ .Values.chartmuseum.enabled | quote }}
CHART_REPOSITORY_URL: {{ include "harbor.chartmuseum.url" . | quote }}
LOG_LEVEL: {{ .Values.logLevel | quote }}
CONFIG_PATH: "/etc/core/app.conf"
SYNC_REGISTRY: "false"
CHART_CACHE_DRIVER: "redis"
PORTAL_URL: "http://{{ template "harbor.portal" . }}"
REGISTRYCTL_URL: "http://{{ template "harbor.registry" . }}:8080"
CLAIR_HEALTH_CHECK_SERVER_URL: "http://{{ template "harbor.clair" . }}:6061"
{{- if .Values.uaaSecretName }}
PORTAL_URL: {{ include "harbor.portal.url" . | quote }}
REGISTRY_CONTROLLER_URL: {{ include "harbor.registryCtl.url" . | quote }}
REGISTRY_CREDENTIAL_USERNAME: {{ .Values.registry.credentials.username | quote }}
{{- if .Values.core.uaaSecretName }}
UAA_CA_ROOT: "/etc/core/ca/auth-ca.crt"
{{- end }}
{{- if has "core" .Values.proxy.components }}
HTTP_PROXY: {{ .Values.proxy.httpProxy | quote }}
HTTPS_PROXY: {{ .Values.proxy.httpsProxy | quote }}
NO_PROXY: {{ include "harbor.noProxy" . | quote }}
{{- end }}
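Review bot: REGISTRY_CREDENTIAL_USERNAME is set here in the ConfigMap and again in the core envvars Secret in this same change; the core Deployment loads both via envFrom, so one copy is redundant and the Secret (the later envFrom source) wins. Keep it in one place. NOTARY_URL and CLAIR_URL are also still built with `printf "http://%s:4443"` / `printf "http://%s:6060"` while the sibling URLs moved to `harbor.*.url` helpers; if those two are intentionally plain HTTP even with internalTLS enabled, a comment saying so would save the next reader a question.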

View File

@@ -2,7 +2,14 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.core" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: core
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
app.conf: |+
appname = Harbor

View File

@@ -2,16 +2,31 @@ apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "harbor.core" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: core
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.core.replicas }}
{{- if .Values.core.updateStrategy }}
strategy: {{- toYaml .Values.core.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: core
template:
metadata:
labels: {{- include "harbor.matchLabels" . | nindent 8 }}
labels: {{- include "common.labels.matchLabels" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.core.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: core
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }}
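Review bot: indentation bug in the pod template: `{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}` sits under `template.metadata.labels`, whose sibling lines (`matchLabels` and `podLabels`) use `nindent 8`, so any non-empty `commonLabels` render at the wrong level and break the YAML. Change it to `nindent 8`.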
@@ -19,60 +34,86 @@ spec:
checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
checksum/secret-envvars: {{ include (print $.Template.BasePath "/core/core-secret-envvars.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (not .Values.core.tls.existingSecret) }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/internal-crt-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.core.podAnnotations }}
{{- include "harbor.tplValue" (dict "value" .Values.core.podAnnotations "context" $) | nindent 8 }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.core.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.core.affinity "context" $) | nindent 8 }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.core.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.core.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.core.nodeSelector "context" $) | nindent 8 }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.core.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.core.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.core.tolerations "context" $) | nindent 8 }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.core.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.core.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.core.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: core
image: {{ include "harbor.coreImage" . }}
imagePullPolicy: {{ .Values.coreImage.pullPolicy | quote }}
{{- if .Values.lifecycleHooks }}
lifecycle:
{{ tpl .Values.lifecycleHooks . | indent 12 }}
{{- if .Values.core.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.core.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.core.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.core.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.core.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.core.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.core.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /api/ping
path: /api/v2.0/ping
scheme: {{ include "harbor.component.scheme" . | upper }}
port: http
initialDelaySeconds: {{ .Values.core.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.core.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.core.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.core.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.core.livenessProbe.failureThreshold }}
{{- else if .Values.core.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.core.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.core.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /api/ping
path: /api/v2.0/ping
scheme: {{ include "harbor.component.scheme" . | upper }}
port: http
initialDelaySeconds: {{ .Values.core.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.core.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.core.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.core.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.core.readinessProbe.failureThreshold }}
{{- else if .Values.core.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.core.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "harbor.core" . }}-envvars
- secretRef:
name: {{ include "harbor.core" . }}-envvars
{{- if .Values.core.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.core.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.core.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.core.extraEnvVarsSecret "context" $) }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.coreImage.debug | quote }}
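Review bot: `checksum/tls` hashes the rendered internal-crt-secret template, which calls `genCA` and `genSignedCert` on every render, so the annotation changes on every `helm upgrade` and forces a core rollout each time even when nothing else changed; either only emit it when the certificate source is stable or document the restart. The move of `lifecycleHooks` from `.Values.lifecycleHooks` to `.Values.core.lifecycleHooks` is a user-visible rename and should be listed in the upgrade notes.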
@@ -86,8 +127,21 @@ spec:
secretKeyRef:
name: {{ include "harbor.jobservice" . }}
key: secret
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: INTERNAL_TLS_KEY_PATH
value: /bitnami/certs/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /bitnami/certs/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /bitnami/certs/ca.crt
{{- end }}
{{- if .Values.core.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
ports:
- containerPort: 8080
- containerPort: {{ include "harbor.core.containerPort" . }}
name: http
volumeMounts:
- name: config
@@ -99,20 +153,30 @@ spec:
- name: token-service-private-key
mountPath: /etc/core/private_key.pem
subPath: tls.key
{{- if .Values.internalTLS.enabled }}
- name: core-internal-certs
mountPath: /bitnami/certs/
{{- end }}
{{- if .Values.service.tls.enabled }}
- name: ca-download
mountPath: /etc/core/ca
{{- end }}
{{- if .Values.uaaSecretName }}
{{- if .Values.core.uaaSecretName }}
- name: auth-ca-cert
mountPath: /etc/core/ca/auth-ca.crt
subPath: auth-ca.crt
{{- end }}
- name: psc
mountPath: /etc/core/token
{{- if .Values.core.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.core.resources }}
resources: {{- toYaml .Values.core.resources | nindent 12 }}
{{- end }}
{{- if .Values.core.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
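Review bot: `mountPath: /bitnami/certs/` carries a trailing slash whereas the env values (`/bitnami/certs/tls.key`) and the Clair adapter mount use `/bitnami/certs`; harmless, but drop the slash so the path reads the same everywhere.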
@@ -131,8 +195,13 @@ spec:
{{- if .Values.core.secretName }}
secretName: {{ .Values.core.secretName }}
{{- else }}
secretName: {{ template "harbor.core" . }}
secretName: {{ include "harbor.core" . }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: core-internal-certs
secret:
secretName: {{ include "harbor.core.tls.secretName" . }}
{{- end }}
{{- if .Values.service.tls.enabled }}
- name: ca-download
secret:
@@ -141,16 +210,19 @@ spec:
{{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }}
secretName: {{ include "harbor.nginx" . }}
{{- else }}
secretName: {{ .Values.service.tls.secretName }}
secretName: {{ .Values.service.tls.existingSecret }}
{{- end }}
{{- end }}
{{- if .Values.uaaSecretName }}
{{- if .Values.core.uaaSecretName }}
- name: auth-ca-cert
secret:
secretName: {{ .Values.uaaSecretName }}
secretName: {{ .Values.core.uaaSecretName }}
items:
- key: ca.crt
path: auth-ca.crt
{{- end }}
- name: psc
emptyDir: {}
{{- if .Values.core.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.extraVolumes "context" $) | nindent 6 }}
{{- end }}
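Review bot: the value keys moved in this hunk (`.Values.uaaSecretName` to `.Values.core.uaaSecretName`, `.Values.service.tls.secretName` to `.Values.service.tls.existingSecret`) are breaking changes for existing users; they need an entry in the chart's upgrade notes, ideally with a `fail` guard on the old keys so an upgrade run with stale values does not silently drop the UAA CA or the TLS secret.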

View File

@@ -2,15 +2,29 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.core" . }}-envvars
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: core
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
_REDIS_URL: "{{ include "harbor.redisForCore" . | b64enc }}"
_REDIS_URL_REG: "{{ include "harbor.redisForGC" . | b64enc }}"
_REDIS_URL: {{ include "harbor.redisForCore" . | b64enc | quote }}
_REDIS_URL_REG: {{ include "harbor.redisForGC" . | b64enc | quote }}
REGISTRY_CREDENTIAL_USERNAME: {{ .Values.registry.credentials.username | b64enc | quote }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
{{- if .Values.core.csrfKey }}
CSRF_KEY: {{ .Values.core.csrfKey | quote }}
{{- else }}
CSRF_KEY: {{ randAlphaNum 32 | quote }}
{{- end }}
{{- if .Values.harborAdminPassword }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
{{- else if (not .Values.forcePassword) }}
HARBOR_ADMIN_PASSWORD: "{{ randAlphaNum 10 | b64enc }}"
HARBOR_ADMIN_PASSWORD: {{ randAlphaNum 10 | b64enc | quote }}
{{ else }}
HARBOR_ADMIN_PASSWORD: {{ required "A Harbor Admin Password is required!" .Values.harborAdminPassword }}
{{- end }}
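Review bot: CSRF_KEY is written into `data:` without `b64enc`: `CSRF_KEY: {{ .Values.core.csrfKey | quote }}` and `CSRF_KEY: {{ randAlphaNum 32 | quote }}`, while every sibling key is base64 encoded. A user-supplied key will be rejected by the API server or decoded to garbage, and the random 32-character fallback decodes to 24 bytes of noise rather than the generated key. Pipe both through `b64enc` (or move them under `stringData`). The random fallback also regenerates on every render, like the existing HARBOR_ADMIN_PASSWORD fallback, and the `{{ else }}` on the admin-password branch still lacks the `-` trim and emits a blank line.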

View File

@@ -2,15 +2,22 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.core" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: core
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.secretKey }}
secretKey: {{ .Values.secretKey | b64enc | quote }}
{{- if .Values.core.secretKey }}
secretKey: {{ .Values.core.secretKey | b64enc | quote }}
{{- else if (not .Values.forcePassword) }}
secretKey: {{ randAlphaNum 16 | b64enc | quote }}
{{- else }}
secretKey: {{ required "A secret key is required!" .Values.secretKey }}
secretKey: {{ required "A secret key is required!" .Values.core.secretKey }}
{{- end }}
{{- if .Values.core.secret }}
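Review bot: the branch `secretKey: {{ required "A secret key is required!" .Values.core.secretKey }}` can only be reached when `core.secretKey` is empty (the first branch catches any set value), so it always aborts; if that is the intent, a `required` call at the top of the template is clearer, and if it were ever meant to render it would also need `b64enc` like the other branches.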

View File

@@ -2,14 +2,21 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.core" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: core
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if (eq .Values.service.ingress.controller "gce") }}
{{- if (eq .Values.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports:
- name: http
port: 80
port: {{ include "harbor.core.servicePort" . }}
targetPort: http
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: core

View File

@@ -0,0 +1,5 @@
{{- if .Values.extraDeploy }}
apiVersion: v1
kind: List
items: {{- include "common.tplvalues.render" (dict "value" .Values.extraDeploy "context" $) | nindent 2 }}
{{- end }}

View File

@@ -1,14 +1,12 @@
{{- if eq .Values.service.type "Ingress" }}
{{- $ingress := .Values.service.ingress -}}
{{- $tls := .Values.service.tls -}}
{{- if eq .Values.service.ingress.controller "gce" }}
{{- if .Values.ingress.enabled }}
{{- if eq .Values.ingress.controller "gce" }}
{{- $_ := set . "portal_path" "/*" -}}
{{- $_ := set . "api_path" "/api/*" -}}
{{- $_ := set . "service_path" "/service/*" -}}
{{- $_ := set . "v2_path" "/v2/*" -}}
{{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
{{- $_ := set . "controller_path" "/c/*" -}}
{{- else if eq .Values.service.ingress.controller "ncp" }}
{{- else if eq .Values.ingress.controller "ncp" }}
{{- $_ := set . "portal_path" "/" -}}
{{- $_ := set . "api_path" "/api/.*" -}}
{{- $_ := set . "service_path" "/service/.*" -}}
@@ -23,41 +21,53 @@
{{- $_ := set . "chartrepo_path" "/chartrepo/" -}}
{{- $_ := set . "controller_path" "/c/" -}}
{{- end }}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ include "harbor.ingress" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
{{- if $ingress.annotations }}
annotations: {{- toYaml $ingress.annotations | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.internalTLS.enabled }}
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- end }}
{{- if .Values.ingress.annotations }}
{{- toYaml .Values.ingress.annotations | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if $tls.enabled }}
{{- if .Values.service.tls.enabled }}
tls:
{{- if $tls.secretName }}
- secretName: {{ $tls.secretName }}
{{- if .Values.service.tls.existingSecret }}
- secretName: {{ .Values.service.tls.existingSecret }}
{{- else }}
- secretName: {{ include "harbor.ingress" . }}
{{- end }}
{{- if $ingress.hosts.core }}
{{- if .Values.ingress.hosts.core }}
hosts:
- {{ $ingress.hosts.core }}
- {{ .Values.ingress.hosts.core }}
{{- end }}
{{- if .Values.notary.enabled }}
{{- if $tls.notarySecretName }}
- secretName: "{{ $tls.notarySecretName }}"
{{- else if $tls.secretName }}
- secretName: "{{ $tls.secretName }}"
{{- if .Values.service.tls.notaryExistingSecret }}
- secretName: {{ .Values.service.tls.notaryExistingSecret | quote }}
{{- else if .Values.service.tls.existingSecret }}
- secretName: {{ .Values.service.tls.existingSecret | quote }}
{{- else }}
- secretName: "{{ template "harbor.ingress" . }}"
- secretName: {{ include "harbor.ingress" . | quote }}
{{- end }}
{{- if $ingress.hosts.notary }}
{{- if .Values.ingress.hosts.notary }}
hosts:
- {{ $ingress.hosts.notary }}
- {{ .Values.ingress.hosts.notary }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq .Values.service.ingress.controller "ncp" }}
{{- if eq .Values.ingress.controller "ncp" }}
backend:
serviceName: {{ include "harbor.portal" . }}
servicePort: http
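Review bot: `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` is specific to ingress-nginx, but this template also handles the `gce` and `ncp` controllers; with internalTLS enabled those controllers will keep speaking plain HTTP to HTTPS backends and fail. Either document that internalTLS requires ingress-nginx or add the equivalent setting for the other controllers.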
@@ -89,18 +99,56 @@ spec:
backend:
serviceName: {{ include "harbor.core" . }}
servicePort: http
{{- if $ingress.hosts.core }}
host: {{ $ingress.hosts.core }}
{{- if .Values.ingress.hosts.core }}
host: {{ .Values.ingress.hosts.core }}
{{- end }}
{{- if .Values.notary.enabled }}
{{- if .Values.notary.enabled }}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ include "harbor.ingress-notary" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.ingress.annotations }}
{{- toYaml .Values.ingress.annotations | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.service.tls.enabled }}
tls:
{{- if .Values.service.tls.notaryExistingSecret }}
- secretName: {{ .Values.service.tls.notaryExistingSecret }}
{{- else if .Values.service.tls.existingSecret }}
- secretName: {{ .Values.service.tls.existingSecret }}
{{- else }}
- secretName: {{ include "harbor.ingress" . }}
{{- end }}
{{- if .Values.ingress.hosts.notary }}
hosts:
- {{ .Values.ingress.hosts.notary }}
{{- end }}
{{- end }}
{{- if eq .Values.ingress.controller "ncp" }}
backend:
serviceName: {{ template "harbor.notary-server" . }}
servicePort: 4443
{{- end }}
rules:
- http:
paths:
- path: /
backend:
serviceName: {{ include "harbor.notary-server" . }}
servicePort: notary-server
{{- if $ingress.hosts.notary }}
host: {{ $ingress.hosts.notary }}
serviceName: {{ template "harbor.notary-server" . }}
servicePort: 4443
{{- if .Values.ingress.hosts.notary }}
host: {{ .Values.ingress.hosts.notary }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
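Review bot: The notary ingress replaces the named backend port `notary-server` with the literal `servicePort: 4443` in both the `ncp` backend and the `/` rule, while the core ingress in the same file keeps the named port `http`; prefer the named port so the number lives only in the notary-server Service and a later port change cannot silently break the ingress. Two smaller points in the same block: the three `secretName:` lines (`notaryExistingSecret`, `existingSecret`, `include "harbor.ingress"`) are not piped through `| quote` like their core counterparts, and `backend.serviceName` uses `template` while the rule uses `include`; pick one form.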

View File

@@ -1,11 +1,17 @@
{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
{{- $ca := genCA "harbor-ca" 365 }}
{{- $cert := genSignedCert .Values.service.ingress.hosts.core nil (list .Values.service.ingress.hosts.core .Values.service.ingress.hosts.notary) 365 $ca }}
{{- $cert := genSignedCert .Values.ingress.hosts.core nil (list .Values.ingress.hosts.core .Values.ingress.hosts.notary) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.ingress" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ $cert.Cert | b64enc | quote }}
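Review bot: `genCA` and `genSignedCert` are evaluated on every render, so the ingress CA and certificate are regenerated on each `helm upgrade` and clients that pinned the previous CA will fail until they fetch the new one; either document this or preserve the existing secret with `lookup` before generating a new one. Separately, the SAN list `(list .Values.ingress.hosts.core .Values.ingress.hosts.notary)` is built regardless of `notary.enabled`, which yields an empty or stale SAN when the notary host is unset; guard the notary entry with `.Values.notary.enabled`.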

View File

@@ -0,0 +1,139 @@
{{- if .Values.internalTLS.enabled }}
{{- $ca := genCA "harbor-internal-ca" 365 }}
{{- if not .Values.core.tls.existingSecret }}
---
{{- $coreCN := include "harbor.core" . }}
{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.core" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: core
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $coreCrt.Cert | b64enc | quote }}
tls.key: {{ $coreCrt.Key | b64enc | quote }}
{{- end }}
{{- if not .Values.jobservice.tls.existingSecret }}
---
{{- $jsCN := include "harbor.jobservice" . }}
{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.jobservice" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $jsCrt.Cert | b64enc | quote }}
tls.key: {{ $jsCrt.Key | b64enc | quote }}
{{- end }}
---
{{- if not .Values.registry.tls.existingSecret }}
{{- $regCN := include "harbor.registry" . }}
{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.registry" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: registry
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $regCrt.Cert | b64enc | quote }}
tls.key: {{ $regCrt.Key | b64enc | quote }}
{{- end }}
---
{{- if not .Values.portal.tls.existingSecret }}
{{- $portalCN := include "harbor.portal" . }}
{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.portal" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: portal
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $portalCrt.Cert | b64enc | quote }}
tls.key: {{ $portalCrt.Key | b64enc | quote }}
{{- end }}
{{- if and .Values.chartmuseum.enabled (not .Values.chartmuseum.tls.existingSecret) }}
---
{{- $chartCN := include "harbor.chartmuseum" . }}
{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.chartmuseum" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: chartmuseum
type: kubernetes.io/tls
data:
tls.ca: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $chartCrt.Cert | b64enc | quote }}
tls.key: {{ $chartCrt.Key | b64enc | quote }}
{{- end }}
{{- if and .Values.clair.enabled (not .Values.clair.tls.existingSecret) }}
---
{{- $clairCN := include "harbor.clair" . }}
{{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.clair" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: clair
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $clairCrt.Cert | b64enc | quote }}
tls.key: {{ $clairCrt.Key | b64enc | quote }}
{{- end }}
{{- if and .Values.trivy.enabled (not .Values.trivy.tls.existingSecret) }}
---
{{- $trivyCN := include "harbor.trivy" . }}
{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.trivy" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: trivy
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $trivyCrt.Cert | b64enc | quote }}
tls.key: {{ $trivyCrt.Key | b64enc | quote }}
{{- end }}
{{- end }}
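Review bot: The chartmuseum secret stores the CA under the key `tls.ca` while every other secret in this file (core, jobservice, registry, portal, clair, trivy) uses `ca.crt`; a consumer that mounts the secret and expects `/bitnami/certs/ca.crt` (the path the jobservice deployment sets in `INTERNAL_TLS_TRUST_CA_PATH`) will not find it, so rename the key to `ca.crt`. Two more points: the `---` separator sits outside the `if` for the registry and portal secrets but inside it for the others, producing empty documents when those secrets are skipped; and, as with the ingress secret, the whole internal CA is regenerated on every render, so any `existingSecret` a user supplies for one component must be signed by a CA the other components trust, which is worth a sentence in the README.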

View File

@@ -0,0 +1,24 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.jobservice" . }}-envvars
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
CORE_URL: {{ include "harbor.core.url" . | quote }}
TOKEN_SERVICE_URL: {{ include "harbor.tokenService.url" . | quote }}
REGISTRY_URL: {{ include "harbor.registry.url" . | quote }}
REGISTRY_CONTROLLER_URL: {{ include "harbor.registryCtl.url" . | quote }}
REGISTRY_CREDENTIAL_USERNAME: {{ .Values.registry.credentials.username | quote }}
{{- if has "jobservice" .Values.proxy.components }}
HTTP_PROXY: {{ .Values.proxy.httpProxy | quote }}
HTTPS_PROXY: {{ .Values.proxy.httpsProxy | quote }}
NO_PROXY: {{ include "harbor.noProxy" . | quote }}
{{- end }}
LOG_LEVEL: {{ .Values.logLevel | quote }}

View File

@@ -2,11 +2,24 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.jobservice" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
config.yml: |+
protocol: "http"
port: 8080
#Server listening port
protocol: {{ include "harbor.component.scheme" . | quote }}
port: {{ include "harbor.jobservice.containerPort" . }}
{{- if .Values.internalTLS.enabled }}
https_config:
cert: "/bitnami/certs/tls.crt"
key: "/bitnami/certs/tls.key"
{{- end }}
worker_pool:
workers: {{ .Values.jobservice.maxJobWorkers }}
backend: "redis"
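Review bot: The `#Server listening port` comment now sits above `protocol:` rather than `port:`, so move it down one line or drop it. Worth confirming as well that `harbor.component.scheme` returns `https` exactly when `internalTLS.enabled` is true, since the `https_config` block with `cert`/`key` is only emitted under that flag and a mismatch would leave jobservice listening on HTTPS without a certificate.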

View File

@@ -2,45 +2,60 @@ apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "harbor.jobservice" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.jobservice.replicas }}
{{- if .Values.jobservice.strategy }}
strategy: {{- toYaml .Values.jobservice.strategy | nindent 4 }}
{{- end }}
{{- if .Values.jobservice.updateStrategy }}
strategy: {{- toYaml .Values.jobservice.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: jobservice
template:
metadata:
labels: {{- include "harbor.labels" . | nindent 8 }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.jobservice.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: jobservice
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-envvars.yaml") . | sha256sum }}
checksum/secret-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-secret-envvars.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (not .Values.core.tls.existingSecret) }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/internal-crt-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.jobservice.podAnnotations }}
{{- include "harbor.tplValue" (dict "value" .Values.jobservice.podAnnotations "context" $) | nindent 8 }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.jobservice.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.jobservice.affinity "context" $) | nindent 8 }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.jobservice.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.jobservice.nodeSelector "context" $) | nindent 8 }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.jobservice.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.jobservice.tolerations "context" $) | nindent 8 }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
initContainers:
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ include "harbor.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
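Review bot: The `checksum/tls` annotation is guarded by `(not .Values.core.tls.existingSecret)` but this is the jobservice deployment; it should test `.Values.jobservice.tls.existingSecret`, otherwise a deployment where core uses an existing secret and jobservice uses the chart-generated one never rolls when the internal CA is regenerated. Minor: `initContainers:` is now emitted unconditionally, so with `volumePermissions.enabled=false` and no `jobservice.initContainers` the manifest contains an empty `initContainers:` key; wrap it in `{{- if or ... }}` as the rest of the template does for optional sections.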
@@ -49,7 +64,7 @@ spec:
- -c
- |
mkdir -p "/var/log/jobs"
chown -R "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}" "/var/log/jobs"
chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "/var/log/jobs"
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
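Review bot: The `chown` line dereferences `.Values.containerSecurityContext.runAsUser` and `.Values.podSecurityContext.fsGroup` unconditionally, while both objects are optional elsewhere in this template (`{{- if .Values.podSecurityContext }}`, `{{- if .Values.containerSecurityContext }}`); a user who sets either to `null` to disable it will hit a nil-pointer render error here. Guard the init container on both values being set, or give them `default` fallbacks.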
@@ -60,31 +75,52 @@ spec:
mountPath: /var/log/jobs
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
{{- end }}
{{- if .Values.jobservice.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: jobservice
image: {{ include "harbor.jobserviceImage" . }}
imagePullPolicy: {{ .Values.jobserviceImage.pullPolicy | quote }}
{{- if .Values.jobservice.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.jobservice.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.jobservice.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /api/v1/stats
port: http
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.jobservice.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.jobservice.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.jobservice.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.jobservice.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.jobservice.livenessProbe.failureThreshold }}
{{- else if .Values.jobservice.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.jobservice.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /api/v1/stats
port: http
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.jobservice.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.jobservice.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.jobservice.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.jobservice.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.jobservice.readinessProbe.failureThreshold }}
{{- else if .Values.jobservice.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.jobservice.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.jobservice.resources }}
resources: {{- toYaml .Values.jobservice.resources | nindent 12 }}
@@ -102,14 +138,34 @@ spec:
secretKeyRef:
name: {{ include "harbor.jobservice" . }}
key: secret
- name: CORE_URL
value: "http://{{ template "harbor.core" . }}"
- name: REGISTRY_CONTROLLER_URL
value: "http://{{ template "harbor.registry" . }}:8080"
- name: LOG_LEVEL
value: debug
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: INTERNAL_TLS_KEY_PATH
value: /bitnami/certs/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /bitnami/certs/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /bitnami/certs/ca.crt
{{- end }}
{{- if .Values.jobservice.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ template "harbor.jobservice" . }}-envvars
- secretRef:
name: {{ template "harbor.jobservice" . }}-envvars
{{- if .Values.jobservice.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.jobservice.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.jobservice.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.jobservice.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
- containerPort: 8080
- containerPort: {{ include "harbor.jobservice.containerPort" . }}
name: http
volumeMounts:
- name: jobservice-config
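Review bot: `INTERNAL_TLS_TRUST_CA_PATH` points at `/bitnami/certs/ca.crt`, so a user-supplied `jobservice.tls.existingSecret` must carry a `ca.crt` key in addition to the standard `tls.crt`/`tls.key` of a `kubernetes.io/tls` secret; document that requirement next to the parameter in the README, since `kubectl create secret tls` does not produce it. Also a small style point: `extraEnvVarsCM` and `extraEnvVarsSecret` are rendered without `| quote`, unlike the other `name:` values in this file.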
@@ -118,6 +174,16 @@ spec:
- name: job-logs
mountPath: /var/log/jobs
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
{{- if .Values.internalTLS.enabled }}
- name: jobservice-internal-certs
mountPath: /bitnami/certs/
{{- end }}
{{- if .Values.jobservice.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.jobservice.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: jobservice-config
configMap:
@@ -129,3 +195,11 @@ spec:
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: jobservice-internal-certs
secret:
secretName: {{ include "harbor.jobservice.tls.secretName" . }}
{{- end }}
{{- if .Values.jobservice.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.extraVolumes "context" $) | nindent 6 }}
{{- end }}

View File

@@ -1,22 +1,27 @@
{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}}
{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }}
{{- if and .Values.persistence.enabled (not .Values.persistence.persistentVolumeClaim.jobservice.existingClaim) }}
{{- if eq .Values.jobservice.jobLogger "file" }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "harbor.jobservice" . }}
{{- if eq .Values.persistence.resourcePolicy "keep" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
annotations:
{{- if eq .Values.persistence.resourcePolicy "keep" }}
helm.sh/resource-policy: keep
{{- end }}
labels: {{- include "harbor.labels" . | nindent 4 }}
app.kubernetes.io/component: jobservice
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
accessModes:
- {{ $jobservice.accessMode }}
- {{ .Values.persistence.persistentVolumeClaim.jobservice.accessMode }}
resources:
requests:
storage: {{ $jobservice.size }}
{{ include "harbor.jobservice.storageClass" . }}
storage: {{ .Values.persistence.persistentVolumeClaim.jobservice.size }}
{{- include "harbor.jobservice.storageClass" . | nindent 2 }}
{{- end }}
{{- end }}
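Review bot: `annotations:` is now always emitted on the PVC, so when `persistence.resourcePolicy` is not `keep` and `commonAnnotations` is empty the manifest carries an empty `annotations:` key; wrap it in `{{- if or (eq .Values.persistence.resourcePolicy "keep") .Values.commonAnnotations }}` to match how the other templates guard optional metadata. The move of `helm.sh/resource-policy: keep` into a conditional line under the key is otherwise correct and keeps the claim from being deleted on uninstall as the README describes.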

View File

@@ -0,0 +1,15 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.jobservice" . }}-envvars
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
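Review bot: `REGISTRY_CREDENTIAL_PASSWORD` is piped straight into `b64enc` with no `default` or `required`, so an unset `registry.credentials.password` will either fail the render or store an empty credential that the registry then rejects; wrap it with `required "registry.credentials.password is required"` or give it a value in `values.yaml`. Keeping the password in this Secret and the username in the sibling ConfigMap is the right split.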

View File

@@ -2,7 +2,14 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ template "harbor.jobservice" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
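Review bot: `default (randAlphaNum 16)` runs on every render, so unless `jobservice.secret` is set the value changes on each `helm upgrade`; the `checksum/secret` annotation will restart jobservice, but the core side must hold the same value for jobservice to authenticate to it, so either document that the parameter should be pinned for production or preserve the existing value with `lookup` before generating a new one.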

View File

@@ -2,11 +2,18 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.jobservice" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: jobservice
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
port: {{ include "harbor.jobservice.servicePort" . }}
targetPort: http
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: jobservice

View File

@@ -1,12 +1,21 @@
{{- if and (ne .Values.service.type "Ingress") (not .Values.service.tls.enabled) }}
{{- if and (not .Values.ingress.enabled) (not .Values.service.tls.enabled) }}
{{- $scheme := include "harbor.component.scheme" . -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.nginx" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: nginx
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
nginx.conf: |+
worker_processes auto;
pid /opt/bitnami/nginx/tmp/nginx.pid;
events {
worker_connections 1024;
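Review bot: The Helm variable is named `$scheme`, the same spelling as nginx's built-in `$scheme` that this file later writes literally in `proxy_set_header X-Forwarded-Proto $scheme`; it works because Helm only expands `{{ $scheme }}`, but a reader has to keep the two apart on every line, so a name like `$upstreamScheme` would make the rendered config easier to audit.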
@@ -15,40 +24,43 @@ data:
}
http {
client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2;
proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2;
fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2;
uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2;
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream core {
server {{ template "harbor.core" . }};
server {{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }};
}
upstream portal {
server {{ template "harbor.portal" . }};
server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }};
}
log_format timed_combined '$remote_addr - '
log_format timed_combined '[$time_local]:$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2;
proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2;
fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2;
uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2;
server {
listen 8080;
server_tokens off;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# Add extra headers
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'none'";
location / {
proxy_pass http://portal/;
proxy_pass {{ $scheme }}://portal/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
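Review bot: The `add_header X-Frame-Options` and `Content-Security-Policy` lines are declared at `server` level, which nginx only inherits into a `location` that declares no `add_header` of its own; none of the locations below do today, so this is fine, but a short comment saying so would stop a future location-level header from silently dropping them. The upstream entries now include the service port and the log format gains `[$time_local]`, both correct.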
@@ -62,7 +74,11 @@ data:
}
location /api/ {
proxy_pass http://core/api/;
proxy_pass {{ $scheme }}://core/api/;
{{- if and .Values.internalTLS.enabled }}
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
{{- end }}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
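Review bot: `proxy_ssl_verify off` is already nginx's default, so the directive does not change behaviour, and with internal TLS enabled it means nginx accepts any certificate from the core upstream; since the chart now generates `ca.crt` alongside each component certificate, the stronger option is to mount that CA into the nginx pod and set `proxy_ssl_trusted_certificate`, `proxy_ssl_verify on` and `proxy_ssl_name` to the core service name. Also `{{- if and .Values.internalTLS.enabled }}` has a single operand, so the `and` is redundant.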
@@ -76,7 +92,11 @@ data:
}
location /chartrepo/ {
proxy_pass http://core/chartrepo/;
proxy_pass {{ $scheme }}://core/chartrepo/;
{{- if and .Values.internalTLS.enabled }}
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
{{- end }}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -90,7 +110,7 @@ data:
}
location /c/ {
proxy_pass http://core/c/;
proxy_pass {{ $scheme }}://core/c/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -108,7 +128,7 @@ data:
}
location /v2/ {
proxy_pass http://core/v2/;
proxy_pass {{ $scheme }}://core/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -122,7 +142,7 @@ data:
}
location /service/ {
proxy_pass http://core/service/;
proxy_pass {{ $scheme }}://core/service/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

View File

@@ -1,12 +1,21 @@
{{- if and (ne .Values.service.type "Ingress") .Values.service.tls.enabled }}
{{- if and (not .Values.ingress.enabled) .Values.service.tls.enabled }}
{{- $scheme := (include "harbor.component.scheme" .) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.nginx" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: nginx
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
nginx.conf: |+
worker_processes auto;
pid /opt/bitnami/nginx/tmp/nginx.pid;
events {
worker_connections 1024;
@@ -15,17 +24,23 @@ data:
}
http {
client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2;
proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2;
fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2;
uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2;
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream core {
server {{ template "harbor.core" . }};
server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
}
upstream portal {
server {{ template "harbor.portal" . }};
server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}";
}
{{- if .Values.notary.enabled }}
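Review bot: The upstream `server` entries are double-quoted here but unquoted in the plain-HTTP ConfigMap in the same change; nginx accepts both, but the two files otherwise mirror each other, so pick one form.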
@@ -34,19 +49,13 @@ data:
}
{{- end }}
log_format timed_combined 'remote_addr - '
log_format timed_combined '[$time_local]:$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2;
proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2;
fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2;
uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2;
{{- if .Values.notary.enabled }}
server {
listen 4443 ssl;
@@ -85,7 +94,6 @@ data:
server {
listen 8443 ssl;
# server_name harbordomain.com;
server_tokens off;
# SSL
ssl_certificate /etc/nginx/cert/tls.crt;
@@ -103,8 +111,13 @@ data:
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
# Add extra headers
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'none'";
location / {
proxy_pass http://portal/;
proxy_pass {{ $scheme }}://portal/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
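Review bot: The new `Strict-Transport-Security` header hard-codes `includeSubdomains` and `preload`; `preload` signals eligibility for the browser preload list, which is very hard to reverse, and `includeSubdomains` binds every subdomain of the Harbor host to HTTPS, so both should be opt-in through a value (for example a `nginx.hsts` style setting) with a default of `max-age=31536000` alone.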
@@ -114,14 +127,18 @@ data:
{{- end }}
# Add Secure flag when serving HTTPS
proxy_cookie_path / "/; secure";
proxy_cookie_path / "/; HttpOnly; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ {
proxy_pass http://core/api/;
proxy_pass {{ $scheme }}://core/api/;
{{- if and .Values.internalTLS.enabled }}
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
{{- end }}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
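Review bot: `proxy_cookie_path / "/; HttpOnly; Secure"` is applied only to the `/` portal location, while the other `proxy_cookie_path` lines in this file still add `Secure` alone, so cookies issued through `/api/`, `/chartrepo/`, `/c/` and `/service/` stay readable from script; if the frontend does not need to read those cookies, apply the same `HttpOnly; Secure` string everywhere, and if it does, leave a comment explaining the exception.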
@@ -129,13 +146,18 @@ data:
{{- if not .Values.nginx.behindReverseProxy }}
proxy_set_header X-Forwarded-Proto $scheme;
{{- end }}
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /chartrepo/ {
proxy_pass http://core/chartrepo/;
proxy_pass {{ $scheme }}://core/chartrepo/;
{{- if and .Values.internalTLS.enabled }}
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
{{- end }}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -143,13 +165,14 @@ data:
{{- if not .Values.nginx.behindReverseProxy }}
proxy_set_header X-Forwarded-Proto $scheme;
{{- end }}
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /c/ {
proxy_pass http://core/c/;
proxy_pass {{ $scheme }}://core/c/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -157,6 +180,7 @@ data:
{{- if not .Values.nginx.behindReverseProxy }}
proxy_set_header X-Forwarded-Proto $scheme;
{{- end }}
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
@@ -167,7 +191,7 @@ data:
}
location /v2/ {
proxy_pass http://core/v2/;
proxy_pass {{ $scheme }}://core/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -181,7 +205,7 @@ data:
}
location /service/ {
proxy_pass http://core/service/;
proxy_pass {{ $scheme }}://core/service/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -189,6 +213,7 @@ data:
{{- if not .Values.nginx.behindReverseProxy }}
proxy_set_header X-Forwarded-Proto $scheme;
{{- end }}
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
@@ -198,10 +223,9 @@ data:
return 404;
}
}
server {
server {
listen 8080;
#server_name harbordomain.com;
return 301 https://$host$request_uri:8443;
return 301 https://$host$request_uri;
}
}
{{- end }}
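Review bot: The redirect now reads `https://$host$request_uri`, which fixes the old form that placed `:8443` after the request URI, but `$host` never carries a port, so the redirect always targets 443; when the nginx Service is exposed on a non-standard port (NodePort) the browser lands on the wrong port. Consider deriving the target from a configurable external URL or from `$http_host`, which keeps the port the client used.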

View File

@@ -1,18 +1,33 @@
{{- if ne .Values.service.type "Ingress" }}
{{- if not .Values.ingress.enabled }}
apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "harbor.nginx" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: nginx
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.nginx.replicas }}
{{- if .Values.nginx.updateStrategy }}
strategy: {{- toYaml .Values.nginx.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: nginx
template:
metadata:
labels: {{- include "harbor.labels" . | nindent 8 }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.nginx.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.nginx.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: nginx
annotations:
{{- if not .Values.service.tls.enabled }}
@@ -24,28 +39,38 @@ spec:
checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.nginx.podAnnotations }}
annotations: {{- include "harbor.tplValue" (dict "value" .Values.nginx.podAnnotations "context" $) | nindent 8 }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.nginx.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.nginx.affinity "context" $) | nindent 8 }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.nginx.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.nginx.nodeSelector "context" $) | nindent 8 }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.nginx.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.nginx.tolerations "context" $) | nindent 8 }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.nginx.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: nginx
image: {{ include "harbor.nginxImage" . }}
imagePullPolicy: {{ .Values.nginxImage.pullPolicy | quote }}
{{- if .Values.nginx.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.nginx.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.nginx.livenessProbe.enabled }}
livenessProbe:
httpGet:
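Review bot: `template.metadata` renders the `annotations:` key twice when `nginx.podAnnotations` is set: once at the top of this hunk's context (`annotations:` followed by the `checksum/secret` entry) and again at `annotations: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.podAnnotations "context" $) | nindent 8 }}`. Duplicate mapping keys are rejected by strict YAML parsers and, at best, one of the two maps silently wins, which can drop the checksum annotation that triggers a rollout when the TLS secret changes. Merge the podAnnotations include under the single existing `annotations:` key, as the portal deployment template in this same commit already does.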
@@ -59,6 +84,8 @@ spec:
timeoutSeconds: {{ .Values.nginx.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.nginx.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.nginx.livenessProbe.failureThreshold }}
{{- else if .Values.nginx.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.nginx.readinessProbe.enabled }}
readinessProbe:
@@ -73,10 +100,27 @@ spec:
timeoutSeconds: {{ .Values.nginx.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.nginx.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.nginx.readinessProbe.failureThreshold }}
{{- else if .Values.nginx.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.nginxImage.debug | quote }}
{{- if .Values.nginx.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.nginx.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.nginx.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.nginx.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.nginx.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.nginx.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.nginx.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.nginx.resources }}
resources: {{- toYaml .Values.nginx.resources | nindent 12 }}
{{- end }}
@@ -95,6 +139,12 @@ spec:
- name: certificate
mountPath: /etc/nginx/cert
{{- end }}
{{- if .Values.nginx.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.nginx.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.nginx.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.nginx.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
@@ -102,10 +152,13 @@ spec:
{{- if .Values.service.tls.enabled }}
- name: certificate
secret:
{{- if .Values.service.tls.secretName }}
secretName: {{ .Values.service.tls.secretName }}
{{- if .Values.service.tls.existingSecret }}
secretName: {{ .Values.service.tls.existingSecret }}
{{- else }}
secretName: {{ include "harbor.nginx" . }}
{{- end }}
{{- end }}
{{- if .Values.nginx.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.nginx.extraVolumes "context" $) | nindent 6 }}
{{- end }}
{{- end }}
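Review bot: `service.tls.secretName` is renamed to `service.tls.existingSecret` with no fallback: a user who upgrades with the old key in their values falls through to the `{{- else }}` branch and silently gets the chart-generated certificate at `secretName: {{ include "harbor.nginx" . }}` instead of the one they supplied. Either honour both keys for one major version or `fail` explicitly when the old key is present, and call the rename out in the upgrade notes.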


@@ -5,7 +5,14 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.nginx" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: nginx
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}


@@ -1,85 +1,60 @@
{{- if ne .Values.service.type "Ingress" }}
{{- if not .Values.ingress.enabled }}
apiVersion: v1
kind: Service
metadata:
{{- if eq .Values.service.type "ClusterIP" }}
{{- $clusterIP := .Values.service.clusterIP }}
name: {{ $clusterIP.name }}
labels: {{- include "harbor.labels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- name: http
port: {{ $clusterIP.ports.httpPort }}
targetPort: 8080
{{- if .Values.service.tls.enabled }}
- name: https
port: {{ $clusterIP.ports.httpsPort }}
targetPort: 8443
name: {{ include "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.notary.enabled }}
- name: notary
port: {{ $clusterIP.ports.notaryPort }}
targetPort: 4443
{{- end }}
{{- else if eq .Values.service.type "NodePort" }}
{{- $nodePort := .Values.service.nodePort }}
name: {{ $nodePort.name }}
labels: {{- include "harbor.labels" . | nindent 4 }}
spec:
type: NodePort
ports:
- name: http
port: {{ $nodePort.ports.http.port }}
targetPort: 8080
{{- if $nodePort.ports.http.nodePort }}
nodePort: {{ $nodePort.ports.http.nodePort }}
{{- end }}
{{- if .Values.service.tls.enabled }}
- name: https
port: {{ $nodePort.ports.https.port }}
targetPort: 8443
{{- if $nodePort.ports.https.nodePort }}
nodePort: {{ $nodePort.ports.https.nodePort }}
{{- end }}
{{- end }}
{{- if .Values.notary.enabled }}
- name: notary
port: {{ $nodePort.ports.notary.port }}
targetPort: 4443
{{- if $nodePort.ports.notary.nodePort }}
nodePort: {{ $nodePort.ports.notary.nodePort }}
{{- end }}
{{- end }}
{{- else if eq .Values.service.type "LoadBalancer" }}
{{- $loadBalancer := .Values.service.loadBalancer }}
name: {{ $loadBalancer.name }}
labels: {{- include "harbor.labels" . | nindent 4 }}
{{- with $loadBalancer.annotations }}
app.kubernetes.io/component: nginx
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: LoadBalancer
{{- with $loadBalancer.sourceRanges }}
loadBalancerSourceRanges:
{{- toYaml . | nindent 4 }}
type: {{ .Values.service.type }}
{{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges) }}
loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
ports:
- name: http
port: {{ $loadBalancer.ports.httpPort }}
targetPort: 8080
port: {{ .Values.service.ports.http }}
targetPort: http
{{- if and .Values.service.nodePorts.http }}
nodePort: {{ .Values.service.nodePorts.http }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.service.tls.enabled }}
- name: https
port: {{ $loadBalancer.ports.httpsPort }}
targetPort: 8443
port: {{ .Values.service.ports.https }}
targetPort: https
{{- if and .Values.service.nodePorts.https }}
nodePort: {{ .Values.service.nodePorts.https }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- end }}
{{- if .Values.notary.enabled }}
- name: notary
port: {{ $loadBalancer.ports.notaryPort }}
targetPort: 4443
port: {{ .Values.service.ports.notary }}
targetPort: notary
{{- if and .Values.service.nodePorts.notary }}
nodePort: {{ .Values.service.nodePorts.notary }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- end }}
{{- end }}
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: nginx
{{- end }}
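Review bot: `{{- if and .Values.service.nodePorts.http }}` (and the `https` and `notary` variants) uses `and` with a single argument, which is a no-op; `{{- if .Values.service.nodePorts.http }}` expresses the same condition. More importantly, the Service name changes from the per-type `$clusterIP.name`, `$nodePort.name` and `$loadBalancer.name` values to `{{ include "common.names.fullname" . }}`, so anything that references the old Service name (ingress rules, in-cluster clients, Notary endpoints) breaks on upgrade; that deserves an explicit line in the upgrade notes alongside the major version bump.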


@@ -3,8 +3,15 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.notary-server" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
component: notary
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: notary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if not .Values.notary.secretName }}
{{ $ca := genCA "harbor-notary-ca" 365 }}


@@ -3,46 +3,74 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "harbor.notary-server" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
component: notary-server
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: notary-server
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.notary.server.replicas }}
{{- if .Values.notary.server.updateStrategy }}
strategy: {{- toYaml .Values.notary.server.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
component: notary-server
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: notary-server
template:
metadata:
labels: {{- include "harbor.labels" . | nindent 8 }}
component: notary-server
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.notary.server.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.server.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: notary-server
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.notary.podAnnotations }}
annotations: {{- include "harbor.tplValue" (dict "value" .Values.notary.podAnnotations "context" $) | nindent 8 }}
{{- if .Values.notary.server.podAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- if .Values.notary.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.notary.affinity "context" $) | nindent 8 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.notary.server.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.notary.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.notary.nodeSelector "context" $) | nindent 8 }}
{{- if .Values.notary.server.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.notary.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.notary.tolerations "context" $) | nindent 8 }}
{{- if .Values.notary.server.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.notary.server.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: notary-server
image: "{{ template "harbor.notaryServerImage" . }}"
image: {{ include "harbor.notaryServerImage" . | quote }}
imagePullPolicy: {{ .Values.notaryServerImage.pullPolicy | quote }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.server.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.server.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.server.resources }}
resources: {{- toYaml .Values.notary.server.resources | nindent 12 }}
{{- end }}
{{- if .Values.notary.server.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.notaryServerImage.debug | quote }}
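Review bot: the `selector.matchLabels` change from `component: notary-server` to `app.kubernetes.io/component: notary-server` (together with the `harbor.matchLabels` to `common.labels.matchLabels` swap) alters an immutable field on an existing Deployment, so `helm upgrade` from 5.x will fail with a selector error unless the Deployment is deleted first. That is consistent with the major version bump, but the upgrade section should spell out the required delete-and-reinstall step. Separately, `annotations:` is emitted twice in `template.metadata` when `notary.server.podAnnotations` is set (once for the two `checksum/*` entries, once at `annotations: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.podAnnotations ...`); fold the podAnnotations include under the first `annotations:` key.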
@@ -50,6 +78,18 @@ spec:
value: migrations/server/postgresql
- name: DB_URL
value: {{ include "harbor.database.notaryServer" . }}
{{- if .Values.notary.server.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.server.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.notary.server.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.notary.server.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.notary.server.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.notary.server.extraEnvVarsSecret "context" $) }}
{{- end }}
volumeMounts:
- name: notary-config
mountPath: /etc/notary
@@ -61,9 +101,39 @@ spec:
mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt
subPath: ca
{{- end }}
{{- if .Values.notary.server.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.server.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
ports:
- containerPort: 4443
name: notary-server
{{- if .Values.notary.server.livenessProbe.enabled }}
livenessProbe:
tcpSocket:
port: notary-server
initialDelaySeconds: {{ .Values.notary.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.notary.server.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.notary.server.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.notary.server.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.notary.server.livenessProbe.failureThreshold }}
{{- else if .Values.notary.server.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.server.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: notary-server
initialDelaySeconds: {{ .Values.notary.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.notary.server.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.notary.server.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.notary.server.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.notary.server.readinessProbe.failureThreshold }}
{{- else if .Values.notary.server.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.notary.server.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.server.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.server.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: notary-config
secret:
@@ -80,4 +150,7 @@ spec:
secret:
secretName: {{ .Values.notary.secretName }}
{{- end }}
{{- if .Values.notary.server.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.server.extraVolumes "context" $) | nindent 6 }}
{{- end }}
{{- end }}


@@ -3,42 +3,70 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "harbor.notary-signer" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
component: notary-signer
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: notary-signer
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.notary.signer.replicas }}
{{- if .Values.notary.signer.updateStrategy }}
strategy: {{- toYaml .Values.notary.signer.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
component: notary-signer
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: notary-signer
template:
metadata:
labels: {{- include "harbor.labels" . | nindent 8 }}
component: notary-signer
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.notary.signer.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: notary-signer
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }}
{{- if .Values.notary.podAnnotations }}
annotations: {{- include "harbor.tplValue" (dict "value" .Values.notary.podAnnotations "context" $) | nindent 8 }}
{{- if .Values.notary.signer.podAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- if .Values.notary.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.notary.affinity "context" $) | nindent 8 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.notary.signer.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.notary.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.notary.nodeSelector "context" $) | nindent 8 }}
{{- if .Values.notary.signer.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.notary.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.notary.tolerations "context" $) | nindent 8 }}
{{- if .Values.notary.signer.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.notary.signer.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: notary-signer
image: {{ include "harbor.notarySignerImage" . }}
imagePullPolicy: {{ .Values.notarySignerImage.pullPolicy | quote }}
{{- if .Values.notary.signer.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.signer.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.signer.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.signer.resources }}
resources: {{- toYaml .Values.notary.signer.resources | nindent 12 }}
{{- end }}
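Review bot: `annotations:` is rendered twice under `template.metadata` when `notary.signer.podAnnotations` is set (first with the `checksum/secret` entry, then again at `annotations: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.podAnnotations ...`), which strict YAML parsers reject and lenient ones resolve by dropping one map, possibly the checksum that restarts the signer on secret rotation. Nest the podAnnotations include under the single `annotations:` key. The `selector.matchLabels` key rename (`component` to `app.kubernetes.io/component`) also makes this Deployment non-upgradable in place, same as the notary-server one.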
@@ -48,9 +76,21 @@ spec:
- name: MIGRATIONS_PATH
value: migrations/signer/postgresql
- name: DB_URL
value: "{{ template "harbor.database.notarySigner" . }}"
value: {{ include "harbor.database.notarySigner" . | quote }}
- name: NOTARY_SIGNER_DEFAULTALIAS
value: defaultalias
{{- if .Values.notary.signer.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.notary.signer.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.notary.signer.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.notary.signer.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.notary.signer.extraEnvVarsSecret "context" $) }}
{{- end }}
volumeMounts:
- name: notary-config
mountPath: /etc/notary
@@ -65,6 +105,39 @@ spec:
mountPath: /etc/ssl/notary/cert/notary-signer.key
subPath: key
{{- end }}
{{- if .Values.notary.signer.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
ports:
- containerPort: 7899
name: notary-signer
{{- if .Values.notary.signer.livenessProbe.enabled }}
livenessProbe:
tcpSocket:
port: notary-signer
initialDelaySeconds: {{ .Values.notary.signer.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.notary.signer.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.notary.signer.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.notary.signer.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.notary.signer.livenessProbe.failureThreshold }}
{{- else if .Values.notary.signer.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.signer.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: notary-signer
initialDelaySeconds: {{ .Values.notary.signer.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.notary.signer.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.notary.signer.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.notary.signer.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.notary.signer.readinessProbe.failureThreshold }}
{{- else if .Values.notary.signer.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.notary.signer.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: notary-config
secret:
@@ -74,4 +147,7 @@ spec:
secret:
secretName: {{ .Values.notary.secretName }}
{{- end }}
{{- if .Values.notary.signer.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.notary.signer.extraVolumes "context" $) | nindent 6 }}
{{- end }}
{{- end }}


@@ -3,26 +3,40 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.notary-server" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if (eq .Values.service.ingress.controller "gce") }}
{{- if (eq .Values.ingress.controller "gce") }}
type: NodePort
{{- end }}
ports:
- name: notary-server
port: 4443
targetPort: notary-server
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
component: notary-server
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: notary-server
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.notary-signer" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ports:
- port: 7899
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
component: notary-signer
- name: notary-signer
port: 7899
targetPort: notary-signer
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: notary-signer
{{- end }}


@@ -0,0 +1,56 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.portal" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: portal
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
nginx.conf: |+
worker_processes auto;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
client_body_temp_path /tmp/client_body_temp;
proxy_temp_path /tmp/proxy_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
{{- if .Values.internalTLS.enabled }}
listen {{ template "harbor.portal.containerPort" . }} ssl;
# SSL
ssl_certificate /etc/harbor/tls/portal.crt;
ssl_certificate_key /etc/harbor/tls/portal.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
{{- else }}
listen {{ template "harbor.portal.containerPort" . }};
{{- end }}
server_name localhost;
root /usr/share/nginx/html;
index index.html index.htm;
include /etc/nginx/mime.types;
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
try_files $uri $uri/ /index.html;
}
location = /index.html {
add_header Cache-Control "no-store, no-cache, must-revalidate";
}
}
}
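Review bot: the `ssl_ciphers` list for the internal TLS listener includes `RSA+AESGCM`, `RSA+AES` and static `kECDH` suites, none of which give forward secrecy, and `ssl_protocols` stops at `TLSv1.2`. This listener only serves chart-managed certificates to other Harbor components, so there is no legacy-client reason to keep them; restricting to ECDHE suites (for example `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384`) and adding `TLSv1.3` where the image's OpenSSL supports it is a safe tightening. The trailing `:` in the cipher string is harmless but stray, and the reference comment to an external blog could be replaced with the rationale itself.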


@@ -2,68 +2,144 @@ apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "harbor.portal" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: portal
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.portal.replicas }}
{{- if .Values.portal.updateStrategy }}
strategy: {{- toYaml .Values.portal.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: portal
template:
metadata:
labels: {{- include "harbor.labels" . | nindent 8 }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.portal.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.portal.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: portal
{{- if .Values.portal.podAnnotations }}
annotations: {{- include "harbor.tplValue" (dict "value" .Values.portal.podAnnotations "context" $) | nindent 8 }}
{{- end }}
annotations:
{{- if and .Values.internalTLS.enabled (not .Values.portal.tls.existingSecret) }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/internal-crt-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.portal.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.portal.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.portal.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.portal.affinity "context" $) | nindent 8 }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.portal.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.portal.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.portal.nodeSelector "context" $) | nindent 8 }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.portal.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.portal.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.portal.tolerations "context" $) | nindent 8 }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.portal.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.portal.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.portal.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: portal
image: {{ include "harbor.portalImage" . }}
imagePullPolicy: {{ .Values.portalImage.pullPolicy | quote }}
{{- if .Values.portal.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.portal.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.portal.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.portal.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.portal.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.portal.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.portal.resources }}
resources: {{- toYaml .Values.portal.resources | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.portal.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /
port: http
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.portal.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.portal.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.portal.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.portal.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.portal.livenessProbe.failureThreshold }}
{{- else if .Values.portal.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.portal.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.portal.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /
port: http
scheme: {{ include "harbor.component.scheme" . | upper }}
initialDelaySeconds: {{ .Values.portal.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.portal.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.portal.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.portal.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.portal.readinessProbe.failureThreshold }}
{{- else if .Values.portal.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.portal.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.portalImage.debug | quote }}
{{- if .Values.portal.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.portal.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.portal.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.portal.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.portal.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.portal.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
- containerPort: 8080
- containerPort: {{ include "harbor.portal.containerPort" . }}
name: http
{{- if .Values.portal.extraVolumeMounts }}
volumeMounts:
- name: portal-config
mountPath: /opt/bitnami/nginx/conf/nginx.conf
subPath: nginx.conf
{{- if .Values.internalTLS.enabled }}
- name: portal-internal-certs
mountPath: /bitnami/certs/
{{- end }}
{{- include "common.tplvalues.render" (dict "value" .Values.portal.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.portal.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.portal.sidecars "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.portal.extraVolumes }}
volumes:
- name: portal-config
configMap:
name: {{ include "harbor.portal" . }}
{{- if .Values.internalTLS.enabled }}
- name: portal-internal-certs
secret:
secretName: {{ include "harbor.portal.tls.secretName" . }}
{{- end }}
{{- include "common.tplvalues.render" (dict "value" .Values.portal.extraVolumes "context" $) | nindent 6 }}
{{- end }}
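
Review bot: the `volumeMounts:` and `volumes:` blocks at the end of this hunk are wrapped in `{{- if .Values.portal.extraVolumeMounts }}` and `{{- if .Values.portal.extraVolumes }}`, so with the default empty values neither the `portal-config` ConfigMap carrying `nginx.conf` nor the `portal-internal-certs` secret is mounted and the container runs without its nginx.conf or TLS material. Emit `volumeMounts:` / `volumes:` and the two fixed entries unconditionally and guard only the `common.tplvalues.render` includes, i.e. `volumeMounts:`, then `- name: portal-config`, then `{{- if .Values.portal.extraVolumeMounts }}` around the include alone. Since `nginx.conf` comes from a ConfigMap, a `checksum/configmap` annotation next to the new `checksum/tls` one is also needed so config edits roll the pods.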

View File

@@ -2,14 +2,17 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.portal" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
spec:
{{- if (eq .Values.service.ingress.controller "gce") }}
type: NodePort
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
port: {{ include "harbor.portal.servicePort" . }}
targetPort: http
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: portal
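
Review bot: this hunk drops the `{{- if (eq .Values.service.ingress.controller "gce") }}` / `type: NodePort` branch without a replacement, so GKE users whose GCE ingress needs NodePort backends lose that behaviour on upgrade and there is no `service.type` knob to restore it; either keep the branch, add a portal service type parameter, or call the removal out in the 6.0.0 upgrade notes.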

View File

@@ -2,7 +2,13 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "harbor.registry" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
config.yml: |+
version: 0.1
@@ -11,122 +17,123 @@ data:
fields:
service: registry
storage:
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }}
{{- if eq $type "filesystem" }}
{{- if eq .Values.persistence.imageChartStorage.type "filesystem" }}
filesystem:
rootdirectory: {{ $storage.filesystem.rootdirectory }}
{{- if $storage.filesystem.maxthreads }}
maxthreads: {{ $storage.filesystem.maxthreads }}
rootdirectory: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
{{- if .Values.persistence.imageChartStorage.filesystem.maxthreads }}
maxthreads: {{ .Values.persistence.imageChartStorage.filesystem.maxthreads }}
{{- end }}
{{- else if eq $type "azure" }}
{{- else if eq .Values.persistence.imageChartStorage.type "azure" }}
azure:
accountname: {{ $storage.azure.accountname }}
container: {{ $storage.azure.container }}
{{- if $storage.azure.realm }}
realm: {{ $storage.azure.realm }}
accountname: {{ .Values.persistence.imageChartStorage.azure.accountname }}
container: {{ .Values.persistence.imageChartStorage.azure.container }}
{{- if .Values.persistence.imageChartStorage.azure.realm }}
realm: {{ .Values.persistence.imageChartStorage.azure.realm }}
{{- end }}
{{- else if eq $type "gcs" }}
{{- else if eq .Values.persistence.imageChartStorage.type "gcs" }}
gcs:
bucket: {{ $storage.gcs.bucket }}
bucket: {{ .Values.persistence.imageChartStorage.gcs.bucket }}
keyfile: /etc/registry/gcs-key.json
{{- if $storage.gcs.rootdirectory }}
rootdirectory: {{ $storage.gcs.rootdirectory }}
{{- if .Values.persistence.imageChartStorage.gcs.rootdirectory }}
rootdirectory: {{ .Values.persistence.imageChartStorage.gcs.rootdirectory }}
{{- end }}
{{- if $storage.gcs.chunksize }}
chunksize: {{ $storage.gcs.chunksize }}
{{- if .Values.persistence.imageChartStorage.gcs.chunksize }}
chunksize: {{ .Values.persistence.imageChartStorage.gcs.chunksize }}
{{- end }}
{{- else if eq $type "s3" }}
{{- else if eq .Values.persistence.imageChartStorage.type "s3" }}
s3:
region: {{ $storage.s3.region }}
bucket: {{ $storage.s3.bucket }}
{{- if $storage.s3.regionendpoint }}
regionendpoint: {{ $storage.s3.regionendpoint }}
region: {{ .Values.persistence.imageChartStorage.s3.region }}
bucket: {{ .Values.persistence.imageChartStorage.s3.bucket }}
{{- if .Values.persistence.imageChartStorage.s3.regionendpoint }}
regionendpoint: {{ .Values.persistence.imageChartStorage.s3.regionendpoint }}
{{- end }}
{{- if $storage.s3.encrypt }}
encrypt: {{ $storage.s3.encrypt }}
{{- if .Values.persistence.imageChartStorage.s3.encrypt }}
encrypt: {{ .Values.persistence.imageChartStorage.s3.encrypt }}
{{- end }}
{{- if $storage.s3.secure }}
secure: {{ $storage.s3.secure }}
{{- if .Values.persistence.imageChartStorage.s3.keyid }}
keyid: {{ .Values.persistence.imageChartStorage.s3.keyid }}
{{- end }}
{{- if $storage.s3.v4auth }}
v4auth: {{ $storage.s3.v4auth }}
{{- if .Values.persistence.imageChartStorage.s3.secure }}
secure: {{ .Values.persistence.imageChartStorage.s3.secure }}
{{- end }}
{{- if $storage.s3.chunksize }}
chunksize: {{ $storage.s3.chunksize }}
{{- if .Values.persistence.imageChartStorage.s3.v4auth }}
v4auth: {{ .Values.persistence.imageChartStorage.s3.v4auth }}
{{- end }}
{{- if $storage.s3.rootdirectory }}
rootdirectory: {{ $storage.s3.rootdirectory }}
{{- if .Values.persistence.imageChartStorage.s3.chunksize }}
chunksize: {{ .Values.persistence.imageChartStorage.s3.chunksize }}
{{- end }}
{{- if $storage.s3.storageclass }}
storageclass: {{ $storage.s3.storageclass }}
{{- if .Values.persistence.imageChartStorage.s3.rootdirectory }}
rootdirectory: {{ .Values.persistence.imageChartStorage.s3.rootdirectory }}
{{- end }}
{{- else if eq $type "swift" }}
{{- if .Values.persistence.imageChartStorage.s3.storageclass }}
storageclass: {{ .Values.persistence.imageChartStorage.s3.storageclass }}
{{- end }}
{{- else if eq .Values.persistence.imageChartStorage.type "swift" }}
swift:
authurl: {{ $storage.swift.authurl }}
username: {{ $storage.swift.username }}
container: {{ $storage.swift.container }}
{{- if $storage.swift.region }}
region: {{ $storage.swift.region }}
authurl: {{ .Values.persistence.imageChartStorage.swift.authurl }}
username: {{ .Values.persistence.imageChartStorage.swift.username }}
container: {{ .Values.persistence.imageChartStorage.swift.container }}
{{- if .Values.persistence.imageChartStorage.swift.region }}
region: {{ .Values.persistence.imageChartStorage.swift.region }}
{{- end }}
{{- if $storage.swift.tenant }}
tenant: {{ $storage.swift.tenant }}
{{- if .Values.persistence.imageChartStorage.swift.tenant }}
tenant: {{ .Values.persistence.imageChartStorage.swift.tenant }}
{{- end }}
{{- if $storage.swift.tenantid }}
tenantid: {{ $storage.swift.tenantid }}
{{- if .Values.persistence.imageChartStorage.swift.tenantid }}
tenantid: {{ .Values.persistence.imageChartStorage.swift.tenantid }}
{{- end }}
{{- if $storage.swift.domain }}
domain: {{ $storage.swift.domain }}
{{- if .Values.persistence.imageChartStorage.swift.domain }}
domain: {{ .Values.persistence.imageChartStorage.swift.domain }}
{{- end }}
{{- if $storage.swift.domainid }}
domainid: {{ $storage.swift.domainid }}
{{- if .Values.persistence.imageChartStorage.swift.domainid }}
domainid: {{ .Values.persistence.imageChartStorage.swift.domainid }}
{{- end }}
{{- if $storage.swift.trustid }}
trustid: {{ $storage.swift.trustid }}
{{- if .Values.persistence.imageChartStorage.swift.trustid }}
trustid: {{ .Values.persistence.imageChartStorage.swift.trustid }}
{{- end }}
{{- if $storage.swift.insecureskipverify }}
insecureskipverify: {{ $storage.swift.insecureskipverify }}
{{- if .Values.persistence.imageChartStorage.swift.insecureskipverify }}
insecureskipverify: {{ .Values.persistence.imageChartStorage.swift.insecureskipverify }}
{{- end }}
{{- if $storage.swift.chunksize }}
chunksize: {{ $storage.swift.chunksize }}
{{- if .Values.persistence.imageChartStorage.swift.chunksize }}
chunksize: {{ .Values.persistence.imageChartStorage.swift.chunksize }}
{{- end }}
{{- if $storage.swift.prefix }}
prefix: {{ $storage.swift.prefix }}
{{- if .Values.persistence.imageChartStorage.swift.prefix }}
prefix: {{ .Values.persistence.imageChartStorage.swift.prefix }}
{{- end }}
{{- if $storage.swift.authversion }}
authversion: {{ $storage.swift.authversion }}
{{- if .Values.persistence.imageChartStorage.swift.authversion }}
authversion: {{ .Values.persistence.imageChartStorage.swift.authversion }}
{{- end }}
{{- if $storage.swift.endpointtype }}
endpointtype: {{ $storage.swift.endpointtype }}
{{- if .Values.persistence.imageChartStorage.swift.endpointtype }}
endpointtype: {{ .Values.persistence.imageChartStorage.swift.endpointtype }}
{{- end }}
{{- if $storage.swift.tempurlcontainerkey }}
tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }}
{{- if .Values.persistence.imageChartStorage.swift.tempurlcontainerkey }}
tempurlcontainerkey: {{ .Values.persistence.imageChartStorage.swift.tempurlcontainerkey }}
{{- end }}
{{- if $storage.swift.tempurlmethods }}
tempurlmethods: {{ $storage.swift.tempurlmethods }}
{{- if .Values.persistence.imageChartStorage.swift.tempurlmethods }}
tempurlmethods: {{ .Values.persistence.imageChartStorage.swift.tempurlmethods }}
{{- end }}
{{- else if eq $type "oss" }}
{{- else if eq .Values.persistence.imageChartStorage.type "oss" }}
oss:
accesskeyid: {{ $storage.oss.accesskeyid }}
region: {{ $storage.oss.region }}
bucket: {{ $storage.oss.bucket }}
{{- if $storage.oss.endpoint }}
endpoint: {{ $storage.oss.endpoint }}
accesskeyid: {{ .Values.persistence.imageChartStorage.oss.accesskeyid }}
region: {{ .Values.persistence.imageChartStorage.oss.region }}
bucket: {{ .Values.persistence.imageChartStorage.oss.bucket }}
{{- if .Values.persistence.imageChartStorage.oss.endpoint }}
endpoint: {{ .Values.persistence.imageChartStorage.oss.endpoint }}
{{- end }}
{{- if $storage.oss.internal }}
internal: {{ $storage.oss.internal }}
{{- if .Values.persistence.imageChartStorage.oss.internal }}
internal: {{ .Values.persistence.imageChartStorage.oss.internal }}
{{- end }}
{{- if $storage.oss.encrypt }}
encrypt: {{ $storage.oss.encrypt }}
{{- if .Values.persistence.imageChartStorage.oss.encrypt }}
encrypt: {{ .Values.persistence.imageChartStorage.oss.encrypt }}
{{- end }}
{{- if $storage.oss.secure }}
secure: {{ $storage.oss.secure }}
{{- if .Values.persistence.imageChartStorage.oss.secure }}
secure: {{ .Values.persistence.imageChartStorage.oss.secure }}
{{- end }}
{{- if $storage.oss.chunksize }}
chunksize: {{ $storage.oss.chunksize }}
{{- if .Values.persistence.imageChartStorage.oss.chunksize }}
chunksize: {{ .Values.persistence.imageChartStorage.oss.chunksize }}
{{- end }}
{{- if $storage.oss.rootdirectory }}
rootdirectory: {{ $storage.oss.rootdirectory }}
{{- if .Values.persistence.imageChartStorage.oss.rootdirectory }}
rootdirectory: {{ .Values.persistence.imageChartStorage.oss.rootdirectory }}
{{- end }}
{{- end }}
cache:
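
Review bot: expanding the `$storage` / `$type` locals into the full `.Values.persistence.imageChartStorage.*` path on every line turns a no-op refactor into a 120-line hunk with very long lines; keeping `{{- $storage := .Values.persistence.imageChartStorage }}` at the top of the `storage:` block renders identical output and keeps the diff reviewable. Two knobs deserve attention here as well: the `s3.keyid` entry between `encrypt` and `secure` is new and needs a values.yaml/README entry, and `swift.insecureskipverify` disables TLS verification toward the object store, so make sure its description states that plainly.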
@@ -137,25 +144,43 @@ data:
delete:
enabled: true
redirect:
disable: {{ $storage.disableredirect }}
disable: {{ .Values.persistence.imageChartStorage.disableredirect }}
redis:
addr: "{{ template "harbor.redis.host" . }}:{{ template "harbor.redis.port" . }}"
db: {{ template "harbor.redis.registryDatabaseIndex" . }}
http:
relativeurls: {{ .Values.registry.relativeurls }}
addr: :5000
addr: :{{ include "harbor.registry.containerPort" . }}
{{- if .Values.internalTLS.enabled }}
tls:
certificate: /bitnami/certs/tls.crt
key: /bitnami/certs/tls.key
minimumtls: tls1.2
{{- end }}
# set via environment variable
# secret: placeholder
debug:
addr: localhost:5001
auth:
token:
issuer: harbor-token-issuer
realm: "{{ template "harbor.externalUrl" . }}/service/token"
rootcertbundle: /etc/registry/root.crt
service: harbor-registry
htpasswd:
realm: harbor-registry-basic-realm
path: /etc/registry/passwd
validation:
disabled: true
{{- if .Values.registry.middleware.enabled }}
{{- if eq .Values.registry.middleware.type "cloudFront" }}
middleware:
storage:
- name: cloudfront
options:
baseurl: {{ .Values.registry.middleware.cloudFront.baseurl }}
privatekey: /etc/registry/pk.pem
keypairid: {{ .Values.registry.middleware.cloudFront.keypairid }}
duration: {{ .Values.registry.middleware.cloudFront.duration }}
ipfilteredby: {{ .Values.registry.middleware.cloudFront.ipfilteredby }}
{{- end }}
{{- end }}
notifications:
endpoints:
- name: harbor
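
Review bot: the new `tls:` block under `http:` gives the registry listener a certificate and `minimumtls: tls1.2` but no `clientcas`, so internal TLS here authenticates the registry to its callers only; if mutual authentication between components is the intent, `clientcas` pointing at the internal CA needs adding, and if not, the upgrade notes should say the internal CA is for server verification. The `debug:` listener stays on plain `localhost:5001`, which is acceptable only as long as it is never published through the Service.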
@@ -166,6 +191,14 @@ data:
backoff: 1s
ctl-config.yml: |+
---
{{- if .Values.internalTLS.enabled }}
protocol: "https"
port: 8443
https_config:
cert: "/bitnami/certs/tls.crt"
key: "/bitnami/certs/tls.key"
{{- else }}
protocol: "http"
port: 8080
{{- end }}
log_level: {{ .Values.logLevel }}
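
Review bot: `port: 8443` and `port: 8080` in the new `ctl-config.yml` branches are hard-coded, while the registryctl container declares `containerPort: {{ include "harbor.registryCtl.containerPort" . }}` in registry-dpl.yaml; if that helper ever returns a different value the `/api/health` probes and the Service target port stop matching the port registryctl actually binds. Use `port: {{ include "harbor.registryCtl.containerPort" . }}` here as well so there is one source of truth.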

View File

@@ -2,46 +2,59 @@ apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "harbor.registry" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: registry
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.registry.replicas }}
{{- if .Values.registry.strategy }}
strategy: {{- toYaml .Values.registry.strategy | nindent 4 }}
{{- end }}
{{- if .Values.registry.updateStrategy }}
strategy: {{- toYaml .Values.registry.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "harbor.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: registry
template:
metadata:
labels: {{- include "harbor.labels" . | nindent 8 }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.registry.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: registry
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (not .Values.registry.tls.existingSecret) }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/internal-crt-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.registry.podAnnotations }}
{{- include "harbor.tplValue" (dict "value" .Values.registry.podAnnotations "context" $) | nindent 8 }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "harbor.imagePullSecrets" . | indent 6 }}
{{- include "harbor.imagePullSecrets" . | nindent 6 }}
{{- if .Values.registry.affinity }}
affinity: {{- include "harbor.tplValue" (dict "value" .Values.registry.affinity "context" $) | nindent 8 }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.registry.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.registry.nodeSelector }}
nodeSelector: {{- include "harbor.tplValue" (dict "value" .Values.registry.nodeSelector "context" $) | nindent 8 }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.registry.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.registry.tolerations }}
tolerations: {{- include "harbor.tplValue" (dict "value" .Values.registry.tolerations "context" $) | nindent 8 }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.registry.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
initContainers:
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ include "harbor.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
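
Review bot: `initContainers:` is now emitted unconditionally (the `{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}` guard moved below it), so with volume permissions disabled and no `registry.initContainers` the template renders `initContainers:` with a null value; the API server tolerates that but schema linters do not, so guard the key with `{{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.registry.initContainers }}`. The hunk also renames `registry.strategy` to `registry.updateStrategy` and replaces `securityContext.*` with `podSecurityContext` / `containerSecurityContext`; old values are ignored silently, so both belong in the 6.0.0 upgrade notes.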
@@ -50,7 +63,7 @@ spec:
- -c
- |
mkdir -p "{{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}"
chown -R "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}" "{{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}"
chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "{{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}"
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
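
Review bot: the `chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}"` line renders `chown -R ":" <dir>` when either value is unset (both are optional elsewhere in this template), and GNU chown treats a bare `:` as "change nothing", so the init container exits 0 having fixed no ownership and the registry fails later with a far less obvious permission error. Either wrap both values in `required` or give the template explicit fallbacks.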
@@ -61,43 +74,93 @@ spec:
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
{{- end }}
{{- if .Values.registry.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: registry
image: {{ include "harbor.registryImage" . }}
imagePullPolicy: {{ .Values.registryImage.pullPolicy | quote }}
{{- if .Values.registry.registry.livenessProbe.enabled }}
{{- if .Values.registry.server.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.registry.server.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.server.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.registry.server.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.server.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /
scheme: {{ include "harbor.component.scheme" . | upper }}
port: registry
initialDelaySeconds: {{ .Values.registry.registry.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.registry.registry.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.registry.registry.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.registry.registry.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.registry.registry.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.registry.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.registry.server.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.registry.server.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.registry.server.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.registry.server.livenessProbe.failureThreshold }}
{{- else if .Values.registry.server.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.registry.server.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.registry.readinessProbe.enabled }}
{{- if .Values.registry.server.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /
scheme: {{ include "harbor.component.scheme" . | upper }}
port: registry
initialDelaySeconds: {{ .Values.registry.registry.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.registry.registry.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.registry.registry.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.registry.registry.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.registry.registry.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.registry.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.registry.server.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.registry.server.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.registry.server.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.registry.server.readinessProbe.failureThreshold }}
{{- else if .Values.registry.server.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.registry.server.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.registry.resources }}
resources: {{- toYaml .Values.registry.registry.resources | nindent 12 }}
{{- if .Values.registry.server.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.registry.server.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.server.resources }}
resources: {{- toYaml .Values.registry.server.resources | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.registryImage.debug | quote }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: INTERNAL_TLS_KEY_PATH
value: /bitnami/certs/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /bitnami/certs/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /bitnami/certs/ca.crt
{{- end }}
{{- if has "chartmuseum" .Values.proxy.components }}
- name: HTTP_PROXY
value: {{ .Values.proxy.httpProxy | quote }}
- name: HTTPS_PROXY
value: {{ .Values.proxy.httpsProxy | quote }}
- name: NO_PROXY
value: {{ include "harbor.noProxy" . | quote }}
{{- end }}
{{- if .Values.registry.server.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.server.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
- secretRef:
name: {{ include "harbor.registry" . }}
{{- if .Values.registry.server.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.server.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.registry.server.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.server.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
- containerPort: 5000
- containerPort: {{ include "harbor.registry.containerPort" . }}
name: registry
- containerPort: 5001
name: debug
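
Review bot: the proxy env block for the registry container is gated on `{{- if has "chartmuseum" .Values.proxy.components }}`, which looks copied from the chartmuseum deployment; this is the registry container, so it should test for the registry's own entry in `proxy.components`, otherwise proxy settings follow the wrong component. Separately, the `.Values.registry.registry.*` to `.Values.registry.server.*` rename across the probes and resources is breaking and needs an upgrade note, and `containerPort: 5001` named `debug` is cosmetic at best given that config.yml binds the debug listener to `localhost:5001`.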
@@ -108,38 +171,78 @@ spec:
- name: registry-root-certificate
mountPath: /etc/registry/root.crt
subPath: tls.crt
- name: registry-htpasswd
mountPath: /etc/registry/passwd
subPath: passwd
- name: registry-config
mountPath: /etc/registry/config.yml
subPath: config.yml
{{- if .Values.internalTLS.enabled }}
- name: registry-internal-certs
mountPath: /bitnami/certs/
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
subPath: gcs-key.json
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if .Values.registry.middleware.enabled }}
{{- if eq .Values.registry.middleware.type "cloudFront" }}
- name: cloudfront-key
mountPath: /etc/registry/pk.pem
subPath: pk.pem
{{- end }}
{{- end }}
{{- if .Values.registry.server.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.server.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
- name: registryctl
image: {{ include "harbor.registryctlImage" . }}
imagePullPolicy: {{ .Values.registryctlImage.pullPolicy | quote }}
{{- if .Values.registry.controller.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.registry.controller.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.controller.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.registry.controller.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.controller.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.registry.controller.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.controller.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /api/health
scheme: {{ include "harbor.component.scheme" . | upper }}
port: registryctl
initialDelaySeconds: {{ .Values.registry.controller.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.registry.controller.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.registry.controller.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.registry.controller.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.registry.controller.livenessProbe.failureThreshold }}
{{- else if .Values.registry.controller.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.registry.controller.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.controller.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /api/health
scheme: {{ include "harbor.component.scheme" . | upper }}
port: registryctl
initialDelaySeconds: {{ .Values.registry.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.registry.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.registry.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.registry.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.registry.controller.readinessProbe.failureThreshold }}
{{- else if .Values.registry.controller.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.registry.controller.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.controller.resources }}
resources: {{- toYaml .Values.registry.controller.resources | nindent 12 }}
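
Review bot: the registryctl probes now use `scheme: {{ include "harbor.component.scheme" . | upper }}` against `/api/health`; that works with the internal self-signed certificate only because the kubelet does not verify server certificates for HTTPS `httpGet` probes, which deserves a template comment so nobody later "hardens" the probe into failing. The nested `{{- if .Values.registry.middleware.enabled }}` / `{{- if eq .Values.registry.middleware.type "cloudFront" }}` pair here (and in registry-cm.yaml) could collapse into a single `{{- if and ... (eq ...) }}` for readability.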
@@ -147,6 +250,14 @@ spec:
envFrom:
- secretRef:
name: {{ include "harbor.registry" . }}
{{- if .Values.registry.controller.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.controller.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.registry.controller.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.controller.extraEnvVarsSecret "context" $) }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.registryctlImage.debug | quote }}
@@ -160,20 +271,59 @@ spec:
secretKeyRef:
name: {{ include "harbor.jobservice" . }}
key: secret
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: INTERNAL_TLS_KEY_PATH
value: /bitnami/certs/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /bitnami/certs/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /bitnami/certs/ca.crt
{{- end }}
{{- if .Values.registry.controller.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.controller.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
ports:
- containerPort: 8080
- containerPort: {{ include "harbor.registryCtl.containerPort" . }}
name: registryctl
volumeMounts:
- name: registry-data
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
{{- if .Values.internalTLS.enabled }}
- name: registry-internal-certs
mountPath: /bitnami/certs/
{{- end }}
- name: registry-config
mountPath: /etc/registry/config.yml
subPath: config.yml
- name: registry-config
mountPath: /etc/registryctl/config.yml
subPath: ctl-config.yml
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
subPath: gcs-key.json
{{- end }}
{{- if .Values.registry.controller.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.controller.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.registry.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: registry-htpasswd
secret:
secretName: {{ template "harbor.registry" . }}
items:
- key: REGISTRY_HTPASSWD
path: passwd
- name: registry-root-certificate
secret:
{{- if .Values.core.secretName }}
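Review bot: the `INTERNAL_TLS_KEY_PATH`, `INTERNAL_TLS_CERT_PATH` and `INTERNAL_TLS_TRUST_CA_PATH` values assume the secret mounted at `/bitnami/certs/` carries exactly the keys `tls.key`, `tls.crt` and `ca.crt`; since `harbor.registry.tls.secretName` can resolve to a user-supplied secret, the parameter docs should state those required key names, otherwise a secret with different key names fails only at container start.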
@@ -181,6 +331,11 @@ spec:
{{- else }}
secretName: {{ include "harbor.core" . }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: registry-internal-certs
secret:
secretName: {{ include "harbor.registry.tls.secretName" . }}
{{- end }}
- name: registry-config
configMap:
name: {{ include "harbor.registry" . }}
@@ -199,3 +354,21 @@ spec:
- key: GCS_KEY_DATA
path: gcs-key.json
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
secret:
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
{{- end }}
{{- if .Values.registry.middleware.enabled }}
{{- if eq .Values.registry.middleware.type "cloudFront" }}
- name: cloudfront-key
secret:
secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }}
items:
- key: CLOUDFRONT_KEY_DATA
path: pk.pem
{{- end }}
{{- end }}
{{- if .Values.registry.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.extraVolumes "context" $) | nindent 6 }}
{{- end }}


@@ -1,6 +1,5 @@
{{- if .Values.persistence.enabled }}
{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}}
{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
{{- if and (not .Values.persistence.persistentVolumeClaim.registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
@@ -9,14 +8,20 @@ metadata:
annotations:
helm.sh/resource-policy: keep
{{- end }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: registry
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
accessModes:
- {{ $registry.accessMode }}
- {{ .Values.persistence.persistentVolumeClaim.registry.accessMode }}
resources:
requests:
storage: {{ $registry.size }}
{{ include "harbor.registry.storageClass" . }}
storage: {{ .Values.persistence.persistentVolumeClaim.registry.size }}
{{- include "harbor.registry.storageClass" . | nindent 2 }}
{{- end }}
{{- end }}


@@ -2,32 +2,37 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.registry" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }}
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.rawPassword" .) | b64enc | quote }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }}
{{- if eq $type "azure" }}
REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
{{- else if eq $type "gcs" }}
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
{{- else if eq $type "s3" }}
{{- if $storage.s3.accesskey }}
REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
{{- if eq .Values.persistence.imageChartStorage.type "azure" }}
REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ .Values.persistence.imageChartStorage.azure.accountkey | b64enc | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "gcs" }}
GCS_KEY_DATA: {{ .Values.persistence.imageChartStorage.gcs.encodedkey | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "s3" }}
{{- if .Values.persistence.imageChartStorage.s3.accesskey }}
REGISTRY_STORAGE_S3_ACCESSKEY: {{ .Values.persistence.imageChartStorage.s3.accesskey | b64enc | quote }}
{{- end }}
{{- if $storage.s3.secretkey }}
REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
{{- if .Values.persistence.imageChartStorage.s3.secretkey }}
REGISTRY_STORAGE_S3_SECRETKEY: {{ .Values.persistence.imageChartStorage.s3.secretkey | b64enc | quote }}
{{- end }}
{{- else if eq $type "swift" }}
REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
{{- if $storage.swift.secretkey }}
REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "swift" }}
REGISTRY_STORAGE_SWIFT_PASSWORD: {{ .Values.persistence.imageChartStorage.swift.password | b64enc | quote }}
{{- if .Values.persistence.imageChartStorage.swift.secretkey }}
REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ .Values.persistence.imageChartStorage.swift.secretkey | b64enc | quote }}
{{- end }}
{{- if $storage.swift.accesskey }}
REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
{{- if .Values.persistence.imageChartStorage.swift.accesskey }}
REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ .Values.persistence.imageChartStorage.swift.accesskey | b64enc | quote }}
{{- end }}
{{- else if eq $type "oss" }}
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- else if eq .Values.persistence.imageChartStorage.type "oss" }}
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
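Review bot: the unchanged `REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}` line re-evaluates `randAlphaNum 16` on every render, so when `registry.secret` is unset the value changes on each `helm upgrade`; since this hunk already touches the surrounding storage keys, it is a good moment to document that `registry.secret` should be set explicitly for stable upgrades.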


@@ -2,12 +2,18 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.registry" . }}
labels: {{- include "harbor.labels" . | nindent 4 }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ports:
- name: registry
port: 5000
- name: controller
port: 8080
selector: {{- include "harbor.matchLabels" . | nindent 4 }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: registry
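Review bot: the `controller` port is still hard-coded to `port: 8080` with no `targetPort`, while the deployment now exposes the controller container port as `{{ include "harbor.registryCtl.containerPort" . }}` under the name `registryctl`; as soon as that helper yields anything other than 8080 the Service stops routing to the controller. Set `targetPort: registryctl` here, as the Trivy Service does with `targetPort: api-server`.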


@@ -0,0 +1,29 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.trivy" . }}-envvars
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: trivy
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
SCANNER_LOG_LEVEL: {{ .Values.logLevel | quote }}
SCANNER_TRIVY_CACHE_DIR: {{ printf "%s/%s" .Values.trivy.cacheDir "trivy" | quote }}
SCANNER_TRIVY_REPORTS_DIR: {{ printf "%s/%s" .Values.trivy.cacheDir "reports" | quote }}
SCANNER_TRIVY_DEBUG_MODE: {{ .Values.trivy.debugMode | quote }}
SCANNER_TRIVY_VULN_TYPE: {{ .Values.trivy.vulnType | quote }}
SCANNER_TRIVY_SEVERITY: {{ .Values.trivy.severity | quote }}
SCANNER_TRIVY_IGNORE_UNFIXED: {{ .Values.trivy.ignoreUnfixed | quote }}
SCANNER_TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
SCANNER_TRIVY_INSECURE: {{ .Values.trivy.insecure | quote }}
SCANNER_API_SERVER_ADDR: {{ printf ":%s" (include "harbor.trivy.containerPort" .) | quote }}
{{- if .Values.internalTLS.enabled }}
INTERNAL_TLS_ENABLED: "true"
SCANNER_API_SERVER_TLS_KEY: /bitnami/certs/tls.key
SCANNER_API_SERVER_TLS_CERTIFICATE: /bitnami/certs/tls.crt
SCANNER_API_SERVER_CLIENT_CAS: /bitnami/certs/ca.crt
{{- end }}
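Review bot: this ConfigMap is the only Trivy template without a `{{- if .Values.trivy.enabled }}` / `{{- end }}` guard (the Secret, StatefulSet and Service all have one), so `{{ template "harbor.trivy" . }}-envvars` is created even when Trivy is disabled; wrap it like the others. Because `SCANNER_TRIVY_INSECURE` and `SCANNER_TRIVY_SKIP_UPDATE` weaken certificate verification and vulnerability-database freshness respectively, the parameter table should state their defaults and spell out what each one disables.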


@@ -0,0 +1,19 @@
{{- if .Values.trivy.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "harbor.trivy" . }}-envvars
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: trivy
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
SCANNER_TRIVY_GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
SCANNER_STORE_REDIS_URL: {{ include "harbor.redisForTrivyAdapter" . | b64enc }}
SCANNER_JOB_QUEUE_REDIS_URL: {{ include "harbor.redisForTrivyAdapter" . | b64enc }}
{{- end }}
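Review bot: `SCANNER_STORE_REDIS_URL` and `SCANNER_JOB_QUEUE_REDIS_URL` are rendered without `| quote`, unlike `SCANNER_TRIVY_GITHUB_TOKEN` two lines above and the other `data` values in this chart; add `| quote` to both for consistency (base64 output is YAML-safe, but quoting every secret value is the pattern the chart follows).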


@@ -0,0 +1,186 @@
{{- if .Values.trivy.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "harbor.trivy" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: trivy
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.trivy.replicas }}
serviceName: {{ template "harbor.trivy" . }}
updateStrategy: {{- toYaml .Values.trivy.updateStrategy | nindent 4 }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: trivy
template:
metadata:
labels: {{- include "common.labels.standard" . | nindent 8 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.trivy.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.podLabels "context" $) | nindent 8 }}
{{- end }}
app.kubernetes.io/component: trivy
annotations:
checksum/configmap-env: {{ include (print $.Template.BasePath "/trivy/trivy-cm-envvars.yaml") . | sha256sum }}
checksum/secret-env: {{ include (print $.Template.BasePath "/trivy/trivy-secret-envvars.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (not .Values.trivy.tls.existingSecret) }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/internal-crt-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.trivy.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- if .Values.trivy.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.trivy.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.trivy.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken }}
initContainers:
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ include "harbor.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command:
- sh
- -c
- |
mkdir -p "{{ .Values.trivy.cacheDir }}"
mkdir -p "{{ .Values.trivy.cacheDir }}/trivy"
mkdir -p "{{ .Values.trivy.cacheDir }}/reports"
chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "{{ .Values.trivy.cacheDir }}"
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: job-logs
mountPath: /var/log/jobs
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
{{- end }}
{{- if .Values.trivy.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: trivy
image: {{ include "harbor.trivyImage" . }}
imagePullPolicy: {{ .Values.trivyImage.pullPolicy | quote }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.trivy.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.trivy.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.trivyImage.debug | quote }}
{{- if .Values.trivy.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ template "harbor.trivy" . }}-envvars
- secretRef:
name: {{ template "harbor.trivy" . }}-envvars
{{- if .Values.trivy.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.trivy.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.trivy.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.trivy.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
- name: api-server
containerPort: {{ template "harbor.trivy.containerPort" . }}
volumeMounts:
- name: data
mountPath: {{ .Values.trivy.cacheDir }}
readOnly: false
{{- if .Values.internalTLS.enabled }}
- name: trivy-internal-certs
mountPath: /bitnami/certs/
{{- end }}
{{- if .Values.trivy.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.trivy.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.trivy.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /probe/healthy
port: http
initialDelaySeconds: {{ .Values.trivy.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.trivy.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.trivy.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.trivy.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.trivy.livenessProbe.failureThreshold }}
{{- else if .Values.trivy.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.trivy.readinessProbe.enabled }}
readinessProbe:
httpGet:
scheme: HTTP
path: /probe/ready
port: api-server
initialDelaySeconds: {{ .Values.trivy.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.trivy.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.trivy.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.trivy.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.trivy.readinessProbe.failureThreshold }}
{{- else if .Values.trivy.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.trivy.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
resources: {{- toYaml .Values.trivy.resources | nindent 12 }}
{{- if .Values.trivy.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.internalTLS.enabled }}
- name: trivy-internal-certs
secret:
secretName: {{ include "harbor.trivy.tls.secretName" . }}
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- end }}
{{- if .Values.trivy.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: data
labels: {{- include "common.labels.standard" . | nindent 10 }}
spec:
accessModes:
- {{ .Values.persistence.persistentVolumeClaim.trivy.accessMode | quote }}
{{- include "harbor.trivy.storageClass" . | nindent 8 }}
resources:
requests:
storage: {{ .Values.persistence.persistentVolumeClaim.trivy.size | quote }}
{{- end }}
{{- end }}
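Review bot: the liveness probe uses `port: http`, but the only port declared on the container is `name: api-server` (which the readiness probe uses), so the API server will reject this StatefulSet; change it to `port: api-server`. In the same file, the `volume-permissions` init container mounts a `job-logs` volume with the jobservice subPath that is declared nowhere in `volumes:` or `volumeClaimTemplates`, while the directory it `chown`s, `{{ .Values.trivy.cacheDir }}`, is not mounted in that container at all; it should mount the `data` volume at the cache dir instead. Finally, the readiness probe hard-codes `scheme: HTTP` and the liveness probe sets none, yet with `internalTLS.enabled` the adapter receives `SCANNER_API_SERVER_TLS_KEY` and `SCANNER_API_SERVER_CLIENT_CAS`; use the `harbor.component.scheme` helper as registryctl does, and verify that the adapter still answers `/probe/healthy` and `/probe/ready` to a kubelet that presents no client certificate.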


@@ -0,0 +1,22 @@
{{ if .Values.trivy.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "harbor.trivy" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: trivy
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ports:
- name: api-server
protocol: TCP
port: {{ include "harbor.trivy.servicePort" . }}
targetPort: api-server
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: trivy
{{ end }}
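Review bot: `{{ if .Values.trivy.enabled }}` and `{{ end }}` do not trim whitespace, unlike the `{{- if ... }}` / `{{- end }}` form used in the Trivy Secret and StatefulSet, so the rendered manifest starts with an empty line; use `{{- if` and `{{- end }}` here as well.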

File diff suppressed because it is too large

File diff suppressed because it is too large


@@ -1,6 +1,32 @@
#!/bin/bash
render_and_yaml_lint() {
render_and_yaml_lint_full() {
local -r chart_path="${1:?missing_chart}"
local -r values="${2:?missing_values}"
local -r repo_path="$(git rev-parse --show-toplevel)"
local -r display_chart_path=${chart_path#"$repo_path/"}
local -r display_values=${values#"$repo_path/"}
local -r lint_rules="{extends: default, rules: {line-length: disable, trailing-spaces: disable, truthy: enable, document-start: disable, empty-lines: {max-end: 2} }}"
local -r helm_version="$(helm version --template={{.Version}})"
local -r helm_three="^v3.*"
local rendered_template
if [[ "$helm_version" =~ $helm_three ]]; then
rendered_template=$(helm template --values "$values" "$chart_path" 2> /dev/null)
else
rendered_template=$(helm template --values "$values" "$chart_path" 2> /dev/null)
fi
if ! echo "$rendered_template" | yamllint -s -d "$lint_rules" - > /dev/null 2>&1; then
printf '\033[0;31m\U0001F6AB (helm template --values %s | yamllint -s -d "%s" -) failed\n\033[0m' "$display_values" "$display_chart_path""$lint_rules"
false
else
true
fi
}
render_and_yaml_lint_file() {
local -r chart_path="${1:?missing_chart}"
local -r path="${2:?missing_file}"
local -r values="${3:?missing_values}"
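Review bot: in `render_and_yaml_lint_full` the helm 3 and non-helm-3 branches run the identical `helm template --values "$values" "$chart_path"` command, so the version check is dead code; either drop the `if` or give the second branch the command it is meant to run. The failure `printf` also passes `"$display_chart_path""$lint_rules"` as one argument, so the chart path and the lint rules are glued into the second `%s` and the rules never get their own placeholder; add a third `%s` and a separator. Lastly, `2> /dev/null` on `helm template` discards the rendering error, so a chart that fails to render is reported as a yamllint failure; check helm's exit status before piping into yamllint.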
@@ -78,11 +104,14 @@ run_yaml_lint_chart() {
if [[ ! -f "$values_file" ]];then
continue
fi
for yaml_file in $(< "$template_yaml_file_list"); do
if ! render_and_yaml_lint "$chart_path" "$yaml_file" "$values_file"; then
test_failed=1
fi
done
if ! render_and_yaml_lint_full "$chart_path" "$values_file"; then
printf '\033[0;31m\U0001F6AB Going file by file to get the cause of the issue'
for yaml_file in $(< "$template_yaml_file_list"); do
if ! render_and_yaml_lint_file "$chart_path" "$yaml_file" "$values_file"; then
test_failed=1
fi
done
fi
done
rm "$ci_values_file_list"
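Review bot: when `render_and_yaml_lint_full` fails but every per-file `render_and_yaml_lint_file` call passes (for example when the problem only shows in the concatenated multi-document output), `test_failed` is never set, so the run reports success despite the failed full render; set `test_failed=1` in the outer `if` too. The `printf` for "Going file by file" also lacks the trailing `\n` and the `\033[0m` reset used elsewhere, so the following output stays red on the same line.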