[harbor] Add support for providing own root CA (#3536)

This commit is contained in:
Paul Czarkowski
2020-10-22 02:07:39 -05:00
committed by GitHub
parent 94e0dd6a25
commit 93e3294026
11 changed files with 68 additions and 1 deletions


@@ -1,6 +1,6 @@
apiVersion: v1
name: harbor
version: 8.0.0
version: 8.1.0
appVersion: 2.1.0
description: Harbor is an an open source trusted cloud native registry project that stores, signs, and scans content
keywords:


@@ -65,6 +65,8 @@ The following tables list the configurable parameters of the Harbor chart and th
| Parameter | Description | Default |
|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `caBundleSecretName` | The custom ca bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components. | `nil` |
| `commonLabels` | Labels to add to all deployed objects | `nil` |
| `commonAnnotations` | Annotations to add to all deployed objects | `[]` |
| `internalTLS.enabled` | Use TLS in all the supported containers: chartmuseum, clair, core, jobservice, portal, registry and trivy | `false` |


@@ -28,6 +28,18 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{- end -}}
{{- define "harbor.caBundleVolume" -}}
- name: ca-bundle-certs
secret:
secretName: {{ .Values.caBundleSecretName }}
{{- end -}}
{{- define "harbor.caBundleVolumeMount" -}}
- name: ca-bundle-certs
mountPath: /harbor_cust_cert/custom-ca.crt
subPath: ca.crt
{{- end -}}
{{/* Scheme for all components except notary because it only support http mode */}}
{{- define "harbor.component.scheme" -}}
{{- if .Values.internalTLS.enabled -}}
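Review bot: `secretName: {{ .Values.caBundleSecretName }}` in `harbor.caBundleVolume` renders the value unquoted, so a Secret whose name is all digits (valid in Kubernetes, e.g. `123`) becomes a YAML integer and the Deployment is rejected by the API server; `secretName: {{ .Values.caBundleSecretName | quote }}` avoids that. `harbor.caBundleVolumeMount` projects the key with `subPath`, and the kubelet does not refresh subPath-mounted Secret files in place, so a rotated `ca.crt` is only trusted once the pods are recreated. Nothing in the pod templates changes when only the Secret's content changes, so that is worth stating on the define, e.g. `{{/* subPath mount: a rotated ca.crt is only picked up after the pods are restarted */}}`.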


@@ -166,6 +166,9 @@ spec:
- name: storage-service-ca
mountPath: /harbor_cust_cert/ca-bundle.crt
subPath: ca.crt
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- end }}
{{- if .Values.chartmuseum.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.chartmuseum.extraVolumeMounts "context" $) | nindent 12 }}
@@ -194,6 +197,9 @@ spec:
secret:
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 8 }}
{{- end }}
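Review bot: The new volumeMount in the first hunk of this file is inserted before the `{{- end }}` that closes a block opened above the hunk — from the `storage-service-ca` mount it encloses, presumably the `persistence.imageChartStorage.caBundleSecretName` conditional — so the custom CA is only mounted into chartmuseum when that other condition also holds. The volume itself is added after the matching `{{- end }}` in the second hunk, so with only `caBundleSecretName` set the pod gets a `ca-bundle-certs` volume with no mount and the CA is silently never installed. Move the three new lines below that `{{- end }}`, at the same level as the `chartmuseum.extraVolumeMounts` block, as the jobservice, registry and trivy hunks do.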
{{- if .Values.internalTLS.enabled }}
- name: internal-tls-certs
secret:


@@ -132,6 +132,9 @@ spec:
- name: config
mountPath: /etc/clair/config.yaml
subPath: config.yaml
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: internal-tls-certs
mountPath: /etc/harbor/ssl/clair
@@ -224,9 +227,13 @@ spec:
- name: internal-tls-certs
mountPath: /etc/harbor/ssl/clair
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- if .Values.clair.adapter.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.adapter.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.clair.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.sidecars "context" $) | nindent 8 }}
{{- end }}
@@ -239,6 +246,9 @@ spec:
secret:
secretName: {{ template "harbor.clair.tls.secretName" . }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 8 }}
{{- end }}
{{- if .Values.clair.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.clair.extraVolumes "context" $) | nindent 6 }}
{{- end }}


@@ -168,6 +168,9 @@ spec:
{{- end }}
- name: psc
mountPath: /etc/core/token
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- if .Values.core.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -190,6 +193,9 @@ spec:
items:
- key: secretKey
path: key
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 8 }}
{{- end }}
- name: token-service-private-key
secret:
{{- if .Values.core.secretName }}
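Review bot: Whatever is in this Secret's `ca.crt` becomes a trust anchor for core's outbound TLS, so anyone with write access to that Secret can present a trusted certificate for any upstream core talks to; the chart cannot enforce that, but the value's documentation should say the Secret needs the same access restrictions as the `token-service-private-key` Secret mounted right below. With `subPath: ca.crt` a Secret that exists but lacks the `ca.crt` key fails the mount and the pod never starts, and the chart does not validate the key, so a one-line hint in the values comment, e.g. `## A missing secret or a missing "ca.crt" key keeps the pods from starting`, spares a confusing rollout.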


@@ -178,6 +178,9 @@ spec:
- name: internal-tls-certs
mountPath: /etc/harbor/ssl/jobservice
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- if .Values.jobservice.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -195,6 +198,9 @@ spec:
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 8 }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: internal-tls-certs
secret:


@@ -181,6 +181,9 @@ spec:
- name: internal-tls-certs
mountPath: /etc/harbor/ssl/registry
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
@@ -306,6 +309,9 @@ spec:
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
@@ -346,6 +352,9 @@ spec:
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 8 }}
{{- end }}
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
- name: gcs-key
secret:


@@ -122,6 +122,9 @@ spec:
- name: internal-tls-certs
mountPath: /etc/harbor/ssl/trivy
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 12 }}
{{- end }}
{{- if .Values.trivy.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -166,6 +169,9 @@ spec:
secret:
secretName: {{ include "harbor.trivy.tls.secretName" . }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 8 }}
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}


@@ -359,6 +359,11 @@ volumePermissions:
internalTLS:
enabled: true
## The custom ca bundle secret, the secret must contain key named "ca.crt"
## which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
##
# caBundleSecretName: ""
## Service parameters
##
service:
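Review bot: The comment above `caBundleSecretName` should tell the operator what the Secret must look like and how it is consumed: the chart only references it, so it has to exist in the release namespace before the pods can start; `ca.crt` is mounted as a single file via `subPath`; and changing the Secret's contents does not update running pods. Suggested wording: `## Name of an existing secret in the release namespace whose "ca.crt" key is mounted as a file into the trust store of chartmuseum, clair, core, jobservice, registry and trivy; pods must be restarted after the secret is rotated`. The same wording belongs in the other values file touched by this commit.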


@@ -359,6 +359,11 @@ volumePermissions:
internalTLS:
enabled: false
## The custom ca bundle secret, the secret must contain key named "ca.crt"
## which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
##
# caBundleSecretName: ""
## Service parameters
##
service: