new way of doin

helm-charts/harbor/templates/jobservice/jobservice-cm-env.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ template "harbor.jobservice" . }}-env"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+data:
+  CORE_URL: "{{ template "harbor.coreURL" . }}"
+  TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
+  REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
+  REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
+  REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
+
+  JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}"
+  JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}"
+
+  {{- if has "jobservice" .Values.proxy.components }}
+  HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
+  HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
+  NO_PROXY: "{{ template "harbor.noProxy" . }}"
+  {{- end }}
+  {{- if .Values.metrics.enabled}}
+  METRIC_NAMESPACE: harbor
+  METRIC_SUBSYSTEM: jobservice
+  {{- end }}
+  {{- template "harbor.traceEnvsForJobservice" . }}
+  {{- if .Values.cache.enabled }}
+  _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
+  CACHE_ENABLED: "true"
+  CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
+  {{- end }}
+  {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
+  _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
+  {{- end }}

helm-charts/harbor/templates/jobservice/jobservice-cm.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ template "harbor.jobservice" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+data:
+  config.yml: |+
+    #Server listening port
+    protocol: "{{ template "harbor.component.scheme" . }}"
+    port: {{ template "harbor.jobservice.containerPort". }}
+    {{- if .Values.internalTLS.enabled }}
+    https_config:
+      cert: "/etc/harbor/ssl/jobservice/tls.crt"
+      key: "/etc/harbor/ssl/jobservice/tls.key"
+    {{- end }}
+    worker_pool:
+      workers: {{ .Values.jobservice.maxJobWorkers }}
+      backend: "redis"
+      redis_pool:
+        redis_url: "{{ template "harbor.redis.urlForJobservice" . }}"
+        namespace: "harbor_job_service_namespace"
+        idle_timeout_second: 3600
+    job_loggers:
+      {{- if has "file" .Values.jobservice.jobLoggers }}
+      - name: "FILE"
+        level: {{ .Values.logLevel | upper }}
+        settings: # Customized settings of logger
+          base_dir: "/var/log/jobs"
+        sweeper:
+          duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
+          settings: # Customized settings of sweeper
+            work_dir: "/var/log/jobs"
+      {{- end }}
+      {{- if has "database" .Values.jobservice.jobLoggers }}
+      - name: "DB"
+        level: {{ .Values.logLevel | upper }}
+        sweeper:
+          duration: {{ .Values.jobservice.loggerSweeperDuration }} #days
+      {{- end }}
+      {{- if has "stdout" .Values.jobservice.jobLoggers }}
+      - name: "STD_OUTPUT"
+        level: {{ .Values.logLevel | upper }}
+      {{- end }}
+    metric:
+      enabled: {{ .Values.metrics.enabled }}
+      path: {{ .Values.metrics.jobservice.path }}
+      port: {{ .Values.metrics.jobservice.port }}
+    #Loggers for the job service
+    loggers:
+      - name: "STD_OUTPUT"
+        level: {{ .Values.logLevel | upper }}
+    reaper:
+      # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
+      max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }}
+      # the max time for execution in running state without new task created
+      max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }}

helm-charts/harbor/templates/jobservice/jobservice-dpl.yaml

@@ -0,0 +1,166 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ template "harbor.jobservice" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+    component: jobservice
+spec:
+  replicas: {{ .Values.jobservice.replicas }}
+  revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+    {{- if eq .Values.updateStrategy.type "Recreate" }}
+    rollingUpdate: null
+    {{- end }}
+  selector:
+    matchLabels:
+{{ include "harbor.matchLabels" . | indent 6 }}
+      component: jobservice
+  template:
+    metadata:
+      labels:
+{{ include "harbor.labels" . | indent 8 }}
+        component: jobservice
+{{- if .Values.jobservice.podLabels }}
+{{ toYaml .Values.jobservice.podLabels | indent 8 }}
+{{- end }}
+      annotations:
+        checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
+        checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
+        checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
+{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
+        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
+{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
+        checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }}
+{{- end }}
+{{- if .Values.jobservice.podAnnotations }}
+{{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
+{{- end }}
+    spec:
+      securityContext:
+        runAsUser: 10000
+        fsGroup: 10000
+{{- if .Values.jobservice.serviceAccountName }}
+      serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
+{{- end -}}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }}
+      terminationGracePeriodSeconds: 120
+{{- with .Values.jobservice.topologySpreadConstraints}}
+      topologySpreadConstraints:
+{{- range . }}
+      - {{ . | toYaml | indent 8 | trim }}
+        labelSelector:
+          matchLabels:
+{{ include "harbor.matchLabels" $ | indent 12 }}
+            component: jobservice
+{{- end }}
+{{- end }}
+      containers:
+      - name: jobservice
+        image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+        livenessProbe:
+          httpGet:
+            path: /api/v1/stats
+            scheme: {{ include "harbor.component.scheme" . | upper }}
+            port: {{ template "harbor.jobservice.containerPort" . }}
+          initialDelaySeconds: 300
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /api/v1/stats
+            scheme: {{ include "harbor.component.scheme" . | upper }}
+            port: {{ template "harbor.jobservice.containerPort" . }}
+          initialDelaySeconds: 20
+          periodSeconds: 10
+{{- if .Values.jobservice.resources }}
+        resources:
+{{ toYaml .Values.jobservice.resources | indent 10 }}
+{{- end }}
+        env:
+          - name: CORE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "harbor.core" . }}
+                key: secret
+          {{- if .Values.internalTLS.enabled }}
+          - name: INTERNAL_TLS_ENABLED
+            value: "true"
+          - name: INTERNAL_TLS_KEY_PATH
+            value: /etc/harbor/ssl/jobservice/tls.key
+          - name: INTERNAL_TLS_CERT_PATH
+            value: /etc/harbor/ssl/jobservice/tls.crt
+          - name: INTERNAL_TLS_TRUST_CA_PATH
+            value: /etc/harbor/ssl/jobservice/ca.crt
+          {{- end }}
+          {{- if .Values.registry.credentials.existingSecret }}
+          - name: REGISTRY_CREDENTIAL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.registry.credentials.existingSecret }}
+                key: REGISTRY_PASSWD
+          {{- end }}
+{{- with .Values.jobservice.extraEnvVars }}
+{{- toYaml . | nindent 10 }}
+{{- end }}
+        envFrom:
+        - configMapRef:
+            name: "{{ template "harbor.jobservice" . }}-env"
+        - secretRef:
+            name: "{{ template "harbor.jobservice" . }}"
+        ports:
+        - containerPort: {{ template "harbor.jobservice.containerPort" . }}
+        volumeMounts:
+        - name: jobservice-config
+          mountPath: /etc/jobservice/config.yml
+          subPath: config.yml
+        - name: job-logs
+          mountPath: /var/log/jobs
+          subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }}
+        {{- if .Values.internalTLS.enabled }}
+        - name: jobservice-internal-certs
+          mountPath: /etc/harbor/ssl/jobservice
+        {{- end }}
+        {{- if .Values.caBundleSecretName }}
+{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
+      volumes:
+      - name: jobservice-config
+        configMap:
+          name: "{{ template "harbor.jobservice" . }}"
+      - name: job-logs
+        {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }}
+        {{- else }}
+        emptyDir: {}
+        {{- end }}
+      {{- if .Values.internalTLS.enabled }}
+      - name: jobservice-internal-certs
+        secret:
+          secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }}
+      {{- end }}
+      {{- if .Values.caBundleSecretName }}
+{{ include "harbor.caBundleVolume" . | indent 6 }}
+      {{- end }}
+    {{- with .Values.jobservice.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.jobservice.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.jobservice.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- if .Values.jobservice.priorityClassName }}
+      priorityClassName: {{ .Values.jobservice.priorityClassName }}
+    {{- end }}

helm-charts/harbor/templates/jobservice/jobservice-pvc.yaml

@@ -0,0 +1,30 @@
+{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}}
+{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "harbor.jobservice" . }}
+  annotations:
+  {{- range $key, $value := $jobLog.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- if eq .Values.persistence.resourcePolicy "keep" }}
+    helm.sh/resource-policy: keep
+  {{- end }}
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+    component: jobservice
+spec:
+  accessModes: 
+    - {{ $jobLog.accessMode }}
+  resources:
+    requests:
+      storage: {{ $jobLog.size }}
+  {{- if $jobLog.storageClass }}
+    {{- if eq "-" $jobLog.storageClass }}
+  storageClassName: ""
+    {{- else }}
+  storageClassName: {{ $jobLog.storageClass }}
+    {{- end }}
+  {{- end }}
+{{- end }}

helm-charts/harbor/templates/jobservice/jobservice-secrets.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.jobservice" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: Opaque
+data:
+  JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+  {{- if not .Values.registry.credentials.existingSecret }}
+  REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
+  {{- end }}
+  {{- template "harbor.traceJaegerPassword" . }}

helm-charts/harbor/templates/jobservice/jobservice-svc.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ template "harbor.jobservice" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+spec:
+  ports:
+    - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }}
+      port: {{ template "harbor.jobservice.servicePort" . }}
+      targetPort: {{ template "harbor.jobservice.containerPort" . }}
+{{- if .Values.metrics.enabled }}
+    - name: {{ template "harbor.metricsPortName" . }}
+      port: {{ .Values.metrics.jobservice.port }}
+{{- end }}
+  selector:
+{{ include "harbor.matchLabels" . | indent 4 }}
+    component: jobservice

helm-charts/harbor/templates/jobservice/jobservice-tls.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.internalTLS.enabled }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }}
+{{- end }}
+{{- end }}