add kfk
Some checks failed
continuous-integration/drone/push Build is failing

Simple_Not
2023-12-06 12:57:14 +10:00
parent 278324f8c7
commit 29ee425ddf
83 changed files with 9 additions and 3 deletions


@@ -0,0 +1,246 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.registry" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
config.yml: |+
version: 0.1
log:
{{- if eq .Values.logLevel "warning" }}
level: warn
{{- else if eq .Values.logLevel "fatal" }}
level: error
{{- else }}
level: {{ .Values.logLevel }}
{{- end }}
fields:
service: registry
storage:
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }}
{{- if eq $type "filesystem" }}
filesystem:
rootdirectory: {{ $storage.filesystem.rootdirectory }}
{{- if $storage.filesystem.maxthreads }}
maxthreads: {{ $storage.filesystem.maxthreads }}
{{- end }}
{{- else if eq $type "azure" }}
azure:
accountname: {{ $storage.azure.accountname }}
container: {{ $storage.azure.container }}
{{- if $storage.azure.realm }}
realm: {{ $storage.azure.realm }}
{{- end }}
{{- else if eq $type "gcs" }}
gcs:
bucket: {{ $storage.gcs.bucket }}
{{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }}
keyfile: /etc/registry/gcs-key.json
{{- end }}
{{- if $storage.gcs.rootdirectory }}
rootdirectory: {{ $storage.gcs.rootdirectory }}
{{- end }}
{{- if $storage.gcs.chunksize }}
chunksize: {{ $storage.gcs.chunksize }}
{{- end }}
{{- else if eq $type "s3" }}
s3:
region: {{ $storage.s3.region }}
bucket: {{ $storage.s3.bucket }}
{{- if $storage.s3.regionendpoint }}
regionendpoint: {{ $storage.s3.regionendpoint }}
{{- end }}
{{- if $storage.s3.encrypt }}
encrypt: {{ $storage.s3.encrypt }}
{{- end }}
{{- if $storage.s3.keyid }}
keyid: {{ $storage.s3.keyid }}
{{- end }}
{{- if $storage.s3.secure }}
secure: {{ $storage.s3.secure }}
{{- end }}
{{- if and $storage.s3.secure $storage.s3.skipverify }}
skipverify: {{ $storage.s3.skipverify }}
{{- end }}
{{- if $storage.s3.v4auth }}
v4auth: {{ $storage.s3.v4auth }}
{{- end }}
{{- if $storage.s3.chunksize }}
chunksize: {{ $storage.s3.chunksize }}
{{- end }}
{{- if $storage.s3.rootdirectory }}
rootdirectory: {{ $storage.s3.rootdirectory }}
{{- end }}
{{- if $storage.s3.storageclass }}
storageclass: {{ $storage.s3.storageclass }}
{{- end }}
{{- if $storage.s3.multipartcopychunksize }}
multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }}
{{- end }}
{{- if $storage.s3.multipartcopymaxconcurrency }}
multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }}
{{- end }}
{{- if $storage.s3.multipartcopythresholdsize }}
multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }}
{{- end }}
{{- else if eq $type "swift" }}
swift:
authurl: {{ $storage.swift.authurl }}
username: {{ $storage.swift.username }}
container: {{ $storage.swift.container }}
{{- if $storage.swift.region }}
region: {{ $storage.swift.region }}
{{- end }}
{{- if $storage.swift.tenant }}
tenant: {{ $storage.swift.tenant }}
{{- end }}
{{- if $storage.swift.tenantid }}
tenantid: {{ $storage.swift.tenantid }}
{{- end }}
{{- if $storage.swift.domain }}
domain: {{ $storage.swift.domain }}
{{- end }}
{{- if $storage.swift.domainid }}
domainid: {{ $storage.swift.domainid }}
{{- end }}
{{- if $storage.swift.trustid }}
trustid: {{ $storage.swift.trustid }}
{{- end }}
{{- if $storage.swift.insecureskipverify }}
insecureskipverify: {{ $storage.swift.insecureskipverify }}
{{- end }}
{{- if $storage.swift.chunksize }}
chunksize: {{ $storage.swift.chunksize }}
{{- end }}
{{- if $storage.swift.prefix }}
prefix: {{ $storage.swift.prefix }}
{{- end }}
{{- if $storage.swift.authversion }}
authversion: {{ $storage.swift.authversion }}
{{- end }}
{{- if $storage.swift.endpointtype }}
endpointtype: {{ $storage.swift.endpointtype }}
{{- end }}
{{- if $storage.swift.tempurlcontainerkey }}
tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }}
{{- end }}
{{- if $storage.swift.tempurlmethods }}
tempurlmethods: {{ $storage.swift.tempurlmethods }}
{{- end }}
{{- else if eq $type "oss" }}
oss:
accesskeyid: {{ $storage.oss.accesskeyid }}
region: {{ $storage.oss.region }}
bucket: {{ $storage.oss.bucket }}
{{- if $storage.oss.endpoint }}
endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }}
{{- end }}
{{- if $storage.oss.internal }}
internal: {{ $storage.oss.internal }}
{{- end }}
{{- if $storage.oss.encrypt }}
encrypt: {{ $storage.oss.encrypt }}
{{- end }}
{{- if $storage.oss.secure }}
secure: {{ $storage.oss.secure }}
{{- end }}
{{- if $storage.oss.chunksize }}
chunksize: {{ $storage.oss.chunksize }}
{{- end }}
{{- if $storage.oss.rootdirectory }}
rootdirectory: {{ $storage.oss.rootdirectory }}
{{- end }}
{{- end }}
cache:
layerinfo: redis
maintenance:
uploadpurging:
{{- if .Values.registry.upload_purging.enabled }}
enabled: true
age: {{ .Values.registry.upload_purging.age }}
interval: {{ .Values.registry.upload_purging.interval }}
dryrun: {{ .Values.registry.upload_purging.dryrun }}
{{- else }}
enabled: false
{{- end }}
delete:
enabled: true
redirect:
disable: {{ $storage.disableredirect }}
redis:
addr: {{ template "harbor.redis.addr" . }}
{{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }}
sentinelMasterSet: {{ template "harbor.redis.masterSet" . }}
{{- end }}
db: {{ template "harbor.redis.dbForRegistry" . }}
{{- if not (eq (include "harbor.redis.password" .) "") }}
password: {{ template "harbor.redis.password" . }}
{{- end }}
readtimeout: 10s
writetimeout: 10s
dialtimeout: 10s
pool:
maxidle: 100
maxactive: 500
idletimeout: 60s
http:
addr: :{{ template "harbor.registry.containerPort" . }}
relativeurls: {{ .Values.registry.relativeurls }}
{{- if .Values.internalTLS.enabled }}
tls:
certificate: /etc/harbor/ssl/registry/tls.crt
key: /etc/harbor/ssl/registry/tls.key
minimumtls: tls1.2
{{- end }}
# set via environment variable
# secret: placeholder
debug:
{{- if .Values.metrics.enabled}}
addr: :{{ .Values.metrics.registry.port }}
prometheus:
enabled: true
path: {{ .Values.metrics.registry.path }}
{{- else }}
addr: localhost:5001
{{- end }}
auth:
htpasswd:
realm: harbor-registry-basic-realm
path: /etc/registry/passwd
validation:
disabled: true
compatibility:
schema1:
enabled: true
{{- if .Values.registry.middleware.enabled }}
{{- $middleware := .Values.registry.middleware }}
{{- $middlewareType := $middleware.type }}
{{- if eq $middlewareType "cloudFront" }}
middleware:
storage:
- name: cloudfront
options:
baseurl: {{ $middleware.cloudFront.baseurl }}
privatekey: /etc/registry/pk.pem
keypairid: {{ $middleware.cloudFront.keypairid }}
duration: {{ $middleware.cloudFront.duration }}
ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }}
{{- end }}
{{- end }}
ctl-config.yml: |+
---
{{- if .Values.internalTLS.enabled }}
protocol: "https"
port: 8443
https_config:
cert: "/etc/harbor/ssl/registry/tls.crt"
key: "/etc/harbor/ssl/registry/tls.key"
{{- else }}
protocol: "http"
port: 8080
{{- end }}
log_level: {{ .Values.logLevel }}
registry_config: "/etc/registry/config.yml"
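Review bot: The Redis password is written in clear text into this ConfigMap by `password: {{ template "harbor.redis.password" . }}` in the `redis:` block of `config.yml`, so any subject allowed to read ConfigMaps in the namespace can read it. The registry Secret added in the same commit already carries `REGISTRY_REDIS_PASSWORD` (or the Deployment takes it from `redis.external.existingSecret`), and the registry accepts `REGISTRY_<SECTION>_<KEY>` environment overrides, so the `password:` line and its surrounding `if` can be dropped. If it has to stay, render it as `password: {{ include "harbor.redis.password" . | quote }}`, because an unquoted password containing ` #` or `: ` changes how the embedded YAML parses.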


@@ -0,0 +1,347 @@
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: "{{ template "harbor.registry" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
component: registry
spec:
replicas: {{ .Values.registry.replicas }}
revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }}
strategy:
type: {{ .Values.updateStrategy.type }}
{{- if eq .Values.updateStrategy.type "Recreate" }}
rollingUpdate: null
{{- end }}
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: registry
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: registry
{{- if .Values.registry.podLabels }}
{{ toYaml .Values.registry.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }}
checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.registry.podAnnotations }}
{{ toYaml .Values.registry.podAnnotations | indent 8 }}
{{- end }}
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
{{- if .Values.registry.serviceAccountName }}
serviceAccountName: {{ .Values.registry.serviceAccountName }}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
{{- with .Values.registry.topologySpreadConstraints}}
topologySpreadConstraints:
{{- range . }}
- {{ . | toYaml | indent 8 | trim }}
labelSelector:
matchLabels:
{{ include "harbor.matchLabels" $ | indent 12 }}
component: registry
{{- end }}
{{- end }}
containers:
- name: registry
image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.registry.containerPort" . }}
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.registry.containerPort" . }}
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.registry.registry.resources }}
resources:
{{ toYaml .Values.registry.registry.resources | indent 10 }}
{{- end }}
args: ["serve", "/etc/registry/config.yml"]
envFrom:
- secretRef:
name: "{{ template "harbor.registry" . }}"
{{- if .Values.persistence.imageChartStorage.s3.existingSecret }}
- secretRef:
name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
{{- end }}
env:
{{- if has "registry" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
- name: HTTPS_PROXY
value: "{{ .Values.proxy.httpsProxy }}"
- name: NO_PROXY
value: "{{ template "harbor.noProxy" . }}"
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: INTERNAL_TLS_KEY_PATH
value: /etc/harbor/ssl/registry/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /etc/harbor/ssl/registry/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/registry/ca.crt
{{- end }}
{{- if .Values.redis.external.existingSecret }}
- name: REGISTRY_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.redis.external.existingSecret }}
key: REDIS_PASSWORD
{{- end }}
{{- if .Values.persistence.imageChartStorage.azure.existingSecret }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
key: AZURE_STORAGE_ACCESS_KEY
{{- end }}
{{- with .Values.registry.registry.extraEnvVars }}
{{- toYaml . | nindent 8 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.registry.containerPort" . }}
- containerPort: 5001
volumeMounts:
- name: registry-data
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
- name: registry-htpasswd
mountPath: /etc/registry/passwd
subPath: passwd
- name: registry-config
mountPath: /etc/registry/config.yml
subPath: config.yml
{{- if .Values.internalTLS.enabled }}
- name: registry-internal-certs
mountPath: /etc/harbor/ssl/registry
{{- end }}
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
subPath: gcs-key.json
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if .Values.registry.middleware.enabled }}
{{- if eq .Values.registry.middleware.type "cloudFront" }}
- name: cloudfront-key
mountPath: /etc/registry/pk.pem
subPath: pk.pem
{{- end }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
{{- end }}
- name: registryctl
image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /api/health
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.registryctl.containerPort" . }}
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/health
scheme: {{ include "harbor.component.scheme" . | upper }}
port: {{ template "harbor.registryctl.containerPort" . }}
initialDelaySeconds: 1
periodSeconds: 10
{{- if .Values.registry.controller.resources }}
resources:
{{ toYaml .Values.registry.controller.resources | indent 10 }}
{{- end }}
envFrom:
- configMapRef:
name: "{{ template "harbor.registryCtl" . }}"
- secretRef:
name: "{{ template "harbor.registry" . }}"
- secretRef:
name: "{{ template "harbor.registryCtl" . }}"
{{- if .Values.persistence.imageChartStorage.s3.existingSecret }}
- secretRef:
name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
{{- end }}
env:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.jobservice" . }}
key: JOBSERVICE_SECRET
{{- if has "registry" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
- name: HTTPS_PROXY
value: "{{ .Values.proxy.httpsProxy }}"
- name: NO_PROXY
value: "{{ template "harbor.noProxy" . }}"
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
- name: INTERNAL_TLS_KEY_PATH
value: /etc/harbor/ssl/registry/tls.key
- name: INTERNAL_TLS_CERT_PATH
value: /etc/harbor/ssl/registry/tls.crt
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/registry/ca.crt
{{- end }}
{{- if .Values.redis.external.existingSecret }}
- name: REGISTRY_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.redis.external.existingSecret }}
key: REDIS_PASSWORD
{{- end }}
{{- if .Values.persistence.imageChartStorage.azure.existingSecret }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
key: AZURE_STORAGE_ACCESS_KEY
{{- end }}
{{- with .Values.registry.controller.extraEnvVars }}
{{- toYaml . | nindent 8 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.registryctl.containerPort" . }}
volumeMounts:
- name: registry-data
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
- name: registry-config
mountPath: /etc/registry/config.yml
subPath: config.yml
- name: registry-config
mountPath: /etc/registryctl/config.yml
subPath: ctl-config.yml
{{- if .Values.internalTLS.enabled }}
- name: registry-internal-certs
mountPath: /etc/harbor/ssl/registry
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
mountPath: /harbor_cust_cert/custom-ca-bundle.crt
subPath: ca.crt
{{- end }}
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
- name: gcs-key
mountPath: /etc/registry/gcs-key.json
subPath: gcs-key.json
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
{{- end }}
volumes:
- name: registry-htpasswd
secret:
{{- if not .Values.registry.credentials.existingSecret }}
secretName: {{ template "harbor.registry" . }}-htpasswd
{{ else }}
secretName: {{ .Values.registry.credentials.existingSecret }}
{{- end }}
items:
- key: REGISTRY_HTPASSWD
path: passwd
- name: registry-config
configMap:
name: "{{ template "harbor.registry" . }}"
- name: registry-data
{{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: registry-internal-certs
secret:
secretName: {{ template "harbor.internalTLS.registry.secretName" . }}
{{- end }}
{{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
- name: gcs-key
secret:
{{- if and (eq $type "gcs") $storage.gcs.existingSecret }}
secretName: {{ $storage.gcs.existingSecret }}
{{- else }}
secretName: {{ template "harbor.registry" . }}
{{- end }}
items:
- key: GCS_KEY_DATA
path: gcs-key.json
{{- end }}
{{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
- name: storage-service-ca
secret:
secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
{{- end }}
{{- if .Values.registry.middleware.enabled }}
{{- if eq .Values.registry.middleware.type "cloudFront" }}
- name: cloudfront-key
secret:
secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }}
items:
- key: CLOUDFRONT_KEY_DATA
path: pk.pem
{{- end }}
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 6 }}
{{- end }}
{{- with .Values.registry.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.registry.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.registry.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.registry.priorityClassName }}
priorityClassName: {{ .Values.registry.priorityClassName }}
{{- end }}
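Review bot: Neither the `registry` nor the `registryctl` container sets a container-level `securityContext`; the pod-level block only fixes `runAsUser: 10000` and `fsGroup: 10000`, so both containers keep the runtime's default capability set and may still gain privileges through setuid binaries. Adding the block below to each container closes that gap. `readOnlyRootFilesystem` is left out on purpose, because whether the images write outside the mounted volumes is not visible from this template.

```yaml
      - name: registry
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: image, imagePullPolicy, probes, env, volumeMounts …
      # … same securityContext block under "- name: registryctl" …
```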


@@ -0,0 +1,32 @@
{{- if .Values.persistence.enabled }}
{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}}
{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "harbor.registry" . }}
annotations:
{{- range $key, $value := $registry.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if eq .Values.persistence.resourcePolicy "keep" }}
helm.sh/resource-policy: keep
{{- end }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: registry
spec:
accessModes:
- {{ $registry.accessMode }}
resources:
requests:
storage: {{ $registry.size }}
{{- if $registry.storageClass }}
{{- if eq "-" $registry.storageClass }}
storageClassName: ""
{{- else }}
storageClassName: {{ $registry.storageClass }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,52 @@
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.registry" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- if not .Values.redis.external.existingSecret }}
REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
{{- end }}
{{- $storage := .Values.persistence.imageChartStorage }}
{{- $type := $storage.type }}
{{- if and (eq $type "azure") (not $storage.azure.existingSecret) }}
REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
{{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }}
GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
{{- else if eq $type "s3" }}
{{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }}
REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
{{- end }}
{{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }}
REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
{{- end }}
{{- else if eq $type "swift" }}
REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
{{- if $storage.swift.secretkey }}
REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
{{- end }}
{{- if $storage.swift.accesskey }}
REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
{{- end }}
{{- else if eq $type "oss" }}
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.registry" . }}-htpasswd"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if .Values.registry.credentials.htpasswdString }}
REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }}
{{- else }}
REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }}
{{- end }}
{{- end }}
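Review bot: `REGISTRY_HTTP_SECRET` falls back to `randAlphaNum 16`, which is re-evaluated on every render, so with `registry.secret` unset each `helm upgrade` writes a different value; that also changes the `checksum/secret` annotation in the Deployment and rolls the pods on every upgrade. The `htpasswd` call for `REGISTRY_HTPASSWD` likely has the same churn, since the hash is salted afresh per render. Reuse the stored value when the Secret already exists, as sketched below; `lookup` returns an empty map under `helm template` and `--dry-run`, so the random fallback still applies there.

```yaml
{{- $existing := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }}
# … unchanged: apiVersion, kind, metadata, type …
data:
  {{- if and $existing (not .Values.registry.secret) }}
  REGISTRY_HTTP_SECRET: {{ index $existing.data "REGISTRY_HTTP_SECRET" | quote }}
  {{- else }}
  REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
  {{- end }}
  # … unchanged: Redis and storage credentials …
```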


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.registry" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }}
port: {{ template "harbor.registry.servicePort" . }}
- name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }}
port: {{ template "harbor.registryctl.servicePort" . }}
{{- if .Values.metrics.enabled}}
- name: {{ template "harbor.metricsPortName" . }}
port: {{ .Values.metrics.registry.port }}
{{- end }}
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: registry


@@ -0,0 +1,15 @@
{{- if and .Values.internalTLS.enabled }}
{{- if eq .Values.internalTLS.certSource "manual" }}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }}
tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }}
{{- end }}
{{- end }}
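Review bot: `{{- if and .Values.internalTLS.enabled }}` calls `and` with a single operand, which reads like a condition that lost its second half. The nested `if` on `certSource` can be folded into it as `{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}` with a single `{{- end }}`, the same form the Deployment uses for its `checksum/tls` annotation. A header comment would also help the next reader, e.g. `{{/* Rendered only for certSource "manual"; the private key is taken from values, so keep that values file out of version control. */}}`.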


@@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "harbor.registryCtl" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
data:
{{- template "harbor.traceEnvsForRegistryCtl" . }}


@@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.registryCtl" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- template "harbor.traceJaegerPassword" . }}