Merge pull request #407 from flanksource/moshloop

harbor fixes

manifests/harbor/chartmuseum.yaml

@@ -0,0 +1,164 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "harbor-chartmuseum"
+  namespace: harbor
+  labels:
+    app: "harbor"
+data:
+  PORT: "9443"
+  CACHE: "redis"
+  CACHE_REDIS_ADDR: "harbor-redis:6379"
+  CACHE_REDIS_DB: "3"
+  BASIC_AUTH_USER: "chart_controller"
+  DEPTH: "1"
+  DEBUG: "false"
+  LOG_JSON: "true"
+  DISABLE_METRICS: "false"
+  DISABLE_API: "false"
+  DISABLE_STATEFILES: "false"
+  ALLOW_OVERWRITE: "true"
+  AUTH_ANONYMOUS_GET: "false"
+  TLS_CERT: "/etc/harbor/ssl/chartmuseum.crt"
+  TLS_KEY: "/etc/harbor/ssl/chartmuseum.key"
+  CONTEXT_PATH: ""
+  INDEX_LIMIT: "0"
+  MAX_STORAGE_OBJECTS: "0"
+  MAX_UPLOAD_SIZE: "20971520"
+  CHART_POST_FORM_FIELD_NAME: "chart"
+  PROV_POST_FORM_FIELD_NAME: "prov"
+  {{ if .harbor.chartPVC }}
+  STORAGE: "local"
+  STORAGE_LOCAL_ROOTDIR: "/chart_storage"
+  {{ else }}
+  STORAGE: "amazon"
+  STORAGE_AMAZON_BUCKET: "{{.harbor.bucket}}"
+  STORAGE_AMAZON_REGION: "{{.s3.region}}"
+  STORAGE_AMAZON_ENDPOINT: "{{.s3.endpoint}}"
+  AWS_ACCESS_KEY_ID: "{{.s3.access_key}}"
+  {{ end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "harbor-chartmuseum"
+  namespace: harbor
+  labels:
+    app: "harbor"
+spec:
+  ports:
+    - port: 443
+      targetPort: 9443
+  selector:
+    app: "harbor"
+    component: chartmuseum
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "harbor-chartmuseum"
+  namespace: harbor
+  labels:
+    app: "harbor"
+    component: chartmuseum
+  annotations:
+    reload/all: "true" # restart on cm/secret change
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: "harbor"
+      component: chartmuseum
+  template:
+    metadata:
+      labels:
+        app: "harbor"
+        component: chartmuseum
+    spec:
+      securityContext:
+        fsGroup: 10000
+      containers:
+        - name: chartmuseum
+          {{- if .harbor.version | strings.HasPrefix "v1" }}
+          image: goharbor/chartmuseum-photon:v0.9.0-{{.harbor.version}}
+          {{ else }}
+          image: goharbor/chartmuseum-photon:{{.harbor.version}}
+          {{ end }}
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9443
+              scheme: HTTPS
+            initialDelaySeconds: 300
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 9443
+              scheme: HTTPS
+            initialDelaySeconds: 1
+            periodSeconds: 10
+          envFrom:
+            - configMapRef:
+                name: "harbor-chartmuseum"
+            - secretRef:
+                name: "harbor-chartmuseum"
+          env:
+            - name: INTERNAL_TLS_ENABLED
+              value: "true"
+            - name: INTERNAL_TLS_KEY_PATH
+              value: /etc/harbor/ssl/chartmuseum.key
+            - name: INTERNAL_TLS_CERT_PATH
+              value: /etc/harbor/ssl/chartmuseum.crt
+            - name: INTERNAL_TLS_TRUST_CA_PATH
+              value: /harbor_cust_cert/harbor_internal_ca.crt
+            - name: BASIC_AUTH_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: harbor-core
+                  key: secret
+          ports:
+            - containerPort: 9443
+          volumeMounts:
+            - name: chartmuseum-data
+              mountPath: /chart_storage
+              subPath:
+            - name: chart-internal-certs
+              mountPath: /harbor_cust_cert/harbor_internal_ca.crt
+              subPath: ca.crt
+            - name: chart-internal-certs
+              mountPath: /etc/harbor/ssl/chartmuseum.crt
+              subPath: tls.crt
+            - name: chart-internal-certs
+              mountPath: /etc/harbor/ssl/chartmuseum.key
+              subPath: tls.key
+
+      volumes:
+        - name: chart-internal-certs
+          secret:
+            secretName: chart-internal-certs
+        - name: chartmuseum-data
+          {{ if .harbor.chartPVC }}
+          persistentVolumeClaim:
+            claimName: {{.harbor.chartPVC}}
+          {{ else }}
+          emptyDir: {}
+          {{ end }}
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: "chart-internal-certs"
+  namespace: harbor
+spec:
+  secretName: chart-internal-certs
+  dnsNames:
+    - harbor-chartmuseum
+  issuerRef:
+    name: default-issuer
+    kind: ClusterIssuer

manifests/harbor/clair.yaml

@@ -0,0 +1,117 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "harbor-clair"
+  namespace: harbor
+  labels:
+    app: "harbor"
+spec:
+  ports:
+    - name: adapter
+      port: 8080
+  selector:
+    app: "harbor"
+    component: clair
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: harbor-clair
+  namespace: harbor
+  annotations:
+    reload/all: "true" # restart on cm/secret change
+  labels:
+    app: "harbor"
+    component: clair
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "harbor"
+      component: clair
+  template:
+    metadata:
+      labels:
+        app: "harbor"
+        component: clair
+    spec:
+      securityContext:
+        fsGroup: 10000
+      containers:
+        - name: clair
+          {{- if .harbor.version | strings.HasPrefix "v1" }}
+          image: goharbor/clair-photon:v{{.harbor.clairVersion}}-{{.harbor.version}}
+          {{- else }}
+          image: goharbor/clair-photon:{{.harbor.version}}
+          {{- end }}
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 6061
+            initialDelaySeconds: 300
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 6061
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          args: ["-log-level", "{{.harbor.logLevel}}"]
+          env:
+            - name: HTTP_PROXY
+              value: ""
+            - name: HTTPS_PROXY
+              value: ""
+            - name: NO_PROXY
+              value: "harbor-core,harbor-jobservice,harbor-database,harbor-chartmuseum,harbor-clair,harbor-notary-server,harbor-notary-signer,harbor-registry,harbor-portal,127.0.0.1,localhost,.local,.internal"
+          ports:
+            - containerPort: 6060
+          volumeMounts:
+            - name: config
+              mountPath: /etc/clair/config.yaml
+              subPath: config.yaml
+        - name: adapter
+          {{- if .harbor.version | strings.HasPrefix "v1" }}
+          image: goharbor/clair-adapter-photon:v1.0.1-{{.harbor.version}}
+          {{- else }}
+          image: goharbor/clair-adapter-photon:{{.harbor.version}}
+          {{- end }}
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            httpGet:
+              path: /probe/healthy
+              port: 8080
+            initialDelaySeconds: 300
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /probe/ready
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          env:
+            - name: SCANNER_CLAIR_URL
+              # To avoid a pod cannot reach itself via service IP when the clusters disable hairpin
+              value: "http://127.0.0.1:6060"
+            - name: SCANNER_STORE_REDIS_URL
+              valueFrom:
+                secretKeyRef:
+                  name: harbor-clair
+                  key: redis
+            - name: SCANNER_CLAIR_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: harbor-clair
+                  key: database
+            - name: SCANNER_LOG_LEVEL
+              value: "{{.harbor.logLevel}}"
+          ports:
+            - containerPort: 8080
+      volumes:
+        - name: config
+          secret:
+            secretName: "harbor-clair"
+---