harbor.gotmpl
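{{- /*
  Values for the "harbor" task job, rendered to YAML after template expansion.
  The job configures OIDC in Harbor and creates one project per team.

  Notes in this preamble are template comments on purpose: every action here
  trims surrounding whitespace, so a YAML "#" comment would be glued onto the
  first rendered line.
*/ -}}
{{- $v := .Environment.Values }}
{{- $c := $v.charts }}
{{- $o := $v.oidc }}
{{- $h := $c | get "harbor" dict }}
{{- $k := $c | get "keycloak" dict }}
{{- /* Namespace the init script reads the harbor-<domain> secret from. */ -}}
{{- $ns := $v.otomi.hasCloudLB | ternary "ingress" "istio-system" }}
{{- /*
  True only when the cert-manager stage is "staging". It sets OIDC_VERIFY_CERT
  to 'false' and adds an extra CA file to the task script, so it must never be
  true for an environment that serves real users.
*/ -}}
{{- $skipVerify := eq ($v.charts | get "cert-manager.stage") "staging" }}
{{- /* Keycloak is assumed enabled unless set otherwise; harbor is opt-in. */ -}}
{{- $hasKeycloak := $k | get "enabled" true }}
{{- $realm := $k | get "realm" "master" }}
{{- $keycloakIssuer := printf "https://keycloak.%s/realms/%s" $v.cluster.domain $realm }}
{{- $hasHarbor := $h | get "enabled" false -}}
{{- /* Build the "team-<name>" list from the keys of teamConfig.teams. */ -}}
{{- $teams := keys $v.teamConfig.teams }}
{{- $teamNames := list -}}
{{- range $teams -}}
{{- $teamNames = print "team-" . | append $teamNames -}}
{{- end -}}
tasks:
  harbor:
    type: job
    enabled: {{ $hasHarbor }}
    description: Configure OIDC as a primary auhentication method and populate teams to harbor projects
    init:
      image:
        repository: {{ $c | get "jobs.harbor.init.image.repository" "otomi/tools" }}
        # Quoted so a version such as 1.10 is not re-typed as a float by YAML.
        tag: {{ $c | get "jobs.harbor.init.image.tag" $v.toolsVersion | quote }}
        pullPolicy: {{ $c | get "jobs.harbor.init.image.pullPolicy" "IfNotPresent" }}
      # move secret for harbor to use
      # The whole secret is copied from the source namespace into "harbor", so
      # the job needs read access to that one secret there and write access to
      # secrets in "harbor"; keep its Role scoped to exactly that.
      # NOTE(review): --export was deprecated and later removed from kubectl.
      # Confirm the tools image still accepts it; without it the manifest keeps
      # its source namespace and the apply into "harbor" is rejected.
      script: kubectl -n {{ $ns }} get secret harbor-{{ $v.cluster.domain | replace "." "-" }} -o yaml --export | kubectl -n harbor apply -f -
    image:
      repository: {{ $c | get "jobs.harbor.image.repository" "otomi/tasks" }}
      # NOTE(review): a mutable tag with pullPolicy IfNotPresent means nodes can
      # run different image contents under the same tag; consider pinning by
      # digest for a job that handles admin credentials.
      tag: {{ $c | get "jobs.harbor.image.tag" "v0.2.1" | quote }}
      pullPolicy: {{ $c | get "jobs.harbor.image.pullPolicy" "IfNotPresent" }}
    secret:
      # All values below are quoted so that a credential that is all digits, or
      # contains YAML indicators (leading *, &, !, an embedded ": " or " #"),
      # stays the exact string that was configured.
      # NOTE(review): when charts.harbor.adminPassword is unset this falls back
      # to a fixed password that is readable in the repository. Require an
      # explicit value wherever harbor is enabled and rotate any install that
      # was created with the fallback.
      HARBOR_PASSWORD: {{ $h | get "adminPassword" "bladibla" | quote }}
      HARBOR_USER: admin
      OIDC_CLIENT_ID: {{ $o.clientID | quote }}
      OIDC_CLIENT_SECRET: {{ $o.clientSecret | quote }}
    env:
      # NOTE(review): plain http to the in-cluster core service; the admin
      # credentials above travel over this connection. Confirm the path is
      # covered by mesh mTLS or move to https.
      HARBOR_BASE_URL: "http://harbor-harbor-core.harbor/api/v2.0"
      TEAM_NAMES: '{{ $teamNames | toJson }}'
      # Keycloak issuer when keycloak is enabled, else the configured issuer.
      OIDC_ENDPOINT: '{{ $hasKeycloak | ternary $keycloakIssuer $o.issuer }}'
      OIDC_GROUPS_CLAIM: 'groups'
      OIDC_NAME: 'keycloak'
      OIDC_SCOPE: 'openid'
      # 'false' only when the cert-manager stage is "staging"; with verification
      # off the OIDC endpoint identity is not checked.
      OIDC_VERIFY_CERT: '{{ not $skipVerify }}'
    # In staging the task trusts /fakeroot.pem as an extra CA for the Node
    # process. NOTE(review): presumably the staging issuer root baked into the
    # tasks image; confirm it is never present in a production build.
    script: {{ if $skipVerify }}export NODE_EXTRA_CA_CERTS=/fakeroot.pem && {{ end }}npm run tasks:harbor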