Commit 7e3b437e by gitlawr Committed by Craig Jellick

Add global registry support

Add globalRegistryMode to enable deploying Harbor as a global registry in Rancher. It uses the same domain as the Rancher server in ingress rules, and uses the same tls-rancher-ingress secret for TLS.
parent e51158a9
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.
{{- if .Values.globalRegistryMode -}}
Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.
{{- else -}}
Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}/registry.
{{- end -}}
For more details, please visit https://github.com/goharbor/harbor.
\ No newline at end of file
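Review bot: The two branches of the new `if .Values.globalRegistryMode` block look swapped. Elsewhere in this commit the global-registry setup serves the portal under `/registry/` (the proxy's `location /registry/` and the `/registry/service/token` realm), yet the global branch prints the bare `{{ .Values.externalURL }}` and the `else` branch prints `{{ .Values.externalURL }}/registry`. Exchanging the two message lines would make the notes match what is deployed. The `{{- … -}}` markers also trim the newlines on both sides, so the rendered sentences are likely to run together; `{{- if .Values.globalRegistryMode }}` with only a left trim keeps each sentence on its own line.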
......@@ -31,7 +31,9 @@ app: "{{ template "harbor.name" . }}"
{{- end -}}
{{- define "harbor.autoGenCert" -}}
{{- if and .Values.expose.tls.enabled (not .Values.expose.tls.secretName) -}}
{{- if .Values.globalRegistryMode -}}
{{- printf "false" -}}
{{- else if and .Values.expose.tls.enabled (not .Values.expose.tls.secretName) -}}
{{- printf "true" -}}
{{- else -}}
{{- printf "false" -}}
......@@ -266,6 +268,10 @@ host:port,pool_size,password
{{- printf "%s-notary-signer" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.proxy" -}}
{{- printf "%s-proxy" (include "harbor.fullname" .) -}}
{{- end -}}
{{- define "harbor.nginx" -}}
{{- printf "%s-nginx" (include "harbor.fullname" .) -}}
{{- end -}}
......@@ -296,3 +302,11 @@ when the type is "clusterIP" or "nodePort" and "secretName" is null
{{- $trimURL := (include "harbor.externalURL" .) | trimPrefix "https://" | trimPrefix "http://" -}}
{{ regexReplaceAll ":.*$" $trimURL "${1}" }}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
......@@ -27,7 +27,7 @@ spec:
spec:
containers:
- name: adminserver
image: {{ .Values.adminserver.image.repository }}:{{ .Values.adminserver.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.adminserver.image.repository }}:{{ .Values.adminserver.image.tag }}
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
livenessProbe:
httpGet:
......@@ -80,6 +80,7 @@ spec:
path: key
{{- with .Values.adminserver.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.adminserver.affinity }}
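Review bot: The added `beta.kubernetes.io/os: linux` line sits inside `{{- with .Values.adminserver.nodeSelector }}`, so it is rendered only when the user supplies a nodeSelector. With an empty map the pod gets no OS constraint at all; the new `proxy` values in this commit default to `nodeSelector: {}`, and the other components presumably do too. If a user does supply the same key, the rendered mapping will contain it twice. Emitting `nodeSelector:` and the fixed label unconditionally, and keeping only `{{ toYaml . | indent 8 }}` inside the `with`, avoids both cases. The same pattern is repeated in the chartmuseum, clair, core, database, jobservice, nginx, notary-server, notary-signer, portal, proxy, redis and registry hunks.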
......
......@@ -27,7 +27,7 @@ spec:
spec:
containers:
- name: chartmuseum
image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
......@@ -85,6 +85,7 @@ spec:
{{- end }}
{{- with .Values.chartmuseum.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.chartmuseum.affinity }}
......
......@@ -25,7 +25,7 @@ spec:
spec:
containers:
- name: clair
image: {{ .Values.clair.image.repository }}:{{ .Values.clair.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.clair.image.repository }}:{{ .Values.clair.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
......@@ -70,6 +70,7 @@ spec:
path: config.yaml
{{- with .Values.clair.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.clair.affinity }}
......
......@@ -26,7 +26,7 @@ spec:
spec:
containers:
- name: core
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
......@@ -98,7 +98,12 @@ spec:
{{- end }}
- name: ca-download
secret:
{{- if eq (include "harbor.autoGenCert" .) "true" }}
{{- if .Values.globalRegistryMode }}
secretName: "tls-rancher"
items:
- key: tls.crt
path: ca.crt
{{- else if eq (include "harbor.autoGenCert" .) "true" }}
secretName: {{ template "harbor.ingress.core" . }}
items:
- key: ca.crt
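Review bot: In the new `globalRegistryMode` branch the `ca-download` volume reads a secret named `tls-rancher`, while the ingress template in this commit and the commit message both use `tls-rancher-ingress`. Either one name is a typo or these are two distinct secrets, and nothing here says which. Secret volumes are resolved in the pod's own namespace and are not optional by default, so the core pod will not start if that secret is missing from the release namespace. Mapping `tls.crt` to `ca.crt` also publishes the serving certificate as if it were a CA bundle, which is only a usable trust anchor when that file carries the issuing chain. I would add a comment above `secretName: "tls-rancher"` stating where the secret comes from and what `tls.crt` is expected to contain. The volume definition continues past the end of this hunk.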
......@@ -113,6 +118,7 @@ spec:
emptyDir: {}
{{- with .Values.core.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.core.affinity }}
......
......@@ -27,7 +27,7 @@ spec:
spec:
initContainers:
- name: "remove-lost-found"
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
volumeMounts:
......@@ -35,7 +35,7 @@ spec:
mountPath: /var/lib/postgresql/data
containers:
- name: database
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
exec:
......@@ -72,6 +72,7 @@ spec:
{{- end -}}
{{- with .Values.database.internal.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.database.internal.affinity }}
......
......@@ -13,12 +13,33 @@ spec:
tls:
- hosts:
- {{ $ingress.host }}
{{- if $tls.secretName }}
{{- if .Values.globalRegistryMode }}
secretName: "tls-rancher-ingress"
{{- else if $tls.secretName }}
secretName: {{ $tls.secretName }}
{{- else }}
secretName: "{{ template "harbor.ingress.core" . }}"
{{- end }}
{{- if eq .Values.expose.ingress.controller "gce" }}
{{- if .Values.globalRegistryMode }}
rules:
- http:
paths:
- path: /v2/
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /api/projects
backend:
serviceName: {{ template "harbor.core" . }}
servicePort: 80
- path: /registry/
backend:
serviceName: {{ template "harbor.proxy" . }}
servicePort: 80
{{- if $ingress.host }}
host: {{ $ingress.host }}
{{- end }}
{{- else if eq .Values.expose.ingress.controller "gce" }}
rules:
- http:
paths:
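Review bot: With `globalRegistryMode` set, `secretName: "tls-rancher-ingress"` is hard-coded and is tested before `$tls.secretName`, so a secret name supplied by the user is silently ignored. Ingress TLS secrets are looked up in the Ingress's own namespace, so this mode needs a copy of the Rancher certificate and private key in the Harbor release namespace. That should be documented, because anyone who can read secrets there then holds the key for the Rancher hostname. The new rule also emits `host:` only when `$ingress.host` is non-empty; without it `/v2/`, `/api/projects` and `/registry/` match every hostname served by the controller, so I would require the host in this mode. The non-global `rules:` block continues outside the visible hunk.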
......
{{- if not .Values.globalRegistryMode }}
{{- if .Values.notary.enabled }}
{{- if eq .Values.expose.type "ingress" }}
{{- $ingress := .Values.expose.ingress -}}
......@@ -30,4 +31,5 @@ spec:
host: {{ $ingress.host }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
{{- end }}
{{- end }}
\ No newline at end of file
......@@ -26,7 +26,7 @@ spec:
spec:
containers:
- name: jobservice
image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
......@@ -83,6 +83,7 @@ spec:
{{- end }}
{{- with .Values.jobservice.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.jobservice.affinity }}
......
......@@ -28,7 +28,7 @@ spec:
spec:
containers:
- name: nginx
image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
livenessProbe:
httpGet:
......@@ -68,6 +68,7 @@ spec:
{{- end }}
{{- with .Values.nginx.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.nginx.affinity }}
......
......@@ -43,7 +43,11 @@ data:
"auth": {
"type": "token",
"options": {
{{- if .Values.globalRegistryMode }}
"realm": "{{ template "harbor.externalURL" . }}/registry/service/token",
{{- else }}
"realm": "{{ template "harbor.externalURL" . }}/service/token",
{{- end }}
"service": "harbor-notary",
"issuer": "harbor-token-issuer",
"rootcertbundle": "/root.crt"
......
......@@ -26,7 +26,7 @@ spec:
spec:
containers:
- name: notary-server
image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.notary.server.resources }}
resources:
......@@ -66,6 +66,7 @@ spec:
{{- end }}
{{- with .Values.notary.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.affinity }}
......
......@@ -22,7 +22,7 @@ spec:
spec:
containers:
- name: notary-signer
image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.notary.signer.resources }}
resources:
......@@ -60,6 +60,7 @@ spec:
{{- end }}
{{- with .Values.notary.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.notary.affinity }}
......
......@@ -23,7 +23,7 @@ spec:
spec:
containers:
- name: portal
image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.portal.resources }}
resources:
......@@ -45,6 +45,7 @@ spec:
- containerPort: 80
{{- with .Values.portal.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.portal.affinity }}
......
{{ if .Values.globalRegistryMode }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "harbor.proxy" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: proxy
data:
default.conf: |
server {
listen 80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location = /registry {
return 302 /registry/;
}
location /registry/service/ {
proxy_pass http://{{ template "harbor.core" . }}/service/;
}
location /registry/api/ {
proxy_pass http://{{ template "harbor.core" . }}/api/;
}
{{ if .Values.chartmuseum.enabled }}
location /registry/chartrepo/ {
proxy_pass http://{{ template "harbor.core" . }}/chartrepo/;
}
{{ end }}
location /registry/c/ {
proxy_pass http://{{ template "harbor.core" . }}/c/;
}
{{ if .Values.notary.enabled }}
location /registry/notary/ {
proxy_pass http://{{ template "harbor.notary-server" . }}:4443/;
}
{{ end }}
location /registry/ {
proxy_pass http://{{ template "harbor.portal" . }}/;
include filters.conf;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
filters.conf: |
sub_filter_types application/javascript;
sub_filter 'src="main' 'src="/registry/main';
sub_filter 'src="runtime' 'src="/registry/runtime';
sub_filter 'src="scripts' 'src="/registry/scripts';
sub_filter '"/c/login"' '"/registry/c/login"';
sub_filter '"/c/log_out"' '"/registry/c/log_out"';
sub_filter '"/c/userExists"' '"/registry/c/userExists"';
sub_filter '"/c/reset"' '"/registry/c/reset"';
sub_filter '"/c/sendEmail' '"/registry/c/sendEmail';
sub_filter '"/c/oidc_login"' '"/registry/c/oidc_login"';
sub_filter '"/api/' '"/registry/api/';
sub_filter '"/service/' '"/registry/service/';
sub_filter '"/chartrepo/' '"/registry/chartrepo/';
sub_filter '<base href="/">' '<base href="/registry">';
sub_filter 'href="favicon.ico' 'href="/registry/favicon.ico';
sub_filter 'href="styles' 'href="/registry/styles';
sub_filter '"images/harbor-logo.svg"' '"/registry/images/harbor-logo.svg"';
sub_filter '"/images/helm-gray.svg"' '"/registry/images/helm-gray.svg"';
sub_filter '"images/harbor-black-logo.png' '"/registry/images/harbor-black-logo.png';
#sub_filter '"static/images' '"registry/static/images';
sub_filter '"../../../images' '"/registry/images';
sub_filter '"/swagger.json"' '"/registry/swagger.json"';
sub_filter '"i18n/lang/"' '"/registry/i18n/lang/"';
sub_filter '"/language' '"/registry/language';
sub_filter 'http.get("setting.json"' 'http.get("/registry/setting.json"';
sub_filter_once off;
proxy_set_header Accept-Encoding "";
{{ end }}
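Review bot: None of the `proxy_pass` locations in `default.conf` forwards the original request context or narrows cookie scope, although per the commit message Harbor now shares a hostname with the Rancher server. Cookies that Harbor core sets for path `/` (not visible here, so to be confirmed) would be sent by the browser to every Rancher endpoint on that host as well; `proxy_cookie_path / /registry/;` in the proxied locations keeps them under the Harbor prefix. Adding `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` lets core build redirects and token URLs against the external name rather than the in-cluster service name. A short comment above `filters.conf` would also help, explaining that the `sub_filter` list has to track the portal's asset names, since a portal upgrade that renames a bundle will silently break the rewrite.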
{{ if .Values.globalRegistryMode }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ template "harbor.proxy" . }}
labels:
{{ include "harbor.labels" . | indent 4 }}
component: proxy
spec:
replicas: 1
selector:
matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
component: proxy
template:
metadata:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: proxy
spec:
containers:
- name: nginx
image: {{ template "system_default_registry" . }}{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
imagePullPolicy: {{ .Values.proxy.image.pullPolicy }}
resources:
{{ toYaml .Values.proxy.resources | indent 10 }}
ports:
- containerPort: 80
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx/conf.d
readOnly: true
- mountPath: /etc/nginx/filters.conf
name: filter-config
subPath: filters.conf
readOnly: true
volumes:
- name: nginx-config
configMap:
name: "{{ template "harbor.proxy" . }}"
items:
- key: default.conf
path: default.conf
- name: filter-config
configMap:
name: "{{ template "harbor.proxy" . }}"
items:
- key: filters.conf
path: filters.conf
{{- with .Values.proxy.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.proxy.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.proxy.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{ end }}
\ No newline at end of file
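Review bot: The new proxy container declares neither a probe nor a `securityContext`, even though in global-registry mode every portal, API and token request passes through it. A readiness probe against `/` on port 80 (which `default.conf` serves from the static root) keeps the Service from routing to a pod whose config failed to load, and `allowPrivilegeEscalation: false` is a low-cost restriction for the stock nginx image. Separately, `apiVersion: extensions/v1beta1` is the deprecated group for Deployments; if the rest of the chart still uses it this is consistent, but it is worth tracking.

```yaml
        ports:
        - containerPort: 80
        readinessProbe:
          httpGet:
            path: /
            port: 80
        securityContext:
          allowPrivilegeEscalation: false
        # … unchanged: volumeMounts, volumes, nodeSelector/affinity/tolerations …
```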
{{ if .Values.globalRegistryMode }}
apiVersion: v1
kind: Service
metadata:
name: "{{ template "harbor.proxy" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
spec:
ports:
- port: 80
selector:
{{ include "harbor.matchLabels" . | indent 4 }}
component: proxy
{{ end }}
\ No newline at end of file
......@@ -26,7 +26,7 @@ spec:
spec:
containers:
- name: redis
image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
tcpSocket:
......@@ -58,6 +58,7 @@ spec:
{{- end -}}
{{- with .Values.redis.internal.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.redis.internal.affinity }}
......
......@@ -47,8 +47,8 @@ data:
{{- if $storage.s3.encrypt }}
encrypt: {{ $storage.s3.encrypt }}
{{- end }}
{{- if $storage.s3.secure }}
secure: {{ $storage.s3.secure }}
{{- if $storage.s3.insecure }}
secure: false
{{- end }}
{{- if $storage.s3.v4auth }}
v4auth: {{ $storage.s3.v4auth }}
......@@ -120,8 +120,8 @@ data:
{{- if $storage.oss.encrypt }}
encrypt: {{ $storage.oss.encrypt }}
{{- end }}
{{- if $storage.oss.secure }}
secure: {{ $storage.oss.secure }}
{{- if $storage.oss.insecure }}
secure: false
{{- end }}
{{- if $storage.oss.chunksize }}
chunksize: {{ $storage.oss.chunksize }}
......@@ -152,7 +152,11 @@ data:
auth:
token:
issuer: harbor-token-issuer
{{- if .Values.globalRegistryMode }}
realm: "{{ template "harbor.externalURL" . }}/registry/service/token"
{{- else }}
realm: "{{ template "harbor.externalURL" . }}/service/token"
{{- end }}
rootcertbundle: /etc/registry/root.crt
service: harbor-registry
validation:
......
......@@ -27,7 +27,7 @@ spec:
spec:
containers:
- name: registry
image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
......@@ -68,7 +68,7 @@ spec:
subPath: gcs-key.json
{{- end }}
- name: registryctl
image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
image: {{ template "system_default_registry" . }}{{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
......@@ -141,6 +141,7 @@ spec:
{{- end }}
{{- with .Values.registry.nodeSelector }}
nodeSelector:
beta.kubernetes.io/os: linux
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.registry.affinity }}
......
......@@ -67,6 +67,9 @@ expose:
# If Harbor is deployed behind the proxy, set it as the URL of proxy
externalURL: https://harbor.local
# Use the Harbor instance as the global registry in Rancher
globalRegistryMode: true
# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamicly.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
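Review bot: `globalRegistryMode: true` is set as the chart default, which switches every install to the Rancher-specific path. As the other templates in this commit show, `harbor.autoGenCert` then returns `false`, the ingress uses the fixed `tls-rancher-ingress` secret, core mounts `tls-rancher`, and the notary ingress is not rendered. An install without those secrets in the release namespace would come up without working TLS or with a pod stuck on the missing volume. Defaulting to `globalRegistryMode: false` and listing the prerequisites in the comment above it (which secrets must exist and in which namespace) makes this an explicit opt-in.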
......@@ -159,7 +162,7 @@ imageChartStorage:
#regionendpoint: http://myobjects.local
#encrypt: false
#keyid: mykeyid
#secure: true
#insecure: false
#v4auth: true
#chunksize: "5242880"
#rootdirectory: /s3/object/name/prefix
......@@ -192,7 +195,7 @@ imageChartStorage:
#endpoint: endpoint
#internal: false
#encrypt: false
#secure: true
#insecure: false
#chunksize: 10M
#rootdirectory: rootdirectory
......@@ -204,6 +207,23 @@ harborAdminPassword: "Harbor12345"
# The secret key used for encryption. Must be a string of 16 chars.
secretKey: "not-a-secure-key"
# nginx proxy adapter for global registry, it is used when globalRegistryMode is true.
proxy:
image:
repository: library/nginx
tag: 1.14.2
pullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
# limits:
# cpu: 50m
# memory: 64Mi
nodeSelector: {}
tolerations: []
affinity: {}
# If expose the service via "ingress", the Nginx will not be used
nginx:
image:
......@@ -488,4 +508,7 @@ redis:
chartmuseumDatabaseIndex: "3"
password: ""
## Additional deployment annotations
podAnnotations: {}
\ No newline at end of file
podAnnotations: {}
global:
systemDefaultRegistry: ""
\ No newline at end of file