diff --git a/charts/dev/harbor/Chart.yaml b/charts/dev/harbor/Chart.yaml
new file mode 100644
index 00000000..2f2b25c5
--- /dev/null
+++ b/charts/dev/harbor/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: harbor
+version: 1.0.0
+# http://goharbor.io/harbor-helm
+# https://github.com/goharbor/harbor-helm/
+dependencies:
+ - name: harbor
+ version: 1.14.0
+ repository: http://goharbor.io/harbor-helm
diff --git a/charts/dev/harbor/values.yaml b/charts/dev/harbor/values.yaml
new file mode 100644
index 00000000..544ea5ce
--- /dev/null
+++ b/charts/dev/harbor/values.yaml
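Review bot: The `repository:` entry under `dependencies` in Chart.yaml fetches the harbor chart over plain `http://`, so the chart index and archive can be altered in transit before they are rendered into the cluster. Point it at the project's TLS endpoint instead, `repository: https://helm.goharbor.io`. Committing the `Chart.lock` written by `helm dependency update` would also record the resolved dependency version alongside the chart.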
@@ -0,0 +1,87 @@
+harbor:
+ externalURL: "https://harbor.example.com"
+ expose:
+ type: ingress
+ tls:
+ enabled: true
+ certSource: auto
+ auto:
+ commonName: "harbor"
+ secret:
+ secretName: "selfsigned"
+ #secretName: "letsencrypt-prod"
+ ingress:
+ hosts:
+ core: "harbor.example.com"
+ controller: default
+ ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
+ kubeVersionOverride: ""
+ className: "nginx"
+ annotations:
+ # note different ingress controllers may require a different ssl-redirect annotation
+ # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below
+ ingress.kubernetes.io/ssl-redirect: "true"
+ ingress.kubernetes.io/proxy-body-size: "0"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ # Please change cluster issue to prod when you are happy
+ cert-manager.io/cluster-issuer: "selfsigned"
+ #cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ # ingress-specific labels
+ labels: {}
+ database:
+ type: external
+ external:
+ host: "dbspg03.fds.rl.ac.uk"
+ port: "5432"
+ coreDatabase: "cloud_harbor_registry_dev"
+ username: "cloud_harbor_registry_dev_user"
+ # if using existing secret, the key must be "password"
+ password: "changeit"
+ # "disable" - No SSL
+ # "require" - Always SSL (skip verification)
+ # "verify-ca" - Always SSL (verify that the certificate presented by the
+ # server was signed by a trusted CA)
+ # "verify-full" - Always SSL (verify that the certification presented by the
+ # server was signed by a trusted CA and the server host name matches the one
+ # in the certificate)
+ sslmode: "disable"
+ # The maximum number of connections in the idle connection pool per pod (core+exporter).
+ # If it <=0, no idle connections are retained.
+ maxIdleConns: 100
+ # The maximum number of open connections to the database per pod (core+exporter).
+ # If it <= 0, then there is no limit on the number of open connections.
+ # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + jobservice: + replicas: 2 + jobLoggers: + - database + registry: + replicas: 2 + trivy: + replicas: 2 + exporter: + replicas: 2 + portal: + replicas: 2 + core: + replicas: 2 + persistence: + enabled: false + resourcePolicy: "" + imageChartStorage: + disableredirect: false + type: s3 + s3: + bucket: harbor-bucket + accesskey: awsaccesskey + secretkey: awssecretkey + regionendpoint: s3.echo.stfc.ac.uk + encrypt: true + secure: true + skipverify: true \ No newline at end of file diff --git a/clusters/dev/worker/apps.yaml b/clusters/dev/worker/apps.yaml index 8cbbb641..a0d2a822 100644 --- a/clusters/dev/worker/apps.yaml +++ b/clusters/dev/worker/apps.yaml @@ -65,6 +65,12 @@ spec: valuesFile: ../../../clusters/dev/worker/opensearch-values.yaml secretsFile: ../../../secrets/dev/worker/apps/opensearch.yaml + - name: harbor + chartName: harbor + namespace: harbor + valuesFile: ../../../clusters/dev/worker/harbor-values.yaml + secretsFile: ../../../secrets/dev/worker/apps/harbor.yaml + syncPolicy: # Don't remove everything if we remove the appset preserveResourcesOnDeletion: true diff --git a/clusters/dev/worker/harbor-values.yaml b/clusters/dev/worker/harbor-values.yaml new file mode 100644 index 00000000..439ecbd7 --- /dev/null +++ b/clusters/dev/worker/harbor-values.yaml @@ -0,0 +1,5 @@ +harbor: + externalURL: "https://harbor.staging-worker.nubes.stfc.ac.uk" + ingress: + hosts: + core: "harbor.staging-worker.nubes.stfc.ac.uk" \ No newline at end of file diff --git a/secrets/dev/worker/apps/harbor.yaml b/secrets/dev/worker/apps/harbor.yaml new file mode 100644 index 00000000..e70da83b --- /dev/null +++ b/secrets/dev/worker/apps/harbor.yaml 
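Review bot: `sslmode: "disable"` in charts/dev/harbor/values.yaml sends the Harbor database password and all registry metadata to the external PostgreSQL host `dbspg03.fds.rl.ac.uk` unencrypted. `skipverify: true` at the end of the `s3` block turns off certificate verification for the object store even though `secure: true` is set. The comment block above `sslmode` already lists the stronger modes; prefer `sslmode: "verify-full"` (or at least `"verify-ca"`) and `skipverify: false`, supplying the internal CA if these endpoints use one. The literal defaults `password: "changeit"`, `accesskey: awsaccesskey` and `secretkey: awssecretkey` are acceptable only if the encrypted secrets file overrides exactly those keys, which is worth confirming in the rendered manifests.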
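Review bot: The host override in clusters/dev/worker/harbor-values.yaml is written as `harbor.ingress.hosts.core` with no `expose:` level. The chart defaults added in this commit list `ingress` after `expose:`, and the upstream Harbor chart reads `expose.ingress.hosts.core`; indentation is lost in this view, so confirm against the file. If the paths do differ, the ingress keeps `harbor.example.com` while `externalURL` advertises `harbor.staging-worker.nubes.stfc.ac.uk`, so the TLS certificate and redirects will not match the URL clients use. Nest the override as `expose:` → `ingress:` → `hosts:` → `core: "harbor.staging-worker.nubes.stfc.ac.uk"`.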
@@ -0,0 +1,90 @@ +harbor: + database: + password: ENC[AES256_GCM,data:626o2Ea7Z+PC,iv:oXsMlICRBtIsgZxIk5cOymYKz4oKovkkUn47QcahFwg=,tag:f3Get4kBPuGax3aFm7joGQ==,type:str] + s3: + bucket: ENC[AES256_GCM,data:bfFNXme8wY+mnw==,iv:+RzVLT1CLq0NCwcF1wa3N8qthE8HOltbhR387bYMaWo=,tag:YoBdqI1NQWzGDjdaMYLwuQ==,type:str] + accesskey: ENC[AES256_GCM,data:xumLSkEIhZkkyPlt,iv:Lo+3vW5EhacFWumBz2yf33wzbgIyzBPn3U3aglqyK2E=,tag:MEx50+nJ4q0sOkEakyUKsQ==,type:str] + secretkey: ENC[AES256_GCM,data:QMUJ7OHBycLNqETH,iv:i2I7xq6yEtYdlDa5aGcNXDVRg7eI8lgDiaAxlqnOYh8=,tag:iNcetZmX8kRhhF6jr97bWA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1x0t4j6qxqy42usha0u658r4f5p5d48y8knfuchyu2sc2rywtacgsryp0t6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRE5RRytINmFxR1doY1VH + djVaSkhmR0V5aGROV3VxNkVOMWRHNDhjK2dnCm43V2o0VGRYL2hORGNVdCtDUG5O + eWhNVU8vL1d1N3AvRzVHYzBqSHlodFkKLS0tIGtPM3BLSTBPeWcyeCt3K3gxaHdC + SDZoMGQxM0VYbTNQWlVhUmo0T0J3RWsK3X3IW81Hzws+O762BpD3FIWFtTV+on4J + 5XjrQh+QZRG3ZULeSe0wHrdyVY96jPdMICTXHuQIwoihpMhVpyGczg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1acqcungzwkt807d3jt94ngtdt0vhk9kec4ps4a22cpaah57jw4xsl7q4xc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxRi9uS2krZmt2QzZtdnBu + VXgrbDFxZkYweEV3UEQ0Qk4vYzlvam5FV1JVClB5eVUzbzFlUmlkR09GekFnUm1s + VzZ5NkYyNmRRVTFLUVFYcmdUd3BLS0UKLS0tIEJwRjVnUDFnNExKVGlhWGt5ajcr + eFJXTzVLV3h6a2dnS3QzNUYwYjkvMncKFAizgC/aC7I1xSMDAqJoj+Y5oAhaAH8Z + 0Z78yXQmXic6FSWQLJcNdQqucPmOEXi1w4d9un6DXPUEk6tczGIe3g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1h3dmygqf4v6jg3nxk5sr9jkp27w3q83sqnqxdd5n92xf3w6fs5kshakrxn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cmJmUEs0cjlwc0RZUTNt + WEFzenFqSlIyK1lnZlpqK0ZKWDJRSTJDMUhRCkxZNHdzRzRJZnJaTEpCOWxpRERo + OGFrc3B6L0lGbjNiZVR4VzN2TUhLOVkKLS0tIEgwVXhaYzFoWEVSV3FHZFFlWmtR + 
VC9lcGUrbkFFaXZHazIyU2RicFBVSUEK0nYs2zgVICksi25aY0t/kobByn9MVm0P + fcGaH4Y6YkswE1G8MI7dB0D8211qL8wWQDKsbT34+L2+XZyfUQSifQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age12khufkd7z25eqgpjjyy0zcrq6kpjxzekmff5zhq7q54tajm4e58qul35x0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdmY4RFFvR3NIbnkzOGpU + anpQM0s5cXB1KytYSnM2Z2pHQnpXT0tXcEZjClBrcnpnTjhLTDM0UWhoWFpBSzZj + OWVFbXhtK2swTDNUN253dlFjWmdQOE0KLS0tIDNwV2RoRngxUHp1Wmh2cGp0S3NK + eXNtTXJZM3Z4SXNWakx6WTB3bUVpWUkK620OfCLW631iP2+D/whzRjjdckjLVIg8 + LfRk/0u+jjku84kHkMm39RwYjUFZnnPnB1aL4nQaJ4EG8YBrn2vKxQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age16fufeddr0arrns268526gxethxgkh3g0euf8cn37kuwfmq3h23psutz4q8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTd291L2FnOUZYOGx6YnV4 + SUw5enN0MXFHcDBWT09DQUtSYjZwQlJ2ZlRjCkZ4a0ZicFpiSzM2dmc4MFhZRHFK + d1ZLWGQ3RlF5SFUwd2wwaGFhdCthTmcKLS0tIGd6akVXenZrWmxETWFrN3YxWjdF + d2F2djkvY3hPYVhicWt5M2RjQnpDL3cKPyC/B/Z6XSbECRlF7E3jGLxQ+9xYeY8z + R7LGLsj71qQpjLPPVruo0xPLdtQBrkhgI7Vs7NA/s9Jz4fCitBSAdQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a8e4gxw67kp27s3hssfxyem3e8jwaha3huz0sttfngeu60pk5pxqkfpg3d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEczZZcXAxNlI4SFgvWlZI + UlpKRmtrZndzUW5DRWRwdkFwalNkNmxvaXc4CjV2MEltUXpwTmxCSmxVVEJsOFNp + b21pZ1ZBM0NEcEdocVZzRG43VXFqWlkKLS0tIEp1dUFKQVVadzdhWS9UaDZ4ODNh + SE1BUExlWThtS0E5ZXJMcWJaVkgrMlEK+UNDNwhmMjEi4eMIf+cCUFA+elfeZdJd + ppKO8llO5T1OC1BFmLVzKVQW8yGfXz904oL9HJZbw7Ob/wIeUEvQZA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1drky6caal0j2x58yzpw9tyflcpdpmcjqy8nss7zfvspszg0xfpdsyzu8s4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTks5QThwamJSM2ZyNFpX + MVhEOVFDM1kxVGJ6MCtKZk5PeitraW5UaDBzCjU3YS9HVzVJRWxIRWZ1WlQ3dWhF + ZmFqZldsc1MyWjBIR0cvL1VNdkI2SVkKLS0tIHNyZlpzeVRkQWlTV2JjN0Rvcldt + 
RUo2czlaRXg4NzFCbEtON0tIUDBNUVUKh4ZzcCE0kbFYu2wHeFBN8wYP3P0j5nks + XkhHIyaOTOsb80O5YLt9p9qO9I99d09v0POl2TxoRGDDsTel+hqpvg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m57vjw60dpr02ghka8kh2xlqsa0ggxauau2y488zdh89vu760qgqh8lcge + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTWFLS0k5eC9weHZNQ2Fx + c3BrdVM2TmZ5V1JaOUdYZGFWYnFNWXREMkNvCmhnYmJsYzBjVlhrNGFlOFNMT2g4 + UHFYMkRBV0VIdmVPT2pyd3JxU3YwTlkKLS0tIG1CUjdtMTUxTUlJTUxpZHE3eDBo + bHdoV0l3ZFpJaERaUUozS1hKdmxrdTgKqv5ZyOHNf+46hN+SVPB1Ip2Dl/bCZkiA + 29Tqnas+vAUy+uGHIChQXCiR4xDzGicEuuGADsykxu8xGZdn9fwRpA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-16T10:20:49Z" + mac: ENC[AES256_GCM,data:0p2aEVYsUptWMbM9vGcfgXaILzi/QAFJOR0u/yulzPbwjWzIZ4nYv2gJ+Z+67KabCsftGt0ySfPiZX1v9QCRc1QCWTHvykGfZJ6r5zu8zMnwRa8NkOHivJLm1Yq2wKY8rCvtH81PeNGHllgHFnveyu02pII1BHQ1ZB0O9KTQyp0=,iv:pt7cebk8wToeuMopghgsv5Hsk3nkLctGaq7UN2/xiG4=,tag:ljmGEROO/DVZ5rsKbTMzrQ==,type:str] + pgp: [] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.8.1
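Review bot: The encrypted values in secrets/dev/worker/apps/harbor.yaml sit under `harbor.database.password` and `harbor.s3.*`, with no `external:` or `persistence`/`imageChartStorage` levels. The chart defaults in this commit define the password after `database.external` and, as far as the flattened view shows, the S3 keys under `persistence.imageChartStorage.s3`. If the paths really differ, Helm merges these as unrelated keys and the release keeps `password: "changeit"` and the `awsaccesskey`/`awssecretkey` placeholders. Move the encrypted keys to the same nesting as the defaults and check the rendered Secret before the application is synced.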