DEP: Deploy harbor instance

charts/dev/harbor/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: harbor
+version: 1.0.0
+# http://goharbor.io/harbor-helm
+# https://github.com/goharbor/harbor-helm/
+dependencies:
+  - name: harbor
+    version: 1.14.0
+    repository: http://goharbor.io/harbor-helm

charts/dev/harbor/values.yaml

@@ -0,0 +1,87 @@
+harbor:
+  externalURL: "https://harbor.example.com"
+  expose:
+    type: ingress
+    tls:
+      enabled: true
+      certSource: auto
+      auto:
+        commonName: "harbor"
+      secret:
+        secretName: "selfsigned"
+        #secretName: "letsencrypt-prod"
+    ingress:
+      hosts:
+        core: "harbor.example.com"
+      controller: default
+      ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
+      kubeVersionOverride: ""
+      className: "nginx"
+      annotations:
+        # note different ingress controllers may require a different ssl-redirect annotation
+        # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below
+        ingress.kubernetes.io/ssl-redirect: "true"
+        ingress.kubernetes.io/proxy-body-size: "0"
+        nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/proxy-body-size: "0"
+        # Please change cluster issue to prod when you are happy 
+        cert-manager.io/cluster-issuer: "selfsigned"
+        #cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      # ingress-specific labels
+      labels: {}
+  database:
+    type: external
+    external:
+      host: "dbspg03.fds.rl.ac.uk"
+      port: "5432"
+      coreDatabase: "cloud_harbor_registry_dev"
+      username: "cloud_harbor_registry_dev_user"
+      # if using existing secret, the key must be "password"
+      password: "changeit"
+      # "disable" - No SSL
+      # "require" - Always SSL (skip verification)
+      # "verify-ca" - Always SSL (verify that the certificate presented by the
+      # server was signed by a trusted CA)
+      # "verify-full" - Always SSL (verify that the certification presented by the
+      # server was signed by a trusted CA and the server host name matches the one
+      # in the certificate)
+      sslmode: "disable"
+    # The maximum number of connections in the idle connection pool per pod (core+exporter).
+    # If it <=0, no idle connections are retained.
+    maxIdleConns: 100
+    # The maximum number of open connections to the database per pod (core+exporter).
+    # If it <= 0, then there is no limit on the number of open connections.
+    # Note: the default number of connections is 1024 for postgre of harbor.
+    maxOpenConns: 900
+    ## Additional deployment annotations
+    podAnnotations: {}
+    ## Additional deployment labels
+    podLabels: {}
+  jobservice:
+    replicas: 2
+    jobLoggers: 
+      - database
+  registry:
+    replicas: 2
+  trivy:
+    replicas: 2
+  exporter:
+    replicas: 2
+  portal:
+    replicas: 2
+  core:
+    replicas: 2
+  persistence:
+    enabled: false
+    resourcePolicy: ""
+    imageChartStorage:
+      disableredirect: false
+      type: s3
+      s3:
+        bucket: harbor-bucket
+        accesskey: awsaccesskey
+        secretkey: awssecretkey
+        regionendpoint: s3.echo.stfc.ac.uk
+        encrypt: true
+        secure: true
+        skipverify: true

clusters/dev/worker/apps.yaml

@@ -65,6 +65,12 @@ spec:
             valuesFile: ../../../clusters/dev/worker/opensearch-values.yaml
             secretsFile: ../../../secrets/dev/worker/apps/opensearch.yaml
 
+          - name: harbor
+            chartName: harbor
+            namespace: harbor
+            valuesFile: ../../../clusters/dev/worker/harbor-values.yaml
+            secretsFile: ../../../secrets/dev/worker/apps/harbor.yaml
+
   syncPolicy:
     # Don't remove everything if we remove the appset
     preserveResourcesOnDeletion: true

clusters/dev/worker/harbor-values.yaml

@@ -0,0 +1,5 @@
+harbor:
+  externalURL: "https://harbor.staging-worker.nubes.stfc.ac.uk"
+  ingress:
+  hosts:
+    core: "harbor.staging-worker.nubes.stfc.ac.uk"

secrets/dev/worker/apps/harbor.yaml

@@ -0,0 +1,90 @@
+harbor:
+    database:
+        password: ENC[AES256_GCM,data:626o2Ea7Z+PC,iv:oXsMlICRBtIsgZxIk5cOymYKz4oKovkkUn47QcahFwg=,tag:f3Get4kBPuGax3aFm7joGQ==,type:str]
+    s3:
+        bucket: ENC[AES256_GCM,data:bfFNXme8wY+mnw==,iv:+RzVLT1CLq0NCwcF1wa3N8qthE8HOltbhR387bYMaWo=,tag:YoBdqI1NQWzGDjdaMYLwuQ==,type:str]
+        accesskey: ENC[AES256_GCM,data:xumLSkEIhZkkyPlt,iv:Lo+3vW5EhacFWumBz2yf33wzbgIyzBPn3U3aglqyK2E=,tag:MEx50+nJ4q0sOkEakyUKsQ==,type:str]
+        secretkey: ENC[AES256_GCM,data:QMUJ7OHBycLNqETH,iv:i2I7xq6yEtYdlDa5aGcNXDVRg7eI8lgDiaAxlqnOYh8=,tag:iNcetZmX8kRhhF6jr97bWA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1x0t4j6qxqy42usha0u658r4f5p5d48y8knfuchyu2sc2rywtacgsryp0t6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRE5RRytINmFxR1doY1VH
+            djVaSkhmR0V5aGROV3VxNkVOMWRHNDhjK2dnCm43V2o0VGRYL2hORGNVdCtDUG5O
+            eWhNVU8vL1d1N3AvRzVHYzBqSHlodFkKLS0tIGtPM3BLSTBPeWcyeCt3K3gxaHdC
+            SDZoMGQxM0VYbTNQWlVhUmo0T0J3RWsK3X3IW81Hzws+O762BpD3FIWFtTV+on4J
+            5XjrQh+QZRG3ZULeSe0wHrdyVY96jPdMICTXHuQIwoihpMhVpyGczg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1acqcungzwkt807d3jt94ngtdt0vhk9kec4ps4a22cpaah57jw4xsl7q4xc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxRi9uS2krZmt2QzZtdnBu
+            VXgrbDFxZkYweEV3UEQ0Qk4vYzlvam5FV1JVClB5eVUzbzFlUmlkR09GekFnUm1s
+            VzZ5NkYyNmRRVTFLUVFYcmdUd3BLS0UKLS0tIEJwRjVnUDFnNExKVGlhWGt5ajcr
+            eFJXTzVLV3h6a2dnS3QzNUYwYjkvMncKFAizgC/aC7I1xSMDAqJoj+Y5oAhaAH8Z
+            0Z78yXQmXic6FSWQLJcNdQqucPmOEXi1w4d9un6DXPUEk6tczGIe3g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1h3dmygqf4v6jg3nxk5sr9jkp27w3q83sqnqxdd5n92xf3w6fs5kshakrxn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cmJmUEs0cjlwc0RZUTNt
+            WEFzenFqSlIyK1lnZlpqK0ZKWDJRSTJDMUhRCkxZNHdzRzRJZnJaTEpCOWxpRERo
+            OGFrc3B6L0lGbjNiZVR4VzN2TUhLOVkKLS0tIEgwVXhaYzFoWEVSV3FHZFFlWmtR
+            VC9lcGUrbkFFaXZHazIyU2RicFBVSUEK0nYs2zgVICksi25aY0t/kobByn9MVm0P
+            fcGaH4Y6YkswE1G8MI7dB0D8211qL8wWQDKsbT34+L2+XZyfUQSifQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12khufkd7z25eqgpjjyy0zcrq6kpjxzekmff5zhq7q54tajm4e58qul35x0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdmY4RFFvR3NIbnkzOGpU
+            anpQM0s5cXB1KytYSnM2Z2pHQnpXT0tXcEZjClBrcnpnTjhLTDM0UWhoWFpBSzZj
+            OWVFbXhtK2swTDNUN253dlFjWmdQOE0KLS0tIDNwV2RoRngxUHp1Wmh2cGp0S3NK
+            eXNtTXJZM3Z4SXNWakx6WTB3bUVpWUkK620OfCLW631iP2+D/whzRjjdckjLVIg8
+            LfRk/0u+jjku84kHkMm39RwYjUFZnnPnB1aL4nQaJ4EG8YBrn2vKxQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16fufeddr0arrns268526gxethxgkh3g0euf8cn37kuwfmq3h23psutz4q8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTd291L2FnOUZYOGx6YnV4
+            SUw5enN0MXFHcDBWT09DQUtSYjZwQlJ2ZlRjCkZ4a0ZicFpiSzM2dmc4MFhZRHFK
+            d1ZLWGQ3RlF5SFUwd2wwaGFhdCthTmcKLS0tIGd6akVXenZrWmxETWFrN3YxWjdF
+            d2F2djkvY3hPYVhicWt5M2RjQnpDL3cKPyC/B/Z6XSbECRlF7E3jGLxQ+9xYeY8z
+            R7LGLsj71qQpjLPPVruo0xPLdtQBrkhgI7Vs7NA/s9Jz4fCitBSAdQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a8e4gxw67kp27s3hssfxyem3e8jwaha3huz0sttfngeu60pk5pxqkfpg3d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEczZZcXAxNlI4SFgvWlZI
+            UlpKRmtrZndzUW5DRWRwdkFwalNkNmxvaXc4CjV2MEltUXpwTmxCSmxVVEJsOFNp
+            b21pZ1ZBM0NEcEdocVZzRG43VXFqWlkKLS0tIEp1dUFKQVVadzdhWS9UaDZ4ODNh
+            SE1BUExlWThtS0E5ZXJMcWJaVkgrMlEK+UNDNwhmMjEi4eMIf+cCUFA+elfeZdJd
+            ppKO8llO5T1OC1BFmLVzKVQW8yGfXz904oL9HJZbw7Ob/wIeUEvQZA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1drky6caal0j2x58yzpw9tyflcpdpmcjqy8nss7zfvspszg0xfpdsyzu8s4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTks5QThwamJSM2ZyNFpX
+            MVhEOVFDM1kxVGJ6MCtKZk5PeitraW5UaDBzCjU3YS9HVzVJRWxIRWZ1WlQ3dWhF
+            ZmFqZldsc1MyWjBIR0cvL1VNdkI2SVkKLS0tIHNyZlpzeVRkQWlTV2JjN0Rvcldt
+            RUo2czlaRXg4NzFCbEtON0tIUDBNUVUKh4ZzcCE0kbFYu2wHeFBN8wYP3P0j5nks
+            XkhHIyaOTOsb80O5YLt9p9qO9I99d09v0POl2TxoRGDDsTel+hqpvg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m57vjw60dpr02ghka8kh2xlqsa0ggxauau2y488zdh89vu760qgqh8lcge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTWFLS0k5eC9weHZNQ2Fx
+            c3BrdVM2TmZ5V1JaOUdYZGFWYnFNWXREMkNvCmhnYmJsYzBjVlhrNGFlOFNMT2g4
+            UHFYMkRBV0VIdmVPT2pyd3JxU3YwTlkKLS0tIG1CUjdtMTUxTUlJTUxpZHE3eDBo
+            bHdoV0l3ZFpJaERaUUozS1hKdmxrdTgKqv5ZyOHNf+46hN+SVPB1Ip2Dl/bCZkiA
+            29Tqnas+vAUy+uGHIChQXCiR4xDzGicEuuGADsykxu8xGZdn9fwRpA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-16T10:20:49Z"
+    mac: ENC[AES256_GCM,data:0p2aEVYsUptWMbM9vGcfgXaILzi/QAFJOR0u/yulzPbwjWzIZ4nYv2gJ+Z+67KabCsftGt0ySfPiZX1v9QCRc1QCWTHvykGfZJ6r5zu8zMnwRa8NkOHivJLm1Yq2wKY8rCvtH81PeNGHllgHFnveyu02pII1BHQ1ZB0O9KTQyp0=,iv:pt7cebk8wToeuMopghgsv5Hsk3nkLctGaq7UN2/xiG4=,tag:ljmGEROO/DVZ5rsKbTMzrQ==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1