alauda changes

alauda · Sep 12, 2024 · 9e5e583 · 9e5e583
1 parent 119d567
commit 9e5e583
Show file tree

Hide file tree

Showing 21 changed files with 471 additions and 82 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -172,8 +172,13 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
 {{- define "harbor.redis.url" -}}
   {{- with .Values.redis }}
     {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
+    {{- if eq .type "internal" }}
+    {{- $cred := ternary (printf ":%s@" (.internal.password | urlquery)) "" .internal.usePassword }}
+    {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
+    {{- else }}
     {{- $cred := ternary (printf ":%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
     {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
+    {{- end }}
   {{- end }}
 {{- end -}}
 

diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml
@@ -50,7 +50,7 @@ data:
   HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
   NO_PROXY: "{{ template "harbor.noProxy" . }}"
   {{- end }}
-  PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr"
+  PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry"
   {{- if .Values.metrics.enabled}}
   METRIC_ENABLE: "true"
   METRIC_PATH: "{{ .Values.metrics.core.path }}"

diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -42,9 +42,35 @@ spec:
       {{- end }}
       automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }}
       terminationGracePeriodSeconds: 120
+      initContainers:
+      - name: prepare-env-files
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if .Values.core.resources }}
+        resources:
+{{ toYaml .Values.core.resources | indent 12 }}
+{{- end }}
+        command:
+          - sh
+          - -c
+          - |
+            set -e
+            cp -v /etc/core-secret/* /etc/env-files/
+            if [ -d /etc/core-admin-secret ]; then
+              cp -v /etc/core-admin-secret/* /etc/env-files/
+            fi
+        volumeMounts:
+          - mountPath: /etc/env-files
+            name: env-files
+          - mountPath: /etc/core-secret
+            name: core-secret
+{{- if .Values.harborAdminPasswordRef }}
+          - mountPath: /etc/core-admin-secret
+            name: core-admin-secret
+{{- end }}
       containers:
       - name: core
-        image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.core.repository }}:{{ .Values.global.images.core.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.core.startupProbe.enabled }}
         startupProbe:
@@ -73,8 +99,6 @@ spec:
         envFrom:
         - configMapRef:
             name: "{{ template "harbor.core" . }}"
-        - secretRef:
-            name: "{{ template "harbor.core" . }}"
         env:
           - name: CORE_SECRET
             valueFrom:
@@ -113,6 +137,8 @@ spec:
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
         volumeMounts:
+        - name: env-files
+          mountPath: /etc/env-files
         - name: config
           mountPath: /etc/core/app.conf
           subPath: app.conf
@@ -145,6 +171,16 @@ spec:
 {{ toYaml .Values.core.resources | indent 10 }}
 {{- end }}
       volumes:
+      - emptyDir: {}
+        name: env-files
+      - name: core-secret
+        secret:
+          secretName: "{{ template "harbor.core" . }}"
+      {{- if .Values.harborAdminPasswordRef }}
+      - name: core-admin-secret
+        secret:
+          secretName: {{ .Values.harborAdminPasswordRef | quote }}
+      {{- end }}
       - name: config
         configMap:
           name: {{ template "harbor.core" . }}

diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: migration-job
+  name: {{ template "harbor.core" . }}-migration-job
   labels:
 {{ include "harbor.labels" . | indent 4 }}
     component: migrator
@@ -12,6 +12,7 @@ metadata:
     "helm.sh/hook": pre-upgrade
     "helm.sh/hook-weight": "-5"
 spec:
+  ttlSecondsAfterFinished: 300
   template:
     metadata:
       labels:
@@ -32,7 +33,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: core-job
-        image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.core.repository }}:{{ .Values.global.images.core.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         command: ["/harbor/harbor_core", "-mode=migrate"]
         envFrom:

diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -36,7 +36,7 @@ spec:
       automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }}
       containers:
       - name: exporter
-        image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.exporter.repository }}:{{ .Values.global.images.exporter.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         livenessProbe:
           httpGet:
@@ -56,6 +56,10 @@ spec:
             name: "{{ template "harbor.exporter" . }}-env"
         - secretRef:
             name: "{{ template "harbor.exporter" . }}"
+        {{- if .Values.harborAdminPasswordRef }}
+        - secretRef:
+            name: {{ .Values.harborAdminPasswordRef | quote }}
+        {{- end }}
         env:
         {{- if .Values.database.external.existingSecret }}
         - name: HARBOR_DATABASE_PASSWORD

diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml
@@ -7,8 +7,10 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+  {{- if eq .Values.harborAdminPasswordRef "" }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
-{{- if not .Values.database.external.existingSecret }}
+  {{- end }}
+  {{- if not .Values.database.external.existingSecret }}
   HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
-{{- end }}
+  {{- end }}
 {{- end }}
diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml
@@ -44,6 +44,9 @@ metadata:
 {{ toYaml $ingress.harbor.labels | indent 4 }}
 {{- end }}
   annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
 {{ toYaml $ingress.annotations | indent 4 }}
 {{- if .Values.internalTLS.enabled }}
     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml
@@ -1,6 +1,6 @@
 {{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
-{{- $ca := genCA "harbor-ca" 365 }}
-{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }}
+{{- $ca := genCA "harbor-ca" 3650 }}
+{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 3650 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/templates/internal/auto-tls.yaml b/templates/internal/auto-tls.yaml
@@ -1,13 +1,13 @@
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
-{{- $ca := genCA "harbor-internal-ca" 365 }}
+{{- $ca := genCA "harbor-internal-ca" 3650 }}
 {{- $coreCN := (include "harbor.core" .) }}
-{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }}
+{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 3650 $ca }}
 {{- $jsCN := (include "harbor.jobservice" .) }}
-{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }}
+{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 3650 $ca }}
 {{- $regCN := (include "harbor.registry" .) }}
-{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }}
+{{- $regCrt := genSignedCert $regCN nil (list $regCN) 3650 $ca }}
 {{- $portalCN := (include "harbor.portal" .) }}
-{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }}
+{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 3650 $ca }}
 
 ---
 apiVersion: v1
@@ -64,7 +64,7 @@ data:
 {{- if .Values.chartmuseum.enabled }}
 ---
 {{- $chartCN := (include "harbor.chartmuseum" .) }}
-{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }}
+{{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 3650 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -36,6 +36,40 @@ spec:
 {{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
 {{- end }}
     spec:
+      initContainers:
+      - name: prepare-env-files
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if .Values.core.resources }}
+        resources:
+{{ toYaml .Values.core.resources | indent 10 }}
+{{- end }}
+        command:
+          - sh
+          - -c
+          - |
+            set -e
+            cp -v /etc/jobservice-secret/* /etc/env-files/
+        volumeMounts:
+          - mountPath: /etc/env-files
+            name: env-files
+          - mountPath: /etc/jobservice-secret
+            name: jobservice-secret
+      - name: "change-permission"
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if .Values.jobservice.resources }}
+        resources:
+{{ toYaml .Values.jobservice.resources | indent 10 }}
+{{- end }}
+        command: ["/bin/sh"]
+        args: ["-c", "if ! stat -c '%u:%g' /var/log/jobs/ | grep -q '10000:10000'; then chown -R 10000:10000 /var/log/jobs/; fi"]
+        securityContext:
+          runAsUser: 0
+        volumeMounts:
+        - name: job-logs
+          mountPath: /var/log/jobs
+          subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
@@ -50,7 +84,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: jobservice
-        image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.jobservice.repository }}:{{ .Values.global.images.jobservice.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         livenessProbe:
           httpGet:
@@ -96,11 +130,11 @@ spec:
         envFrom:
         - configMapRef:
             name: "{{ template "harbor.jobservice" . }}-env"
-        - secretRef:
-            name: "{{ template "harbor.jobservice" . }}"
         ports:
         - containerPort: {{ template "harbor.jobservice.containerPort" . }}
         volumeMounts:
+        - name: env-files
+          mountPath: /etc/env-files
         - name: jobservice-config
           mountPath: /etc/jobservice/config.yml
           subPath: config.yml
@@ -115,16 +149,27 @@ spec:
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
       volumes:
+      - emptyDir: {}
+        name: env-files
+      - name: jobservice-secret
+        secret:
+          secretName: "{{ template "harbor.jobservice" . }}"
       - name: jobservice-config
         configMap:
           name: "{{ template "harbor.jobservice" . }}"
       - name: job-logs
         {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }}
         persistentVolumeClaim:
-          claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }}
+          claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }}
+        {{- else }}
+        {{- if and (.Values.persistence.hostPath.jobservice.host.nodeName) (.Values.persistence.hostPath.jobservice.host.path) }}
+        hostPath:
+          path: {{ .Values.persistence.hostPath.jobservice.host.path }}
+          type: DirectoryOrCreate
         {{- else }}
         emptyDir: {}
         {{- end }}
+        {{- end }}
       {{- if .Values.internalTLS.enabled }}
       - name: jobservice-internal-certs
         secret:
@@ -133,9 +178,16 @@ spec:
       {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
       {{- end }}
+    {{- if .Values.jobservice.nodeSelector }}
     {{- with .Values.jobservice.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- else }}
+    {{- if .Values.persistence.hostPath.jobservice.host.nodeName }}
+      nodeSelector:
+        kubernetes.io/hostname: {{ .Values.persistence.hostPath.jobservice.host.nodeName }}
+    {{- end }}
     {{- end }}
     {{- with .Values.jobservice.affinity }}
       affinity:

diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml
@@ -44,7 +44,7 @@ spec:
       automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }}
       containers:
       - name: nginx
-        image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
+        image: "{{ .Values.global.registry.address }}/{{ .Values.global.images.nginx.repository }}:{{ .Values.global.images.nginx.tag }}"
         imagePullPolicy: "{{ .Values.imagePullPolicy }}"
         {{- $_ := set . "scheme" "HTTP" -}}
         {{- $_ := set . "port" "8080" -}}

diff --git a/templates/nginx/secret.yaml b/templates/nginx/secret.yaml
@@ -1,5 +1,5 @@
 {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
-{{- $ca := genCA "harbor-ca" 365 }}
+{{- $ca := genCA "harbor-ca" 3650 }}
 {{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }}
 apiVersion: v1
 kind: Secret
@@ -10,12 +10,12 @@ metadata:
 type: Opaque
 data:
   {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
-  {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
+  {{- $cert := genSignedCert $cn (list $cn) nil 3650 $ca }}
   tls.crt: {{ $cert.Cert | b64enc | quote }}
   tls.key: {{ $cert.Key | b64enc | quote }}
   ca.crt: {{ $ca.Cert | b64enc | quote }}
   {{- else }}
-  {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
+  {{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca }}
   tls.crt: {{ $cert.Cert | b64enc | quote }}
   tls.key: {{ $cert.Key | b64enc | quote }}
   ca.crt: {{ $ca.Cert | b64enc | quote }}

diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml
@@ -4,7 +4,7 @@ kind: Service
 metadata:
 {{- if eq .Values.expose.type "clusterIP" }}
 {{- $clusterIP := .Values.expose.clusterIP }}
-  name: {{ $clusterIP.name }}
+  name: {{ template "harbor.fullname" .}}-{{ $clusterIP.name }}
   labels:
 {{ include "harbor.labels" . | indent 4 }}
 {{- with $clusterIP.annotations }}
@@ -29,7 +29,7 @@ spec:
     {{- end }}
 {{- else if eq .Values.expose.type "nodePort" }}
 {{- $nodePort := .Values.expose.nodePort }}
-  name: {{ $nodePort.name }}
+  name: {{ template "harbor.fullname" .}}-{{ $nodePort.name }}
   labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
@@ -59,7 +59,7 @@ spec:
     {{- end }}
 {{- else if eq .Values.expose.type "loadBalancer" }}
 {{- $loadBalancer := .Values.expose.loadBalancer }}
-  name: {{ $loadBalancer.name }}
+  name: {{ template "harbor.fullname" .}}-{{ $loadBalancer.name }}
   labels:
 {{ include "harbor.labels" . | indent 4 }}
 {{- with $loadBalancer.annotations }}

diff --git a/templates/notary/notary-secret.yaml b/templates/notary/notary-secret.yaml
@@ -9,8 +9,8 @@ metadata:
 type: Opaque
 data:
   {{- if not .Values.notary.secretName }}
-  {{- $ca := genCA "harbor-notary-ca" 365 }}
-  {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil (list (include "harbor.notary-signer" .)) 365 $ca }}
+  {{- $ca := genCA "harbor-notary-ca" 3650 }}
+  {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil (list (include "harbor.notary-signer" .)) 3650 $ca }}
   ca.crt: {{ $ca.Cert | b64enc | quote }}
   tls.crt: {{ $cert.Cert | b64enc | quote }}
   tls.key: {{ $cert.Key | b64enc | quote }}