alauda · airycanon · Sep 12, 2024 · Sep 13, 2024 · Sep 13, 2024 · Sep 13, 2024
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -59,7 +59,7 @@ jobs:
             kubectl -n default logs -l "component=$name" --all-containers > /tmp/harbor/$name.log ; \
           done
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: harbor_${{ matrix.k8s_version }}_${{ runner.os }}
@@ -71,7 +71,7 @@ jobs:
           mkdir -p /tmp/logs
           kind export logs --name kind-cluster-${{ matrix.k8s_version }} /tmp/logs
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: kind_v${{ matrix.k8s_version }}

diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Helm Chart for Harbor
+# Helm Chart for Harbor DEF
 
 **Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment.
 

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -190,7 +190,13 @@ app: "{{ template "harbor.name" . }}"
 {{- define "harbor.redis.url" -}}
   {{- with .Values.redis }}
     {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
-    {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}}
+    {{- if eq .type "internal" }}
+    {{- $cred := ternary (printf ":%s@" (.internal.password | urlquery)) "" .internal.usePassword }}
+    {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
+    {{- else }}
+    {{- $cred := ternary (printf ":%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
+    {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
+    {{- end }}
   {{- end }}
 {{- end -}}
 

diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml
@@ -40,7 +40,7 @@ data:
   {{- end }}
   {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }}
   _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}"
-  {{- end }}  
+  {{- end }}
   PORTAL_URL: "{{ template "harbor.portalURL" . }}"
   REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
   REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
@@ -84,7 +84,7 @@ data:
   CACHE_ENABLED: "true"
   CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}"
   {{- end }}
-  
+
   {{- if .Values.core.quotaUpdateProvider }}
   QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}"
   {{- end }}
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -63,7 +63,7 @@ spec:
       {{- end }}
       containers:
       - name: core
-        image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
+        image: {{ .Values.global.dockerMirror.address }}/{{ .Values.global.images.core.repository }}:{{ .Values.global.images.core.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.core.startupProbe.enabled }}
         startupProbe:
@@ -156,6 +156,8 @@ spec:
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
         volumeMounts:
+        - name: env-files
+          mountPath: /etc/env-files
         - name: config
           mountPath: /etc/core/app.conf
           subPath: app.conf
@@ -188,6 +190,16 @@ spec:
 {{ toYaml .Values.core.resources | indent 10 }}
 {{- end }}
       volumes:
+      - emptyDir: {}
+        name: env-files
+      - name: core-secret
+        secret:
+          secretName: "{{ template "harbor.core" . }}"
+      {{- if .Values.harborAdminPasswordRef }}
+      - name: core-admin-secret
+        secret:
+          secretName: {{ .Values.harborAdminPasswordRef | quote }}
+      {{- end }}
       - name: config
         configMap:
           name: {{ template "harbor.core" . }}

diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: migration-job
+  name: {{ template "harbor.core" . }}-migration-job
   labels:
 {{ include "harbor.labels" . | indent 4 }}
     component: migrator
@@ -12,6 +12,7 @@ metadata:
     "helm.sh/hook": pre-upgrade
     "helm.sh/hook-weight": "-5"
 spec:
+  ttlSecondsAfterFinished: 300
   template:
     metadata:
       labels:
@@ -32,7 +33,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: core-job
-        image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
+        image: {{ .Values.global.dockerMirror.address }}/{{ .Values.global.images.core.repository }}:{{ .Values.global.images.core.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         command: ["/harbor/harbor_core", "-mode=migrate"]
         envFrom:

diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -58,7 +58,7 @@ spec:
 {{- end }}
       containers:
       - name: exporter
-        image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
+        image: {{ .Values.global.dockerMirror.address }}/{{ .Values.global.images.exporter.repository }}:{{ .Values.global.images.exporter.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         livenessProbe:
           httpGet:

diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml
@@ -41,6 +41,9 @@ metadata:
 {{ toYaml $ingress.labels | indent 4 }}
 {{- end }}
   annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
 {{ toYaml $ingress.annotations | indent 4 }}
 {{- if .Values.internalTLS.enabled }}
     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml
@@ -1,6 +1,6 @@
 {{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
-{{- $ca := genCA "harbor-ca" 365 }}
-{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }}
+{{- $ca := genCA "harbor-ca" 3650 }}
+{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 3650 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/templates/internal/auto-tls.yaml b/templates/internal/auto-tls.yaml
@@ -1,13 +1,13 @@
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
-{{- $ca := genCA "harbor-internal-ca" 365 }}
+{{- $ca := genCA "harbor-internal-ca" 3650 }}
 {{- $coreCN := (include "harbor.core" .) }}
-{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }}
+{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 3650 $ca }}
 {{- $jsCN := (include "harbor.jobservice" .) }}
-{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }}
+{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 3650 $ca }}
 {{- $regCN := (include "harbor.registry" .) }}
-{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }}
+{{- $regCrt := genSignedCert $regCN nil (list $regCN) 3650 $ca }}
 {{- $portalCN := (include "harbor.portal" .) }}
-{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }}
+{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 3650 $ca }}
 
 ---
 apiVersion: v1

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -41,6 +41,40 @@ spec:
 {{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
 {{- end }}
     spec:
+      initContainers:
+      - name: prepare-env-files
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if .Values.core.resources }}
+        resources:
+{{ toYaml .Values.core.resources | indent 10 }}
+{{- end }}
+        command:
+          - sh
+          - -c
+          - |
+            set -e
+            cp -v /etc/jobservice-secret/* /etc/env-files/
+        volumeMounts:
+          - mountPath: /etc/env-files
+            name: env-files
+          - mountPath: /etc/jobservice-secret
+            name: jobservice-secret
+      - name: "change-permission"
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if .Values.jobservice.resources }}
+        resources:
+{{ toYaml .Values.jobservice.resources | indent 10 }}
+{{- end }}
+        command: ["/bin/sh"]
+        args: ["-c", "if ! stat -c '%u:%g' /var/log/jobs/ | grep -q '10000:10000'; then chown -R 10000:10000 /var/log/jobs/; fi"]
+        securityContext:
+          runAsUser: 0
+        volumeMounts:
+        - name: job-logs
+          mountPath: /var/log/jobs
+          subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
@@ -69,7 +103,7 @@ spec:
       {{- end }}
       containers:
       - name: jobservice
-        image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
+        image: {{ .Values.global.dockerMirror.address }}/{{ .Values.global.images.jobservice.repository }}:{{ .Values.global.images.jobservice.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         livenessProbe:
           httpGet:
@@ -133,6 +167,8 @@ spec:
         ports:
         - containerPort: {{ template "harbor.jobservice.containerPort" . }}
         volumeMounts:
+        - name: env-files
+          mountPath: /etc/env-files
         - name: jobservice-config
           mountPath: /etc/jobservice/config.yml
           subPath: config.yml
@@ -147,16 +183,27 @@ spec:
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
       volumes:
+      - emptyDir: {}
+        name: env-files
+      - name: jobservice-secret
+        secret:
+          secretName: "{{ template "harbor.jobservice" . }}"
       - name: jobservice-config
         configMap:
           name: "{{ template "harbor.jobservice" . }}"
       - name: job-logs
         {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }}
         persistentVolumeClaim:
-          claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }}
+          claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }}
+        {{- else }}
+        {{- if and (.Values.persistence.hostPath.jobservice.host.nodeName) (.Values.persistence.hostPath.jobservice.host.path) }}
+        hostPath:
+          path: {{ .Values.persistence.hostPath.jobservice.host.path }}
+          type: DirectoryOrCreate
         {{- else }}
         emptyDir: {}
         {{- end }}
+        {{- end }}
       {{- if .Values.internalTLS.enabled }}
       - name: jobservice-internal-certs
         secret:
@@ -165,9 +212,16 @@ spec:
       {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
       {{- end }}
+    {{- if .Values.jobservice.nodeSelector }}
     {{- with .Values.jobservice.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- else }}
+    {{- if .Values.persistence.hostPath.jobservice.host.nodeName }}
+      nodeSelector:
+        kubernetes.io/hostname: {{ .Values.persistence.hostPath.jobservice.host.nodeName }}
+    {{- end }}
     {{- end }}
     {{- with .Values.jobservice.affinity }}
       affinity:

diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml
@@ -59,7 +59,7 @@ spec:
 {{- end }}
       containers:
       - name: nginx
-        image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
+        image: "{{ .Values.global.dockerMirror.address }}/{{ .Values.global.images.nginx.repository }}:{{ .Values.global.images.nginx.tag }}"
         imagePullPolicy: "{{ .Values.imagePullPolicy }}"
         {{- $_ := set . "scheme" "HTTP" -}}
         {{- $_ := set . "port" "8080" -}}

diff --git a/templates/nginx/secret.yaml b/templates/nginx/secret.yaml
@@ -1,5 +1,5 @@
 {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
-{{- $ca := genCA "harbor-ca" 365 }}
+{{- $ca := genCA "harbor-ca" 3650 }}
 {{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }}
 apiVersion: v1
 kind: Secret
@@ -10,12 +10,12 @@ metadata:
 type: Opaque
 data:
   {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
-  {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
+  {{- $cert := genSignedCert $cn (list $cn) nil 3650 $ca }}
   tls.crt: {{ $cert.Cert | b64enc | quote }}
   tls.key: {{ $cert.Key | b64enc | quote }}
   ca.crt: {{ $ca.Cert | b64enc | quote }}
   {{- else }}
-  {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
+  {{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca }}
   tls.crt: {{ $cert.Cert | b64enc | quote }}
   tls.key: {{ $cert.Key | b64enc | quote }}
   ca.crt: {{ $ca.Cert | b64enc | quote }}

diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml
@@ -4,7 +4,7 @@ kind: Service
 metadata:
 {{- if eq .Values.expose.type "clusterIP" }}
 {{- $clusterIP := .Values.expose.clusterIP }}
-  name: {{ $clusterIP.name }}
+  name: {{ template "harbor.fullname" .}}-{{ $clusterIP.name }}
   labels:
 {{ include "harbor.labels" . | indent 4 }}
 {{- if .Values.expose.clusterIP.labels }}
@@ -30,7 +30,7 @@ spec:
     {{- end }}
 {{- else if eq .Values.expose.type "nodePort" }}
 {{- $nodePort := .Values.expose.nodePort }}
-  name: {{ $nodePort.name }}
+  name: {{ template "harbor.fullname" .}}-{{ $nodePort.name }}
   labels:
 {{ include "harbor.labels" . | indent 4 }}
 {{- if .Values.expose.nodePort.labels }}
@@ -59,7 +59,7 @@ spec:
     {{- end }}
 {{- else if eq .Values.expose.type "loadBalancer" }}
 {{- $loadBalancer := .Values.expose.loadBalancer }}
-  name: {{ $loadBalancer.name }}
+  name: {{ template "harbor.fullname" .}}-{{ $loadBalancer.name }}
   labels:
 {{ include "harbor.labels" . | indent 4 }}
 {{- if .Values.expose.loadBalancer.labels }}

diff --git a/templates/notary/notary-secret.yaml b/templates/notary/notary-secret.yaml
diff --git a/templates/portal/configmap.yaml b/templates/portal/configmap.yaml
@@ -57,6 +57,14 @@ data:
             location /devcenter-api-2.0 {
                 try_files $uri $uri/ /swagger-ui-index.html;
             }
+            {{- if not .Values.portal.swagger.enabled }}
+            location = /swagger.json {
+                return 404;
+            }
+            location = /swagger.yaml {
+                return 404;
+            }
+            {{- end }}
             location / {
                 try_files $uri $uri/ /index.html;
             }

diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml
@@ -60,7 +60,7 @@ spec:
       {{- end }}
       containers:
       - name: portal
-        image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
+        image: {{ .Values.global.dockerMirror.address }}/{{ .Values.global.images.portal.repository }}:{{ .Values.global.images.portal.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
 {{- if .Values.portal.resources }}
         resources: