From 2312900e81aac8bddcbec2f970ebdf55f42fff86 Mon Sep 17 00:00:00 2001 
From: gitea-bot Date: Tue, 24 Mar 2026 22:14:40 +0000 Subject: [PATCH] chore: Update manifests after change --- clusters/cl01tl/manifests/harbor/-.yaml | 1 - .../Cluster-harbor-postgresql-18-cluster.yaml | 66 +++++ .../harbor/ConfigMap-harbor-core.yaml | 62 ++++ .../harbor/ConfigMap-harbor-exporter-env.yaml | 40 +++ .../ConfigMap-harbor-jobservice-env.yaml | 32 +++ .../harbor/ConfigMap-harbor-jobservice.yaml | 43 +++ .../harbor/ConfigMap-harbor-portal.yaml | 49 ++++ .../harbor/ConfigMap-harbor-registry.yaml | 73 +++++ .../harbor/ConfigMap-harbor-registryctl.yaml | 16 ++ .../ConfigMap-harbor-valkey-init-scripts.yaml | 87 ++++++ .../harbor/Deployment-harbor-core.yaml | 152 ++++++++++ .../harbor/Deployment-harbor-exporter.yaml | 96 +++++++ .../harbor/Deployment-harbor-jobservice.yaml | 116 ++++++++ .../harbor/Deployment-harbor-portal.yaml | 83 ++++++ .../harbor/Deployment-harbor-registry.yaml | 177 ++++++++++++ ...tgresql-18-backup-garage-local-secret.yaml | 38 +++ ...-harbor-postgresql-18-recovery-secret.yaml | 38 +++ .../harbor/ExternalSecret-harbor-secret.yaml | 98 +++++++ .../harbor/HTTPRoute-harbor-route.yaml | 39 +++ .../manifests/harbor/Job-migration-job.yaml | 68 +++++ ...bor-postgresql-18-backup-garage-local.yaml | 33 +++ ...ctStore-harbor-postgresql-18-recovery.yaml | 32 +++ ...PersistentVolumeClaim-harbor-registry.yaml | 26 ++ .../harbor/PodMonitor-harbor-valkey.yaml | 23 ++ ...Rule-harbor-postgresql-18-alert-rules.yaml | 270 ++++++++++++++++++ .../harbor/PrometheusRule-harbor-valkey.yaml | 47 +++ ...resql-18-scheduled-backup-live-backup.yaml | 24 ++ .../manifests/harbor/Secret-harbor-core.yaml | 17 ++ .../harbor/Secret-harbor-exporter.yaml | 17 ++ .../harbor/Secret-harbor-jobservice.yaml | 17 ++ .../harbor/Secret-harbor-registry.yaml | 18 ++ .../harbor/Secret-harbor-registryctl.yaml | 17 ++ .../manifests/harbor/Secret-harbor-trivy.yaml | 19 ++ .../manifests/harbor/Service-harbor-core.yaml | 26 ++ .../harbor/Service-harbor-exporter.yaml | 23 ++ 
.../harbor/Service-harbor-jobservice.yaml | 26 ++ .../harbor/Service-harbor-portal.yaml | 23 ++ .../harbor/Service-harbor-registry.yaml | 27 ++ .../harbor/Service-harbor-trivy.yaml | 24 ++ .../Service-harbor-valkey-headless.yaml | 23 ++ .../harbor/Service-harbor-valkey-metrics.yaml | 23 ++ .../harbor/Service-harbor-valkey-read.yaml | 21 ++ .../harbor/Service-harbor-valkey.yaml | 22 ++ .../harbor/ServiceAccount-harbor-valkey.yaml | 11 + .../harbor/ServiceMonitor-harbor-valkey.yaml | 24 ++ .../harbor/ServiceMonitor-harbor.yaml | 24 ++ .../harbor/StatefulSet-harbor-trivy.yaml | 167 +++++++++++ .../harbor/StatefulSet-harbor-valkey.yaml | 129 +++++++++ 48 files changed, 2526 insertions(+), 1 deletion(-) delete mode 100644 clusters/cl01tl/manifests/harbor/-.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Cluster-harbor-postgresql-18-cluster.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-core.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-exporter-env.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice-env.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-portal.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registry.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registryctl.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ConfigMap-harbor-valkey-init-scripts.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Deployment-harbor-core.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Deployment-harbor-exporter.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Deployment-harbor-jobservice.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Deployment-harbor-portal.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Deployment-harbor-registry.yaml create mode 100644 
clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-backup-garage-local-secret.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-recovery-secret.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml create mode 100644 clusters/cl01tl/manifests/harbor/HTTPRoute-harbor-route.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Job-migration-job.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-backup-garage-local.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-recovery.yaml create mode 100644 clusters/cl01tl/manifests/harbor/PersistentVolumeClaim-harbor-registry.yaml create mode 100644 clusters/cl01tl/manifests/harbor/PodMonitor-harbor-valkey.yaml create mode 100644 clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-postgresql-18-alert-rules.yaml create mode 100644 clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-valkey.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ScheduledBackup-harbor-postgresql-18-scheduled-backup-live-backup.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Secret-harbor-core.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Secret-harbor-exporter.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Secret-harbor-jobservice.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Secret-harbor-registry.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Secret-harbor-registryctl.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Secret-harbor-trivy.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-core.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-exporter.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-jobservice.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-portal.yaml create mode 100644 
clusters/cl01tl/manifests/harbor/Service-harbor-registry.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-trivy.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-valkey-headless.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-valkey-metrics.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-valkey-read.yaml create mode 100644 clusters/cl01tl/manifests/harbor/Service-harbor-valkey.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ServiceAccount-harbor-valkey.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor-valkey.yaml create mode 100644 clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor.yaml create mode 100644 clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml create mode 100644 clusters/cl01tl/manifests/harbor/StatefulSet-harbor-valkey.yaml diff --git a/clusters/cl01tl/manifests/harbor/-.yaml b/clusters/cl01tl/manifests/harbor/-.yaml deleted file mode 100644 index 8b1378917..000000000 --- a/clusters/cl01tl/manifests/harbor/-.yaml +++ /dev/null @@ -1 +0,0 @@ - diff --git a/clusters/cl01tl/manifests/harbor/Cluster-harbor-postgresql-18-cluster.yaml b/clusters/cl01tl/manifests/harbor/Cluster-harbor-postgresql-18-cluster.yaml new file mode 100644 index 000000000..678beaa3b --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Cluster-harbor-postgresql-18-cluster.yaml 
@@ -0,0 +1,66 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: harbor-postgresql-18-cluster + namespace: harbor + labels: + app.kubernetes.io/name: harbor-postgresql-18-cluster + helm.sh/chart: postgres-18-cluster-7.10.0 + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "7.10.0" + app.kubernetes.io/managed-by: Helm +spec: + instances: 3 + imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie" + imagePullPolicy: IfNotPresent + postgresUID: 26 + postgresGID: 26 + storage: + size: 10Gi + storageClass: local-path + walStorage: + size: 2Gi + storageClass: local-path + resources: + limits: + hugepages-2Mi: 256Mi + requests: + cpu: 100m + memory: 256Mi + affinity: + enablePodAntiAffinity: true + topologyKey: kubernetes.io/hostname + primaryUpdateMethod: switchover + primaryUpdateStrategy: unsupervised + logLevel: info + enableSuperuserAccess: false + enablePDB: true + postgresql: + parameters: + hot_standby_feedback: "on" + max_slot_wal_keep_size: 2000MB + shared_buffers: 128MB + monitoring: + enablePodMonitor: true + disableDefaultQueries: false + plugins: + - name: barman-cloud.cloudnative-pg.io + enabled: true + isWALArchiver: true + parameters: + barmanObjectName: "harbor-postgresql-18-backup-garage-local" + serverName: "harbor-postgresql-18-backup-2" + bootstrap: + recovery: + database: app + source: harbor-postgresql-18-backup-2 + externalClusters: + - name: harbor-postgresql-18-backup-2 + plugin: + name: barman-cloud.cloudnative-pg.io + enabled: true + isWALArchiver: false + parameters: + barmanObjectName: "harbor-postgresql-18-recovery" + serverName: harbor-postgresql-18-backup-2 diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-core.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-core.yaml new file mode 100644 index 000000000..dc4b45ac1 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-core.yaml 
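Review bot: The Postgres image on the `imageName` line is pinned only by tag (`ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie`), while every Harbor image in this commit is pinned by digest, so this is the one image whose content can change under an unchanged reference; pin it as `imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie@sha256:<digest>"` in the values that render this file. Separately, the backup plugin and the recovery `externalClusters` entry both use `serverName: harbor-postgresql-18-backup-2` against two different ObjectStore names; if those object stores resolve to the same bucket and prefix, the restored cluster will archive WAL into the same server path it is recovering from and can overwrite the archive it depends on, which is worth confirming against the two ObjectStore manifests in this commit.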
@@ -0,0 +1,62 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: harbor-core + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +data: + app.conf: | + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = 8080 + PORT: "8080" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "harbor-postgresql-18-cluster-rw" + POSTGRESQL_PORT: "5432" + POSTGRESQL_USERNAME: "app" + POSTGRESQL_DATABASE: "app" + POSTGRESQL_SSLMODE: "disable" + POSTGRESQL_MAX_IDLE_CONNS: "100" + POSTGRESQL_MAX_OPEN_CONNS: "900" + EXT_ENDPOINT: "https://harbor.alexlebens.net" + CORE_URL: "http://harbor-core:80" + JOBSERVICE_URL: "http://harbor-jobservice" + REGISTRY_URL: "http://harbor-registry:5000" + TOKEN_SERVICE_URL: "http://harbor-core:80/service/token" + CORE_LOCAL_URL: "http://127.0.0.1:8080" + WITH_TRIVY: "true" + TRIVY_ADAPTER_URL: "http://harbor-trivy:8080" + REGISTRY_STORAGE_PROVIDER_NAME: "filesystem" + LOG_LEVEL: "info" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "redis://harbor-valkey.harbor:6379/0?idle_timeout_seconds=30" + _REDIS_URL_REG: "redis://harbor-valkey.harbor:6379/2?idle_timeout_seconds=30" + PORTAL_URL: "http://harbor-portal" + REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080" + REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user" + HTTP_PROXY: "" + HTTPS_PROXY: "" + NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,ali-acr,aws-ecr,google-gcr,docker-registry,github-ghcr,jfrog-artifactory" + REPLICATION_ADAPTER_WHITELIST: 
"ali-acr,aws-ecr,azure-acr,docker-hub,docker-registry,github-ghcr,google-gcr,harbor,huawei-SWR,jfrog-artifactory,tencent-tcr,volcengine-cr" + METRIC_ENABLE: "true" + METRIC_PATH: "/metrics" + METRIC_PORT: "8001" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "24" + QUOTA_UPDATE_PROVIDER: "db" diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-exporter-env.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-exporter-env.yaml new file mode 100644 index 000000000..ac517fe5c --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-exporter-env.yaml 
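Review bot: `POSTGRESQL_SSLMODE: "disable"` turns off TLS for the core-to-database connection even though the target is a CloudNativePG `-rw` service, which serves TLS with an operator-managed CA by default; the same setting appears as `HARBOR_DATABASE_SSLMODE: "disable"` in ConfigMap-harbor-exporter-env. Database credentials and all registry metadata then cross the cluster network in clear text, so `POSTGRESQL_SSLMODE: "require"` is a no-cost improvement, and `verify-full` once the cluster CA secret is mounted into the pods. The change belongs in the chart values that render these files rather than in the generated manifest.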
@@ -0,0 +1,40 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "harbor-exporter-env" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +data: + HTTP_PROXY: "" + HTTPS_PROXY: "" + NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" + LOG_LEVEL: "info" + HARBOR_EXPORTER_PORT: "8001" + HARBOR_EXPORTER_METRICS_PATH: "/metrics" + HARBOR_EXPORTER_METRICS_ENABLED: "true" + HARBOR_EXPORTER_CACHE_TIME: "23" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "14400" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "redis://harbor-valkey.harbor:6379/1" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "http" + HARBOR_SERVICE_HOST: "harbor-core" + HARBOR_SERVICE_PORT: "80" + HARBOR_DATABASE_HOST: "harbor-postgresql-18-cluster-rw" + HARBOR_DATABASE_PORT: "5432" + HARBOR_DATABASE_USERNAME: "app" + HARBOR_DATABASE_DBNAME: "app" + HARBOR_DATABASE_SSLMODE: "disable" + HARBOR_DATABASE_MAX_IDLE_CONNS: "100" + HARBOR_DATABASE_MAX_OPEN_CONNS: "900" diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice-env.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice-env.yaml new file mode 100644 index 000000000..a27bff9a3 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice-env.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "harbor-jobservice-env" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +data: + CORE_URL: "http://harbor-core:80" + TOKEN_SERVICE_URL: "http://harbor-core:80/service/token" + REGISTRY_URL: "http://harbor-registry:5000" + REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080" + REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user" + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "3" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "3" + LOG_LEVEL: "info" + HTTP_PROXY: "" + HTTPS_PROXY: "" + NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + _REDIS_URL_CORE: "redis://harbor-valkey.harbor:6379/0?idle_timeout_seconds=30" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "24" diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice.yaml new file mode 100644 index 000000000..fc59f1c67 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-jobservice.yaml 
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "harbor-jobservice" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +data: + config.yml: | + #Server listening port + protocol: "http" + port: 8080 + worker_pool: + workers: 10 + backend: "redis" + redis_pool: + redis_url: "redis://harbor-valkey.harbor:6379/1" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + - name: "STD_OUTPUT" + level: INFO + metric: + enabled: true + path: /metrics + port: 8001 + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: INFO + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-portal.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-portal.yaml new file mode 100644 index 000000000..6ff264164 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-portal.yaml 
@@ -0,0 +1,49 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "harbor-portal" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +data: + nginx.conf: | + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + listen 8080; + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registry.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registry.yaml new file mode 100644 index 000000000..43587f0ea --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registry.yaml 
@@ -0,0 +1,73 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "harbor-registry" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +data: + config.yml: | + version: 0.1 + log: + level: info + fields: + service: registry + storage: + filesystem: + rootdirectory: /storage + cache: + layerinfo: redis + maintenance: + uploadpurging: + enabled: true + age: 72h + interval: 24h + dryrun: false + delete: + enabled: true + redirect: + disable: false + redis: + addr: harbor-valkey.harbor:6379 + db: 2 + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + enableTLS: false + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :5000 + relativeurls: true + # set via environment variable + # secret: placeholder + debug: + addr: :8001 + prometheus: + enabled: true + path: /metrics + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + ctl-config.yml: | + --- + protocol: "http" + port: 8080 + log_level: info + registry_config: "/etc/registry/config.yml" diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registryctl.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registryctl.yaml new file mode 100644 index 000000000..f5538a114 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-registryctl.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "harbor-registryctl" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +data: 
diff --git a/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-valkey-init-scripts.yaml new file mode 100644 index 000000000..bb39d138d --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ConfigMap-harbor-valkey-init-scripts.yaml 
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: harbor-valkey-init-scripts + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." + mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + # Replica mode configuration + log "Configuring replication mode" + + # Use POD_INDEX from Kubernetes metadata + POD_INDEX=${POD_INDEX:-0} + IS_MASTER=false + + # Check if this is pod-0 (master) + if [ "$POD_INDEX" = "0" ]; then + IS_MASTER=true + log "This pod (index $POD_INDEX) is configured as MASTER" + else + log "This pod (index $POD_INDEX) is configured as REPLICA" + fi + + # Configure replica settings + if [ "$IS_MASTER" = "false" ]; then + MASTER_HOST="harbor-valkey-0.harbor-valkey-headless.harbor.svc.cluster.local" + MASTER_PORT="6379" + + log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" + + { + echo "" + echo "# Replica Configuration" + echo "replicaof $MASTER_HOST $MASTER_PORT" + echo "replica-announce-ip harbor-valkey-$POD_INDEX.harbor-valkey-headless.harbor.svc.cluster.local" + } >>"$VALKEY_CONFIG" + fi + + # Append extra configs if present + if [ -f /usr/local/etc/valkey/valkey.conf ]; then + log 
"Appending /usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi diff --git a/clusters/cl01tl/manifests/harbor/Deployment-harbor-core.yaml b/clusters/cl01tl/manifests/harbor/Deployment-harbor-core.yaml new file mode 100644 index 000000000..380c0c051 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Deployment-harbor-core.yaml 
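Review bot: The generated valkey.conf sets `protected-mode no` and `bind * -::*` and never emits `requirepass` or an ACL, and the Harbor side connects with credential-less URLs (`redis://harbor-valkey.harbor:6379/...` in ConfigMap-harbor-core, -jobservice-env and -exporter-env, plus the `redis:` block of ConfigMap-harbor-registry), so the job queue and registry cache accept commands from any pod that can reach the service. Either add `requirepass` through the `/extravalkeyconfigs` hook this script already appends and carry the password in the Harbor URLs, or at minimum scope a NetworkPolicy to the harbor namespace; this commit's file list contains no NetworkPolicy. A smaller logic issue: `rm -f "$LOGFILE"` runs before the `if [ -f "$LOGFILE" ]` restart check, so "Detected restart" can only fire when `KEEP_OLD_LOGS=true`; move `if [ -f "$LOGFILE" ]; then log "Detected restart of this instance ($HOSTNAME)"; fi` above the `KEEP_OLD_LOGS` block.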
@@ -0,0 +1,152 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: harbor-core + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: core + app.kubernetes.io/component: core +spec: + replicas: 2 + revisionHistoryLimit: 10 + selector: + matchLabels: + release: harbor + app: "harbor" + component: core + template: + metadata: + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: core + app.kubernetes.io/component: core + annotations: + checksum/configmap: 641bbb72f9900d6197857c2f9fb6f0bdc95af2a2e3883dfec940c519b299da5d + checksum/secret: 59669814fb7baa809e9428f8ded55a9bf9281f6bfedaa638b53b49cff7b66e22 + checksum/secret-jobservice: f3a0135630d8fa98235c6c6341ee8e42262bad005727f86ce3f0a0679271f1ed + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: false + terminationGracePeriodSeconds: 120 + containers: + - name: core + image: ghcr.io/goharbor/harbor-core:v2.15.0@sha256:32a13f6693a278261e9c9cb7eb606c5e2aa021308ae44fdc73225755048500a8 + imagePullPolicy: IfNotPresent + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: HTTP + port: 8080 + failureThreshold: 360 + initialDelaySeconds: 10 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: HTTP + port: 8080 + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: HTTP + port: 8080 + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "harbor-core" + - secretRef: + name: "harbor-core" + env: + - name: CORE_SECRET + 
valueFrom: + secretKeyRef: + name: harbor-secret + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: harbor-secret + key: JOBSERVICE_SECRET + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: harbor-secret + key: HARBOR_ADMIN_PASSWORD + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: harbor-postgresql-18-cluster-app + key: password + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: harbor-secret + key: REGISTRY_PASSWD + - name: CSRF_KEY + valueFrom: + secretKeyRef: + name: harbor-secret + key: CSRF_KEY + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - containerPort: 8080 + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + - name: psc + mountPath: /etc/core/token + volumes: + - name: config + configMap: + name: harbor-core + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + secretName: harbor-secret + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + secretName: harbor-secret + - name: psc + emptyDir: {} diff --git a/clusters/cl01tl/manifests/harbor/Deployment-harbor-exporter.yaml b/clusters/cl01tl/manifests/harbor/Deployment-harbor-exporter.yaml new file mode 100644 index 000000000..3d5c83e7f --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Deployment-harbor-exporter.yaml 
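Review bot: The pod labels state `app.kubernetes.io/version: "2.14.3"` while the container image is `harbor-core:v2.15.0` (digest-pinned), so anything that inventories or scans by the version label will report the wrong release; the same mismatch is in Deployment-harbor-exporter, -jobservice and -portal, presumably because the image tag is overridden in values without bumping the chart. Also none of the four Harbor containers declare `resources` requests or limits, while the Postgres Cluster in this commit does; without limits a misbehaving core or jobservice pod can starve the node, and without requests the scheduler cannot place them sensibly. Both fixes belong in the chart values rather than in these rendered files.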
@@ -0,0 +1,96 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: harbor-exporter + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: exporter + app.kubernetes.io/component: exporter +spec: + replicas: 2 + revisionHistoryLimit: 10 + selector: + matchLabels: + release: harbor + app: "harbor" + component: exporter + template: + metadata: + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: exporter + app.kubernetes.io/component: exporter + annotations: + checksum/configmap: 5293f455659091cb2f6ed1113095a6dbb04f8364748670cb5d4630ca689d73d8 + checksum/secret: bb03df1fde79526e9aaa86ec987c17ba77e4b5cbeb4ff140100971d53b061347 + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: false + containers: + - name: exporter + image: ghcr.io/goharbor/harbor-exporter:v2.15.0@sha256:ad065e4e1a0ee900a0bb1a03d57028ed4b51dc04933f5c1cb5c4aee301a72ddb + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8001 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: 8001 + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "info"] + envFrom: + - configMapRef: + name: "harbor-exporter-env" + - secretRef: + name: "harbor-exporter" + env: + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: harbor-postgresql-18-cluster-app + key: password + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: harbor-secret + key: HARBOR_ADMIN_PASSWORD + securityContext: + allowPrivilegeEscalation: 
false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - containerPort: 8001 + volumeMounts: + volumes: + - name: config + secret: + secretName: "harbor-exporter" diff --git a/clusters/cl01tl/manifests/harbor/Deployment-harbor-jobservice.yaml b/clusters/cl01tl/manifests/harbor/Deployment-harbor-jobservice.yaml new file mode 100644 index 000000000..476a1a0ef --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Deployment-harbor-jobservice.yaml 
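Review bot: The `volumeMounts:` key is rendered empty while `volumes` still declares a `config` volume backed by the `harbor-exporter` secret, so that secret volume is defined but never mounted; the exporter already receives the same secret through `secretRef`, so the dangling volume can be dropped from the template rather than left as dead config. Also the liveness probe waits `initialDelaySeconds: 300` with no startupProbe, so a crashed exporter is left for five minutes before its first restart; a startupProbe like the one on the core Deployment would be the consistent fix.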
@@ -0,0 +1,116 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "harbor-jobservice" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: jobservice + app.kubernetes.io/component: jobservice +spec: + replicas: 2 + revisionHistoryLimit: 10 + strategy: + type: Recreate + rollingUpdate: null + selector: + matchLabels: + release: harbor + app: "harbor" + component: jobservice + template: + metadata: + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: jobservice + app.kubernetes.io/component: jobservice + annotations: + checksum/configmap: fd35a180d4111bc06151e7a8a1b824387e09f2aae58e69ecea24f8540abaebbd + checksum/configmap-env: e01b3437c4423c0fbcfcb609680c3186f3a09d00297883f6b19f117a44d2a88c + checksum/secret: f3a0135630d8fa98235c6c6341ee8e42262bad005727f86ce3f0a0679271f1ed + checksum/secret-core: 59669814fb7baa809e9428f8ded55a9bf9281f6bfedaa638b53b49cff7b66e22 + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: false + terminationGracePeriodSeconds: 120 + containers: + - name: jobservice + image: ghcr.io/goharbor/harbor-jobservice:v2.15.0@sha256:a22c7cccba4673b26ffb96f5c37971d85d879dd837bc82448e01c0170b68cf28 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: HTTP + port: 8080 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: HTTP + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 10 + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: harbor-secret 
+ key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: harbor-secret + key: JOBSERVICE_SECRET + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: harbor-secret + key: REGISTRY_PASSWD + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + envFrom: + - configMapRef: + name: "harbor-jobservice-env" + - secretRef: + name: "harbor-jobservice" + ports: + - containerPort: 8080 + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: + volumes: + - name: jobservice-config + configMap: + name: "harbor-jobservice" + - name: job-logs + emptyDir: {} diff --git a/clusters/cl01tl/manifests/harbor/Deployment-harbor-portal.yaml b/clusters/cl01tl/manifests/harbor/Deployment-harbor-portal.yaml new file mode 100644 index 000000000..c64e077ed --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Deployment-harbor-portal.yaml 
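Review bot: `strategy.type: Recreate` combined with `replicas: 2` means every rollout of jobservice stops both replicas before starting new ones, so running jobs (replication, GC, scans) are interrupted and the queue is unserved for the restart window. The job-logs volume is an `emptyDir` and ConfigMap-harbor-jobservice configures only the `STD_OUTPUT` logger, so there is no shared read-write-once volume that would force Recreate here; unless something outside this commit relies on it, `RollingUpdate` would keep one replica serving during upgrades.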
@@ -0,0 +1,83 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "harbor-portal" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: portal + app.kubernetes.io/component: portal +spec: + replicas: 2 + revisionHistoryLimit: 10 + selector: + matchLabels: + release: harbor + app: "harbor" + component: portal + template: + metadata: + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: portal + app.kubernetes.io/component: portal + annotations: + checksum/configmap: 67a5d24a4be2482eaeeeb0b460a525257bcc917634227bef22888ba007496c12 + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: false + containers: + - name: portal + image: ghcr.io/goharbor/harbor-portal:v2.15.0@sha256:541d5fa95bf77240d46a438f86245cdfd6afa6dd7fdd0cf4dd4c905af6a980b1 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + livenessProbe: + httpGet: + path: / + scheme: HTTP + port: 8080 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: HTTP + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: 8080 + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + volumes: + - name: portal-config + configMap: + name: "harbor-portal" 
diff --git a/clusters/cl01tl/manifests/harbor/Deployment-harbor-registry.yaml b/clusters/cl01tl/manifests/harbor/Deployment-harbor-registry.yaml
new file mode 100644
index 000000000..8173f7e95
--- /dev/null
+++ b/clusters/cl01tl/manifests/harbor/Deployment-harbor-registry.yaml
@@ -0,0 +1,177 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "harbor-registry" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: registry + app.kubernetes.io/component: registry +spec: + replicas: 1 + revisionHistoryLimit: 10 + strategy: + type: Recreate + rollingUpdate: null + selector: + matchLabels: + release: harbor + app: "harbor" + component: registry + template: + metadata: + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: registry + app.kubernetes.io/component: registry + annotations: + checksum/configmap: 77823f5f18ace686e7928407a3f045ee24ae0a3bd616a88a110e4a504b03f7ca + checksum/secret: 47a7c4b7d3c8e57c96d426d6085e3d3c9dfed0b5590c1c5a46f3ea642e876775 + checksum/secret-jobservice: f3a0135630d8fa98235c6c6341ee8e42262bad005727f86ce3f0a0679271f1ed + checksum/secret-core: 59669814fb7baa809e9428f8ded55a9bf9281f6bfedaa638b53b49cff7b66e22 + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + automountServiceAccountToken: false + terminationGracePeriodSeconds: 120 + containers: + - name: registry + image: goharbor/registry-photon:v2.15.0@sha256:beb49fd16cf0906c04a2bf51a22f7210289e7cc2ae43a733e2a0364380aceae6 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + scheme: HTTP + port: 5000 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: HTTP + port: 5000 + initialDelaySeconds: 1 + periodSeconds: 10 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + 
privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + envFrom: + - secretRef: + name: "harbor-registry" + env: + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: harbor-secret + key: REGISTRY_HTTP_SECRET + ports: + - containerPort: 5000 + - containerPort: 8001 + volumeMounts: + - name: registry-data + mountPath: /storage + subPath: + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registryctl + image: ghcr.io/goharbor/harbor-registryctl:v2.15.0@sha256:463172f71d3a1e8d4f9e3b4e687a447f41fbc3126316d8c150dba04a903bbc47 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/health + scheme: HTTP + port: 8080 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: HTTP + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 10 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + envFrom: + - configMapRef: + name: "harbor-registryctl" + - secretRef: + name: "harbor-registry" + - secretRef: + name: "harbor-registryctl" + env: + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: harbor-secret + key: REGISTRY_HTTP_SECRET + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: harbor-secret + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: harbor-secret + key: JOBSERVICE_SECRET + ports: + - containerPort: 8080 + volumeMounts: + - name: registry-data + mountPath: /storage + subPath: + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + volumes: + - name: registry-htpasswd + secret: + secretName: harbor-secret + items: + - key: REGISTRY_HTPASSWD + path: passwd 
+ - name: registry-config + configMap: + name: "harbor-registry" + - name: registry-data + persistentVolumeClaim: + claimName: harbor-registry diff --git a/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-backup-garage-local-secret.yaml b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-backup-garage-local-secret.yaml new file mode 100644 index 000000000..041e463e3 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-backup-garage-local-secret.yaml @@ -0,0 +1,38 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: harbor-postgresql-18-backup-garage-local-secret + namespace: harbor + labels: + app.kubernetes.io/name: harbor-postgresql-18-backup-garage-local-secret + helm.sh/chart: postgres-18-cluster-7.10.0 + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "7.10.0" + app.kubernetes.io/managed-by: Helm +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ACCESS_REGION + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-recovery-secret.yaml b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-recovery-secret.yaml new file mode 100644 index 000000000..67c7ade47 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-postgresql-18-recovery-secret.yaml 
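Review bot: The registry container exposes `containerPort: 8001` next to `5000`; in the Harbor chart this is normally the distribution debug listener, which serves `/metrics` but also pprof and health handlers when enabled. The registry config that decides this lives in `ConfigMap-harbor-registry`, outside this chunk, so please confirm 8001 is only reachable by the scrape target (Service and any NetworkPolicy are not in view). Separately, the `registry-htpasswd` secret volume sets no `defaultMode`, so the projected `passwd` file gets the 0644 default; `defaultMode: 0440` under that `secret:` entry is a cheap tightening since both containers run as uid 10000 with `fsGroup: 10000`.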
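Review bot: This ExternalSecret and `harbor-postgresql-18-recovery-secret` in the next hunk fetch the identical three properties from the same Vault path `/garage/home-infra/postgres-backups`, so the "recovery" credential is the same key pair that writes backups. If the split is meant to give recovery a distinct, read-only Garage key, the recovery secret should point at a different key; if not, one ExternalSecret could back both ObjectStores and avoid two copies of the same credential in the namespace. Either way the intent is not recoverable from the rendered output, so a comment in the chart values that generate these would help the next reader.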
@@ -0,0 +1,38 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: harbor-postgresql-18-recovery-secret + namespace: harbor + labels: + helm.sh/chart: postgres-18-cluster-7.10.0 + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "7.10.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: harbor-postgresql-18-recovery-secret +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ACCESS_REGION + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml new file mode 100644 index 000000000..64e5f06ca --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml 
@@ -0,0 +1,98 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: harbor-secret + namespace: harbor + labels: + app.kubernetes.io/name: harbor-secret + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: HARBOR_ADMIN_PASSWORD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/config + metadataPolicy: None + property: admin-password + - secretKey: secretKey + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/config + metadataPolicy: None + property: secretKey + - secretKey: CSRF_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/core + metadataPolicy: None + property: CSRF_KEY + - secretKey: secret + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/core + metadataPolicy: None + property: secret + - secretKey: tls.crt + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/core + metadataPolicy: None + property: tls.crt + - secretKey: tls.key + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/core + metadataPolicy: None + property: tls.key + - secretKey: JOBSERVICE_SECRET + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/jobservice + metadataPolicy: None + property: JOBSERVICE_SECRET + - secretKey: REGISTRY_HTTP_SECRET + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/registry + metadataPolicy: None + property: REGISTRY_HTTP_SECRET + - secretKey: REGISTRY_REDIS_PASSWORD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/registry + metadataPolicy: None + property: REGISTRY_REDIS_PASSWORD + - secretKey: REGISTRY_HTPASSWD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + 
key: /cl01tl/harbor/registry + metadataPolicy: None + property: REGISTRY_HTPASSWD + - secretKey: REGISTRY_CREDENTIAL_PASSWORD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/registry + metadataPolicy: None + property: REGISTRY_CREDENTIAL_PASSWORD + - secretKey: REGISTRY_PASSWD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/harbor/registry + metadataPolicy: None + property: REGISTRY_CREDENTIAL_PASSWORD diff --git a/clusters/cl01tl/manifests/harbor/HTTPRoute-harbor-route.yaml b/clusters/cl01tl/manifests/harbor/HTTPRoute-harbor-route.yaml new file mode 100644 index 000000000..8fe170bc0 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/HTTPRoute-harbor-route.yaml @@ -0,0 +1,39 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: "harbor-route" + namespace: "harbor" +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: traefik-gateway + namespace: traefik + hostnames: + - harbor.alexlebens.net + rules: + - matches: + - path: + type: PathPrefix + value: /api/ + - path: + type: PathPrefix + value: /service/ + - path: + type: PathPrefix + value: /v2/ + - path: + type: PathPrefix + value: /c/ + backendRefs: + - name: harbor-core + namespace: "harbor" + port: 80 + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: harbor-portal + namespace: "harbor" + port: 80 diff --git a/clusters/cl01tl/manifests/harbor/Job-migration-job.yaml b/clusters/cl01tl/manifests/harbor/Job-migration-job.yaml new file mode 100644 index 000000000..4a18374ac --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Job-migration-job.yaml 
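Review bot: `harbor-secret` aggregates every credential in the deployment — admin password, `secretKey`, core `secret` and CSRF key, the TLS key pair, jobservice secret, registry HTTP secret, htpasswd and registry password — and each component pod references it (jobservice, registry, registryctl). The kubelet only projects the keys a pod names, so pods are fine, but any RBAC grant that can read this one Secret gets all of them; splitting at least the TLS key and admin password into their own ExternalSecrets would narrow that. Note also that `REGISTRY_PASSWD` and `REGISTRY_CREDENTIAL_PASSWORD` both map to the Vault property `REGISTRY_CREDENTIAL_PASSWORD`; the alias appears to exist for the jobservice `secretKeyRef key: REGISTRY_PASSWD`, which is worth recording where these values are authored since the rendered manifest cannot carry a comment.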
@@ -0,0 +1,68 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: migrator + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: + release: harbor + app: "harbor" + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: ghcr.io/goharbor/harbor-core:v2.15.0@sha256:32a13f6693a278261e9c9cb7eb606c5e2aa021308ae44fdc73225755048500a8 + imagePullPolicy: IfNotPresent + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "harbor-core" + - secretRef: + name: "harbor-core" + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: harbor-postgresql-18-cluster-app + key: password + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: harbor-core + items: + - key: app.conf + path: app.conf diff --git a/clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-backup-garage-local.yaml b/clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-backup-garage-local.yaml new file mode 100644 index 000000000..8c623f08b --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-backup-garage-local.yaml 
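Review bot: The migration Job's pod spec omits `automountServiceAccountToken: false`, which every Deployment pod spec in this change sets; the migrator only talks to PostgreSQL and needs no API token, so add `automountServiceAccountToken: false` under `spec.template.spec`. The Job also has a fixed name and no `ttlSecondsAfterFinished`; the `helm.sh/hook: pre-upgrade` annotation presumably makes the sync tool delete and recreate it, but if these rendered manifests are ever applied directly, the second apply with a changed image fails because a Job's template is immutable — worth confirming how the GitOps controller treats the hook.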
@@ -0,0 +1,33 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: harbor-postgresql-18-backup-garage-local + namespace: harbor + labels: + app.kubernetes.io/name: harbor-postgresql-18-backup-garage-local + helm.sh/chart: postgres-18-cluster-7.10.0 + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "7.10.0" + app.kubernetes.io/managed-by: Helm +spec: + retentionPolicy: 7d + instanceSidecarConfiguration: + env: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required + configuration: + destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + s3Credentials: + accessKeyId: + name: harbor-postgresql-18-backup-garage-local-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: harbor-postgresql-18-backup-garage-local-secret + key: ACCESS_SECRET_KEY + region: + name: harbor-postgresql-18-backup-garage-local-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-recovery.yaml b/clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-recovery.yaml new file mode 100644 index 000000000..9af3f8068 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ObjectStore-harbor-postgresql-18-recovery.yaml 
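Review bot: `endpointURL: http://garage-main.garage:3900` sends base backups and WAL to the object store in plaintext; SigV4 protects the credentials but not the database contents, so this is acceptable only if the path to Garage stays on a trusted cluster network — if Garage is reachable over anything else, front it with TLS and switch to `https://`. This store configures no `wal`/`data` compression while the recovery store in the next hunk sets `compression: snappy` for both; I believe barman-cloud detects compression from the archived file names on restore, but please confirm the two agree so a restore is not surprised.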
@@ -0,0 +1,32 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: "harbor-postgresql-18-recovery" + namespace: harbor + labels: + helm.sh/chart: postgres-18-cluster-7.10.0 + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "7.10.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "harbor-postgresql-18-recovery" +spec: + configuration: + destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + wal: + compression: snappy + maxParallel: 1 + data: + compression: snappy + jobs: 1 + s3Credentials: + accessKeyId: + name: harbor-postgresql-18-recovery-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: harbor-postgresql-18-recovery-secret + key: ACCESS_SECRET_KEY + region: + name: harbor-postgresql-18-recovery-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/harbor/PersistentVolumeClaim-harbor-registry.yaml b/clusters/cl01tl/manifests/harbor/PersistentVolumeClaim-harbor-registry.yaml new file mode 100644 index 000000000..5441f355b --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/PersistentVolumeClaim-harbor-registry.yaml @@ -0,0 +1,26 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: harbor-registry + namespace: "harbor" + annotations: + helm.sh/resource-policy: keep + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: registry + app.kubernetes.io/component: registry +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Gi + storageClassName: ceph-block 
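Review bot: The recovery ObjectStore uses the same `destinationPath` (`s3://postgres-backups/cl01tl/harbor/harbor-postgresql-18-cluster`) as the backup ObjectStore in the previous hunk. CloudNativePG's guidance is that a cluster must not recover from the same prefix and server name it writes its own backups to, since the new cluster's backups and WAL then overlap the source it was restored from; the `Cluster` manifest that wires `bootstrap.recovery` and `plugins` is in the diffstat but not in this chunk, so please check that either the recovered cluster uses a distinct `serverName`, or the recovery store is only used for one-off bootstrap. The PVC hunk on this line looks consistent: `ReadWriteOnce` on `ceph-block` matches the registry Deployment's `replicas: 1` with `Recreate`.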
diff --git a/clusters/cl01tl/manifests/harbor/PodMonitor-harbor-valkey.yaml b/clusters/cl01tl/manifests/harbor/PodMonitor-harbor-valkey.yaml new file mode 100644 index 000000000..78a85264c --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/PodMonitor-harbor-valkey.yaml @@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: harbor-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: podmonitor +spec: + podMetricsEndpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - harbor + selector: + matchLabels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor diff --git a/clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-postgresql-18-alert-rules.yaml b/clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-postgresql-18-alert-rules.yaml new file mode 100644 index 000000000..e76a120f0 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-postgresql-18-alert-rules.yaml 
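Review bot: The PodMonitor's `metadata` has no `namespace`, unlike every other manifest in this change, so where it lands depends on the apply context rather than the file; the `PrometheusRule-harbor-valkey` manifest later in this diff has the same omission. If it ends up outside the namespaces the Prometheus Operator's `podMonitorNamespaceSelector`/`ruleNamespaceSelector` covers, the Valkey metrics and alerts silently never activate. Add `namespace: harbor` under `metadata` in both, or set it in the chart values these are rendered from.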
@@ -0,0 +1,270 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: harbor-postgresql-18-alert-rules + namespace: harbor + labels: + app.kubernetes.io/name: harbor-postgresql-18-alert-rules + helm.sh/chart: postgres-18-cluster-7.10.0 + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "7.10.0" + app.kubernetes.io/managed-by: Helm +spec: + groups: + - name: cloudnative-pg/harbor-postgresql-18 + rules: + - alert: CNPGClusterBackendsWaitingWarning + annotations: + summary: CNPG Cluster a backend is waiting for longer than 5 minutes. + description: |- + Pod {{ $labels.pod }} + has been waiting for longer than 5 minutes + expr: | + cnpg_backends_waiting_total{namespace="harbor"} > 300 + for: 1m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterDatabaseDeadlockConflictsWarning + annotations: + summary: CNPG Cluster has over 10 deadlock conflicts. + description: |- + There are over 10 deadlock conflicts in + {{ $labels.pod }} + expr: | + cnpg_pg_stat_database_deadlocks{namespace="harbor"} > 10 + for: 1m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterHACritical + annotations: + summary: CNPG Cluster has no standby replicas! + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe + risk of data loss and downtime if the primary instance fails. + + The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint + will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. + + This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less + instances. The replaced instance may need some time to catch-up with the cluster primary instance. 
+ + This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this + case you may want to silence it. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="harbor"} - cnpg_pg_replication_is_wal_receiver_up{namespace="harbor"}) < 1 + for: 5m + labels: + severity: critical + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterHAWarning + annotations: + summary: CNPG Cluster less than 2 standby replicas. + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting + your cluster at risk if another instance fails. The cluster is still able to operate normally, although + the `-ro` and `-r` endpoints operate at reduced capacity. + + This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may + need some time to catch-up with the cluster primary instance. + + This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. + In this case you may want to silence it. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="harbor"} - cnpg_pg_replication_is_wal_receiver_up{namespace="harbor"}) < 2 + for: 5m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsCritical + annotations: + summary: CNPG Instance maximum number of connections critical! + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="harbor", pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="harbor", pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 95 + for: 5m + labels: + severity: critical + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsWarning + annotations: + summary: CNPG Instance is approaching the maximum number of connections. + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="harbor", pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="harbor", pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 80 + for: 5m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterHighReplicationLag + annotations: + summary: CNPG Cluster high replication lag + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" is experiencing a high replication lag of + {{`{{`}} $value {{`}}`}}ms. + + High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md + expr: | + max(cnpg_pg_replication_lag{namespace="harbor",pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 + for: 5m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterInstancesOnSameNode + annotations: + summary: CNPG Cluster instances are located on the same node. + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" has {{`{{`}} $value {{`}}`}} + instances on the same node {{`{{`}} $labels.node {{`}}`}}. + + A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md + expr: | + count by (node) (kube_pod_info{namespace="harbor", pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"}) > 1 + for: 5m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterLongRunningTransactionWarning + annotations: + summary: CNPG Cluster query is taking longer than 5 minutes. + description: |- + CloudNativePG Cluster Pod {{ $labels.pod }} + is taking more than 5 minutes (300 seconds) for a query. + expr: |- + cnpg_backends_max_tx_duration_seconds{namespace="harbor"} > 300 + for: 1m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceCritical + annotations: + summary: CNPG Instance is running out of disk space! + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" is running extremely low on disk space. Check attached PVCs! 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.9 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.9 + for: 5m + labels: + severity: critical + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceWarning + annotations: + summary: CNPG Instance is running out of disk space. + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" is running low on disk space. Check attached PVCs. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.7 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.7 + for: 5m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterOffline + annotations: + summary: CNPG Cluster has no running instances! + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" has no ready instances. + + Having an offline cluster means your applications will not be able to access the database, leading to + potential service disruption and/or data loss. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md + expr: | + (count(cnpg_collector_up{namespace="harbor",pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 + for: 5m + labels: + severity: critical + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterPGDatabaseXidAgeWarning + annotations: + summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. + description: |- + Over 300,000,000 transactions from frozen xid + on pod {{ $labels.pod }} + expr: | + cnpg_pg_database_xid_age{namespace="harbor"} > 300000000 + for: 1m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterPGReplicationWarning + annotations: + summary: CNPG Cluster standby is lagging behind the primary. + description: |- + Standby is lagging behind by over 300 seconds (5 minutes) + expr: | + cnpg_pg_replication_lag{namespace="harbor"} > 300 + for: 1m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterReplicaFailingReplicationWarning + annotations: + summary: CNPG Cluster has a replica is failing to replicate. + description: |- + Replica {{ $labels.pod }} + is failing to replicate + expr: | + cnpg_pg_replication_in_recovery{namespace="harbor"} > cnpg_pg_replication_is_wal_receiver_up{namespace="harbor"} + for: 1m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster + - alert: CNPGClusterZoneSpreadWarning + annotations: + summary: CNPG Cluster instances in the same zone. + description: |- + CloudNativePG Cluster "harbor/harbor-postgresql-18-cluster" has instances in the same availability zone. + + A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md + expr: | + 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="harbor", pod=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 + for: 5m + labels: + severity: warning + namespace: harbor + cnpg_cluster: harbor-postgresql-18-cluster diff --git a/clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-valkey.yaml b/clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-valkey.yaml new file mode 100644 index 000000000..207953012 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/PrometheusRule-harbor-valkey.yaml 
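Review bot: In `CNPGClusterLowDiskSpaceCritical` and `CNPGClusterLowDiskSpaceWarning` the WAL and tablespace selectors are `persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)$-wal"` and `...$-tbs.*`; Prometheus anchors label regexes as `^(?:...)$`, so a `$` followed by `-wal` can never match and those two branches of the `OR` never fire, leaving the WAL volume unmonitored. The fix is to drop the inner anchor, `persistentvolumeclaim=~"harbor-postgresql-18-cluster-([1-9][0-9]*)-wal"` (and likewise `-tbs.*`), in both rules; since these come from the upstream chart it is worth raising there too. Separately, `CNPGClusterHAWarning` and `CNPGClusterHACritical` fire permanently with fewer than 3 / 2 instances, as their descriptions say; the instance count is in the Cluster manifest outside this chunk, so if it is below 3 plan to silence or drop them.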
@@ -0,0 +1,47 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: harbor-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey +spec: + groups: + - name: harbor-valkey + rules: + - alert: ValkeyDown + annotations: + description: Valkey instance {{ $labels.instance }} is down. + summary: Valkey instance {{ $labels.instance }} down + expr: | + redis_up{service="harbor-valkey-metrics"} == 0 + for: 2m + labels: + severity: error + - alert: ValkeyMemoryHigh + annotations: + description: | + Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. + summary: Valkey instance {{ $labels.instance }} is using too much memory + expr: | + redis_memory_used_bytes{service="harbor-valkey-metrics"} * 100 + / + redis_memory_max_bytes{service="harbor-valkey-metrics"} + > 90 <= 100 + for: 2m + labels: + severity: error + - alert: ValkeyKeyEviction + annotations: + description: | + Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. + summary: Valkey instance {{ $labels.instance }} has evicted keys + expr: | + increase(redis_evicted_keys_total{service="harbor-valkey-metrics"}[5m]) > 0 + for: 1s + labels: + severity: error diff --git a/clusters/cl01tl/manifests/harbor/ScheduledBackup-harbor-postgresql-18-scheduled-backup-live-backup.yaml b/clusters/cl01tl/manifests/harbor/ScheduledBackup-harbor-postgresql-18-scheduled-backup-live-backup.yaml new file mode 100644 index 000000000..25d103264 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ScheduledBackup-harbor-postgresql-18-scheduled-backup-live-backup.yaml 
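Review bot: ValkeyMemoryHigh can never fire if the rendered valkey.conf leaves `maxmemory` unset, because `redis_memory_max_bytes` is then 0, the ratio becomes +Inf, and the `> 90 <= 100` bound discards it. The init-script ConfigMap that writes the config is not in this chunk, so confirm a maxmemory is configured, or add a companion rule such as `redis_memory_max_bytes{service="harbor-valkey-metrics"} == 0` so the gap is visible. ValkeyKeyEviction with `for: 1s` pages on any single eviction, which is likely noisier than intended for a cache tier. These values come from the valkey chart, so tune them through the chart's values rather than editing the rendered file.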
@@ -0,0 +1,24 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: ScheduledBackup +metadata: + name: "harbor-postgresql-18-scheduled-backup-live-backup" + namespace: harbor + labels: + app.kubernetes.io/name: "harbor-postgresql-18-scheduled-backup-live-backup" + helm.sh/chart: postgres-18-cluster-7.10.0 + app.kubernetes.io/instance: harbor + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "7.10.0" + app.kubernetes.io/managed-by: Helm +spec: + immediate: true + suspend: false + schedule: "0 35 14 * * *" + backupOwnerReference: self + cluster: + name: harbor-postgresql-18-cluster + method: plugin + pluginConfiguration: + name: barman-cloud.cloudnative-pg.io + parameters: + barmanObjectName: "harbor-postgresql-18-backup-garage-local" diff --git a/clusters/cl01tl/manifests/harbor/Secret-harbor-core.yaml b/clusters/cl01tl/manifests/harbor/Secret-harbor-core.yaml new file mode 100644 index 000000000..5210357a5 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Secret-harbor-core.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: harbor-core + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +type: Opaque +data: diff --git a/clusters/cl01tl/manifests/harbor/Secret-harbor-exporter.yaml b/clusters/cl01tl/manifests/harbor/Secret-harbor-exporter.yaml new file mode 100644 index 000000000..9f9b8389d --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Secret-harbor-exporter.yaml 
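Review bot: Secret-harbor-core is rendered with an empty `data:` block, and the harbor-exporter, harbor-jobservice and harbor-registryctl Secrets in the following hunks have the same shape. If the ExternalSecret listed in the diffstat writes into Secrets of these same names, two controllers own each object: the GitOps sync keeps resetting it to empty and the ExternalSecret keeps refilling it, which surfaces as intermittent credential loss in the pods. If the ExternalSecret targets differently named Secrets instead, these empty objects are dead weight and the Deployments presumably reference the wrong name; either way the target names should be checked, and the chart's existing-secret values used so the empty Secrets are not rendered at all.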
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: harbor-exporter + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +type: Opaque +data: diff --git a/clusters/cl01tl/manifests/harbor/Secret-harbor-jobservice.yaml b/clusters/cl01tl/manifests/harbor/Secret-harbor-jobservice.yaml new file mode 100644 index 000000000..aa4daa692 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Secret-harbor-jobservice.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "harbor-jobservice" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +type: Opaque +data: diff --git a/clusters/cl01tl/manifests/harbor/Secret-harbor-registry.yaml b/clusters/cl01tl/manifests/harbor/Secret-harbor-registry.yaml new file mode 100644 index 000000000..2df0b1c11 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Secret-harbor-registry.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "harbor-registry" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +type: Opaque +data: + REGISTRY_REDIS_PASSWORD: "" diff --git a/clusters/cl01tl/manifests/harbor/Secret-harbor-registryctl.yaml b/clusters/cl01tl/manifests/harbor/Secret-harbor-registryctl.yaml new file mode 100644 index 000000000..f8a539754 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Secret-harbor-registryctl.yaml 
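Review bot: `REGISTRY_REDIS_PASSWORD: ""` in Secret-harbor-registry, together with the `redisURL` in Secret-harbor-trivy in the next hunk (it decodes to a `redis://harbor-valkey.harbor:6379/...` URL with no credential), indicates that Harbor's components talk to Valkey unauthenticated. Valkey holds Harbor's sessions, job queue and scan-report cache, so any workload able to reach `harbor-valkey.harbor:6379` can read or alter that state; no NetworkPolicy for the namespace appears in the visible diffstat, though the list is truncated. Enabling `requirepass` or ACL users in the Valkey configuration, placing the credential in these Secrets and in the exporter's `REDIS_PASSWORD`, and adding a NetworkPolicy that limits port 6379 to the Harbor pods would close this. If the password is deliberately empty because the cluster relies on another control, that decision deserves a note in the chart values.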
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "harbor-registryctl" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +type: Opaque +data: diff --git a/clusters/cl01tl/manifests/harbor/Secret-harbor-trivy.yaml b/clusters/cl01tl/manifests/harbor/Secret-harbor-trivy.yaml new file mode 100644 index 000000000..68bf1dbb2 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Secret-harbor-trivy.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Secret +metadata: + name: harbor-trivy + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +type: Opaque +data: + redisURL: cmVkaXM6Ly9oYXJib3ItdmFsa2V5LmhhcmJvcjo2Mzc5LzU/aWRsZV90aW1lb3V0X3NlY29uZHM9MzA= + gitHubToken: "" diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-core.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-core.yaml new file mode 100644 index 000000000..b2363f693 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-core.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + name: harbor-core + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +spec: + ports: + - name: http-web + port: 80 + targetPort: 8080 + - name: http-metrics + port: 8001 + selector: + release: harbor + app: "harbor" + component: core 
diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-exporter.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-exporter.yaml new file mode 100644 index 000000000..9d37b52c7 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-exporter.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: "harbor-exporter" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +spec: + ports: + - name: http-metrics + port: 8001 + selector: + release: harbor + app: "harbor" + component: exporter diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-jobservice.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-jobservice.yaml new file mode 100644 index 000000000..dfcf49440 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-jobservice.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + name: "harbor-jobservice" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +spec: + ports: + - name: http-jobservice + port: 80 + targetPort: 8080 + - name: http-metrics + port: 8001 + selector: + release: harbor + app: "harbor" + component: jobservice diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-portal.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-portal.yaml new file mode 100644 index 000000000..5ac7443e2 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-portal.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: "harbor-portal" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +spec: + ports: + - port: 80 + targetPort: 8080 + selector: + release: harbor + app: "harbor" + component: portal diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-registry.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-registry.yaml new file mode 100644 index 000000000..358f8deaa --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-registry.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + name: "harbor-registry" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +spec: + ports: + - name: http-registry + port: 5000 + - name: http-controller + port: 8080 + - name: http-metrics + port: 8001 + selector: + release: harbor + app: "harbor" + component: registry diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-trivy.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-trivy.yaml new file mode 100644 index 000000000..2b75dcef9 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-trivy.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + name: "harbor-trivy" + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +spec: + ports: + - name: http-trivy + protocol: TCP + port: 8080 + selector: + release: harbor + app: "harbor" + component: trivy diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-headless.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-headless.yaml new file mode 100644 index 000000000..a29eb4a35 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-headless.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: harbor-valkey-headless + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: headless +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: tcp + port: 6379 + targetPort: tcp + protocol: TCP + selector: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-metrics.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-metrics.yaml new file mode 100644 index 000000000..81bd7e31d --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-metrics.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: harbor-valkey-metrics + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: metrics + app.kubernetes.io/part-of: valkey + annotations: +spec: + type: ClusterIP + ports: + - name: metrics + port: 9121 + protocol: TCP + targetPort: metrics + selector: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-read.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-read.yaml new file mode 100644 index 000000000..39e14fcf4 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey-read.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + name: harbor-valkey-read + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: read +spec: + type: ClusterIP + ports: + - name: tcp + port: 6379 + targetPort: tcp + protocol: TCP + selector: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor diff --git a/clusters/cl01tl/manifests/harbor/Service-harbor-valkey.yaml b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey.yaml new file mode 100644 index 000000000..4b6d120a2 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/Service-harbor-valkey.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: harbor-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: primary +spec: + type: ClusterIP + ports: + - port: 6379 + targetPort: tcp + protocol: TCP + name: tcp + selector: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + statefulset.kubernetes.io/pod-name: harbor-valkey-0 diff --git a/clusters/cl01tl/manifests/harbor/ServiceAccount-harbor-valkey.yaml b/clusters/cl01tl/manifests/harbor/ServiceAccount-harbor-valkey.yaml new file mode 100644 index 000000000..c266f2b73 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ServiceAccount-harbor-valkey.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: harbor-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor-valkey.yaml b/clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor-valkey.yaml new file mode 100644 index 000000000..d2add91a5 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor-valkey.yaml 
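Review bot: Service-harbor-valkey pins the `primary` endpoint to `statefulset.kubernetes.io/pod-name: harbor-valkey-0` while the StatefulSet later in this commit runs three replicas, so if replication ever promotes another pod, every client following this Service keeps writing to pod-0. Nothing in this chunk shows how the init script assigns roles, so this may be the chart's intended fixed-primary design with replicas serving only the `read` Service. If so, record in the chart values or the cluster docs that failover is manual and that a pod-0 outage is a Harbor outage; otherwise a Sentinel- or operator-managed endpoint is needed for the primary.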
@@ -0,0 +1,24 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: harbor-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: service-monitor +spec: + endpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - harbor + selector: + matchLabels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/component: metrics diff --git a/clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor.yaml b/clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor.yaml new file mode 100644 index 000000000..4f888a7ee --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/ServiceMonitor-harbor.yaml @@ -0,0 +1,24 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: harbor + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: http-metrics + honorLabels: true + selector: + matchLabels: + release: harbor + app: "harbor" diff --git a/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml b/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml new file mode 100644 index 000000000..9e3fdbc22 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml 
@@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harbor-trivy + namespace: "harbor" + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: trivy + app.kubernetes.io/component: trivy +spec: + replicas: 1 + serviceName: harbor-trivy + selector: + matchLabels: + release: harbor + app: "harbor" + component: trivy + template: + metadata: + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + app.kubernetes.io/instance: harbor + app.kubernetes.io/name: harbor + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: harbor + app.kubernetes.io/version: "2.14.3" + component: trivy + app.kubernetes.io/component: trivy + annotations: + checksum/secret: 83fe4ce46bcdf24dffaccbf9ece506a58ee9eda2fe07e0aa3658386702fd3d26 + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: false + containers: + - name: trivy + image: goharbor/trivy-adapter-photon:v2.14.3 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + env: + - name: HTTP_PROXY + value: "" + - name: HTTPS_PROXY + value: "" + - name: NO_PROXY + value: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" + - name: "SCANNER_LOG_LEVEL" + value: "info" + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: "false" + - name: "SCANNER_TRIVY_VULN_TYPE" + value: "os,library" + - name: "SCANNER_TRIVY_TIMEOUT" + value: "5m0s" + - name: 
"SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: harbor-trivy + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: "false" + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: "false" + - name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" + value: "false" + - name: "SCANNER_TRIVY_DB_REPOSITORY" + value: "mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db" + - name: "SCANNER_TRIVY_JAVA_DB_REPOSITORY" + value: "mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db" + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: "false" + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: "vuln" + - name: "SCANNER_TRIVY_INSECURE" + value: "false" + - name: SCANNER_API_SERVER_ADDR + value: ":8080" + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: harbor-trivy + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: harbor-trivy + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: harbor-trivy + key: redisURL + ports: + - name: api-server + containerPort: 8080 + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: + readOnly: false + livenessProbe: + httpGet: + scheme: HTTP + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: HTTP + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: + limits: + cpu: 1 + memory: 1Gi + requests: + cpu: 200m + memory: 512Mi + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: data + labels: + heritage: Helm + release: harbor + chart: harbor + app: "harbor" + annotations: + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: "5Gi" 
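Review bot: The trivy container drops all capabilities and runs non-root but, unlike the Valkey containers elsewhere in this commit, does not set `readOnlyRootFilesystem: true`. Every writable path visible here (`SCANNER_TRIVY_CACHE_DIR`, `SCANNER_TRIVY_REPORTS_DIR`) sits under the `data` mount at `/home/scanner/.cache`, so the root filesystem can likely be made read-only; the adapter may also need `/tmp`, which this hunk does not show, so test with an emptyDir there if it fails to start. The empty `subPath:` and `annotations:` keys are harmless nulls produced by the chart template.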
diff --git a/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-valkey.yaml b/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-valkey.yaml new file mode 100644 index 000000000..89ecd1387 --- /dev/null +++ b/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-valkey.yaml 
@@ -0,0 +1,129 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harbor-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: harbor-valkey-headless + replicas: 3 + podManagementPolicy: OrderedReady + selector: + matchLabels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + volumeClaimTemplates: + - metadata: + name: valkey-data + spec: + accessModes: + - ReadWriteOnce + storageClassName: "ceph-block" + resources: + requests: + storage: "1Gi" + template: + metadata: + labels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: harbor + annotations: + checksum/initconfig: "0cad4b394241164de6b4d658a977be16" + spec: + automountServiceAccountToken: false + serviceAccountName: harbor-valkey + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + initContainers: + - name: harbor-valkey-init + image: docker.io/valkey/valkey:9.0.3 + imagePullPolicy: IfNotPresent + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + command: ["/scripts/init.sh"] + env: + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + volumeMounts: + - name: valkey-data + mountPath: /data + - name: scripts + mountPath: /scripts + containers: + - name: harbor-valkey + image: docker.io/valkey/valkey:9.0.3 + imagePullPolicy: IfNotPresent + command: ["valkey-server"] + args: ["/data/conf/valkey.conf"] + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + env: + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + - name: VALKEY_LOGLEVEL + value: "notice" + ports: + - name: tcp + containerPort: 6379 + protocol: TCP + startupProbe: + exec: + command: 
["sh", "-c", "valkey-cli ping"] + livenessProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + resources: + requests: + cpu: 10m + memory: 128Mi + volumeMounts: + - name: valkey-data + mountPath: /data + - name: metrics + image: ghcr.io/oliver006/redis_exporter:v1.82.0 + imagePullPolicy: "IfNotPresent" + ports: + - name: metrics + containerPort: 9121 + startupProbe: + tcpSocket: + port: metrics + livenessProbe: + tcpSocket: + port: metrics + readinessProbe: + httpGet: + path: / + port: metrics + resources: + requests: + cpu: 10m + memory: 64M + env: + - name: REDIS_ALIAS + value: harbor-valkey + volumes: + - name: scripts + configMap: + name: harbor-valkey-init-scripts + defaultMode: 0555
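Review bot: The `metrics` container (redis_exporter) carries no `securityContext`, so it does not get the capability drop, `readOnlyRootFilesystem` and `runAsNonRoot` that the two Valkey containers in this hunk set; it inherits only the pod-level `runAsUser: 1000`. Adding the same four-line block under the sidecar would make the pod uniformly hardened, and none of the three containers sets `allowPrivilegeEscalation: false` or a `seccompProfile`, which the trivy StatefulSet in this commit does. The sidecar's `memory: 64M` request also mixes decimal units with the `128Mi` used above; `64Mi` would be consistent. The exporter has no `REDIS_PASSWORD` env, which matches the unauthenticated Valkey setup noted on the Secrets and would need updating together with it.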