diff --git a/clusters/cl01tl/applications/homepage/values.yaml b/clusters/cl01tl/applications/homepage/values.yaml
index a961810d0..52dd9d9ac 100644
--- a/clusters/cl01tl/applications/homepage/values.yaml
+++ b/clusters/cl01tl/applications/homepage/values.yaml
@@ -360,6 +360,12 @@ homepage:
 href: https://traefik-ps10rp.lebens-home.net/dashboard/#/
 siteMonitor: https://traefik-ps10rp.lebens-home.net/dashboard/#/
 statusStyle: dot
+ - Image Cache:
+ icon: sh-harbor.svg
+ description: Harbor
+ href: https://harbor-cl01tl.boreal-beaufort.ts.net
+ siteMonitor: http://harbor.harbor:80
+ statusStyle: dot
 - Hardware:
 - Network Management (alexlebens.net):
 icon: sh-ubiquiti-unifi.svg
diff --git a/clusters/cl01tl/services/harbor/Chart.yaml b/clusters/cl01tl/services/harbor/Chart.yaml
new file mode 100644
index 000000000..47a3d46ba
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/Chart.yaml
@@ -0,0 +1,25 @@
+apiVersion: v2
+name: harbor
+version: 1.0.0
+description: Harbor
+keywords:
+ - harbor
+ - images
+ - cache
+ - kubernetes
+home: https://wiki.alexlebens.dev/doc/harbor-
+sources:
+ - https://github.com/goharborv
+ - https://github.com/goharbor/harbor-helm
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: harbor
+ version: v2.12.1
+ repository: https://helm.goharbor.io
+ - name: postgres-cluster
+ alias: postgres-17-cluster
+ version: 4.1.3
+ repository: http://alexlebens.github.io/helm-charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
+appVersion: v2.12.1
diff --git a/clusters/cl01tl/services/harbor/templates/external-secret.yaml b/clusters/cl01tl/services/harbor/templates/external-secret.yaml
new file mode 100644
index 000000000..32024082b
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/templates/external-secret.yaml
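Review bot: The new `siteMonitor: http://harbor.harbor:80` target does not match the Service the rest of this commit routes to — the new ingress.yaml sends traffic to `harbor-core`, and with `expose.type: ingress` the upstream chart does not appear to create a Service named `harbor`, so unless one exists in the `harbor` namespace the status dot will report the registry as down. I would point it at the same backend the ingress uses, `siteMonitor: http://harbor-core.harbor:80`, or at the `href` so the check exercises the path users actually take. Plaintext HTTP for an in-cluster health probe is consistent with the chart's port-80 core service, so that part is fine. The enclosing `homepage:` block starts before this hunk.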
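Review bot: The `postgres-cluster` dependency is fetched over plaintext HTTP (`repository: http://alexlebens.github.io/helm-charts`), so the index and chart tarball that stand up the database behind a registry can be altered in transit; GitHub Pages serves the same path over TLS, so this should read `repository: https://alexlebens.github.io/helm-charts`. Separately, the `harbor` dependency is pinned to `version: v2.12.1`, which is the Harbor application version, while the upstream harbor-helm chart is versioned on its own 1.x series — worth confirming this constraint actually resolves against `https://helm.goharbor.io` rather than relying on it silently matching. `home:` ends in a dangling `harbor-` and `sources:` points at `github.com/goharborv`, both of which look like truncation or a typo for `goharbor`.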
@@ -0,0 +1,97 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: harbor-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: harbor-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: HARBOR_ADMIN_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: admin-password
+ - secretKey: secretKey
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: secretKey
+ - secretKey: secret
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: secret
+ - secretKey: JOBSERVICE_SECRET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: jobservice-secret
+ - secretKey: REGISTRY_HTTP_SECRET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: registry-http-secret
+ - secretKey: REGISTRY_PASSWD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: registry-password
+ - secretKey: REGISTRY_HTPASSWD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: registry-ht-password
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: harbor-postgresql-17-cluster-backup-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: harbor-postgresql-17-cluster-backup-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: database
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: access
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: secret
diff --git a/clusters/cl01tl/services/harbor/templates/ingress.yaml b/clusters/cl01tl/services/harbor/templates/ingress.yaml
new file mode 100644
index 000000000..3cd9394ce
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/templates/ingress.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: harbor-tailscale
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: harbor-tailscale
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ ingressClassName: tailscale
+ tls:
+ - hosts:
+ - harbor-cl01tl
+ rules:
+ - host: harbor-cl01tl
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: harbor-core
+ port:
+ number: 80
diff --git a/clusters/cl01tl/services/harbor/values.yaml b/clusters/cl01tl/services/harbor/values.yaml
new file mode 100644
index 000000000..92e7fb985
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/values.yaml
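Review bot: The format constraints the consuming chart places on these keys are undocumented here, and a wrong value in Vault syncs without any error. Harbor's `secretKey` is used as an encryption key and must be exactly 16 characters, and `REGISTRY_HTPASSWD` has to be the bcrypt htpasswd entry for the same value held in `REGISTRY_PASSWD`, otherwise core cannot authenticate to the registry. I would add a comment above the first `data:` such as `# key names are referenced from values.yaml (existingSecret*/existingSecretKey); secretKey must be 16 chars; REGISTRY_HTPASSWD is the bcrypt htpasswd of REGISTRY_PASSWD`. The `app.kubernetes.io/component: web` label on a secret that also feeds jobservice and the registry is slightly misleading but harmless.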
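Review bot: This Ingress routes `/` on the Tailscale hostname to `harbor-core` alone, whereas the upstream chart's own ingress (enabled by `expose.type: ingress` in this same commit) splits traffic — `/api/`, `/service/`, `/v2/` and `/c/` to core, `/` to the portal service that serves the web UI. If that still holds for the pinned chart version, browsing to the Tailscale host lands on core rather than the UI while OCI push/pull keeps working; mirroring the chart's path list, or reusing its ingress template with a second host, would be safer than a single `Prefix` rule. The `tls.hosts` entry carrying only the bare `harbor-cl01tl` name appears to be what the Tailscale ingress class expects, so that part looks right.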
@@ -0,0 +1,136 @@
+harbor:
+ expose:
+ type: ingress
+ ingress:
+ hosts:
+ core: harbor.alexlebens.net
+ className: traefik
+ labels:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-issuer
+ externalURL: https://harbor-cl01tl.boreal-beaufort.ts.net
+ persistence:
+ enabled: true
+ resourcePolicy: "keep"
+ persistentVolumeClaim:
+ registry:
+ storageClass: ceph-block-delete
+ accessMode: ReadWriteOnce
+ size: 20Gi
+ jobservice:
+ jobLog:
+ storageClass: ceph-block-delete
+ accessMode: ReadWriteOnce
+ size: 5Gi
+ redis:
+ storageClass: ceph-block-delete
+ accessMode: ReadWriteOnce
+ size: 5Gi
+ trivy:
+ storageClass: ceph-block-delete
+ accessMode: ReadWriteOnce
+ size: 5Gi
+ imageChartStorage:
+ type: filesystem
+ filesystem:
+ rootdirectory: /storage
+ existingSecretAdminPassword: harbor-secret
+ existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
+ ipFamily:
+ ipv6:
+ enabled: false
+ ipv4:
+ enabled: true
+ updateStrategy:
+ type: Recreate
+ existingSecretSecretKey: harbor-secret
+ metrics:
+ enabled: true
+ core:
+ path: /metrics
+ port: 8001
+ registry:
+ path: /metrics
+ port: 8001
+ jobservice:
+ path: /metrics
+ port: 8001
+ exporter:
+ path: /metrics
+ port: 8001
+ serviceMonitor:
+ enabled: true
+ trace:
+ enabled: false
+ cache:
+ enabled: false
+ portal:
+ image:
+ repository: ghcr.io/goharbor/harbor-portal
+ tag: v2.12.1
+ core:
+ image:
+ repository: ghcr.io/goharbor/harbor-core
+ tag: v2.12.1
+ existingSecret: harbor-secret
+ jobservice:
+ image:
+ repository: ghcr.io/goharbor/harbor-jobservice
+ tag: v2.12.1
+ existingSecret: harbor-secret
+ existingSecretKey: JOBSERVICE_SECRET
+ registry:
+ registry:
+ image:
+ repository: ghcr.io/goharbor/registry-photon
+ tag: v2.12.1
+ controller:
+ image:
+ repository: ghcr.io/goharbor/harbor-registryctl
+ tag: v2.12.1
+ existingSecret: harbor-secret
+ existingSecretKey: REGISTRY_HTTP_SECRET
+ relativeurls: false
+ credentials:
+ existingSecret: harbor-secret
+ upload_purging:
+ enabled: true
+ age: 168h
+ interval: 24h
+ dryrun: false
+ trivy:
+ enabled: false
+ database:
+ type: external
+ external:
+ host: harbor-postgresql-17-cluster-rw
+ port: "5432"
+ username: app
+ coreDatabase: app
+ existingSecret: harbor-postgresql-17-cluster-app
+ redis:
+ type: internal
+ internal:
+ image:
+ repository: ghcr.io/goharbor/redis-photon
+ tag: v2.12.1
+ exporter:
+ image:
+ repository: ghcr.io/goharbor/harbor-exporter
+ tag: v2.12.1
+postgres-17-cluster:
+ mode: standalone
+ cluster:
+ walStorage:
+ storageClass: local-path
+ storage:
+ storageClass: local-path
+ monitoring:
+ enabled: true
+ backup:
+ enabled: true
+ endpointURL: https://nyc3.digitaloceanspaces.com
+ destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-17-cluster
+ endpointCredentials: harbor-postgresql-17-cluster-backup-secret
+ backupIndex: 1
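Review bot: `externalURL: https://harbor-cl01tl.boreal-beaufort.ts.net` and the chart ingress host `expose.ingress.hosts.core: harbor.alexlebens.net` name two different endpoints for one registry. Harbor derives the token-service realm in its `WWW-Authenticate` challenges and its UI redirects from `externalURL`, so as far as I can tell a `docker login harbor.alexlebens.net` from outside the tailnet is bounced to the unreachable Tailscale name, which leaves the public Let's Encrypt endpoint as exposed-but-unusable surface; pick one canonical hostname, or drop the public `expose.ingress` block if the tailnet is the intended access path. `trivy.enabled: false` also makes the `persistentVolumeClaim.trivy` stanza dead configuration and means images cached through this registry are never scanned — if that is deliberate, say so with a one-line comment next to it, e.g. `# trivy disabled: no vulnerability scanning of cached images`.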