diff --git a/clusters/cl01tl/services/harbor/Chart.yaml b/clusters/cl01tl/services/harbor/Chart.yaml
new file mode 100644
index 000000000..75533dff4
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: harbor
+version: 1.0.0
+description: Harbor
+keywords:
+ - harbor
+ - images
+ - cache
+ - kubernetes
+home: https://wiki.alexlebens.dev/doc/harbor-
+sources:
+ - https://github.com/goharborv
+ - https://github.com/goharbor/harbor-helm
+ - https://github.com/valkey-io/valkey
+ - https://github.com/cloudnative-pg/cloudnative-pg
+ - https://github.com/bitnami/charts/tree/main/bitnami/valkey
+ - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: harbor
+ version: 1.16.2
+ repository: https://helm.goharbor.io
+ - name: postgres-cluster
+ alias: postgres-17-cluster
+ version: 4.2.0
+ repository: http://alexlebens.github.io/helm-charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
+appVersion: v2.12.1
diff --git a/clusters/cl01tl/services/harbor/templates/external-secret.yaml b/clusters/cl01tl/services/harbor/templates/external-secret.yaml
new file mode 100644
index 000000000..32024082b
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/templates/external-secret.yaml
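Review bot: The `postgres-cluster` dependency is fetched over plain HTTP (`repository: http://alexlebens.github.io/helm-charts`), so the chart index and tarball can be altered in transit before `helm dependency update` stores them; the harbor dependency a few lines above already uses HTTPS, so `repository: https://alexlebens.github.io/helm-charts` is the consistent fix. Two metadata entries also look truncated: `home: https://wiki.alexlebens.dev/doc/harbor-` ends in a dangling hyphen, and the first source `https://github.com/goharborv` is presumably meant to be `https://github.com/goharbor`. `appVersion: v2.12.1` disagrees with the `v2.12.2` image tags pinned in values.yaml in the same commit, and that value propagates into the `app.kubernetes.io/version` label on every templated resource.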
@@ -0,0 +1,97 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: harbor-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: harbor-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: HARBOR_ADMIN_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: admin-password
+ - secretKey: secretKey
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: secretKey
+ - secretKey: secret
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: secret
+ - secretKey: JOBSERVICE_SECRET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: jobservice-secret
+ - secretKey: REGISTRY_HTTP_SECRET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: registry-http-secret
+ - secretKey: REGISTRY_PASSWD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: registry-password
+ - secretKey: REGISTRY_HTPASSWD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/config
+ metadataPolicy: None
+ property: registry-ht-password
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: harbor-postgresql-17-cluster-backup-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: harbor-postgresql-17-cluster-backup-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: database
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: access
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: secret
diff --git a/clusters/cl01tl/services/harbor/templates/http-route.yaml b/clusters/cl01tl/services/harbor/templates/http-route.yaml
new file mode 100644
index 000000000..d9845163a
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/templates/http-route.yaml
@@ -0,0 +1,49 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-route-harbor
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: http-route-harbor
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ hostnames:
+ - harbor.alexlebens.net
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /api/
+ - path:
+ type: PathPrefix
+ value: /service/
+ - path:
+ type: PathPrefix
+ value: /v2/
+ - path:
+ type: PathPrefix
+ value: /c/
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: harbor-core
+ port: 80
+ weight: 100
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: harbor-portal
+ port: 80
+ weight: 100
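Review bot: Every component credential — the admin password, the core `secret`, `secretKey`, the jobservice secret, the registry HTTP secret and the registry htpasswd pair — is collected into the single Secret `harbor-secret`, which values.yaml in this commit then hands to core, jobservice and registry alike; any component that mounts that Secret as a volume rather than reading one key through `secretKeyRef` sees all the other components' credentials, so one ExternalSecret per consumer (e.g. a `harbor-registry-secret` holding only the `REGISTRY_*` keys) would keep each pod to what it needs — confirm how the upstream chart consumes each `existingSecret` before splitting. The entries `secretKey: secretKey` and `secretKey: secret` are easy to confuse; a comment above each naming the chart value that reads it (presumably `existingSecretSecretKey` and `core.existingSecret` respectively) would make the mapping reviewable. Neither ExternalSecret sets `refreshInterval`, so the operator default applies; writing it explicitly documents how quickly a value rotated in Vault reaches the cluster.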
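Review bot: `parentRefs` attaches this route to `traefik-gateway` in the `traefik` namespace, which only works if that Gateway's listener `allowedRoutes.namespaces` admits the release namespace; nothing in the chart records that dependency and a rejected attachment shows up only in the route's status, so a comment such as `# requires the traefik-gateway listener to allow routes from this namespace` above `parentRefs` would help. The route also binds to every listener of the Gateway because no `sectionName` is given; restricting it to the HTTPS listener would keep `/v2/` and `/api/`, which carry registry credentials, off any plain-HTTP listener the Gateway may expose — whether it has one is not visible from this chart. The catch-all `value: /` rule coexists safely with the `/api/`, `/service/`, `/v2/` and `/c/` prefixes only because Gateway API gives the longest matching prefix precedence; a one-line comment saying so would spare the next reader from checking, since the Ingress version in the same commit relies on the controller's ordering instead.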
diff --git a/clusters/cl01tl/services/harbor/templates/ingress.yaml b/clusters/cl01tl/services/harbor/templates/ingress.yaml
new file mode 100644
index 000000000..7dd1bbc24
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/templates/ingress.yaml
@@ -0,0 +1,59 @@
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+# name: harbor-tailscale
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: harbor-tailscale
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: web
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# labels:
+# tailscale.com/proxy-class: no-metrics
+# annotations:
+# tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+# spec:
+# ingressClassName: tailscale
+# tls:
+# - hosts:
+# - harbor-cl01tl
+# rules:
+# - host: harbor-cl01tl
+# http:
+# paths:
+# - backend:
+# service:
+# name: harbor-core
+# port:
+# number: 80
+# path: /api/
+# pathType: Prefix
+# - backend:
+# service:
+# name: harbor-core
+# port:
+# number: 80
+# path: /service/
+# pathType: Prefix
+# - backend:
+# service:
+# name: harbor-core
+# port:
+# number: 80
+# path: /v2/
+# pathType: Prefix
+# - backend:
+# service:
+# name: harbor-core
+# port:
+# number: 80
+# path: /c/
+# pathType: Prefix
+# - backend:
+# service:
+# name: harbor-portal
+# port:
+# number: 80
+# path: /
+# pathType: Prefix
diff --git a/clusters/cl01tl/services/harbor/values.yaml b/clusters/cl01tl/services/harbor/values.yaml
new file mode 100644
index 000000000..acc33c577
--- /dev/null
+++ b/clusters/cl01tl/services/harbor/values.yaml
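Review bot: The entire template is commented out, so it renders nothing and only adds 59 lines of dead configuration to the chart; either drop the file or guard it with a values flag (for example an `{{- if .Values.tailscaleIngress.enabled }}` wrapper — constructed name) and give it a header comment saying when it is meant to be re-enabled. If it is uncommented as written, `metadata` contains two `labels:` keys (the `app.kubernetes.io/*` set and `tailscale.com/proxy-class`); most YAML parsers resolve that silently last-wins, dropping the standard labels, so the two should be merged into one mapping. Re-enabling it would also expose the registry on a second path (the tailnet host `harbor-cl01tl`, with `tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"`) alongside the public HTTPRoute, which is worth a note on why both entry points are wanted.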
@@ -0,0 +1,132 @@
+harbor:
+ expose:
+ type: clusterIP
+ externalURL: https://harbor.alexlebens.net
+ persistence:
+ enabled: true
+ resourcePolicy: "keep"
+ persistentVolumeClaim:
+ registry:
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ size: 20Gi
+ jobservice:
+ jobLog:
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ size: 5Gi
+ redis:
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ size: 5Gi
+ trivy:
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ size: 5Gi
+ imageChartStorage:
+ type: filesystem
+ filesystem:
+ rootdirectory: /storage
+ existingSecretAdminPassword: harbor-secret
+ existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
+ ipFamily:
+ ipv6:
+ enabled: false
+ ipv4:
+ enabled: true
+ updateStrategy:
+ type: Recreate
+ existingSecretSecretKey: harbor-secret
+ metrics:
+ enabled: true
+ core:
+ path: /metrics
+ port: 8001
+ registry:
+ path: /metrics
+ port: 8001
+ jobservice:
+ path: /metrics
+ port: 8001
+ exporter:
+ path: /metrics
+ port: 8001
+ serviceMonitor:
+ enabled: true
+ trace:
+ enabled: false
+ cache:
+ enabled: false
+ portal:
+ image:
+ repository: ghcr.io/goharbor/harbor-portal
+ tag: v2.12.2
+ core:
+ image:
+ repository: ghcr.io/goharbor/harbor-core
+ tag: v2.12.2
+ existingSecret: harbor-secret
+ jobservice:
+ image:
+ repository: ghcr.io/goharbor/harbor-jobservice
+ tag: v2.12.2
+ existingSecret: harbor-secret
+ existingSecretKey: JOBSERVICE_SECRET
+ registry:
+ registry:
+ image:
+ repository: ghcr.io/goharbor/registry-photon
+ tag: v2.12.2
+ controller:
+ image:
+ repository: ghcr.io/goharbor/harbor-registryctl
+ tag: v2.12.2
+ existingSecret: harbor-secret
+ existingSecretKey: REGISTRY_HTTP_SECRET
+ relativeurls: false
+ credentials:
+ existingSecret: harbor-secret
+ upload_purging:
+ enabled: true
+ age: 168h
+ interval: 24h
+ dryrun: false
+ trivy:
+ enabled: false
+ database:
+ type: external
+ external:
+ host: harbor-postgresql-17-cluster-rw
+ port: "5432"
+ username: app
+ coreDatabase: app
+ existingSecret: harbor-postgresql-17-cluster-app
+ redis:
+ type: internal
+ internal:
+ image:
+ repository: goharbor/redis-photon
+ tag: v2.12.2
+ exporter:
+ image:
+ repository: ghcr.io/goharbor/harbor-exporter
+ tag: v2.12.2
+postgres-17-cluster:
+ mode: recovery
+ cluster:
+ walStorage:
+ storageClass: local-path
+ storage:
+ storageClass: local-path
+ monitoring:
+ enabled: true
+ recovery:
+ endpointURL: https://nyc3.digitaloceanspaces.com
+ destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-17-cluster
+ endpointCredentials: harbor-postgresql-17-cluster-backup-secret
+ backup:
+ enabled: false
+ endpointURL: https://nyc3.digitaloceanspaces.com
+ destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-17-cluster
+ endpointCredentials: harbor-postgresql-17-cluster-backup-secret
+ backupIndex: 2
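Review bot: `redis.internal.image.repository: goharbor/redis-photon` is the only image in the file without a registry prefix, so it resolves to Docker Hub while every other component is pinned to `ghcr.io/goharbor/...`; that puts one image of the stack under a different registry and publisher namespace than the rest, and if the same image is published as `ghcr.io/goharbor/redis-photon` pinning it there keeps the supply chain to a single source. `trivy.enabled: false` turns off image vulnerability scanning while `persistence.persistentVolumeClaim.trivy` still provisions a 5Gi volume for it — if scanning is meant to stay off, the PVC block can go and the reason belongs in a comment; if not, the leftover PVC suggests the flag was flipped by accident. `postgres-17-cluster.mode: recovery` together with `backup.enabled: false` restores the database from the object store but schedules no new backups afterwards, so the recovered data has no off-cluster copy until the flag is flipped back; a comment marking this as a one-time bootstrap setting (and explaining the `backupIndex: 2` convention) would stop it being left that way. The `v2.12.2` tags here also disagree with `appVersion: v2.12.1` in Chart.yaml.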