chore: Update manifests after change

2025-12-12 01:42:52 +00:00
parent 25e5e6db68
commit c00d6bbfb6
6 changed files with 6 additions and 313 deletions


@@ -1,160 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: harbor-nginx
namespace: "harbor"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.14.1"
data:
nginx.conf: |
worker_processes auto;
pid /tmp/nginx.pid;
events {
worker_connections 3096;
use epoll;
multi_accept on;
}
http {
client_body_temp_path /tmp/client_body_temp;
proxy_temp_path /tmp/proxy_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream core {
server "harbor-core:80";
}
upstream portal {
server "harbor-portal:80";
}
log_format timed_combined '[$time_local]:$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
map $http_x_forwarded_proto $x_forwarded_proto {
default $http_x_forwarded_proto;
"" $scheme;
}
server {
listen 8443 ssl;
# server_name harbordomain.com;
server_tokens off;
# SSL
ssl_certificate /etc/nginx/cert/tls.crt;
ssl_certificate_key /etc/nginx/cert/tls.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
# Add extra headers
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'none'";
location / {
proxy_pass http://portal/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; HttpOnly; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ {
proxy_pass http://core/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /c/ {
proxy_pass http://core/c/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /v1/ {
return 404;
}
location /v2/ {
proxy_pass http://core/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_buffering off;
proxy_request_buffering off;
proxy_send_timeout 900;
proxy_read_timeout 900;
}
location /service/ {
proxy_pass http://core/service/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
location /service/notifications {
return 404;
}
}
server {
listen 8080;
#server_name harbordomain.com;
return 301 https://$host$request_uri;
}
}


@@ -152,6 +152,5 @@ spec:
secretName: harbor-secret
- name: ca-download
secret:
secretName: harbor-nginx
- name: psc
emptyDir: {}
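Review bot: The `ca-download` volume in this hunk names the Secret `harbor-nginx`, which is deleted elsewhere in this commit. The +/- markers are lost in this rendering, so which of the six lines was dropped is inferred: if it is `secretName: harbor-nginx`, the volume is left with a bare `secret:` and no source, and if the line stays, the pod references a Secret that no longer exists and would likely hang at its next rollout. Either remove the whole `ca-download` volume together with its mount (outside the hunk) or point it at a Secret that still exists, e.g. `secretName: <ca-secret-name>` (placeholder). The deleted Secret's `tls.key` was committed base64-encoded only, so it stays readable in history after this deletion and the key pair should be treated as exposed and not reused. The enclosing pod spec starts and ends outside the hunk.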


@@ -1,90 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: harbor-nginx
namespace: "harbor"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.14.1"
component: nginx
app.kubernetes.io/component: nginx
spec:
replicas: 0
revisionHistoryLimit: 10
selector:
matchLabels:
release: harbor
app: "harbor"
component: nginx
template:
metadata:
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.14.1"
component: nginx
app.kubernetes.io/component: nginx
annotations:
checksum/configmap: bd115f845eb3c5da99a75fa596b0abd85f4e9d1b05b144b15ebf050a3eaa45f9
checksum/secret: 1542145fece666b667fc989143b9970123b74e380e8cfb8ae46ee243712efad3
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
containers:
- name: nginx
image: "goharbor/nginx-photon:v2.14.1"
imagePullPolicy: "IfNotPresent"
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 1
periodSeconds: 10
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
ports:
- containerPort: 8080
- containerPort: 8443
volumeMounts:
- name: config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
- name: certificate
mountPath: /etc/nginx/cert
volumes:
- name: config
configMap:
name: harbor-nginx
- name: certificate
secret:
secretName: harbor-nginx


@@ -1,12 +1,8 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-harbor
namespace: harbor
labels:
app.kubernetes.io/name: http-route-harbor
app.kubernetes.io/instance: harbor
app.kubernetes.io/part-of: harbor
name: "harbor-route"
namespace: "harbor"
spec:
parentRefs:
- group: gateway.networking.k8s.io
@@ -30,18 +26,14 @@ spec:
type: PathPrefix
value: /c/
backendRefs:
- group: ''
kind: Service
name: harbor-core
- name: harbor-core
namespace: "harbor"
port: 80
weight: 100
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: harbor-portal
- name: harbor-portal
namespace: "harbor"
port: 80
weight: 100
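Review bot: Neither backend rule visible in the second hunk carries a `filters` entry, so responses from `harbor-portal` and `harbor-core` reach clients without the `Strict-Transport-Security`, `X-Frame-Options` and `Content-Security-Policy` headers that the nginx config deleted in this commit used to add. That nginx Deployment was already at `replicas: 0`, so this is presumably not new with this commit, and the Gateway or rules outside the hunks may already cover it. If they do not, a `ResponseHeaderModifier` filter on each rule restores the headers. The same check applies to nginx's `return 404` for `/service/notifications` and `/v1/`, and to the `Secure`/`HttpOnly` cookie attributes it appended, whose replacements, if any, are outside the hunks. The +/- markers are lost in this rendering, so the new side is inferred from the hunk counts.

```yaml
# … unchanged: matches (PathPrefix /) …
      filters:
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            set:
              - name: Strict-Transport-Security
                value: "max-age=31536000; includeSubdomains; preload"
              - name: X-Frame-Options
                value: DENY
              - name: Content-Security-Policy
                value: "frame-ancestors 'none'"
      backendRefs:
        - name: harbor-portal
# … unchanged: namespace, port …
```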


@@ -1,20 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: harbor-nginx
namespace: "harbor"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.14.1"
type: Opaque
data:
tls.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURRakNDQWlxZ0F3SUJBZ0lRUGNsZTYvU1NiekllV2dUaFRYNnBXekFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsb1lYSmliM0l0WTJFd0hoY05NalV4TWpFeU1EQTFPVEk0V2hjTk1qWXhNakV5TURBMQpPVEk0V2pBZ01SNHdIQVlEVlFRREV4Vm9ZWEppYjNJdVlXeGxlR3hsWW1WdWN5NXVaWFF3Z2dFaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURZbnpNYlFTWnh2OFR1Smw5dGFGcDdyUjVHVHN6b1VOeGIKeStHa0FYRVl5c3RKYnllSTZ2bzlLS3pUOFoxUTdrbWtaTlpnSnN5L3FDanRyb2FFSFVpL01Sd1o0ejJDY0JjWgpvOXVlNFJCcHZNU0hnWW52UThzZlFzMnBXNTQyZWNSRE80R0ZFbzRkNHdwK3JLN0dGT2tNb3VuMDJIUWdXMW50ClppVlNNSGRMUWgvTVF2cEdJaVJTRzdaMTBueFZTQS9RelkrbTBFRjlZK25WVCt5a1puZ0YraFBGbmEvdWVJUm4KN3VpR3RGVUlZbjZURW5XRjFRa0FpcktNcW9iZm1aeGExbEwwMlV0ZDdSRDF3UWk2aGdNbWE5RVQwU0VFK2czdApMcUxtVWR5U3ZsbTB2dFFwUVNTTjF5Um5pRkJnWEY5VndvWmRNOEpUNmJMR2pkSC85MGdiQWdNQkFBR2pnWU13CmdZQXdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0QKQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjhHQTFVZEl3UVlNQmFBRk5wVTc3U1lkY0hTdTdZSytHWnF0YW9OY0YwcwpNQ0FHQTFVZEVRUVpNQmVDRldoaGNtSnZjaTVoYkdWNGJHVmlaVzV6TG01bGREQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBU2JVM1hxdmkyNWtLc1ZCMkpQRU9KeTM0QktTbGRIQVF2c2pxRU9hVWVncDN5WmovSDNEc2R4aVIKNi9mSzU4c3JOWE1DNkhzL1RlaGJoSUZJTVFXSk5CTGZIVVExT3pFTkFKOURkZkJkOHpFbTJQc0ptQ2pBVVZ6cApDTVlwWjVtY2kwZ0l0ZTBtOHhIdVE4LytTZ1o4aXpxRytsczk0dkpQaS9QclZoc2EyQWxlWXlPTk4rWHdEMll0ClNtRDdPZ2JTOFNxVUwwdXN4dEdUL0JBZHBCUzBqNk92eElFYTArYXBWWDc1blM4c25GZXRJdmY4bjJiaVlUaysKQmkxWlVLN0sva2xGVHlHbHVmdnJFa3NYaTZ1YUtsSXl1YWFrTFJTZk5aVHJGNkcwZENtclhEeTMyenRVRUlpbApTMk8vK09aTW12bzhIc1BFc3psTVByeHhMNW5sK1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
tls.key: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBMko4ekcwRW1jYi9FN2laZmJXaGFlNjBlUms3TTZGRGNXOHZocEFGeEdNckxTVzhuCmlPcjZQU2lzMC9HZFVPNUpwR1RXWUNiTXY2Z283YTZHaEIxSXZ6RWNHZU05Z25BWEdhUGJudUVRYWJ6RWg0R0oKNzBQTEgwTE5xVnVlTm5uRVF6dUJoUktPSGVNS2ZxeXV4aFRwREtMcDlOaDBJRnRaN1dZbFVqQjNTMElmekVMNgpSaUlrVWh1MmRkSjhWVWdQME0yUHB0QkJmV1BwMVUvc3BHWjRCZm9UeFoydjduaUVaKzdvaHJSVkNHSitreEoxCmhkVUpBSXF5aktxRzM1bWNXdFpTOU5sTFhlMFE5Y0VJdW9ZREptdlJFOUVoQlBvTjdTNmk1bEhja3I1WnRMN1UKS1VFa2pkY2taNGhRWUZ4ZlZjS0dYVFBDVStteXhvM1IvL2RJR3dJREFRQUJBb0lCQUI3UDlrc0lKMW5DdDFaUQpxdjQ2KzdQZjJoQ1NJTjlpc1JWMW1MRGxhNXJsTGFsU1lFTS9lVHk5em1lUFZKc3dhZFV5YXJQZWtQMHFCRGhhCnZOT0ovdEVEUVVZRlpyaHBEVUFlYUp6ZTBxRFhzdlM3WGsxa1RUNHpHR0hnb0U2TFgzbFl1NEdjTkE3WVBxUHEKR0NvZ3kwMTYxdUIyOFgyd3dNZmQ0YTBoSzdiT2UrKzRYRitIeGlyVTVQa1luOGkyZ1JscHVDVmZiT0lzbzlyWApTSnc0eXBmU3pHQm0zMW91WVFYcFp0UllBaEQxTTJNNlRtTUh2MFZYVmxjbU80ZGdlWVZNTVBKcUMvWnJmWjBYCk81Zng3Z2NocHBHNHk3WFVaL0dGL0U2aUY4R3RzWWJlNGdCYVBZYUN4K2tDZ1FVNmhjZ0E2c3hVdkM5NjVxSjUKeFVQdXNMRUNnWUVBM2hhd3dDckIyRFc4QTJUN0JoT295a0N5SWR5WlpFVjlJdjR5V0RJOXpXWlJBWnJxUmVVTAp6NjdWSnlTZ1JxUlR5L2FDcVpmRW0yejRqVFB2SzNkUW96dWNmckt3ZmVBR1l2VHRvY3JMNmRRU3lWSzRzT2krCmRXMVdTYUJXTkFWUThvQ0l5V3lVOHYxcmhYZEZlNUVZVUN2d3dTdlFjcEd0UUV6dktTQVJQOFVDZ1lFQStiTFIKSExuRnYvdkdXNFIzcG8xMnpFc1pydlJhU0hEUXptOGRDN0w4UkFKU0F0MXhrVGszTzJOb1lzK3U3aC9BbGlZMQprVHdOWmlIQWdxWWFrNHpkUGlyZ3JsZ29GQTVkcE5DaVpDaHI0MXQ1Vlc4T2d5YlVkSGltN0FOTFphbFlBVEhrCm52RklkSXp6cDllSXNZNU5zclpMbjg5NHQ3bEE4cUVuWDBqcUJsOENnWUFLRHMwQ1p1MVFkVjZHYU5SVmVoNXkKeW10R3pVN0ZFOENQRFNRS2ludnlDV2d4d21wSnNBM1E0Z0lWTzd0bWQ1cXo2ZjRRNENhdlEwZ2VYUE8vN0M5aQp0UmhwUkg1cHRQT1ZGN0tMV1R2UzR4L1dya0JmQXF0ZGRnNHFWM0NQK28ybjdkcEVCUDdaNGxBMFF5cUtaZy9MCjBiR2RqZlpxdWQ0MncwVXhmNXBJWVFLQmdIZEk0WFRqbW9DWWVxNEZubE5HaVZZWEduSGw4YXRobVo3RW5nK1UKdGNhWGhTNHhNNnU0dFpYOWEwU3BDbHhmZHRWRDg1c3FJUXlGV3o0T3MrdUJBOEJMSTRLbVFwOHlMYklxcVNsSAoxaUtLOUcvSDJocjFWZEUrUWgvRmd5TlJ2dVR6UE5CaFc4ZXgva1JVUnN6cnVscUJrNmNJcWhhNnZUZ3JuRzk4Cm1hL3BBb0dCQUpiSzRwTEp1SUFsSHRyNHc5VVdpRm
tkN3Y5eXljOS9UejZ1Sml2aUxsd1pOTkVkbENJMy9BMHkKTHM0MDR4RkY2NXowM01OMy91MWk3eHZZQzdZRFpPUzVlaTVOdUxIOWY2cS9mWFljODl4dm8zdjBxNW4zdUpkUAp5Ykk0YlJJd0lVa0hUd3JJbGVGM1EzNjVJMUJnVk9xdGR1NUFaYW9IYUNtU1pqUi8xNC9YCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
ca.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQUxocUQ2dWhVRHhGbCtPMkg0M1lJVWN3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSmFHRnlZbTl5TFdOaE1CNFhEVEkxTVRJeE1qQXdOVGt5TjFvWERUSTJNVEl4TWpBdwpOVGt5TjFvd0ZERVNNQkFHQTFVRUF4TUphR0Z5WW05eUxXTmhNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUFwRGdpVlZndnVmTU9FZVVwVjVXYS8zcHEwM3EvdFhTb1BvRmovS00zYlVSbkdLV2EKR3BSbysyYXo3S1FKUVdiQ0FjdUFNaUxOSWhJa0prc3ZsK1M0WmpOamxYZGlxY25rWXJQSmhzQ2JwSE1XTW8vNwpLT1dvZzZZT3FsZDJGNWVvYjJEdHRWRlpsbHRlVnNNQ3N2VmtjanMwRjF2UHlnSVZHOW02Tko5QWRWcE96V016CnVTZ3dVSXhWUER0LzNnQmt0RHpOMWhlSFNOS0lrT2dWTkJGaDJoMFp5SHU4R2NodFpmTEtyUWlZaUNyYUg0N3YKYWY0TkpXZ1RSNFl3YTdtejJETlNuclEwYXppWER3aEtaeUd2WXlRYVFPTUlpZ2hDRE15V0tsWmx0SXdqcUtwbgpqdC9XelZ4OUhvQ2ZCRkloVjFSUVNJNk5vZ0NVUzFVRU0ySi90UUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGTnBVNzdTWWRjSFN1N1lLK0dacXRhb05jRjBzTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQWtoVno1U2J3dlhMYTBtbzN0YjJuUnZRME5SUm1vWWhCMDJiRmkwYmFRdm85L3hnVktsYkFvCm52TEtOd01IQ0VwUStqcVZrd2k5RERJbzJPNnllaEIzcjU1QVlxNXlWU1J0Zm5VSUU4bVRGOThzR3dNRGk5TEYKZzJ2WTNFaXNKaHhNVmJ4bmZEKzVhcUx0RTJNR2hwL0ZqZ2tQSFl0QzNPRzFXNG41d1I0T28zTVJoekpkSSszaQpmaHFETVBTMlFvWnBpcWNIWTNVenZpMjBjcGxKUlVkQk5pN3hYZmhiT1VUOUlVS3RLSG5DczN0NlF6a3JVYnpQCmlQVzBURjJMTk1tajhHS0ZoZTVPYjNTWmZIcnlNOGlUaW4xZlRiYTRjUVJqRExjUE5MQ2pRYTZCeFlJTXNMdHMKWmx4RHE3NEdtKzdxYmxFRG5OWjN4Z1V3ZVNCQkxRdmoKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="


@@ -1,28 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: harbor
namespace: "harbor"
labels:
heritage: Helm
release: harbor
chart: harbor
app: "harbor"
app.kubernetes.io/instance: harbor
app.kubernetes.io/name: harbor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: harbor
app.kubernetes.io/version: "2.14.1"
spec:
type: ClusterIP
ports:
- name: http
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
selector:
release: harbor
app: "harbor"
component: nginx