add Harbor

This commit is contained in:
Max Erenberg 2021-12-30 17:03:38 -05:00 committed by root
parent c9ec56c3be
commit 7a016a8232
3 changed files with 155 additions and 0 deletions

harbor/README.md Normal file

@ -0,0 +1,27 @@
# Harbor
See [Deploying Harbor with High Availability via Helm](https://goharbor.io/docs/2.4.0/install-config/harbor-ha-helm/).
## Database setup
On coffee, switch to the `postgres` user, run `psql`, and execute the following:
```sql
CREATE USER harbor WITH PASSWORD 'REPLACE_ME';
CREATE DATABASE harbor_registry OWNER harbor;
REVOKE ALL ON DATABASE harbor_registry FROM PUBLIC;
CREATE DATABASE harbor_notary_server OWNER harbor;
REVOKE ALL ON DATABASE harbor_notary_server FROM PUBLIC;
CREATE DATABASE harbor_notary_signer OWNER harbor;
REVOKE ALL ON DATABASE harbor_notary_signer FROM PUBLIC;
```
## Redis setup
See [syscom-redis.yaml](../syscom-redis.yaml). The reason why this is in the
syscom namespace is because we may decide to re-use this Redis server for
other apps.
## Install the Helm chart
Open values.yaml and replace all instances of 'REPLACE_ME' with appropriate username/password values.
Check https://artifacthub.io/packages/helm/harbor/harbor to see what the latest **stable** version is.
```sh
helm install -f values.yaml --create-namespace --namespace harbor harbor1 harbor/harbor --version 1.8.1
```

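--- /dev/null
+++ b/harbor/values.yaml
@@ -0,0 +1,50 @@
+# run `helm show values harbor/harbor` to see defaults
+expose:
+# We are performing TLS termination OUTSIDE of the k8s cluster
+tls:
+enabled: false
+type: ingress
+ingress:
+hosts:
+core: registry.cloud.csclub.uwaterloo.ca
+notary: notary.cloud.csclub.uwaterloo.ca
+annotations:
+ingress.kubernetes.io/ssl-redirect: "false"
+nginx.ingress.kubernetes.io/ssl-redirect: "false"
+externalURL: https://registry.cloud.csclub.uwaterloo.ca
+harborAdminPassword: REPLACE_ME
+# must be a string of 16 chars
+secretKey: REPLACE_ME
+ipFamily:
+ipv6:
+enabled: false
+persistence:
+persistentVolumeClaim:
+registry:
+size: 1Ti
+registry:
+credentials:
+username: REPLACE_ME
+password: REPLACE_ME
+chartmuseum:
+enabled: false
+trivy:
+enabled: false
+database:
+type: external
+external:
+host: coffee.csclub.uwaterloo.ca
+port: "5432"
+username: REPLACE_ME
+password: REPLACE_ME
+coreDatabase: harbor_registry
+notaryServerDatabase: harbor_notary_server
+notarySignerDatabase: harbor_notary_signer
+sslmode: require
+redis:
+type: external
+external:
+addr: redis.syscom:6379
+coreDatabaseIndex: "0"
+jobserviceDatabaseIndex: "1"
+registryDatabaseIndex: "2"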
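Review bot: The admin password, `secretKey`, the registry credentials and the external database password all live directly in this values file, and the README's install step tells the operator to overwrite the `REPLACE_ME` placeholders in place, so the real secrets end up in a tracked file one careless `git add` away from this repository. The harbor chart can read them from pre-created Kubernetes Secrets instead — `existingSecretAdminPassword` and `existingSecretSecretKey` at the top level and an `existingSecret` under `registry.credentials`; check which of these chart 1.8.1 already supports, point them at Secrets created out of band, and keep only placeholders here. Independently, `sslmode: require` on the external database only encrypts the connection to coffee and does not verify the server's certificate; `sslmode: verify-full` would also pin the server identity, provided the core and jobservice pods can see a CA that trusts coffee's certificate. With `tls.enabled: false` the hop from the external TLS terminator to the ingress is plaintext — a line such as `# plaintext from the edge TLS terminator to the ingress; acceptable only on the trusted cluster network` above `tls:` would record that decision for the next maintainer.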

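--- /dev/null
+++ b/syscom-redis.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+namespace: syscom
+name: redis-config
+data:
+# Increase the number of databases if necessary.
+# If you add another app which uses this Redis instance, make sure
+# to also update the NetworkPolicy in this file.
+#
+# Database 0: Harbor core
+# Database 1: Harbor job service
+# database 2: Harbor registry
+redis.conf: |
+databases 16
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+namespace: syscom
+name: redis
+labels:
+app: redis
+spec:
+selector:
+matchLabels:
+app: redis
+template:
+metadata:
+labels:
+app: redis
+spec:
+containers:
+- name: redis
+image: redis:6.2
+volumeMounts:
+- mountPath: "/usr/local/etc/redis"
+name: redis-conf-vol
+ports:
+- name: redis
+containerPort: 6379
+volumes:
+- name: redis-conf-vol
+configMap:
+name: redis-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: redis
+namespace: syscom
+spec:
+selector:
+app: redis
+ports:
+- protocol: TCP
+port: 6379
+targetPort: 6379
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: redis-network-policy
+namespace: syscom
+spec:
+podSelector:
+matchLabels:
+app: redis
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: syscom
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: harbor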
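Review bot: The `redis.conf` mounted at `/usr/local/etc/redis` is never loaded, because the container spec has no `command`/`args` and the official `redis:6.2` image's default command runs `redis-server` with no config file; add `command: ["redis-server", "/usr/local/etc/redis/redis.conf"]` to the container. Nothing breaks today only because `databases 16` happens to match Redis's default, but the ConfigMap comment's promise that the database count can be raised here is false until the file is actually read. Separately, the server runs with no `requirepass`, and the NetworkPolicy admits every pod in the `syscom` and `harbor` namespaces rather than only Harbor's own pods, so any workload in either namespace can read or rewrite Harbor's session and job-queue state; consider a `requirepass` line sourced from a Secret rather than this ConfigMap, paired with `redis.external.password` in harbor/values.yaml, and a `podSelector` next to the `harbor` namespaceSelector. Note also that the `kubernetes.io/metadata.name` label the policy matches on is only set automatically on clusters running Kubernetes 1.21 or newer, so on an older cluster the rule silently matches no namespace.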