add Harbor

9 months ago · 7a016a8232
parent c9ec56c3be
commit 7a016a8232
3 changed files with 155 additions and 0 deletions
--- a/harbor/README.md
+++ b/harbor/README.md
@ -0,0 +1,27 @@
+# Harbor
+See [Deploying Harbor with High Availability via Helm](https://goharbor.io/docs/2.4.0/install-config/harbor-ha-helm/).
+
+## Database setup
+On coffee, switch to the `postgres` user, run `psql`, and execute the following:
+```sql
+CREATE USER harbor WITH PASSWORD 'REPLACE_ME';
+CREATE DATABASE harbor_registry OWNER harbor;
+REVOKE ALL ON DATABASE harbor_registry FROM PUBLIC;
+CREATE DATABASE harbor_notary_server OWNER harbor;
+REVOKE ALL ON DATABASE harbor_notary_server FROM PUBLIC;
+CREATE DATABASE harbor_notary_signer OWNER harbor;
+REVOKE ALL ON DATABASE harbor_notary_signer FROM PUBLIC;
+```
+
+## Redis setup
+See [syscom-redis.yaml](../syscom-redis.yaml). The reason why this is in the
+syscom namespace is because we may decide to re-use this Redis server for
+other apps.
+
+## Install the Helm chart
+Open values.yaml and replace all instances of 'REPLACE_ME' with appropriate username/password values.
+
+Check https://artifacthub.io/packages/helm/harbor/harbor to see what the latest **stable** version is.
+```sh
+helm install -f values.yaml --create-namespace --namespace harbor harbor1 harbor/harbor --version 1.8.1
+```
--- a/harbor/values.yaml
+++ b/harbor/values.yaml
@ -0,0 +1,50 @@
+# run `helm show values harbor/harbor` to see defaults
+expose:
+  # We are performing TLS termination OUTSIDE of the k8s cluster
+  tls:
+    enabled: false
+  type: ingress
+  ingress:
+    hosts:
+      core: registry.cloud.csclub.uwaterloo.ca
+      notary: notary.cloud.csclub.uwaterloo.ca
+    annotations:
+      ingress.kubernetes.io/ssl-redirect: "false"
+      nginx.ingress.kubernetes.io/ssl-redirect: "false"
+externalURL: https://registry.cloud.csclub.uwaterloo.ca
+harborAdminPassword: REPLACE_ME
+# must be a string of 16 chars
+secretKey: REPLACE_ME
+ipFamily:
+  ipv6:
+    enabled: false
+persistence:
+  persistentVolumeClaim:
+    registry:
+      size: 1Ti
+registry:
+  credentials:
+    username: REPLACE_ME
+    password: REPLACE_ME
+chartmuseum:
+  enabled: false
+trivy:
+  enabled: false
+database:
+  type: external
+  external:
+    host: coffee.csclub.uwaterloo.ca
+    port: "5432"
+    username: REPLACE_ME
+    password: REPLACE_ME
+    coreDatabase: harbor_registry
+    notaryServerDatabase: harbor_notary_server
+    notarySignerDatabase: harbor_notary_signer
+    sslmode: require
+redis:
+  type: external
+  external:
+    addr: redis.syscom:6379
+    coreDatabaseIndex: "0"
+    jobserviceDatabaseIndex: "1"
+    registryDatabaseIndex: "2"
--- a/syscom-redis.yaml
+++ b/syscom-redis.yaml
@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: syscom
+  name: redis-config
+data:
+  # Increase the number of databases if necessary.
+  # If you add another app which uses this Redis instance, make sure
+  # to also update the NetworkPolicy in this file.
+  #
+  # Database 0: Harbor core
+  # Database 1: Harbor job service
+  # database 2: Harbor registry
+  redis.conf: |
+    databases 16
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: syscom
+  name: redis
+  labels:
+    app: redis
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:6.2
+          volumeMounts:
+            - mountPath: "/usr/local/etc/redis"
+              name: redis-conf-vol
+          ports:
+            - name: redis
+              containerPort: 6379
+      volumes:
+        - name: redis-conf-vol
+          configMap:
+            name: redis-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: syscom
+spec:
+  selector:
+    app: redis
+  ports:
+    - protocol: TCP
+      port: 6379
+      targetPort: 6379
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: redis-network-policy
+  namespace: syscom
+spec:
+  podSelector:
+    matchLabels:
+      app: redis
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: syscom
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: harbor