From 7a016a8232139798afadf48713ce4c415a96fdf5 Mon Sep 17 00:00:00 2001
From: Max Erenberg
Date: Thu, 30 Dec 2021 17:03:38 -0500
Subject: [PATCH] add Harbor

---
 harbor/README.md | 27 ++++++++++++++++
 harbor/values.yaml | 50 +++++++++++++++++++++++++++++
 syscom-redis.yaml | 78 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 155 insertions(+)
 create mode 100644 harbor/README.md
 create mode 100644 harbor/values.yaml
 create mode 100644 syscom-redis.yaml

diff --git a/harbor/README.md b/harbor/README.md
new file mode 100644
index 0000000..08edcbc
--- /dev/null
+++ b/harbor/README.md
@@ -0,0 +1,27 @@
+# Harbor
+See [Deploying Harbor with High Availability via Helm](https://goharbor.io/docs/2.4.0/install-config/harbor-ha-helm/).
+
+## Database setup
+On coffee, switch to the `postgres` user, run `psql`, and execute the following:
+```sql
+CREATE USER harbor WITH PASSWORD 'REPLACE_ME';
+CREATE DATABASE harbor_registry OWNER harbor;
+REVOKE ALL ON DATABASE harbor_registry FROM PUBLIC;
+CREATE DATABASE harbor_notary_server OWNER harbor;
+REVOKE ALL ON DATABASE harbor_notary_server FROM PUBLIC;
+CREATE DATABASE harbor_notary_signer OWNER harbor;
+REVOKE ALL ON DATABASE harbor_notary_signer FROM PUBLIC;
+```
+
+## Redis setup
+See [syscom-redis.yaml](../syscom-redis.yaml). The reason why this is in the
+syscom namespace is because we may decide to re-use this Redis server for
+other apps.
+
+## Install the Helm chart
+Open values.yaml and replace all instances of 'REPLACE_ME' with appropriate username/password values.
+
+Check https://artifacthub.io/packages/helm/harbor/harbor to see what the latest **stable** version is.
+```sh
+helm install -f values.yaml --create-namespace --namespace harbor harbor1 harbor/harbor --version 1.8.1
+```
diff --git a/harbor/values.yaml b/harbor/values.yaml
new file mode 100644
index 0000000..0f9d1c2
--- /dev/null
+++ b/harbor/values.yaml
@@ -0,0 +1,50 @@
+# run `helm show values harbor/harbor` to see defaults
+expose:
+ # We are performing TLS termination OUTSIDE of the k8s cluster
+ tls:
+ enabled: false
+ type: ingress
+ ingress:
+ hosts:
+ core: registry.cloud.csclub.uwaterloo.ca
+ notary: notary.cloud.csclub.uwaterloo.ca
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "false"
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+externalURL: https://registry.cloud.csclub.uwaterloo.ca
+harborAdminPassword: REPLACE_ME
+# must be a string of 16 chars
+secretKey: REPLACE_ME
+ipFamily:
+ ipv6:
+ enabled: false
+persistence:
+ persistentVolumeClaim:
+ registry:
+ size: 1Ti
+registry:
+ credentials:
+ username: REPLACE_ME
+ password: REPLACE_ME
+chartmuseum:
+ enabled: false
+trivy:
+ enabled: false
+database:
+ type: external
+ external:
+ host: coffee.csclub.uwaterloo.ca
+ port: "5432"
+ username: REPLACE_ME
+ password: REPLACE_ME
+ coreDatabase: harbor_registry
+ notaryServerDatabase: harbor_notary_server
+ notarySignerDatabase: harbor_notary_signer
+ sslmode: require
+redis:
+ type: external
+ external:
+ addr: redis.syscom:6379
+ coreDatabaseIndex: "0"
+ jobserviceDatabaseIndex: "1"
+ registryDatabaseIndex: "2"
diff --git a/syscom-redis.yaml b/syscom-redis.yaml
new file mode 100644
index 0000000..197504e
--- /dev/null
+++ b/syscom-redis.yaml
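Review bot: `sslmode: require` under `database.external` encrypts the connection to coffee but does not verify the server's certificate, so the database credentials kept next to it are handed to whatever endpoint answers for `coffee.csclub.uwaterloo.ca`; if the server's CA can be supplied to the chart version in use, `sslmode: verify-full` closes that gap, and otherwise a comment such as `# require = encrypted but server identity not verified` records the trade-off. Separately, the README directs the reader to overwrite every `REPLACE_ME` in this tracked file, which puts `harborAdminPassword`, `secretKey` and the database and registry passwords into the working tree where a careless `git add` commits them. Keeping those keys in a separate untracked values file passed as a second `-f` to `helm install` (later files override earlier ones) avoids that, and a comment above `harborAdminPassword` such as `# Do not commit real values; supply secrets from an untracked override file` makes the intent explicit.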
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: syscom
+ name: redis-config
+data:
+ # Increase the number of databases if necessary.
+ # If you add another app which uses this Redis instance, make sure
+ # to also update the NetworkPolicy in this file.
+ #
+ # Database 0: Harbor core
+ # Database 1: Harbor job service
+ # database 2: Harbor registry
+ redis.conf: |
+ databases 16
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: syscom
+ name: redis
+ labels:
+ app: redis
+spec:
+ selector:
+ matchLabels:
+ app: redis
+ template:
+ metadata:
+ labels:
+ app: redis
+ spec:
+ containers:
+ - name: redis
+ image: redis:6.2
+ volumeMounts:
+ - mountPath: "/usr/local/etc/redis"
+ name: redis-conf-vol
+ ports:
+ - name: redis
+ containerPort: 6379
+ volumes:
+ - name: redis-conf-vol
+ configMap:
+ name: redis-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis
+ namespace: syscom
+spec:
+ selector:
+ app: redis
+ ports:
+ - protocol: TCP
+ port: 6379
+ targetPort: 6379
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: redis-network-policy
+ namespace: syscom
+spec:
+ podSelector:
+ matchLabels:
+ app: redis
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: syscom
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: harbor
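Review bot: The `redis` container in the Deployment sets no `command` or `args`, so the official `redis:6.2` image starts `redis-server` with built-in defaults and the `redis.conf` mounted at `/usr/local/etc/redis` is never read; `databases 16` happens to equal the default, which hides this, but the ConfigMap's "Increase the number of databases if necessary" guidance would then silently do nothing. Adding `args: ["redis-server", "/usr/local/etc/redis/redis.conf"]` to the container makes the ConfigMap take effect. Separately, this Redis runs without authentication (no `requirepass` in the config and no password in the Harbor values), so the NetworkPolicy is the only access control, and it admits every pod in the `syscom` and `harbor` namespaces on any port while being enforced only if the cluster's CNI implements NetworkPolicy. A comment above `kind: NetworkPolicy` such as `# Redis has no auth: this policy is the only access control and needs a NetworkPolicy-enforcing CNI`, plus a `ports:` entry restricting the ingress rule to `6379`, would document and narrow that exposure.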