2025-12-15 22:05:40 -03:00
|
|
|
# services/harbor/helmrelease.yaml
|
2025-12-17 01:39:49 -03:00
|
|
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
2025-12-15 22:05:40 -03:00
|
|
|
kind: HelmRelease
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor
|
|
|
|
|
namespace: harbor
|
|
|
|
|
spec:
|
|
|
|
|
interval: 10m
|
2025-12-17 01:39:49 -03:00
|
|
|
install:
|
|
|
|
|
timeout: 20m
|
|
|
|
|
remediation:
|
|
|
|
|
retries: 3
|
|
|
|
|
upgrade:
|
|
|
|
|
timeout: 20m
|
|
|
|
|
remediation:
|
|
|
|
|
retries: 3
|
|
|
|
|
remediateLastFailure: true
|
|
|
|
|
cleanupOnFail: true
|
|
|
|
|
rollback:
|
|
|
|
|
timeout: 20m
|
2025-12-15 22:05:40 -03:00
|
|
|
chart:
|
|
|
|
|
spec:
|
|
|
|
|
chart: harbor
|
|
|
|
|
version: 1.18.1
|
|
|
|
|
sourceRef:
|
|
|
|
|
kind: HelmRepository
|
|
|
|
|
name: harbor
|
|
|
|
|
namespace: flux-system
|
|
|
|
|
values:
|
|
|
|
|
externalURL: https://registry.bstein.dev
|
2025-12-16 03:22:01 -03:00
|
|
|
imagePullPolicy: IfNotPresent
|
2026-01-14 10:07:31 -03:00
|
|
|
imagePullSecrets:
|
|
|
|
|
- name: harbor-regcred
|
2025-12-15 22:05:40 -03:00
|
|
|
expose:
|
|
|
|
|
type: ingress
|
|
|
|
|
tls:
|
|
|
|
|
enabled: true
|
|
|
|
|
certSource: secret
|
|
|
|
|
secret:
|
|
|
|
|
secretName: registry-bstein-dev-tls
|
|
|
|
|
ingress:
|
|
|
|
|
className: traefik
|
|
|
|
|
annotations:
|
|
|
|
|
cert-manager.io/cluster-issuer: letsencrypt
|
|
|
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
|
|
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
|
|
|
hosts:
|
|
|
|
|
core: registry.bstein.dev
|
|
|
|
|
persistence:
|
|
|
|
|
enabled: true
|
|
|
|
|
resourcePolicy: keep
|
|
|
|
|
persistentVolumeClaim:
|
|
|
|
|
registry:
|
|
|
|
|
existingClaim: harbor-registry
|
|
|
|
|
accessMode: ReadWriteOnce
|
|
|
|
|
size: 50Gi
|
|
|
|
|
jobservice:
|
|
|
|
|
jobLog:
|
|
|
|
|
existingClaim: harbor-jobservice-logs
|
|
|
|
|
accessMode: ReadWriteOnce
|
|
|
|
|
size: 5Gi
|
|
|
|
|
imageChartStorage:
|
|
|
|
|
type: filesystem
|
|
|
|
|
filesystem:
|
|
|
|
|
rootdirectory: /storage
|
|
|
|
|
database:
|
|
|
|
|
type: external
|
|
|
|
|
external:
|
|
|
|
|
host: postgres-service.postgres.svc.cluster.local
|
|
|
|
|
port: "5432"
|
|
|
|
|
username: harbor
|
|
|
|
|
coreDatabase: harbor
|
|
|
|
|
existingSecret: harbor-db
|
|
|
|
|
sslmode: disable
|
|
|
|
|
redis:
|
|
|
|
|
type: internal
|
2025-12-15 23:14:26 -03:00
|
|
|
internal:
|
2025-12-16 11:16:34 -03:00
|
|
|
image:
|
|
|
|
|
repository: registry.bstein.dev/infra/harbor-redis
|
2025-12-17 17:29:03 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-redis:tag"}
|
2025-12-17 03:30:31 -03:00
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/hostname: titan-05
|
2025-12-15 23:14:26 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
|
|
|
|
- key: kubernetes.io/arch
|
|
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["arm64"]
|
2025-12-15 23:14:26 -03:00
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 90
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:14:26 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi5"]
|
2025-12-16 03:22:01 -03:00
|
|
|
- weight: 50
|
2025-12-15 23:14:26 -03:00
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:14:26 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi4"]
|
2025-12-15 22:05:40 -03:00
|
|
|
trivy:
|
|
|
|
|
enabled: false
|
|
|
|
|
metrics:
|
|
|
|
|
enabled: false
|
|
|
|
|
cache:
|
|
|
|
|
enabled: false
|
|
|
|
|
existingSecretAdminPassword: harbor-core
|
2025-12-15 22:08:52 -03:00
|
|
|
existingSecretAdminPasswordKey: harbor_admin_password
|
|
|
|
|
existingSecretSecretKey: harbor-core
|
|
|
|
|
core:
|
2025-12-16 03:22:01 -03:00
|
|
|
image:
|
2026-01-14 21:02:50 -03:00
|
|
|
repository: registry.bstein.dev/infra/harbor-core
|
2025-12-17 17:54:50 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-core:tag"}
|
2025-12-17 03:30:31 -03:00
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/hostname: titan-05
|
2026-01-14 20:46:46 -03:00
|
|
|
serviceAccountName: harbor-vault-sync
|
|
|
|
|
automountServiceAccountToken: true
|
2025-12-15 22:08:52 -03:00
|
|
|
existingSecret: harbor-core
|
|
|
|
|
existingXsrfSecret: harbor-core
|
|
|
|
|
existingXsrfSecretKey: CSRF_KEY
|
2026-01-14 20:46:46 -03:00
|
|
|
secretName: harbor-core
|
|
|
|
|
podAnnotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
|
|
|
vault.hashicorp.com/role: "harbor"
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-core-env.sh: "kv/data/atlas/harbor/harbor-core"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-core-env.sh: |
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-core" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export CORE_SECRET="{{ .Data.data.secret }}"
|
|
|
|
|
export CSRF_KEY="{{ .Data.data.CSRF_KEY }}"
|
|
|
|
|
export HARBOR_ADMIN_PASSWORD="{{ .Data.data.harbor_admin_password }}"
|
|
|
|
|
export REGISTRY_CREDENTIAL_PASSWORD="{{ .Data.data.REGISTRY_CREDENTIAL_PASSWORD }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-jobservice" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export JOBSERVICE_SECRET="{{ .Data.data.JOBSERVICE_SECRET }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-db" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export POSTGRESQL_PASSWORD="{{ .Data.data.password }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-oidc" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export CONFIG_OVERWRITE_JSON='{{ .Data.data.CONFIG_OVERWRITE_JSON }}'
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
2026-01-14 20:46:46 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-core-secretKey: "kv/data/atlas/harbor/harbor-core"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-core-secretKey: |
|
2026-01-14 22:07:51 -03:00
|
|
|
{{- with secret "kv/data/atlas/harbor/harbor-core" -}}{{ .Data.data.secretKey }}{{- end -}}
|
2026-01-14 20:46:46 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-core-tls-key: "kv/data/atlas/harbor/harbor-core"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-core-tls-key: |
|
|
|
|
|
{{- with secret "kv/data/atlas/harbor/harbor-core" -}}
|
|
|
|
|
{{ index .Data.data "tls.key" }}
|
|
|
|
|
{{- end }}
|
2025-12-15 23:00:11 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
2025-12-15 23:02:58 -03:00
|
|
|
- key: kubernetes.io/arch
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["arm64"]
|
2025-12-15 23:00:11 -03:00
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 90
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi5"]
|
2025-12-16 03:22:01 -03:00
|
|
|
- weight: 50
|
2025-12-15 23:00:11 -03:00
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi4"]
|
2025-12-15 23:00:11 -03:00
|
|
|
jobservice:
|
2025-12-16 03:22:01 -03:00
|
|
|
image:
|
2026-01-14 21:02:50 -03:00
|
|
|
repository: registry.bstein.dev/infra/harbor-jobservice
|
2025-12-17 17:54:50 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-jobservice:tag"}
|
2025-12-17 03:30:31 -03:00
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/hostname: titan-05
|
2026-01-14 20:46:46 -03:00
|
|
|
serviceAccountName: harbor-vault-sync
|
|
|
|
|
automountServiceAccountToken: true
|
|
|
|
|
existingSecret: harbor-jobservice
|
|
|
|
|
podAnnotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
|
|
|
vault.hashicorp.com/role: "harbor"
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-jobservice-env.sh: "kv/data/atlas/harbor/harbor-jobservice"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-jobservice-env.sh: |
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-core" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export CORE_SECRET="{{ .Data.data.secret }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-jobservice" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export JOBSERVICE_SECRET="{{ .Data.data.JOBSERVICE_SECRET }}"
|
|
|
|
|
export REGISTRY_CREDENTIAL_PASSWORD="{{ .Data.data.REGISTRY_CREDENTIAL_PASSWORD }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
2025-12-15 23:00:11 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
2025-12-15 23:02:58 -03:00
|
|
|
- key: kubernetes.io/arch
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["arm64"]
|
2025-12-15 23:00:11 -03:00
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 90
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi5"]
|
2025-12-16 03:22:01 -03:00
|
|
|
- weight: 50
|
2025-12-15 23:00:11 -03:00
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi4"]
|
2025-12-15 23:00:11 -03:00
|
|
|
portal:
|
2025-12-16 03:22:01 -03:00
|
|
|
image:
|
|
|
|
|
repository: registry.bstein.dev/infra/harbor-portal
|
2025-12-17 17:54:50 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-portal:tag"}
|
2025-12-17 03:30:31 -03:00
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/hostname: titan-05
|
2025-12-15 23:00:11 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
2025-12-15 23:02:58 -03:00
|
|
|
- key: kubernetes.io/arch
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["arm64"]
|
2025-12-15 23:00:11 -03:00
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 90
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi5"]
|
2025-12-16 03:22:01 -03:00
|
|
|
- weight: 50
|
2025-12-15 23:00:11 -03:00
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2025-12-16 03:22:01 -03:00
|
|
|
- key: hardware
|
2025-12-15 23:00:11 -03:00
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi4"]
|
2025-12-15 23:00:11 -03:00
|
|
|
registry:
|
2025-12-16 11:16:34 -03:00
|
|
|
registry:
|
|
|
|
|
image:
|
2026-01-14 21:02:50 -03:00
|
|
|
repository: registry.bstein.dev/infra/harbor-registry
|
2025-12-17 17:54:50 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registry:tag"}
|
2025-12-16 11:16:34 -03:00
|
|
|
controller:
|
|
|
|
|
image:
|
2026-01-14 21:02:50 -03:00
|
|
|
repository: registry.bstein.dev/infra/harbor-registryctl
|
2025-12-17 17:54:50 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registryctl:tag"}
|
2026-01-14 20:46:46 -03:00
|
|
|
serviceAccountName: harbor-vault-sync
|
|
|
|
|
automountServiceAccountToken: true
|
|
|
|
|
existingSecret: harbor-registry
|
|
|
|
|
credentials:
|
|
|
|
|
existingSecret: harbor-registry
|
|
|
|
|
podAnnotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
|
|
|
vault.hashicorp.com/role: "harbor"
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-registry-env.sh: "kv/data/atlas/harbor/harbor-registry"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-registry-env.sh: |
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-registry" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export REGISTRY_HTTP_SECRET="{{ .Data.data.REGISTRY_HTTP_SECRET }}"
|
|
|
|
|
export REGISTRY_REDIS_PASSWORD="{{ .Data.data.REGISTRY_REDIS_PASSWORD }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
2026-01-14 20:46:46 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-registryctl-env.sh: "kv/data/atlas/harbor/harbor-registry"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-registryctl-env.sh: |
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-core" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export CORE_SECRET="{{ .Data.data.secret }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-jobservice" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export JOBSERVICE_SECRET="{{ .Data.data.JOBSERVICE_SECRET }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-registry" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export REGISTRY_HTTP_SECRET="{{ .Data.data.REGISTRY_HTTP_SECRET }}"
|
|
|
|
|
export REGISTRY_REDIS_PASSWORD="{{ .Data.data.REGISTRY_REDIS_PASSWORD }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
2026-01-14 20:46:46 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-registry-htpasswd: "kv/data/atlas/harbor/harbor-registry-htpasswd"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-registry-htpasswd: |
|
|
|
|
|
{{- with secret "kv/data/atlas/harbor/harbor-registry-htpasswd" -}}
|
|
|
|
|
{{ .Data.data.REGISTRY_HTPASSWD }}
|
|
|
|
|
{{- end }}
|
2025-12-17 03:30:31 -03:00
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/hostname: titan-05
|
2025-12-16 03:22:01 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
|
|
|
|
- key: kubernetes.io/arch
|
|
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["arm64"]
|
2025-12-16 03:22:01 -03:00
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 90
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: hardware
|
|
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi5"]
|
2025-12-16 03:22:01 -03:00
|
|
|
- weight: 50
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: hardware
|
|
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi4"]
|
2025-12-16 03:22:01 -03:00
|
|
|
nginx:
|
|
|
|
|
image:
|
|
|
|
|
repository: registry.bstein.dev/infra/harbor-nginx
|
2025-12-17 17:54:50 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-nginx:tag"}
|
2025-12-17 03:30:31 -03:00
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/hostname: titan-05
|
2025-12-16 03:22:01 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
|
|
|
|
- key: kubernetes.io/arch
|
|
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["arm64"]
|
2025-12-16 03:22:01 -03:00
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 90
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: hardware
|
|
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi5"]
|
2025-12-16 03:22:01 -03:00
|
|
|
- weight: 50
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: hardware
|
|
|
|
|
operator: In
|
2025-12-17 19:38:57 +00:00
|
|
|
values: ["rpi4"]
|
2025-12-16 03:22:01 -03:00
|
|
|
prepare:
|
|
|
|
|
image:
|
|
|
|
|
repository: registry.bstein.dev/infra/harbor-prepare
|
2025-12-17 17:54:50 -03:00
|
|
|
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-prepare:tag"}
|
2025-12-15 22:05:40 -03:00
|
|
|
updateStrategy:
|
|
|
|
|
type: Recreate
|
2026-01-14 20:46:46 -03:00
|
|
|
postRenderers:
|
|
|
|
|
- kustomize:
|
|
|
|
|
patches:
|
|
|
|
|
- target:
|
|
|
|
|
kind: Deployment
|
|
|
|
|
name: harbor-core
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: apps/v1
|
|
|
|
|
kind: Deployment
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-core
|
|
|
|
|
spec:
|
|
|
|
|
template:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
- name: core
|
2026-01-14 21:02:50 -03:00
|
|
|
command:
|
|
|
|
|
- /entrypoint.sh
|
|
|
|
|
args:
|
|
|
|
|
- /harbor/entrypoint.sh
|
2026-01-14 20:46:46 -03:00
|
|
|
env:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- name: VAULT_ENV_FILE
|
|
|
|
|
value: /vault/secrets/harbor-core-env.sh
|
|
|
|
|
- name: VAULT_COPY_FILES
|
2026-01-14 21:17:05 -03:00
|
|
|
value: /vault/secrets/harbor-core-secretkey:/etc/core/key,/vault/secrets/harbor-core-tls-key:/etc/core/private_key.pem
|
2026-01-14 20:46:46 -03:00
|
|
|
envFrom:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- configMapRef:
|
|
|
|
|
name: harbor-core
|
|
|
|
|
volumeMounts:
|
2026-01-14 21:29:40 -03:00
|
|
|
- $patch: replace
|
2026-01-14 21:02:50 -03:00
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
mountPath: /entrypoint.sh
|
|
|
|
|
subPath: vault-entrypoint.sh
|
2026-01-14 20:46:46 -03:00
|
|
|
- name: core-writable
|
|
|
|
|
mountPath: /etc/core
|
2026-01-14 21:29:40 -03:00
|
|
|
- name: config
|
|
|
|
|
mountPath: /etc/core/app.conf
|
|
|
|
|
subPath: app.conf
|
|
|
|
|
- name: ca-download
|
|
|
|
|
mountPath: /etc/core/ca
|
|
|
|
|
- name: psc
|
|
|
|
|
mountPath: /etc/core/token
|
2026-01-14 20:46:46 -03:00
|
|
|
volumes:
|
2026-01-14 21:02:50 -03:00
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
configMap:
|
|
|
|
|
name: harbor-vault-entrypoint
|
|
|
|
|
defaultMode: 493
|
2026-01-14 20:46:46 -03:00
|
|
|
- name: secret-key
|
|
|
|
|
$patch: delete
|
|
|
|
|
- name: token-service-private-key
|
|
|
|
|
$patch: delete
|
|
|
|
|
- name: core-writable
|
|
|
|
|
emptyDir: {}
|
2026-01-22 13:31:12 -03:00
|
|
|
- target:
|
|
|
|
|
kind: Ingress
|
|
|
|
|
name: harbor-ingress
|
|
|
|
|
patch: |-
|
|
|
|
|
- op: replace
|
|
|
|
|
path: /spec/rules/0/http/paths/2/backend/service/name
|
|
|
|
|
value: harbor-registry
|
|
|
|
|
- op: replace
|
|
|
|
|
path: /spec/rules/0/http/paths/2/backend/service/port/number
|
|
|
|
|
value: 5000
|
2026-01-14 20:46:46 -03:00
|
|
|
- target:
|
|
|
|
|
kind: Deployment
|
|
|
|
|
name: harbor-jobservice
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: apps/v1
|
|
|
|
|
kind: Deployment
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-jobservice
|
|
|
|
|
spec:
|
|
|
|
|
template:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
- name: jobservice
|
2026-01-14 21:02:50 -03:00
|
|
|
command:
|
|
|
|
|
- /entrypoint.sh
|
|
|
|
|
args:
|
|
|
|
|
- /harbor/entrypoint.sh
|
2026-01-14 20:46:46 -03:00
|
|
|
env:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- name: VAULT_ENV_FILE
|
|
|
|
|
value: /vault/secrets/harbor-jobservice-env.sh
|
|
|
|
|
envFrom:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- configMapRef:
|
|
|
|
|
name: harbor-jobservice-env
|
2026-01-14 21:02:50 -03:00
|
|
|
volumeMounts:
|
2026-01-14 21:29:40 -03:00
|
|
|
- $patch: replace
|
2026-01-14 21:02:50 -03:00
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
mountPath: /entrypoint.sh
|
|
|
|
|
subPath: vault-entrypoint.sh
|
2026-01-14 21:29:40 -03:00
|
|
|
- name: jobservice-config
|
|
|
|
|
mountPath: /etc/jobservice/config.yml
|
|
|
|
|
subPath: config.yml
|
|
|
|
|
- name: job-logs
|
|
|
|
|
mountPath: /var/log/jobs
|
2026-01-14 21:02:50 -03:00
|
|
|
volumes:
|
|
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
configMap:
|
|
|
|
|
name: harbor-vault-entrypoint
|
|
|
|
|
defaultMode: 493
|
2026-01-14 20:46:46 -03:00
|
|
|
- target:
|
|
|
|
|
kind: Deployment
|
|
|
|
|
name: harbor-registry
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: apps/v1
|
|
|
|
|
kind: Deployment
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-registry
|
|
|
|
|
spec:
|
|
|
|
|
template:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
- name: registry
|
2026-01-14 21:02:50 -03:00
|
|
|
command:
|
|
|
|
|
- /entrypoint.sh
|
|
|
|
|
args:
|
|
|
|
|
- /home/harbor/entrypoint.sh
|
2026-01-14 20:46:46 -03:00
|
|
|
env:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- name: VAULT_ENV_FILE
|
|
|
|
|
value: /vault/secrets/harbor-registry-env.sh
|
|
|
|
|
- name: VAULT_COPY_FILES
|
|
|
|
|
value: /vault/secrets/harbor-registry-htpasswd:/etc/registry/passwd
|
|
|
|
|
envFrom:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
volumeMounts:
|
2026-01-14 21:29:40 -03:00
|
|
|
- $patch: replace
|
2026-01-14 21:02:50 -03:00
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
mountPath: /entrypoint.sh
|
|
|
|
|
subPath: vault-entrypoint.sh
|
2026-01-14 20:46:46 -03:00
|
|
|
- name: registry-writable
|
|
|
|
|
mountPath: /etc/registry
|
2026-01-14 21:29:40 -03:00
|
|
|
- name: registry-config
|
|
|
|
|
mountPath: /etc/registry/config.yml
|
|
|
|
|
subPath: config.yml
|
|
|
|
|
- name: registry-data
|
|
|
|
|
mountPath: /storage
|
2026-01-14 20:46:46 -03:00
|
|
|
- name: registryctl
|
2026-01-14 21:02:50 -03:00
|
|
|
command:
|
|
|
|
|
- /entrypoint.sh
|
|
|
|
|
args:
|
|
|
|
|
- /home/harbor/start.sh
|
2026-01-14 20:46:46 -03:00
|
|
|
env:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- name: VAULT_ENV_FILE
|
|
|
|
|
value: /vault/secrets/harbor-registryctl-env.sh
|
|
|
|
|
envFrom:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- configMapRef:
|
|
|
|
|
name: harbor-registryctl
|
2026-01-14 21:02:50 -03:00
|
|
|
volumeMounts:
|
2026-01-14 21:29:40 -03:00
|
|
|
- $patch: replace
|
2026-01-14 21:02:50 -03:00
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
mountPath: /entrypoint.sh
|
|
|
|
|
subPath: vault-entrypoint.sh
|
2026-01-14 21:29:40 -03:00
|
|
|
- name: registry-config
|
|
|
|
|
mountPath: /etc/registry/config.yml
|
|
|
|
|
subPath: config.yml
|
|
|
|
|
- name: registry-config
|
|
|
|
|
mountPath: /etc/registryctl/config.yml
|
|
|
|
|
subPath: ctl-config.yml
|
|
|
|
|
- name: registry-data
|
|
|
|
|
mountPath: /storage
|
2026-01-14 20:46:46 -03:00
|
|
|
volumes:
|
2026-01-14 21:02:50 -03:00
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
configMap:
|
|
|
|
|
name: harbor-vault-entrypoint
|
|
|
|
|
defaultMode: 493
|
2026-01-14 20:46:46 -03:00
|
|
|
- name: registry-htpasswd
|
|
|
|
|
$patch: delete
|
|
|
|
|
- name: registry-writable
|
|
|
|
|
emptyDir: {}
|
|
|
|
|
- target:
|
|
|
|
|
kind: Job
|
|
|
|
|
name: migration-job
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: batch/v1
|
|
|
|
|
kind: Job
|
|
|
|
|
metadata:
|
|
|
|
|
name: migration-job
|
|
|
|
|
spec:
|
|
|
|
|
template:
|
|
|
|
|
metadata:
|
|
|
|
|
annotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
|
|
|
vault.hashicorp.com/role: "harbor"
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-core-env.sh: "kv/data/atlas/harbor/harbor-core"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-core-env.sh: |
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-core" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export CORE_SECRET="{{ .Data.data.secret }}"
|
|
|
|
|
export CSRF_KEY="{{ .Data.data.CSRF_KEY }}"
|
|
|
|
|
export HARBOR_ADMIN_PASSWORD="{{ .Data.data.harbor_admin_password }}"
|
|
|
|
|
export REGISTRY_CREDENTIAL_PASSWORD="{{ .Data.data.REGISTRY_CREDENTIAL_PASSWORD }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-jobservice" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export JOBSERVICE_SECRET="{{ .Data.data.JOBSERVICE_SECRET }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-db" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export POSTGRESQL_PASSWORD="{{ .Data.data.password }}"
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/harbor/harbor-oidc" }}
|
2026-01-14 20:46:46 -03:00
|
|
|
export CONFIG_OVERWRITE_JSON='{{ .Data.data.CONFIG_OVERWRITE_JSON }}'
|
2026-01-14 22:07:51 -03:00
|
|
|
{{ end }}
|
2026-01-14 20:46:46 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-core-secretKey: "kv/data/atlas/harbor/harbor-core"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-core-secretKey: |
|
2026-01-14 22:07:51 -03:00
|
|
|
{{- with secret "kv/data/atlas/harbor/harbor-core" -}}{{ .Data.data.secretKey }}{{- end -}}
|
2026-01-14 20:46:46 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-harbor-core-tls-key: "kv/data/atlas/harbor/harbor-core"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-harbor-core-tls-key: |
|
|
|
|
|
{{- with secret "kv/data/atlas/harbor/harbor-core" -}}
|
|
|
|
|
{{ index .Data.data "tls.key" }}
|
|
|
|
|
{{- end }}
|
|
|
|
|
spec:
|
|
|
|
|
automountServiceAccountToken: true
|
|
|
|
|
containers:
|
|
|
|
|
- name: core-job
|
2026-01-14 21:02:50 -03:00
|
|
|
command:
|
|
|
|
|
- /entrypoint.sh
|
|
|
|
|
args:
|
|
|
|
|
- /harbor/harbor_core
|
|
|
|
|
- -mode=migrate
|
2026-01-14 20:46:46 -03:00
|
|
|
env:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- name: VAULT_ENV_FILE
|
|
|
|
|
value: /vault/secrets/harbor-core-env.sh
|
|
|
|
|
envFrom:
|
|
|
|
|
- $patch: replace
|
|
|
|
|
- configMapRef:
|
|
|
|
|
name: harbor-core
|
2026-01-14 21:02:50 -03:00
|
|
|
volumeMounts:
|
2026-01-14 21:29:40 -03:00
|
|
|
- $patch: replace
|
2026-01-14 21:02:50 -03:00
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
mountPath: /entrypoint.sh
|
|
|
|
|
subPath: vault-entrypoint.sh
|
2026-01-14 21:29:40 -03:00
|
|
|
- name: config
|
|
|
|
|
mountPath: /etc/core/app.conf
|
|
|
|
|
subPath: app.conf
|
2026-01-14 21:02:50 -03:00
|
|
|
volumes:
|
|
|
|
|
- name: harbor-vault-entrypoint
|
|
|
|
|
configMap:
|
|
|
|
|
name: harbor-vault-entrypoint
|
|
|
|
|
defaultMode: 493
|
2026-01-14 20:46:46 -03:00
|
|
|
- target:
|
|
|
|
|
kind: Secret
|
|
|
|
|
name: harbor-core
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-core
|
|
|
|
|
$patch: delete
|
|
|
|
|
- target:
|
|
|
|
|
kind: Secret
|
|
|
|
|
name: harbor-jobservice
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-jobservice
|
|
|
|
|
$patch: delete
|
|
|
|
|
- target:
|
|
|
|
|
kind: Secret
|
|
|
|
|
name: harbor-registry
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-registry
|
|
|
|
|
$patch: delete
|
|
|
|
|
- target:
|
|
|
|
|
kind: Secret
|
|
|
|
|
name: harbor-registry-htpasswd
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-registry-htpasswd
|
|
|
|
|
$patch: delete
|
|
|
|
|
- target:
|
|
|
|
|
kind: Secret
|
|
|
|
|
name: harbor-registryctl
|
|
|
|
|
patch: |-
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
metadata:
|
|
|
|
|
name: harbor-registryctl
|
|
|
|
|
$patch: delete
|
