Initial helm chart for Harbor (goharbor#4271)

.gitignore

@@ -1,4 +1,6 @@
 harbor
+!/contrib/helm/harbor
+
 make/docker-compose.yml
 make/common/config/*
 make/dev/adminserver/harbor_adminserver

contrib/helm/harbor/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

contrib/helm/harbor/Chart.yaml

@@ -0,0 +1,17 @@
+name: harbor
+version: 0.0.1
+appVersion: 1.3.0
+description: An Enterprise-class Docker Registry Harbor by VMware
+keywords:
+- vmware
+- docker
+- registry
+- harbor
+home: https://github.com/vmware/harbor
+icon: https://github.com/vmware/harbor/blob/master/docs/img/harbor_logo.png
+sources:
+- https://github.com/vmware/harbor
+maintainers:
+- name: paulczar
+  email: username.taken@gmail.com
+engine: gotpl

contrib/helm/harbor/README.md

@@ -0,0 +1,130 @@
+# Project Harbor by VMware
+
+[Harbor](http://vmware.github.io/harbor/) is an enterprise-class registry server that stores and distributes Docker images. Harbor extends the open source Docker Distribution by adding the functionalities usually required by an enterprise, such as security, identity and management. As an enterprise private registry, Harbor offers better performance and security. Having a registry closer to the build and run environment improves the image transfer efficiency. Harbor supports the setup of multiple registries and has images replicated between them. In addition, Harbor offers advanced security features, such as user management, access control and activity auditing.
+
+## Introduction
+
+This is an experimental monolithic chart that installs and configures VMWare Harbor and its dependencies. The initial implementation of this includes all of the components required to run Harbor. As upstream harbor becomes more cloud native we will be able to break apart the monolith and utitlize helm dependencies.
+
+## Prerequisites
+
+- Kubernetes 1.7+ with Beta APIs enabled
+- PV provisioner support in the underlying infrastructure
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+$ git clone https://github.com/vmware/harbor.git
+$ cd harbor/contrib/helm/harbor
+$ helm install --name my-release incubator/harbor
+```
+
+The command deploys Harbor on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```bash
+$ helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+The following tables lists the configurable parameters of the Percona chart and their default values.
+
+| Parameter                  | Description                        | Default                 |
+| -----------------------    | ---------------------------------- | ----------------------- |
+| **Harbor** |
+| `externalDomain`               | domain harbor will run on (https://*harbor.url*/) |`harbor.192.168.99.100.xip.io`   |
+| `tls_crt`               | TLS certificate to use for Harbor's https endpoint | see values.yaml |
+| `tls_key`               | TLS key to use for Harbor's https endpoint | see values.yaml |
+| `ca_crt`               | CA Cert for self signed TLS cert | see values.yaml |
+| `persistence.enabled` | enable persistent data storage | `false` |
+| **Adminserver** |
+| `adminserver.image.repository` | Repository for adminserver image | `vmware/harbor-adminserver` |
+| `adminserver.image.tag` | Tag for adminserver image | `v1.3.0` |
+| `adminserver.image.pullPolicy` | Pull Policy for adminserver image | `IfNotPresent` |
+| `adminserver.emailHost` | email server | `smtp.mydomain.com` |
+| `adminserver.emailPort` | email port | `25` |
+| `adminserver.emailUser` | email username | `sample_admin@mydomain.com` |
+| `adminserver.emailSsl` | email uses SSL? | `false` |
+| `adminserver.emailFrom` | send email from address | `admin <sample_admin@mydomain.com>` |
+| `adminserver.emailIdentity` | | "" |
+| `adminserver.key` | adminsever key | `not-a-secure-key` |
+| `adminserver.emailPwd` | password for email | `not-a-secure-password` |
+| `adminserver.harborAdminPassword` | password for admin user | `Harbor12345` |
+| `adminserver.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container   | undefined |
+| `adminserver.volumes` | used to create PVCs if persistence is enabled (see instructions in values.yaml) | see values.yaml |
+| **Jobservice** |
+| `jobservice.image.repository` | Repository for jobservice image | `vmware/harbor-jobservice` |
+| `jobservice.image.tag` | Tag for jobservice image | `v1.3.0` |
+| `jobservice.image.pullPolicy` | Pull Policy for jobservice image | `IfNotPresent` |
+| `jobservice.key` | jobservice key | `not-a-secure-key` |
+| `jobservice.secret` | jobservice secret | `not-a-secure-secret` |
+| `jobservice.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container   | undefined |
+| **UI** |
+| `ui.image.repository` | Repository for ui image | `vmware/harbor-ui` |
+| `ui.image.tag` | Tag for ui image | `v1.3.0` |
+| `ui.image.pullPolicy` | Pull Policy for ui image | `IfNotPresent` |
+| `ui.key` | ui key | `not-a-secure-key` |
+| `ui.secret` | ui secret | `not-a-secure-secret` |
+| `ui.privateKeyPem` | ui private key | see values.yaml |
+| `ui.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container   | undefined |
+| **MySQL** |
+| `mysql.image.repository` | Repository for mysql image | `vmware/harbor-mysql` |
+| `mysql.image.tag` | Tag for mysql image | `v1.3.0` |
+| `mysql.image.pullPolicy` | Pull Policy for mysql image | `IfNotPresent` |
+| `mysql.host` | MySQL Server | `~` |
+| `mysql.port` | MySQL Port | `3306` |
+| `mysql.user` | MySQL Username | `root` |
+| `mysql.pass` | MySQL Password | `registry` |
+| `mysql.database` | MySQL Database | `registry` |
+| `mysql.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container   | undefined |
+| `mysql.volumes` | used to create PVCs if persistence is enabled (see instructions in values.yaml) | see values.yaml |
+| **Registry** |
+| `registry.image.repository` | Repository for registry image | `vmware/harbor-registry` |
+| `registry.image.tag` | Tag for registry image | `v1.3.0` |
+| `registry.image.pullPolicy` | Pull Policy for registry image | `IfNotPresent` |
+| `registry.rootCrt` | registry root cert | see values.yaml |
+| `registry.httpSecret` | registry secret | `not-a-secure-secret` |
+| `registry.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container   | undefined |
+| `registry.volumes` | used to create PVCs if persistence is enabled (see instructions in values.yaml) | see values.yaml |
+| **Clair** |
+| `clair.enabled` | Enable clair? | `false` |
+| `clair.postgresPassword` | password for clair postgres | see values.yaml |
+| `clair.image.repository` | Repository for clair image | `vmware/clair` |
+| `clair.image.tag` | Tag for clair image | `v2.0.1-photon` |
+| `clair.image.pullPolicy` | Pull Policy for clair image | `IfNotPresent` |
+| `clair.pgImage.repository` | Repository for clair postgres image | `postgres` |
+| `clair.pgImage.tag` | Tag for clair postgres image | `9.6.4` |
+| `clair.pgImage.pullPolicy` | Pull Policy for clair postgres image | `IfNotPresent` |
+| `clair.resources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container   | undefined | `clair.pgResources` | [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to allocate for container   | undefined |
+| | | |
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
+
+```bash
+$ helm install --name my-release --set mysql.pass=baconeggs .
+```
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```bash
+$ helm install --name my-release -f /path/to/values.yaml .
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Persistence
+
+VMWare Harbor stores the data and configurations in emptyDir volumes. You can change the values.yaml to enable persistence and use a PersistentVolumeClaim instead.
+
+> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."*

contrib/helm/harbor/templates/NOTES.txt

@@ -0,0 +1,15 @@
+To add the CA certificate to docker copy the contents of the following command into /etc/docker/certs.d/{{ .Values.externalDomain }}:
+
+$ kubectl get secret \
+    --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }}-ingress \
+    -o jsonpath="{.data.ca\.crt}" | base64 --decode
+
+Access Harbor via: https://{{ .Values.externalDomain }}
+
+login to harbor with docker cli:
+
+docker login {{ .Values.externalDomain }}
+
+To get your admin password run the following (not yet ready):
+
+$ kubectl get secret --namespace {{ .Release.Namespace }} {{ template "harbor.fullname" . }} -o jsonpath="{.data.}" | base64 --decode; echo

contrib/helm/harbor/templates/_helpers.tpl

@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "harbor.name" -}}
+{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "harbor.fullname" -}}
+{{- $name := default "harbor" .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Helm required labels */}}
+{{- define "helm.labels" -}}
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+app: "{{ template "harbor.name" . }}"
+{{- end -}}
+
+{{/* matchLabels */}}
+{{- define "helm.matchLabels" -}}
+release: {{ .Release.Name }}
+app: "{{ template "harbor.name" . }}"
+{{- end -}}

contrib/helm/harbor/templates/adminserver/adminserver-cm.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ template "harbor.fullname" . }}-adminserver"
+  labels:
+{{ include "helm.labels" . | indent 4 }}
+data:
+  {{ if .Values.mysql.host -}}
+  MYSQL_HOST: "{{ .Values.mysql.host }}"
+  {{ else -}}
+  MYSQL_HOST: "{{ template "harbor.fullname" . }}-mysql"
+  {{ end -}}
+  MYSQL_PORT: "{{ .Values.mysql.port }}"
+  MYSQL_USR: "{{ .Values.mysql.user }}"
+  MYSQL_DATABASE: "{{ .Values.mysql.database }}"
+  EMAIL_HOST: "{{ .Values.adminserver.emailHost }}"
+  EMAIL_PORT: "{{ .Values.adminserver.emailPort }}"
+  EMAIL_USR: "{{ .Values.adminserver.emailUser }}"
+  EMAIL_SSL: "{{ .Values.adminserver.emailSsl }}"
+  EMAIL_FROM: "{{ .Values.adminserver.emailFrom }}"
+  EMAIL_IDENTITY: "{{ .Values.adminserver.emailIdentity }}"
+  EXT_ENDPOINT: "https://{{ .Values.externalDomain }}"
+  REGISTRY_URL: "http://{{ template "harbor.fullname" . }}-registry:5000"
+  TOKEN_SERVICE_URL: "http://{{ template "harbor.fullname" . }}-ui/service/token"
+  WITH_NOTARY: "{{ .Values.notary.enabled }}"
+  LOG_LEVEL: "info"
+  IMAGE_STORE_PATH: "/"
+  AUTH_MODE: "database"
+  SELF_REGISTRATION: "on"
+  LDAP_URL: "ldaps://ldapserver"
+  LDAP_SEARCH_DN: ""
+  LDAP_BASE_DN: ""
+  LDAP_FILTER: "(objectClass=person)"
+  LDAP_UID: "uid"
+  LDAP_SCOPE: "3"
+  LDAP_TIMEOUT: "5"
+  DATABASE_TYPE: "mysql"
+  PROJECT_CREATION_RESTRICTION: "everyone"
+  VERIFY_REMOTE_CERT: "off"
+  MAX_JOB_WORKERS: "3"
+  TOKEN_EXPIRATION: "30"
+  CFG_EXPIRATION: "5"
+  GODEBUG: "netdns=cgo"
+  ADMIRAL_URL: "NA"
+  RESET: "false"
+  WITH_CLAIR: "{{ .Values.clair.enabled }}"
+  CLAIR_DB_HOST: "{{ template "harbor.fullname" . }}-clair-pg"

contrib/helm/harbor/templates/adminserver/adminserver-secrets.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.fullname" . }}-adminserver"
+  labels:
+{{ include "helm.labels" . | indent 4 }}
+type: Opaque
+data:
+  key: {{ .Values.adminserver.key | b64enc | quote }}
+  EMAIL_PWD: {{ .Values.adminserver.emailPwd | b64enc | quote }}
+  HARBOR_ADMIN_PASSWORD: {{ .Values.adminserver.harborAdminPassword | b64enc | quote }}
+  MYSQL_PWD: {{ .Values.mysql.pass | b64enc | quote }}
+  JOBSERVICE_SECRET: {{ .Values.jobservice.secret | b64enc | quote }}
+  UI_SECRET: {{ .Values.ui.secret | b64enc | quote }}
+{{ if .Values.clair.enabled }}
+  CLAIR_DB_PASSWORD: {{ .Values.clair.postgresPassword | b64enc | quote }}
+{{ end }}
+  #LDAP_SEARCH_PWD: not-a-secure-password

contrib/helm/harbor/templates/adminserver/adminserver-ss.yaml

@@ -0,0 +1,74 @@
+apiVersion: apps/v1beta2
+kind: StatefulSet
+metadata:
+  name: "{{ template "harbor.fullname" . }}-adminserver"
+  labels:
+{{ include "helm.labels" . | indent 4 }}
+    component: adminserver
+spec:
+  replicas: 1
+  serviceName: "{{ template "harbor.fullname" . }}"
+  selector:
+    matchLabels:
+{{ include "helm.matchLabels" . | indent 6 }}
+      component: adminserver
+  template:
+    metadata:
+      labels:
+{{ include "helm.labels" . | indent 8 }}
+        component: adminserver
+    spec:
+      containers:
+      - name: adminserver
+        image: "{{ .Values.adminserver.image.repository }}:{{ .Values.adminserver.image.tag }}"
+        imagePullPolicy: "{{ .Values.adminserver.image.pullPolicy }}"
+        resources:
+{{ toYaml .Values.adminserver.resources | indent 10 }}
+        envFrom:
+        - configMapRef:
+            name: "{{ template "harbor.fullname" . }}-adminserver"
+        - secretRef:
+            name: "{{ template "harbor.fullname" . }}-adminserver"
+        env:
+          - name: PORT
+            value: "8080"
+          - name: JSON_CFG_STORE_PATH
+            value: /etc/adminserver/config/config.json
+          - name: KEY_PATH
+            value: /etc/adminserver/key
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: adminserver-config
+          mountPath: /etc/adminserver/config
+        - name: adminserver-key
+          mountPath: /etc/adminserver/key
+          subPath: key
+      volumes:
+      {{- if not .Values.persistence.enabled }}
+      - name: adminserver-config
+        emptyDir: {}
+      {{- end }}
+      - name: adminserver-key
+        secret:
+          secretName: "{{ template "harbor.fullname" . }}-adminserver"
+          items:
+          - key: key
+            path: key
+  {{- if .Values.persistence.enabled }}
+  volumeClaimTemplates:
+  - metadata:
+      name: adminserver-config
+    spec:
+      accessModes: [{{ .Values.adminserver.volumes.config.accessMode | quote }}]
+      {{- if .Values.adminserver.volumes.config.storageClass }}
+      {{- if (eq "-" .Values.adminserver.volumes.config.storageClass) }}
+      storageClassName: ""
+      {{- else }}
+      storageClassName: "{{ .Values.adminserver.volumes.config.storageClass }}"
+      {{- end }}
+      {{- end }}
+      resources:
+        requests:
+          storage: {{ .Values.adminserver.volumes.config.size | quote }}
+  {{- end -}}

contrib/helm/harbor/templates/adminserver/adminserver-svc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ template "harbor.fullname" . }}-adminserver"
+  labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+  ports:
+    - port: 80
+      targetPort: 8080
+  selector:
+{{ include "helm.matchLabels" . | indent 4 }}
+    component: adminserver