Added harbor config

2026-01-27 11:12:08 +00:00 · 2025-07-12 19:29:25 +01:00
parent fa178cb4d1
commit 1efa074bde
6 changed files with 118 additions and 1 deletions
--- a/charts/harbor-config/.helmignore
+++ b/charts/harbor-config/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/charts/harbor-config/Chart.yaml
+++ b/charts/harbor-config/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: harbor-config
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
--- a/charts/harbor-config/README.md
+++ b/charts/harbor-config/README.md
@@ -0,0 +1,6 @@
+# harbor-config
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
--- a/charts/harbor-config/values.yaml
+++ b/charts/harbor-config/values.yaml
--- a/charts/harbor/README.md
+++ b/charts/harbor/README.md
@@ -34,7 +34,6 @@ A Helm chart for Kubernetes
 | harbor.database.external.username | string | `"harbor"` |  |
 | harbor.database.type | string | `"external"` |  |
 | harbor.enabled | bool | `true` |  |
-| harbor.esternalURL | string | `"https://harbor.deepcypher.me"` |  |
 | harbor.existingSecretAdminPassword | string | `"harbor-admin"` |  |
 | harbor.existingSecretAdminPasswordKey | string | `"password"` |  |
 | harbor.existingSecretSecretKey | string | `"harbor-encryption"` |  |
@@ -47,6 +46,7 @@ A Helm chart for Kubernetes
 | harbor.expose.ingress.hosts.core | string | `"harbor.deepcypher.me"` |  |
 | harbor.expose.tls.enabled | bool | `true` |  |
 | harbor.expose.type | string | `"ingress"` |  |
+| harbor.externalURL | string | `"https://harbor.deepcypher.me"` |  |
 | harbor.jobservice.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"kubernetes.io/arch"` |  |
 | harbor.jobservice.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"In"` |  |
 | harbor.jobservice.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0] | string | `"amd64"` |  |
--- a/charts/infrastructure/templates/harbor-config.yaml
+++ b/charts/infrastructure/templates/harbor-config.yaml
@@ -0,0 +1,82 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: harbor-config
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  ignoreDifferences:
+  - group: ""
+    kind: Secret
+    name: harbor-config-ingress
+    jqPathExpressions:
+    - '.data'
+  destination:
+    name: ''
+    namespace: harbor
+    server: 'https://kubernetes.default.svc'
+  source:
+    path: charts/harbor-config
+    repoURL: {{ .Values.global.repo }}
+    targetRevision: {{ .Values.environment.revision }}
+    helm:
+      values: |
+        {{- include "defaultEnvironment" . | indent 8 }}
+        {{- if eq .Values.environment.mode "staging" }}
+        {{- else if eq .Values.environment.mode "production" }}
+        {{- end }}
+  #project: harbor-config
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+    - ApplyOutOfSyncOnly=true
+    - RespectIgnoreDifferences=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: harbor-config
+  namespace: argocd
+  # Finalizer that ensures that project is not deleted until it is not referenced by any application
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: Infra-level project to isolate harbor-config
+  # Allow manifests to deploy from any Git repos
+  sourceRepos:
+  - '*'
+  # Only permit applications to deploy to the guestbook namespace in the same cluster
+  destinations:
+  - namespace: harbor-config
+    server: https://kubernetes.default.svc
+  # Deny all cluster-scoped resources from being created, except for Namespace
+  clusterResourceWhitelist:
+  - group: ''
+    kind: Namespace
+  # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
+  namespaceResourceBlacklist:
+  - group: ''
+    kind: ResourceQuota
+  - group: ''
+    kind: LimitRange
+  #- group: ''
+  #  kind: NetworkPolicy
+  # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
+  # namespaceResourceWhitelist:
+  # - group: 'apps'
+  #   kind: Deployment
+  # - group: 'apps'
+  #   kind: StatefulSet
+  roles:
+  # A role which provides read-only access to all applications in the project
+  - name: read-only
+    description: Read-only privileges to harbor-config
+    policies:
+    - p, proj:my-project:read-only, applications, get, harbor-config/*, allow
+    groups:
+    - my-oidc-group