From 1efa074bde10a537638c19c244dddae30f7caab4 Mon Sep 17 00:00:00 2001
From: GeorgeRaven
Date: Sat, 12 Jul 2025 19:29:25 +0100
Subject: [PATCH] Added harbor config
---
charts/harbor-config/.helmignore | 23 ++++++
charts/harbor-config/Chart.yaml | 6 ++
charts/harbor-config/README.md | 6 ++
charts/harbor-config/values.yaml | 0
charts/harbor/README.md | 2 +-
.../templates/harbor-config.yaml | 82 +++++++++++++++++++
6 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 charts/harbor-config/.helmignore
create mode 100644 charts/harbor-config/Chart.yaml
create mode 100644 charts/harbor-config/README.md
create mode 100644 charts/harbor-config/values.yaml
create mode 100644 charts/infrastructure/templates/harbor-config.yaml
diff --git a/charts/harbor-config/.helmignore b/charts/harbor-config/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/harbor-config/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/harbor-config/Chart.yaml b/charts/harbor-config/Chart.yaml
new file mode 100644
index 00000000..75bb9a5b
--- /dev/null
+++ b/charts/harbor-config/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: harbor-config
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
diff --git a/charts/harbor-config/README.md b/charts/harbor-config/README.md
new file mode 100644
index 00000000..7caba548
--- /dev/null
+++ b/charts/harbor-config/README.md
@@ -0,0 +1,6 @@
+# harbor-config
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
diff --git a/charts/harbor-config/values.yaml b/charts/harbor-config/values.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/charts/harbor/README.md b/charts/harbor/README.md
index 08694205..6fced368 100644
--- a/charts/harbor/README.md
+++ b/charts/harbor/README.md
@@ -34,7 +34,6 @@ A Helm chart for Kubernetes
 | harbor.database.external.username | string | `"harbor"` | |
 | harbor.database.type | string | `"external"` | |
 | harbor.enabled | bool | `true` | |
-| harbor.esternalURL | string | `"https://harbor.deepcypher.me"` | |
 | harbor.existingSecretAdminPassword | string | `"harbor-admin"` | |
 | harbor.existingSecretAdminPasswordKey | string | `"password"` | |
 | harbor.existingSecretSecretKey | string | `"harbor-encryption"` | |
@@ -47,6 +46,7 @@ A Helm chart for Kubernetes
 | harbor.expose.ingress.hosts.core | string | `"harbor.deepcypher.me"` | |
 | harbor.expose.tls.enabled | bool | `true` | |
 | harbor.expose.type | string | `"ingress"` | |
+| harbor.externalURL | string | `"https://harbor.deepcypher.me"` | |
 | harbor.jobservice.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"kubernetes.io/arch"` | |
 | harbor.jobservice.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"In"` | |
 | harbor.jobservice.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0] | string | `"amd64"` | |
diff --git a/charts/infrastructure/templates/harbor-config.yaml b/charts/infrastructure/templates/harbor-config.yaml
new file mode 100644
index 00000000..255db238
--- /dev/null
+++ b/charts/infrastructure/templates/harbor-config.yaml
@@ -0,0 +1,82 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: harbor-config
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ ignoreDifferences:
+ - group: ""
+ kind: Secret
+ name: harbor-config-ingress
+ jqPathExpressions:
+ - '.data'
+ destination:
+ name: ''
+ namespace: harbor
+ server: 'https://kubernetes.default.svc'
+ source:
+ path: charts/harbor-config
+ repoURL: {{ .Values.global.repo }}
+ targetRevision: {{ .Values.environment.revision }}
+ helm:
+ values: |
+ {{- include "defaultEnvironment" . | indent 8 }}
+ {{- if eq .Values.environment.mode "staging" }}
+ {{- else if eq .Values.environment.mode "production" }}
+ {{- end }}
+ #project: harbor-config
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - RespectIgnoreDifferences=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: harbor-config
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ description: Infra-level project to isolate harbor-config
+ # Allow manifests to deploy from any Git repos
+ sourceRepos:
+ - '*'
+ # Only permit applications to deploy to the guestbook namespace in the same cluster
+ destinations:
+ - namespace: harbor-config
+ server: https://kubernetes.default.svc
+ # Deny all cluster-scoped resources from being created, except for Namespace
+ clusterResourceWhitelist:
+ - group: ''
+ kind: Namespace
+ # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
+ namespaceResourceBlacklist:
+ - group: ''
+ kind: ResourceQuota
+ - group: ''
+ kind: LimitRange
+ #- group: ''
+ # kind: NetworkPolicy
+ # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
+ # namespaceResourceWhitelist:
+ # - group: 'apps'
+ # kind: Deployment
+ # - group: 'apps'
+ # kind: StatefulSet
+ roles:
+ # A role which provides read-only access to all applications in the project
+ - name: read-only
+ description: Read-only privileges to harbor-config
+ policies:
+ - p, proj:my-project:read-only, applications, get, harbor-config/*, allow
+ groups:
+ - my-oidc-group
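Review bot: The Application is bound to `project: default` (with `#project: harbor-config` left commented out), so the source, destination and resource restrictions declared in the AppProject later in this same hunk never apply to it; the intended line is `project: harbor-config`. That switch would not sync as written, because the project only permits destination namespace `harbor-config` while the Application deploys to `harbor`, so the `destinations` entry needs to be `- namespace: harbor`. The role policy still carries the upstream example's subject and should read `- p, proj:harbor-config:read-only, applications, get, harbor-config/*, allow`; Argo CD will likely reject or ignore a subject that names another project, and `my-oidc-group` looks like a placeholder that needs a real group or removal. The `sourceRepos` entry of `'*'` is also wider than a project meant to isolate one chart needs, and limiting it to the repository the Application references would make the project an actual boundary.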