k8s部署harbor
创建pvc
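# Write the PVC manifest. The delimiter is quoted so the shell copies the body
# verbatim, and '>' replaces the file so a second run does not append a
# duplicate document.
cat >0-harbor-pvc.yaml <<'EOF'
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: harbor-pv-claim
spec:
  # Needs a StorageClass named "nfs" that can provision ReadWriteMany volumes.
  storageClassName: nfs
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1000Gi
  # Every stateful Harbor workload in 1-harbor-deploy.yaml (registry, database,
  # redis, chartmuseum, jobservice, trivy) mounts this single claim and is
  # separated from the others only by subPath.
EOF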
kubectl create -f 0-harbor-pvc.yaml
部署harbor
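# The delimiter must be quoted: with a bare EOF the shell expands every
# $variable in the embedded nginx.conf ($host, $remote_addr, $uri, ...) to an
# empty string, which corrupts the proxy headers and the HTTP->HTTPS redirect.
# '>' replaces the file so a re-run does not append a second copy of every
# document.
cat >1-harbor-deploy.yaml <<'EOF'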
---
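apiVersion: v1
kind: Secret
metadata:
  name: harbor-chartmuseum
  labels:
    app: harbor
type: Opaque
data:
  # Empty value: chartmuseum connects to its Redis cache without a password.
  CACHE_REDIS_PASSWORD: ""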
---
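apiVersion: v1
kind: Secret
metadata:
  name: harbor-core
  labels:
    app: harbor
type: Opaque
# Everything under data is base64-encoded, not encrypted, and is fixed in this
# published manifest, so every cluster built from it shares the same keys and
# passwords. Generate fresh values before applying and keep the real ones out
# of version control.
data:
  # secretKey, HARBOR_ADMIN_PASSWORD and POSTGRESQL_PASSWORD decode to short,
  # human-readable strings rather than random key material.
  secretKey: "bm90LWEtc2VjdXJlLWtleQ=="
  secret: "NE50SmNWVVdudWNKd3ZjVw=="
  # tls.key is mounted into the core container as /etc/core/private_key.pem
  # (volume token-service-private-key); use a key pair generated for this
  # cluster, never one copied from a published page.
  tls.crt: "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"
  tls.key: "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"
  HARBOR_ADMIN_PASSWORD: "SGFyYm9yMTIzNDU="
  # Must stay in step with POSTGRES_PASSWORD in Secret harbor-database and with
  # the password embedded in the DB_URL of both notary Deployments.
  POSTGRESQL_PASSWORD: "Y2hhbmdlaXQ="
  # Same value as REGISTRY_CREDENTIAL_PASSWORD in Secret harbor-jobservice.
  REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk"
  CSRF_KEY: "VWRhbW5EalliS2VnRFBHRU83ZFR4REQ1aU5GVHE3aEk="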
---
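apiVersion: v1
kind: Secret
metadata:
  name: harbor-database
  labels:
    app: harbor
type: Opaque
data:
  # Base64 only, not encrypted. Identical to POSTGRESQL_PASSWORD in Secret
  # harbor-core; the same password also appears in clear text in the DB_URL of
  # the notary Deployments, so all of them have to be changed together.
  POSTGRES_PASSWORD: "Y2hhbmdlaXQ="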
---
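apiVersion: v1
kind: Secret
metadata:
  name: harbor-jobservice
  labels:
    app: harbor
type: Opaque
data:
  # Shared secret also injected into the core and registryctl containers via
  # secretKeyRef; base64 only, so regenerate it for each cluster.
  JOBSERVICE_SECRET: "QWw1S2tBR29BM1RMeTBiNw=="
  # Same value as REGISTRY_CREDENTIAL_PASSWORD in Secret harbor-core.
  REGISTRY_CREDENTIAL_PASSWORD: "aGFyYm9yX3JlZ2lzdHJ5X3Bhc3N3b3Jk"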
---
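apiVersion: v1
kind: Secret
metadata:
  name: harbor-nginx
  labels:
    app: harbor
type: Opaque
data:
  # Serving certificate and private key for the nginx listeners on 8443 and
  # 4443 (mounted at /etc/nginx/cert). The core Deployment also mounts this
  # whole Secret, private key included, at /etc/core/ca. Issue a certificate
  # for the cluster's own hostname instead of reusing a published key.
  tls.crt: "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"
  tls.key: "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"
  ca.crt: "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"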
---
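apiVersion: v1
kind: Secret
metadata:
  name: harbor-notary-server
  labels:
    app: harbor
    component: notary
type: Opaque
data:
  # tls.crt / tls.key are mounted into the notary-signer pod under
  # /etc/ssl/notary; ca.crt is mounted into notary-server. Generate them per
  # cluster.
  ca.crt: "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"
  tls.crt: "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"
  tls.key: "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"
  server.json: 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
  # signer.json decodes to a JSON config whose storage.db_url carries the
  # Postgres user and password and sets sslmode=disable, so this value has to
  # be re-encoded whenever the database password changes.
  signer.json: ewogICJzZXJ2ZXIiOiB7CiAgICAiZ3JwY19hZGRyIjogIjo3ODk5IiwKICAgICJ0bHNfY2VydF9maWxlIjogIi9ldGMvc3NsL25vdGFyeS90bHMuY3J0IiwKICAgICJ0bHNfa2V5X2ZpbGUiOiAiL2V0Yy9zc2wvbm90YXJ5L3Rscy5rZXkiCiAgfSwKICAibG9nZ2luZyI6IHsKICAgICJsZXZlbCI6ICJpbmZvIgogIH0sCiAgInN0b3JhZ2UiOiB7CiAgICAiYmFja2VuZCI6ICJwb3N0Z3JlcyIsCiAgICAiZGJfdXJsIjogInBvc3RncmVzOi8vcG9zdGdyZXM6Y2hhbmdlaXRAaGFyYm9yLWRhdGFiYXNlOjU0MzIvbm90YXJ5c2lnbmVyP3NzbG1vZGU9ZGlzYWJsZSIsCiAgICAiZGVmYXVsdF9hbGlhcyI6ICJkZWZhdWx0YWxpYXMiCiAgfQp9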
---
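apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry
  labels:
    app: harbor
type: Opaque
data:
  # Injected into the registry and registryctl containers through envFrom.
  # Base64 only; regenerate per cluster.
  REGISTRY_HTTP_SECRET: "ZXRudzhFdzBTQmhsRVh0dA=="
  # Empty value: the registry talks to harbor-redis without a password.
  REGISTRY_REDIS_PASSWORD: ""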
---
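apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-htpasswd
  labels:
    app: harbor
type: Opaque
data:
  # Decodes to one htpasswd line (user name plus a bcrypt hash) that the
  # registry Deployment mounts at /etc/registry/passwd.
  # NOTE(review): presumably the hash of REGISTRY_CREDENTIAL_PASSWORD - it has
  # to be regenerated whenever that password is changed; confirm.
  REGISTRY_HTPASSWD: "aGFyYm9yX3JlZ2lzdHJ5X3VzZXI6JDJhJDEwJE5xU1dKWnpBVmdTTmVRNXd4b2NGWi53RkduR0dXU3ZkV0p3UWt4TTVVLlk1c0UyanNWV00u"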
---
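apiVersion: v1
kind: Secret
metadata:
  name: harbor-registryctl
  labels:
    app: harbor
type: Opaque
# Intentionally empty; the registryctl container still references this Secret
# through envFrom, so the object has to exist. An explicit empty map avoids the
# ambiguous bare key.
data: {}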
---
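apiVersion: v1
kind: Secret
metadata:
  name: harbor-trivy
  labels:
    app: harbor
type: Opaque
data:
  # Decodes to a redis:// URL for harbor-redis with no credentials in it.
  redisURL: cmVkaXM6Ly9oYXJib3ItcmVkaXM6NjM3OS81P2lkbGVfdGltZW91dF9zZWNvbmRzPTMw
  # Empty: no GitHub token is configured for the scanner. If one is added,
  # supply it out of band rather than committing it to this file.
  gitHubToken: ""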
---
apiVersion: v1
kind: ConfigMap
metadata:
name: harbor-chartmuseum
labels:
app: harbor
data:
PORT: "9999"
CACHE: "redis"
CACHE_REDIS_ADDR: "harbor-redis:6379"
CACHE_REDIS_DB: "3"
BASIC_AUTH_USER: "chart_controller"
DEPTH: "1"
DEBUG: "false"
LOG_JSON: "true"
DISABLE_METRICS: "false"
DISABLE_API: "false"
DISABLE_STATEFILES: "false"
ALLOW_OVERWRITE: "true"
AUTH_ANONYMOUS_GET: "false"
CONTEXT_PATH: ""
INDEX_LIMIT: "0"
MAX_STORAGE_OBJECTS: "0"
MAX_UPLOAD_SIZE: "20971520"
CHART_POST_FORM_FIELD_NAME: "chart"
PROV_POST_FORM_FIELD_NAME: "prov"
STORAGE: "local"
STORAGE_LOCAL_ROOTDIR: "/chart_storage"
STORAGE_TIMESTAMP_TOLERANCE: 1s
---
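apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-core
  labels:
    app: harbor
data:
  app.conf: |+
    appname = Harbor
    runmode = prod
    enablegzip = true
    [prod]
    httpport = 8080
  PORT: "8080"
  DATABASE_TYPE: "postgresql"
  POSTGRESQL_HOST: "harbor-database"
  POSTGRESQL_PORT: "5432"
  POSTGRESQL_USERNAME: "postgres"
  POSTGRESQL_DATABASE: "registry"
  # TLS to the database is switched off, so credentials and queries cross the
  # pod network in clear text.
  POSTGRESQL_SSLMODE: "disable"
  POSTGRESQL_MAX_IDLE_CONNS: "100"
  POSTGRESQL_MAX_OPEN_CONNS: "900"
  # Externally visible URL; the port matches nodePort 30003 of Service harbor.
  # NOTE(review): the host is spelled differently from the image registry host
  # used in the Deployments (hub.kaolayouran.cn) - confirm which is intended.
  EXT_ENDPOINT: "https://hub.koalauran.cn:30003"
  # All component-to-component URLs below use plain http inside the cluster.
  CORE_URL: "http://harbor-core:80"
  JOBSERVICE_URL: "http://harbor-jobservice"
  REGISTRY_URL: "http://harbor-registry:5000"
  TOKEN_SERVICE_URL: "http://harbor-core:80/service/token"
  WITH_NOTARY: "true"
  NOTARY_URL: "http://harbor-notary-server:4443"
  CORE_LOCAL_URL: "http://127.0.0.1:8080"
  WITH_TRIVY: "true"
  TRIVY_ADAPTER_URL: "http://harbor-trivy:8080"
  REGISTRY_STORAGE_PROVIDER_NAME: "filesystem"
  WITH_CHARTMUSEUM: "true"
  CHART_REPOSITORY_URL: "http://harbor-chartmuseum"
  LOG_LEVEL: "info"
  CONFIG_PATH: "/etc/core/app.conf"
  CHART_CACHE_DRIVER: "redis"
  # Redis URLs carry no credentials.
  _REDIS_URL_CORE: "redis://harbor-redis:6379/0?idle_timeout_seconds=30"
  _REDIS_URL_REG: "redis://harbor-redis:6379/2?idle_timeout_seconds=30"
  PORTAL_URL: "http://harbor-portal"
  REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080"
  REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user"
  HTTP_PROXY: ""
  HTTPS_PROXY: ""
  NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-chartmuseum,harbor-notary-server,harbor-notary-signer,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal"
  PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry"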
---
apiVersion: v1
kind: ConfigMap
metadata:
name: harbor-jobservice-env
labels:
app: harbor
data:
CORE_URL: "http://harbor-core:80"
TOKEN_SERVICE_URL: "http://harbor-core:80/service/token"
REGISTRY_URL: "http://harbor-registry:5000"
REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080"
REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user"
HTTP_PROXY: ""
HTTPS_PROXY: ""
NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-chartmuseum,harbor-notary-server,harbor-notary-signer,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: harbor-jobservice
labels:
app: harbor
data:
config.yml: |+
#Server listening port
protocol: "http"
port: 8080
worker_pool:
workers: 10
backend: "redis"
redis_pool:
redis_url: "redis://harbor-redis:6379/1"
namespace: "harbor_job_service_namespace"
idle_timeout_second: 3600
job_loggers:
- name: FILE
level: INFO
settings: # Customized settings of logger
base_dir: "/var/log/jobs"
sweeper:
duration: 14 #days
settings: # Customized settings of sweeper
work_dir: "/var/log/jobs"
metric:
enabled: false
path: /metrics
port: 8001
#Loggers for the job service
loggers:
- name: STD_OUTPUT
level: INFO
---
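apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-nginx
  labels:
    app: harbor
data:
  # nginx is the only externally published component (Service harbor,
  # NodePort). It terminates TLS on 8443 (portal/API/registry) and 4443
  # (notary) and proxies to the in-cluster services over plain HTTP.
  nginx.conf: |+
    worker_processes auto;
    pid /tmp/nginx.pid;
    events {
      worker_connections 3096;
      use epoll;
      multi_accept on;
    }
    http {
      client_body_temp_path /tmp/client_body_temp;
      proxy_temp_path /tmp/proxy_temp;
      fastcgi_temp_path /tmp/fastcgi_temp;
      uwsgi_temp_path /tmp/uwsgi_temp;
      scgi_temp_path /tmp/scgi_temp;
      tcp_nodelay on;
      # this is necessary for us to be able to disable request buffering in all cases
      proxy_http_version 1.1;
      upstream core {
        server "harbor-core:80";
      }
      upstream portal {
        server "harbor-portal:80";
      }
      upstream notary-server {
        server harbor-notary-server:4443;
      }
      log_format timed_combined '[$time_local]:$remote_addr - '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '$request_time $upstream_response_time $pipe';
      access_log /dev/stdout timed_combined;
      map $http_x_forwarded_proto $x_forwarded_proto {
        default $http_x_forwarded_proto;
        "" $scheme;
      }
      server {
        listen 4443 ssl;
        listen [::]:4443 ssl;
        server_tokens off;
        # ssl
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;
        # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
        # TLS 1.1 is formally deprecated (RFC 8996), so only TLS 1.2 is offered.
        # TLSv1.3 can be appended if the bundled nginx/OpenSSL supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:ssl:10m;
        # disable any limits to avoid http 413 for large image uploads
        client_max_body_size 0;
        # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
        location /v2/ {
          proxy_pass http://notary-server/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_buffering off;
          proxy_request_buffering off;
        }
      }
      server {
        listen 8443 ssl;
        listen [::]:8443 ssl;
        # server_name harbordomain.com;
        server_tokens off;
        # SSL
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;
        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        # TLS 1.1 is formally deprecated (RFC 8996), so only TLS 1.2 is offered.
        # TLSv1.3 can be appended if the bundled nginx/OpenSSL supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
        # Add extra headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";
        location / {
          proxy_pass http://portal/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; HttpOnly; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /api/ {
          proxy_pass http://core/api/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /chartrepo/ {
          proxy_pass http://core/chartrepo/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /c/ {
          proxy_pass http://core/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /v1/ {
          return 404;
        }
        location /v2/ {
          proxy_pass http://core/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /service/ {
          proxy_pass http://core/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /service/notifications {
          return 404;
        }
      }
      server {
        listen 8080;
        listen [::]:8080;
        #server_name harbordomain.com;
        return 301 https://$host$request_uri;
      }
    }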
---
apiVersion: v1
kind: ConfigMap
metadata:
name: harbor-portal
labels:
app: harbor
data:
nginx.conf: |+
worker_processes auto;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
client_body_temp_path /tmp/client_body_temp;
proxy_temp_path /tmp/proxy_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
listen 8080;
listen [::]:8080;
server_name localhost;
root /usr/share/nginx/html;
index index.html index.htm;
include /etc/nginx/mime.types;
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
try_files $uri $uri/ /index.html;
}
location = /index.html {
add_header Cache-Control "no-store, no-cache, must-revalidate";
}
}
}
---
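apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-registry
  labels:
    app: harbor
data:
  # Registry configuration, mounted at /etc/registry/config.yml. The API
  # listens on :5000 over plain HTTP; the debug listener is bound to localhost
  # only, although the registry Deployment still declares containerPort 5001.
  # Basic auth is checked against /etc/registry/passwd, which comes from Secret
  # harbor-registry-htpasswd.
  config.yml: |+
    version: 0.1
    log:
      level: info
      fields:
        service: registry
    storage:
      filesystem:
        rootdirectory: /storage
      cache:
        layerinfo: redis
      maintenance:
        uploadpurging:
          enabled: false
      delete:
        enabled: true
      redirect:
        disable: false
    redis:
      addr: harbor-redis:6379
      db: 2
      readtimeout: 10s
      writetimeout: 10s
      dialtimeout: 10s
      pool:
        maxidle: 100
        maxactive: 500
        idletimeout: 60s
    http:
      addr: :5000
      relativeurls: false
      # set via environment variable
      # secret: placeholder
      debug:
        addr: localhost:5001
    auth:
      htpasswd:
        realm: harbor-registry-basic-realm
        path: /etc/registry/passwd
    validation:
      disabled: true
    compatibility:
      schema1:
        enabled: true
  # registryctl configuration, mounted at /etc/registryctl/config.yml.
  ctl-config.yml: |+
    ---
    protocol: "http"
    port: 8080
    log_level: info
    registry_config: "/etc/registry/config.yml"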
---
apiVersion: v1
kind: ConfigMap
metadata:
name: harbor-registryctl
labels:
app: harbor
data:
---
apiVersion: v1
kind: Service
metadata:
name: harbor-chartmuseum
labels:
app: harbor
spec:
ports:
- port: 80
targetPort: 9999
selector:
app: harbor
component: chartmuseum
---
apiVersion: v1
kind: Service
metadata:
name: harbor-core
labels:
app: harbor
spec:
ports:
- name: http-web
port: 80
targetPort: 8080
selector:
app: harbor
component: core
---
apiVersion: v1
kind: Service
metadata:
name: harbor-database
labels:
app: harbor
spec:
ports:
- port: 5432
selector:
app: harbor
component: database
---
apiVersion: v1
kind: Service
metadata:
name: harbor-jobservice
labels:
app: harbor
spec:
ports:
- name: http-jobservice
port: 80
targetPort: 8080
selector:
app: harbor
component: jobservice
---
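apiVersion: v1
kind: Service
metadata:
  name: harbor
  labels:
    app: harbor
spec:
  # NodePort publishes these ports on every node address, so anything that can
  # reach a node can reach Harbor. Restrict 30002-30004 at the node firewall or
  # security group to the networks that need the registry.
  type: NodePort
  ports:
    # The 8080 listener only answers with a 301 to https on the default port,
    # not to 30003, so this port gives clients nothing useful as published.
    - name: http
      port: 80
      targetPort: 8080
      nodePort: 30002
    - name: https
      port: 443
      targetPort: 8443
      nodePort: 30003
    - name: notary
      port: 4443
      targetPort: 4443
      nodePort: 30004
  selector:
    app: harbor
    component: nginx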
---
apiVersion: v1
kind: Service
metadata:
name: harbor-notary-server
labels:
app: harbor
spec:
ports:
- port: 4443
selector:
app: harbor
component: notary-server
---
apiVersion: v1
kind: Service
metadata:
name: harbor-notary-signer
labels:
app: harbor
spec:
ports:
- port: 7899
selector:
app: harbor
component: notary-signer
---
apiVersion: v1
kind: Service
metadata:
name: harbor-portal
labels:
app: harbor
spec:
ports:
- port: 80
targetPort: 8080
selector:
app: harbor
component: portal
---
apiVersion: v1
kind: Service
metadata:
name: harbor-redis
labels:
app: harbor
spec:
ports:
- port: 6379
selector:
app: harbor
component: redis
---
apiVersion: v1
kind: Service
metadata:
name: harbor-registry
labels:
app: harbor
spec:
ports:
- name: http-registry
port: 5000
- name: http-controller
port: 8080
selector:
app: harbor
component: registry
---
apiVersion: v1
kind: Service
metadata:
name: harbor-trivy
labels:
app: harbor
spec:
ports:
- name: http-trivy
protocol: TCP
port: 8080
selector:
app: harbor
component: trivy
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: common-store-harbor
labels:
app: harbor
component: chartmuseum
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app: harbor
component: chartmuseum
template:
metadata:
labels:
app: harbor
component: chartmuseum
annotations:
checksum/configmap: 3a145cb777903ca8ff8fcfcb3c25ed9ee7a426a8b01cf024d6e52d92458b4564
checksum/secret: 12c4400ee99d72e1e816c38dc665ea3e7f6b640478d7a0cca350151b4813b80d
checksum/secret-core: 1f0aa61e2a55d3cb689d9a021981eb141f38415b126722921a90d393f85eb0d4
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
containers:
- name: chartmuseum
image: hub.kaolayouran.cn:5000/base/chartmuseum-photon:v2.4.2
#image: goharbor/chartmuseum-photon:v2.4.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /health
scheme: HTTP
port: 9999
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
scheme: HTTP
port: 9999
initialDelaySeconds: 1
periodSeconds: 10
envFrom:
- configMapRef:
name: harbor-chartmuseum
- secretRef:
name: harbor-chartmuseum
env:
- name: BASIC_AUTH_PASS
valueFrom:
secretKeyRef:
name: harbor-core
key: secret
- # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280)
name: AWS_SDK_LOAD_CONFIG
value: "1"
ports:
- containerPort: 9999
volumeMounts:
- name: chartmuseum-data
mountPath: /chart_storage
subPath: chartmuseum
volumes:
- name: chartmuseum-data
persistentVolumeClaim:
claimName: harbor-pv-claim
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: harbor-core
labels:
app: harbor
component: core
spec:
replicas: 1
selector:
matchLabels:
app: harbor
component: core
template:
metadata:
labels:
app: harbor
component: core
annotations:
checksum/configmap: bd2b34383441bfcff2d870b02b04a3dae69ccd05a330047c5d8829aeada20685
checksum/secret: 02b2cb32e03f306d15b782cae8584d7987844bbd65979695f5e10918042999a7
checksum/secret-jobservice: 7de664062a56330a0ac4144206d1b021fe7ee43542e401f86e647ffcceb67399
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
terminationGracePeriodSeconds: 120
containers:
- name: core
image: hub.kaolayouran.cn:5000/base/harbor-core:v2.4.2
#image: goharbor/harbor-core:v2.4.2
imagePullPolicy: IfNotPresent
startupProbe:
httpGet:
path: /api/v2.0/ping
scheme: HTTP
port: 8080
failureThreshold: 360
initialDelaySeconds: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /api/v2.0/ping
scheme: HTTP
port: 8080
failureThreshold: 2
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/v2.0/ping
scheme: HTTP
port: 8080
failureThreshold: 2
periodSeconds: 10
envFrom:
- configMapRef:
name: harbor-core
- secretRef:
name: harbor-core
env:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: harbor-core
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: harbor-jobservice
key: JOBSERVICE_SECRET
ports:
- containerPort: 8080
volumeMounts:
- name: config
mountPath: /etc/core/app.conf
subPath: app.conf
- name: secret-key
mountPath: /etc/core/key
subPath: key
- name: token-service-private-key
mountPath: /etc/core/private_key.pem
subPath: tls.key
- name: ca-download
mountPath: /etc/core/ca
- name: psc
mountPath: /etc/core/token
volumes:
- name: config
configMap:
name: harbor-core
items:
- key: app.conf
path: app.conf
- name: secret-key
secret:
secretName: harbor-core
items:
- key: secretKey
path: key
- name: token-service-private-key
secret:
secretName: harbor-core
- name: ca-download
secret:
secretName: harbor-nginx
- name: psc
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: harbor-jobservice
labels:
app: harbor
component: jobservice
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app: harbor
component: jobservice
template:
metadata:
labels:
app: harbor
component: jobservice
annotations:
checksum/configmap: 41138a089428e6776014e59b1a37c5e69bedc9331ccdb1f382f1950882ec1b7e
checksum/configmap-env: 5c0e2cf333f81a4f19f13c25cb45f2b2f5353c9bd05f59e8cbb6b59cc0eb7195
checksum/secret: 646779fe901aa8f33ca5fce3eac2d732709e178caa697a600f89bb1cac9ed3d1
checksum/secret-core: 168ef9ab2be4e7a479149263d0a1b57c43a4a7ee4ee300c81d3ba190888940e6
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
terminationGracePeriodSeconds: 120
containers:
- name: jobservice
image: hub.kaolayouran.cn:5000/base/harbor-jobservice:v2.4.2
#image: goharbor/harbor-jobservice:v2.4.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /api/v1/stats
scheme: HTTP
port: 8080
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/v1/stats
scheme: HTTP
port: 8080
initialDelaySeconds: 20
periodSeconds: 10
env:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: harbor-core
key: secret
envFrom:
- configMapRef:
name: harbor-jobservice-env
- secretRef:
name: harbor-jobservice
ports:
- containerPort: 8080
volumeMounts:
- name: jobservice-config
mountPath: /etc/jobservice/config.yml
subPath: config.yml
- name: job-logs
mountPath: /var/log/jobs
subPath: jobservice
volumes:
- name: jobservice-config
configMap:
name: harbor-jobservice
- name: job-logs
persistentVolumeClaim:
claimName: harbor-pv-claim
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: harbor-nginx
labels:
app: harbor
component: nginx
spec:
replicas: 1
selector:
matchLabels:
app: harbor
component: nginx
template:
metadata:
labels:
app: harbor
component: nginx
annotations:
checksum/configmap: 088e5cc3efc0b39e7f8aa2a67bd5d955ed8945e58d3c17ac8059da9ab53fe321
checksum/secret: 4f23ec29a4d9d3d987937f2fa380c350f3c5c5a519c098a4bb14866085923aab
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
containers:
- name: nginx
image: hub.kaolayouran.cn:5000/base/nginx-photon:v2.4.2
#image: "goharbor/nginx-photon:v2.4.2"
imagePullPolicy: "IfNotPresent"
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 1
periodSeconds: 10
ports:
- containerPort: 8080
- containerPort: 8443
- containerPort: 4443
volumeMounts:
- name: config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
- name: certificate
mountPath: /etc/nginx/cert
volumes:
- name: config
configMap:
name: harbor-nginx
- name: certificate
secret:
secretName: harbor-nginx
---
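apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor-notary-server
  labels:
    app: harbor
    component: notary-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: harbor
      component: notary-server
  template:
    metadata:
      labels:
        app: harbor
        component: notary-server
      annotations:
        checksum/secret: b70953c25216d51cbc010ede0f2d930891232639f9803703d8c81502e3a42ff6
        checksum/secret-core: 2c41f069d03705278d95df73b2526b695ccfcb039abb39cf143958b9bd13af6f
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      containers:
        - name: notary-server
          # Pulled by mutable tag from a private registry on port 5000; pin the
          # image by digest if the deployed content must be reproducible.
          image: hub.kaolayouran.cn:5000/base/notary-server-photon:v2.4.2
          #image: goharbor/notary-server-photon:v2.4.2
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /_notary_server/health
              scheme: "HTTP"
              port: 4443
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /_notary_server/health
              scheme: "HTTP"
              port: 4443
            initialDelaySeconds: 20
            periodSeconds: 10
          env:
            - name: MIGRATIONS_PATH
              value: migrations/server/postgresql
            # The database password sits in clear text in the pod spec, readable
            # by anyone allowed to get Deployments or Pods in this namespace,
            # and sslmode=disable sends it unencrypted to harbor-database.
            # Prefer sourcing the URL from a Secret via secretKeyRef.
            - name: DB_URL
              value: postgres://postgres:changeit@harbor-database:5432/notaryserver?sslmode=disable
          volumeMounts:
            - name: config
              mountPath: /etc/notary/server-config.postgres.json
              subPath: server.json
            - name: token-service-certificate
              mountPath: /root.crt
              subPath: tls.crt
            - name: signer-certificate
              mountPath: /etc/ssl/notary/ca.crt
              subPath: ca.crt
      volumes:
        - name: config
          secret:
            secretName: "harbor-notary-server"
        - name: token-service-certificate
          secret:
            secretName: harbor-core
        - name: signer-certificate
          secret:
            secretName: harbor-notary-server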
---
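apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor-notary-signer
  labels:
    app: harbor
    component: notary-signer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: harbor
      component: notary-signer
  template:
    metadata:
      labels:
        app: harbor
        component: notary-signer
      annotations:
        checksum/secret: f2c5bbfba6983db82911297b302267c6193b0d8683af7f54261ac6055f0ed2ca
    spec:
      securityContext:
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      containers:
        - name: notary-signer
          image: hub.kaolayouran.cn:5000/base/notary-signer-photon:v2.4.2
          #image: goharbor/notary-signer-photon:v2.4.2
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /
              scheme: "HTTPS"
              port: 7899
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              scheme: "HTTPS"
              port: 7899
            initialDelaySeconds: 20
            periodSeconds: 10
          env:
            - name: MIGRATIONS_PATH
              value: migrations/signer/postgresql
            # The database password sits in clear text in the pod spec, readable
            # by anyone allowed to get Deployments or Pods in this namespace,
            # and sslmode=disable sends it unencrypted to harbor-database.
            # Prefer sourcing the URL from a Secret via secretKeyRef.
            - name: DB_URL
              value: postgres://postgres:changeit@harbor-database:5432/notarysigner?sslmode=disable
            - name: NOTARY_SIGNER_DEFAULTALIAS
              value: defaultalias
          volumeMounts:
            - name: config
              mountPath: /etc/notary/signer-config.postgres.json
              subPath: signer.json
            # The signer's TLS certificate and private key both come from
            # Secret harbor-notary-server.
            - name: signer-certificate
              mountPath: /etc/ssl/notary/tls.crt
              subPath: tls.crt
            - name: signer-certificate
              mountPath: /etc/ssl/notary/tls.key
              subPath: tls.key
      volumes:
        - name: config
          secret:
            secretName: "harbor-notary-server"
        - name: signer-certificate
          secret:
            secretName: harbor-notary-server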
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: harbor-portal
labels:
app: harbor
component: portal
spec:
replicas: 1
selector:
matchLabels:
app: harbor
component: portal
template:
metadata:
labels:
app: harbor
component: portal
annotations:
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
containers:
- name: portal
image: hub.kaolayouran.cn:5000/base/harbor-portal:v2.4.2
#image: goharbor/harbor-portal:v2.4.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /
scheme: HTTP
port: 8080
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /
scheme: HTTP
port: 8080
initialDelaySeconds: 1
periodSeconds: 10
ports:
- containerPort: 8080
volumeMounts:
- name: portal-config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
volumes:
- name: portal-config
configMap:
name: harbor-portal
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: harbor-registry
labels:
app: harbor
component: registry
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app: harbor
component: registry
template:
metadata:
labels:
app: harbor
component: registry
annotations:
checksum/configmap: dbbd548871ae33e48eb16af08dc415671c1a982eea0685ce1a94015b9a0e5dcd
checksum/secret: 4111ba16f44d7978f520068cadecc471f3d0a32984f3b481393f471503683580
checksum/secret-jobservice: 97ab3f72e9fdbed04c753344e8f9854f46e9620cd77409954c14cf4fa04f845e
checksum/secret-core: 5d26213a63cee325a177fdacb9954caf67700f88254b40088c34821162fcff5b
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
terminationGracePeriodSeconds: 120
containers:
- name: registry
image: hub.kaolayouran.cn:5000/base/registry-photon:v2.4.2
#image: goharbor/registry-photon:v2.4.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /
scheme: HTTP
port: 5000
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /
scheme: HTTP
port: 5000
initialDelaySeconds: 1
periodSeconds: 10
args: ["serve", "/etc/registry/config.yml"]
envFrom:
- secretRef:
name: harbor-registry
env:
ports:
- containerPort: 5000
- containerPort: 5001
volumeMounts:
- name: registry-data
mountPath: /storage
subPath: registry
- name: registry-htpasswd
mountPath: /etc/registry/passwd
subPath: passwd
- name: registry-config
mountPath: /etc/registry/config.yml
subPath: config.yml
- name: registryctl
image: hub.kaolayouran.cn:5000/base/harbor-registryctl:v2.4.2
#image: goharbor/harbor-registryctl:v2.4.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /api/health
scheme: HTTP
port: 8080
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/health
scheme: HTTP
port: 8080
initialDelaySeconds: 1
periodSeconds: 10
envFrom:
- configMapRef:
name: harbor-registryctl
- secretRef:
name: harbor-registry
- secretRef:
name: harbor-registryctl
env:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: harbor-core
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: harbor-jobservice
key: JOBSERVICE_SECRET
ports:
- containerPort: 8080
volumeMounts:
- name: registry-data
mountPath: /storage
subPath: registry
- name: registry-config
mountPath: /etc/registry/config.yml
subPath: config.yml
- name: registry-config
mountPath: /etc/registryctl/config.yml
subPath: ctl-config.yml
volumes:
- name: registry-htpasswd
secret:
secretName: harbor-registry-htpasswd
items:
- key: REGISTRY_HTPASSWD
path: passwd
- name: registry-config
configMap:
name: harbor-registry
- name: registry-data
persistentVolumeClaim:
claimName: harbor-pv-claim
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: harbor-database
labels:
app: harbor
component: database
spec:
replicas: 1
serviceName: "harbor-database"
selector:
matchLabels:
app: harbor
component: database
template:
metadata:
labels:
app: harbor
component: database
annotations:
checksum/secret: 55b1e7be0855a53d12362dc11834f575bd16ba09cdd84b0551bda85635e15ac1
spec:
securityContext:
runAsUser: 999
fsGroup: 999
automountServiceAccountToken: false
terminationGracePeriodSeconds: 120
initContainers:
# as we change the data directory to a sub folder to support psp, the init container here
# is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756
# for more detail.
# we may remove it after several releases
- name: data-migrator
image: hub.kaolayouran.cn:5000/base/harbor-db:v2.4.2
#image: goharbor/harbor-db:v2.4.2
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"]
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: database
# with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume
# this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph
# use this init container to correct the permission
# as "fsGroup" applied before the init container running, the container has enough permission to execute the command
- name: data-permissions-ensurer
image: hub.kaolayouran.cn:5000/base/harbor-db:v2.4.2
#image: goharbor/harbor-db:v2.4.2
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: database
containers:
- name: database
image: hub.kaolayouran.cn:5000/base/harbor-db:v2.4.2
#image: goharbor/harbor-db:v2.4.2
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /docker-healthcheck.sh
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
exec:
command:
- /docker-healthcheck.sh
initialDelaySeconds: 1
periodSeconds: 10
envFrom:
- secretRef:
name: harbor-database
env:
# put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
# more detail refer to https://github.com/goharbor/harbor-helm/issues/756
- name: PGDATA
value: "/var/lib/postgresql/data/pgdata"
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: database
- name: shm-volume
mountPath: /dev/shm
volumes:
- name: shm-volume
emptyDir:
medium: Memory
sizeLimit: 512Mi
- name: database-data
persistentVolumeClaim:
claimName: harbor-pv-claim
---
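apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: harbor-redis
  labels:
    app: harbor
    component: redis
spec:
  replicas: 1
  serviceName: harbor-redis
  selector:
    matchLabels:
      app: harbor
      component: redis
  template:
    metadata:
      labels:
        app: harbor
        component: redis
    spec:
      securityContext:
        runAsUser: 999
        fsGroup: 999
      automountServiceAccountToken: false
      terminationGracePeriodSeconds: 120
      containers:
        # No Redis password is configured anywhere in this manifest (the client
        # URLs carry no credentials and the REDIS_PASSWORD secrets are empty),
        # so any pod that can reach Service harbor-redis on 6379 can read and
        # write Harbor's cache and job queue. Limit access with a NetworkPolicy
        # that admits only the app=harbor pods.
        # NOTE(review): unlike the trivy container, this one sets no
        # container-level securityContext (allowPrivilegeEscalation: false).
        - name: redis
          image: hub.kaolayouran.cn:5000/base/redis-photon:v2.4.2
          #image: goharbor/redis-photon:v2.4.2
          imagePullPolicy: IfNotPresent
          livenessProbe:
            tcpSocket:
              port: 6379
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: 6379
            initialDelaySeconds: 1
            periodSeconds: 10
          volumeMounts:
            - name: data
              mountPath: /var/lib/redis
              subPath: redis
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: harbor-pv-claim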
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: harbor-trivy
labels:
app: harbor
component: trivy
spec:
replicas: 1
serviceName: harbor-trivy
selector:
matchLabels:
app: harbor
component: trivy
template:
metadata:
labels:
app: harbor
component: trivy
annotations:
checksum/secret: 81105cb33a8cb2937d69d3a39d46a94953951b6154c8518d288852bcf66b4d6d
spec:
securityContext:
runAsUser: 10000
fsGroup: 10000
automountServiceAccountToken: false
containers:
- name: trivy
image: hub.kaolayouran.cn:5000/base/trivy-adapter-photon:v2.4.2
#image: goharbor/trivy-adapter-photon:v2.4.2
imagePullPolicy: IfNotPresent
securityContext:
privileged: false
allowPrivilegeEscalation: false
env:
- name: HTTP_PROXY
value: ""
- name: HTTPS_PROXY
value: ""
- name: NO_PROXY
value: "harbor-core,harbor-jobservice,harbor-database,harbor-chartmuseum,harbor-notary-server,harbor-notary-signer,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal"
- name: SCANNER_LOG_LEVEL
value: "info"
- name: SCANNER_TRIVY_CACHE_DIR
value: "/home/scanner/.cache/trivy"
- name: SCANNER_TRIVY_REPORTS_DIR
value: "/home/scanner/.cache/reports"
- name: SCANNER_TRIVY_DEBUG_MODE
value: "false"
- name: SCANNER_TRIVY_VULN_TYPE
value: "os,library"
- name: SCANNER_TRIVY_TIMEOUT
value: "5m0s"
- name: SCANNER_TRIVY_GITHUB_TOKEN
valueFrom:
secretKeyRef:
name: harbor-trivy
key: gitHubToken
- name: SCANNER_TRIVY_SEVERITY
value: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
- name: SCANNER_TRIVY_IGNORE_UNFIXED
value: "false"
- name: SCANNER_TRIVY_SKIP_UPDATE
value: "false"
- name: SCANNER_TRIVY_OFFLINE_SCAN
value: "false"
- name: SCANNER_TRIVY_INSECURE
value: "false"
- name: SCANNER_API_SERVER_ADDR
value: ":8080"
- name: SCANNER_REDIS_URL
valueFrom:
secretKeyRef:
name: harbor-trivy
key: redisURL
- name: SCANNER_STORE_REDIS_URL
valueFrom:
secretKeyRef:
name: harbor-trivy
key: redisURL
- name: SCANNER_JOB_QUEUE_REDIS_URL
valueFrom:
secretKeyRef:
name: harbor-trivy
key: redisURL
ports:
- name: api-server
containerPort: 8080
volumeMounts:
- name: data
mountPath: /home/scanner/.cache
subPath: trivy
readOnly: false
livenessProbe:
httpGet:
scheme: HTTP
path: /probe/healthy
port: api-server
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
httpGet:
scheme: HTTP
path: /probe/ready
port: api-server
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 200m
memory: 512Mi
volumes:
- name: data
persistentVolumeClaim:
claimName: harbor-pv-claim
EOF
kubectl create -f 1-harbor-deploy.yaml
需要的镜像
goharbor/chartmuseum-photon:v2.4.2
goharbor/harbor-core:v2.4.2
goharbor/harbor-jobservice:v2.4.2
goharbor/nginx-photon:v2.4.2
goharbor/notary-server-photon:v2.4.2
goharbor/notary-signer-photon:v2.4.2
goharbor/harbor-portal:v2.4.2
goharbor/registry-photon:v2.4.2
goharbor/harbor-registryctl:v2.4.2
goharbor/harbor-db:v2.4.2
goharbor/harbor-db:v2.4.2
goharbor/harbor-db:v2.4.2
goharbor/redis-photon:v2.4.2
goharbor/trivy-adapter-photon:v2.4.2
本文是原创文章,采用 CC BY-NC-ND 4.0 协议,完整转载请注明来自 运维小白

