Merge pull request #1 from MarcHenriot/rebase

feat: add pdb
goharbor · Jul 12, 2023 · f4fa8e0 · f4fa8e0
2 parents cf681d6 + 968cfea
commit f4fa8e0
Show file tree

Hide file tree

Showing 34 changed files with 218 additions and 664 deletions.
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -43,7 +43,6 @@ jobs:
       - name: Set /etc/hosts
         run: |
          sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts"
-         sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts"
 
       - name: Run integration tests
         working-directory: ./test
@@ -56,7 +55,7 @@ jobs:
           df -h
           free -m
           mkdir -p /tmp/harbor
-          for name in core jobservice registry registryctl trivy notaryserver notarysigner portal redis database; do \
+          for name in core jobservice registry registryctl trivy portal redis database; do \
             kubectl -n default logs -l "component=$name" --all-containers > /tmp/harbor/$name.log ; \
           done
 

diff --git a/README.md b/README.md
diff --git a/conf/notary-server.json b/conf/notary-server.json
diff --git a/conf/notary-signer.json b/conf/notary-signer.json
diff --git a/docs/High Availability.md b/docs/High Availability.md
@@ -39,13 +39,13 @@ helm fetch harbor/harbor --untar
 Configure the following items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`:
 
 - **Ingress rule**
-   Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`.
+   Configure the `expose.ingress.hosts.core`.
 - **External URL**
    Configure the `externalURL`.
 - **External PostgreSQL**
    Set the `database.type` to `external` and fill the information in `database.external` section.
 
-   Four empty databases should be created manually for `Harbor core`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up.
+   Four empty databases should be created manually for `Harbor core`, and configure them in the section. Harbor will create tables automatically when starting up.
 - **External Redis**
    Set the `redis.type` to `external` and fill the information in `redis.external` section.
    Redis sentinel is supported after v1.9.0, configure the `redis.external.sentinelMasterSet` and `redis.external.addr` to enable it.
@@ -61,7 +61,7 @@ Configure the following items in `values.yaml`, you can also set them as paramet
    If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLoggers` to `database`.
 
 - **Replica**
-   Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2).
+   Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas` to `n`(`n`>=2).
 
 ### Installation
 

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -111,22 +111,6 @@ app: "{{ template "harbor.name" . }}"
   {{- end -}}
 {{- end -}}
 
-{{- define "harbor.database.notaryServerDatabase" -}}
-  {{- if eq .Values.database.type "internal" -}}
-    {{- printf "%s" "notaryserver" -}}
-  {{- else -}}
-    {{- .Values.database.external.notaryServerDatabase -}}
-  {{- end -}}
-{{- end -}}
-
-{{- define "harbor.database.notarySignerDatabase" -}}
-  {{- if eq .Values.database.type "internal" -}}
-    {{- printf "%s" "notarysigner" -}}
-  {{- else -}}
-    {{- .Values.database.external.notarySignerDatabase -}}
-  {{- end -}}
-{{- end -}}
-
 {{- define "harbor.database.sslmode" -}}
   {{- if eq .Values.database.type "internal" -}}
     {{- printf "%s" "disable" -}}
@@ -135,14 +119,6 @@ app: "{{ template "harbor.name" . }}"
   {{- end -}}
 {{- end -}}
 
-{{- define "harbor.database.notaryServer" -}}
-postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
-{{- end -}}
-
-{{- define "harbor.database.notarySigner" -}}
-postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
-{{- end -}}
-
 {{- define "harbor.redis.scheme" -}}
   {{- with .Values.redis }}
     {{- ternary "redis+sentinel" "redis"  (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }}
@@ -247,14 +223,6 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
   {{- printf "%s-trivy" (include "harbor.fullname" .) -}}
 {{- end -}}
 
-{{- define "harbor.notary-server" -}}
-  {{- printf "%s-notary-server" (include "harbor.fullname" .) -}}
-{{- end -}}
-
-{{- define "harbor.notary-signer" -}}
-  {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}}
-{{- end -}}
-
 {{- define "harbor.nginx" -}}
   {{- printf "%s-nginx" (include "harbor.fullname" .) -}}
 {{- end -}}
@@ -267,12 +235,8 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
   {{- printf "%s-ingress" (include "harbor.fullname" .) -}}
 {{- end -}}
 
-{{- define "harbor.ingress-notary" -}}
-  {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}}
-{{- end -}}
-
 {{- define "harbor.noProxy" -}}
-  {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}}
+  {{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}}
 {{- end -}}
 
 {{- define "harbor.caBundleVolume" -}}
@@ -287,7 +251,7 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
   subPath: ca.crt
 {{- end -}}
 
-{{/* scheme for all components except notary because it only support http mode */}}
+{{/* scheme for all components because it only support http mode */}}
 {{- define "harbor.component.scheme" -}}
   {{- if .Values.internalTLS.enabled -}}
     {{- printf "https" -}}
@@ -490,16 +454,6 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
   {{- end -}}
 {{- end -}}
 
-{{- define "harbor.tlsNotarySecretForIngress" -}}
-  {{- if eq .Values.expose.tls.certSource "none" -}}
-    {{- printf "" -}}
-  {{- else if eq .Values.expose.tls.certSource "secret" -}}
-    {{- .Values.expose.tls.secret.notarySecretName -}}
-  {{- else -}}
-    {{- include "harbor.ingress" . -}}
-  {{- end -}}
-{{- end -}}
-
 {{- define "harbor.tlsSecretForNginx" -}}
   {{- if eq .Values.expose.tls.certSource "secret" -}}
     {{- .Values.expose.tls.secret.secretName -}}

diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml
@@ -26,8 +26,6 @@ data:
   JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}"
   REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
   TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
-  WITH_NOTARY: "{{ .Values.notary.enabled }}"
-  NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
   CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}"
   WITH_TRIVY: {{ .Values.trivy.enabled | quote }}
   TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}"
@@ -48,7 +46,7 @@ data:
   HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
   NO_PROXY: "{{ template "harbor.noProxy" . }}"
   {{- end }}
-  PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,jfrog-artifactory"
+  PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory"
   {{- if .Values.metrics.enabled}}
   METRIC_ENABLE: "true"
   METRIC_PATH: "{{ .Values.metrics.core.path }}"

diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -45,6 +45,16 @@ spec:
       {{- end }}
       automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }}
       terminationGracePeriodSeconds: 120
+{{- with .Values.core.topologySpreadConstraints}}
+      topologySpreadConstraints:
+{{- range . }}
+      - {{ . | toYaml | indent 8 | trim }}
+        labelSelector:
+          matchLabels:
+{{ include "harbor.matchLabels" $ | indent 12 }}
+            component: core
+{{- end }}
+{{- end }}
       containers:
       - name: core
         image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}

diff --git a/templates/core/core-pdb.yaml b/templates/core/core-pdb.yaml
@@ -1,12 +1,17 @@
-{{- if and .Values.core.podDisruptionBudget (gt (int .Values.core.replicas) 1) }}
+{{- if and .Values.core.podDisruptionBudget.enabled (gt (int .Values.core.replicas) 1) }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "harbor.core" . }}
   labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
-  minAvailable: 1
+  {{- if .Values.core.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.core.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.core.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.core.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
   selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
     component: core

diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
@@ -25,4 +25,7 @@ data:
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}
   CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
+{{- if .Values.core.configureUserSettings }}
+  CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
+{{- end }}
   {{- template "harbor.traceJaegerPassword" . }}
diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -22,6 +22,11 @@ spec:
 {{ toYaml .Values.exporter.podLabels | indent 8 }}
 {{- end }}
       annotations:
+{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
+        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
+{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
+        checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.exporter.podAnnotations }}
 {{ toYaml .Values.exporter.podAnnotations | indent 8 }}
 {{- end }}
@@ -37,6 +42,16 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }}
+{{- with .Values.exporter.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- range . }}
+      - {{ . | toYaml | indent 8 | trim }}
+        labelSelector:
+          matchLabels:
+{{ include "harbor.matchLabels" $ | indent 12 }}
+            component: exporter
+{{- end }}
+{{- end }}
       containers:
       - name: exporter
         image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}

diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml
@@ -8,23 +8,20 @@
   {{- $_ := set . "v2_path" "/v2/*" -}}
   {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
   {{- $_ := set . "controller_path" "/c/*" -}}
-  {{- $_ := set . "notary_path" "/" -}}
 {{- else if eq .Values.expose.ingress.controller "ncp" }}
   {{- $_ := set . "portal_path" "/.*" -}}
   {{- $_ := set . "api_path" "/api/.*" -}}
   {{- $_ := set . "service_path" "/service/.*" -}}
   {{- $_ := set . "v2_path" "/v2/.*" -}}
   {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
   {{- $_ := set . "controller_path" "/c/.*" -}}
-  {{- $_ := set . "notary_path" "/.*" -}}
 {{- else }}
   {{- $_ := set . "portal_path" "/" -}}
   {{- $_ := set . "api_path" "/api/" -}}
   {{- $_ := set . "service_path" "/service/" -}}
   {{- $_ := set . "v2_path" "/v2/" -}}
   {{- $_ := set . "chartrepo_path" "/chartrepo/" -}}
   {{- $_ := set . "controller_path" "/c/" -}}
-  {{- $_ := set . "notary_path" "/" -}}
 {{- end }}
 
 ---
@@ -145,65 +142,4 @@ spec:
     host: {{ $ingress.hosts.core }}
     {{- end }}
 
-{{- if .Values.notary.enabled  }}
----
-{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }}
-apiVersion: extensions/v1beta1
-{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
-apiVersion: networking.k8s.io/v1beta1
-{{- else }}
-apiVersion: networking.k8s.io/v1
-{{- end }}
-kind: Ingress
-metadata:
-  name: "{{ template "harbor.ingress-notary" . }}"
-  labels:
-{{ include "harbor.labels" . | indent 4 }}
-{{- if $ingress.notary.labels }}
-{{ toYaml $ingress.notary.labels | indent 4 }}
-{{- end }}
-  annotations:
-{{ toYaml $ingress.annotations | indent 4 }}
-{{- if eq .Values.expose.ingress.controller "ncp" }}
-    ncp/use-regex: "true"
-    {{- if $tls.enabled }}
-    ncp/http-redirect: "true"
-    {{- end }}
-{{- end }}
-{{- if $ingress.notary.annotations }}
-{{ toYaml $ingress.notary.annotations | indent 4 }}
-{{- end }}
-spec:
-  {{- if $ingress.className }}
-  ingressClassName: {{ $ingress.className }}
-  {{- end }}
-  {{- if $tls.enabled }}
-  tls:
-  - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }}
-    {{- if $ingress.hosts.notary }}
-    hosts:
-    - {{ $ingress.hosts.notary }}
-    {{- end }}
-  {{- end }}
-  rules:
-  - http:
-      paths:
-      - path: {{ .notary_path }}
-{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
-        backend:
-          serviceName: {{ template "harbor.notary-server" . }}
-          servicePort: 4443
-{{- else }}
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ template "harbor.notary-server" . }}
-            port:
-              number: 4443
-{{- end -}}
-    {{- if $ingress.hosts.notary }}
-    host: {{ $ingress.hosts.notary }}
-    {{- end }}
-{{- end }}
-
 {{- end }}
diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml
@@ -1,6 +1,6 @@
 {{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
 {{- $ca := genCA "harbor-ca" 365 }}
-{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }}
+{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -51,6 +51,16 @@ spec:
       {{- end }}
       automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }}
       terminationGracePeriodSeconds: 120
+{{- with .Values.jobservice.topologySpreadConstraints}}
+      topologySpreadConstraints:
+{{- range . }}
+      - {{ . | toYaml | indent 8 | trim }}
+        labelSelector:
+          matchLabels:
+{{ include "harbor.matchLabels" $ | indent 12 }}
+            component: jobservice
+{{- end }}
+{{- end }}
       containers:
       - name: jobservice
         image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}