diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index c72b9431c..a88e01d74 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -9,31 +9,31 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - k8s_version: [v1.25.3, v1.24.7, v1.23.13] + k8s_version: [v1.31.1, v1.30.4, v1.29.8] steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Create kind cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.10.0 with: - version: v0.17.0 + version: v0.24.0 node_image: kindest/node:${{ matrix.k8s_version }} cluster_name: kind-cluster-${{ matrix.k8s_version }} config: test/integration/kind-cluster.yaml - name: Install Nginx ingress controller run: | - kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.0/deploy/static/provider/kind/deploy.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/kind/deploy.yaml kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s - - name: Set up Go 1.19 - uses: actions/setup-go@v2 + - name: Set up Go 1.23 + uses: actions/setup-go@v5 with: - go-version: "1.19" + go-version: "1.23" - name: Cache go mod - uses: actions/cache@v2 + uses: actions/cache@v4 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -59,7 +59,7 @@ jobs: kubectl -n default logs -l "component=$name" --all-containers > /tmp/harbor/$name.log ; \ done - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v4 if: failure() with: name: harbor_${{ matrix.k8s_version }}_${{ runner.os }}
@@ -71,7 +71,7 @@ jobs: mkdir -p /tmp/logs kind export logs --name kind-cluster-${{ matrix.k8s_version }} /tmp/logs - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v4 if: failure() with: name: kind_v${{ matrix.k8s_version }} 
diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml
index d9cf91e90..0c3e8100d 100644
--- a/.github/workflows/unittest.yaml
+++ b/.github/workflows/unittest.yaml
@@ -16,20 +16,10 @@ jobs: with: version: '3.11.1' - - name: Set up Go 1.19 - uses: actions/setup-go@v2 - with: - go-version: 1.19 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- + - name: Install Helm Unit Test Plugin + run: | + helm plugin install https://github.com/helm-unittest/helm-unittest --version v0.4.4 - name: Run unit tests - working-directory: ./test run: - go test -v github.com/goharbor/harbor-helm/unittest + helm unittest -f 'test/unittest/*.yaml' .
diff --git a/Chart.yaml b/Chart.yaml
index 59edf1fcd..6838db79e 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -13,10 +13,12 @@ sources: - https://github.com/goharbor/harbor - https://github.com/goharbor/harbor-helm maintainers: +- name: Yan Wang + email: yan-yw.wang@broadcom.com - name: Wenkai Yin - email: yinw@vmware.com -- name: Weiwei He - email: hweiwei@vmware.com + email: wenkai.yin@broadcom.com +- name: Miner Yang + email: miner.yang@broadcom.com - name: Shengwen Yu - email: yshengwen@vmware.com + email: shengwen.yu@broadcom.com engine: gotpl
diff --git a/README.md b/README.md
index 91687ddaf..ec394b84a 100644
--- a/README.md
+++ b/README.md 
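Review bot: `helm plugin install https://github.com/helm-unittest/helm-unittest --version v0.4.4` clones a git tag and runs the plugin's install hook inside the CI job with no integrity check, so the unit-test result now depends on whatever that mutable tag resolves to at run time rather than on a fixed artifact. Pinning the install to the release's commit or recording the expected plugin digest, and caching the installed plugin so the fetch is not repeated on every run, would close that gap; a short comment above the step saying why the plugin is fetched from source rather than from a packaged action would help the next reader. The new `run: helm unittest -f 'test/unittest/*.yaml' .` quotes the glob so helm-unittest expands it itself rather than the shell, which is presumably intentional and worth a one-line comment. The job definition starts above this hunk.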
@@ -215,6 +215,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | | `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | | `portal.priorityClassName` | The priority class to run the pod as | | +| `portal.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | **Core** | | | | `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | | `core.image.tag` | Tag for Harbor core image | `dev` |
@@ -240,6 +241,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | | `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | | `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | +| `core.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | **Jobservice** | | | | `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | | `jobservice.image.tag` | Tag for jobservice image | `dev` | 
@@ -261,6 +263,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | | `jobservice.priorityClassName` | The priority class to run the pod as | | | `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | **Registry** | | | | `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | | `registry.registry.image.tag` | Tag for registry image | `dev` |
@@ -288,6 +291,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | | `registry.upload_purging.interval` | The interval of the purge operations | `24h` | | `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | **[Trivy][trivy]** | | | | `trivy.enabled` | The flag to enable Trivy scanner | `true` | | `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | 
@@ -303,11 +307,12 @@ The following table lists the configurable parameters of the Harbor chart and th | `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | | `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | | `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | -| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. | `vuln` | | `trivy.timeout` | The duration to wait for scan completion | `5m0s` | | `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | | `trivy.priorityClassName` | The priority class to run the pod as | | | `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| `trivy.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | **Database** | | | | `database.type` | If external database is used, set it to `external` | `internal` | | `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | 
@@ -324,6 +329,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `database.internal.priorityClassName` | The priority class to run the pod as | | | `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | | `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` | | `database.external.host` | The hostname of external database | `192.168.0.1` | | `database.external.port` | The port of external database | `5432` | | `database.external.username` | The username of external database | `user` |
@@ -349,6 +355,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | | `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | | `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` | | `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | | `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | | `redis.external.coreDatabaseIndex` | The database index for core | `0` |
diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml
index 93cab01b4..f27bdaaaf 100644
--- a/templates/core/core-cm.yaml
+++ b/templates/core/core-cm.yaml
@@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: 
@@ -87,4 +88,4 @@ data: {{- if .Values.core.quotaUpdateProvider }} QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" - {{- end }} \ No newline at end of file + {{- end }}
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
index c01f51d4c..42f444029 100644
--- a/templates/core/core-dpl.yaml
+++ b/templates/core/core-dpl.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: core
@@ -59,6 +60,10 @@ spec: component: core {{- end }} {{- end }} + {{- with .Values.core.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: core image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml
index ce0b13134..872715694 100644
--- a/templates/core/core-pre-upgrade-job.yaml
+++ b/templates/core/core-pre-upgrade-job.yaml
@@ -3,6 +3,7 @@ apiVersion: batch/v1 kind: Job metadata: name: migration-job + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: migrator
@@ -74,4 +75,4 @@ spec: tolerations: {{ toYaml . | indent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }}
diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
index 62a41fce8..ea9d4cfab 100644
--- a/templates/core/core-secret.yaml
+++ b/templates/core/core-secret.yaml
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque
diff --git a/templates/core/core-svc.yaml b/templates/core/core-svc.yaml
index 0d2cfb291..f918eb388 100644
--- a/templates/core/core-svc.yaml
+++ b/templates/core/core-svc.yaml 
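Review bot: In the core-dpl.yaml hunk the containers rendered from `.Values.core.initContainers` are passed through `toYaml` verbatim, so the chart-wide `containerSecurityContext` that the chart applies to its own containers (see the `securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}` context in the registry-dpl.yaml hunk) is not applied to them; an operator relying on that value for non-root or read-only-filesystem enforcement gets no such default on user-supplied init containers, which run with the same service account and can mount the same volumes as the pod. A comment above the block would make that explicit, e.g. `{{- /* user-supplied init containers are rendered as-is: set securityContext per container in values, containerSecurityContext is not applied here */ -}}`, and the README rows should say the same. The identical pattern appears in the jobservice-dpl.yaml, portal/deployment.yaml, redis/statefulset.yaml and registry-dpl.yaml hunks (L13, L17, L18, L19) and in database-ss.yaml (L9). The Deployment's `spec` block starts outside the hunk.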
@@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- with .Values.core.serviceAnnotations }}
diff --git a/templates/core/core-tls.yaml b/templates/core/core-tls.yaml
index c52148f0d..d90d30c8f 100644
--- a/templates/core/core-tls.yaml
+++ b/templates/core/core-tls.yaml
@@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.core.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -12,4 +13,4 @@ data: tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }}
diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml
index 864aff4a1..0d07ec26f 100644
--- a/templates/database/database-secret.yaml
+++ b/templates/database/database-secret.yaml
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque
diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
index 8cf9cd928..9bd5c096c 100644
--- a/templates/database/database-ss.yaml
+++ b/templates/database/database-ss.yaml
@@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: database 
@@ -63,6 +64,9 @@ spec: - name: database-data mountPath: /var/lib/postgresql/data subPath: {{ $database.subPath }} + {{- with .Values.database.internal.extrInitContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} containers: - name: database image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
diff --git a/templates/database/database-svc.yaml b/templates/database/database-svc.yaml
index 6475048cd..e2085a058 100644
--- a/templates/database/database-svc.yaml
+++ b/templates/database/database-svc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec:
@@ -11,4 +12,4 @@ spec: selector: {{ include "harbor.matchLabels" . | indent 4 }} component: database -{{- end -}} \ No newline at end of file +{{- end -}}
diff --git a/templates/exporter/exporter-cm-env.yaml b/templates/exporter/exporter-cm-env.yaml
index 0bf4e7d90..3f911032b 100644
--- a/templates/exporter/exporter-cm-env.yaml
+++ b/templates/exporter/exporter-cm-env.yaml
@@ -3,6 +3,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.exporter" . }}-env" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data:
@@ -32,4 +33,4 @@ data: HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" -{{- end}} \ No newline at end of file +{{- end}}
diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
index a4e5fa21f..8a8237b3e 100644
--- a/templates/exporter/exporter-dpl.yaml
+++ b/templates/exporter/exporter-dpl.yaml 
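Review bot: The new values key `database.internal.extrInitContainers` reads as a typo for `extraInitContainers` (the README row added in this commit even describes it as "Extra init containers"); values keys are the chart's public interface and renaming after release is a breaking change, so it is worth fixing now, together with the README row. Unlike the other templates in this commit, the block emits no `initContainers:` key and instead splices the value at `nindent 6`, apparently onto the end of the built-in init container whose `volumeMounts` form the hunk's context, so a value that is not a list of containers renders an invalid StatefulSet without any template-time error. A comment such as `{{- /* appended to the chart's own init container list above; must be a list of container specs */ -}}` above the `with` would make that contract explicit. The enclosing `initContainers` list starts outside the hunk.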
@@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "harbor.exporter" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: exporter
diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml
index 434a1bf68..02c74d03c 100644
--- a/templates/exporter/exporter-secret.yaml
+++ b/templates/exporter/exporter-secret.yaml
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.exporter" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque
diff --git a/templates/exporter/exporter-svc.yaml b/templates/exporter/exporter-svc.yaml
index 4a6f3fdec..6d0d83193 100644
--- a/templates/exporter/exporter-svc.yaml
+++ b/templates/exporter/exporter-svc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.exporter" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec:
diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml
index 73472c605..f2314716e 100644
--- a/templates/ingress/ingress.yaml
+++ b/templates/ingress/ingress.yaml
@@ -2,6 +2,7 @@ {{- $ingress := .Values.expose.ingress -}} {{- $tls := .Values.expose.tls -}} {{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "path_type" "ImplementationSpecific" -}} {{- $_ := set . "portal_path" "/*" -}} {{- $_ := set . "api_path" "/api/*" -}} {{- $_ := set . "service_path" "/service/*" -}}
@@ -9,6 +10,7 @@ {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} {{- $_ := set . "controller_path" "/c/*" -}} {{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "path_type" "Prefix" -}} {{- $_ := set . "portal_path" "/.*" -}} {{- $_ := set . "api_path" "/api/.*" -}} {{- $_ := set . "service_path" "/service/.*" -}} 
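Review bot: In the first ingress.yaml hunk the reason each controller branch now carries its own `path_type` is not recorded anywhere, and the next reader will have to re-derive why `gce` gets `ImplementationSpecific` while `ncp` and the default branch get `Prefix`. A one-line template comment above the first `set` would settle it, e.g. `{{- /* pathType per controller: GCE only accepts wildcard paths such as /* with ImplementationSpecific; ncp and the generic controller use Prefix */ -}}`. The ncp branch keeps `Prefix` next to regex-style paths like `/api/.*`, which presumably relies on that controller interpreting them; if that is intentional it deserves the same comment, since `Prefix` paths are otherwise matched element-wise. The `if`/`else if` chain continues past the end of the hunk.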
@@ -16,6 +18,7 @@ {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} {{- $_ := set . "controller_path" "/c/.*" -}} {{- else }} + {{- $_ := set . "path_type" "Prefix" -}} {{- $_ := set . "portal_path" "/" -}} {{- $_ := set . "api_path" "/api/" -}} {{- $_ := set . "service_path" "/service/" -}}
@@ -35,6 +38,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: "{{ template "harbor.ingress" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- if $ingress.labels }}
@@ -93,42 +97,42 @@ spec: servicePort: {{ template "harbor.portal.servicePort" . }} {{- else }} - path: {{ .api_path }} - pathType: Prefix + pathType: {{ .path_type }} backend: service: name: {{ template "harbor.core" . }} port: number: {{ template "harbor.core.servicePort" . }} - path: {{ .service_path }} - pathType: Prefix + pathType: {{ .path_type }} backend: service: name: {{ template "harbor.core" . }} port: number: {{ template "harbor.core.servicePort" . }} - path: {{ .v2_path }} - pathType: Prefix + pathType: {{ .path_type }} backend: service: name: {{ template "harbor.core" . }} port: number: {{ template "harbor.core.servicePort" . }} - path: {{ .chartrepo_path }} - pathType: Prefix + pathType: {{ .path_type }} backend: service: name: {{ template "harbor.core" . }} port: number: {{ template "harbor.core.servicePort" . }} - path: {{ .controller_path }} - pathType: Prefix + pathType: {{ .path_type }} backend: service: name: {{ template "harbor.core" . }} port: number: {{ template "harbor.core.servicePort" . }} - path: {{ .portal_path }} - pathType: Prefix + pathType: {{ .path_type }} backend: service: name: {{ template "harbor.portal" . }}
diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml
index 41507b3dd..90ba27511 100644
--- a/templates/ingress/secret.yaml
+++ b/templates/ingress/secret.yaml 
@@ -5,6 +5,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.ingress" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -12,4 +13,4 @@ data: tls.crt: {{ $cert.Cert | b64enc | quote }} tls.key: {{ $cert.Key | b64enc | quote }} ca.crt: {{ $ca.Cert | b64enc | quote }} -{{- end }} \ No newline at end of file +{{- end }}
diff --git a/templates/internal/auto-tls.yaml b/templates/internal/auto-tls.yaml
index da5f5e2c7..32807cfd1 100644
--- a/templates/internal/auto-tls.yaml
+++ b/templates/internal/auto-tls.yaml
@@ -14,6 +14,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.core.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -27,6 +28,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -40,6 +42,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -53,6 +56,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -69,6 +73,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -78,4 +83,4 @@ data: tls.key: {{ $trivyCrt.Key | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/templates/jobservice/jobservice-cm-env.yaml b/templates/jobservice/jobservice-cm-env.yaml
index 8411c7a47..2b9307455 100644
--- a/templates/jobservice/jobservice-cm-env.yaml
+++ b/templates/jobservice/jobservice-cm-env.yaml
@@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.jobservice" . }}-env" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data:
diff --git a/templates/jobservice/jobservice-cm.yaml b/templates/jobservice/jobservice-cm.yaml
index 8211c6220..c950e6787 100644
--- a/templates/jobservice/jobservice-cm.yaml
+++ b/templates/jobservice/jobservice-cm.yaml
@@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data:
diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
index 32929ca80..aa6a8c990 100644
--- a/templates/jobservice/jobservice-dpl.yaml
+++ b/templates/jobservice/jobservice-dpl.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: jobservice
@@ -65,6 +66,10 @@ spec: component: jobservice {{- end }} {{- end }} + {{- with .Values.jobservice.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: jobservice image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
diff --git a/templates/jobservice/jobservice-pvc.yaml b/templates/jobservice/jobservice-pvc.yaml
index 3f7d00b67..eb781eed1 100644
--- a/templates/jobservice/jobservice-pvc.yaml
+++ b/templates/jobservice/jobservice-pvc.yaml 
@@ -4,6 +4,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "harbor.jobservice" . }} + namespace: {{ .Release.Namespace | quote }} annotations: {{- range $key, $value := $jobLog.annotations }} {{ $key }}: {{ $value | quote }}
diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml
index eeb00bde0..7706c3513 100644
--- a/templates/jobservice/jobservice-secrets.yaml
+++ b/templates/jobservice/jobservice-secrets.yaml
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque
diff --git a/templates/jobservice/jobservice-svc.yaml b/templates/jobservice/jobservice-svc.yaml
index d2b7a47fd..483b40ed5 100644
--- a/templates/jobservice/jobservice-svc.yaml
+++ b/templates/jobservice/jobservice-svc.yaml
@@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec:
diff --git a/templates/jobservice/jobservice-tls.yaml b/templates/jobservice/jobservice-tls.yaml
index 234cb3999..58809ec46 100644
--- a/templates/jobservice/jobservice-tls.yaml
+++ b/templates/jobservice/jobservice-tls.yaml
@@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls
@@ -12,4 +13,4 @@ data: tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/templates/metrics/metrics-svcmon.yaml b/templates/metrics/metrics-svcmon.yaml
index 1122ef01e..d566285ed 100644
--- a/templates/metrics/metrics-svcmon.yaml
+++ b/templates/metrics/metrics-svcmon.yaml
@@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "harbor.fullname" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | nindent 4 }} {{- if .Values.metrics.serviceMonitor.additionalLabels }} {{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
diff --git a/templates/nginx/configmap-http.yaml b/templates/nginx/configmap-http.yaml
index c4b8354d0..93ef76e8b 100644
--- a/templates/nginx/configmap-http.yaml
+++ b/templates/nginx/configmap-http.yaml
@@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data:
@@ -89,21 +90,6 @@ data: proxy_request_buffering off; } - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_buffering off; - proxy_request_buffering off; - } - location /c/ { proxy_pass {{ $scheme }}://core/c/; proxy_set_header Host $host;
diff --git a/templates/nginx/configmap-https.yaml b/templates/nginx/configmap-https.yaml
index 56c943a61..390caf216 100644
--- a/templates/nginx/configmap-https.yaml
+++ b/templates/nginx/configmap-https.yaml
@@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: 
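Review bot: Removing `location /chartrepo/` from configmap-http.yaml (and likewise from configmap-https.yaml, L16) means requests under that prefix are no longer routed to core by the chart's nginx and presumably fall through to whatever catch-all location remains, yet the ingress.yaml hunk in this same commit still emits a `/chartrepo/` rule (`- path: {{ .chartrepo_path }}` backed by `harbor.core`), so the two exposure modes now disagree about an endpoint the chart has apparently dropped. Either remove the `chartrepo_path` rule and its `set` calls from the ingress template as well, or keep the nginx location, so that behaviour for this path does not depend on `expose.type`. A short comment at the removal site naming the reason (e.g. `# chartrepo endpoint removed: Harbor no longer serves it`) would also stop a future reader from re-adding it; the `data:` block continues outside the hunk.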
@@ -112,23 +113,6 @@ data: proxy_request_buffering off; } - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - location /c/ { proxy_pass {{ $scheme }}://core/c/; proxy_set_header Host $host;
diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml
index 3abc94198..04faa3735 100644
--- a/templates/nginx/deployment.yaml
+++ b/templates/nginx/deployment.yaml
@@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: nginx
diff --git a/templates/nginx/secret.yaml b/templates/nginx/secret.yaml
index c819c556d..369bd65d6 100644
--- a/templates/nginx/secret.yaml
+++ b/templates/nginx/secret.yaml
@@ -5,6 +5,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque
@@ -20,4 +21,4 @@ data: tls.key: {{ $cert.Key | b64enc | quote }} ca.crt: {{ $ca.Cert | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }}
diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml
index 691584ce0..7eac84ee1 100644
--- a/templates/nginx/service.yaml
+++ b/templates/nginx/service.yaml 
@@ -5,6 +5,7 @@ metadata: {{- if eq .Values.expose.type "clusterIP" }} {{- $clusterIP := .Values.expose.clusterIP }} name: {{ $clusterIP.name }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- if .Values.expose.clusterIP.labels }}
diff --git a/templates/portal/configmap.yaml b/templates/portal/configmap.yaml
index 7b2118e72..af56783a8 100644
--- a/templates/portal/configmap.yaml
+++ b/templates/portal/configmap.yaml
@@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data:
diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml
index ae1251360..f8a6dc6e9 100644
--- a/templates/portal/deployment.yaml
+++ b/templates/portal/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: portal
@@ -56,6 +57,10 @@ spec: component: portal {{- end }} {{- end }} + {{- with .Values.portal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: portal image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
diff --git a/templates/portal/service.yaml b/templates/portal/service.yaml
index d00026da4..c1273f072 100644
--- a/templates/portal/service.yaml
+++ b/templates/portal/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- with .Values.portal.serviceAnnotations }}
diff --git a/templates/portal/tls.yaml b/templates/portal/tls.yaml
index de63f4e81..e61a7d3a4 100644
--- a/templates/portal/tls.yaml
+++ b/templates/portal/tls.yaml 
@@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls diff --git a/templates/redis/service.yaml b/templates/redis/service.yaml index 79c95c3e0..61c21d13e 100644 --- a/templates/redis/service.yaml +++ b/templates/redis/service.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "harbor.redis" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: @@ -11,4 +12,4 @@ spec: selector: {{ include "harbor.matchLabels" . | indent 4 }} component: redis -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index ed8f705a7..fa5dd22d2 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "harbor.redis" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: redis @@ -41,6 +42,10 @@ spec: {{- end }} automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} terminationGracePeriodSeconds: 120 + {{- with .Values.redis.internal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: redis image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml index 4f7056c38..26e3fc915 100644 --- a/templates/registry/registry-cm.yaml +++ b/templates/registry/registry-cm.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: 
diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index ee11abf5d..9005925dd 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: registry @@ -68,6 +69,10 @@ spec: component: registry {{- end }} {{- end }} + {{- with .Values.registry.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: registry image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} @@ -93,7 +98,6 @@ spec: {{- if not (empty .Values.containerSecurityContext) }} securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} {{- end }} - args: ["serve", "/etc/registry/config.yml"] envFrom: - secretRef: name: "{{ template "harbor.registry" . }}" diff --git a/templates/registry/registry-pvc.yaml b/templates/registry/registry-pvc.yaml index 5d6d4d3dd..712c21175 100644 --- a/templates/registry/registry-pvc.yaml +++ b/templates/registry/registry-pvc.yaml @@ -5,6 +5,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "harbor.registry" . }} + namespace: {{ .Release.Namespace | quote }} annotations: {{- range $key, $value := $registry.annotations }} {{ $key }}: {{ $value | quote }} @@ -30,4 +31,4 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index e853a9cbe..11ada3b70 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml 
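Review bot: Removing `args: ["serve", "/etc/registry/config.yml"]` leaves the registry container's command entirely to the image, and nothing in the hunk says what the image now runs or where it reads its configuration; if the image's default command does not point at the path where the chart mounts the rendered config, the ConfigMap is silently ignored and the registry starts with built-in defaults. Please record the reason in a template comment, e.g. `{{- /* args omitted: the registry image's default command runs serve with the chart-mounted config */ -}}`, or keep the explicit args so the contract between chart and image stays visible in the template. The container definition continues outside the hunk.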
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque @@ -43,6 +44,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.registry" . }}-htpasswd" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque diff --git a/templates/registry/registry-svc.yaml b/templates/registry/registry-svc.yaml index 749690ea0..d89ae7dca 100644 --- a/templates/registry/registry-svc.yaml +++ b/templates/registry/registry-svc.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: @@ -17,4 +18,4 @@ spec: {{- end }} selector: {{ include "harbor.matchLabels" . | indent 4 }} - component: registry \ No newline at end of file + component: registry diff --git a/templates/registry/registry-tls.yaml b/templates/registry/registry-tls.yaml index 9d1862c41..ec4540c2e 100644 --- a/templates/registry/registry-tls.yaml +++ b/templates/registry/registry-tls.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -12,4 +13,4 @@ data: tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/registry/registryctl-cm.yaml b/templates/registry/registryctl-cm.yaml index 87aa5ffe2..61b2c5e13 100644 --- a/templates/registry/registryctl-cm.yaml 
+++ b/templates/registry/registryctl-cm.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.registryCtl" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: diff --git a/templates/registry/registryctl-secret.yaml b/templates/registry/registryctl-secret.yaml index 70097703e..324a2e03b 100644 --- a/templates/registry/registryctl-secret.yaml +++ b/templates/registry/registryctl-secret.yaml @@ -2,8 +2,9 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.registryCtl" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file + {{- template "harbor.traceJaegerPassword" . }} diff --git a/templates/trivy/trivy-secret.yaml b/templates/trivy/trivy-secret.yaml index 84652c749..b13f88000 100644 --- a/templates/trivy/trivy-secret.yaml +++ b/templates/trivy/trivy-secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.trivy" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index ae53e50fc..8c3c4d7ce 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "harbor.trivy" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: trivy @@ -58,6 +59,10 @@ spec: component: trivy {{- end }} {{- end }} + {{- with .Values.trivy.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: trivy image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} 
diff --git a/templates/trivy/trivy-svc.yaml b/templates/trivy/trivy-svc.yaml index 24daf094e..e0ae32070 100644 --- a/templates/trivy/trivy-svc.yaml +++ b/templates/trivy/trivy-svc.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.trivy" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: diff --git a/templates/trivy/trivy-tls.yaml b/templates/trivy/trivy-tls.yaml index a9c8330c3..58bce4ec5 100644 --- a/templates/trivy/trivy-tls.yaml +++ b/templates/trivy/trivy-tls.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls diff --git a/test/unittest/core_configmap_test.yaml b/test/unittest/core_configmap_test.yaml new file mode 100644 index 000000000..a68d17e42 --- /dev/null +++ b/test/unittest/core_configmap_test.yaml 
@@ -0,0 +1,180 @@ +suite: CoreConfigMap + +tests: + - it: witTrivy + set: + trivy: + enabled: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.WITH_TRIVY + value: "true" + + - it: RedisUrlHarborInternal + set: + redis: + internal: + harborDatabaseIndex: test-index + type: internal + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data._REDIS_URL_HARBOR + value: redis://RELEASE-NAME-harbor-redis:6379/test-index?idle_timeout_seconds=30 + + - it: RedisUrlHarborExternal + set: + redis: + external: + harborDatabaseIndex: test-index + type: external + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data._REDIS_URL_HARBOR + value: redis://192.168.0.2:6379/test-index?idle_timeout_seconds=30 + + - it: CacheLayerDatabaseIndex + set: + redis: + internal: + cacheLayerDatabaseIndex: test-index + type: internal + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data._REDIS_URL_CACHE_LAYER + value: redis://RELEASE-NAME-harbor-redis:6379/test-index?idle_timeout_seconds=30 + + - it: RegsitryCredentialUsername + set: + registry: + credentials: + username: test-username + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.REGISTRY_CREDENTIAL_USERNAME + value: test-username + + - it: UaaSecretName + set: + uaaSecretName: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.UAA_CA_ROOT + value: /etc/core/auth-ca/auth-ca.crt + + - it: MetricEnabled + set: + metrics: + enabled: true + core: + path: /customMetrics + port: 8080 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.METRIC_ENABLE + value: "true" + - equal: + path: data.METRIC_PATH + value: /customMetrics + - equal: + path: data.METRIC_PORT + value: "8080" + - equal: + path: data.METRIC_NAMESPACE + value: harbor + - equal: + path: data.METRIC_SUBSYSTEM + value: core + + - it: GcTimeWindowHours + set: + core: + gcTimeWindowHours: 2 + template: 
templates/core/core-cm.yaml + asserts: + - equal: + path: data.GC_TIME_WINDOW_HOURS + value: "2" + + - it: ArtifactPullAsyncFlushDuration + set: + core: + artifactPullAsyncFlushDuration: 30 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.ARTIFACT_PULL_ASYNC_FLUSH_DURATION + value: "30" + + - it: GdprDeleteUser + set: + core: + gdpr: + deleteUser: true + auditLogsCompliant: false + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.GDPR_DELETE_USER + value: "true" + - notExists: + path: data.GDPR_AUDIT_LOGS + + - it: GdprAuditLogsCompliant + set: + core: + gdpr: + deleteUser: false + auditLogsCompliant: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.GDPR_AUDIT_LOGS + value: "true" + - notExists: + path: data.GDPR_DELETE_USER + + - it: GdprDeleteUserAuditLogsCompliant + set: + core: + gdpr: + deleteUser: true + auditLogsCompliant: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.GDPR_DELETE_USER + value: "true" + - equal: + path: data.GDPR_AUDIT_LOGS + value: "true" + + - it: CacheEnabled + set: + cache: + enabled: true + expireHours: 3 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.CACHE_ENABLED + value: "true" + - equal: + path: data.CACHE_EXPIRE_HOURS + value: "3" + + - it: QuotaUpdate + set: + core: + quotaUpdateProvider: 3 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.QUOTA_UPDATE_PROVIDER + value: "3" \ No newline at end of file diff --git a/test/unittest/core_deployment_test.yaml b/test/unittest/core_deployment_test.yaml new file mode 100644 index 000000000..da67d3cbf --- /dev/null +++ b/test/unittest/core_deployment_test.yaml 
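Review bot: None of the added suites asserts `metadata.namespace`, although adding `namespace: {{ .Release.Namespace | quote }}` to every template is a large part of this commit; one assertion per suite, `- equal: path: metadata.namespace value: NAMESPACE` (helm-unittest's default release namespace unless the suite sets `release.namespace`), would pin the change and catch a template that later drops it. Two smaller points in this file: the test name `RegsitryCredentialUsername` is misspelled, and `uaaSecretName: true` sets a boolean where the chart expects a secret name, so a quoted string such as `uaaSecretName: "uaa-secret"` would exercise the real case. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.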
@@ -0,0 +1,536 @@ +suite: CoreDeployment + +tests: + - it: PodLabels + set: + core: + podLabels: + test.label: test-label + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.metadata.labels["test.label"] + value: test-label + + - it: PodAnnotations + set: + core: + podAnnotations: + test.annotation: test-annotation + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.metadata.annotations["test.annotation"] + value: test-annotation + + - it: NoReplicas + set: + core: + replicas: 0 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.replicas + value: 0 + + - it: MultipleReplicas + set: + core: + replicas: 2 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.replicas + value: 2 + + - it: ServiceAccounts + set: + core: + serviceAccountName: testServiceAccount + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: testServiceAccount + + - it: ImagePullSecrets + set: + imagePullSecrets: + - name: test-secret-1 + - name: test-secret-2 + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.imagePullSecrets + count: 2 + - equal: + path: spec.template.spec.imagePullSecrets + value: + - name: test-secret-1 + - name: test-secret-2 + + - it: TopologySpreadConstraints + set: + core: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.topologySpreadConstraints + count: 1 + - contains: + path: spec.template.spec.topologySpreadConstraints + content: + labelSelector: + matchLabels: + app: harbor + component: core + release: RELEASE-NAME + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + + - it: InitContainers + set: + core: + initContainers: + - name: test + 
image: busybox + command: ["sh", "-c", "sleep 20"] + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.initContainers + count: 1 + - equal: + path: spec.template.spec.initContainers + value: + - name: test + image: busybox + command: + - sh + - "-c" + - sleep 20 + + - it: ContainerImage + set: + core: + image: + repository: test-repository/test-image + tag: 1.0.0 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: test-repository/test-image:1.0.0 + + - it: StartupProbe + set: + core: + startupProbe: + enabled: true + initialDelaySeconds: 10 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.path + value: /api/v2.0/ping + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.scheme + value: HTTP + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.port + value: 8080 + - equal: + path: spec.template.spec.containers[0].startupProbe.failureThreshold + value: 360 + - equal: + path: spec.template.spec.containers[0].startupProbe.initialDelaySeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].startupProbe.periodSeconds + value: 10 + + - it: StartupProbeInternalTLS + set: + core: + startupProbe: + enabled: true + initialDelaySeconds: 10 + internalTLS: + enabled: true + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.path + value: /api/v2.0/ping + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.scheme + value: HTTPS + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.port + value: 8443 + - equal: + path: spec.template.spec.containers[0].startupProbe.failureThreshold + value: 360 + - equal: + path: spec.template.spec.containers[0].startupProbe.initialDelaySeconds + value: 10 + - equal: + path: 
spec.template.spec.containers[0].startupProbe.periodSeconds + value: 10 + + - it: ExistingSecretAdminPassword + set: + existingSecretAdminPassword: HARBOR_ADMIN_PASSWORD + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: HARBOR_ADMIN_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: HARBOR_ADMIN_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: HARBOR_ADMIN_PASSWORD + + - it: InternalTLS + set: + internalTLS: + enabled: true + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 6 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: INTERNAL_TLS_ENABLED + - equal: + path: spec.template.spec.containers[0].env[2].value + value: "true" + - equal: + path: spec.template.spec.containers[0].env[3].name + value: INTERNAL_TLS_KEY_PATH + - equal: + path: spec.template.spec.containers[0].env[3].value + value: /etc/harbor/ssl/core/tls.key + - equal: + path: spec.template.spec.containers[0].env[4].name + value: INTERNAL_TLS_CERT_PATH + - equal: + path: spec.template.spec.containers[0].env[4].value + value: /etc/harbor/ssl/core/tls.crt + - equal: + path: spec.template.spec.containers[0].env[5].name + value: INTERNAL_TLS_TRUST_CA_PATH + - equal: + path: spec.template.spec.containers[0].env[5].value + value: /etc/harbor/ssl/core/ca.crt + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].name + value: core-internal-certs + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].mountPath + value: /etc/harbor/ssl/core + + - it: DBCredentials + set: + database: + external: + existingSecret: db-secret-name + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + 
count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: POSTGRESQL_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: db-secret-name + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: password + + - it: RegistryCredentials + set: + registry: + credentials: + existingSecret: registry-secret-name + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: REGISTRY_CREDENTIAL_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: registry-secret-name + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: REGISTRY_PASSWD + + - it: XsrfCredentials + set: + core: + existingXsrfSecret: xsrf-secret-name + existingXsrfSecretKey: xsrf-secret-key + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: CSRF_KEY + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: xsrf-secret-name + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: xsrf-secret-key + + - it: ExtraEnvVars + set: + core: + extraEnvVars: + - name: ENVVAR_NAME + value: envvar_value + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: ENVVAR_NAME + - equal: + path: spec.template.spec.containers[0].env[2].value + value: envvar_value + + - it: MultipleExtraEnvVars + set: + core: + extraEnvVars: + - name: ENVVAR_NAME_1 + value: envvar_value_1 + - name: ENVVAR_NAME_2 + value: envvar_value_2 + template: 
templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 4 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: ENVVAR_NAME_1 + - equal: + path: spec.template.spec.containers[0].env[2].value + value: envvar_value_1 + - equal: + path: spec.template.spec.containers[0].env[3].name + value: ENVVAR_NAME_2 + - equal: + path: spec.template.spec.containers[0].env[3].value + value: envvar_value_2 + + - it: ContainerSecurityContext + set: + containerSecurityContext: + privileged: true + allowPrivilegeEscalation: true + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + capabilities: + drop: + - All + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.privileged + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.seccompProfile.type + value: RuntimeDefault + - equal: + path: spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.capabilities.drop[0] + value: All + + - it: ExposeTLSEnabled + set: + expose: + tls: + enabled: true + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 5 + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].name + value: ca-download + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].mountPath + value: /etc/core/ca + + - it: UaaSecretName + set: + uaaSecretName: uaa-secret-name + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 6 + - lengthEqual: + path: spec.template.spec.volumes + count: 6 + - equal: + path: spec.template.spec.volumes[4].name + value: auth-ca-cert + - equal: + path: 
spec.template.spec.volumes[4].secret.secretName + value: uaa-secret-name + - equal: + path: spec.template.spec.volumes[4].secret.items[0].key + value: ca.crt + - equal: + path: spec.template.spec.volumes[4].secret.items[0].path + value: auth-ca.crt + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].mountPath + value: /etc/core/auth-ca/auth-ca.crt + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].subPath + value: auth-ca.crt + + - it: Resources + set: + core: + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 500Mi + cpu: 200m + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 100m + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 256Mi + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 200m + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 500Mi + + - it: CASecretName + set: + caSecretName: ca-secret-name + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 5 + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].name + value: ca-download + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].mountPath + value: /etc/core/ca + - equal: + path: spec.template.spec.volumes[3].name + value: ca-download + - equal: + path: spec.template.spec.volumes[3].secret.secretName + value: ca-secret-name + + - it: NodeSelector + set: + core: + nodeSelector: + node.selector/tier: test-node-selector + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector["node.selector/tier"] + value: test-node-selector + + - it: Affinity + set: + core: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: test-affinity + operator: In + 
values: + - S1 + topologyKey: topology.kubernetes.io/zone + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key + value: test-affinity + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator + value: In + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values[0] + value: S1 + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey + value: topology.kubernetes.io/zone + + - it: Tolerations + set: + core: + tolerations: + - effect: NoSchedule + key: test-label + value: test + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.tolerations[0].effect + value: NoSchedule + - equal: + path: spec.template.spec.tolerations[0].key + value: test-label + - equal: + path: spec.template.spec.tolerations[0].value + value: test + + - it: PriorityClassName + set: + core: + priorityClassName: test-priority + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: test-priority diff --git a/test/unittest/core_job_test.yaml b/test/unittest/core_job_test.yaml new file mode 100644 index 000000000..0f060fea5 --- /dev/null +++ b/test/unittest/core_job_test.yaml 
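Review bot: In `ExistingSecretAdminPassword` the single value `HARBOR_ADMIN_PASSWORD` serves as the secret name, the expected `secretKeyRef.name` and the expected `secretKeyRef.key`, so the test still passes if the template swaps name and key; setting `existingSecretAdminPassword: admin-secret-name` and asserting `secretKeyRef.name` equals that while `secretKeyRef.key` stays `HARBOR_ADMIN_PASSWORD` makes the assertion meaningful. The `DBCredentials` and `RegistryCredentials` tests already use distinct values for the two fields, so this is also a consistency fix within the file.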
@@ -0,0 +1,198 @@ +suite: CoreJob + +tests: + - it: JobDefault + set: + enableMigrateHelmHook: true + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + - it: ServiceAccount + set: + enableMigrateHelmHook: true + core: + serviceAccountName: test-service-account + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.serviceAccountName + value: test-service-account + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + - it: NodeSelector + set: + enableMigrateHelmHook: true + core: + nodeSelector: + node.selector/tier: test-node-selector + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector["node.selector/tier"] + value: test-node-selector + - lengthEqual: + path: spec.template.spec.containers + count: 
1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + + - it: Affinity + set: + enableMigrateHelmHook: true + core: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: test-affinity + operator: In + values: + - S1 + topologyKey: topology.kubernetes.io/zone + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key + value: test-affinity + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator + value: In + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values[0] + value: S1 + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey + value: topology.kubernetes.io/zone + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: 
spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + + - it: Tolerations + set: + enableMigrateHelmHook: true + core: + tolerations: + - effect: NoSchedule + key: test-label + value: test + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - equal: + path: spec.template.spec.tolerations[0].effect + value: NoSchedule + - equal: + path: spec.template.spec.tolerations[0].key + value: test-label + - equal: + path: spec.template.spec.tolerations[0].value + value: test + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] \ No newline at end of file diff --git a/test/unittest/core_secret_test.yaml b/test/unittest/core_secret_test.yaml new file mode 100644 index 000000000..4f08c1e61 --- /dev/null +++ b/test/unittest/core_secret_test.yaml 
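Review bot: The same seven invariants (container and volume counts, `metadata.name`, container name, volume and mount names, `command`) are copied into all five tests, so a change to any of them has to be edited in five places and the intent of each test is buried under the shared block. Keeping those checks in `JobDefault` only and limiting `ServiceAccount`, `NodeSelector`, `Affinity` and `Tolerations` to the field each one sets would make the suite easier to maintain and failures easier to read. The file ends without a trailing newline, as the `\ No newline at end of file` marker shows.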
@@ -0,0 +1,97 @@ +suite: CoreSecret + +tests: + - it: Secret + set: + secretKey: test-secret + harborAdminPassword: test-admin-password + registry: + credentials: + password: test-registry-secret + core: + secret: test-secret-defined + xsrfKey: xsrf-key + configureUserSettings: "{\"test\": \"test\"}" + template: templates/core/core-secret.yaml + asserts: + - equal: + path: data.secretKey + value: "dGVzdC1zZWNyZXQ=" + - equal: + path: data.secret + value: "dGVzdC1zZWNyZXQtZGVmaW5lZA==" + - exists: + path: data["tls.key"] + - exists: + path: data["tls.crt"] + - equal: + path: data.HARBOR_ADMIN_PASSWORD + value: "dGVzdC1hZG1pbi1wYXNzd29yZA==" + - equal: + path: data.CONFIG_OVERWRITE_JSON + value: "eyJ0ZXN0IjogInRlc3QifQ==" + + - it: ExistingSecretSecretKey + set: + existingSecretSecretKey: test-secret + template: templates/core/core-secret.yaml + asserts: + - notExists: + path: data.secretKey + + - it: ExistingCoreSecret + set: + core: + existingSecret: test-secret + template: templates/core/core-secret.yaml + asserts: + - notExists: + path: data.secret + + - it: ExistingTLSSecret + set: + core: + secretName: test-secret + template: templates/core/core-secret.yaml + asserts: + - notExists: + path: data["tls.key"] + - notExists: + path: data["tls.crt"] + + - it: ExistingAdminSecret + set: + existingSecretAdminPassword: test-password + template: templates/core/core-secret.yaml + asserts: + - notExists: + path: data.HARBOR_ADMIN_PASSWORD + + - it: ExistingExternalDBSecret + set: + database: + external: + existingSecret: test-db-secret + template: templates/core/core-secret.yaml + asserts: + - notExists: + path: data.POSTGRESQL_PASSWORD + + - it: ExistingRegistrySecret + set: + registry: + credentials: + existingSecret: test-registry-secret + template: templates/core/core-secret.yaml + asserts: + - notExists: + path: data.REGISTRY_CREDENTIAL_PASSWORD + + - it: ExistingRegistrySecret + set: + core: + existingXsrfSecret: test-xsrf-secret + template: 
templates/core/core-secret.yaml + asserts: + - notExists: + path: data.CSRF_KEY \ No newline at end of file diff --git a/test/unittest/core_svc_test.yaml b/test/unittest/core_svc_test.yaml new file mode 100644 index 000000000..21fa842df --- /dev/null +++ b/test/unittest/core_svc_test.yaml @@ -0,0 +1,84 @@ +suite: CoreSvc + +tests: + - it: Annotation + set: + core: + serviceAnnotations: + test.annotation: test-annotation + template: templates/core/core-svc.yaml + asserts: + - equal: + path: metadata.annotations["test.annotation"] + value: test-annotation + + - it: TypeGce + set: + expose: + ingress: + controller: gce + template: templates/core/core-svc.yaml + asserts: + - equal: + path: spec.type + value: NodePort + + - it: TypeAlb + set: + expose: + ingress: + controller: alb + template: templates/core/core-svc.yaml + asserts: + - equal: + path: spec.type + value: NodePort + + - it: TypeF5 + set: + expose: + ingress: + controller: f5-bigip + template: templates/core/core-svc.yaml + asserts: + - equal: + path: spec.type + value: NodePort + + - it: NotType + template: templates/core/core-svc.yaml + asserts: + - notExists: + path: spec.type + + - it: InternalTLSEnabled + set: + internalTLS: + enabled: true + template: templates/core/core-svc.yaml + asserts: + - equal: + path: spec.ports[0].name + value: https-web + + - it: InternalTLSDisabled + set: + internalTLS: + enabled: false + template: templates/core/core-svc.yaml + asserts: + - equal: + path: spec.ports[0].name + value: http-web + + - it: ExposeMetricsPort + set: + metrics: + enabled: true + core: + port: 1111 + template: templates/core/core-svc.yaml + asserts: + - equal: + path: spec.ports[1].port + value: 1111 \ No newline at end of file diff --git a/test/unittest/core_tls_test.yaml b/test/unittest/core_tls_test.yaml new file mode 100644 index 000000000..72907e23a --- /dev/null +++ b/test/unittest/core_tls_test.yaml 
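Review bot: The last two cases in this suite are both named `ExistingRegistrySecret`, yet the second one sets `core.existingXsrfSecret` and asserts on `data.CSRF_KEY`; helm-unittest reports results by the `it:` name, so a failure in one case is indistinguishable from the other. Rename the second to `- it: ExistingXsrfSecret`. The `ExistingExternalDBSecret` case sets only `database.external.existingSecret` without `database.type: external`; if the template keys the `POSTGRESQL_PASSWORD` entry on the database type, the `notExists` assertion passes for the wrong reason, so either add `type: external` to that `set:` block or add a comment stating why it is not needed.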
@@ -0,0 +1,38 @@ +suite: CoreTls + +tests: + - it: TLSExists + set: + trivy: + enabled: false + internalTLS: + enabled: true + trustCa: testCa + certSource: manual + core: + crt: testCrt + key: testKey + registry: + crt: testCrt + key: testKey + portal: + crt: testCrt + key: testKey + jobservice: + crt: testCrt + key: testKey + template: templates/core/core-tls.yaml + asserts: + - exists: + path: metadata.name + - exists: + path: apiVersion + - equal: + path: data["ca.crt"] + value: "dGVzdENh" + - equal: + path: data["tls.crt"] + value: "dGVzdENydA==" + - equal: + path: data["tls.key"] + value: "dGVzdEtleQ==" diff --git a/test/unittest/trivy_stateful_set_test.go b/test/unittest/trivy_stateful_set_test.go deleted file mode 100644 index c8efa9be8..000000000 --- a/test/unittest/trivy_stateful_set_test.go +++ /dev/null 
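Review bot: The `TLSExists` case disables Trivy (`trivy.enabled: false`) while supplying manual certificates for core, registry, portal and jobservice, but nothing records why Trivy has to be off for this template to render, so a reader cannot tell whether that line is load-bearing. Add a comment above it along the lines of `# trivy is disabled so that certSource: manual does not also require trivy crt/key` (wording to be confirmed against the helper the template uses). The asserts only check that `metadata.name` and `apiVersion` exist; asserting their actual values would also catch a renamed secret, which matters if other components reference this secret by name.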
@@ -1,171 +0,0 @@ -package unittest - -import ( - "os" - "testing" - - "github.com/gruntwork-io/terratest/modules/helm" - "github.com/gruntwork-io/terratest/modules/logger" - "github.com/stretchr/testify/suite" - appsV1 "k8s.io/api/apps/v1" -) - -type TrivyStatefulSetTestSuite struct { - suite.Suite -} - -func (suite *TrivyStatefulSetTestSuite) render(values map[string]string) *appsV1.StatefulSet { - helmChartPath := "../../" - - options := &helm.Options{ - SetValues: values, - } - - debug := os.Getenv("debug") - if debug != "true" { - options.Logger = logger.Discard - } - - output := helm.RenderTemplate(suite.T(), options, helmChartPath, "harbor", []string{"templates/trivy/trivy-sts.yaml"}) - - var ss appsV1.StatefulSet - helm.UnmarshalK8SYaml(suite.T(), output, &ss) - - return &ss -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceDisabled() { - values := map[string]string{ - "persistence.enabled": "false", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].EmptyDir) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceEnabled() { - values := map[string]string{ - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 0) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) -} - -func (suite *TrivyStatefulSetTestSuite) TestExistingClaim() { - values := map[string]string{ - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim) - suite.Equal("trivy-data", ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) 
TestInternalTLSEnabled() { - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func (suite *TrivyStatefulSetTestSuite) TestCustomCA() { - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := 
map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func TestTrivyStatefulSetTestSuite(t *testing.T) { - suite.Run(t, &TrivyStatefulSetTestSuite{}) -} diff --git a/test/unittest/trivy_statefulset_test.yaml b/test/unittest/trivy_statefulset_test.yaml new file mode 100644 index 000000000..195c3b4e7 --- /dev/null +++ b/test/unittest/trivy_statefulset_test.yaml 
@@ -0,0 +1,97 @@ +suite: TrivyStatefulSet + +tests: + - it: PersistenceDisabled + set: + persistence: + enabled: false + persistentVolumeClaim: + trivy: + existingClaim: trivy-data + template: templates/trivy/trivy-sts.yaml + asserts: + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - notExists: + path: spec.volumeClaimTemplates + - exists: + path: spec.template.spec.volumes[0].emptyDir + + - it: PersistenceEnabled + set: + persistence: + enabled: true + template: templates/trivy/trivy-sts.yaml + asserts: + - notExists: + path: spec.template.spec.volumes + - lengthEqual: + path: spec.volumeClaimTemplates + count: 1 + + - it: ExistingClaim + set: + persistence: + enabled: true + persistentVolumeClaim: + trivy: + existingClaim: trivy-data + template: templates/trivy/trivy-sts.yaml + asserts: + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - notExists: + path: spec.volumeClaimTemplates + - exists: + path: spec.template.spec.volumes[0].persistentVolumeClaim + - equal: + path: spec.template.spec.volumes[0].persistentVolumeClaim.claimName + value: trivy-data + + - it: InternalTLSEnabledWithoutPersistence + set: + internalTLS: + enabled: true + persistence: + enabled: false + template: templates/trivy/trivy-sts.yaml + asserts: + - lengthEqual: + path: spec.template.spec.volumes + count: 2 + - notExists: + path: spec.volumeClaimTemplates + + - it: InternalTLSEnabledWithPersistence + set: + internalTLS: + enabled: true + persistence: + enabled: true + template: templates/trivy/trivy-sts.yaml + asserts: + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + + - it: InternalTLSEnabledWithPersistenceExistigClaim + set: + internalTLS: + enabled: true + persistence: + enabled: true + persistentVolumeClaim: + trivy: + existingClaim: trivy-data + template: templates/trivy/trivy-sts.yaml + asserts: + - lengthEqual: + path: spec.template.spec.volumes + count: 2 + - notExists: + 
path: spec.volumeClaimTemplates \ No newline at end of file diff --git a/values.yaml b/values.yaml index 1bf1437b4..1d222799f 100644 --- a/values.yaml +++ b/values.yaml @@ -173,14 +173,14 @@ persistence: annotations: {} # Define which storage backend is used for registry to store # images and charts. Refer to - # https://github.com/distribution/distribution/blob/main/docs/content/about/configuration.md#storage + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#storage # for the detail. imageChartStorage: # Specify whether to disable `redirect` for images and chart storage, for # backends which not supported it (such as using minio for `s3` storage type), please disable # it. To disable redirects, simply set `disableredirect` to `true` instead. # Refer to - # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#redirect # for the detail. disableredirect: false # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. @@ -575,6 +575,13 @@ portal: serviceAnnotations: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # Horizontal Pod Autoscaler autoscaling: @@ -644,6 +651,13 @@ core: serviceAnnotations: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] ## User settings configuration json string configureUserSettings: # The provider for updating project quota(usage), there are 2 options, redis or db. 
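Review bot: In `InternalTLSEnabledWithPersistence` the second assertion repeats the first (`lengthEqual` on `spec.template.spec.volumes` with `count: 1`), so the case never checks the volume-claim template; the Go test it replaces (`TestInternalTLSEnabled`, second block) asserted that `VolumeClaimTemplates` has length 1. Change the second assertion's path to `path: spec.volumeClaimTemplates` and keep `count: 1`. The port also drops the deleted `TestCustomCA` cases, which covered `caBundleSecretName` with and without internal TLS and persistence (expected volume counts 2, 3, 3, 1, 2 in the Go file), so that coverage is lost unless it exists in another suite. The name `InternalTLSEnabledWithPersistenceExistigClaim` has a typo; it should read `ExistingClaim`.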
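Review bot: The new `initContainers` comment reads `containers to be run before the controller's container starts`, but this block sits under `portal`, and the same wording is copied verbatim into the `core`, `jobservice`, `registry`, `trivy`, `database` and `redis` hunks, where there is no controller either; name the pod that is meant, e.g. `# Init containers to run before the portal container starts.` (with the component name adjusted per hunk). The example in each of these hunks uses an untagged `image: busybox`; because users copy examples straight into production values, pin a tag or digest in the example (`image: busybox:<tag>`) so the documented pattern does not resolve to a mutable `latest`.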
@@ -749,6 +763,13 @@ jobservice: podLabels: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] maxJobWorkers: 10 # The logger for jobs: "file", "database" or "stdout" jobLoggers: @@ -846,9 +867,16 @@ registry: podLabels: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # Secret is used to secure the upload state from client # and registry storage backend. - # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # See: https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#http # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. secret: "" @@ -955,6 +983,13 @@ trivy: podLabels: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # debugMode the flag to enable Trivy debug mode with more verbose scanning log debugMode: false # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. 
@@ -999,7 +1034,7 @@ trivy: # It would work if all the dependencies are in local. # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. offlineScan: false - # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + # Comma-separated list of what security issues to detect. Defaults to `vuln`. securityCheck: "vuln" # The duration to wait for scan completion timeout: 5m0s @@ -1064,6 +1099,13 @@ database: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + extrInitContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # The initial superuser password for internal database password: "changeit" # The size limit for Shared memory, pgSQL use it for shared_buffer @@ -1131,6 +1173,13 @@ redis: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # # jobserviceDatabaseIndex defaults to "1" # # registryDatabaseIndex defaults to "2" # # trivyAdapterIndex defaults to "5"
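Review bot: The reworded `securityCheck` comment drops the list of accepted values (`vuln`, `config`, `secret`) without saying what replaces it, so a user now has only the default to go on. If the list was removed because some of those options are no longer supported by the scanner, say so in the comment; otherwise restore the enumeration or point to where the accepted values are documented.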
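Review bot: The `database` hunk introduces the key as `extrInitContainers` while every other component in this change uses `initContainers`, and the comment above it is the same generic `containers to be run before the controller's container starts`; a user will naturally write `initContainers` under `database` and have it silently ignored, since Helm does not reject unknown value keys. If the different name is deliberate because the database pod already defines its own init containers, a comment saying so, e.g. `# Additional init containers, run after the chart's own database init container.`, would prevent that mistake; otherwise rename the key to `initContainers` to match the other components.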