From 045758056e9e84660c5afd9cc79d7f5acdb251bf Mon Sep 17 00:00:00 2001 From: tanner Date: Mon, 27 Feb 2023 14:45:49 +0900 Subject: [PATCH 01/13] feat: add init containers Signed-off-by: Taehyun Kim --- README.md | 4 ++++ templates/core/core-dpl.yaml | 4 ++++ templates/jobservice/jobservice-dpl.yaml | 4 ++++ templates/portal/deployment.yaml | 4 ++++ templates/registry/registry-dpl.yaml | 4 ++++ values.yaml | 28 ++++++++++++++++++++++++ 6 files changed, 48 insertions(+) diff --git a/README.md b/README.md index c21764a86..38c108952 100644 --- a/README.md +++ b/README.md @@ -215,6 +215,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `portal.affinity` | Node/Pod affinities | `{}` | | `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | | `portal.priorityClassName` | The priority class to run the pod as | | +| `portal.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | **Core** | | | | `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | | `core.image.tag` | Tag for Harbor core image | `dev` | @@ -226,6 +227,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `core.nodeSelector` | Node labels for pod assignment | `{}` | | `core.tolerations` | Tolerations for pod assignment | `[]` | | `core.affinity` | Node/Pod affinities | `{}` | +| `core.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | `core.podAnnotations` | Annotations to add to the core pod | `{}` | | `core.serviceAnnotations` | Annotations to add to the core service | `{}` | | `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | 
@@ -251,6 +253,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `jobservice.affinity` | Node/Pod affinities | `{}` | | `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | | `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | | **Registry** | | | | `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | @@ -278,6 +281,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | | `registry.upload_purging.interval` | The interval of the purge operations | `24h` | | `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` | | **[Trivy][trivy]** | | | | `trivy.enabled` | The flag to enable Trivy scanner | `true` | | `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 2ca8b0c5e..fb630c09f 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml 
@@ -42,6 +42,10 @@ spec: {{- end }} automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} terminationGracePeriodSeconds: 120 + {{- with .Values.core.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: core image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index 32df454b1..8c461a82c 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -48,6 +48,10 @@ spec: {{- end }} automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} terminationGracePeriodSeconds: 120 + {{- with .Values.jobservice.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: jobservice image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index 934dc566b..7f1e62f59 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml @@ -38,6 +38,10 @@ spec: serviceAccountName: {{ .Values.portal.serviceAccountName }} {{- end }} automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} + {{- with .Values.portal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: portal image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 118a165d4..09224b545 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml 
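Review bot: The new `initContainers` block in `core-dpl.yaml` renders `.Values.core.initContainers` verbatim, so each entry runs with whatever image, `securityContext` and volume mounts the values file gives it. Because `automountServiceAccountToken` on the context line just above is pod-level, an init container also gets the service account token whenever that value is enabled. Nothing in the hunk says so; I would add a template comment above the block, for example `{{- /* initContainers are rendered as given: set securityContext, resources and a pinned image on every entry */}}`. The same applies to the identical blocks added in `jobservice-dpl.yaml`, `portal/deployment.yaml` and `registry-dpl.yaml`. The pod spec starts and ends outside these hunks, so whether a pod-level `securityContext` already covers init containers cannot be confirmed from here.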
@@ -51,6 +51,10 @@ spec: {{- end }} automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} terminationGracePeriodSeconds: 120 + {{- with .Values.registry.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: registry image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} diff --git a/values.yaml b/values.yaml index 06c7a4f6a..86655c3a5 100644 --- a/values.yaml +++ b/values.yaml @@ -440,6 +440,13 @@ portal: podAnnotations: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] core: image: @@ -464,6 +471,13 @@ core: affinity: {} ## Additional deployment annotations podAnnotations: {} + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] ## Additional service annotations serviceAnnotations: {} # Secret is used when core server communicates with other components. @@ -528,6 +542,13 @@ jobservice: secret: "" ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] registry: # set the service account to be used, default if left empty @@ -594,6 +615,13 @@ registry: # the interval of the purge operations interval: 24h dryrun: false + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] trivy: # enabled the flag to enable Trivy scanner From c22a09852e2195c8494fc522393a1780bfda22a2 Mon Sep 17 00:00:00 2001 
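Review bot: The commented example under `portal.initContainers` uses `image: busybox` with no tag or digest, which resolves to the mutable `latest` tag, and examples in values.yaml tend to be copied as they stand. I would pin it, e.g. `#   image: busybox:<pinned-tag>` (placeholder), and show a minimal `securityContext` on the example entry. The comment line also says "the controller's container", which does not match the component it sits under; `# init containers to run before the portal container starts` reads correctly. The same example and wording repeat in the `core`, `jobservice` and `registry` hunks of this file.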
From: Shengwen Yu Date: Mon, 22 Apr 2024 18:46:23 +0800 Subject: [PATCH 02/13] feat: update images and tags for FC testing Signed-off-by: Shengwen Yu --- Chart.yaml | 4 ++-- values.yaml | 40 ++++++++++++++++++++-------------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 59edf1fcd..3daffb820 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: harbor -version: 1.4.0-dev -appVersion: dev +version: 1.15.0 +appVersion: 2.11.0-fc description: An open source trusted cloud native registry that stores, signs, and scans content keywords: - docker diff --git a/values.yaml b/values.yaml index 505d755aa..05fb7b151 100644 --- a/values.yaml +++ b/values.yaml @@ -482,8 +482,8 @@ containerSecurityContext: # If service exposed via "ingress", the Nginx will not be used nginx: image: - repository: goharbor/nginx-photon - tag: dev + repository: zigzag18/nginx-photon + tag: v2.11.0-build.2621 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -513,8 +513,8 @@ nginx: portal: image: - repository: goharbor/harbor-portal - tag: dev + repository: zigzag18/harbor-portal + tag: v2.11.0-build.2621 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -546,8 +546,8 @@ portal: core: image: - repository: goharbor/harbor-core - tag: dev + repository: zigzag18/harbor-core + tag: v2.11.0-build.2621 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -626,8 +626,8 @@ core: jobservice: image: - repository: goharbor/harbor-jobservice - tag: dev + repository: zigzag18/harbor-jobservice + tag: v2.11.0-build.2621 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token 
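Review bot: The default `image.repository` for `nginx` in this values.yaml hunk now points at the `zigzag18/` namespace instead of `goharbor/`, so anyone installing the chart with defaults pulls the component from that account, and by tag rather than by digest. If this is only meant for FC testing, as the subject says, it would be safer to leave the chart defaults on `goharbor/` and carry the test images in a separate values override file, or at least pin them by digest. The same change is made for `portal`, `core`, `jobservice`, `registry`, the registry `controller`, `trivy`, `database`, `redis` and `exporter` in the following hunks. Patch 03 in this series restores the `goharbor/` repositories and `dev` tags, but it does so inside an otherwise unrelated label fix, which is easy to miss if the patches are picked individually.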
@@ -682,8 +682,8 @@ jobservice: registry: registry: image: - repository: goharbor/registry-photon - tag: dev + repository: zigzag18/registry-photon + tag: v2.11.0-build.2621 # resources: # requests: # memory: 256Mi @@ -691,8 +691,8 @@ registry: extraEnvVars: [] controller: image: - repository: goharbor/harbor-registryctl - tag: dev + repository: zigzag18/harbor-registryctl + tag: v2.11.0-build.2621 # resources: # requests: # memory: 256Mi @@ -764,9 +764,9 @@ trivy: enabled: true image: # repository the repository for Trivy adapter image - repository: goharbor/trivy-adapter-photon + repository: zigzag18/trivy-adapter-photon # tag the tag for Trivy adapter image - tag: dev + tag: v2.11.0-build.2621 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -851,8 +851,8 @@ database: type: internal internal: image: - repository: goharbor/harbor-db - tag: dev + repository: zigzag18/harbor-db + tag: v2.11.0-build.2621 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -924,8 +924,8 @@ redis: type: internal internal: image: - repository: goharbor/redis-photon - tag: dev + repository: zigzag18/redis-photon + tag: v2.11.0-build.2621 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -979,8 +979,8 @@ redis: exporter: image: - repository: goharbor/harbor-exporter - tag: dev + repository: zigzag18/harbor-exporter + tag: v2.11.0-build.2621 serviceAccountName: "" # mount the service account token automountServiceAccountToken: false From 509eda8bfa57003c5588183841da269ddff85901 Mon Sep 17 00:00:00 2001 From: Shengwen Yu Date: Wed, 24 Apr 2024 08:51:14 +0000 Subject: [PATCH 03/13] fix: add "harbor.legacy.labels" to resolve the upgrade issue 1747 
Signed-off-by: Shengwen Yu --- Chart.yaml | 4 +-- templates/_helpers.tpl | 11 ++++++-- templates/database/database-ss.yaml | 2 +- templates/redis/statefulset.yaml | 2 +- templates/trivy/trivy-sts.yaml | 2 +- values.yaml | 40 ++++++++++++++--------------- 6 files changed, 34 insertions(+), 27 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 3daffb820..59edf1fcd 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: harbor -version: 1.15.0 -appVersion: 2.11.0-fc +version: 1.4.0-dev +appVersion: dev description: An open source trusted cloud native registry that stores, signs, and scans content keywords: - docker diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 0914d5684..f6249b399 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -25,13 +25,20 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} +{{/* Helm required labels: legacy */}} +{{- define "harbor.legacy.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + {{/* Helm required labels */}} {{- define "harbor.labels" -}} heritage: {{ .Release.Service }} release: {{ .Release.Name }} chart: {{ .Chart.Name }} app: "{{ template "harbor.name" . }}" -{{ include "harbor.matchLabels" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/name: {{ include "harbor.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -571,4 +578,4 @@ app: "{{ template "harbor.name" . }}" {{/* Allow KubeVersion to be overridden. */}} {{- define "harbor.ingress.kubeVersion" -}} {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index dc6f962e1..8cf9cd928 100644 --- a/templates/database/database-ss.yaml 
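Review bot: In `_helpers.tpl`, `harbor.legacy.labels` repeats the first four lines of `harbor.labels` word for word, and its comment, `Helm required labels: legacy`, does not say why a second set exists or that it has to stay frozen. I would have `harbor.labels` begin with `{{ include "harbor.legacy.labels" . }}` so the two cannot drift, and expand the comment to something like `{{/* Legacy label set kept for StatefulSet volume claim labels; changing it breaks upgrades of existing releases */}}`. The volume-claim reading is inferred from the `database-ss.yaml`, `redis/statefulset.yaml` and `trivy-sts.yaml` hunks that switch to this helper. The hunk also drops `{{ include "harbor.matchLabels" . }}` from `harbor.labels` without mention in the subject; it is worth confirming that no selector or policy depends on those labels being present on every object.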
+++ b/templates/database/database-ss.yaml @@ -138,7 +138,7 @@ spec: - metadata: name: "database-data" labels: -{{ include "harbor.labels" . | indent 8 }} +{{ include "harbor.legacy.labels" . | indent 8 }} annotations: {{- range $key, $value := $database.annotations }} {{ $key }}: {{ $value | quote }} diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index 9573f9ad6..ed8f705a7 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -100,7 +100,7 @@ spec: - metadata: name: data labels: -{{ include "harbor.labels" . | indent 8 }} +{{ include "harbor.legacy.labels" . | indent 8 }} annotations: {{- range $key, $value := $redis.annotations }} {{ $key }}: {{ $value | quote }} diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index ddaa4c908..b554b5db8 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml @@ -205,7 +205,7 @@ spec: - metadata: name: data labels: -{{ include "harbor.labels" . | indent 8 }} +{{ include "harbor.legacy.labels" . | indent 8 }} annotations: {{- range $key, $value := $trivy.annotations }} {{ $key }}: {{ $value | quote }} diff --git a/values.yaml b/values.yaml index 05fb7b151..505d755aa 100644 --- a/values.yaml +++ b/values.yaml @@ -482,8 +482,8 @@ containerSecurityContext: # If service exposed via "ingress", the Nginx will not be used nginx: image: - repository: zigzag18/nginx-photon - tag: v2.11.0-build.2621 + repository: goharbor/nginx-photon + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -513,8 +513,8 @@ nginx: portal: image: - repository: zigzag18/harbor-portal - tag: v2.11.0-build.2621 + repository: goharbor/harbor-portal + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token 
@@ -546,8 +546,8 @@ portal: core: image: - repository: zigzag18/harbor-core - tag: v2.11.0-build.2621 + repository: goharbor/harbor-core + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -626,8 +626,8 @@ core: jobservice: image: - repository: zigzag18/harbor-jobservice - tag: v2.11.0-build.2621 + repository: goharbor/harbor-jobservice + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -682,8 +682,8 @@ jobservice: registry: registry: image: - repository: zigzag18/registry-photon - tag: v2.11.0-build.2621 + repository: goharbor/registry-photon + tag: dev # resources: # requests: # memory: 256Mi @@ -691,8 +691,8 @@ registry: extraEnvVars: [] controller: image: - repository: zigzag18/harbor-registryctl - tag: v2.11.0-build.2621 + repository: goharbor/harbor-registryctl + tag: dev # resources: # requests: # memory: 256Mi @@ -764,9 +764,9 @@ trivy: enabled: true image: # repository the repository for Trivy adapter image - repository: zigzag18/trivy-adapter-photon + repository: goharbor/trivy-adapter-photon # tag the tag for Trivy adapter image - tag: v2.11.0-build.2621 + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -851,8 +851,8 @@ database: type: internal internal: image: - repository: zigzag18/harbor-db - tag: v2.11.0-build.2621 + repository: goharbor/harbor-db + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -924,8 +924,8 @@ redis: type: internal internal: image: - repository: zigzag18/redis-photon - tag: v2.11.0-build.2621 + repository: goharbor/redis-photon + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token 
@@ -979,8 +979,8 @@ redis: exporter: image: - repository: zigzag18/harbor-exporter - tag: v2.11.0-build.2621 + repository: goharbor/harbor-exporter + tag: dev serviceAccountName: "" # mount the service account token automountServiceAccountToken: false From e5c177c4e2f9c28229c92749191b3606cad46630 Mon Sep 17 00:00:00 2001 From: Taehyun Kim Date: Tue, 18 Jun 2024 15:09:44 +0900 Subject: [PATCH 04/13] feat: init containers for database, redis Signed-off-by: Taehyun Kim --- README.md | 2 ++ templates/database/database-ss.yaml | 3 +++ templates/redis/statefulset.yaml | 4 ++++ values.yaml | 14 ++++++++++++++ 4 files changed, 23 insertions(+) diff --git a/README.md b/README.md index b33d462ef..a78cfa670 100644 --- a/README.md +++ b/README.md @@ -329,6 +329,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `database.internal.priorityClassName` | The priority class to run the pod as | | | `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | | `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` | | `database.external.host` | The hostname of external database | `192.168.0.1` | | `database.external.port` | The port of external database | `5432` | | `database.external.username` | The username of external database | `user` | 
@@ -354,6 +355,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | | `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | | `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` | | `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | | `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | | `redis.external.coreDatabaseIndex` | The database index for core | `0` | diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index 8cf9cd928..71c5eb1e0 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -63,6 +63,9 @@ spec: - name: database-data mountPath: /var/lib/postgresql/data subPath: {{ $database.subPath }} + {{- with .Values.database.internal.extrInitContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} containers: - name: database image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index ed8f705a7..1d37fb184 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -41,6 +41,10 @@ spec: {{- end }} automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} terminationGracePeriodSeconds: 120 + {{- with .Values.redis.internal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: redis image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} 
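Review bot: The values key read in the `database-ss.yaml` hunk is spelled `extrInitContainers`, which looks like a typo for `extraInitContainers`, and once released the misspelling becomes part of the chart's values interface. Renaming it now in the template (`{{- with .Values.database.internal.extraInitContainers }}`), in README.md and in values.yaml is cheaper than deprecating it later. The values.yaml comment for the key also still reads "before the controller's container starts", copied from the other components. The `initContainers` list this block appends to begins outside the hunk, so the indentation of the appended entries against the existing ones cannot be checked here.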
diff --git a/values.yaml b/values.yaml index a74710d17..ec3e4c499 100644 --- a/values.yaml +++ b/values.yaml @@ -908,6 +908,13 @@ database: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + extrInitContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # The initial superuser password for internal database password: "changeit" # The size limit for Shared memory, pgSQL use it for shared_buffer @@ -975,6 +982,13 @@ redis: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # # jobserviceDatabaseIndex defaults to "1" # # registryDatabaseIndex defaults to "2" # # trivyAdapterIndex defaults to "5" From 1da7ed5a66edb279ebecb5ba8777441a01d1e50d Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Tue, 9 Jul 2024 17:32:41 +0200 Subject: [PATCH 05/13] Create unit tests for Core - Migrate `go test` to `helm unittest` - Migrate Trivy existing unit tests to `helm unittest` - Add unit tests for Core 
Signed-off-by: Carlos Vega --- .github/workflows/unittest.yaml | 18 +- test/unittest/core_configmap_test.yaml | 180 +++++++ test/unittest/core_deployment_test.yaml | 547 ++++++++++++++++++++++ test/unittest/core_job_test.yaml | 198 ++++++++ test/unittest/core_secret_test.yaml | 97 ++++ test/unittest/core_svc_test.yaml | 84 ++++ test/unittest/core_tls_test.yaml | 40 ++ test/unittest/trivy_stateful_set_test.go | 171 ------- test/unittest/trivy_statefulset_test.yaml | 97 ++++ 9 files changed, 1247 insertions(+), 185 deletions(-) create mode 100644 test/unittest/core_configmap_test.yaml create mode 100644 test/unittest/core_deployment_test.yaml create mode 100644 test/unittest/core_job_test.yaml create mode 100644 test/unittest/core_secret_test.yaml create mode 100644 test/unittest/core_svc_test.yaml create mode 100644 test/unittest/core_tls_test.yaml delete mode 100644 test/unittest/trivy_stateful_set_test.go create mode 100644 test/unittest/trivy_statefulset_test.yaml diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml index d9cf91e90..0c3e8100d 100644 --- a/.github/workflows/unittest.yaml +++ b/.github/workflows/unittest.yaml @@ -16,20 +16,10 @@ jobs: with: version: '3.11.1' - - name: Set up Go 1.19 - uses: actions/setup-go@v2 - with: - go-version: 1.19 - - - name: Cache go mod - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- + - name: Install Helm Unit Test Plugin + run: | + helm plugin install https://github.com/helm-unittest/helm-unittest --version v0.4.4 - name: Run unit tests - working-directory: ./test run: - go test -v github.com/goharbor/harbor-helm/unittest + helm unittest -f 'test/unittest/*.yaml' . diff --git a/test/unittest/core_configmap_test.yaml b/test/unittest/core_configmap_test.yaml new file mode 100644 index 000000000..5699425db --- /dev/null +++ b/test/unittest/core_configmap_test.yaml 
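Review bot: The new `Install Helm Unit Test Plugin` step in `unittest.yaml` fetches the plugin from GitHub by tag (`--version v0.4.4`), and a tag can be moved after the fact; any install hook the plugin defines then runs inside the CI job. Pinning to a commit instead of the tag, or checking the downloaded plugin against a known checksum before `helm unittest` runs, would make the job reproducible; whether `helm plugin install --version` accepts a commit reference should be confirmed against the Helm version configured above (`3.11.1`). The job definition starts outside the hunk, so the token permissions are not visible here; `permissions:` with `contents: read` is enough for this job if it is not already set.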
@@ -0,0 +1,180 @@ +suite: CoreConfigMap + +tests: + - it: witTrivy + set: + trivy: + enabled: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.WITH_TRIVY + value: "true" + + - it: RedisUrlHarborInternal + set: + redis: + internal: + harborDatabaseIndex: test-index + type: internal + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data._REDIS_URL_HARBOR + value: redis://RELEASE-NAME-harbor-redis:6379/test-index?idle_timeout_seconds=30 + + - it: RedisUrlHarborExternal + set: + redis: + external: + harborDatabaseIndex: test-index + type: external + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data._REDIS_URL_HARBOR + value: redis://192.168.0.2:6379/test-index?idle_timeout_seconds=30 + + - it: CacheLayerDatabaseIndex + set: + redis: + internal: + cacheLayerDatabaseIndex: test-index + type: internal + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data._REDIS_URL_CACHE_LAYER + value: redis://RELEASE-NAME-harbor-redis:6379/test-index?idle_timeout_seconds=30 + + - it: RegsitryCredentialUsername + set: + registry: + credentials: + username: test-username + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.REGISTRY_CREDENTIAL_USERNAME + value: test-username + + - it: UaaSecretName + set: + uaaSecretName: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.UAA_CA_ROOT + value: /etc/core/auth-ca/auth-ca.crt + + - it: MetricEnabled + set: + metrics: + enabled: true + core: + path: /customMetrics + port: 8080 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.METRIC_ENABLE + value: "true" + - equal: + path: data.METRIC_PATH + value: /customMetrics + - equal: + path: data.METRIC_PORT + value: "8080" + - equal: + path: data.METRIC_NAMESPACE + value: harbor + - equal: + path: data.METRIC_SUBSYSTEM + value: core + + - it: GcTimeWindowHours + set: + core: + gcTimeWindowHours: 2 + template: 
templates/core/core-cm.yaml + asserts: + - equal: + path: data.GC_TIME_WINDOW_HOURS + value: "2" + + - it: GcTimeWindowHours + set: + core: + artifactPullAsyncFlushDuration: 30 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.ARTIFACT_PULL_ASYNC_FLUSH_DURATION + value: "30" + + - it: GdprDeleteUser + set: + core: + gdpr: + deleteUser: true + auditLogsCompliant: false + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.GDPR_DELETE_USER + value: "true" + - notExists: + path: data.GDPR_AUDIT_LOGS + + - it: GdprAuditLogsCompliant + set: + core: + gdpr: + deleteUser: false + auditLogsCompliant: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.GDPR_AUDIT_LOGS + value: "true" + - notExists: + path: data.GDPR_DELETE_USER + + - it: GdprDeleteUserAuditLogsCompliant + set: + core: + gdpr: + deleteUser: true + auditLogsCompliant: true + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.GDPR_DELETE_USER + value: "true" + - equal: + path: data.GDPR_AUDIT_LOGS + value: "true" + + - it: CacheEnabled + set: + cache: + enabled: true + expireHours: 3 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.CACHE_ENABLED + value: "true" + - equal: + path: data.CACHE_EXPIRE_HOURS + value: "3" + + - it: CuotaUpdate + set: + core: + quotaUpdateProvider: 3 + template: templates/core/core-cm.yaml + asserts: + - equal: + path: data.QUOTA_UPDATE_PROVIDER + value: "3" \ No newline at end of file diff --git a/test/unittest/core_deployment_test.yaml b/test/unittest/core_deployment_test.yaml new file mode 100644 index 000000000..91c974196 --- /dev/null +++ b/test/unittest/core_deployment_test.yaml 
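Review bot: Two cases in `core_configmap_test.yaml` are both named `GcTimeWindowHours`; the second one sets `core.artifactPullAsyncFlushDuration` and asserts `data.ARTIFACT_PULL_ASYNC_FLUSH_DURATION`, so a failure report would point at the wrong setting. Rename it: `- it: ArtifactPullAsyncFlushDuration`. While there, `witTrivy`, `RegsitryCredentialUsername` and `CuotaUpdate` look like typos for `WithTrivy`, `RegistryCredentialUsername` and `QuotaUpdate`.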
@@ -0,0 +1,547 @@ +suite: CoreDeployment + +tests: + - it: PodLabels + set: + core: + podLabels: + test.label: test-label + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.metadata.labels["test.label"] + value: test-label + + - it: PodAnnotations + set: + core: + podAnnotations: + test.annotation: test-annotation + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.metadata.annotations["test.annotation"] + value: test-annotation + + - it: PodAnnotations + set: + core: + podAnnotations: + test.annotation: test-annotation + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.metadata.annotations["test.annotation"] + value: test-annotation + + - it: NoReplicas + set: + core: + replicas: 0 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.replicas + value: 0 + + - it: MultipleReplicas + set: + core: + replicas: 2 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.replicas + value: 2 + + - it: ServiceAccounts + set: + core: + serviceAccountName: testServiceAccount + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: testServiceAccount + + - it: ImagePullSecrets + set: + imagePullSecrets: + - name: test-secret-1 + - name: test-secret-2 + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.imagePullSecrets + count: 2 + - equal: + path: spec.template.spec.imagePullSecrets + value: + - name: test-secret-1 + - name: test-secret-2 + + - it: TopologySpreadConstraints + set: + core: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.topologySpreadConstraints + count: 1 + - contains: + path: spec.template.spec.topologySpreadConstraints + content: + labelSelector: 
+ matchLabels: + app: harbor + component: core + release: RELEASE-NAME + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + + - it: InitContainers + set: + core: + initContainers: + - name: test + image: busybox + command: ["sh", "-c", "sleep 20"] + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.initContainers + count: 1 + - equal: + path: spec.template.spec.initContainers + value: + - name: test + image: busybox + command: + - sh + - "-c" + - sleep 20 + + - it: ContainerImage + set: + core: + image: + repository: test-repository/test-image + tag: 1.0.0 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: test-repository/test-image:1.0.0 + + - it: StartupProbe + set: + core: + startupProbe: + enabled: true + initialDelaySeconds: 10 + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.path + value: /api/v2.0/ping + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.scheme + value: HTTP + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.port + value: 8080 + - equal: + path: spec.template.spec.containers[0].startupProbe.failureThreshold + value: 360 + - equal: + path: spec.template.spec.containers[0].startupProbe.initialDelaySeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].startupProbe.periodSeconds + value: 10 + + - it: StartupProbeInternalTLS + set: + core: + startupProbe: + enabled: true + initialDelaySeconds: 10 + internalTLS: + enabled: true + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.path + value: /api/v2.0/ping + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.scheme + value: HTTPS + - equal: + path: spec.template.spec.containers[0].startupProbe.httpGet.port + value: 8443 + 
- equal: + path: spec.template.spec.containers[0].startupProbe.failureThreshold + value: 360 + - equal: + path: spec.template.spec.containers[0].startupProbe.initialDelaySeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].startupProbe.periodSeconds + value: 10 + + - it: ExistingSecretAdminPassword + set: + existingSecretAdminPassword: HARBOR_ADMIN_PASSWORD + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: HARBOR_ADMIN_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: HARBOR_ADMIN_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: HARBOR_ADMIN_PASSWORD + + - it: InternalTLS + set: + internalTLS: + enabled: true + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 6 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: INTERNAL_TLS_ENABLED + - equal: + path: spec.template.spec.containers[0].env[2].value + value: "true" + - equal: + path: spec.template.spec.containers[0].env[3].name + value: INTERNAL_TLS_KEY_PATH + - equal: + path: spec.template.spec.containers[0].env[3].value + value: /etc/harbor/ssl/core/tls.key + - equal: + path: spec.template.spec.containers[0].env[4].name + value: INTERNAL_TLS_CERT_PATH + - equal: + path: spec.template.spec.containers[0].env[4].value + value: /etc/harbor/ssl/core/tls.crt + - equal: + path: spec.template.spec.containers[0].env[5].name + value: INTERNAL_TLS_TRUST_CA_PATH + - equal: + path: spec.template.spec.containers[0].env[5].value + value: /etc/harbor/ssl/core/ca.crt + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].name + value: core-internal-certs + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].mountPath + value: 
/etc/harbor/ssl/core + + - it: DBCredentials + set: + database: + external: + existingSecret: db-secret-name + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: POSTGRESQL_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: db-secret-name + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: password + + - it: RegistryCredentials + set: + registry: + credentials: + existingSecret: registry-secret-name + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: REGISTRY_CREDENTIAL_PASSWORD + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: registry-secret-name + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: REGISTRY_PASSWD + + - it: XsrfCredentials + set: + core: + existingXsrfSecret: xsrf-secret-name + existingXsrfSecretKey: xsrf-secret-key + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: CSRF_KEY + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name + value: xsrf-secret-name + - equal: + path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.key + value: xsrf-secret-key + + - it: ExtraEnvVars + set: + core: + extraEnvVars: + - name: ENVVAR_NAME + value: envvar_value + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 3 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: ENVVAR_NAME + - equal: + path: 
spec.template.spec.containers[0].env[2].value + value: envvar_value + + - it: MultipleExtraEnvVars + set: + core: + extraEnvVars: + - name: ENVVAR_NAME_1 + value: envvar_value_1 + - name: ENVVAR_NAME_2 + value: envvar_value_2 + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].env + count: 4 + - equal: + path: spec.template.spec.containers[0].env[2].name + value: ENVVAR_NAME_1 + - equal: + path: spec.template.spec.containers[0].env[2].value + value: envvar_value_1 + - equal: + path: spec.template.spec.containers[0].env[3].name + value: ENVVAR_NAME_2 + - equal: + path: spec.template.spec.containers[0].env[3].value + value: envvar_value_2 + + - it: ContainerSecurityContext + set: + containerSecurityContext: + privileged: true + allowPrivilegeEscalation: true + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + capabilities: + drop: + - All + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.privileged + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.seccompProfile.type + value: RuntimeDefault + - equal: + path: spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.capabilities.drop[0] + value: All + + - it: ExposeTLSEnabled + set: + expose: + tls: + enabled: true + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 5 + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].name + value: ca-download + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].mountPath + value: /etc/core/ca + + - it: UaaSecretName + set: + uaaSecretName: uaa-secret-name + template: templates/core/core-dpl.yaml + asserts: + - 
lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 6 + - lengthEqual: + path: spec.template.spec.volumes + count: 6 + - equal: + path: spec.template.spec.volumes[4].name + value: auth-ca-cert + - equal: + path: spec.template.spec.volumes[4].secret.secretName + value: uaa-secret-name + - equal: + path: spec.template.spec.volumes[4].secret.items[0].key + value: ca.crt + - equal: + path: spec.template.spec.volumes[4].secret.items[0].path + value: auth-ca.crt + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].mountPath + value: /etc/core/auth-ca/auth-ca.crt + - equal: + path: spec.template.spec.containers[0].volumeMounts[4].subPath + value: auth-ca.crt + + - it: Resources + set: + core: + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 500Mi + cpu: 200m + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 100m + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 256Mi + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 200m + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 500Mi + + - it: CASecretName + set: + caSecretName: ca-secret-name + template: templates/core/core-dpl.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 5 + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].name + value: ca-download + - equal: + path: spec.template.spec.containers[0].volumeMounts[3].mountPath + value: /etc/core/ca + - equal: + path: spec.template.spec.volumes[3].name + value: ca-download + - equal: + path: spec.template.spec.volumes[3].secret.secretName + value: ca-secret-name + + - it: NodeSelector + set: + core: + nodeSelector: + node.selector/tier: test-node-selector + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: 
spec.template.spec.nodeSelector["node.selector/tier"] + value: test-node-selector + + - it: Affinity + set: + core: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: test-affinity + operator: In + values: + - S1 + topologyKey: topology.kubernetes.io/zone + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key + value: test-affinity + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator + value: In + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values[0] + value: S1 + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey + value: topology.kubernetes.io/zone + + - it: Tolerations + set: + core: + tolerations: + - effect: NoSchedule + key: test-label + value: test + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.tolerations[0].effect + value: NoSchedule + - equal: + path: spec.template.spec.tolerations[0].key + value: test-label + - equal: + path: spec.template.spec.tolerations[0].value + value: test + + - it: PriorityClassName + set: + core: + priorityClassName: test-priority + template: templates/core/core-dpl.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: test-priority diff --git a/test/unittest/core_job_test.yaml b/test/unittest/core_job_test.yaml new file mode 100644 index 000000000..0f060fea5 --- /dev/null +++ b/test/unittest/core_job_test.yaml 
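Review bot: The `ContainerSecurityContext` case uses `privileged: true` and `allowPrivilegeEscalation: true` as its fixture and drops the capability `All`, so the only security-context example in the suite is a privileged container. The pass-through is proven just as well with hardened values, and test fixtures tend to get copied into real values files: `privileged: false`, `allowPrivilegeEscalation: false` and `drop: [ALL]` (the Pod Security restricted profile matches the upper-case spelling). The `InitContainers` case likewise only shows that the list is rendered verbatim; nothing here asserts that an init container receives a security context from the chart, so user-supplied init containers should be assumed to run with whatever they declare themselves. `PodAnnotations` also appears twice with identical content and one copy can go.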
@@ -0,0 +1,198 @@ +suite: CoreJob + +tests: + - it: JobDefault + set: + enableMigrateHelmHook: true + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + - it: ServiceAccount + set: + enableMigrateHelmHook: true + core: + serviceAccountName: test-service-account + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.serviceAccountName + value: test-service-account + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + - it: NodeSelector + set: + enableMigrateHelmHook: true + core: + nodeSelector: + node.selector/tier: test-node-selector + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector["node.selector/tier"] + value: test-node-selector + - lengthEqual: + path: spec.template.spec.containers + count: 
1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + + - it: Affinity + set: + enableMigrateHelmHook: true + core: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: test-affinity + operator: In + values: + - S1 + topologyKey: topology.kubernetes.io/zone + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key + value: test-affinity + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator + value: In + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values[0] + value: S1 + - equal: + path: spec.template.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey + value: topology.kubernetes.io/zone + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: 
spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] + + - it: Tolerations + set: + enableMigrateHelmHook: true + core: + tolerations: + - effect: NoSchedule + key: test-label + value: test + template: templates/core/core-pre-upgrade-job.yaml + asserts: + - equal: + path: spec.template.spec.tolerations[0].effect + value: NoSchedule + - equal: + path: spec.template.spec.tolerations[0].key + value: test-label + - equal: + path: spec.template.spec.tolerations[0].value + value: test + - lengthEqual: + path: spec.template.spec.containers + count: 1 + - lengthEqual: + path: spec.template.spec.containers[0].volumeMounts + count: 1 + - lengthEqual: + path: spec.template.spec.volumes + count: 1 + - equal: + path: metadata.name + value: migration-job + - equal: + path: spec.template.spec.containers[0].name + value: core-job + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: config + - equal: + path: spec.template.spec.volumes[0].name + value: config + - equal: + path: spec.template.spec.containers[0].command + value: ["/harbor/harbor_core", "-mode=migrate"] \ No newline at end of file diff --git a/test/unittest/core_secret_test.yaml b/test/unittest/core_secret_test.yaml new file mode 100644 index 000000000..02553c036 --- /dev/null +++ b/test/unittest/core_secret_test.yaml 
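Review bot: Every case sets `enableMigrateHelmHook: true`, so nothing checks that the migration job is absent when the flag is off, and no case asserts the hook annotations that decide when `/harbor/harbor_core -mode=migrate` runs. I would add a case without the flag that asserts `- hasDocuments:` with `count: 0`, assuming the template is gated on that value (the template itself is not in this hunk). The eight structural assertions repeated in `ServiceAccount`, `NodeSelector`, `Affinity` and `Tolerations` duplicate `JobDefault` and could be dropped from those cases so that each one fails only for the setting it names.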
@@ -0,0 +1,97 @@
+suite: CoreSecret
+
+tests:
+ - it: Secret
+ set:
+ secretKey: test-secret
+ harborAdminPassword: test-admin-password
+ registry:
+ credentials:
+ password: test-registry-secret
+ core:
+ secret: test-secret-defined
+ xsrfKey: xsrf-key
+ configureUserSettings: "{\"test\": \"test\"}"
+ template: templates/core/core-secret.yaml
+ asserts:
+ - equal:
+ path: data.secretKey
+ value: "dGVzdC1zZWNyZXQ="
+ - equal:
+ path: data.secret
+ value: "dGVzdC1zZWNyZXQtZGVmaW5lZA=="
+ - exists:
+ path: data["tls.key"]
+ - exists:
+ path: data["tls.crt"]
+ - equal:
+ path: data.HARBOR_ADMIN_PASSWORD
+ value: "dGVzdC1hZG1pbi1wYXNzd29yZA=="
+ - equal:
+ path: data.CONFIG_OVERWRITE_JSON
+ value: "eyJ0ZXN0IjogInRlc3QifQ=="
+
+ - it: ExistingSecretSecretKey
+ set:
+ existingSecretSecretKey: test-secret
+ template: templates/core/core-secret.yaml
+ asserts:
+ - notExists:
+ path: data.secretKey
+
+ - it: ExistingCoreSecret
+ set:
+ core:
+ existingSecret: test-secret
+ template: templates/core/core-secret.yaml
+ asserts:
+ - notExists:
+ path: data.secret
+
+ - it: ExistingTLSSecret
+ set:
+ core:
+ secretName: test-secret
+ template: templates/core/core-secret.yaml
+ asserts:
+ - notExists:
+ path: data["tls.key"]
+ - notExists:
+ path: data["tls.crt"]
+
+ - it: ExistingAdminSecret
+ set:
+ existingSecretAdminPassword: test-password
+ template: templates/core/core-secret.yaml
+ asserts:
+ - notExists:
+ path: data.HARBOR_ADMIN_PASSWORD
+
+ - it: ExistingDBSecret
+ set:
+ database:
+ external:
+ existingSecret: test-db-secret
+ template: templates/core/core-secret.yaml
+ asserts:
+ - notExists:
+ path: data.POSTGRESQL_PASSWORD
+
+ - it: ExistingRegistrySecret
+ set:
+ registry:
+ credentials:
+ existingSecret: test-registry-secret
+ template: templates/core/core-secret.yaml
+ asserts:
+ - notExists:
+ path: data.REGISTRY_CREDENTIAL_PASSWORD
+
+ - it: ExistingRegistrySecret
+ set:
+ core:
+ existingXsrfSecret: test-xsrf-secret
+ template: templates/core/core-secret.yaml
+ asserts:
+ - notExists:
+ path: data.CSRF_KEY
\ No newline at end of file
diff --git a/test/unittest/core_svc_test.yaml b/test/unittest/core_svc_test.yaml
new file mode 100644
index 000000000..ee641cca7
--- /dev/null
+++ b/test/unittest/core_svc_test.yaml
@@ -0,0 +1,84 @@
+suite: CoreSvc
+
+tests:
+ - it: Annotation
+ set:
+ core:
+ serviceAnnotations:
+ test.annotation: test-annotation
+ template: templates/core/core-svc.yaml
+ asserts:
+ - equal:
+ path: metadata.annotations["test.annotation"]
+ value: test-annotation
+
+ - it: TypeGce
+ set:
+ expose:
+ ingress:
+ controller: gce
+ template: templates/core/core-svc.yaml
+ asserts:
+ - equal:
+ path: spec.type
+ value: NodePort
+
+ - it: TypeAlb
+ set:
+ expose:
+ ingress:
+ controller: alb
+ template: templates/core/core-svc.yaml
+ asserts:
+ - equal:
+ path: spec.type
+ value: NodePort
+
+ - it: TypeF5
+ set:
+ expose:
+ ingress:
+ controller: f5-bigip
+ template: templates/core/core-svc.yaml
+ asserts:
+ - equal:
+ path: spec.type
+ value: NodePort
+
+ - it: NotType
+ template: templates/core/core-svc.yaml
+ asserts:
+ - notExists:
+ path: spec.type
+
+ - it: ExposeTLSEnabled
+ set:
+ internalTLS:
+ enabled: true
+ template: templates/core/core-svc.yaml
+ asserts:
+ - equal:
+ path: spec.ports[0].name
+ value: https-web
+
+ - it: ExposeTLSDisabled
+ set:
+ internalTLS:
+ enabled: false
+ template: templates/core/core-svc.yaml
+ asserts:
+ - equal:
+ path: spec.ports[0].name
+ value: http-web
+
+ - it: ExposeMetricsPort
+ set:
+ metrics:
+ enabled: true
+ core:
+ port: 1111
+ template: templates/core/core-svc.yaml
+ asserts:
+ - equal:
+ path: spec.ports[1].port
+ value: 1111
\ No newline at end of file
diff --git a/test/unittest/core_tls_test.yaml b/test/unittest/core_tls_test.yaml
new file mode 100644
index 000000000..1d9dca1a9
--- /dev/null
+++ b/test/unittest/core_tls_test.yaml
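Review bot: The `notExists` cases are only meaningful if the same key is shown to exist without the existing-secret setting, and the `Secret` case sets `core.xsrfKey` and `registry.credentials.password` without asserting `data.CSRF_KEY` or `data.REGISTRY_CREDENTIAL_PASSWORD`; `data.POSTGRESQL_PASSWORD` has no positive case either. A misspelled key in the template would therefore let `ExistingRegistrySecret`, `ExistingDBSecret` and the XSRF case pass while the chart still rendered the credential under another name. Adding `- exists:` assertions for those three paths, under the settings that render them, closes that gap. The last case reuses the name `ExistingRegistrySecret` although it sets `core.existingXsrfSecret`; `- it: ExistingXsrfSecret` would match what it tests.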
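Review bot: `ExposeTLSEnabled` and `ExposeTLSDisabled` in core_svc_test.yaml set `internalTLS.enabled`, not `expose.tls.enabled` as the case of the same name in the deployment suite does, so the names point at the wrong setting; `InternalTLSEnabled` and `InternalTLSDisabled` would be accurate. Both cases assert only `spec.ports[0].name`, so a service that kept the plain-HTTP port number under the `https-web` name would still pass; asserting `spec.ports[0].port` alongside the name would cover that.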
@@ -0,0 +1,40 @@
+suite: CoreTls
+
+tests:
+ - it: TLSExists
+ set:
+ trivy:
+ enabled: false
+ registry:
+ enabled: false
+ internalTLS:
+ enabled: true
+ trustCa: testCa
+ certSource: manual
+ core:
+ crt: testCrt
+ key: testKey
+ registry:
+ crt: testCrt
+ key: testKey
+ portal:
+ crt: testCrt
+ key: testKey
+ jobservice:
+ crt: testCrt
+ key: testKey
+ template: templates/core/core-tls.yaml
+ asserts:
+ - exists:
+ path: metadata.name
+ - exists:
+ path: apiVersion
+ - equal:
+ path: data["ca.crt"]
+ value: "dGVzdENh"
+ - equal:
+ path: data["tls.crt"]
+ value: "dGVzdENydA=="
+ - equal:
+ path: data["tls.key"]
+ value: "dGVzdEtleQ=="
diff --git a/test/unittest/trivy_stateful_set_test.go b/test/unittest/trivy_stateful_set_test.go
deleted file mode 100644
index c8efa9be8..000000000
--- a/test/unittest/trivy_stateful_set_test.go
+++ /dev/null
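Review bot: `TLSExists` covers only the path where every certificate and key is supplied, so nothing pins what happens when `certSource: manual` is set and a value is missing. The core-tls.yaml template shown in a later patch on this page wraps `internalTLS.core.crt` and `internalTLS.core.key` in `required`, and a case that omits one of them and asserts `- failedTemplate:` with the expected `errorMessage` would keep that guard from being dropped unnoticed. A second case with `internalTLS.enabled: false` asserting that no Secret is rendered would cover the other branch, if the template is gated the way its trailing `{{- end }}` lines suggest.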
@@ -1,171 +0,0 @@ -package unittest - -import ( - "os" - "testing" - - "github.com/gruntwork-io/terratest/modules/helm" - "github.com/gruntwork-io/terratest/modules/logger" - "github.com/stretchr/testify/suite" - appsV1 "k8s.io/api/apps/v1" -) - -type TrivyStatefulSetTestSuite struct { - suite.Suite -} - -func (suite *TrivyStatefulSetTestSuite) render(values map[string]string) *appsV1.StatefulSet { - helmChartPath := "../../" - - options := &helm.Options{ - SetValues: values, - } - - debug := os.Getenv("debug") - if debug != "true" { - options.Logger = logger.Discard - } - - output := helm.RenderTemplate(suite.T(), options, helmChartPath, "harbor", []string{"templates/trivy/trivy-sts.yaml"}) - - var ss appsV1.StatefulSet - helm.UnmarshalK8SYaml(suite.T(), output, &ss) - - return &ss -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceDisabled() { - values := map[string]string{ - "persistence.enabled": "false", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].EmptyDir) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) TestPersistenceEnabled() { - values := map[string]string{ - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 0) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) -} - -func (suite *TrivyStatefulSetTestSuite) TestExistingClaim() { - values := map[string]string{ - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.NotNil(ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim) - suite.Equal("trivy-data", ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) -} - -func (suite *TrivyStatefulSetTestSuite) 
TestInternalTLSEnabled() { - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := map[string]string{ - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func (suite *TrivyStatefulSetTestSuite) TestCustomCA() { - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "false", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "internalTLS.enabled": "true", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 3) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } - - { - values := map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 1) - suite.Len(ss.Spec.VolumeClaimTemplates, 1) - } - - { - values := 
map[string]string{ - "caBundleSecretName": "ca-bundle-secret", - "persistence.enabled": "true", - "persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data", - } - - ss := suite.render(values) - suite.Len(ss.Spec.Template.Spec.Volumes, 2) - suite.Len(ss.Spec.VolumeClaimTemplates, 0) - } -} - -func TestTrivyStatefulSetTestSuite(t *testing.T) { - suite.Run(t, &TrivyStatefulSetTestSuite{}) -} diff --git a/test/unittest/trivy_statefulset_test.yaml b/test/unittest/trivy_statefulset_test.yaml new file mode 100644 index 000000000..195c3b4e7 --- /dev/null +++ b/test/unittest/trivy_statefulset_test.yaml 
@@ -0,0 +1,97 @@
+suite: TrivyStatefulSet
+
+tests:
+ - it: PersistenceDisabled
+ set:
+ persistence:
+ enabled: false
+ persistentVolumeClaim:
+ trivy:
+ existingClaim: trivy-data
+ template: templates/trivy/trivy-sts.yaml
+ asserts:
+ - lengthEqual:
+ path: spec.template.spec.volumes
+ count: 1
+ - notExists:
+ path: spec.volumeClaimTemplates
+ - exists:
+ path: spec.template.spec.volumes[0].emptyDir
+
+ - it: PersistenceEnabled
+ set:
+ persistence:
+ enabled: true
+ template: templates/trivy/trivy-sts.yaml
+ asserts:
+ - notExists:
+ path: spec.template.spec.volumes
+ - lengthEqual:
+ path: spec.volumeClaimTemplates
+ count: 1
+
+ - it: ExistingClaim
+ set:
+ persistence:
+ enabled: true
+ persistentVolumeClaim:
+ trivy:
+ existingClaim: trivy-data
+ template: templates/trivy/trivy-sts.yaml
+ asserts:
+ - lengthEqual:
+ path: spec.template.spec.volumes
+ count: 1
+ - notExists:
+ path: spec.volumeClaimTemplates
+ - exists:
+ path: spec.template.spec.volumes[0].persistentVolumeClaim
+ - equal:
+ path: spec.template.spec.volumes[0].persistentVolumeClaim.claimName
+ value: trivy-data
+
+ - it: InternalTLSEnabledWithoutPersistence
+ set:
+ internalTLS:
+ enabled: true
+ persistence:
+ enabled: false
+ template: templates/trivy/trivy-sts.yaml
+ asserts:
+ - lengthEqual:
+ path: spec.template.spec.volumes
+ count: 2
+ - notExists:
+ path: spec.volumeClaimTemplates
+
+ - it: InternalTLSEnabledWithPersistence
+ set:
+ internalTLS:
+ enabled: true
+ persistence:
+ enabled: true
+ template: templates/trivy/trivy-sts.yaml
+ asserts:
+ - lengthEqual:
+ path: spec.template.spec.volumes
+ count: 1
+ - lengthEqual:
+ path: spec.template.spec.volumes
+ count: 1
+
+ - it: InternalTLSEnabledWithPersistenceExistigClaim
+ set:
+ internalTLS:
+ enabled: true
+ persistence:
+ enabled: true
+ persistentVolumeClaim:
+ trivy:
+ existingClaim: trivy-data
+ template: templates/trivy/trivy-sts.yaml
+ asserts:
+ - lengthEqual:
+ path: spec.template.spec.volumes
+ count: 2
+ - notExists:
+ path: spec.volumeClaimTemplates
\ No newline at end of file
From 0be9b1a89f96d4d341813aa27e4196bf0e19d342 Mon Sep 17 00:00:00 2001 From: Kellen Sappington Date: Fri, 26 Jul 2024 06:43:01 -0400 Subject: [PATCH 06/13] Fix ArgoCD integration by adding metadata.namespace to all templates
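Review bot: `InternalTLSEnabledWithPersistence` in trivy_statefulset_test.yaml asserts `spec.template.spec.volumes` with `count: 1` twice; going by the Go test this file replaces, the second assertion was meant to be `path: spec.volumeClaimTemplates` with `count: 1`, so the claim template is currently unchecked in that case. The deleted `TestCustomCA` cases, which set `caBundleSecretName` alone and together with internal TLS and an existing claim, have no counterpart here, so the CA bundle volume loses its coverage in this migration. `InternalTLSEnabledWithPersistenceExistigClaim` is missing an `n`.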
Signed-off-by: Kellen Sappington --- templates/core/core-cm.yaml | 3 ++- templates/core/core-dpl.yaml | 1 + templates/core/core-pre-upgrade-job.yaml | 3 ++- templates/core/core-secret.yaml | 1 + templates/core/core-svc.yaml | 1 + templates/core/core-tls.yaml | 3 ++- templates/database/database-secret.yaml | 1 + templates/database/database-ss.yaml | 1 + templates/database/database-svc.yaml | 3 ++- templates/exporter/exporter-cm-env.yaml | 3 ++- templates/exporter/exporter-dpl.yaml | 1 + templates/exporter/exporter-secret.yaml | 1 + templates/exporter/exporter-svc.yaml | 1 + templates/ingress/ingress.yaml | 1 + templates/ingress/secret.yaml | 3 ++- templates/internal/auto-tls.yaml | 7 ++++++- templates/jobservice/jobservice-cm-env.yaml | 1 + templates/jobservice/jobservice-cm.yaml | 1 + templates/jobservice/jobservice-dpl.yaml | 1 + templates/jobservice/jobservice-pvc.yaml | 1 + templates/jobservice/jobservice-secrets.yaml | 1 + templates/jobservice/jobservice-svc.yaml | 1 + templates/jobservice/jobservice-tls.yaml | 3 ++- templates/metrics/metrics-svcmon.yaml | 1 + templates/nginx/configmap-http.yaml | 1 + templates/nginx/configmap-https.yaml | 1 + templates/nginx/deployment.yaml | 1 + templates/nginx/secret.yaml | 3 ++- templates/nginx/service.yaml | 1 + templates/portal/configmap.yaml | 1 + templates/portal/deployment.yaml | 1 + templates/portal/service.yaml | 1 + templates/portal/tls.yaml | 1 + templates/redis/service.yaml | 3 ++- templates/redis/statefulset.yaml | 1 + templates/registry/registry-cm.yaml | 1 + templates/registry/registry-dpl.yaml | 1 + templates/registry/registry-pvc.yaml | 3 ++- templates/registry/registry-secret.yaml | 2 ++ templates/registry/registry-svc.yaml | 3 ++- templates/registry/registry-tls.yaml | 3 ++- templates/registry/registryctl-cm.yaml | 1 + templates/registry/registryctl-secret.yaml | 3 ++- templates/trivy/trivy-secret.yaml | 1 + templates/trivy/trivy-sts.yaml | 1 + templates/trivy/trivy-svc.yaml | 1 + 
templates/trivy/trivy-tls.yaml | 1 + 47 files changed, 66 insertions(+), 14 deletions(-) diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml index 93cab01b4..f27bdaaaf 100644 --- a/templates/core/core-cm.yaml +++ b/templates/core/core-cm.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: @@ -87,4 +88,4 @@ data: {{- if .Values.core.quotaUpdateProvider }} QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" - {{- end }} \ No newline at end of file + {{- end }} diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 2ee8fd59c..4705c5f6e 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: core diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml index ce0b13134..872715694 100644 --- a/templates/core/core-pre-upgrade-job.yaml +++ b/templates/core/core-pre-upgrade-job.yaml @@ -3,6 +3,7 @@ apiVersion: batch/v1 kind: Job metadata: name: migration-job + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: migrator @@ -74,4 +75,4 @@ spec: tolerations: {{ toYaml . | indent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 62a41fce8..ea9d4cfab 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque 
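Review bot: The expression `{{ .Release.Namespace | quote }}` is pasted verbatim into the `metadata` of every template this commit touches, starting with `templates/core/core-cm.yaml` and repeating through the rest of the diffstat. A single named template would keep the namespace logic in one place, so a later namespace-override value cannot reach some objects and miss others. That matters most for the Secret templates changed here, because a Pod can only reference Secrets in its own namespace. The line would then read `namespace: {{ include "harbor.namespace" . | quote }}`; the helper name is a suggestion, not an identifier visible in this diff, and the chart's helpers file is outside it.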
diff --git a/templates/core/core-svc.yaml b/templates/core/core-svc.yaml index 0d2cfb291..f918eb388 100644 --- a/templates/core/core-svc.yaml +++ b/templates/core/core-svc.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "harbor.core" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- with .Values.core.serviceAnnotations }} diff --git a/templates/core/core-tls.yaml b/templates/core/core-tls.yaml index c52148f0d..d90d30c8f 100644 --- a/templates/core/core-tls.yaml +++ b/templates/core/core-tls.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.core.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -12,4 +13,4 @@ data: tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml index 864aff4a1..0d07ec26f 100644 --- a/templates/database/database-secret.yaml +++ b/templates/database/database-secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index 71c5eb1e0..9bd5c096c 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: database 
diff --git a/templates/database/database-svc.yaml b/templates/database/database-svc.yaml index 6475048cd..e2085a058 100644 --- a/templates/database/database-svc.yaml +++ b/templates/database/database-svc.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.database" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: @@ -11,4 +12,4 @@ spec: selector: {{ include "harbor.matchLabels" . | indent 4 }} component: database -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/templates/exporter/exporter-cm-env.yaml b/templates/exporter/exporter-cm-env.yaml index 0bf4e7d90..3f911032b 100644 --- a/templates/exporter/exporter-cm-env.yaml +++ b/templates/exporter/exporter-cm-env.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.exporter" . }}-env" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: @@ -32,4 +33,4 @@ data: HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" -{{- end}} \ No newline at end of file +{{- end}} diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml index 01e9258ea..32fac20ac 100644 --- a/templates/exporter/exporter-dpl.yaml +++ b/templates/exporter/exporter-dpl.yaml @@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "harbor.exporter" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: exporter diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml index 434a1bf68..02c74d03c 100644 --- a/templates/exporter/exporter-secret.yaml +++ b/templates/exporter/exporter-secret.yaml 
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.exporter" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque diff --git a/templates/exporter/exporter-svc.yaml b/templates/exporter/exporter-svc.yaml index 4a6f3fdec..6d0d83193 100644 --- a/templates/exporter/exporter-svc.yaml +++ b/templates/exporter/exporter-svc.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.exporter" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml index 73472c605..0b23cb43c 100644 --- a/templates/ingress/ingress.yaml +++ b/templates/ingress/ingress.yaml @@ -35,6 +35,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: "{{ template "harbor.ingress" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- if $ingress.labels }} diff --git a/templates/ingress/secret.yaml b/templates/ingress/secret.yaml index 41507b3dd..90ba27511 100644 --- a/templates/ingress/secret.yaml +++ b/templates/ingress/secret.yaml @@ -5,6 +5,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.ingress" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -12,4 +13,4 @@ data: tls.crt: {{ $cert.Cert | b64enc | quote }} tls.key: {{ $cert.Key | b64enc | quote }} ca.crt: {{ $ca.Cert | b64enc | quote }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/internal/auto-tls.yaml b/templates/internal/auto-tls.yaml index da5f5e2c7..32807cfd1 100644 --- a/templates/internal/auto-tls.yaml +++ b/templates/internal/auto-tls.yaml 
@@ -14,6 +14,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.core.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -27,6 +28,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -40,6 +42,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -53,6 +56,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -69,6 +73,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -78,4 +83,4 @@ data: tls.key: {{ $trivyCrt.Key | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/jobservice/jobservice-cm-env.yaml b/templates/jobservice/jobservice-cm-env.yaml index 8411c7a47..2b9307455 100644 --- a/templates/jobservice/jobservice-cm-env.yaml +++ b/templates/jobservice/jobservice-cm-env.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.jobservice" . }}-env" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: diff --git a/templates/jobservice/jobservice-cm.yaml b/templates/jobservice/jobservice-cm.yaml index 8211c6220..c950e6787 100644 --- a/templates/jobservice/jobservice-cm.yaml 
+++ b/templates/jobservice/jobservice-cm.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index 1bb669082..3e426694b 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: jobservice diff --git a/templates/jobservice/jobservice-pvc.yaml b/templates/jobservice/jobservice-pvc.yaml index 3f7d00b67..eb781eed1 100644 --- a/templates/jobservice/jobservice-pvc.yaml +++ b/templates/jobservice/jobservice-pvc.yaml @@ -4,6 +4,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "harbor.jobservice" . }} + namespace: {{ .Release.Namespace | quote }} annotations: {{- range $key, $value := $jobLog.annotations }} {{ $key }}: {{ $value | quote }} diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index eeb00bde0..7706c3513 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque diff --git a/templates/jobservice/jobservice-svc.yaml b/templates/jobservice/jobservice-svc.yaml index d2b7a47fd..483b40ed5 100644 --- a/templates/jobservice/jobservice-svc.yaml +++ b/templates/jobservice/jobservice-svc.yaml 
@@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.jobservice" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: diff --git a/templates/jobservice/jobservice-tls.yaml b/templates/jobservice/jobservice-tls.yaml index 234cb3999..58809ec46 100644 --- a/templates/jobservice/jobservice-tls.yaml +++ b/templates/jobservice/jobservice-tls.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls @@ -12,4 +13,4 @@ data: tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/metrics/metrics-svcmon.yaml b/templates/metrics/metrics-svcmon.yaml index 1122ef01e..d566285ed 100644 --- a/templates/metrics/metrics-svcmon.yaml +++ b/templates/metrics/metrics-svcmon.yaml @@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "harbor.fullname" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | nindent 4 }} {{- if .Values.metrics.serviceMonitor.additionalLabels }} {{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} diff --git a/templates/nginx/configmap-http.yaml b/templates/nginx/configmap-http.yaml index c4b8354d0..8c25ff211 100644 --- a/templates/nginx/configmap-http.yaml +++ b/templates/nginx/configmap-http.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: 
diff --git a/templates/nginx/configmap-https.yaml b/templates/nginx/configmap-https.yaml index 56c943a61..5d625f81e 100644 --- a/templates/nginx/configmap-https.yaml +++ b/templates/nginx/configmap-https.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index 3abc94198..04faa3735 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml @@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: nginx diff --git a/templates/nginx/secret.yaml b/templates/nginx/secret.yaml index c819c556d..369bd65d6 100644 --- a/templates/nginx/secret.yaml +++ b/templates/nginx/secret.yaml @@ -5,6 +5,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.nginx" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque @@ -20,4 +21,4 @@ data: tls.key: {{ $cert.Key | b64enc | quote }} ca.crt: {{ $ca.Cert | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/nginx/service.yaml b/templates/nginx/service.yaml index 691584ce0..7eac84ee1 100644 --- a/templates/nginx/service.yaml +++ b/templates/nginx/service.yaml @@ -5,6 +5,7 @@ metadata: {{- if eq .Values.expose.type "clusterIP" }} {{- $clusterIP := .Values.expose.clusterIP }} name: {{ $clusterIP.name }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- if .Values.expose.clusterIP.labels }} diff --git a/templates/portal/configmap.yaml b/templates/portal/configmap.yaml index 7b2118e72..af56783a8 100644 --- a/templates/portal/configmap.yaml 
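Review bot: In `templates/nginx/service.yaml` the `namespace` line is added only inside the `{{- if eq .Values.expose.type "clusterIP" }}` branch of `metadata`, and the diffstat records a single insertion for this file. If the other expose types render their own `name:` in sibling branches (those branches are outside the hunk, so this is inferred), their Service objects are still emitted without `metadata.namespace`. The ArgoCD fix named in the subject would then be incomplete for them. Each such branch needs the same line, `namespace: {{ .Release.Namespace | quote }}`, directly after its `name:`.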
+++ b/templates/portal/configmap.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index 4dea94438..88bcd4979 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: portal diff --git a/templates/portal/service.yaml b/templates/portal/service.yaml index d00026da4..c1273f072 100644 --- a/templates/portal/service.yaml +++ b/templates/portal/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.portal" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} {{- with .Values.portal.serviceAnnotations }} diff --git a/templates/portal/tls.yaml b/templates/portal/tls.yaml index de63f4e81..e61a7d3a4 100644 --- a/templates/portal/tls.yaml +++ b/templates/portal/tls.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls diff --git a/templates/redis/service.yaml b/templates/redis/service.yaml index 79c95c3e0..61c21d13e 100644 --- a/templates/redis/service.yaml +++ b/templates/redis/service.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "harbor.redis" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: 
@@ -11,4 +12,4 @@ spec: selector: {{ include "harbor.matchLabels" . | indent 4 }} component: redis -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index 1d37fb184..fa5dd22d2 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "harbor.redis" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: redis diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml index 4f7056c38..26e3fc915 100644 --- a/templates/registry/registry-cm.yaml +++ b/templates/registry/registry-cm.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 0965cf2e2..6310b9de0 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: registry diff --git a/templates/registry/registry-pvc.yaml b/templates/registry/registry-pvc.yaml index 5d6d4d3dd..712c21175 100644 --- a/templates/registry/registry-pvc.yaml +++ b/templates/registry/registry-pvc.yaml @@ -5,6 +5,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "harbor.registry" . }} + namespace: {{ .Release.Namespace | quote }} annotations: {{- range $key, $value := $registry.annotations }} {{ $key }}: {{ $value | quote }} @@ -30,4 +31,4 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index e853a9cbe..11ada3b70 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque @@ -43,6 +44,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.registry" . }}-htpasswd" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque diff --git a/templates/registry/registry-svc.yaml b/templates/registry/registry-svc.yaml index 749690ea0..d89ae7dca 100644 --- a/templates/registry/registry-svc.yaml +++ b/templates/registry/registry-svc.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.registry" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: @@ -17,4 +18,4 @@ spec: {{- end }} selector: {{ include "harbor.matchLabels" . | indent 4 }} - component: registry \ No newline at end of file + component: registry diff --git a/templates/registry/registry-tls.yaml b/templates/registry/registry-tls.yaml index 9d1862c41..ec4540c2e 100644 --- a/templates/registry/registry-tls.yaml +++ b/templates/registry/registry-tls.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls 
@@ -12,4 +13,4 @@ data: tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/registry/registryctl-cm.yaml b/templates/registry/registryctl-cm.yaml index 87aa5ffe2..61b2c5e13 100644 --- a/templates/registry/registryctl-cm.yaml +++ b/templates/registry/registryctl-cm.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: "{{ template "harbor.registryCtl" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} data: diff --git a/templates/registry/registryctl-secret.yaml b/templates/registry/registryctl-secret.yaml index 70097703e..324a2e03b 100644 --- a/templates/registry/registryctl-secret.yaml +++ b/templates/registry/registryctl-secret.yaml @@ -2,8 +2,9 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.registryCtl" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file + {{- template "harbor.traceJaegerPassword" . }} diff --git a/templates/trivy/trivy-secret.yaml b/templates/trivy/trivy-secret.yaml index 84652c749..b13f88000 100644 --- a/templates/trivy/trivy-secret.yaml +++ b/templates/trivy/trivy-secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "harbor.trivy" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: Opaque diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index c876ba387..7e34ee9c7 100644 --- a/templates/trivy/trivy-sts.yaml +++ b/templates/trivy/trivy-sts.yaml 
@@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "harbor.trivy" . }} + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} component: trivy diff --git a/templates/trivy/trivy-svc.yaml b/templates/trivy/trivy-svc.yaml index 24daf094e..e0ae32070 100644 --- a/templates/trivy/trivy-svc.yaml +++ b/templates/trivy/trivy-svc.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.trivy" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} spec: diff --git a/templates/trivy/trivy-tls.yaml b/templates/trivy/trivy-tls.yaml index a9c8330c3..58bce4ec5 100644 --- a/templates/trivy/trivy-tls.yaml +++ b/templates/trivy/trivy-tls.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + namespace: {{ .Release.Namespace | quote }} labels: {{ include "harbor.labels" . | indent 4 }} type: kubernetes.io/tls From cad54ba3c3d076d71244ac148352fdd1bff399fa Mon Sep 17 00:00:00 2001 From: Shengwen YU Date: Sun, 28 Jul 2024 19:58:29 +0800 Subject: [PATCH 07/13] fix: update maintainers info and comment of trivy config (#1792) Signed-off-by: Shengwen Yu --- Chart.yaml | 10 ++++++---- README.md | 2 +- values.yaml | 2 +- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 59edf1fcd..6838db79e 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -13,10 +13,12 @@ sources: - https://github.com/goharbor/harbor - https://github.com/goharbor/harbor-helm maintainers: +- name: Yan Wang + email: yan-yw.wang@broadcom.com - name: Wenkai Yin - email: yinw@vmware.com -- name: Weiwei He - email: hweiwei@vmware.com + email: wenkai.yin@broadcom.com +- name: Miner Yang + email: miner.yang@broadcom.com - name: Shengwen Yu - email: yshengwen@vmware.com + email: shengwen.yu@broadcom.com engine: gotpl 
diff --git a/README.md b/README.md index a78cfa670..ec394b84a 100644 --- a/README.md +++ b/README.md @@ -307,7 +307,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | | `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | | `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | -| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. | `vuln` | | `trivy.timeout` | The duration to wait for scan completion | `5m0s` | | `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | | `trivy.priorityClassName` | The priority class to run the pod as | | diff --git a/values.yaml b/values.yaml index ec3e4c499..926bc1627 100644 --- a/values.yaml +++ b/values.yaml @@ -875,7 +875,7 @@ trivy: # It would work if all the dependencies are in local. # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. offlineScan: false - # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + # Comma-separated list of what security issues to detect. Defaults to `vuln`. securityCheck: "vuln" # The duration to wait for scan completion timeout: 5m0s From 74326eded0eb335576e94e6623627756a70421da Mon Sep 17 00:00:00 2001 
From: Carlos Vega Date: Wed, 7 Aug 2024 08:37:48 +0200 Subject: [PATCH 08/13] Fixed comments - Remove duplicated test PodAnnotations - Rename test ArtifactPullAsyncFlushDuration Signed-off-by: Carlos Vega --- test/unittest/core_configmap_test.yaml | 4 ++-- test/unittest/core_deployment_test.yaml | 11 ----------- test/unittest/core_secret_test.yaml | 2 +- test/unittest/core_svc_test.yaml | 4 ++-- test/unittest/core_tls_test.yaml | 2 -- 5 files changed, 5 insertions(+), 18 deletions(-) diff --git a/test/unittest/core_configmap_test.yaml b/test/unittest/core_configmap_test.yaml index 5699425db..a68d17e42 100644 --- a/test/unittest/core_configmap_test.yaml +++ b/test/unittest/core_configmap_test.yaml @@ -102,7 +102,7 @@ tests: path: data.GC_TIME_WINDOW_HOURS value: "2" - - it: GcTimeWindowHours + - it: ArtifactPullAsyncFlushDuration set: core: artifactPullAsyncFlushDuration: 30 @@ -169,7 +169,7 @@ tests: path: data.CACHE_EXPIRE_HOURS value: "3" - - it: CuotaUpdate + - it: QuotaUpdate set: core: quotaUpdateProvider: 3 diff --git a/test/unittest/core_deployment_test.yaml b/test/unittest/core_deployment_test.yaml index 91c974196..da67d3cbf 100644 --- a/test/unittest/core_deployment_test.yaml +++ b/test/unittest/core_deployment_test.yaml @@ -23,17 +23,6 @@ tests: path: spec.template.metadata.annotations["test.annotation"] value: test-annotation - - it: PodAnnotations - set: - core: - podAnnotations: - test.annotation: test-annotation - template: templates/core/core-dpl.yaml - asserts: - - equal: - path: spec.template.metadata.annotations["test.annotation"] - value: test-annotation - - it: NoReplicas set: core: diff --git a/test/unittest/core_secret_test.yaml b/test/unittest/core_secret_test.yaml index 02553c036..4f08c1e61 100644 --- a/test/unittest/core_secret_test.yaml +++ b/test/unittest/core_secret_test.yaml @@ -67,7 +67,7 @@ tests: - notExists: path: data.HARBOR_ADMIN_PASSWORD - - it: ExistingDBSecret + - it: ExistingExternalDBSecret set: database: external: 
diff --git a/test/unittest/core_svc_test.yaml b/test/unittest/core_svc_test.yaml index ee641cca7..21fa842df 100644 --- a/test/unittest/core_svc_test.yaml +++ b/test/unittest/core_svc_test.yaml @@ -51,7 +51,7 @@ tests: - notExists: path: spec.type - - it: ExposeTLSEnabled + - it: InternalTLSEnabled set: internalTLS: enabled: true @@ -61,7 +61,7 @@ tests: path: spec.ports[0].name value: https-web - - it: ExposeTLSDisabled + - it: InternalTLSDisabled set: internalTLS: enabled: false diff --git a/test/unittest/core_tls_test.yaml b/test/unittest/core_tls_test.yaml index 1d9dca1a9..72907e23a 100644 --- a/test/unittest/core_tls_test.yaml +++ b/test/unittest/core_tls_test.yaml @@ -5,8 +5,6 @@ tests: set: trivy: enabled: false - registry: - enabled: false internalTLS: enabled: true trustCa: testCa From c1a4b04629bd5fef1a6e845882b201259656dc3d Mon Sep 17 00:00:00 2001 From: Nashwan Azhari Date: Tue, 13 Aug 2024 13:02:31 +0300 Subject: [PATCH 09/13] Remove ineffective 'args' from registry-dpl template. This patch removes the 'args' field from the 'registry-dpl' Deployment template, as is was completely ignored by the upstream registry-photon image's entrypoint.sh script which does not accept/process any arguments in any way. Fixes: https://github.com/goharbor/harbor-helm/issues/1801 Signed-off-by: Nashwan Azhari --- templates/registry/registry-dpl.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 0965cf2e2..feac95d00 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -95,7 +95,6 @@ spec: {{- if not (empty .Values.containerSecurityContext) }} securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} {{- end }} - args: ["serve", "/etc/registry/config.yml"] envFrom: - secretRef: name: "{{ template "harbor.registry" . }}" From b4ff8f406172b29ff07e5548034bf8e9a962756e Mon Sep 17 00:00:00 2001 
From: vitaliytv Date: Sun, 18 Aug 2024 19:58:42 +0300 Subject: [PATCH 10/13] DOCS: missing link to distribution Signed-off-by: vitaliytv --- values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/values.yaml b/values.yaml index 926bc1627..c862337d0 100644 --- a/values.yaml +++ b/values.yaml @@ -173,14 +173,14 @@ persistence: annotations: {} # Define which storage backend is used for registry to store # images and charts. Refer to - # https://github.com/distribution/distribution/blob/main/docs/content/about/configuration.md#storage + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#storage # for the detail. imageChartStorage: # Specify whether to disable `redirect` for images and chart storage, for # backends which not supported it (such as using minio for `s3` storage type), please disable # it. To disable redirects, simply set `disableredirect` to `true` instead. # Refer to - # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#redirect # for the detail. disableredirect: false # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. @@ -749,7 +749,7 @@ registry: # command: [ 'sh', '-c', "sleep 20" ] # Secret is used to secure the upload state from client # and registry storage backend. - # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # See: https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#http # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. secret: "" From d0d2cd7f45baaa85b1ec2b7df819e61e4d585bbe Mon Sep 17 00:00:00 2001 From: Leonardo Barcaroli Date: Wed, 21 Aug 2024 05:07:22 +0200 Subject: [PATCH 11/13] Fix issue #1620 
Signed-off-by: Leonardo Barcaroli
---
 templates/ingress/ingress.yaml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml
index 0b23cb43c..f2314716e 100644
--- a/templates/ingress/ingress.yaml
+++ b/templates/ingress/ingress.yaml
@@ -2,6 +2,7 @@
 {{- $ingress := .Values.expose.ingress -}}
 {{- $tls := .Values.expose.tls -}}
 {{- if eq .Values.expose.ingress.controller "gce" }}
+ {{- $_ := set . "path_type" "ImplementationSpecific" -}}
 {{- $_ := set . "portal_path" "/*" -}}
 {{- $_ := set . "api_path" "/api/*" -}}
 {{- $_ := set . "service_path" "/service/*" -}}
@@ -9,6 +10,7 @@
 {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
 {{- $_ := set . "controller_path" "/c/*" -}}
 {{- else if eq .Values.expose.ingress.controller "ncp" }}
+ {{- $_ := set . "path_type" "Prefix" -}}
 {{- $_ := set . "portal_path" "/.*" -}}
 {{- $_ := set . "api_path" "/api/.*" -}}
 {{- $_ := set . "service_path" "/service/.*" -}}
@@ -16,6 +18,7 @@
 {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
 {{- $_ := set . "controller_path" "/c/.*" -}}
 {{- else }}
+ {{- $_ := set . "path_type" "Prefix" -}}
 {{- $_ := set . "portal_path" "/" -}}
 {{- $_ := set . "api_path" "/api/" -}}
 {{- $_ := set . "service_path" "/service/" -}}
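Review bot: The `ncp` branch sets `path_type` to `Prefix` while its paths stay pattern-style (`/.*`, `/api/.*`, `/service/.*`), and Kubernetes defines `Prefix` as element-wise matching on `/`-separated segments, not as a pattern. Whether the NCP controller reinterprets those strings is not visible in this diff, so confirm that this branch should not also be `ImplementationSpecific`, as the `gce` branch now is. A short template comment above each assignment would record the reason for the difference, for example `{{- /* gce: "/*" wildcard paths are controller-specific, so pathType is not Prefix */ -}}`. The same `.path_type` value feeds all six `pathType:` lines in the later hunk (`@@ -94,42 +97,42 @@`), so a wrong choice here changes routing for every Harbor backend at once.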
@@ -94,42 +97,42 @@ spec:
 servicePort: {{ template "harbor.portal.servicePort" . }}
 {{- else }}
 - path: {{ .api_path }}
- pathType: Prefix
+ pathType: {{ .path_type }}
 backend:
 service:
 name: {{ template "harbor.core" . }}
 port:
 number: {{ template "harbor.core.servicePort" . }}
 - path: {{ .service_path }}
- pathType: Prefix
+ pathType: {{ .path_type }}
 backend:
 service:
 name: {{ template "harbor.core" . }}
 port:
 number: {{ template "harbor.core.servicePort" . }}
 - path: {{ .v2_path }}
- pathType: Prefix
+ pathType: {{ .path_type }}
 backend:
 service:
 name: {{ template "harbor.core" . }}
 port:
 number: {{ template "harbor.core.servicePort" . }}
 - path: {{ .chartrepo_path }}
- pathType: Prefix
+ pathType: {{ .path_type }}
 backend:
 service:
 name: {{ template "harbor.core" . }}
 port:
 number: {{ template "harbor.core.servicePort" . }}
 - path: {{ .controller_path }}
- pathType: Prefix
+ pathType: {{ .path_type }}
 backend:
 service:
 name: {{ template "harbor.core" . }}
 port:
 number: {{ template "harbor.core.servicePort" . }}
 - path: {{ .portal_path }}
- pathType: Prefix
+ pathType: {{ .path_type }}
 backend:
 service:
 name: {{ template "harbor.portal" . }}
From 52f42c34fca17d9a6f6025371c631d0d561b1675 Mon Sep 17 00:00:00 2001
From: wang yan
Date: Wed, 16 Oct 2024 12:08:50 +0800
Subject: [PATCH 12/13] fix ci failure update versions of 1, kind & kind-action 2, actions/checkout & upload-artifacts 3, ingress-controller 4, golang 5, kubernetes
Signed-off-by: wang yan
---
 .github/workflows/integration.yaml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index c72b9431c..a88e01d74 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -9,31 +9,31 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - k8s_version: [v1.25.3, v1.24.7, v1.23.13] + k8s_version: [v1.31.1, v1.30.4, v1.29.8] steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Create kind cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.10.0 with: - version: v0.17.0 + version: v0.24.0 node_image: kindest/node:${{ matrix.k8s_version }} cluster_name: kind-cluster-${{ matrix.k8s_version }} config: test/integration/kind-cluster.yaml - name: Install Nginx ingress controller run: | - kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.0/deploy/static/provider/kind/deploy.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/kind/deploy.yaml kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s - - name: Set up Go 1.19 - uses: actions/setup-go@v2 + - name: Set up Go 1.23 + uses: actions/setup-go@v5 with: - go-version: "1.19" + go-version: "1.23" - name: Cache go mod - uses: actions/cache@v2 + uses: actions/cache@v4 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} @@ -59,7 +59,7 @@ jobs: kubectl -n default logs -l "component=$name" --all-containers > /tmp/harbor/$name.log ; \ done - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v4 if: failure() with: name: harbor_${{ matrix.k8s_version }}_${{ runner.os }} @@ -71,7 +71,7 @@ jobs: mkdir -p /tmp/logs kind export logs --name kind-cluster-${{ matrix.k8s_version }} /tmp/logs - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v4 if: failure() with: name: kind_v${{ matrix.k8s_version }} From 778849a6f68be6717fa2ffdfd50d278d7da6db6e Mon Sep 17 00:00:00 2001 
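Review bot: The bumped `uses:` references in all three hunks are still pinned to mutable tags (`helm/kind-action@v1.10.0`, `actions/checkout@v4`, `actions/setup-go@v5`, `actions/cache@v4`, `actions/upload-artifact@v4`), so the code that runs in this job can change without any diff in this repository. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: helm/kind-action@<full-commit-sha> # v1.10.0`, makes the run reproducible and turns every update into a reviewable change. The `kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/...` step has the same property: the manifest is fetched at run time and applied without a checksum check, so vendoring it under `test/integration/` or verifying a recorded digest before applying would be the safer form.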
From: Daniel Jiang Date: Thu, 17 Oct 2024 14:56:33 +0800 Subject: [PATCH 13/13] Remove chartrepo location for nginx configmap The chunk should be removed b/c it used to serve chart museum and it has been removed from Harbor Signed-off-by: Daniel Jiang --- templates/nginx/configmap-http.yaml | 15 --------------- templates/nginx/configmap-https.yaml | 17 ----------------- 2 files changed, 32 deletions(-) diff --git a/templates/nginx/configmap-http.yaml b/templates/nginx/configmap-http.yaml index 8c25ff211..93ef76e8b 100644 --- a/templates/nginx/configmap-http.yaml +++ b/templates/nginx/configmap-http.yaml @@ -90,21 +90,6 @@ data: proxy_request_buffering off; } - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_buffering off; - proxy_request_buffering off; - } - location /c/ { proxy_pass {{ $scheme }}://core/c/; proxy_set_header Host $host; diff --git a/templates/nginx/configmap-https.yaml b/templates/nginx/configmap-https.yaml index 5d625f81e..390caf216 100644 --- a/templates/nginx/configmap-https.yaml +++ b/templates/nginx/configmap-https.yaml 
@@ -113,23 +113,6 @@ data: proxy_request_buffering off; } - location /chartrepo/ { - proxy_pass {{ $scheme }}://core/chartrepo/; - {{- if and .Values.internalTLS.enabled }} - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - {{- end }} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - location /c/ { proxy_pass {{ $scheme }}://core/c/; proxy_set_header Host $host;