add harbor

Signed-off-by: gwg313 <gwg313@pm.me>

apps/harbor/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: harbor
+description: Harbor registry
+type: application
+version: 1.0.0
+appVersion: "1.10.2"
+
+dependencies:
+  - name: harbor
+    version: 1.19.0
+    repository: https://helm.goharbor.io

apps/harbor/templates/iscsi-secrets-sealed.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: harbor-iscsi-auth
+  namespace: harbor
+spec:
+  encryptedData:
+    discovery.sendtargets.auth.password: AgABfPv3gVBdRs8k9LLTBHhm2sk5lzcXxE4aXf3TI8dMMLGD4l2yI++zEZgh+k4f3abht7To1vtqOSzu1GQc08dWf/q0YgZmUJNuLS0z5vdvSn5RcM5NGMnB6y0SvXQVbSzN5cRg+oBLuwSHJPeF7k82BglOmZSxNLUL8fdNJvDj6ntr62oFaaiAD5D2UCy+ezp32yB9dD0C2F1isU4fyGgA8a0UYQvRbgurQUpq1dH5WWtS9mW7iH0oIhHOl4HUIfO6EGrinvnb2Wne+fgKWbfxwoMonNdo3uJK872OZ5qyvlg9fWMTHb+n10RuTB2z0jt8NdAfDVllnxSeNQaAzMu+cCIQejKoegWua0OC+Tx7smDkOUbkETRHrajy3mDDk88fqJ0s5uN0XmIT8F0ee9tzI070whtZkS9Ku5Gp9waj7ZA4TbawQ0AuVxVQTgGvPxL2A5eGXW6EHGb1RqY52mI0FLzcKXowSUj0PzOHgyWtfkxcyI5oDfLUNg7MxRtLLZspMm/wZi016M1JKlCQa3yGeHTNKkqDGc4oqEdkUPQyW0ItrdqtHT5Jb+9WARN9POMMxiYB15MRdkbXGPYJ1DsIDpDOZvBrKrQCr0DvDa664cXjaS9WWkV8ioSQvqoA3XkMZfmk+uSVC+rxIa/EveJgzfaUEW1O09mJvptFHKg1jMzTPF1UANLOeNQ8WNWXocqEfRaK/GPNTXb9fgUGeHmL
+    discovery.sendtargets.auth.username: AgA3mX964n6Uo1j0ZDcwHoo3aNgSTomDaqLQi3+Io0E4siQUHsYhBriAyG5yIMijR8g48FY/1x2hg9LVBtDq4C5GNIHDeiJx4B4+q2DV6o5EPSX6STfXKvRl1sv7tuJ0K5zQp0u1eaJ0pN7CGJBFPEQV0U2yslhoi+r/olY8MA+R7oyfsKeI34I1apOowovfeoijGluYNnfuWiKV23dTi+cANq/box34l+ssuCHb4P1UJJc0g5SoGCz9hYkq+9JsCN/pWmqvTp6RZICY3EeKl5Qm87ngZKTHdk0B06Xtq8oyMPIKkGbqeDViTHeGVhSp4i8u0QYRA1tiXFc+TQ13IZTcA92+NkNl4ZWoAktAmMUZhuYLh0zUlxOPHZXgNBDuZDprlQM+/wkOd8v6alOXU0aAm+hGycP7OdHf8IbE/3fb+zY2lTf87SO7keNJEaiXwOZpsbFshWBZUjlXvoF0tFoboDvn95XMkta8VTXR6BfBnStf9IhP2s8iI7DuYUwAxWd4FH/4xR8V0IOS9P/UhuswaHVtYqPn3ZI1oGVXat0EsW8uhrsiU1uOScFlKao+mhYGRhQLayaYrea30z5TcD4NdAe1/BVKTi4A4FoHhRgbpeKPuoOgn3HIRDHBfrmsrrF9htvB9DDhZ85K6wPVCKcNt9v92x6hb/uTwd/i2AZyDBAStCRgFuqVX68onI6ym41c9a5LInE=
+    node.session.auth.password: AgA7wscGesv+gwpCsrjK69M11vA8k/ewivb4p5dhbbqxj8XckNe/tPJLwWjFegv4eN0mlCy/kHwqqVDrAkjot1enOAxqUhmiodPqHmUMLnJYeShrwkQ4WJJM73/9d//gNSlKJZL+ow5XT0N/GWAnhuoFRm571OaVFFVTaxVjQTSzV0OITVynoEJoVJs4gSQP9lM0lZbDras3P1UgFcq9BsphWC8vfCsi5rXEJojoDLck/otXKlRvd3XztKoWV74bfeiH5O4MTZvjj5BBIKpr7A8mp1ILJ9E+3wlsmwY5yGEnPcuDBWyi5YcdQxWmwU782BqeUZt8fZo2ITBN3NvYDsKah8I/ItaAt2Zm6JERMNlm4aXPqbDvYHG4KupOQjkixckbSo3qQB+oKUkOyJJRulj5HNySOk4BnrNA4f9oQXAO4Q5tQZYj33UXgYittDswkEpBHqTf/VpNuQ1Nuu/1oqCdVQXELZ9tFNOGFdE3XiYGMQi4Fz0HsBQ8mZwcIMARWb7Bp454DVT6LZ3E6rv2xJQYQ9SXGnHKEd+vZZvlkie6ZBCRWc0r+n54rq0x1PQ8WCpGV9zuj9UcTdT2C2uAAScEHkjyBg/o9o4TS7XVCE5IKJqLAHpq0MwPOzog+Nsrx8oZSuy3nGlBWOR9Rm9YtzS5+xmDZLHoAaHzNTsTxCVjdZdO9K2jUBea5yQd1TX5Vqha+SOTbz/w8JoANfZW4ZAO
+    node.session.auth.username: AgBKUrioCJQXNkz5y5rKILyN7JvJ3koVUAgZ5RqekMxrvjO7I7FuCZ2yspPizHCxO+gTQgBg7nlCEZ6x34SCfhqIr+Y01YXRm81EQqYxk4wAyjwxPwK3DpFsU+ADYCAGiB7Lzxdu76cE4cZ3BMpCLKNOcPFjGWuDhUmtOtU2JT0kKKeGwGn8vEEHBca+7nwJYlqhNdYm5cBS6oH3rIc3GzM/fQyAlxS1SNu9KbxEImR2Ew19fXeEsNjGb8s2tF127Q9KG260dCm1f+wWVhwNsgfarXWCmFgmSonUa78A/huWGF/wG9QQvWbUyHSJyzyNSmtcPx1Nhu4W8M7jwSpo8NHAvnXTDwyY1UmYaUIvXisDxtcbZHtpDMbkg8LKXsM3z/N3zT9q1WSbPoKIbj2vinxrHXjzad2xQ2neqIgQrdPSv2dIwoy/alZrrFBjkaVV97HIbu7uVLnVForrzt5rAPmcY/Q1nX27bfNQ8UrshZvHxKmv4vymbVu2GoyOkb5ziVpxmvdKK66A1zUMZGEEMLqfcEhpZAgn1zMaIsiWOS2HZ90D9kg7RlK5djHzpCSYtGwKr8y7Nta87SYpTk5lxcRRu6S94+47z1O+rxGwWLQ3mcShh5tJljqSiJ7Z8a2QVaQzn24uobUpva3YcXRnktlO/VLkPcu2Pgbb1ZWJDEWzlW7IEc8qOBCyOoZUTNzwQNjtM0JShR4=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: harbor-iscsi-auth
+      namespace: harbor
+    type: kubernetes.io/iscsi-chap

apps/harbor/templates/network-policies.yaml

@@ -0,0 +1,37 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: harbor-intra-namespace-allow
+  namespace: harbor
+spec:
+  description: "Allow all internal Harbor microservices to talk to each other cleanly"
+  endpointSelector:
+    matchLabels:
+      app: harbor
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: harbor
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: harbor
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: harbor
+spec:
+  description: "Allow external traffic from the shared Cilium edge proxy into the harbor namespace services"
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - ingress
+      toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "8080"
+              protocol: TCP

apps/harbor/templates/pvcs.yaml

@@ -0,0 +1,74 @@
+# Harbor: Registry
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-registry
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: harbor-iscsi
+  volumeName: harbor-registry-pv
+  resources:
+    requests:
+      storage: 200Gi
+---
+# Harbor: Jobservice
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-jobservice
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: harbor-iscsi
+  volumeName: harbor-jobservice-pv
+  resources:
+    requests:
+      storage: 10Gi
+---
+# Harbor: Database
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-database
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: harbor-iscsi
+  volumeName: harbor-database-pv
+  resources:
+    requests:
+      storage: 10Gi
+---
+# Harbor: Redis
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-redis
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: harbor-iscsi
+  volumeName: harbor-redis-pv
+  resources:
+    requests:
+      storage: 10Gi
+---
+# Harbor: Trivy
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-trivy
+  namespace: harbor
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: harbor-iscsi
+  volumeName: harbor-trivy-pv
+  resources:
+    requests:
+      storage: 10Gi

apps/harbor/templates/pvs.yaml

@@ -0,0 +1,131 @@
+# Harbor: Registry
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-registry-pv
+spec:
+  capacity:
+    storage: 200Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: harbor-iscsi
+  # --- PRE-BINDING LOCK ---
+  claimRef:
+    namespace: harbor
+    name: harbor-registry
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz
+    iqn: iqn.2005-10.org.freenas.ctl:harbor-registry
+    lun: 1
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: harbor-iscsi-auth
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-jobservice-pv
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: harbor-iscsi
+  claimRef:
+    namespace: harbor
+    name: harbor-jobservice
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz
+    iqn: iqn.2005-10.org.freenas.ctl:harbor-jobservice
+    lun: 0
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: harbor-iscsi-auth
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-database-pv
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: harbor-iscsi
+  claimRef:
+    namespace: harbor
+    name: harbor-database
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz
+    iqn: iqn.2005-10.org.freenas.ctl:harbor-database
+    lun: 2
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: harbor-iscsi-auth
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-redis-pv
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: harbor-iscsi
+  claimRef:
+    namespace: harbor
+    name: harbor-redis
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz
+    iqn: iqn.2005-10.org.freenas.ctl:harbor-redis
+    lun: 3
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: harbor-iscsi-auth
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-trivy-pv
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: harbor-iscsi
+  claimRef:
+    namespace: harbor
+    name: harbor-trivy
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz
+    iqn: iqn.2005-10.org.freenas.ctl:harbor-trivy
+    lun: 4
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: harbor-iscsi-auth

apps/harbor/templates/route.yaml

@@ -0,0 +1,38 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: harbor
+  namespace: harbor
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: shared-edge-gateway
+      namespace: cilium-ingress
+  hostnames:
+    - registry.gwg313.xyz
+    - registry.local.gwg313.xyz
+    - registry.zerotier.gwg313.xyz
+  rules:
+    - matches:
+        - path: { type: PathPrefix, value: "/api/" }
+        - path: { type: PathPrefix, value: "/service/" }
+        - path: { type: PathPrefix, value: "/chartrepo" }
+        - path: { type: PathPrefix, value: "/c/" }
+        - path: { type: PathPrefix, value: "/v1/" }
+        - path: { type: PathPrefix, value: "/v2/" }
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: harbor-core
+          port: 80
+          weight: 1
+
+    - matches:
+        - path: { type: PathPrefix, value: "/" }
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: harbor-portal
+          port: 80
+          weight: 1

apps/harbor/values.yaml

@@ -0,0 +1,111 @@
+harbor:
+  externalURL: https://registry.gwg313.xyz
+  
+  nginx:
+    replicas: 0
+    resources:
+      requests:
+        cpu: 10m
+        memory: 16Mi
+      limits:
+        cpu: 50m
+        memory: 32Mi
+
+  portal:
+    resources:
+      requests:
+        cpu: 50m
+        memory: 64Mi
+      limits:
+        cpu: 200m
+        memory: 128Mi
+
+  core:
+    updateStrategy:
+      type: Recreate
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+
+  jobservice:
+    updateStrategy:
+      type: Recreate
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 256Mi
+
+  registry:
+    updateStrategy:
+      type: Recreate
+    registry:
+      resources:
+        requests:
+          cpu: 100m
+          memory: 256Mi
+        limits:
+          cpu: 1000m
+          memory: 1Gi
+    controller:
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+        limits:
+          cpu: 200m
+          memory: 128Mi
+
+  trivy:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 512Mi
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+
+  database:
+    internal:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 256Mi
+        limits:
+          cpu: 500m
+          memory: 512Mi
+
+  redis:
+    internal:
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+        limits:
+          cpu: 200m
+          memory: 128Mi
+
+  persistence:
+    enabled: true
+    persistentVolumeClaim:
+      registry:
+        existingClaim: harbor-registry
+      jobservice:
+        existingClaim: harbor-jobservice
+      trivy:
+        existingClaim: harbor-trivy
+      database:
+        existingClaim: harbor-database
+      redis:
+        existingClaim: harbor-redis
+      core:
+        existingClaim: harbor-core
+
+  ingress:
+    enabled: false