From 0633a0f9f70585d3a0796f051fc8f59dcc941091 Mon Sep 17 00:00:00 2001 From: Med Mouine Date: Wed, 4 Sep 2024 19:26:11 -0400 Subject: [PATCH] feat: Update Harbor Helm chart version to 1.11.4 --- .tool-versions | 15 +-- applications/harbor/helmfile.yaml | 6 +- applications/harbor/values.yaml | 188 +++++++--------------------- applications/woodpecker/values.yaml | 113 +++++++++-------- helmfile.yaml | 42 +------ 5 files changed, 117 insertions(+), 247 deletions(-) diff --git a/.tool-versions b/.tool-versions index 9134363..706d38d 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,7 +1,8 @@ -kubectl 1.26.7 -minikube 1.29.0 -helm 3.11.0 -stern 1.23.0 -yq 4.34.2 -gomplate v3.11.5 -vale 3.6.1 +kubectl 1.26.7 +helm 3.15.4 +stern 1.23.0 +yq 4.34.2 +gomplate v3.11.5 +vale 3.6.1 +helmfile 0.167.1 +helm-diff 3.9.10 diff --git a/applications/harbor/helmfile.yaml b/applications/harbor/helmfile.yaml index 2807afa..0d16f46 100644 --- a/applications/harbor/helmfile.yaml +++ b/applications/harbor/helmfile.yaml @@ -7,7 +7,7 @@ releases: - name: harbor namespace: harbor chart: harbor/harbor - version: 1.15.1 + version: 1.11.4 values: - values.yaml set: @@ -15,5 +15,5 @@ releases: value: '{{ env "HARBOR_ADMIN_PASSWORD" | default "Harbor12345" }}' - name: database.internal.password value: '{{ env "HARBOR_DB_PASSWORD" | default "changeme" }}' - - name: redis.internal.password - value: '{{ env "HARBOR_REDIS_PASSWORD" | default "changeme" }}' + - name: hostname + value: '{{ env "HARBOR_HOSTNAME" | default "hub.nationtech.io" }}' diff --git a/applications/harbor/values.yaml b/applications/harbor/values.yaml index 1bd41a8..ceb5b61 100644 --- a/applications/harbor/values.yaml +++ b/applications/harbor/values.yaml 
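Review bot: The `version:` line moves the harbor/harbor chart from 1.15.1 to 1.11.4, which is a downgrade even though the subject says "Update"; an older chart pins older Harbor component images, so any fixes shipped in the four intervening minor chart releases are no longer deployed. If the downgrade is deliberate (the new values.yaml in this commit sets `chartmuseum` and `notary` keys, which may be the reason), state that in the commit message and on the line itself, e.g. `version: 1.11.4  # pinned below 1.15 on purpose: <reason>`. The `releases:` entry continues outside the hunk.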
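Review bot: Dropping the `redis.internal.password` entry means the internal Redis password is no longer taken from `HARBOR_REDIS_PASSWORD`; the new applications/harbor/values.yaml in this same commit only sets `redis.enabled: true`, so the password falls back to the chart default, which may leave Redis unauthenticated. Keep the entry, or set the password in values.yaml from the environment the same way the admin and database passwords are. The new `hostname` entry is not, as far as I can tell, a key the Harbor chart reads directly — the chart uses `expose.ingress.hosts.core` and `externalURL` — so it has effect only if something renders it into those keys; the existing `default "Harbor12345"` / `default "changeme"` fallbacks on the surrounding lines also remain the effective values whenever the env vars are unset.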
@@ -1,152 +1,52 @@ -harborAdminPassword: "Harbor12345" -tlsSecretName: "harbor.nationtech.io-tls" - +chartVersion: 1.11.4 +chartmuseum: + enabled: true +database: + internal: + password: {{ .Values.database.internal.password }} + type: internal expose: - type: ingress + ingress: + annotations: + cert-manager.io/issuer: letsencrypt-prod + kubernetes.io/tls-acme: "true" + hosts: + core: {{ .Values.hostname }} + className: nginx tls: enabled: true certSource: secret secret: - secretName: "harbor.nationtech.io-tls" - ingress: - hosts: - core: harbor.nationtech.io - annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - className: "nginx" - ports: - httpPort: 80 - -persistence: - enabled: true - resourcePolicy: "keep" - persistentVolumeClaim: - registry: - subPath: "registry" - accessMode: ReadWriteOnce - size: 20Gi - jobservice: - jobLog: - subPath: "jobservice" - accessMode: ReadWriteOnce - size: 2Gi - database: - subPath: "db" - accessMode: ReadWriteOnce - size: 10Gi - redis: - subPath: "redis" - accessMode: ReadWriteOnce - size: 2Gi - trivy: - subPath: "trivy" - accessMode: ReadWriteOnce - size: 2Gi - imageChartStorage: - disableredirect: false - type: filesystem - filesystem: - rootdirectory: /storage - -# Enable Prometheus metrics -metrics: - enabled: true - core: - path: /metrics - port: 8001 - registry: - path: /metrics - port: 8001 - jobservice: - path: /metrics - port: 8001 - exporter: - path: /metrics - port: 8001 - serviceMonitor: - enabled: true - namespace: monitoring - additionalLabels: - release: prometheus - interval: 15s - metricRelabelings: [] - relabelings: [] - -# Disable tracing as we're not using Jaeger -trace: - enabled: false - -# Enable internal TLS -internalTLS: - enabled: true - strong_ssl_ciphers: true - certSource: "auto" - -# Use internal database for 
simplicity -database: - type: internal - internal: - password: "changeme" - -# Use internal Redis for simplicity -redis: - type: internal - internal: - password: "changeme" - -# Enable Trivy scanner -trivy: - enabled: true - image: - repository: goharbor/trivy-adapter-photon - tag: dev - replicas: 2 - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - vulnType: "os,library" - severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - ignoreUnfixed: false - insecure: false - skipUpdate: false - skipJavaDBUpdate: false - offlineScan: false - securityCheck: "vuln" - timeout: 5m0s - -# High Availability settings -portal: - replicas: 2 - -core: - replicas: 2 + secretName: {{ .Values.hostname }}-tls + type: ingress +externalURL: https://{{ .Values.hostname }} jobservice: replicas: 2 - -registry: - replicas: 2 - -chartmuseum: - replicas: 2 - -# Logging configuration -log: - level: info - local: - rotateCount: 50 - rotateSize: 200M - location: /var/log/harbor - external: - enabled: true - endpoint: http://fluentd.logging:24224 - index: harbor - type: fluentd +notary: + enabled: false +persistence: + persistentVolumeClaim: + chartmuseum: + size: 10Gi + storageClass: ceph-block + database: + size: 10Gi + storageClass: ceph-block + jobservice: + jobLog: + size: 2Gi + storageClass: ceph-block + redis: + size: 2Gi + storageClass: ceph-block + registry: + size: 10Gi + storageClass: ceph-block + trivy: + size: 5Gi + storageClass: ceph-block +redis: + enabled: true +trivy: + enabled: true diff --git a/applications/woodpecker/values.yaml b/applications/woodpecker/values.yaml index 4e4a817..6da9100 100644 --- a/applications/woodpecker/values.yaml +++ b/applications/woodpecker/values.yaml 
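Review bot: The new file uses Go-template expressions (`{{ .Values.database.internal.password }}`, `{{ .Values.hostname }}`, `{{ .Values.hostname }}-tls`) in a file named values.yaml; helmfile renders templates only in files ending in `.gotmpl`, so these appear to reach Helm verbatim, where `password: {{ .Values.database.internal.password }}` parses as a YAML flow mapping rather than a string and `secretName: {{ .Values.hostname }}-tls` is likely a parse error. Either rename the file to values.yaml.gotmpl (updating the `values:` entry in applications/harbor/helmfile.yaml) and define `hostname` and the database password as helmfile state values — `.Values` in a helmfile template is the environment/state values, not the release's `set:` entries — or drop these keys and rely on `set:`, which already supplies the database password. Separately, the rewrite removes `internalTLS.enabled: true`, the `nginx.ingress.kubernetes.io/ssl-redirect: "true"` annotation and `persistence.resourcePolicy: "keep"`, none of which the subject mentions: inter-component traffic and the HTTP-to-HTTPS redirect revert to chart defaults and the PVCs are no longer kept on uninstall. The issuer annotation also changes from `cert-manager.io/cluster-issuer` to the namespaced `cert-manager.io/issuer`, which requires an Issuer named letsencrypt-prod in the harbor namespace.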
@@ -1,62 +1,65 @@ --- -# Woodpecker server configuration -woodpecker: - server: - image: - repository: woodpeckerci/woodpecker-server - tag: v1.0.3 # Use a specific version instead of 'latest' - replicaCount: 2 # Run multiple replicas for high availability - service: - type: ClusterIP - port: 8000 - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: "letsencrypt-prod" - hosts: - - host: woodpecker.example.com - paths: - - path: / - tls: - - secretName: woodpecker-tls - hosts: - - woodpecker.example.com - env: - WOODPECKER_OPEN: "false" # Disable open registration for production - WOODPECKER_HOST: "https://woodpecker.example.com" # Use HTTPS - WOODPECKER_GITHUB: "true" - WOODPECKER_GITHUB_CLIENT: "{{ .Env.WOODPECKER_GITHUB_CLIENT }}" - WOODPECKER_GITHUB_SECRET: "{{ .Env.WOODPECKER_GITHUB_SECRET }}" - WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}" - WOODPECKER_GRPC_SECRET: "{{ .Env.WOODPECKER_GRPC_SECRET }}" - WOODPECKER_GRPC_ADDR: ":9000" - WOODPECKER_SERVER_ADDR: ":8000" - WOODPECKER_METRICS_SERVER_ADDR: ":9001" - WOODPECKER_ADMIN: "{{ .Env.WOODPECKER_ADMIN }}" - WOODPECKER_DATABASE_DRIVER: "postgres" - WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Env.POSTGRES_USER }}:{{ .Env.POSTGRES_PASSWORD }}@postgresql:5432/woodpecker?sslmode=require" - resources: - requests: - cpu: 200m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi +server: + image: + repository: woodpeckerci/woodpecker-server + tag: v2.3.0 + replicaCount: 2 + service: + type: ClusterIP + port: 8000 + ingress: + enabled: true + ingressClassName: "nginx" + annotations: + kubernetes.io/ingress.class: nginx + kubernetes.io/tls-acme: "true" + cert-manager.io/issuer: "letsencrypt-prod" + hosts: + - host: ci.nationtech.io + paths: + - path: / + tls: + - secretName: ci.nationtech.io-tls + hosts: + - ci.nationtech.io + secrets: + - name: woodpecker-secret + serviceAccount: + # -- Specifies whether a service account should be created 
+ create: true + + env: + WOODPECKER_OPEN: "false" + WOODPECKER_HOST: "https://ci.nationtech.io" + WOODPECKER_AGENT_SECRET: "woodpecker_agent_secret" + WOODPECKER_GRPC_SECRET: "woodpecker_grpc_secret" + WOODPECKER_GRPC_ADDR: ":9000" + WOODPECKER_SERVER_ADDR: ":8000" + WOODPECKER_METRICS_SERVER_ADDR: "prometheus-kube-prometheus-prometheus.monitoring.svc:9090" + # WOODPECKER_ADMIN: "woodpecker_admin" + # WOODPECKER_DATABASE_DRIVER: "postgres" + # WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker_admin:woodpecker_admin@postgresql:5432/woodpecker?sslmode=require" + resources: + requests: + cpu: 200m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi # Woodpecker agent configuration agent: image: repository: woodpeckerci/woodpecker-agent - tag: v1.0.3 # Use a specific version instead of 'latest' - replicaCount: 3 # Run multiple agents for better parallelism + tag: v2.3.0 # Use a specific version instead of 'latest' + replicaCount: 2 # Run multiple agents for better parallelism env: WOODPECKER_SERVER: "woodpecker-server:9000" - WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}" + WOODPECKER_AGENT_SECRET: "woodpecker_agent_secret" WOODPECKER_BACKEND: "kubernetes" WOODPECKER_BACKEND_K8S_NAMESPACE: "ci" - WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "20Gi" # Increased volume size - WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "managed-premium" # Use a production-grade storage class + WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "5Gi" + WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "ceph-block" WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true" WOODPECKER_BACKEND_K8S_POD_LABELS: '{"app":"woodpecker-job"}' WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: '{"prometheus.io/scrape":"true","prometheus.io/port":"9000"}' 
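Review bot: `WOODPECKER_AGENT_SECRET` and `WOODPECKER_GRPC_SECRET` are now committed as the literals `"woodpecker_agent_secret"` and `"woodpecker_grpc_secret"` instead of being read from the environment as before; the same applies to `WOODPECKER_AGENT_SECRET` on the agent side further down this hunk and to `postgresql.auth.username`/`password` in the next hunk. These secrets are what authenticate agents to the server, so a value kept in the repository should be treated as disclosed to everyone with repository access and rotated; the hunk already adds `secrets: - name: woodpecker-secret`, so the values belong in that Secret (or back in `{{ .Env.* }}` with a `.gotmpl` values file) rather than in `env:`. Also check `WOODPECKER_METRICS_SERVER_ADDR`: the previous value `":9001"` was a listen address, whereas the new value is the Prometheus service name, which reads like a scrape target — if the variable still means "address to bind", the server will try to bind to a foreign host. Finally, the forge settings (`WOODPECKER_GITHUB*`) are removed and `WOODPECKER_ADMIN` is commented out, so the server starts with no forge and no admin unless they are supplied elsewhere. The `server:` block continues outside the hunk.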
@@ -74,13 +77,13 @@ agent: # PostgreSQL configuration postgresql: enabled: true - postgresqlUsername: "{{ .Env.POSTGRES_USER }}" - postgresqlPassword: "{{ .Env.POSTGRES_PASSWORD }}" - postgresqlDatabase: "woodpecker" + auth: + username: "woodpecker_admin" + password: "woodpecker_admin" + database: "woodpecker" persistence: enabled: true - size: 20Gi - storageClass: "managed-premium" # Use a production-grade storage class + size: 5Gi resources: requests: cpu: 100m @@ -105,4 +108,4 @@ logging: enabled: true config: logLevel: info - fluentdAddress: fluentd.logging:24224 + fluentdAddress: fluentd-headless.logging.svc:24224 diff --git a/helmfile.yaml b/helmfile.yaml index e1d1a06..606f896 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -3,43 +3,9 @@ helmDefaults: atomic: true wait: true -repositories: - - name: gitea-charts - url: https://dl.gitea.io/charts/ - - name: woodpecker - url: https://woodpecker-ci.org/helm-charts - - name: harbor - url: https://helm.goharbor.io - -releases: - - name: gitea - namespace: nt - chart: gitea-charts/gitea - version: 8.3.0 - values: - - applications/gitea/values.yaml - - - name: woodpecker - namespace: ci - chart: woodpecker/woodpecker - version: 1.0.3 - values: - - applications/woodpecker/values.yaml - - - name: harbor - namespace: harbor - chart: harbor/harbor - version: 1.15.1 - values: - - applications/harbor/values.yaml - helmfiles: - - path: applications/vault/helmfile.yaml - - path: applications/logging/helmfile.yaml - - path: applications/gitea/helmfile.yaml - - path: applications/woodpecker/helmfile.yaml + # - path: applications/vault/helmfile.yaml + # - path: applications/logging/helmfile.yaml + # - path: applications/gitea/helmfile.yaml + # - path: applications/woodpecker/helmfile.yaml - path: applications/harbor/helmfile.yaml - -# Common configurations -commonConfig: - - common-config.yaml
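Review bot: The root `repositories:` block is deleted while `applications/harbor/helmfile.yaml` still references `harbor/harbor`; unless that sub-helmfile declares the `harbor` repository in its first six lines (outside the hunk shown earlier), `helmfile apply` will fail to resolve the chart. The other sub-helmfiles are commented out rather than removed, which is usually a temporary state — either delete the lines or add a comment saying why they are disabled, e.g. `# disabled until <reason>: vault, logging, gitea, woodpecker`. With woodpecker disabled here, the applications/woodpecker/values.yaml changes in this same commit are not applied through this root file, and its new `fluentdAddress` points at the `logging` stack that is now disabled as well. `commonConfig:` is also removed without a replacement mentioned in the subject.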