

No commits in common. "harbor" and "main" have entirely different histories.
harbor ... main

6 changed files with 295 additions and 109 deletions


@ -1,8 +1,7 @@
kubectl 1.26.7 kubectl 1.26.7
helm 3.15.4 minikube 1.29.0
stern 1.23.0 helm 3.11.0
yq 4.34.2 stern 1.23.0
gomplate v3.11.5 yq 4.34.2
vale 3.6.1 gomplate v3.11.5
helmfile 0.167.1 vale 3.6.1
helm-diff 3.9.10


@ -7,7 +7,7 @@ releases:
- name: harbor - name: harbor
namespace: harbor namespace: harbor
chart: harbor/harbor chart: harbor/harbor
version: 1.11.4 version: 1.15.1
values: values:
- values.yaml - values.yaml
set: set:
@ -15,5 +15,5 @@ releases:
value: '{{ env "HARBOR_ADMIN_PASSWORD" | default "Harbor12345" }}' value: '{{ env "HARBOR_ADMIN_PASSWORD" | default "Harbor12345" }}'
- name: database.internal.password - name: database.internal.password
value: '{{ env "HARBOR_DB_PASSWORD" | default "changeme" }}' value: '{{ env "HARBOR_DB_PASSWORD" | default "changeme" }}'
- name: hostname - name: redis.internal.password
value: '{{ env "HARBOR_HOSTNAME" | default "hub.nationtech.io" }}' value: '{{ env "HARBOR_REDIS_PASSWORD" | default "changeme" }}'
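Review bot: Every credential in the `set:` list falls back to a well-known value (`Harbor12345`, `changeme`) when its environment variable is unset, so a sync run from a shell that forgot to export `HARBOR_ADMIN_PASSWORD` silently ships Harbor behind a public ingress with the documented default admin password. Replace `default` with `requiredEnv` so helmfile aborts instead, e.g. `value: '{{ requiredEnv "HARBOR_ADMIN_PASSWORD" }}'`, and the same for `HARBOR_DB_PASSWORD` and the new `HARBOR_REDIS_PASSWORD`. Dropping the `hostname` entry also means the hostname and TLS secret name now have to be hard-coded in the values file, which this compare shows is what happened. The release definition starts above the hunk.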


@ -1,52 +1,152 @@
chartVersion: 1.11.4 harborAdminPassword: "Harbor12345"
chartmuseum: tlsSecretName: "harbor.nationtech.io-tls"
enabled: true
database:
internal:
password: {{ .Values.database.internal.password }}
type: internal
expose: expose:
ingress: type: ingress
annotations:
cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/tls-acme: "true"
hosts:
core: {{ .Values.hostname }}
className: nginx
tls: tls:
enabled: true enabled: true
certSource: secret certSource: secret
secret: secret:
secretName: {{ .Values.hostname }}-tls secretName: "harbor.nationtech.io-tls"
type: ingress ingress:
externalURL: https://{{ .Values.hostname }} hosts:
core: harbor.nationtech.io
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
className: "nginx"
ports:
httpPort: 80
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
subPath: "registry"
accessMode: ReadWriteOnce
size: 20Gi
jobservice:
jobLog:
subPath: "jobservice"
accessMode: ReadWriteOnce
size: 2Gi
database:
subPath: "db"
accessMode: ReadWriteOnce
size: 10Gi
redis:
subPath: "redis"
accessMode: ReadWriteOnce
size: 2Gi
trivy:
subPath: "trivy"
accessMode: ReadWriteOnce
size: 2Gi
imageChartStorage:
disableredirect: false
type: filesystem
filesystem:
rootdirectory: /storage
# Enable Prometheus metrics
metrics:
enabled: true
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
jobservice:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: prometheus
interval: 15s
metricRelabelings: []
relabelings: []
# Disable tracing as we're not using Jaeger
trace:
enabled: false
# Enable internal TLS
internalTLS:
enabled: true
strong_ssl_ciphers: true
certSource: "auto"
# Use internal database for simplicity
database:
type: internal
internal:
password: "changeme"
# Use internal Redis for simplicity
redis:
type: internal
internal:
password: "changeme"
# Enable Trivy scanner
trivy:
enabled: true
image:
repository: goharbor/trivy-adapter-photon
tag: dev
replicas: 2
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
vulnType: "os,library"
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
ignoreUnfixed: false
insecure: false
skipUpdate: false
skipJavaDBUpdate: false
offlineScan: false
securityCheck: "vuln"
timeout: 5m0s
# High Availability settings
portal:
replicas: 2
core:
replicas: 2
jobservice: jobservice:
replicas: 2 replicas: 2
notary:
enabled: false registry:
persistence: replicas: 2
persistentVolumeClaim:
chartmuseum: chartmuseum:
size: 10Gi replicas: 2
storageClass: ceph-block
database: # Logging configuration
size: 10Gi log:
storageClass: ceph-block level: info
jobservice: local:
jobLog: rotateCount: 50
size: 2Gi rotateSize: 200M
storageClass: ceph-block location: /var/log/harbor
redis: external:
size: 2Gi enabled: true
storageClass: ceph-block endpoint: http://fluentd.logging:24224
registry: index: harbor
size: 10Gi type: fluentd
storageClass: ceph-block
trivy:
size: 5Gi
storageClass: ceph-block
redis:
enabled: true
trivy:
enabled: true

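Review bot: `harborAdminPassword: "Harbor12345"`, `database.internal.password: "changeme"` and `redis.internal.password: "changeme"` commit default credentials to the repository; even though the helmfile `set:` entries override them at sync time, anyone applying this values file with plain `helm install` gets the defaults, and the file now documents the fallback. Remove the three keys (a comment such as `# admin/db/redis passwords are supplied via HARBOR_*_PASSWORD in helmfile.yaml` in their place is enough) so the environment is the only source. The Trivy override `tag: dev` pins the vulnerability scanner to a floating development tag, which defeats the `version: 1.15.1` chart pin and makes scan results unreproducible; delete the `image:` block and let the chart's bundled `trivy-adapter-photon` version apply. I cannot find a `log.external` key in the harbor chart's values schema, so the fluentd shipping configured under `log:` may be silently ignored — verify against the chart's values.yaml before relying on it.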

@ -1,12 +1,12 @@
--- ---
repositories: repositories:
- name: woodpecker - name: woodpecker
url: https://woodpecker-ci.org/ url: https://woodpecker-ci.org/helm-charts
releases: releases:
- name: woodpecker - name: woodpecker
namespace: woodpecker namespace: ci
chart: woodpecker/woodpecker chart: woodpecker/woodpecker
version: 1.5.1 version: 1.0.3
values: values:
- values.yaml - values.yaml


@ -1,55 +1,108 @@
--- ---
server: # Woodpecker server configuration
host: "ci.nationtech.io" woodpecker:
ingress: server:
enabled: true image:
annotations: repository: woodpeckerci/woodpecker-server
kubernetes.io/ingress.class: nginx tag: v1.0.3 # Use a specific version instead of 'latest'
cert-manager.io/issuer: letsencrypt-prod replicaCount: 2 # Run multiple replicas for high availability
kubernetes.io/tls-acme: "true" service:
hosts: type: ClusterIP
- host: "ci.nationtech.io" port: 8000
paths: ingress:
- path: "/" enabled: true
pathType: Prefix annotations:
backend: kubernetes.io/ingress.class: nginx
service: cert-manager.io/cluster-issuer: "letsencrypt-prod"
name: woodpecker-server hosts:
port: - host: woodpecker.example.com
number: 80 paths:
tls: - path: /
- secretName: "ci.nationtech.io-tls" tls:
hosts: - secretName: woodpecker-tls
- "ci.nationtech.io" hosts:
env: - woodpecker.example.com
WOODPECKER_OPEN: "true" env:
WOODPECKER_ADMIN: "woodpecker,admin,ci,nationtech,med" WOODPECKER_OPEN: "false" # Disable open registration for production
WOODPECKER_HOST: "https://ci.nationtech.io" WOODPECKER_HOST: "https://woodpecker.example.com" # Use HTTPS
WOODPECKER_AGENT_SECRET: "woodpecker-secret" WOODPECKER_GITHUB: "true"
WOODPECKER_GRPC_ADDR: ":9000" WOODPECKER_GITHUB_CLIENT: "{{ .Env.WOODPECKER_GITHUB_CLIENT }}"
WOODPECKER_GITEA: "true" WOODPECKER_GITHUB_SECRET: "{{ .Env.WOODPECKER_GITHUB_SECRET }}"
WOODPECKER_GITEA_URL: "https://git.nationtech.io" WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
WOODPECKER_GITEA_CLIENT: "2a17849f-7747-44b9-a0d4-c79bc4aeff3d" WOODPECKER_GRPC_SECRET: "{{ .Env.WOODPECKER_GRPC_SECRET }}"
WOODPECKER_GITEA_SECRET: "gto_5zpyckcvuawq6l2zaja4mt3mptigpyc5o7nibmbd76jd2e5tu3fa" WOODPECKER_GRPC_ADDR: ":9000"
WOODPECKER_SERVER_ADDR: ":8000"
WOODPECKER_METRICS_SERVER_ADDR: ":9001"
WOODPECKER_ADMIN: "{{ .Env.WOODPECKER_ADMIN }}"
WOODPECKER_DATABASE_DRIVER: "postgres"
WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Env.POSTGRES_USER }}:{{ .Env.POSTGRES_PASSWORD }}@postgresql:5432/woodpecker?sslmode=require"
resources:
requests:
cpu: 200m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Woodpecker agent configuration
agent: agent:
replicaCount: 2 image:
repository: woodpeckerci/woodpecker-agent
tag: v1.0.3 # Use a specific version instead of 'latest'
replicaCount: 3 # Run multiple agents for better parallelism
env: env:
WOODPECKER_SERVER: "woodpecker-server:9000" WOODPECKER_SERVER: "woodpecker-server:9000"
WOODPECKER_AGENT_SECRET: "woodpecker-secret" WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
WOODPECKER_MAX_PROCS: "2"
WOODPECKER_BACKEND: "kubernetes" WOODPECKER_BACKEND: "kubernetes"
WOODPECKER_BACKEND_K8S_NAMESPACE: "woodpecker" WOODPECKER_BACKEND_K8S_NAMESPACE: "ci"
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "ceph-block" WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "20Gi" # Increased volume size
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "10Gi" WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "managed-premium" # Use a production-grade storage class
WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true" WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"
WOODPECKER_BACKEND_K8S_POD_LABELS: '{"app.kubernetes.io/name":"agent"}' WOODPECKER_BACKEND_K8S_POD_LABELS: '{"app":"woodpecker-job"}'
WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: "" WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: '{"prometheus.io/scrape":"true","prometheus.io/port":"9000"}'
WOODPECKER_CONNECT_RETRY_COUNT: "3" WOODPECKER_BACKEND_K8S_POD_NODE_SELECTOR: '{"kubernetes.io/os":"linux"}'
WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES: "" WOODPECKER_BACKEND_K8S_SECCTX_NONROOT: "true"
WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES: "woodpecker-pull-secret"
resources:
requests:
cpu: 200m
memory: 256Mi
limits:
cpu: 1
memory: 1Gi
image: # PostgreSQL configuration
registry: docker.io postgresql:
repository: woodpeckerci/woodpecker-agent enabled: true
pullPolicy: IfNotPresent postgresqlUsername: "{{ .Env.POSTGRES_USER }}"
tag: "latest" postgresqlPassword: "{{ .Env.POSTGRES_PASSWORD }}"
postgresqlDatabase: "woodpecker"
persistence:
enabled: true
size: 20Gi
storageClass: "managed-premium" # Use a production-grade storage class
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
# Prometheus integration
metrics:
serviceMonitor:
enabled: true
namespace: monitoring
interval: 15s
scrapeTimeout: 14s
selector:
release: prometheus
# Logging integration
logging:
fluentd:
enabled: true
config:
logLevel: info
fluentdAddress: fluentd.logging:24224

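Review bot: The `{{ .Env.WOODPECKER_AGENT_SECRET }}`, `{{ .Env.WOODPECKER_GRPC_SECRET }}` and GitHub client/secret values are only substituted if something renders this file as a template before Helm reads it; helmfile templates only values files named `*.gotmpl`, the woodpecker helmfile references a plain `values.yaml`, and `.Env` is gomplate syntax rather than helmfile's `env`/`requiredEnv`, so unless a gomplate pre-render step exists that is not visible here, the server and every agent would share the literal string `{{ .Env.WOODPECKER_AGENT_SECRET }}` as the agent secret — a public, guessable value that lets anything reaching gRPC `:9000` register as a build agent. Either rename the file to `values.yaml.gotmpl` and use `{{ requiredEnv "WOODPECKER_AGENT_SECRET" }}` (same for the GRPC, GitHub and Postgres values), or better, load these from a pre-created Kubernetes Secret via the chart's `extraSecretNamesForEnvFrom` list if this chart version supports it, so the secret never passes through rendered values. The other side of this compare carries a live Gitea OAuth client secret (`gto_…`) and a static agent secret in plaintext; they are in git history now and should be rotated whichever branch wins. `WOODPECKER_DATABASE_DATASOURCE` requests `sslmode=require` against the bundled `postgresql` chart, which does not serve TLS unless its `tls` settings are enabled — confirm that, or the server will fail to connect at startup.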

@ -3,9 +3,43 @@ helmDefaults:
atomic: true atomic: true
wait: true wait: true
repositories:
- name: gitea-charts
url: https://dl.gitea.io/charts/
- name: woodpecker
url: https://woodpecker-ci.org/helm-charts
- name: harbor
url: https://helm.goharbor.io
releases:
- name: gitea
namespace: nt
chart: gitea-charts/gitea
version: 8.3.0
values:
- applications/gitea/values.yaml
- name: woodpecker
namespace: ci
chart: woodpecker/woodpecker
version: 1.0.3
values:
- applications/woodpecker/values.yaml
- name: harbor
namespace: harbor
chart: harbor/harbor
version: 1.15.1
values:
- applications/harbor/values.yaml
helmfiles: helmfiles:
# - path: applications/vault/helmfile.yaml - path: applications/vault/helmfile.yaml
# - path: applications/logging/helmfile.yaml - path: applications/logging/helmfile.yaml
# - path: applications/gitea/helmfile.yaml - path: applications/gitea/helmfile.yaml
- path: applications/woodpecker/helmfile.yaml - path: applications/woodpecker/helmfile.yaml
# - path: applications/harbor/helmfile.yaml - path: applications/harbor/helmfile.yaml
# Common configurations
commonConfig:
- common-config.yaml
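Review bot: The gitea, woodpecker and harbor releases are now defined twice — once in the new top-level `releases:` list and again through the uncommented `helmfiles:` entries for `applications/gitea|woodpecker|harbor/helmfile.yaml`, which (per the woodpecker and harbor sub-helmfiles shown in this compare) declare releases with the same names and namespaces. helmfile will either reject the duplicate or run two syncs of the same release with different values paths (`applications/harbor/values.yaml` here versus the sub-helmfile's relative `values.yaml`), so keep exactly one owner; dropping the inline `repositories:`/`releases:` block and letting the sub-helmfiles own their releases is the smaller change. `commonConfig:` is not a key in the helmfile state-file schema as far as I know; if `common-config.yaml` is meant to feed every release it has to be listed under each release's `values:` (or an `environments:` values entry), otherwise it is silently ignored. The `helmDefaults:` block starts above the hunk.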