med/cluster-management
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

harbor + woodpecker #1

Open
med wants to merge 2 commits from harbor into main
pull from: harbor
merge into: med:main
Conversation 0 Commits 2 Files Changed 6 +117 -247
5 changed files with 117 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 0633a0f9f7 - Show all commits

5
.tool-versions
View File

@ -1,7 +1,8 @@
kubectl 1.26.7
minikube 1.29.0
helm 3.11.0
helm 3.15.4
stern 1.23.0
yq 4.34.2
gomplate v3.11.5
vale 3.6.1
helmfile 0.167.1
helm-diff 3.9.10

6
applications/harbor/helmfile.yaml
View File

@ -7,7 +7,7 @@ releases:
- name: harbor
namespace: harbor
chart: harbor/harbor
version: 1.15.1
version: 1.11.4
values:
- values.yaml
set:
@ -15,5 +15,5 @@ releases:
value: '{{ env "HARBOR_ADMIN_PASSWORD" | default "Harbor12345" }}'
- name: database.internal.password
value: '{{ env "HARBOR_DB_PASSWORD" | default "changeme" }}'
- name: redis.internal.password
value: '{{ env "HARBOR_REDIS_PASSWORD" | default "changeme" }}'
- name: hostname
value: '{{ env "HARBOR_HOSTNAME" | default "hub.nationtech.io" }}'

186
applications/harbor/values.yaml
View File

@ -1,152 +1,52 @@
harborAdminPassword: "Harbor12345"
tlsSecretName: "harbor.nationtech.io-tls"
chartVersion: 1.11.4
chartmuseum:
enabled: true
database:
internal:
password: {{ .Values.database.internal.password }}
type: internal
expose:
type: ingress
ingress:
annotations:
cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/tls-acme: "true"
hosts:
core: {{ .Values.hostname }}
className: nginx
tls:
enabled: true
certSource: secret
secret:
secretName: "harbor.nationtech.io-tls"
ingress:
hosts:
core: harbor.nationtech.io
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
className: "nginx"
ports:
httpPort: 80
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
subPath: "registry"
accessMode: ReadWriteOnce
size: 20Gi
jobservice:
jobLog:
subPath: "jobservice"
accessMode: ReadWriteOnce
size: 2Gi
database:
subPath: "db"
accessMode: ReadWriteOnce
size: 10Gi
redis:
subPath: "redis"
accessMode: ReadWriteOnce
size: 2Gi
trivy:
subPath: "trivy"
accessMode: ReadWriteOnce
size: 2Gi
imageChartStorage:
disableredirect: false
type: filesystem
filesystem:
rootdirectory: /storage
# Enable Prometheus metrics
metrics:
enabled: true
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
jobservice:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: prometheus
interval: 15s
metricRelabelings: []
relabelings: []
# Disable tracing as we're not using Jaeger
trace:
enabled: false
# Enable internal TLS
internalTLS:
enabled: true
strong_ssl_ciphers: true
certSource: "auto"
# Use internal database for simplicity
database:
type: internal
internal:
password: "changeme"
# Use internal Redis for simplicity
redis:
type: internal
internal:
password: "changeme"
# Enable Trivy scanner
trivy:
enabled: true
image:
repository: goharbor/trivy-adapter-photon
tag: dev
replicas: 2
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
vulnType: "os,library"
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
ignoreUnfixed: false
insecure: false
skipUpdate: false
skipJavaDBUpdate: false
offlineScan: false
securityCheck: "vuln"
timeout: 5m0s
# High Availability settings
portal:
replicas: 2
core:
replicas: 2
secretName: {{ .Values.hostname }}-tls
type: ingress
externalURL: https://{{ .Values.hostname }}
jobservice:
replicas: 2
registry:
replicas: 2
chartmuseum:
replicas: 2
# Logging configuration
log:
level: info
local:
rotateCount: 50
rotateSize: 200M
location: /var/log/harbor
external:
notary:
enabled: false
persistence:
persistentVolumeClaim:
chartmuseum:
size: 10Gi
storageClass: ceph-block
database:
size: 10Gi
storageClass: ceph-block
jobservice:
jobLog:
size: 2Gi
storageClass: ceph-block
redis:
size: 2Gi
storageClass: ceph-block
registry:
size: 10Gi
storageClass: ceph-block
trivy:
size: 5Gi
storageClass: ceph-block
redis:
enabled: true
trivy:
enabled: true
endpoint: http://fluentd.logging:24224
index: harbor
type: fluentd

65
applications/woodpecker/values.yaml
View File

@ -1,41 +1,44 @@
---
# Woodpecker server configuration
woodpecker:
server:
server:
image:
repository: woodpeckerci/woodpecker-server
tag: v1.0.3 # Use a specific version instead of 'latest'
replicaCount: 2 # Run multiple replicas for high availability
tag: v2.3.0
replicaCount: 2
service:
type: ClusterIP
port: 8000
ingress:
enabled: true
ingressClassName: "nginx"
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
kubernetes.io/tls-acme: "true"
cert-manager.io/issuer: "letsencrypt-prod"
hosts:
- host: woodpecker.example.com
- host: ci.nationtech.io
paths:
- path: /
tls:
- secretName: woodpecker-tls
- secretName: ci.nationtech.io-tls
hosts:
- woodpecker.example.com
- ci.nationtech.io
secrets:
- name: woodpecker-secret
serviceAccount:
# -- Specifies whether a service account should be created
create: true
env:
WOODPECKER_OPEN: "false" # Disable open registration for production
WOODPECKER_HOST: "https://woodpecker.example.com" # Use HTTPS
WOODPECKER_GITHUB: "true"
WOODPECKER_GITHUB_CLIENT: "{{ .Env.WOODPECKER_GITHUB_CLIENT }}"
WOODPECKER_GITHUB_SECRET: "{{ .Env.WOODPECKER_GITHUB_SECRET }}"
WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
WOODPECKER_GRPC_SECRET: "{{ .Env.WOODPECKER_GRPC_SECRET }}"
WOODPECKER_OPEN: "false"
WOODPECKER_HOST: "https://ci.nationtech.io"
WOODPECKER_AGENT_SECRET: "woodpecker_agent_secret"
WOODPECKER_GRPC_SECRET: "woodpecker_grpc_secret"
WOODPECKER_GRPC_ADDR: ":9000"
WOODPECKER_SERVER_ADDR: ":8000"
WOODPECKER_METRICS_SERVER_ADDR: ":9001"
WOODPECKER_ADMIN: "{{ .Env.WOODPECKER_ADMIN }}"
WOODPECKER_DATABASE_DRIVER: "postgres"
WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Env.POSTGRES_USER }}:{{ .Env.POSTGRES_PASSWORD }}@postgresql:5432/woodpecker?sslmode=require"
WOODPECKER_METRICS_SERVER_ADDR: "prometheus-kube-prometheus-prometheus.monitoring.svc:9090"
# WOODPECKER_ADMIN: "woodpecker_admin"
# WOODPECKER_DATABASE_DRIVER: "postgres"
# WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker_admin:woodpecker_admin@postgresql:5432/woodpecker?sslmode=require"
resources:
requests:
cpu: 200m
@ -48,15 +51,15 @@ woodpecker:
agent:
image:
repository: woodpeckerci/woodpecker-agent
tag: v1.0.3 # Use a specific version instead of 'latest'
replicaCount: 3 # Run multiple agents for better parallelism
tag: v2.3.0 # Use a specific version instead of 'latest'
replicaCount: 2 # Run multiple agents for better parallelism
env:
WOODPECKER_SERVER: "woodpecker-server:9000"
WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
WOODPECKER_AGENT_SECRET: "woodpecker_agent_secret"
WOODPECKER_BACKEND: "kubernetes"
WOODPECKER_BACKEND_K8S_NAMESPACE: "ci"
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "20Gi" # Increased volume size
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "managed-premium" # Use a production-grade storage class
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "5Gi"
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "ceph-block"
WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"
WOODPECKER_BACKEND_K8S_POD_LABELS: '{"app":"woodpecker-job"}'
WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: '{"prometheus.io/scrape":"true","prometheus.io/port":"9000"}'
@ -74,13 +77,13 @@ agent:
# PostgreSQL configuration
postgresql:
enabled: true
postgresqlUsername: "{{ .Env.POSTGRES_USER }}"
postgresqlPassword: "{{ .Env.POSTGRES_PASSWORD }}"
postgresqlDatabase: "woodpecker"
auth:
username: "woodpecker_admin"
password: "woodpecker_admin"
database: "woodpecker"
persistence:
enabled: true
size: 20Gi
storageClass: "managed-premium" # Use a production-grade storage class
size: 5Gi
resources:
requests:
cpu: 100m
@ -105,4 +108,4 @@ logging:
enabled: true
config:
logLevel: info
fluentdAddress: fluentd.logging:24224
fluentdAddress: fluentd-headless.logging.svc:24224

42
helmfile.yaml
View File

@ -3,43 +3,9 @@ helmDefaults:
atomic: true
wait: true
repositories:
- name: gitea-charts
url: https://dl.gitea.io/charts/
- name: woodpecker
url: https://woodpecker-ci.org/helm-charts
- name: harbor
url: https://helm.goharbor.io
releases:
- name: gitea
namespace: nt
chart: gitea-charts/gitea
version: 8.3.0
values:
- applications/gitea/values.yaml
- name: woodpecker
namespace: ci
chart: woodpecker/woodpecker
version: 1.0.3
values:
- applications/woodpecker/values.yaml
- name: harbor
namespace: harbor
chart: harbor/harbor
version: 1.15.1
values:
- applications/harbor/values.yaml
helmfiles:
- path: applications/vault/helmfile.yaml
- path: applications/logging/helmfile.yaml
- path: applications/gitea/helmfile.yaml
- path: applications/woodpecker/helmfile.yaml
# - path: applications/vault/helmfile.yaml
# - path: applications/logging/helmfile.yaml
# - path: applications/gitea/helmfile.yaml
# - path: applications/woodpecker/helmfile.yaml
- path: applications/harbor/helmfile.yaml
# Common configurations
commonConfig:
- common-config.yaml