harbor + woodpecker #1
@ -1,7 +1,8 @@
|
|||||||
kubectl 1.26.7
|
kubectl 1.26.7
|
||||||
minikube 1.29.0
|
helm 3.15.4
|
||||||
helm 3.11.0
|
|
||||||
stern 1.23.0
|
stern 1.23.0
|
||||||
yq 4.34.2
|
yq 4.34.2
|
||||||
gomplate v3.11.5
|
gomplate v3.11.5
|
||||||
vale 3.6.1
|
vale 3.6.1
|
||||||
|
helmfile 0.167.1
|
||||||
|
helm-diff 3.9.10
|
||||||
|
|||||||
@ -7,7 +7,7 @@ releases:
|
|||||||
- name: harbor
|
- name: harbor
|
||||||
namespace: harbor
|
namespace: harbor
|
||||||
chart: harbor/harbor
|
chart: harbor/harbor
|
||||||
version: 1.15.1
|
version: 1.11.4
|
||||||
values:
|
values:
|
||||||
- values.yaml
|
- values.yaml
|
||||||
set:
|
set:
|
||||||
@ -15,5 +15,5 @@ releases:
|
|||||||
value: '{{ env "HARBOR_ADMIN_PASSWORD" | default "Harbor12345" }}'
|
value: '{{ env "HARBOR_ADMIN_PASSWORD" | default "Harbor12345" }}'
|
||||||
- name: database.internal.password
|
- name: database.internal.password
|
||||||
value: '{{ env "HARBOR_DB_PASSWORD" | default "changeme" }}'
|
value: '{{ env "HARBOR_DB_PASSWORD" | default "changeme" }}'
|
||||||
- name: redis.internal.password
|
- name: hostname
|
||||||
value: '{{ env "HARBOR_REDIS_PASSWORD" | default "changeme" }}'
|
value: '{{ env "HARBOR_HOSTNAME" | default "hub.nationtech.io" }}'
|
||||||
|
|||||||
@ -1,152 +1,52 @@
|
|||||||
harborAdminPassword: "Harbor12345"
|
chartVersion: 1.11.4
|
||||||
tlsSecretName: "harbor.nationtech.io-tls"
|
chartmuseum:
|
||||||
|
enabled: true
|
||||||
|
database:
|
||||||
|
internal:
|
||||||
|
password: {{ .Values.database.internal.password }}
|
||||||
|
type: internal
|
||||||
expose:
|
expose:
|
||||||
type: ingress
|
ingress:
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/issuer: letsencrypt-prod
|
||||||
|
kubernetes.io/tls-acme: "true"
|
||||||
|
hosts:
|
||||||
|
core: {{ .Values.hostname }}
|
||||||
|
className: nginx
|
||||||
tls:
|
tls:
|
||||||
enabled: true
|
enabled: true
|
||||||
certSource: secret
|
certSource: secret
|
||||||
secret:
|
secret:
|
||||||
secretName: "harbor.nationtech.io-tls"
|
secretName: {{ .Values.hostname }}-tls
|
||||||
ingress:
|
type: ingress
|
||||||
hosts:
|
externalURL: https://{{ .Values.hostname }}
|
||||||
core: harbor.nationtech.io
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/ingress.class: nginx
|
|
||||||
kubernetes.io/tls-acme: "true"
|
|
||||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
|
||||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
||||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
|
||||||
className: "nginx"
|
|
||||||
ports:
|
|
||||||
httpPort: 80
|
|
||||||
|
|
||||||
persistence:
|
|
||||||
enabled: true
|
|
||||||
resourcePolicy: "keep"
|
|
||||||
persistentVolumeClaim:
|
|
||||||
registry:
|
|
||||||
subPath: "registry"
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 20Gi
|
|
||||||
jobservice:
|
|
||||||
jobLog:
|
|
||||||
subPath: "jobservice"
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 2Gi
|
|
||||||
database:
|
|
||||||
subPath: "db"
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 10Gi
|
|
||||||
redis:
|
|
||||||
subPath: "redis"
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 2Gi
|
|
||||||
trivy:
|
|
||||||
subPath: "trivy"
|
|
||||||
accessMode: ReadWriteOnce
|
|
||||||
size: 2Gi
|
|
||||||
imageChartStorage:
|
|
||||||
disableredirect: false
|
|
||||||
type: filesystem
|
|
||||||
filesystem:
|
|
||||||
rootdirectory: /storage
|
|
||||||
|
|
||||||
# Enable Prometheus metrics
|
|
||||||
metrics:
|
|
||||||
enabled: true
|
|
||||||
core:
|
|
||||||
path: /metrics
|
|
||||||
port: 8001
|
|
||||||
registry:
|
|
||||||
path: /metrics
|
|
||||||
port: 8001
|
|
||||||
jobservice:
|
|
||||||
path: /metrics
|
|
||||||
port: 8001
|
|
||||||
exporter:
|
|
||||||
path: /metrics
|
|
||||||
port: 8001
|
|
||||||
serviceMonitor:
|
|
||||||
enabled: true
|
|
||||||
namespace: monitoring
|
|
||||||
additionalLabels:
|
|
||||||
release: prometheus
|
|
||||||
interval: 15s
|
|
||||||
metricRelabelings: []
|
|
||||||
relabelings: []
|
|
||||||
|
|
||||||
# Disable tracing as we're not using Jaeger
|
|
||||||
trace:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
# Enable internal TLS
|
|
||||||
internalTLS:
|
|
||||||
enabled: true
|
|
||||||
strong_ssl_ciphers: true
|
|
||||||
certSource: "auto"
|
|
||||||
|
|
||||||
# Use internal database for simplicity
|
|
||||||
database:
|
|
||||||
type: internal
|
|
||||||
internal:
|
|
||||||
password: "changeme"
|
|
||||||
|
|
||||||
# Use internal Redis for simplicity
|
|
||||||
redis:
|
|
||||||
type: internal
|
|
||||||
internal:
|
|
||||||
password: "changeme"
|
|
||||||
|
|
||||||
# Enable Trivy scanner
|
|
||||||
trivy:
|
|
||||||
enabled: true
|
|
||||||
image:
|
|
||||||
repository: goharbor/trivy-adapter-photon
|
|
||||||
tag: dev
|
|
||||||
replicas: 2
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: 200m
|
|
||||||
memory: 512Mi
|
|
||||||
limits:
|
|
||||||
cpu: 1
|
|
||||||
memory: 1Gi
|
|
||||||
vulnType: "os,library"
|
|
||||||
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
|
|
||||||
ignoreUnfixed: false
|
|
||||||
insecure: false
|
|
||||||
skipUpdate: false
|
|
||||||
skipJavaDBUpdate: false
|
|
||||||
offlineScan: false
|
|
||||||
securityCheck: "vuln"
|
|
||||||
timeout: 5m0s
|
|
||||||
|
|
||||||
# High Availability settings
|
|
||||||
portal:
|
|
||||||
replicas: 2
|
|
||||||
|
|
||||||
core:
|
|
||||||
replicas: 2
|
|
||||||
|
|
||||||
jobservice:
|
jobservice:
|
||||||
replicas: 2
|
replicas: 2
|
||||||
|
notary:
|
||||||
registry:
|
enabled: false
|
||||||
replicas: 2
|
persistence:
|
||||||
|
persistentVolumeClaim:
|
||||||
chartmuseum:
|
chartmuseum:
|
||||||
replicas: 2
|
size: 10Gi
|
||||||
|
storageClass: ceph-block
|
||||||
# Logging configuration
|
database:
|
||||||
log:
|
size: 10Gi
|
||||||
level: info
|
storageClass: ceph-block
|
||||||
local:
|
jobservice:
|
||||||
rotateCount: 50
|
jobLog:
|
||||||
rotateSize: 200M
|
size: 2Gi
|
||||||
location: /var/log/harbor
|
storageClass: ceph-block
|
||||||
external:
|
redis:
|
||||||
|
size: 2Gi
|
||||||
|
storageClass: ceph-block
|
||||||
|
registry:
|
||||||
|
size: 10Gi
|
||||||
|
storageClass: ceph-block
|
||||||
|
trivy:
|
||||||
|
size: 5Gi
|
||||||
|
storageClass: ceph-block
|
||||||
|
redis:
|
||||||
|
enabled: true
|
||||||
|
trivy:
|
||||||
enabled: true
|
enabled: true
|
||||||
endpoint: http://fluentd.logging:24224
|
|
||||||
index: harbor
|
|
||||||
type: fluentd
|
|
||||||
|
|||||||
@ -1,41 +1,44 @@
|
|||||||
---
|
---
|
||||||
# Woodpecker server configuration
|
server:
|
||||||
woodpecker:
|
|
||||||
server:
|
|
||||||
image:
|
image:
|
||||||
repository: woodpeckerci/woodpecker-server
|
repository: woodpeckerci/woodpecker-server
|
||||||
tag: v1.0.3 # Use a specific version instead of 'latest'
|
tag: v2.3.0
|
||||||
replicaCount: 2 # Run multiple replicas for high availability
|
replicaCount: 2
|
||||||
service:
|
service:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
port: 8000
|
port: 8000
|
||||||
ingress:
|
ingress:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
ingressClassName: "nginx"
|
||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.class: nginx
|
kubernetes.io/ingress.class: nginx
|
||||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
kubernetes.io/tls-acme: "true"
|
||||||
|
cert-manager.io/issuer: "letsencrypt-prod"
|
||||||
hosts:
|
hosts:
|
||||||
- host: woodpecker.example.com
|
- host: ci.nationtech.io
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: /
|
||||||
tls:
|
tls:
|
||||||
- secretName: woodpecker-tls
|
- secretName: ci.nationtech.io-tls
|
||||||
hosts:
|
hosts:
|
||||||
- woodpecker.example.com
|
- ci.nationtech.io
|
||||||
|
secrets:
|
||||||
|
- name: woodpecker-secret
|
||||||
|
serviceAccount:
|
||||||
|
# -- Specifies whether a service account should be created
|
||||||
|
create: true
|
||||||
|
|
||||||
env:
|
env:
|
||||||
WOODPECKER_OPEN: "false" # Disable open registration for production
|
WOODPECKER_OPEN: "false"
|
||||||
WOODPECKER_HOST: "https://woodpecker.example.com" # Use HTTPS
|
WOODPECKER_HOST: "https://ci.nationtech.io"
|
||||||
WOODPECKER_GITHUB: "true"
|
WOODPECKER_AGENT_SECRET: "woodpecker_agent_secret"
|
||||||
WOODPECKER_GITHUB_CLIENT: "{{ .Env.WOODPECKER_GITHUB_CLIENT }}"
|
WOODPECKER_GRPC_SECRET: "woodpecker_grpc_secret"
|
||||||
WOODPECKER_GITHUB_SECRET: "{{ .Env.WOODPECKER_GITHUB_SECRET }}"
|
|
||||||
WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
|
|
||||||
WOODPECKER_GRPC_SECRET: "{{ .Env.WOODPECKER_GRPC_SECRET }}"
|
|
||||||
WOODPECKER_GRPC_ADDR: ":9000"
|
WOODPECKER_GRPC_ADDR: ":9000"
|
||||||
WOODPECKER_SERVER_ADDR: ":8000"
|
WOODPECKER_SERVER_ADDR: ":8000"
|
||||||
WOODPECKER_METRICS_SERVER_ADDR: ":9001"
|
WOODPECKER_METRICS_SERVER_ADDR: "prometheus-kube-prometheus-prometheus.monitoring.svc:9090"
|
||||||
WOODPECKER_ADMIN: "{{ .Env.WOODPECKER_ADMIN }}"
|
# WOODPECKER_ADMIN: "woodpecker_admin"
|
||||||
WOODPECKER_DATABASE_DRIVER: "postgres"
|
# WOODPECKER_DATABASE_DRIVER: "postgres"
|
||||||
WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Env.POSTGRES_USER }}:{{ .Env.POSTGRES_PASSWORD }}@postgresql:5432/woodpecker?sslmode=require"
|
# WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker_admin:woodpecker_admin@postgresql:5432/woodpecker?sslmode=require"
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: 200m
|
cpu: 200m
|
||||||
@ -48,15 +51,15 @@ woodpecker:
|
|||||||
agent:
|
agent:
|
||||||
image:
|
image:
|
||||||
repository: woodpeckerci/woodpecker-agent
|
repository: woodpeckerci/woodpecker-agent
|
||||||
tag: v1.0.3 # Use a specific version instead of 'latest'
|
tag: v2.3.0 # Use a specific version instead of 'latest'
|
||||||
replicaCount: 3 # Run multiple agents for better parallelism
|
replicaCount: 2 # Run multiple agents for better parallelism
|
||||||
env:
|
env:
|
||||||
WOODPECKER_SERVER: "woodpecker-server:9000"
|
WOODPECKER_SERVER: "woodpecker-server:9000"
|
||||||
WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
|
WOODPECKER_AGENT_SECRET: "woodpecker_agent_secret"
|
||||||
WOODPECKER_BACKEND: "kubernetes"
|
WOODPECKER_BACKEND: "kubernetes"
|
||||||
WOODPECKER_BACKEND_K8S_NAMESPACE: "ci"
|
WOODPECKER_BACKEND_K8S_NAMESPACE: "ci"
|
||||||
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "20Gi" # Increased volume size
|
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "5Gi"
|
||||||
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "managed-premium" # Use a production-grade storage class
|
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "ceph-block"
|
||||||
WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"
|
WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"
|
||||||
WOODPECKER_BACKEND_K8S_POD_LABELS: '{"app":"woodpecker-job"}'
|
WOODPECKER_BACKEND_K8S_POD_LABELS: '{"app":"woodpecker-job"}'
|
||||||
WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: '{"prometheus.io/scrape":"true","prometheus.io/port":"9000"}'
|
WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: '{"prometheus.io/scrape":"true","prometheus.io/port":"9000"}'
|
||||||
@ -74,13 +77,13 @@ agent:
|
|||||||
# PostgreSQL configuration
|
# PostgreSQL configuration
|
||||||
postgresql:
|
postgresql:
|
||||||
enabled: true
|
enabled: true
|
||||||
postgresqlUsername: "{{ .Env.POSTGRES_USER }}"
|
auth:
|
||||||
postgresqlPassword: "{{ .Env.POSTGRES_PASSWORD }}"
|
username: "woodpecker_admin"
|
||||||
postgresqlDatabase: "woodpecker"
|
password: "woodpecker_admin"
|
||||||
|
database: "woodpecker"
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
size: 20Gi
|
size: 5Gi
|
||||||
storageClass: "managed-premium" # Use a production-grade storage class
|
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: 100m
|
cpu: 100m
|
||||||
@ -105,4 +108,4 @@ logging:
|
|||||||
enabled: true
|
enabled: true
|
||||||
config:
|
config:
|
||||||
logLevel: info
|
logLevel: info
|
||||||
fluentdAddress: fluentd.logging:24224
|
fluentdAddress: fluentd-headless.logging.svc:24224
|
||||||
|
|||||||
@ -3,43 +3,9 @@ helmDefaults:
|
|||||||
atomic: true
|
atomic: true
|
||||||
wait: true
|
wait: true
|
||||||
|
|
||||||
repositories:
|
|
||||||
- name: gitea-charts
|
|
||||||
url: https://dl.gitea.io/charts/
|
|
||||||
- name: woodpecker
|
|
||||||
url: https://woodpecker-ci.org/helm-charts
|
|
||||||
- name: harbor
|
|
||||||
url: https://helm.goharbor.io
|
|
||||||
|
|
||||||
releases:
|
|
||||||
- name: gitea
|
|
||||||
namespace: nt
|
|
||||||
chart: gitea-charts/gitea
|
|
||||||
version: 8.3.0
|
|
||||||
values:
|
|
||||||
- applications/gitea/values.yaml
|
|
||||||
|
|
||||||
- name: woodpecker
|
|
||||||
namespace: ci
|
|
||||||
chart: woodpecker/woodpecker
|
|
||||||
version: 1.0.3
|
|
||||||
values:
|
|
||||||
- applications/woodpecker/values.yaml
|
|
||||||
|
|
||||||
- name: harbor
|
|
||||||
namespace: harbor
|
|
||||||
chart: harbor/harbor
|
|
||||||
version: 1.15.1
|
|
||||||
values:
|
|
||||||
- applications/harbor/values.yaml
|
|
||||||
|
|
||||||
helmfiles:
|
helmfiles:
|
||||||
- path: applications/vault/helmfile.yaml
|
# - path: applications/vault/helmfile.yaml
|
||||||
- path: applications/logging/helmfile.yaml
|
# - path: applications/logging/helmfile.yaml
|
||||||
- path: applications/gitea/helmfile.yaml
|
# - path: applications/gitea/helmfile.yaml
|
||||||
- path: applications/woodpecker/helmfile.yaml
|
# - path: applications/woodpecker/helmfile.yaml
|
||||||
- path: applications/harbor/helmfile.yaml
|
- path: applications/harbor/helmfile.yaml
|
||||||
|
|
||||||
# Common configurations
|
|
||||||
commonConfig:
|
|
||||||
- common-config.yaml
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user