plm/oc-k8s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixing stuff for production deployment

Browse Source
This commit is contained in:
plm 2025-02-24 10:00:06 +01:00
parent ab70717458
commit 1ef92e5975
35 changed files with 1566 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
build_opencloud_microservices.sh
View File

@ -1,13 +1,16 @@
#!/bin/bash
find . -mindepth 2 -maxdepth 2 -name 'Makefile' | while read -r makefile; do
# Get the target from the first argument or use "all" as default
TARGET=${1:-all}
find .. -mindepth 2 -maxdepth 2 -name 'Makefile' | while read -r makefile; do
dir=$(dirname "$makefile")
echo "Running 'make all' in $dir"
echo "Running 'make $TARGET' in $dir"
(
cd "$dir" && make all
cd "$dir" && make "$TARGET"
)
if [ $? -ne 0 ]; then
echo "Error: make all failed in $dir"
echo "Error: make $TARGET failed in $dir"
exit 1
fi
done

5
install_production.sh Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
RELEASE_NAME=prod
RELEASE_NAMESPACE=prod
helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/prod-values.yaml

3
opencloud/.helmignore
View File

@ -21,3 +21,6 @@
.idea/
*.tmproj
.vscode/
#custom
templates/registry/dockerconfigjson

5
opencloud/Chart.yaml
View File

@ -5,7 +5,6 @@ type: application
version: 0.0.1
appVersion: "0.0.1"
# TODO: grafana, loki
dependencies:
- name: openldap
repository: https://jp-gouin.github.io/helm-openldap/
@ -47,3 +46,7 @@ dependencies:
version: "0.45.4"
repository: "https://argoproj.github.io/argo-helm"
condition: argo-workflows.enabled
- name: docker-registry-ui
version: 1.1.3
repository: "https://helm.joxit.dev/"
condition: docker-registry-ui.enabled

22
opencloud/charts/docker-registry-ui/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

30
opencloud/charts/docker-registry-ui/Chart.yaml Normal file
View File

@ -0,0 +1,30 @@
annotations:
artifacthub.io/images: |
- name: docker-registry-ui
image: joxit/docker-registry-ui:2.5.2
- name: registry
image: registry:2.8.2
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Documentation
url: https://joxit.dev/docker-registry-ui
- name: Joxit/docker-registry-ui
url: https://github.com/Joxit/docker-registry-ui
- name: Joxit/helm-charts
url: https://github.com/Joxit/helm-charts
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 2.5.2
description: The simplest and most complete UI for your private registry
home: https://github.com/Joxit/docker-registry-ui
keywords:
- docker
- registry
- user-interface
- interface
kubeVersion: '>=1.19.0-0'
name: docker-registry-ui
sources:
- https://github.com/Joxit/docker-registry-ui
- https://github.com/Joxit/helm-charts
version: 1.1.3

140
opencloud/charts/docker-registry-ui/README.md Normal file
View File

@ -0,0 +1,140 @@
# Docker Registry UI Chart
[![Stars](https://img.shields.io/github/stars/joxit/docker-registry-ui.svg?logo=github&maxAge=86400)](https://github.com/Joxit/docker-registry-ui/stargazers)
[![Pulls](https://img.shields.io/docker/pulls/joxit/docker-registry-ui.svg?maxAge=86400)](https://hub.docker.com/r/joxit/docker-registry-ui)
[![Sponsor](https://joxit.dev/images/sponsor.svg)](https://github.com/sponsors/Joxit)
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/joxit)](https://artifacthub.io/packages/helm/joxit/docker-registry-ui)
## Overview
This project aims to provide a simple and complete user interface for your private docker registry. You can customize the interface with various options. The major option is `ui.singleRegistry` which allows you to disable the dynamic selection of docker registeries.
If you like my work and want to support it, don't hesitate to [sponsor me](https://github.com/sponsors/Joxit).
## [Project Page](https://joxit.dev/docker-registry-ui), [Live Demo](https://joxit.dev/docker-registry-ui/demo/), [Examples](https://github.com/Joxit/docker-registry-ui/tree/main/examples), [Helm Chart](https://helm.joxit.dev/charts/docker-registry-ui/)
![preview](https://raw.github.com/Joxit/docker-registry-ui/main/docker-registry-ui.gif "Preview of Docker Registry UI")
## Prerequisites
* **Helm 3.2+** (Helm 2 is not supported)
* **Kubernetes 1.19+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is untested.
## Usage
1. Add my Helm repository (named `joxit`)
```
helm repo add joxit https://helm.joxit.dev
```
2. Ensure you have access to the Helm chart and you see the latest chart version listed. If you have previously added the Helm repository, run `helm repo update`.
```
helm search repo joxit/docker-registry-ui
```
3. Now you're ready to install the Docker Registry UI! To install Docker Registry UI with the default configuration using Helm 3.2 run the following command below. This will deploy the Docker Registry UI on the default namespace.
```
helm upgrade --install docker-registry-ui joxit/docker-registry-ui
```
## Configuration
### Global
| Value | Default | Description |
| --- | --- | --- |
| `global.name` | `null` | Set the prefix used for all resources in the Helm chart. If not set, the prefix will be `<helm release name>`. |
| `global.imagePullSecrets` | `[]` | The default array of objects containing image pull secret names that will be applied. |
| `global.imagePullPolicy` | `IfNotPresent` | The default image policy for images: `IfNotPresent`, `Always`, `Never` |
### User Interface
| Value | Default | Description |
| --- | --- | --- |
| `ui.replicas` | `1` | Number of replicas for the Deployment. |
| `ui.title` | `"Docker registry UI"` | Title of the registry |
| `ui.proxy` | `false` | UI behave as a proxy of the registry |
| `ui.dockerRegistryUrl` | `null` | The URL of your docker registry, may be a service (when proxy is on) or an external URL. |
| `ui.pullUrl` | `null` | Override the pull URL |
| `ui.singleRegistry` | `true` | Remove the menu that show the dialogs to add, remove and change the endpoint of your docker registry. |
| `ui.registrySecured` | `false` | By default, the UI will check on every requests if your registry is secured or not (you will see `401` responses in your console). Set to `true` if your registry uses Basic Authentication and divide by two the number of call to your registry. |
| `ui.showCatalogNbTags` | `false` | Show number of tags per images on catalog page. This will produce + nb images requests, not recommended on large registries. |
| `ui.catalogElementsLimit` | `1000` | Limit the number of elements in the catalog page. |
| `ui.catalogDefaultExpanded` | `false` | Expand by default all repositories in catalog |
| `ui.catalogMinBranches` | `1` | Set the minimum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. |
| `ui.catalogMaxBranches` | `1` | Set the maximum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. |
| `ui.deleteImages` | `false` | Allow delete of images |
| `ui.showContentDigest` | `false` | Show content digest in docker tag list. |
| `ui.taglistOrder` | `alpha-asc;num-desc` | Set the default order for the taglist page, could be `num-asc;alpha-asc`, `num-desc;alpha-asc`, `num-asc;alpha-desc`, `num-desc;alpha-desc`, `alpha-asc;num-asc`, `alpha-asc;num-desc`, `alpha-desc;num-asc` or `alpha-desc;num-desc`. |
| `ui.taglistPageSize` | `100` | Set the number of tags to display in one page. |
| `ui.historyCustomLabels` | `[]` | Expose custom labels in history page, custom labels will be processed like maintainer label. |
| `ui.nginxProxyHeaders` | `[]` | Update the default Nginx configuration and **set custom headers** for your backend docker registry. Only when `ui.proxy` is used. Example: nginxProxyHeaders: [ { my-heeader-name: my-header-value } ] |
| `ui.nginxProxyPassHeaders` | `[]` | Update the default Nginx configuration and **forward custom headers** to your backend docker registry. Only when `ui.proxy` is used. Example: nginxProxyPassHeaders: [ my-first-header, my-second-header ] |
| `ui.useControlCacheHeader` | `false` | Add header Control-Cache: no-store, no-cache on requests to registry server. This needs to update your registry configuration with : `Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']` |
| `ui.runAsRoot` | `true` | Use root or nginx user inside the container, when this is false the target port must be greater or equal to 1024. |
| `ui.defaultTheme` | `"auto"` | Select the default theme to apply, values can be `auto`, `dark` and `light` |
| `ui.theme.background` | `""` | Custom background color for the UI |
| `ui.theme.primaryText` | `""` | Custom primary text color for the UI |
| `ui.theme.neutralText` | `""` | Custom netral color for the UI (icons) |
| `ui.theme.accentText` | `""` | Custom accent color for the UI (buttons) |
| `ui.theme.hoverBackground` | `""` | Custom hover background color for the UI |
| `ui.theme.headerBackground` | `""` | Custom header background color for the UI |
| `ui.theme.headerText` | `""` | Custom header text color for the UI |
| `ui.theme.footerBackground` | `""` | Custom footer background color for the UI |
| `ui.theme.footerText` | `""` | Custom footer text color for the UI |
| `ui.theme.footerNeutralText` | `""` | Custom footer neutral color for the UI (links) |
| `ui.image` | `joxit/docker-registry-ui:2.5.2` | The name and tag of the docker image of the interface |
| `ui.imagePullSecrets` | `"-"` | Override default image pull secrets |
| `ui.imagePullPolicy` | `"-"` | Override default pull policy |
| `ui.resources` | `{}` | The resource settings for user interface pod. |
| `ui.nodeSelector` | `{}` | Optional YAML string to specify a nodeSelector config. |
| `ui.tolerations` | `[]` | Optional YAML string to specify tolerations. |
| `ui.affinity` | `{}` | This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. |
| `ui.annotations` | `{}` | Annotations to apply to the user interface deployment. |
| `ui.additionalSpec` | `{}` | Optional YAML string that will be appended to the deployment spec. |
| `ui.service.type` | `ClusterIP` | Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service type, you must set the desired `nodePorts` setting below. |
| `ui.service.port` | `80` | Ports that will be exposed on the service |
| `ui.service.targetPort` | `80` | The port to listhen on the container. If under 1024, the user must be root |
| `ui.service.nodePort` | `null` | If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. |
| `ui.service.annotations` | `{}` | Annotations to apply to the user interface service. |
| `ui.service.additionalSpec` | `{}` | Optional YAML string that will be appended to the Service spec. |
| `ui.ingress.enabled` | `false` | Enable the ingress for the user interface. |
| `ui.ingress.host` | `null` | Fully qualified domain name of a network host. |
| `ui.ingress.path` | `/` | Path is matched against the path of an incoming request. |
| `ui.ingress.pathType` | `Prefix` | Determines the interpretation of the Path matching, must be Prefix to serve assets. |
| `ui.ingress.ingressClassName` | `nginx` | The name of an IngressClass cluster resource. |
| `ui.ingress.tls` | `[]` | TLS configuration |
| `ui.ingress.annotations` | `{}` | Annotations to apply to the user interface ingress. |
### Registry Server
| Value | Default | Description |
| --- | --- | --- |
| `registry.enabled` | `false` | Enable the registry server. |
| `registry.image` | `registry:2.8.2` | The name and tag of the docker registry server image |
| `registry.imagePullSecrets` | `"-"` | Override default image pull secrets |
| `registry.imagePullPolicy` | `"-"` | Override default pull policy |
| `registry.dataVolume` | `null` | Configuration for the data directory. When null it will create an emptyDir. |
| `registry.resources` | `{}` | The resource settings for registry server pod. |
| `registry.nodeSelector` | `{}` | Optional YAML string to specify a nodeSelector config. |
| `registry.tolerations` | `[]` | Optional YAML string to specify tolerations. |
| `registry.affinity` | `{}` | This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. |
| `registry.annotations` | `{}` | Annotations to apply to the registry server deployment. |
| `registry.additionalSpec` | `{}` | Optional YAML string that will be appended to the deployment spec. |
| `registry.extraEnv` | `[]` | Extra Environmental Variables for Registry |
| `registry.auth.basic.enabled` | `false` | Enable basic auth for Registry. |
| `registry.auth.basic.realm` | `Docker registry` | Basic auth realm. |
| `registry.auth.basic.htpasswdPath` | `/etc/docker/registry/auth/htpasswd` | Full path for htpasswd file. Note that filename should match the secret key. |
| `registry.auth.basic.secretName` | `''` | htpasswd secret name volume to mount. |
| `registry.service.type` | `ClusterIP` | Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service type, you must set the desired `nodePorts` setting below. |
| `registry.service.port` | `5000` | Ports that will be exposed on the service |
| `registry.service.targetPort` | `5000` | The port to listhen on the container. |
| `registry.service.nodePort` | `null` | If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. |
| `registry.service.annotations` | `{}` | Annotations to apply to the registry server service. |
| `registry.service.additionalSpec` | `{}` | Optional YAML string that will be appended to the Service spec. |
| `registry.ingress.enabled` | `false` | Enable the ingress for the registry server. |
| `registry.ingress.host` | `null` | Fully qualified domain name of a network host. |
| `registry.ingress.path` | `/v2/` | Path is matched against the path of an incoming request. |
| `registry.ingress.pathType` | `Prefix` | Determines the interpretation of the Path matching, must be Prefix to serve assets. |
| `registry.ingress.ingressClassName` | `nginx` | The name of an IngressClass cluster resource. |
| `registry.ingress.tls` | `[]` | TLS configuration |
| `registry.ingress.annotations` | `{}` | Annotations to apply to the registry server ingress. |

28
opencloud/charts/docker-registry-ui/README.tmpl Normal file
View File

@ -0,0 +1,28 @@
# {{ prettyName }} Chart
[![Stars](https://img.shields.io/github/stars/joxit/docker-registry-ui.svg?logo=github&maxAge=86400)](https://github.com/Joxit/docker-registry-ui/stargazers)
[![Pulls](https://img.shields.io/docker/pulls/joxit/docker-registry-ui.svg?maxAge=86400)](https://hub.docker.com/r/joxit/docker-registry-ui)
[![Sponsor](https://joxit.dev/images/sponsor.svg)](https://github.com/sponsors/Joxit)
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/joxit)](https://artifacthub.io/packages/helm/joxit/docker-registry-ui)
## Overview
This project aims to provide a simple and complete user interface for your private docker registry. You can customize the interface with various options. The major option is `ui.singleRegistry` which allows you to disable the dynamic selection of docker registeries.
If you like my work and want to support it, don't hesitate to [sponsor me](https://github.com/sponsors/Joxit).
## [Project Page](https://joxit.dev/docker-registry-ui), [Live Demo](https://joxit.dev/docker-registry-ui/demo/), [Examples](https://github.com/Joxit/docker-registry-ui/tree/main/examples), [Helm Chart](https://helm.joxit.dev/charts/docker-registry-ui/)
![preview](https://raw.github.com/Joxit/docker-registry-ui/main/docker-registry-ui.gif "Preview of Docker Registry UI")
## Prerequisites
{{ prerequisites }}
## Usage
{{ usage }}
## Configuration
{{ configuration }}

8
opencloud/charts/docker-registry-ui/templates/NOTES.txt Normal file
View File

@ -0,0 +1,8 @@
Thank you for installing Joxit's Docker Registry UI!
Your release is named {{ .Release.Name }}.
To learn more about the release, run:
$ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }}
$ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }}

43
opencloud/charts/docker-registry-ui/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,43 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). Supports the legacy fullnameOverride setting
as well as the global.name setting.
*/}}
{{- define "docker-registry-ui.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else if .Values.global.name -}}
{{- .Values.global.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "docker-registry-ui.chart" -}}
{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "docker-registry-ui.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels.
*/}}
{{- define "docker-registry-ui.labels" -}}
app.kubernetes.io/name: {{ include "docker-registry-ui.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "docker-registry-ui.chart" . }}
{{- end -}}

101
opencloud/charts/docker-registry-ui/templates/registry-deployment.yaml Normal file
View File

@ -0,0 +1,101 @@
{{- if .Values.registry.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.registry.replicas }}
selector:
matchLabels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 8 }}
{{- if .Values.registry.annotations }}
annotations:
{{- toYaml .Values.registry.annotations | nindent 8 }}
{{- end }}
spec:
{{- if ne (.Values.registry.imagePullSecrets | toString) "-" }}
imagePullSecrets:
{{- toYaml .Values.registry.imagePullSecrets | nindent 8 }}
{{- else }}
imagePullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
{{- end}}
containers:
- name: "registry-server"
image: {{ .Values.registry.image | quote }}
imagePullPolicy: {{ if ne (.Values.registry.imagePullPolicy | toString) "-" }}{{ .Values.registry.imagePullPolicy }}{{ else }}{{ .Values.global.imagePullPolicy }}{{ end }}
env:
- name: REGISTRY_HTTP_ADDR
value: {{ printf "%s:%d" "0.0.0.0" (.Values.registry.service.targetPort | int) }}
{{- if .Values.ui.deleteImages }}
- name: REGISTRY_STORAGE_DELETE_ENABLED
value: 'true'
{{- end }}
{{- if .Values.registry.auth.basic.enabled }}
- name: REGISTRY_AUTH
value: htpasswd
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: {{ if ne (.Values.registry.auth.basic.realm | toString) "-" }}{{ .Values.registry.auth.basic.realm }}{{ else }}{{ "Docker registry" }}{{ end }}
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: {{ if ne (.Values.registry.auth.basic.htpasswdPath | toString) "-" }}{{ .Values.registry.auth.basic.htpasswdPath }}{{ else }}{{ "/etc/docker/registry/auth/htpasswd" }}{{ end }}
{{- end }}
{{- range .Values.registry.extraEnv }}
- name: {{ .name | quote }}
value: {{ .value | quote }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.registry.service.targetPort }}
protocol: TCP
volumeMounts:
- mountPath: /var/lib/registry
name: data
{{- if .Values.registry.auth.basic.enabled }}
- name: htpasswd
mountPath: {{ if ne (.Values.registry.auth.basic.htpasswdPath | toString) "-" }}{{ dir .Values.registry.auth.basic.htpasswdPath }}{{ else }}{{ "/etc/docker/registry/auth" }}{{ end }}
readOnly: true
{{- end }}
resources:
{{- toYaml .Values.registry.resources | nindent 12 }}
volumes:
- name: data
{{- if .Values.registry.dataVolume }}
{{- toYaml .Values.registry.dataVolume | nindent 10 }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.registry.auth.basic.enabled }}
- name: htpasswd
secret:
secretName: {{ if .Values.registry.auth.basic.secretName }}{{ .Values.registry.auth.basic.secretName }}{{ else }}{{ fail "Basic auth secret name is required" }}{{ end }}
{{- end }}
{{- with .Values.registry.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.registry.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.registry.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not .Values.registry.runAsRoot }}
securityContext:
runAsUser: 101
fsGroup: 101
{{- end }}
{{- if .Values.registry.additionalSpec }}
{{ tpl .Values.registry.additionalSpec . | nindent 6 | trim }}
{{- end }}
{{- end }}

38
opencloud/charts/docker-registry-ui/templates/registry-ingress.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.registry.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.registry.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.registry.ingress.ingressClassName }}
ingressClassName: {{ .Values.registry.ingress.ingressClassName }}
{{- end -}}
{{- if .Values.registry.ingress.tls }}
tls:
{{ tpl (toYaml .Values.registry.ingress.tls) $ | indent 4 }}
{{- end }}
rules:
- http:
paths:
- backend:
service:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
port:
number: {{ .Values.registry.service.port }}
{{- if .Values.registry.ingress.path }}
path: {{ .Values.registry.ingress.path }}
{{- end }}
{{- if .Values.registry.ingress.pathType }}
pathType: {{ .Values.registry.ingress.pathType }}
{{- end }}
{{- if .Values.registry.ingress.host }}
host: {{ .Values.registry.ingress.host | quote }}
{{- end -}}
{{- end }}

29
opencloud/charts/docker-registry-ui/templates/registry-service.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.registry.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-registry-server
labels:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.registry.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
app.kubernetes.io/component : registry-server
{{- include "docker-registry-ui.labels" . | nindent 4 }}
type: {{ .Values.registry.service.type }}
ports:
- port: {{ .Values.registry.service.port }}
targetPort: {{ .Values.registry.service.targetPort }}
protocol: TCP
name: http
{{- if (and (eq .Values.registry.service.type "NodePort") .Values.registry.service.nodePort) }}
nodePort: {{ .Values.registry.service.nodePort }}
{{- end }}
{{- if .Values.registry.service.additionalSpec }}
{{ tpl .Values.registry.service.additionalSpec . | nindent 2 | trim }}
{{- end }}
{{- end }}

139
opencloud/charts/docker-registry-ui/templates/ui-deployment.yaml Normal file
View File

@ -0,0 +1,139 @@
{{- if and (not .Values.ui.runAsRoot) (lt (.Values.ui.service.targetPort | int) 1024) }}
{{ fail "When `ui.runAsRoot` is false `ui.service.targetPort` must be less than 1024." }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.ui.replicas }}
selector:
matchLabels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 8 }}
{{- if .Values.ui.annotations }}
annotations:
{{- toYaml .Values.ui.annotations | nindent 8 }}
{{- end }}
spec:
{{- if ne (.Values.ui.imagePullSecrets | toString) "-" }}
imagePullSecrets:
{{- toYaml .Values.ui.imagePullSecrets | nindent 8 }}
{{- else }}
imagePullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
{{- end}}
containers:
- name: "registry-ui"
image: {{ .Values.ui.image | quote }}
imagePullPolicy: {{ if ne (.Values.ui.imagePullPolicy | toString) "-" }}{{ .Values.ui.imagePullPolicy }}{{ else }}{{ .Values.global.imagePullPolicy }}{{ end }}
env:
- name: REGISTRY_TITLE
value: {{ .Values.ui.title | quote }}
- name: DELETE_IMAGES
value: {{ .Values.ui.deleteImages | quote }}
{{- if .Values.ui.proxy }}
{{- if .Values.ui.dockerRegistryUrl }}
- name: NGINX_PROXY_PASS_URL
value: {{ .Values.ui.dockerRegistryUrl | quote }}
{{- else if .Values.registry.enabled }}
- name: NGINX_PROXY_PASS_URL
value: {{ printf "http://%s-registry-server:%d" (include "docker-registry-ui.fullname" .) (.Values.registry.service.port | int) }}
{{- end }}
{{- range $header := .Values.ui.nginxProxyHeaders }}
{{- range $key, $value := $header }}
- name: {{ printf "NGINX_PROXY_HEADER_%s" $key }}
value: {{ $value }}
{{- end }}
{{- end }}
{{- range $header := .Values.ui.nginxProxyPassHeaders }}
- name: {{ printf "NGINX_PROXY_PASS_HEADER_%s" $header }}
{{- end }}
{{- else }}
- name: REGISTRY_URL
value: {{ .Values.ui.dockerRegistryUrl | quote }}
{{- end }}
- name: PULL_URL
value: {{ .Values.ui.pullUrl | quote }}
- name: SHOW_CATALOG_NB_TAGS
value: {{ .Values.ui.showCatalogNbTags | quote }}
- name: SHOW_CONTENT_DIGEST
value: {{ .Values.ui.showContentDigest | quote }}
- name: SINGLE_REGISTRY
value: {{ .Values.ui.singleRegistry | quote }}
- name: CATALOG_ELEMENTS_LIMIT
value: {{ .Values.ui.catalogElementsLimit | quote }}
- name: HISTORY_CUSTOM_LABELS
value: {{ .Values.ui.historyCustomLabels | join "," }}
- name: NGINX_LISTEN_PORT
value: {{ .Values.ui.service.targetPort | quote }}
- name: USE_CONTROL_CACHE_HEADER
value: {{ .Values.ui.useControlCacheHeader | quote }}
- name: TAGLIST_ORDER
value: {{ .Values.ui.taglistOrder | quote }}
- name: CATALOG_DEFAULT_EXPANDED
value: {{ .Values.ui.catalogDefaultExpanded | quote }}
- name: CATALOG_MIN_BRANCHES
value: {{ .Values.ui.catalogMinBranches | quote }}
- name: CATALOG_MAX_BRANCHES
value: {{ .Values.ui.catalogMaxBranches | quote }}
- name: TAGLIST_PAGE_SIZE
value: {{ .Values.ui.taglistPageSize | quote }}
- name: REGISTRY_SECURED
value: {{ .Values.ui.registrySecured | quote }}
- name: THEME
value: {{ .Values.ui.defaultTheme | quote }}
- name: THEME_PRIMARY_TEXT
value: {{ .Values.ui.theme.primaryText | quote }}
- name: THEME_NEUTRAL_TEXT
value: {{ .Values.ui.theme.neutralText | quote }}
- name: THEME_BACKGROUND
value: {{ .Values.ui.theme.background | quote }}
- name: THEME_HOVER_BACKGROUND
value: {{ .Values.ui.theme.hoverBackground | quote }}
- name: THEME_ACCENT_TEXT
value: {{ .Values.ui.theme.accentText | quote }}
- name: THEME_HEADER_TEXT
value: {{ .Values.ui.theme.headerText | quote }}
- name: THEME_HEADER_BACKGROUND
value: {{ .Values.ui.theme.headerBackground | quote }}
- name: THEME_FOOTER_TEXT
value: {{ .Values.ui.theme.footerText | quote }}
- name: THEME_FOOTER_NEUTRAL_TEXT
value: {{ .Values.ui.theme.footerNeutralText | quote }}
- name: THEME_FOOTER_BACKGROUND
value: {{ .Values.ui.theme.footerBackground | quote }}
ports:
- name: http
containerPort: {{ .Values.ui.service.targetPort }}
protocol: TCP
resources:
{{- toYaml .Values.ui.resources | nindent 12 }}
{{- with .Values.ui.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ui.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not .Values.ui.runAsRoot }}
securityContext:
runAsUser: 101
{{- end }}
{{- if .Values.ui.additionalSpec }}
{{ tpl .Values.ui.additionalSpec . | nindent 6 | trim }}
{{- end }}

38
opencloud/charts/docker-registry-ui/templates/ui-ingress.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.ui.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.ui.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ui.ingress.ingressClassName }}
ingressClassName: {{ .Values.ui.ingress.ingressClassName }}
{{- end -}}
{{- if .Values.ui.ingress.tls }}
tls:
{{ tpl (toYaml .Values.ui.ingress.tls) $ | indent 4 }}
{{- end }}
rules:
- http:
paths:
- backend:
service:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
port:
number: {{ .Values.ui.service.port }}
{{- if .Values.ui.ingress.path }}
path: {{ .Values.ui.ingress.path }}
{{- end }}
{{- if .Values.ui.ingress.pathType }}
pathType: {{ .Values.ui.ingress.pathType }}
{{- end }}
{{- if .Values.ui.ingress.host }}
host: {{ .Values.ui.ingress.host | quote }}
{{- end -}}
{{- end }}

27
opencloud/charts/docker-registry-ui/templates/ui-service.yaml Normal file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "docker-registry-ui.fullname" . }}-user-interface
labels:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
{{- with .Values.ui.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
app.kubernetes.io/component : user-interface
{{- include "docker-registry-ui.labels" . | nindent 4 }}
type: {{ .Values.ui.service.type }}
ports:
- port: {{ .Values.ui.service.port }}
targetPort: {{ .Values.ui.service.targetPort }}
protocol: TCP
name: http
{{- if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort) }}
nodePort: {{ .Values.ui.service.nodePort }}
{{- end }}
{{- if .Values.ui.service.additionalSpec }}
{{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }}
{{- end }}

218
opencloud/charts/docker-registry-ui/values.yaml Normal file
View File

@ -0,0 +1,218 @@
## Global
global:
# Set the prefix used for all resources in the Helm chart. If not set,
# the prefix will be `<helm release name>`.
name: null
# The default array of objects containing image pull secret names that will be applied.
imagePullSecrets: []
# The default image policy for images: `IfNotPresent`, `Always`, `Never`
imagePullPolicy: IfNotPresent
## User Interface
ui:
# Number of replicas for the Deployment.
replicas: 1
# Title of the registry
title: "Docker registry UI"
# UI behave as a proxy of the registry
proxy: false
# The URL of your docker registry, may be a service (when proxy is on) or an external URL.
dockerRegistryUrl: null
# Override the pull URL
pullUrl: null
# Remove the menu that show the dialogs to add, remove and change the endpoint of your docker registry.
singleRegistry: true
# By default, the UI will check on every requests if your registry is secured or not (you will see `401` responses in your console). Set to `true` if your registry uses Basic Authentication and divide by two the number of call to your registry.
registrySecured: false
# Show number of tags per images on catalog page. This will produce + nb images requests, not recommended on large registries.
showCatalogNbTags: false
# Limit the number of elements in the catalog page.
catalogElementsLimit: 1000
# Expand by default all repositories in catalog
catalogDefaultExpanded: false
# Set the minimum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching.
catalogMinBranches: 1
# Set the maximum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching.
catalogMaxBranches: 1
# Allow delete of images
deleteImages: false
# Show content digest in docker tag list.
showContentDigest: false
# Set the default order for the taglist page, could be `num-asc;alpha-asc`, `num-desc;alpha-asc`, `num-asc;alpha-desc`, `num-desc;alpha-desc`, `alpha-asc;num-asc`, `alpha-asc;num-desc`, `alpha-desc;num-asc` or `alpha-desc;num-desc`.
taglistOrder: alpha-asc;num-desc
# Set the number of tags to display in one page.
taglistPageSize: 100
# Expose custom labels in history page, custom labels will be processed like maintainer label.
historyCustomLabels: []
# Update the default Nginx configuration and **set custom headers** for your backend docker registry. Only when `ui.proxy` is used.
# Example:
# nginxProxyHeaders:
# [ { my-heeader-name: my-header-value } ]
nginxProxyHeaders: []
# Update the default Nginx configuration and **forward custom headers** to your backend docker registry. Only when `ui.proxy` is used.
# Example:
# nginxProxyPassHeaders: [ my-first-header, my-second-header ]
nginxProxyPassHeaders: []
# Add header Control-Cache: no-store, no-cache on requests to registry server.
# This needs to update your registry configuration with : `Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']`
useControlCacheHeader: false
# Use root or nginx user inside the container, when this is false the target port must be greater or equal to 1024.
runAsRoot: true
# Select the default theme to apply, values can be `auto`, `dark` and `light`
defaultTheme: "auto"
theme:
# Custom background color for the UI
background: ""
# Custom primary text color for the UI
primaryText: ""
# Custom netral color for the UI (icons)
neutralText: ""
# Custom accent color for the UI (buttons)
accentText: ""
# Custom hover background color for the UI
hoverBackground: ""
# Custom header background color for the UI
headerBackground: ""
# Custom header text color for the UI
headerText: ""
# Custom footer background color for the UI
footerBackground: ""
# Custom footer text color for the UI
footerText: ""
# Custom footer neutral color for the UI (links)
footerNeutralText: ""
# The name and tag of the docker image of the interface
image: joxit/docker-registry-ui:2.5.2
# Override default image pull secrets
imagePullSecrets: "-"
# Override default pull policy
imagePullPolicy: "-"
# The resource settings for user interface pod.
resources: {}
# Optional YAML string to specify a nodeSelector config.
nodeSelector: {}
# Optional YAML string to specify tolerations.
tolerations: []
# This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for server pods.
affinity: {}
# Annotations to apply to the user interface deployment.
annotations: {}
# Optional YAML string that will be appended to the deployment spec.
additionalSpec: {}
service:
# Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service
# type, you must set the desired `nodePorts` setting below.
type: ClusterIP
# Ports that will be exposed on the service
port: 80
# The port to listhen on the container. If under 1024, the user must be root
targetPort: 80
# If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port.
nodePort: null
# Annotations to apply to the user interface service.
annotations: {}
# Optional YAML string that will be appended to the Service spec.
additionalSpec: {}
ingress:
# Enable the ingress for the user interface.
enabled: false
# Fully qualified domain name of a network host.
host: null
# Path is matched against the path of an incoming request.
path: /
# Determines the interpretation of the Path matching, must be Prefix to serve assets.
pathType: Prefix
# The name of an IngressClass cluster resource.
ingressClassName: nginx
# TLS configuration
tls: []
# Annotations to apply to the user interface ingress.
annotations: {}
# If you want a custom path, you can try this example:
# path: /ui(/|$)(.*)
# annotations:
# { nginx.ingress.kubernetes.io/rewrite-target: /$2 }
## Registry Server
registry:
# Enable the registry server.
enabled: false
# The name and tag of the docker registry server image
image: registry:2.8.2
# Override default image pull secrets
imagePullSecrets: "-"
# Override default pull policy
imagePullPolicy: "-"
# Configuration for the data directory. When null it will create an emptyDir.
dataVolume: null
# The resource settings for registry server pod.
resources: {}
# Optional YAML string to specify a nodeSelector config.
nodeSelector: {}
# Optional YAML string to specify tolerations.
tolerations: []
# This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for server pods.
affinity: {}
# Annotations to apply to the registry server deployment.
annotations: {}
# Optional YAML string that will be appended to the deployment spec.
additionalSpec: {}
# Extra Environmental Variables for Registry
extraEnv: []
auth:
basic:
# Enable basic auth for Registry.
enabled: false
# Basic auth realm.
realm: Docker registry
# Full path for htpasswd file. Note that filename should match the secret key.
htpasswdPath: /etc/docker/registry/auth/htpasswd
# htpasswd secret name volume to mount.
secretName: ''
service:
# Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service
# type, you must set the desired `nodePorts` setting below.
type: ClusterIP
# Ports that will be exposed on the service
port: 5000
# The port to listhen on the container.
targetPort: 5000
# If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port.
nodePort: null
# Annotations to apply to the registry server service.
annotations: {}
# Optional YAML string that will be appended to the Service spec.
additionalSpec: {}
ingress:
# Enable the ingress for the registry server.
enabled: false
# Fully qualified domain name of a network host.
host: null
# Path is matched against the path of an incoming request.
path: /v2/
# Determines the interpretation of the Path matching, must be Prefix to serve assets.
pathType: Prefix
# The name of an IngressClass cluster resource.
ingressClassName: nginx
# TLS configuration
tls: []
# Annotations to apply to the registry server ingress.
annotations: {}
# If you want a custom path, you can try this example:
# path: /api(/|$)(.*)
# annotations:
# { nginx.ingress.kubernetes.io/rewrite-target: /$2 }

17
opencloud/dev-values.yaml
View File

@ -502,3 +502,20 @@ ocAggregator:
requests:
cpu: "128m"
memory: "256Mi"
docker-registry-ui:
enabled: true
ui:
title: "opencloud docker registry"
proxy: true
dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000"
registry:
secretName: regcred
enabled: true
dataVolume:
persistentVolumeClaim:
claimName: docker-registry-pvc
persistence:
accessMode: ReadWriteOnce
storage: 200Mi
storageClassName: kind-sc

520
opencloud/prod-values.yaml Normal file
View File

@ -0,0 +1,520 @@
env: prod # For storage class provisioning
host: opencloud.pf.irt-saintexupery.com # For reverse proxy rule
registryHost: registry-opencloud.pf.irt-saintexupery.com # For reverse proxy rule
scheme: https # For reverse proxy rule
mongo-express:
enabled: true
mongodbServer: prod-mongodb.prod
mongodbPort: 27017
mongodbEnableAdmin: true
mongodbAdminUsername: mongroot
mongodbAdminPassword: AaRahr9E
siteBaseUrl: /mongoexpress
basicAuthUsername: mongobserver
basicAuthPassword: ieSei4du
mongodb:
enabled: false
mongodb:
enabled: true
global:
defaultStorageClass: longhorn-nor1
storageClass: longhorn-nor1
architecture: standalone
useStatefulSet: false
auth:
enabled: true
rootUser: mongroot
rootPassword: AaRahr9E
databases: ["DC_myDC"]
usernames: ["opencloud"]
passwords: ["Sudoko5o"]
resourcesPreset: "small"
replicaCount: 1
persistence:
enabled: true
storageClass: longhorn-nor1
existingClaim: mongo-pvc
accessModes:
- ReadWriteOnce
size: 5000Mi
persistentVolumeClaimRetentionPolicy:
enabled: true
whenDeleted: Retain
whenScaled: Retain
arbiter:
enabled: false
livenessProbe:
enabled: true
readinessProbe:
enabled: true
nats:
enabled: true
jetstream:
enabled: true
fileStore:
size: 20Mi
storageClassName: longhorn-nor1
openldap:
enabled: true
test:
enabled: false
ltb-passwd:
enabled: false
replicaCount: 1
image:
repository: osixia/openldap
tag: 1.5.0
tls:
enabled: false
env:
LDAP_ORGANISATION: "Demo opencloud"
LDAP_DOMAIN: "example.com"
LDAP_BACKEND: "mdb"
LDAP_TLS: "false"
LDAP_TLS_ENFORCE: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
adminPassword: "ohwaiQu3"
configPassword: "oR5jiv3e"
phpldapadmin:
enabled: false
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 10Mi
storageClass: longhorn-nor1
replication:
enabled: false
customLdifFiles:
01-schema.ldif: |-
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=lastGID,dc=example,dc=com
objectClass: device
objectClass: top
description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group.
cn: lastGID
serialNumber: 2001
dn: cn=lastUID,dc=example,dc=com
objectClass: device
objectClass: top
serialNumber: 2001
description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
cn: lastUID
dn: cn=everybody,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: everybody
memberUid: admin
gidNumber: 2003
02-ldapadmin.ldif : |-
dn: cn=ldapadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ldapadmin
memberUid: ldapadmin
gidNumber: 2001
dn: uid=ldapadmin,ou=users,dc=example,dc=com
givenName: ldap
sn: admin
uid: ldapadmin
cn: ldapadmin
mail: ldapadmin@example.com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: sai1yeiT
uidNumber: 2001
gidNumber: 2001
loginShell: /bin/bash
homeDirectory: /home/ldapadmin
03-opencloudadmin.ldif : |-
dn: cn=admin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: admin
memberUid: admin
gidNumber: 2002
dn: uid=admin,ou=users,dc=example,dc=com
givenName: John
sn: Doe
uid: admin
mail: john.doe@example.com
cn: JohnDoe
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: diiVei8y
uidNumber: 2002
gidNumber: 2002
loginShell: /bin/bash
homeDirectory: /home/admin
# ldap user manager configuration
ldapUserManager:
enabled: true
env:
SERVER_HOSTNAME: "opencloud.pf.irt-saintexupery.com"
LDAP_BASE_DN: "dc=example,dc=com"
LDAP_REQUIRE_STARTTLS: "false"
LDAP_ADMINS_GROUP: "ldapadmin"
LDAP_ADMIN_BIND_DN: "cn=admin,dc=example,dc=com"
LDAP_ADMIN_BIND_PWD: "ohwaiQu3"
LDAP_IGNORE_CERT_ERRORS: "true"
EMAIL_DOMAIN: ""
NO_HTTPS: "true"
SERVER_PATH: "/users"
ORGANISATION_NAME: "Demo"
LDAP_USER_OU: "users"
LDAP_GROUP_OU: "groups"
ACCEPT_WEAK_PASSWORDS: "true"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
traefik:
enabled: false
service:
type: NodePort
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`localhost`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)
entryPoints: [web]
ports:
web:
nodePort: 30950
hydra:
enabled: true
maester:
enabled: true
secret:
enabled: false
nameOverride: hydra-secret
hashSumEnabled: false
hydra:
dev: true
existingSecret: hydra-secret
config:
dsn: memory
urls:
login: https://localhost-login/authentication/login
consent: https://localhost-consent/consent/consent
logout: https://localhost-logout/authentication/logout
self:
issuer: http://prod-hydra-public:4444/
keto:
enabled: true
keto:
config:
serve:
read:
port: 4466
write:
port: 4467
metrics:
port: 4468
namespaces:
- id: 0
name: open-cloud
dsn: memory
loki:
enabled: true
loki:
auth_enabled: false
commonConfig:
replication_factor: 1
storage:
type: filesystem
filesystem:
chunks_directory: /var/loki/chunks
rules_directory: /var/loki/rules
admin_api_directory: /var/loki/admin
storage_config:
boltdb_shipper:
active_index_directory: /var/loki/index
filesystem:
directory: /var/loki/chunks
limits_config:
allow_structured_metadata: false
schemaConfig:
configs:
- from: "2020-01-01"
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
ingester:
chunk_encoding: snappy
tracing:
enabled: true
querier:
max_concurrent: 2
deploymentMode: SingleBinary
singleBinary:
extraVolumes:
- name: loki-storage
persistentVolumeClaim:
claimName: loki-pvc
persistence:
enabled: false # Deactivate loki auto provisioning, rely on existing PVC
accessMode: ReadWriteOnce
size: 1Gi
storageClassName: longhorn-nor1
claimName: loki-pvc
extraVolumeMounts:
- name: loki-storage
mountPath: /var/loki
replicas: 1
resources:
limits:
cpu: 3
memory: 4Gi
requests:
cpu: 1
memory: 0.5Gi
extraEnv:
- name: GOMEMLIMIT
value: 3750MiB
chunksCache:
# default is 500MB, with limited memory keep this smaller
writebackSizeLimit: 10MB
# Enable minio for storage
minio:
enabled: false
# Zero out replica counts of other deployment modes
backend:
replicas: 0
read:
replicas: 0
write:
replicas: 0
ingester:
replicas: 0
querier:
replicas: 0
queryFrontend:
replicas: 0
queryScheduler:
replicas: 0
distributor:
replicas: 0
compactor:
replicas: 0
indexGateway:
replicas: 0
bloomCompactor:
replicas: 0
bloomGateway:
replicas: 0
grafana:
enabled: false
argo-workflows:
enabled: true
workflow:
serviceAccount:
create: false
name: argo-workflow
rbac:
create: false # Manual provisioning
controller:
workflowNamespaces: [] #All of them
controller:
workflowDefaults:
spec:
serviceAccountName: argo-workflow
ocAuth:
enabled: true
enableTraefikProxyIntegration: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-auth:0.0.1"
authType: hydra
keto:
adminRole: admin
hydra:
openCloudOauth2ClientSecretName: oc-oauth2-client-secret
ldap:
bindDn: "cn=admin,dc=example,dc=com"
binPwd: "ohwaiQu3"
baseDn: "dc=example,dc=com"
roleBaseDn: "ou=AppRoles,dc=example,dc=com"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocFront:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-front:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocWorkspace:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-workspace:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocShared:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-shared:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocWorkflow:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-workflow:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocCatalog:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-catalog:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocPeer:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-peer:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocDatacenter:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-datacenter:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocSchedulerd:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-schedulerd:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocDiscovery:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-discovery:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocScheduler:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-scheduler:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
ocAggregator:
enabled: true
image: "registry-opencloud.pf.irt-saintexupery.com/oc-aggregator:0.0.1"
resources:
limits:
cpu: "128m"
memory: "256Mi"
requests:
cpu: "128m"
memory: "256Mi"
docker-registry-ui:
enabled: true
ui:
title: "opencloud docker registry"
proxy: true
dockerRegistryUrl: "http://prod-docker-registry-ui-registry-server.prod.svc.cluster.local:5000"
registry:
secretName: regcred
enabled: true
dataVolume:
persistentVolumeClaim:
claimName: docker-registry-pvc
persistence:
accessMode: ReadWriteOnce
storage: 5000Mi
storageClassName: longhorn-nor1

4
opencloud/templates/oc-aggregator/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-aggregator
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocAggregator.image }}"
name: oc-aggregator

6
opencloud/templates/oc-auth/deployment.yaml
View File

@ -22,7 +22,11 @@ spec:
secretName: public-key-secret
- name: private-key-volume
secret:
secretName: private-key-secret
secretName: private-key-secret
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocAuth.image }}"
name: oc-auth

4
opencloud/templates/oc-catalog/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-catalog
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocCatalog.image }}"
name: oc-catalog

4
opencloud/templates/oc-datacenter/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-datacenter
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocDatacenter.image }}"
name: oc-datacenter

4
opencloud/templates/oc-discovery/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-discovery
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocDiscovery.image }}"
name: oc-discovery

4
opencloud/templates/oc-front/deployment.yaml
View File

@ -19,6 +19,10 @@ spec:
- name: config-volume
configMap:
name: front-config
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocFront.image }}"
name: oc-front

4
opencloud/templates/oc-peer/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-peer
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocPeer.image }}"
name: oc-peer

4
opencloud/templates/oc-scheduler/deployment.yaml
View File

@ -16,6 +16,10 @@ spec:
app: oc-scheduler
spec:
serviceAccountName: scheduler-sa
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocScheduler.image }}"
name: oc-scheduler

4
opencloud/templates/oc-schedulerd/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-schedulerd
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocSchedulerd.image }}"
name: oc-schedulerd

4
opencloud/templates/oc-shared/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-shared
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocShared.image }}"
name: oc-shared

4
opencloud/templates/oc-workflow/deployment.yaml
View File

@ -15,6 +15,10 @@ spec:
labels:
app: oc-workflow
spec:
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
containers:
- image: "{{ .Values.ocWorkflow.image }}"
name: oc-shared

5
opencloud/templates/oc-workspace/deployment.yaml
View File

@ -32,4 +32,9 @@ spec:
requests:
cpu: "{{ .Values.ocWorkspace.resources.requests.cpu }}"
memory: "{{ .Values.ocWorkspace.resources.requests.memory }}"
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
imagePullSecrets:
- name: regcred
{{- end }}
{{- end }}

2
opencloud/templates/openCloudConf.yaml
View File

@ -23,5 +23,5 @@ data:
OC_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
OC_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
OC_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
OC_NATS_URL: "nats://dev-nats.{{ .Release.Namespace }}:4222"
OC_NATS_URL: "nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}:4222"
OC_LOKI_URL: "http://{{ .Release.Name }}-loki.{{ .Release.Namespace }}:3100"

86
opencloud/templates/registry/docker-registry.yaml Normal file
View File

@ -0,0 +1,86 @@
{{- if index .Values "docker-registry-ui" "enabled" }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ index .Values "docker-registry-ui" "registry" "dataVolume" "persistentVolumeClaim" "claimName" }}
namespace: {{ .Release.Namespace }}
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- {{ index .Values "docker-registry-ui" "registry" "persistence" "accessMode" }}
resources:
requests:
storage: {{ index .Values "docker-registry-ui" "registry" "persistence" "storage" }}
storageClassName: {{ index .Values "docker-registry-ui" "registry" "persistence" "storageClassName" }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-ingress
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.registryHost }}`)
priority: 5
services:
- kind: Service
name: {{ .Values.env }}-docker-registry-ui-registry-server
namespace: {{ .Release.Namespace }}
port: 5000
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-ingress-ui
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.registryHost }}`) && PathPrefix(`/ui`)
priority: 10
services:
- kind: Service
name: {{ .Values.env }}-docker-registry-ui-user-interface
namespace: {{ .Release.Namespace }}
port: 80
middlewares:
- name: strip-ui-prefix
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-ui-prefix
namespace: {{ .Release.Namespace }}
spec:
stripPrefix:
prefixes:
- "/ui"
---
#for htpasswd:
#htpasswd -nbB opencloud_registry Cei9phee | tr -d '\n' | base64 -w 0
#for password in dockerconfigjson:
#echo "opencloud_registry:Cei9phee" | tr -d '\n' | base64 -w 0
apiVersion: v1
kind: Secret
metadata:
name: registry-basic-auth-secret #To configure docker server authentication
namespace: {{ .Release.Namespace }}
data:
htpasswd: b3BlbmNsb3VkX3JlZ2lzdHJ5OiQyeSQwNSQ0cjFtV0h0Q3IzTmNPLjhqZjV2TkNPdkUvcFBkTDBmd1NFMkJ6bnI2azlmLjZhaVRHLzE1cQ==
---
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
name: {{ index .Values "docker-registry-ui" "registry" "secretName" }} #To configure docker client authentication against the server
namespace: {{ .Release.Namespace }}
data:
.dockerconfigjson: ewoJImF1dGhzIjogewoJCSJyZWdpc3RyeS12YWFzLnBmLmlydC1zYWludGV4dXBlcnkuY29tIjogewoJCQkiYXV0aCI6ICJkbUZoYzE5eVpXZHBjM1J5ZVRva01ua2tNRFVrYjJFeFRFaERjVGw2TWs1WE55NVJjMlZFYVZjMFpUQjVSSGxsTDIxTFp5NUxValJPYkVGR1pqTlpkbnBaZW0weVdFRXlNaTQ9IgoJCX0KCX0KfQ==
{{- end }}

7
opencloud/templates/registry/dockerconfigjson Normal file
View File

@ -0,0 +1,7 @@
{
"auths": {
"registry-vaas.pf.irt-saintexupery.com": {
"auth": "dmFhc19yZWdpc3RyeTokMnkkMDUkb2ExTEhDcTl6Mk5XNy5Rc2VEaVc0ZTB5RHllL21LZy5LUjRObEFGZjNZdnpZem0yWEEyMi4="
}
}
}

5
upgrade_production.sh Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
RELEASE_NAME=prod
RELEASE_NAMESPACE=prod
helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} -f opencloud/prod-values.yaml