diff --git a/build_opencloud_microservices.sh b/build_opencloud_microservices.sh
index 9cfe9c2..4489758 100755
--- a/build_opencloud_microservices.sh
+++ b/build_opencloud_microservices.sh
@@ -1,13 +1,16 @@
 #!/bin/bash
-find . -mindepth 2 -maxdepth 2 -name 'Makefile' | while read -r makefile; do
+# Get the target from the first argument or use "all" as default
+TARGET=${1:-all}
+
+find .. -mindepth 2 -maxdepth 2 -name 'Makefile' | while read -r makefile; do
 dir=$(dirname "$makefile")
- echo "Running 'make all' in $dir"
+ echo "Running 'make $TARGET' in $dir"
 (
- cd "$dir" && make all
+ cd "$dir" && make "$TARGET"
 )
 if [ $? -ne 0 ]; then
- echo "Error: make all failed in $dir"
+ echo "Error: make $TARGET failed in $dir"
 exit 1
 fi
 done
diff --git a/install_production.sh b/install_production.sh
new file mode 100755
index 0000000..91693de
--- /dev/null
+++ b/install_production.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+RELEASE_NAME=prod
+RELEASE_NAMESPACE=prod
+
+helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/prod-values.yaml
diff --git a/opencloud/.helmignore b/opencloud/.helmignore
index 0e8a0eb..3af93d5 100644
--- a/opencloud/.helmignore
+++ b/opencloud/.helmignore
@@ -21,3 +21,6 @@
 .idea/
 *.tmproj
 .vscode/
+
+#custom
+templates/registry/dockerconfigjson
\ No newline at end of file
diff --git a/opencloud/Chart.yaml b/opencloud/Chart.yaml
index cdeba8c..173cd54 100644
--- a/opencloud/Chart.yaml
+++ b/opencloud/Chart.yaml
@@ -5,7 +5,6 @@ type: application
 version: 0.0.1
 appVersion: "0.0.1"
-# TODO: grafana, loki
 dependencies:
 - name: openldap
 repository: https://jp-gouin.github.io/helm-openldap/
@@ -47,3 +46,7 @@ dependencies:
 version: "0.45.4"
 repository: "https://argoproj.github.io/argo-helm"
 condition: argo-workflows.enabled
+- name: docker-registry-ui
+ version: 1.1.3
+ repository: "https://helm.joxit.dev/"
+ condition: docker-registry-ui.enabled
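Review bot: The `exit 1` on the failure branch runs inside the subshell on the right of the `find | while` pipe, so it ends the loop but not the script; it yields a non-zero script status today only because the loop is the last statement, and any command added after `done` would still run after a failed build. Adding `set -euo pipefail` under the shebang makes the intent explicit, or restructure the loop so it runs in the main shell and tolerates paths with whitespace: `while IFS= read -r -d '' makefile; do … done < <(find .. -mindepth 2 -maxdepth 2 -name Makefile -print0)`. The new `find ..` is resolved relative to the caller's working directory rather than the script's location, so which Makefiles get built depends on where the script is invoked from; if the parent of the script's directory is what is intended, `cd "$(dirname "$0")" || exit 1` before the `find` removes that dependency.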
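Review bot: `helm install` on the last line fails if a release named `prod` already exists, so the script cannot be re-run after a partial or failed rollout; the vendored subchart's README in this same commit uses the idempotent form, `helm upgrade --install "${RELEASE_NAME}" opencloud -n "${RELEASE_NAMESPACE}" --create-namespace -f opencloud/prod-values.yaml`. The expansions are unquoted, which is harmless for the fixed values set here but worth fixing (as quoted above) in case the names are later taken from the environment. The script also has no `set -euo pipefail` and resolves `opencloud/prod-values.yaml` relative to the caller's working directory; `cd "$(dirname "$0")" || exit 1` before the `helm` call anchors it. `opencloud/prod-values.yaml` itself is not in this diff, so whether it carries credentials that should stay out of version control cannot be checked from here.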
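Review bot: The new `templates/registry/dockerconfigjson` entry keeps that file out of the packaged chart only; `.helmignore` has no effect on what git tracks, and the name suggests a registry pull credential (a `.dockerconfigjson` payload) living inside the chart's templates directory. If that file exists in the working tree, confirm that `.gitignore` excludes it as well (not visible in this diff), and prefer creating the pull secret outside the chart — `kubectl create secret docker-registry …` or an external secrets mechanism — and referencing it by name through `imagePullSecrets`, so the chart never carries the credential. A comment stating why the entry exists, e.g. `# local-only registry pull credential; never commit or package`, would make the intent clear to the next maintainer.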
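Review bot: The added dependency is gated by `condition: docker-registry-ui.enabled`, but the parent `values.yaml` that would set that flag, and any production overrides, are outside this diff, so the rendered defaults cannot be checked here. Per the vendored subchart's README further down in this commit, `registry.auth.basic.enabled` defaults to `false` and `registry.ingress.tls` to `[]`; when the subchart is enabled for the `prod` release, make sure the values set basic auth (with an htpasswd Secret) and TLS on any exposed ingress, and note that `ui.deleteImages` also turns on `REGISTRY_STORAGE_DELETE_ENABLED` in the registry deployment template. A one-line comment above the entry, e.g. `# vendored under charts/docker-registry-ui; enable via docker-registry-ui.enabled`, would document the relationship between this entry and the copied chart.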
diff --git a/opencloud/charts/docker-registry-ui/.helmignore b/opencloud/charts/docker-registry-ui/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/opencloud/charts/docker-registry-ui/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/opencloud/charts/docker-registry-ui/Chart.yaml b/opencloud/charts/docker-registry-ui/Chart.yaml
new file mode 100644
index 0000000..1f463ef
--- /dev/null
+++ b/opencloud/charts/docker-registry-ui/Chart.yaml
@@ -0,0 +1,30 @@
+annotations:
+ artifacthub.io/images: |
+ - name: docker-registry-ui
+ image: joxit/docker-registry-ui:2.5.2
+ - name: registry
+ image: registry:2.8.2
+ artifacthub.io/license: MIT
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://joxit.dev/docker-registry-ui
+ - name: Joxit/docker-registry-ui
+ url: https://github.com/Joxit/docker-registry-ui
+ - name: Joxit/helm-charts
+ url: https://github.com/Joxit/helm-charts
+ artifacthub.io/prerelease: "false"
+apiVersion: v2
+appVersion: 2.5.2
+description: The simplest and most complete UI for your private registry
+home: https://github.com/Joxit/docker-registry-ui
+keywords:
+- docker
+- registry
+- user-interface
+- interface
+kubeVersion: '>=1.19.0-0'
+name: docker-registry-ui
+sources:
+- https://github.com/Joxit/docker-registry-ui
+- https://github.com/Joxit/helm-charts
+version: 1.1.3
diff --git a/opencloud/charts/docker-registry-ui/README.md b/opencloud/charts/docker-registry-ui/README.md
new file mode 100644
index 0000000..a67cf52
--- /dev/null
+++ b/opencloud/charts/docker-registry-ui/README.md
@@ -0,0 +1,140 @@ +# Docker Registry UI Chart + +[![Stars](https://img.shields.io/github/stars/joxit/docker-registry-ui.svg?logo=github&maxAge=86400)](https://github.com/Joxit/docker-registry-ui/stargazers) +[![Pulls](https://img.shields.io/docker/pulls/joxit/docker-registry-ui.svg?maxAge=86400)](https://hub.docker.com/r/joxit/docker-registry-ui) +[![Sponsor](https://joxit.dev/images/sponsor.svg)](https://github.com/sponsors/Joxit) +[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/joxit)](https://artifacthub.io/packages/helm/joxit/docker-registry-ui) + +## Overview + +This project aims to provide a simple and complete user interface for your private docker registry. You can customize the interface with various options. The major option is `ui.singleRegistry` which allows you to disable the dynamic selection of docker registeries. + +If you like my work and want to support it, don't hesitate to [sponsor me](https://github.com/sponsors/Joxit). + +## [Project Page](https://joxit.dev/docker-registry-ui), [Live Demo](https://joxit.dev/docker-registry-ui/demo/), [Examples](https://github.com/Joxit/docker-registry-ui/tree/main/examples), [Helm Chart](https://helm.joxit.dev/charts/docker-registry-ui/) + +![preview](https://raw.github.com/Joxit/docker-registry-ui/main/docker-registry-ui.gif "Preview of Docker Registry UI") + +## Prerequisites + + * **Helm 3.2+** (Helm 2 is not supported) + * **Kubernetes 1.19+** - This is the earliest version of Kubernetes tested. + It is possible that this chart works with earlier versions but it is untested. + +## Usage + +1. Add my Helm repository (named `joxit`) +``` +helm repo add joxit https://helm.joxit.dev +``` +2. Ensure you have access to the Helm chart and you see the latest chart version listed. If you have previously added the Helm repository, run `helm repo update`. +``` +helm search repo joxit/docker-registry-ui +``` +3. Now you're ready to install the Docker Registry UI! 
To install Docker Registry UI with the default configuration using Helm 3.2 run the following command below. This will deploy the Docker Registry UI on the default namespace. +``` +helm upgrade --install docker-registry-ui joxit/docker-registry-ui +``` + +## Configuration + +### Global + +| Value | Default | Description | +| --- | --- | --- | +| `global.name` | `null` | Set the prefix used for all resources in the Helm chart. If not set, the prefix will be ``. | +| `global.imagePullSecrets` | `[]` | The default array of objects containing image pull secret names that will be applied. | +| `global.imagePullPolicy` | `IfNotPresent` | The default image policy for images: `IfNotPresent`, `Always`, `Never` | + +### User Interface + +| Value | Default | Description | +| --- | --- | --- | +| `ui.replicas` | `1` | Number of replicas for the Deployment. | +| `ui.title` | `"Docker registry UI"` | Title of the registry | +| `ui.proxy` | `false` | UI behave as a proxy of the registry | +| `ui.dockerRegistryUrl` | `null` | The URL of your docker registry, may be a service (when proxy is on) or an external URL. | +| `ui.pullUrl` | `null` | Override the pull URL | +| `ui.singleRegistry` | `true` | Remove the menu that show the dialogs to add, remove and change the endpoint of your docker registry. | +| `ui.registrySecured` | `false` | By default, the UI will check on every requests if your registry is secured or not (you will see `401` responses in your console). Set to `true` if your registry uses Basic Authentication and divide by two the number of call to your registry. | +| `ui.showCatalogNbTags` | `false` | Show number of tags per images on catalog page. This will produce + nb images requests, not recommended on large registries. | +| `ui.catalogElementsLimit` | `1000` | Limit the number of elements in the catalog page. 
| +| `ui.catalogDefaultExpanded` | `false` | Expand by default all repositories in catalog | +| `ui.catalogMinBranches` | `1` | Set the minimum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. | +| `ui.catalogMaxBranches` | `1` | Set the maximum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. | +| `ui.deleteImages` | `false` | Allow delete of images | +| `ui.showContentDigest` | `false` | Show content digest in docker tag list. | +| `ui.taglistOrder` | `alpha-asc;num-desc` | Set the default order for the taglist page, could be `num-asc;alpha-asc`, `num-desc;alpha-asc`, `num-asc;alpha-desc`, `num-desc;alpha-desc`, `alpha-asc;num-asc`, `alpha-asc;num-desc`, `alpha-desc;num-asc` or `alpha-desc;num-desc`. | +| `ui.taglistPageSize` | `100` | Set the number of tags to display in one page. | +| `ui.historyCustomLabels` | `[]` | Expose custom labels in history page, custom labels will be processed like maintainer label. | +| `ui.nginxProxyHeaders` | `[]` | Update the default Nginx configuration and **set custom headers** for your backend docker registry. Only when `ui.proxy` is used. Example: nginxProxyHeaders: [ { my-heeader-name: my-header-value } ] | +| `ui.nginxProxyPassHeaders` | `[]` | Update the default Nginx configuration and **forward custom headers** to your backend docker registry. Only when `ui.proxy` is used. Example: nginxProxyPassHeaders: [ my-first-header, my-second-header ] | +| `ui.useControlCacheHeader` | `false` | Add header Control-Cache: no-store, no-cache on requests to registry server. This needs to update your registry configuration with : `Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']` | +| `ui.runAsRoot` | `true` | Use root or nginx user inside the container, when this is false the target port must be greater or equal to 1024. 
| +| `ui.defaultTheme` | `"auto"` | Select the default theme to apply, values can be `auto`, `dark` and `light` | +| `ui.theme.background` | `""` | Custom background color for the UI | +| `ui.theme.primaryText` | `""` | Custom primary text color for the UI | +| `ui.theme.neutralText` | `""` | Custom netral color for the UI (icons) | +| `ui.theme.accentText` | `""` | Custom accent color for the UI (buttons) | +| `ui.theme.hoverBackground` | `""` | Custom hover background color for the UI | +| `ui.theme.headerBackground` | `""` | Custom header background color for the UI | +| `ui.theme.headerText` | `""` | Custom header text color for the UI | +| `ui.theme.footerBackground` | `""` | Custom footer background color for the UI | +| `ui.theme.footerText` | `""` | Custom footer text color for the UI | +| `ui.theme.footerNeutralText` | `""` | Custom footer neutral color for the UI (links) | +| `ui.image` | `joxit/docker-registry-ui:2.5.2` | The name and tag of the docker image of the interface | +| `ui.imagePullSecrets` | `"-"` | Override default image pull secrets | +| `ui.imagePullPolicy` | `"-"` | Override default pull policy | +| `ui.resources` | `{}` | The resource settings for user interface pod. | +| `ui.nodeSelector` | `{}` | Optional YAML string to specify a nodeSelector config. | +| `ui.tolerations` | `[]` | Optional YAML string to specify tolerations. | +| `ui.affinity` | `{}` | This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. | +| `ui.annotations` | `{}` | Annotations to apply to the user interface deployment. | +| `ui.additionalSpec` | `{}` | Optional YAML string that will be appended to the deployment spec. | +| `ui.service.type` | `ClusterIP` | Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service type, you must set the desired `nodePorts` setting below. 
| +| `ui.service.port` | `80` | Ports that will be exposed on the service | +| `ui.service.targetPort` | `80` | The port to listhen on the container. If under 1024, the user must be root | +| `ui.service.nodePort` | `null` | If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. | +| `ui.service.annotations` | `{}` | Annotations to apply to the user interface service. | +| `ui.service.additionalSpec` | `{}` | Optional YAML string that will be appended to the Service spec. | +| `ui.ingress.enabled` | `false` | Enable the ingress for the user interface. | +| `ui.ingress.host` | `null` | Fully qualified domain name of a network host. | +| `ui.ingress.path` | `/` | Path is matched against the path of an incoming request. | +| `ui.ingress.pathType` | `Prefix` | Determines the interpretation of the Path matching, must be Prefix to serve assets. | +| `ui.ingress.ingressClassName` | `nginx` | The name of an IngressClass cluster resource. | +| `ui.ingress.tls` | `[]` | TLS configuration | +| `ui.ingress.annotations` | `{}` | Annotations to apply to the user interface ingress. | + +### Registry Server + +| Value | Default | Description | +| --- | --- | --- | +| `registry.enabled` | `false` | Enable the registry server. | +| `registry.image` | `registry:2.8.2` | The name and tag of the docker registry server image | +| `registry.imagePullSecrets` | `"-"` | Override default image pull secrets | +| `registry.imagePullPolicy` | `"-"` | Override default pull policy | +| `registry.dataVolume` | `null` | Configuration for the data directory. When null it will create an emptyDir. | +| `registry.resources` | `{}` | The resource settings for registry server pod. | +| `registry.nodeSelector` | `{}` | Optional YAML string to specify a nodeSelector config. | +| `registry.tolerations` | `[]` | Optional YAML string to specify tolerations. 
| +| `registry.affinity` | `{}` | This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. | +| `registry.annotations` | `{}` | Annotations to apply to the registry server deployment. | +| `registry.additionalSpec` | `{}` | Optional YAML string that will be appended to the deployment spec. | +| `registry.extraEnv` | `[]` | Extra Environmental Variables for Registry | +| `registry.auth.basic.enabled` | `false` | Enable basic auth for Registry. | +| `registry.auth.basic.realm` | `Docker registry` | Basic auth realm. | +| `registry.auth.basic.htpasswdPath` | `/etc/docker/registry/auth/htpasswd` | Full path for htpasswd file. Note that filename should match the secret key. | +| `registry.auth.basic.secretName` | `''` | htpasswd secret name volume to mount. | +| `registry.service.type` | `ClusterIP` | Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service type, you must set the desired `nodePorts` setting below. | +| `registry.service.port` | `5000` | Ports that will be exposed on the service | +| `registry.service.targetPort` | `5000` | The port to listhen on the container. | +| `registry.service.nodePort` | `null` | If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. | +| `registry.service.annotations` | `{}` | Annotations to apply to the registry server service. | +| `registry.service.additionalSpec` | `{}` | Optional YAML string that will be appended to the Service spec. | +| `registry.ingress.enabled` | `false` | Enable the ingress for the registry server. | +| `registry.ingress.host` | `null` | Fully qualified domain name of a network host. | +| `registry.ingress.path` | `/v2/` | Path is matched against the path of an incoming request. | +| `registry.ingress.pathType` | `Prefix` | Determines the interpretation of the Path matching, must be Prefix to serve assets. 
| +| `registry.ingress.ingressClassName` | `nginx` | The name of an IngressClass cluster resource. | +| `registry.ingress.tls` | `[]` | TLS configuration | +| `registry.ingress.annotations` | `{}` | Annotations to apply to the registry server ingress. | diff --git a/opencloud/charts/docker-registry-ui/README.tmpl b/opencloud/charts/docker-registry-ui/README.tmpl new file mode 100644 index 0000000..e2c1cd1 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/README.tmpl @@ -0,0 +1,28 @@ +# {{ prettyName }} Chart + +[![Stars](https://img.shields.io/github/stars/joxit/docker-registry-ui.svg?logo=github&maxAge=86400)](https://github.com/Joxit/docker-registry-ui/stargazers) +[![Pulls](https://img.shields.io/docker/pulls/joxit/docker-registry-ui.svg?maxAge=86400)](https://hub.docker.com/r/joxit/docker-registry-ui) +[![Sponsor](https://joxit.dev/images/sponsor.svg)](https://github.com/sponsors/Joxit) +[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/joxit)](https://artifacthub.io/packages/helm/joxit/docker-registry-ui) + +## Overview + +This project aims to provide a simple and complete user interface for your private docker registry. You can customize the interface with various options. The major option is `ui.singleRegistry` which allows you to disable the dynamic selection of docker registeries. + +If you like my work and want to support it, don't hesitate to [sponsor me](https://github.com/sponsors/Joxit). + +## [Project Page](https://joxit.dev/docker-registry-ui), [Live Demo](https://joxit.dev/docker-registry-ui/demo/), [Examples](https://github.com/Joxit/docker-registry-ui/tree/main/examples), [Helm Chart](https://helm.joxit.dev/charts/docker-registry-ui/) + +![preview](https://raw.github.com/Joxit/docker-registry-ui/main/docker-registry-ui.gif "Preview of Docker Registry UI") + +## Prerequisites + +{{ prerequisites }} + +## Usage + +{{ usage }} + +## Configuration + +{{ configuration }} 
diff --git a/opencloud/charts/docker-registry-ui/templates/NOTES.txt b/opencloud/charts/docker-registry-ui/templates/NOTES.txt new file mode 100644 index 0000000..9b179e3 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/NOTES.txt @@ -0,0 +1,8 @@ +Thank you for installing Joxit's Docker Registry UI! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} diff --git a/opencloud/charts/docker-registry-ui/templates/_helpers.tpl b/opencloud/charts/docker-registry-ui/templates/_helpers.tpl new file mode 100644 index 0000000..4fd7015 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/_helpers.tpl 
@@ -0,0 +1,43 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "docker-registry-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "docker-registry-ui.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "docker-registry-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels. +*/}} +{{- define "docker-registry-ui.labels" -}} +app.kubernetes.io/name: {{ include "docker-registry-ui.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +helm.sh/chart: {{ include "docker-registry-ui.chart" . }} +{{- end -}} \ No newline at end of file diff --git a/opencloud/charts/docker-registry-ui/templates/registry-deployment.yaml b/opencloud/charts/docker-registry-ui/templates/registry-deployment.yaml new file mode 100644 index 0000000..9f1f723 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/registry-deployment.yaml 
@@ -0,0 +1,101 @@ +{{- if .Values.registry.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "docker-registry-ui.fullname" . }}-registry-server + labels: + app.kubernetes.io/component : registry-server + {{- include "docker-registry-ui.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.registry.replicas }} + selector: + matchLabels: + app.kubernetes.io/component : registry-server + {{- include "docker-registry-ui.labels" . | nindent 6 }} + template: + metadata: + labels: + app.kubernetes.io/component : registry-server + {{- include "docker-registry-ui.labels" . | nindent 8 }} + {{- if .Values.registry.annotations }} + annotations: + {{- toYaml .Values.registry.annotations | nindent 8 }} + {{- end }} + spec: + {{- if ne (.Values.registry.imagePullSecrets | toString) "-" }} + imagePullSecrets: + {{- toYaml .Values.registry.imagePullSecrets | nindent 8 }} + {{- else }} + imagePullSecrets: + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} + {{- end}} + containers: + - name: "registry-server" + image: {{ .Values.registry.image | quote }} + imagePullPolicy: {{ if ne (.Values.registry.imagePullPolicy | toString) "-" }}{{ .Values.registry.imagePullPolicy }}{{ else }}{{ .Values.global.imagePullPolicy }}{{ end }} + env: + - name: REGISTRY_HTTP_ADDR + value: {{ printf "%s:%d" "0.0.0.0" (.Values.registry.service.targetPort | int) }} + {{- if .Values.ui.deleteImages }} + - name: REGISTRY_STORAGE_DELETE_ENABLED + value: 'true' + {{- end }} + {{- if .Values.registry.auth.basic.enabled }} + - name: REGISTRY_AUTH + value: htpasswd + - name: REGISTRY_AUTH_HTPASSWD_REALM + value: {{ if ne (.Values.registry.auth.basic.realm | toString) "-" }}{{ .Values.registry.auth.basic.realm }}{{ else }}{{ "Docker registry" }}{{ end }} + - name: REGISTRY_AUTH_HTPASSWD_PATH + value: {{ if ne (.Values.registry.auth.basic.htpasswdPath | toString) "-" }}{{ .Values.registry.auth.basic.htpasswdPath }}{{ else }}{{ "/etc/docker/registry/auth/htpasswd" }}{{ end }} 
+ {{- end }} + {{- range .Values.registry.extraEnv }} + - name: {{ .name | quote }} + value: {{ .value | quote }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.registry.service.targetPort }} + protocol: TCP + volumeMounts: + - mountPath: /var/lib/registry + name: data + {{- if .Values.registry.auth.basic.enabled }} + - name: htpasswd + mountPath: {{ if ne (.Values.registry.auth.basic.htpasswdPath | toString) "-" }}{{ dir .Values.registry.auth.basic.htpasswdPath }}{{ else }}{{ "/etc/docker/registry/auth" }}{{ end }} + readOnly: true + {{- end }} + resources: + {{- toYaml .Values.registry.resources | nindent 12 }} + volumes: + - name: data + {{- if .Values.registry.dataVolume }} + {{- toYaml .Values.registry.dataVolume | nindent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.registry.auth.basic.enabled }} + - name: htpasswd + secret: + secretName: {{ if .Values.registry.auth.basic.secretName }}{{ .Values.registry.auth.basic.secretName }}{{ else }}{{ fail "Basic auth secret name is required" }}{{ end }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if not .Values.registry.runAsRoot }} + securityContext: + runAsUser: 101 + fsGroup: 101 + {{- end }} + {{- if .Values.registry.additionalSpec }} + {{ tpl .Values.registry.additionalSpec . | nindent 6 | trim }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/docker-registry-ui/templates/registry-ingress.yaml b/opencloud/charts/docker-registry-ui/templates/registry-ingress.yaml new file mode 100644 index 0000000..9d55024 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/registry-ingress.yaml 
@@ -0,0 +1,38 @@ +{{- if .Values.registry.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "docker-registry-ui.fullname" . }}-registry-server + labels: + app.kubernetes.io/component : registry-server + {{- include "docker-registry-ui.labels" . | nindent 4 }} + {{- with .Values.registry.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.registry.ingress.ingressClassName }} + ingressClassName: {{ .Values.registry.ingress.ingressClassName }} + {{- end -}} +{{- if .Values.registry.ingress.tls }} + tls: +{{ tpl (toYaml .Values.registry.ingress.tls) $ | indent 4 }} +{{- end }} + rules: + - http: + paths: + - backend: + service: + name: {{ include "docker-registry-ui.fullname" . }}-registry-server + port: + number: {{ .Values.registry.service.port }} + {{- if .Values.registry.ingress.path }} + path: {{ .Values.registry.ingress.path }} + {{- end }} + {{- if .Values.registry.ingress.pathType }} + pathType: {{ .Values.registry.ingress.pathType }} + {{- end }} + {{- if .Values.registry.ingress.host }} + host: {{ .Values.registry.ingress.host | quote }} + {{- end -}} +{{- end }} \ No newline at end of file diff --git a/opencloud/charts/docker-registry-ui/templates/registry-service.yaml b/opencloud/charts/docker-registry-ui/templates/registry-service.yaml new file mode 100644 index 0000000..5da1526 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/registry-service.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.registry.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "docker-registry-ui.fullname" . }}-registry-server + labels: + app.kubernetes.io/component : registry-server + {{- include "docker-registry-ui.labels" . | nindent 4 }} + {{- with .Values.registry.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + app.kubernetes.io/component : registry-server + {{- include "docker-registry-ui.labels" . | nindent 4 }} + type: {{ .Values.registry.service.type }} + ports: + - port: {{ .Values.registry.service.port }} + targetPort: {{ .Values.registry.service.targetPort }} + protocol: TCP + name: http + {{- if (and (eq .Values.registry.service.type "NodePort") .Values.registry.service.nodePort) }} + nodePort: {{ .Values.registry.service.nodePort }} + {{- end }} + {{- if .Values.registry.service.additionalSpec }} + {{ tpl .Values.registry.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/docker-registry-ui/templates/ui-deployment.yaml b/opencloud/charts/docker-registry-ui/templates/ui-deployment.yaml new file mode 100644 index 0000000..43026e5 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/ui-deployment.yaml 
@@ -0,0 +1,139 @@ +{{- if and (not .Values.ui.runAsRoot) (lt (.Values.ui.service.targetPort | int) 1024) }} +{{ fail "When `ui.runAsRoot` is false `ui.service.targetPort` must be less than 1024." }} +{{- end }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "docker-registry-ui.fullname" . }}-user-interface + labels: + app.kubernetes.io/component : user-interface + {{- include "docker-registry-ui.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.ui.replicas }} + selector: + matchLabels: + app.kubernetes.io/component : user-interface + {{- include "docker-registry-ui.labels" . | nindent 6 }} + template: + metadata: + labels: + app.kubernetes.io/component : user-interface + {{- include "docker-registry-ui.labels" . | nindent 8 }} + {{- if .Values.ui.annotations }} + annotations: + {{- toYaml .Values.ui.annotations | nindent 8 }} + {{- end }} + spec: + {{- if ne (.Values.ui.imagePullSecrets | toString) "-" }} + imagePullSecrets: + {{- toYaml .Values.ui.imagePullSecrets | nindent 8 }} + {{- else }} + imagePullSecrets: + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} + {{- end}} + containers: + - name: "registry-ui" + image: {{ .Values.ui.image | quote }} + imagePullPolicy: {{ if ne (.Values.ui.imagePullPolicy | toString) "-" }}{{ .Values.ui.imagePullPolicy }}{{ else }}{{ .Values.global.imagePullPolicy }}{{ end }} + env: + - name: REGISTRY_TITLE + value: {{ .Values.ui.title | quote }} + - name: DELETE_IMAGES + value: {{ .Values.ui.deleteImages | quote }} + {{- if .Values.ui.proxy }} + {{- if .Values.ui.dockerRegistryUrl }} + - name: NGINX_PROXY_PASS_URL + value: {{ .Values.ui.dockerRegistryUrl | quote }} + {{- else if .Values.registry.enabled }} + - name: NGINX_PROXY_PASS_URL + value: {{ printf "http://%s-registry-server:%d" (include "docker-registry-ui.fullname" .) 
(.Values.registry.service.port | int) }} + {{- end }} + {{- range $header := .Values.ui.nginxProxyHeaders }} + {{- range $key, $value := $header }} + - name: {{ printf "NGINX_PROXY_HEADER_%s" $key }} + value: {{ $value }} + {{- end }} + {{- end }} + {{- range $header := .Values.ui.nginxProxyPassHeaders }} + - name: {{ printf "NGINX_PROXY_PASS_HEADER_%s" $header }} + {{- end }} + {{- else }} + - name: REGISTRY_URL + value: {{ .Values.ui.dockerRegistryUrl | quote }} + {{- end }} + - name: PULL_URL + value: {{ .Values.ui.pullUrl | quote }} + - name: SHOW_CATALOG_NB_TAGS + value: {{ .Values.ui.showCatalogNbTags | quote }} + - name: SHOW_CONTENT_DIGEST + value: {{ .Values.ui.showContentDigest | quote }} + - name: SINGLE_REGISTRY + value: {{ .Values.ui.singleRegistry | quote }} + - name: CATALOG_ELEMENTS_LIMIT + value: {{ .Values.ui.catalogElementsLimit | quote }} + - name: HISTORY_CUSTOM_LABELS + value: {{ .Values.ui.historyCustomLabels | join "," }} + - name: NGINX_LISTEN_PORT + value: {{ .Values.ui.service.targetPort | quote }} + - name: USE_CONTROL_CACHE_HEADER + value: {{ .Values.ui.useControlCacheHeader | quote }} + - name: TAGLIST_ORDER + value: {{ .Values.ui.taglistOrder | quote }} + - name: CATALOG_DEFAULT_EXPANDED + value: {{ .Values.ui.catalogDefaultExpanded | quote }} + - name: CATALOG_MIN_BRANCHES + value: {{ .Values.ui.catalogMinBranches | quote }} + - name: CATALOG_MAX_BRANCHES + value: {{ .Values.ui.catalogMaxBranches | quote }} + - name: TAGLIST_PAGE_SIZE + value: {{ .Values.ui.taglistPageSize | quote }} + - name: REGISTRY_SECURED + value: {{ .Values.ui.registrySecured | quote }} + - name: THEME + value: {{ .Values.ui.defaultTheme | quote }} + - name: THEME_PRIMARY_TEXT + value: {{ .Values.ui.theme.primaryText | quote }} + - name: THEME_NEUTRAL_TEXT + value: {{ .Values.ui.theme.neutralText | quote }} + - name: THEME_BACKGROUND + value: {{ .Values.ui.theme.background | quote }} + - name: THEME_HOVER_BACKGROUND + value: {{ .Values.ui.theme.hoverBackground 
| quote }} + - name: THEME_ACCENT_TEXT + value: {{ .Values.ui.theme.accentText | quote }} + - name: THEME_HEADER_TEXT + value: {{ .Values.ui.theme.headerText | quote }} + - name: THEME_HEADER_BACKGROUND + value: {{ .Values.ui.theme.headerBackground | quote }} + - name: THEME_FOOTER_TEXT + value: {{ .Values.ui.theme.footerText | quote }} + - name: THEME_FOOTER_NEUTRAL_TEXT + value: {{ .Values.ui.theme.footerNeutralText | quote }} + - name: THEME_FOOTER_BACKGROUND + value: {{ .Values.ui.theme.footerBackground | quote }} + ports: + - name: http + containerPort: {{ .Values.ui.service.targetPort }} + protocol: TCP + resources: + {{- toYaml .Values.ui.resources | nindent 12 }} + {{- with .Values.ui.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.ui.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.ui.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if not .Values.ui.runAsRoot }} + securityContext: + runAsUser: 101 + {{- end }} + {{- if .Values.ui.additionalSpec }} + {{ tpl .Values.ui.additionalSpec . | nindent 6 | trim }} + {{- end }} diff --git a/opencloud/charts/docker-registry-ui/templates/ui-ingress.yaml b/opencloud/charts/docker-registry-ui/templates/ui-ingress.yaml new file mode 100644 index 0000000..ac07f91 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/ui-ingress.yaml 
@@ -0,0 +1,38 @@ +{{- if .Values.ui.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "docker-registry-ui.fullname" . }}-user-interface + labels: + app.kubernetes.io/component : user-interface + {{- include "docker-registry-ui.labels" . | nindent 4 }} + {{- with .Values.ui.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ui.ingress.ingressClassName }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end -}} +{{- if .Values.ui.ingress.tls }} + tls: +{{ tpl (toYaml .Values.ui.ingress.tls) $ | indent 4 }} +{{- end }} + rules: + - http: + paths: + - backend: + service: + name: {{ include "docker-registry-ui.fullname" . }}-user-interface + port: + number: {{ .Values.ui.service.port }} + {{- if .Values.ui.ingress.path }} + path: {{ .Values.ui.ingress.path }} + {{- end }} + {{- if .Values.ui.ingress.pathType }} + pathType: {{ .Values.ui.ingress.pathType }} + {{- end }} + {{- if .Values.ui.ingress.host }} + host: {{ .Values.ui.ingress.host | quote }} + {{- end -}} +{{- end }} \ No newline at end of file diff --git a/opencloud/charts/docker-registry-ui/templates/ui-service.yaml b/opencloud/charts/docker-registry-ui/templates/ui-service.yaml new file mode 100644 index 0000000..7031903 --- /dev/null +++ b/opencloud/charts/docker-registry-ui/templates/ui-service.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "docker-registry-ui.fullname" . }}-user-interface + labels: + app.kubernetes.io/component : user-interface + {{- include "docker-registry-ui.labels" . | nindent 4 }} + {{- with .Values.ui.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + app.kubernetes.io/component : user-interface + {{- include "docker-registry-ui.labels" . | nindent 4 }} + type: {{ .Values.ui.service.type }} + ports: + - port: {{ .Values.ui.service.port }} + targetPort: {{ .Values.ui.service.targetPort }} + protocol: TCP + name: http + {{- if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort) }} + nodePort: {{ .Values.ui.service.nodePort }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} diff --git a/opencloud/charts/docker-registry-ui/values.yaml b/opencloud/charts/docker-registry-ui/values.yaml new file mode 100644 index 0000000..1a0805c --- /dev/null +++ b/opencloud/charts/docker-registry-ui/values.yaml 
@@ -0,0 +1,218 @@ +## Global +global: + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be ``. + name: null + # The default array of objects containing image pull secret names that will be applied. + imagePullSecrets: [] + # The default image policy for images: `IfNotPresent`, `Always`, `Never` + imagePullPolicy: IfNotPresent + +## User Interface +ui: + # Number of replicas for the Deployment. + replicas: 1 + # Title of the registry + title: "Docker registry UI" + # UI behave as a proxy of the registry + proxy: false + # The URL of your docker registry, may be a service (when proxy is on) or an external URL. + dockerRegistryUrl: null + # Override the pull URL + pullUrl: null + # Remove the menu that show the dialogs to add, remove and change the endpoint of your docker registry. + singleRegistry: true + # By default, the UI will check on every requests if your registry is secured or not (you will see `401` responses in your console). Set to `true` if your registry uses Basic Authentication and divide by two the number of call to your registry. + registrySecured: false + + # Show number of tags per images on catalog page. This will produce + nb images requests, not recommended on large registries. + showCatalogNbTags: false + # Limit the number of elements in the catalog page. + catalogElementsLimit: 1000 + # Expand by default all repositories in catalog + catalogDefaultExpanded: false + # Set the minimum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. + catalogMinBranches: 1 + # Set the maximum repository/namespace to expand (e.g. `joxit/docker-registry-ui` `joxit/` is the repository/namespace). Can be 0 to disable branching. + catalogMaxBranches: 1 + + # Allow delete of images + deleteImages: false + # Show content digest in docker tag list. 
+ showContentDigest: false + # Set the default order for the taglist page, could be `num-asc;alpha-asc`, `num-desc;alpha-asc`, `num-asc;alpha-desc`, `num-desc;alpha-desc`, `alpha-asc;num-asc`, `alpha-asc;num-desc`, `alpha-desc;num-asc` or `alpha-desc;num-desc`. + taglistOrder: alpha-asc;num-desc + # Set the number of tags to display in one page. + taglistPageSize: 100 + + # Expose custom labels in history page, custom labels will be processed like maintainer label. + historyCustomLabels: [] + + # Update the default Nginx configuration and **set custom headers** for your backend docker registry. Only when `ui.proxy` is used. + # Example: + # nginxProxyHeaders: + # [ { my-heeader-name: my-header-value } ] + nginxProxyHeaders: [] + # Update the default Nginx configuration and **forward custom headers** to your backend docker registry. Only when `ui.proxy` is used. + # Example: + # nginxProxyPassHeaders: [ my-first-header, my-second-header ] + nginxProxyPassHeaders: [] + # Add header Control-Cache: no-store, no-cache on requests to registry server. + # This needs to update your registry configuration with : `Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']` + useControlCacheHeader: false + # Use root or nginx user inside the container, when this is false the target port must be greater or equal to 1024. 
+ runAsRoot: true + + # Select the default theme to apply, values can be `auto`, `dark` and `light` + defaultTheme: "auto" + + theme: + # Custom background color for the UI + background: "" + # Custom primary text color for the UI + primaryText: "" + # Custom netral color for the UI (icons) + neutralText: "" + # Custom accent color for the UI (buttons) + accentText: "" + # Custom hover background color for the UI + hoverBackground: "" + # Custom header background color for the UI + headerBackground: "" + # Custom header text color for the UI + headerText: "" + # Custom footer background color for the UI + footerBackground: "" + # Custom footer text color for the UI + footerText: "" + # Custom footer neutral color for the UI (links) + footerNeutralText: "" + + # The name and tag of the docker image of the interface + image: joxit/docker-registry-ui:2.5.2 + # Override default image pull secrets + imagePullSecrets: "-" + # Override default pull policy + imagePullPolicy: "-" + # The resource settings for user interface pod. + resources: {} + # Optional YAML string to specify a nodeSelector config. + nodeSelector: {} + # Optional YAML string to specify tolerations. + tolerations: [] + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. + affinity: {} + # Annotations to apply to the user interface deployment. + annotations: {} + # Optional YAML string that will be appended to the deployment spec. + additionalSpec: {} + + service: + # Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service + # type, you must set the desired `nodePorts` setting below. + type: ClusterIP + # Ports that will be exposed on the service + port: 80 + # The port to listhen on the container. If under 1024, the user must be root + targetPort: 80 + # If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. 
+ nodePort: null + # Annotations to apply to the user interface service. + annotations: {} + # Optional YAML string that will be appended to the Service spec. + additionalSpec: {} + + ingress: + # Enable the ingress for the user interface. + enabled: false + # Fully qualified domain name of a network host. + host: null + # Path is matched against the path of an incoming request. + path: / + # Determines the interpretation of the Path matching, must be Prefix to serve assets. + pathType: Prefix + # The name of an IngressClass cluster resource. + ingressClassName: nginx + # TLS configuration + tls: [] + # Annotations to apply to the user interface ingress. + annotations: {} + # If you want a custom path, you can try this example: + # path: /ui(/|$)(.*) + # annotations: + # { nginx.ingress.kubernetes.io/rewrite-target: /$2 } + +## Registry Server +registry: + # Enable the registry server. + enabled: false + # The name and tag of the docker registry server image + image: registry:2.8.2 + # Override default image pull secrets + imagePullSecrets: "-" + # Override default pull policy + imagePullPolicy: "-" + # Configuration for the data directory. When null it will create an emptyDir. + dataVolume: null + # The resource settings for registry server pod. + resources: {} + # Optional YAML string to specify a nodeSelector config. + nodeSelector: {} + # Optional YAML string to specify tolerations. + tolerations: [] + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. + affinity: {} + # Annotations to apply to the registry server deployment. + annotations: {} + # Optional YAML string that will be appended to the deployment spec. + additionalSpec: {} + # Extra Environmental Variables for Registry + extraEnv: [] + + auth: + basic: + # Enable basic auth for Registry. + enabled: false + # Basic auth realm. + realm: Docker registry + # Full path for htpasswd file. 
Note that filename should match the secret key. + htpasswdPath: /etc/docker/registry/auth/htpasswd + # htpasswd secret name volume to mount. + secretName: '' + + service: + # Type of service: `LoadBalancer`, `ClusterIP` or `NodePort`. If using `NodePort` service + # type, you must set the desired `nodePorts` setting below. + type: ClusterIP + # Ports that will be exposed on the service + port: 5000 + # The port to listhen on the container. + targetPort: 5000 + # If using a `NodePort` service type, you must specify the desired `nodePort` for each exposed port. + nodePort: null + # Annotations to apply to the registry server service. + annotations: {} + # Optional YAML string that will be appended to the Service spec. + additionalSpec: {} + + ingress: + # Enable the ingress for the registry server. + enabled: false + # Fully qualified domain name of a network host. + host: null + # Path is matched against the path of an incoming request. + path: /v2/ + # Determines the interpretation of the Path matching, must be Prefix to serve assets. + pathType: Prefix + # The name of an IngressClass cluster resource. + ingressClassName: nginx + # TLS configuration + tls: [] + # Annotations to apply to the registry server ingress. + annotations: {} + # If you want a custom path, you can try this example: + # path: /api(/|$)(.*) + # annotations: + # { nginx.ingress.kubernetes.io/rewrite-target: /$2 } diff --git a/opencloud/dev-values.yaml b/opencloud/dev-values.yaml index 013ae0b..eed622f 100644 --- a/opencloud/dev-values.yaml +++ b/opencloud/dev-values.yaml 
@@ -502,3 +502,20 @@ ocAggregator:
 requests:
 cpu: "128m"
 memory: "256Mi"
+
+docker-registry-ui:
+ enabled: true
+ ui:
+ title: "opencloud docker registry"
+ proxy: true
+ dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000"
+ registry:
+ secretName: regcred
+ enabled: true
+ dataVolume:
+ persistentVolumeClaim:
+ claimName: docker-registry-pvc
+ persistence:
+ accessMode: ReadWriteOnce
+ storage: 200Mi
+ storageClassName: kind-sc
diff --git a/opencloud/prod-values.yaml b/opencloud/prod-values.yaml
new file mode 100644
index 0000000..e3d3a95
--- /dev/null
+++ b/opencloud/prod-values.yaml
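Review bot: `dockerRegistryUrl` embeds `{{ .Release.Name }}` and `{{ .Release.Namespace }}`, but Helm does not template values files, and the only consumer of that key visible in this commit (the `REGISTRY_URL` env in the subchart's ui deployment, rendered with `| quote` and no `tpl`) would emit the braces literally. The proxy branch of that template starts outside this view, so confirm whether it reads the value at all when `registry.enabled` is true; if it does, either hardcode the rendered name as prod-values.yaml does or have the template wrap the lookup in `tpl`. Note also that `secretName: regcred` is duplicated as a literal in every parent-chart deployment, so changing it here alone would not take effect.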
@@ -0,0 +1,520 @@ +env: prod # For storage class provisioning +host: opencloud.pf.irt-saintexupery.com # For reverse proxy rule +registryHost: registry-opencloud.pf.irt-saintexupery.com # For reverse proxy rule +scheme: https # For reverse proxy rule + +mongo-express: + enabled: true + mongodbServer: prod-mongodb.prod + mongodbPort: 27017 + mongodbEnableAdmin: true + mongodbAdminUsername: mongroot + mongodbAdminPassword: AaRahr9E + siteBaseUrl: /mongoexpress + basicAuthUsername: mongobserver + basicAuthPassword: ieSei4du + mongodb: + enabled: false + +mongodb: + enabled: true + global: + defaultStorageClass: longhorn-nor1 + storageClass: longhorn-nor1 + architecture: standalone + useStatefulSet: false + auth: + enabled: true + rootUser: mongroot + rootPassword: AaRahr9E + databases: ["DC_myDC"] + usernames: ["opencloud"] + passwords: ["Sudoko5o"] + resourcesPreset: "small" + replicaCount: 1 + persistence: + enabled: true + storageClass: longhorn-nor1 + existingClaim: mongo-pvc + accessModes: + - ReadWriteOnce + size: 5000Mi + persistentVolumeClaimRetentionPolicy: + enabled: true + whenDeleted: Retain + whenScaled: Retain + arbiter: + enabled: false + livenessProbe: + enabled: true + readinessProbe: + enabled: true + +nats: + enabled: true + jetstream: + enabled: true + fileStore: + size: 20Mi + storageClassName: longhorn-nor1 + + +openldap: + enabled: true + test: + enabled: false + ltb-passwd: + enabled: false + replicaCount: 1 + image: + repository: osixia/openldap + tag: 1.5.0 + tls: + enabled: false + env: + LDAP_ORGANISATION: "Demo opencloud" + LDAP_DOMAIN: "example.com" + LDAP_BACKEND: "mdb" + LDAP_TLS: "false" + LDAP_TLS_ENFORCE: "false" + LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" + adminPassword: "ohwaiQu3" + configPassword: "oR5jiv3e" + phpldapadmin: + enabled: false + persistence: + enabled: true + accessMode: ReadWriteOnce + size: 10Mi + storageClass: longhorn-nor1 + replication: + enabled: false + customLdifFiles: + + 01-schema.ldif: |- + dn: 
ou=groups,dc=example,dc=com + objectClass: organizationalUnit + ou: groups + + dn: ou=users,dc=example,dc=com + objectClass: organizationalUnit + ou: users + + dn: cn=lastGID,dc=example,dc=com + objectClass: device + objectClass: top + description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group. + cn: lastGID + serialNumber: 2001 + + dn: cn=lastUID,dc=example,dc=com + objectClass: device + objectClass: top + serialNumber: 2001 + description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account. + cn: lastUID + + dn: cn=everybody,ou=groups,dc=example,dc=com + objectClass: top + objectClass: posixGroup + cn: everybody + memberUid: admin + gidNumber: 2003 + + 02-ldapadmin.ldif : |- + dn: cn=ldapadmin,ou=groups,dc=example,dc=com + objectClass: top + objectClass: posixGroup + cn: ldapadmin + memberUid: ldapadmin + gidNumber: 2001 + + dn: uid=ldapadmin,ou=users,dc=example,dc=com + givenName: ldap + sn: admin + uid: ldapadmin + cn: ldapadmin + mail: ldapadmin@example.com + objectClass: person + objectClass: inetOrgPerson + objectClass: posixAccount + userPassword: sai1yeiT + uidNumber: 2001 + gidNumber: 2001 + loginShell: /bin/bash + homeDirectory: /home/ldapadmin + + 03-opencloudadmin.ldif : |- + dn: cn=admin,ou=groups,dc=example,dc=com + objectClass: top + objectClass: posixGroup + cn: admin + memberUid: admin + gidNumber: 2002 + + dn: uid=admin,ou=users,dc=example,dc=com + givenName: John + sn: Doe + uid: admin + mail: john.doe@example.com + cn: JohnDoe + objectClass: person + objectClass: inetOrgPerson + objectClass: posixAccount + userPassword: diiVei8y + uidNumber: 2002 + gidNumber: 2002 + loginShell: /bin/bash + homeDirectory: /home/admin + +# ldap user manager configuration +ldapUserManager: + enabled: true + env: + SERVER_HOSTNAME: "opencloud.pf.irt-saintexupery.com" + LDAP_BASE_DN: "dc=example,dc=com" + LDAP_REQUIRE_STARTTLS: "false" + 
LDAP_ADMINS_GROUP: "ldapadmin" + LDAP_ADMIN_BIND_DN: "cn=admin,dc=example,dc=com" + LDAP_ADMIN_BIND_PWD: "ohwaiQu3" + LDAP_IGNORE_CERT_ERRORS: "true" + EMAIL_DOMAIN: "" + NO_HTTPS: "true" + SERVER_PATH: "/users" + ORGANISATION_NAME: "Demo" + LDAP_USER_OU: "users" + LDAP_GROUP_OU: "groups" + ACCEPT_WEAK_PASSWORDS: "true" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +traefik: + enabled: false + service: + type: NodePort + ingressRoute: + dashboard: + enabled: true + matchRule: Host(`localhost`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`) + entryPoints: [web] + ports: + web: + nodePort: 30950 + +hydra: + enabled: true + maester: + enabled: true + secret: + enabled: false + nameOverride: hydra-secret + hashSumEnabled: false + hydra: + dev: true + existingSecret: hydra-secret + config: + dsn: memory + urls: + login: https://localhost-login/authentication/login + consent: https://localhost-consent/consent/consent + logout: https://localhost-logout/authentication/logout + self: + issuer: http://prod-hydra-public:4444/ + +keto: + enabled: true + keto: + config: + serve: + read: + port: 4466 + write: + port: 4467 + metrics: + port: 4468 + namespaces: + - id: 0 + name: open-cloud + dsn: memory + + +loki: + enabled: true + loki: + auth_enabled: false + commonConfig: + replication_factor: 1 + storage: + type: filesystem + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules + admin_api_directory: /var/loki/admin + storage_config: + boltdb_shipper: + active_index_directory: /var/loki/index + filesystem: + directory: /var/loki/chunks + limits_config: + allow_structured_metadata: false + schemaConfig: + configs: + - from: "2020-01-01" + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + ingester: + chunk_encoding: snappy + tracing: + enabled: true + querier: + max_concurrent: 2 + + deploymentMode: SingleBinary + singleBinary: + 
extraVolumes: + - name: loki-storage + persistentVolumeClaim: + claimName: loki-pvc + persistence: + enabled: false # Deactivate loki auto provisioning, rely on existing PVC + accessMode: ReadWriteOnce + size: 1Gi + storageClassName: longhorn-nor1 + claimName: loki-pvc + + + extraVolumeMounts: + - name: loki-storage + mountPath: /var/loki + replicas: 1 + resources: + limits: + cpu: 3 + memory: 4Gi + requests: + cpu: 1 + memory: 0.5Gi + extraEnv: + - name: GOMEMLIMIT + value: 3750MiB + + chunksCache: + # default is 500MB, with limited memory keep this smaller + writebackSizeLimit: 10MB + + # Enable minio for storage + minio: + enabled: false + + # Zero out replica counts of other deployment modes + backend: + replicas: 0 + read: + replicas: 0 + write: + replicas: 0 + ingester: + replicas: 0 + querier: + replicas: 0 + queryFrontend: + replicas: 0 + queryScheduler: + replicas: 0 + distributor: + replicas: 0 + compactor: + replicas: 0 + indexGateway: + replicas: 0 + bloomCompactor: + replicas: 0 + bloomGateway: + replicas: 0 + +grafana: + enabled: false + +argo-workflows: + enabled: true + workflow: + serviceAccount: + create: false + name: argo-workflow + rbac: + create: false # Manual provisioning + controller: + workflowNamespaces: [] #All of them + controller: + workflowDefaults: + spec: + serviceAccountName: argo-workflow + +ocAuth: + enabled: true + enableTraefikProxyIntegration: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-auth:0.0.1" + authType: hydra + keto: + adminRole: admin + hydra: + openCloudOauth2ClientSecretName: oc-oauth2-client-secret + ldap: + bindDn: "cn=admin,dc=example,dc=com" + binPwd: "ohwaiQu3" + baseDn: "dc=example,dc=com" + roleBaseDn: "ou=AppRoles,dc=example,dc=com" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocFront: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-front:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + 
cpu: "128m" + memory: "256Mi" + +ocWorkspace: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-workspace:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocShared: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-shared:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocWorkflow: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-workflow:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocCatalog: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-catalog:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocPeer: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-peer:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocDatacenter: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-datacenter:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocSchedulerd: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-schedulerd:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocDiscovery: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-discovery:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocScheduler: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-scheduler:0.0.1" + resources: + limits: + cpu: "128m" + memory: "256Mi" + requests: + cpu: "128m" + memory: "256Mi" + +ocAggregator: + enabled: true + image: "registry-opencloud.pf.irt-saintexupery.com/oc-aggregator:0.0.1" + resources: + limits: + cpu: "128m" + 
memory: "256Mi"
+ requests:
+ cpu: "128m"
+ memory: "256Mi"
+
+docker-registry-ui:
+ enabled: true
+ ui:
+ title: "opencloud docker registry"
+ proxy: true
+ dockerRegistryUrl: "http://prod-docker-registry-ui-registry-server.prod.svc.cluster.local:5000"
+ registry:
+ secretName: regcred
+ enabled: true
+ dataVolume:
+ persistentVolumeClaim:
+ claimName: docker-registry-pvc
+ persistence:
+ accessMode: ReadWriteOnce
+ storage: 5000Mi
+ storageClassName: longhorn-nor1
diff --git a/opencloud/templates/oc-aggregator/deployment.yaml b/opencloud/templates/oc-aggregator/deployment.yaml
index 4e62563..5d61077 100644
--- a/opencloud/templates/oc-aggregator/deployment.yaml
+++ b/opencloud/templates/oc-aggregator/deployment.yaml
@@ -15,6 +15,10 @@ spec:
 labels:
 app: oc-aggregator
 spec:
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocAggregator.image }}"
 name: oc-aggregator
diff --git a/opencloud/templates/oc-auth/deployment.yaml b/opencloud/templates/oc-auth/deployment.yaml
index 8cf1478..d9bb6cf 100644
--- a/opencloud/templates/oc-auth/deployment.yaml
+++ b/opencloud/templates/oc-auth/deployment.yaml
@@ -22,7 +22,11 @@ spec:
 secretName: public-key-secret
 - name: private-key-volume
 secret:
- secretName: private-key-secret
+ secretName: private-key-secret
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocAuth.image }}"
 name: oc-auth
diff --git a/opencloud/templates/oc-catalog/deployment.yaml b/opencloud/templates/oc-catalog/deployment.yaml
index fa63d3b..a0abc77 100644
--- a/opencloud/templates/oc-catalog/deployment.yaml
+++ b/opencloud/templates/oc-catalog/deployment.yaml
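Review bot: prod-values.yaml commits production credentials in clear text — the MongoDB root and application passwords, the mongo-express basic-auth password, the OpenLDAP admin and config passwords, the `userPassword` attributes inside the LDIF blocks, and the bind password repeated under `ldapUserManager` and `ocAuth.ldap` — so they now live in repository history and need rotating regardless of what happens to this file. The file should point at pre-created Secrets instead; the hydra section already does this with `existingSecret: hydra-secret`, and the mongodb and openldap charts pinned here normally offer an existing-secret option too (confirm against the pinned versions). Several settings also read as dev carry-overs for a file named prod: `dev: true` and `dsn: memory` for hydra, `dsn: memory` for keto (all state is lost on every restart), and `ACCEPT_WEAK_PASSWORDS: "true"`, `NO_HTTPS: "true"`, `LDAP_IGNORE_CERT_ERRORS: "true"` for the LDAP user manager. `mongo-express` is enabled with `mongodbEnableAdmin: true` as well, which publishes an admin UI protected only by the basic-auth password committed a few lines above it.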
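Review bot: the pull-secret name `regcred` is a literal in this hunk and is repeated unchanged in the oc-auth, oc-catalog, oc-datacenter, oc-discovery, oc-front, oc-peer, oc-scheduler, oc-schedulerd, oc-shared, oc-workflow and oc-workspace deployments, while the Secret itself is created under `{{ index .Values "docker-registry-ui" "registry" "secretName" }}` in templates/registry/docker-registry.yaml, so the two can drift silently. Use the same lookup in every deployment, `- name: {{ index .Values "docker-registry-ui" "registry" "secretName" }}`, or put the four-line block in one named template (a `_helpers.tpl` define) and include it everywhere. Gating on `.Values.env` being `prod` or `staging` ties image pulls to an environment label rather than to whether a pull secret is configured; testing whether that secretName value is set would be the more direct condition. In the oc-workspace hunk the block is appended after the container's `resources`, so its indentation must land at the pod `spec` level rather than inside the container — that cannot be confirmed from this collapsed view, so check the rendered `helm template` output.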
@@ -15,6 +15,10 @@ spec:
 labels:
 app: oc-catalog
 spec:
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocCatalog.image }}"
 name: oc-catalog
diff --git a/opencloud/templates/oc-datacenter/deployment.yaml b/opencloud/templates/oc-datacenter/deployment.yaml
index 0794510..cdd496b 100644
--- a/opencloud/templates/oc-datacenter/deployment.yaml
+++ b/opencloud/templates/oc-datacenter/deployment.yaml
@@ -15,6 +15,10 @@ spec:
 labels:
 app: oc-datacenter
 spec:
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocDatacenter.image }}"
 name: oc-datacenter
diff --git a/opencloud/templates/oc-discovery/deployment.yaml b/opencloud/templates/oc-discovery/deployment.yaml
index f5728e5..4b4523c 100644
--- a/opencloud/templates/oc-discovery/deployment.yaml
+++ b/opencloud/templates/oc-discovery/deployment.yaml
@@ -15,6 +15,10 @@ spec:
 labels:
 app: oc-discovery
 spec:
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocDiscovery.image }}"
 name: oc-discovery
diff --git a/opencloud/templates/oc-front/deployment.yaml b/opencloud/templates/oc-front/deployment.yaml
index 344607a..c0ce772 100644
--- a/opencloud/templates/oc-front/deployment.yaml
+++ b/opencloud/templates/oc-front/deployment.yaml
@@ -19,6 +19,10 @@ spec:
 - name: config-volume
 configMap:
 name: front-config
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocFront.image }}"
 name: oc-front
diff --git a/opencloud/templates/oc-peer/deployment.yaml b/opencloud/templates/oc-peer/deployment.yaml
index d839027..ea4390d 100644
--- a/opencloud/templates/oc-peer/deployment.yaml
+++ b/opencloud/templates/oc-peer/deployment.yaml
@@ -15,6 +15,10 @@ spec:
 labels:
 app: oc-peer
 spec:
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocPeer.image }}"
 name: oc-peer
diff --git a/opencloud/templates/oc-scheduler/deployment.yaml b/opencloud/templates/oc-scheduler/deployment.yaml
index 7ac37c9..d11ee65 100644
--- a/opencloud/templates/oc-scheduler/deployment.yaml
+++ b/opencloud/templates/oc-scheduler/deployment.yaml
@@ -16,6 +16,10 @@ spec:
 app: oc-scheduler
 spec:
 serviceAccountName: scheduler-sa
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocScheduler.image }}"
 name: oc-scheduler
diff --git a/opencloud/templates/oc-schedulerd/deployment.yaml b/opencloud/templates/oc-schedulerd/deployment.yaml
index 1daf0e8..d91e93b 100644
--- a/opencloud/templates/oc-schedulerd/deployment.yaml
+++ b/opencloud/templates/oc-schedulerd/deployment.yaml
@@ -15,6 +15,10 @@ spec:
 labels:
 app: oc-schedulerd
 spec:
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocSchedulerd.image }}"
 name: oc-schedulerd
diff --git a/opencloud/templates/oc-shared/deployment.yaml b/opencloud/templates/oc-shared/deployment.yaml
index 1076b2a..1dfb868 100644
--- a/opencloud/templates/oc-shared/deployment.yaml
+++ b/opencloud/templates/oc-shared/deployment.yaml
@@ -15,6 +15,10 @@ spec:
 labels:
 app: oc-shared
 spec:
+ {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
+ imagePullSecrets:
+ - name: regcred
+ {{- end }}
 containers:
 - image: "{{ .Values.ocShared.image }}"
 name: oc-shared
diff --git a/opencloud/templates/oc-workflow/deployment.yaml b/opencloud/templates/oc-workflow/deployment.yaml
index 5140005..2783960 100644
--- a/opencloud/templates/oc-workflow/deployment.yaml
+++ b/opencloud/templates/oc-workflow/deployment.yaml
@@ -15,6 +15,10 @@ spec: labels: app: oc-workflow spec: + {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }} + imagePullSecrets: + - name: regcred + {{- end }} containers: - image: "{{ .Values.ocWorkflow.image }}" name: oc-shared diff --git a/opencloud/templates/oc-workspace/deployment.yaml b/opencloud/templates/oc-workspace/deployment.yaml index 643914e..4328240 100644 --- a/opencloud/templates/oc-workspace/deployment.yaml +++ b/opencloud/templates/oc-workspace/deployment.yaml @@ -32,4 +32,9 @@ spec: requests: cpu: "{{ .Values.ocWorkspace.resources.requests.cpu }}" memory: "{{ .Values.ocWorkspace.resources.requests.memory }}" + {{- if or (eq .Values.env "prod") (eq .Values.env "staging") }} + imagePullSecrets: + - name: regcred + {{- end }} + {{- end }} \ No newline at end of file diff --git a/opencloud/templates/openCloudConf.yaml b/opencloud/templates/openCloudConf.yaml index 9f3b407..a691583 100644 --- a/opencloud/templates/openCloudConf.yaml +++ b/opencloud/templates/openCloudConf.yaml @@ -23,5 +23,5 @@ data: OC_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}" OC_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}" OC_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}" - OC_NATS_URL: "nats://dev-nats.{{ .Release.Namespace }}:4222" + OC_NATS_URL: "nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}:4222" OC_LOKI_URL: "http://{{ .Release.Name }}-loki.{{ .Release.Namespace }}:3100" diff --git a/opencloud/templates/registry/docker-registry.yaml b/opencloud/templates/registry/docker-registry.yaml new file mode 100644 index 0000000..08e7b7a --- /dev/null +++ b/opencloud/templates/registry/docker-registry.yaml 
@@ -0,0 +1,86 @@
+{{- if index .Values "docker-registry-ui" "enabled" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ index .Values "docker-registry-ui" "registry" "dataVolume" "persistentVolumeClaim" "claimName" }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/resource-policy: keep
+spec:
+ accessModes:
+ - {{ index .Values "docker-registry-ui" "registry" "persistence" "accessMode" }}
+ resources:
+ requests:
+ storage: {{ index .Values "docker-registry-ui" "registry" "persistence" "storage" }}
+ storageClassName: {{ index .Values "docker-registry-ui" "registry" "persistence" "storageClassName" }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: registry-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ entryPoints:
+ - web
+ routes:
+ - kind: Rule
+ match: Host(`{{ .Values.registryHost }}`)
+ priority: 5
+ services:
+ - kind: Service
+ name: {{ .Values.env }}-docker-registry-ui-registry-server
+ namespace: {{ .Release.Namespace }}
+ port: 5000
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: registry-ingress-ui
+ namespace: {{ .Release.Namespace }}
+spec:
+ entryPoints:
+ - web
+ routes:
+ - kind: Rule
+ match: Host(`{{ .Values.registryHost }}`) && PathPrefix(`/ui`)
+ priority: 10
+ services:
+ - kind: Service
+ name: {{ .Values.env }}-docker-registry-ui-user-interface
+ namespace: {{ .Release.Namespace }}
+ port: 80
+ middlewares:
+ - name: strip-ui-prefix
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: strip-ui-prefix
+ namespace: {{ .Release.Namespace }}
+spec:
+ stripPrefix:
+ prefixes:
+ - "/ui"
+---
+#for htpasswd:
+#htpasswd -nbB opencloud_registry Cei9phee | tr -d '\n' | base64 -w 0
+#for password in dockerconfigjson:
+#echo "opencloud_registry:Cei9phee" | tr -d '\n' | base64 -w 0
+apiVersion: v1
+kind: Secret
+metadata:
+ name: registry-basic-auth-secret #To configure docker server authentication
+ namespace: {{
.Release.Namespace }}
+data:
+ htpasswd: b3BlbmNsb3VkX3JlZ2lzdHJ5OiQyeSQwNSQ0cjFtV0h0Q3IzTmNPLjhqZjV2TkNPdkUvcFBkTDBmd1NFMkJ6bnI2azlmLjZhaVRHLzE1cQ==
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: {{ index .Values "docker-registry-ui" "registry" "secretName" }} #To configure docker client authentication against the server
+ namespace: {{ .Release.Namespace }}
+data:
+ .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJyZWdpc3RyeS12YWFzLnBmLmlydC1zYWludGV4dXBlcnkuY29tIjogewoJCQkiYXV0aCI6ICJkbUZoYzE5eVpXZHBjM1J5ZVRva01ua2tNRFVrYjJFeFRFaERjVGw2TWs1WE55NVJjMlZFYVZjMFpUQjVSSGxsTDIxTFp5NUxValJPYkVGR1pqTlpkbnBaZW0weVdFRXlNaTQ9IgoJCX0KCX0KfQ==
+{{- end }}
diff --git a/opencloud/templates/registry/dockerconfigjson b/opencloud/templates/registry/dockerconfigjson
new file mode 100644
index 0000000..e9b9bf6
--- /dev/null
+++ b/opencloud/templates/registry/dockerconfigjson
@@ -0,0 +1,7 @@
+{
+ "auths": {
+ "registry-vaas.pf.irt-saintexupery.com": {
+ "auth": "dmFhc19yZWdpc3RyeTokMnkkMDUkb2ExTEhDcTl6Mk5XNy5Rc2VEaVc0ZTB5RHllL21LZy5LUjRObEFGZjNZdnpZem0yWEEyMi4="
+ }
+ }
+}
\ No newline at end of file
diff --git a/upgrade_production.sh b/upgrade_production.sh
new file mode 100755
index 0000000..18ed974
--- /dev/null
+++ b/upgrade_production.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+RELEASE_NAME=prod
+RELEASE_NAMESPACE=prod
+
+helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} -f opencloud/prod-values.yaml
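Review bot: both Secrets in this template ship committed credentials — the htpasswd entry and the `.dockerconfigjson` payload — and the comment block above `registry-basic-auth-secret` spells out the registry password in plaintext, so anyone with repository read access now holds credentials to the production registry; rotate them, delete those comment lines, and create both Secrets out of band (the subchart's `registry.auth.basic.secretName` value already expects a pre-existing secret). The `.dockerconfigjson` value also appears to be the base64 of the `templates/registry/dockerconfigjson` file added in this commit, whose only `auths` entry is `registry-vaas.pf.irt-saintexupery.com`, whereas every image in prod-values.yaml and `registryHost` use `registry-opencloud.pf.irt-saintexupery.com`; kubelet picks pull credentials by registry host, so as committed this secret would not be presented for those pulls. The IngressRoute backends are named `{{ .Values.env }}-docker-registry-ui-registry-server` and `-user-interface`, but the subchart's Service names come from the release fullname (see ui-service.yaml), so this resolves only while the release name happens to equal `env`; `{{ .Release.Name }}` — as dev-values.yaml already does for `dockerRegistryUrl` — is the stable choice. The two IngressRoutes and the Middleware also carry fixed names (`registry-ingress`, `registry-ingress-ui`, `strip-ui-prefix`) and will collide if two releases are installed in one namespace.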
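Review bot: the chart path `opencloud` and `-f opencloud/prod-values.yaml` are relative to the caller's working directory, so the script only works when run from the repository root; `cd "$(dirname -- "$0")" || exit 1` right after the shebang removes that dependency. The expansions are unquoted and the script has no `set -euo pipefail`; harmless with these constant values, but `helm upgrade "${RELEASE_NAME}" opencloud -n "${RELEASE_NAMESPACE}" -f opencloud/prod-values.yaml` is the form worth keeping. Since prod-values.yaml carries credentials, `helm upgrade` will also persist them in the release record inside the namespace — one more reason to reference Secrets from the values file rather than inline them.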