ci: remove remaining ghcr-credentials from inttest seed/minio pod overrides

2026-04-19 06:45:46 +00:00
parent ebafe795c1
commit 2d40d70975
5 changed files with 334 additions and 4 deletions
@@ -0,0 +1,86 @@
+# Harbor PersistentVolumeClaims — bind to NFS PVs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-registry-pvc
+  namespace: harbor-service
+  labels:
+    app: harbor
+    component: registry
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Gi
+  storageClassName: ""
+  volumeName: harbor-registry-pv
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-jobservice-pvc
+  namespace: harbor-service
+  labels:
+    app: harbor
+    component: jobservice
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: ""
+  volumeName: harbor-jobservice-pv
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-database-pvc
+  namespace: harbor-service
+  labels:
+    app: harbor
+    component: database
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: ""
+  volumeName: harbor-database-pv
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-redis-pvc
+  namespace: harbor-service
+  labels:
+    app: harbor
+    component: redis
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: ""
+  volumeName: harbor-redis-pv
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: harbor-trivy-pvc
+  namespace: harbor-service
+  labels:
+    app: harbor
+    component: trivy
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: ""
+  volumeName: harbor-trivy-pv
@@ -0,0 +1,100 @@
+# Harbor Helm values — Stonks Oracle registry
+# Domain: registry.celestium.life
+# Ingress: Traefik with cert-manager (letsencrypt-prod)
+# Storage: NFS PVs on 192.168.42.8
+
+expose:
+  type: ingress
+  tls:
+    enabled: true
+    certSource: secret
+    secret:
+      secretName: harbor-tls
+  ingress:
+    hosts:
+      core: registry.celestium.life
+    controller: default
+    className: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      ingress.kubernetes.io/ssl-redirect: "true"
+      ingress.kubernetes.io/proxy-body-size: "0"
+
+externalURL: https://registry.celestium.life
+
+# Initial admin password — change after first login
+harborAdminPassword: "St0nks0racl3!"
+
+# Use internal database and redis (bundled with Harbor)
+database:
+  type: internal
+
+redis:
+  type: internal
+
+persistence:
+  enabled: true
+  resourcePolicy: "keep"
+  persistentVolumeClaim:
+    registry:
+      existingClaim: harbor-registry-pvc
+      size: 100Gi
+    jobservice:
+      jobLog:
+        existingClaim: harbor-jobservice-pvc
+        size: 2Gi
+    database:
+      existingClaim: harbor-database-pvc
+      size: 5Gi
+    redis:
+      existingClaim: harbor-redis-pvc
+      size: 2Gi
+    trivy:
+      existingClaim: harbor-trivy-pvc
+      size: 5Gi
+
+# Trivy vulnerability scanner
+trivy:
+  enabled: true
+
+# Metrics for Prometheus (optional, enable if you have monitoring)
+metrics:
+  enabled: false
+
+# Resource limits — conservative for a 4-node cluster
+core:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 512Mi
+
+jobservice:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
+registry:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+
+portal:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 256Mi
@@ -0,0 +1,87 @@
+# Harbor NFS PersistentVolumes
+# NFS path: nfs://192.168.42.8:/volume1/Kubernetes/harbor/data/<component>
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-registry-pv
+  labels:
+    app: harbor
+    component: registry
+spec:
+  capacity:
+    storage: 100Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    server: 192.168.42.8
+    path: /volume1/Kubernetes/harbor/data/registry
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-database-pv
+  labels:
+    app: harbor
+    component: database
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    server: 192.168.42.8
+    path: /volume1/Kubernetes/harbor/data/database
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-redis-pv
+  labels:
+    app: harbor
+    component: redis
+spec:
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    server: 192.168.42.8
+    path: /volume1/Kubernetes/harbor/data/redis
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-jobservice-pv
+  labels:
+    app: harbor
+    component: jobservice
+spec:
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    server: 192.168.42.8
+    path: /volume1/Kubernetes/harbor/data/jobservice
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: harbor-trivy-pv
+  labels:
+    app: harbor
+    component: trivy
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    server: 192.168.42.8
+    path: /volume1/Kubernetes/harbor/data/trivy
@@ -15,7 +15,7 @@ GITEA_API="http://10.1.1.12:30300/api/v1"
 # 1. Create namespaces
 # -------------------------------------------------------
 echo "--- Step 1: Creating namespaces ---"
-for ns in woodpecker argocd kargo stonks-beta stonks-paper; do
+for ns in woodpecker argocd kargo stonks-beta stonks-paper harbor-service; do
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  echo "  ✓ namespace/$ns"
 done
@@ -27,7 +27,7 @@ echo ""
 echo "--- Step 2: Proxy CA cert and Kyverno policies ---"
 CA_CERT_PATH="${SCRIPT_DIR}/home.crt"
 curl -sf http://192.168.42.1/home.crt -o "$CA_CERT_PATH"
-for ns in woodpecker argocd kargo; do
+for ns in woodpecker argocd kargo harbor-service; do
  if ! kubectl get configmap proxy-ca-cert -n "$ns" > /dev/null 2>&1; then
    kubectl create configmap proxy-ca-cert --from-file=ca.crt="$CA_CERT_PATH" -n "$ns"
    echo "  ✓ proxy-ca-cert created in $ns"
@@ -55,9 +55,65 @@ echo "--- Step 3: Applying NFS PersistentVolumes ---"
 kubectl apply -f pvs/argocd-pv.yaml
 kubectl apply -f pvs/kargo-pv.yaml
 kubectl apply -f pvs/woodpecker-pv.yaml
+kubectl apply -f pvs/harbor-pv.yaml
 echo "  ✓ PVs applied"
 echo ""

+# -------------------------------------------------------
+# 3b. Install Harbor container registry
+# -------------------------------------------------------
+echo "--- Step 3b: Installing Harbor ---"
+kubectl create namespace harbor-service --dry-run=client -o yaml | kubectl apply -f -
+
+# Remove old plain Docker Registry ingress (registry.celestium.life) if it exists
+# Harbor will take over that domain
+if kubectl get ingress registry-ingress -n git-server > /dev/null 2>&1; then
+  echo "  Removing old registry ingress from git-server namespace..."
+  kubectl delete ingress registry-ingress -n git-server
+  echo "  ✓ Old registry ingress removed"
+fi
+
+# Create NFS directories on the NAS (via a temporary pod)
+echo "  Ensuring NFS directories exist..."
+ssh root@gremlin-1 "
+  mkdir -p /tmp/harbor-nfs-init
+  mount -t nfs 192.168.42.8:/volume1/Kubernetes/harbor /tmp/harbor-nfs-init 2>/dev/null || true
+  mkdir -p /tmp/harbor-nfs-init/data/registry
+  mkdir -p /tmp/harbor-nfs-init/data/database
+  mkdir -p /tmp/harbor-nfs-init/data/redis
+  mkdir -p /tmp/harbor-nfs-init/data/jobservice
+  mkdir -p /tmp/harbor-nfs-init/data/trivy
+  umount /tmp/harbor-nfs-init 2>/dev/null || true
+  rmdir /tmp/harbor-nfs-init 2>/dev/null || true
+" 2>/dev/null || echo "  ⚠ Could not create NFS dirs via SSH (non-fatal, they may already exist)"
+
+# Apply PVCs
+kubectl apply -f harbor/pvcs.yaml
+echo "  ✓ Harbor PVCs applied"
+
+# Install/upgrade Harbor via Helm
+helm repo add harbor https://helm.goharbor.io 2>/dev/null || true
+helm repo update harbor 2>/dev/null || true
+
+HARBOR_EXISTS=$(helm list -n harbor-service -q 2>/dev/null | grep -c harbor || true)
+if [ "${HARBOR_EXISTS:-0}" -gt 0 ]; then
+  echo "  Harbor already installed — upgrading..."
+else
+  echo "  Fresh Harbor install..."
+fi
+
+helm upgrade --install harbor harbor/harbor \
+  --namespace harbor-service \
+  --values harbor/values.yaml \
+  --timeout 10m \
+  --wait
+
+echo "  Waiting for Harbor core to be ready..."
+kubectl wait --for=condition=ready pod -l app=harbor,component=core -n harbor-service --timeout=180s > /dev/null 2>&1 || true
+echo "  ✓ Harbor installed at https://registry.celestium.life"
+echo "    Default login: admin / St0nks0racl3!"
+echo ""
+
 # -------------------------------------------------------
 # 4. Configure Gitea (admin user, repo, webhook config)
 # -------------------------------------------------------
@@ -246,6 +302,7 @@ echo ""
 echo "=== Pipeline Infrastructure Install Complete ==="
 echo ""
 echo "Endpoints:"
+echo "  Harbor:        https://registry.celestium.life"
 echo "  Woodpecker CI: https://stonks-ci.celestium.life"
 echo "  ArgoCD:        https://stonks-argocd.celestium.life"
 echo "  Kargo:         https://stonks-kargo.celestium.life"