Harbor Integration (#1269)

.env.defaults

@@ -5,3 +5,7 @@ JWTAUDIENCE=api.dev
 AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX
 AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxx
 AWS_BUCKET=aws-bucket
+HARBOR_REGISTRY_STORAGE_AMAZON_BUCKET=bucket-name
+HARBOR_REGISTRY_STORAGE_AMAZON_REGION=bucket-region
+REGISTRY_STORAGE_S3_ACCESSKEY=AWS-ID
+REGISTRY_STORAGE_S3_SECRETKEY=AWS-Secret

.lagoon.harbor-secrets.yaml

@@ -0,0 +1,119 @@
+apiVersion: v1
+kind: Template
+metadata:
+  creationTimestamp: null
+  name: lagoon-secret-environment-template
+parameters:
+  - name: HARBOR_CORE_SECRET
+    description: The secret used to connect to harbor's core service
+    generate: expression
+    from: "[a-zA-Z0-9]{16}"
+  - name: HARBOR_JOBSERVICE_SECRET
+    description: The secret used to connect to harbor's jobservice service
+    generate: expression
+    from: "[a-zA-Z0-9]{16}"
+  - name: HARBOR_REGISTRY_SECRET
+    description: The secret used to connect to harbor's registry service
+    generate: expression
+    from: "[a-zA-Z0-9]{16}"
+  - name: HARBOR_ADMIN_PASSWORD
+    description: Harbor's admin password
+    generate: expression
+    from: "[a-zA-Z0-9]{32}"
+  - name: CLAIR_DB_PASSWORD
+    description: The password clair should use to talk to the postgres db
+    generate: expression
+    from: "[a-zA-Z0-9]{32}"
+  - name: SAFE_BRANCH
+    description: Which branch this belongs to, special chars replaced with dashes
+    required: true
+  - name: SAFE_PROJECT
+    description: Which project this belongs to, special chars replaced with dashes
+    required: true
+  - name: BRANCH
+    description: Which branch this belongs to, original value
+    required: true
+  - name: PROJECT
+    description: Which project this belongs to, original value
+    required: true
+  - name: LAGOON_GIT_SHA
+    description: git hash sha of the current deployment
+    required: true
+  - name: OPENSHIFT_PROJECT
+    description: Name of the Project that this service is in
+    required: true
+objects:
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: harbor-core-secret
+  stringData:
+    HARBOR_CORE_SECRET: ${HARBOR_CORE_SECRET}
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: harbor-jobservice-secret
+  stringData:
+    HARBOR_JOBSERVICE_SECRET: ${HARBOR_JOBSERVICE_SECRET}
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: harborregistry-secret
+  stringData:
+    HARBOR_REGISTRY_SECRET: ${HARBOR_REGISTRY_SECRET}
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: harbor-admin-password
+  stringData:
+    HARBOR_ADMIN_PASSWORD: ${HARBOR_ADMIN_PASSWORD}
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: clair-db-password
+  stringData:
+    CLAIR_DB_PASSWORD: ${CLAIR_DB_PASSWORD}
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: postgresql-password
+  stringData:
+    POSTGRESQL_PASSWORD: ${CLAIR_DB_PASSWORD}
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: notary-db-url
+  stringData:
+    NOTARY_DB_URL: postgres://postgres:${CLAIR_DB_PASSWORD}@harbor-database:5432/notaryserver?sslmode=disable
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: harbor-clair
+    labels:
+      service: harbor-clair
+      branch: ${SAFE_BRANCH}
+      project: ${SAFE_PROJECT}
+  type: Opaque
+  data:
+    config.yaml: |
+      clair:
+        database:
+          type: pgsql
+          options:
+            source: "postgres://postgres:${CLAIR_DB_PASSWORD}@harbor-database:5432/postgres?sslmode=disable"
+            # Number of elements kept in the cache
+            # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+            cachesize: 16384
+        api:
+          # API server port
+          port: 6060
+          healthport: 6061
+          # Deadline before an API request will respond with a 503
+          timeout: 300s
+        updater:
+          interval: 1h
+        notifier:
+          attempts: 3
+          renotifyinterval: 2h
+          http:
+            endpoint: "http://harbor-core/service/notifications"

.lagoon.yml

@@ -16,6 +16,10 @@ additional-yaml:
     command: create
     ignore_error: true
 
+  harbor-secrets:
+    path: .lagoon.harbor-secrets.yaml
+    command: create
+    ignore_error: true
 tasks:
 #   pre-rollout:
 #     - run:

Makefile

@@ -431,7 +431,16 @@ services :=       api \
 									drush-alias \
 									keycloak \
 									keycloak-db \
-									ui
+									ui \
+									harbor-clair \
+									harbor-core \
+									harbor-database \
+									harbor-jobservice \
+									harbor-nginx \
+									harbor-portal \
+									harbor-redis \
+									harborregistry \
+									harborregistryctl
 
 services-galera := 	api-db-galera \
 										keycloak-db-galera
@@ -468,6 +477,11 @@ build/broker: build/rabbitmq-cluster
 build/broker-single: build/rabbitmq
 build/drush-alias: build/nginx
 build/keycloak: build/commons
+build/harbor-database: build/postgres
+build/harbor-clair: build/harbor-database images/harbor-redis/Dockerfile
+build/harborregistry: build/harbor-clair images/harbor-jobservice/Dockerfile
+build/harborregistryctl: build/harborregistry
+build/harbor-nginx: build/harborregistryctl images/harbor-core/Dockerfile images/harbor-portal/Dockerfile
 
 # Auth SSH needs the context of the root folder, so we have it individually
 build/ssh: build/commons

docker-compose.yaml

@@ -146,7 +146,7 @@ services:
     labels:
       lagoon.type: custom
       lagoon.template: services/logs2microsoftteams/.lagoon.app.yml
-      lagoon.image: amazeeiolagoon/logs2microsoftteams:v1-0-0
+      lagoon.image: amazeeiolagoon/logs2microsoftteams:master
   logs2email:
     image: ${IMAGE_REPO:-lagoon}/logs2email
     command: yarn run dev
@@ -429,3 +429,59 @@ services:
       lagoon.type: custom
       lagoon.template: services/logs-collector/.lagoon.yml
       lagoon.rollout: daemonset
+  harbor-clair:
+    image: ${IMAGE_REPO:-lagoon}/harbor-clair
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harbor-clair/harbor-clair.yml
+      lagoon.image: amazeeiolagoon/harbor-clair:v1-1-4
+  harbor-core:
+    image: ${IMAGE_REPO:-lagoon}/harbor-core
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harbor-core/harbor-core.yml
+      lagoon.image: amazeeiolagoon/harbor-core:v1-1-4
+  harbor-database:
+    image: ${IMAGE_REPO:-lagoon}/harbor-database
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harbor-database/harbor-database.yml
+      lagoon.image: amazeeiolagoon/harbor-database:v1-1-4
+  harbor-jobservice:
+    image: ${IMAGE_REPO:-lagoon}/harbor-jobservice
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harbor-jobservice/harbor-jobservice.yml
+      lagoon.image: amazeeiolagoon/harbor-jobservice:v1-1-4
+  harbor-nginx:
+    image: ${IMAGE_REPO:-lagoon}/harbor-nginx
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harbor-nginx/harbor-nginx.yml
+      lagoon.image: amazeeiolagoon/harbor-nginx:v1-1-4
+  harbor-portal:
+    image: ${IMAGE_REPO:-lagoon}/harbor-portal
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harbor-portal/harbor-portal.yml
+      lagoon.image: amazeeiolagoon/harbor-portal:v1-1-4
+  harbor-redis:
+    image: ${IMAGE_REPO:-lagoon}/harbor-redis
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harbor-redis/harbor-redis.yml
+      lagoon.image: amazeeiolagoon/harbor-redis:v1-1-4
+  harborregistry:
+    image: ${IMAGE_REPO:-lagoon}/harborregistry
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harborregistry/harborregistry.yml
+      lagoon.name: harborregistry
+      lagoon.image: amazeeiolagoon/harborregistry:v1-1-4
+  harborregistryctl:
+    image: ${IMAGE_REPO:-lagoon}/harborregistryctl
+    labels:
+      lagoon.type: custom
+      lagoon.template: services/harborregistryctl/harborregistry.yml
+      lagoon.name: harborregistry
+      lagoon.image: amazeeiolagoon/harborregistryctl:v1-1-4

docs/using_lagoon/docker_images/postgres.md

@@ -0,0 +1,8 @@
+# Postgres Image
+
+# Supported versions
+
+- 11.x [[Dockerfile]](https://github.com/amazeeio/lagoon/blob/master/images/postgres/Dockerfile)
+
+# Tips & Tricks
+If you have SQL statements that need to be ran immediately after container startup to initalize the database, you can place those `.sql` files in the container's `docker-entrypoint-initdb.d` directory. Any `.sql` files contained in that directory are ran automatically at startup, as part of bringing the Postgres container up. ***Take note that these scripts are only ran if the container is started with an empty database.***

images/harbor-clair/Dockerfile

@@ -0,0 +1,17 @@
+FROM goharbor/clair-photon:v2.1.0-v1.9.3
+LABEL maintainer="amazee.io"
+
+COPY docker-entrypoint.sh /
+
+USER root
+
+RUN chmod -R g+w /etc/pki/tls/certs \
+&& chmod +x /clair/clair \
+&& chmod -R g+w /config \
+&& chgrp -R root /clair \
+&& chmod -R g+w /clair \
+&& mkdir -p /etc/clair \
+&& chmod -R g+w /etc/clair \
+&& touch /etc/clair/config.yaml
+
+USER 10000

images/harbor-clair/docker-entrypoint.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+/harbor/install_cert.sh
+exec "/dumb-init" "--" "/clair/clair" "-config" "/etc/clair/config.yaml"
+set +e

images/harbor-core/Dockerfile

@@ -0,0 +1,12 @@
+FROM goharbor/harbor-core:v1.9.3
+LABEL maintainer="amazee.io"
+
+COPY entrypoint.sh /
+
+USER root
+
+RUN chmod +rx /entrypoint.sh
+
+USER 10000
+
+ENTRYPOINT /entrypoint.sh

images/harbor-core/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+# if HARBOR_NGINX_ENDPOINT is not defined, we try to load it from LAGOON_ROUTES
+if [[ -z ${HARBOR_NGINX_ENDPOINT+x} ]]; then
+    REGEX="(https?://harbor[0-9A-Za-z\.-]+)"
+
+    if [[ $LAGOON_ROUTES =~ $REGEX ]]; then
+        export HARBOR_NGINX_ENDPOINT=${BASH_REMATCH[1]}
+    else
+        echo "Could not load harbor URL from LAGOON_ROUTES, please define via HARBOR_NGINX_ENDPOINT env variable"
+        exit 1
+    fi
+fi
+
+export EXT_ENDPOINT=$HARBOR_NGINX_ENDPOINT
+
+exec "/harbor/harbor_core"
+#sudo -E -u \#10000 "$@"

images/harbor-database/Dockerfile

@@ -0,0 +1,5 @@
+ARG IMAGE_REPO
+FROM ${IMAGE_REPO:-lagoon}/postgres
+LABEL maintainer="amazee.io"
+
+COPY docker-entrypoint-initdb.d /docker-entrypoint-initdb.d

images/harbor-database/docker-entrypoint-initdb.d/initial-registry.sql

@@ -0,0 +1,4 @@
+CREATE DATABASE registry ENCODING 'UTF8';
+\c registry;
+
+CREATE TABLE schema_migrations(version bigint not null primary key, dirty boolean not null);

images/harbor-jobservice/Dockerfile

@@ -0,0 +1,2 @@
+FROM goharbor/harbor-jobservice:v1.9.3
+LABEL maintainer="amazee.io"

images/harbor-nginx/Dockerfile

@@ -0,0 +1,10 @@
+FROM goharbor/nginx-photon:v1.9.3
+LABEL maintainer="amazee.io"
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+USER root
+
+RUN chown root:root /etc/nginx/nginx.conf && chmod 744 /etc/nginx/nginx.conf && chmod -R g+r /etc/nginx
+
+USER nginx