To upgrade the Harbor Package📜
Check the upstream changelog and the upgrade notes.
Upgrading📜
Find the latest version of the harbor image that matches the latest version in IronBank that Renovate has identified from here: https://github.com/goharbor/harbor-helm
Run a KPT update against the main chart folder:
# To find the chart version for the command below:
# - Browse to the [upstream](https://github.com/goharbor/harbor-helm).
# - Click on the drop-down menu on the upper left, then on Tags.
# - Scroll through the tags until you get to the Helm chart version tags (e.g. v1.13.0, v1.12.4, etc.).
# - Starting with the most recent Helm chart version tag, open the Chart.yaml for the tag. If the appVersion value corresponds to the version of Loki that Renovate detected for an upgrade, this is the correct version. So, for example, if you will be updating to chart
# version v1.13.0, your kpt command would be:
kpt pkg update chart@v1.13.0 --strategy alpha-git-patch
kpt pkg update chart@${chart.version} --strategy alpha-git-patch
Update dependencies in chart.yml📜
helm dependency update ./chart
Update main chart📜
chart/Chart.yaml
- update harbor
versionandappVersion - Ensure Big Bang version suffix is appended to chart version
- Ensure dependencies gluon, postgresql, and redis are present and up to date
version: $VERSION-bb.0 dependencies: - name: postgresql version: $POSTGRESQL_VERSION repository: file://./deps/postgresql condition: postgresql.enabled - name: redis version: $REDIS_VERSION repository: oci://registry1.dso.mil/bigbang condition: redis-bb.enabled alias: redis-bb - name: gluon version: $GLUON_VERSION repository: oci://registry1.dso.mil/bigbang annotations: bigbang.dev/applicationVersions: | - Harbor Core: $HARBOR_APP_VERSION
chart/values.yaml
- Verify that Renovate updated the image tags in
chart/values.yaml - For example, if Renovate wants to update harbor-core to version v2.9.0, you should see:
core: image: repository: registry1.dso.mil/ironbank/opensource/goharbor/harbor-core # -- Overrides the image tag whose default is the chart's appVersion tag: v2.9.0
tests\images.txt
- verify that image tag in is updated to match current version
registry1.dso.mil/ironbank/opensource/goharbor/harbor-exporter:v2.9.0
Testing new harbor Version📜
Deploy harbor as part of BigBang in the local dev cluster📜
harbor-values-overrides.yaml
monitoring:
enabled: true
addons:
monitoring:
enabled: true
harbor:
enabled: true
git:
tag: null
branch: "your-development-branch-name"
values:
istio:
enabled: true
hardened:
enabled: true
monitoring:
enabled: true
monitoring:
enabled: true
metrics:
enabled: true
serviceMonitor:
enabled: true
networkPolicies:
enabled: true
https://harbor.dev.bigbang.mil and login
default credentials
username: admin
password: Harbor12345
From the CLI, run the following to test pushing/pulling from registry is working as expected
docker login harbor.dev.bigbang.mil
# Enter default credentials
docker pull alpine:latest alpine-latest.tar
docker push alpine-latest.tar harbor.dev.bigbang.mil/alpine:latest
Navigate to the Prometheus target page (https://prometheus.dev.bigbang.mil/targets) and validate that the Harbor targets show as up.
Chart Additions📜
automountServiceAccountToken📜
The mutating Kyverno policy named update-automountserviceaccounttokens is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false. This policy is configured by namespace in the Big Bang umbrella chart repository at chart/templates/kyverno-policies/values.yaml.
This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods: array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.
Modifications made to upstream chart📜
This is a high-level list of modifications that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process.
chart/templates/exporter/exporter-dpl.yaml📜
- Added lines 59-61 to enable setting of container securityContext for exporter. This was absent from the upstream chart, but appears as though it will be added in chart version 1.15.x.
{{- with .Values.exporter.containerSecurityContext }} {{- toYaml . | nindent 10 }} {{- end }}