zyyw
commented
2 years ago We currently not test harbor deployment on openshift.
Closed Meza1923 closed 5 months ago
zyyw
commented
2 years ago We currently not test harbor deployment on openshift.
arjunprasad2143
commented
2 years ago Could you share the details of the version of the openshift used and the version of harbor helm. For me it works without an issue
Meza1923
commented
2 years ago Could you share the details of the version of the openshift used and the version of harbor helm. For me it works without an issue
Openshift 4.8.19 Helm chart 1.9.2
MallocArray
commented
2 years ago I'm on Openshift 4.10 and using chart 1.9.1 and 1.9.3 without issue.
We do use a certSource of "secret" and have our own TLS secret created, as well as the expose.ingress.hosts.core set to a shorter URL, so we just have harbor.domain.com and a cert that is valid for that, but the routes get created as expected in that setup.
I haven't used a default tls cert on ingress, so not sure if that is specifically where your problem lies.
Kajot-dev
commented
9 months ago @Meza1923 By "the certificate of the cluster" do you mean certificate served by default?
First if the Routes are not created, that means, that something with your Ingress is not quite right.
I think I see the problem. Setting expose.tls.enabled=true and expose.tls.certSource=none set's secretName in Ingress tls section to "".
In order to enable default tls in OpenShift you will need to:
expose.tls.enabled to falseroute.openshift.io/termination annotation to your Ingress with the value edge if you are not using internalTLS in Harbor (set expose.ingress.annotations)route.openshift.io/termination annotation to your Ingress with the value reencrypt and set route.openshift.io/destination-ca-certificate-secret annotation accordingly (although I believe this is available in newer version of Openshift)Here is an example configuration:
expose:
type: ingress
tls:
enabled: false
ingress:
hosts:
core: my.domain
annotations:
route.openshift.io/termination: "edge"
fvogl
commented
8 months ago Would be great if you could adjust the helm chart to work on Openshift 4.13.
W1219 09:28:18.347053 14086 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "core" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "core" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "core" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "core" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Kajot-dev
commented
8 months ago You can either:
securityContext on containers with proper valuesSecurityContextConstraint (such as nonroot-v2) or change PodSecurityPolicy to "basic" instead of "restricted
github-actions[bot]
commented
6 months ago This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
github-actions[bot]
commented
5 months ago This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.
Hey,
I'm trying to deploy harbor on OpenShift and make him use the certificate of the cluster. When I set the next values in order to achieve that, no route is being created.
expose.type=ingress expose.tls.enabled=true expose.tls.certSource=none
Could someone help with that problem?
Thanks a lot, Guy.