Merge pull request #10 from QingCloudAppcenter/upgrade/1.7.5

Upgrade to 1.7.5

ansible/.gitignore

@@ -1,2 +1,3 @@
 /files/tmp
 /make.retry
+hosts

ansible/files/etc/confd/templates/03.adminserver.env.tmpl

@@ -73,7 +73,7 @@ UAA_CLIENTID=id
 UAA_CLIENTSECRET=secret
 UAA_ENDPOINT=uaa.mydomain.org
 UAA_VERIFY_CERT=true
-WITH_CHARTMUSEUM=False
+WITH_CHARTMUSEUM=True
 WITH_CLAIR=False
 WITH_NOTARY=False
 ADMINSERVER_ENV_FILE

ansible/files/etc/confd/templates/03.chartserver.env.tmpl

@@ -0,0 +1,62 @@
+{{- if eq $nodeRole "web" }}
+encrypted=$(echo -n {{ getv "/cluster/cluster_id" }}{{ getv "/cluster/global_uuid" }} | sha256sum | base64)
+coreSecret=${encrypted:0:16}
+encrypted=$(echo -n {{ getv "/cluster/user_id" }}{{ getv "/cluster/global_uuid" }} | sha256sum | base64)
+redisPassword=${encrypted:0:16}
+
+cat > /opt/app/conf/chartserver/env << CHART_SERVER_ENV_EOF
+## Settings should be set
+PORT=9999
+
+# Only support redis now. If redis is setup, then enable cache
+CACHE=redis
+CACHE_REDIS_ADDR=redis:6379
+CACHE_REDIS_PASSWORD=$redisPassword
+CACHE_REDIS_DB=3
+
+# Credential for internal communication
+BASIC_AUTH_USER=chart_controller
+BASIC_AUTH_PASS=$coreSecret
+
+# Multiple tenants
+# Must be set with 1 to support project namespace
+DEPTH=1
+
+{{- if len (ls "/hosts/storage_node") }}
+STORAGE=local
+STORAGE_LOCAL_ROOTDIR=/chart_storage
+{{- else }}
+STORAGE=amazon
+STORAGE_AMAZON_BUCKET={{ getv "/env/QS_BUCKET" }}
+STORAGE_AMAZON_PREFIX={{ getv "/env/QS_ROOT_DIRECTORY" "" }}
+{{- $qsRegion := getv "/env/QS_ZONE" "pek3a" }}
+STORAGE_AMAZON_REGION={{ $qsRegion }}
+{{- if eq (getv "/env/s3.url.used" "false") "true" }}
+STORAGE_AMAZON_ENDPOINT={{ getv "/env/QS_URL" }}
+{{- else }}
+{{- $qsUrl := split (getv "/env/QS_URL") "://" }}
+STORAGE_AMAZON_ENDPOINT={{ index $qsUrl 0}}://s3.{{ $qsRegion }}.{{ index $qsUrl 1 }}
+{{- end }}
+AWS_ACCESS_KEY_ID={{ getv "/env/QS_ACCESS" }}
+AWS_SECRET_ACCESS_KEY={{ getv "/env/QS_SECRET" }}
+{{- end }}
+
+## Settings with default values. Just put here for future changes
+DEBUG=false
+LOG_JSON=true
+DISABLE_METRICS=false
+DISABLE_API=false
+DISABLE_STATEFILES=false
+ALLOW_OVERWRITE=true
+CHART_URL=
+AUTH_ANONYMOUS_GET=false
+TLS_CERT=
+TLS_KEY=
+CONTEXT_PATH=
+INDEX_LIMIT=0
+MAX_STORAGE_OBJECTS=0
+MAX_UPLOAD_SIZE=20971520
+CHART_POST_FORM_FIELD_NAME=chart
+PROV_POST_FORM_FIELD_NAME=prov
+CHART_SERVER_ENV_EOF
+{{- end }}

ansible/files/etc/confd/templates/10.registry.yml.tmpl

@@ -20,8 +20,12 @@ storage:
     secretkey: {{ getv "/env/QS_SECRET" }}
     {{- $qsRegion := getv "/env/QS_ZONE" "pek3a" }}
     region: {{ $qsRegion }}
+    {{- if eq (getv "/env/s3.url.used" "false") "true" }}
+    regionendpoint: {{ getv "/env/QS_URL" }}
+    {{- else }}
     {{- $qsUrl := split (getv "/env/QS_URL") "://" }}
     regionendpoint: {{ index $qsUrl 0}}://s3.{{ $qsRegion }}.{{ index $qsUrl 1 }}
+    {{- end }}
     bucket: {{ getv "/env/QS_BUCKET" }}
     rootdirectory: {{ getv "/env/QS_ROOT_DIRECTORY" "" }}
   {{- end }}

ansible/files/etc/confd/templates/13.docker-compose.yml.tmpl

@@ -31,7 +31,7 @@ services:
   {{- end }}
   {{- if eq $nodeRole "storage" }}
   storage:
-    image: erichough/nfs-server:1.2.0
+    image: erichough/nfs-server:2.2.1
     container_name: nfs-server
     restart: always
     privileged: true
@@ -270,6 +270,36 @@ services:
       options:
         syslog-address: "tcp://log:1514"
         tag: "web.portal"
+  chartmuseum:
+    container_name: chartmuseum
+    image: goharbor/chartmuseum-photon:v0.8.1-\$HARBOR_VERSION
+    env_file:
+      ./chartserver/env
+    restart: always
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_OVERRIDE
+      - SETGID
+      - SETUID
+    networks:
+      - harbor
+    dns_search: .
+    extra_hosts:
+      - redis:{{ range getvs "/hosts/cache_node/*/ip" }}{{ . }}{{ end }}
+    volumes:
+      {{- if len (ls "/hosts/storage_node") }}
+      - /data/registry:/chart_storage:z
+      {{- end }}
+      - ./chartserver/docker-entrypoint.sh:/docker-entrypoint.sh:z
+      - ./chartserver:/etc/chartserver:z
+      - ./custom-ca-bundle.crt:/harbor_cust_cert/custom-ca-bundle.crt:z
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://log:1514"
+        tag: "web.chartmuseum"
   proxy:
     image: goharbor/nginx-photon:\$HARBOR_VERSION
     container_name: nginx

ansible/files/opt/app/conf/chartserver/docker-entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+#/chart_storage is the directory in the contaienr for storing the chart artifacts
+#if storage driver is set to 'local'
+if [ -d /chart_storage ]; then
+    if ! stat -c '%u:%g' /chart_storage | grep -q '10000:10000' ; then
+        # 10000 is the id of harbor user/group.
+        # Usually NFS Server does not allow changing owner of the export directory,
+        # so need to skip this step and requires NFS Server admin to set its owner to 10000.
+        chown 10000:10000 -R /chart_storage
+    fi
+fi
+
+echo $UID
+/harbor/install_cert.sh
+
+#Start the server process
+sudo -E -H -u \#10000 sh -c "/chartserver/chartm" #Parameters are set by ENV
+set +e

ansible/files/opt/app/conf/nginx/nginx.conf

@@ -33,6 +33,9 @@ http {
     # disable any limits to avoid HTTP 413 for large image uploads
     client_max_body_size 0;
 
+    # costumized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
+    include /etc/nginx/conf.d/harbor.http.*.conf;
+
     location / {
       proxy_pass http://portal/;
       proxy_set_header Host $host;

ansible/make.yml

@@ -1,7 +1,7 @@
 ---
 - hosts: appcenter
   vars:
-    harborVersion: v1.7.4
+    harborVersion: v1.7.5
     appAgentVersion: v1.0.6
     containerdVersion: 1.2.4
     dockerVersion: 18.09.3
@@ -15,9 +15,11 @@
 
     - file: path=files/tmp/confd-tmpl state=absent
       delegate_to: localhost
+      run_once: True
 
     - file: path=files/tmp/confd-tmpl state=directory
       delegate_to: localhost
+      run_once: True
 
     - name: Copy tmpl files
       vars:
@@ -27,6 +29,7 @@
         src: "{{ srcDir }}"
         dest: "{{ destDir }}"
       delegate_to: localhost
+      run_once: True
 
     - name: Generate tmpl files
       template:
@@ -35,6 +38,7 @@
       with_fileglob:
         - templates/etc/confd/templates/*.j2
       delegate_to: localhost
+      run_once: True
 
     - name: Compile tmpl files
       shell: |
@@ -47,6 +51,7 @@
       args:
         executable: /bin/bash
       delegate_to: localhost
+      run_once: True
 
     - name: Copy confd tmpl files
       copy:
@@ -135,7 +140,8 @@
         - "goharbor/harbor-portal:{{ harborVersion }}"
         - "goharbor/harbor-adminserver:{{ harborVersion }}"
         - "goharbor/harbor-db:{{ harborVersion }}"
-        - "erichough/nfs-server:1.2.0"
+        - "goharbor/chartmuseum-photon:v0.8.1-{{ harborVersion }}"
+        - "erichough/nfs-server:2.2.1"
 
     - name: Download reusable Docker Compose binaries locally
       get_url:

app/cluster.json.mustache

@@ -2,6 +2,7 @@
   "name": {{cluster.name}},
   "description": {{cluster.description}},
   "upgrade_policy": [
+    "appv-lqqfiy30",
     "appv-p3qbt6y6",
     "appv-utedkwla"
   ],
@@ -11,7 +12,7 @@
     "container": {
       "type": "kvm",
       "zone": "pek3a",
-      "image": "img-uq1pyeay"
+      "image": "img-nzp3btub"
     },
     "instance_class": {{cluster.log_node.instance_class}},
     "count": 1,
@@ -52,7 +53,7 @@
     "container": {
       "type": "kvm",
       "zone": "pek3a",
-      "image": "img-uq1pyeay"
+      "image": "img-nzp3btub"
     },
     "instance_class": {{cluster.storage_node.instance_class}},
     "count": {{cluster.storage_node.count}},
@@ -93,7 +94,7 @@
     "container": {
       "type": "kvm",
       "zone": "pek3a",
-      "image": "img-uq1pyeay"
+      "image": "img-nzp3btub"
     },
     "instance_class": {{cluster.db_node.instance_class}},
     "count": 1,
@@ -135,7 +136,7 @@
     "container": {
       "type": "kvm",
       "zone": "pek3a",
-      "image": "img-uq1pyeay"
+      "image": "img-nzp3btub"
     },
     "instance_class": {{cluster.cache_node.instance_class}},
     "count": 1,
@@ -169,7 +170,7 @@
     "container": {
       "type": "kvm",
       "zone": "pek3a",
-      "image": "img-uq1pyeay"
+      "image": "img-nzp3btub"
     },
     "instance_class": {{cluster.web_node.instance_class}},
     "count": {{cluster.web_node.count}},
@@ -207,14 +208,15 @@
       "QS_BUCKET": {{env.QS_BUCKET}},
       "QS_ZONE": {{env.QS_ZONE}},
       "QS_URL": {{env.QS_URL}},
+      "s3.url.used": {{env.s3.url.used}},
       "QS_ROOT_DIRECTORY": {{env.QS_ROOT_DIRECTORY}}
     }
   }, {
     "role": "job_node",
     "container": {
       "type": "kvm",
       "zone": "pek3a",
-      "image": "img-uq1pyeay"
+      "image": "img-nzp3btub"
     },
     "instance_class": {{cluster.job_node.instance_class}},
     "count": {{cluster.job_node.count}},
@@ -251,6 +253,7 @@
       "QS_BUCKET": {{env.QS_BUCKET}},
       "QS_ZONE": {{env.QS_ZONE}},
       "QS_URL": {{env.QS_URL}},
+      "s3.url.used": {{env.s3.url.used}},
       "QS_ROOT_DIRECTORY": {{env.QS_ROOT_DIRECTORY}}
     }
   }],

app/config.json

@@ -262,7 +262,8 @@
           0,
           2,
           3,
-          5
+          5,
+          6
         ],
         "required": "yes"
       }, {
@@ -455,6 +456,14 @@
       "changeable": true,
       "default": "https://qingstor.com",
       "required": "no"
+    }, {
+      "key": "s3.url.used",
+      "label": "S3 URL Used",
+      "description": "The specified URL is non-QingStor",
+      "type": "boolean",
+      "changeable": true,
+      "default": false,
+      "required": "no"
     }]
   }]
 }

app/locale/zh-cn.json

@@ -11,7 +11,7 @@
   "Express Configuration": "快速配置",
   "The resource group of the service": "使用默认配置快速创建集群。也可根据自身需求自定义节点配置",
   "vxnet": "私有网络",
-  "Choose a vxnet to join": "选择要加入的私有网络",
+  "Choose a vxnet to join": "请不要选择 172.17.0.0/16 或 172.18.0.0/16 这两个网段的网络，这两个网段会与 Harbor 所在的 Docker 网络产生冲突从而导致创建失败",
   "loadbalancer": "负载均衡器",
   "Loadbalancer": "负载均衡器",
   "The load balancer for the cluster":"用于 Harbor 服务的负载均衡器",
@@ -32,7 +32,7 @@
   "Provide an access_key_id to use": "（若使用本地存储请忽略此项）提供要使用的 access_key_id，用于 Harbor 的镜像存储",
   "secret_access_key": "secret_access_key",
   "Provide the accesskey to connect QingStor for storing Image data; keep untouched if not using QingStor": "（若使用本地存储请忽略此项）提供可用于访问 QingStor 的 Access Key，用于 Harbor 的镜像存储",
-  "Provide the Address of QingStor": "（若使用本地存储请忽略此项）提供 QingStor 的地址",
+  "Provide the Address of QingStor": "（若使用本地存储请忽略此项）提供对象存储的地址，比如填入 https://qingstor.com 默认会自动转换成兼容 S3 的地址：https://s3.[region].qingstor.com",
   "zone": "（若使用本地存储请忽略此项）QingStor 区域",
   "Provide the zone of bucket to use": "（若使用本地存储请忽略此项）提供 QingStor 存储空间区域",
   "The root direcotry or prefix for Harbor image storage; keep untouched if not using QingStor": "（若使用本地存储请忽略此项）提供存储桶里用于存储镜像的根目录名称，默认为空，表示使用整个桶；为了保证数据完整，创建集群后将无法更改此项",
@@ -54,19 +54,21 @@
   "If QingStor will be used as Harbor's backend, then DO NOT create this node; otherwise please create one; default to 0 meaning not to create": "使用本地存储请选择 1 ，使用 QingStor 对象存储请选择 0",
   "Local Storage": "本地存储",
   "QingStor": "QingStor 对象存储",
-  "Local Storage: for testing; QingStor: for production": "本地存储：仅供开发测试使用，默认为超高性能盘（最大 2T），如有大容量需求，请选择“自定义”并在存储节点的磁盘类型处选择“企业级分布式 SAN（NeonSAN）”；QingStor 对象存储：生产环境请使用对象存储，获得更高的可用性和无限容量",
+  "Local Storage: for testing; QingStor: for production": "本地存储：仅供开发测试使用，默认为超高性能盘（最大 2T），如有大容量需求，请选择“自定义”，存储节点数选为 1，并在磁盘类型处选择“企业级分布式 SAN（NeonSAN）”；QingStor 对象存储：生产环境请使用对象存储，获得更高的可用性和无限容量",
   "Configuration properties":"服务配置参数",
   "HARBOR_HOST":"Harbor 地址",
   "HARBOR_MYSQL_PW":"MySQL 密码",
   "The password of Database MySQL":"Harbor 数据库 MySQL 的密码",
   "REGISTRY_READONLY":"只读",
   "Turn on readonly mode,only allow pull action":"只允许 pull 操作，请在进行仓库清理 GC 时使用",
   "The address of harbor service, e.g. https://harbor.example.com (notice not to end with slash '/')":"访问 Harbor 服务的地址，与负载均衡器前端保持一致，示例：https://harbor.example.com （注意不要以斜线 '/' 结尾）",
+  "The specified URL is non-QingStor": "如果设为 true，则表示不要把上面填的对象存储 URL 转换成 QingStor 兼容 S3 的地址",
   "QS_ACCESS":"Access_Key_ID",
   "QS_SECRET":"Secret_Access_Key",
-  "QS_BUCKET":"QingStor Bucket 桶",
-  "QS_ZONE":"QingStor Zone 区域",
-  "QS_URL":"QintStor 地址",
+  "QS_BUCKET":"对象存储桶 (Bucket)",
+  "QS_ZONE":"对象存储区 (Region)",
+  "QS_URL":"对象存储 URL",
+  "S3 URL Used": "使用 S3 地址",
   "QS_ROOT_DIRECTORY":"存储根目录",
   "cleanImage":"清理镜像"
 }