refactor(harbor): merge trivy sections

CHANGELOG.md

@@ -1,6 +1,26 @@
 # Changelog
 
-## [0.2.0] - 2024-11-20
+## [0.2.0] - 2024-11-23
+
+### Added
+
+- Enable gzip compression on Ingress-NGINX
+- Enable brotli compression on Ingress-NGINX
+  - Set brotli level to `6`
+
+## [0.1.3] - 2024-11-23
+
+### Changed
+
+- Bump ingress-nginx Helm chart to version `4.11.3`
+
+## [0.1.2] - 2024-11-21
+
+### Changed
+
+- Disable Cilium Envoy (`l7Proxy=false`)
+
+## [0.1.1] - 2024-11-20
 
 ### Changed
 

apps/hq/harbor.yaml

@@ -0,0 +1,87 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mareshq-registry
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "50"
+spec:
+  project: hq
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: hq-registry
+  source:
+    chart: harbor
+    repoURL: https://helm.goharbor.io
+    targetRevision: 1.16.0
+    helm:
+      releaseName: harbor
+      valuesObject:
+        externalURL: https://oci.marespkg.com
+        expose:
+          type: ingress
+          tls:
+            enabled: true
+            certSource: secret
+            secret:
+              secretName: oci-marespkg-com-ingress-tls
+          ingress:
+            className: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-dns-production
+              external-dns.alpha.kubernetes.io/hostname: oci.marespkg.com
+              external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+            hosts:
+              core: oci.marespkg.com
+        database:
+          type: external
+          external:
+            host: postgres-rw.postgres.svc
+            port: 5432
+            username: harbor
+            password: "YFC0tae.bpz2ncf!rye"
+            # existingSecret: harbor-user-credentials
+            coreDatabase: harbor
+        persistence:
+          enabled: false
+        imageChartStorage:
+          type: s3
+          s3:
+            region: us-east-1 # see: https://developers.cloudflare.com/r2/api/s3/api/#bucket-region
+            bucket: marespkg-registry-storage
+            regionendpoint: https://f24333bb3c47d6db753e57e2a0c90082.r2.cloudflarestorage.com
+            accesskey: "e9d400c4f63375cc94f6f125724f3aa6"
+            secretkey: "5e1da29e9ab131c1c312add4bda82a4bdb75c4afe0f69c40dd384c5f0a6f8120"
+        metrics:
+          enabled: false
+        nginx:
+          nodeSelector:
+            kubernetes.io/arch: amd64
+        portal:
+          nodeSelector:
+            kubernetes.io/arch: amd64
+        core:
+          nodeSelector:
+            kubernetes.io/arch: amd64
+        jobservice:
+          nodeSelector:
+            kubernetes.io/arch: amd64
+        registry:
+          nodeSelector:
+            kubernetes.io/arch: amd64
+        trivy:
+          nodeSelector:
+            kubernetes.io/arch: amd64
+          extraEnvVars:
+            - name: SCANNER_TRIVY_DB_REPOSITORY
+              value: "oci.marespkg.com/library/trivy-db:2"
+        redis:
+          internal:
+            nodeSelector:
+              kubernetes.io/arch: amd64

apps/system/cilium.yaml

@@ -31,3 +31,6 @@ spec:
         kubeProxyReplacement: true
         k8sServiceHost: "172.16.1.1" # internal IP (Hetzner Cloud Network)
         k8sServicePort: "6443"
+
+        # Disable Envoy proxy
+        l7Proxy: false

apps/system/ingress-nginx.yaml

@@ -19,7 +19,7 @@ spec:
   source:
     chart: ingress-nginx
     repoURL: https://kubernetes.github.io/ingress-nginx
-    targetRevision: 4.11.2
+    targetRevision: 4.11.3
     helm:
       releaseName: ingress-nginx
       valuesObject:
@@ -46,3 +46,7 @@ spec:
             use-proxy-protocol: "true"
             use-forwarded-headers: "true"
             enable-real-ip: "true"
+            use-gzip: "true"
+            enable-brotli: "true"
+            brotli-level: "6"
+            use-http2: "true"