feat(recipes): adding nuo specific recipes

recipes/alpine/templates/conf/docker/subgid.pktpl.hcl

@@ -0,0 +1,6 @@
+
+# Configuration file of Harbor
+
+# The IP address or hostname to access admin UI and registry service.
+# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
+hostname: ${Vars.RootlessDocker}

recipes/alpine/templates/conf/docker/subuid.pktpl.hcl

@@ -0,0 +1,3 @@
+%{ if Vars.RootlessDocker }
+docker:231072:65536
+%{ endif }

recipes/alpine/templates/conf/harbor/harbor.yml.pktpl.hcl

@@ -0,0 +1,265 @@
+# Configuration file of Harbor
+
+# The IP address or hostname to access admin UI and registry service.
+# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
+hostname: ${Vars.HarborDomain}
+
+# http related config
+http:
+  # port for http, default is 80. If https enabled, this port will redirect to https port
+  port: ${Vars.HarborHTTPPort}
+
+# https related config
+https:
+  # https port for harbor, default is 443
+  port: ${Vars.HarborHTTPSPort}
+  # The path of cert and key files for nginx
+  certificate: ${Vars.HarborSSLCert}
+  private_key: ${Vars.HarborSSLPrivKey}
+
+# # Uncomment following will enable tls communication between all harbor components
+# internal_tls:
+#   # set enabled to true means internal tls is enabled
+#   enabled: true
+#   # put your cert and key files on dir
+#   dir: /etc/harbor/tls/internal
+
+# Uncomment external_url if you want to enable external proxy
+# And when it enabled the hostname will no longer used
+# external_url: https://reg.mydomain.com:8433
+
+# The initial password of Harbor admin
+# It only works in first time to install harbor
+# Remember Change the admin password from UI after launching Harbor.
+harbor_admin_password: ${Vars.HarborAdminPassword}
+
+# Harbor DB configuration
+database:
+  # The password for the root user of Harbor DB. Change this before any production use.
+  password: ${Vars.HarborDBPassword}
+  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
+  max_idle_conns: 50
+  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
+  # Note: the default number of connections is 100 for postgres.
+  max_open_conns: 200
+
+# The default data volume
+data_volume: /srv/harbor/data
+
+# Harbor Storage settings by default is using /data dir on local filesystem
+# Uncomment storage_service setting If you want to using external storage
+# storage_service:
+#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
+#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
+#   ca_bundle:
+
+#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
+#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
+#   filesystem:
+#     maxthreads: 100
+#   # set disable to true when you want to disable registry redirect
+#   redirect:
+#     disabled: false
+
+# Trivy configuration
+#
+# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
+# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
+# 12 hours and published as a new release to GitHub.
+trivy:
+  # ignoreUnfixed The flag to display only fixed vulnerabilities
+  ignore_unfixed: false
+  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
+  #
+  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
+  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
+  skip_update: false
+  #
+  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
+  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
+  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
+  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
+  # It would work if all the dependencies are in local.
+  # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
+  offline_scan: false
+  #
+  # insecure The flag to skip verifying registry certificate
+  insecure: false
+  # github_token The GitHub access token to download Trivy DB
+  #
+  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
+  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
+  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
+  # https://developer.github.com/v3/#rate-limiting
+  #
+  # You can create a GitHub token by following the instructions in
+  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+  #
+  # github_token: xxx
+
+jobservice:
+  # Maximum number of job workers in job service
+  max_job_workers: 10
+  logger_sweeper_duration: 300
+
+notification:
+  # Maximum retry count for webhook job
+  webhook_job_max_retry: 10
+  webhook_job_http_client_timeout: 300
+
+chart:
+  # Change the value of absolute_url to enabled can enable absolute url in chart
+  absolute_url: disabled
+
+# Log configurations
+log:
+  # options are debug, info, warning, error, fatal
+  level: info
+  # configs for logs in local storage
+  local:
+    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
+    rotate_count: 50
+    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
+    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
+    # are all valid.
+    rotate_size: 200M
+    # The directory on your host that store log
+    location: /var/log/harbor
+
+  # Uncomment following lines to enable external syslog endpoint.
+  # external_endpoint:
+  #   # protocol used to transmit log to external endpoint, options is tcp or udp
+  #   protocol: tcp
+  #   # The host of external endpoint
+  #   host: localhost
+  #   # Port of external endpoint
+  #   port: 5140
+
+#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
+_version: 2.6.0
+
+# Uncomment external_database if using external database.
+# external_database:
+#   harbor:
+#     host: harbor_db_host
+#     port: harbor_db_port
+#     db_name: harbor_db_name
+#     username: harbor_db_username
+#     password: harbor_db_password
+#     ssl_mode: disable
+#     max_idle_conns: 2
+#     max_open_conns: 0
+#   notary_signer:
+#     host: notary_signer_db_host
+#     port: notary_signer_db_port
+#     db_name: notary_signer_db_name
+#     username: notary_signer_db_username
+#     password: notary_signer_db_password
+#     ssl_mode: disable
+#   notary_server:
+#     host: notary_server_db_host
+#     port: notary_server_db_port
+#     db_name: notary_server_db_name
+#     username: notary_server_db_username
+#     password: notary_server_db_password
+#     ssl_mode: disable
+
+# Uncomment external_redis if using external Redis server
+# external_redis:
+#   # support redis, redis+sentinel
+#   # host for redis: <host_redis>:<port_redis>
+#   # host for redis+sentinel:
+#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
+#   host: redis:6379
+#   password:
+#   # sentinel_master_set must be set to support redis+sentinel
+#   #sentinel_master_set:
+#   # db_index 0 is for core, it's unchangeable
+#   registry_db_index: 1
+#   jobservice_db_index: 2
+#   chartmuseum_db_index: 3
+#   trivy_db_index: 5
+#   idle_timeout_seconds: 30
+
+# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
+# uaa:
+#   ca_file: /path/to/ca
+
+# Global proxy
+# Config http proxy for components, e.g. http://my.proxy.com:3128
+# Components doesn't need to connect to each others via http proxy.
+# Remove component from `components` array if want disable proxy
+# for it. If you want use proxy for replication, MUST enable proxy
+# for core and jobservice, and set `http_proxy` and `https_proxy`.
+# Add domain to the `no_proxy` field, when you want disable proxy
+# for some special registry.
+proxy:
+  http_proxy:
+  https_proxy:
+  no_proxy:
+  components:
+  - core
+  - jobservice
+  - notary
+  - trivy
+
+metric:
+  enabled: false
+  port: 9090
+  path: /metrics
+
+# Trace related config
+# only can enable one trace provider(jaeger or otel) at the same time,
+# and when using jaeger as provider, can only enable it with agent mode or collector mode.
+# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
+# if using jaeger agetn mode uncomment agent_host and agent_port
+# trace:
+#   enabled: true
+#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
+#   sample_rate: 1
+#   # # namespace used to differenciate different harbor services
+#   # namespace:
+#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
+#   # attributes:
+#   #   application: harbor
+#   # # jaeger should be 1.26 or newer.
+#   # jaeger:
+#   #   endpoint: http://hostname:14268/api/traces
+#   #   username:
+#   #   password:
+#   #   agent_host: hostname
+#   #   # export trace data by jaeger.thrift in compact mode
+#   #   agent_port: 6831
+#   # otel:
+#   #   endpoint: hostname:4318
+#   #   url_path: /v1/traces
+#   #   compression: false
+#   #   insecure: true
+#   #   timeout: 10s
+
+# enable purge _upload directories
+upload_purging:
+  enabled: true
+  # remove files in _upload directories which exist for a period of time, default is one week.
+  age: 168h
+  # the interval of the purge operations
+  interval: 24h
+  dryrun: false
+
+# cache layer configurations
+# If this feature enabled, harbor will cache the resource
+# `project/project_metadata/repository/artifact/manifest` in the redis
+# which can especially help to improve the performance of high concurrent
+# manifest pulling.
+# NOTICE
+# If you are deploying Harbor in HA mode, make sure that all the harbor
+# instances have the same behaviour, all with caching enabled or disabled,
+# otherwise it can lead to potential data inconsistency.
+cache:
+  # not enabled by default
+  enabled: false
+  # keep cache for one day by default
+  expire_hours: 24

recipes/alpine/templates/conf/install/awnsers.pktpl.hcl

@@ -37,7 +37,7 @@ SSHDOPTS="-c openssh -k /root/.ssh/authorized_keys"
 NTPOPTS="-c openntpd"
 
 # Use /dev/sda as a data disk
-DISKOPTS="-L -m sys /dev/vda"
+DISKOPTS="-L -m sys ${disk_device}"
 
 USEROPTS="-a -g 'netdev' ${user}"
 

recipes/alpine/templates/conf/matchbox/dnsmasq.d/dnsmasq-hosts.conf.pktpl.hcl

@@ -1,4 +1,4 @@
-${Vars.ETH0.IP} ${Vars.Set.Hostname}
+${Vars.NIC[0].IP} ${Vars.Set.Hostname}
 %{ if Vars.MatchBox.Hostname != "" }
-${Vars.ETH0.IP} ${Vars.MatchBox.Hostname}
+${Vars.NIC[0].IP} ${Vars.MatchBox.Hostname}
 %{ endif }

recipes/alpine/templates/conf/nuo-harbor

@@ -0,0 +1 @@
+harbor

recipes/alpine/templates/conf/nuo-matchbox/conf.d/matchbox.conf.pktpl.hcl

@@ -0,0 +1 @@
+command_args="-address 0.0.0.0:${Vars.MatchBox.HTTPPort} -rpc-address 0.0.0.0:${Vars.MatchBox.gRPCPort} -log-level ${Vars.MatchBox.LogLevel}"

recipes/alpine/templates/conf/nuo-matchbox/dnsmasq.d/dnsmasq-hosts.conf.pktpl.hcl

@@ -0,0 +1,7 @@
+${Vars.NIC[0].IP} ${Vars.Set.Hostname}
+%{ if Vars.MatchBox.Hostname != "" }
+${Vars.NIC[0].IP} ${Vars.MatchBox.Hostname}
+%{ endif }
+%{ for host in Vars.DNSMasq.Hosts }
+${host.IP} ${host.Name}
+%{ endfor }

recipes/alpine/templates/conf/nuo-matchbox/dnsmasq.d/ipxe.conf.pktpl.hcl

@@ -0,0 +1,60 @@
+log-queries
+log-dhcp
+
+#port=0
+listen-address=0.0.0.0
+interface=${Vars.PXE.ListenInterface}
+no-resolv
+domain-needed
+bogus-priv
+expand-hosts
+server=${Vars.DNS[0]}
+strict-order
+addn-hosts=/etc/dnsmasq-hosts.conf
+domain=${Vars.PXE.DNSDomain}
+local=/${Vars.PXE.DNSDomain}/
+localise-queries
+
+
+%{ if Vars.PXE.DHCPMode == "proxy" }
+#dhcp-no-override
+dhcp-range=${Vars.NIC[0].IP},proxy
+%{ else }
+dhcp-range=${Vars.PXE.DHCPRangeStart},${Vars.PXE.DHCPRangeEnd},${Vars.PXE.DHCPLeaseDuration}
+dhcp-option=option:router,${Vars.NIC[0].Gateway}
+%{ endif }
+
+dhcp-option=option:dns-server,${Vars.NIC[0].IP}
+dhcp-option=option:domain-name,${Vars.PXE.DNSDomain}
+
+# TFTP Configuration
+enable-tftp
+tftp-root="${Vars.PXE.TFTPRoot}"
+
+pxe-prompt="${Vars.PXE.GreetingMessage}",${Vars.PXE.DelayTime}
+
+# Based on logic in https://gist.github.com/robinsmidsrod/4008017
+# iPXE sends a 175 option, checking suboptions
+dhcp-match=set:ipxe-http,175,19
+dhcp-match=set:ipxe-https,175,20
+dhcp-match=set:ipxe-menu,175,39
+# pcbios specific
+dhcp-match=set:ipxe-pxe,175,33
+dhcp-match=set:ipxe-bzimage,175,24
+dhcp-match=set:ipxe-iscsi,175,17
+# efi specific
+dhcp-match=set:ipxe-efi,175,36
+# combination
+# set ipxe-ok tag if we have correct combination
+# http && menu && iscsi ((pxe && bzimage) || efi)
+tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-pxe,tag:ipxe-bzimage
+tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-efi
+
+
+## Load different PXE boot image depending on client architecture (when running as a proxy DHCP)
+pxe-service=tag:!ipxe-ok, x86PC, "Legacy boot PXE chainload to iPXE", undionly.kpxe
+pxe-service=tag:!ipxe-ok, BC_EFI, "UEFI32 boot chainload to iPXE", snponly.efi
+pxe-service=tag:!ipxe-ok, X86-64_EFI, "UEFI64 boot chainload to iPXE", snponly.efi
+
+dhcp-userclass=set:ipxe,iPXE
+dhcp-boot=tag:ipxe-ok,http://${Vars.NIC[0].IP}:${Vars.MatchBox.HTTPPort}/boot.ipxe,,${Vars.NIC[0].IP}

recipes/alpine/templates/conf/nuo-matchbox/hostname.pktpl.hcl

@@ -0,0 +1 @@
+${Vars.Set.Hostname}

recipes/alpine/templates/conf/nuo-matchbox/init.d/matchbox.pktpl.hcl

@@ -0,0 +1,28 @@
+#!/sbin/openrc-run
+  
+name=$RC_SVCNAME
+command="/usr/local/bin/$RC_SVCNAME"
+command_user="$RC_SVCNAME"
+pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"
+start_stop_daemon_args="--start -b"
+command_args="$command_args"
+command_background="yes"
+
+depend() {
+        need net
+}
+
+start_pre() {
+        checkpath --directory --owner $command_user:$command_user --mode 0775 \
+                /run/$RC_SVCNAME /var/log/$RC_SVCNAME
+        if [ ! -f "/etc/matchbox/server.crt" ]; then
+                cd /root/tls
+                export SAN="DNS.1:${Vars.MatchBox.Hostname},IP.1:${Vars.NIC[0].IP}"
+                ./cert-gen
+                mkdir -p /etc/matchbox
+                cp ca.crt server.crt server.key /etc/matchbox
+                chown -R matchbox:matchbox /etc/matchbox
+                mkdir -p /root/.matchbox
+                cp client.crt client.key ca.crt /root/.matchbox/
+        fi
+}

recipes/alpine/templates/conf/nuo-matchbox/network/interfaces.pktpl.hcl

@@ -0,0 +1,9 @@
+
+%{ for iface in Vars.NIC }
+auto ${iface.Name}
+
+iface ${iface.Name} inet static
+  address ${iface.IP}
+  netmask ${iface.Mask}
+  gateway ${iface.Gateway}
+%{ endfor ~}

recipes/alpine/templates/conf/nuo-matchbox/resolv.conf.pktpl.hcl

@@ -0,0 +1,4 @@
+
+%{ for dns in Vars.DNS }
+nameserver ${dns}
+%{ endfor ~}