From 146e797326caba23a4f5c1a201710aa11b356fd9 Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Fri, 19 Jan 2024 17:51:29 +0100 Subject: [PATCH 1/8] add condition to disable deployment of nginx even if you do not expose via ingress Signed-off-by: Raul Garcia Sanchez --- templates/nginx/deployment.yaml | 2 +- values.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index 8290d497b..9c415410a 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml @@ -1,4 +1,4 @@ -{{- if ne .Values.expose.type "ingress" }} +{{- if and (ne .Values.expose.type "ingress") .Values.nginx.enabled }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/values.yaml b/values.yaml index ebe1e9b6a..e7b2ad4f5 100644 --- a/values.yaml +++ b/values.yaml @@ -381,8 +381,9 @@ enableMigrateHelmHook: false # contains a base64 encoded CA Certificate named `ca.crt`. # uaaSecretName: -# If service exposed via "ingress", the Nginx will not be used +# If service exposed via "ingress", or not enabled the Nginx will not be used nginx: + enabled: true image: repository: goharbor/nginx-photon tag: dev From 3833764ca5855a96e8953cdc2f2ba17562451bd3 Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Mon, 22 Jan 2024 15:21:14 +0100 Subject: [PATCH 2/8] update readme Signed-off-by: Raul Garcia Sanchez --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b690a74cd..34f0e4dde 100644 --- a/README.md +++ b/README.md @@ -184,7 +184,9 @@ The following table lists the configurable parameters of the Harbor chart and th | `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | | `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | | `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | -| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| **Nginx** (If service exposed via `ingress`, or not enabled the Nginx will not be used) | | | +| +| `nginx.enabled` | Set to false if you plan to expose Harbor without nginx. | `true` | | `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | | `nginx.image.tag` | Image tag | `dev` | | `nginx.replicas` | The replica count | `1` | From 893345e3c4afd5b94e04f85765ddef0ec8da8086 Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Mon, 22 Jan 2024 15:22:47 +0100 Subject: [PATCH 3/8] implemented Vadims #1073 PR changes Signed-off-by: Raul Garcia Sanchez --- README.md | 3 +++ templates/ingress/ingress.yaml | 3 +++ values.yaml | 1 + 3 files changed, 7 insertions(+) diff --git a/README.md b/README.md index 34f0e4dde..aa9379427 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,8 @@ The following items can be set via `--set` flag during installation or configure - **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. - **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. +If your desired option to expose Harbor (e.g. Istio Gateway, AWS ALB) is not present you can set `expose.enabled` to false and expose Harbor manually with Kubernetes Manifests. + #### Configure the external URL The external URL for Harbor core service is used to: @@ -78,6 +80,7 @@ The following table lists the configurable parameters of the Harbor chart and th | Parameter | Description | Default | | -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | **Expose** | | | +| `expose.enabled` | Set to false if no `ingress`, `clusterIP`, `nodePort` or `loadBalancer` should be created or you plan to expose Harbor in a way not offered by this chart. | `true` | | `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | | `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | | `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | diff --git a/templates/ingress/ingress.yaml b/templates/ingress/ingress.yaml index e4c06939c..95e5ca682 100644 --- a/templates/ingress/ingress.yaml +++ b/templates/ingress/ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.expose.enabled }} {{- if eq .Values.expose.type "ingress" }} {{- $ingress := .Values.expose.ingress -}} {{- $tls := .Values.expose.tls -}} @@ -143,3 +144,5 @@ spec: {{- end }} {{- end }} + +{{- end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index e7b2ad4f5..35ac75a7c 100644 --- a/values.yaml +++ b/values.yaml @@ -1,4 +1,5 @@ expose: + enabled: true # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" # and fill the information in the corresponding section type: ingress From 0b1bef800b7dd25aa734fdaf929ba469359b4eaf Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Mon, 22 Jan 2024 15:27:20 +0100 Subject: [PATCH 4/8] fix markdown Signed-off-by: Raul Garcia Sanchez --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aa9379427..d560c1e5b 100644 --- a/README.md +++ b/README.md @@ -189,7 +189,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | | **Nginx** (If service exposed via `ingress`, or not enabled the Nginx will not be used) | | | | -| `nginx.enabled` | Set to false if you plan to expose Harbor without nginx. | `true` | +| `nginx.enabled` | Set to false if you plan to expose Harbor without nginx. | `true` | | `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | | `nginx.image.tag` | Image tag | `dev` | | `nginx.replicas` | The replica count | `1` | From e90f2fe33d92ba56e949c461ca80f1df53b4641e Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Mon, 22 Jan 2024 15:33:53 +0100 Subject: [PATCH 5/8] readme markdown foo Signed-off-by: Raul Garcia Sanchez --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index d560c1e5b..6040b6675 100644 --- a/README.md +++ b/README.md @@ -188,8 +188,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | | `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | | **Nginx** (If service exposed via `ingress`, or not enabled the Nginx will not be used) | | | -| -| `nginx.enabled` | Set to false if you plan to expose Harbor without nginx. | `true` | +| | `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | | `nginx.image.tag` | Image tag | `dev` | | `nginx.replicas` | The replica count | `1` | From 439260e2d9e8181be1d30dc648e3a271895f68e4 Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Mon, 22 Jan 2024 15:37:00 +0100 Subject: [PATCH 6/8] revert changes in nginx changes Signed-off-by: Raul Garcia Sanchez --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 6040b6675..d01f10f8c 100644 --- a/README.md +++ b/README.md @@ -187,8 +187,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | | `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | | `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | -| **Nginx** (If service exposed via `ingress`, or not enabled the Nginx will not be used) | | | -| +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | | `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | | `nginx.image.tag` | Image tag | `dev` | | `nginx.replicas` | The replica count | `1` | From 3800c79fbd8531f0c5fcd3ae1b2f97eee9ce3191 Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Mon, 22 Jan 2024 15:44:20 +0100 Subject: [PATCH 7/8] markdown next try Signed-off-by: Raul Garcia Sanchez --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d01f10f8c..c32466f2f 100644 --- a/README.md +++ b/README.md @@ -188,6 +188,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | | `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | | **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.enabled` | Set to false if you plan to expose Harbor without nginx | `true` | | `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | | `nginx.image.tag` | Image tag | `dev` | | `nginx.replicas` | The replica count | `1` | From 4e4c994c7c1a43144e220223cecb6fcd6462174c Mon Sep 17 00:00:00 2001 From: Raul Garcia Sanchez Date: Tue, 8 Oct 2024 15:23:57 +0200 Subject: [PATCH 8/8] resolve conflicting files Signed-off-by: Raul Garcia Sanchez --- README.md | 667 ++++++++++++++++++++++++++-------------------------- values.yaml | 534 +++++++++++++++++++++++------------------ 2 files changed, 642 insertions(+), 559 deletions(-) diff --git a/README.md b/README.md index c32466f2f..77a048b62 100644 --- a/README.md +++ b/README.md @@ -77,337 +77,350 @@ helm uninstall my-release The following table lists the configurable parameters of the Harbor chart and the default values. -| Parameter | Description | Default | -| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| **Expose** | | | +| Parameter | Description | Default | +|-----------------------------------------------------------------------| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | | `expose.enabled` | Set to false if no `ingress`, `clusterIP`, `nodePort` or `loadBalancer` should be created or you plan to expose Harbor in a way not offered by this chart. | `true` | -| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | -| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | -| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | -| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | -| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | -| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | -| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | -| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | -| `expose.ingress.annotations` | The annotations used commonly for ingresses | | -| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | -| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | -| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | -| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | -| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | -| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | -| `expose.nodePort.name` | The name of NodePort service | `harbor` | -| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | -| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | -| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | -| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | -| `expose.loadBalancer.name` | The name of service | `harbor` | -| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | -| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | -| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | -| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | -| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | -| **Internal TLS** | | | -| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | -| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` -| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | -| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | -| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | -| **IPFamily** | | | -| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | -| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | -| **Persistence** | | | -| `persistence.enabled` | Enable the data persistence or not | `true` | -| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | -| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | -| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | -|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | -| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | -| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | -| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | -| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | -| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | -| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | -| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | -| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | -| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | -| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | -| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | -| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | -| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | -| **General** | | | -| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | -| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | -| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | -| `imagePullPolicy` | The image pull policy | | -| `imagePullSecrets` | The imagePullSecrets names for all deployments | | -| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | -| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | -| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | -| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | -| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | -| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | -| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | -| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | -| `proxy.httpProxy` | The URL of the HTTP proxy server | | -| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | -| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | -| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | -| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | -| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.labels` | The labels specific to ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.clusterIP.annotations` | The annotations used commonly for clusterIP | | +| `expose.clusterIP.labels` | The labels specific to clusterIP | {} | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.nodePort.annotations` | The annotations used commonly for nodePort | | +| `expose.nodePort.labels` | The labels specific to nodePort | {} | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.labels` | The labels specific to loadBalancer | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | | `nginx.enabled` | Set to false if you plan to expose Harbor without nginx | `true` | -| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | -| `nginx.image.tag` | Image tag | `dev` | -| `nginx.replicas` | The replica count | `1` | -| `nginx.revisionHistoryLimit` | The revision history limit | `10` | -| `nginx.resources` | The [resources] to allocate for container | undefined | -| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | -| `nginx.tolerations` | Tolerations for pod assignment | `[]` | -| `nginx.affinity` | Node/Pod affinities | `{}` | -| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | -| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | -| `nginx.priorityClassName` | The priority class to run the pod as | | -| **Portal** | | | -| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | -| `portal.image.tag` | Tag for portal image | `dev` | -| `portal.replicas` | The replica count | `1` | -| `portal.revisionHistoryLimit` | The revision history limit | `10` | -| `portal.resources` | The [resources] to allocate for container | undefined | -| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `portal.nodeSelector` | Node labels for pod assignment | `{}` | -| `portal.tolerations` | Tolerations for pod assignment | `[]` | -| `portal.affinity` | Node/Pod affinities | `{}` | -| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | -| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | -| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | -| `portal.priorityClassName` | The priority class to run the pod as | | -| **Core** | | | -| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | -| `core.image.tag` | Tag for Harbor core image | `dev` | -| `core.replicas` | The replica count | `1` | -| `core.revisionHistoryLimit` | The revision history limit | `10` | -| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | -| `core.resources` | The [resources] to allocate for container | undefined | -| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `core.nodeSelector` | Node labels for pod assignment | `{}` | -| `core.tolerations` | Tolerations for pod assignment | `[]` | -| `core.affinity` | Node/Pod affinities | `{}` | -| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | -| `core.podAnnotations` | Annotations to add to the core pod | `{}` | -| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | -| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | -| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | -| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | -| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | -| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | -| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | -| `core.priorityClassName` | The priority class to run the pod as | | -| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | -| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | -| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | -| **Jobservice** | | | -| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | -| `jobservice.image.tag` | Tag for jobservice image | `dev` | -| `jobservice.replicas` | The replica count | `1` | -| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | -| `jobservice.maxJobWorkers` | The max job workers | `10` | -| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | -| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | -| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | -| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | -| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | -| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | -| `jobservice.resources` | The [resources] to allocate for container | undefined | -| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | -| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | -| `jobservice.affinity` | Node/Pod affinities | `{}` | -| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | -| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | -| `jobservice.priorityClassName` | The priority class to run the pod as | | -| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| **Registry** | | | -| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | -| `registry.registry.image.tag` | Tag for registry image | `dev` | -| `registry.registry.resources` | The [resources] to allocate for container | undefined | -| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | -| `registry.controller.image.tag` | Tag for registry controller image | `dev` | -| `registry.controller.resources` | The [resources] to allocate for container | undefined | -| `registry.replicas` | The replica count | `1` | -| `registry.revisionHistoryLimit` | The revision history limit | `10` | -| `registry.nodeSelector` | Node labels for pod assignment | `{}` | -| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `registry.tolerations` | Tolerations for pod assignment | `[]` | -| `registry.affinity` | Node/Pod affinities | `{}` | -| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | -| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | -| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | -| `registry.priorityClassName` | The priority class to run the pod as | | -| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | -| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | -| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | -| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | -| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | -| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | -| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | -| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | -| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | -| **[Trivy][trivy]** | | | -| `trivy.enabled` | The flag to enable Trivy scanner | `true` | -| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | -| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | -| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | -| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `trivy.replicas` | The number of Pod replicas | `1` | -| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | -| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | -| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | -| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | -| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | -| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | -| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | -| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | -| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | -| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | -| `trivy.priorityClassName` | The priority class to run the pod as | | -| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | -| **Database** | | | -| `database.type` | If external database is used, set it to `external` | `internal` | -| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | -| `database.internal.image.tag` | Tag for database image | `dev` | -| `database.internal.password` | The password for database | `changeit` | -| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | -| `database.internal.resources` | The [resources] to allocate for container | undefined | -| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | -| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | -| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `database.internal.affinity` | Node/Pod affinities | `{}` | -| `database.internal.priorityClassName` | The priority class to run the pod as | | -| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | -| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | -| `database.external.host` | The hostname of external database | `192.168.0.1` | -| `database.external.port` | The port of external database | `5432` | -| `database.external.username` | The username of external database | `user` | -| `database.external.password` | The password of external database | `password` | -| `database.external.coreDatabase` | The database used by core service | `registry` | -| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | -| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | -| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | -| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | -| `database.podAnnotations` | Annotations to add to the database pod | `{}` | -| **Redis** | | | -| `redis.type` | If external redis is used, set it to `external` | `internal` | -| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | -| `redis.internal.image.tag` | Tag for redis image | `dev` | -| `redis.internal.resources` | The [resources] to allocate for container | undefined | -| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.internal.affinity` | Node/Pod affinities | `{}` | -| `redis.internal.priorityClassName` | The priority class to run the pod as | | -| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | -| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | -| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | -| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | -| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | -| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | -| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | -| `redis.external.coreDatabaseIndex` | The database index for core | `0` | -| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | -| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | -| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | -| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | -| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | -| `redis.external.username` | The username of external Redis | | -| `redis.external.password` | The password of external Redis | | -| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | -| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | -| **Exporter** | | | -| `exporter.replicas` | The replica count | `1` | -| `exporter.revisionHistoryLimit` | The revision history limit | `10` | -| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | -| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | -| `exporter.image.tag` | Tag for exporter image | `dev` | -| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | -| `exporter.tolerations` | Tolerations for pod assignment | `[]` | -| `exporter.affinity` | Node/Pod affinities | `{}` | -| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | -| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | -| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | -| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | -| `exporter.priorityClassName` | The priority class to run the pod as | | -| **Metrics** | | | -| `metrics.enabled` | if enable harbor metrics | `false` | -| `metrics.core.path` | the url path for core metrics | `/metrics` | -| `metrics.core.port` | the port for core metrics | `8001` | -| `metrics.registry.path` | the url path for registry metrics | `/metrics` | -| `metrics.registry.port` | the port for registry metrics | `8001` | -| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | -| `metrics.exporter.port` | the port for exporter metrics | `8001` | -| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | -| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | -| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | -| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | -| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | -| **Trace** | | | -| `trace.enabled` | Enable tracing or not | `false` | -| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | -| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | -| `trace.namespace` | Namespace used to differentiate different harbor services | | -| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | -| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | -| `trace.jaeger.username` | The username of jaeger | | -| `trace.jaeger.password` | The password of jaeger | | -| `trace.jaeger.agent_host` | The agent host of jaeger | | -| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | -| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | -| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | -| `trace.otel.compression` | Whether enable compression or not for otel | `false` | -| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | -| `trace.otel.timeout` | The timeout in seconds of otel | `10` | -| **Cache** | | | -| `cache.enabled` | Enable cache layer or not | `false` | -| `cache.expireHours` | The expire hours of cache layer | `24` | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| `portal.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | +| `core.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| `trivy.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | [resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ [trivy]: https://github.com/aquasecurity/trivy [trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db [trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/values.yaml b/values.yaml index 35ac75a7c..356b1cf0f 100644 --- a/values.yaml +++ b/values.yaml @@ -47,23 +47,22 @@ expose: ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "0" - harbor: - # harbor ingress-specific annotations - annotations: {} - # harbor ingress-specific labels - labels: {} + # ingress-specific labels + labels: {} clusterIP: # The name of ClusterIP service name: harbor # The ip address of the ClusterIP service (leave empty for acquiring dynamic ip) staticClusterIP: "" - # Annotations on the ClusterIP service - annotations: {} ports: # The service port Harbor listens on when serving HTTP httpPort: 80 # The service port Harbor listens on when serving HTTPS httpsPort: 443 + # Annotations on the ClusterIP service + annotations: {} + # ClusterIP-specific labels + labels: {} nodePort: # The name of NodePort service name: harbor @@ -78,6 +77,10 @@ expose: port: 443 # The node port Harbor listens on when serving HTTPS nodePort: 30003 + # Annotations on the nodePort service + annotations: {} + # nodePort-specific labels + labels: {} loadBalancer: # The name of LoadBalancer service name: harbor @@ -88,7 +91,10 @@ expose: httpPort: 80 # The service port Harbor listens on when serving HTTPS httpsPort: 443 + # Annotations on the loadBalancer service annotations: {} + # loadBalancer-specific labels + labels: {} sourceRanges: [] # The external URL for Harbor core service. It is used to @@ -106,69 +112,6 @@ expose: # If Harbor is deployed behind the proxy, set it as the URL of proxy externalURL: https://core.harbor.domain -# The internal TLS used for harbor components secure communicating. In order to enable https -# in each component tls cert files need to provided in advance. -internalTLS: - # If internal TLS enabled - enabled: false - # enable strong ssl ciphers (default: false) - strong_ssl_ciphers: false - # There are three ways to provide tls - # 1) "auto" will generate cert automatically - # 2) "manual" need provide cert file manually in following value - # 3) "secret" internal certificates from secret - certSource: "auto" - # The content of trust ca, only available when `certSource` is "manual" - trustCa: "" - # core related cert configuration - core: - # secret name for core's tls certs - secretName: "" - # Content of core's TLS cert file, only available when `certSource` is "manual" - crt: "" - # Content of core's TLS key file, only available when `certSource` is "manual" - key: "" - # jobservice related cert configuration - jobservice: - # secret name for jobservice's tls certs - secretName: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - key: "" - # registry related cert configuration - registry: - # secret name for registry's tls certs - secretName: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - key: "" - # portal related cert configuration - portal: - # secret name for portal's tls certs - secretName: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - key: "" - # trivy related cert configuration - trivy: - # secret name for trivy's tls certs - secretName: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - key: "" - -ipFamily: - # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component - ipv6: - enabled: true - # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component - ipv4: - enabled: true - # The persistence is enabled by default and a default StorageClass # is needed in the k8s cluster to provision volumes dynamically. # Specify another StorageClass in the "storageClass" or set "existingClaim" @@ -231,14 +174,14 @@ persistence: annotations: {} # Define which storage backend is used for registry to store # images and charts. Refer to - # https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#storage # for the detail. imageChartStorage: # Specify whether to disable `redirect` for images and chart storage, for # backends which not supported it (such as using minio for `s3` storage type), please disable # it. To disable redirects, simply set `disableredirect` to `true` instead. # Refer to - # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#redirect # for the detail. disableredirect: false # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. @@ -325,6 +268,76 @@ persistence: #chunksize: 10M #rootdirectory: rootdirectory +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + imagePullPolicy: IfNotPresent # Use this set to assign a list of default pullSecrets @@ -340,13 +353,6 @@ updateStrategy: # debug, info, warning, error or fatal logLevel: info -# The initial password of Harbor admin. Change it from portal after launching Harbor -# or give an existing secret for it -# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) -# existingSecretAdminPassword: -existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD -harborAdminPassword: "Harbor12345" - # The name of the secret which contains key named "ca.crt". Setting this enables the # download link on portal to download the CA certificate when the certificate isn't # generated automatically @@ -382,6 +388,98 @@ enableMigrateHelmHook: false # contains a base64 encoded CA Certificate named `ca.crt`. # uaaSecretName: +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 + +## set Container Security Context to comply with PSP restricted policy if necessary +## each of the conatiner will apply the same security context +## containerSecurityContext:{} is initially an empty yaml that you could edit it on demand, we just filled with a common template for convenience +containerSecurityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + capabilities: + drop: + - ALL + # If service exposed via "ingress", or not enabled the Nginx will not be used nginx: enabled: true @@ -447,6 +545,13 @@ portal: serviceAnnotations: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] core: image: @@ -482,6 +587,15 @@ core: podLabels: {} ## Additional service annotations serviceAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] ## User settings configuration json string configureUserSettings: # The provider for updating project quota(usage), there are 2 options, redis or db. @@ -518,8 +632,6 @@ core: existingXsrfSecret: "" # If using existingSecret, the key existingXsrfSecretKey: CSRF_KEY - ## The priority class to run the pod as - priorityClassName: # The time duration for async update artifact pull_time and repository # pull_count, the unit is second. Will be 10 seconds if it isn't set. # eg. artifactPullAsyncFlushDuration: 10 @@ -532,29 +644,12 @@ jobservice: image: repository: goharbor/harbor-jobservice tag: dev - replicas: 1 - revisionHistoryLimit: 10 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token automountServiceAccountToken: false - maxJobWorkers: 10 - # The logger for jobs: "file", "database" or "stdout" - jobLoggers: - - file - # - database - # - stdout - # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) - loggerSweeperDuration: 14 #days - notification: - webhook_job_max_retry: 3 - webhook_job_http_client_timeout: 3 # in seconds - reaper: - # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 - max_update_hours: 24 - # the max time for execution in running state without new task created - max_dangling_hours: 168 - + replicas: 1 + revisionHistoryLimit: 10 # resources: # requests: # memory: 256Mi @@ -573,6 +668,31 @@ jobservice: podAnnotations: {} ## Additional deployment labels podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 # Secret is used when job service communicates with other components. # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. @@ -581,14 +701,8 @@ jobservice: existingSecret: "" # Key within the existing secret for the job service secret existingSecretKey: JOBSERVICE_SECRET - ## The priority class to run the pod as - priorityClassName: registry: - # set the service account to be used, default if left empty - serviceAccountName: "" - # mount the service account token - automountServiceAccountToken: false registry: image: repository: goharbor/registry-photon @@ -602,12 +716,15 @@ registry: image: repository: goharbor/harbor-registryctl tag: dev - # resources: # requests: # memory: 256Mi # cpu: 100m extraEnvVars: [] + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false replicas: 1 revisionHistoryLimit: 10 nodeSelector: {} @@ -625,9 +742,16 @@ registry: podLabels: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # Secret is used to secure the upload state from client # and registry storage backend. - # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # See: https://github.com/distribution/distribution/blob/release/2.8/docs/configuration.md#http # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. secret: "" @@ -679,6 +803,36 @@ trivy: automountServiceAccountToken: false # replicas the number of Pod replicas replicas: 1 + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # debugMode the flag to enable Trivy debug mode with more verbose scanning log debugMode: false # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. @@ -711,6 +865,10 @@ trivy: # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the # `/home/scanner/.cache/trivy/db/trivy.db` path. skipUpdate: false + # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the + # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path + # + skipJavaDBUpdate: false # The offlineScan option prevents Trivy from sending API requests to identify dependencies. # # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. @@ -719,52 +877,23 @@ trivy: # It would work if all the dependencies are in local. # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. offlineScan: false - # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + # Comma-separated list of what security issues to detect. Defaults to `vuln`. securityCheck: "vuln" # The duration to wait for scan completion timeout: 5m0s - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - extraEnvVars: [] - nodeSelector: {} - tolerations: [] - affinity: {} - # Spread Pods across failure-domains like regions, availability zones or nodes - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # nodeTaintsPolicy: Honor - # whenUnsatisfiable: DoNotSchedule - ## Additional deployment annotations - podAnnotations: {} - ## Additional deployment labels - podLabels: {} - ## The priority class to run the pod as - priorityClassName: database: # if external database is used, set "type" to "external" # and fill the connection information in "external" section type: internal internal: + image: + repository: goharbor/harbor-db + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token automountServiceAccountToken: false - image: - repository: goharbor/harbor-db - tag: dev - # The initial superuser password for internal database - password: "changeit" - # The size limit for Shared memory, pgSQL use it for shared_buffer - # More details see: - # https://github.com/goharbor/harbor/issues/15034 - shmSizeLimit: 512Mi # resources: # requests: # memory: 256Mi @@ -781,6 +910,19 @@ database: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + extrInitContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi initContainer: migrator: {} # resources: @@ -813,7 +955,7 @@ database: maxIdleConns: 100 # The maximum number of open connections to the database per pod (core+exporter). # If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgre of harbor. + # Note: the default number of connections is 1024 for harbor's postgres. maxOpenConns: 900 ## Additional deployment annotations podAnnotations: {} @@ -825,13 +967,13 @@ redis: # and fill the connection information in "external" section type: internal internal: + image: + repository: goharbor/redis-photon + tag: dev # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token automountServiceAccountToken: false - image: - repository: goharbor/redis-photon - tag: dev # resources: # requests: # memory: 256Mi @@ -842,6 +984,13 @@ redis: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # # jobserviceDatabaseIndex defaults to "1" # # registryDatabaseIndex defaults to "2" # # trivyAdapterIndex defaults to "5" @@ -880,6 +1029,12 @@ redis: podLabels: {} exporter: + image: + repository: goharbor/harbor-exporter + tag: dev + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false replicas: 1 revisionHistoryLimit: 10 # resources: @@ -890,101 +1045,16 @@ exporter: podAnnotations: {} ## Additional deployment labels podLabels: {} - serviceAccountName: "" - # mount the service account token - automountServiceAccountToken: false - image: - repository: goharbor/harbor-exporter - tag: dev nodeSelector: {} tolerations: [] affinity: {} # Spread Pods across failure-domains like regions, availability zones or nodes topologySpreadConstraints: [] + ## The priority class to run the pod as + priorityClassName: # - maxSkew: 1 # topologyKey: topology.kubernetes.io/zone # nodeTaintsPolicy: Honor # whenUnsatisfiable: DoNotSchedule cacheDuration: 23 cacheCleanInterval: 14400 - ## The priority class to run the pod as - priorityClassName: - -metrics: - enabled: false - core: - path: /metrics - port: 8001 - registry: - path: /metrics - port: 8001 - jobservice: - path: /metrics - port: 8001 - exporter: - path: /metrics - port: 8001 - ## Create prometheus serviceMonitor to scrape harbor metrics. - ## This requires the monitoring.coreos.com/v1 CRD. Please see - ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md - ## - serviceMonitor: - enabled: false - additionalLabels: {} - # Scrape interval. If not set, the Prometheus default scrape interval is used. - interval: "" - # Metric relabel configs to apply to samples before ingestion. - metricRelabelings: - [] - # - action: keep - # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' - # sourceLabels: [__name__] - # Relabel configs to apply to samples before ingestion. - relabelings: - [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - -trace: - enabled: false - # trace provider: jaeger or otel - # jaeger should be 1.26+ - provider: jaeger - # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth - sample_rate: 1 - # namespace used to differentiate different harbor services - # namespace: - # attributes is a key value dict contains user defined attributes used to initialize trace provider - # attributes: - # application: harbor - jaeger: - # jaeger supports two modes: - # collector mode(uncomment endpoint and uncomment username, password if needed) - # agent mode(uncomment agent_host and agent_port) - endpoint: http://hostname:14268/api/traces - # username: - # password: - # agent_host: hostname - # export trace data by jaeger.thrift in compact mode - # agent_port: 6831 - otel: - endpoint: hostname:4318 - url_path: /v1/traces - compression: false - insecure: true - # timeout is in seconds - timeout: 10 - -# cache layer configurations -# if this feature enabled, harbor will cache the resource -# `project/project_metadata/repository/artifact/manifest` in the redis -# which help to improve the performance of high concurrent pulling manifest. -cache: - # default is not enabled. - enabled: false - # default keep cache for one day. - expireHours: 24