### Install Harbor Helm Chart

Source: https://github.com/goharbor/harbor-helm/blob/main/docs/High Availability.md

Installs the Harbor Helm chart with a specified release name after configuration.

```bash
helm install my-release .
```

--------------------------------

### Install Harbor Helm Chart

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Installs the Harbor Helm chart into your Kubernetes cluster with a specified release name. This command deploys Harbor using the default configuration.

```bash
helm install my-release harbor/harbor
```

--------------------------------

### Add Harbor Helm Repository

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Adds the official Harbor Helm repository to your local Helm configuration, allowing you to install the Harbor chart.

```bash
helm repo add harbor https://helm.goharbor.io
```

--------------------------------

### Download Harbor Helm Chart

Source: https://github.com/goharbor/harbor-helm/blob/main/docs/High Availability.md

Fetches the Harbor Helm chart from the official repository and untars it for local configuration and deployment.

```bash
helm repo add harbor https://helm.goharbor.io
helm fetch harbor/harbor --untar
```

--------------------------------

### Harbor Init Containers Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Specifies any init containers that need to be run before the main Harbor controller container starts. This is useful for setting up prerequisites or performing initial configurations.

```yaml
registry.initContainers: [] # Init containers to be run before the controller's container starts.
```

--------------------------------

### Execute Harbor Helm Upgrade

Source: https://github.com/goharbor/harbor-helm/blob/main/docs/Upgrade.md

This snippet shows the command to upgrade a Harbor deployment using the Helm chart. The `--force` flag is recommended for upgrades from version 0.3.0 due to a known issue.
```bash
helm upgrade release-name --force .
```

--------------------------------

### Harbor Helm Chart Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/docs/High Availability.md

Key configuration parameters in values.yaml for deploying Harbor with Helm, covering ingress, external services, storage, and replicas.

```yaml
# Ingress rule
expose:
  ingress:
    hosts:
      core: harbor.yourdomain.com

# External URL
externalURL: http://harbor.yourdomain.com

# External PostgreSQL
database:
  type: external
  external:
    host: postgresql.example.com
    port: 5432
    username: harbor_user
    password: harbor_password
    name: harbor_db

# External Redis
redis:
  type: external
  external:
    host: redis.example.com
    port: 6379
    password: redis_password
    # For Redis sentinel support (v1.9.0+)
    # sentinelMasterSet: mymaster
    # addr: sentinel1.example.com:26379,sentinel2.example.com:26379

# Storage Configuration
persistence:
  persistentVolumeClaim:
    registry:
      # Specify StorageClass if needed, otherwise uses default
      # storageClass: "your-storage-class"
      accessMode: "ReadWriteMany" # Required for shared PVCs
      existingClaim: ""
    jobservice:
      # Specify StorageClass if needed, otherwise uses default
      # storageClass: "your-storage-class"
      accessMode: "ReadWriteMany" # Required for shared PVCs
      existingClaim: ""
  imageChartStorage:
    type: "" # e.g., "filesystem", "s3", "azureblob", "gcs"
    # Configure specific object storage details here if not using PVCs

# Replica counts for HA
portal:
  replicas: 2
core:
  replicas: 2
jobservice:
  replicas: 2
  jobLoggers: "database" # Use 'database' if not using PVCs for job logs
registry:
  replicas: 2
```

--------------------------------

### Harbor Helm Chart Database Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration parameters for the Harbor Helm chart related to database setup.
This includes settings for internal init containers and external database connections such as host, port, username, password, and the core database name. It also supports using an existing Kubernetes secret for the database password.

```yaml
database:
  internal:
    extrInitContainers: [] # Extra init containers to be run before the database's container starts.
  external:
    host: "192.168.0.1" # The hostname of external database
    port: 5432 # The port of external database
    username: "user" # The username of external database
    password: "password" # The password of external database
    coreDatabase: "registry" # The database used by core service
    existingSecret: "" # An existing secret containing the database password. The key must be `password`.
```

--------------------------------

### Uninstall Harbor Helm Chart

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Uninstalls or deletes a previously installed Harbor release from your Kubernetes cluster.

```bash
helm uninstall my-release
```

--------------------------------

### Helm Chart Configuration for TLS Secret

Source: https://github.com/goharbor/harbor-helm/blob/main/docs/Upgrade.md

This YAML configuration snippet demonstrates how to instruct the Harbor Helm chart to use an existing TLS secret. It specifies the certificate source and the name of the secret containing the certificate.

```yaml
expose:
  tls:
    certSource: secret
    secret:
      secretName:
```

--------------------------------

### Helm Upgrade Workaround for Release Name Issue

Source: https://github.com/goharbor/harbor-helm/blob/main/docs/Upgrade.md

This provides a workaround for an issue where upgrading Harbor Helm charts from version 1.6 to 1.7+ with a release name containing 'harbor' can cause problems. It involves setting `fullnameOverride`.
```yaml
fullnameOverride: release_name-harbor
```

--------------------------------

### Configure TLS Certificate for Harbor Helm Upgrade

Source: https://github.com/goharbor/harbor-helm/blob/main/docs/Upgrade.md

This section details how to retain existing TLS certificates during a Harbor Helm chart upgrade. It involves exporting the current certificate secret, modifying it, and re-creating it to be used by the new chart configuration.

```bash
kubectl get secret
```

```bash
kubectl get secret -o yaml > secret.yaml
```

```bash
kubectl create -f secret.yaml
```

--------------------------------

### Portal Deployment Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the deployment of the Harbor portal component, including image tag, replica count, resource allocation, and pod assignment.

```yaml
portal.image.tag: "dev" # Tag for portal image
portal.replicas: "1" # The replica count
portal.revisionHistoryLimit: "10" # The revision history limit
portal.resources: undefined # The [resources] to allocate for container
portal.automountServiceAccountToken: "false" # Mount serviceAccountToken?
portal.nodeSelector: "{}" # Node labels for pod assignment
portal.tolerations: "[]" # Tolerations for pod assignment
```

--------------------------------

### Redis Initialization and External Address

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Specifies init containers for Redis startup and the address for external Redis connections. Supports both direct host:port and Sentinel configurations.

```yaml
redis.internal.initContainers: []
redis.external.addr: "192.168.0.2:6379"
```

--------------------------------

### Trivy Adapter Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration parameters for the Trivy adapter, including image details, resource allocation, and operational flags.
```Helm
trivy.image.repository: "goharbor/trivy-adapter-photon"
trivy.image.tag: "dev"
trivy.resources: "The [resources] to allocate for Trivy adapter container"
trivy.automountServiceAccountToken: "false"
trivy.replicas: "1"
trivy.debugMode: "false"
trivy.vulnType: "os,library"
```

--------------------------------

### Harbor Helm Database Configuration Parameters

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

This section outlines the key-value pairs used to configure the database settings for the Harbor Helm chart. These parameters control aspects like the database image, credentials, and resource limits.

```APIDOC
database.internal.image.repository:
  Description: Repository for database image
  Default: `goharbor/harbor-db`

database.internal.image.tag:
  Description: Tag for database image
  Default: `dev`

database.internal.password:
  Description: The password for database
  Default: `changeit`

database.internal.shmSizeLimit:
  Description: The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container
  Default: `512Mi`

database.internal.resources:
  Description: The [resources] to allocate for container
  Default: undefined

database.internal.automountServiceAccountToken:
  Description: Mount serviceAccountToken?
  Default: `false`

database.internal.initContainer.migrator.resources:
  Description: The [resources] to allocate for the database migrator initContainer
  Default: undefined
```

--------------------------------

### Harbor Helm Chart Configuration Parameters

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

This section details various configuration parameters for the Harbor Helm chart. It covers deployment update strategies, logging verbosity, administrative password management, and certificate handling.

```APIDOC
updateStrategy.type:
  Description: The update strategy for deployments with persistent volumes (jobservice, registry). Options are `RollingUpdate` or `Recreate`. Set to `Recreate` when `RWM` for volumes isn't supported.
  Default: `RollingUpdate`

logLevel:
  Description: The log level for Harbor. Options include `debug`, `info`, `warning`, `error`, or `fatal`.
  Default: `info`

harborAdminPassword:
  Description: The initial password for the Harbor admin user. It is recommended to change this from the portal after launching Harbor.
  Default: `Harbor12345`

existingSecretAdminPassword:
  Description: The name of the Kubernetes secret containing the Harbor admin password.
  Default: None

existingSecretAdminPasswordKey:
  Description: The key within the specified secret that holds the Harbor admin password.
  Default: `HARBOR_ADMIN_PASSWORD`

caSecretName:
  Description: The name of the Kubernetes secret containing the CA certificate (`ca.crt`). Setting this enables a download link on the portal for the CA certificate when it's not automatically generated.
  Default: None

secretKey:
  Description: The encryption key used by Harbor. This must be a string exactly 16 characters long.
  Default: `not-a-secure-key`
```

--------------------------------

### Harbor Jobservice Image Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for the Harbor jobservice image, specifying the repository and tag for the Docker image.

```yaml
jobservice.image.repository: Repository for jobservice image
jobservice.image.tag: Tag for jobservice image
```

--------------------------------

### Database Internal Configuration Parameters

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

This section outlines various internal configuration parameters for the database component within the Harbor Helm chart. It covers resource allocation for init containers, node selection, tolerations, affinity, priority class, and probe timeouts.
```yaml
database.internal.initContainer.permissions.resources: The [resources] to allocate for the database permissions initContainer
database.internal.nodeSelector: Node labels for pod assignment
database.internal.tolerations: Tolerations for pod assignment
database.internal.affinity: Node/Pod affinities
database.internal.priorityClassName: The priority class to run the pod as
database.internal.livenessProbe.timeoutSeconds: The timeout used in liveness probe; 1 to 5 seconds
database.internal.readinessProbe.timeoutSeconds: The timeout used in readiness probe; 1 to 5 seconds
```

--------------------------------

### OpenTelemetry Tracing Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the OpenTelemetry tracing agent for the Go Harbor Helm project. Includes settings for endpoint, URL path, compression, insecure connections, and timeouts.

```yaml
trace.otel.endpoint: "hostname:4318"
trace.otel.url_path: "/v1/traces"
trace.otel.compression: "false"
trace.otel.insecure: "true"
trace.otel.timeout: "10"
```

--------------------------------

### Harbor Helm Chart Configuration Parameters

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Details the configurable parameters for the Harbor Helm chart, covering network exposure and TLS settings. This includes options for service exposure type, TLS enablement, and certificate source management.

```APIDOC
Parameter: `expose.type`
  Description: How to expose the service: `ingress`, `clusterIP`, `nodePort`, `loadBalancer` or `route`. Other values will be ignored and the creation of service will be skipped.
  Default: `ingress`

Parameter: `expose.tls.enabled`
  Description: Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details.
  Default: `true`

Parameter: `expose.tls.certSource`
  Description: The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section:
    1) auto: generate the TLS certificate automatically
    2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager
    3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option.
  Default: `auto`

Parameter: `expose.tls.auto.commonName`
  Description: The common name used to generate the certificate, it's necessary when the type isn't `ingress`
  Default: (empty)
```

--------------------------------

### Harbor Metrics Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for enabling and setting up Harbor metrics. This includes a flag to enable metrics collection and the URL path for accessing core metrics.

```yaml
metrics.enabled: "false"
metrics.core.path: "/metrics"
```

--------------------------------

### Database Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the connection method for an external database, including SSL modes like 'require', 'verify-full', 'verify-ca', and 'disable'. It also sets the maximum number of idle and open connections to the database, and allows for adding annotations to the database pod.

```yaml
database.external.sslmode: "disable" # Connection method of external database (require, verify-full, verify-ca, disable)
database.maxIdleConns: "50" # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
database.maxOpenConns: "100" # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
database.podAnnotations: "{}" # Annotations to add to the database pod
```

--------------------------------

### Harbor Ingress Annotations and Labels

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures annotations and labels for Harbor ingresses, allowing for common ingress annotations and specific ingress labels.

```yaml
expose:
  ingress:
    annotations: "The annotations used commonly for ingresses"
    labels: "The labels specific to ingress"
```

--------------------------------

### Harbor Helm Chart Expose Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration parameters for exposing Harbor via NodePort and LoadBalancer in a Helm chart. This includes service ports, node ports, annotations, and labels for NodePort, and service names for LoadBalancer.

```yaml
expose:
  nodePort:
    ports:
      http:
        port: 80
        nodePort: 30002
      https:
        port: 443
        nodePort: 30003
    annotations: {}
    labels: {}
  loadBalancer:
    name: harbor
```

--------------------------------

### Harbor Core Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options related to core Harbor functionalities, including artifact pull asynchronous operations and GDPR compliance settings.

```yaml
core.artifactPullAsyncFlushDuration: The time duration for async update artifact pull_time and repository pull_count
core.gdpr.deleteUser: Enable GDPR compliant user delete
core.gdpr.auditLogsCompliant: Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system
core.initContainers: Init containers to be run before the controller's container starts.
```

--------------------------------

### JobService Configuration Parameters

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for the JobService, including replica count, revision history limit, maximum job workers, logging settings, and notification retry/timeout values.
```APIDOC
jobservice.replicas:
  description: The replica count for the JobService.
  default: "1"

jobservice.revisionHistoryLimit:
  description: The revision history limit for the JobService.
  default: "10"

jobservice.maxJobWorkers:
  description: The maximum number of workers for jobs.
  default: "10"

jobservice.jobLoggers:
  description: The loggers for jobs. Can be `file`, `database`, or `stdout`.
  default: "[file]"

jobservice.loggerSweeperDuration:
  description: The duration in days for the job logger sweeper. Ignored if `jobLoggers` is set to `stdout`.
  default: "14"

jobservice.notification.webhook_job_max_retry:
  description: The maximum number of retries for sending webhook notifications.
  default: "3"

jobservice.notification.webhook_job_http_client_timeout:
  description: The HTTP client timeout value for sending webhook notifications.
  default: "3"
```

--------------------------------

### Harbor Helm Exporter Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

This section details the configuration parameters for the exporter within the Harbor Helm chart. It includes settings for pod annotations, image repository and tag, node selection, tolerations, affinity, and topology spread constraints.

```yaml
exporter.podAnnotations: Annotations to add to the exporter pod
exporter.image.repository: Repository for exporter image
exporter.image.tag: Tag for exporter image
exporter.nodeSelector: Node labels for pod assignment
exporter.tolerations: Tolerations for pod assignment
exporter.affinity: Node/Pod affinities
exporter.topologySpreadConstraints: Constraints that define how Pods are spread across failure-domains like regions or availability zones
```

--------------------------------

### Harbor Registry Controller Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the Harbor registry controller, specifying the image repository and tag, and resource allocation.
The tag defaults to 'dev' and repository to 'goharbor/harbor-registryctl'. Resource allocation can be defined using Kubernetes resource specifications.

```yaml
registry.controller.image.repository: "goharbor/harbor-registryctl"
registry.controller.image.tag: "dev"
registry.controller.resources: |
  # Define resources here
  # Example:
  # limits:
  #   cpu: 500m
  #   memory: 512Mi
  # requests:
  #   cpu: 250m
  #   memory: 256Mi
```

--------------------------------

### Harbor ClusterIP Service Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Defines parameters for the ClusterIP service used to expose Harbor within a Kubernetes cluster. Includes service name, ports for HTTP and HTTPS, and associated annotations and labels.

```yaml
expose:
  clusterIP:
    name: harbor
    annotations: {}
    ports:
      httpPort: "80"
      httpsPort: "443"
    labels: {}
```

--------------------------------

### Database Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for the Harbor project's database. This parameter specifies whether an internal or external database is being used.

```yaml
database.type: "internal" # If external database is used, set it to `external`
```

--------------------------------

### Nginx Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for the Nginx component within the Harbor Helm chart. These settings control pod scheduling, annotations, and priority.
```yaml
nginx.tolerations: Tolerations for pod assignment
nginx.affinity: Node/Pod affinities
nginx.topologySpreadConstraints: Constraints that define how Pods are spread across failure-domains like regions or availability zones
nginx.podAnnotations: Annotations to add to the nginx pod
nginx.priorityClassName: The priority class to run the pod as
```

--------------------------------

### Registry Image Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration for the registry image repository within the Harbor Helm chart.

```yaml
registry:
  registry:
    image:
      # Repository for registry image
      repository: "goharbor/registry-photon"
```

--------------------------------

### Harbor Registry Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the Harbor registry, including image repository and tag, and resource allocation. The tag defaults to 'dev' and repository to 'goharbor/harbor-registry'. Resource allocation can be specified using Kubernetes resource definitions.

```yaml
registry.registry.image.repository: "goharbor/harbor-registry"
registry.registry.image.tag: "dev"
registry.registry.resources: |
  # Define resources here
  # Example:
  # limits:
  #   cpu: 500m
  #   memory: 512Mi
  # requests:
  #   cpu: 250m
  #   memory: 256Mi
```

--------------------------------

### Nginx Configuration Parameters

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration parameters for the Nginx deployment in the Harbor Helm chart. These settings control aspects like the container image, replica count, resource limits, and node selection.

```yaml
nginx.image.repository: Image repository
nginx.image.tag: Image tag
nginx.replicas: The replica count
nginx.revisionHistoryLimit: The revision history limit
nginx.resources: The [resources] to allocate for container
nginx.automountServiceAccountToken: Mount serviceAccountToken?
nginx.nodeSelector: Node labels for pod assignment
```

--------------------------------

### Harbor Helm Chart Expose Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for exposing Harbor services via load balancer or route. This includes settings for IP address, ports, annotations, labels, and source ranges for load balancers, as well as labels for HTTP routes.

```yaml
expose:
  loadBalancer:
    # The IP of the loadBalancer. It only works when loadBalancer supports assigning IP
    IP: ""
    ports:
      # The service port Harbor listens on when serving HTTP
      httpPort: 80
      # The service port Harbor listens on when serving HTTPS
      httpsPort: 30002
    # The annotations attached to the loadBalancer service
    annotations: {}
    # The labels specific to loadBalancer
    labels: {}
    # List of IP address ranges to assign to loadBalancerSourceRanges
    sourceRanges: []
  route:
    # The labels to attach to the HTTPRoute
    labels: {}
```

--------------------------------

### Jobservice Resource and Scheduling Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Defines resource allocation and Kubernetes scheduling parameters for the jobservice pods, including CPU/memory requests/limits, service account token mounting, node selectors, tolerations, and affinities.

```yaml
jobservice.resources: "The [resources] to allocate for container"
jobservice.automountServiceAccountToken: "Mount serviceAccountToken? (default: false)"
jobservice.nodeSelector: "Node labels for pod assignment"
jobservice.tolerations: "Tolerations for pod assignment"
jobservice.affinity: "Node/Pod affinities"
```

--------------------------------

### Trivy Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

This section details various configuration parameters for the Trivy vulnerability scanner within the Harbor Helm chart.
These options allow fine-grained control over scan behavior, including severity filtering, vulnerability reporting, certificate validation, and update mechanisms.

```APIDOC
trivy.severity: Comma-separated list of severities to be checked.
  Default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

trivy.ignoreUnfixed: Flag to display only fixed vulnerabilities.
  Default: false

trivy.insecure: Flag to skip verifying registry certificate.
  Default: false

trivy.skipUpdate: Flag to disable Trivy DB downloads from GitHub.
  Default: false

trivy.skipJavaDBUpdate: If enabled, requires manual download of trivy-java.db and mounting it to /home/scanner/.cache/trivy/java-db/trivy-java.db.
  Default: false

trivy.offlineScan: Flag to prevent Trivy from sending API requests to identify dependencies.
  Default: false

trivy.securityCheck: Comma-separated list of what security issues to detect.
  Default: vuln
```

--------------------------------

### Metrics Configuration Parameters

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Defines various parameters for configuring metrics collection and exposure in the Harbor Helm chart. This includes ports and paths for core, registry, and exporter metrics, as well as settings for Prometheus ServiceMonitor integration.

```yaml
metrics.core.port: the port for core metrics
metrics.registry.path: the url path for registry metrics
metrics.registry.port: the port for registry metrics
metrics.exporter.path: the url path for exporter metrics
metrics.exporter.port: the port for exporter metrics
metrics.serviceMonitor.enabled: create prometheus serviceMonitor. Requires prometheus CRD's
metrics.serviceMonitor.additionalLabels: additional labels to upsert to the manifest
```

--------------------------------

### Harbor General Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Provides essential configuration settings for Harbor, including the external URL for core services, custom CA bundle secret names for trust store injection, UAA secret names for external authentication with self-signed certificates, and image pull policies.

```yaml
externalURL: "https://core.harbor.domain"
caBundleSecretName: ""
uaaSecretName: ""
imagePullPolicy: ""
imagePullSecrets: ""
```

--------------------------------

### Harbor Helm Internal TLS Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for internal TLS settings in the Harbor Helm chart. This covers parameters for registry, portal, and trivy components, specifying how TLS certificates and keys should be provided.

```APIDOC
internalTLS.registry.secretName:
  Description: The secret name for the registry component. Only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file.

internalTLS.registry.crt:
  Description: Content of the registry's TLS cert file. Only available when `certSource` is `manual`.

internalTLS.registry.key:
  Description: Content of the registry's TLS key file. Only available when `certSource` is `manual`.

internalTLS.portal.secretName:
  Description: The secret name for the portal component. Only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file.

internalTLS.portal.crt:
  Description: Content of the portal's TLS cert file. Only available when `certSource` is `manual`.

internalTLS.portal.key:
  Description: Content of the portal's TLS key file. Only available when `certSource` is `manual`.

internalTLS.trivy.secretName:
  Description: The secret name for the trivy component. Only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file.
```

--------------------------------

### Harbor Helm Registry Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

This snippet details various configuration options for the Harbor Helm chart's registry component. It covers settings for node selection, service account token mounting, tolerations, affinity rules, topology spread constraints, middleware integration, and pod annotations.

```yaml
registry.nodeSelector: Node labels for pod assignment
registry.automountServiceAccountToken: Mount serviceAccountToken?
registry.tolerations: Tolerations for pod assignment
registry.affinity: Node/Pod affinities
registry.topologySpreadConstraints: Constraints that define how Pods are spread across failure-domains like regions or availability zones
registry.middleware: Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware).
registry.podAnnotations: Annotations to add to the registry pod
```

--------------------------------

### Trivy Scanner Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for the Trivy vulnerability scanner within the Harbor Helm project. This includes settings for scan timeouts, authentication for downloading vulnerability databases, and resource management for scanner pods.

```yaml
trivy.timeout: "5m0s" # The duration to wait for scan completion
trivy.gitHubToken: "" # The GitHub access token to download Trivy DB
trivy.priorityClassName: "" # The priority class to run the pod as
trivy.topologySpreadConstraints: "" # Constraints that define how Pods are spread across failure-domains like regions or availability zones
trivy.initContainers: [] # Init containers to be run before the controller's container starts
```

--------------------------------

### Harbor NodePort Service Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Specifies parameters for the NodePort service, which exposes Harbor on a static port on each Node's IP address. Includes the service name.

```yaml
expose:
  nodePort:
    name: harbor
```

--------------------------------

### Portal Image Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration option for the Portal component's image repository in the Harbor Helm chart.

```yaml
portal.image.repository: Repository for portal image
```

--------------------------------

### Trivy TLS Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Specifies the TLS certificate and key content for Trivy when using manual certificate management. These parameters are only relevant if `certSource` is set to `manual`.
```yaml internalTLS.trivy.crt: "Content of trivy's TLS cert file, only available when certSource is manual" internalTLS.trivy.key: "Content of trivy's TLS key file, only available when certSource is manual" ``` -------------------------------- ### Harbor Tracing Configuration Source: https://github.com/goharbor/harbor-helm/blob/main/README.md Enables and configures distributed tracing for Harbor. Supports Jaeger and OpenTelemetry (otel) providers, with options to set the sampling rate. ```yaml trace: enabled: false provider: "jaeger" sample_rate: 1 ``` -------------------------------- ### Harbor Ingress Host and Controller Configuration Source: https://github.com/goharbor/harbor-helm/blob/main/README.md Defines the host for the Harbor core service within ingress rules and specifies the type of ingress controller to use. Supports various controller types like default, gce, alb, f5-bigip, and ncp. ```yaml expose: ingress: hosts: core: "The host of Harbor core service in ingress rule" controller: "The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp`" ``` -------------------------------- ### Redis Configuration Parameters Source: https://github.com/goharbor/harbor-helm/blob/main/README.md Defines various configuration parameters for the Redis instance managed by the Harbor Helm chart. These parameters control aspects like image version, resource allocation, and pod scheduling. ```helm redis.internal.image.tag: Tag for redis image redis.internal.resources: The [resources] to allocate for container redis.internal.automountServiceAccountToken: Mount serviceAccountToken? 
redis.internal.nodeSelector: Node labels for pod assignment
redis.internal.tolerations: Tolerations for pod assignment
redis.internal.affinity: Node/Pod affinities
redis.internal.priorityClassName: The priority class to run the pod as
```

--------------------------------

### Harbor XSRF Key Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the Cross-Site Request Forgery (XSRF) key for security. The key will be generated automatically if it is not specified.

```APIDOC
core.xsrfKey:
  description: The XSRF key. Will be generated automatically if it isn't specified.
```

--------------------------------

### Harbor Helm Persistence Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for persistence in the Harbor Helm chart. This includes settings for PersistentVolumeClaims used by Trivy and storage configurations for images and charts.

```yaml
persistence:
  persistentVolumeClaim:
    trivy:
      accessMode: "ReadWriteOnce" # The access mode of the volume
      size: "1Gi" # The size of the volume
      annotations: {} # The annotations of the volume
  imageChartStorage:
    disableredirect: false # Disable redirects for storage backends that do not support them (e.g., Minio S3)
    caBundleSecretName: "" # Secret name for CA bundle if storage service uses self-signed certificates
    type: "filesystem" # Type of storage for images and charts: filesystem, azure, gcs, s3, swift, or oss
    gcs:
      existingSecret: "" # Existing secret containing the GCS service account JSON key
```

--------------------------------

### Harbor Registry Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for the Harbor registry, including priority class, secret management, and credential handling.

```APIDOC
`registry.priorityClassName`:
  - The priority class to run the pod as.

`registry.secret`:
  - Secret used to secure the upload state from client and registry storage backend.
  - See official docs: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
  - If a secret key is not specified, Helm will generate one.
  - Must be a string of 16 chars.

`registry.credentials.username`:
  - The username Harbor core uses internally to access the registry instance.
  - Together with `registry.credentials.password`, a htpasswd is created.
  - Alternative to providing `registry.credentials.htpasswdString`.
  - For more details see official docs: https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd
  - Default: `harbor_registry_user`

`registry.credentials.password`:
  - The password Harbor core uses internally to access the registry instance.
  - Together with `registry.credentials.username`, a htpasswd is created.
  - Alternative to providing `registry.credentials.htpasswdString`.
  - It is suggested you update this value before installation.
  - Default: `harbor_registry_password`

`registry.credentials.existingSecret`:
  - An existing secret containing the password for accessing the registry instance, hosted by htpasswd auth mode.
  - For more details see official docs: https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd
  - The key must be `REGISTRY_PASSWD`
  - Default: `""`

`registry.credentials.htpasswdString`:
  - Login and password in htpasswd string format.
  - Excludes `registry.credentials.username` and `registry.credentials.password`.
  - Useful for integrating with tools like argocd or flux.
  - Allows the same line to be generated each time the template is rendered, unlike the Helm `htpasswd` function which generates different lines due to the salt.
  - Default: `undefined`

`registry.relativeurls`:
  - If true, the registry returns relative URLs in Location headers.
  - The client is responsible for resolving the correct URL.
  - Needed if Harbor is behind a reverse proxy.
  - Default: `false`
```

--------------------------------

### Harbor Helm Database Persistence Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures PersistentVolumeClaim settings for the Harbor database. Allows specifying storage class, sub-path, access mode, size, and annotations. These settings are ignored if an external database is used.

```yaml
persistence:
  persistentVolumeClaim:
    database:
      storageClass: "-" # Specify storageClass or set to "-" to disable dynamic provisioning
      subPath: ""
      accessMode: "ReadWriteOnce"
      size: "1Gi"
      annotations: {}
```

--------------------------------

### Job Service Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for the job service component of the Harbor Helm chart. This includes settings for pod distribution, annotations, priority, secrets, and init containers.

```yaml
jobservice:
  # Constraints that define how Pods are spread across failure-domains like regions or availability zones
  topologySpreadConstraints: []
  # Annotations to add to the jobservice pod
  podAnnotations: {}
  # The priority class to run the pod as
  priorityClassName: ""
  # Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.
  secret: ""
  # Init containers to be run before the controller's container starts.
  initContainers: []
```

--------------------------------

### Redis Configuration Options

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Specifies the Redis type, either `internal` or `external`, and the image repository used for the internal Redis.

```yaml
redis.type: "internal" # If external redis is used, set it to `external`
redis.internal.image.repository: "goharbor/redis-photon" # Repository for redis image
```

--------------------------------

### Exporter Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configure settings for the Harbor exporter, including the number of replicas and the revision history limit for deployments.

```yaml
exporter.replicas: "The replica count"
exporter.revisionHistoryLimit: "The revision history limit"
```

--------------------------------

### Jaeger Tracing Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration parameters for enabling and configuring Jaeger tracing within the Harbor Helm project. This includes setting the endpoint, authentication, and agent details.

```yaml
trace.namespace: Namespace used to differentiate different harbor services
trace.attributes: A key-value dict of user-defined attributes used to initialize the trace provider
trace.jaeger.endpoint: The endpoint of jaeger (e.g., http://hostname:14268/api/traces)
trace.jaeger.username: The username of jaeger
trace.jaeger.password: The password of jaeger
trace.jaeger.agent_host: The agent host of jaeger
trace.jaeger.agent_port: The agent port of jaeger (e.g., 6831)
```

--------------------------------

### Harbor Metrics Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures metrics collection for Harbor using Prometheus ServiceMonitor. Allows setting scrape interval and applying relabeling rules for metrics.

```yaml
metrics:
  serviceMonitor:
    interval: ""
    metricRelabelings: []
    relabelings: []
```

--------------------------------

### Harbor Ingress TLS Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures TLS settings for Harbor ingress, specifying the Kubernetes secret containing the TLS certificate and private key.

```yaml
expose:
  tls:
    secret:
      secretName: "The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key"
```

--------------------------------

### Jobservice Reaper Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the reaper settings for the jobservice, controlling how long tasks are allowed to run before being marked as an error and how long dangling executions are tracked.

```yaml
jobservice.reaper.max_update_hours: "the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be marked as error, but the task will continue to run, default value is 24"
jobservice.reaper.max_dangling_hours: "the max time for execution in running state without new task created, default value is 168"
```

--------------------------------

### Harbor Token Signing and Validation Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the private key and certificate for signing and validating service tokens. These are used for token encryption/decryption when a custom secret name is not provided.

```APIDOC
core.tokenKey:
  description: PEM-formatted RSA private key used to sign service tokens. Only used if core.secretName is unset. If set, core.tokenCert MUST also be set.
```

```APIDOC
core.tokenCert:
  description: PEM-formatted certificate signed by core.tokenKey used to validate service tokens. Only used if core.secretName is unset. If set, core.tokenKey MUST also be set.
```

--------------------------------

### Harbor Helm Job Service Persistence

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures PersistentVolumeClaim settings for the Harbor job service's log storage. Allows specifying an existing claim, storage class, subPath, access mode, size, and annotations.

```yaml
persistence:
  persistentVolumeClaim:
    jobservice:
      jobLog:
        existingClaim: ""
        storageClass: ""
        subPath: ""
        accessMode: "ReadWriteOnce"
        size: "1Gi"
        annotations: {}
```

--------------------------------

### HTTPRoute Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures annotations, hosts, and parent references for the HTTPRoute, which determines how external traffic is routed to Harbor components.

```yaml
expose.route.annotations: The annotations to attach to the HTTPRoute
expose.route.hosts: The hosts that the HTTPRoute will request to the Gateway
expose.route.parentRefs: The Gateways to attach to the HTTPRoute
```

--------------------------------

### Harbor Quota Update Provider Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures the provider for updating project quota usage. Options include 'db' (default) or 'redis'. Using 'redis' can improve performance for high-concurrency pushes to the same project and reduce database connection spikes, but may introduce a slight delay in quota usage display. It is recommended only for scenarios experiencing database connection spikes.

```APIDOC
core.quotaUpdateProvider:
  description: The provider for updating project quota (usage). Options: 'redis' or 'db'. Default is 'db'.
  usage: 'redis' can improve performance for highly concurrent pushes to the same project and reduce database connection spikes. Using redis introduces some delay in the quota usage update for display. Switching the provider to redis is suggested only if you ran into database connection spikes under highly concurrent pushes to the same project; it brings no improvement in other scenarios.
  default: "db"
```

--------------------------------

### External Redis Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configure connection details for an external Redis instance.
Supports username, password, and the option to use an existing Kubernetes secret for authentication. Annotations can be added to the Redis pod.

```yaml
redis.external.username: "The username of external Redis"
redis.external.password: "The password of external Redis"
redis.external.existingSecret: "Use an existing secret to connect to redis. The key must be REDIS_PASSWORD"
redis.podAnnotations: "Annotations to add to the redis pod"
```

--------------------------------

### Harbor Helm Database Persistence

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configures PersistentVolumeClaim settings for the Harbor database. Supports using an existing claim; specify `subPath` if the PVC is shared. This setting is ignored if an external database is used.

```yaml
persistence:
  persistentVolumeClaim:
    database:
      existingClaim: ""
```

--------------------------------

### Harbor Helm Persistence Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Configuration options for managing Persistent Volume Claims (PVCs) in the Harbor Helm deployment. This includes settings for resource retention, using existing PVCs, storage class provisioning, volume size, and access modes.

```APIDOC
persistence.resourcePolicy:
  Description: Set it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted. Does not affect PVCs created for internal database and redis components.
  Default: `keep`

persistence.persistentVolumeClaim.registry.existingClaim:
  Description: Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components

persistence.persistentVolumeClaim.registry.storageClass:
  Description: Specify the `storageClass` used to provision the volume; otherwise the default StorageClass is used.
  Set it to `-` to disable dynamic provisioning

persistence.persistentVolumeClaim.registry.subPath:
  Description: The sub path used in the volume

persistence.persistentVolumeClaim.registry.accessMode:
  Description: The access mode of the volume
  Default: `ReadWriteOnce`

persistence.persistentVolumeClaim.registry.size:
  Description: The size of the volume
  Default: `5Gi`

persistence.persistentVolumeClaim.registry.annotations:
  Description: The annotations of the volume
```

--------------------------------

### Harbor Deployment Configuration

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Sets the replica count and revision history limit for the Harbor deployment. The replica count defaults to '1', and the revision history limit defaults to '10'.

```yaml
registry.replicas: "1"
registry.revisionHistoryLimit: "10"
```

--------------------------------

### Harbor Ingress Class Name Specification

Source: https://github.com/goharbor/harbor-helm/blob/main/README.md

Specifies the `ingressClassName` to be used for implementing the Ingress, compatible with Kubernetes 1.18+.

```yaml
expose:
  ingress:
    className: "Specify the `ingressClassName` used to implement the Ingress (Kubernetes 1.18+)"
```
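
--------------------------------

### Added Example: Linting Secret-Related Values Before Install

The secret-related rules stated in the parameter descriptions above (16-character `registry.secret` and `jobservice.secret`, the default `registry.credentials.password`, and the `core.tokenKey`/`core.tokenCert` pairing) can be checked before running `helm install`. This is an added example, not code from the Harbor project; `lookup`, `audit` and `SAMPLE_VALUES` are hypothetical names, and the script assumes the chart values have already been parsed into a nested dict.

```python
# Added example: pre-install lint for secret-related Harbor chart values.
# Rules come from the parameter descriptions on this page; names are hypothetical.

DEFAULT_REGISTRY_PASSWORD = "harbor_registry_password"  # default listed on this page


def lookup(values, dotted, default=None):
    """Resolve a dotted key such as 'registry.credentials.password' in nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(values):
    """Return findings for a values dict (e.g. the result of parsing values.yaml)."""
    findings = []

    # Empty means Helm generates the secret; otherwise it must be 16 characters.
    for key in ("registry.secret", "jobservice.secret"):
        secret = lookup(values, key, "")
        if secret and (not isinstance(secret, str) or len(secret) != 16):
            findings.append(f"{key}: must be a string of 16 chars")

    # Assumption: existingSecret or htpasswdString replaces the inline password.
    creds = lookup(values, "registry.credentials", {}) or {}
    if not creds.get("existingSecret") and not creds.get("htpasswdString"):
        if creds.get("password", DEFAULT_REGISTRY_PASSWORD) == DEFAULT_REGISTRY_PASSWORD:
            findings.append("registry.credentials.password: chart default in use")

    # tokenKey/tokenCert are only used when core.secretName is unset, and only as a pair.
    if not lookup(values, "core.secretName"):
        has_key = bool(lookup(values, "core.tokenKey"))
        has_cert = bool(lookup(values, "core.tokenCert"))
        if has_key != has_cert:
            findings.append("core.tokenKey and core.tokenCert must be set together")

    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_VALUES = {
    "registry": {"secret": "too-short", "credentials": {"username": "harbor_registry_user"}},
    "jobservice": {"secret": "0123456789abcdef"},
    "core": {"tokenKey": "<constructed placeholder PEM>"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VALUES):
        print("FINDING:", finding)
```

An empty result only means none of these three rules was violated; it does not validate the key material itself.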