Harbor is an open source trusted cloud-native registry to store, sign, and scan content. It adds functionalities like security, identity, and management to the open source Docker distribution.
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/harbor
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository.
This Helm chart installs Harbor in a Kubernetes cluster. Welcome to contribute to Helm Chart for Harbor.
This Helm chart has been developed based on goharbor/harbor-helm chart but including some features common to the Bitnami chart library. For example, the following changes have been introduced:
Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters.
To install the chart with the release name my-release
:
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/harbor
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.io
andREPOSITORY_NAME=bitnamicharts
.
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources
value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the resourcesPreset
values, which automatically sets the resources
section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcePreset
is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
You can expose Harbor core using two methods:
exposureType
should be set to ingress
.
exposureType
should be set to proxy
. There are three ways to do so depending on the NGINX Proxy service type:
NodeIP:NodePort
.The external URL for Harbor core service is used to:
Format: protocol://domain[:port]
. Usually:
domain
should be the value of ingress.core.hostname
.ClusterIP
service type, the domain
should be the value of service.clusterIP
.NodePort
service type, the domain
should be the IP address of one Kubernetes node.LoadBalancer
service type, set the domain
as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider.If Harbor is deployed behind the proxy, set it as the URL of proxy.
If you have a need for additional containers to run within the same pod as any of the Harbor components (e.g. an additional metrics or logging exporter), you can do so via the sidecars
config parameter inside each component subsection. Simply define your container according to the Kubernetes container spec.
core:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
Similarly, you can add extra init containers using the initContainers
parameter.
core:
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the extraEnvVars
property inside each component subsection.
core:
extraEnvVars:
- name: LOG_LEVEL
value: error
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the extraEnvVarsCM
or the extraEnvVarsSecret
values inside each component subsection.
StorageClass
is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the storageClass
or set existingClaim
if you have already existing persistent volumes to use.azure
, gcs
, s3
swift
and oss
.core.secret
, jobservice.secret
and registry.secret
to configure then statically through the helm values. it expects the “key or password”, not the secret name where secrets are stored.core.secretName
to configure.Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: #107).
If you want to manage full Secret objects by your own, you can use existingSecret & existingEnvVarsSecret parameters. This could be useful for some secure GitOps workflows, of course, you will have to ensure to define all expected keys for those secrets.
The core service have two Secret
objects, the default one for data & communication which is very important as it’s contains the data encryption key of your harbor instance ! and a second one which contains standard passwords, database access password, … Keep in mind that the HARBOR_ADMIN_PASSWORD
is only used to boostrap your harbor instance, if you update it after the deployment, the password is updated in database, but the secret will remain the initial one.
This chart allows you to set your custom affinity using the XXX.affinity
parameter(s). Find more information about Pod’s affinity in the kubernetes documentation.
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the XXX.podAffinityPreset
, XXX.podAntiAffinityPreset
, or XXX.nodeAffinityPreset
parameters.
As the images run as non-root by default, it is necessary to adjust the ownership of the persistent volumes so that the containers can write data into it.
By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.
You can enable this initContainer by setting volumePermissions.enabled
to true
.
Name | Description | Value |
---|---|---|
global.imageRegistry |
Global Docker image registry | "" |
global.imagePullSecrets |
Global Docker registry secret names as an array | [] |
global.defaultStorageClass |
Global default StorageClass for Persistent Volume(s) | "" |
global.storageClass |
DEPRECATED: use global.defaultStorageClass instead | "" |
global.compatibility.openshift.adaptSecurityContext |
Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | auto |
Name | Description | Value |
---|---|---|
nameOverride |
String to partially override common.names.fullname template (will maintain the release name) | "" |
fullnameOverride |
String to fully override common.names.fullname template with a string | "" |
kubeVersion |
Force target Kubernetes version (using Helm capabilities if not set) | "" |
clusterDomain |
Kubernetes Cluster Domain | cluster.local |
commonAnnotations |
Annotations to add to all deployed objects | {} |
commonLabels |
Labels to add to all deployed objects | {} |
extraDeploy |
Array of extra objects to deploy with the release (evaluated as a template). | [] |
diagnosticMode.enabled |
Enable diagnostic mode (all probes will be disabled and the command will be overridden) | false |
diagnosticMode.command |
Command to override all containers in the the deployment(s)/statefulset(s) | ["sleep"] |
diagnosticMode.args |
Args to override all containers in the the deployment(s)/statefulset(s) | ["infinity"] |
Name | Description | Value |
---|---|---|
adminPassword |
The initial password of Harbor admin. Change it from portal after launching Harbor | "" |
externalURL |
The external URL for Harbor Core service | https://core.harbor.domain |
proxy.httpProxy |
The URL of the HTTP proxy server | "" |
proxy.httpsProxy |
The URL of the HTTPS proxy server | "" |
proxy.noProxy |
The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal |
proxy.components |
The component list that the proxy settings apply to | ["core","jobservice","trivy"] |
logLevel |
The log level used for Harbor services. Allowed values are [ fatal | error | warn | info | debug | trace ] | debug |
internalTLS.enabled |
Use TLS in all the supported containers: core, jobservice, portal, registry and trivy | false |
internalTLS.caBundleSecret |
Name of an existing secret with a custom CA that will be injected into the trust store for core, jobservice, registry, trivy components | "" |
ipFamily.ipv6.enabled |
Enable listening on IPv6 ([::]) for NGINX-based components (NGINX,portal) | true |
ipFamily.ipv4.enabled |
Enable listening on IPv4 for NGINX-based components (NGINX,portal) | true |
Name | Description | Value |
---|---|---|
exposureType |
The way to expose Harbor. Allowed values are [ ingress | proxy ] | proxy |
service.type |
NGINX proxy service type | LoadBalancer |
service.ports.http |
NGINX proxy service HTTP port | 80 |
service.ports.https |
NGINX proxy service HTTPS port | 443 |
service.nodePorts.http |
Node port for HTTP | "" |
service.nodePorts.https |
Node port for HTTPS | "" |
service.sessionAffinity |
Control where client requests go, to the same pod or round-robin | None |
service.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
service.clusterIP |
NGINX proxy service Cluster IP | "" |
service.loadBalancerIP |
NGINX proxy service Load Balancer IP | "" |
service.loadBalancerSourceRanges |
NGINX proxy service Load Balancer sources | [] |
service.externalTrafficPolicy |
NGINX proxy service external traffic policy | Cluster |
service.annotations |
Additional custom annotations for NGINX proxy service | {} |
service.extraPorts |
Extra port to expose on NGINX proxy service | [] |
ingress.core.ingressClassName |
IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
ingress.core.pathType |
Ingress path type | ImplementationSpecific |
ingress.core.apiVersion |
Force Ingress API version (automatically detected if not set) | "" |
ingress.core.controller |
The ingress controller type. Currently supports default , gce and ncp |
default |
ingress.core.hostname |
Default host for the ingress record | core.harbor.domain |
ingress.core.annotations |
Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
ingress.core.tls |
Enable TLS configuration for the host defined at ingress.core.hostname parameter |
false |
ingress.core.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
ingress.core.extraHosts |
An array with additional hostname(s) to be covered with the ingress record | [] |
ingress.core.extraPaths |
An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
ingress.core.extraTls |
TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
ingress.core.secrets |
Custom TLS certificates as secrets | [] |
ingress.core.extraRules |
Additional rules to be covered with this ingress record | [] |
Name | Description | Value |
---|---|---|
persistence.enabled |
Enable the data persistence or not | true |
persistence.resourcePolicy |
Setting it to keep to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted |
keep |
persistence.persistentVolumeClaim.registry.existingClaim |
Name of an existing PVC to use | "" |
persistence.persistentVolumeClaim.registry.storageClass |
PVC Storage Class for Harbor Registry data volume | "" |
persistence.persistentVolumeClaim.registry.subPath |
The sub path used in the volume | "" |
persistence.persistentVolumeClaim.registry.accessModes |
The access mode of the volume | ["ReadWriteOnce"] |
persistence.persistentVolumeClaim.registry.size |
The size of the volume | 5Gi |
persistence.persistentVolumeClaim.registry.annotations |
Annotations for the PVC | {} |
persistence.persistentVolumeClaim.registry.selector |
Selector to match an existing Persistent Volume | {} |
persistence.persistentVolumeClaim.jobservice.existingClaim |
Name of an existing PVC to use | "" |
persistence.persistentVolumeClaim.jobservice.storageClass |
PVC Storage Class for Harbor Jobservice data volume | "" |
persistence.persistentVolumeClaim.jobservice.subPath |
The sub path used in the volume | "" |
persistence.persistentVolumeClaim.jobservice.accessModes |
The access mode of the volume | ["ReadWriteOnce"] |
persistence.persistentVolumeClaim.jobservice.size |
The size of the volume | 1Gi |
persistence.persistentVolumeClaim.jobservice.annotations |
Annotations for the PVC | {} |
persistence.persistentVolumeClaim.jobservice.selector |
Selector to match an existing Persistent Volume | {} |
persistence.persistentVolumeClaim.trivy.storageClass |
PVC Storage Class for Trivy data volume | "" |
persistence.persistentVolumeClaim.trivy.accessModes |
The access mode of the volume | ["ReadWriteOnce"] |
persistence.persistentVolumeClaim.trivy.size |
The size of the volume | 5Gi |
persistence.persistentVolumeClaim.trivy.annotations |
Annotations for the PVC | {} |
persistence.persistentVolumeClaim.trivy.selector |
Selector to match an existing Persistent Volume | {} |
persistence.imageChartStorage.caBundleSecret |
Specify the caBundleSecret if the storage service uses a self-signed certificate. The secret must contain keys named ca.crt which will be injected into the trust store of registry’s containers. |
"" |
persistence.imageChartStorage.disableredirect |
The configuration for managing redirects from content backends. For backends which do not supported it (such as using MinIO® for s3 storage type), please set it to true to disable redirects. Refer to the guide for more information about the detail |
false |
persistence.imageChartStorage.type |
The type of storage for images and charts: filesystem , azure , gcs , s3 , swift or oss . The type must be filesystem if you want to use persistent volumes for registry. Refer to the guide for more information about the detail |
filesystem |
persistence.imageChartStorage.filesystem.rootdirectory |
Filesystem storage type setting: Storage root directory | /storage |
persistence.imageChartStorage.filesystem.maxthreads |
Filesystem storage type setting: Maximum threads directory | "" |
persistence.imageChartStorage.azure.accountname |
Azure storage type setting: Name of the Azure account | accountname |
persistence.imageChartStorage.azure.accountkey |
Azure storage type setting: Key of the Azure account | base64encodedaccountkey |
persistence.imageChartStorage.azure.container |
Azure storage type setting: Container | containername |
persistence.imageChartStorage.azure.storagePrefix |
Azure storage type setting: Storage prefix | /azure/harbor/charts |
persistence.imageChartStorage.azure.realm |
Azure storage type setting: Realm of the Azure account | "" |
persistence.imageChartStorage.gcs.bucket |
GCS storage type setting: Bucket name | bucketname |
persistence.imageChartStorage.gcs.encodedkey |
GCS storage type setting: Base64 encoded key | "" |
persistence.imageChartStorage.gcs.rootdirectory |
GCS storage type setting: Root directory name | "" |
persistence.imageChartStorage.gcs.chunksize |
GCS storage type setting: Chunk size name | "" |
persistence.imageChartStorage.s3.region |
S3 storage type setting: Region | us-west-1 |
persistence.imageChartStorage.s3.bucket |
S3 storage type setting: Bucket name | bucketname |
persistence.imageChartStorage.s3.accesskey |
S3 storage type setting: Access key name | "" |
persistence.imageChartStorage.s3.secretkey |
S3 storage type setting: Secret Key name | "" |
persistence.imageChartStorage.s3.regionendpoint |
S3 storage type setting: Region Endpoint | "" |
persistence.imageChartStorage.s3.encrypt |
S3 storage type setting: Encrypt | "" |
persistence.imageChartStorage.s3.keyid |
S3 storage type setting: Key ID | "" |
persistence.imageChartStorage.s3.secure |
S3 storage type setting: Secure | "" |
persistence.imageChartStorage.s3.skipverify |
S3 storage type setting: TLS skip verification | "" |
persistence.imageChartStorage.s3.v4auth |
S3 storage type setting: V4 authorization | "" |
persistence.imageChartStorage.s3.chunksize |
S3 storage type setting: V4 authorization | "" |
persistence.imageChartStorage.s3.rootdirectory |
S3 storage type setting: Root directory name | "" |
persistence.imageChartStorage.s3.storageClass |
S3 storage type setting: Storage class | "" |
persistence.imageChartStorage.s3.sse |
S3 storage type setting: SSE name | "" |
persistence.imageChartStorage.s3.multipartcopythresholdsize |
S3 storage type setting: Threshold size for multipart copy | "" |
persistence.imageChartStorage.swift.authurl |
Swift storage type setting: Authentication url | https://storage.myprovider.com/v3/auth |
persistence.imageChartStorage.swift.username |
Swift storage type setting: Authentication url | "" |
persistence.imageChartStorage.swift.password |
Swift storage type setting: Password | "" |
persistence.imageChartStorage.swift.container |
Swift storage type setting: Container | "" |
persistence.imageChartStorage.swift.region |
Swift storage type setting: Region | "" |
persistence.imageChartStorage.swift.tenant |
Swift storage type setting: Tenant | "" |
persistence.imageChartStorage.swift.tenantid |
Swift storage type setting: TenantID | "" |
persistence.imageChartStorage.swift.domain |
Swift storage type setting: Domain | "" |
persistence.imageChartStorage.swift.domainid |
Swift storage type setting: DomainID | "" |
persistence.imageChartStorage.swift.trustid |
Swift storage type setting: TrustID | "" |
persistence.imageChartStorage.swift.insecureskipverify |
Swift storage type setting: Verification | "" |
persistence.imageChartStorage.swift.chunksize |
Swift storage type setting: Chunk | "" |
persistence.imageChartStorage.swift.prefix |
Swift storage type setting: Prefix | "" |
persistence.imageChartStorage.swift.secretkey |
Swift storage type setting: Secre Key | "" |
persistence.imageChartStorage.swift.accesskey |
Swift storage type setting: Access Key | "" |
persistence.imageChartStorage.swift.authversion |
Swift storage type setting: Auth | "" |
persistence.imageChartStorage.swift.endpointtype |
Swift storage type setting: Endpoint | "" |
persistence.imageChartStorage.swift.tempurlcontainerkey |
Swift storage type setting: Temp URL container key | "" |
persistence.imageChartStorage.swift.tempurlmethods |
Swift storage type setting: Temp URL methods | "" |
persistence.imageChartStorage.oss.accesskeyid |
OSS storage type setting: Access key ID | "" |
persistence.imageChartStorage.oss.accesskeysecret |
OSS storage type setting: Access key secret name containing the token | "" |
persistence.imageChartStorage.oss.region |
OSS storage type setting: Region name | "" |
persistence.imageChartStorage.oss.bucket |
OSS storage type setting: Bucket name | "" |
persistence.imageChartStorage.oss.endpoint |
OSS storage type setting: Endpoint | "" |
persistence.imageChartStorage.oss.internal |
OSS storage type setting: Internal | "" |
persistence.imageChartStorage.oss.encrypt |
OSS storage type setting: Encrypt | "" |
persistence.imageChartStorage.oss.secure |
OSS storage type setting: Secure | "" |
persistence.imageChartStorage.oss.chunksize |
OSS storage type setting: Chunk | "" |
persistence.imageChartStorage.oss.rootdirectory |
OSS storage type setting: Directory | "" |
persistence.imageChartStorage.oss.secretkey |
OSS storage type setting: Secret key | "" |
Name | Description | Value |
---|---|---|
tracing.enabled |
Enable tracing | false |
tracing.sampleRate |
Tracing sample rate from 0 to 1 | 1 |
tracing.namespace |
Used to differentiate traces between different harbor services | "" |
tracing.attributes |
A key value dict containing user defined attributes used to initialize the trace provider | {} |
tracing.jaeger |
Configuration for exporting to jaeger. If using jaeger collector mode, use endpoint, username and password. If using jaeger agent mode, use agentHostname and agentPort. | |
tracing.jaeger.enabled |
Enable jaeger export | false |
tracing.jaeger.endpoint |
Jaeger endpoint | "" |
tracing.jaeger.username |
Jaeger username | "" |
tracing.jaeger.password |
Jaeger password | "" |
tracing.jaeger.agentHost |
Jaeger agent hostname | "" |
tracing.jaeger.agentPort |
Jaeger agent port | "" |
tracing.otel |
Configuration for exporting to an otel endpoint | |
tracing.otel.enabled |
Enable otel export | false |
tracing.otel.endpoint |
The hostname and port for an otel compatible backend | hostname:4318 |
tracing.otel.urlpath |
Url path of otel endpoint | /v1/traces |
tracing.otel.compression |
Enable data compression | false |
tracing.otel.timeout |
The timeout for data transfer | 10s |
tracing.otel.insecure |
Ignore cert verification for otel backend | true |
Name | Description | Value |
---|---|---|
certificateVolume.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if certificateVolume.resources is set (certificateVolume.resources is recommended for production). | nano |
certificateVolume.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
volumePermissions.enabled |
Enable init container that changes the owner and group of the persistent volume | false |
volumePermissions.image.registry |
Init container volume-permissions image registry | REGISTRY_NAME |
volumePermissions.image.repository |
Init container volume-permissions image repository | REPOSITORY_NAME/os-shell |
volumePermissions.image.digest |
Init container volume-permissions image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
volumePermissions.image.pullPolicy |
Init container volume-permissions image pull policy | IfNotPresent |
volumePermissions.image.pullSecrets |
Init container volume-permissions image pull secrets | [] |
volumePermissions.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | nano |
volumePermissions.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
volumePermissions.containerSecurityContext.enabled |
Enable init container Security Context | true |
volumePermissions.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
volumePermissions.containerSecurityContext.runAsUser |
User ID for the init container | 0 |
Name | Description | Value |
---|---|---|
nginx.image.registry |
NGINX image registry | REGISTRY_NAME |
nginx.image.repository |
NGINX image repository | REPOSITORY_NAME/nginx |
nginx.image.digest |
NGINX image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
nginx.image.pullPolicy |
NGINX image pull policy | IfNotPresent |
nginx.image.pullSecrets |
NGINX image pull secrets | [] |
nginx.image.debug |
Enable NGINX image debug mode | false |
nginx.tls.enabled |
Enable TLS termination | true |
nginx.tls.existingSecret |
Existing secret name containing your own TLS certificates. | "" |
nginx.tls.commonName |
The common name used to generate the self-signed TLS certificates | core.harbor.domain |
nginx.behindReverseProxy |
If NGINX is behind another reverse proxy, set to true | false |
nginx.command |
Override default container command (useful when using custom images) | [] |
nginx.args |
Override default container args (useful when using custom images) | [] |
nginx.extraEnvVars |
Array with extra environment variables to add NGINX pods | [] |
nginx.extraEnvVarsCM |
ConfigMap containing extra environment variables for NGINX pods | "" |
nginx.extraEnvVarsSecret |
Secret containing extra environment variables (in case of sensitive data) for NGINX pods | "" |
nginx.containerPorts.http |
NGINX HTTP container port | 8080 |
nginx.containerPorts.https |
NGINX HTTPS container port | 8443 |
nginx.replicaCount |
Number of NGINX replicas | 1 |
nginx.livenessProbe.enabled |
Enable livenessProbe on NGINX containers | true |
nginx.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
nginx.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
nginx.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
nginx.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
nginx.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
nginx.readinessProbe.enabled |
Enable readinessProbe on NGINX containers | true |
nginx.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
nginx.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
nginx.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
nginx.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
nginx.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
nginx.startupProbe.enabled |
Enable startupProbe on NGINX containers | false |
nginx.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 10 |
nginx.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
nginx.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
nginx.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
nginx.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
nginx.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
nginx.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
nginx.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
nginx.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if nginx.resources is set (nginx.resources is recommended for production). | small |
nginx.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
nginx.podSecurityContext.enabled |
Enabled NGINX pods’ Security Context | true |
nginx.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
nginx.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
nginx.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
nginx.podSecurityContext.fsGroup |
Set NGINX pod’s Security Context fsGroup | 1001 |
nginx.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
nginx.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
nginx.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
nginx.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
nginx.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
nginx.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
nginx.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
nginx.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
nginx.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
nginx.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
nginx.updateStrategy.type |
NGINX deployment strategy type - only really applicable for deployments with RWO PVs attached | RollingUpdate |
nginx.lifecycleHooks |
LifecycleHook for the NGINX container(s) to automate configuration before or after startup | {} |
nginx.automountServiceAccountToken |
Mount Service Account token in pod | false |
nginx.serviceAccount.create |
Specifies whether a ServiceAccount should be created | false |
nginx.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
nginx.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
nginx.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
nginx.hostAliases |
NGINX pods host aliases | [] |
nginx.podLabels |
Add additional labels to the NGINX pods (evaluated as a template) | {} |
nginx.podAnnotations |
Annotations to add to the NGINX pods (evaluated as a template) | {} |
nginx.podAffinityPreset |
NGINX Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
"" |
nginx.podAntiAffinityPreset |
NGINX Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
soft |
nginx.nodeAffinityPreset.type |
NGINX Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard |
"" |
nginx.nodeAffinityPreset.key |
NGINX Node label key to match Ignored if affinity is set. |
"" |
nginx.nodeAffinityPreset.values |
NGINX Node label values to match. Ignored if affinity is set. |
[] |
nginx.affinity |
NGINX Affinity for pod assignment | {} |
nginx.nodeSelector |
NGINX Node labels for pod assignment | {} |
nginx.tolerations |
NGINX Tolerations for pod assignment | [] |
nginx.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
nginx.priorityClassName |
Priority Class Name | "" |
nginx.schedulerName |
Use an alternate scheduler, e.g. “stork”. | "" |
nginx.sidecars |
Add additional sidecar containers to the NGINX pods | [] |
nginx.initContainers |
Add additional init containers to the NGINX pods | [] |
nginx.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
nginx.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
nginx.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both nginx.pdb.minAvailable and nginx.pdb.maxUnavailable are empty. |
"" |
nginx.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the NGINX pods | [] |
nginx.extraVolumes |
Optionally specify extra list of additional volumes for the NGINX pods | [] |
nginx.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
nginx.networkPolicy.allowExternal |
Don’t require server label for connections | true |
nginx.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
nginx.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
nginx.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
nginx.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
nginx.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
Name | Description | Value |
---|---|---|
portal.image.registry |
Harbor Portal image registry | REGISTRY_NAME |
portal.image.repository |
Harbor Portal image repository | REPOSITORY_NAME/harbor-portal |
portal.image.digest |
Harbor Portal image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
portal.image.pullPolicy |
Harbor Portal image pull policy | IfNotPresent |
portal.image.pullSecrets |
Harbor Portal image pull secrets | [] |
portal.image.debug |
Enable Harbor Portal image debug mode | false |
portal.tls.existingSecret |
Name of an existing secret with the certificates for internal TLS access | "" |
portal.command |
Override default container command (useful when using custom images) | [] |
portal.args |
Override default container args (useful when using custom images) | [] |
portal.extraEnvVars |
Array with extra environment variables to add Harbor Portal pods | [] |
portal.extraEnvVarsCM |
ConfigMap containing extra environment variables for Harbor Portal pods | "" |
portal.extraEnvVarsSecret |
Secret containing extra environment variables (in case of sensitive data) for Harbor Portal pods | "" |
portal.containerPorts.http |
Harbor Portal HTTP container port | 8080 |
portal.containerPorts.https |
Harbor Portal HTTPS container port | 8443 |
portal.replicaCount |
Number of Harbor Portal replicas | 1 |
portal.livenessProbe.enabled |
Enable livenessProbe on Harbor Portal containers | true |
portal.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
portal.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
portal.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
portal.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
portal.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
portal.readinessProbe.enabled |
Enable readinessProbe on Harbor Portal containers | true |
portal.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
portal.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
portal.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
portal.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
portal.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
portal.startupProbe.enabled |
Enable startupProbe on Harbor Portal containers | false |
portal.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
portal.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
portal.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
portal.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
portal.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
portal.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
portal.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
portal.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
portal.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if portal.resources is set (portal.resources is recommended for production). | small |
portal.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
portal.podSecurityContext.enabled |
Enabled Harbor Portal pods’ Security Context | true |
portal.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
portal.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
portal.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
portal.podSecurityContext.fsGroup |
Set Harbor Portal pod’s Security Context fsGroup | 1001 |
portal.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
portal.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
portal.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
portal.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
portal.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
portal.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
portal.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
portal.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
portal.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
portal.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
portal.updateStrategy.type |
Harbor Portal deployment strategy type - only really applicable for deployments with RWO PVs attached | RollingUpdate |
portal.lifecycleHooks |
LifecycleHook for the Harbor Portal container(s) to automate configuration before or after startup | {} |
portal.hostAliases |
Harbor Portal pods host aliases | [] |
portal.podLabels |
Add additional labels to the Harbor Portal pods (evaluated as a template) | {} |
portal.podAnnotations |
Annotations to add to the Harbor Portal pods (evaluated as a template) | {} |
portal.podAffinityPreset |
Harbor Portal Pod affinity preset. Ignored if portal.affinity is set. Allowed values: soft or hard |
"" |
portal.podAntiAffinityPreset |
Harbor Portal Pod anti-affinity preset. Ignored if portal.affinity is set. Allowed values: soft or hard |
soft |
portal.nodeAffinityPreset.type |
Harbor Portal Node affinity preset type. Ignored if portal.affinity is set. Allowed values: soft or hard |
"" |
portal.nodeAffinityPreset.key |
Harbor Portal Node label key to match Ignored if portal.affinity is set. |
"" |
portal.nodeAffinityPreset.values |
Harbor Portal Node label values to match. Ignored if portal.affinity is set. |
[] |
portal.affinity |
Harbor Portal Affinity for pod assignment | {} |
portal.nodeSelector |
Harbor Portal Node labels for pod assignment | {} |
portal.tolerations |
Harbor Portal Tolerations for pod assignment | [] |
portal.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
portal.priorityClassName |
Priority Class Name | "" |
portal.schedulerName |
Use an alternate scheduler, e.g. “stork”. | "" |
portal.sidecars |
Add additional sidecar containers to the Harbor Portal pods | [] |
portal.initContainers |
Add additional init containers to the Harbor Portal pods | [] |
portal.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
portal.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
portal.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both portal.pdb.minAvailable and portal.pdb.maxUnavailable are empty. |
"" |
portal.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the Harbor Portal pods | [] |
portal.extraVolumes |
Optionally specify extra list of additional volumes for the Harbor Portal pods | [] |
portal.automountServiceAccountToken |
Mount Service Account token in pod | false |
portal.serviceAccount.create |
Specifies whether a ServiceAccount should be created | false |
portal.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
portal.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
portal.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
portal.service.ports.http |
Harbor Portal HTTP service port | 80 |
portal.service.ports.https |
Harbor Portal HTTPS service port | 443 |
portal.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
portal.networkPolicy.allowExternal |
Don’t require server label for connections | true |
portal.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
portal.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
portal.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
portal.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
portal.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
Name | Description | Value |
---|---|---|
core.image.registry |
Harbor Core image registry | REGISTRY_NAME |
core.image.repository |
Harbor Core image repository | REPOSITORY_NAME/harbor-core |
core.image.digest |
Harbor Core image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
core.image.pullPolicy |
Harbor Core image pull policy | IfNotPresent |
core.image.pullSecrets |
Harbor Core image pull secrets | [] |
core.image.debug |
Enable Harbor Core image debug mode | false |
core.sessionLifetime |
Explicitly set a session timeout (in seconds) overriding the backend default. | "" |
core.uaaSecret |
If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key ca.crt . |
"" |
core.secretKey |
The key used for encryption. Must be a string of 16 chars | "" |
core.secret |
Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | "" |
core.tokenKey |
Key of the certificate used for token encryption/decryption. | "" |
core.tokenCert |
Certificate used for token encryption/decryption. | "" |
core.secretName |
Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: tls.crt - the certificate and tls.key - the private key. The default key pair will be used if it isn’t set |
"" |
core.existingSecret |
Existing secret for core | "" |
core.existingEnvVarsSecret |
Existing secret for core envvars | "" |
core.csrfKey |
The CSRF key. Will be generated automatically if it isn’t specified | "" |
core.tls.existingSecret |
Name of an existing secret with the certificates for internal TLS access | "" |
core.command |
Override default container command (useful when using custom images) | [] |
core.args |
Override default container args (useful when using custom images) | [] |
core.extraEnvVars |
Array with extra environment variables to add Harbor Core pods | [] |
core.extraEnvVarsCM |
ConfigMap containing extra environment variables for Harbor Core pods | "" |
core.extraEnvVarsSecret |
Secret containing extra environment variables (in case of sensitive data) for Harbor Core pods | "" |
core.configOverwriteJson |
String containing a JSON with configuration overrides | "" |
core.configOverwriteJsonSecret |
Secret containing the JSON configuration overrides | "" |
core.containerPorts.http |
Harbor Core HTTP container port | 8080 |
core.containerPorts.https |
Harbor Core HTTPS container port | 8443 |
core.containerPorts.metrics |
Harbor Core metrics container port | 8001 |
core.replicaCount |
Number of Harbor Core replicas | 1 |
core.livenessProbe.enabled |
Enable livenessProbe on Harbor Core containers | true |
core.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
core.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
core.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
core.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
core.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
core.readinessProbe.enabled |
Enable readinessProbe on Harbor Core containers | true |
core.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
core.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
core.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
core.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
core.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
core.startupProbe.enabled |
Enable startupProbe on Harbor Core containers | false |
core.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
core.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
core.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
core.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
core.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
core.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
core.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
core.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
core.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if core.resources is set (core.resources is recommended for production). | small |
core.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
core.podSecurityContext.enabled |
Enabled Harbor Core pods’ Security Context | true |
core.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
core.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
core.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
core.podSecurityContext.fsGroup |
Set Harbor Core pod’s Security Context fsGroup | 1001 |
core.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
core.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
core.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
core.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
core.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
core.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
core.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
core.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
core.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
core.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
core.updateStrategy.type |
Harbor Core deployment strategy type - only really applicable for deployments with RWO PVs attached | RollingUpdate |
core.lifecycleHooks |
LifecycleHook for the Harbor Core container(s) to automate configuration before or after startup | {} |
core.hostAliases |
Harbor Core pods host aliases | [] |
core.podLabels |
Add additional labels to the Harbor Core pods (evaluated as a template) | {} |
core.podAnnotations |
Annotations to add to the Harbor Core pods (evaluated as a template) | {} |
core.podAffinityPreset |
Harbor Core Pod affinity preset. Ignored if core.affinity is set. Allowed values: soft or hard |
"" |
core.podAntiAffinityPreset |
Harbor Core Pod anti-affinity preset. Ignored if core.affinity is set. Allowed values: soft or hard |
soft |
core.nodeAffinityPreset.type |
Harbor Core Node affinity preset type. Ignored if core.affinity is set. Allowed values: soft or hard |
"" |
core.nodeAffinityPreset.key |
Harbor Core Node label key to match Ignored if core.affinity is set. |
"" |
core.nodeAffinityPreset.values |
Harbor Core Node label values to match. Ignored if core.affinity is set. |
[] |
core.affinity |
Harbor Core Affinity for pod assignment | {} |
core.nodeSelector |
Harbor Core Node labels for pod assignment | {} |
core.tolerations |
Harbor Core Tolerations for pod assignment | [] |
core.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
core.priorityClassName |
Priority Class Name | "" |
core.schedulerName |
Use an alternate scheduler, e.g. “stork”. | "" |
core.sidecars |
Add additional sidecar containers to the Harbor Core pods | [] |
core.initContainers |
Add additional init containers to the Harbor Core pods | [] |
core.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
core.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
core.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both core.pdb.minAvailable and core.pdb.maxUnavailable are empty. |
"" |
core.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the Harbor Core pods | [] |
core.extraVolumes |
Optionally specify extra list of additional volumes for the Harbor Core pods | [] |
core.automountServiceAccountToken |
Mount Service Account token in pod | false |
core.serviceAccount.create |
Specifies whether a ServiceAccount should be created | false |
core.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
core.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
core.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
core.service.ports.http |
Harbor Core HTTP service port | 80 |
core.service.ports.https |
Harbor Core HTTPS service port | 443 |
core.service.ports.metrics |
Harbor Core metrics service port | 8001 |
core.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
core.networkPolicy.allowExternal |
Don’t require server label for connections | true |
core.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
core.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
core.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
core.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
core.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
Name | Description | Value |
---|---|---|
jobservice.image.registry |
Harbor Jobservice image registry | REGISTRY_NAME |
jobservice.image.repository |
Harbor Jobservice image repository | REPOSITORY_NAME/harbor-jobservice |
jobservice.image.digest |
Harbor Jobservice image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
jobservice.image.pullPolicy |
Harbor Jobservice image pull policy | IfNotPresent |
jobservice.image.pullSecrets |
Harbor Jobservice image pull secrets | [] |
jobservice.image.debug |
Enable Harbor Jobservice image debug mode | false |
jobservice.maxJobWorkers |
The max job workers | 10 |
jobservice.redisNamespace |
Redis namespace for jobservice | harbor_job_service_namespace |
jobservice.jobLogger |
The logger for jobs: file , database or stdout |
file |
jobservice.secret |
Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | "" |
jobservice.existingSecret |
Existing secret for jobservice | "" |
jobservice.existingEnvVarsSecret |
Existing secret for jobservice envvars | "" |
jobservice.tls.existingSecret |
Name of an existing secret with the certificates for internal TLS access | "" |
jobservice.command |
Override default container command (useful when using custom images) | [] |
jobservice.args |
Override default container args (useful when using custom images) | [] |
jobservice.extraEnvVars |
Array with extra environment variables to add Harbor Jobservice pods | [] |
jobservice.extraEnvVarsCM |
ConfigMap containing extra environment variables for Harbor Jobservice pods | "" |
jobservice.extraEnvVarsSecret |
Secret containing extra environment variables (in case of sensitive data) for Harbor Jobservice pods | "" |
jobservice.containerPorts.http |
Harbor Jobservice HTTP container port | 8080 |
jobservice.containerPorts.https |
Harbor Jobservice HTTPS container port | 8443 |
jobservice.containerPorts.metrics |
Harbor Jobservice metrics container port | 8001 |
jobservice.replicaCount |
Number of Harbor Jobservice replicas | 1 |
jobservice.livenessProbe.enabled |
Enable livenessProbe on Harbor Jobservice containers | true |
jobservice.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
jobservice.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
jobservice.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
jobservice.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
jobservice.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
jobservice.readinessProbe.enabled |
Enable readinessProbe on Harbor Jobservice containers | true |
jobservice.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
jobservice.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
jobservice.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
jobservice.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
jobservice.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
jobservice.startupProbe.enabled |
Enable startupProbe on Harbor Jobservice containers | false |
jobservice.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
jobservice.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
jobservice.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
jobservice.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
jobservice.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
jobservice.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
jobservice.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
jobservice.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
jobservice.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if jobservice.resources is set (jobservice.resources is recommended for production). | small |
jobservice.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
jobservice.podSecurityContext.enabled |
Enabled Harbor Jobservice pods’ Security Context | true |
jobservice.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
jobservice.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
jobservice.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
jobservice.podSecurityContext.fsGroup |
Set Harbor Jobservice pod’s Security Context fsGroup | 1001 |
jobservice.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
jobservice.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
jobservice.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
jobservice.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
jobservice.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
jobservice.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
jobservice.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
jobservice.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
jobservice.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
jobservice.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
jobservice.updateStrategy.type |
Harbor Jobservice deployment strategy type - only really applicable for deployments with RWO PVs attached | RollingUpdate |
jobservice.lifecycleHooks |
LifecycleHook for the Harbor Jobservice container(s) to automate configuration before or after startup | {} |
jobservice.hostAliases |
Harbor Jobservice pods host aliases | [] |
jobservice.podLabels |
Add additional labels to the Harbor Jobservice pods (evaluated as a template) | {} |
jobservice.podAnnotations |
Annotations to add to the Harbor Jobservice pods (evaluated as a template) | {} |
jobservice.podAffinityPreset |
Harbor Jobservice Pod affinity preset. Ignored if jobservice.affinity is set. Allowed values: soft or hard |
"" |
jobservice.podAntiAffinityPreset |
Harbor Jobservice Pod anti-affinity preset. Ignored if jobservice.affinity is set. Allowed values: soft or hard |
soft |
jobservice.nodeAffinityPreset.type |
Harbor Jobservice Node affinity preset type. Ignored if jobservice.affinity is set. Allowed values: soft or hard |
"" |
jobservice.nodeAffinityPreset.key |
Harbor Jobservice Node label key to match Ignored if jobservice.affinity is set. |
"" |
jobservice.nodeAffinityPreset.values |
Harbor Jobservice Node label values to match. Ignored if jobservice.affinity is set. |
[] |
jobservice.affinity |
Harbor Jobservice Affinity for pod assignment | {} |
jobservice.nodeSelector |
Harbor Jobservice Node labels for pod assignment | {} |
jobservice.tolerations |
Harbor Jobservice Tolerations for pod assignment | [] |
jobservice.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
jobservice.priorityClassName |
Priority Class Name | "" |
jobservice.schedulerName |
Use an alternate scheduler, e.g. “stork”. | "" |
jobservice.sidecars |
Add additional sidecar containers to the Harbor Jobservice pods | [] |
jobservice.initContainers |
Add additional init containers to the Harbor Jobservice pods | [] |
jobservice.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
jobservice.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
jobservice.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both jobservice.pdb.minAvailable and jobservice.pdb.maxUnavailable are empty. |
"" |
jobservice.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the Harbor Jobservice pods | [] |
jobservice.extraVolumes |
Optionally specify extra list of additional volumes for the Harbor Jobservice pods | [] |
jobservice.automountServiceAccountToken |
Mount Service Account token in pod | false |
jobservice.serviceAccount.create |
Specifies whether a ServiceAccount should be created | false |
jobservice.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
jobservice.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
jobservice.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
jobservice.service.ports.http |
Harbor Jobservice HTTP service port | 80 |
jobservice.service.ports.https |
Harbor Jobservice HTTPS service port | 443 |
jobservice.service.ports.metrics |
Harbor Jobservice HTTPS service port | 8001 |
jobservice.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
jobservice.networkPolicy.allowExternal |
Don’t require server label for connections | true |
jobservice.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
jobservice.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
jobservice.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
jobservice.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
jobservice.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
Name | Description | Value |
---|---|---|
registry.secret |
Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md | "" |
registry.existingSecret |
Existing secret for registry | "" |
registry.relativeurls |
Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL. | false |
registry.credentials.username |
The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs | harbor_registry_user |
registry.credentials.password |
The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs. It is suggested you update this value before installation. | harbor_registry_password |
registry.credentials.htpasswd |
The content of htpasswd file based on the value of registry.credentials.username registry.credentials.password . Currently helm does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling |
harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m |
registry.middleware.enabled |
Middleware is used to add support for a CDN between backend storage and docker pull recipient. See |
false |
registry.middleware.type |
CDN type for the middleware | cloudFront |
registry.middleware.cloudFront.baseurl |
CloudFront CDN settings: Base URL | example.cloudfront.net |
registry.middleware.cloudFront.keypairid |
CloudFront CDN settings: Keypair ID | KEYPAIRID |
registry.middleware.cloudFront.duration |
CloudFront CDN settings: Duration | 3000s |
registry.middleware.cloudFront.ipfilteredby |
CloudFront CDN settings: IP filters | none |
registry.middleware.cloudFront.privateKeySecret |
CloudFront CDN settings: Secret name with the private key | my-secret |
registry.tls.existingSecret |
Name of an existing secret with the certificates for internal TLS access | "" |
registry.replicaCount |
Number of Harbor Registry replicas | 1 |
registry.podSecurityContext.enabled |
Enabled Harbor Registry pods’ Security Context | true |
registry.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
registry.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
registry.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
registry.podSecurityContext.fsGroup |
Set Harbor Registry pod’s Security Context fsGroup | 1001 |
registry.updateStrategy.type |
Harbor Registry deployment strategy type - only really applicable for deployments with RWO PVs attached | RollingUpdate |
registry.hostAliases |
Harbor Registry pods host aliases | [] |
registry.podLabels |
Add additional labels to the Harbor Registry pods (evaluated as a template) | {} |
registry.podAnnotations |
Annotations to add to the Harbor Registry pods (evaluated as a template) | {} |
registry.podAffinityPreset |
Harbor Registry Pod affinity preset. Ignored if registry.affinity is set. Allowed values: soft or hard |
"" |
registry.podAntiAffinityPreset |
Harbor Registry Pod anti-affinity preset. Ignored if registry.affinity is set. Allowed values: soft or hard |
soft |
registry.nodeAffinityPreset.type |
Harbor Registry Node affinity preset type. Ignored if registry.affinity is set. Allowed values: soft or hard |
"" |
registry.nodeAffinityPreset.key |
Harbor Registry Node label key to match Ignored if registry.affinity is set. |
"" |
registry.nodeAffinityPreset.values |
Harbor Registry Node label values to match. Ignored if registry.affinity is set. |
[] |
registry.affinity |
Harbor Registry Affinity for pod assignment | {} |
registry.nodeSelector |
Harbor Registry Node labels for pod assignment | {} |
registry.tolerations |
Harbor Registry Tolerations for pod assignment | [] |
registry.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
registry.priorityClassName |
Priority Class Name | "" |
registry.schedulerName |
Use an alternate scheduler, e.g. “stork”. | "" |
registry.sidecars |
Add additional sidecar containers to the Harbor Registry pods | [] |
registry.initContainers |
Add additional init containers to the Harbor Registry pods | [] |
registry.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
registry.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
registry.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both registry.pdb.minAvailable and registry.pdb.maxUnavailable are empty. |
"" |
registry.extraVolumes |
Optionally specify extra list of additional volumes for the Harbor Registry pods | [] |
registry.automountServiceAccountToken |
Mount Service Account token in pod | false |
registry.serviceAccount.create |
Specifies whether a ServiceAccount should be created | true |
registry.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
registry.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
registry.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
registry.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
registry.networkPolicy.allowExternal |
Don’t require server label for connections | true |
registry.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
registry.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
registry.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
registry.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
registry.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
registry.server.image.registry |
Harbor Registry image registry | REGISTRY_NAME |
registry.server.image.repository |
Harbor Registry image repository | REPOSITORY_NAME/harbor-registry |
registry.server.image.digest |
Harbor Registry image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
registry.server.image.pullPolicy |
Harbor Registry image pull policy | IfNotPresent |
registry.server.image.pullSecrets |
Harbor Registry image pull secrets | [] |
registry.server.image.debug |
Enable Harbor Registry image debug mode | false |
registry.server.command |
Override default container command (useful when using custom images) | [] |
registry.server.args |
Override default container args (useful when using custom images) | [] |
registry.server.extraEnvVars |
Array with extra environment variables to add Harbor Registry main containers | [] |
registry.server.extraEnvVarsCM |
ConfigMap containing extra environment variables for Harbor Registry main containers | "" |
registry.server.extraEnvVarsSecret |
Secret containing extra environment variables (in case of sensitive data) for Harbor Registry main containers | "" |
registry.server.containerPorts.http |
Harbor Registry HTTP container port | 5000 |
registry.server.containerPorts.https |
Harbor Registry HTTPS container port | 5443 |
registry.server.containerPorts.debug |
Harbor Registry debug container port | 5001 |
registry.server.containerPorts.metrics |
Harbor Registry metrics container port | 8001 |
registry.server.livenessProbe.enabled |
Enable livenessProbe on Harbor Registry main containers | true |
registry.server.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
registry.server.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
registry.server.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
registry.server.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
registry.server.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
registry.server.readinessProbe.enabled |
Enable readinessProbe on Harbor Registry main containers | true |
registry.server.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
registry.server.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
registry.server.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
registry.server.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
registry.server.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
registry.server.startupProbe.enabled |
Enable startupProbe on Harbor Registry main containers | false |
registry.server.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
registry.server.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
registry.server.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
registry.server.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
registry.server.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
registry.server.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
registry.server.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
registry.server.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
registry.server.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.server.resources is set (registry.server.resources is recommended for production). | small |
registry.server.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
registry.server.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
registry.server.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
registry.server.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
registry.server.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
registry.server.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
registry.server.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
registry.server.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
registry.server.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
registry.server.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
registry.server.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
registry.server.lifecycleHooks |
LifecycleHook for the Harbor Registry main container(s) to automate configuration before or after startup | {} |
registry.server.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the Harbor Registry main pods | [] |
registry.server.service.ports.http |
Harbor Registry HTTP service port | 5000 |
registry.server.service.ports.https |
Harbor Registry HTTPS service port | 5443 |
registry.server.service.ports.metrics |
Harbor Registry metrics service port | 8001 |
registry.controller.image.registry |
Harbor Registryctl image registry | REGISTRY_NAME |
registry.controller.image.repository |
Harbor Registryctl image repository | REPOSITORY_NAME/harbor-registryctl |
registry.controller.image.digest |
Harbor Registryctl image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
registry.controller.image.pullPolicy |
Harbor Registryctl image pull policy | IfNotPresent |
registry.controller.image.pullSecrets |
Harbor Registryctl image pull secrets | [] |
registry.controller.image.debug |
Enable Harbor Registryctl image debug mode | false |
registry.controller.command |
Override default container command (useful when using custom images) | [] |
registry.controller.args |
Override default container args (useful when using custom images) | [] |
registry.controller.extraEnvVars |
Array with extra environment variables to add Harbor Registryctl containers | [] |
registry.controller.extraEnvVarsCM |
ConfigMap containing extra environment variables for Harbor Registryctl containers | "" |
registry.controller.extraEnvVarsSecret |
Secret containing extra environment variables (in case of sensitive data) for Harbor Registryctl containers | "" |
registry.controller.containerPorts.http |
Harbor Registryctl HTTP container port | 8080 |
registry.controller.containerPorts.https |
Harbor Registryctl HTTPS container port | 8443 |
registry.controller.livenessProbe.enabled |
Enable livenessProbe on Harbor Registryctl containers | true |
registry.controller.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
registry.controller.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
registry.controller.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
registry.controller.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
registry.controller.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
registry.controller.readinessProbe.enabled |
Enable readinessProbe on Harbor Registryctl containers | true |
registry.controller.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
registry.controller.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
registry.controller.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
registry.controller.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
registry.controller.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
registry.controller.startupProbe.enabled |
Enable startupProbe on Harbor Registryctl containers | false |
registry.controller.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
registry.controller.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
registry.controller.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
registry.controller.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
registry.controller.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
registry.controller.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
registry.controller.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
registry.controller.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
registry.controller.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.controller.resources is set (registry.controller.resources is recommended for production). | small |
registry.controller.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
registry.controller.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
registry.controller.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
registry.controller.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
registry.controller.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
registry.controller.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
registry.controller.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
registry.controller.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
registry.controller.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
registry.controller.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
registry.controller.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
registry.controller.lifecycleHooks |
LifecycleHook for the Harbor Registryctl container(s) to automate configuration before or after startup | {} |
registry.controller.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the Harbor Registryctl pods | [] |
registry.controller.service.ports.http |
Harbor Registryctl HTTP service port | 8080 |
registry.controller.service.ports.https |
Harbor Registryctl HTTPS service port | 8443 |
Name | Description | Value |
---|---|---|
trivy.image.registry |
Harbor Adapter Trivy image registry | REGISTRY_NAME |
trivy.image.repository |
Harbor Adapter Trivy image repository | REPOSITORY_NAME/harbor-adapter-trivy |
trivy.image.digest |
Harbor Adapter Trivy image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
trivy.image.pullPolicy |
Harbor Adapter Trivy image pull policy | IfNotPresent |
trivy.image.pullSecrets |
Harbor Adapter Trivy image pull secrets | [] |
trivy.image.debug |
Enable Harbor Adapter Trivy image debug mode | false |
trivy.enabled |
Enable Trivy | true |
trivy.debugMode |
The flag to enable Trivy debug mode | false |
trivy.vulnType |
Comma-separated list of vulnerability types. Possible values os and library . |
os,library |
trivy.severity |
Comma-separated list of severities to be checked | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL |
trivy.ignoreUnfixed |
The flag to display only fixed vulnerabilities | false |
trivy.insecure |
The flag to skip verifying registry certificate | false |
trivy.existingEnvVarsSecret |
Existing secret for trivy | "" |
trivy.gitHubToken |
The GitHub access token to download Trivy DB | "" |
trivy.skipUpdate |
The flag to disable Trivy DB downloads from GitHub | false |
trivy.cacheDir |
Directory to store the cache | /bitnami/harbor-adapter-trivy/.cache |
trivy.tls.existingSecret |
Name of an existing secret with the certificates for internal TLS access | "" |
trivy.command |
Override default container command (useful when using custom images) | [] |
trivy.args |
Override default container args (useful when using custom images) | [] |
trivy.extraEnvVars |
Array with extra environment variables to add Trivy pods | [] |
trivy.extraEnvVarsCM |
ConfigMap containing extra environment variables for Trivy pods | "" |
trivy.extraEnvVarsSecret |
Secret containing extra environment variables (in case of sensitive data) for Trivy pods | "" |
trivy.containerPorts.http |
Trivy HTTP container port | 8080 |
trivy.containerPorts.https |
Trivy HTTPS container port | 8443 |
trivy.replicaCount |
Number of Trivy replicas | 1 |
trivy.livenessProbe.enabled |
Enable livenessProbe on Trivy containers | true |
trivy.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
trivy.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
trivy.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
trivy.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
trivy.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
trivy.readinessProbe.enabled |
Enable readinessProbe on Trivy containers | true |
trivy.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
trivy.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
trivy.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
trivy.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
trivy.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
trivy.startupProbe.enabled |
Enable startupProbe on Trivy containers | false |
trivy.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
trivy.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
trivy.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
trivy.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
trivy.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
trivy.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
trivy.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
trivy.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
trivy.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if trivy.resources is set (trivy.resources is recommended for production). | small |
trivy.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
trivy.podSecurityContext.enabled |
Enabled Trivy pods’ Security Context | true |
trivy.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
trivy.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
trivy.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
trivy.podSecurityContext.fsGroup |
Set Trivy pod’s Security Context fsGroup | 1001 |
trivy.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
trivy.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
trivy.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
trivy.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
trivy.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
trivy.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
trivy.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
trivy.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
trivy.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
trivy.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
trivy.updateStrategy.type |
Trivy deployment strategy type - only really applicable for deployments with RWO PVs attached | RollingUpdate |
trivy.lifecycleHooks |
LifecycleHook for the Trivy container(s) to automate configuration before or after startup | {} |
trivy.hostAliases |
Trivy pods host aliases | [] |
trivy.podLabels |
Add additional labels to the Trivy pods (evaluated as a template) | {} |
trivy.podAnnotations |
Annotations to add to the Trivy pods (evaluated as a template) | {} |
trivy.podAffinityPreset |
Trivy Pod affinity preset. Ignored if trivy.affinity is set. Allowed values: soft or hard |
"" |
trivy.podAntiAffinityPreset |
Trivy Pod anti-affinity preset. Ignored if trivy.affinity is set. Allowed values: soft or hard |
soft |
trivy.nodeAffinityPreset.type |
Trivy Node affinity preset type. Ignored if trivy.affinity is set. Allowed values: soft or hard |
"" |
trivy.nodeAffinityPreset.key |
Trivy Node label key to match Ignored if trivy.affinity is set. |
"" |
trivy.nodeAffinityPreset.values |
Trivy Node label values to match. Ignored if trivy.affinity is set. |
[] |
trivy.affinity |
Trivy Affinity for pod assignment | {} |
trivy.nodeSelector |
Trivy Node labels for pod assignment | {} |
trivy.tolerations |
Trivy Tolerations for pod assignment | [] |
trivy.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
trivy.priorityClassName |
Priority Class Name | "" |
trivy.schedulerName |
Use an alternate scheduler, e.g. “stork”. | "" |
trivy.sidecars |
Add additional sidecar containers to the Trivy pods | [] |
trivy.initContainers |
Add additional init containers to the Trivy pods | [] |
trivy.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
trivy.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
trivy.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both trivy.pdb.minAvailable and trivy.pdb.maxUnavailable are empty. |
"" |
trivy.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the Trivy pods | [] |
trivy.extraVolumes |
Optionally specify extra list of additional volumes for the Trivy pods | [] |
trivy.automountServiceAccountToken |
Mount Service Account token in pod | false |
trivy.serviceAccount.create |
Specifies whether a ServiceAccount should be created | false |
trivy.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
trivy.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
trivy.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
trivy.service.ports.http |
Trivy HTTP service port | 8080 |
trivy.service.ports.https |
Trivy HTTPS service port | 8443 |
trivy.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
trivy.networkPolicy.allowExternal |
Don’t require server label for connections | true |
trivy.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
trivy.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
trivy.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
trivy.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
trivy.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
Name | Description | Value |
---|---|---|
exporter.image.registry |
Harbor Exporter image registry | REGISTRY_NAME |
exporter.image.repository |
Harbor Exporter image repository | REPOSITORY_NAME/harbor-exporter |
exporter.image.digest |
Harbor Exporter image image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
exporter.image.pullPolicy |
Harbor exporter image pull policy | IfNotPresent |
exporter.image.pullSecrets |
Specify docker-registry secret names as an array | [] |
exporter.image.debug |
Specify if debug logs should be enabled | false |
exporter.command |
Override default container command (useful when using custom images) | [] |
exporter.args |
Override default container args (useful when using custom images) | [] |
exporter.extraEnvVars |
Array containing extra env vars | [] |
exporter.extraEnvVarsCM |
ConfigMap containing extra env vars | "" |
exporter.extraEnvVarsSecret |
Secret containing extra env vars (in case of sensitive data) | "" |
exporter.containerPorts.metrics |
Harbor Exporter HTTP container port | 8001 |
exporter.replicaCount |
The replica count | 1 |
exporter.livenessProbe.enabled |
Enable livenessProbe | true |
exporter.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 20 |
exporter.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
exporter.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
exporter.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
exporter.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
exporter.readinessProbe.enabled |
Enable readinessProbe | true |
exporter.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 20 |
exporter.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
exporter.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
exporter.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
exporter.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
exporter.startupProbe.enabled |
Enable startupProbe on Harbor Exporter containers | false |
exporter.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
exporter.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
exporter.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 1 |
exporter.startupProbe.failureThreshold |
Failure threshold for startupProbe | 15 |
exporter.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
exporter.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
exporter.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
exporter.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
exporter.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if exporter.resources is set (exporter.resources is recommended for production). | nano |
exporter.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
exporter.podSecurityContext.enabled |
Enabled Exporter pods’ Security Context | true |
exporter.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
exporter.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
exporter.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
exporter.podSecurityContext.fsGroup |
Set Exporter pod’s Security Context fsGroup | 1001 |
exporter.containerSecurityContext.enabled |
Enabled containers’ Security Context | true |
exporter.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
exporter.containerSecurityContext.runAsUser |
Set containers’ Security Context runAsUser | 1001 |
exporter.containerSecurityContext.runAsGroup |
Set containers’ Security Context runAsGroup | 1001 |
exporter.containerSecurityContext.runAsNonRoot |
Set container’s Security Context runAsNonRoot | true |
exporter.containerSecurityContext.privileged |
Set container’s Security Context privileged | false |
exporter.containerSecurityContext.readOnlyRootFilesystem |
Set container’s Security Context readOnlyRootFilesystem | true |
exporter.containerSecurityContext.allowPrivilegeEscalation |
Set container’s Security Context allowPrivilegeEscalation | false |
exporter.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
exporter.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
exporter.updateStrategy.type |
The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn’t supported | RollingUpdate |
exporter.lifecycleHooks |
LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template | {} |
exporter.hostAliases |
Exporter pods host aliases | [] |
exporter.podLabels |
Add additional labels to the pod (evaluated as a template) | {} |
exporter.podAnnotations |
Annotations to add to the exporter pod | {} |
exporter.podAffinityPreset |
Harbor Exporter Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
"" |
exporter.podAntiAffinityPreset |
Harbor Exporter Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
soft |
exporter.nodeAffinityPreset.type |
Harbor Exporter Node affinity preset type. Ignored if exporter.affinity is set. Allowed values: soft or hard |
"" |
exporter.nodeAffinityPreset.key |
Harbor Exporter Node label key to match Ignored if exporter.affinity is set. |
"" |
exporter.nodeAffinityPreset.values |
Harbor Exporter Node label values to match. Ignored if exporter.affinity is set. |
[] |
exporter.affinity |
Harbor Exporter Affinity for pod assignment | {} |
exporter.priorityClassName |
Exporter pods Priority Class Name | "" |
exporter.schedulerName |
Name of the k8s scheduler (other than default) | "" |
exporter.nodeSelector |
Harbor Exporter Node labels for pod assignment | {} |
exporter.tolerations |
Harbor Exporter Tolerations for pod assignment | [] |
exporter.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
exporter.initContainers |
Add additional init containers to the pod (evaluated as a template) | [] |
exporter.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
exporter.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
exporter.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both exporter.pdb.minAvailable and exporter.pdb.maxUnavailable are empty. |
"" |
exporter.extraVolumeMounts |
[] |
|
exporter.extraVolumes |
[] |
|
exporter.sidecars |
Attach additional containers to the pod (evaluated as a template) | [] |
exporter.automountServiceAccountToken |
Mount Service Account token in pod | false |
exporter.serviceAccount.create |
Specifies whether a ServiceAccount should be created | false |
exporter.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
exporter.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
exporter.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
exporter.service.ports.metrics |
Exporter HTTP service port | 8001 |
exporter.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
exporter.networkPolicy.allowExternal |
Don’t require server label for connections | true |
exporter.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
exporter.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
exporter.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
exporter.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
exporter.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
Name | Description | Value |
---|---|---|
postgresql.enabled |
Switch to enable or disable the PostgreSQL helm chart | true |
postgresql.auth.enablePostgresUser |
Assign a password to the “postgres” admin user. Otherwise, remote access will be blocked for this user | true |
postgresql.auth.postgresPassword |
Password for the “postgres” admin user | not-secure-database-password |
postgresql.auth.existingSecret |
Name of existing secret to use for PostgreSQL credentials | "" |
postgresql.architecture |
PostgreSQL architecture (standalone or replication ) |
standalone |
postgresql.primary.extendedConfiguration |
Extended PostgreSQL Primary configuration (appended to main or default configuration) | `max_connections = 1024 |
` | ||
postgresql.primary.initdb.scripts |
Initdb scripts to create Harbor databases | {} |
postgresql.image.registry |
PostgreSQL image registry | REGISTRY_NAME |
postgresql.image.repository |
PostgreSQL image repository | REPOSITORY_NAME/postgresql |
postgresql.image.digest |
PostgreSQL image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
postgresql.primary.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | nano |
postgresql.primary.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
externalDatabase.host |
Database host | localhost |
externalDatabase.port |
Database port number | 5432 |
externalDatabase.user |
Non-root username for Harbor | bn_harbor |
externalDatabase.password |
Password for the non-root username for Harbor | "" |
externalDatabase.sslmode |
External database ssl mode | disable |
externalDatabase.coreDatabase |
External database name for core | "" |
Name | Description | Value |
---|---|---|
redis.enabled |
Switch to enable or disable the Redis® helm | true |
redis.auth.enabled |
Enable password authentication | false |
redis.auth.password |
Redis® password | "" |
redis.auth.existingSecret |
The name of an existing secret with Redis® credentials | "" |
redis.architecture |
Redis® architecture. Allowed values: standalone or replication |
standalone |
redis.sentinel.enabled |
Use Redis® Sentinel on Redis® pods. | false |
redis.sentinel.masterSet |
Master set name | mymaster |
redis.sentinel.service.ports.sentinel |
Redis® service port for Redis® Sentinel | 26379 |
redis.master.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | nano |
redis.master.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
externalRedis.host |
Redis® host | localhost |
externalRedis.port |
Redis® port number | 6379 |
externalRedis.password |
Redis® password | "" |
externalRedis.coreDatabaseIndex |
Index for core database | 0 |
externalRedis.jobserviceDatabaseIndex |
Index for jobservice database | 1 |
externalRedis.registryDatabaseIndex |
Index for registry database | 2 |
externalRedis.trivyAdapterDatabaseIndex |
Index for trivy adapter database | 5 |
externalRedis.sentinel.enabled |
If external redis with sentinal is used, set it to true |
false |
externalRedis.sentinel.masterSet |
Name of sentinel masterSet if sentinel is used | mymaster |
externalRedis.sentinel.hosts |
Sentinel hosts and ports in the format | "" |
Name | Description | Value |
---|---|---|
metrics.enabled |
Whether or not to enable metrics for different | false |
metrics.path |
Path where metrics are exposed | /metrics |
metrics.serviceMonitor.enabled |
if true , creates a Prometheus Operator ServiceMonitor (requires metrics.enabled to be true ) |
false |
metrics.serviceMonitor.namespace |
Namespace in which Prometheus is running | "" |
metrics.serviceMonitor.interval |
Interval at which metrics should be scraped | "" |
metrics.serviceMonitor.scrapeTimeout |
Timeout after which the scrape is ended | "" |
metrics.serviceMonitor.labels |
Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | {} |
metrics.serviceMonitor.selector |
Prometheus instance selector labels | {} |
metrics.serviceMonitor.relabelings |
RelabelConfigs to apply to samples before scraping | [] |
metrics.serviceMonitor.metricRelabelings |
MetricRelabelConfigs to apply to samples before ingestion | [] |
metrics.serviceMonitor.honorLabels |
Specify honorLabels parameter to add the scrape endpoint | false |
metrics.serviceMonitor.jobLabel |
The name of the label on the target service to use as the job name in prometheus. | "" |
Specify each parameter using the --set key=value[,key=value]
argument to helm install
. For example,
helm install my-release \
--set adminPassword=password \
oci://REGISTRY_NAME/REPOSITORY_NAME/harbor
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.io
andREPOSITORY_NAME=bitnamicharts
.
The above command sets the Harbor administrator account password to password
.
NOTE: Once this chart is deployed, it is not possible to change the application’s access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application’s built-in administrative tools if available.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/harbor
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.io
andREPOSITORY_NAME=bitnamicharts
.
Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.
This major updates the Redis® subchart to its newest major, 20.0.0. Here you can find more information about the changes introduced in that version.
This major version renames the following values:
nginx.serviceAccountName
was renamed as nginx.serviceAccount.name
.portal.serviceAccountName
was renamed as portal.serviceAccount.name
.core.serviceAccountName
was renamed as core.serviceAccount.name
.jobservice.serviceAccountName
was renamed as jobservice.serviceAccount.name
.registry.serviceAccountName
was renamed as registry.serviceAccount.name
.trivy.serviceAccountName
was renamed as trivy.serviceAccount.name
.exporter.serviceAccountName
was renamed as exporter.serviceAccount.name
.Additionally, this major version adds support for serviceAccount creation in the Helm chart.
This major bump changes the following security defaults:
runAsGroup
is changed from 0
to 1001
readOnlyRootFilesystem
is set to true
resourcesPreset
is changed from none
to the minimum size working in our test suites (NOTE: resourcesPreset
is not meant for production usage, but resources
adapted to your use case).global.compatibility.openshift.adaptSecurityContext
is changed from disabled
to auto
.This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
This major release bumps the PostgreSQL chart version to 14.x.x; no major issues are expected during the upgrade.
This major updates the PostgreSQL subchart to its newest major, 13.0.0. Here you can find more information about the changes introduced in that version.
This major deprecates harbor notary server and harbor notary signer components. These components were deprecated in Harbor 2.9.0, find more information in Harbor wiki.
This major updates the Redis® subchart to its newest major, 18.0.0. Here you can find more information about the changes introduced in that version.
NOTE: Due to an error in our release process, Redis®’ chart versions higher or equal than 17.15.4 already use Redis® 7.2 by default.
This major updates the PostgreSQL subchart to its newest major, 12.0.0. Here you can find more information about the changes introduced in that version.
This major update the Redis® subchart to its newest major, 17.0.0, which updates Redis® from its version 6.2 to the latest 7.0.
The new version of this chart is not longer sopported Clair, who was deprecated by Habor in the version 2.2.0
This major release updates the PostgreSQL subchart image to the newest 13.x version.
The upgrade process to 13.x.x from 12.x.x should be done by reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is harbor
):
NOTE: Please, create a backup of your database before running any of these actions.
HARBOR_NAMESPACE='default'
HARBOR_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode)
POSTGRESQL_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
POSTGRESQL_PVC=$(kubectl get pvc --namespace "${HARBOR_NAMESPACE:?}" -l app.kubernetes.io/instance=harbor,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}")
--cascade=orphan
) and secret:kubectl delete statefulsets.apps --namespace "${HARBOR_NAMESPACE:?}" --cascade=orphan harbor-postgresql
kubectl delete secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql
CURRENT_PG_VERSION=$(kubectl exec --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0 -c harbor-postgresql -- bash -c 'printenv APP_VERSION')
helm --namespace "${HARBOR_NAMESPACE:?}" upgrade harbor bitnami/harbor \
--set adminPassword="${HARBOR_PASSWORD:?}" \
--set postgresql.image.tag="${CURRENT_PG_VERSION:?}" \
--set postgresql.auth.postgresPassword="${POSTGRESQL_PASSWORD:?}" \
--set postgresql.primary.persistence.existingClaim="${POSTGRESQL_PVC:?}"
kubectl delete pod --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0
This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. Additionally updates the PostgreSQL & Redis subcharts to their newest major 11.x.x and 16.x.x, respectively, which contain similar changes.
harborAdminPassword
was renamed to adminPassword
forcePassword
was deprecatedexposureType
allows deciding whether to expose Harbor using Ingress or an NGINX proxyservice.type
doesn’t accept Ingress
as a valid value anymore. To configure traffic exposure through Ingress, set exposureType
to ingress
service.tls
map has been renamed to nginx.tls
ingress.core.tls
parameteringress
map is completely redefinedxxxImage
parameters (e.g. nginxImage
) have been renamed to xxx.image
(e.g. nginx.image
)xxx.replicas
parameters (e.g. nginx.replicas
) have been renamed to xxx.replicaCount
(e.g. nginx.replicaCount
)persistence.persistentVolumeClaim.xxx.accessMode
parameters (e.g. persistence.persistentVolumeClaim.registry.accessMode
) have been renamed to persistence.persistentVolumeClaim.xxx.accessModes
(e.g. persistence.persistentVolumeClaim.registry.accessModes
) and expect an array instead of a stringcaBundleSecretName
was renamed to internalTLS.caBundleSecret
persistence.imageChartStorage.caBundleSecretName
was renamed to persistence.imageChartStorage.caBundleSecret
core.uaaSecretName
was renamed to core.uaaSecret
To upgrade to 12.x.x from 11.x, it should be done reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is harbor
):
NOTE: Please, create a backup of your database before running any of those actions.
HARBOR_NAMESPACE='default'
HARBOR_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode)
POSTGRESQL_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
POSTGRESQL_PVC=$(kubectl get pvc --namespace "${HARBOR_NAMESPACE:?}" -l app.kubernetes.io/instance=harbor,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}")
--cascade=orphan
) and secret:kubectl delete statefulsets.apps --namespace "${HARBOR_NAMESPACE:?}" --cascade=orphan harbor-postgresql
kubectl delete secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql
CURRENT_PG_VERSION=$(kubectl exec --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0 -c harbor-postgresql -- bash -c 'printenv BITNAMI_IMAGE_VERSION')
helm --namespace "${HARBOR_NAMESPACE:?}" upgrade harbor bitnami/harbor \
--set adminPassword="${HARBOR_PASSWORD:?}" \
--set postgresql.image.tag="${CURRENT_PG_VERSION:?}" \
--set postgresql.auth.postgresPassword="${POSTGRESQL_PASSWORD:?}" \
--set postgresql.primary.persistence.existingClaim="${POSTGRESQL_PVC:?}"
kubectl delete pod --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0
NOTE: the instructions above reuse the same PostgreSQL version you were using in your chart release. Otherwise, you will find an error such as the one below when upgrading since the new chart major version also bumps the application version. To workaround this issue you need to upgrade database, please refer to the official PostgreSQL documentation for more information about this.
$ kubectl --namespace "${HARBOR_NAMESPACE:?}" logs harbor-postgresql-0 --container harbor-postgresql ... postgresql 08:10:14.72 INFO ==> ** Starting PostgreSQL ** 2022-02-01 08:10:14.734 GMT [1] FATAL: database files are incompatible with server 2022-02-01 08:10:14.734 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 14.1.
This major update the Redis® subchart to its newest major, 15.0.0. Here you can find more info about the specific changes.
This major updates the Redis® subchart to it newest major, 14.0.0, which contains breaking changes. For more information on this subchart’s major and the steps needed to migrate your data from your previous release, please refer to Redis® upgrade notes..
This new version of the chart bumps the version of Harbor to 2.2.0
which deprecates built-in Clair. If you still want to use Clair, you will need to set clair.enabled
to true
and Clair scanner and the Harbor adapter will be deployed. Follow these steps to add it as an additional interrogation service for Harbor.
Please note that Clair might be fully deprecated from this chart in following updates.
On November 13, 2020, Helm v2 support was formally finished, this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
apiVersion: v1
(installable by both Helm 2 and 3), this Helm Chart was updated to apiVersion: v2
(installable by Helm 3 only). Here you can find more information about the apiVersion
field.To upgrade to 9.0.0 from 8.x, it should be done reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is harbor
and the release namespace default
):
NOTE: Please, create a backup of your database before running any of those actions.
export HARBOR_PASSWORD=$(kubectl get secret --namespace default harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode)
export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default harbor-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=harbor,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}")
kubectl delete statefulsets.apps --cascade=false harbor-postgresql
helm upgrade harbor bitnami/harbor \
--set harborAdminPassword=$HARBOR_PASSWORD \
--set postgresql.image.tag=$CURRENT_PG_VERSION \
--set postgresql.postgresqlPassword$POSTGRESQL_PASSWORD \
--set postgresql.persistence.existingClaim=$POSTGRESQL_PVC
kubectl delete pod harbor-postgresql-0
Copyright © 2024 Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.