Bitnami package for Harbor

Harbor is an open source trusted cloud-native registry to store, sign, and scan content. It adds functionalities like security, identity, and management to the open source Docker distribution.

Overview of Harbor

TL;DR

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/harbor

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository.

Introduction

This Helm chart installs Harbor in a Kubernetes cluster. Welcome to contribute to Helm Chart for Harbor.

This Helm chart has been developed based on goharbor/harbor-helm chart but including some features common to the Bitnami chart library. For example, the following changes have been introduced:

• Possibility to pull all the required images from a private registry through the Global Docker image parameters.
• Redis® and PostgreSQL are managed as chart dependencies.
• Liveness and Readiness probes for all deployments are exposed to the values.yaml.
• Uses new Helm chart labels formatting.
• Uses Bitnami container images:
  • non-root by default
  • published for debian-10 and ol-7
• This chart support the Harbor optional components.

Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters.

Prerequisites

• Kubernetes 1.23+
• Helm 3.8.0+
• PV provisioner support in the underlying infrastructure
• ReadWriteMany volumes for deployment scaling

Installing the Chart

To install the chart with the release name my-release:

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/harbor

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

Configuration and installation details

Resource requests and limits

Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.

To make this process easier, the chart contains the resourcesPreset values, which automatically sets the resources section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcePreset is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

Configure the way how to expose Harbor core

You can expose Harbor core using two methods:

• An Ingress Controller, exposureType should be set to ingress.
  • An ingress controller must be installed in the Kubernetes cluster.
  • If the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue #5291 for the detail.
• An NGINX Proxy, exposureType should be set to proxy. There are three ways to do so depending on the NGINX Proxy service type:
  • ClusterIP: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster:
  • NodePort: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting NodeIP:NodePort.
  • LoadBalancer: Exposes the service externally using a cloud provider’s load balancer.

Configure the external URL

The external URL for Harbor core service is used to:

1. populate the docker/helm commands showed on portal

Format: protocol://domain[:port]. Usually:

• if expose Harbor core service via Ingress, the domain should be the value of ingress.core.hostname.
• if expose Harbor core via NGINX proxy using a ClusterIP service type, the domain should be the value of service.clusterIP.
• if expose Harbor core via NGINX proxy using a NodePort service type, the domain should be the IP address of one Kubernetes node.
• if expose Harbor core via NGINX proxy using a LoadBalancer service type, set the domain as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider.

If Harbor is deployed behind the proxy, set it as the URL of proxy.

Sidecars and Init Containers

If you have a need for additional containers to run within the same pod as any of the Harbor components (e.g. an additional metrics or logging exporter), you can do so via the sidecars config parameter inside each component subsection. Simply define your container according to the Kubernetes container spec.

core:
  sidecars:
    - name: your-image-name
      image: your-image
      imagePullPolicy: Always
      ports:
        - name: portname
        containerPort: 1234

Similarly, you can add extra init containers using the initContainers parameter.

core:
  initContainers:
    - name: your-image-name
      image: your-image
      imagePullPolicy: Always
      ports:
        - name: portname
          containerPort: 1234

Adding extra environment variables

In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the extraEnvVars property inside each component subsection.

core:
  extraEnvVars:
    - name: LOG_LEVEL
      value: error

Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the extraEnvVarsCM or the extraEnvVarsSecret values inside each component subsection.

Configure data persistence

• Disable: The data does not survive the termination of a pod.
• Persistent Volume Claim(default): A default StorageClass is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the storageClass or set existingClaim if you have already existing persistent volumes to use.
• External Storage(only for images and charts): For images and charts, the external storages are supported: azure, gcs, s3 swift and oss.

Configure the secrets

• Secrets: Secrets are used for encryption and to secure communication between components. Fill core.secret, jobservice.secret and registry.secret to configure then statically through the helm values. it expects the “key or password”, not the secret name where secrets are stored.
• Certificates: Used for token encryption/decryption. Fill core.secretName to configure.

Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: #107).

If you want to manage full Secret objects by your own, you can use existingSecret & existingEnvVarsSecret parameters. This could be useful for some secure GitOps workflows, of course, you will have to ensure to define all expected keys for those secrets.

The core service have two Secret objects, the default one for data & communication which is very important as it’s contains the data encryption key of your harbor instance ! and a second one which contains standard passwords, database access password, … Keep in mind that the HARBOR_ADMIN_PASSWORD is only used to boostrap your harbor instance, if you update it after the deployment, the password is updated in database, but the secret will remain the initial one.

Setting Pod’s affinity

This chart allows you to set your custom affinity using the XXX.affinity parameter(s). Find more information about Pod’s affinity in the kubernetes documentation.

As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the XXX.podAffinityPreset, XXX.podAntiAffinityPreset, or XXX.nodeAffinityPreset parameters.

Adjust permissions of persistent volume mountpoint

As the images run as non-root by default, it is necessary to adjust the ownership of the persistent volumes so that the containers can write data into it.

By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.

You can enable this initContainer by setting volumePermissions.enabled to true.

Parameters

Global parameters

Name	Description	Value
global.imageRegistry	Global Docker image registry	""
global.imagePullSecrets	Global Docker registry secret names as an array	[]
global.defaultStorageClass	Global default StorageClass for Persistent Volume(s)	""
global.storageClass	DEPRECATED: use global.defaultStorageClass instead	""
global.compatibility.openshift.adaptSecurityContext	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)	auto

Common Parameters

Name	Description	Value
nameOverride	String to partially override common.names.fullname template (will maintain the release name)	""
fullnameOverride	String to fully override common.names.fullname template with a string	""
kubeVersion	Force target Kubernetes version (using Helm capabilities if not set)	""
clusterDomain	Kubernetes Cluster Domain	cluster.local
commonAnnotations	Annotations to add to all deployed objects	{}
commonLabels	Labels to add to all deployed objects	{}
extraDeploy	Array of extra objects to deploy with the release (evaluated as a template).	[]
diagnosticMode.enabled	Enable diagnostic mode (all probes will be disabled and the command will be overridden)	false
diagnosticMode.command	Command to override all containers in the the deployment(s)/statefulset(s)	["sleep"]
diagnosticMode.args	Args to override all containers in the the deployment(s)/statefulset(s)	["infinity"]

Harbor common parameters

Name	Description	Value
adminPassword	The initial password of Harbor admin. Change it from portal after launching Harbor	""
externalURL	The external URL for Harbor Core service	https://core.harbor.domain
proxy.httpProxy	The URL of the HTTP proxy server	""
proxy.httpsProxy	The URL of the HTTPS proxy server	""
proxy.noProxy	The URLs that the proxy settings not apply to	127.0.0.1,localhost,.local,.internal
proxy.components	The component list that the proxy settings apply to	["core","jobservice","trivy"]
logLevel	The log level used for Harbor services. Allowed values are [ fatal | error | warn | info | debug | trace ]	debug
internalTLS.enabled	Use TLS in all the supported containers: core, jobservice, portal, registry and trivy	false
internalTLS.caBundleSecret	Name of an existing secret with a custom CA that will be injected into the trust store for core, jobservice, registry, trivy components	""
ipFamily.ipv6.enabled	Enable listening on IPv6 ([::]) for NGINX-based components (NGINX,portal)	true
ipFamily.ipv4.enabled	Enable listening on IPv4 for NGINX-based components (NGINX,portal)	true

Traffic Exposure Parameters

Name	Description	Value
exposureType	The way to expose Harbor. Allowed values are [ ingress | proxy ]	proxy
service.type	NGINX proxy service type	LoadBalancer
service.ports.http	NGINX proxy service HTTP port	80
service.ports.https	NGINX proxy service HTTPS port	443
service.nodePorts.http	Node port for HTTP	""
service.nodePorts.https	Node port for HTTPS	""
service.sessionAffinity	Control where client requests go, to the same pod or round-robin	None
service.sessionAffinityConfig	Additional settings for the sessionAffinity	{}
service.clusterIP	NGINX proxy service Cluster IP	""
service.loadBalancerIP	NGINX proxy service Load Balancer IP	""
service.loadBalancerSourceRanges	NGINX proxy service Load Balancer sources	[]
service.externalTrafficPolicy	NGINX proxy service external traffic policy	Cluster
service.annotations	Additional custom annotations for NGINX proxy service	{}
service.extraPorts	Extra port to expose on NGINX proxy service	[]
ingress.core.ingressClassName	IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)	""
ingress.core.pathType	Ingress path type	ImplementationSpecific
ingress.core.apiVersion	Force Ingress API version (automatically detected if not set)	""
ingress.core.controller	The ingress controller type. Currently supports default, gce and ncp	default
ingress.core.hostname	Default host for the ingress record	core.harbor.domain
ingress.core.annotations	Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.	{}
ingress.core.tls	Enable TLS configuration for the host defined at ingress.core.hostname parameter	false
ingress.core.selfSigned	Create a TLS secret for this ingress record using self-signed certificates generated by Helm	false
ingress.core.extraHosts	An array with additional hostname(s) to be covered with the ingress record	[]
ingress.core.extraPaths	An array with additional arbitrary paths that may need to be added to the ingress under the main host	[]
ingress.core.extraTls	TLS configuration for additional hostname(s) to be covered with this ingress record	[]
ingress.core.secrets	Custom TLS certificates as secrets	[]
ingress.core.extraRules	Additional rules to be covered with this ingress record	[]

Persistence Parameters

Name	Description	Value
persistence.enabled	Enable the data persistence or not	true
persistence.resourcePolicy	Setting it to keep to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted	keep
persistence.persistentVolumeClaim.registry.existingClaim	Name of an existing PVC to use	""
persistence.persistentVolumeClaim.registry.storageClass	PVC Storage Class for Harbor Registry data volume	""
persistence.persistentVolumeClaim.registry.subPath	The sub path used in the volume	""
persistence.persistentVolumeClaim.registry.accessModes	The access mode of the volume	["ReadWriteOnce"]
persistence.persistentVolumeClaim.registry.size	The size of the volume	5Gi
persistence.persistentVolumeClaim.registry.annotations	Annotations for the PVC	{}
persistence.persistentVolumeClaim.registry.selector	Selector to match an existing Persistent Volume	{}
persistence.persistentVolumeClaim.jobservice.existingClaim	Name of an existing PVC to use	""
persistence.persistentVolumeClaim.jobservice.storageClass	PVC Storage Class for Harbor Jobservice data volume	""
persistence.persistentVolumeClaim.jobservice.subPath	The sub path used in the volume	""
persistence.persistentVolumeClaim.jobservice.accessModes	The access mode of the volume	["ReadWriteOnce"]
persistence.persistentVolumeClaim.jobservice.size	The size of the volume	1Gi
persistence.persistentVolumeClaim.jobservice.annotations	Annotations for the PVC	{}
persistence.persistentVolumeClaim.jobservice.selector	Selector to match an existing Persistent Volume	{}
persistence.persistentVolumeClaim.trivy.storageClass	PVC Storage Class for Trivy data volume	""
persistence.persistentVolumeClaim.trivy.accessModes	The access mode of the volume	["ReadWriteOnce"]
persistence.persistentVolumeClaim.trivy.size	The size of the volume	5Gi
persistence.persistentVolumeClaim.trivy.annotations	Annotations for the PVC	{}
persistence.persistentVolumeClaim.trivy.selector	Selector to match an existing Persistent Volume	{}
persistence.imageChartStorage.caBundleSecret	Specify the caBundleSecret if the storage service uses a self-signed certificate. The secret must contain keys named ca.crt which will be injected into the trust store of registry’s containers.	""
persistence.imageChartStorage.disableredirect	The configuration for managing redirects from content backends. For backends which do not supported it (such as using MinIO® for s3 storage type), please set it to true to disable redirects. Refer to the guide for more information about the detail	false
persistence.imageChartStorage.type	The type of storage for images and charts: filesystem, azure, gcs, s3, swift or oss. The type must be filesystem if you want to use persistent volumes for registry. Refer to the guide for more information about the detail	filesystem
persistence.imageChartStorage.filesystem.rootdirectory	Filesystem storage type setting: Storage root directory	/storage
persistence.imageChartStorage.filesystem.maxthreads	Filesystem storage type setting: Maximum threads directory	""
persistence.imageChartStorage.azure.accountname	Azure storage type setting: Name of the Azure account	accountname
persistence.imageChartStorage.azure.accountkey	Azure storage type setting: Key of the Azure account	base64encodedaccountkey
persistence.imageChartStorage.azure.container	Azure storage type setting: Container	containername
persistence.imageChartStorage.azure.storagePrefix	Azure storage type setting: Storage prefix	/azure/harbor/charts
persistence.imageChartStorage.azure.realm	Azure storage type setting: Realm of the Azure account	""
persistence.imageChartStorage.gcs.bucket	GCS storage type setting: Bucket name	bucketname
persistence.imageChartStorage.gcs.encodedkey	GCS storage type setting: Base64 encoded key	""
persistence.imageChartStorage.gcs.rootdirectory	GCS storage type setting: Root directory name	""
persistence.imageChartStorage.gcs.chunksize	GCS storage type setting: Chunk size name	""
persistence.imageChartStorage.s3.region	S3 storage type setting: Region	us-west-1
persistence.imageChartStorage.s3.bucket	S3 storage type setting: Bucket name	bucketname
persistence.imageChartStorage.s3.accesskey	S3 storage type setting: Access key name	""
persistence.imageChartStorage.s3.secretkey	S3 storage type setting: Secret Key name	""
persistence.imageChartStorage.s3.regionendpoint	S3 storage type setting: Region Endpoint	""
persistence.imageChartStorage.s3.encrypt	S3 storage type setting: Encrypt	""
persistence.imageChartStorage.s3.keyid	S3 storage type setting: Key ID	""
persistence.imageChartStorage.s3.secure	S3 storage type setting: Secure	""
persistence.imageChartStorage.s3.skipverify	S3 storage type setting: TLS skip verification	""
persistence.imageChartStorage.s3.v4auth	S3 storage type setting: V4 authorization	""
persistence.imageChartStorage.s3.chunksize	S3 storage type setting: V4 authorization	""
persistence.imageChartStorage.s3.rootdirectory	S3 storage type setting: Root directory name	""
persistence.imageChartStorage.s3.storageClass	S3 storage type setting: Storage class	""
persistence.imageChartStorage.s3.sse	S3 storage type setting: SSE name	""
persistence.imageChartStorage.s3.multipartcopythresholdsize	S3 storage type setting: Threshold size for multipart copy	""
persistence.imageChartStorage.swift.authurl	Swift storage type setting: Authentication url	https://storage.myprovider.com/v3/auth
persistence.imageChartStorage.swift.username	Swift storage type setting: Authentication url	""
persistence.imageChartStorage.swift.password	Swift storage type setting: Password	""
persistence.imageChartStorage.swift.container	Swift storage type setting: Container	""
persistence.imageChartStorage.swift.region	Swift storage type setting: Region	""
persistence.imageChartStorage.swift.tenant	Swift storage type setting: Tenant	""
persistence.imageChartStorage.swift.tenantid	Swift storage type setting: TenantID	""
persistence.imageChartStorage.swift.domain	Swift storage type setting: Domain	""
persistence.imageChartStorage.swift.domainid	Swift storage type setting: DomainID	""
persistence.imageChartStorage.swift.trustid	Swift storage type setting: TrustID	""
persistence.imageChartStorage.swift.insecureskipverify	Swift storage type setting: Verification	""
persistence.imageChartStorage.swift.chunksize	Swift storage type setting: Chunk	""
persistence.imageChartStorage.swift.prefix	Swift storage type setting: Prefix	""
persistence.imageChartStorage.swift.secretkey	Swift storage type setting: Secre Key	""
persistence.imageChartStorage.swift.accesskey	Swift storage type setting: Access Key	""
persistence.imageChartStorage.swift.authversion	Swift storage type setting: Auth	""
persistence.imageChartStorage.swift.endpointtype	Swift storage type setting: Endpoint	""
persistence.imageChartStorage.swift.tempurlcontainerkey	Swift storage type setting: Temp URL container key	""
persistence.imageChartStorage.swift.tempurlmethods	Swift storage type setting: Temp URL methods	""
persistence.imageChartStorage.oss.accesskeyid	OSS storage type setting: Access key ID	""
persistence.imageChartStorage.oss.accesskeysecret	OSS storage type setting: Access key secret name containing the token	""
persistence.imageChartStorage.oss.region	OSS storage type setting: Region name	""
persistence.imageChartStorage.oss.bucket	OSS storage type setting: Bucket name	""
persistence.imageChartStorage.oss.endpoint	OSS storage type setting: Endpoint	""
persistence.imageChartStorage.oss.internal	OSS storage type setting: Internal	""
persistence.imageChartStorage.oss.encrypt	OSS storage type setting: Encrypt	""
persistence.imageChartStorage.oss.secure	OSS storage type setting: Secure	""
persistence.imageChartStorage.oss.chunksize	OSS storage type setting: Chunk	""
persistence.imageChartStorage.oss.rootdirectory	OSS storage type setting: Directory	""
persistence.imageChartStorage.oss.secretkey	OSS storage type setting: Secret key	""

Tracing parameters

Name	Description	Value
tracing.enabled	Enable tracing	false
tracing.sampleRate	Tracing sample rate from 0 to 1	1
tracing.namespace	Used to differentiate traces between different harbor services	""
tracing.attributes	A key value dict containing user defined attributes used to initialize the trace provider	{}
tracing.jaeger	Configuration for exporting to jaeger. If using jaeger collector mode, use endpoint, username and password. If using jaeger agent mode, use agentHostname and agentPort.
tracing.jaeger.enabled	Enable jaeger export	false
tracing.jaeger.endpoint	Jaeger endpoint	""
tracing.jaeger.username	Jaeger username	""
tracing.jaeger.password	Jaeger password	""
tracing.jaeger.agentHost	Jaeger agent hostname	""
tracing.jaeger.agentPort	Jaeger agent port	""
tracing.otel	Configuration for exporting to an otel endpoint
tracing.otel.enabled	Enable otel export	false
tracing.otel.endpoint	The hostname and port for an otel compatible backend	hostname:4318
tracing.otel.urlpath	Url path of otel endpoint	/v1/traces
tracing.otel.compression	Enable data compression	false
tracing.otel.timeout	The timeout for data transfer	10s
tracing.otel.insecure	Ignore cert verification for otel backend	true

Volume Permissions parameters

Name	Description	Value
certificateVolume.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if certificateVolume.resources is set (certificateVolume.resources is recommended for production).	nano
certificateVolume.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
volumePermissions.enabled	Enable init container that changes the owner and group of the persistent volume	false
volumePermissions.image.registry	Init container volume-permissions image registry	REGISTRY_NAME
volumePermissions.image.repository	Init container volume-permissions image repository	REPOSITORY_NAME/os-shell
volumePermissions.image.digest	Init container volume-permissions image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
volumePermissions.image.pullPolicy	Init container volume-permissions image pull policy	IfNotPresent
volumePermissions.image.pullSecrets	Init container volume-permissions image pull secrets	[]
volumePermissions.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).	nano
volumePermissions.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
volumePermissions.containerSecurityContext.enabled	Enable init container Security Context	true
volumePermissions.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
volumePermissions.containerSecurityContext.runAsUser	User ID for the init container	0

NGINX Parameters

Name	Description	Value
nginx.image.registry	NGINX image registry	REGISTRY_NAME
nginx.image.repository	NGINX image repository	REPOSITORY_NAME/nginx
nginx.image.digest	NGINX image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
nginx.image.pullPolicy	NGINX image pull policy	IfNotPresent
nginx.image.pullSecrets	NGINX image pull secrets	[]
nginx.image.debug	Enable NGINX image debug mode	false
nginx.tls.enabled	Enable TLS termination	true
nginx.tls.existingSecret	Existing secret name containing your own TLS certificates.	""
nginx.tls.commonName	The common name used to generate the self-signed TLS certificates	core.harbor.domain
nginx.behindReverseProxy	If NGINX is behind another reverse proxy, set to true	false
nginx.command	Override default container command (useful when using custom images)	[]
nginx.args	Override default container args (useful when using custom images)	[]
nginx.extraEnvVars	Array with extra environment variables to add NGINX pods	[]
nginx.extraEnvVarsCM	ConfigMap containing extra environment variables for NGINX pods	""
nginx.extraEnvVarsSecret	Secret containing extra environment variables (in case of sensitive data) for NGINX pods	""
nginx.containerPorts.http	NGINX HTTP container port	8080
nginx.containerPorts.https	NGINX HTTPS container port	8443
nginx.replicaCount	Number of NGINX replicas	1
nginx.livenessProbe.enabled	Enable livenessProbe on NGINX containers	true
nginx.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
nginx.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
nginx.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
nginx.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
nginx.livenessProbe.successThreshold	Success threshold for livenessProbe	1
nginx.readinessProbe.enabled	Enable readinessProbe on NGINX containers	true
nginx.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
nginx.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
nginx.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
nginx.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
nginx.readinessProbe.successThreshold	Success threshold for readinessProbe	1
nginx.startupProbe.enabled	Enable startupProbe on NGINX containers	false
nginx.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	10
nginx.startupProbe.periodSeconds	Period seconds for startupProbe	10
nginx.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
nginx.startupProbe.failureThreshold	Failure threshold for startupProbe	15
nginx.startupProbe.successThreshold	Success threshold for startupProbe	1
nginx.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
nginx.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
nginx.customStartupProbe	Custom startupProbe that overrides the default one	{}
nginx.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if nginx.resources is set (nginx.resources is recommended for production).	small
nginx.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
nginx.podSecurityContext.enabled	Enabled NGINX pods’ Security Context	true
nginx.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
nginx.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
nginx.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
nginx.podSecurityContext.fsGroup	Set NGINX pod’s Security Context fsGroup	1001
nginx.containerSecurityContext.enabled	Enabled containers’ Security Context	true
nginx.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
nginx.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
nginx.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
nginx.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
nginx.containerSecurityContext.privileged	Set container’s Security Context privileged	false
nginx.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
nginx.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
nginx.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
nginx.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
nginx.updateStrategy.type	NGINX deployment strategy type - only really applicable for deployments with RWO PVs attached	RollingUpdate
nginx.lifecycleHooks	LifecycleHook for the NGINX container(s) to automate configuration before or after startup	{}
nginx.automountServiceAccountToken	Mount Service Account token in pod	false
nginx.serviceAccount.create	Specifies whether a ServiceAccount should be created	false
nginx.serviceAccount.name	The name of the ServiceAccount to use.	""
nginx.serviceAccount.automountServiceAccountToken	Allows auto mount of ServiceAccountToken on the serviceAccount created	false
nginx.serviceAccount.annotations	Additional custom annotations for the ServiceAccount	{}
nginx.hostAliases	NGINX pods host aliases	[]
nginx.podLabels	Add additional labels to the NGINX pods (evaluated as a template)	{}
nginx.podAnnotations	Annotations to add to the NGINX pods (evaluated as a template)	{}
nginx.podAffinityPreset	NGINX Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
nginx.podAntiAffinityPreset	NGINX Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
nginx.nodeAffinityPreset.type	NGINX Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
nginx.nodeAffinityPreset.key	NGINX Node label key to match Ignored if affinity is set.	""
nginx.nodeAffinityPreset.values	NGINX Node label values to match. Ignored if affinity is set.	[]
nginx.affinity	NGINX Affinity for pod assignment	{}
nginx.nodeSelector	NGINX Node labels for pod assignment	{}
nginx.tolerations	NGINX Tolerations for pod assignment	[]
nginx.topologySpreadConstraints	Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template	[]
nginx.priorityClassName	Priority Class Name	""
nginx.schedulerName	Use an alternate scheduler, e.g. “stork”.	""
nginx.sidecars	Add additional sidecar containers to the NGINX pods	[]
nginx.initContainers	Add additional init containers to the NGINX pods	[]
nginx.pdb.create	Enable/disable a Pod Disruption Budget creation	true
nginx.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
nginx.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both nginx.pdb.minAvailable and nginx.pdb.maxUnavailable are empty.	""
nginx.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the NGINX pods	[]
nginx.extraVolumes	Optionally specify extra list of additional volumes for the NGINX pods	[]
nginx.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
nginx.networkPolicy.allowExternal	Don’t require server label for connections	true
nginx.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
nginx.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
nginx.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
nginx.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
nginx.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Harbor Portal Parameters

Name	Description	Value
portal.image.registry	Harbor Portal image registry	REGISTRY_NAME
portal.image.repository	Harbor Portal image repository	REPOSITORY_NAME/harbor-portal
portal.image.digest	Harbor Portal image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
portal.image.pullPolicy	Harbor Portal image pull policy	IfNotPresent
portal.image.pullSecrets	Harbor Portal image pull secrets	[]
portal.image.debug	Enable Harbor Portal image debug mode	false
portal.tls.existingSecret	Name of an existing secret with the certificates for internal TLS access	""
portal.command	Override default container command (useful when using custom images)	[]
portal.args	Override default container args (useful when using custom images)	[]
portal.extraEnvVars	Array with extra environment variables to add Harbor Portal pods	[]
portal.extraEnvVarsCM	ConfigMap containing extra environment variables for Harbor Portal pods	""
portal.extraEnvVarsSecret	Secret containing extra environment variables (in case of sensitive data) for Harbor Portal pods	""
portal.containerPorts.http	Harbor Portal HTTP container port	8080
portal.containerPorts.https	Harbor Portal HTTPS container port	8443
portal.replicaCount	Number of Harbor Portal replicas	1
portal.livenessProbe.enabled	Enable livenessProbe on Harbor Portal containers	true
portal.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
portal.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
portal.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
portal.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
portal.livenessProbe.successThreshold	Success threshold for livenessProbe	1
portal.readinessProbe.enabled	Enable readinessProbe on Harbor Portal containers	true
portal.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
portal.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
portal.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
portal.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
portal.readinessProbe.successThreshold	Success threshold for readinessProbe	1
portal.startupProbe.enabled	Enable startupProbe on Harbor Portal containers	false
portal.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
portal.startupProbe.periodSeconds	Period seconds for startupProbe	10
portal.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
portal.startupProbe.failureThreshold	Failure threshold for startupProbe	15
portal.startupProbe.successThreshold	Success threshold for startupProbe	1
portal.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
portal.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
portal.customStartupProbe	Custom startupProbe that overrides the default one	{}
portal.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if portal.resources is set (portal.resources is recommended for production).	small
portal.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
portal.podSecurityContext.enabled	Enabled Harbor Portal pods’ Security Context	true
portal.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
portal.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
portal.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
portal.podSecurityContext.fsGroup	Set Harbor Portal pod’s Security Context fsGroup	1001
portal.containerSecurityContext.enabled	Enabled containers’ Security Context	true
portal.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
portal.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
portal.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
portal.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
portal.containerSecurityContext.privileged	Set container’s Security Context privileged	false
portal.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
portal.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
portal.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
portal.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
portal.updateStrategy.type	Harbor Portal deployment strategy type - only really applicable for deployments with RWO PVs attached	RollingUpdate
portal.lifecycleHooks	LifecycleHook for the Harbor Portal container(s) to automate configuration before or after startup	{}
portal.hostAliases	Harbor Portal pods host aliases	[]
portal.podLabels	Add additional labels to the Harbor Portal pods (evaluated as a template)	{}
portal.podAnnotations	Annotations to add to the Harbor Portal pods (evaluated as a template)	{}
portal.podAffinityPreset	Harbor Portal Pod affinity preset. Ignored if portal.affinity is set. Allowed values: soft or hard	""
portal.podAntiAffinityPreset	Harbor Portal Pod anti-affinity preset. Ignored if portal.affinity is set. Allowed values: soft or hard	soft
portal.nodeAffinityPreset.type	Harbor Portal Node affinity preset type. Ignored if portal.affinity is set. Allowed values: soft or hard	""
portal.nodeAffinityPreset.key	Harbor Portal Node label key to match Ignored if portal.affinity is set.	""
portal.nodeAffinityPreset.values	Harbor Portal Node label values to match. Ignored if portal.affinity is set.	[]
portal.affinity	Harbor Portal Affinity for pod assignment	{}
portal.nodeSelector	Harbor Portal Node labels for pod assignment	{}
portal.tolerations	Harbor Portal Tolerations for pod assignment	[]
portal.topologySpreadConstraints	Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template	[]
portal.priorityClassName	Priority Class Name	""
portal.schedulerName	Use an alternate scheduler, e.g. “stork”.	""
portal.sidecars	Add additional sidecar containers to the Harbor Portal pods	[]
portal.initContainers	Add additional init containers to the Harbor Portal pods	[]
portal.pdb.create	Enable/disable a Pod Disruption Budget creation	true
portal.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
portal.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both portal.pdb.minAvailable and portal.pdb.maxUnavailable are empty.	""
portal.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Harbor Portal pods	[]
portal.extraVolumes	Optionally specify extra list of additional volumes for the Harbor Portal pods	[]
portal.automountServiceAccountToken	Mount Service Account token in pod	false
portal.serviceAccount.create	Specifies whether a ServiceAccount should be created	false
portal.serviceAccount.name	The name of the ServiceAccount to use.	""
portal.serviceAccount.automountServiceAccountToken	Allows auto mount of ServiceAccountToken on the serviceAccount created	false
portal.serviceAccount.annotations	Additional custom annotations for the ServiceAccount	{}
portal.service.ports.http	Harbor Portal HTTP service port	80
portal.service.ports.https	Harbor Portal HTTPS service port	443
portal.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
portal.networkPolicy.allowExternal	Don’t require server label for connections	true
portal.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
portal.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
portal.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
portal.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
portal.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Harbor Core Parameters

Name	Description	Value
core.image.registry	Harbor Core image registry	REGISTRY_NAME
core.image.repository	Harbor Core image repository	REPOSITORY_NAME/harbor-core
core.image.digest	Harbor Core image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
core.image.pullPolicy	Harbor Core image pull policy	IfNotPresent
core.image.pullSecrets	Harbor Core image pull secrets	[]
core.image.debug	Enable Harbor Core image debug mode	false
core.sessionLifetime	Explicitly set a session timeout (in seconds) overriding the backend default.	""
core.uaaSecret	If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key ca.crt.	""
core.secretKey	The key used for encryption. Must be a string of 16 chars	""
core.secret	Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.	""
core.tokenKey	Key of the certificate used for token encryption/decryption.	""
core.tokenCert	Certificate used for token encryption/decryption.	""
core.secretName	Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: tls.crt - the certificate and tls.key - the private key. The default key pair will be used if it isn’t set	""
core.existingSecret	Existing secret for core	""
core.existingEnvVarsSecret	Existing secret for core envvars	""
core.csrfKey	The CSRF key. Will be generated automatically if it isn’t specified	""
core.tls.existingSecret	Name of an existing secret with the certificates for internal TLS access	""
core.command	Override default container command (useful when using custom images)	[]
core.args	Override default container args (useful when using custom images)	[]
core.extraEnvVars	Array with extra environment variables to add Harbor Core pods	[]
core.extraEnvVarsCM	ConfigMap containing extra environment variables for Harbor Core pods	""
core.extraEnvVarsSecret	Secret containing extra environment variables (in case of sensitive data) for Harbor Core pods	""
core.configOverwriteJson	String containing a JSON with configuration overrides	""
core.configOverwriteJsonSecret	Secret containing the JSON configuration overrides	""
core.containerPorts.http	Harbor Core HTTP container port	8080
core.containerPorts.https	Harbor Core HTTPS container port	8443
core.containerPorts.metrics	Harbor Core metrics container port	8001
core.replicaCount	Number of Harbor Core replicas	1
core.livenessProbe.enabled	Enable livenessProbe on Harbor Core containers	true
core.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
core.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
core.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
core.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
core.livenessProbe.successThreshold	Success threshold for livenessProbe	1
core.readinessProbe.enabled	Enable readinessProbe on Harbor Core containers	true
core.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
core.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
core.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
core.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
core.readinessProbe.successThreshold	Success threshold for readinessProbe	1
core.startupProbe.enabled	Enable startupProbe on Harbor Core containers	false
core.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
core.startupProbe.periodSeconds	Period seconds for startupProbe	10
core.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
core.startupProbe.failureThreshold	Failure threshold for startupProbe	15
core.startupProbe.successThreshold	Success threshold for startupProbe	1
core.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
core.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
core.customStartupProbe	Custom startupProbe that overrides the default one	{}
core.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if core.resources is set (core.resources is recommended for production).	small
core.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
core.podSecurityContext.enabled	Enabled Harbor Core pods’ Security Context	true
core.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
core.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
core.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
core.podSecurityContext.fsGroup	Set Harbor Core pod’s Security Context fsGroup	1001
core.containerSecurityContext.enabled	Enabled containers’ Security Context	true
core.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
core.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
core.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
core.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
core.containerSecurityContext.privileged	Set container’s Security Context privileged	false
core.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
core.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
core.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
core.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
core.updateStrategy.type	Harbor Core deployment strategy type - only really applicable for deployments with RWO PVs attached	RollingUpdate
core.lifecycleHooks	LifecycleHook for the Harbor Core container(s) to automate configuration before or after startup	{}
core.hostAliases	Harbor Core pods host aliases	[]
core.podLabels	Add additional labels to the Harbor Core pods (evaluated as a template)	{}
core.podAnnotations	Annotations to add to the Harbor Core pods (evaluated as a template)	{}
core.podAffinityPreset	Harbor Core Pod affinity preset. Ignored if core.affinity is set. Allowed values: soft or hard	""
core.podAntiAffinityPreset	Harbor Core Pod anti-affinity preset. Ignored if core.affinity is set. Allowed values: soft or hard	soft
core.nodeAffinityPreset.type	Harbor Core Node affinity preset type. Ignored if core.affinity is set. Allowed values: soft or hard	""
core.nodeAffinityPreset.key	Harbor Core Node label key to match Ignored if core.affinity is set.	""
core.nodeAffinityPreset.values	Harbor Core Node label values to match. Ignored if core.affinity is set.	[]
core.affinity	Harbor Core Affinity for pod assignment	{}
core.nodeSelector	Harbor Core Node labels for pod assignment	{}
core.tolerations	Harbor Core Tolerations for pod assignment	[]
core.topologySpreadConstraints	Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template	[]
core.priorityClassName	Priority Class Name	""
core.schedulerName	Use an alternate scheduler, e.g. “stork”.	""
core.sidecars	Add additional sidecar containers to the Harbor Core pods	[]
core.initContainers	Add additional init containers to the Harbor Core pods	[]
core.pdb.create	Enable/disable a Pod Disruption Budget creation	true
core.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
core.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both core.pdb.minAvailable and core.pdb.maxUnavailable are empty.	""
core.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Harbor Core pods	[]
core.extraVolumes	Optionally specify extra list of additional volumes for the Harbor Core pods	[]
core.automountServiceAccountToken	Mount Service Account token in pod	false
core.serviceAccount.create	Specifies whether a ServiceAccount should be created	false
core.serviceAccount.name	The name of the ServiceAccount to use.	""
core.serviceAccount.automountServiceAccountToken	Allows auto mount of ServiceAccountToken on the serviceAccount created	false
core.serviceAccount.annotations	Additional custom annotations for the ServiceAccount	{}
core.service.ports.http	Harbor Core HTTP service port	80
core.service.ports.https	Harbor Core HTTPS service port	443
core.service.ports.metrics	Harbor Core metrics service port	8001
core.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
core.networkPolicy.allowExternal	Don’t require server label for connections	true
core.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
core.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
core.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
core.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
core.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Harbor Jobservice Parameters

Name	Description	Value
jobservice.image.registry	Harbor Jobservice image registry	REGISTRY_NAME
jobservice.image.repository	Harbor Jobservice image repository	REPOSITORY_NAME/harbor-jobservice
jobservice.image.digest	Harbor Jobservice image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
jobservice.image.pullPolicy	Harbor Jobservice image pull policy	IfNotPresent
jobservice.image.pullSecrets	Harbor Jobservice image pull secrets	[]
jobservice.image.debug	Enable Harbor Jobservice image debug mode	false
jobservice.maxJobWorkers	The max job workers	10
jobservice.redisNamespace	Redis namespace for jobservice	harbor_job_service_namespace
jobservice.jobLogger	The logger for jobs: file, database or stdout	file
jobservice.secret	Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.	""
jobservice.existingSecret	Existing secret for jobservice	""
jobservice.existingEnvVarsSecret	Existing secret for jobservice envvars	""
jobservice.tls.existingSecret	Name of an existing secret with the certificates for internal TLS access	""
jobservice.command	Override default container command (useful when using custom images)	[]
jobservice.args	Override default container args (useful when using custom images)	[]
jobservice.extraEnvVars	Array with extra environment variables to add Harbor Jobservice pods	[]
jobservice.extraEnvVarsCM	ConfigMap containing extra environment variables for Harbor Jobservice pods	""
jobservice.extraEnvVarsSecret	Secret containing extra environment variables (in case of sensitive data) for Harbor Jobservice pods	""
jobservice.containerPorts.http	Harbor Jobservice HTTP container port	8080
jobservice.containerPorts.https	Harbor Jobservice HTTPS container port	8443
jobservice.containerPorts.metrics	Harbor Jobservice metrics container port	8001
jobservice.replicaCount	Number of Harbor Jobservice replicas	1
jobservice.livenessProbe.enabled	Enable livenessProbe on Harbor Jobservice containers	true
jobservice.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
jobservice.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
jobservice.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
jobservice.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
jobservice.livenessProbe.successThreshold	Success threshold for livenessProbe	1
jobservice.readinessProbe.enabled	Enable readinessProbe on Harbor Jobservice containers	true
jobservice.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
jobservice.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
jobservice.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
jobservice.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
jobservice.readinessProbe.successThreshold	Success threshold for readinessProbe	1
jobservice.startupProbe.enabled	Enable startupProbe on Harbor Jobservice containers	false
jobservice.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
jobservice.startupProbe.periodSeconds	Period seconds for startupProbe	10
jobservice.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
jobservice.startupProbe.failureThreshold	Failure threshold for startupProbe	15
jobservice.startupProbe.successThreshold	Success threshold for startupProbe	1
jobservice.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
jobservice.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
jobservice.customStartupProbe	Custom startupProbe that overrides the default one	{}
jobservice.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if jobservice.resources is set (jobservice.resources is recommended for production).	small
jobservice.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
jobservice.podSecurityContext.enabled	Enabled Harbor Jobservice pods’ Security Context	true
jobservice.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
jobservice.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
jobservice.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
jobservice.podSecurityContext.fsGroup	Set Harbor Jobservice pod’s Security Context fsGroup	1001
jobservice.containerSecurityContext.enabled	Enabled containers’ Security Context	true
jobservice.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
jobservice.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
jobservice.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
jobservice.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
jobservice.containerSecurityContext.privileged	Set container’s Security Context privileged	false
jobservice.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
jobservice.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
jobservice.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
jobservice.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
jobservice.updateStrategy.type	Harbor Jobservice deployment strategy type - only really applicable for deployments with RWO PVs attached	RollingUpdate
jobservice.lifecycleHooks	LifecycleHook for the Harbor Jobservice container(s) to automate configuration before or after startup	{}
jobservice.hostAliases	Harbor Jobservice pods host aliases	[]
jobservice.podLabels	Add additional labels to the Harbor Jobservice pods (evaluated as a template)	{}
jobservice.podAnnotations	Annotations to add to the Harbor Jobservice pods (evaluated as a template)	{}
jobservice.podAffinityPreset	Harbor Jobservice Pod affinity preset. Ignored if jobservice.affinity is set. Allowed values: soft or hard	""
jobservice.podAntiAffinityPreset	Harbor Jobservice Pod anti-affinity preset. Ignored if jobservice.affinity is set. Allowed values: soft or hard	soft
jobservice.nodeAffinityPreset.type	Harbor Jobservice Node affinity preset type. Ignored if jobservice.affinity is set. Allowed values: soft or hard	""
jobservice.nodeAffinityPreset.key	Harbor Jobservice Node label key to match Ignored if jobservice.affinity is set.	""
jobservice.nodeAffinityPreset.values	Harbor Jobservice Node label values to match. Ignored if jobservice.affinity is set.	[]
jobservice.affinity	Harbor Jobservice Affinity for pod assignment	{}
jobservice.nodeSelector	Harbor Jobservice Node labels for pod assignment	{}
jobservice.tolerations	Harbor Jobservice Tolerations for pod assignment	[]
jobservice.topologySpreadConstraints	Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template	[]
jobservice.priorityClassName	Priority Class Name	""
jobservice.schedulerName	Use an alternate scheduler, e.g. “stork”.	""
jobservice.sidecars	Add additional sidecar containers to the Harbor Jobservice pods	[]
jobservice.initContainers	Add additional init containers to the Harbor Jobservice pods	[]
jobservice.pdb.create	Enable/disable a Pod Disruption Budget creation	true
jobservice.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
jobservice.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both jobservice.pdb.minAvailable and jobservice.pdb.maxUnavailable are empty.	""
jobservice.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Harbor Jobservice pods	[]
jobservice.extraVolumes	Optionally specify extra list of additional volumes for the Harbor Jobservice pods	[]
jobservice.automountServiceAccountToken	Mount Service Account token in pod	false
jobservice.serviceAccount.create	Specifies whether a ServiceAccount should be created	false
jobservice.serviceAccount.name	The name of the ServiceAccount to use.	""
jobservice.serviceAccount.automountServiceAccountToken	Allows auto mount of ServiceAccountToken on the serviceAccount created	false
jobservice.serviceAccount.annotations	Additional custom annotations for the ServiceAccount	{}
jobservice.service.ports.http	Harbor Jobservice HTTP service port	80
jobservice.service.ports.https	Harbor Jobservice HTTPS service port	443
jobservice.service.ports.metrics	Harbor Jobservice HTTPS service port	8001
jobservice.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
jobservice.networkPolicy.allowExternal	Don’t require server label for connections	true
jobservice.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
jobservice.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
jobservice.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
jobservice.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
jobservice.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Harbor Registry Parameters

Name	Description	Value
registry.secret	Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md	""
registry.existingSecret	Existing secret for registry	""
registry.relativeurls	Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL.	false
registry.credentials.username	The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs	harbor_registry_user
registry.credentials.password	The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs. It is suggested you update this value before installation.	harbor_registry_password
registry.credentials.htpasswd	The content of htpasswd file based on the value of registry.credentials.username registry.credentials.password. Currently helm does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling	harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m
registry.middleware.enabled	Middleware is used to add support for a CDN between backend storage and docker pull recipient. See	false
registry.middleware.type	CDN type for the middleware	cloudFront
registry.middleware.cloudFront.baseurl	CloudFront CDN settings: Base URL	example.cloudfront.net
registry.middleware.cloudFront.keypairid	CloudFront CDN settings: Keypair ID	KEYPAIRID
registry.middleware.cloudFront.duration	CloudFront CDN settings: Duration	3000s
registry.middleware.cloudFront.ipfilteredby	CloudFront CDN settings: IP filters	none
registry.middleware.cloudFront.privateKeySecret	CloudFront CDN settings: Secret name with the private key	my-secret
registry.tls.existingSecret	Name of an existing secret with the certificates for internal TLS access	""
registry.replicaCount	Number of Harbor Registry replicas	1
registry.podSecurityContext.enabled	Enabled Harbor Registry pods’ Security Context	true
registry.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
registry.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
registry.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
registry.podSecurityContext.fsGroup	Set Harbor Registry pod’s Security Context fsGroup	1001
registry.updateStrategy.type	Harbor Registry deployment strategy type - only really applicable for deployments with RWO PVs attached	RollingUpdate
registry.hostAliases	Harbor Registry pods host aliases	[]
registry.podLabels	Add additional labels to the Harbor Registry pods (evaluated as a template)	{}
registry.podAnnotations	Annotations to add to the Harbor Registry pods (evaluated as a template)	{}
registry.podAffinityPreset	Harbor Registry Pod affinity preset. Ignored if registry.affinity is set. Allowed values: soft or hard	""
registry.podAntiAffinityPreset	Harbor Registry Pod anti-affinity preset. Ignored if registry.affinity is set. Allowed values: soft or hard	soft
registry.nodeAffinityPreset.type	Harbor Registry Node affinity preset type. Ignored if registry.affinity is set. Allowed values: soft or hard	""
registry.nodeAffinityPreset.key	Harbor Registry Node label key to match Ignored if registry.affinity is set.	""
registry.nodeAffinityPreset.values	Harbor Registry Node label values to match. Ignored if registry.affinity is set.	[]
registry.affinity	Harbor Registry Affinity for pod assignment	{}
registry.nodeSelector	Harbor Registry Node labels for pod assignment	{}
registry.tolerations	Harbor Registry Tolerations for pod assignment	[]
registry.topologySpreadConstraints	Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template	[]
registry.priorityClassName	Priority Class Name	""
registry.schedulerName	Use an alternate scheduler, e.g. “stork”.	""
registry.sidecars	Add additional sidecar containers to the Harbor Registry pods	[]
registry.initContainers	Add additional init containers to the Harbor Registry pods	[]
registry.pdb.create	Enable/disable a Pod Disruption Budget creation	true
registry.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
registry.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both registry.pdb.minAvailable and registry.pdb.maxUnavailable are empty.	""
registry.extraVolumes	Optionally specify extra list of additional volumes for the Harbor Registry pods	[]
registry.automountServiceAccountToken	Mount Service Account token in pod	false
registry.serviceAccount.create	Specifies whether a ServiceAccount should be created	true
registry.serviceAccount.name	The name of the ServiceAccount to use.	""
registry.serviceAccount.automountServiceAccountToken	Allows auto mount of ServiceAccountToken on the serviceAccount created	false
registry.serviceAccount.annotations	Additional custom annotations for the ServiceAccount	{}
registry.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
registry.networkPolicy.allowExternal	Don’t require server label for connections	true
registry.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
registry.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
registry.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
registry.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
registry.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}
registry.server.image.registry	Harbor Registry image registry	REGISTRY_NAME
registry.server.image.repository	Harbor Registry image repository	REPOSITORY_NAME/harbor-registry
registry.server.image.digest	Harbor Registry image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
registry.server.image.pullPolicy	Harbor Registry image pull policy	IfNotPresent
registry.server.image.pullSecrets	Harbor Registry image pull secrets	[]
registry.server.image.debug	Enable Harbor Registry image debug mode	false
registry.server.command	Override default container command (useful when using custom images)	[]
registry.server.args	Override default container args (useful when using custom images)	[]
registry.server.extraEnvVars	Array with extra environment variables to add Harbor Registry main containers	[]
registry.server.extraEnvVarsCM	ConfigMap containing extra environment variables for Harbor Registry main containers	""
registry.server.extraEnvVarsSecret	Secret containing extra environment variables (in case of sensitive data) for Harbor Registry main containers	""
registry.server.containerPorts.http	Harbor Registry HTTP container port	5000
registry.server.containerPorts.https	Harbor Registry HTTPS container port	5443
registry.server.containerPorts.debug	Harbor Registry debug container port	5001
registry.server.containerPorts.metrics	Harbor Registry metrics container port	8001
registry.server.livenessProbe.enabled	Enable livenessProbe on Harbor Registry main containers	true
registry.server.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
registry.server.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
registry.server.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
registry.server.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
registry.server.livenessProbe.successThreshold	Success threshold for livenessProbe	1
registry.server.readinessProbe.enabled	Enable readinessProbe on Harbor Registry main containers	true
registry.server.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
registry.server.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
registry.server.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
registry.server.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
registry.server.readinessProbe.successThreshold	Success threshold for readinessProbe	1
registry.server.startupProbe.enabled	Enable startupProbe on Harbor Registry main containers	false
registry.server.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
registry.server.startupProbe.periodSeconds	Period seconds for startupProbe	10
registry.server.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
registry.server.startupProbe.failureThreshold	Failure threshold for startupProbe	15
registry.server.startupProbe.successThreshold	Success threshold for startupProbe	1
registry.server.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
registry.server.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
registry.server.customStartupProbe	Custom startupProbe that overrides the default one	{}
registry.server.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.server.resources is set (registry.server.resources is recommended for production).	small
registry.server.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
registry.server.containerSecurityContext.enabled	Enabled containers’ Security Context	true
registry.server.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
registry.server.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
registry.server.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
registry.server.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
registry.server.containerSecurityContext.privileged	Set container’s Security Context privileged	false
registry.server.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
registry.server.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
registry.server.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
registry.server.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
registry.server.lifecycleHooks	LifecycleHook for the Harbor Registry main container(s) to automate configuration before or after startup	{}
registry.server.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Harbor Registry main pods	[]
registry.server.service.ports.http	Harbor Registry HTTP service port	5000
registry.server.service.ports.https	Harbor Registry HTTPS service port	5443
registry.server.service.ports.metrics	Harbor Registry metrics service port	8001
registry.controller.image.registry	Harbor Registryctl image registry	REGISTRY_NAME
registry.controller.image.repository	Harbor Registryctl image repository	REPOSITORY_NAME/harbor-registryctl
registry.controller.image.digest	Harbor Registryctl image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
registry.controller.image.pullPolicy	Harbor Registryctl image pull policy	IfNotPresent
registry.controller.image.pullSecrets	Harbor Registryctl image pull secrets	[]
registry.controller.image.debug	Enable Harbor Registryctl image debug mode	false
registry.controller.command	Override default container command (useful when using custom images)	[]
registry.controller.args	Override default container args (useful when using custom images)	[]
registry.controller.extraEnvVars	Array with extra environment variables to add Harbor Registryctl containers	[]
registry.controller.extraEnvVarsCM	ConfigMap containing extra environment variables for Harbor Registryctl containers	""
registry.controller.extraEnvVarsSecret	Secret containing extra environment variables (in case of sensitive data) for Harbor Registryctl containers	""
registry.controller.containerPorts.http	Harbor Registryctl HTTP container port	8080
registry.controller.containerPorts.https	Harbor Registryctl HTTPS container port	8443
registry.controller.livenessProbe.enabled	Enable livenessProbe on Harbor Registryctl containers	true
registry.controller.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
registry.controller.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
registry.controller.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
registry.controller.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
registry.controller.livenessProbe.successThreshold	Success threshold for livenessProbe	1
registry.controller.readinessProbe.enabled	Enable readinessProbe on Harbor Registryctl containers	true
registry.controller.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
registry.controller.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
registry.controller.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
registry.controller.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
registry.controller.readinessProbe.successThreshold	Success threshold for readinessProbe	1
registry.controller.startupProbe.enabled	Enable startupProbe on Harbor Registryctl containers	false
registry.controller.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
registry.controller.startupProbe.periodSeconds	Period seconds for startupProbe	10
registry.controller.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
registry.controller.startupProbe.failureThreshold	Failure threshold for startupProbe	15
registry.controller.startupProbe.successThreshold	Success threshold for startupProbe	1
registry.controller.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
registry.controller.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
registry.controller.customStartupProbe	Custom startupProbe that overrides the default one	{}
registry.controller.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.controller.resources is set (registry.controller.resources is recommended for production).	small
registry.controller.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
registry.controller.containerSecurityContext.enabled	Enabled containers’ Security Context	true
registry.controller.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
registry.controller.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
registry.controller.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
registry.controller.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
registry.controller.containerSecurityContext.privileged	Set container’s Security Context privileged	false
registry.controller.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
registry.controller.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
registry.controller.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
registry.controller.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
registry.controller.lifecycleHooks	LifecycleHook for the Harbor Registryctl container(s) to automate configuration before or after startup	{}
registry.controller.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Harbor Registryctl pods	[]
registry.controller.service.ports.http	Harbor Registryctl HTTP service port	8080
registry.controller.service.ports.https	Harbor Registryctl HTTPS service port	8443

Harbor Adapter Trivy Parameters

Name	Description	Value
trivy.image.registry	Harbor Adapter Trivy image registry	REGISTRY_NAME
trivy.image.repository	Harbor Adapter Trivy image repository	REPOSITORY_NAME/harbor-adapter-trivy
trivy.image.digest	Harbor Adapter Trivy image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
trivy.image.pullPolicy	Harbor Adapter Trivy image pull policy	IfNotPresent
trivy.image.pullSecrets	Harbor Adapter Trivy image pull secrets	[]
trivy.image.debug	Enable Harbor Adapter Trivy image debug mode	false
trivy.enabled	Enable Trivy	true
trivy.debugMode	The flag to enable Trivy debug mode	false
trivy.vulnType	Comma-separated list of vulnerability types. Possible values os and library.	os,library
trivy.severity	Comma-separated list of severities to be checked	UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy.ignoreUnfixed	The flag to display only fixed vulnerabilities	false
trivy.insecure	The flag to skip verifying registry certificate	false
trivy.existingEnvVarsSecret	Existing secret for trivy	""
trivy.gitHubToken	The GitHub access token to download Trivy DB	""
trivy.skipUpdate	The flag to disable Trivy DB downloads from GitHub	false
trivy.cacheDir	Directory to store the cache	/bitnami/harbor-adapter-trivy/.cache
trivy.tls.existingSecret	Name of an existing secret with the certificates for internal TLS access	""
trivy.command	Override default container command (useful when using custom images)	[]
trivy.args	Override default container args (useful when using custom images)	[]
trivy.extraEnvVars	Array with extra environment variables to add Trivy pods	[]
trivy.extraEnvVarsCM	ConfigMap containing extra environment variables for Trivy pods	""
trivy.extraEnvVarsSecret	Secret containing extra environment variables (in case of sensitive data) for Trivy pods	""
trivy.containerPorts.http	Trivy HTTP container port	8080
trivy.containerPorts.https	Trivy HTTPS container port	8443
trivy.replicaCount	Number of Trivy replicas	1
trivy.livenessProbe.enabled	Enable livenessProbe on Trivy containers	true
trivy.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
trivy.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
trivy.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
trivy.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
trivy.livenessProbe.successThreshold	Success threshold for livenessProbe	1
trivy.readinessProbe.enabled	Enable readinessProbe on Trivy containers	true
trivy.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
trivy.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
trivy.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
trivy.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
trivy.readinessProbe.successThreshold	Success threshold for readinessProbe	1
trivy.startupProbe.enabled	Enable startupProbe on Trivy containers	false
trivy.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
trivy.startupProbe.periodSeconds	Period seconds for startupProbe	10
trivy.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
trivy.startupProbe.failureThreshold	Failure threshold for startupProbe	15
trivy.startupProbe.successThreshold	Success threshold for startupProbe	1
trivy.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
trivy.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
trivy.customStartupProbe	Custom startupProbe that overrides the default one	{}
trivy.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if trivy.resources is set (trivy.resources is recommended for production).	small
trivy.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
trivy.podSecurityContext.enabled	Enabled Trivy pods’ Security Context	true
trivy.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
trivy.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
trivy.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
trivy.podSecurityContext.fsGroup	Set Trivy pod’s Security Context fsGroup	1001
trivy.containerSecurityContext.enabled	Enabled containers’ Security Context	true
trivy.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
trivy.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
trivy.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
trivy.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
trivy.containerSecurityContext.privileged	Set container’s Security Context privileged	false
trivy.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
trivy.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
trivy.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
trivy.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
trivy.updateStrategy.type	Trivy deployment strategy type - only really applicable for deployments with RWO PVs attached	RollingUpdate
trivy.lifecycleHooks	LifecycleHook for the Trivy container(s) to automate configuration before or after startup	{}
trivy.hostAliases	Trivy pods host aliases	[]
trivy.podLabels	Add additional labels to the Trivy pods (evaluated as a template)	{}
trivy.podAnnotations	Annotations to add to the Trivy pods (evaluated as a template)	{}
trivy.podAffinityPreset	Trivy Pod affinity preset. Ignored if trivy.affinity is set. Allowed values: soft or hard	""
trivy.podAntiAffinityPreset	Trivy Pod anti-affinity preset. Ignored if trivy.affinity is set. Allowed values: soft or hard	soft
trivy.nodeAffinityPreset.type	Trivy Node affinity preset type. Ignored if trivy.affinity is set. Allowed values: soft or hard	""
trivy.nodeAffinityPreset.key	Trivy Node label key to match Ignored if trivy.affinity is set.	""
trivy.nodeAffinityPreset.values	Trivy Node label values to match. Ignored if trivy.affinity is set.	[]
trivy.affinity	Trivy Affinity for pod assignment	{}
trivy.nodeSelector	Trivy Node labels for pod assignment	{}
trivy.tolerations	Trivy Tolerations for pod assignment	[]
trivy.topologySpreadConstraints	Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template	[]
trivy.priorityClassName	Priority Class Name	""
trivy.schedulerName	Use an alternate scheduler, e.g. “stork”.	""
trivy.sidecars	Add additional sidecar containers to the Trivy pods	[]
trivy.initContainers	Add additional init containers to the Trivy pods	[]
trivy.pdb.create	Enable/disable a Pod Disruption Budget creation	true
trivy.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
trivy.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both trivy.pdb.minAvailable and trivy.pdb.maxUnavailable are empty.	""
trivy.extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the Trivy pods	[]
trivy.extraVolumes	Optionally specify extra list of additional volumes for the Trivy pods	[]
trivy.automountServiceAccountToken	Mount Service Account token in pod	false
trivy.serviceAccount.create	Specifies whether a ServiceAccount should be created	false
trivy.serviceAccount.name	The name of the ServiceAccount to use.	""
trivy.serviceAccount.automountServiceAccountToken	Allows auto mount of ServiceAccountToken on the serviceAccount created	false
trivy.serviceAccount.annotations	Additional custom annotations for the ServiceAccount	{}
trivy.service.ports.http	Trivy HTTP service port	8080
trivy.service.ports.https	Trivy HTTPS service port	8443
trivy.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
trivy.networkPolicy.allowExternal	Don’t require server label for connections	true
trivy.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
trivy.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
trivy.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
trivy.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
trivy.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

Harbor Exporter Parameters

Name	Description	Value
exporter.image.registry	Harbor Exporter image registry	REGISTRY_NAME
exporter.image.repository	Harbor Exporter image repository	REPOSITORY_NAME/harbor-exporter
exporter.image.digest	Harbor Exporter image image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
exporter.image.pullPolicy	Harbor exporter image pull policy	IfNotPresent
exporter.image.pullSecrets	Specify docker-registry secret names as an array	[]
exporter.image.debug	Specify if debug logs should be enabled	false
exporter.command	Override default container command (useful when using custom images)	[]
exporter.args	Override default container args (useful when using custom images)	[]
exporter.extraEnvVars	Array containing extra env vars	[]
exporter.extraEnvVarsCM	ConfigMap containing extra env vars	""
exporter.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	""
exporter.containerPorts.metrics	Harbor Exporter HTTP container port	8001
exporter.replicaCount	The replica count	1
exporter.livenessProbe.enabled	Enable livenessProbe	true
exporter.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	20
exporter.livenessProbe.periodSeconds	Period seconds for livenessProbe	10
exporter.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
exporter.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
exporter.livenessProbe.successThreshold	Success threshold for livenessProbe	1
exporter.readinessProbe.enabled	Enable readinessProbe	true
exporter.readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	20
exporter.readinessProbe.periodSeconds	Period seconds for readinessProbe	10
exporter.readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
exporter.readinessProbe.failureThreshold	Failure threshold for readinessProbe	6
exporter.readinessProbe.successThreshold	Success threshold for readinessProbe	1
exporter.startupProbe.enabled	Enable startupProbe on Harbor Exporter containers	false
exporter.startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	5
exporter.startupProbe.periodSeconds	Period seconds for startupProbe	10
exporter.startupProbe.timeoutSeconds	Timeout seconds for startupProbe	1
exporter.startupProbe.failureThreshold	Failure threshold for startupProbe	15
exporter.startupProbe.successThreshold	Success threshold for startupProbe	1
exporter.customLivenessProbe	Custom livenessProbe that overrides the default one	{}
exporter.customReadinessProbe	Custom readinessProbe that overrides the default one	{}
exporter.customStartupProbe	Custom startupProbe that overrides the default one	{}
exporter.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if exporter.resources is set (exporter.resources is recommended for production).	nano
exporter.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
exporter.podSecurityContext.enabled	Enabled Exporter pods’ Security Context	true
exporter.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
exporter.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
exporter.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
exporter.podSecurityContext.fsGroup	Set Exporter pod’s Security Context fsGroup	1001
exporter.containerSecurityContext.enabled	Enabled containers’ Security Context	true
exporter.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
exporter.containerSecurityContext.runAsUser	Set containers’ Security Context runAsUser	1001
exporter.containerSecurityContext.runAsGroup	Set containers’ Security Context runAsGroup	1001
exporter.containerSecurityContext.runAsNonRoot	Set container’s Security Context runAsNonRoot	true
exporter.containerSecurityContext.privileged	Set container’s Security Context privileged	false
exporter.containerSecurityContext.readOnlyRootFilesystem	Set container’s Security Context readOnlyRootFilesystem	true
exporter.containerSecurityContext.allowPrivilegeEscalation	Set container’s Security Context allowPrivilegeEscalation	false
exporter.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
exporter.containerSecurityContext.seccompProfile.type	Set container’s Security Context seccomp profile	RuntimeDefault
exporter.updateStrategy.type	The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn’t supported	RollingUpdate
exporter.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	{}
exporter.hostAliases	Exporter pods host aliases	[]
exporter.podLabels	Add additional labels to the pod (evaluated as a template)	{}
exporter.podAnnotations	Annotations to add to the exporter pod	{}
exporter.podAffinityPreset	Harbor Exporter Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
exporter.podAntiAffinityPreset	Harbor Exporter Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
exporter.nodeAffinityPreset.type	Harbor Exporter Node affinity preset type. Ignored if exporter.affinity is set. Allowed values: soft or hard	""
exporter.nodeAffinityPreset.key	Harbor Exporter Node label key to match Ignored if exporter.affinity is set.	""
exporter.nodeAffinityPreset.values	Harbor Exporter Node label values to match. Ignored if exporter.affinity is set.	[]
exporter.affinity	Harbor Exporter Affinity for pod assignment	{}
exporter.priorityClassName	Exporter pods Priority Class Name	""
exporter.schedulerName	Name of the k8s scheduler (other than default)	""
exporter.nodeSelector	Harbor Exporter Node labels for pod assignment	{}
exporter.tolerations	Harbor Exporter Tolerations for pod assignment	[]
exporter.topologySpreadConstraints	Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template	[]
exporter.initContainers	Add additional init containers to the pod (evaluated as a template)	[]
exporter.pdb.create	Enable/disable a Pod Disruption Budget creation	true
exporter.pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
exporter.pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable. Defaults to 1 if both exporter.pdb.minAvailable and exporter.pdb.maxUnavailable are empty.	""
exporter.extraVolumeMounts		[]
exporter.extraVolumes		[]
exporter.sidecars	Attach additional containers to the pod (evaluated as a template)	[]
exporter.automountServiceAccountToken	Mount Service Account token in pod	false
exporter.serviceAccount.create	Specifies whether a ServiceAccount should be created	false
exporter.serviceAccount.name	The name of the ServiceAccount to use.	""
exporter.serviceAccount.automountServiceAccountToken	Allows auto mount of ServiceAccountToken on the serviceAccount created	false
exporter.serviceAccount.annotations	Additional custom annotations for the ServiceAccount	{}
exporter.service.ports.metrics	Exporter HTTP service port	8001
exporter.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
exporter.networkPolicy.allowExternal	Don’t require server label for connections	true
exporter.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
exporter.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
exporter.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
exporter.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
exporter.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}

PostgreSQL Parameters

Name	Description	Value
postgresql.enabled	Switch to enable or disable the PostgreSQL helm chart	true
postgresql.auth.enablePostgresUser	Assign a password to the “postgres” admin user. Otherwise, remote access will be blocked for this user	true
postgresql.auth.postgresPassword	Password for the “postgres” admin user	not-secure-database-password
postgresql.auth.existingSecret	Name of existing secret to use for PostgreSQL credentials	""
postgresql.architecture	PostgreSQL architecture (standalone or replication)	standalone
postgresql.primary.extendedConfiguration	Extended PostgreSQL Primary configuration (appended to main or default configuration)	`max_connections = 1024
`
postgresql.primary.initdb.scripts	Initdb scripts to create Harbor databases	{}
postgresql.image.registry	PostgreSQL image registry	REGISTRY_NAME
postgresql.image.repository	PostgreSQL image repository	REPOSITORY_NAME/postgresql
postgresql.image.digest	PostgreSQL image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag	""
postgresql.primary.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).	nano
postgresql.primary.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
externalDatabase.host	Database host	localhost
externalDatabase.port	Database port number	5432
externalDatabase.user	Non-root username for Harbor	bn_harbor
externalDatabase.password	Password for the non-root username for Harbor	""
externalDatabase.sslmode	External database ssl mode	disable
externalDatabase.coreDatabase	External database name for core	""

Redis® parameters

Name	Description	Value
redis.enabled	Switch to enable or disable the Redis® helm	true
redis.auth.enabled	Enable password authentication	false
redis.auth.password	Redis® password	""
redis.auth.existingSecret	The name of an existing secret with Redis® credentials	""
redis.architecture	Redis® architecture. Allowed values: standalone or replication	standalone
redis.sentinel.enabled	Use Redis® Sentinel on Redis® pods.	false
redis.sentinel.masterSet	Master set name	mymaster
redis.sentinel.service.ports.sentinel	Redis® service port for Redis® Sentinel	26379
redis.master.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).	nano
redis.master.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
externalRedis.host	Redis® host	localhost
externalRedis.port	Redis® port number	6379
externalRedis.password	Redis® password	""
externalRedis.coreDatabaseIndex	Index for core database	0
externalRedis.jobserviceDatabaseIndex	Index for jobservice database	1
externalRedis.registryDatabaseIndex	Index for registry database	2
externalRedis.trivyAdapterDatabaseIndex	Index for trivy adapter database	5
externalRedis.sentinel.enabled	If external redis with sentinal is used, set it to true	false
externalRedis.sentinel.masterSet	Name of sentinel masterSet if sentinel is used	mymaster
externalRedis.sentinel.hosts	Sentinel hosts and ports in the format	""

Harbor metrics parameters

Name	Description	Value
metrics.enabled	Whether or not to enable metrics for different	false
metrics.path	Path where metrics are exposed	/metrics
metrics.serviceMonitor.enabled	if true, creates a Prometheus Operator ServiceMonitor (requires metrics.enabled to be true)	false
metrics.serviceMonitor.namespace	Namespace in which Prometheus is running	""
metrics.serviceMonitor.interval	Interval at which metrics should be scraped	""
metrics.serviceMonitor.scrapeTimeout	Timeout after which the scrape is ended	""
metrics.serviceMonitor.labels	Additional labels that can be used so ServiceMonitor will be discovered by Prometheus	{}
metrics.serviceMonitor.selector	Prometheus instance selector labels	{}
metrics.serviceMonitor.relabelings	RelabelConfigs to apply to samples before scraping	[]
metrics.serviceMonitor.metricRelabelings	MetricRelabelConfigs to apply to samples before ingestion	[]
metrics.serviceMonitor.honorLabels	Specify honorLabels parameter to add the scrape endpoint	false
metrics.serviceMonitor.jobLabel	The name of the label on the target service to use as the job name in prometheus.	""

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-release \
  --set adminPassword=password \
    oci://REGISTRY_NAME/REPOSITORY_NAME/harbor

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

The above command sets the Harbor administrator account password to password.

NOTE: Once this chart is deployed, it is not possible to change the application’s access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application’s built-in administrative tools if available.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/harbor

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

Troubleshooting

Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.

Upgrading

To 24.0.0

This major updates the PostgreSQL subchart to its newest major, 16.0.0, which uses PostgreSQL 17.x. Follow the official instructions to upgrade to 17.x.

To 23.0.0

This major updates the Redis® subchart to its newest major, 20.0.0. Here you can find more information about the changes introduced in that version.

To 22.0.0

This major version renames the following values:

• nginx.serviceAccountName was renamed as nginx.serviceAccount.name.
• portal.serviceAccountName was renamed as portal.serviceAccount.name.
• core.serviceAccountName was renamed as core.serviceAccount.name.
• jobservice.serviceAccountName was renamed as jobservice.serviceAccount.name.
• registry.serviceAccountName was renamed as registry.serviceAccount.name.
• trivy.serviceAccountName was renamed as trivy.serviceAccount.name.
• exporter.serviceAccountName was renamed as exporter.serviceAccount.name.

Additionally, this major version adds support for serviceAccount creation in the Helm chart.

To 21.0.0

This major bump changes the following security defaults:

• runAsGroup is changed from 0 to 1001
• readOnlyRootFilesystem is set to true
• resourcesPreset is changed from none to the minimum size working in our test suites (NOTE: resourcesPreset is not meant for production usage, but resources adapted to your use case).
• global.compatibility.openshift.adaptSecurityContext is changed from disabled to auto.

This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.

To 20.0.0

This major release bumps the PostgreSQL chart version to 14.x.x; no major issues are expected during the upgrade.

To 19.0.0

This major updates the PostgreSQL subchart to its newest major, 13.0.0. Here you can find more information about the changes introduced in that version.

To 18.0.0

This major deprecates harbor notary server and harbor notary signer components. These components were deprecated in Harbor 2.9.0, find more information in Harbor wiki.

To 17.0.0

This major updates the Redis® subchart to its newest major, 18.0.0. Here you can find more information about the changes introduced in that version.

NOTE: Due to an error in our release process, Redis®’ chart versions higher or equal than 17.15.4 already use Redis® 7.2 by default.

To 16.0.0

This major updates the PostgreSQL subchart to its newest major, 12.0.0. Here you can find more information about the changes introduced in that version.

To 15.0.0

This major update the Redis® subchart to its newest major, 17.0.0, which updates Redis® from its version 6.2 to the latest 7.0.

To 14.x.x

The new version of this chart is not longer sopported Clair, who was deprecated by Habor in the version 2.2.0

To 13.x.x

This major release updates the PostgreSQL subchart image to the newest 13.x version.

Upgrading Instructions

The upgrade process to 13.x.x from 12.x.x should be done by reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is harbor):

NOTE: Please, create a backup of your database before running any of these actions.

1. Select the namespace where Harbor is deployed:

HARBOR_NAMESPACE='default'

1. Obtain the credentials and the names of the PVCs used to hold the data on your current release:

HARBOR_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode)
POSTGRESQL_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
POSTGRESQL_PVC=$(kubectl get pvc --namespace "${HARBOR_NAMESPACE:?}" -l app.kubernetes.io/instance=harbor,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}")

1. Delete the PostgreSQL statefulset (notice the option --cascade=orphan) and secret:

kubectl delete statefulsets.apps --namespace "${HARBOR_NAMESPACE:?}" --cascade=orphan harbor-postgresql
kubectl delete secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql

1. Upgrade your release using the same PostgreSQL version:

CURRENT_PG_VERSION=$(kubectl exec --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0 -c harbor-postgresql -- bash -c 'printenv APP_VERSION')
helm --namespace "${HARBOR_NAMESPACE:?}" upgrade harbor bitnami/harbor \
  --set adminPassword="${HARBOR_PASSWORD:?}" \
  --set postgresql.image.tag="${CURRENT_PG_VERSION:?}" \
  --set postgresql.auth.postgresPassword="${POSTGRESQL_PASSWORD:?}" \
  --set postgresql.primary.persistence.existingClaim="${POSTGRESQL_PVC:?}"

1. Delete the existing PostgreSQL pods and the new statefulset will create a new one:

kubectl delete pod --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0

To 12.x.x

This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. Additionally updates the PostgreSQL & Redis subcharts to their newest major 11.x.x and 16.x.x, respectively, which contain similar changes.

• harborAdminPassword was renamed to adminPassword
• forcePassword was deprecated
• Traffic exposure was completely redesigned:
  • The new parameter exposureType allows deciding whether to expose Harbor using Ingress or an NGINX proxy
  • service.type doesn’t accept Ingress as a valid value anymore. To configure traffic exposure through Ingress, set exposureType to ingress
  • service.tls map has been renamed to nginx.tls
  • To configure TLS termination with Ingress, set the ingress.core.tls parameter
  • ingress map is completely redefined
• xxxImage parameters (e.g. nginxImage) have been renamed to xxx.image (e.g. nginx.image)
• xxx.replicas parameters (e.g. nginx.replicas) have been renamed to xxx.replicaCount (e.g. nginx.replicaCount)
• persistence.persistentVolumeClaim.xxx.accessMode parameters (e.g. persistence.persistentVolumeClaim.registry.accessMode) have been renamed to persistence.persistentVolumeClaim.xxx.accessModes (e.g. persistence.persistentVolumeClaim.registry.accessModes) and expect an array instead of a string
• caBundleSecretName was renamed to internalTLS.caBundleSecret
• persistence.imageChartStorage.caBundleSecretName was renamed to persistence.imageChartStorage.caBundleSecret
• core.uaaSecretName was renamed to core.uaaSecret

How to upgrade to version 12.0.0

To upgrade to 12.x.x from 11.x, it should be done reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is harbor):

NOTE: Please, create a backup of your database before running any of those actions.

1. Select the namespace where Harbor is deployed:

HARBOR_NAMESPACE='default'

1. Obtain the credentials and the names of the PVCs used to hold the data on your current release:

HARBOR_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode)
POSTGRESQL_PASSWORD=$(kubectl get secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
POSTGRESQL_PVC=$(kubectl get pvc --namespace "${HARBOR_NAMESPACE:?}" -l app.kubernetes.io/instance=harbor,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}")

1. Delete the PostgreSQL statefulset (notice the option --cascade=orphan) and secret:

kubectl delete statefulsets.apps --namespace "${HARBOR_NAMESPACE:?}" --cascade=orphan harbor-postgresql
kubectl delete secret --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql

1. Upgrade your release using the same PostgreSQL version:

CURRENT_PG_VERSION=$(kubectl exec --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0 -c harbor-postgresql -- bash -c 'printenv BITNAMI_IMAGE_VERSION')
helm --namespace "${HARBOR_NAMESPACE:?}" upgrade harbor bitnami/harbor \
  --set adminPassword="${HARBOR_PASSWORD:?}" \
  --set postgresql.image.tag="${CURRENT_PG_VERSION:?}" \
  --set postgresql.auth.postgresPassword="${POSTGRESQL_PASSWORD:?}" \
  --set postgresql.primary.persistence.existingClaim="${POSTGRESQL_PVC:?}"

1. Delete the existing PostgreSQL pods and the new statefulset will create a new one:

kubectl delete pod --namespace "${HARBOR_NAMESPACE:?}" harbor-postgresql-0

NOTE: the instructions above reuse the same PostgreSQL version you were using in your chart release. Otherwise, you will find an error such as the one below when upgrading since the new chart major version also bumps the application version. To workaround this issue you need to upgrade database, please refer to the official PostgreSQL documentation for more information about this.

$ kubectl --namespace "${HARBOR_NAMESPACE:?}" logs harbor-postgresql-0 --container harbor-postgresql
    ...
postgresql 08:10:14.72 INFO  ==> ** Starting PostgreSQL **
2022-02-01 08:10:14.734 GMT [1] FATAL:  database files are incompatible with server
2022-02-01 08:10:14.734 GMT [1] DETAIL:  The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 14.1.

To 11.0.0

This major update the Redis® subchart to its newest major, 15.0.0. Here you can find more info about the specific changes.

To 10.0.0

This major updates the Redis® subchart to it newest major, 14.0.0, which contains breaking changes. For more information on this subchart’s major and the steps needed to migrate your data from your previous release, please refer to Redis® upgrade notes..

To 9.7.0

This new version of the chart bumps the version of Harbor to 2.2.0 which deprecates built-in Clair. If you still want to use Clair, you will need to set clair.enabled to true and Clair scanner and the Harbor adapter will be deployed. Follow these steps to add it as an additional interrogation service for Harbor.

Please note that Clair might be fully deprecated from this chart in following updates.

To 9.0.0

On November 13, 2020, Helm v2 support was formally finished, this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.

• Previous versions of this Helm Chart use apiVersion: v1 (installable by both Helm 2 and 3), this Helm Chart was updated to apiVersion: v2 (installable by Helm 3 only). Here you can find more information about the apiVersion field.
• Move dependency information from the requirements.yaml to the Chart.yaml
• After running helm dependency update, a Chart.lock file is generated containing the same structure used in the previous requirements.lock
• The different fields present in the Chart.yaml file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart.
• This chart depends on the PostgreSQL 10 instead of PostgreSQL 9. Apart from the same changes that are described in this section, there are also other major changes due to the master/slave nomenclature was replaced by primary/readReplica. Here you can find more information about the changes introduced.

Considerations when upgrading to this version

• If you want to upgrade to this version using Helm v2, this scenario is not supported as this version does not support Helm v2 anymore.
• If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the official Helm documentation about migrating from Helm v2 to v3.

Useful links

• Bitnami Tutorial
• Helm docs
• Helm Blog

How to upgrade to version 9.0.0

To upgrade to 9.0.0 from 8.x, it should be done reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is harbor and the release namespace default):

NOTE: Please, create a backup of your database before running any of those actions.

1. Obtain the credentials and the names of the PVCs used to hold the data on your current release:

export HARBOR_PASSWORD=$(kubectl get secret --namespace default harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode)
export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default harbor-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=harbor,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}")

1. Delete the PostgreSQL statefulset (notice the option –cascade=false)

kubectl delete statefulsets.apps --cascade=false harbor-postgresql

1. Upgrade your release:

helm upgrade harbor bitnami/harbor \
  --set harborAdminPassword=$HARBOR_PASSWORD \
  --set postgresql.image.tag=$CURRENT_PG_VERSION \
  --set postgresql.postgresqlPassword$POSTGRESQL_PASSWORD \
  --set postgresql.persistence.existingClaim=$POSTGRESQL_PVC

1. Delete the existing PostgreSQL pods and the new statefulset will create a new one:

kubectl delete pod harbor-postgresql-0

License

Copyright © 2024 Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.