Home

Awesome

Helm Chart for Harbor

Notes: The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found here. And refer to the guide to upgrade the existing deployment.

This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on goharbor/harbor

Introduction

This Helm chart installs Harbor in a Kubernetes cluster. Welcome to contribute to Helm Chart for Harbor.

Prerequisites

Installation

Add Helm repository

helm repo add harbor https://helm.goharbor.io

Configure the chart

The following items can be set via --set flag during installation or configured by editing the values.yaml directly (need to download the chart first).

Configure how to expose Harbor service

Configure the external URL

The external URL for Harbor core service is used to:

  1. populate the docker/helm commands showed on portal
  2. populate the token service URL returned to docker client

Format: protocol://domain[:port]. Usually:

If Harbor is deployed behind the proxy, set it as the URL of proxy.

Configure how to persist data

Configure the other items listed in configuration section

Install the chart

Install the Harbor helm chart with a release name my-release:

helm install my-release harbor/harbor

Uninstallation

To uninstall/delete the my-release deployment:

helm uninstall my-release

Configuration

The following table lists the configurable parameters of the Harbor chart and the default values.

ParameterDescriptionDefault
Expose
expose.typeHow to expose the service: ingress, clusterIP, nodePort or loadBalancer, other values will be ignored and the creation of service will be skipped.ingress
expose.tls.enabledEnable TLS or not. Delete the ssl-redirect annotations in expose.ingress.annotations when TLS is disabled and expose.type is ingress. Note: if the expose.type is ingress and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details.true
expose.tls.certSourceThe source of the TLS certificate. Set as auto, secret or none and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this optionauto
expose.tls.auto.commonNameThe common name used to generate the certificate, it's necessary when the type isn't ingress
expose.tls.secret.secretNameThe name of secret which contains keys named: tls.crt - the certificate; tls.key - the private key
expose.ingress.hosts.coreThe host of Harbor core service in ingress rulecore.harbor.domain
expose.ingress.controllerThe ingress controller type. Currently supports default, gce, alb, f5-bigip and ncpdefault
expose.ingress.kubeVersionOverrideAllows the ability to override the kubernetes version used while templating the ingress
expose.ingress.annotationsThe annotations used commonly for ingresses
expose.ingress.labelsThe labels specific to ingress{}
expose.clusterIP.nameThe name of ClusterIP serviceharbor
expose.clusterIP.annotationsThe annotations attached to the ClusterIP service{}
expose.clusterIP.ports.httpPortThe service port Harbor listens on when serving HTTP80
expose.clusterIP.ports.httpsPortThe service port Harbor listens on when serving HTTPS443
expose.clusterIP.annotationsThe annotations used commonly for clusterIP
expose.clusterIP.labelsThe labels specific to clusterIP{}
expose.nodePort.nameThe name of NodePort serviceharbor
expose.nodePort.ports.http.portThe service port Harbor listens on when serving HTTP80
expose.nodePort.ports.http.nodePortThe node port Harbor listens on when serving HTTP30002
expose.nodePort.ports.https.portThe service port Harbor listens on when serving HTTPS443
expose.nodePort.ports.https.nodePortThe node port Harbor listens on when serving HTTPS30003
expose.nodePort.annotationsThe annotations used commonly for nodePort
expose.nodePort.labelsThe labels specific to nodePort{}
expose.loadBalancer.nameThe name of serviceharbor
expose.loadBalancer.IPThe IP of the loadBalancer. It only works when loadBalancer supports assigning IP""
expose.loadBalancer.ports.httpPortThe service port Harbor listens on when serving HTTP80
expose.loadBalancer.ports.httpsPortThe service port Harbor listens on when serving HTTPS30002
expose.loadBalancer.annotationsThe annotations attached to the loadBalancer service{}
expose.loadBalancer.labelsThe labels specific to loadBalancer{}
expose.loadBalancer.sourceRangesList of IP address ranges to assign to loadBalancerSourceRanges[]
Internal TLS
internalTLS.enabledEnable TLS for the components (core, jobservice, portal, registry, trivy)false
internalTLS.strong_ssl_ciphersEnable strong ssl ciphers for nginx and portalfalse
internalTLS.certSourceMethod to provide TLS for the components, options are auto, manual, secret.auto
internalTLS.trustCaThe content of trust CA, only available when certSource is manual. Note: all the internal certificates of the components must be issued by this CA
internalTLS.core.secretNameThe secret name for core component, only available when certSource is secret. The secret must contain keys named: ca.crt - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, tls.crt - the content of the TLS cert file, tls.key - the content of the TLS key file.
internalTLS.core.crtContent of core's TLS cert file, only available when certSource is manual
internalTLS.core.keyContent of core's TLS key file, only available when certSource is manual
internalTLS.jobservice.secretNameThe secret name for jobservice component, only available when certSource is secret. The secret must contain keys named: ca.crt - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, tls.crt - the content of the TLS cert file, tls.key - the content of the TLS key file.
internalTLS.jobservice.crtContent of jobservice's TLS cert file, only available when certSource is manual
internalTLS.jobservice.keyContent of jobservice's TLS key file, only available when certSource is manual
internalTLS.registry.secretNameThe secret name for registry component, only available when certSource is secret. The secret must contain keys named: ca.crt - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, tls.crt - the content of the TLS cert file, tls.key - the content of the TLS key file.
internalTLS.registry.crtContent of registry's TLS cert file, only available when certSource is manual
internalTLS.registry.keyContent of registry's TLS key file, only available when certSource is manual
internalTLS.portal.secretNameThe secret name for portal component, only available when certSource is secret. The secret must contain keys named: ca.crt - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, tls.crt - the content of the TLS cert file, tls.key - the content of the TLS key file.
internalTLS.portal.crtContent of portal's TLS cert file, only available when certSource is manual
internalTLS.portal.keyContent of portal's TLS key file, only available when certSource is manual
internalTLS.trivy.secretNameThe secret name for trivy component, only available when certSource is secret. The secret must contain keys named: ca.crt - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, tls.crt - the content of the TLS cert file, tls.key - the content of the TLS key file.
internalTLS.trivy.crtContent of trivy's TLS cert file, only available when certSource is manual
internalTLS.trivy.keyContent of trivy's TLS key file, only available when certSource is manual
IPFamily
ipFamily.ipv4.enabledif cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | true
ipFamily.ipv6.enabledif cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | true
Persistence
persistence.enabledEnable the data persistence or nottrue
persistence.resourcePolicySetting it to keep to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components.keep
persistence.persistentVolumeClaim.registry.existingClaimUse the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components
persistence.persistentVolumeClaim.registry.storageClassSpecify the storageClass used to provision the volume. Or the default StorageClass will be used (the default). Set it to - to disable dynamic provisioning
persistence.persistentVolumeClaim.registry.subPathThe sub path used in the volume
persistence.persistentVolumeClaim.registry.accessModeThe access mode of the volumeReadWriteOnce
persistence.persistentVolumeClaim.registry.sizeThe size of the volume5Gi
persistence.persistentVolumeClaim.registry.annotationsThe annotations of the volume
persistence.persistentVolumeClaim.jobservice.jobLog.existingClaimUse the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components.
persistence.persistentVolumeClaim.jobservice.jobLog.storageClassSpecify the storageClass used to provision the volume. Or the default StorageClass will be used (the default). Set it to - to disable dynamic provisioning
persistence.persistentVolumeClaim.jobservice.jobLog.subPathThe sub path used in the volume
persistence.persistentVolumeClaim.jobservice.jobLog.accessModeThe access mode of the volumeReadWriteOnce
persistence.persistentVolumeClaim.jobservice.jobLog.sizeThe size of the volume1Gi
persistence.persistentVolumeClaim.jobservice.jobLog.annotationsThe annotations of the volume
persistence.persistentVolumeClaim.database.existingClaimUse the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components. If external database is used, the setting will be ignored
persistence.persistentVolumeClaim.database.storageClassSpecify the storageClass used to provision the volume. Or the default StorageClass will be used (the default). Set it to - to disable dynamic provisioning. If external database is used, the setting will be ignored
persistence.persistentVolumeClaim.database.subPathThe sub path used in the volume. If external database is used, the setting will be ignored
persistence.persistentVolumeClaim.database.accessModeThe access mode of the volume. If external database is used, the setting will be ignoredReadWriteOnce
persistence.persistentVolumeClaim.database.sizeThe size of the volume. If external database is used, the setting will be ignored1Gi
persistence.persistentVolumeClaim.database.annotationsThe annotations of the volume
persistence.persistentVolumeClaim.redis.existingClaimUse the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components. If external Redis is used, the setting will be ignored
persistence.persistentVolumeClaim.redis.storageClassSpecify the storageClass used to provision the volume. Or the default StorageClass will be used (the default). Set it to - to disable dynamic provisioning. If external Redis is used, the setting will be ignored
persistence.persistentVolumeClaim.redis.subPathThe sub path used in the volume. If external Redis is used, the setting will be ignored
persistence.persistentVolumeClaim.redis.accessModeThe access mode of the volume. If external Redis is used, the setting will be ignoredReadWriteOnce
persistence.persistentVolumeClaim.redis.sizeThe size of the volume. If external Redis is used, the setting will be ignored1Gi
persistence.persistentVolumeClaim.redis.annotationsThe annotations of the volume
persistence.persistentVolumeClaim.trivy.existingClaimUse the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components
persistence.persistentVolumeClaim.trivy.storageClassSpecify the storageClass used to provision the volume. Or the default StorageClass will be used (the default). Set it to - to disable dynamic provisioning
persistence.persistentVolumeClaim.trivy.subPathThe sub path used in the volume
persistence.persistentVolumeClaim.trivy.accessModeThe access mode of the volumeReadWriteOnce
persistence.persistentVolumeClaim.trivy.sizeThe size of the volume1Gi
persistence.persistentVolumeClaim.trivy.annotationsThe annotations of the volume
persistence.imageChartStorage.disableredirectThe configuration for managing redirects from content backends. For backends which not supported it (such as using minio for s3 storage type), please set it to true to disable redirects. Refer to the guide for more detailsfalse
persistence.imageChartStorage.caBundleSecretNameSpecify the caBundleSecretName if the storage service uses a self-signed certificate. The secret must contain keys named ca.crt which will be injected into the trust store of registry's and containers.
persistence.imageChartStorage.typeThe type of storage for images and charts: filesystem, azure, gcs, s3, swift or oss. The type must be filesystem if you want to use persistent volumes for registry. Refer to the guide for more detailsfilesystem
persistence.imageChartStorage.gcs.existingSecretAn existing secret containing the gcs service account json key. The key must be gcs-key.json.""
persistence.imageChartStorage.gcs.useWorkloadIdentityA boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key serviceAccountName of each component, then allow automounting the service account.false
General
externalURLThe external URL for Harbor core servicehttps://core.harbor.domain
caBundleSecretNameThe custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components.
uaaSecretNameIf using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key ca.crt.
imagePullPolicyThe image pull policy
imagePullSecretsThe imagePullSecrets names for all deployments
updateStrategy.typeThe update strategy for deployments with persistent volumes(jobservice, registry): RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supportedRollingUpdate
logLevelThe log level: debug, info, warning, error or fatalinfo
harborAdminPasswordThe initial password of Harbor admin. Change it from portal after launching HarborHarbor12345
existingSecretAdminPasswordThe name of secret where admin password can be found.
existingSecretAdminPasswordKeyThe name of the key in the secret where to find harbor admin password HarborHARBOR_ADMIN_PASSWORD
caSecretNameThe name of the secret which contains key named ca.crt. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically
secretKeyThe key used for encryption. Must be a string of 16 charsnot-a-secure-key
existingSecretSecretKeyAn existing secret containing the encoding secretKey""
proxy.httpProxyThe URL of the HTTP proxy server
proxy.httpsProxyThe URL of the HTTPS proxy server
proxy.noProxyThe URLs that the proxy settings not apply to127.0.0.1,localhost,.local,.internal
proxy.componentsThe component list that the proxy settings apply tocore, jobservice, trivy
enableMigrateHelmHookRun the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-jobfalse
Nginx (if service exposed via ingress, Nginx will not be used)
nginx.image.repositoryImage repositorygoharbor/nginx-photon
nginx.image.tagImage tagdev
nginx.replicasThe replica count1
nginx.revisionHistoryLimitThe revision history limit10
nginx.resourcesThe resources to allocate for containerundefined
nginx.automountServiceAccountTokenMount serviceAccountToken?false
nginx.nodeSelectorNode labels for pod assignment{}
nginx.tolerationsTolerations for pod assignment[]
nginx.affinityNode/Pod affinities{}
nginx.topologySpreadConstraintsConstraints that define how Pods are spread across failure-domains like regions or availability zones[]
nginx.podAnnotationsAnnotations to add to the nginx pod{}
nginx.priorityClassNameThe priority class to run the pod as
Portal
portal.image.repositoryRepository for portal imagegoharbor/harbor-portal
portal.image.tagTag for portal imagedev
portal.replicasThe replica count1
portal.revisionHistoryLimitThe revision history limit10
portal.resourcesThe resources to allocate for containerundefined
portal.automountServiceAccountTokenMount serviceAccountToken?false
portal.nodeSelectorNode labels for pod assignment{}
portal.tolerationsTolerations for pod assignment[]
portal.affinityNode/Pod affinities{}
portal.topologySpreadConstraintsConstraints that define how Pods are spread across failure-domains like regions or availability zones[]
portal.podAnnotationsAnnotations to add to the portal pod{}
portal.serviceAnnotationsAnnotations to add to the portal service{}
portal.priorityClassNameThe priority class to run the pod as
portal.initContainersInit containers to be run before the controller's container starts.[]
Core
core.image.repositoryRepository for Harbor core imagegoharbor/harbor-core
core.image.tagTag for Harbor core imagedev
core.replicasThe replica count1
core.revisionHistoryLimitThe revision history limit10
core.startupProbe.initialDelaySecondsThe initial delay in seconds for the startup probe10
core.resourcesThe resources to allocate for containerundefined
core.automountServiceAccountTokenMount serviceAccountToken?false
core.nodeSelectorNode labels for pod assignment{}
core.tolerationsTolerations for pod assignment[]
core.affinityNode/Pod affinities{}
core.topologySpreadConstraintsConstraints that define how Pods are spread across failure-domains like regions or availability zones[]
core.podAnnotationsAnnotations to add to the core pod{}
core.serviceAnnotationsAnnotations to add to the core service{}
core.configureUserSettingsA JSON string to set in the environment variable CONFIG_OVERWRITE_JSON to configure user settings. See the official docs.
core.quotaUpdateProviderThe provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes.db
core.secretSecret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.
core.secretNameFill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: tls.crt - the certificate and tls.key - the private key. The default key pair will be used if it isn't set
core.tokenKeyPEM-formatted RSA private key used to sign service tokens. Only used if core.secretName is unset. If set, core.tokenCert MUST also be set.
core.tokenCertPEM-formatted certificate signed by core.tokenKey used to validate service tokens. Only used if core.secretName is unset. If set, core.tokenKey MUST also be set.
core.xsrfKeyThe XSRF key. Will be generated automatically if it isn't specified
core.priorityClassNameThe priority class to run the pod as
core.artifactPullAsyncFlushDurationThe time duration for async update artifact pull_time and repository pull_count
core.gdpr.deleteUserEnable GDPR compliant user deletefalse
core.gdpr.auditLogsCompliantEnable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the systemfalse
core.initContainersInit containers to be run before the controller's container starts.[]
Jobservice
jobservice.image.repositoryRepository for jobservice imagegoharbor/harbor-jobservice
jobservice.image.tagTag for jobservice imagedev
jobservice.replicasThe replica count1
jobservice.revisionHistoryLimitThe revision history limit10
jobservice.maxJobWorkersThe max job workers10
jobservice.jobLoggersThe loggers for jobs: file, database or stdout[file]
jobservice.loggerSweeperDurationThe jobLogger sweeper duration in days (ignored if jobLoggers is set to stdout)14
jobservice.notification.webhook_job_max_retryThe maximum retry of webhook sending notifications3
jobservice.notification.webhook_job_http_client_timeoutThe http client timeout value of webhook sending notifications3
jobservice.reaper.max_update_hoursthe max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 2424
jobservice.reaper.max_dangling_hoursthe max time for execution in running state without new task created168
jobservice.resourcesThe resources to allocate for containerundefined
jobservice.automountServiceAccountTokenMount serviceAccountToken?false
jobservice.nodeSelectorNode labels for pod assignment{}
jobservice.tolerationsTolerations for pod assignment[]
jobservice.affinityNode/Pod affinities{}
jobservice.topologySpreadConstraintsConstraints that define how Pods are spread across failure-domains like regions or availability zones[]
jobservice.podAnnotationsAnnotations to add to the jobservice pod{}
jobservice.priorityClassNameThe priority class to run the pod as
jobservice.secretSecret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.
jobservice.initContainersInit containers to be run before the controller's container starts.[]
Registry
registry.registry.image.repositoryRepository for registry imagegoharbor/registry-photon
registry.registry.image.tagTag for registry imagedev
registry.registry.resourcesThe resources to allocate for containerundefined
registry.controller.image.repositoryRepository for registry controller imagegoharbor/harbor-registryctl
registry.controller.image.tagTag for registry controller imagedev
registry.controller.resourcesThe resources to allocate for containerundefined
registry.replicasThe replica count1
registry.revisionHistoryLimitThe revision history limit10
registry.nodeSelectorNode labels for pod assignment{}
registry.automountServiceAccountTokenMount serviceAccountToken?false
registry.tolerationsTolerations for pod assignment[]
registry.affinityNode/Pod affinities{}
registry.topologySpreadConstraintsConstraints that define how Pods are spread across failure-domains like regions or availability zones[]
registry.middlewareMiddleware is used to add support for a CDN between backend storage and docker pull recipient. See official docs.
registry.podAnnotationsAnnotations to add to the registry pod{}
registry.priorityClassNameThe priority class to run the pod as
registry.secretSecret is used to secure the upload state from client and registry storage backend. See official docs. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.
registry.credentials.usernameThe username that harbor core uses internally to access the registry instance. Together with the registry.credentials.password, a htpasswd is created. This is an alternative to providing registry.credentials.htpasswdString. For more details see official docs.harbor_registry_user
registry.credentials.passwordThe password that harbor core uses internally to access the registry instance. Together with the registry.credentials.username, a htpasswd is created. This is an alternative to providing registry.credentials.htpasswdString. For more details see official docs. It is suggested you update this value before installation.harbor_registry_password
registry.credentials.existingSecretAn existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs. The key must be REGISTRY_PASSWD""
registry.credentials.htpasswdStringLogin and password in htpasswd string format. Excludes registry.credentials.username and registry.credentials.password. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the htpasswd function from helm, which generates different lines each time because of the salt.undefined
registry.relativeurlsIf true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxyfalse
registry.upload_purging.enabledIf true, enable purge _upload directoriestrue
registry.upload_purging.ageRemove files in _upload directories which exist for a period of time, default is one week.168h
registry.upload_purging.intervalThe interval of the purge operations24h
registry.upload_purging.dryrunIf true, enable dryrun for purging _upload, default falsefalse
registry.initContainersInit containers to be run before the controller's container starts.[]
Trivy
trivy.enabledThe flag to enable Trivy scannertrue
trivy.image.repositoryRepository for Trivy adapter imagegoharbor/trivy-adapter-photon
trivy.image.tagTag for Trivy adapter imagedev
trivy.resourcesThe resources to allocate for Trivy adapter container
trivy.automountServiceAccountTokenMount serviceAccountToken?false
trivy.replicasThe number of Pod replicas1
trivy.debugModeThe flag to enable Trivy debug modefalse
trivy.vulnTypeComma-separated list of vulnerability types. Possible values os and library.os,library
trivy.severityComma-separated list of severities to be checkedUNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy.ignoreUnfixedThe flag to display only fixed vulnerabilitiesfalse
trivy.insecureThe flag to skip verifying registry certificatefalse
trivy.skipUpdateThe flag to disable Trivy DB downloads from GitHubfalse
trivy.skipJavaDBUpdateIf the flag is enabled you have to manually download the trivy-java.db file Trivy Java DB and mount it in the /home/scanner/.cache/trivy/java-db/trivy-java.db pathfalse
trivy.offlineScanThe flag prevents Trivy from sending API requests to identify dependencies.false
trivy.securityCheckComma-separated list of what security issues to detect.vuln
trivy.timeoutThe duration to wait for scan completion5m0s
trivy.gitHubTokenThe GitHub access token to download Trivy DB (see GitHub rate limiting)
trivy.priorityClassNameThe priority class to run the pod as
trivy.topologySpreadConstraintsThe priority class to run the pod as
trivy.initContainersInit containers to be run before the controller's container starts.[]
Database
database.typeIf external database is used, set it to externalinternal
database.internal.image.repositoryRepository for database imagegoharbor/harbor-db
database.internal.image.tagTag for database imagedev
database.internal.passwordThe password for databasechangeit
database.internal.shmSizeLimitThe limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container512Mi
database.internal.resourcesThe resources to allocate for containerundefined
database.internal.automountServiceAccountTokenMount serviceAccountToken?false
database.internal.initContainer.migrator.resourcesThe resources to allocate for the database migrator initContainerundefined
database.internal.initContainer.permissions.resourcesThe resources to allocate for the database permissions initContainerundefined
database.internal.nodeSelectorNode labels for pod assignment{}
database.internal.tolerationsTolerations for pod assignment[]
database.internal.affinityNode/Pod affinities{}
database.internal.priorityClassNameThe priority class to run the pod as
database.internal.livenessProbe.timeoutSecondsThe timeout used in liveness probe; 1 to 5 seconds1
database.internal.readinessProbe.timeoutSecondsThe timeout used in readiness probe; 1 to 5 seconds1
database.internal.extrInitContainersExtra init containers to be run before the database's container starts.[]
database.external.hostThe hostname of external database192.168.0.1
database.external.portThe port of external database5432
database.external.usernameThe username of external databaseuser
database.external.passwordThe password of external databasepassword
database.external.coreDatabaseThe database used by core serviceregistry
database.external.existingSecretAn existing password containing the database password. the key must be password.""
database.external.sslmodeConnection method of external database (require, verify-full, verify-ca, disable)disable
database.maxIdleConnsThe maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.50
database.maxOpenConnsThe maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.100
database.podAnnotationsAnnotations to add to the database pod{}
Redis
redis.typeIf external redis is used, set it to externalinternal
redis.internal.image.repositoryRepository for redis imagegoharbor/redis-photon
redis.internal.image.tagTag for redis imagedev
redis.internal.resourcesThe resources to allocate for containerundefined
redis.internal.automountServiceAccountTokenMount serviceAccountToken?false
redis.internal.nodeSelectorNode labels for pod assignment{}
redis.internal.tolerationsTolerations for pod assignment[]
redis.internal.affinityNode/Pod affinities{}
redis.internal.priorityClassNameThe priority class to run the pod as
redis.internal.jobserviceDatabaseIndexThe database index for jobservice1
redis.internal.registryDatabaseIndexThe database index for registry2
redis.internal.trivyAdapterIndexThe database index for trivy adapter5
redis.internal.harborDatabaseIndexThe database index for harbor miscellaneous business logic0
redis.internal.cacheLayerDatabaseIndexThe database index for harbor cache layer0
redis.internal.initContainersInit containers to be run before the redis's container starts.[]
redis.external.addrThe addr of external Redis: <host_redis>:<port_redis>. When using sentinel, it should be <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>192.168.0.2:6379
redis.external.sentinelMasterSetThe name of the set of Redis instances to monitor
redis.external.coreDatabaseIndexThe database index for core0
redis.external.jobserviceDatabaseIndexThe database index for jobservice1
redis.external.registryDatabaseIndexThe database index for registry2
redis.external.trivyAdapterIndexThe database index for trivy adapter5
redis.external.harborDatabaseIndexThe database index for harbor miscellaneous business logic0
redis.external.cacheLayerDatabaseIndexThe database index for harbor cache layer0
redis.external.usernameThe username of external Redis
redis.external.passwordThe password of external Redis
redis.external.existingSecretUse an existing secret to connect to redis. The key must be REDIS_PASSWORD.""
redis.podAnnotationsAnnotations to add to the redis pod{}
Exporter
exporter.replicasThe replica count1
exporter.revisionHistoryLimitThe revision history limit10
exporter.podAnnotationsAnnotations to add to the exporter pod{}
exporter.image.repositoryRepository for redis imagegoharbor/harbor-exporter
exporter.image.tagTag for exporter imagedev
exporter.nodeSelectorNode labels for pod assignment{}
exporter.tolerationsTolerations for pod assignment[]
exporter.affinityNode/Pod affinities{}
exporter.topologySpreadConstraintsConstraints that define how Pods are spread across failure-domains like regions or availability zones[]
exporter.automountServiceAccountTokenMount serviceAccountToken?false
exporter.cacheDurationthe cache duration for information that exporter collected from Harbor30
exporter.cacheCleanIntervalcache clean interval for information that exporter collected from Harbor14400
exporter.priorityClassNameThe priority class to run the pod as
Metrics
metrics.enabledif enable harbor metricsfalse
metrics.core.paththe url path for core metrics/metrics
metrics.core.portthe port for core metrics8001
metrics.registry.paththe url path for registry metrics/metrics
metrics.registry.portthe port for registry metrics8001
metrics.exporter.paththe url path for exporter metrics/metrics
metrics.exporter.portthe port for exporter metrics8001
metrics.serviceMonitor.enabledcreate prometheus serviceMonitor. Requires prometheus CRD'sfalse
metrics.serviceMonitor.additionalLabelsadditional labels to upsert to the manifest""
metrics.serviceMonitor.intervalscrape period for harbor metrics""
metrics.serviceMonitor.metricRelabelingsmetrics relabel to add/mod/del before ingestion[]
metrics.serviceMonitor.relabelingsrelabels to add/mod/del to sample before scrape[]
Trace
trace.enabledEnable tracing or notfalse
trace.providerThe tracing provider: jaeger or otel. jaeger should be 1.26+jaeger
trace.sample_rateSet sample_rate to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth1
trace.namespaceNamespace used to differentiate different harbor services
trace.attributesattributes is a key value dict contains user defined attributes used to initialize trace provider
trace.jaeger.endpointThe endpoint of jaegerhttp://hostname:14268/api/traces
trace.jaeger.usernameThe username of jaeger
trace.jaeger.passwordThe password of jaeger
trace.jaeger.agent_hostThe agent host of jaeger
trace.jaeger.agent_portThe agent port of jaeger6831
trace.otel.endpointThe endpoint of otelhostname:4318
trace.otel.url_pathThe URL path of otel/v1/traces
trace.otel.compressionWhether enable compression or not for otelfalse
trace.otel.insecureWhether establish insecure connection or not for oteltrue
trace.otel.timeoutThe timeout in seconds of otel10
Cache
cache.enabledEnable cache layer or notfalse
cache.expireHoursThe expire hours of cache layer24