harbor

Helm chart
Default values

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common Parameters

## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template with a string
##
fullnameOverride: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param kubeVersion Override Kubernetes version reported by .Capabilities
##
kubeVersion: ""
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template).
##
extraDeploy: []
## Diagnostic mode
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
## @param diagnosticMode.command Command to override all containers in the chart release
## @param diagnosticMode.args Args to override all containers in the chart release
##
diagnosticMode:
  enabled: false
  command:
    - sleep
  args:
    - infinity
## @section Harbor common parameters

## @param adminPassword The initial password of Harbor admin. Change it from portal after launching Harbor
##
adminPassword: ""
## @param existingSecret Name of existing Secret containing the Harbor admin password
##
existingSecret: ""
## @param existingSecretAdminPasswordKey Name of the key inside the existing secret containing the Harbor admin password (HARBOR_ADMIN_PASSWORD as default if not provided)
##
existingSecretAdminPasswordKey: ""
## @param externalURL The external URL for Harbor Core service
## It is used to
## 1) populate the docker/helm commands shown on portal
## 2) populate the token service URL returned to docker client
##
## Format: protocol://domain[:port]. Usually:
## 1) if "exposureType" is "ingress", the "domain" should be
##    the value of "ingress.hostname"
## 2) if "exposureType" is "proxy" and "service.type" is "ClusterIP",
##    the "domain" should be the value of "service.clusterIP"
## 3) if "exposureType" is "proxy" and "service.type" is "NodePort",
##    the "domain" should be the IP address of k8s node
## 4) if "exposureType" is "proxy" and "service.type" is "LoadBalancer",
##    the "domain" should be the LoadBalancer IP
##
externalURL: https://core.harbor.domain
## Note: If Harbor is exposed via Ingress, the NGINX server will not be used
## @param proxy.httpProxy The URL of the HTTP proxy server
## @param proxy.httpsProxy The URL of the HTTPS proxy server
## @param proxy.noProxy The URLs that the proxy settings do not apply to
## @param proxy.components The component list that the proxy settings apply to
##
proxy:
  httpProxy: ""
  httpsProxy: ""
  noProxy: 127.0.0.1,localhost,.local,.internal
  components:
    - core
    - jobservice
    - trivy
## @param logLevel The log level used for Harbor services. Allowed values are [ fatal \| error \| warn \| info \| debug \| trace ]
##
logLevel: debug
## TLS settings
## Note: TLS cert files need to be provided in each component in advance.
##
internalTLS:
  ## @param internalTLS.enabled Use TLS in all the supported containers: core, jobservice, portal, registry and trivy
  ##
  enabled: false
  ## @param internalTLS.caBundleSecret Name of an existing secret with a custom CA that will be injected into the trust store for core, jobservice, registry, trivy components
  ## The secret must contain the key "ca.crt"
  ##
  caBundleSecret: ""
## IP family parameters
##
ipFamily:
  ## @param ipFamily.ipv6.enabled Enable listening on IPv6 ([::]) for NGINX-based components (NGINX,portal)
  ## Note: enabling IPv6 will cause NGINX to crash on start on systems with IPv6 disabled (`ipv6.disable` kernel flag)
  ##
  ipv6:
    enabled: true
  ## @param ipFamily.ipv4.enabled Enable listening on IPv4 for NGINX-based components (NGINX,portal)
  ##
  ipv4:
    enabled: true
## Cache layer configurations
## @param cache.enabled Enable caching manifests in Redis for better performance on high concurrent pulling
## @param cache.expireHours The time (in hours) to keep the cache
##
cache:
  enabled: false
  expireHours: 24
## Database common configuration
## @param database.maxIdleConns The maximum number of connections in the idle connection pool per component
## @param database.maxOpenConns The maximum number of open connections to the database per component
##
database:
  maxIdleConns: 100
  maxOpenConns: 900
## @section Traffic Exposure Parameters

## @param exposureType The way to expose Harbor. Allowed values are [ ingress \| proxy \| none ]
## Use "proxy" to deploy NGINX proxy in front of Harbor services
## Use "ingress" to use an Ingress Controller as proxy
## Use "none" to bring your own ingress
##
exposureType: proxy
## Service parameters
##
service:
  ## @param service.type NGINX proxy service type
  ##
  type: LoadBalancer
  ## @param service.ports.http NGINX proxy service HTTP port
  ## @param service.ports.https NGINX proxy service HTTPS port
  ##
  ports:
    http: 80
    https: 443
  ## Node ports to expose
  ## @param service.nodePorts.http Node port for HTTP
  ## @param service.nodePorts.https Node port for HTTPS
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    http: ""
    https: ""
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.clusterIP NGINX proxy service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP NGINX proxy service Load Balancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges NGINX proxy service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy NGINX proxy service external traffic policy
  ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for NGINX proxy service
  ##
  annotations: {}
  ## @param service.extraPorts Extra port to expose on NGINX proxy service
  ##
  extraPorts: []
ingress:
  ## Configure the ingress resource that allows you to access Harbor Core
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  core:
    ## @param ingress.core.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param ingress.core.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param ingress.core.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param ingress.core.controller The ingress controller type. Currently supports `default`, `gce` and `ncp`
    ## leave as `default` for most ingress controllers.
    ## set to `gce` if using the GCE ingress controller
    ## set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
    ##
    controller: default
    ## @param ingress.core.hostname Default host for the ingress record
    ##
    hostname: core.harbor.domain
    ## @param ingress.core.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    ## @param ingress.core.tls Enable TLS configuration for the host defined at `ingress.core.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.core.hostname }}`
    ## You can:
    ##   - Use the `ingress.core.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingress.core.selfSigned=true`
    ##
    tls: false
    ## @param ingress.core.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param ingress.core.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: core.harbor.domain
    ##     path: /
    ##
    extraHosts: []
    ## @param ingress.core.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ##   - path: /*
    ##     backend:
    ##       serviceName: ssl-redirect
    ##       servicePort: use-annotation
    ##
    extraPaths: []
    ## @param ingress.core.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ##   - hosts:
    ##       - core.harbor.domain
    ##     secretName: core.harbor.domain-tls
    ##
    extraTls: []
    ## @param ingress.core.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: core.harbor.domain-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param ingress.core.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ##   - host: example.local
    ##     http:
    ##       path: /
    ##       backend:
    ##         service:
    ##           name: example-svc
    ##           port:
    ##             name: http
    ##
    extraRules: []
##
## @section Persistence Parameters
##

## The persistence is enabled by default and a default StorageClass
## is needed in the k8s cluster to provision volumes dynamically.
## Specify another StorageClass in the "storageClass" or set "existingClaim"
## if you have already existing persistent volumes to use
##
## For storing images and charts, you can also use "azure", "gcs", "s3",
## "swift" or "oss". Set it in the "imageChartStorage" section
##
persistence:
  ## @param persistence.enabled Enable the data persistence or not
  ##
  enabled: true
  ## Resource Policy
  ## @param persistence.resourcePolicy Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted
  ##
  resourcePolicy: "keep"
  persistentVolumeClaim:
    ## @param persistence.persistentVolumeClaim.registry.existingClaim Name of an existing PVC to use
    ## @param persistence.persistentVolumeClaim.registry.storageClass PVC Storage Class for Harbor Registry data volume
    ## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
    ## @param persistence.persistentVolumeClaim.registry.subPath The sub path used in the volume
    ## @param persistence.persistentVolumeClaim.registry.accessModes The access mode of the volume
    ## @param persistence.persistentVolumeClaim.registry.size The size of the volume
    ## @param persistence.persistentVolumeClaim.registry.annotations Annotations for the PVC
    ## @param persistence.persistentVolumeClaim.registry.selector Selector to match an existing Persistent Volume
    ##
    registry:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessModes:
        - ReadWriteOnce
      size: 5Gi
      annotations: {}
      selector: {}
    ## @param persistence.persistentVolumeClaim.jobservice.existingClaim Name of an existing PVC to use
    ## @param persistence.persistentVolumeClaim.jobservice.storageClass PVC Storage Class for Harbor Jobservice data volume
    ## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
    ## @param persistence.persistentVolumeClaim.jobservice.subPath The sub path used in the volume
    ## @param persistence.persistentVolumeClaim.jobservice.accessModes The access mode of the volume
    ## @param persistence.persistentVolumeClaim.jobservice.size The size of the volume
    ## @param persistence.persistentVolumeClaim.jobservice.annotations Annotations for the PVC
    ## @param persistence.persistentVolumeClaim.jobservice.selector Selector to match an existing Persistent Volume
    ##
    jobservice:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessModes:
        - ReadWriteOnce
      size: 1Gi
      annotations: {}
      selector: {}
    ## @param persistence.persistentVolumeClaim.trivy.storageClass PVC Storage Class for Trivy data volume
    ## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
    ## @param persistence.persistentVolumeClaim.trivy.accessModes The access mode of the volume
    ## @param persistence.persistentVolumeClaim.trivy.size The size of the volume
    ## @param persistence.persistentVolumeClaim.trivy.annotations Annotations for the PVC
    ## @param persistence.persistentVolumeClaim.trivy.selector Selector to match an existing Persistent Volume
    ##
    trivy:
      storageClass: ""
      accessModes:
        - ReadWriteOnce
      size: 5Gi
      annotations: {}
      selector: {}
  ## Define which storage backend is used for registry to store
  ## images and charts.
  ## ref: https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  ##
  imageChartStorage:
    ## @param persistence.imageChartStorage.caBundleSecret Specify the `caBundleSecret` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's containers.
    ##
    caBundleSecret: ""
    ## @param persistence.imageChartStorage.disableredirect The configuration for managing redirects from content backends. For backends which do not support it (such as using MinIO® for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail
    ##
    disableredirect: false
    ## @param persistence.imageChartStorage.type The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail
    ##
    type: filesystem
    ## Images/charts storage parameters when type is "filesystem"
    ## @param persistence.imageChartStorage.filesystem.rootdirectory Filesystem storage type setting: Storage root directory
    ## @param persistence.imageChartStorage.filesystem.maxthreads Filesystem storage type setting: Maximum threads directory
    ##
    filesystem:
      rootdirectory: /storage
      maxthreads: ""
    ## Images/charts storage parameters when type is "azure"
    ## @param persistence.imageChartStorage.azure.accountname Azure storage type setting: Name of the Azure account
    ## @param persistence.imageChartStorage.azure.accountkey Azure storage type setting: Key of the Azure account
    ## @param persistence.imageChartStorage.azure.container Azure storage type setting: Container
    ## @param persistence.imageChartStorage.azure.storagePrefix Azure storage type setting: Storage prefix
    ## @param persistence.imageChartStorage.azure.realm Azure storage type setting: Realm of the Azure account
    ##
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      storagePrefix: /azure/harbor/charts
      ## Example realm
      ## realm: core.windows.net
      ##
      realm: ""
    ## Images/charts storage parameters when type is "gcs"
    ## @param persistence.imageChartStorage.gcs.bucket GCS storage type setting: Bucket name
    ## @param persistence.imageChartStorage.gcs.encodedkey GCS storage type setting: Base64 encoded key
    ## @param persistence.imageChartStorage.gcs.rootdirectory GCS storage type setting: Root directory name
    ## @param persistence.imageChartStorage.gcs.chunksize GCS storage type setting: Chunk size name
    ##
    gcs:
      bucket: bucketname
      ## The base64 encoded json file which contains the gcs key (file's content)
      ##
      encodedkey: ""
      rootdirectory: ""
      chunksize: ""
    ## Images/charts storage parameters when type is "s3"
    ## ref: https://docs.docker.com/registry/storage-drivers/s3/
    ## @param persistence.imageChartStorage.s3.region S3 storage type setting: Region
    ## @param persistence.imageChartStorage.s3.bucket S3 storage type setting: Bucket name
    ## @param persistence.imageChartStorage.s3.accesskey S3 storage type setting: Access key name
    ## @param persistence.imageChartStorage.s3.secretkey S3 storage type setting: Secret Key name
    ## @param persistence.imageChartStorage.s3.regionendpoint S3 storage type setting: Region Endpoint
    ## @param persistence.imageChartStorage.s3.encrypt S3 storage type setting: Encrypt
    ## @param persistence.imageChartStorage.s3.keyid S3 storage type setting: Key ID
    ## @param persistence.imageChartStorage.s3.secure S3 storage type setting: Secure
    ## @param persistence.imageChartStorage.s3.skipverify S3 storage type setting: TLS skip verification
    ## @param persistence.imageChartStorage.s3.v4auth S3 storage type setting: V4 authorization
    ## @param persistence.imageChartStorage.s3.chunksize S3 storage type setting: V4 authorization
    ## @param persistence.imageChartStorage.s3.rootdirectory S3 storage type setting: Root directory name
    ## @param persistence.imageChartStorage.s3.storageClass S3 storage type setting: Storage class
    ## @param persistence.imageChartStorage.s3.sse S3 storage type setting: SSE name
    ## @param persistence.imageChartStorage.s3.multipartcopychunksize S3 storage type setting: Chunk size for multipart copy
    ## @param persistence.imageChartStorage.s3.multipartcopymaxconcurrency S3 storage type setting: Maximum concurrency for multipart copy
    ## @param persistence.imageChartStorage.s3.multipartcopythresholdsize S3 storage type setting: Threshold size for multipart copy
    ##
    s3:
      region: us-west-1
      bucket: bucketname
      accesskey: ""
      secretkey: ""
      regionendpoint: ""
      encrypt: ""
      keyid: ""
      secure: ""
      skipverify: ""
      v4auth: ""
      chunksize: ""
      rootdirectory: ""
      storageClass: ""
      sse: ""
      multipartcopychunksize: ""
      multipartcopymaxconcurrency: ""
      multipartcopythresholdsize: ""
    ## Images/charts storage parameters when type is "swift"
    ## @param persistence.imageChartStorage.swift.authurl Swift storage type setting: Authentication url
    ## @param persistence.imageChartStorage.swift.username Swift storage type setting: Authentication url
    ## @param persistence.imageChartStorage.swift.password Swift storage type setting: Password
    ## @param persistence.imageChartStorage.swift.container Swift storage type setting: Container
    ## @param persistence.imageChartStorage.swift.region Swift storage type setting: Region
    ## @param persistence.imageChartStorage.swift.tenant Swift storage type setting: Tenant
    ## @param persistence.imageChartStorage.swift.tenantid Swift storage type setting: TenantID
    ## @param persistence.imageChartStorage.swift.domain Swift storage type setting: Domain
    ## @param persistence.imageChartStorage.swift.domainid Swift storage type setting: DomainID
    ## @param persistence.imageChartStorage.swift.trustid Swift storage type setting: TrustID
    ## @param persistence.imageChartStorage.swift.insecureskipverify Swift storage type setting: Verification
    ## @param persistence.imageChartStorage.swift.chunksize Swift storage type setting: Chunk
    ## @param persistence.imageChartStorage.swift.prefix Swift storage type setting: Prefix
    ## @param persistence.imageChartStorage.swift.secretkey Swift storage type setting: Secret Key
    ## @param persistence.imageChartStorage.swift.accesskey Swift storage type setting: Access Key
    ## @param persistence.imageChartStorage.swift.authversion Swift storage type setting: Auth
    ## @param persistence.imageChartStorage.swift.endpointtype Swift storage type setting: Endpoint
    ## @param persistence.imageChartStorage.swift.tempurlcontainerkey Swift storage type setting: Temp URL container key
    ## @param persistence.imageChartStorage.swift.tempurlmethods Swift storage type setting: Temp URL methods
    ##
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: ""
      password: ""
      container: ""
      region: ""
      tenant: ""
      tenantid: ""
      domain: ""
      domainid: ""
      trustid: ""
      insecureskipverify: ""
      chunksize: ""
      prefix: ""
      secretkey: ""
      accesskey: ""
      authversion: ""
      endpointtype: ""
      tempurlcontainerkey: ""
      tempurlmethods: ""
    ## Images/charts storage parameters when type is "oss"
    ## @param persistence.imageChartStorage.oss.accesskeyid OSS storage type setting: Access key ID
    ## @param persistence.imageChartStorage.oss.accesskeysecret OSS storage type setting: Access key secret name containing the token
    ## @param persistence.imageChartStorage.oss.region OSS storage type setting: Region name
    ## @param persistence.imageChartStorage.oss.bucket OSS storage type setting: Bucket name
    ## @param persistence.imageChartStorage.oss.endpoint OSS storage type setting: Endpoint
    ## @param persistence.imageChartStorage.oss.internal OSS storage type setting: Internal
    ## @param persistence.imageChartStorage.oss.encrypt OSS storage type setting: Encrypt
    ## @param persistence.imageChartStorage.oss.secure OSS storage type setting: Secure
    ## @param persistence.imageChartStorage.oss.chunksize OSS storage type setting: Chunk
    ## @param persistence.imageChartStorage.oss.rootdirectory OSS storage type setting: Directory
    ## @param persistence.imageChartStorage.oss.secretkey OSS storage type setting: Secret key
    ##
    oss:
      accesskeyid: ""
      accesskeysecret: ""
      region: ""
      bucket: ""
      endpoint: ""
      internal: ""
      encrypt: ""
      secure: ""
      chunksize: ""
      rootdirectory: ""
      secretkey: ""
## @section Migration job parameters
##
migration:
  ## @param migration.enabled Enable migration job
  ##
  enabled: false
  ## @param migration.podLabels Additional pod labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param migration.podAnnotations Additional pod annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param migration.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param migration.hostAliases Migration job host aliases
  ##
  hostAliases: []
  ## @param migration.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param migration.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param migration.annotations [object] Provide any additional annotations which may be required.
  ## This can be used to set the LoadBalancer service type to internal only.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  ##
  annotations:
    helm.sh/hook: pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  ## Pod security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param migration.podSecurityContext.enabled Enabled Jaeger pods' Security Context
  ## @param migration.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param migration.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param migration.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param migration.podSecurityContext.fsGroup Set Jaeger pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param migration.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param migration.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param migration.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param migration.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param migration.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param migration.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param migration.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param migration.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param migration.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param migration.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param migration.extraEnvVars Extra environment variables to be set on jaeger migration container
  ## For example:
  ##  - name: FOO
  ##    value: BAR
  ##
  extraEnvVars: []
  ## @param migration.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
  ##
  extraEnvVarsCM: ""
  ## @param migration.extraEnvVarsSecret Name of existing Secret containing extra env vars
  ##
  extraEnvVarsSecret: ""
  ## @param migration.extraVolumeMounts Optionally specify extra list of additional volumeMounts for jaeger container
  ##
  extraVolumeMounts: []
  ## Jaeger pods' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## Minimum memory for development is 4GB and 2 CPU cores
  ## Minimum memory for production is 8GB and 4 CPU cores
  ## ref: http://docs.datastax.com/en/archived/jaeger/2.0/jaeger/architecture/architecturePlanningHardware_c.html
  ##
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param migration.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if migration.resources is set (migration.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param migration.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
668
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param migration.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param migration.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param migration.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param migration.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param migration.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
  ## @param migration.extraVolumes Optionally specify extra list of additional volumes for jaeger container
  ##
  extraVolumes: []
## @section Tracing parameters
##

## Tracing parameters:
## tracing: Configure tracing for Harbor, only one of tracing.jaeger.enabled and tracing.otel.enabled should be set
##
tracing:
  ## @param tracing.enabled Enable tracing
  ##
  enabled: false
  ## @param tracing.sampleRate Tracing sample rate from 0 to 1
  ##
  sampleRate: 1
  ## @param tracing.namespace Used to differentiate traces between different harbor services
  ##
  namespace: ""
  ## @param tracing.attributes A key value dict containing user defined attributes used to initialize the trace provider
  ## e.g:
  ## attributes:
  ##   application: harbor
  ##
  attributes: {}
  ## @extra tracing.jaeger Configuration for exporting to jaeger. If using jaeger collector mode, use endpoint, username and password. If using jaeger agent mode, use agentHostname and agentPort.
  ## e.g:
  ## jaeger:
  ##   enabled: true
  ##   endpoint: http://hostname:14268/api/traces
  ##   username: "jaeger-username"
  ##   password: "jaeger-password"
  ## @param tracing.jaeger.enabled Enable jaeger export
  ## @param tracing.jaeger.endpoint Jaeger endpoint
  ## @param tracing.jaeger.username Jaeger username
  ## @param tracing.jaeger.password Jaeger password
  ## @param tracing.jaeger.agentHost Jaeger agent hostname
  ## @param tracing.jaeger.agentPort Jaeger agent port
  ##
  jaeger:
    enabled: false
    endpoint: ""
    username: ""
    password: ""
    agentHost: ""
    agentPort: ""
  ## @extra tracing.otel Configuration for exporting to an otel endpoint
  ## @param tracing.otel.enabled Enable otel export
  ## @param tracing.otel.endpoint The hostname and port for an otel compatible backend
  ## @param tracing.otel.urlpath Url path of otel endpoint
  ## @param tracing.otel.compression Enable data compression
  ## @param tracing.otel.timeout The timeout for data transfer
  ## @param tracing.otel.insecure Ignore cert verification for otel backend
  ##
  otel:
    enabled: false
    endpoint: "hostname:4318"
    urlpath: "/v1/traces"
    compression: false
    timeout: 10s
    insecure: true
## @section Volume Permissions parameters
##

## Init containers parameters:
## certificateVolume: Copy /etc/ssl/certs to a volume so that they can be updated when a read-only volume is in use.
##
certificateVolume:
  ## Init container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param certificateVolume.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if certificateVolume.resources is set (certificateVolume.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param certificateVolume.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
  ##
  enabled: false
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
  ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
  ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Init container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Init container's Security Context
  ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
  ## and not the below volumePermissions.containerSecurityContext.runAsUser
  ## @param volumePermissions.containerSecurityContext.enabled Enable init container Security Context
  ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 0
## @section NGINX Parameters
##
nginx:
  ## Iamguarded NGINX image
  ## @param nginx.image.registry [default: REGISTRY_NAME] NGINX image registry
  ## @param nginx.image.repository [default: REPOSITORY_NAME/nginx] NGINX image repository
  ## @skip nginx.image.tag NGINX image tag (immutable tags are recommended)
  ## @param nginx.image.digest NGINX image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param nginx.image.pullPolicy NGINX image pull policy
  ## @param nginx.image.pullSecrets NGINX image pull secrets
  ## @param nginx.image.debug Enable NGINX image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/nginx-iamguarded
    tag: 1.29.5
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## TLS parameters
  ##
  tls:
    ## @param nginx.tls.enabled Enable TLS termination
    ##
    enabled: true
    ## @param nginx.tls.existingSecret Existing secret name containing your own TLS certificates.
    ## The secret must contain the keys:
    ## `tls.crt` - the certificate (required),
    ## `tls.key` - the private key (required),
    ## `ca.crt` - CA certificate (optional)
    ## Self-signed TLS certificates will be used otherwise.
    ##
    existingSecret: ""
    ## @param nginx.tls.commonName The common name used to generate the self-signed TLS certificates
    ##
    commonName: core.harbor.domain
  ## @param nginx.behindReverseProxy If NGINX is behind another reverse proxy, set to true
  ## if the reverse proxy already provides the 'X-Forwarded-Proto' header field.
  ## This is, for example, the case for the OpenShift HAProxy router.
  ##
  behindReverseProxy: false
  ## @param nginx.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param nginx.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param nginx.extraEnvVars Array with extra environment variables to add to NGINX pods
  ##
  extraEnvVars: []
  ## @param nginx.extraEnvVarsCM ConfigMap containing extra environment variables for NGINX pods
  ##
  extraEnvVarsCM: ""
  ## @param nginx.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for NGINX pods
  ##
  extraEnvVarsSecret: ""
  ## @param nginx.containerPorts.http NGINX HTTP container port
  ## @param nginx.containerPorts.https NGINX HTTPS container port
  ##
  containerPorts:
    http: 8080
    https: 8443
  ## @param nginx.replicaCount Number of NGINX replicas
  ##
  replicaCount: 1
  ## Configure extra options for NGINX containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param nginx.livenessProbe.enabled Enable livenessProbe on NGINX containers
  ## @param nginx.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param nginx.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param nginx.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param nginx.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param nginx.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param nginx.readinessProbe.enabled Enable readinessProbe on NGINX containers
  ## @param nginx.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param nginx.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param nginx.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param nginx.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param nginx.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param nginx.startupProbe.enabled Enable startupProbe on NGINX containers
  ## @param nginx.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param nginx.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param nginx.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param nginx.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param nginx.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param nginx.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param nginx.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param nginx.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## NGINX resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param nginx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if nginx.resources is set (nginx.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param nginx.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure NGINX pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param nginx.podSecurityContext.enabled Enabled NGINX pods' Security Context
  ## @param nginx.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param nginx.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param nginx.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param nginx.podSecurityContext.fsGroup Set NGINX pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure NGINX containers (only main one) Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param nginx.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param nginx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param nginx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param nginx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param nginx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param nginx.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param nginx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param nginx.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param nginx.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param nginx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param nginx.updateStrategy.type NGINX deployment strategy type - only really applicable for deployments with RWO PVs attached
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param nginx.lifecycleHooks LifecycleHook for the NGINX container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param nginx.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## Harbor Nginx ServiceAccount configuration
  ##
  serviceAccount:
    ## @param nginx.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: false
    ## @param nginx.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param nginx.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ##
    automountServiceAccountToken: false
    ## @param nginx.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## @param nginx.hostAliases NGINX pods host aliases
  ##
  hostAliases: []
  ## @param nginx.podLabels Add additional labels to the NGINX pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param nginx.podAnnotations Annotations to add to the NGINX pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param nginx.podAffinityPreset NGINX Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param nginx.podAntiAffinityPreset NGINX Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ## Allowed values: soft, hard
  ##
  nodeAffinityPreset:
    ## @param nginx.nodeAffinityPreset.type NGINX Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param nginx.nodeAffinityPreset.key NGINX Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param nginx.nodeAffinityPreset.values NGINX Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param nginx.affinity NGINX Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param nginx.nodeSelector NGINX Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param nginx.tolerations NGINX Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param nginx.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param nginx.priorityClassName Priority Class Name
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param nginx.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param nginx.sidecars Add additional sidecar containers to the NGINX pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param nginx.initContainers Add additional init containers to the NGINX pods
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param nginx.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param nginx.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param nginx.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `nginx.pdb.minAvailable` and `nginx.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param nginx.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the NGINX pods
  ##
  extraVolumeMounts: []
  ## @param nginx.extraVolumes Optionally specify extra list of additional volumes for the NGINX pods
  ##
  extraVolumes: []
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param nginx.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param nginx.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param nginx.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param nginx.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param nginx.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param nginx.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param nginx.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section Harbor Portal Parameters
##
portal:
  ## Iamguarded Harbor Portal image
  ## @param portal.image.registry [default: REGISTRY_NAME] Harbor Portal image registry
  ## @param portal.image.repository [default: REPOSITORY_NAME/harbor-portal] Harbor Portal image repository
  ## @skip portal.image.tag Harbor Portal image tag (immutable tags are recommended)
  ## @param portal.image.digest Harbor Portal image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param portal.image.pullPolicy Harbor Portal image pull policy
  ## @param portal.image.pullSecrets Harbor Portal image pull secrets
  ## @param portal.image.debug Enable Harbor Portal image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/harbor-portal-iamguarded
    tag: 2.14.2
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## Use TLS in the container
  ##
  tls:
    ## @param portal.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
    ## Requires `internalTLS.enabled` to be set to `true`
    ## Self-signed TLS certificates will be used otherwise
    ##
    existingSecret: ""
  ## @param portal.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param portal.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param portal.extraEnvVars Array with extra environment variables to add to Harbor Portal pods
  ##
  extraEnvVars: []
  ## @param portal.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Portal pods
  ##
  extraEnvVarsCM: ""
  ## @param portal.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Portal pods
  ##
  extraEnvVarsSecret: ""
  ## @param portal.containerPorts.http Harbor Portal HTTP container port
  ## @param portal.containerPorts.https Harbor Portal HTTPS container port
  ##
  containerPorts:
    http: 8080
    https: 8443
  ## @param portal.replicaCount Number of Harbor Portal replicas
  ##
  replicaCount: 1
  ## Configure extra options for Harbor Portal containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param portal.livenessProbe.enabled Enable livenessProbe on Harbor Portal containers
  ## @param portal.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param portal.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param portal.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param portal.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param portal.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param portal.readinessProbe.enabled Enable readinessProbe on Harbor Portal containers
  ## @param portal.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param portal.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param portal.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param portal.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param portal.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param portal.startupProbe.enabled Enable startupProbe on Harbor Portal containers
  ## @param portal.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param portal.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param portal.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param portal.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param portal.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param portal.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param portal.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param portal.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
## Harbor Portal resource requests and limits
1347
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1348
## @param portal.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if portal.resources is set (portal.resources is recommended for production).
1349
##
1350
resourcesPreset: "small"
1351
## @param portal.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
1352
## Example:
1353
## resources:
1354
## requests:
1355
## cpu: 2
1356
## memory: 512Mi
1357
## limits:
1358
## cpu: 3
1359
## memory: 1024Mi
1360
##
1361
resources: {}
1362
  ## Configure Harbor Portal pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param portal.podSecurityContext.enabled Enabled Harbor Portal pods' Security Context
  ## @param portal.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param portal.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param portal.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param portal.podSecurityContext.fsGroup Set Harbor Portal pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Harbor Portal containers (only main one) Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param portal.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param portal.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param portal.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param portal.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param portal.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param portal.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param portal.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param portal.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param portal.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param portal.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param portal.updateStrategy.type Harbor Portal deployment strategy type - only really applicable for deployments with RWO PVs attached
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param portal.lifecycleHooks LifecycleHook for the Harbor Portal container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param portal.hostAliases Harbor Portal pods host aliases
  ##
  hostAliases: []
  ## @param portal.podLabels Add additional labels to the Harbor Portal pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param portal.podAnnotations Annotations to add to the Harbor Portal pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param portal.podAffinityPreset Harbor Portal Pod affinity preset. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param portal.podAntiAffinityPreset Harbor Portal Pod anti-affinity preset. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param portal.nodeAffinityPreset.type Harbor Portal Node affinity preset type. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param portal.nodeAffinityPreset.key Harbor Portal Node label key to match. Ignored if `portal.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param portal.nodeAffinityPreset.values Harbor Portal Node label values to match. Ignored if `portal.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param portal.affinity Harbor Portal Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: portal.podAffinityPreset, portal.podAntiAffinityPreset, and portal.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param portal.nodeSelector Harbor Portal Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param portal.tolerations Harbor Portal Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param portal.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param portal.priorityClassName Priority Class Name
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param portal.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param portal.sidecars Add additional sidecar containers to the Harbor Portal pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param portal.initContainers Add additional init containers to the Harbor Portal pods
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param portal.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param portal.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param portal.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `portal.pdb.minAvailable` and `portal.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param portal.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Portal pods
  ##
  extraVolumeMounts: []
  ## @param portal.extraVolumes Optionally specify extra list of additional volumes for the Harbor Portal pods
  ##
  extraVolumes: []
  ## @param portal.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## Harbor Portal ServiceAccount configuration
  ##
  serviceAccount:
    ## @param portal.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: false
    ## @param portal.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param portal.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ##
    automountServiceAccountToken: false
    ## @param portal.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## Harbor Portal service configuration
  ##
  service:
    ## @param portal.service.ports.http Harbor Portal HTTP service port
    ## @param portal.service.ports.https Harbor Portal HTTPS service port
    ##
    ports:
      http: 80
      https: 443
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param portal.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param portal.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param portal.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param portal.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    extraIngress: []
    ## @param portal.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param portal.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param portal.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section Harbor Core Parameters
##
core:
  ## Iamguarded Harbor Core image
  ## @param core.image.registry [default: REGISTRY_NAME] Harbor Core image registry
  ## @param core.image.repository [default: REPOSITORY_NAME/harbor-core] Harbor Core image repository
  ## @skip core.image.tag Harbor Core image tag (immutable tags are recommended)
  ## @param core.image.digest Harbor Core image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param core.image.pullPolicy Harbor Core image pull policy
  ## @param core.image.pullSecrets Harbor Core image pull secrets
  ## @param core.image.debug Enable Harbor Core image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/harbor-core-iamguarded
    tag: 2.14.2
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param core.quotaUpdateProvider Provider for updating project quota (usage). Allowed values: `db`, `redis`
  ##
  quotaUpdateProvider: db
  ## @param core.sessionLifetime Explicitly set a session timeout (in seconds) overriding the backend default
  ##
  sessionLifetime: ""
  ## @param core.artifactPullAsyncFlushDuration Time (in seconds) for async update artifact pull_time and repository pull_count
  ##
  artifactPullAsyncFlushDuration: 10
  ## @param core.gdpr.deleteUser Enable/disable GDPR user deletion
  ## @param core.gdpr.auditLogsCompliant Enable/disable GDPR audit logs compliance
  ##
  gdpr:
    deleteUser: false
    auditLogsCompliant: false
  ## @param core.uaaSecret If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`.
  ##
  uaaSecret: ""
  ## @param core.secret Secret used when the core server communicates with other components. Must be a string of 16 chars.
  ## @param core.secretKey Secret key used for communications encryption. Must be a string of 16 chars
  ## @param core.existingSecret Existing secret for core (expected keys: `secret` and `secretKey`)
  ##
  secret: ""
  secretKey: ""
  existingSecret: ""
  ## @param core.tokenKey Key of the certificate used for token encryption/decryption.
  ## @param core.tokenCert Certificate used for token encryption/decryption.
  ## @param core.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set
  ##
  tokenKey: ""
  tokenCert: ""
  secretName: ""
  ## @param core.existingEnvVarsSecret Existing secret for core envvars
  ## The secret must contain the keys:
  ## `CSRF_KEY` (optional - alternatively auto-generated),
  ## `HARBOR_ADMIN_PASSWORD` (optional - alternatively auto-generated),
  ## `POSTGRESQL_PASSWORD` (optional - alternatively uses weak upstream default. Read below if you set it. You must also set postgresql.auth.existingSecret to the same value as core.existingEnvVarsSecret for this to work!),
  ## `postgres-password` (required if POSTGRESQL_PASSWORD is set & must be the same as POSTGRESQL_PASSWORD.)
  ## `HARBOR_DATABASE_PASSWORD` (required if POSTGRESQL_PASSWORD is set & must be the same as POSTGRESQL_PASSWORD.)
  ## `REGISTRY_CREDENTIAL_USERNAME` (optional - alternatively weak defaults),
  ## `REGISTRY_CREDENTIAL_PASSWORD` (optional - alternatively weak defaults),
  ## `_REDIS_URL_CORE` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/0")
  ## `_REDIS_URL_REG` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/2")
  ##
  ## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
  ## Notes:
  ## As an EnvVars secret, this secret also stores the Redis config URLs
  ## The HARBOR_ADMIN_PASSWORD is only required at initial deployment; once the password is set in the database, it is no longer used
  ##
  existingEnvVarsSecret: ""
  ## @param core.csrfKey The CSRF key. Will be generated automatically if it isn't specified
  ##
  csrfKey: ""
  ## Use TLS in the container
  ##
  tls:
    ## @param core.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
    ## Requires `internalTLS.enabled` to be set to `true`
    ## Self-signed TLS certificates will be used otherwise
    ##
    existingSecret: ""
  ## @param core.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param core.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param core.extraEnvVars Array with extra environment variables to add to Harbor Core pods
  ##
  extraEnvVars: []
  ## @param core.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Core pods
  ##
  extraEnvVarsCM: ""
  ## @param core.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Core pods
  ##
  extraEnvVarsSecret: ""
  ## @param core.configOverwriteJson String containing a JSON with configuration overrides
  ## Source: https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#harbor-user-settings
  ##
  configOverwriteJson: ""
  ## @param core.configOverwriteJsonSecret Secret containing the JSON configuration overrides
  ## Source: https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#harbor-user-settings
  ##
  configOverwriteJsonSecret: ""
  ## @param core.containerPorts.http Harbor Core HTTP container port
  ## @param core.containerPorts.https Harbor Core HTTPS container port
  ## @param core.containerPorts.metrics Harbor Core metrics container port
  ##
  containerPorts:
    http: 8080
    https: 8443
    metrics: 8001
  ## @param core.replicaCount Number of Harbor Core replicas
  ##
  replicaCount: 1
  ## Configure extra options for Harbor Core containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param core.livenessProbe.enabled Enable livenessProbe on Harbor Core containers
  ## @param core.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param core.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param core.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param core.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param core.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param core.readinessProbe.enabled Enable readinessProbe on Harbor Core containers
  ## @param core.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param core.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param core.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param core.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param core.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param core.startupProbe.enabled Enable startupProbe on Harbor Core containers
  ## @param core.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param core.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param core.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param core.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param core.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param core.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param core.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param core.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Harbor Core resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param core.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if core.resources is set (core.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param core.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Harbor Core pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param core.podSecurityContext.enabled Enabled Harbor Core pods' Security Context
  ## @param core.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param core.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param core.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param core.podSecurityContext.fsGroup Set Harbor Core pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Harbor Core containers (only main one) Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param core.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param core.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param core.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param core.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param core.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param core.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param core.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param core.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param core.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param core.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param core.updateStrategy.type Harbor Core deployment strategy type - only really applicable for deployments with RWO PVs attached
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param core.lifecycleHooks LifecycleHook for the Harbor Core container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param core.hostAliases Harbor Core pods host aliases
  ##
  hostAliases: []
  ## @param core.podLabels Add additional labels to the Harbor Core pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param core.podAnnotations Annotations to add to the Harbor Core pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param core.podAffinityPreset Harbor Core Pod affinity preset. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param core.podAntiAffinityPreset Harbor Core Pod anti-affinity preset. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param core.nodeAffinityPreset.type Harbor Core Node affinity preset type. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param core.nodeAffinityPreset.key Harbor Core Node label key to match. Ignored if `core.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param core.nodeAffinityPreset.values Harbor Core Node label values to match. Ignored if `core.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param core.affinity Harbor Core Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: core.podAffinityPreset, core.podAntiAffinityPreset, and core.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param core.nodeSelector Harbor Core Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param core.tolerations Harbor Core Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param core.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param core.priorityClassName Priority Class Name
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param core.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param core.sidecars Add additional sidecar containers to the Harbor Core pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param core.initContainers Add additional init containers to the Harbor Core pods
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param core.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param core.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param core.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `core.pdb.minAvailable` and `core.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param core.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Core pods
  ##
  extraVolumeMounts: []
  ## @param core.extraVolumes Optionally specify extra list of additional volumes for the Harbor Core pods
  ##
  extraVolumes: []
  ## @param core.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## Harbor Core ServiceAccount configuration
  ##
  serviceAccount:
    ## @param core.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: false
    ## @param core.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param core.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ##
    automountServiceAccountToken: false
    ## @param core.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## Harbor Core service configuration
  ##
  service:
    ## @param core.service.ports.http Harbor Core HTTP service port
    ## @param core.service.ports.https Harbor Core HTTPS service port
    ## @param core.service.ports.metrics Harbor Core metrics service port
    ##
    ports:
      http: 80
      https: 443
      metrics: 8001
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param core.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param core.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param core.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param core.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    extraIngress: []
    ## @param core.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param core.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param core.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section Harbor Jobservice Parameters
##
jobservice:
  ## Iamguarded Harbor Jobservice image
  ## @param jobservice.image.registry [default: REGISTRY_NAME] Harbor Jobservice image registry
  ## @param jobservice.image.repository [default: REPOSITORY_NAME/harbor-jobservice] Harbor Jobservice image repository
  ## @skip jobservice.image.tag Harbor Jobservice image tag (immutable tags are recommended)
  ## @param jobservice.image.digest Harbor Jobservice image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param jobservice.image.pullPolicy Harbor Jobservice image pull policy
  ## @param jobservice.image.pullSecrets Harbor Jobservice image pull secrets
  ## @param jobservice.image.debug Enable Harbor Jobservice image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/harbor-jobservice-iamguarded
    tag: 2.14.2
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param jobservice.maxJobWorkers The max job workers
  ##
  maxJobWorkers: 10
  ## @param jobservice.redisNamespace Redis namespace for jobservice
  ##
  redisNamespace: harbor_job_service_namespace
  ## @param jobservice.jobLogger The logger for jobs: `file`, `database` or `stdout`
  ##
  jobLogger: file
  ## @param jobservice.notification.webhookJobMaxRetry Maximum number of retries for webhook jobs
  ## @param jobservice.notification.webhookJobHttpClientTimeout HTTP client timeout for webhook jobs (in seconds)
  ##
  notification:
    webhookJobMaxRetry: 3
    webhookJobHttpClientTimeout: 3
  ## @param jobservice.reaper.maxUpdateHours Max time (in hours) to wait for a task to finish
  ## @param jobservice.reaper.maxDanglingHours Max time (in hours) for execution in running state without new task created
2077
##
2078
reaper:
2079
maxUpdateHours: 24
2080
maxDanglingHours: 168
2081
## @param jobservice.secret Secret used for job service communicates with other components. Must be a string of 16 chars.
2082
## @param jobservice.existingSecret Existing secret for jobservice (expected key: `secret`)
2083
##
2084
secret: ""
2085
existingSecret: ""
2086
## @param jobservice.existingEnvVarsSecret Existing secret for jobservice envvars
2087
## The secret must contain the keys:
2088
## `REGISTRY_CREDENTIAL_PASSWORD` (optional),
2089
## `JOB_SERVICE_POOL_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/1"),
2090
##
2091
## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
2092
existingEnvVarsSecret: ""
2093
## Use TLS in the container
2094
##
2095
tls:
2096
## @param jobservice.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
2097
## Requires `internalTLS.enabled` to be set to `true``
2098
## Self-signed TLS certificates will be used otherwise
2099
##
2100
existingSecret: ""
2101
## @param jobservice.command Override default container command (useful when using custom images)
2102
##
2103
command: []
2104
## @param jobservice.args Override default container args (useful when using custom images)
2105
##
2106
args: []
  ## @param jobservice.extraEnvVars Array with extra environment variables to add to Harbor Jobservice pods
  ##
  extraEnvVars: []
  ## @param jobservice.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Jobservice pods
  ##
  extraEnvVarsCM: ""
  ## @param jobservice.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Jobservice pods
  ##
  extraEnvVarsSecret: ""
  ## @param jobservice.containerPorts.http Harbor Jobservice HTTP container port
  ## @param jobservice.containerPorts.https Harbor Jobservice HTTPS container port
  ## @param jobservice.containerPorts.metrics Harbor Jobservice metrics container port
  ##
  containerPorts:
    http: 8080
    https: 8443
    metrics: 8001
  ## @param jobservice.replicaCount Number of Harbor Jobservice replicas
  ##
  replicaCount: 1
  ## Configure extra options for Harbor Jobservice containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param jobservice.livenessProbe.enabled Enable livenessProbe on Harbor Jobservice containers
  ## @param jobservice.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param jobservice.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param jobservice.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param jobservice.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param jobservice.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param jobservice.readinessProbe.enabled Enable readinessProbe on Harbor Jobservice containers
  ## @param jobservice.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param jobservice.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param jobservice.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param jobservice.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param jobservice.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param jobservice.startupProbe.enabled Enable startupProbe on Harbor Jobservice containers
  ## @param jobservice.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param jobservice.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param jobservice.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param jobservice.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param jobservice.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param jobservice.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param jobservice.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param jobservice.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Harbor Jobservice resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param jobservice.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if jobservice.resources is set (jobservice.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param jobservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Harbor Jobservice pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param jobservice.podSecurityContext.enabled Enabled Harbor Jobservice pods' Security Context
  ## @param jobservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param jobservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param jobservice.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param jobservice.podSecurityContext.fsGroup Set Harbor Jobservice pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Harbor Jobservice containers (only main one) Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param jobservice.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param jobservice.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param jobservice.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param jobservice.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param jobservice.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param jobservice.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param jobservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param jobservice.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param jobservice.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param jobservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param jobservice.updateStrategy.type Harbor Jobservice deployment strategy type - only really applicable for deployments with RWO PVs attached
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param jobservice.lifecycleHooks LifecycleHook for the Harbor Jobservice container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param jobservice.hostAliases Harbor Jobservice pods host aliases
  ##
  hostAliases: []
  ## @param jobservice.podLabels Add additional labels to the Harbor Jobservice pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param jobservice.podAnnotations Annotations to add to the Harbor Jobservice pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param jobservice.podAffinityPreset Harbor Jobservice Pod affinity preset. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param jobservice.podAntiAffinityPreset Harbor Jobservice Pod anti-affinity preset. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param jobservice.nodeAffinityPreset.type Harbor Jobservice Node affinity preset type. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param jobservice.nodeAffinityPreset.key Harbor Jobservice Node label key to match. Ignored if `jobservice.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param jobservice.nodeAffinityPreset.values Harbor Jobservice Node label values to match. Ignored if `jobservice.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param jobservice.affinity Harbor Jobservice Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: jobservice.podAffinityPreset, jobservice.podAntiAffinityPreset, and jobservice.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param jobservice.nodeSelector Harbor Jobservice Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param jobservice.tolerations Harbor Jobservice Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param jobservice.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param jobservice.priorityClassName Priority Class Name
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param jobservice.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param jobservice.sidecars Add additional sidecar containers to the Harbor Jobservice pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param jobservice.initContainers Add additional init containers to the Harbor Jobservice pods
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param jobservice.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param jobservice.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param jobservice.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `jobservice.pdb.minAvailable` and `jobservice.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param jobservice.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Jobservice pods
  ##
  extraVolumeMounts: []
  ## @param jobservice.extraVolumes Optionally specify extra list of additional volumes for the Harbor Jobservice pods
  ##
  extraVolumes: []
  ## @param jobservice.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## Harbor Jobservice ServiceAccount configuration
  ##
  serviceAccount:
    ## @param jobservice.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: false
    ## @param jobservice.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param jobservice.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ##
    automountServiceAccountToken: false
    ## @param jobservice.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## Harbor Jobservice service configuration
  ##
  service:
    ## @param jobservice.service.ports.http Harbor Jobservice HTTP service port
    ## @param jobservice.service.ports.https Harbor Jobservice HTTPS service port
    ## @param jobservice.service.ports.metrics Harbor Jobservice metrics service port
    ##
    ports:
      http: 80
      https: 443
      metrics: 8001
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param jobservice.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param jobservice.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param jobservice.networkPolicy.allowExternalEgress Allow the pod to access any range of ports and all destinations.
    ##
    allowExternalEgress: true
    ## @param jobservice.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param jobservice.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param jobservice.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param jobservice.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section Harbor Registry Parameters
##

## Registry Parameters
##
registry:
  ## @param registry.secret Secret is used to secure the upload state from client and registry storage backend. See: <https://github.com/docker/distribution/blob/master/docs/configuration.md>
  ## See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
  ## If a secret key is not specified, Helm will generate one.
  ## Must be a string of 16 chars.
  ##
  secret: ""
  ## @param registry.existingSecret Existing secret for registry
  ## The secret must contain the keys:
  ## `REGISTRY_HTPASSWD` (required - replaces insecure defaults),
  ## `REGISTRY_HTTP_SECRET` (optional - generated on the fly if not specified),
  ## `REGISTRY_REDIS_PASSWORD` (optional),
  ##
  existingSecret: ""
  ## @param registry.relativeurls Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL.
  ##
  relativeurls: false
  ## @param registry.credentials.username The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd)
  ## @param registry.credentials.password The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation.
  ## @param registry.credentials.htpasswd The content of htpasswd file based on the value of `registry.credentials.username` `registry.credentials.password`. Currently `helm` does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling
  ##
  credentials:
    username: harbor_registry_user
    password: harbor_registry_password
    ## If you update the username or password of the registry, make sure to use the CLI tool htpasswd to generate the bcrypt hash
    ## e.g. "htpasswd -nbBC10 $username $password"
    ##
    htpasswd: harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m
  middleware:
    ## @param registry.middleware.enabled Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See
    ##
    enabled: false
    ## @param registry.middleware.type CDN type for the middleware
    ##
    type: cloudFront
    ## @param registry.middleware.cloudFront.baseurl CloudFront CDN settings: Base URL
    ## @param registry.middleware.cloudFront.keypairid CloudFront CDN settings: Keypair ID
    ## @param registry.middleware.cloudFront.duration CloudFront CDN settings: Duration
    ## @param registry.middleware.cloudFront.ipfilteredby CloudFront CDN settings: IP filters
    ## @param registry.middleware.cloudFront.privateKeySecret CloudFront CDN settings: Secret name with the private key
    ##
    cloudFront:
      baseurl: example.cloudfront.net
      keypairid: KEYPAIRID
      duration: 3000s
      ipfilteredby: none
      ## The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
      ## that allows access to CloudFront
      ##
      privateKeySecret: my-secret
  ## @param registry.uploadPurging.enabled Enable purging _upload directories
  ## @param registry.uploadPurging.age Period of time to wait before removing files in _upload directories
  ## @param registry.uploadPurging.interval Interval for purging operations
  ## @param registry.uploadPurging.dryrun If true, the purge operation will not actually delete files, but will log what would be deleted
  ##
  uploadPurging:
    enabled: true
    age: 168h
    interval: 24h
    dryrun: false
  ## Use TLS in the container
  ##
  tls:
    ## @param registry.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
    ## Requires `internalTLS.enabled` to be set to `true`
    ## Self-signed TLS certificates will be used otherwise
    ##
    existingSecret: ""
  ## @param registry.replicaCount Number of Harbor Registry replicas
  ##
  replicaCount: 1
  ## Configure Harbor Registry pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param registry.podSecurityContext.enabled Enabled Harbor Registry pods' Security Context
  ## @param registry.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param registry.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param registry.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param registry.podSecurityContext.fsGroup Set Harbor Registry pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param registry.updateStrategy.type Harbor Registry deployment strategy type - only really applicable for deployments with RWO PVs attached
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param registry.hostAliases Harbor Registry pods host aliases
  ##
  hostAliases: []
  ## @param registry.podLabels Add additional labels to the Harbor Registry pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param registry.podAnnotations Annotations to add to the Harbor Registry pods (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param registry.podAffinityPreset Harbor Registry Pod affinity preset. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param registry.podAntiAffinityPreset Harbor Registry Pod anti-affinity preset. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param registry.nodeAffinityPreset.type Harbor Registry Node affinity preset type. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param registry.nodeAffinityPreset.key Harbor Registry Node label key to match. Ignored if `registry.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param registry.nodeAffinityPreset.values Harbor Registry Node label values to match. Ignored if `registry.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param registry.affinity Harbor Registry Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: registry.podAffinityPreset, registry.podAntiAffinityPreset, and registry.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param registry.nodeSelector Harbor Registry Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param registry.tolerations Harbor Registry Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param registry.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param registry.priorityClassName Priority Class Name
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param registry.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param registry.sidecars Add additional sidecar containers to the Harbor Registry pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param registry.initContainers Add additional init containers to the Harbor Registry pods
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param registry.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param registry.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param registry.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `registry.pdb.minAvailable` and `registry.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param registry.extraVolumes Optionally specify extra list of additional volumes for the Harbor Registry pods
  ##
  extraVolumes: []
  ## @param registry.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## Harbor Registry ServiceAccount configuration
  ##
  serviceAccount:
    ## @param registry.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param registry.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param registry.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ##
    automountServiceAccountToken: false
    ## @param registry.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param registry.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param registry.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param registry.networkPolicy.allowExternalEgress Allow the pod to access any range of ports and all destinations.
    ##
    allowExternalEgress: true
    ## @param registry.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param registry.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param registry.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param registry.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
2702
  ## Harbor Registry main container parameters
  ##
  server:
    ## Iamguarded Harbor Registry image
    ## @param registry.server.image.registry [default: REGISTRY_NAME] Harbor Registry image registry
    ## @param registry.server.image.repository [default: REPOSITORY_NAME/harbor-registry] Harbor Registry image repository
    ## @skip registry.server.image.tag Harbor Registry image tag (immutable tags are recommended)
    ## @param registry.server.image.digest Harbor Registry image digest in the form sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param registry.server.image.pullPolicy Harbor Registry image pull policy
    ## @param registry.server.image.pullSecrets Harbor Registry image pull secrets
    ## @param registry.server.image.debug Enable Harbor Registry image debug mode
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/harbor-registry-iamguarded
      tag: 2.14.2
      digest: ""
      ## Specify an imagePullPolicy
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## e.g:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
      ## Enable debug mode
      ##
      debug: false
    ## @param registry.server.command Override default container command (useful when using custom images)
    ##
    command: []
    ## @param registry.server.args Override default container args (useful when using custom images)
    ##
    args: []
    ## @param registry.server.extraEnvVars Array with extra environment variables to add to Harbor Registry main containers
    ##
    extraEnvVars: []
    ## @param registry.server.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Registry main containers
    ##
    extraEnvVarsCM: ""
    ## @param registry.server.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Registry main containers
    ##
    extraEnvVarsSecret: ""
    ## @param registry.server.containerPorts.http Harbor Registry HTTP container port
    ## @param registry.server.containerPorts.https Harbor Registry HTTPS container port
    ## @param registry.server.containerPorts.debug Harbor Registry debug container port
    ## @param registry.server.containerPorts.metrics Harbor Registry metrics container port
    ##
    containerPorts:
      http: 5000
      https: 5443
      debug: 5001
      metrics: 8001
    ## Configure extra options for Harbor Registry main containers' liveness, readiness and startup probes
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
    ## @param registry.server.livenessProbe.enabled Enable livenessProbe on Harbor Registry main containers
    ## @param registry.server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
    ## @param registry.server.livenessProbe.periodSeconds Period seconds for livenessProbe
    ## @param registry.server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
    ## @param registry.server.livenessProbe.failureThreshold Failure threshold for livenessProbe
    ## @param registry.server.livenessProbe.successThreshold Success threshold for livenessProbe
    ##
    livenessProbe:
      enabled: true
      initialDelaySeconds: 20
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 6
      successThreshold: 1
    ## @param registry.server.readinessProbe.enabled Enable readinessProbe on Harbor Registry main containers
    ## @param registry.server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
    ## @param registry.server.readinessProbe.periodSeconds Period seconds for readinessProbe
    ## @param registry.server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
    ## @param registry.server.readinessProbe.failureThreshold Failure threshold for readinessProbe
    ## @param registry.server.readinessProbe.successThreshold Success threshold for readinessProbe
    ##
    readinessProbe:
      enabled: true
      initialDelaySeconds: 20
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 6
      successThreshold: 1
    ## @param registry.server.startupProbe.enabled Enable startupProbe on Harbor Registry main containers
    ## @param registry.server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
    ## @param registry.server.startupProbe.periodSeconds Period seconds for startupProbe
    ## @param registry.server.startupProbe.timeoutSeconds Timeout seconds for startupProbe
    ## @param registry.server.startupProbe.failureThreshold Failure threshold for startupProbe
    ## @param registry.server.startupProbe.successThreshold Success threshold for startupProbe
    ##
    startupProbe:
      enabled: false
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 1
      failureThreshold: 15
      successThreshold: 1
    ## @param registry.server.customLivenessProbe Custom livenessProbe that overrides the default one
    ##
    customLivenessProbe: {}
    ## @param registry.server.customReadinessProbe Custom readinessProbe that overrides the default one
    ##
    customReadinessProbe: {}
    ## @param registry.server.customStartupProbe Custom startupProbe that overrides the default one
    ##
    customStartupProbe: {}
    ## Harbor Registry main resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param registry.server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.server.resources is set (registry.server.resources is recommended for production).
    ##
    resourcesPreset: "small"
    ## @param registry.server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## Configure Harbor Registry main containers (only main one) Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param registry.server.containerSecurityContext.enabled Enabled containers' Security Context
    ## @param registry.server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param registry.server.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param registry.server.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param registry.server.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
    ## @param registry.server.containerSecurityContext.privileged Set container's Security Context privileged
    ## @param registry.server.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
    ## @param registry.server.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
    ## @param registry.server.containerSecurityContext.capabilities.drop List of capabilities to be dropped
    ## @param registry.server.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## @param registry.server.lifecycleHooks LifecycleHook for the Harbor Registry main container(s) to automate configuration before or after startup
    ##
    lifecycleHooks: {}
    ## @param registry.server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Registry main pods
    ##
    extraVolumeMounts: []
    ## Harbor Registry service configuration
    ##
    service:
      ## @param registry.server.service.ports.http Harbor Registry HTTP service port
      ## @param registry.server.service.ports.https Harbor Registry HTTPS service port
      ## @param registry.server.service.ports.metrics Harbor Registry metrics service port
      ##
      ports:
        http: 5000
        https: 5443
        metrics: 8001
  ## Harbor Registryctl parameters
  ##
  controller:
    ## Iamguarded Harbor Registryctl image
    ## @param registry.controller.image.registry [default: REGISTRY_NAME] Harbor Registryctl image registry
    ## @param registry.controller.image.repository [default: REPOSITORY_NAME/harbor-registryctl] Harbor Registryctl image repository
    ## @skip registry.controller.image.tag Harbor Registryctl image tag (immutable tags are recommended)
    ## @param registry.controller.image.digest Harbor Registryctl image digest in the form sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param registry.controller.image.pullPolicy Harbor Registryctl image pull policy
    ## @param registry.controller.image.pullSecrets Harbor Registryctl image pull secrets
    ## @param registry.controller.image.debug Enable Harbor Registryctl image debug mode
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/harbor-registryctl-iamguarded
      tag: 2.14.2
      digest: ""
      ## Specify an imagePullPolicy
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## e.g:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
      ## Enable debug mode
      ##
      debug: false
    ## @param registry.controller.command Override default container command (useful when using custom images)
    ##
    command: []
    ## @param registry.controller.args Override default container args (useful when using custom images)
    ##
    args: []
    ## @param registry.controller.extraEnvVars Array with extra environment variables to add to Harbor Registryctl containers
    ##
    extraEnvVars: []
    ## @param registry.controller.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Registryctl containers
    ##
    extraEnvVarsCM: ""
    ## @param registry.controller.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Registryctl containers
    ##
    extraEnvVarsSecret: ""
    ## @param registry.controller.containerPorts.http Harbor Registryctl HTTP container port
    ## @param registry.controller.containerPorts.https Harbor Registryctl HTTPS container port
    ##
    containerPorts:
      http: 8080
      https: 8443
    ## Configure extra options for Harbor Registryctl containers' liveness, readiness and startup probes
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
    ## @param registry.controller.livenessProbe.enabled Enable livenessProbe on Harbor Registryctl containers
    ## @param registry.controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
    ## @param registry.controller.livenessProbe.periodSeconds Period seconds for livenessProbe
    ## @param registry.controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
    ## @param registry.controller.livenessProbe.failureThreshold Failure threshold for livenessProbe
    ## @param registry.controller.livenessProbe.successThreshold Success threshold for livenessProbe
    ##
    livenessProbe:
      enabled: true
      initialDelaySeconds: 20
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 6
      successThreshold: 1
    ## @param registry.controller.readinessProbe.enabled Enable readinessProbe on Harbor Registryctl containers
    ## @param registry.controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
    ## @param registry.controller.readinessProbe.periodSeconds Period seconds for readinessProbe
    ## @param registry.controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
    ## @param registry.controller.readinessProbe.failureThreshold Failure threshold for readinessProbe
    ## @param registry.controller.readinessProbe.successThreshold Success threshold for readinessProbe
    ##
    readinessProbe:
      enabled: true
      initialDelaySeconds: 20
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 6
      successThreshold: 1
    ## @param registry.controller.startupProbe.enabled Enable startupProbe on Harbor Registryctl containers
    ## @param registry.controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
    ## @param registry.controller.startupProbe.periodSeconds Period seconds for startupProbe
    ## @param registry.controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe
    ## @param registry.controller.startupProbe.failureThreshold Failure threshold for startupProbe
    ## @param registry.controller.startupProbe.successThreshold Success threshold for startupProbe
    ##
    startupProbe:
      enabled: false
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 1
      failureThreshold: 15
      successThreshold: 1
    ## @param registry.controller.customLivenessProbe Custom livenessProbe that overrides the default one
    ##
    customLivenessProbe: {}
    ## @param registry.controller.customReadinessProbe Custom readinessProbe that overrides the default one
    ##
    customReadinessProbe: {}
    ## @param registry.controller.customStartupProbe Custom startupProbe that overrides the default one
    ##
    customStartupProbe: {}
    ## Harbor Registryctl resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param registry.controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.controller.resources is set (registry.controller.resources is recommended for production).
    ##
    resourcesPreset: "small"
    ## @param registry.controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## Configure Harbor Registryctl containers (only main one) Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param registry.controller.containerSecurityContext.enabled Enabled containers' Security Context
    ## @param registry.controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param registry.controller.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param registry.controller.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param registry.controller.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
    ## @param registry.controller.containerSecurityContext.privileged Set container's Security Context privileged
    ## @param registry.controller.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
    ## @param registry.controller.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
    ## @param registry.controller.containerSecurityContext.capabilities.drop List of capabilities to be dropped
    ## @param registry.controller.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## @param registry.controller.lifecycleHooks LifecycleHook for the Harbor Registryctl container(s) to automate configuration before or after startup
    ##
    lifecycleHooks: {}
    ## @param registry.controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Registryctl pods
    ##
    extraVolumeMounts: []
    ## Harbor Registryctl service configuration
    ##
    service:
      ## @param registry.controller.service.ports.http Harbor Registryctl HTTP service port
      ## @param registry.controller.service.ports.https Harbor Registryctl HTTPS service port
      ##
      ports:
        http: 8080
        https: 8443
## @section Harbor Adapter Trivy Parameters
##
trivy:
  ## Iamguarded Harbor Adapter Trivy image
  ## @param trivy.image.registry [default: REGISTRY_NAME] Harbor Adapter Trivy image registry
  ## @param trivy.image.repository [default: REPOSITORY_NAME/harbor-adapter-trivy] Harbor Adapter Trivy image repository
  ## @skip trivy.image.tag Harbor Adapter Trivy image tag (immutable tags are recommended)
  ## @param trivy.image.digest Harbor Adapter Trivy image digest in the form sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param trivy.image.pullPolicy Harbor Adapter Trivy image pull policy
  ## @param trivy.image.pullSecrets Harbor Adapter Trivy image pull secrets
  ## @param trivy.image.debug Enable Harbor Adapter Trivy image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/harbor-adapter-trivy-iamguarded
    tag: 2.14.2
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param trivy.enabled Enable Trivy
  ##
  enabled: true
  ## @param trivy.debugMode The flag to enable Trivy debug mode
  ##
  debugMode: false
  ## @param trivy.vulnType Comma-separated list of vulnerability types. Possible values `os` and `library`.
  ##
  vulnType: "os,library"
  ## @param trivy.severity Comma-separated list of severities to be checked
  ##
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  ## @param trivy.ignoreUnfixed The flag to display only fixed vulnerabilities
  ##
  ignoreUnfixed: false
  ## @param trivy.insecure The flag to skip verifying registry certificate
  ##
  insecure: false
  ## @param trivy.existingEnvVarsSecret Existing secret for trivy
  ## The secret must contain the keys:
  ## `SCANNER_TRIVY_GITHUB_TOKEN` (optional)
  ## `SCANNER_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5")
  ## `SCANNER_STORE_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5")
  ## `SCANNER_JOB_QUEUE_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5")
  ##
  existingEnvVarsSecret: ""
  ## @param trivy.gitHubToken The GitHub access token to download Trivy DB
  ##
  ## Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
  ## It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
  ## in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
  ## timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
  ## Currently, the database is updated every 12 hours and published as a new release to GitHub.
  ##
  ## Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  ## for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  ## requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  ## https://developer.github.com/v3/#rate-limiting
  ##
  ## You can create a GitHub token by following the instructions in
  ## https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  ##
  gitHubToken: ""
  ## @param trivy.skipUpdate The flag to disable Trivy DB downloads from GitHub
  ## You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
  ## If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
  ## `/iamguarded/harbor-adapter-trivy/.cache/trivy/db/trivy.db` path.
  ## ref: https://trivy.dev/dev/docs/configuration/db/
  ##
  skipUpdate: false
  ## @param trivy.skipJavaDbUpdate The flag to disable Trivy JAVA DB downloads.
  ## You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
  ## If the value is set to `true` you have to manually download the `trivy-java.db` file and mount it in the
  ## `/iamguarded/harbor-adapter-trivy/.cache/trivy/java-db/trivy-java.db` path.
  ##
  skipJavaDbUpdate: false
  ## @param trivy.dbRepository OCI repositor(ies) to retrieve the trivy vulnerability database from
  dbRepository: ""
  ## @param trivy.javaDbRepository OCI repositor(ies) to retrieve the Java trivy vulnerability database from
  javaDbRepository: ""
  ## @param trivy.cacheDir Directory to store the cache
  ##
  cacheDir: "/iamguarded/harbor-adapter-trivy/.cache"
  ## Use TLS in the container
  ##
  tls:
    ## @param trivy.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
    ## Requires `internalTLS.enabled` to be set to `true`
    ## Self-signed TLS certificates will be used otherwise
    ##
    existingSecret: ""
  ## @param trivy.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param trivy.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param trivy.extraEnvVars Array with extra environment variables to add to Trivy pods
  ##
  extraEnvVars: []
  ## @param trivy.extraEnvVarsCM ConfigMap containing extra environment variables for Trivy pods
  ##
  extraEnvVarsCM: ""
  ## @param trivy.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Trivy pods
  ##
  extraEnvVarsSecret: ""
  ## @param trivy.containerPorts.http Trivy HTTP container port
  ## @param trivy.containerPorts.https Trivy HTTPS container port
  ##
  containerPorts:
    http: 8080
    https: 8443
  ## @param trivy.replicaCount Number of Trivy replicas
  ##
  replicaCount: 1
  ## Configure extra options for Trivy containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param trivy.livenessProbe.enabled Enable livenessProbe on Trivy containers
  ## @param trivy.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param trivy.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param trivy.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param trivy.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param trivy.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param trivy.readinessProbe.enabled Enable readinessProbe on Trivy containers
  ## @param trivy.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param trivy.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param trivy.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param trivy.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param trivy.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param trivy.startupProbe.enabled Enable startupProbe on Trivy containers
  ## @param trivy.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param trivy.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param trivy.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param trivy.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param trivy.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param trivy.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param trivy.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param trivy.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Trivy resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param trivy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if trivy.resources is set (trivy.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param trivy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Trivy pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param trivy.podSecurityContext.enabled Enabled Trivy pods' Security Context
  ## @param trivy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param trivy.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param trivy.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param trivy.podSecurityContext.fsGroup Set Trivy pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Trivy containers (only main one) Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param trivy.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param trivy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param trivy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param trivy.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param trivy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param trivy.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param trivy.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param trivy.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param trivy.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param trivy.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
## @param trivy.updateStrategy.type Trivy deployment strategy type - only really applicable for deployments with RWO PVs attached
3271
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
3272
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
3273
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
3274
##
3275
updateStrategy:
3276
type: RollingUpdate
3277
## @param trivy.lifecycleHooks LifecycleHook for the Trivy container(s) to automate configuration before or after startup
3278
##
3279
lifecycleHooks: {}
3280
## @param trivy.hostAliases Trivy pods host aliases
3281
##
3282
hostAliases: []
3283
## @param trivy.podLabels Add additional labels to the Trivy pods (evaluated as a template)
3284
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
3285
##
3286
podLabels: {}
3287
## @param trivy.podAnnotations Annotations to add to the Trivy pods (evaluated as a template)
3288
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
3289
##
3290
podAnnotations: {}
  ## @param trivy.podAffinityPreset Trivy Pod affinity preset. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param trivy.podAntiAffinityPreset Trivy Pod anti-affinity preset. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param trivy.nodeAffinityPreset.type Trivy Node affinity preset type. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param trivy.nodeAffinityPreset.key Trivy Node label key to match. Ignored if `trivy.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param trivy.nodeAffinityPreset.values Trivy Node label values to match. Ignored if `trivy.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param trivy.affinity Trivy Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: trivy.podAffinityPreset, trivy.podAntiAffinityPreset, and trivy.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param trivy.nodeSelector Trivy Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param trivy.tolerations Trivy Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param trivy.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param trivy.priorityClassName Priority Class Name
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param trivy.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param trivy.sidecars Add additional sidecar containers to the Trivy pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param trivy.initContainers Add additional init containers to the Trivy pods
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param trivy.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param trivy.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param trivy.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `trivy.pdb.minAvailable` and `trivy.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param trivy.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Trivy pods
  ##
  extraVolumeMounts: []
  ## @param trivy.extraVolumes Optionally specify extra list of additional volumes for the Trivy pods
  ##
  extraVolumes: []
  ## @param trivy.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## Trivy ServiceAccount configuration
  ##
  serviceAccount:
    ## @param trivy.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: false
    ## @param trivy.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param trivy.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ##
    automountServiceAccountToken: false
    ## @param trivy.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## Trivy service configuration
  ##
  service:
    ## @param trivy.service.ports.http Trivy HTTP service port
    ## @param trivy.service.ports.https Trivy HTTPS service port
    ##
    ports:
      http: 8080
      https: 8443
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param trivy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param trivy.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param trivy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param trivy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param trivy.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param trivy.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param trivy.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section Harbor Exporter Parameters
##
exporter:
  ## Iamguarded Harbor Exporter image
  ## @param exporter.image.registry [default: REGISTRY_NAME] Harbor Exporter image registry
  ## @param exporter.image.repository [default: REPOSITORY_NAME/harbor-exporter] Harbor Exporter image repository
  ## @skip exporter.image.tag Harbor Exporter image tag
  ## @param exporter.image.digest Harbor Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param exporter.image.pullPolicy Harbor exporter image pull policy
  ## @param exporter.image.pullSecrets Specify docker-registry secret names as an array
  ## @param exporter.image.debug Specify if debug logs should be enabled
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/harbor-exporter-iamguarded
    tag: 2.14.2
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param exporter.cacheDuration Time (in seconds) collected values are cached for
  ##
  cacheDuration: 20
  ## @param exporter.cacheCleanInterval Time (in seconds) after which the cache is cleaned
  ##
  cacheCleanInterval: 14400
  ## @param exporter.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param exporter.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param exporter.extraEnvVars Array containing extra env vars
  ## For example:
  ##   - name: HARBOR_DATABASE_SSLMODE
  ##     value: verify-ca
  ##
  extraEnvVars: []
  ## @param exporter.extraEnvVarsCM ConfigMap containing extra env vars
  ##
  extraEnvVarsCM: ""
  ## @param exporter.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""
  ## @param exporter.containerPorts.metrics Harbor Exporter HTTP container port
  ##
  containerPorts:
    metrics: 8001
  ## @param exporter.replicaCount The replica count
  ##
  replicaCount: 1
  ## Harbor Exporter containers' liveness probe
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
  ## @param exporter.livenessProbe.enabled Enable livenessProbe
  ## @param exporter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param exporter.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param exporter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param exporter.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param exporter.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## Harbor Exporter containers' readiness probe
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
  ## @param exporter.readinessProbe.enabled Enable readinessProbe
  ## @param exporter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param exporter.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param exporter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param exporter.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param exporter.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param exporter.startupProbe.enabled Enable startupProbe on Harbor Exporter containers
  ## @param exporter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param exporter.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param exporter.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param exporter.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param exporter.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param exporter.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param exporter.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param exporter.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Harbor Exporter resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param exporter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if exporter.resources is set (exporter.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param exporter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Exporter pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param exporter.podSecurityContext.enabled Enabled Exporter pods' Security Context
  ## @param exporter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param exporter.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param exporter.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param exporter.podSecurityContext.fsGroup Set Exporter pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Exporter containers (only main one) Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param exporter.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param exporter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param exporter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param exporter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param exporter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param exporter.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param exporter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param exporter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param exporter.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param exporter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param exporter.updateStrategy.type The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported
  ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
  ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
  ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param exporter.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
  ##
  lifecycleHooks: {}
  ## @param exporter.hostAliases Exporter pods host aliases
  ##
  hostAliases: []
  ## @param exporter.podLabels Add additional labels to the pod (evaluated as a template)
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param exporter.podAnnotations Annotations to add to the exporter pod
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param exporter.podAffinityPreset Harbor Exporter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param exporter.podAntiAffinityPreset Harbor Exporter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param exporter.nodeAffinityPreset.type Harbor Exporter Node affinity preset type. Ignored if `exporter.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param exporter.nodeAffinityPreset.key Harbor Exporter Node label key to match. Ignored if `exporter.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param exporter.nodeAffinityPreset.values Harbor Exporter Node label values to match. Ignored if `exporter.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param exporter.affinity Harbor Exporter Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: `exporter.podAffinityPreset`, `exporter.podAntiAffinityPreset`, and `exporter.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param exporter.priorityClassName Exporter pods Priority Class Name
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param exporter.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param exporter.nodeSelector Harbor Exporter Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param exporter.tolerations Harbor Exporter Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param exporter.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param exporter.initContainers Add additional init containers to the pod (evaluated as a template)
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param exporter.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param exporter.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param exporter.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `exporter.pdb.minAvailable` and `exporter.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param exporter.extraVolumeMounts
  ##
  extraVolumeMounts: []
  ## @param exporter.extraVolumes
  ##
  extraVolumes: []
  ## @param exporter.sidecars Attach additional containers to the pod (evaluated as a template)
  ##
  sidecars: []
  ## @param exporter.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## Harbor Exporter ServiceAccount configuration
  ##
  serviceAccount:
    ## @param exporter.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: false
    ## @param exporter.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param exporter.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ##
    automountServiceAccountToken: false
    ## @param exporter.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## Exporter service configuration
  ##
  service:
    ## @param exporter.service.ports.metrics Exporter HTTP service port
    ##
    ports:
      metrics: 8001
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param exporter.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param exporter.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param exporter.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param exporter.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param exporter.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param exporter.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param exporter.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section PostgreSQL Parameters
##

## PostgreSQL chart configuration
## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
## @param postgresql.auth.postgresPassword Password for the "postgres" admin user
## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
## @param postgresql.primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
## @param postgresql.primary.initdb.scripts [object] Initdb scripts to create Harbor databases
##
postgresql:
  enabled: true
  auth:
    enablePostgresUser: true
    postgresPassword: not-secure-database-password
    existingSecret: ""
  architecture: standalone
  primary:
    extendedConfiguration: |
      max_connections = 1024
    initdb:
      scripts:
        initial-registry.sql: |
          CREATE DATABASE registry ENCODING 'UTF8';
          \c registry;
          CREATE TABLE schema_migrations(version bigint not null primary key, dirty boolean not null);
    ## PostgreSQL Primary resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param postgresql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
  image:
    digest: ""
    registry: cgr.dev
    repository: chainguard-private/postgres-iamguarded
    tag: 18.3-r2
## External PostgreSQL configuration
## All of these values are only used when postgresql.enabled is set to false
## @param externalDatabase.host Database host
## @param externalDatabase.port Database port number
## @param externalDatabase.user Non-root username for Harbor
## @param externalDatabase.password Password for the non-root username for Harbor
## @param externalDatabase.sslmode External database ssl mode
## @param externalDatabase.coreDatabase External database name for core
## @param externalDatabase.existingSecret The name of an existing secret with database credentials
## @param externalDatabase.existingSecretPasswordKey Password key on the existing secret
##
externalDatabase:
  host: localhost
  port: 5432
  user: bn_harbor
  password: ""
  sslmode: disable
  coreDatabase: ""
  existingSecret: ""
  existingSecretPasswordKey: "db-password"
## @section Redis&reg; parameters
##

## Redis&reg; chart configuration
## @param redis.enabled Switch to enable or disable the Redis&reg; helm
## @param redis.tls.enabled Enable Redis TLS traffic
## @param redis.tls.authClients Require Redis clients to authenticate. Mutual TLS is not supported by Harbor.
## @param redis.tls.autoGenerated Enable autogenerated Redis TLS certificates
## @param redis.tls.existingSecret The name of the existing secret that contains the Redis TLS certificates
## @param redis.tls.certFilename Name of key in existing secret for the Redis TLS certificate
## @param redis.tls.certKeyFilename Name of key in existing secret for the Redis TLS certificate key
## @param redis.tls.certCAFilename Name of key in existing secret for the Redis CA certificate
## @param redis.auth.enabled Enable password authentication
## @param redis.auth.password Redis&reg; password
## @param redis.auth.existingSecret The name of an existing secret with Redis&reg; credentials (expected key: `redis-password`)
## @param redis.architecture Redis&reg; architecture. Allowed values: `standalone` or `replication`
## @param redis.sentinel.enabled Use Redis&reg; Sentinel on Redis&reg; pods.
## @param redis.sentinel.masterSet Master set name
## @param redis.sentinel.service.ports.sentinel Redis&reg; service port for Redis&reg; Sentinel
##
redis:
  enabled: true
  tls:
    ## Redis TLS configuration
    enabled: false
    # Please note that Mutual TLS is not supported by Harbor.
    authClients: false
    autoGenerated: true
    existingSecret: ""
    certFilename: ""
    certKeyFilename: ""
    certCAFilename: ""
  auth:
    enabled: false
    ## Redis&reg; password (both master and slave). Defaults to a random 10-character alphanumeric string if not set and auth.enabled is true.
    ## It should always be set using the password value or in the existingSecret to avoid issues
    ## with Harbor.
    ## The password value is ignored if existingSecret is set
    ##
    password: ""
    existingSecret: ""
  architecture: standalone
  sentinel:
    enabled: false
    masterSet: mymaster
    service:
      ports:
        sentinel: 26379
  master:
    ## Redis&reg; master resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param redis.master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param redis.master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
  image:
    digest: ""
    registry: cgr.dev
    repository: chainguard-private/redis-iamguarded
    tag: 8.6.1
## External Redis® configuration
## All of these values are only used when redis.enabled is set to false
## @param externalRedis.host Redis® host
## @param externalRedis.port Redis® port number
## @param externalRedis.username Redis® username (for Redis® ACL)
## @param externalRedis.password Redis® password
## @param externalRedis.existingSecret The name of an existing secret with Redis® credentials (expected key: `redis-password`)
## @param externalRedis.coreDatabaseIndex Index for core database
## @param externalRedis.jobserviceDatabaseIndex Index for jobservice database
## @param externalRedis.registryDatabaseIndex Index for registry database
## @param externalRedis.trivyAdapterDatabaseIndex Index for trivy adapter database
## @param externalRedis.tls.enabled Enable Redis TLS traffic
## @param externalRedis.tls.existingSecret The name of the existing secret that contains the Redis TLS certificates
## @param externalRedis.tls.certCAFilename Name of key in existing secret for the Redis CA certificate
##
externalRedis:
  host: localhost
  port: 6379
  username: ""
  password: ""
  existingSecret: ""
  coreDatabaseIndex: "0"
  jobserviceDatabaseIndex: "1"
  registryDatabaseIndex: "2"
  trivyAdapterDatabaseIndex: "5"
  tls:
    enabled: false
    existingSecret: ""
    certCAFilename: ""
  ## Redis® sentinel configuration
  ## @param externalRedis.sentinel.enabled If external redis with sentinel is used, set it to `true`
  ## @param externalRedis.sentinel.masterSet Name of sentinel masterSet if sentinel is used
  ## @param externalRedis.sentinel.hosts Sentinel hosts and ports in the format
  ##
  sentinel:
    enabled: false
    masterSet: "mymaster"
    hosts: ""
  ## @param externalRedis.instancePerComponent Configure a Redis® per Harbor component
  instancePerComponent: false
  ## @param externalRedis.core.host Redis® host for core service
  ## @param externalRedis.core.port Redis® port number for core service
  ## @param externalRedis.core.username Redis® username for core service (for Redis®6 ACL)
  ## @param externalRedis.core.password Redis® password for core service
  ## @param externalRedis.core.existingSecret The name of an existing secret with Redis® credentials for core service (expected key: `redis-password`)
  ## @param externalRedis.core.index Index for core database
  ## @param externalRedis.core.tls.enabled Enable Redis TLS traffic for core service
  ## @param externalRedis.core.tls.existingSecret The name of the existing secret that contains the Redis TLS certificates for core service
  ## @param externalRedis.core.tls.certCAFilename Name of key in existing secret for the Redis CA certificate
  ## @param externalRedis.core.sentinel.enabled If external redis with sentinel is used, set it to `true`
  ## @param externalRedis.core.sentinel.masterSet Name of sentinel masterSet if sentinel is used
  ## @param externalRedis.core.sentinel.hosts Sentinel hosts and ports in the format
  ##
  core:
    host: ""
    port: 6379
    username: ""
    password: ""
    existingSecret: ""
    index: 0
    tls:
      enabled: false
      existingSecret: ""
      certCAFilename: ""
    sentinel:
      enabled: false
      masterSet: "mymaster"
      hosts: ""
  ## @param externalRedis.jobservice.host Redis® host for jobService service
  ## @param externalRedis.jobservice.port Redis® port number for jobService service
  ## @param externalRedis.jobservice.username Redis® username for jobService service (for Redis®6 ACL)
  ## @param externalRedis.jobservice.password Redis® password for jobService service
  ## @param externalRedis.jobservice.existingSecret The name of an existing secret with Redis® credentials for jobService service (expected key: `redis-password`)
  ## @param externalRedis.jobservice.index Index for jobService database
  ## @param externalRedis.jobservice.tls.enabled Enable Redis TLS traffic for jobService service
  ## @param externalRedis.jobservice.tls.existingSecret The name of the existing secret that contains the Redis TLS certificates for jobService service
  ## @param externalRedis.jobservice.tls.certCAFilename Name of key in existing secret for the Redis CA certificate
  ## @param externalRedis.jobservice.sentinel.enabled If external redis with sentinel is used, set it to `true`
  ## @param externalRedis.jobservice.sentinel.masterSet Name of sentinel masterSet if sentinel is used
  ## @param externalRedis.jobservice.sentinel.hosts Sentinel hosts and ports in the format
  ##
  jobservice:
    host: ""
    port: 6379
    username: ""
    password: ""
    existingSecret: ""
    index: 0
    tls:
      enabled: false
      existingSecret: ""
      certCAFilename: ""
    sentinel:
      enabled: false
      masterSet: "mymaster"
      hosts: ""
  ## @param externalRedis.registry.host Redis® host for registry service
  ## @param externalRedis.registry.port Redis® port number for registry service
  ## @param externalRedis.registry.username Redis® username for registry service (for Redis®6 ACL)
  ## @param externalRedis.registry.password Redis® password for registry service
  ## @param externalRedis.registry.existingSecret The name of an existing secret with Redis® credentials for registry service (expected key: `redis-password`)
  ## @param externalRedis.registry.index Index for registry database
  ## @param externalRedis.registry.tls.enabled Enable Redis TLS traffic for registry service
  ## @param externalRedis.registry.tls.existingSecret The name of the existing secret that contains the Redis TLS certificates for registry service
  ## @param externalRedis.registry.tls.certCAFilename Name of key in existing secret for the Redis CA certificate
  ## @param externalRedis.registry.sentinel.enabled If external redis with sentinel is used, set it to `true`
  ## @param externalRedis.registry.sentinel.masterSet Name of sentinel masterSet if sentinel is used
  ## @param externalRedis.registry.sentinel.hosts Sentinel hosts and ports in the format
  ##
  registry:
    host: ""
    port: 6379
    username: ""
    password: ""
    existingSecret: ""
    index: 0
    tls:
      enabled: false
      existingSecret: ""
      certCAFilename: ""
    sentinel:
      enabled: false
      masterSet: "mymaster"
      hosts: ""
  ## @param externalRedis.trivy.host Redis® host for trivy service
  ## @param externalRedis.trivy.port Redis® port number for trivy service
  ## @param externalRedis.trivy.username Redis® username for trivy service (for Redis®6 ACL)
  ## @param externalRedis.trivy.password Redis® password for trivy service
  ## @param externalRedis.trivy.existingSecret The name of an existing secret with Redis® credentials for trivy service (expected key: `redis-password`)
  ## @param externalRedis.trivy.index Index for trivy database
  ## @param externalRedis.trivy.tls.enabled Enable Redis TLS traffic for trivy service
  ## @param externalRedis.trivy.tls.existingSecret The name of the existing secret that contains the Redis TLS certificates for trivy service
  ## @param externalRedis.trivy.tls.certCAFilename Name of key in existing secret for the Redis CA certificate
  ## @param externalRedis.trivy.sentinel.enabled If external redis with sentinel is used, set it to `true`
  ## @param externalRedis.trivy.sentinel.masterSet Name of sentinel masterSet if sentinel is used
  ## @param externalRedis.trivy.sentinel.hosts Sentinel hosts and ports in the format
  ##
  trivy:
    host: ""
    port: 6379
    username: ""
    password: ""
    existingSecret: ""
    index: 0
    tls:
      enabled: false
      existingSecret: ""
      certCAFilename: ""
    sentinel:
      enabled: false
      masterSet: "mymaster"
      hosts: ""
## @section Harbor metrics parameters
##
metrics:
  ## @param metrics.enabled Whether or not to enable metrics for different
  ##
  enabled: false
  ## @param metrics.path Path where metrics are exposed
  ##
  path: /metrics
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.enabled` to be `true`)
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ##
    selector: {}
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
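
An added example, not part of the chart's own values file: an override file that points Harbor at an external Redis using the `externalRedis` keys documented above, with the credential taken from an existing secret rather than `externalRedis.password`, and with TLS enabled. The file name, host, username, secret names and CA key name are assumed placeholders.

```yaml
# values-external-redis.yaml (hypothetical file name; added example)

redis:
  # The externalRedis.* values are only used when the bundled Redis is disabled.
  enabled: false

externalRedis:
  host: redis.example.internal      # placeholder host
  port: 6379                        # chart default; use the port your TLS listener is on
  username: "harbor"                # placeholder Redis ACL user
  # Keep the inline password empty so the credential is not written into the
  # values file or stored with the Helm release; reference a Secret instead.
  password: ""
  existingSecret: "harbor-redis-auth"   # placeholder name; expected key: redis-password
  # Database indexes kept at the chart defaults shown above.
  coreDatabaseIndex: "0"
  jobserviceDatabaseIndex: "1"
  registryDatabaseIndex: "2"
  trivyAdapterDatabaseIndex: "5"
  tls:
    enabled: true                        # default is false (plaintext Redis traffic)
    existingSecret: "harbor-redis-tls"   # placeholder name of the secret with the TLS certificates
    certCAFilename: "ca.crt"             # placeholder key holding the Redis CA certificate
  # One shared Redis for all components; the per-component blocks
  # (core, jobservice, registry, trivy) stay at their defaults.
  instancePerComponent: false
```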
