3656 lines
167 KiB
YAML
3656 lines
167 KiB
YAML
## @section Global parameters
|
|
## Global Docker image parameters
|
|
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
|
|
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
|
|
##
|
|
|
|
## @param global.imageRegistry Global Docker image registry
|
|
## @param global.imagePullSecrets Global Docker registry secret names as an array
|
|
## @param global.storageClass Global StorageClass for Persistent Volume(s)
|
|
##
|
|
global:
|
|
imageRegistry: ""
|
|
## E.g.
|
|
## imagePullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
imagePullSecrets: []
|
|
storageClass: ""
|
|
|
|
## @section Common Parameters
|
|
##
|
|
|
|
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
|
|
##
|
|
nameOverride: ""
|
|
## @param fullnameOverride String to fully override common.names.fullname template with a string
|
|
##
|
|
fullnameOverride: ""
|
|
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
|
|
##
|
|
kubeVersion: ""
|
|
## @param clusterDomain Kubernetes Cluster Domain
|
|
##
|
|
clusterDomain: cluster.local
|
|
## @param commonAnnotations Annotations to add to all deployed objects
|
|
##
|
|
commonAnnotations: {}
|
|
## @param commonLabels Labels to add to all deployed objects
|
|
##
|
|
commonLabels: {}
|
|
## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template).
|
|
##
|
|
extraDeploy: []
|
|
## Enable diagnostic mode in the deployment(s)/statefulset(s)
|
|
##
|
|
diagnosticMode:
|
|
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
|
|
##
|
|
enabled: false
|
|
## @param diagnosticMode.command Command to override all containers in the the deployment(s)/statefulset(s)
|
|
##
|
|
command:
|
|
- sleep
|
|
## @param diagnosticMode.args Args to override all containers in the the deployment(s)/statefulset(s)
|
|
##
|
|
args:
|
|
- infinity
|
|
|
|
## @section Harbor common parameters
|
|
##
|
|
|
|
## @param adminPassword The initial password of Harbor admin. Change it from portal after launching Harbor
|
|
##
|
|
adminPassword: "Harbor01@"
|
|
## @param externalURL The external URL for Harbor Core service
|
|
## It is used to
|
|
## 1) populate the docker/helm commands showed on portal
|
|
## 2) populate the token service URL returned to docker/notary client
|
|
##
|
|
## Format: protocol://domain[:port]. Usually:
|
|
## 1) if "exposureType" is "ingress", the "domain" should be
|
|
## the value of "ingress.hostname"
|
|
## 2) if "exposureType" is "proxy" and "service.type" is "ClusterIP",
|
|
## the "domain" should be the value of "service.clusterIP"
|
|
## 3) if "exposureType" is "proxy" and "service.type" is "NodePort",
|
|
## the "domain" should be the IP address of k8s node
|
|
## 4) if "exposureType" is "proxy" and "service.type" is "LoadBalancer",
|
|
## the "domain" should be the LoadBalancer IP
|
|
##
|
|
externalURL: https://harbor-dev.allarddcs.nl
|
|
## Note: If Harbor is exposed via Ingress, the NGINX server will not be used
|
|
## @param proxy.httpProxy The URL of the HTTP proxy server
|
|
## @param proxy.httpsProxy The URL of the HTTPS proxy server
|
|
## @param proxy.noProxy The URLs that the proxy settings not apply to
|
|
## @param proxy.components The component list that the proxy settings apply to
|
|
##
|
|
proxy:
|
|
httpProxy: ""
|
|
httpsProxy: ""
|
|
noProxy: 127.0.0.1,localhost,.local,.internal
|
|
components:
|
|
- core
|
|
- jobservice
|
|
- trivy
|
|
## @param logLevel The log level used for Harbor services. Allowed values are [ fatal \| error \| warn \| info \| debug \| trace ]
|
|
##
|
|
logLevel: debug
|
|
## TLS settings
|
|
## Note: TLS cert files need to provided in each components in advance.
|
|
##
|
|
internalTLS:
|
|
## @param internalTLS.enabled Use TLS in all the supported containers: chartmuseum, core, jobservice, portal, registry and trivy
|
|
##
|
|
enabled: false
|
|
## @param internalTLS.caBundleSecret Name of an existing secret with a custom CA that will be injected into the trust store for chartmuseum, core, jobservice, registry, trivy components
|
|
## The secret must contain the key "ca.crt"
|
|
##
|
|
caBundleSecret: ""
|
|
## IP family parameters
|
|
##
|
|
ipFamily:
|
|
## @param ipFamily.ipv6.enabled Enable listening on IPv6 ([::]) for NGINX-based components (NGINX,portal)
|
|
## Note: enabling IPv6 will cause NGINX to crash on start on systems with IPv6 disabled (`ipv6.disable` kernel flag)
|
|
##
|
|
ipv6:
|
|
enabled: false
|
|
## @param ipFamily.ipv4.enabled Enable listening on IPv4 for NGINX-based components (NGINX,portal)
|
|
##
|
|
ipv4:
|
|
enabled: true
|
|
|
|
## @section Traffic Exposure Parameters
|
|
##
|
|
|
|
## @param exposureType The way to expose Harbor. Allowed values are [ ingress \| proxy ]
|
|
## Use "proxy" to use a deploy NGINX proxy in front of Harbor services
|
|
## Use "ingress" to use an Ingress Controller as proxy
|
|
##
|
|
exposureType: ingress
|
|
#exposureType: proxy
|
|
|
|
## Service parameters
|
|
##
|
|
service:
|
|
## @param service.type NGINX proxy service type
|
|
##
|
|
type: ClusterIP
|
|
## @param service.ports.http NGINX proxy service HTTP port
|
|
## @param service.ports.https NGINX proxy service HTTPS port
|
|
## @param service.ports.notary Notary service port
|
|
##
|
|
ports:
|
|
http: 80
|
|
https: 443
|
|
## Node ports to expose
|
|
## @param service.nodePorts.http Node port for HTTP
|
|
## @param service.nodePorts.https Node port for HTTPS
|
|
## @param service.nodePorts.notary Node port for Notary
|
|
## NOTE: choose port between <30000-32767>
|
|
##
|
|
nodePorts:
|
|
http: ""
|
|
https: ""
|
|
notary: ""
|
|
## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
|
|
## Values: ClientIP or None
|
|
## ref: https://kubernetes.io/docs/user-guide/services/
|
|
##
|
|
sessionAffinity: None
|
|
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
|
|
## sessionAffinityConfig:
|
|
## clientIP:
|
|
## timeoutSeconds: 300
|
|
##
|
|
sessionAffinityConfig: {}
|
|
## @param service.clusterIP NGINX proxy service Cluster IP
|
|
## e.g.:
|
|
## clusterIP: None
|
|
##
|
|
clusterIP: ""
|
|
## @param service.loadBalancerIP NGINX proxy service Load Balancer IP
|
|
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
|
|
##
|
|
loadBalancerIP: ""
|
|
## @param service.loadBalancerSourceRanges NGINX proxy service Load Balancer sources
|
|
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
|
|
## e.g:
|
|
## loadBalancerSourceRanges:
|
|
## - 10.10.10.0/24
|
|
##
|
|
loadBalancerSourceRanges: []
|
|
## @param service.externalTrafficPolicy NGINX proxy service external traffic policy
|
|
## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
|
|
##
|
|
externalTrafficPolicy: Cluster
|
|
## @param service.annotations Additional custom annotations for NGINX proxy service
|
|
##
|
|
annotations: {}
|
|
## @param service.extraPorts Extra port to expose on NGINX proxy service
|
|
##
|
|
extraPorts: []
|
|
|
|
ingress:
|
|
## Configure the ingress resource that allows you to access Harbor Core
|
|
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
|
##
|
|
core:
|
|
## @param ingress.core.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
|
|
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
|
|
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
|
|
##
|
|
ingressClassName: "traefik"
|
|
## @param ingress.core.pathType Ingress path type
|
|
##
|
|
pathType: ImplementationSpecific
|
|
## @param ingress.core.apiVersion Force Ingress API version (automatically detected if not set)
|
|
##
|
|
apiVersion: ""
|
|
## @param ingress.core.controller The ingress controller type. Currently supports `default`, `gce` and `ncp`
|
|
## leave as `default` for most ingress controllers.
|
|
## set to `gce` if using the GCE ingress controller
|
|
## set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
|
|
##
|
|
controller: default
|
|
## @param ingress.core.hostname Default host for the ingress record
|
|
##
|
|
hostname: harbor-dev.allarddcs.nl
|
|
## @param ingress.core.annotations [object] Additional annotations for the Ingress resource.
|
|
## To enable certificate autogeneration, place here your cert-manager annotations.
|
|
## Use this parameter to set the required annotations for cert-manager, see
|
|
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
|
|
## e.g:
|
|
## annotations:
|
|
## kubernetes.io/ingress.class: nginx
|
|
## cert-manager.io/cluster-issuer: letsencrypt
|
|
##
|
|
annotations:
|
|
ingress.kubernetes.io/ssl-redirect: 'true'
|
|
ingress.kubernetes.io/proxy-body-size: '0'
|
|
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
|
|
nginx.ingress.kubernetes.io/proxy-body-size: '0'
|
|
cert-manager.io/cluster-issuer: 'letsencrypt'
|
|
## @param ingress.core.tls Enable TLS configuration for the host defined at `ingress.core.hostname` parameter
|
|
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.core.hostname }}`
|
|
## You can:
|
|
|
|
## - Use the `ingress.core.secrets` parameter to create this TLS secret
|
|
## - Rely on cert-manager to create it by setting the corresponding annotations
|
|
## - Rely on Helm to create self-signed certificates by setting `ingress.core.selfSigned=true`
|
|
##
|
|
tls: true
|
|
## @param ingress.core.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
|
|
##
|
|
selfSigned: false
|
|
## @param ingress.core.extraHosts An array with additional hostname(s) to be covered with the ingress record
|
|
## e.g:
|
|
## extraHosts:
|
|
## - name: core.harbor.domain
|
|
## path: /
|
|
##
|
|
extraHosts: []
|
|
## @param ingress.core.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
|
|
## e.g:
|
|
## extraPaths:
|
|
## - path: /*
|
|
## backend:
|
|
## serviceName: ssl-redirect
|
|
## servicePort: use-annotation
|
|
##
|
|
extraPaths: []
|
|
## @param ingress.core.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
|
|
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
|
|
## e.g:
|
|
## extraTls:
|
|
## - hosts:
|
|
## - core.harbor.domain
|
|
## secretName: core.harbor.domain-tls
|
|
##
|
|
extraTls: []
|
|
## @param ingress.core.secrets Custom TLS certificates as secrets
|
|
## NOTE: 'key' and 'certificate' are expected in PEM format
|
|
## NOTE: 'name' should line up with a 'secretName' set further up
|
|
## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
|
|
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
|
|
## It is also possible to create and manage the certificates outside of this helm chart
|
|
## Please see README.md for more information
|
|
## e.g:
|
|
## secrets:
|
|
## - name: core.harbor.domain-tls
|
|
## key: |-
|
|
## -----BEGIN RSA PRIVATE KEY-----
|
|
## ...
|
|
## -----END RSA PRIVATE KEY-----
|
|
## certificate: |-
|
|
## -----BEGIN CERTIFICATE-----
|
|
## ...
|
|
## -----END CERTIFICATE-----
|
|
##
|
|
secrets: []
|
|
## @param ingress.core.extraRules Additional rules to be covered with this ingress record
|
|
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
|
|
## e.g:
|
|
## extraRules:
|
|
## - host: example.local
|
|
## http:
|
|
## path: /
|
|
## backend:
|
|
## service:
|
|
## name: example-svc
|
|
## port:
|
|
## name: http
|
|
##
|
|
extraRules: []
|
|
## Configure the ingress resource that allows you to access Notary
|
|
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
|
##
|
|
## @section Persistence Parameters
|
|
##
|
|
|
|
## The persistence is enabled by default and a default StorageClass
|
|
## is needed in the k8s cluster to provision volumes dynamically.
|
|
## Specify another StorageClass in the "storageClass" or set "existingClaim"
|
|
## if you have already existing persistent volumes to use
|
|
##
|
|
## For storing images and charts, you can also use "azure", "gcs", "s3",
|
|
## "swift" or "oss". Set it in the "imageChartStorage" section
|
|
##
|
|
persistence:
|
|
## @param persistence.enabled Enable the data persistence or not
|
|
##
|
|
enabled: true
|
|
## Resource Policy
|
|
## @param persistence.resourcePolicy Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted
|
|
##
|
|
resourcePolicy: ''
|
|
persistentVolumeClaim:
|
|
## @param persistence.persistentVolumeClaim.registry.existingClaim Name of an existing PVC to use
|
|
## @param persistence.persistentVolumeClaim.registry.storageClass PVC Storage Class for Harbor Registry data volume
|
|
## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
|
|
## @param persistence.persistentVolumeClaim.registry.subPath The sub path used in the volume
|
|
## @param persistence.persistentVolumeClaim.registry.accessModes The access mode of the volume
|
|
## @param persistence.persistentVolumeClaim.registry.size The size of the volume
|
|
## @param persistence.persistentVolumeClaim.registry.annotations Annotations for the PVC
|
|
## @param persistence.persistentVolumeClaim.registry.selector Selector to match an existing Persistent Volume
|
|
##
|
|
registry:
|
|
existingClaim: "harbor-registry-pvc"
|
|
storageClass: ""
|
|
subPath: ""
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
size: 5Gi
|
|
annotations: {}
|
|
selector: {}
|
|
## @param persistence.persistentVolumeClaim.jobservice.existingClaim Name of an existing PVC to use
|
|
## @param persistence.persistentVolumeClaim.jobservice.storageClass PVC Storage Class for Harbor Jobservice data volume
|
|
## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
|
|
## @param persistence.persistentVolumeClaim.jobservice.subPath The sub path used in the volume
|
|
## @param persistence.persistentVolumeClaim.jobservice.accessModes The access mode of the volume
|
|
## @param persistence.persistentVolumeClaim.jobservice.size The size of the volume
|
|
## @param persistence.persistentVolumeClaim.jobservice.annotations Annotations for the PVC
|
|
## @param persistence.persistentVolumeClaim.jobservice.selector Selector to match an existing Persistent Volume
|
|
##
|
|
jobservice:
|
|
existingClaim: "harbor-jobsvc-pvc"
|
|
storageClass: ""
|
|
subPath: ""
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
size: 1Gi
|
|
annotations: {}
|
|
selector: {}
|
|
## @param persistence.persistentVolumeClaim.jobservice.scanData.existingClaim Name of an existing PVC to use
|
|
## @param persistence.persistentVolumeClaim.jobservice.scanData.storageClass PVC Storage Class for Harbor Jobservice scan data volume
|
|
## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
|
|
## @param persistence.persistentVolumeClaim.jobservice.scanData.subPath The sub path used in the volume
|
|
## @param persistence.persistentVolumeClaim.jobservice.scanData.accessModes The access mode of the volume
|
|
## @param persistence.persistentVolumeClaim.jobservice.scanData.size The size of the volume
|
|
## @param persistence.persistentVolumeClaim.jobservice.scanData.annotations Annotations for the PVC
|
|
## @param persistence.persistentVolumeClaim.jobservice.scanData.selector Selector to match an existing Persistent Volume
|
|
##
|
|
scanData:
|
|
existingClaim: "harbor-jobsvc-scandata-pvc"
|
|
storageClass: ""
|
|
subPath: ""
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
size: 1Gi
|
|
annotations: {}
|
|
selector: {}
|
|
## @param persistence.persistentVolumeClaim.chartmuseum.existingClaim Name of an existing PVC to use
|
|
## @param persistence.persistentVolumeClaim.chartmuseum.storageClass PVC Storage Class for Chartmuseum data volume
|
|
## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
|
|
## @param persistence.persistentVolumeClaim.chartmuseum.subPath The sub path used in the volume
|
|
## @param persistence.persistentVolumeClaim.chartmuseum.accessModes The access mode of the volume
|
|
## @param persistence.persistentVolumeClaim.chartmuseum.size The size of the volume
|
|
## @param persistence.persistentVolumeClaim.chartmuseum.annotations Annotations for the PVC
|
|
## @param persistence.persistentVolumeClaim.chartmuseum.selector Selector to match an existing Persistent Volume
|
|
##
|
|
chartmuseum:
|
|
existingClaim: ""
|
|
storageClass: ""
|
|
subPath: "chartmuseum"
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
size: 5Gi
|
|
annotations: {}
|
|
selector: {}
|
|
## @param persistence.persistentVolumeClaim.trivy.storageClass PVC Storage Class for Trivy data volume
|
|
## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning
|
|
## @param persistence.persistentVolumeClaim.trivy.accessModes The access mode of the volume
|
|
## @param persistence.persistentVolumeClaim.trivy.size The size of the volume
|
|
## @param persistence.persistentVolumeClaim.trivy.annotations Annotations for the PVC
|
|
## @param persistence.persistentVolumeClaim.trivy.selector Selector to match an existing Persistent Volume
|
|
##
|
|
trivy:
|
|
storageClass: ""
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
size: 1Gi
|
|
annotations: {}
|
|
selector: {}
|
|
## Define which storage backend is used for registry and chartmuseum to store
|
|
## images and charts.
|
|
## ref: https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
|
|
##
|
|
imageChartStorage:
|
|
## @param persistence.imageChartStorage.caBundleSecret Specify the `caBundleSecret` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and chartmuseum's containers.
|
|
##
|
|
caBundleSecret: ""
|
|
## @param persistence.imageChartStorage.disableredirect The configuration for managing redirects from content backends. For backends which do not supported it (such as using MinIO® for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail
|
|
##
|
|
disableredirect: false
|
|
## @param persistence.imageChartStorage.type The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail
|
|
##
|
|
type: filesystem
|
|
## Images/charts storage parameters when type is "filesystem"
|
|
## @param persistence.imageChartStorage.filesystem.rootdirectory Filesystem storage type setting: Storage root directory
|
|
## @param persistence.imageChartStorage.filesystem.maxthreads Filesystem storage type setting: Maximum threads directory
|
|
##
|
|
filesystem:
|
|
rootdirectory: /storage
|
|
maxthreads: ""
|
|
|
|
## @section Tracing parameters
|
|
##
|
|
|
|
## Tracing parameters:
|
|
## tracing: Configure tracing for Harbor, only one of tracing.jeager.enabled and tracing.otel.enabled should be set
|
|
##
|
|
tracing:
|
|
## @param tracing.enabled Enable tracing
|
|
##
|
|
enabled: false
|
|
## @param tracing.sampleRate Tracing sample rate from 0 to 1
|
|
##
|
|
sampleRate: 1
|
|
## @param tracing.namespace Used to differentiate traces between different harbor services
|
|
##
|
|
namespace: ""
|
|
## @param tracing.attributes A key value dict containing user defined attributes used to initialize the trace provider
|
|
## e.g:
|
|
## attributes:
|
|
## application: harbor
|
|
##
|
|
attributes: {}
|
|
|
|
## @section Volume Permissions parameters
|
|
##
|
|
|
|
## Init containers parameters:
|
|
## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
|
|
##
|
|
volumePermissions:
|
|
## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
|
|
##
|
|
enabled: false
|
|
## @param volumePermissions.image.registry Init container volume-permissions image registry
|
|
## @param volumePermissions.image.repository Init container volume-permissions image repository
|
|
## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
|
|
## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
|
|
## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/os-shell
|
|
tag: 12-debian-12-r39
|
|
digest: ""
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## Example:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Init container resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param volumePermissions.resources.limits Init container volume-permissions resource limits
|
|
## @param volumePermissions.resources.requests Init container volume-permissions resource requests
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Init container' Security Context
|
|
## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
|
|
## and not the below volumePermissions.containerSecurityContext.runAsUser
|
|
## @param volumePermissions.containerSecurityContext.enabled Enable init container Security Context
|
|
## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 0
|
|
|
|
## @section NGINX Parameters
|
|
##
|
|
|
|
nginx:
|
|
## Bitnami NGINX image
|
|
## ref: https://hub.docker.com/r/bitnami/nginx/tags/
|
|
## @param nginx.image.registry NGINX image registry
|
|
## @param nginx.image.repository NGINX image repository
|
|
## @param nginx.image.tag NGINX image tag (immutable tags are recommended)
|
|
## @param nginx.image.digest NGINX image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param nginx.image.pullPolicy NGINX image pull policy
|
|
## @param nginx.image.pullSecrets NGINX image pull secrets
|
|
## @param nginx.image.debug Enable NGINX image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/nginx
|
|
tag: 1.27.4-debian-12-r4
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## TLS parameters
|
|
##
|
|
tls:
|
|
## @param nginx.tls.enabled Enable TLS termination
|
|
##
|
|
enabled: false
|
|
## @param nginx.tls.existingSecret Existing secret name containing your own TLS certificates.
|
|
## The secret must contain the keys:
|
|
## `tls.crt` - the certificate (required),
|
|
## `tls.key` - the private key (required),
|
|
## `ca.crt` - CA certificate (optional)
|
|
## Self-signed TLS certificates will be used otherwise.
|
|
##
|
|
existingSecret: ""
|
|
## @param nginx.tls.commonName The common name used to generate the self-signed TLS certificates
|
|
##
|
|
commonName: harbor-dev.allarddcs.nl
|
|
## @param nginx.behindReverseProxy If NGINX is behind another reverse proxy, set to true
|
|
## if the reverse proxy already provides the 'X-Forwarded-Proto' header field.
|
|
## This is, for example, the case for the OpenShift HAProxy router.
|
|
##
|
|
behindReverseProxy: true
|
|
## @param nginx.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param nginx.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param nginx.extraEnvVars Array with extra environment variables to add NGINX pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param nginx.extraEnvVarsCM ConfigMap containing extra environment variables for NGINX pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param nginx.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for NGINX pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param nginx.containerPorts.http NGINX HTTP container port
|
|
## @param nginx.containerPorts.https NGINX HTTPS container port
|
|
## @param nginx.containerPorts.notary NGINX container port where Notary svc is exposed
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
notary: 4443
|
|
## @param nginx.replicaCount Number of NGINX replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for NGINX containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param nginx.livenessProbe.enabled Enable livenessProbe on NGINX containers
|
|
## @param nginx.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param nginx.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param nginx.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param nginx.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param nginx.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param nginx.readinessProbe.enabled Enable readinessProbe on NGINX containers
|
|
## @param nginx.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param nginx.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param nginx.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param nginx.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param nginx.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param nginx.startupProbe.enabled Enable startupProbe on NGINX containers
|
|
## @param nginx.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param nginx.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param nginx.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param nginx.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param nginx.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param nginx.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param nginx.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param nginx.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## NGINX resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param nginx.resources.limits The resources limits for the NGINX containers
|
|
## @param nginx.resources.requests The requested resources for the NGINX containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure NGINX pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param nginx.podSecurityContext.enabled Enabled NGINX pods' Security Context
|
|
## @param nginx.podSecurityContext.fsGroup Set NGINX pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure NGINX containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param nginx.containerSecurityContext.enabled Enabled NGINX containers' Security Context
|
|
## @param nginx.containerSecurityContext.runAsUser Set NGINX containers' Security Context runAsUser
|
|
## @param nginx.containerSecurityContext.runAsNonRoot Set NGINX containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param nginx.updateStrategy.type NGINX deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param nginx.lifecycleHooks LifecycleHook for the NGINX container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param nginx.hostAliases NGINX pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param nginx.podLabels Add additional labels to the NGINX pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param nginx.podAnnotations Annotations to add to the NGINX pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param nginx.podAffinityPreset NGINX Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param nginx.podAntiAffinityPreset NGINX Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
## Allowed values: soft, hard
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param nginx.nodeAffinityPreset.type NGINX Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param nginx.nodeAffinityPreset.key NGINX Node label key to match Ignored if `affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param nginx.nodeAffinityPreset.values NGINX Node label values to match. Ignored if `affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param nginx.affinity NGINX Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param nginx.nodeSelector NGINX Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param nginx.tolerations NGINX Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param nginx.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param nginx.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param nginx.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param nginx.sidecars Add additional sidecar containers to the NGINX pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param nginx.initContainers Add additional init containers to the NGINX pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param nginx.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the NGINX pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param nginx.extraVolumes Optionally specify extra list of additional volumes for the NGINX pods
|
|
##
|
|
extraVolumes: []
|
|
|
|
## @section Harbor Portal Parameters
|
|
##
|
|
|
|
portal:
|
|
## Bitnami Harbor Portal image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-portal/tags/
|
|
## @param portal.image.registry Harbor Portal image registry
|
|
## @param portal.image.repository Harbor Portal image repository
|
|
## @param portal.image.tag Harbor Portal image tag (immutable tags are recommended)
|
|
## @param portal.image.digest Harbor Portal image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param portal.image.pullPolicy Harbor Portal image pull policy
|
|
## @param portal.image.pullSecrets Harbor Portal image pull secrets
|
|
## @param portal.image.debug Enable Harbor Portal image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-portal
|
|
tag: 2.12.2-debian-12-r4
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## Use TLS in the container
|
|
##
|
|
tls:
|
|
## @param portal.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
|
|
## Requires `internalTLS.enabled` to be set to `true``
|
|
## Self-signed TLS certificates will be used otherwise
|
|
##
|
|
existingSecret: ""
|
|
## @param portal.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param portal.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param portal.extraEnvVars Array with extra environment variables to add Harbor Portal pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param portal.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Portal pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param portal.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Portal pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param portal.containerPorts.http Harbor Portal HTTP container port
|
|
## @param portal.containerPorts.https Harbor Portal HTTPS container port
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
## @param portal.replicaCount Number of Harbor Portal replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for Harbor Portal containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param portal.livenessProbe.enabled Enable livenessProbe on Harbor Portal containers
|
|
## @param portal.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param portal.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param portal.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param portal.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param portal.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param portal.readinessProbe.enabled Enable readinessProbe on Harbor Portal containers
|
|
## @param portal.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param portal.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param portal.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param portal.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param portal.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param portal.startupProbe.enabled Enable startupProbe on Harbor Portal containers
|
|
## @param portal.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param portal.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param portal.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param portal.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param portal.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param portal.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param portal.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param portal.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Portal resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param portal.resources.limits The resources limits for the Harbor Portal containers
|
|
## @param portal.resources.requests The requested resources for the Harbor Portal containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Harbor Portal pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param portal.podSecurityContext.enabled Enabled Harbor Portal pods' Security Context
|
|
## @param portal.podSecurityContext.fsGroup Set Harbor Portal pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure Harbor Portal containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param portal.containerSecurityContext.enabled Enabled Harbor Portal containers' Security Context
|
|
## @param portal.containerSecurityContext.runAsUser Set Harbor Portal containers' Security Context runAsUser
|
|
## @param portal.containerSecurityContext.runAsNonRoot Set Harbor Portal containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param portal.updateStrategy.type Harbor Portal deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param portal.lifecycleHooks LifecycleHook for the Harbor Portal container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param portal.hostAliases Harbor Portal pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param portal.podLabels Add additional labels to the Harbor Portal pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param portal.podAnnotations Annotations to add to the Harbor Portal pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param portal.podAffinityPreset Harbor Portal Pod affinity preset. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param portal.podAntiAffinityPreset Harbor Portal Pod anti-affinity preset. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param portal.nodeAffinityPreset.type Harbor Portal Node affinity preset type. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param portal.nodeAffinityPreset.key Harbor Portal Node label key to match Ignored if `portal.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param portal.nodeAffinityPreset.values Harbor Portal Node label values to match. Ignored if `portal.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param portal.affinity Harbor Portal Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: portal.podAffinityPreset, portal.podAntiAffinityPreset, and portal.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param portal.nodeSelector Harbor Portal Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param portal.tolerations Harbor Portal Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param portal.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param portal.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param portal.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param portal.sidecars Add additional sidecar containers to the Harbor Portal pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param portal.initContainers Add additional init containers to the Harbor Portal pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param portal.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Portal pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param portal.extraVolumes Optionally specify extra list of additional volumes for the Harbor Portal pods
|
|
##
|
|
extraVolumes: []
|
|
## @param portal.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Harbor Portal service configuration
|
|
##
|
|
service:
|
|
## @param portal.service.ports.http Harbor Portal HTTP service port
|
|
## @param portal.service.ports.https Harbor Portal HTTPS service port
|
|
##
|
|
ports:
|
|
http: 80
|
|
https: 443
|
|
|
|
## @section Harbor Core Parameters
|
|
##
|
|
|
|
core:
|
|
## Bitnami Harbor Core image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-core/tags/
|
|
## @param core.image.registry Harbor Core image registry
|
|
## @param core.image.repository Harbor Core image repository
|
|
## @param core.image.tag Harbor Core image tag (immutable tags are recommended)
|
|
## @param core.image.digest Harbor Core image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param core.image.pullPolicy Harbor Core image pull policy
|
|
## @param core.image.pullSecrets Harbor Core image pull secrets
|
|
## @param core.image.debug Enable Harbor Core image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-core
|
|
tag: 2.12.2-debian-12-r7
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
|
|
## @param core.sessionLifetime Explicitly set a session timeout (in seconds) overriding the backend default.
|
|
##
|
|
sessionLifetime: ""
|
|
## @param core.uaaSecret If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`.
|
|
##
|
|
uaaSecret: ""
|
|
## @param core.secretKey The key used for encryption. Must be a string of 16 chars
|
|
## e.g:
|
|
## secretKey: "not-a-secure-string"
|
|
##
|
|
secretKey: ""
|
|
## @param core.secret Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.
|
|
##
|
|
secret: ""
|
|
## @param core.tokenKey Key of the certificate used for token encryption/decryption.
|
|
##
|
|
tokenKey: ""
|
|
## @param core.tokenCert Certificate used for token encryption/decryption.
|
|
##
|
|
tokenCert: ""
|
|
## @param core.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set
|
|
##
|
|
secretName: ""
|
|
## @param core.existingSecret Existing secret for core
|
|
## The secret must contain the keys:
|
|
## `secret` (required),
|
|
## `secretKey` (required),
|
|
##
|
|
existingSecret: ""
|
|
## @param core.existingEnvVarsSecret Existing secret for core envvars
|
|
## The secret must contain the keys:
|
|
## `CSRF_KEY` (required),
|
|
## `HARBOR_ADMIN_PASSWORD` (required),
|
|
## `POSTGRESQL_PASSWORD` (required),
|
|
## `REGISTRY_CREDENTIAL_USERNAME` (required),
|
|
## `REGISTRY_CREDENTIAL_PASSWORD` (required),
|
|
## `_REDIS_URL_CORE` (optional),
|
|
## `_REDIS_URL_REG` (optional),
|
|
##
|
|
## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
|
|
## Notes:
|
|
## As a EnvVars secret, this secret also store redis config urls
|
|
## The HARBOR_ADMIN_PASSWORD is only required at initial deployment, once the password is set in database, it is not used anymore
|
|
##
|
|
existingEnvVarsSecret: ""
|
|
## @param core.csrfKey The CSRF key. Will be generated automatically if it isn't specified
|
|
##
|
|
csrfKey: ""
|
|
## Use TLS in the container
|
|
##
|
|
tls:
|
|
## @param core.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
|
|
## Requires `internalTLS.enabled` to be set to `true``
|
|
## Self-signed TLS certificates will be used otherwise
|
|
##
|
|
existingSecret: ""
|
|
## @param core.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param core.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param core.extraEnvVars Array with extra environment variables to add Harbor Core pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param core.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Core pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param core.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Core pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param core.configOverwriteJson String containing a JSON with configuration overrides
|
|
## Source: https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#harbor-user-settings
|
|
##
|
|
configOverwriteJson: ""
|
|
## @param core.configOverwriteJsonSecret Secret containing the JSON configuration overrides
|
|
## Source: https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#harbor-user-settings
|
|
##
|
|
configOverwriteJsonSecret: ""
|
|
## @param core.containerPorts.http Harbor Core HTTP container port
|
|
## @param core.containerPorts.https Harbor Core HTTPS container port
|
|
## @param core.containerPorts.metrics Harbor Core metrics container port
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
metrics: 8001
|
|
## @param core.replicaCount Number of Harbor Core replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for Harbor Core containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param core.livenessProbe.enabled Enable livenessProbe on Harbor Core containers
|
|
## @param core.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param core.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param core.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param core.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param core.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param core.readinessProbe.enabled Enable readinessProbe on Harbor Core containers
|
|
## @param core.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param core.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param core.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param core.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param core.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param core.startupProbe.enabled Enable startupProbe on Harbor Core containers
|
|
## @param core.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param core.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param core.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param core.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param core.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param core.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param core.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param core.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Core resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param core.resources.limits The resources limits for the Harbor Core containers
|
|
## @param core.resources.requests The requested resources for the Harbor Core containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Harbor Core pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param core.podSecurityContext.enabled Enabled Harbor Core pods' Security Context
|
|
## @param core.podSecurityContext.fsGroup Set Harbor Core pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure Harbor Core containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param core.containerSecurityContext.enabled Enabled Harbor Core containers' Security Context
|
|
## @param core.containerSecurityContext.runAsUser Set Harbor Core containers' Security Context runAsUser
|
|
## @param core.containerSecurityContext.runAsNonRoot Set Harbor Core containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param core.updateStrategy.type Harbor Core deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param core.lifecycleHooks LifecycleHook for the Harbor Core container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param core.hostAliases Harbor Core pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param core.podLabels Add additional labels to the Harbor Core pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param core.podAnnotations Annotations to add to the Harbor Core pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param core.podAffinityPreset Harbor Core Pod affinity preset. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param core.podAntiAffinityPreset Harbor Core Pod anti-affinity preset. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param core.nodeAffinityPreset.type Harbor Core Node affinity preset type. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param core.nodeAffinityPreset.key Harbor Core Node label key to match Ignored if `core.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param core.nodeAffinityPreset.values Harbor Core Node label values to match. Ignored if `core.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param core.affinity Harbor Core Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: core.podAffinityPreset, core.podAntiAffinityPreset, and core.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param core.nodeSelector Harbor Core Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param core.tolerations Harbor Core Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param core.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param core.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param core.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param core.sidecars Add additional sidecar containers to the Harbor Core pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param core.initContainers Add additional init containers to the Harbor Core pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param core.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Core pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param core.extraVolumes Optionally specify extra list of additional volumes for the Harbor Core pods
|
|
##
|
|
extraVolumes: []
|
|
## @param core.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Harbor Core service configuration
|
|
##
|
|
service:
|
|
## @param core.service.ports.http Harbor Core HTTP service port
|
|
## @param core.service.ports.https Harbor Core HTTPS service port
|
|
## @param core.service.ports.metrics Harbor Core metrics service port
|
|
##
|
|
ports:
|
|
http: 80
|
|
https: 443
|
|
metrics: 8001
|
|
|
|
## @section Harbor Jobservice Parameters
|
|
##
|
|
|
|
jobservice:
|
|
## Bitnami Harbor Jobservice image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-jobservice/tags/
|
|
## @param jobservice.image.registry Harbor Jobservice image registry
|
|
## @param jobservice.image.repository Harbor Jobservice image repository
|
|
## @param jobservice.image.tag Harbor Jobservice image tag (immutable tags are recommended)
|
|
## @param jobservice.image.digest Harbor Jobservice image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param jobservice.image.pullPolicy Harbor Jobservice image pull policy
|
|
## @param jobservice.image.pullSecrets Harbor Jobservice image pull secrets
|
|
## @param jobservice.image.debug Enable Harbor Jobservice image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-jobservice
|
|
tag: 2.12.2-debian-12-r7
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param jobservice.maxJobWorkers The max job workers
|
|
##
|
|
maxJobWorkers: 10
|
|
## @param jobservice.redisNamespace Redis namespace for jobservice
|
|
##
|
|
redisNamespace: harbor_job_service_namespace
|
|
## @param jobservice.jobLogger The logger for jobs: `file`, `database` or `stdout`
|
|
##
|
|
jobLogger: file
|
|
## @param jobservice.secret Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.
|
|
## If a secret key is not specified, Helm will generate one.
|
|
## Must be a string of 16 chars.
|
|
##
|
|
secret: ""
|
|
## @param jobservice.existingSecret Existing secret for jobservice
|
|
## The secret must contain the keys:
|
|
## `secret` (required),
|
|
##
|
|
existingSecret: ""
|
|
## Use TLS in the container
|
|
##
|
|
tls:
|
|
## @param jobservice.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
|
|
## Requires `internalTLS.enabled` to be set to `true``
|
|
## Self-signed TLS certificates will be used otherwise
|
|
##
|
|
existingSecret: ""
|
|
## @param jobservice.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param jobservice.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param jobservice.extraEnvVars Array with extra environment variables to add Harbor Jobservice pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param jobservice.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Jobservice pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param jobservice.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Jobservice pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param jobservice.containerPorts.http Harbor Jobservice HTTP container port
|
|
## @param jobservice.containerPorts.https Harbor Jobservice HTTPS container port
|
|
## @param jobservice.containerPorts.metrics Harbor Jobservice metrics container port
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
metrics: 8001
|
|
## @param jobservice.replicaCount Number of Harbor Jobservice replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for Harbor Jobservice containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param jobservice.livenessProbe.enabled Enable livenessProbe on Harbor Jobservice containers
|
|
## @param jobservice.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param jobservice.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param jobservice.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param jobservice.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param jobservice.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param jobservice.readinessProbe.enabled Enable readinessProbe on Harbor Jobservice containers
|
|
## @param jobservice.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param jobservice.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param jobservice.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param jobservice.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param jobservice.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param jobservice.startupProbe.enabled Enable startupProbe on Harbor Jobservice containers
|
|
## @param jobservice.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param jobservice.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param jobservice.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param jobservice.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param jobservice.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param jobservice.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param jobservice.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param jobservice.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Jobservice resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param jobservice.resources.limits The resources limits for the Harbor Jobservice containers
|
|
## @param jobservice.resources.requests The requested resources for the Harbor Jobservice containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Harbor Jobservice pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param jobservice.podSecurityContext.enabled Enabled Harbor Jobservice pods' Security Context
|
|
## @param jobservice.podSecurityContext.fsGroup Set Harbor Jobservice pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure Harbor Jobservice containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param jobservice.containerSecurityContext.enabled Enabled Harbor Jobservice containers' Security Context
|
|
## @param jobservice.containerSecurityContext.runAsUser Set Harbor Jobservice containers' Security Context runAsUser
|
|
## @param jobservice.containerSecurityContext.runAsNonRoot Set Harbor Jobservice containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param jobservice.updateStrategy.type Harbor Jobservice deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param jobservice.lifecycleHooks LifecycleHook for the Harbor Jobservice container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param jobservice.hostAliases Harbor Jobservice pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param jobservice.podLabels Add additional labels to the Harbor Jobservice pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param jobservice.podAnnotations Annotations to add to the Harbor Jobservice pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param jobservice.podAffinityPreset Harbor Jobservice Pod affinity preset. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param jobservice.podAntiAffinityPreset Harbor Jobservice Pod anti-affinity preset. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param jobservice.nodeAffinityPreset.type Harbor Jobservice Node affinity preset type. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param jobservice.nodeAffinityPreset.key Harbor Jobservice Node label key to match Ignored if `jobservice.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param jobservice.nodeAffinityPreset.values Harbor Jobservice Node label values to match. Ignored if `jobservice.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param jobservice.affinity Harbor Jobservice Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: jobservice.podAffinityPreset, jobservice.podAntiAffinityPreset, and jobservice.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param jobservice.nodeSelector Harbor Jobservice Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param jobservice.tolerations Harbor Jobservice Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param jobservice.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param jobservice.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param jobservice.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param jobservice.sidecars Add additional sidecar containers to the Harbor Jobservice pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param jobservice.initContainers Add additional init containers to the Harbor Jobservice pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param jobservice.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Jobservice pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param jobservice.extraVolumes Optionally specify extra list of additional volumes for the Harbor Jobservice pods
|
|
##
|
|
extraVolumes: []
|
|
## @param jobservice.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Harbor Jobservice service configuration
|
|
##
|
|
service:
|
|
## @param jobservice.service.ports.http Harbor Jobservice HTTP service port
|
|
## @param jobservice.service.ports.https Harbor Jobservice HTTPS service port
|
|
## @param jobservice.service.ports.metrics Harbor Jobservice HTTPS service port
|
|
##
|
|
ports:
|
|
http: 80
|
|
https: 443
|
|
metrics: 8001
|
|
|
|
## @section Harbor Registry Parameters
|
|
##
|
|
|
|
## Registry Parameters
|
|
##
|
|
registry:
|
|
## @param registry.secret Secret is used to secure the upload state from client and registry storage backend. See: <https://github.com/docker/distribution/blob/master/docs/configuration.md>
|
|
## and registry storage backend.
|
|
## See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
|
|
## If a secret key is not specified, Helm will generate one.
|
|
## Must be a string of 16 chars.
|
|
##
|
|
secret: ""
|
|
## @param registry.existingSecret Existing secret for registry
|
|
## The secret must contain the keys:
|
|
## `REGISTRY_HTPASSWD` (required),
|
|
## `REGISTRY_HTTP_SECRET` (required),
|
|
## `REGISTRY_REDIS_PASSWORD` (optional),
|
|
##
|
|
existingSecret: ""
|
|
## @param registry.relativeurls Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL.
|
|
##
|
|
relativeurls: false
|
|
## @param registry.credentials.username The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd)
|
|
## @param registry.credentials.password The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation.
|
|
## @param registry.credentials.htpasswd The content of htpasswd file based on the value of `registry.credentials.username` `registry.credentials.password`. Currently `helm` does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling
|
|
##
|
|
credentials:
|
|
username: 'harbor_registry_user'
|
|
password: 'harbor_registry_password'
|
|
## If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
|
|
## e.g. "htpasswd -nbBC10 $username $password"
|
|
##
|
|
htpasswd: 'harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m'
|
|
middleware:
|
|
## @param registry.middleware.enabled Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See
|
|
##
|
|
enabled: false
|
|
## @param registry.middleware.type CDN type for the middleware
|
|
##
|
|
type: cloudFront
|
|
## @param registry.middleware.cloudFront.baseurl CloudFront CDN settings: Base URL
|
|
## @param registry.middleware.cloudFront.keypairid CloudFront CDN settings: Keypair ID
|
|
## @param registry.middleware.cloudFront.duration CloudFront CDN settings: Duration
|
|
## @param registry.middleware.cloudFront.ipfilteredby CloudFront CDN settings: IP filters
|
|
## @param registry.middleware.cloudFront.privateKeySecret CloudFront CDN settings: Secret name with the private key
|
|
##
|
|
cloudFront:
|
|
baseurl: example.cloudfront.net
|
|
keypairid: KEYPAIRID
|
|
duration: 3000s
|
|
ipfilteredby: none
|
|
## The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
|
|
## that allows access to CloudFront
|
|
##
|
|
privateKeySecret: 'my-secret'
|
|
## Use TLS in the container
|
|
##
|
|
tls:
|
|
## @param registry.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
|
|
## Requires `internalTLS.enabled` to be set to `true``
|
|
## Self-signed TLS certificates will be used otherwise
|
|
##
|
|
existingSecret: ""
|
|
## @param registry.replicaCount Number of Harbor Registry replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure Harbor Registry pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param registry.podSecurityContext.enabled Enabled Harbor Registry pods' Security Context
|
|
## @param registry.podSecurityContext.fsGroup Set Harbor Registry pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## @param registry.updateStrategy.type Harbor Registry deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param registry.hostAliases Harbor Registry pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param registry.podLabels Add additional labels to the Harbor Registry pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param registry.podAnnotations Annotations to add to the Harbor Registry pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param registry.podAffinityPreset Harbor Registry Pod affinity preset. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param registry.podAntiAffinityPreset Harbor Registry Pod anti-affinity preset. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param registry.nodeAffinityPreset.type Harbor Registry Node affinity preset type. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param registry.nodeAffinityPreset.key Harbor Registry Node label key to match Ignored if `registry.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param registry.nodeAffinityPreset.values Harbor Registry Node label values to match. Ignored if `registry.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param registry.affinity Harbor Registry Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: registry.podAffinityPreset, registry.podAntiAffinityPreset, and registry.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param registry.nodeSelector Harbor Registry Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param registry.tolerations Harbor Registry Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param registry.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param registry.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param registry.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param registry.sidecars Add additional sidecar containers to the Harbor Registry pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param registry.initContainers Add additional init containers to the Harbor Registry pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param registry.extraVolumes Optionally specify extra list of additional volumes for the Harbor Registry pods
|
|
##
|
|
extraVolumes: []
|
|
## @param registry.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Harbor Registry main container parameters
|
|
##
|
|
server:
|
|
readTimeout: 900 # Set higher if needed
|
|
writeTimeout: 900 # Set higher if needed
|
|
maxLayerUploadTimeout: 600
|
|
## Bitnami Harbor Registry image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-registry/tags/
|
|
## @param registry.server.image.registry Harbor Registry image registry
|
|
## @param registry.server.image.repository Harbor Registry image repository
|
|
## @param registry.server.image.tag Harbor Registry image tag (immutable tags are recommended)
|
|
## @param registry.server.image.digest Harbor Registry image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param registry.server.image.pullPolicy Harbor Registry image pull policy
|
|
## @param registry.server.image.pullSecrets Harbor Registry image pull secrets
|
|
## @param registry.server.image.debug Enable Harbor Registry image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-registry
|
|
tag: 2.12.2-debian-12-r7
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param registry.server.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param registry.server.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param registry.server.extraEnvVars Array with extra environment variables to add Harbor Registry main containers
|
|
##
|
|
extraEnvVars: []
|
|
## @param registry.server.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Registry main containers
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param registry.server.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Registry main containers
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param registry.server.containerPorts.http Harbor Registry HTTP container port
|
|
## @param registry.server.containerPorts.https Harbor Registry HTTPS container port
|
|
## @param registry.server.containerPorts.debug Harbor Registry debug container port
|
|
## @param registry.server.containerPorts.metrics Harbor Registry metrics container port
|
|
##
|
|
containerPorts:
|
|
http: 5000
|
|
https: 5443
|
|
debug: 5001
|
|
metrics: 8001
|
|
## Configure extra options for Harbor Registry main containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param registry.server.livenessProbe.enabled Enable livenessProbe on Harbor Registry main containers
|
|
## @param registry.server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param registry.server.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param registry.server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param registry.server.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param registry.server.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param registry.server.readinessProbe.enabled Enable readinessProbe on Harbor Registry main containers
|
|
## @param registry.server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param registry.server.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param registry.server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param registry.server.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param registry.server.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param registry.server.startupProbe.enabled Enable startupProbe on Harbor Registry main containers
|
|
## @param registry.server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param registry.server.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param registry.server.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param registry.server.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param registry.server.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param registry.server.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param registry.server.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param registry.server.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Registry main resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param registry.server.resources.limits The resources limits for the Harbor Registry main containers
|
|
## @param registry.server.resources.requests The requested resources for the Harbor Registry main containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Harbor Registry main containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param registry.server.containerSecurityContext.enabled Enabled Harbor Registry main containers' Security Context
|
|
## @param registry.server.containerSecurityContext.runAsUser Set Harbor Registry main containers' Security Context runAsUser
|
|
## @param registry.server.containerSecurityContext.runAsNonRoot Set Harbor Registry main containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param registry.server.lifecycleHooks LifecycleHook for the Harbor Registry main container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param registry.server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Registry main pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## Harbor Registry service configuration
|
|
##
|
|
service:
|
|
## @param registry.server.service.ports.http Harbor Registry HTTP service port
|
|
## @param registry.server.service.ports.https Harbor Registry HTTPS service port
|
|
## @param registry.server.service.ports.metrics Harbor Registry metrics service port
|
|
##
|
|
ports:
|
|
http: 5000
|
|
https: 5443
|
|
metrics: 8001
|
|
## Harbor Registryctl parameters
|
|
##
|
|
controller:
|
|
## Bitnami Harbor Registryctl image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-registryctl/tags/
|
|
## @param registry.controller.image.registry Harbor Registryctl image registry
|
|
## @param registry.controller.image.repository Harbor Registryctl image repository
|
|
## @param registry.controller.image.tag Harbor Registryctl image tag (immutable tags are recommended)
|
|
## @param registry.controller.image.digest Harbor Registryctl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param registry.controller.image.pullPolicy Harbor Registryctl image pull policy
|
|
## @param registry.controller.image.pullSecrets Harbor Registryctl image pull secrets
|
|
## @param registry.controller.image.debug Enable Harbor Registryctl image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-registryctl
|
|
tag: 2.12.2-debian-12-r7
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param registry.controller.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param registry.controller.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param registry.controller.extraEnvVars Array with extra environment variables to add Harbor Registryctl containers
|
|
##
|
|
extraEnvVars: []
|
|
## @param registry.controller.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Registryctl containers
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param registry.controller.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Registryctl containers
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param registry.controller.containerPorts.http Harbor Registryctl HTTP container port
|
|
## @param registry.controller.containerPorts.https Harbor Registryctl HTTPS container port
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
## Configure extra options for Harbor Registryctl containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param registry.controller.livenessProbe.enabled Enable livenessProbe on Harbor Registryctl containers
|
|
## @param registry.controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param registry.controller.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param registry.controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param registry.controller.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param registry.controller.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param registry.controller.readinessProbe.enabled Enable readinessProbe on Harbor Registryctl containers
|
|
## @param registry.controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param registry.controller.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param registry.controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param registry.controller.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param registry.controller.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param registry.controller.startupProbe.enabled Enable startupProbe on Harbor Registryctl containers
|
|
## @param registry.controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param registry.controller.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param registry.controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param registry.controller.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param registry.controller.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param registry.controller.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param registry.controller.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param registry.controller.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Registryctl resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param registry.controller.resources.limits The resources limits for the Harbor Registryctl containers
|
|
## @param registry.controller.resources.requests The requested resources for the Harbor Registryctl containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Harbor Registryctl containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param registry.controller.containerSecurityContext.enabled Enabled Harbor Registryctl containers' Security Context
|
|
## @param registry.controller.containerSecurityContext.runAsUser Set Harbor Registryctl containers' Security Context runAsUser
|
|
## @param registry.controller.containerSecurityContext.runAsNonRoot Set Harbor Registryctl containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param registry.controller.lifecycleHooks LifecycleHook for the Harbor Registryctl container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param registry.controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Registryctl pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## Harbor Registryctl service configuration
|
|
##
|
|
service:
|
|
## @param registry.controller.service.ports.http Harbor Registryctl HTTP service port
|
|
## @param registry.controller.service.ports.https Harbor Registryctl HTTPS service port
|
|
##
|
|
ports:
|
|
http: 8080
|
|
https: 8443
|
|
|
|
## @section ChartMuseum Parameters
|
|
##
|
|
|
|
chartmuseum:
|
|
## Bitnami ChartMuseum image
|
|
## ref: https://hub.docker.com/r/bitnami/chartmuseum/tags/
|
|
## @param chartmuseum.image.registry ChartMuseum image registry
|
|
## @param chartmuseum.image.repository ChartMuseum image repository
|
|
## @param chartmuseum.image.tag ChartMuseum image tag (immutable tags are recommended)
|
|
## @param chartmuseum.image.digest ChartMuseum image image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param chartmuseum.image.pullPolicy ChartMuseum image pull policy
|
|
## @param chartmuseum.image.pullSecrets ChartMuseum image pull secrets
|
|
## @param chartmuseum.image.debug Enable ChartMuseum image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/chartmuseum
|
|
# tag: 0.15.0-debian-11-r99
|
|
tag: latest
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param chartmuseum.enabled Enable ChartMuseum
|
|
##
|
|
enabled: false
|
|
## @param chartmuseum.useRedisCache Specify if ChartMuseum will use redis cache
|
|
##
|
|
useRedisCache: false
|
|
## Set the absolute URL to access the chartmuseum repository and the endpoint where it will be available.
|
|
## @param chartmuseum.absoluteUrl Specify an absolute URL for ChartMuseum registry
|
|
## @param chartmuseum.chartRepoName Specify the endpoint for the chartmuseum registry. Only applicable if `chartmuseum.absoluteUrl` is `true`
|
|
##
|
|
absoluteUrl: false
|
|
chartRepoName: 'chartsRepo'
|
|
## @param chartmuseum.depth Support for multitenancy. More info [here](https://chartmuseum.com/docs/#multitenancy)
|
|
##
|
|
depth: 1
|
|
## @param chartmuseum.logJson Print logs on JSON format
|
|
##
|
|
logJson: false
|
|
## @param chartmuseum.disableMetrics Disable prometheus metrics exposure
|
|
##
|
|
disableMetrics: false
|
|
## @param chartmuseum.disableApi Disable all the routes prefixed with `/api`
|
|
##
|
|
disableApi: false
|
|
## @param chartmuseum.disableStatefiles Disable use of index-cache.yaml
|
|
##
|
|
disableStatefiles: false
|
|
## @param chartmuseum.allowOverwrite Allow chart versions to be re-uploaded without force querystring
|
|
##
|
|
allowOverwrite: true
|
|
## @param chartmuseum.anonymousGet Allow anonymous GET operations
|
|
##
|
|
anonymousGet: false
|
|
## Optional parameters for ChartMuseum not used by default.
|
|
## ref: https://chartmuseum.com/docs/#other-cli-options
|
|
## @param chartmuseum.contextPath Set the base context path for ChartMuseum
|
|
## @param chartmuseum.indexLimit Limit the number of parallels indexes for ChartMuseum
|
|
## @param chartmuseum.chartPostFormFieldName Form field which will be queried for the chart file content
|
|
## @param chartmuseum.provPostFormFieldName Form field which will be queried for the provenance file content
|
|
## @param chartmuseum.maxStorageObjects Maximum storage objects
|
|
## @param chartmuseum.maxUploadSize Maximum upload size
|
|
## @param chartmuseum.storageTimestampTolerance Timestamp tolerance size
|
|
##
|
|
contextPath: ""
|
|
indexLimit: ""
|
|
chartPostFormFieldName: ""
|
|
provPostFormFieldName: ""
|
|
maxStorageObjects: ""
|
|
maxUploadSize: ""
|
|
storageTimestampTolerance: "1s"
|
|
## Use TLS in the container
|
|
##
|
|
tls:
|
|
## @param chartmuseum.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
|
|
## Requires `internalTLS.enabled` to be set to `true``
|
|
## Self-signed TLS certificates will be used otherwise
|
|
##
|
|
existingSecret: ""
|
|
## @param chartmuseum.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param chartmuseum.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param chartmuseum.extraEnvVars Array with extra environment variables to add Chartmuseum pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param chartmuseum.extraEnvVarsCM ConfigMap containing extra environment variables for Chartmuseum pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param chartmuseum.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Chartmuseum pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param chartmuseum.containerPorts.http Chartmuseum HTTP container port
|
|
## @param chartmuseum.containerPorts.https Chartmuseum HTTPS container port
|
|
##
|
|
containerPorts:
|
|
http: 9999
|
|
https: 9443
|
|
## @param chartmuseum.replicaCount Number of Chartmuseum replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for Chartmuseum containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param chartmuseum.livenessProbe.enabled Enable livenessProbe on Chartmuseum containers
|
|
## @param chartmuseum.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param chartmuseum.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param chartmuseum.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param chartmuseum.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param chartmuseum.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param chartmuseum.readinessProbe.enabled Enable readinessProbe on Chartmuseum containers
|
|
## @param chartmuseum.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param chartmuseum.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param chartmuseum.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param chartmuseum.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param chartmuseum.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param chartmuseum.startupProbe.enabled Enable startupProbe on Chartmuseum containers
|
|
## @param chartmuseum.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param chartmuseum.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param chartmuseum.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param chartmuseum.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param chartmuseum.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param chartmuseum.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param chartmuseum.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param chartmuseum.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Chartmuseum resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param chartmuseum.resources.limits The resources limits for the Chartmuseum containers
|
|
## @param chartmuseum.resources.requests The requested resources for the Chartmuseum containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Chartmuseum pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param chartmuseum.podSecurityContext.enabled Enabled Chartmuseum pods' Security Context
|
|
## @param chartmuseum.podSecurityContext.fsGroup Set Chartmuseum pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure Chartmuseum containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param chartmuseum.containerSecurityContext.enabled Enabled Chartmuseum containers' Security Context
|
|
## @param chartmuseum.containerSecurityContext.runAsUser Set Chartmuseum containers' Security Context runAsUser
|
|
## @param chartmuseum.containerSecurityContext.runAsNonRoot Set Chartmuseum containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param chartmuseum.updateStrategy.type Chartmuseum deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param chartmuseum.lifecycleHooks LifecycleHook for the Chartmuseum container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param chartmuseum.hostAliases Chartmuseum pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param chartmuseum.podLabels Add additional labels to the Chartmuseum pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param chartmuseum.podAnnotations Annotations to add to the Chartmuseum pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param chartmuseum.podAffinityPreset Chartmuseum Pod affinity preset. Ignored if `chartmuseum.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param chartmuseum.podAntiAffinityPreset Chartmuseum Pod anti-affinity preset. Ignored if `chartmuseum.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param chartmuseum.nodeAffinityPreset.type Chartmuseum Node affinity preset type. Ignored if `chartmuseum.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param chartmuseum.nodeAffinityPreset.key Chartmuseum Node label key to match Ignored if `chartmuseum.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param chartmuseum.nodeAffinityPreset.values Chartmuseum Node label values to match. Ignored if `chartmuseum.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param chartmuseum.affinity Chartmuseum Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: chartmuseum.podAffinityPreset, chartmuseum.podAntiAffinityPreset, and chartmuseum.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param chartmuseum.nodeSelector Chartmuseum Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param chartmuseum.tolerations Chartmuseum Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param chartmuseum.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param chartmuseum.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param chartmuseum.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param chartmuseum.sidecars Add additional sidecar containers to the Chartmuseum pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param chartmuseum.initContainers Add additional init containers to the Chartmuseum pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param chartmuseum.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Chartmuseum pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param chartmuseum.extraVolumes Optionally specify extra list of additional volumes for the Chartmuseum pods
|
|
##
|
|
extraVolumes: []
|
|
## @param chartmuseum.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Chartmuseum service configuration
|
|
##
|
|
service:
|
|
## @param chartmuseum.service.ports.http Chartmuseum HTTP service port
|
|
## @param chartmuseum.service.ports.https Chartmuseum HTTPS service port
|
|
##
|
|
ports:
|
|
http: 80
|
|
https: 443
|
|
|
|
## @section Notary Parameters
|
|
##
|
|
|
|
## Notary Parameters
|
|
##
|
|
notary:
|
|
## @param notary.enabled Enable Notary
|
|
##
|
|
enabled: false
|
|
## @param notary.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `notary-signer-ca.crt`, `notary-signer.key` and `notary-signer.crt` that contain the CA, certificate and private key. They will be generated if not set.
|
|
## TLS certificate authority, certificate and private key for notary
|
|
## communications.
|
|
## The secret must contain keys named ca.crt, tls.crt and tls.key that
|
|
## contain the CA, certificate and private key.
|
|
## They will be generated if not set.
|
|
##
|
|
secretName: ""
|
|
server:
|
|
## Bitnami Harbor Notary Server image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-notary-server/tags/
|
|
## @param notary.server.image.registry Harbor Notary Server image registry
|
|
## @param notary.server.image.repository Harbor Notary Server image repository
|
|
## @param notary.server.image.tag Harbor Notary Server image tag (immutable tags are recommended)
|
|
## @param notary.server.image.digest Notary Server image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param notary.server.image.pullPolicy Harbor Notary Server image pull policy
|
|
## @param notary.server.image.pullSecrets Harbor Notary Server image pull secrets
|
|
## @param notary.server.image.debug Enable Harbor Notary Server image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-notary-server
|
|
# tag: 2.8.1-debian-11-r0
|
|
tag: latest
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param notary.server.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param notary.server.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param notary.server.extraEnvVars Array with extra environment variables to add Harbor Notary Server pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param notary.server.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Notary Server pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param notary.server.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Notary Server pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param notary.server.containerPorts.server Harbor Notary Server container port
|
|
##
|
|
containerPorts:
|
|
server: 4443
|
|
## @param notary.server.replicaCount Number of Harbor Notary Server replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for Harbor Notary Server containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param notary.server.livenessProbe.enabled Enable livenessProbe on Harbor Notary Server containers
|
|
## @param notary.server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param notary.server.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param notary.server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param notary.server.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param notary.server.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param notary.server.readinessProbe.enabled Enable readinessProbe on Harbor Notary Server containers
|
|
## @param notary.server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param notary.server.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param notary.server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param notary.server.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param notary.server.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param notary.server.startupProbe.enabled Enable startupProbe on Harbor Notary Server containers
|
|
## @param notary.server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param notary.server.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param notary.server.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param notary.server.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param notary.server.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param notary.server.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param notary.server.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param notary.server.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Notary Server resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param notary.server.resources.limits The resources limits for the Harbor Notary Server containers
|
|
## @param notary.server.resources.requests The requested resources for the Harbor Notary Server containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Harbor Notary Server pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param notary.server.podSecurityContext.enabled Enabled Harbor Notary Server pods' Security Context
|
|
## @param notary.server.podSecurityContext.fsGroup Set Harbor Notary Server pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure Harbor Notary Server containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param notary.server.containerSecurityContext.enabled Enabled Harbor Notary Server containers' Security Context
|
|
## @param notary.server.containerSecurityContext.runAsUser Set Harbor Notary Server containers' Security Context runAsUser
|
|
## @param notary.server.containerSecurityContext.runAsNonRoot Set Harbor Notary Server containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param notary.server.updateStrategy.type Harbor Notary Server deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param notary.server.lifecycleHooks LifecycleHook for the Harbor Notary Server container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param notary.server.hostAliases Harbor Notary Server pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param notary.server.podLabels Add additional labels to the Harbor Notary Server pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param notary.server.podAnnotations Annotations to add to the Harbor Notary Server pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param notary.server.podAffinityPreset Harbor Notary Server Pod affinity preset. Ignored if `notary.server.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param notary.server.podAntiAffinityPreset Harbor Notary Server Pod anti-affinity preset. Ignored if `notary.server.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param notary.server.nodeAffinityPreset.type Harbor Notary Server Node affinity preset type. Ignored if `notary.server.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param notary.server.nodeAffinityPreset.key Harbor Notary Server Node label key to match Ignored if `notary.server.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param notary.server.nodeAffinityPreset.values Harbor Notary Server Node label values to match. Ignored if `notary.server.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param notary.server.affinity Harbor Notary Server Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: notary.server.podAffinityPreset, notary.server.podAntiAffinityPreset, and notary.server.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param notary.server.nodeSelector Harbor Notary Server Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param notary.server.tolerations Harbor Notary Server Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param notary.server.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param notary.server.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param notary.server.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param notary.server.sidecars Add additional sidecar containers to the Harbor Notary Server pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param notary.server.initContainers Add additional init containers to the Harbor Notary Server pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param notary.server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Notary Server pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param notary.server.extraVolumes Optionally specify extra list of additional volumes for the Harbor Notary Server pods
|
|
##
|
|
extraVolumes: []
|
|
## @param notary.server.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
signer:
|
|
## Bitnami Harbor Notary Signer image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-notary-signer/tags/
|
|
## @param notary.signer.image.registry Harbor Notary Signer image registry
|
|
## @param notary.signer.image.repository Harbor Notary Signer image repository
|
|
## @param notary.signer.image.tag Harbor Notary Signer image tag (immutable tags are recommended)
|
|
## @param notary.signer.image.digest Harbor Notary Signer image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param notary.signer.image.pullPolicy Harbor Notary Signer image pull policy
|
|
## @param notary.signer.image.pullSecrets Harbor Notary Signer image pull secrets
|
|
## @param notary.signer.image.debug Enable Harbor Notary Signer image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-notary-signer
|
|
# tag: 2.8.1-debian-11-r0
|
|
tag: latest
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param notary.signer.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param notary.signer.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param notary.signer.extraEnvVars Array with extra environment variables to add Harbor Notary Signer pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param notary.signer.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Notary Signer pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param notary.signer.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Notary Signer pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param notary.signer.containerPorts.signer Harbor Notary Signer container port
|
|
##
|
|
containerPorts:
|
|
signer: 7899
|
|
## @param notary.signer.replicaCount Number of Harbor Notary Signer replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for Harbor Notary Signer containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param notary.signer.livenessProbe.enabled Enable livenessProbe on Harbor Notary Signer containers
|
|
## @param notary.signer.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param notary.signer.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param notary.signer.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param notary.signer.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param notary.signer.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param notary.signer.readinessProbe.enabled Enable readinessProbe on Harbor Notary Signer containers
|
|
## @param notary.signer.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param notary.signer.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param notary.signer.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param notary.signer.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param notary.signer.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param notary.signer.startupProbe.enabled Enable startupProbe on Harbor Notary Signer containers
|
|
## @param notary.signer.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param notary.signer.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param notary.signer.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param notary.signer.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param notary.signer.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param notary.signer.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param notary.signer.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param notary.signer.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Notary Signer resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param notary.signer.resources.limits The resources limits for the Harbor Notary Signer containers
|
|
## @param notary.signer.resources.requests The requested resources for the Harbor Notary Signer containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Harbor Notary Signer pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param notary.signer.podSecurityContext.enabled Enabled Harbor Notary Signer pods' Security Context
|
|
## @param notary.signer.podSecurityContext.fsGroup Set Harbor Notary Signer pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure Harbor Notary Signer containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param notary.signer.containerSecurityContext.enabled Enabled Harbor Notary Signer containers' Security Context
|
|
## @param notary.signer.containerSecurityContext.runAsUser Set Harbor Notary Signer containers' Security Context runAsUser
|
|
## @param notary.signer.containerSecurityContext.runAsNonRoot Set Harbor Notary Signer containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param notary.signer.updateStrategy.type Harbor Notary Signer deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param notary.signer.lifecycleHooks LifecycleHook for the Harbor Notary Signer container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param notary.signer.hostAliases Harbor Notary Signer pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param notary.signer.podLabels Add additional labels to the Harbor Notary Signer pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param notary.signer.podAnnotations Annotations to add to the Harbor Notary Signer pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param notary.signer.podAffinityPreset Harbor Notary Signer Pod affinity preset. Ignored if `notary.signer.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param notary.signer.podAntiAffinityPreset Harbor Notary Signer Pod anti-affinity preset. Ignored if `notary.signer.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param notary.signer.nodeAffinityPreset.type Harbor Notary Signer Node affinity preset type. Ignored if `notary.signer.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param notary.signer.nodeAffinityPreset.key Harbor Notary Signer Node label key to match Ignored if `notary.signer.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param notary.signer.nodeAffinityPreset.values Harbor Notary Signer Node label values to match. Ignored if `notary.signer.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param notary.signer.affinity Harbor Notary Signer Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: notary.signer.podAffinityPreset, notary.signer.podAntiAffinityPreset, and notary.signer.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param notary.signer.nodeSelector Harbor Notary Signer Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param notary.signer.tolerations Harbor Notary Signer Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param notary.signer.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param notary.signer.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param notary.signer.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param notary.signer.sidecars Add additional sidecar containers to the Harbor Notary Signer pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param notary.signer.initContainers Add additional init containers to the Harbor Notary Signer pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param notary.signer.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Notary Signer pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param notary.signer.extraVolumes Optionally specify extra list of additional volumes for the Harbor Notary Signer pods
|
|
##
|
|
extraVolumes: []
|
|
## @param notary.signer.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Harbor Notary service configuration
|
|
##
|
|
service:
|
|
## @param notary.service.ports.server Harbor Notary server service port
|
|
## @param notary.service.ports.signer Harbor Notary signer service port
|
|
##
|
|
ports:
|
|
server: 4443
|
|
signer: 7899
|
|
|
|
## @section Harbor Adapter Trivy Parameters
|
|
##
|
|
|
|
trivy:
|
|
## Bitnami Harbor Adapter Trivy image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-adapter-trivy/tags/
|
|
## @param trivy.image.registry Harbor Adapter Trivy image registry
|
|
## @param trivy.image.repository Harbor Adapter Trivy image repository
|
|
## @param trivy.image.tag Harbor Adapter Trivy image tag (immutable tags are recommended)
|
|
## @param trivy.image.digest Harbor Adapter Trivy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param trivy.image.pullPolicy Harbor Adapter Trivy image pull policy
|
|
## @param trivy.image.pullSecrets Harbor Adapter Trivy image pull secrets
|
|
## @param trivy.image.debug Enable Harbor Adapter Trivy image debug mode
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-adapter-trivy
|
|
tag: 2.12.2-debian-12-r6
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param trivy.enabled Enable Trivy
|
|
##
|
|
enabled: true
|
|
## @param trivy.debugMode The flag to enable Trivy debug mode
|
|
##
|
|
debugMode: false
|
|
## @param trivy.vulnType Comma-separated list of vulnerability types. Possible values `os` and `library`.
|
|
##
|
|
vulnType: 'os,library'
|
|
## @param trivy.severity Comma-separated list of severities to be checked
|
|
##
|
|
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
|
## @param trivy.ignoreUnfixed The flag to display only fixed vulnerabilities
|
|
##
|
|
ignoreUnfixed: false
|
|
## @param trivy.insecure The flag to skip verifying registry certificate
|
|
##
|
|
insecure: true
|
|
## @param trivy.gitHubToken The GitHub access token to download Trivy DB
|
|
##
|
|
## Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
|
|
## It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
|
|
## in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
|
|
## timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
|
|
## Currently, the database is updated every 12 hours and published as a new release to GitHub.
|
|
##
|
|
## Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
|
|
## for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
|
|
## requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
|
|
## https://developer.github.com/v3/#rate-limiting
|
|
##
|
|
## You can create a GitHub token by following the instructions in
|
|
## https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
|
|
##
|
|
gitHubToken: ""
|
|
## @param trivy.skipUpdate The flag to disable Trivy DB downloads from GitHub
|
|
## You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
|
|
## If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
|
|
## `/home/scanner/.cache/trivy/db/trivy.db` path.
|
|
##
|
|
skipUpdate: false
|
|
## @param trivy.cacheDir Directory to store the cache
|
|
##
|
|
cacheDir: '/bitnami/harbor-adapter-trivy/.cache'
|
|
## Use TLS in the container
|
|
##
|
|
tls:
|
|
## @param trivy.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
|
|
## Requires `internalTLS.enabled` to be set to `true``
|
|
## Self-signed TLS certificates will be used otherwise
|
|
##
|
|
existingSecret: ""
|
|
## @param trivy.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param trivy.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param trivy.extraEnvVars Array with extra environment variables to add Trivy pods
|
|
##
|
|
extraEnvVars: []
|
|
## @param trivy.extraEnvVarsCM ConfigMap containing extra environment variables for Trivy pods
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param trivy.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Trivy pods
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param trivy.containerPorts.http Trivy HTTP container port
|
|
## @param trivy.containerPorts.https Trivy HTTPS container port
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
## @param trivy.replicaCount Number of Trivy replicas
|
|
##
|
|
replicaCount: 1
|
|
## Configure extra options for Trivy containers' liveness, readiness and startup probes
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
|
|
## @param trivy.livenessProbe.enabled Enable livenessProbe on Trivy containers
|
|
## @param trivy.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param trivy.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param trivy.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param trivy.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param trivy.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param trivy.readinessProbe.enabled Enable readinessProbe on Trivy containers
|
|
## @param trivy.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param trivy.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param trivy.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param trivy.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param trivy.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param trivy.startupProbe.enabled Enable startupProbe on Trivy containers
|
|
## @param trivy.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param trivy.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param trivy.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param trivy.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param trivy.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param trivy.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param trivy.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param trivy.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Trivy resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param trivy.resources.limits [object] The resources limits for the Trivy containers
|
|
## @param trivy.resources.requests [object] The requested resources for the Trivy containers
|
|
##
|
|
resources:
|
|
requests:
|
|
cpu: 200m
|
|
memory: 512Mi
|
|
limits:
|
|
cpu: 1
|
|
memory: 1Gi
|
|
## Configure Trivy pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param trivy.podSecurityContext.enabled Enabled Trivy pods' Security Context
|
|
## @param trivy.podSecurityContext.fsGroup Set Trivy pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: false
|
|
fsGroup: 1001
|
|
## Configure Trivy containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param trivy.containerSecurityContext.enabled Enabled Trivy containers' Security Context
|
|
## @param trivy.containerSecurityContext.runAsUser Set Trivy containers' Security Context runAsUser
|
|
## @param trivy.containerSecurityContext.runAsNonRoot Set Trivy containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: false
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param trivy.updateStrategy.type Trivy deployment strategy type - only really applicable for deployments with RWO PVs attached
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param trivy.lifecycleHooks LifecycleHook for the Trivy container(s) to automate configuration before or after startup
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param trivy.hostAliases Trivy pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param trivy.podLabels Add additional labels to the Trivy pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param trivy.podAnnotations Annotations to add to the Trivy pods (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param trivy.podAffinityPreset Trivy Pod affinity preset. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param trivy.podAntiAffinityPreset Trivy Pod anti-affinity preset. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param trivy.nodeAffinityPreset.type Trivy Node affinity preset type. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param trivy.nodeAffinityPreset.key Trivy Node label key to match Ignored if `trivy.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param trivy.nodeAffinityPreset.values Trivy Node label values to match. Ignored if `trivy.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param trivy.affinity Trivy Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: trivy.podAffinityPreset, trivy.podAntiAffinityPreset, and trivy.nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param trivy.nodeSelector Trivy Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param trivy.tolerations Trivy Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param trivy.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param trivy.priorityClassName Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param trivy.schedulerName Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param trivy.sidecars Add additional sidecar containers to the Trivy pods
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: []
|
|
## @param trivy.initContainers Add additional init containers to the Trivy pods
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: []
|
|
## @param trivy.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Trivy pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param trivy.extraVolumes Optionally specify extra list of additional volumes for the Trivy pods
|
|
##
|
|
extraVolumes: []
|
|
## @param trivy.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Trivy service configuration
|
|
##
|
|
service:
|
|
## @param trivy.service.ports.http Trivy HTTP service port
|
|
## @param trivy.service.ports.https Trivy HTTPS service port
|
|
##
|
|
ports:
|
|
http: 8080
|
|
https: 8443
|
|
|
|
## @section Harbor Exporter Parameters
|
|
##
|
|
|
|
exporter:
|
|
## Bitnami Harbor Exporter image
|
|
## ref: https://hub.docker.com/r/bitnami/harbor-exporter/tags/
|
|
## @param exporter.image.registry Harbor Exporter image registry
|
|
## @param exporter.image.repository Harbor Exporter image repository
|
|
## @param exporter.image.tag Harbor Exporter image tag
|
|
## @param exporter.image.digest Harbor Exporter image image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
## @param exporter.image.pullPolicy Harbor exporter image pull policy
|
|
## @param exporter.image.pullSecrets Specify docker-registry secret names as an array
|
|
## @param exporter.image.debug Specify if debug logs should be enabled
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/harbor-exporter
|
|
tag: 2.12.2-debian-12-r7
|
|
digest: ""
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## e.g:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Enable debug mode
|
|
##
|
|
debug: false
|
|
## @param exporter.command Override default container command (useful when using custom images)
|
|
##
|
|
command: []
|
|
## @param exporter.args Override default container args (useful when using custom images)
|
|
##
|
|
args: []
|
|
## @param exporter.extraEnvVars Array containing extra env vars
|
|
## For example:
|
|
## - name: HARBOR_DATABASE_SSLMODE
|
|
## value: verify-ca
|
|
##
|
|
extraEnvVars: []
|
|
## @param exporter.extraEnvVarsCM ConfigMap containing extra env vars
|
|
##
|
|
extraEnvVarsCM: ""
|
|
## @param exporter.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data)
|
|
##
|
|
extraEnvVarsSecret: ""
|
|
## @param exporter.containerPorts.metrics Harbor Exporter HTTP container port
|
|
##
|
|
containerPorts:
|
|
metrics: 8001
|
|
## @param exporter.replicaCount The replica count
|
|
##
|
|
replicaCount: 1
|
|
## Harbor Exporter containers' liveness probe
|
|
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
|
|
## @param exporter.livenessProbe.enabled Enable livenessProbe
|
|
## @param exporter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
|
## @param exporter.livenessProbe.periodSeconds Period seconds for livenessProbe
|
|
## @param exporter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
|
## @param exporter.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
|
## @param exporter.livenessProbe.successThreshold Success threshold for livenessProbe
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## Harbor Exporter containers' readiness probe
|
|
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
|
|
## @param exporter.readinessProbe.enabled Enable readinessProbe
|
|
## @param exporter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
|
## @param exporter.readinessProbe.periodSeconds Period seconds for readinessProbe
|
|
## @param exporter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
|
## @param exporter.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
|
## @param exporter.readinessProbe.successThreshold Success threshold for readinessProbe
|
|
##
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 20
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
## @param exporter.startupProbe.enabled Enable startupProbe on Harbor Exporter containers
|
|
## @param exporter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
|
## @param exporter.startupProbe.periodSeconds Period seconds for startupProbe
|
|
## @param exporter.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
|
## @param exporter.startupProbe.failureThreshold Failure threshold for startupProbe
|
|
## @param exporter.startupProbe.successThreshold Success threshold for startupProbe
|
|
##
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 15
|
|
successThreshold: 1
|
|
## @param exporter.customLivenessProbe Custom livenessProbe that overrides the default one
|
|
##
|
|
customLivenessProbe: {}
|
|
## @param exporter.customReadinessProbe Custom readinessProbe that overrides the default one
|
|
##
|
|
customReadinessProbe: {}
|
|
## @param exporter.customStartupProbe Custom startupProbe that overrides the default one
|
|
##
|
|
customStartupProbe: {}
|
|
## Harbor Exporter resource requests and limits
|
|
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
|
## @param exporter.resources.limits The resources limits for the Harbor Exporter containers
|
|
## @param exporter.resources.requests The requested resources for the Harbor Exporter containers
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests: {}
|
|
## Configure Exporter pods Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
## @param exporter.podSecurityContext.enabled Enabled Exporter pods' Security Context
|
|
## @param exporter.podSecurityContext.fsGroup Set Exporter pod's Security Context fsGroup
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
## Configure Exporter containers (only main one) Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param exporter.containerSecurityContext.enabled Enabled Exporter containers' Security Context
|
|
## @param exporter.containerSecurityContext.runAsUser Set Exporter containers' Security Context runAsUser
|
|
## @param exporter.containerSecurityContext.runAsNonRoot Set Exporter containers' Security Context runAsNonRoot
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
## @param exporter.updateStrategy.type The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported
|
|
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
|
|
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
|
|
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
|
|
##
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
## @param exporter.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
|
|
##
|
|
lifecycleHooks: {}
|
|
## @param exporter.hostAliases Exporter pods host aliases
|
|
##
|
|
hostAliases: []
|
|
## @param exporter.podLabels Add additional labels to the pod (evaluated as a template)
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
## @param exporter.podAnnotations Annotations to add to the exporter pod
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
## @param exporter.podAffinityPreset Harbor Exporter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAffinityPreset: ""
|
|
## @param exporter.podAntiAffinityPreset Harbor Exporter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
##
|
|
nodeAffinityPreset:
|
|
## @param exporter.nodeAffinityPreset.type Harbor Exporter Node affinity preset type. Ignored if `exporter.affinity` is set. Allowed values: `soft` or `hard`
|
|
##
|
|
type: ""
|
|
## @param exporter.nodeAffinityPreset.key Harbor Exporter Node label key to match Ignored if `exporter.affinity` is set.
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## @param exporter.nodeAffinityPreset.values Harbor Exporter Node label values to match. Ignored if `exporter.affinity` is set.
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
## @param exporter.affinity Harbor Exporter Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: `exporter.podAffinityPreset`, `exporter.podAntiAffinityPreset`, and `exporter.nodeAffinityPreset` will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
## @param exporter.priorityClassName Exporter pods Priority Class Name
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
##
|
|
priorityClassName: ""
|
|
## @param exporter.schedulerName Name of the k8s scheduler (other than default)
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
schedulerName: ""
|
|
## @param exporter.serviceAccountName Name of the serviceAccountName for Harbor Exporter pods
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
serviceAccountName: ""
|
|
## @param exporter.nodeSelector Harbor Exporter Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
## @param exporter.tolerations Harbor Exporter Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
## @param exporter.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
|
##
|
|
topologySpreadConstraints: []
|
|
## @param exporter.initContainers Add additional init containers to the pod (evaluated as a template)
|
|
##
|
|
initContainers: []
|
|
## @param exporter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Chartmuseum pods
|
|
##
|
|
extraVolumeMounts: []
|
|
## @param exporter.extraVolumes Optionally specify extra list of additional volumes for the Chartmuseum pods
|
|
##
|
|
extraVolumes: []
|
|
## @param exporter.sidecars Attach additional containers to the pod (evaluated as a template)
|
|
##
|
|
sidecars: []
|
|
## @param exporter.automountServiceAccountToken Automount service account token
|
|
##
|
|
automountServiceAccountToken: false
|
|
## Exporter service configuration
|
|
##
|
|
service:
|
|
## @param exporter.service.ports.metrics Exporter HTTP service port
|
|
##
|
|
ports:
|
|
metrics: 8001
|
|
|
|
## @section PostgreSQL Parameters
|
|
##
|
|
|
|
## PostgreSQL chart configuration
|
|
## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
|
|
## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
|
|
## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
|
|
## @param postgresql.auth.postgresPassword Password for the "postgres" admin user
|
|
## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
|
|
## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
|
|
## @param postgresql.primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
|
|
## @param postgresql.primary.initdb.scripts [object] Initdb scripts to create Harbor databases
|
|
##
|
|
postgresql:
|
|
enabled: false
|
|
## Override PostgreSQL default image as 14.x is not supported https://goharbor.io/docs/2.4.0/install-config/
|
|
## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql
|
|
## @param postgresql.image.registry PostgreSQL image registry
|
|
## @param postgresql.image.repository PostgreSQL image repository
|
|
## @param postgresql.image.tag PostgreSQL image tag (immutable tags are recommended)
|
|
## @param postgresql.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnamilegacy/postgresql
|
|
# tag: 13.15.0-debian-12-r2
|
|
tag: 14.16.0-debian-12-r4
|
|
digest: ""
|
|
auth:
|
|
enablePostgresUser: true
|
|
postgresPassword: harbor
|
|
existingSecret: ""
|
|
architecture: standalone
|
|
primary:
|
|
extendedConfiguration: |
|
|
max_connections = 1024
|
|
initdb:
|
|
scripts:
|
|
initial-notaryserver.sql: |
|
|
CREATE DATABASE notaryserver;
|
|
CREATE USER server;
|
|
alter user server with encrypted password 'password';
|
|
GRANT ALL PRIVILEGES ON DATABASE notaryserver TO server;
|
|
initial-notarysigner.sql: |
|
|
CREATE DATABASE notarysigner;
|
|
CREATE USER signer;
|
|
alter user signer with encrypted password 'password';
|
|
GRANT ALL PRIVILEGES ON DATABASE notarysigner TO signer;
|
|
initial-registry.sql: |
|
|
CREATE DATABASE registry ENCODING 'UTF8';
|
|
\c registry;
|
|
CREATE TABLE schema_migrations(version bigint not null primary key, dirty boolean not null);
|
|
## External PostgreSQL configuration
|
|
## All of these values are only used when postgresql.enabled is set to false
|
|
## @param externalDatabase.host Database host
|
|
## @param externalDatabase.port Database port number
|
|
## @param externalDatabase.user Non-root username for Harbor
|
|
## @param externalDatabase.password Password for the non-root username for Harbor
|
|
## @param externalDatabase.sslmode External database ssl mode
|
|
## @param externalDatabase.coreDatabase External database name for core
|
|
## @param externalDatabase.notaryServerDatabase External database name for notary server
|
|
## @param externalDatabase.notaryServerUsername External database username for notary server
|
|
## @param externalDatabase.notaryServerPassword External database password for notary server
|
|
## @param externalDatabase.notarySignerDatabase External database name for notary signer
|
|
## @param externalDatabase.notarySignerUsername External database username for notary signer
|
|
## @param externalDatabase.notarySignerPassword External database password for notary signer
|
|
##
|
|
externalDatabase:
|
|
host: postgres13.postgres.svc.cluster.local
|
|
# host: 192.168.2.235
|
|
port: 5432
|
|
user: harbor
|
|
password: "harbor"
|
|
sslmode: disable
|
|
coreDatabase: "harbor"
|
|
notaryServerDatabase: "harbor"
|
|
notaryServerUsername: "harbor"
|
|
notaryServerPassword: "harbor"
|
|
notarySignerDatabase: "harbor"
|
|
notarySignerUsername: "harbor"
|
|
notarySignerPassword: "harbor"
|
|
|
|
## @section Redis® parameters
|
|
##
|
|
|
|
## Redis® chart configuration
|
|
## ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml
|
|
## @param redis.enabled Switch to enable or disable the Redis® helm
|
|
## @param redis.auth.enabled Enable password authentication
|
|
## @param redis.auth.password Redis® password
|
|
## @param redis.auth.existingSecret The name of an existing secret with Redis® credentials
|
|
## @param redis.architecture Redis® architecture. Allowed values: `standalone` or `replication`
|
|
## @param redis.sentinel.enabled Use Redis® Sentinel on Redis® pods.
|
|
## @param redis.sentinel.masterSet Master set name
|
|
## @param redis.sentinel.service.ports.sentinel Redis® service port for Redis® Sentinel
|
|
##
|
|
redis:
|
|
enabled: false
|
|
storageClass: ""
|
|
auth:
|
|
enabled: true
|
|
## Redis® password (both master and slave). Defaults to a random 10-character alphanumeric string if not set and auth.enabled is true.
|
|
## It should always be set using the password value or in the existingSecret to avoid issues
|
|
## with Harbor.
|
|
## The password value is ignored if existingSecret is set
|
|
##
|
|
password: "Redis01"
|
|
existingSecret: ""
|
|
architecture: standalone
|
|
sentinel:
|
|
enabled: false
|
|
masterSet: mymaster
|
|
service:
|
|
ports:
|
|
sentinel: 26379
|
|
|
|
## External Redis® configuration
|
|
## All of these values are only used when redis.enabled is set to false
|
|
## @param externalRedis.host Redis® host
|
|
## @param externalRedis.port Redis® port number
|
|
## @param externalRedis.password Redis® password
|
|
## @param externalRedis.coreDatabaseIndex Index for core database
|
|
## @param externalRedis.jobserviceDatabaseIndex Index for jobservice database
|
|
## @param externalRedis.registryDatabaseIndex Index for registry database
|
|
## @param externalRedis.chartmuseumDatabaseIndex Index for chartmuseum database
|
|
## @param externalRedis.trivyAdapterDatabaseIndex Index for chartmuseum database
|
|
##
|
|
externalRedis:
|
|
host: 192.168.2.182
|
|
# host: 192.168.2.221
|
|
port: 6379
|
|
password: "Redis01@"
|
|
coreDatabaseIndex: '0'
|
|
jobserviceDatabaseIndex: '1'
|
|
registryDatabaseIndex: '2'
|
|
chartmuseumDatabaseIndex: '3'
|
|
trivyAdapterDatabaseIndex: '5'
|
|
## Redis® sentinel configuration
|
|
## @param externalRedis.sentinel.enabled If external redis with sentinal is used, set it to `true`
|
|
## @param externalRedis.sentinel.masterSet Name of sentinel masterSet if sentinel is used
|
|
## @param externalRedis.sentinel.hosts Sentinel hosts and ports in the format
|
|
##
|
|
sentinel:
|
|
enabled: false
|
|
masterSet: 'mymaster'
|
|
hosts: ""
|
|
|
|
## @section Harbor metrics parameters
|
|
##
|
|
metrics:
|
|
## @param metrics.enabled Whether or not to enable metrics for different
|
|
##
|
|
enabled: false
|
|
## @param metrics.path Path where metrics are exposed
|
|
##
|
|
path: /metrics
|
|
## Prometheus Operator ServiceMonitor configuration
|
|
##
|
|
serviceMonitor:
|
|
## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.enabled` to be `true`)
|
|
##
|
|
enabled: false
|
|
## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
|
|
##
|
|
namespace: ""
|
|
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
|
|
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
|
|
##
|
|
interval: ""
|
|
## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
|
|
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
|
|
##
|
|
scrapeTimeout: ""
|
|
## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
|
|
##
|
|
labels: {}
|
|
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
|
|
## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
|
|
##
|
|
selector: {}
|
|
## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
|
|
##
|
|
relabelings: []
|
|
## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
|
|
##
|
|
metricRelabelings: []
|
|
## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
|
|
##
|
|
honorLabels: false
|
|
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
|
|
##
|
|
jobLabel: ""
|