bitnami/harbor

Chart version: 8.1.0
Api version: v1
App version: 2.1.0
Harbor is an open source trusted cloud native registry proje...
Chart Type: application
Status: Active
License: Unknown
Downloads: 2839
https://charts.bitnami.com/bitnami
Set me up:
helm repo add center https://repo.chartcenter.io
Install Chart:
helm install harbor center/bitnami/harbor

Harbor

This Helm chart is based on the goharbor/harbor-helm chart but includes some features common to the Bitnami chart library. For example, the following changes have been introduced:

  • Possibility to pull all the required images from a private registry through the Global Docker image parameters.
  • Redis and PostgreSQL are managed as chart dependencies.
  • Liveness and Readiness probes for all deployments are exposed to the values.yaml.
  • Uses new Helm chart labels formatting.
  • Uses Bitnami container images:
    • non-root by default
    • published for debian-10 and ol-7
  • This chart supports the optional Harbor component integrations: Chartmuseum, Clair and Notary.

TL;DR

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/harbor

Introduction

This Helm chart installs Harbor in a Kubernetes cluster. Contributions to the Helm chart for Harbor are welcome.

Prerequisites

  • Kubernetes 1.12+
  • Helm 2.12+ or Helm 3.0-beta3+
  • PV provisioner support in the underlying infrastructure
  • ReadWriteMany volumes for deployment scaling

Installing the Chart

Install the Harbor helm chart with a release name my-release:

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/harbor

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete --purge my-release

Additionally, if persistence.resourcePolicy is set to keep, you should manually delete the PVCs.

Parameters

The following tables list the configurable parameters of the Harbor chart and their default values per section/component:

Global Parameters

Parameter Description Default
global.imageRegistry Global Docker image registry nil
global.imagePullSecrets Global Docker registry secret names as an array [] (does not add image pull secrets to deployed pods)
global.storageClass Global storage class for dynamic provisioning nil

Common Parameters

| Parameter | Description | Default |
|---|---|---|
| caBundleSecretName | The custom ca bundle secret name, the secret must contain key named “ca.crt” which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components. | nil |
| commonLabels | Labels to add to all deployed objects | nil |
| commonAnnotations | Annotations to add to all deployed objects | [] |
| internalTLS.enabled | Use TLS in all the supported containers: chartmuseum, clair, core, jobservice, portal, registry and trivy | false |
| logLevel | The log level | debug |
| forcePassword | Option to ensure all passwords and keys are set by the user | false |
| harborAdminPassword | The initial password of Harbor admin. Change it from portal after launching Harbor | random 10 character long alphanumeric string |
| nameOverride | String to partially override common.names.fullname template with a string (will prepend the release name) | nil |
| fullnameOverride | String to fully override common.names.fullname template with a string | nil |
| containerSecurityContext | Container security podSecurityContext | { runAsUser: 1001, runAsNonRoot: true } |
| podSecurityContext | Pod security context | { fsGroup: 1001 } |
| volumePermissions.enabled | Enable init container that changes volume permissions in the data directory (for cases where the default k8s runAsUser and fsUser values do not work) | false |
| volumePermissions.image.registry | Init container volume-permissions image registry | docker.io |
| volumePermissions.image.repository | Init container volume-permissions image name | bitnami/minideb |
| volumePermissions.image.tag | Init container volume-permissions image tag | buster |
| volumePermissions.image.pullSecrets | Specify docker-registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
| volumePermissions.image.pullPolicy | Init container volume-permissions image pull policy | Always |
| volumePermissions.resources | Init container resource requests/limit | nil |
| proxy.httpProxy | The URL of the HTTP proxy server | |
| proxy.httpsProxy | The URL of the HTTPS proxy server | |
| proxy.noProxy | The URLs that the proxy settings do not apply to | 127.0.0.1,localhost,.local,.internal |
| proxy.components | The component list that the proxy settings apply to | core, jobservice, clair |
| externalURL | The external URL for Harbor core service | https://core.harbor.domain |
| extraDeploy | Array of extra objects to deploy with the release (evaluated as a template). | nil |

Traffic Exposure Parameters

Parameter Description Default
service.type How to expose the service: Ingress, ClusterIP, NodePort or LoadBalancer LoadBalancer
service.tls.enabled Enable the tls or not (for external access) true
service.tls.existingSecret Existing secret name containing your own TLS certificates. The secret must contain the keys: tls.crt - the certificate (required), tls.key - the private key (required), ca.crt - the certificate of CA (optional). Self-signed TLS certificates will be used otherwise. nil
service.tls.notaryExistingSecret By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the service.type is ingress. nil
service.tls.commonName The common name used to generate the certificate, it’s necessary when the service.type is ClusterIP or NodePort and service.tls.existingSecret is null nil
service.ports.http The service port Harbor listens on when serving with HTTP 80
service.ports.https The service port Harbor listens on when serving with HTTPS 443
service.ports.notary The service port Notary listens on. Only needed when notary.enabled is set to true 4443
service.nodePorts.http The service nodePort Harbor listens on when serving with HTTP nil
service.nodePorts.https The service nodePort Harbor listens on when serving with HTTPS nil
service.nodePorts.notary The service nodePort Notary listens on. Only needed when notary.enabled is set to true nil
service.annotations The annotations attached to the loadBalancer service {}
service.loadBalancerIP Load Balancer IP nil
service.externalTrafficPolicy Enable client source IP preservation Cluster
service.loadBalancerSourceRanges List of IP address ranges to assign to loadBalancerSourceRanges []
ingress.enabled Deploy ingress rules false
ingress.controller The ingress controller type. Currently supports default, gce and ncp default
ingress.hosts.core The host of Harbor core service in ingress rule core.harbor.domain
ingress.hosts.notary The host of Harbor Notary service in ingress rule notary.harbor.domain
ingress.annotations The annotations used in ingress nil

Persistence Parameters

Parameter Description Default
persistence.enabled Enable the data persistence or not true
persistence.resourcePolicy Set it to keep to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted keep
persistence.persistentVolumeClaim.registry.existingClaim Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components nil
persistence.persistentVolumeClaim.registry.storageClass Specify the storageClass used to provision the volume; otherwise the default StorageClass is used. Set it to - to disable dynamic provisioning nil
persistence.persistentVolumeClaim.registry.subPath The sub path used in the volume nil
persistence.persistentVolumeClaim.registry.accessMode The access mode of the volume ReadWriteOnce
persistence.persistentVolumeClaim.registry.size The size of the volume 5Gi
persistence.persistentVolumeClaim.jobservice.existingClaim Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components nil
persistence.persistentVolumeClaim.jobservice.storageClass Specify the storageClass used to provision the volume; otherwise the default StorageClass is used. Set it to - to disable dynamic provisioning nil
persistence.persistentVolumeClaim.jobservice.subPath The sub path used in the volume nil
persistence.persistentVolumeClaim.jobservice.accessMode The access mode of the volume ReadWriteOnce
persistence.persistentVolumeClaim.jobservice.size The size of the volume 1Gi
persistence.persistentVolumeClaim.chartmuseum.existingClaim Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components nil
persistence.persistentVolumeClaim.chartmuseum.storageClass Specify the storageClass used to provision the volume; otherwise the default StorageClass is used. Set it to - to disable dynamic provisioning nil
persistence.persistentVolumeClaim.chartmuseum.subPath The sub path used in the volume nil
persistence.persistentVolumeClaim.chartmuseum.accessMode The access mode of the volume ReadWriteOnce
persistence.persistentVolumeClaim.chartmuseum.size The size of the volume 5Gi
persistence.persistentVolumeClaim.trivy.existingClaim Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components nil
persistence.persistentVolumeClaim.trivy.storageClass Specify the storageClass used to provision the volume; otherwise the default StorageClass is used. Set it to - to disable dynamic provisioning nil
persistence.persistentVolumeClaim.trivy.accessMode The access mode of the volume ReadWriteOnce
persistence.persistentVolumeClaim.trivy.size The size of the volume 5Gi
persistence.imageChartStorage.disableredirect The configuration for managing redirects from content backends. For backends which do not support it (such as using minio for s3 storage type), please set it to true to disable redirects. Refer to the guide for more information about the detail false
persistence.imageChartStorage.caBundleSecretName Specify the caBundleSecretName if the storage service uses a self-signed certificate. The secret must contain keys named ca.crt which will be injected into the trust store of registry’s and chartmuseum’s containers.
persistence.imageChartStorage.type The type of storage for images and charts: filesystem, azure, gcs, s3, swift or oss. The type must be filesystem if you want to use persistent volumes for registry and chartmuseum. Refer to the guide for more information about the detail filesystem
persistence.imageChartStorage.azure.accountname Azure storage type setting: Name of the Azure account nil
persistence.imageChartStorage.azure.accountkey Azure storage type setting: Key of the Azure account nil
persistence.imageChartStorage.azure.container Azure storage type setting: Container nil
persistence.imageChartStorage.azure.storagePrefix Azure storage type setting: Storage prefix nil
persistence.imageChartStorage.azure.realm Azure storage type setting: Realm of the Azure account nil
persistence.imageChartStorage.gcs.accountname GCS storage type setting: Name of the bucket nil
persistence.imageChartStorage.gcs.encodedkey GCS storage type setting: Base64 encoded key nil
persistence.imageChartStorage.gcs.bucket GCS storage type setting: Bucket name nil
persistence.imageChartStorage.gcs.rootdirectory GCS storage type setting: Root directory name nil
persistence.imageChartStorage.gcs.chunksize GCS storage type setting: Chunk size name nil
persistence.imageChartStorage.s3.accesskey S3 storage type setting: Access key name nil
persistence.imageChartStorage.s3.secretkey S3 storage type setting: Secret Key name nil
persistence.imageChartStorage.s3.regionendpoint S3 storage type setting: Region Endpoint nil
persistence.imageChartStorage.s3.encrypt S3 storage type setting: Encrypt nil
persistence.imageChartStorage.s3.keyid S3 storage type setting: Key ID nil
persistence.imageChartStorage.s3.region S3 storage type setting: Region nil
persistence.imageChartStorage.s3.secure S3 storage type setting: Secure nil
persistence.imageChartStorage.s3.v4auth S3 storage type setting: V4 authorization nil
persistence.imageChartStorage.s3.chunksize S3 storage type setting: V4 authorization nil
persistence.imageChartStorage.s3.bucket S3 storage type setting: Bucket name nil
persistence.imageChartStorage.s3.rootdirectory S3 storage type setting: Root directory name nil
persistence.imageChartStorage.s3.storageclass S3 storage type setting: Storage class nil
persistence.imageChartStorage.s3.sse S3 storage type setting: SSE name nil
persistence.imageChartStorage.swift.authurl Swift storage type setting: Authentication url nil
persistence.imageChartStorage.swift.username Swift storage type setting: Authentication url nil
persistence.imageChartStorage.swift.password Swift storage type setting: Password nil
persistence.imageChartStorage.swift.container Swift storage type setting: Container nil
persistence.imageChartStorage.swift.region Swift storage type setting: Region nil
persistence.imageChartStorage.swift.tenant Swift storage type setting: Tenant nil
persistence.imageChartStorage.swift.tenantid Swift storage type setting: TenantID nil
persistence.imageChartStorage.swift.domain Swift storage type setting: Domain nil
persistence.imageChartStorage.swift.domainid Swift storage type setting: DomainID nil
persistence.imageChartStorage.swift.insecureskipverify Swift storage type setting: Verification nil
persistence.imageChartStorage.swift.trustid Swift storage type setting: TrustID nil
persistence.imageChartStorage.swift.chunksize Swift storage type setting: Chunk nil
persistence.imageChartStorage.swift.prefix Swift storage type setting: Prefix nil
persistence.imageChartStorage.swift.secretkey Swift storage type setting: Secret Key nil
persistence.imageChartStorage.swift.accesskey Swift storage type setting: Access Key nil
persistence.imageChartStorage.swift.authversion Swift storage type setting: Auth nil
persistence.imageChartStorage.swift.endpointtype Swift storage type setting: Endpoint nil
persistence.imageChartStorage.swift.tempurlcontainerkey Swift storage type setting: Temp URL container key nil
persistence.imageChartStorage.swift.tempurlmethods Swift storage type setting: Temp URL methods nil
persistence.imageChartStorage.oss.accesskeyid OSS storage type setting: Access key ID nil
persistence.imageChartStorage.oss.endpoint OSS storage type setting: Endpoint nil
persistence.imageChartStorage.oss.internal OSS storage type setting: Internal nil
persistence.imageChartStorage.oss.encrypt OSS storage type setting: Encrypt nil
persistence.imageChartStorage.oss.secure OSS storage type setting: Secure nil
persistence.imageChartStorage.oss.chunksize OSS storage type setting: Chunk nil
persistence.imageChartStorage.oss.rootdirectory OSS storage type setting: Directory nil
persistence.imageChartStorage.oss.secretkey OSS storage type setting: Secret key nil
persistence.imageChartStorage.oss.accesskeysecret OSS storage type setting: Access key secret name containing the token nil
persistence.imageChartStorage.oss.region OSS storage type setting: Region name nil
persistence.imageChartStorage.oss.bucket OSS storage type setting: Bucket name nil
persistence.imageChartStorage.filesystem.rootdirectory Filesystem storage type setting: Storage root directory nil
persistence.imageChartStorage.filesystem.maxthreads Filesystem storage type setting: Maximum threads directory nil

Nginx Parameters

NOTE: If you expose the service via ingress, Nginx will not be used

Parameter Description Default
nginxImage.registry Registry for Nginx image docker.io
nginxImage.repository Repository for Nginx image bitnami/nginx
nginxImage.tag Tag for Nginx image {TAG_NAME}
nginxImage.pullPolicy Harbor Portal image pull policy IfNotPresent
nginxImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
nginxImage.debug Specify if debug logs should be enabled false
nginx.replicas The replica count 1
nginx.resources The resources to allocate for container undefined
nginx.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
nginx.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
nginx.affinity Node/Pod affinities {} (The value is evaluated as a template)
nginx.podAnnotations Annotations to add to the nginx pod {}
nginx.behindReverseProxy If nginx is behind another reverse proxy, set to true false
nginx.extraEnvVars Array containing extra env vars nil
nginx.extraEnvVarsCM ConfigMap containing extra env vars nil
nginx.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
nginx.command Override default container command (useful when using custom images) nil
nginx.args Override default container args (useful when using custom images) nil
nginx.livenessProbe Liveness probe configuration Check values.yaml file
nginx.readinessProbe Readiness probe configuration Check values.yaml file
nginx.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
nginx.customLivenessProbe Override default liveness probe nil
nginx.customReadinessProbe Override default readiness probe nil
nginx.updateStrategy Deployment update strategy nil
nginx.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
nginx.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
nginx.sidecars Attach additional containers to the pod (evaluated as a template) nil
nginx.initContainers Add additional init containers to the pod (evaluated as a template) nil
nginx.podLabels Add additional labels to the pod (evaluated as a template) nil

Harbor Portal Parameters

Parameter Description Default
portalImage.registry Registry for portal image docker.io
portalImage.repository Repository for portal image bitnami/harbor-portal
portalImage.tag Tag for portal image {TAG_NAME}
portalImage.pullPolicy Harbor Portal image pull policy IfNotPresent
portalImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
portalImage.debug Specify if debug logs should be enabled false
portal.replicas The replica count 1
portal.resources The resources to allocate for container undefined
portal.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
portal.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
portal.affinity Node/Pod affinities {} (The value is evaluated as a template)
portal.podAnnotations Annotations to add to the portal pod {}
portal.livenessProbe Liveness probe configuration for Portal Check values.yaml file
portal.readinessProbe Readiness probe configuration for Portal Check values.yaml file
portal.extraEnvVars Array containing extra env vars nil
portal.extraEnvVarsCM ConfigMap containing extra env vars nil
portal.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
portal.command Override default container command (useful when using custom images) nil
portal.args Override default container args (useful when using custom images) nil
portal.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
portal.customLivenessProbe Override default liveness probe nil
portal.customReadinessProbe Override default readiness probe nil
portal.tls.existingSecret Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this value is not set, it will be automatically generated nil
portal.updateStrategy Deployment update strategy nil
portal.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
portal.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
portal.sidecars Attach additional containers to the pod (evaluated as a template) nil
portal.initContainers Add additional init containers to the pod (evaluated as a template) nil
portal.podLabels Add additional labels to the pod (evaluated as a template) nil

Harbor Core Parameters

Parameter Description Default
coreImage.registry Registry for core image docker.io
coreImage.repository Repository for Harbor core image bitnami/harbor-core
coreImage.tag Tag for Harbor core image {TAG_NAME}
coreImage.pullPolicy Harbor Core image pull policy IfNotPresent
coreImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
coreImage.debug Specify if debug logs should be enabled false
core.secretKey The key used for encryption. Must be a string of 16 chars Random 16 character long alphanumeric string
core.uaaSecretName If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key ca.crt.
core.tls.existingSecret Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this value is not set, it will be automatically generated nil
core.csrfKey CSRF key
core.replicas The replica count 1
core.resources The resources to allocate for container undefined
core.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
core.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
core.affinity Node/Pod affinities {} (The value is evaluated as a template)
core.podAnnotations Annotations to add to the core pod {}
core.secret Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. nil
core.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: tls.crt - the certificate and tls.key - the private key. The default key pair will be used if it isn’t set nil
core.livenessProbe Liveness probe configuration for Core Check values.yaml file
core.readinessProbe Readiness probe configuration for Core Check values.yaml file
core.extraEnvVars Array containing extra env vars nil
core.extraEnvVarsCM ConfigMap containing extra env vars nil
core.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
core.command Override default container command (useful when using custom images) nil
core.args Override default container args (useful when using custom images) nil
core.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
core.customLivenessProbe Override default liveness probe nil
core.customReadinessProbe Override default readiness probe nil
core.updateStrategy Deployment update strategy nil
core.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
core.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
core.sidecars Attach additional containers to the pod (evaluated as a template) nil
core.initContainers Add additional init containers to the pod (evaluated as a template) nil
core.podLabels Add additional labels to the pod (evaluated as a template) nil

Harbor Jobservice Parameters

Parameter Description Default
jobserviceImage.registry Registry for jobservice image docker.io
jobserviceImage.repository Repository for jobservice image bitnami/harbor-jobservice
jobserviceImage.tag Tag for jobservice image {TAG_NAME}
jobserviceImage.pullPolicy Harbor Jobservice image pull policy IfNotPresent
jobserviceImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
jobserviceImage.debug Specify if debug logs should be enabled false
jobservice.replicas The replica count 1
jobservice.updateStrategy.type The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn’t supported RollingUpdate
jobservice.maxJobWorkers The max job workers 10
jobservice.tls.existingSecret Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this value is not set, it will be automatically generated nil
jobservice.jobLogger The logger for jobs: file, database or stdout file
jobservice.resources The resources to allocate for container undefined
jobservice.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
jobservice.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
jobservice.affinity Node/Pod affinities {} (The value is evaluated as a template)
jobservice.podAnnotations Annotations to add to the jobservice pod {}
jobservice.secret Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. Random 16 character long alphanumeric string
jobservice.livenessProbe Liveness probe configuration for Job Service Check values.yaml file
jobservice.readinessProbe Readiness probe configuration for Job Service Check values.yaml file
jobservice.extraEnvVars Array containing extra env vars nil
jobservice.extraEnvVarsCM ConfigMap containing extra env vars nil
jobservice.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
jobservice.command Override default container command (useful when using custom images) nil
jobservice.args Override default container args (useful when using custom images) nil
jobservice.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
jobservice.customLivenessProbe Override default liveness probe nil
jobservice.customReadinessProbe Override default readiness probe nil
jobservice.updateStrategy Deployment update strategy nil
jobservice.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
jobservice.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
jobservice.sidecars Attach additional containers to the pod (evaluated as a template) nil
jobservice.initContainers Add additional init containers to the pod (evaluated as a template) nil
jobservice.podLabels Add additional labels to the pod (evaluated as a template) nil

Harbor Registry Parameters

Parameter Description Default
registryImage.registry Registry for registry image docker.io
registryImage.repository Repository for registry image bitnami/harbor-registry
registryImage.tag Tag for registry image {TAG_NAME}
registryImage.pullPolicy Harbor Registry image pull policy IfNotPresent
registryImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
registryImage.debug Specify if debug logs should be enabled false
registryctlImage.registry Registry for registryctl image docker.io
registryctlImage.repository Repository for registryctl controller image bitnami/harbor-registryctl
registryctlImage.tag Tag for registryctl controller image {TAG_NAME}
registryctlImage.pullPolicy Harbor Registryctl image pull policy IfNotPresent
registryctlImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
registryctlImage.debug Specify if debug logs should be enabled false
registry.relativeurls Make the registry return relative URLs in Location headers. false
registry.tls.existingSecret Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this value is not set, it will be automatically generated nil
registry.replicas The replica count 1
registry.credentials.username The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs. harbor_registry_user
registry.credentials.password The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs. It is suggested you update this value before installation. harbor_registry_password
registry.credentials.htpasswd The content of htpasswd file based on the value of registry.credentials.username and registry.credentials.password. Currently helm does not support bcrypt in the template script, if the credential is updated you need to generate it manually by calling htpasswd: htpasswd -nbBC10 $username $password. More details see official_docs. harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m
registry.updateStrategy.type The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn’t supported RollingUpdate
registry.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
registry.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
registry.affinity Node/Pod affinities {} (The value is evaluated as a template)
registry.podAnnotations Annotations to add to the registry pod {}
registry.middleware.enabled Middleware is used to add support for a CDN between backend storage and docker pull recipient. See official docs.
registry.middleware.type CDN type for the middleware
registry.middleware.cloudFront.baseurl CloudFront CDN settings: Base URL
registry.middleware.cloudFront.keypairid CloudFront CDN settings: Keypair ID
registry.middleware.cloudFront.duration CloudFront CDN settings: Duration
registry.middleware.cloudFront.ipfilteredby CloudFront CDN settings: IP filters
registry.middleware.cloudFront.privateKeySecret CloudFront CDN settings: Secret name with the private key
registry.secret Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. nil
registry.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
registry.updateStrategy Deployment update strategy nil
registry.sidecars Attach additional containers to the pod (evaluated as a template) nil
registry.initContainers Add additional init containers to the pod (evaluated as a template) nil
registry.podLabels Add additional labels to the pod (evaluated as a template) nil
registry.server.resources The resources to allocate for container undefined
registry.server.livenessProbe Liveness probe configuration for Registry Check values.yaml file
registry.server.readinessProbe Readiness probe configuration for Registry Check values.yaml file
registry.server.extraEnvVars Array containing extra env vars nil
registry.server.extraEnvVarsCM ConfigMap containing extra env vars nil
registry.server.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
registry.server.command Override default container command (useful when using custom images) nil
registry.server.args Override default container args (useful when using custom images) nil
registry.server.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
registry.server.customLivenessProbe Override default liveness probe nil
registry.server.customReadinessProbe Override default readiness probe nil
registry.server.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
registry.controller.resources The resources to allocate for container undefined
registry.controller.livenessProbe Liveness probe configuration for Registry Check values.yaml file
registry.controller.readinessProbe Readiness probe configuration for Registry Check values.yaml file
registry.controller.extraEnvVars Array containing extra env vars nil
registry.controller.extraEnvVarsCM ConfigMap containing extra env vars nil
registry.controller.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
registry.controller.command Override default container command (useful when using custom images) nil
registry.controller.args Override default container args (useful when using custom images) nil
registry.controller.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
registry.controller.customLivenessProbe Override default liveness probe nil
registry.controller.customReadinessProbe Override default readiness probe nil
registry.controller.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil

ChartMuseum Parameters

Parameter Description Default
chartMuseumImage.registry Registry for ChartMuseum image docker.io
chartMuseumImage.repository Repository for ChartMuseum image bitnami/chartmuseum
chartMuseumImage.tag Tag for ChartMuseum image {TAG_NAME}
chartMuseumImage.pullPolicy ChartMuseum image pull policy IfNotPresent
chartMuseumImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
chartMuseumImage.debug Specify if debug logs should be enabled false
chartmuseum.enabled Enable ChartMuseum true
chartmuseum.replicas Number of ChartMuseum replicas 1
chartmuseum.resources The resources to allocate for container undefined
chartmuseum.updateStrategy The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn’t supported RollingUpdate
chartmuseum.useRedisCache Specify if ChartMuseum will use redis cache true
chartmuseum.absoluteUrl Specify an absolute URL for ChartMuseum registry false
chartmuseum.chartRepoName Specify the endpoint for the chartmuseum registry. Only applicable if chartmuseum.absoluteUrl is true chartsRepo
chartmuseum.maxUploadSize Maximum upload size nil
chartmuseum.maxStorageObjects Maximum storage objects nil
chartmuseum.tls.existingSecret Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this value is not set, it will be automatically generated nil
chartmuseum.depth Support for multitenancy. More info here 1
chartmuseum.logJson Print logs in JSON format false
chartmuseum.disableMetrics Disable prometheus metrics exposure false
chartmuseum.disableApi Disable all the routes prefixed with /api false
chartmuseum.disableStatefiles Disable use of index-cache.yaml false
chartmuseum.allowOverwrite Allow chart versions to be re-uploaded without force querystring true
chartmuseum.anonymousGet Allow anonymous GET operations false
chartmuseum.contextPath Set the base context path for ChartMuseum nil
chartmuseum.indexLimit Limit the number of parallel indexes for ChartMuseum nil
chartmuseum.chartPostFormFieldName Form field which will be queried for the chart file content nil
chartmuseum.provPostFormFieldName Form field which will be queried for the provenance file content nil
chartmuseum.extraEnvVars Allow to pass extra environment variables to the chartmuseum image nil
chartmuseum.livenessProbe Liveness probe configuration Check values.yaml file
chartmuseum.readinessProbe Readiness probe configuration Check values.yaml file
chartmuseum.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
chartmuseum.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
chartmuseum.affinity Node/Pod affinities {} (The value is evaluated as a template)
chartmuseum.podAnnotations Annotations to add to the chartmuseum pod {}
chartmuseum.extraEnvVars Array containing extra env vars nil
chartmuseum.extraEnvVarsCM ConfigMap containing extra env vars nil
chartmuseum.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
chartmuseum.command Override default container command (useful when using custom images) nil
chartmuseum.args Override default container args (useful when using custom images) nil
chartmuseum.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
chartmuseum.customLivenessProbe Override default liveness probe nil
chartmuseum.customReadinessProbe Override default readiness probe nil
chartmuseum.updateStrategy Deployment update strategy nil
chartmuseum.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
chartmuseum.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
chartmuseum.sidecars Attach additional containers to the pod (evaluated as a template) nil
chartmuseum.initContainers Add additional init containers to the pod (evaluated as a template) nil
chartmuseum.podLabels Add additional labels to the pod (evaluated as a template) nil

Clair Parameters

Parameter Description Default
clairImage.registry Registry for clair image docker.io
clairImage.repository Repository for clair image bitnami/harbor-clair
clairImage.tag Tag for clair image {TAG_NAME}
clairImage.pullPolicy Harbor clair image pull policy IfNotPresent
clairImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
clairImage.debug Specify if debug logs should be enabled false
clairAdapterImage.registry Registry for clair adapter image docker.io
clairAdapterImage.repository Repository for clair adapter image bitnami/harbor-adapter-clair
clairAdapterImage.tag Tag for clair adapter image {TAG_NAME}
clairAdapterImage.pullPolicy Harbor clair adapter image pull policy IfNotPresent
clairAdapterImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
clairAdapterImage.debug Specify if debug logs should be enabled false
clair.updateStrategy The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn’t supported RollingUpdate
clair.enabled Enable Clair true
clair.replicas The replica count 1
clair.httpProxy The http proxy used to update vulnerabilities database from internet undefined
clair.httpsProxy The https proxy used to update vulnerabilities database from internet undefined
clair.updatersInterval The interval of clair updaters (hours), set to 0 to disable 12
clair.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
clair.tls.existingSecret Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this value is not set, it will be automatically generated nil
clair.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
clair.affinity Node/Pod affinities {} (The value is evaluated as a template)
clair.podAnnotations Annotations to add to the clair pod {}
clair.podLabels Add additional labels to the pod (evaluated as a template) nil
clair.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
clair.sidecars Attach additional containers to the pod (evaluated as a template) nil
clair.initContainers Add additional init containers to the pod (evaluated as a template) nil
clair.server.resources The resources to allocate for container undefined
clair.server.livenessProbe Liveness probe configuration Check values.yaml file
clair.server.readinessProbe Readiness probe configuration Check values.yaml file
clair.server.extraEnvVars Array containing extra env vars nil
clair.server.extraEnvVarsCM ConfigMap containing extra env vars nil
clair.server.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
clair.server.command Override default container command (useful when using custom images) nil
clair.server.args Override default container args (useful when using custom images) nil
clair.server.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
clair.server.customLivenessProbe Override default liveness probe nil
clair.server.customReadinessProbe Override default readiness probe nil
clair.server.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
clair.adapter.resources The resources to allocate for container undefined
clair.adapter.livenessProbe Liveness probe configuration Check values.yaml file
clair.adapter.readinessProbe Readiness probe configuration Check values.yaml file
clair.adapter.extraEnvVars Array containing extra env vars nil
clair.adapter.extraEnvVarsCM ConfigMap containing extra env vars nil
clair.adapter.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
clair.adapter.command Override default container command (useful when using custom images) nil
clair.adapter.args Override default container args (useful when using custom images) nil
clair.adapter.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
clair.adapter.customLivenessProbe Override default liveness probe nil
clair.adapter.customReadinessProbe Override default readiness probe nil
clair.adapter.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil

Notary Parameters

Parameter Description Default
notary.enabled Enable Notary true
notaryServerImage.registry Registry for notary server image docker.io
notaryServerImage.repository Repository for notary server image bitnami/harbor-notary-server
notaryServerImage.tag Tag for notary server image 1.10.1-debian-10-r0
notaryServerImage.debug Specify if debug logs should be enabled false
notaryServerImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
notaryServerImage.pullPolicy Harbor notary server image pull policy IfNotPresent
notarySignerImage.registry Registry for notary signer images docker.io
notarySignerImage.debug Specify if debug logs should be enabled false
notarySignerImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
notarySignerImage.repository Repository for notary signer image bitnami/harbor-notary-signer
notarySignerImage.tag Tag for notary signer image 1.10.1-debian-10-r0
notarySignerImage.pullPolicy Harbor notary signer image pull policy IfNotPresent
notary.server.replicas The replica count 1
notary.server.resources The resources to allocate for container {}
notary.signer.replicas The replica count 1
notary.signer.resources The resources to allocate for container {}
notary.server.nodeSelector Node labels for pod assignment {}
notary.server.tolerations Tolerations for pod assignment []
notary.server.affinity Node/Pod affinities {}
notary.server.podAnnotations Annotations to add to the notary pod {}
notary.signer.nodeSelector Node labels for pod assignment {}
notary.signer.tolerations Tolerations for pod assignment []
notary.signer.affinity Node/Pod affinities {}
notary.signer.podAnnotations Annotations to add to the notary pod {}
notary.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named notary-signer-ca.crt, notary-signer.key and notary-signer.crt that contain the CA, certificate and private key. They will be generated if not set. nil
notary.server.extraEnvVars Array containing extra env vars nil
notary.server.extraEnvVarsCM ConfigMap containing extra env vars nil
notary.server.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
notary.server.command Override default container command (useful when using custom images) nil
notary.server.args Override default container args (useful when using custom images) nil
notary.server.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
notary.server.customLivenessProbe Override default liveness probe nil
notary.server.customReadinessProbe Override default readiness probe nil
notary.server.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
notary.server.livenessProbe Liveness probe configuration for Notary server Check values.yaml file
notary.server.readinessProbe Readiness probe configuration for Notary server Check values.yaml file
notary.server.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
notary.server.sidecars Attach additional containers to the pod (evaluated as a template) nil
notary.server.initContainers Add additional init containers to the pod (evaluated as a template) nil
notary.server.updateStrategy Deployment update strategy nil
notary.server.podLabels Add additional labels to the pod (evaluated as a template) nil
notary.signer.extraEnvVars Array containing extra env vars nil
notary.signer.extraEnvVarsCM ConfigMap containing extra env vars nil
notary.signer.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
notary.signer.command Override default container command (useful when using custom images) nil
notary.signer.args Override default container args (useful when using custom images) nil
notary.signer.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
notary.signer.customLivenessProbe Override default liveness probe nil
notary.signer.customReadinessProbe Override default readiness probe nil
notary.signer.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
notary.signer.podLabels Add additional labels to the pod (evaluated as a template) nil
notary.signer.podAnnotations Annotations to add to the notary.signer pod {}
notary.signer.affinity Node/Pod affinities {} (The value is evaluated as a template)
notary.signer.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
notary.signer.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
notary.signer.livenessProbe Liveness probe configuration for Notary signer Check values.yaml file
notary.signer.readinessProbe Readiness probe configuration for Notary signer Check values.yaml file
notary.signer.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
notary.signer.sidecars Attach additional containers to the pod (evaluated as a template) nil
notary.signer.initContainers Add additional init containers to the pod (evaluated as a template) nil
notary.signer.updateStrategy Deployment update strategy nil

Harbor Trivy Parameters

Parameter Description Default
trivy.enabled Enable Trivy true
trivyImage.registry Registry for trivy image docker.io
trivyImage.repository Repository for trivy image bitnami/harbor-trivy
trivyImage.tag Tag for trivy image {TAG_NAME}
trivyImage.pullPolicy Harbor trivy image pull policy IfNotPresent
trivyImage.pullSecrets Specify docker-registry secret names as an array [] (does not add image pull secrets to deployed pods)
trivyImage.debug Specify if debug logs should be enabled false
trivy.automountServiceAccountToken Automount service account token in the Trivy containers false
trivy.debugMode The flag to enable Trivy debug mode false
trivy.vulnType Comma-separated list of vulnerability types. Possible values os and library. os,library
trivy.severity Comma-separated list of severities to be checked UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy.ignoreUnfixed The flag to display only fixed vulnerabilities false
trivy.insecure The flag to skip verifying registry certificate false
trivy.skipUpdate The flag to disable Trivy DB downloads from GitHub false
trivy.gitHubToken The GitHub access token to download Trivy DB
trivy.tls.existingSecret Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this value is not set, it will be automatically generated nil
trivy.cacheDir Directory to store the cache /opt/bitnami/trivy/tmp/cache
trivy.replicas The replica count 1
trivy.resources The resources to allocate for container undefined
trivy.nodeSelector Node labels for pod assignment {} (The value is evaluated as a template)
trivy.tolerations Tolerations for pod assignment [] (The value is evaluated as a template)
trivy.affinity Node/Pod affinities {} (The value is evaluated as a template)
trivy.podAnnotations Annotations to add to the trivy pod {}
trivy.livenessProbe Liveness probe configuration for trivy Check values.yaml file
trivy.readinessProbe Readiness probe configuration for trivy Check values.yaml file
trivy.extraEnvVars Array containing extra env vars nil
trivy.extraEnvVarsCM ConfigMap containing extra env vars nil
trivy.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) nil
trivy.command Override default container command (useful when using custom images) nil
trivy.args Override default container args (useful when using custom images) nil
trivy.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template
trivy.customLivenessProbe Override default liveness probe nil
trivy.customReadinessProbe Override default readiness probe nil
trivy.updateStrategy Deployment update strategy nil
trivy.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts nil
trivy.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. nil
trivy.sidecars Attach additional containers to the pod (evaluated as a template) nil
trivy.initContainers Add additional init containers to the pod (evaluated as a template) nil
trivy.podLabels Add additional labels to the pod (evaluated as a template) nil

PostgreSQL Parameters

Parameter Description Default
postgresql.enabled If external database is used, set it to false true
postgresql.nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) nil
postgresql.postgresqlUsername Postgresql username postgres
postgresql.postgresqlPassword Postgresql password not-a-secure-database-password
postgresql.postgresqlExtendedConf Extended runtime config parameters (appended to main or default configuration) {"maxConnections": "1024"}
postgresql.replication.enabled Enable replicated postgresql false
postgresql.persistence.enabled Enable persistence for PostgreSQL true
postgresql.initdbScripts Initdb scripts to create Harbor databases See values.yaml file
externalDatabase.host Host of the external database localhost
externalDatabase.port Port of the external database 5432
externalDatabase.user Existing username in the external db bn_harbor
externalDatabase.password Password for the above username nil
externalDatabase.coreDatabase External database name for core nil
externalDatabase.clairDatabase External database name for clair nil
externalDatabase.clairUsername External database username for clair nil
externalDatabase.clairPassword External database password for clair nil
externalDatabase.notaryServerDatabase External database name for notary server nil
externalDatabase.notaryServerUsername External database username for notary server nil
externalDatabase.notaryServerPassword External database password for notary server nil
externalDatabase.notarySignerDatabase External database name for notary signer nil
externalDatabase.notarySignerUsername External database username for notary signer nil
externalDatabase.notarySignerPassword External database password for notary signer nil
externalDatabase.sslmode External database ssl mode nil

Redis Parameters

Parameter Description Default
redis.enabled If external redis is used, set it to false true
redis.nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) nil
redis.password Redis password nil
redis.usePassword Use redis password false
redis.cluster.enabled Enable cluster redis false
redis.master.persistence.enabled Enable persistence for master Redis true
redis.slave.persistence.enabled Enable persistence for slave Redis true
externalRedis.host Host of the external redis localhost
externalRedis.port Port of the external redis 6379
externalRedis.password Password for the external redis nil
externalRedis.jobserviceDatabaseIndex Index for jobservice database 1
externalRedis.registryDatabaseIndex Index for registry database 2
externalRedis.chartmuseumDatabaseIndex Index for chartmuseum database 3
externalRedis.clairAdapterDatabaseIndex Index for clair adapter database 3
externalRedis.trivyAdapterDatabaseIndex Index for trivy adapter database 3

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install my-release \
  --set harborAdminPassword=password \
  bitnami/harbor

The above command sets the Harbor administrator account password to password.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

$ helm install my-release -f values.yaml bitnami/harbor

Configuration and installation details

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

Production configuration

This chart includes a values-production.yaml file where you can find some parameters oriented to production configuration in comparison to the regular values.yaml. You can use this file instead of the default one.

  • How the service is exposed: Ingress, ClusterIP, NodePort or LoadBalancer:

    - ingress.enabled: false
    + ingress.enabled: true

  • The common name used to generate the certificate. It is necessary when service.type is ClusterIP or NodePort and service.tls.secretName is null:

    - service.tls.commonName: "core.harbor.domain"
    + service.tls.commonName: ""

  • Option to ensure all passwords and keys are set by the user:

    - forcePassword: false
    + forcePassword: true

  • Option to deploy Redis cluster:

    - redis.cluster.enabled: false
    + redis.cluster.enabled: true

  • Option to deploy PostgreSQL replication cluster:

    - postgresql.replication.enabled: false
    + postgresql.replication.enabled: true

  • Internal TLS is enabled by default:

    - internalTLS.enabled: false
    + internalTLS.enabled: true

Configure how the Harbor service is exposed:

  • Ingress: The ingress controller must be installed in the Kubernetes cluster. Note: if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue #5291 for details.
  • ClusterIP: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
  • NodePort: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting NodeIP:NodePort.
  • LoadBalancer: Exposes the service externally using a cloud provider’s load balancer.

Sidecars and Init Containers

If you have a need for additional containers to run within the same pod as any of the Harbor components (e.g. an additional metrics or logging exporter), you can do so via the sidecars config parameter inside each component subsection. Simply define your container according to the Kubernetes container spec.

core:
  sidecars:
    - name: your-image-name
      image: your-image
      imagePullPolicy: Always
      ports:
        - name: portname
          containerPort: 1234

Similarly, you can add extra init containers using the initContainers parameter.

core:
  initContainers:
    - name: your-image-name
      image: your-image
      imagePullPolicy: Always
      ports:
        - name: portname
          containerPort: 1234

Adding extra environment variables

In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the extraEnvVars property inside each component subsection.

core:
  extraEnvVars:
    - name: LOG_LEVEL
      value: error

Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the extraEnvVarsCM or the extraEnvVarsSecret values inside each component subsection.

Configure the external URL:

The external URL for Harbor core service is used to:

  1. populate the docker/helm commands shown on the portal
  2. populate the token service URL returned to the docker/notary client

Format: protocol://domain[:port]. Usually:

  • if you expose the service via Ingress, the domain should be the value of ingress.hosts.core
  • if you expose the service via ClusterIP, the domain should be the value of service.clusterIP.name
  • if you expose the service via NodePort, the domain should be the IP address of one Kubernetes node
  • if you expose the service via LoadBalancer, set the domain as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider

If Harbor is deployed behind a proxy, set it to the URL of the proxy.

Configure data persistence:

  • Disable: The data does not survive the termination of a pod.
  • Persistent Volume Claim (default): A default StorageClass is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in storageClass, or set existingClaim if you already have persistent volumes to use.
  • External Storage (only for images and charts): For images and charts, the following external storage backends are supported: azure, gcs, s3, swift and oss.

Configure the secrets:

  • Secret keys: Secret keys are used for secure communication between components. Fill core.secret, jobservice.secret and registry.secret to configure.
  • Certificates: Used for token encryption/decryption. Fill core.secretName to configure.

Secrets and certificates must be set up to avoid changes on every Helm upgrade (see: #107).
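A values audit for the secret, TLS and tag settings this README calls out, as an added example (not part of the Bitnami chart). The function names and sample values are constructed; `values` is the nested dict a YAML loader would return for values.yaml, and treating a trailing -rN revision as the mark of an immutable tag is an assumption based on the 1.10.1-debian-10-r0 default in the Notary table.

```python
"""Audit a Harbor chart values override against the settings this README flags."""
import re

# Chart defaults copied from the parameter tables and production diffs in this README.
CHART_DEFAULTS = {
    "forcePassword": False,
    "internalTLS.enabled": False,
    "postgresql.enabled": True,
    "postgresql.postgresqlPassword": "not-a-secure-database-password",
    "trivy.insecure": False,
}
# Values the README says to fill in so they do not change on every Helm upgrade.
PINNED_SECRETS = ("core.secret", "jobservice.secret", "registry.secret", "core.secretName")
# Assumption: an immutable tag carries a revision suffix such as "-r0".
IMMUTABLE_TAG = re.compile(r"-r\d+$")


def lookup(values, dotted_key):
    """Resolve 'a.b.c' in a nested dict, falling back to the chart default."""
    node = values
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return CHART_DEFAULTS.get(dotted_key)
        node = node[part]
    return node


def audit(values):
    """Return {parameter: finding} for every setting that needs attention."""
    findings = {}

    for key in PINNED_SECRETS:
        if not lookup(values, key):
            findings[key] = "unset: the chart generates it, so it can change on upgrade"
    registry_secret = lookup(values, "registry.secret")
    if registry_secret and len(str(registry_secret)) != 16:
        findings["registry.secret"] = "must be a string of 16 chars"

    if not lookup(values, "forcePassword"):
        findings["forcePassword"] = "false: passwords and keys are not forced to be user-set"
    if not lookup(values, "internalTLS.enabled"):
        findings["internalTLS.enabled"] = "false: internal TLS between components is off"
    if lookup(values, "trivy.insecure"):
        findings["trivy.insecure"] = "true: registry certificate verification is skipped"

    if lookup(values, "postgresql.enabled"):
        default_pw = CHART_DEFAULTS["postgresql.postgresqlPassword"]
        if lookup(values, "postgresql.postgresqlPassword") == default_pw:
            findings["postgresql.postgresqlPassword"] = "documented default password in use"
    elif not lookup(values, "externalDatabase.password"):
        findings["externalDatabase.password"] = "unset for the external database"

    # Only tags set explicitly in the override are checked; {TAG_NAME} defaults are not known here.
    for name, section in values.items():
        if name.endswith("Image") and isinstance(section, dict) and "tag" in section:
            if not IMMUTABLE_TAG.search(str(section["tag"])):
                findings[name + ".tag"] = "rolling tag: the image can change under the same tag"
    return findings


# Constructed sample overrides (placeholder secrets, not real credentials).
WEAK_VALUES = {
    "registry": {"secret": "short"},
    "trivy": {"insecure": True},
    "trivyImage": {"tag": "latest"},
}
HARDENED_VALUES = {
    "forcePassword": True,
    "internalTLS": {"enabled": True},
    "core": {"secret": "c0reSecret16char", "secretName": "harbor-core-token-certs"},
    "jobservice": {"secret": "j0bSecret16chars"},
    "registry": {"secret": "reg1strySecret16"},
    "postgresql": {"postgresqlPassword": "example-only-change-me"},
    "notaryServerImage": {"tag": "1.10.1-debian-10-r0"},
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_VALUES), ("hardened", HARDENED_VALUES)):
        print(label)
        for key, message in sorted(audit(sample).items()):
            print(f"  {key}: {message}")
```

Load the real file with any YAML parser and pass the resulting dict to audit(); an empty result means none of the checked settings were flagged.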

Adjust permissions of persistent volume mountpoint

As the images run as non-root by default, it is necessary to adjust the ownership of the persistent volumes so that the containers can write data to them.

By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.

You can enable this initContainer by setting volumePermissions.enabled to true.

Upgrade

NOTE: If you are upgrading an installation that contains a large amount of data, it is recommended to disable the liveness/readiness probes, as the migration can take a substantial amount of time.

8.0.0

The Redis dependency version was bumped to the new major version 11.x.x, which introduced breaking changes regarding sentinel. By default, this chart does not use this feature and hence no issues are expected between upgrades. You may refer to Redis Upgrading Notes for further information.

7.0.0

This major version includes a major change in the PostgreSQL subchart labeling. Backwards compatibility from previous versions to this one is not guaranteed during the upgrade.

You can find more information about the changes in the PostgreSQL subchart and a way to workaround the helm upgrade issue in the “Upgrade to 9.0.0” section of the PostgreSQL README.

6.0.0 to 6.0.2

Due to an issue with Trivy volumeClaimTemplates, the upgrade needs to be done in two steps:

  • Upgrade the chart to 6.0.2 with trivy.enabled=false:

$ helm upgrade my-release bitnami/harbor --version 6.0.2 --set trivy.enabled=false <REST OF THE UPGRADE PARAMETERS>

  • Execute a new upgrade setting trivy.enabled=true:

$ helm upgrade my-release bitnami/harbor --set trivy.enabled=true <REST OF THE UPGRADE PARAMETERS>

6.0.0

The chart was changed to adapt to the common Bitnami chart standards. Now it includes common elements such as sidecar and init container support, custom commands, custom liveness/readiness probes, extra environment variables support, extra pod annotations and labels, among others. In addition, it adds a new Trivy deployment for image scanning.

No issues are expected between upgrades but please double check the updated parameter list as some of them could have been renamed. Please pay special attention to the following changes:

  • service.type=ingress is not allowed anymore. Instead, set the value ingress.enabled=true.
  • secretKey has been moved to core.secretKey.

4.0.0

PostgreSQL and Redis dependencies were updated to use the latest major versions, 8.x.x and 10.x.x, respectively. These major versions do not include changes that should break backwards compatibility; check the links below for more information:

3.0.0

Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes’ point of view, so you cannot “upgrade” those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.

In c085d396a0515be7217d65e92f4fbd474840908b the apiVersion of the deployment resources was updated to apps/v1 in line with the API deprecations, resulting in compatibility breakage.

This major version signifies this change.

2.0.0

In this version, two major changes were performed:

For major releases of PostgreSQL, the internal data storage format is subject to change, which complicates upgrades. You may see errors like the following in the logs:

Welcome to the Bitnami postgresql container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues
Send us your feedback at containers@bitnami.com

INFO  ==> ** Starting PostgreSQL setup **
INFO  ==> Validating settings in POSTGRESQL_* env vars..
INFO  ==> Initializing PostgreSQL database...
INFO  ==> postgresql.conf file not detected. Generating it...
INFO  ==> pg_hba.conf file not detected. Generating it...
INFO  ==> Deploying PostgreSQL with persisted data...
INFO  ==> Configuring replication parameters
INFO  ==> Loading custom scripts...
INFO  ==> Enabling remote connections
INFO  ==> Stopping PostgreSQL...
INFO  ==> ** PostgreSQL setup finished! **

INFO  ==> ** Starting PostgreSQL **
  [1] FATAL:  database files are incompatible with server
  [1] DETAIL:  The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3.

In this case, you should migrate the data from the old PostgreSQL chart to the new one following an approach similar to that described in this section from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one.