charts/bitnami/harbor

Harbor

This Helm chart has been developed based on goharbor/harbor-helm chart but including some features common to the Bitnami chart library. For example, the following changes have been introduced:

• Possibility to pull all the required images from a private registry through the Global Docker image parameters.
• Redis^TM and PostgreSQL are managed as chart dependencies.
• Liveness and Readiness probes for all deployments are exposed to the values.yaml.
• Uses new Helm chart labels formatting.
• Uses Bitnami container images:
  • non-root by default
  • published for debian-10 and ol-7
• This chart support the Harbor optional components Chartmuseum, Clair and Notary integrations.

TL;DR

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/harbor

Introduction

This Helm chart installs Harbor in a Kubernetes cluster. Welcome to contribute to Helm Chart for Harbor.

Prerequisites

• Kubernetes 1.12+
• Helm 3.1.0
• PV provisioner support in the underlying infrastructure
• ReadWriteMany volumes for deployment scaling

Installing the Chart

Install the Harbor helm chart with a release name my-release:

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/harbor

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete --purge my-release

Additionally, if persistence.resourcePolicy is set to keep, you should manually delete the PVCs.

Parameters

The following tables list the configurable parameters of the Harbor chart and their default values per section/component:

Global Parameters

Parameter	Description	Default
global.imageRegistry	Global Docker image registry	nil
global.imagePullSecrets	Global Docker registry secret names as an array	[] (does not add image pull secrets to deployed pods)
global.storageClass	Global storage class for dynamic provisioning	nil

Common Parameters

Parameter	Description	Default
caBundleSecretName	The custom ca bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components.	nil
commonLabels	Labels to add to all deployed objects	nil
commonAnnotations	Annotations to add to all deployed objects	[]
kubeVersion	Force target Kubernetes version (using Helm capabilities if not set)	nil
internalTLS.enabled	Use TLS in all the supported containers: chartmuseum, clair, core, jobservice, portal, registry and trivy	false
logLevel	The log level	debug
forcePassword	Option to ensure all passwords and keys are set by the user	false
harborAdminPassword	The initial password of Harbor admin. Change it from portal after launching Harbor	random 10 character long alphanumeric string
nameOverride	String to partially override common.names.fullname template with a string (will prepend the release name)	nil
fullnameOverride	String to fully override common.names.fullname template with a string	nil
containerSecurityContext	Container security podSecurityContext	{ runAsUser: 1001, runAsNonRoot: true }
podSecurityContext	Pod security context	{ fsGroup: 1001 }
volumePermissions.enabled	Enable init container that changes volume permissions in the data directory (for cases where the default k8s runAsUser and fsUser values do not work)	false
volumePermissions.image.registry	Init container volume-permissions image registry	docker.io
volumePermissions.image.repository	Init container volume-permissions image name	bitnami/minideb
volumePermissions.image.tag	Init container volume-permissions image tag	buster
volumePermissions.image.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
volumePermissions.image.pullPolicy	Init container volume-permissions image pull policy	Always
volumePermissions.resources	Init container resource requests/limit	nil
proxy.httpProxy	The URL of the HTTP proxy server
proxy.httpsProxy	The URL of the HTTPS proxy server
proxy.noProxy	The URLs that the proxy settings not apply to	127.0.0.1,localhost,.local,.internal
proxy.components	The component list that the proxy settings apply to	core, jobservice, clair
externalURL	The external URL for Harbor core service	https://core.harbor.domain
extraDeploy	Array of extra objects to deploy with the release (evaluated as a template).	nil

Traffic Exposure Parameters

Parameter	Description	Default
service.type	The way how to expose the service: Ingress, ClusterIP, NodePort or LoadBalancer	LoadBalancer
service.tls.enabled	Enable the tls or not (for external access)	true
service.tls.existingSecret	Existing secret name containing your own TLS certificates. The secret must contain the keys: tls.crt - the certificate (required), tls.key - the private key (required), ca.crt - the certificate of CA (optional). Self-signed TLS certificates will be used otherwise.	nil
service.tls.notaryExistingSecret	By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the service.type is ingress.	nil
service.tls.commonName	The common name used to generate the certificate, it's necessary when the service.type is ClusterIP or NodePort and service.tls.existingSecret is null	nil
service.ports.http	The service port Harbor listens on when serving with HTTP	80
service.ports.https	The service port Harbor listens on when serving with HTTPS	443
service.ports.notary	The service port Notary listens on. Only needed when notary.enabled is set to true	4443
service.nodePorts.http	The service nodePort Harbor listens on when serving with HTTP	nil
service.nodePorts.https	The service nodePort Harbor listens on when serving with HTTPS	nil
service.nodePorts.notary	The service nodePort Notary listens on. Only needed when notary.enabled is set to true	nil
service.annotations	The annotations attached to the loadBalancer service	{}
service.loadBalancerIP	Load Balancer IP	nil
service.externalTrafficPolicy	Enable client source IP preservation	Cluster
service.loadBalancerSourceRanges	List of IP address ranges to assign to loadBalancerSourceRanges	[]
ingress.enabled	Deploy ingress rules	false
ingress.apiVersion	Override ingress api version	``
ingress.pathType	Ingress path type	ImplementationSpecific
ingress.controller	The ingress controller type. Currently supports default, gce and ncp	default
ingress.hosts.core	The host of Harbor core service in ingress rule	core.harbor.domain
ingress.hosts.notary	The host of Harbor Notary service in ingress rule	notary.harbor.domain
ingress.annotations	The annotations used in ingress	nil

Persistence Parameters

Parameter	Description	Default
persistence.enabled	Enable the data persistence or not	true
persistence.resourcePolicy	Setting it to keep to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted	keep
persistence.persistentVolumeClaim.registry.existingClaim	Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components	nil
persistence.persistentVolumeClaim.registry.storageClass	Specify the storageClass used to provision the volume. Or the default StorageClass will be used(the default). Set it to - to disable dynamic provisioning	nil
persistence.persistentVolumeClaim.registry.subPath	The sub path used in the volume	nil
persistence.persistentVolumeClaim.registry.accessMode	The access mode of the volume	ReadWriteOnce
persistence.persistentVolumeClaim.registry.size	The size of the volume	5Gi
persistence.persistentVolumeClaim.jobservice.existingClaim	Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components	nil
persistence.persistentVolumeClaim.jobservice.storageClass	Specify the storageClass used to provision the volume. Or the default StorageClass will be used(the default). Set it to - to disable dynamic provisioning	nil
persistence.persistentVolumeClaim.jobservice.subPath	The sub path used in the volume	nil
persistence.persistentVolumeClaim.jobservice.accessMode	The access mode of the volume	ReadWriteOnce
persistence.persistentVolumeClaim.jobservice.size	The size of the volume	1Gi
persistence.persistentVolumeClaim.chartmuseum.existingClaim	Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components	nil
persistence.persistentVolumeClaim.chartmuseum.storageClass	Specify the storageClass used to provision the volume. Or the default StorageClass will be used(the default). Set it to - to disable dynamic provisioning	nil
persistence.persistentVolumeClaim.chartmuseum.subPath	The sub path used in the volume	nil
persistence.persistentVolumeClaim.chartmuseum.accessMode	The access mode of the volume	ReadWriteOnce
persistence.persistentVolumeClaim.chartmuseum.size	The size of the volume	5Gi
persistence.persistentVolumeClaim.trivy.existingClaim	Use the existing PVC which must be created manually before bound, and specify the subPath if the PVC is shared with other components	nil
persistence.persistentVolumeClaim.trivy.storageClass	Specify the storageClass used to provision the volume. Or the default StorageClass will be used(the default). Set it to - to disable dynamic provisioning	nil
persistence.persistentVolumeClaim.trivy.accessMode	The access mode of the volume	ReadWriteOnce
persistence.persistentVolumeClaim.trivy.size	The size of the volume	5Gi
persistence.imageChartStorage.disableredirect	The configuration for managing redirects from content backends. For backends which do not supported it (such as using MinIOTM for s3 storage type), please set it to true to disable redirects. Refer to the guide for more information about the detail	false
persistence.imageChartStorage.caBundleSecretName	Specify the caBundleSecretName if the storage service uses a self-signed certificate. The secret must contain keys named ca.crt which will be injected into the trust store of registry's and chartmuseum's containers.
persistence.imageChartStorage.type	The type of storage for images and charts: filesystem, azure, gcs, s3, swift or oss. The type must be filesystem if you want to use persistent volumes for registry and chartmuseum. Refer to the guide for more information about the detail	filesystem
persistence.imageChartStorage.azure.accountname	Azure storage type setting: Name of the Azure account	nil
persistence.imageChartStorage.azure.accountkey	Azure storage type setting: Key of the Azure account	nil
persistence.imageChartStorage.azure.container	Azure storage type setting: Container	nil
persistence.imageChartStorage.azure.storagePrefix	Azure storage type setting: Storage prefix	nil
persistence.imageChartStorage.azure.realm	Azure storage type setting: Realm of the Azure account	nil
persistence.imageChartStorage.gcs.accountname	GCS storage type setting: Name of the bucket	nil
persistence.imageChartStorage.gcs.encodedkey	GCS storage type setting: Base64 encoded key	nil
persistence.imageChartStorage.gcs.bucket	GCS storage type setting: Bucket name	nil
persistence.imageChartStorage.gcs.rootdirectory	GCS storage type setting: Root directory name	nil
persistence.imageChartStorage.gcs.chunksize	GCS storage type setting: Chunk size name	nil
persistence.imageChartStorage.s3.accesskey	S3 storage type setting: Access key name	nil
persistence.imageChartStorage.s3.secretkey	S3 storage type setting: Secret Key name	nil
persistence.imageChartStorage.s3.regionendpoint	S3 storage type setting: Region Endpoint	nil
persistence.imageChartStorage.s3.encrypt	S3 storage type setting: Encrypt	nil
persistence.imageChartStorage.s3.keyid	S3 storage type setting: Key ID	nil
persistence.imageChartStorage.s3.region	S3 storage type setting: Region	nil
persistence.imageChartStorage.s3.secure	S3 storage type setting: Secure	nil
persistence.imageChartStorage.s3.v4auth	S3 storage type setting: V4 authorization	nil
persistence.imageChartStorage.s3.chunksize	S3 storage type setting: V4 authorization	nil
persistence.imageChartStorage.s3.bucket	S3 storage type setting: Bucket name	nil
persistence.imageChartStorage.s3.rootdirectory	S3 storage type setting: Root directory name	nil
persistence.imageChartStorage.s3.storageclass	S3 storage type setting: Storage class	nil
persistence.imageChartStorage.s3.sse	S3 storage type setting: SSE name	nil
persistence.imageChartStorage.swift.authurl	Swift storage type setting: Authentication url	nil
persistence.imageChartStorage.swift.username	Swift storage type setting: Authentication url	nil
persistence.imageChartStorage.swift.password	Swift storage type setting: Password	nil
persistence.imageChartStorage.swift.container	Swift storage type setting: Container	nil
persistence.imageChartStorage.swift.region	Swift storage type setting: Region	nil
persistence.imageChartStorage.swift.tenant	Swift storage type setting: Tenant	nil
persistence.imageChartStorage.swift.tenantid	Swift storage type setting: TenantID	nil
persistence.imageChartStorage.swift.domain	Swift storage type setting: Domain	nil
persistence.imageChartStorage.swift.domainid	Swift storage type setting: DomainID	nil
persistence.imageChartStorage.swift.insecureskipverify	Swift storage type setting: Verification	nil
persistence.imageChartStorage.swift.trustid	Swift storage type setting: TrustID	nil
persistence.imageChartStorage.swift.chunksize	Swift storage type setting: Chunk	nil
persistence.imageChartStorage.swift.prefix	Swift storage type setting: Prefix	nil
persistence.imageChartStorage.swift.secretkey	Swift storage type setting: Secre Key	nil
persistence.imageChartStorage.swift.accesskey	Swift storage type setting: Access Key	nil
persistence.imageChartStorage.swift.authversion	Swift storage type setting: Auth	nil
persistence.imageChartStorage.swift.endpointtype	Swift storage type setting: Endpoint	nil
persistence.imageChartStorage.swift.tempurlcontainerkey	Swift storage type setting: Temp URL container key	nil
persistence.imageChartStorage.swift.tempurlmethods	Swift storage type setting: Temp URL methods	nil
persistence.imageChartStorage.oss.accesskeyid	OSS storage type setting: Access key ID	nil
persistence.imageChartStorage.oss.endpoint	OSS storage type setting: Endpoint	nil
persistence.imageChartStorage.oss.internal	OSS storage type setting: Internal	nil
persistence.imageChartStorage.oss.encrypt	OSS storage type setting: Encrypt	nil
persistence.imageChartStorage.oss.secure	OSS storage type setting: Secure	nil
persistence.imageChartStorage.oss.chunksize	OSS storage type setting: Chunk	nil
persistence.imageChartStorage.oss.rootdirectory	OSS storage type setting: Directory	nil
persistence.imageChartStorage.oss.secretkey	OSS storage type setting: Secret key	nil
persistence.imageChartStorage.oss.accesskeysecret	OSS storage type setting: Access key secret name containing the token	nil
persistence.imageChartStorage.oss.region	OSS storage type setting: Region name	nil
persistence.imageChartStorage.oss.bucket	OSS storage type setting: Bucket name	nil
persistence.imageChartStorage.filesystem.rootdirectory	Filesystem storage type setting: Storage root directory	nil
persistence.imageChartStorage.filesystem.maxthreads	Filesystem storage type setting: Maximum threads directory	nil

Nginx Parameters

NOTE: If you expose the service via ingress, the Nginx will not be used

Parameter	Description	Default
nginxImage.registry	Registry for Nginx image	docker.io
nginxImage.repository	Repository for Nginx image	bitnami/nginx
nginxImage.tag	Tag for Nginx image	{TAG_NAME}
nginxImage.pullPolicy	Harbor Portal image pull policy	IfNotPresent
nginxImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
nginxImage.debug	Specify if debug logs should be enabled	false
nginx.replicas	The replica count	1
nginx.resources	The resources to allocate for container	undefined
nginx.podAffinityPreset	NGINX Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
nginx.podAntiAffinityPreset	NGINX Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
nginx.nodeAffinityPreset.type	NGINX Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
nginx.nodeAffinityPreset.key	NGINX Node label key to match Ignored if affinity is set.	""
nginx.nodeAffinityPreset.values	NGINX Node label values to match. Ignored if affinity is set.	[]
nginx.affinity	NGINX Affinity for pod assignment	{} (evaluated as a template)
nginx.nodeSelector	NGINX Node labels for pod assignment	{} (evaluated as a template)
nginx.tolerations	NGINX Tolerations for pod assignment	[] (evaluated as a template)
nginx.podAnnotations	Annotations to add to the nginx pod	{}
nginx.behindReverseProxy	If nginx is behind another reverse proxy, set to true	false
nginx.extraEnvVars	Array containing extra env vars	nil
nginx.extraEnvVarsCM	ConfigMap containing extra env vars	nil
nginx.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
nginx.command	Override default container command (useful when using custom images)	nil
nginx.args	Override default container args (useful when using custom images)	nil
nginx.livenessProbe	Liveness probe configuration	Check values.yaml file
nginx.readinessProbe	Readiness probe configuration	Check values.yaml file
nginx.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
nginx.customLivenessProbe	Override default liveness probe	nil
nginx.customReadinessProbe	Override default readiness probe	nil
nginx.updateStrategy	Deployment update strategy	nil
nginx.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
nginx.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
nginx.hostAliases	Specify hostAliases for the Pod to use	nil
nginx.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
nginx.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
nginx.podLabels	Add additional labels to the pod (evaluated as a template)	nil

Harbor Portal Parameters

Parameter	Description	Default
portalImage.registry	Registry for portal image	docker.io
portalImage.repository	Repository for portal image	bitnami/harbor-portal
portalImage.tag	Tag for portal image	{TAG_NAME}
portalImage.pullPolicy	Harbor Portal image pull policy	IfNotPresent
portalImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
portalImage.debug	Specify if debug logs should be enabled	false
portal.replicas	The replica count	1
portal.resources	The resources to allocate for container	undefined
portal.podAffinityPreset	Harbor Portal Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
portal.podAntiAffinityPreset	Harbor Portal Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
portal.nodeAffinityPreset.type	Harbor Portal Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
portal.nodeAffinityPreset.key	Harbor Portal Node label key to match Ignored if affinity is set.	""
portal.nodeAffinityPreset.values	Harbor Portal Node label values to match. Ignored if affinity is set.	[]
portal.affinity	Harbor Portal Affinity for pod assignment	{} (evaluated as a template)
portal.nodeSelector	Harbor Portal Node labels for pod assignment	{} (evaluated as a template)
portal.tolerations	Harbor Portal Tolerations for pod assignment	[] (evaluated as a template)
portal.podAnnotations	Annotations to add to the portal pod	{}
portal.livenessProbe	Liveness probe configuration for Portal	Check values.yaml file
portal.readinessProbe	Readines probe configuration for Portal	Check values.yaml file
portal.extraEnvVars	Array containing extra env vars	nil
portal.extraEnvVarsCM	ConfigMap containing extra env vars	nil
portal.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
portal.command	Override default container command (useful when using custom images)	nil
portal.args	Override default container args (useful when using custom images)	nil
portal.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
portal.customLivenessProbe	Override default liveness probe	nil
portal.customReadinessProbe	Override default readiness probe	nil
portal.tls.existingSecret	Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated	nil
portal.updateStrategy	Deployment update strategy	nil
portal.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
portal.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
portal.hostAliases	Specify hostAliases for the Pod to use	nil
portal.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
portal.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
portal.podLabels	Add additional labels to the pod (evaluated as a template)	nil

Harbor Core Parameters

Parameter	Description	Default
coreImage.registry	Registry for core image	docker.io
coreImage.repository	Repository for Harbor core image	bitnami/harbor-core
coreImage.tag	Tag for Harbor core image	{TAG_NAME}
coreImage.pullPolicy	Harbor Core image pull policy	IfNotPresent
coreImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
coreImage.debug	Specify if debug logs should be enabled	false
core.secretKey	The key used for encryption. Must be a string of 16 chars	Random 16 character long alphanumeric string
core.uaaSecretName	If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key ca.crt.	``
core.tls.existingSecret	Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated	nil
core.csrfKey	CSRF key	``
core.replicas	The replica count	1
core.resources	The resources to allocate for container	undefined
core.podAffinityPreset	Harbor core Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
core.podAntiAffinityPreset	Harbor core Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
core.nodeAffinityPreset.type	Harbor core Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
core.nodeAffinityPreset.key	Harbor core Node label key to match Ignored if affinity is set.	""
core.nodeAffinityPreset.values	Harbor core Node label values to match. Ignored if affinity is set.	[]
core.affinity	Harbor core Affinity for pod assignment	{} (evaluated as a template)
core.nodeSelector	Harbor core Node labels for pod assignment	{} (evaluated as a template)
core.tolerations	Harbor core Tolerations for pod assignment	[] (evaluated as a template)
core.podAnnotations	Annotations to add to the core pod	{}
core.secret	Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.	nil
core.secretName	Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: tls.crt - the certificate and tls.key - the private key. The default key pair will be used if it isn't set	nil
core.livenessProbe	Liveness probe configuration for Core	Check values.yaml file
core.readinessProbe	Readines probe configuration for Core	Check values.yaml file
core.startupProbe	Startup probe configuration for Core	Check values.yaml file
core.extraEnvVars	Array containing extra env vars	nil
core.extraEnvVarsCM	ConfigMap containing extra env vars	nil
core.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
core.command	Override default container command (useful when using custom images)	nil
core.args	Override default container args (useful when using custom images)	nil
core.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
core.customLivenessProbe	Override default liveness probe	nil
core.customReadinessProbe	Override default readiness probe	nil
core.customStartupProbe	Override default Startup Probe probe	nil
core.updateStrategy	Deployment update strategy	nil
core.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
core.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
core.hostAliases	Specify hostAliases for the Pod to use	nil
core.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
core.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
core.podLabels	Add additional labels to the pod (evaluated as a template)	nil

Harbor Jobservice Parameters

Parameter	Description	Default
jobserviceImage.registry	Registry for jobservice image	docker.io
jobserviceImage.repository	Repository for jobservice image	bitnami/harbor-jobservice
jobserviceImage.tag	Tag for jobservice image	{TAG_NAME}
jobserviceImage.pullPolicy	Harbor Jobservice image pull policy	IfNotPresent
jobserviceImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
jobserviceImage.debug	Specify if debug logs should be enabled	false
jobservice.replicas	The replica count	1
jobservice.updateStrategy.type	The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported	RollingUpdate
jobservice.maxJobWorkers	The max job workers	10
jobservice.tls.existingSecret	Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated	nil
jobservice.jobLogger	The logger for jobs: file, database or stdout	file
jobservice.resources	The resources to allocate for container	undefined
jobservice.podAffinityPreset	Harbor Jobservice Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
jobservice.podAntiAffinityPreset	Harbor Jobservice Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
jobservice.nodeAffinityPreset.type	Harbor Jobservice Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
jobservice.nodeAffinityPreset.key	Harbor Jobservice Node label key to match Ignored if affinity is set.	""
jobservice.nodeAffinityPreset.values	Harbor Jobservice Node label values to match. Ignored if affinity is set.	[]
jobservice.affinity	Harbor Jobservice Affinity for pod assignment	{} (evaluated as a template)
jobservice.nodeSelector	Harbor Jobservice Node labels for pod assignment	{} (evaluated as a template)
jobservice.tolerations	Harbor Jobservice Tolerations for pod assignment	[] (evaluated as a template)
jobservice.podAnnotations	Annotations to add to the jobservice pod	{}
jobservice.secret	Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.	Random 16 character long alphanumeric string
jobservice.livenessProbe	Liveness probe configuration for Job Service	Check values.yaml file
jobservice.readinessProbe	Readines probe configuration for Job Service	Check values.yaml file
jobservice.extraEnvVars	Array containing extra env vars	nil
jobservice.extraEnvVarsCM	ConfigMap containing extra env vars	nil
jobservice.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
jobservice.command	Override default container command (useful when using custom images)	nil
jobservice.args	Override default container args (useful when using custom images)	nil
jobservice.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
jobservice.customLivenessProbe	Override default liveness probe	nil
jobservice.customReadinessProbe	Override default readiness probe	nil
jobservice.updateStrategy	Deployment update strategy	nil
jobservice.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
jobservice.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
jobservice.hostAliases	Specify hostAliases for the Pod to use	nil
jobservice.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
jobservice.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
jobservice.podLabels	Add additional labels to the pod (evaluated as a template)	nil

Harbor Registry Parameters

Parameter	Description	Default
registryImage.registry	Registry for registry image	docker.io
registryImage.repository	Repository for registry image	bitnami/harbor-registry
registryImage.tag	Tag for registry image	{TAG_NAME}
registryImage.pullPolicy	Harbor Registry image pull policy	IfNotPresent
registryImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
registryImage.debug	Specify if debug logs should be enabled	false
registryctlImage.registry	Registry for registryctl image	docker.io
registryctlImage.repository	Repository for registryctl controller image	bitnami/harbor-registryctl
registryctlImage.tag	Tag for registrycrtl controller image	{TAG_NAME}
registryctlImage.pullPolicy	Harbor Registryctl image pull policy	IfNotPresent
registryctlImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
registryctlImage.debug	Specify if debug logs should be enabled	false
registry.relativeurls	Make the registry return relative URLs in Location headers.	false
registry.tls.existingSecret	Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated	nil
registry.replicas	The replica count	1
registry.credentials.username	The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs.	harbor_registry_user
registry.credentials.password	The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs. It is suggested you update this value before installation.	harbor_registry_password
registry.credentials.htpasswd	The content of htpasswd file based on the value of registry.credentials.username registry.credentials.password. Currently helm does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling htpasswd: htpasswd -nbBC10 $username $password. More details see official_docs.	harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m
registry.updateStrategy.type	The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported	RollingUpdate
registry.podAffinityPreset	Harbor Registry Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
registry.podAntiAffinityPreset	Harbor Registry Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
registry.nodeAffinityPreset.type	Harbor Registry Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
registry.nodeAffinityPreset.key	Harbor Registry Node label key to match Ignored if affinity is set.	""
registry.nodeAffinityPreset.values	Harbor Registry Node label values to match. Ignored if affinity is set.	[]
registry.affinity	Harbor Registry Affinity for pod assignment	{} (evaluated as a template)
registry.nodeSelector	Harbor Registry Node labels for pod assignment	{} (evaluated as a template)
registry.tolerations	Harbor Registry Tolerations for pod assignment	[] (evaluated as a template)
registry.podAnnotations	Annotations to add to the registry pod	{}
registry.middleware.enabled	Middleware is used to add support for a CDN between backend storage and docker pull recipient. See official docs.
registry.middleware.type	CDN type for the middleware
registry.middleware.cloudFront.baseurl	CloudFront CDN settings: Base URL
registry.middleware.cloudFront.keypairid	CloudFront CDN settings: Keypair ID
registry.middleware.cloudFront.duration	CloudFront CDN settings: Duration
registry.middleware.cloudFront.ipfilteredby	CloudFront CDN settings: IP filters
registry.middleware.cloudFront.privateKeySecret	CloudFront CDN settings: Secret name with the private key
registry.secret	Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.	nil
registry.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
registry.hostAliases	Specify hostAliases for the Pod to use	nil
registry.updateStrategy	Deployment update strategy	nil
registry.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
registry.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
registry.podLabels	Add additional labels to the pod (evaluated as a template)	nil
registry.server.resources	The resources to allocate for container	undefined
registry.server.livenessProbe	Liveness probe configuration for Registry	Check values.yaml file
registry.server.readinessProbe	Readines probe configuration for Registry	Check values.yaml file
registry.server.extraEnvVars	Array containing extra env vars	nil
registry.server.extraEnvVarsCM	ConfigMap containing extra env vars	nil
registry.server.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
registry.server.command	Override default container command (useful when using custom images)	nil
registry.server.args	Override default container args (useful when using custom images)	nil
registry.server.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
registry.server.customLivenessProbe	Override default liveness probe	nil
registry.server.customReadinessProbe	Override default readiness probe	nil
registry.server.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
registry.controller.resources	The resources to allocate for container	undefined
registry.controller.livenessProbe	Liveness probe configuration for Registry	Check values.yaml file
registry.controller.readinessProbe	Readines probe configuration for Registry	Check values.yaml file
registry.controller.extraEnvVars	Array containing extra env vars	nil
registry.controller.extraEnvVarsCM	ConfigMap containing extra env vars	nil
registry.controller.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
registry.controller.command	Override default container command (useful when using custom images)	nil
registry.controller.args	Override default container args (useful when using custom images)	nil
registry.controller.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
registry.controller.customLivenessProbe	Override default liveness probe	nil
registry.controller.customReadinessProbe	Override default readiness probe	nil
registry.controller.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil

ChartMuseum Parameters

Parameter	Description	Default
chartMuseumImage.registry	Registry for ChartMuseum image	docker.io
chartMuseumImage.repository	Repository for clair image	bitnami/chartmuseum
chartMuseumImage.tag	Tag for ChartMuseum image	{TAG_NAME}
chartMuseumImage.pullPolicy	ChartMuseum image pull policy	IfNotPresent
chartMuseumImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
chartMuseumImage.debug	Specify if debug logs should be enabled	false
chartmuseum.enabled	Enable ChartMuseum	true
chartmuseum.replicas	Number of ChartMuseum replicas	1
chartmuseum.resources	The resources to allocate for container	undefined
chartmuseum.updateStrategy	The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported	RollingUpdate
chartmuseum.useRedisCache	Specify if ChartMuseum will use redis cache	true
chartmuseum.absoluteUrl	Specify an absolute URL for ChartMuseum registry	false
chartmuseum.chartRepoName	Specify the endpoint for the chartmuseum registry. Only applicable if chartmuseum.absoluteUrl is true	chartsRepo
chartmuseum.maxUploadSize	Maximum upload size	nil
chartmuseum.storageTimestampTolerance	Timestamp tolerance size	1s
chartmuseum.maxStorageObjects	Maximum storage objects	nil
chartmuseum.tls.existingSecret	Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated	nil
chartmuseum.depth	Support for multitenancy. More info here	1
chartmuseum.logJson	Print logs on JSON format	false
chartmuseum.disableMetrics	Disable prometheus metrics exposure	false
chartmuseum.disableApi	Disable all the routes prefixed with /api	false
chartmuseum.disableStatefiles	Disable use of index-cache.yaml	false
chartmuseum.allowOverwrite	Allow chart versions to be re-uploaded without force querystring	true
chartmuseum.anonymousGet	Allow anonymous GET operations	false
chartmuseum.contextPath	Set the base context path for ChartMuseum	nil
chartmuseum.indexLimit	Limit the number of parallels indexes for ChartMuseum	nil
chartmuseum.chartPostFormFieldName	Form field which will be queried for the chart file content	nil
chartmuseum.provPostFormFieldName	Form field which will be queried for the provenance file content	nil
chartmuseum.extraEnvVars	Allow to pass extra environment variables to the chartmuseum image	nil
chartmuseum.livenessProbe	Liveness probe configuration	Check values.yaml file
chartmuseum.readinessProbe	Readiness probe configuration	Check values.yaml file
chartmuseum.podAffinityPreset	ChartMuseum Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
chartmuseum.podAntiAffinityPreset	ChartMuseum Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
chartmuseum.nodeAffinityPreset.type	ChartMuseum Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
chartmuseum.nodeAffinityPreset.key	ChartMuseum Node label key to match Ignored if affinity is set.	""
chartmuseum.nodeAffinityPreset.values	ChartMuseum Node label values to match. Ignored if affinity is set.	[]
chartmuseum.affinity	ChartMuseum Affinity for pod assignment	{} (evaluated as a template)
chartmuseum.nodeSelector	ChartMuseum Node labels for pod assignment	{} (evaluated as a template)
chartmuseum.tolerations	ChartMuseum Tolerations for pod assignment	[] (evaluated as a template)
chartmuseum.podAnnotations	Annotations to add to the chartmuseum pod	{}
chartmuseum.podAnnotations	Annotations to add to the chartmuseum pod	{}
chartmuseum.extraEnvVars	Array containing extra env vars	nil
chartmuseum.extraEnvVarsCM	ConfigMap containing extra env vars	nil
chartmuseum.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
chartmuseum.command	Override default container command (useful when using custom images)	nil
chartmuseum.args	Override default container args (useful when using custom images)	nil
chartmuseum.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
chartmuseum.customLivenessProbe	Override default liveness probe	nil
chartmuseum.customReadinessProbe	Override default readiness probe	nil
chartmuseum.updateStrategy	Deployment update strategy	nil
chartmuseum.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
chartmuseum.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
chartmuseum.hostAliases	Specify hostAliases for the Pod to use	nil
chartmuseum.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
chartmuseum.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
chartmuseum.podLabels	Add additional labels to the pod (evaluated as a template)	nil

Clair Parameters

Parameter	Description	Default
clairImage.registry	Registry for clair image	docker.io
clairImage.repository	Repository for clair image	bitnami/harbor-clair
clairImage.tag	Tag for clair image	{TAG_NAME}
clairImage.pullPolicy	Harbor clair image pull policy	IfNotPresent
clairImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
clairImage.debug	Specify if debug logs should be enabled	false
clairAdapterImage.registry	Registry for clair adapter image	docker.io
clairAdapterImage.repository	Repository for clair adapter image	bitnami/harbor-adapter-clair
clairAdapterImage.tag	Tag for clair adapter image	{TAG_NAME}
clairAdapterImage.pullPolicy	Harbor clair adapter image pull policy	IfNotPresent
clairAdapterImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
clairAdapterImage.debug	Specify if debug logs should be enabled	false
clair.updateStrategy	The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported	RollingUpdate
clair.enabled	Enable Clair	true
clair.replicas	The replica count	1
clair.httpProxy	The http proxy used to update vulnerabilities database from internet	undefined
clair.httpsProxy	The https proxy used to update vulnerabilities database from internet	undefined
clair.updatersInterval	The interval of clair updaters (hours), set to 0 to disable	12
clair.tls.existingSecret	Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated	nil
clair.podAffinityPreset	Harbor Clair Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
clair.podAntiAffinityPreset	Harbor Clair Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
clair.nodeAffinityPreset.type	Harbor Clair Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
clair.nodeAffinityPreset.key	Harbor Clair Node label key to match Ignored if affinity is set.	""
clair.nodeAffinityPreset.values	Harbor Clair Node label values to match. Ignored if affinity is set.	[]
clair.affinity	Harbor Clair Affinity for pod assignment	{} (evaluated as a template)
clair.nodeSelector	Harbor Clair Node labels for pod assignment	{} (evaluated as a template)
clair.tolerations	Harbor Clair Tolerations for pod assignment	[] (evaluated as a template)
clair.podAnnotations	Annotations to add to the clair pod	{}
clair.podLabels	Add additional labels to the pod (evaluated as a template)	nil
clair.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
clair.hostAliases	Specify hostAliases for the Pod to use	nil
clair.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
clair.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
clair.server.resources	The resources to allocate for container	undefined
clair.server.livenessProbe	Liveness probe configuration	Check values.yaml file
clair.server.readinessProbe	Readiness probe configuration	Check values.yaml file
clair.server.extraEnvVars	Array containing extra env vars	nil
clair.server.extraEnvVarsCM	ConfigMap containing extra env vars	nil
clair.server.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
clair.server.command	Override default container command (useful when using custom images)	nil
clair.server.args	Override default container args (useful when using custom images)	nil
clair.server.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
clair.server.customLivenessProbe	Override default liveness probe	nil
clair.server.customReadinessProbe	Override default readiness probe	nil
clair.server.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
clair.adapter.resources	The resources to allocate for container	undefined
clair.adapter.livenessProbe	Liveness probe configuration	Check values.yaml file
clair.adapter.readinessProbe	Readiness probe configuration	Check values.yaml file
clair.adapter.extraEnvVars	Array containing extra env vars	nil
clair.adapter.extraEnvVarsCM	ConfigMap containing extra env vars	nil
clair.adapter.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
clair.adapter.command	Override default container command (useful when using custom images)	nil
clair.adapter.args	Override default container args (useful when using custom images)	nil
clair.adapter.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
clair.adapter.customLivenessProbe	Override default liveness probe	nil
clair.adapter.customReadinessProbe	Override default readiness probe	nil
clair.adapter.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil

Notary Parameters

Parameter	Description	Default
notary.enabled	Enable Notary	true
notaryServerImage.registry	Registry for notary server image	docker.io
notaryServerImage.repository	Repository for notary server image	bitnami/harbor-notary-server
notaryServerImage.tag	Tag for notary server image	1.10.1-debian-10-r0
notaryServerImage.debug	Specify if debug logs should be enabled	false
notaryServerImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
notaryServerImage.pullPolicy	Harbor notary server image pull policy	IfNotPresent
notarySignerImage.registry	Registry for notary signer images	docker.io
notarySignerImage.debug	Specify if debug logs should be enabled	false
notarySignerImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
notarySignerImage.repository	Repository for notary signer image	bitnami/harbor-notary-signer
notarySignerImage.tag	Tag for notary signer image	1.10.1-debian-10-r0
notarySignerImage.pullPolicy	Harbor notary signer image pull policy	IfNotPresent
notary.server.replicas	The replica count	1
notary.server.resources	The resources to allocate for container	{}
notary.server.podLabels	Add additional labels to the pod (evaluated as a template)	nil
notary.server.podAnnotations	Annotations to add to the notary pod	{}
notary.server.podAffinityPreset	Notary server Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
notary.server.podAntiAffinityPreset	Notary server Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
notary.server.nodeAffinityPreset.type	Notary server Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
notary.server.nodeAffinityPreset.key	Notary server Node label key to match Ignored if affinity is set.	""
notary.server.nodeAffinityPreset.values	Notary server Node label values to match. Ignored if affinity is set.	[]
notary.server.affinity	Notary server Affinity for pod assignment	{} (evaluated as a template)
notary.server.nodeSelector	Notary server Node labels for pod assignment	{} (evaluated as a template)
notary.server.tolerations	Notary server Tolerations for pod assignment	[] (evaluated as a template)
notary.secretName	Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named notary-signer-ca.crt, notary-signer.key and notary-signer.crt that contain the CA, certificate and private key. They will be generated if not set.	nil
notary.server.extraEnvVars	Array containing extra env vars	nil
notary.server.extraEnvVarsCM	ConfigMap containing extra env vars	nil
notary.server.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
notary.server.command	Override default container command (useful when using custom images)	nil
notary.server.args	Override default container args (useful when using custom images)	nil
notary.server.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
notary.server.customLivenessProbe	Override default liveness probe	nil
notary.server.customReadinessProbe	Override default readiness probe	nil
notary.server.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
notary.server.livenessProbe	Liveness probe configuration for Portal	Check values.yaml file
notary.server.readinessProbe	Readines probe configuration for Portal	Check values.yaml file
notary.server.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
notary.server.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
notary.server.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
notary.server.updateStrategy	Deployment update strategy	nil
notary.signer.extraEnvVars	Array containing extra env vars	nil
notary.signer.extraEnvVarsCM	ConfigMap containing extra env vars	nil
notary.signer.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
notary.signer.command	Override default container command (useful when using custom images)	nil
notary.signer.args	Override default container args (useful when using custom images)	nil
notary.signer.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
notary.signer.customLivenessProbe	Override default liveness probe	nil
notary.signer.customReadinessProbe	Override default readiness probe	nil
notary.signer.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
notary.signer.replicas	The replica count	1
notary.signer.resources	The resources to allocate for container	{}
notary.signer.podLabels	Add additional labels to the pod (evaluated as a template)	nil
notary.signer.podAnnotations	Annotations to add to the notary.signer pod	{}
notary.signer.podAffinityPreset	Notary signer Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
notary.signer.podAntiAffinityPreset	Notary signer Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
notary.signer.nodeAffinityPreset.type	Notary signer Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
notary.signer.nodeAffinityPreset.key	Notary signer Node label key to match Ignored if affinity is set.	""
notary.signer.nodeAffinityPreset.values	Notary signer Node label values to match. Ignored if affinity is set.	[]
notary.signer.affinity	Notary signer Affinity for pod assignment	{} (evaluated as a template)
notary.signer.nodeSelector	Notary signer Node labels for pod assignment	{} (evaluated as a template)
notary.signer.tolerations	Notary signer Tolerations for pod assignment	[] (evaluated as a template)
notary.signer.livenessProbe	Liveness probe configuration for Portal	Check values.yaml file
notary.signer.readinessProbe	Readines probe configuration for Portal	Check values.yaml file
notary.signer.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
notary.signer.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
notary.signer.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
notary.signer.updateStrategy	Deployment update strategy	nil

Harbor Trivy Parameters

Parameter	Description	Default
trivy.enabled	Enable Trivy	true
trivyImage.registry	Registry for trivy image	docker.io
trivyImage.repository	Repository for trivy image	bitnami/harbor-trivy
trivyImage.tag	Tag for trivy image	{TAG_NAME}
trivyImage.pullPolicy	Harbor trivy image pull policy	IfNotPresent
trivyImage.pullSecrets	Specify docker-registry secret names as an array	[] (does not add image pull secrets to deployed pods)
trivyImage.debug	Specify if debug logs should be enabled	false
trivy.automountServiceAccountToken	Automount service account token in the Trivy containers	false
trivy.debugMode	The flag to enable Trivy debug mode	false
trivy.vulnType	Comma-separated list of vulnerability types. Possible values os and library.	os,library
trivy.severity	Comma-separated list of severities to be checked	UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy.ignoreUnfixed	The flag to display only fixed vulnerabilities	false
trivy.insecure	The flag to skip verifying registry certificate	false
trivy.skipUpdate	The flag to disable Trivy DB downloads from GitHub	false
trivy.gitHubToken	The GitHub access token to download Trivy DB
trivy.tls.existingSecret	Name of a secret with the certificates for internal TLS access. Requires internalTLS.enabled to be set to true. If this values is not set it will be automatically generated	nil
trivy.cacheDir	Directory to store the cache	"/opt/bitnami/trivy/tmp/cache
trivy.replicas	The replica count	1
trivy.resources	The resources to allocate for container	undefined
trivy.podAffinityPreset	Trivy Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
trivy.podAntiAffinityPreset	Trivy Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
trivy.nodeAffinityPreset.type	Trivy Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
trivy.nodeAffinityPreset.key	Trivy Node label key to match Ignored if affinity is set.	""
trivy.nodeAffinityPreset.values	Trivy Node label values to match. Ignored if affinity is set.	[]
trivy.affinity	Trivy Affinity for pod assignment	{} (evaluated as a template)
trivy.nodeSelector	Trivy Node labels for pod assignment	{} (evaluated as a template)
trivy.tolerations	Trivy Tolerations for pod assignment	[] (evaluated as a template)
trivy.podAnnotations	Annotations to add to the trivy pod	{}
trivy.livenessProbe	Liveness probe configuration for trivy	Check values.yaml file
trivy.readinessProbe	Readines probe configuration for trivy	Check values.yaml file
trivy.extraEnvVars	Array containing extra env vars	nil
trivy.extraEnvVarsCM	ConfigMap containing extra env vars	nil
trivy.extraEnvVarsSecret	Secret containing extra env vars (in case of sensitive data)	nil
trivy.command	Override default container command (useful when using custom images)	nil
trivy.args	Override default container args (useful when using custom images)	nil
trivy.lifecycleHooks	LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template	``
trivy.customLivenessProbe	Override default liveness probe	nil
trivy.customReadinessProbe	Override default readiness probe	nil
trivy.updateStrategy	Deployment update strategy	nil
trivy.extraVolumes	Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts	nil
trivy.extraVolumeMounts	Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes.	nil
trivy.hostAliases	Specify hostAliases for the Pod to use	nil
trivy.sidecars	Attach additional containers to the pod (evaluated as a template)	nil
trivy.initContainers	Add additional init containers to the pod (evaluated as a template)	nil
trivy.podLabels	Add additional labels to the pod (evaluated as a template)	nil

PostgreSQL Parameters

Parameter	Description	Default
postgresql.enabled	If external database is used, set it to false	true
postgresql.nameOverride	String to partially override common.names.fullname template with a string (will prepend the release name)	nil
postgresql.postgresqlUsername	Postgresql username	postgres
postgresql.postgresqlPassword	Postgresql password	not-a-secure-database-password
postgresql.postgresqlExtendedConf	Extended runtime config parameters (appended to main or default configuration)	{"maxConnections": "1024"}
postgresql.replication.enabled	Enable replicated postgresql	false
postgresql.persistence.enabled	Enable persistence for PostgreSQL	true
postgresql.initdbScripts	Initdb scripts to create Harbor databases	See values.yaml file
externalDatabase.host	Host of the external database	localhost
externalDatabase.port	Port of the external database	5432
externalDatabase.user	Existing username in the external db	bn_harbor
externalDatabase.password	Password for the above username	nil
externalDatabase.coreDatabase	External database name for core	nil
externalDatabase.clairDatabase	External database name for clair	nil
externalDatabase.clairUsername	External database username for clair	nil
externalDatabase.clairPassword	External database password for clair	nil
externalDatabase.notaryServerDatabase	External database name for notary server	nil
externalDatabase.notaryServerUsername	External database username for notary server	nil
externalDatabase.notaryServerPassword	External database password for notary server	nil
externalDatabase.notarySignerDatabase	External database name for notary signer	nil
externalDatabase.notarySignerUsername	External database username for notary signer	nil
externalDatabase.notarySignerPassword	External database password for notary signer	nil
externalDatabase.sslmode	External database ssl mode	disable

Redis^TM Parameters

Parameter	Description	Default
redis.enabled	If external redis is used, set it to false	true
redis.nameOverride	String to partially override common.names.fullname template with a string (will prepend the release name)	nil
redis.password	RedisTM password	nil
redis.usePassword	Use redis password	false
redis.cluster.enabled	Enable cluster redis	false
redis.master.persistence.enabled	Enable persistence for master RedisTM	true
redis.slave.persistence.enabled	Enable persistence for slave RedisTM	true
externalRedis.host	Host of the external redis	localhost
externalRedis.port	Port of the external redis	6379
externalRedis.password	Password for the external redis	nil
externalRedis.coreDatabaseIndex	Index for core database	0
externalRedis.jobserviceDatabaseIndex	Index for jobservice database	1
externalRedis.registryDatabaseIndex	Index for registry database	2
externalRedis.chartmuseumDatabaseIndex	Index for chartmuseum database	3
externalRedis.clairAdapterDatabaseIndex	Index for chartmuseum database	3
externalRedis.trivyAdapterDatabaseIndex	Index for chartmuseum database	3

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install my-release \
  --set harborAdminPassword=password \
    bitnami/harbor

The above command sets the Harbor administrator account password to password.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

$ helm install my-release -f values.yaml bitnami/harbor

Configuration and installation details

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

Configure the way how to expose Harbor service:

• Ingress: The ingress controller must be installed in the Kubernetes cluster. Notes: if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue #5291 for the detail.
• ClusterIP: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
• NodePort: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting NodeIP:NodePort.
• LoadBalancer: Exposes the service externally using a cloud provider’s load balancer.

Sidecars and Init Containers

If you have a need for additional containers to run within the same pod as any of the Harbor components (e.g. an additional metrics or logging exporter), you can do so via the sidecars config parameter inside each component subsection. Simply define your container according to the Kubernetes container spec.

core:
  sidecars:
    - name: your-image-name
      image: your-image
      imagePullPolicy: Always
      ports:
        - name: portname
        containerPort: 1234

Similarly, you can add extra init containers using the initContainers parameter.

core:
  initContainers:
    - name: your-image-name
      image: your-image
      imagePullPolicy: Always
      ports:
        - name: portname
          containerPort: 1234

Adding extra environment variables

In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the extraEnvVars property inside each component subsection.

core:
  extraEnvVars:
    - name: LOG_LEVEL
      value: error

Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the extraEnvVarsCM or the extraEnvVarsSecret values inside each component subsection.

Configure the external URL:

The external URL for Harbor core service is used to:

1. populate the docker/helm commands showed on portal
2. populate the token service URL returned to docker/notary client

Format: protocol://domain[:port]. Usually:

• if expose the service via Ingress, the domain should be the value of ingress.hosts.core
• if expose the service via ClusterIP, the domain should be the value of service.clusterIP.name
• if expose the service via NodePort, the domain should be the IP address of one Kubernetes node
• if expose the service via LoadBalancer, set the domain as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider

If Harbor is deployed behind the proxy, set it as the URL of proxy.

Configure data persistence:

• Disable: The data does not survive the termination of a pod.
• Persistent Volume Claim(default): A default StorageClass is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the storageClass or set existingClaim if you have already existing persistent volumes to use.
• External Storage(only for images and charts): For images and charts, the external storages are supported: azure, gcs, s3 swift and oss.

Configure the secrets:

• Secret keys: Secret keys are used for secure communication between components. Fill core.secret, jobservice.secret and registry.secret to configure.
• Certificates: Used for token encryption/decryption. Fill core.secretName to configure.

Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: #107).

Setting Pod's affinity

This chart allows you to set your custom affinity using the XXX.affinity parameter(s). Find more information about Pod's affinity in the kubernetes documentation.

As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the XXX.podAffinityPreset, XXX.podAntiAffinityPreset, or XXX.nodeAffinityPreset parameters.

Adjust permissions of persistent volume mountpoint

As the images run as non-root by default, it is necessary to adjust the ownership of the persistent volumes so that the containers can write data into it.

By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.

You can enable this initContainer by setting volumePermissions.enabled to true.

Troubleshooting

Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.

Upgrading

NOTE: In you are upgrading an installation that contains a high amount of data, it is recommended to disable the liveness/readiness probes as the migration can take a substantial amount of time.

To 9.0.0

On November 13, 2020, Helm v2 support was formally finished, this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.

What changes were introduced in this major version?

• Previous versions of this Helm Chart use apiVersion: v1 (installable by both Helm 2 and 3), this Helm Chart was updated to apiVersion: v2 (installable by Helm 3 only). Here you can find more information about the apiVersion field.
• Move dependency information from the requirements.yaml to the Chart.yaml
• After running helm dependency update, a Chart.lock file is generated containing the same structure used in the previous requirements.lock
• The different fields present in the Chart.yaml file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
• This chart depends on the PostgreSQL 10 instead of PostgreSQL 9. Apart from the same changes that are described in this section, there are also other major changes due to the master/slave nomenclature was replaced by primary/readReplica. Here you can find more information about the changes introduced.

Considerations when upgrading to this version

• If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
• If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the official Helm documentation about migrating from Helm v2 to v3
• If you want to upgrade to this version from a previous one installed with Helm v3, it should be done reusing the PVC used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is harbor):

NOTE: Please, create a backup of your database before running any of those actions.

Export secrets and required values to update

$ export HARBOR_ADMIN_PASSWORD=$(kubectl get secret --namespace default harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode)
$ export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default harbor-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
$ export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=harbor,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}")

Delete statefulsets

Delete PostgreSQL statefulset. Notice the option --cascade=false:

$ kubectl delete statefulsets.apps harbor-postgresql --cascade=false

Upgrade the chart release

$ helm upgrade harbor bitnami/harbor \
    --set harborAdminPassword=$HARBOR_ADMIN_PASSWORD \
    --set postgresql.postgresqlPassword=$POSTGRESQL_PASSWORD \
    --set postgresql.persistence.existingClaim=$POSTGRESQL_PVC

Force new statefulset to create a new pod for postgresql

$ kubectl delete pod harbor-postgresql-0

Finally, you should see the lines below in MariaDB container logs:

$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}")
...
postgresql 08:05:12.59 INFO  ==> Deploying PostgreSQL with persisted data...
...

Useful links

• https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
• https://helm.sh/docs/topics/v2_v3_migration/
• https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/

To 8.0.0

Redis^TM dependency version was bumped to the new major version 11.x.x, which introduced breaking changes regarding sentinel. By default, this Chart does not use of this feature and hence no issues are expected between upgrades. You may refer to Redis^TM Upgrading Notes for further information.

To 7.0.0

This major version include a major change in the PostgreSQL subchart labeling. Backwards compatibility from previous versions to this one is not guarantee during the upgrade.

You can find more information about the changes in the PostgreSQL subchart and a way to workaround the helm upgrade issue in the "Upgrade to 9.0.0" section of the PostgreSQL README.

From 6.0.0 to 6.0.2

Due to an issue with Trivy volumeClaimTemplates, the upgrade needs to be done in two steps:

• Upgrade the chart to 6.0.2 with trivy.enabled=false

$ helm upgrade bitnami/chart --version 6.0.2 --set trivy.enabled=false <REST OF THE UPGRADE PARAMETERS>

• Execute a new upgrade setting trivy.enabled=true

$ helm upgrade bitnami/chart --set trivy.enabled=true <REST OF THE UPGRADE PARAMETERS>

To 6.0.0

The chart was changed to adapt to the common Bitnami chart standards. Now it includes common elements such as sidecar and init container support, custom commands, custom liveness/readiness probes, extra environment variables support, extra pod annotations and labels, among others. In addition, it adds a new Trivy deployment for image scanning.

No issues are expected between upgrades but please double check the updated parameter list as some of them could have been renamed. Please pay special attention to the following changes:

• service.type=ingress is not allowed anymore. Instead, set the value ingress.enabled=true.
• secretKey has been moved to core.secretKey.

To 4.0.0

PostgreSQL and Redis^TM dependencies were updated to the use the latest major versions, 8.x.x and 10.x.x, respectively. These major versions do not include changes that should break backwards compatibilities, check the links below for more information:

• PostgreSQL Upgrade notes
• Redis^TM Upgrade notes

To 3.0.0

Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.

In c085d396a0 the apiVersion of the deployment resources was updated to apps/v1 in tune with the api's deprecated, resulting in compatibility breakage.

This major version signifies this change.

To 2.0.0

In this version, two major changes were performed:

• This chart depends on the Redis^TM 5 chart instead of Redis^TM 4. There is a breaking change that will affect releases with metrics.enabled: true, since the default tag for the exporter image is now v1.x.x. This introduces many changes including metrics names. You'll want to use this dashboard now. Please see the redis_exporter github page for more details.
• This chart depends on the PostgreSQL 11 chart instead of PostgreSQL 10. You can find the main difference and notable changes in the following links: https://www.postgresql.org/about/news/1894/ and https://www.postgresql.org/about/featurematrix/.

For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs:

Welcome to the Bitnami postgresql container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues
Send us your feedback at containers@bitnami.com

INFO  ==> ** Starting PostgreSQL setup **
NFO  ==> Validating settings in POSTGRESQL_* env vars..
INFO  ==> Initializing PostgreSQL database...
INFO  ==> postgresql.conf file not detected. Generating it...
INFO  ==> pg_hba.conf file not detected. Generating it...
INFO  ==> Deploying PostgreSQL with persisted data...
INFO  ==> Configuring replication parameters
INFO  ==> Loading custom scripts...
INFO  ==> Enabling remote connections
INFO  ==> Stopping PostgreSQL...
INFO  ==> ** PostgreSQL setup finished! **

INFO  ==> ** Starting PostgreSQL **
  [1] FATAL:  database files are incompatible with server
  [1] DETAIL:  The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3.

In this case, you should migrate the data from the old PostgreSQL chart to the new one following an approach similar to that described in this section from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one.