Charts CI

```
Updated:
  clastix/kamaji:
    - 1.0.0
  dynatrace/dynatrace-operator:
    - 1.2.0
  f5/nginx-ingress:
    - 1.3.0
  haproxy/haproxy:
    - 1.40.0
  harbor/harbor:
    - 1.15.0
  instana/instana-agent:
    - 1.2.73
  jenkins/jenkins:
    - 5.3.3
  jfrog/artifactory-ha:
    - 107.84.16
  jfrog/artifactory-jcr:
    - 107.84.16
  kasten/k10:
    - 7.0.3
    - 7.0.2
  kubecost/cost-analyzer:
    - 2.3.1
  kuma/kuma:
    - 2.8.0
  linkerd/linkerd-control-plane:
    - 2024.6.4
  linkerd/linkerd-crds:
    - 2024.6.4
  loft/loft:
    - 3.4.8
  mongodb/community-operator:
    - 0.10.0
  new-relic/nri-bundle:
    - 5.0.84
  percona/psmdb-db:
    - 1.16.2
  percona/psmdb-operator:
    - 1.16.2
  percona/pxc-operator:
    - 1.14.2
  redpanda/redpanda:
    - 5.8.11
  speedscale/speedscale-operator:
    - 2.2.74
  stackstate/stackstate-k8s-agent:
    - 1.0.88
  weka/csi-wekafsplugin:
    - 2.4.0
  yugabyte/yugabyte:
    - 2.18.8
  yugabyte/yugaware:
    - 2.18.8
```
pull/1037/head
github-actions[bot] 2024-07-02 21:26:01 +00:00
parent e0763f2bc6
commit a5f05b0b73
391 changed files with 20421 additions and 7667 deletions

BIN
assets/kuma/kuma-2.8.0.tgz Normal file

BIN
assets/loft/loft-3.4.8.tgz Normal file

View File

@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.21.0-0'
catalog.cattle.io/release-name: kamaji
apiVersion: v2
appVersion: v0.5.1
appVersion: v1.0.0
description: Kamaji is the Hosted Control Plane Manager for Kubernetes.
home: https://github.com/clastix/kamaji
icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png
@ -22,4 +22,4 @@ name: kamaji
sources:
- https://github.com/clastix/kamaji
type: application
version: 0.15.3
version: 1.0.0

View File

@ -1,6 +1,6 @@
# kamaji
![Version: 0.15.3](https://img.shields.io/badge/Version-0.15.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.5.1](https://img.shields.io/badge/AppVersion-v0.5.1-informational?style=flat-square)
![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square)
Kamaji is the Hosted Control Plane Manager for Kubernetes.
@ -77,7 +77,7 @@ Here the values you can override:
| datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). |
| datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) |
| datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. |
| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. |
| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. |
| datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. |
| datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
| datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
@ -90,6 +90,7 @@ Here the values you can override:
| datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. |
| datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
| datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
| datastore.tlsConfig.enabled | bool | `true` | |
| etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) |
| etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji |
| etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image |
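Review bot: the new `datastore.tlsConfig.enabled` row has an empty description, so helm-docs will publish a boolean with no explanation of what turning it off does. Since the datastore template drops the whole `tlsConfig` block when it is `false`, the row should state that plainly, for example `Render the TLS configuration for the datastore connection; set to false only for a datastore that does not accept TLS`, so the plaintext consequence is visible in the table and not only in the template.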
@ -133,6 +134,7 @@ Here the values you can override:
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `"kamaji-controller-manager"` | |
| serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured |
| telemetry | object | `{"disabled":false}` | Disable the analytics traces collection |
| temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. (default "/tmp/kamaji") |
| tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate |

View File

@ -71,10 +71,12 @@ spec:
minLength: 1
type: string
name:
description: name is unique within a namespace to reference a secret resource.
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which the secret name must be unique.
description: namespace defines the space within which
the secret name must be unique.
type: string
required:
- keyPath
@ -98,10 +100,12 @@ spec:
minLength: 1
type: string
name:
description: name is unique within a namespace to reference a secret resource.
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which the secret name must be unique.
description: namespace defines the space within which
the secret name must be unique.
type: string
required:
- keyPath
@ -118,6 +122,7 @@ spec:
- etcd
- MySQL
- PostgreSQL
- NATS
type: string
endpoints:
description: |-
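Review bot: the `driver` enum now accepts `NATS`, but the chart documentation still advertises three drivers: the README row `datastore.driver ... supported: etcd, MySQL, PostgreSQL (defaults=etcd)` and the matching comment in values.yaml. Update both so a user does not learn about the fourth driver from a validation error, and say whether the chart's `certificateAuthority`/`clientCertificate` handling applies to a NATS datastore.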
@ -128,7 +133,9 @@ spec:
minItems: 1
type: array
tlsConfig:
description: Defines the TLS/SSL configuration required to connect to the data store in a secure way.
description: |-
Defines the TLS/SSL configuration required to connect to the data store in a secure way.
This value is optional.
properties:
certificateAuthority:
description: |-
@ -152,10 +159,12 @@ spec:
minLength: 1
type: string
name:
description: name is unique within a namespace to reference a secret resource.
description: name is unique within a namespace to
reference a secret resource.
type: string
namespace:
description: namespace defines the space within which the secret name must be unique.
description: namespace defines the space within which
the secret name must be unique.
type: string
required:
- keyPath
@ -179,10 +188,12 @@ spec:
minLength: 1
type: string
name:
description: name is unique within a namespace to reference a secret resource.
description: name is unique within a namespace to
reference a secret resource.
type: string
namespace:
description: namespace defines the space within which the secret name must be unique.
description: namespace defines the space within which
the secret name must be unique.
type: string
required:
- keyPath
@ -193,7 +204,8 @@ spec:
- certificate
type: object
clientCertificate:
description: Specifies the SSL/TLS key and private key pair used to connect to the data store.
description: Specifies the SSL/TLS key and private key pair used
to connect to the data store.
properties:
certificate:
properties:
@ -212,10 +224,12 @@ spec:
minLength: 1
type: string
name:
description: name is unique within a namespace to reference a secret resource.
description: name is unique within a namespace to
reference a secret resource.
type: string
namespace:
description: namespace defines the space within which the secret name must be unique.
description: namespace defines the space within which
the secret name must be unique.
type: string
required:
- keyPath
@ -239,10 +253,12 @@ spec:
minLength: 1
type: string
name:
description: name is unique within a namespace to reference a secret resource.
description: name is unique within a namespace to
reference a secret resource.
type: string
namespace:
description: namespace defines the space within which the secret name must be unique.
description: namespace defines the space within which
the secret name must be unique.
type: string
required:
- keyPath
@ -255,18 +271,17 @@ spec:
type: object
required:
- certificateAuthority
- clientCertificate
type: object
required:
- driver
- endpoints
- tlsConfig
type: object
status:
description: DataStoreStatus defines the observed state of DataStore.
properties:
usedBy:
description: List of the Tenant Control Planes, namespaced named, using this data store.
description: List of the Tenant Control Planes, namespaced named,
using this data store.
items:
type: string
type: array
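Review bot: removing `tlsConfig` from the top-level `required` list and `clientCertificate` from the tlsConfig `required` list means the API server will now admit a DataStore with no TLS settings at all, while the field descriptions in this same CRD still call the SSL/TLS connection `mandatory` and the new description says only `This value is optional`. Say in that description what the controller does when the block is omitted, and keep `certificateAuthority` required whenever `tlsConfig` is present (as the hunk does) so a half-filled block cannot be admitted.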

File diff suppressed because it is too large

View File

@ -34,6 +34,9 @@ spec:
- --metrics-bind-address={{ .Values.metricsBindAddress }}
- --tmp-directory={{ .Values.temporaryDirectoryPath }}
- --datastore={{ include "datastore.fullname" . }}
{{- if .Values.telemetry.disabled }}
- --disable-telemetry
{{- end }}
{{- if .Values.loggingDevel.enable }}
- --zap-devel
{{- end }}

View File

@ -20,9 +20,14 @@ spec:
secretReference:
{{- .Values.datastore.basicAuth.passwordSecret | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.datastore.tlsConfig.enabled }}
tlsConfig:
certificateAuthority:
{{- include "datastore.certificateAuthority" . | indent 6 }}
{{- if .Values.datastore.tlsConfig.clientCertificate }}
clientCertificate:
{{- include "datastore.clientCertificate" . | indent 6 }}
{{- end }}
{{- end}}
{{- end}}
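Review bot: the inner guard `{{- if .Values.datastore.tlsConfig.clientCertificate }}` will be true whenever the default values are used, because values.yaml defines `clientCertificate` as a map with nested keys (the README lists `datastore.tlsConfig.clientCertificate.privateKey.name` and friends defaulting to `nil`), and a map with keys is truthy in Helm templates even when every leaf is empty. Test a concrete leaf instead, for example `{{- if .Values.datastore.tlsConfig.clientCertificate.privateKey.name }}`, otherwise an empty `clientCertificate:` block is rendered whenever TLS is enabled. Minor: the two closing `{{- end}}` lines lack the space before `}}` used elsewhere in the file.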

View File

@ -8,6 +8,27 @@ metadata:
{{- include "kamaji.labels" $data | nindent 4 }}
name: kamaji-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "kamaji.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
path: /telemetry
failurePolicy: Ignore
name: telemetry.kamaji.clastix.io
rules:
- apiGroups:
- kamaji.clastix.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- tenantcontrolplanes
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
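Review bot: this webhook entry is registered unconditionally, while the new `telemetry.disabled` value only adds `--disable-telemetry` to the controller arguments, so a user who opts out still has the API server calling `/telemetry` on every TenantControlPlane CREATE, UPDATE and DELETE. Wrap the entry in `{{- if not .Values.telemetry.disabled }}` ... `{{- end }}`. `failurePolicy: Ignore` is the right choice here so an outage of the endpoint cannot block admission; a short comment explaining why a validating webhook is used to observe events would also help, since readers will assume it can reject objects.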

View File

@ -60,7 +60,7 @@ etcd:
# -- The custom annotations to add to the PVC
customAnnotations: {}
# volumeType: local
# -- (array) Kubernetes affinity rules to apply to Kamaji etcd pods
tolerations: []
@ -162,7 +162,7 @@ loggingDevel:
datastore:
# -- (bool) Enable the Kamaji Datastore creation (default=true)
enabled: true
# -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to.
# -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to.
nameOverride:
# -- (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd).
driver: etcd
@ -184,6 +184,7 @@ datastore:
# -- The Secret key where the data is stored.
keyPath:
tlsConfig:
enabled: true
certificateAuthority:
certificate:
# -- Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore.
@ -218,4 +219,9 @@ datastore:
cfssl:
image:
repository: cfssl/cfssl
tag: latest
tag: latest
# -- Disable the analytics traces collection
telemetry:
disabled: false
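Review bot: the comment `# -- Disable the analytics traces collection` sits above a block whose default is `disabled: false`, so helm-docs renders it as the description of a value that by default does the opposite. Reword it to something like `# -- Telemetry settings; set disabled=true to stop the analytics traces collection`. Unrelated context in the same hunk: `cfssl` still runs `tag: latest`; pinning that to a release tag (or a digest) would make the chart reproducible and keep an upstream image push from silently changing what runs in the cluster.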

View File

@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.19.0-0'
catalog.cattle.io/release-name: dynatrace-operator
apiVersion: v2
appVersion: 1.1.1
appVersion: 1.2.0
description: The Dynatrace Operator Helm chart for Kubernetes and OpenShift
home: https://www.dynatrace.com/
icon: https://assets.dynatrace.com/global/resources/Signet_Logo_RGB_CP_512x512px.png
@ -20,4 +20,4 @@ name: dynatrace-operator
sources:
- https://github.com/Dynatrace/dynatrace-operator
type: application
version: 1.1.1
version: 1.2.0

View File

@ -179,20 +179,6 @@ questions:
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.provisioner.limits.cpu
label: "CPU resource limits settings for Dynatrace CSI Driver's provisioner container"
description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's provisioner container can use. Default: 300m"
default: "300m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.provisioner.limits.memory
label: "Memory resource limits settings for Dynatrace CSI Driver's provisioner container"
description: "The maximum amount of memory that the Dynatrace CSI Driver's provisioner container can use. Pod restarted if exceeded. Default: 100Mi"
default: "100Mi"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.registrar.requests.cpu
label: "CPU resource requests settings for Dynatrace CSI Driver's registrar container"
description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's registrar container should request. Affects scheduling. Default: 20m"

View File

@ -262,19 +262,12 @@ spec:
{{- if .Values.csidriver.nodeSelector }}
nodeSelector: {{- toYaml .Values.csidriver.nodeSelector | nindent 8 }}
{{- end }}
{{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
tolerations:
{{- if .Values.csidriver.tolerations }}
{{- toYaml .Values.csidriver.tolerations | nindent 8 }}
{{- end }}
- key: kubernetes.io/arch
value: arm64
effect: NoSchedule
- key: kubernetes.io/arch
value: amd64
effect: NoSchedule
- key: kubernetes.io/arch
value: ppc64le
effect: NoSchedule
{{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
- key: ToBeDeletedByClusterAutoscaler
operator: Exists
effect: NoSchedule

View File

@ -57,6 +57,14 @@ rules:
- update
- delete
- list
- apiGroups:
- ""
resources:
- services
resourceNames:
- kubernetes
verbs:
- get
- apiGroups:
- ""
resources:
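Review bot: the new rule is well scoped with `resourceNames: [kubernetes]` and only `get`, but nothing says why the operator now needs to read the `kubernetes` Service; add a one-line comment above the rule naming the feature that consumes it so the next reviewer can judge whether the permission is still needed. Keep the verb list as it is: `resourceNames` constrains `get` but does not apply to `list` or `watch`, so adding either would widen the grant to every Service.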

View File

@ -85,23 +85,7 @@ spec:
{{- include "dynatrace-operator.startupProbe" . | nindent 10 }}
securityContext:
{{- toYaml .Values.operator.securityContext | nindent 12 }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
{{- if ne (include "dynatrace-operator.platform" .) "gke-autopilot" }}
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
{{- end }}
- key: kubernetes.io/os
operator: In
values:
- linux
{{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
volumes:
- emptyDir: { }
name: tmp-cert-dir
@ -119,13 +103,5 @@ spec:
{{- if .Values.operator.tolerations }}
{{- toYaml .Values.operator.tolerations | nindent 8 }}
{{- end }}
- key: kubernetes.io/arch
value: arm64
effect: NoSchedule
- key: kubernetes.io/arch
value: amd64
effect: NoSchedule
- key: kubernetes.io/arch
value: ppc64le
effect: NoSchedule
{{ end }}
{{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
{{ end }}

View File

@ -67,23 +67,7 @@ spec:
volumes:
- emptyDir: {}
name: certs-dir
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
{{- if ne (include "dynatrace-operator.platform" .) "gke-autopilot"}}
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
{{- end }}
- key: kubernetes.io/os
operator: In
values:
- linux
{{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
containers:
- name: webhook
args:
@ -147,13 +131,5 @@ spec:
{{- if .Values.webhook.tolerations }}
{{- toYaml .Values.webhook.tolerations | nindent 8 }}
{{- end }}
- key: kubernetes.io/arch
value: arm64
effect: NoSchedule
- key: kubernetes.io/arch
value: amd64
effect: NoSchedule
- key: kubernetes.io/arch
value: ppc64le
effect: NoSchedule
{{ end }}
{{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
{{ end }}

View File

@ -36,7 +36,7 @@ webhooks:
apiGroups:
- dynatrace.com
apiVersions:
- v1beta1
- v1beta2
resources:
- dynakubes
name: webhook.dynatrace.com
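Review bot: `apiVersions` now lists only `v1beta2`. With the default `matchPolicy: Equivalent` a request that arrives as `v1beta1` is still matched to this rule and converted to `v1beta2` before it reaches the webhook, so the handler must now be prepared to receive `v1beta2` payloads only; if `matchPolicy: Exact` is set anywhere in this configuration (not visible in the hunk), `v1beta1` requests would skip `webhook.dynatrace.com` entirely. Please confirm which applies, or list both versions (or `'*'`) until `v1beta1` is no longer served.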

View File

@ -59,5 +59,4 @@ startupProbe:
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 1
{{- println }}
{{- end -}}

View File

@ -20,8 +20,6 @@ Auto-detect the platform (if not set), according to the available APIVersions
{{- printf .Values.platform -}}
{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
{{- printf "openshift" -}}
{{- else if .Capabilities.APIVersions.Has "auto.gke.io/v1" }}
{{- printf "gke-autopilot" -}}
{{- else }}
{{- printf "kubernetes" -}}
{{- end -}}
@ -52,3 +50,37 @@ Enforces that platform is set to a valid one
{{- define "dynatrace-operator.platformRequired" -}}
{{- $platformIsSet := printf "%s" (required "Platform needs to be set to kubernetes, openshift, google-marketplace, or gke-autopilot" (include "dynatrace-operator.platformIsValid" .))}}
{{- end -}}
{{- define "dynatrace-operator.nodeAffinity" -}}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
{{- end -}}
{{- define "dynatrace-operator.defaultTolerations" -}}
- key: kubernetes.io/arch
value: arm64
effect: NoSchedule
- key: kubernetes.io/arch
value: amd64
effect: NoSchedule
- key: kubernetes.io/arch
value: ppc64le
effect: NoSchedule
- key: kubernetes.io/arch
value: s390x
effect: NoSchedule
{{- end -}}
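Review bot: the new `dynatrace-operator.nodeAffinity` helper drops the `gke-autopilot` exception that the removed inline blocks carried (`if ne (include "dynatrace-operator.platform" .) "gke-autopilot"`); autopilot autodetection is removed in the hunk above, but `platform` can still be set to `gke-autopilot` explicitly (values.yaml now marks it deprecated) and the `platformRequired` message in this hunk still lists it as valid. Either keep the conditional in the helper or state in the changelog that the arch affinity now applies on autopilot too. Also, the `defaultTolerations` entries have no `operator:`; the default `Equal` is what is wanted here, but a comment would help since the neighbouring `ToBeDeletedByClusterAutoscaler` toleration uses `Exists`.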

View File

@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# may be set to "kubernetes", "openshift", or "gke-autopilot"
# may be set to "kubernetes", "openshift", "gke-autopilot" (deprecated)
platform: ""
#image qualifier; OBSOLETE -> use imageref instead!
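Review bot: the rewritten comment reads `"openshift", "gke-autopilot" (deprecated)` with the `or` dropped; `"kubernetes", "openshift", or "gke-autopilot" (deprecated)` reads better, and `google-marketplace`, which the `platformRequired` helper accepts, could be listed here as well so the comment matches the validation message.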
@ -156,9 +156,6 @@ csidriver:
requests:
cpu: 300m
memory: 100Mi
limits:
cpu: 300m
memory: 100Mi
registrar:
securityContext:
runAsUser: 0
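Review bot: removing `limits` leaves the CSI provisioner container with requests but no ceiling, so it drops out of `Guaranteed` QoS and a memory leak can grow until the node OOM-kills it; in clusters that enforce a `LimitRange` the container picks up the namespace defaults rather than anything the chart chose. If the intent is only to stop CPU throttling, keep the memory limit; either way the matching removal from questions.yaml deserves a changelog entry so operators know the previous `100Mi` cap is gone.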

View File

@ -4,10 +4,10 @@ annotations:
catalog.cattle.io/kube-version: '>= 1.23.0-0'
catalog.cattle.io/release-name: nginx-ingress
apiVersion: v2
appVersion: 3.5.2
appVersion: 3.6.0
description: NGINX Ingress Controller
home: https://github.com/nginxinc/kubernetes-ingress
icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png
icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/charts/nginx-ingress/chart-icon.png
keywords:
- ingress
- nginx
@ -17,6 +17,6 @@ maintainers:
name: nginxinc
name: nginx-ingress
sources:
- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress
- https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress
type: application
version: 1.2.2
version: 1.3.0

View File

@ -2,7 +2,7 @@
## Introduction
This chart deploys the NGINX Ingress Controller in your Kubernetes cluster.
This chart deploys NGINX Ingress Controller in your Kubernetes cluster.
## Prerequisites
@ -51,10 +51,10 @@ kubectl apply -f crds/
Alternatively, CRDs can be upgraded without pulling the chart by running:
```console
kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml
kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml
```
In the above command, `v3.5.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
In the above command, `v3.6.0` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
> **Note**
>
@ -87,14 +87,14 @@ To install the chart with the release name my-release (my-release is the name th
For NGINX:
```console
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0
```
For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry
`myregistry.example.com`)
```console
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
```
This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to
@ -109,7 +109,7 @@ CRDs](#upgrading-the-crds).
To upgrade the release `my-release`:
```console
helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0
```
### Uninstalling the Chart
@ -150,7 +150,7 @@ upgrading/deleting the CRDs.
1. Pull the chart sources:
```console
helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.2
helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.3.0
```
2. Change your working directory to nginx-ingress:
@ -236,7 +236,7 @@ The steps you should follow depend on the Helm release name:
Selector: app=nginx-ingress-nginx-ingress
```
2. Checkout the latest available tag using `git checkout v3.5.2`
2. Checkout the latest available tag using `git checkout v3.6.0`
3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
@ -288,7 +288,7 @@ reviewing its events:
Selector: app=<helm_release_name>-nginx-ingress
```
2. Checkout the latest available tag using `git checkout v3.5.2`
2. Checkout the latest available tag using `git checkout v3.6.0`
3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
@ -355,7 +355,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.logLevel` | The log level of the Ingress Controller. | 1 |
|`controller.image.digest` | The image digest of the Ingress Controller. | None |
|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress |
|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.2 |
|`controller.image.tag` | The tag of the Ingress Controller image. | 3.6.0 |
|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent |
|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} |
|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" |
@ -386,7 +386,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 |
|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.2, do not set the value to false. | true |
|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.6.0, do not set the value to false. | true |
|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false |
|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" |
|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" |
@ -443,6 +443,20 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} |
|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} |
|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false |
|`controller.appprotect.v5` | Enables App Protect WAF v5. | false |
|`controller.appprotect.volumes` | Volumes for App Protect WAF v5. | [{"name": "app-protect-bd-config", "emptyDir": {}},{"name": "app-protect-config", "emptyDir": {}},{"name": "app-protect-bundles", "emptyDir": {}}] |
|`controller.appprotect.enforcer.host` | Host that the App Protect WAF v5 Enforcer runs on. | "127.0.0.1" |
|`controller.appprotect.enforcer.port` | Port that the App Protect WAF v5 Enforcer runs on. | 50000 |
|`controller.appprotect.enforcer.image` | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer |
|`controller.appprotect.enforcer.tag` | The tag of the App Protect WAF v5 Enforcer. | "5.2.0" |
|`controller.appprotect.enforcer.digest` | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "5.2.0" |
|`controller.appprotect.enforcer.pullPolicy` | The pull policy for the App Protect WAF v5 Enforcer image. | "5.2.0" |
|`controller.appprotect.enforcer.securityContext` | The security context for App Protect WAF v5 Enforcer container. | {} |
|`controller.appprotect.configManager.image` | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr |
|`controller.appprotect.configManager.tag` | The tag of the App Protect WAF v5 Configuration Manager. | "5.2.0" |
|`controller.appprotect.configManager.digest` | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. | "5.2.0" |
|`controller.appprotect.configManager.pullPolicy` | The pull policy for the App Protect WAF v5 Configuration Manager image. | "5.2.0" |
|`controller.appprotect.configManager.securityContext` | The security context for App Protect WAF v5 Configuration Manager container. | {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} |
|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false |
|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false |
|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 |
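Review bot: the default column for `controller.appprotect.enforcer.digest`, `enforcer.pullPolicy`, `configManager.digest` and `configManager.pullPolicy` all read `"5.2.0"`, which is the tag pasted into the wrong rows; a digest default should be empty (`""`) and a pull policy should be a policy name such as `IfNotPresent`. Also, `enforcer.securityContext` defaults to `{}` while the Configuration Manager gets `runAsNonRoot`, dropped capabilities and `allowPrivilegeEscalation: false`; if the enforcer genuinely needs more, document what and why, otherwise give it the same hardened default.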
@ -473,6 +487,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.telemetryReporting.enable` | Enable telemetry reporting. | true |
|`controller.enableWeightChangesDynamicReload` | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false |
|`rbac.create` | Configures RBAC. | true |
|`rbac.clusterrole.create` | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true |
|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
|`prometheus.port` | Configures the port to scrape the metrics. | 9113 |
|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http |

View File

@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: aplogconfs.appprotect.f5.com
spec:
group: appprotect.f5.com
@ -15,66 +14,70 @@ spec:
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: APLogConf is the Schema for the APLogConfs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: APLogConfSpec defines the desired state of APLogConf
properties:
content:
properties:
escaping_characters:
items:
properties:
from:
type: string
to:
type: string
type: object
type: array
format:
enum:
- splunk
- arcsight
- default
- user-defined
- grpc
type: string
format_string:
type: string
list_delimiter:
type: string
list_prefix:
type: string
list_suffix:
type: string
max_message_size:
pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$
type: string
max_request_size:
pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$
type: string
type: object
filter:
properties:
request_type:
enum:
- all
- illegal
- blocked
type: string
type: object
type: object
type: object
served: true
storage: true
- name: v1beta1
schema:
openAPIV3Schema:
description: APLogConf is the Schema for the APLogConfs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: APLogConfSpec defines the desired state of APLogConf
properties:
content:
properties:
escaping_characters:
items:
properties:
from:
type: string
to:
type: string
type: object
type: array
format:
enum:
- splunk
- arcsight
- default
- user-defined
- grpc
type: string
format_string:
type: string
list_delimiter:
type: string
list_prefix:
type: string
list_suffix:
type: string
max_message_size:
pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$
type: string
max_request_size:
pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|[1-9][0-9]{3}|10[0-2][0-9][0-9]|[1-9]k|10k|any)$
type: string
type: object
filter:
properties:
request_type:
enum:
- all
- illegal
- blocked
type: string
type: object
type: object
type: object
served: true
storage: true
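Review bot: the new `max_request_size` pattern accepts more than its apparent ceiling. The alternative `10[0-2][0-9][0-9]` matches every value from 10000 to 10299, so 10241 through 10299 pass validation even though `10k` is the largest named size the pattern admits; if the intended maximum is 10240, replace that alternative with something exact such as `10[01][0-9]{2}|102[0-3][0-9]|10240`, and if it is 10000, with `10000`. Since this pattern is the only documentation the API server gives users for the field, a `description` stating the units and the accepted range would also help, as the old 2048 cap has been raised substantially here.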


@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: apusersigs.appprotect.f5.com
spec:
group: appprotect.f5.com
@ -15,79 +14,85 @@ spec:
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: APUserSig is the Schema for the apusersigs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: APUserSigSpec defines the desired state of APUserSig
- name: v1beta1
schema:
openAPIV3Schema:
description: APUserSig is the Schema for the apusersigs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: APUserSigSpec defines the desired state of APUserSig
properties:
properties:
properties:
type: string
signatures:
items:
properties:
accuracy:
enum:
- high
- medium
- low
type: string
attackType:
type: string
signatures:
items:
properties:
accuracy:
enum:
- high
- medium
- low
type: string
attackType:
properties:
name:
type: string
type: object
description:
type: string
name:
type: string
references:
properties:
type:
enum:
- bugtraq
- cve
- nessus
- url
type: string
value:
type: string
type: object
risk:
enum:
- high
- medium
- low
type: string
rule:
type: string
signatureType:
enum:
- request
- response
type: string
systems:
items:
properties:
name:
type: string
type: object
description:
type: string
name:
type: string
references:
properties:
type:
enum:
- bugtraq
- cve
- nessus
- url
type: string
value:
type: string
type: object
risk:
enum:
- high
- medium
- low
type: string
rule:
type: string
signatureType:
enum:
- request
- response
type: string
systems:
items:
properties:
name:
type: string
type: object
type: array
type: object
type: array
tag:
type: string
type: object
type: object
served: true
storage: true
type: array
type: object
type: array
softwareVersion:
type: string
tag:
type: string
type: object
type: object
served: true
storage: true
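Review bot: the added `softwareVersion` field at the bottom of the hunk (`softwareVersion:` / `type: string`) carries no `description` and no `pattern`, so any string is accepted and users get no hint of the expected format. Add a description, and a version pattern if the format is fixed, in the same way the enum-constrained fields in this schema (`accuracy`, `risk`, `signatureType`) make their accepted values explicit.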


@ -67,6 +67,25 @@ spec:
type: string
type: array
type: object
apiKey:
description: APIKey defines an API Key policy.
properties:
clientSecret:
type: string
suppliedIn:
description: SuppliedIn defines the locations API Key should be
supplied in.
properties:
header:
items:
type: string
type: array
query:
items:
type: string
type: array
type: object
type: object
basicAuth:
description: |-
BasicAuth holds HTTP Basic authentication configuration
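Review bot: `clientSecret` in the new `apiKey` block is an undocumented plain string. If it names a Kubernetes Secret holding the accepted keys, say so in a `description` so that users do not paste key material directly into the policy object; if it is meant to carry the value inline, that should be called out even more clearly. The `suppliedIn` description would also benefit from one sentence on the difference between the two locations: keys accepted via `query` appear in URLs and therefore in access logs and referrers, so `header` is the location to recommend.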
@ -172,6 +191,8 @@ spec:
type: string
rejectCode:
type: integer
scale:
type: boolean
zoneSize:
type: string
type: object
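Review bot: the new `scale` boolean on the rate-limit block has no `description`, and unlike `rejectCode` or `zoneSize` its name does not explain itself; state what the limit is scaled by and when the flag takes effect, since this schema is the user-facing reference for the policy.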


@ -148,6 +148,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object
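Review bot: the new `headers` item schema marks neither `name` nor `value` as required, so an empty `{}` entry, or one that carries only `value`, passes validation and leaves the controller to cope with a nameless header. Add `required: [name, value]` (or at least `name`) under the item `properties`. The same applies to the identical `headers` blocks added in the remaining hunks of this file and of the VirtualServerRoute CRD below.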
@ -276,6 +286,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object
@ -383,6 +403,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object
@ -489,6 +519,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object


@ -210,6 +210,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object
@ -338,6 +348,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object
@ -445,6 +465,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object
@ -551,6 +581,16 @@ spec:
type: string
code:
type: integer
headers:
items:
description: Header defines an HTTP Header.
properties:
name:
type: string
value:
type: string
type: object
type: array
type:
type: string
type: object


@ -152,10 +152,27 @@ Expand wildcard TLS name.
Expand image name.
*/}}
{{- define "nginx-ingress.image" -}}
{{- if .Values.controller.image.digest -}}
{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}}
{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion ) }}
{{- end -}}
{{- define "nap-enforcer.image" -}}
{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.enforcer.image "default" .Chart.AppVersion ) }}
{{- end -}}
{{- define "nap-config-manager.image" -}}
{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.configManager.image "default" .Chart.AppVersion ) }}
{{- end -}}
{{/*
Accepts an image struct like .Values.controller.image along with a default value to use
if the digest or tag is not set. Can be called like:
include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion
*/}}
{{- define "nginx-ingress.image-digest-or-tag" -}}
{{- if .image.digest -}}
{{- printf "%s@%s" .image.repository .image.digest -}}
{{- else -}}
{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}}
{{- printf "%s:%s" .image.repository (default .default .image.tag) -}}
{{- end -}}
{{- end -}}
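Review bot: two points on the new `nginx-ingress.image-digest-or-tag` helper. The usage line in its doc comment is missing the closing parenthesis: `include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion` should end with `)`. More importantly, `nap-enforcer.image` and `nap-config-manager.image` pass `.Chart.AppVersion` as the fallback, which is the controller's own version, while values.schema.json in this same commit defaults those image tags to `5.2.0`; confirm that an unset enforcer or config-manager `tag` is meant to resolve to the controller version rather than fail loudly, because the silent fallback will produce a pull error for a tag that does not exist.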
@ -198,6 +215,9 @@ Build the args for the service binary.
{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }}
- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }}
{{ end }}
{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.v5 }}
- -app-protect-enforcer-address="{{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}"
{{- end }}
- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }}
{{- if .Values.controller.appprotectdos.enable }}
- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }}
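Review bot: the value in `- -app-protect-enforcer-address="{{ ... }}:{{ ... }}"` is a YAML plain scalar that starts with `-app`, so the double quotes are not YAML quoting but part of the argument handed to the container, i.e. literally `-app-protect-enforcer-address="127.0.0.1:50000"`. None of the other flags in this helper are quoted; either drop the quotes or wrap the whole list item, and confirm the controller's flag parser does not end up with quotes inside the address.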
@ -312,6 +332,9 @@ List of volumes for controller.
- name: nginx-log
emptyDir: {}
{{- end }}
{{- if .Values.controller.appprotect.v5 }}
{{- toYaml .Values.controller.appprotect.volumes }}
{{- end }}
{{- if .Values.controller.volumes }}
{{ toYaml .Values.controller.volumes }}
{{- end }}
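Review bot: `{{- toYaml .Values.controller.appprotect.volumes }}` left-trims the newline that precedes it, unlike the existing `{{ toYaml .Values.controller.volumes }}` three lines below, so the first generated volume entry is emitted on the same line as whatever output preceded the `{{- if }}`. Render the template with `controller.appprotect.v5: true` and inspect the volume list, or drop the leading dash to match the existing pattern.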
@ -361,6 +384,16 @@ volumeMounts:
- mountPath: /var/log/nginx
name: nginx-log
{{- end }}
{{- if .Values.controller.appprotect.v5 }}
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: app-protect-config
mountPath: /opt/app_protect/config
# app-protect-bundles is mounted so that Ingress Controller
# can verify that referenced bundles are present
- name: app-protect-bundles
mountPath: /etc/app_protect/bundles
{{- end }}
{{- if .Values.controller.volumeMounts }}
{{ toYaml .Values.controller.volumeMounts }}
{{- end }}
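Review bot: the three mount names hardcoded here (`app-protect-bd-config`, `app-protect-config`, `app-protect-bundles`) must match entries in the user-overridable `controller.appprotect.volumes` list; a user who customises that list, for example to back the bundles directory with a persistent volume, and renames an entry gets a pod that fails to start with an unclear error. Either state in the values documentation that these names are fixed, or derive the mounts from the volumes list.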
@ -378,6 +411,38 @@ volumeMounts:
{{- end -}}
{{- end -}}
{{- define "nginx-ingress.appprotect.v5" -}}
{{- if .Values.controller.appprotect.v5}}
- name: waf-enforcer
image: {{ include "nap-enforcer.image" . }}
imagePullPolicy: "{{ .Values.controller.appprotect.enforcer.image.pullPolicy }}"
{{- if .Values.controller.appprotect.enforcer.securityContext }}
securityContext:
{{ toYaml .Values.controller.appprotect.enforcer.securityContext | nindent 6 }}
{{- end }}
env:
- name: ENFORCER_PORT
value: "{{ .Values.controller.appprotect.enforcer.port | default 50000 }}"
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: waf-config-mgr
image: {{ include "nap-config-manager.image" . }}
imagePullPolicy: "{{ .Values.controller.appprotect.configManager.image.pullPolicy }}"
{{- if .Values.controller.appprotect.configManager.securityContext }}
securityContext:
{{ toYaml .Values.controller.appprotect.configManager.securityContext | nindent 6 }}
{{- end }}
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: app-protect-config
mountPath: /opt/app_protect/config
- name: app-protect-bundles
mountPath: /etc/app_protect/bundles
{{- end}}
{{- end -}}
{{- define "nginx-ingress.agentConfiguration" -}}
log:
level: {{ .Values.nginxAgent.logLevel }}
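Review bot: one style and one hardening point in the new `nginx-ingress.appprotect.v5` helper. `{{- if .Values.controller.appprotect.v5}}` and `{{- end}}` lack the space before `}}` used everywhere else in the file. More importantly, `securityContext` is rendered for each sidecar only when the value is non-empty, and the schema in this commit gives `controller.appprotect.enforcer.securityContext` a default of `{}` while `configManager.securityContext` defaults to non-root with all capabilities dropped; out of the box the enforcer therefore runs with no container-level security context at all. Give the enforcer the same restrictive default, or document why it needs more than the config manager.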


@ -1,4 +1,4 @@
{{- if .Values.rbac.create }}
{{- if and .Values.rbac.create .Values.rbac.clusterrole.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@ -68,6 +68,7 @@ rules:
- ingressclasses
verbs:
- get
- list
{{- if .Values.controller.reportIngressStatus.enable }}
- apiGroups:
- networking.k8s.io


@ -134,6 +134,9 @@ spec:
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 6 }}
{{- end }}
{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }}
{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
initContainers:
{{- end }}


@ -141,6 +141,9 @@ spec:
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 6 }}
{{- end }}
{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }}
{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
initContainers:
{{- end }}


@ -4,7 +4,7 @@ controller:
nginxplus: true
image:
repository: mycluster.icp:8500/kube-system/nginx-plus-ingress
tag: "3.5.2"
tag: "3.6.0"
nodeSelector:
beta.kubernetes.io/arch: "amd64"
proxy: true


@ -3,4 +3,4 @@ controller:
nginxplus: true
image:
repository: nginx-plus-ingress
tag: "3.5.2"
tag: "3.6.0"


@ -46,13 +46,13 @@
"type": "object",
"default": {},
"title": "The selectorLabels Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels"
},
"annotations": {
"type": "object",
"default": {},
"title": "The annotations Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
},
"nginxplus": {
"type": "boolean",
@ -119,6 +119,15 @@
true
]
},
"v5": {
"type": "boolean",
"default": false,
"title": "Enables App Protect WAF v5.",
"examples": [
false,
true
]
},
"logLevel": {
"type": "string",
"default": "",
@ -139,6 +148,201 @@
"debug",
"trace"
]
},
"volumes": {
"type": "array",
"default": [
{
"name": "app-protect-bd-config",
"emptyDir": {}
},
{
"name": "app-protect-config",
"emptyDir": {}
},
{
"name": "app-protect-bundles",
"emptyDir": {}
}
],
"title": "Volumes for App Protect WAF v5",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume"
}
},
"enforcer": {
"type": "object",
"properties": {
"host": {
"type": "string",
"default": "127.0.0.1",
"title": "Port which the App Protect WAF v5 Enforcer process runs on",
"examples": [
"127.0.0.1"
]
},
"port": {
"type": "integer",
"default": 50000,
"title": "Port which the App Protect WAF v5 Enforcer process runs on",
"examples": [
50000
]
},
"image": {
"type": "object",
"default": {},
"title": "The image Schema",
"required": [
"repository"
],
"properties": {
"repository": {
"type": "string",
"default": "private-registry.nginx.com/nap/waf-enforcer",
"title": "The repository of the App Protect WAF v5 Enforcer image",
"examples": [
"private-registry.nginx.com/nap/waf-enforcer"
]
},
"tag": {
"type": "string",
"default": "5.2.0",
"title": "The tag of the App Protect WAF v5 Enforcer image",
"examples": [
"5.2.0"
]
},
"digest": {
"type": "string",
"default": "",
"title": "The digest of the App Protect WAF v5 Enforcer image",
"examples": [
"sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572"
]
},
"pullPolicy": {
"type": "string",
"default": "IfNotPresent",
"title": "The pullPolicy for the App Protect WAF v5 Enforcer image",
"allOf": [
{
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy"
},
{
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
],
"examples": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"examples": [
{
"repository": "private-registry.nginx.com/nap/waf-enforcer",
"tag": "5.2.0",
"pullPolicy": "IfNotPresent"
}
]
},
"securityContext": {
"type": "object",
"default": {},
"title": "The securityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
}
}
},
"configManager": {
"type": "object",
"properties": {
"image": {
"type": "object",
"default": {},
"title": "The image Schema",
"required": [
"repository"
],
"properties": {
"repository": {
"type": "string",
"default": "private-registry.nginx.com/nap/waf-config-mgr",
"title": "The repository of the App Protect WAF v5 Config Manager image",
"examples": [
"private-registry.nginx.com/nap/waf-config-mgr"
]
},
"tag": {
"type": "string",
"default": "5.2.0",
"title": "The tag of the App Protect WAF v5 Config Manager image",
"examples": [
"5.2.0"
]
},
"digest": {
"type": "string",
"default": "",
"title": "The digest of the App Protect WAF v5 Config Manager image",
"examples": [
"sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572"
]
},
"pullPolicy": {
"type": "string",
"default": "IfNotPresent",
"title": "The pullPolicy for the App Protect WAF v5 Config Manager image",
"allOf": [
{
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy"
},
{
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
],
"examples": [
"Always",
"IfNotPresent",
"Never"
]
}
},
"examples": [
{
"repository": "private-registry.nginx.com/nap/waf-config-mgr",
"tag": "5.2.0",
"pullPolicy": "IfNotPresent"
}
]
},
"securityContext": {
"type": "object",
"default": {
"allowPrivilegeEscalation": false,
"runAsUser": 101,
"runAsNonRoot": true,
"capabilities": {
"drop": [
"all"
]
}
},
"title": "The securityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
}
}
}
},
"examples": [
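Review bot: the `title` for `enforcer.host` reads `Port which the App Protect WAF v5 Enforcer process runs on`, copied from the `port` entry directly below it; it should describe the host address. The `digest` examples for the enforcer and the config-manager images are also the same `sha256:2710c264...` value; a digest identifies exactly one image, so at least one of the two is wrong, and an example digest that is not a real pin for that image is better replaced with an obvious placeholder so nobody copies it into a values file.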
@ -226,7 +430,7 @@
"^.*$": {
"anyOf": [
{
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort"
},
{
"type": "boolean"
@ -242,7 +446,7 @@
"title": "The containerPort Schema",
"patternProperties": {
"^.*$": {
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort"
}
},
"additionalProperties": false
@ -251,7 +455,7 @@
"type": "string",
"allOf": [
{
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy"
},
{
"enum": [
@ -301,7 +505,7 @@
"title": "The customPorts to expose on the NGINX Ingress Controller pod",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort"
},
"examples": [
[
@ -336,10 +540,10 @@
},
"tag": {
"type": "string",
"default": "3.5.2",
"default": "3.6.0",
"title": "The tag of the Ingress Controller image",
"examples": [
"3.5.2"
"3.6.0"
]
},
"digest": {
@ -356,7 +560,7 @@
"title": "The pullPolicy for the Ingress Controller image",
"allOf": [
{
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy"
},
{
"enum": [
@ -376,7 +580,7 @@
"examples": [
{
"repository": "nginx/nginx-ingress",
"tag": "3.5.2",
"tag": "3.6.0",
"pullPolicy": "IfNotPresent"
}
]
@ -385,7 +589,7 @@
"type": "object",
"default": {},
"title": "The lifecycle Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle"
},
"customConfigMap": {
"type": "string",
@ -413,7 +617,7 @@
"type": "object",
"default": {},
"title": "The annotations Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
},
"entries": {
"type": "object",
@ -500,43 +704,43 @@
"type": "object",
"default": {},
"title": "The nodeSelector Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector"
},
"terminationGracePeriodSeconds": {
"type": "integer",
"default": 30,
"title": "The terminationGracePeriodSeconds Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds"
},
"podSecurityContext": {
"type": "object",
"default": {},
"title": "The podSecurityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
},
"securityContext": {
"type": "object",
"default": {},
"title": "The securityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
},
"initContainerSecurityContext": {
"type": "object",
"default": {},
"title": "The initContainerSecurityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
},
"resources": {
"type": "object",
"default": {},
"title": "The resources Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements"
},
"initContainerResources": {
"type": "object",
"default": {},
"title": "The resources Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements"
},
"tolerations": {
"type": "array",
@ -544,20 +748,20 @@
"title": "The tolerations Schema",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration"
}
},
"affinity": {
"type": "object",
"default": {},
"title": "The affinity Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity"
},
"topologySpreadConstraints": {
"type": "object",
"default": {},
"title": "The topologySpreadConstraints Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints"
},
"env": {
"type": "array",
@ -565,7 +769,7 @@
"title": "The env Schema",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar"
}
},
"volumes": {
@ -574,7 +778,7 @@
"title": "The volumes Schema",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume"
}
},
"volumeMounts": {
@ -583,7 +787,7 @@
"title": "The volumeMounts Schema",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount"
}
},
"initContainers": {
@ -592,14 +796,14 @@
"title": "The initContainers Schema",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container"
}
},
"minReadySeconds": {
"type": "integer",
"default": 0,
"title": "The minReadySeconds Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds"
},
"strategy": {
"type": "object",
@ -607,7 +811,7 @@
"title": "The strategy Schema",
"allOf": [
{
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy"
},
{
"properties": {
@ -629,7 +833,7 @@
"title": "The extraContainers Schema",
"items": {
"type": "object",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container"
}
},
"replicaCount": {
@ -897,19 +1101,19 @@
"type": "string",
"default": "",
"title": "The type",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type"
},
"externalTrafficPolicy": {
"type": "string",
"default": "",
"title": "The externalTrafficPolicy",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy"
},
"annotations": {
"type": "object",
"default": {},
"title": "The annotations",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
},
"extraLabels": {
"type": "object",
@ -925,13 +1129,13 @@
"type": "string",
"default": "",
"title": "The loadBalancerIP",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP"
},
"externalIPs": {
"type": "array",
"default": [],
"title": "The externalIPs",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs"
},
"loadBalancerSourceRanges": {
"type": "array",
@ -946,13 +1150,13 @@
"type": "boolean",
"default": false,
"title": "The allocateLoadBalancerNodePorts Schema",
"ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts"
"ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts"
},
"ipFamilyPolicy": {
"type": "string",
"default": "",
"title": "The ipFamilyPolicy Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy",
"examples": [
""
]
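Review bot: the `allocateLoadBalancerNodePorts` property uses the key `ref` (`"ref": "https://raw.githubusercontent.com/.../ServiceSpec/properties/allocateLoadBalancerNodePorts"`) where JSON Schema expects `$ref`. A bare `ref` is not a schema keyword, so validators ignore it and only `"type": "boolean"` is enforced; bumping the URL from v1.29.0 to v1.30.0 on an ignored key changes nothing. Replace `ref` with `$ref`, as the neighbouring `ipFamilyPolicy` entry already does.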
@ -961,7 +1165,7 @@
"type": "array",
"default": [],
"title": "The ipFamilies Schema",
"ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies"
"ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies"
},
"httpPort": {
"type": "object",
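Review bot: `ipFamilies` has the same `ref` versus `$ref` problem as the property above it: the reference to `ServiceSpec/properties/ipFamilies` is dropped by the validator, so the array accepts any item values and only `"type": "array"` is checked. Change the key to `$ref`; the version bump alone has no effect here.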
@ -1065,7 +1269,7 @@
"title": "The customPorts",
"items": {
"type": "object",
"ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort"
"ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort"
}
}
},
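Review bot: the `customPorts` item schema also spells the keyword `ref`, so the `io.k8s.api.core.v1.ServicePort` definition is never applied and each entry is validated only as `"type": "object"`. A misspelt field in a custom port (for example a wrong key for the target port) passes `helm lint` and schema validation and only fails at the API server. Use `$ref` here as well.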
@ -1107,7 +1311,7 @@
"type": "object",
"default": {},
"title": "The annotations Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
},
"name": {
"type": "string",
@ -1252,7 +1456,7 @@
"type": "object",
"default": {},
"title": "The annotations Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
}
},
"examples": [
@ -1276,13 +1480,13 @@
"type": "object",
"default": {},
"title": "The annotations Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
},
"extraLabels": {
"type": "object",
"default": {},
"title": "The extraLabels Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels"
}
},
"examples": [
@ -1296,7 +1500,7 @@
"type": "string",
"default": "",
"title": "The priorityClassName",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName"
},
"podDisruptionBudget": {
"type": "object",
@ -1313,13 +1517,13 @@
"type": "object",
"default": {},
"title": "The annotations Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations"
},
"minAvailable": {
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable"
},
"maxUnavailable": {
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable"
}
},
"examples": [
@ -1358,7 +1562,7 @@
"initialDelaySeconds": {
"type": "integer",
"default": 0,
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds"
}
},
"examples": [
@ -1466,7 +1670,7 @@
"customPorts": [],
"image": {
"repository": "nginx/nginx-ingress",
"tag": "3.5.2",
"tag": "3.6.0",
"digest": "",
"pullPolicy": "IfNotPresent"
},
@ -1681,7 +1885,7 @@
"type": "object",
"default": {},
"title": "The labels Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels"
}
}
},
@ -1703,13 +1907,13 @@
"type": "object",
"default": {},
"title": "The labels Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels"
},
"selectorMatchLabels": {
"type": "object",
"default": {},
"title": "The selectorMatchLabels Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels"
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels"
},
"endpoints": {
"type": "array",
@ -2007,7 +2211,7 @@
"customPorts": [],
"image": {
"repository": "nginx/nginx-ingress",
"tag": "3.5.2",
"tag": "3.6.0",
"digest": "",
"pullPolicy": "IfNotPresent"
},

View File

@ -21,9 +21,65 @@ controller:
appprotect:
## Enable the App Protect WAF module in the Ingress Controller.
enable: false
## Enables App Protect WAF v5.
v5: false
## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace
# logLevel: fatal
# Volumes for App Protect WAF v5
# Required volumes are: app-protect-bd-config, app-protect-config, and app-protect-bundles
volumes:
- name: app-protect-bd-config
emptyDir: {}
- name: app-protect-config
emptyDir: {}
- name: app-protect-bundles
emptyDir: {}
## Configuration for App Protect WAF v5 Enforcer
enforcer:
# Host that the App Protect WAF v5 Enforcer runs on.
# This will normally be "127.0.0.1" as the Enforcer container
# will run in the same pod as the Ingress Controller container.
host: "127.0.0.1"
# Port that the App Protect WAF v5 Enforcer runs on.
port: 50000
image:
## The image repository of the App Protect WAF v5 Enforcer.
repository: private-registry.nginx.com/nap/waf-enforcer
## The tag of the App Protect WAF v5 Enforcer image.
tag: "5.2.0"
## The digest of the App Protect WAF v5 Enforcer image.
## If digest is specified it has precedence over tag and will be used instead
# digest: "sha256:CHANGEME"
## The pull policy for the App Protect WAF v5 Enforcer image.
pullPolicy: IfNotPresent
securityContext: {}
## Configuration for App Protect WAF v5 Configuration Manager
configManager:
image:
## The image repository of the App Protect WAF v5 Configuration Manager.
repository: private-registry.nginx.com/nap/waf-config-mgr
## The tag of the App Protect WAF v5 Configuration Manager image.
tag: "5.2.0"
## The digest of the App Protect WAF v5 Configuration Manager image.
## If digest is specified it has precedence over tag and will be used instead
# digest: "sha256:CHANGEME"
## The pull policy for the App Protect WAF v5 Configuration Manager image.
pullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
runAsUser: 101 #nginx
runAsNonRoot: true
capabilities:
drop:
- all
## Support for App Protect DoS
appprotectdos:
## Enable the App Protect DoS module in the Ingress Controller.
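Review bot: the new `enforcer` block ships `securityContext: {}` while the `configManager` container in the same hunk gets `allowPrivilegeEscalation: false`, `runAsUser: 101`, `runAsNonRoot: true` and dropped capabilities. Both containers run in the Ingress Controller pod, and the enforcer is the one that inspects request traffic on `127.0.0.1:50000`, so it is the container that most needs a restrictive default; either give it the same baseline or add a comment stating which of those settings it cannot run with and why. Two smaller points: the capability list is written `drop: - all`, whereas the Kubernetes API documents the spelling `ALL`, and admission checks that compare the literal (the restricted Pod Security Standard) may not treat the lowercase form as equivalent; and the three `emptyDir: {}` volumes have no `sizeLimit`, so a large policy bundle can consume node ephemeral storage without bound.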
@ -78,7 +134,7 @@ controller:
repository: nginx/nginx-ingress
## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag.
# tag: "3.5.2"
# tag: "3.6.0"
## The digest of the Ingress Controller image.
## If digest is specified it has precedence over tag and will be used instead
# digest: "sha256:CHANGEME"
@ -173,7 +229,8 @@ controller:
type: RuntimeDefault
## The security context for the Ingress Controller containers.
securityContext: {} # Remove curly brackets before adding values
securityContext:
{} # Remove curly brackets before adding values
# allowPrivilegeEscalation: true
# readOnlyRootFilesystem: true
# runAsUser: 101 #nginx
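Review bot: this change only moves `{}` onto its own line; behaviour is unchanged, and the instruction "Remove curly brackets before adding values" still matters because leaving `{}` in place above uncommented keys produces invalid YAML. The sample users will uncomment leads with `# allowPrivilegeEscalation: true`, which is the permissive setting; if the controller genuinely requires it, the comment should say so, otherwise the example should show `false` so that copy-paste hardening goes the safe way.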
@ -265,19 +322,19 @@ controller:
## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes.
name: nginx
## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false.
## Creates a new IngressClass object with the name "controller.ingressClass.name". To use an existing IngressClass with the same name, set this value to false. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false.
create: true
## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create".
setAsDefaultIngress: false
## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel".
## Comma separated list of namespaces to watch for Ingress resources. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel".
watchNamespace: ""
## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace".
## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace".
watchNamespaceLabel: ""
## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces.
## Comma separated list of namespaces to watch for Secret resources. By default, the Ingress Controller watches all namespaces.
watchSecretNamespace: ""
## Enable the custom resources.
@ -286,7 +343,7 @@ controller:
## Enable OIDC policies.
enableOIDC: false
## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default.
## Include year in log header. This parameter will be removed in release 3.7 and the year will be included by default.
includeYear: false
## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
@ -501,6 +558,10 @@ rbac:
## Configures RBAC.
create: true
clusterrole:
## Create ClusterRole
create: true
prometheus:
## Expose NGINX or NGINX Plus metrics in the Prometheus format.
create: true
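Review bot: the new `rbac.clusterrole.create` toggle is documented only as "Create ClusterRole". State what happens when it is `false`: the controller then has no cluster-scoped permissions, so the deployer must supply namespaced Roles and RoleBindings and should restrict watching with `controller.watchNamespace`, otherwise the controller starts but lacks permission for cluster-wide watches. A one-line comment linking the two settings prevents a misconfiguration that presents as an RBAC outage.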

View File

@ -1,12 +1,12 @@
annotations:
artifacthub.io/changes: |
- Replace tpl with default for Ingress Controller image tag (#244)
- Use Ingress Controller 3.0.0 version for base image
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller
catalog.cattle.io/kube-version: '>=1.23.0-0'
catalog.cattle.io/release-name: haproxy
apiVersion: v2
appVersion: 1.11.4
appVersion: 3.0.0
description: A Helm chart for HAProxy Kubernetes Ingress Controller
home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png
@ -21,4 +21,4 @@ name: haproxy
sources:
- https://github.com/haproxytech/kubernetes-ingress
type: application
version: 1.39.4
version: 1.40.0
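Review bot: `appVersion` jumps from 1.11.4 to 3.0.0, two major versions of the ingress controller, while the chart version moves only from 1.39.4 to 1.40.0 and the `artifacthub.io/changes` entry says just "Use Ingress Controller 3.0.0 version for base image". A major application upgrade delivered as a chart minor bump will be picked up by anyone tracking `1.x`; the changelog should point at the controller's upgrade notes and any configuration or CRD changes between 1.11 and 3.0, and `catalog.cattle.io/kube-version` (`>=1.23.0-0`) should be re-checked against what 3.0.0 supports.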

View File

@ -52,6 +52,18 @@ spec:
nodePort: {{ .Values.controller.service.nodePorts.http }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enablePorts.https }}
- name: https
port: {{ .Values.controller.service.ports.https }}
protocol: TCP
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
targetPort: {{ .Values.controller.service.targetPorts.https }}
{{- if .Values.controller.service.nodePorts.https }}
nodePort: {{ .Values.controller.service.nodePorts.https }}
{{- end }}
{{- end }}
selector:
app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
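Review bot: the https block is a line-for-line copy of the http block above it with `http` replaced by `https`; a `range` over a list of port names would keep the two in sync and avoid the next copy drifting. Also, the guard `{{- if .Values.controller.service.nodePorts.https }}` treats `0` as unset, which is the desired behaviour for "let the API server allocate", but it deserves a comment so a reader does not mistake it for a bug.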

View File

@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.20-0'
catalog.cattle.io/release-name: harbor
apiVersion: v1
appVersion: 2.10.2
appVersion: 2.11.0
description: An open source trusted cloud native registry that stores, signs, and
scans content
home: https://goharbor.io
@ -14,14 +14,16 @@ keywords:
- registry
- harbor
maintainers:
- email: yinw@vmware.com
- email: yan-yw.wang@broadcom.com
name: Yan Wang
- email: wenkai.yin@broadcom.com
name: Wenkai Yin
- email: hweiwei@vmware.com
name: Weiwei He
- email: yshengwen@vmware.com
- email: miner.yang@broadcom.com
name: Miner Yang
- email: shengwen.yu@broadcom.com
name: Shengwen Yu
name: harbor
sources:
- https://github.com/goharbor/harbor
- https://github.com/goharbor/harbor-helm
version: 1.14.2
version: 1.15.0

View File

@ -75,334 +75,345 @@ helm uninstall my-release
The following table lists the configurable parameters of the Harbor chart and the default values.
| Parameter | Description | Default |
| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
| **Expose** | | |
| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` |
| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` |
| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` |
| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | |
| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | |
| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` |
| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | |
| `expose.ingress.annotations` | The annotations used commonly for ingresses | |
| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} |
| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} |
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} |
| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` |
| `expose.nodePort.name` | The name of NodePort service | `harbor` |
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` |
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` |
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` |
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` |
| `expose.loadBalancer.name` | The name of service | `harbor` |
| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` |
| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` |
| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} |
| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] |
| **Internal TLS** | | |
| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` |
| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false`
| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` |
| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | |
| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | |
| **IPFamily** | | |
| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components `true` |
| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components `true` |
| **Persistence** | | |
| `persistence.enabled` | Enable the data persistence or not | `true` |
| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` |
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | |
|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | |
| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` |
| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | |
| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` |
| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | |
| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` |
| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | |
| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` |
| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | |
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` |
| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | |
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` |
| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` |
| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` |
| **General** | | |
| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | |
| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | |
| `imagePullPolicy` | The image pull policy | |
| `imagePullSecrets` | The imagePullSecrets names for all deployments | |
| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` |
| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` |
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
| `existingSecretAdminPassword` | The name of secret where admin password can be found. | |
| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` |
| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | |
| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` |
| `proxy.httpProxy` | The URL of the HTTP proxy server | |
| `proxy.httpsProxy` | The URL of the HTTPS proxy server | |
| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal |
| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy |
| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` |
| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | |
| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` |
| `nginx.image.tag` | Image tag | `dev` |
| `nginx.replicas` | The replica count | `1` |
| `nginx.revisionHistoryLimit` | The revision history limit | `10` |
| `nginx.resources` | The [resources] to allocate for container | undefined |
| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` |
| `nginx.tolerations` | Tolerations for pod assignment | `[]` |
| `nginx.affinity` | Node/Pod affinities | `{}` |
| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
| `nginx.priorityClassName` | The priority class to run the pod as | |
| **Portal** | | |
| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` |
| `portal.image.tag` | Tag for portal image | `dev` |
| `portal.replicas` | The replica count | `1` |
| `portal.revisionHistoryLimit` | The revision history limit | `10` |
| `portal.resources` | The [resources] to allocate for container | undefined |
| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `portal.nodeSelector` | Node labels for pod assignment | `{}` |
| `portal.tolerations` | Tolerations for pod assignment | `[]` |
| `portal.affinity` | Node/Pod affinities | `{}` |
| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` |
| `portal.priorityClassName` | The priority class to run the pod as | |
| **Core** | | |
| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` |
| `core.image.tag` | Tag for Harbor core image | `dev` |
| `core.replicas` | The replica count | `1` |
| `core.revisionHistoryLimit` | The revision history limit | `10` |
| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` |
| `core.resources` | The [resources] to allocate for container | undefined |
| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `core.nodeSelector` | Node labels for pod assignment | `{}` |
| `core.tolerations` | Tolerations for pod assignment | `[]` |
| `core.affinity` | Node/Pod affinities | `{}` |
| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.serviceAnnotations` | Annotations to add to the core service | `{}` |
| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | |
| `core.quotaUpdateProvider` | The provider used to update project quota usage: `redis` or `db`. The default `db` implementation suits most deployments; `redis` improves performance under highly concurrent pushes to the same project and avoids spikes in database connections, at the cost of some delay before the displayed quota usage is updated. Switch to `redis` only if you have run into such connection spikes during concurrent pushes to the same project; it brings no improvement in other scenarios. | `db` |
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | |
| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | |
| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | |
| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
| `core.priorityClassName` | The priority class to run the pod as | |
| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | |
| `core.gdpr.deleteUser` | Enable GDPR-compliant user deletion | `false` |
| `core.gdpr.auditLogsCompliant` | Make audit logs GDPR-compliant by replacing the username with its CRC32 value once that user has been deleted from the system | `false` |
| **Jobservice** | | |
| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` |
| `jobservice.image.tag` | Tag for jobservice image | `dev` |
| `jobservice.replicas` | The replica count | `1` |
| `jobservice.revisionHistoryLimit` | The revision history limit | `10` |
| `jobservice.maxJobWorkers` | The max job workers | `10` |
| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` |
| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` |
| `jobservice.notification.webhook_job_max_retry` | The maximum number of retries when sending webhook notifications | `3` |
| `jobservice.notification.webhook_job_http_client_timeout` | The HTTP client timeout when sending webhook notifications | `3` |
| `jobservice.reaper.max_update_hours` | The maximum time to wait for a task to finish. A task still unfinished after this many hours is marked as error, although it keeps running | `24` |
| `jobservice.reaper.max_dangling_hours` | The maximum time an execution may stay in the running state without a new task being created | `168` |
| `jobservice.resources` | The [resources] to allocate for container | undefined |
| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` |
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` |
| `jobservice.affinity` | Node/Pod affinities | `{}` |
| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
| `jobservice.priorityClassName` | The priority class to run the pod as | |
| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| **Registry** | | |
| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
| `registry.registry.image.tag` | Tag for registry image | `dev` |
| `registry.registry.resources` | The [resources] to allocate for container | undefined |
| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` |
| `registry.controller.image.tag` | Tag for registry controller image | `dev` |
| `registry.controller.resources` | The [resources] to allocate for container | undefined |
| `registry.replicas` | The replica count | `1` |
| `registry.revisionHistoryLimit` | The revision history limit | `10` |
| `registry.nodeSelector` | Node labels for pod assignment | `{}` |
| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `registry.tolerations` | Tolerations for pod assignment | `[]` |
| `registry.affinity` | Node/Pod affinities | `{}` |
| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | |
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
| `registry.priorityClassName` | The priority class to run the pod as | |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `registry.credentials.username` | The username that Harbor core uses internally to access the registry instance. Together with `registry.credentials.password`, an htpasswd entry is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see the [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` |
| `registry.credentials.password` | The password that Harbor core uses internally to access the registry instance. Together with `registry.credentials.username`, an htpasswd entry is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see the [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` |
| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which uses htpasswd auth mode. The key must be `REGISTRY_PASSWD`. For more details see the [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `""` |
| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Mutually exclusive with `registry.credentials.username` and `registry.credentials.password`. Useful when integrating with tools like Argo CD or Flux, because the same line is produced each time the template is rendered, whereas Helm's `htpasswd` function generates a different line on every render because of the salt. | undefined |
| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` |
| `registry.upload_purging.enabled` | If true, purge the `_upload` directories | `true` |
| `registry.upload_purging.age` | Remove files in the `_upload` directories that are older than this; the default is one week | `168h` |
| `registry.upload_purging.interval` | The interval between purge operations | `24h` |
| `registry.upload_purging.dryrun` | If true, run the `_upload` purge in dry-run mode | `false` |
| **[Trivy][trivy]** | | |
| `trivy.enabled` | The flag to enable Trivy scanner | `true` |
| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` |
| `trivy.image.tag` | Tag for Trivy adapter image | `dev` |
| `trivy.resources` | The [resources] to allocate for Trivy adapter container | |
| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `trivy.replicas` | The number of Pod replicas | `1` |
| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` |
| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` |
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` |
| `trivy.skipJavaDBUpdate` | If enabled, you have to download the `trivy-java.db` file ([Trivy Java DB][trivy-java-db]) manually and mount it at `/home/scanner/.cache/trivy/java-db/trivy-java.db` | `false` |
| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` |
| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` |
| `trivy.timeout` | The duration to wait for scan completion | `5m0s` |
| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | |
| `trivy.priorityClassName` | The priority class to run the pod as | |
| `trivy.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | |
| **Database** | | |
| `database.type` | If external database is used, set it to `external` | `internal` |
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
| `database.internal.image.tag` | Tag for database image | `dev` |
| `database.internal.password` | The password for database | `changeit` |
| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
| `database.internal.resources` | The [resources] to allocate for container | undefined |
| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined |
| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined |
| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `database.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `database.internal.affinity` | Node/Pod affinities | `{}` |
| `database.internal.priorityClassName` | The priority class to run the pod as | |
| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 |
| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 |
| `database.external.host` | The hostname of external database | `192.168.0.1` |
| `database.external.port` | The port of external database | `5432` |
| `database.external.username` | The username of external database | `user` |
| `database.external.password` | The password of external database | `password` |
| `database.external.coreDatabase` | The database used by core service | `registry` |
| `database.external.existingSecret` | An existing secret containing the database password. The key must be `password`. | `""` |
| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it is <= 0, no idle connections are retained. | `50` |
| `database.maxOpenConns` | The maximum number of open connections to the database. If it is <= 0, there is no limit on the number of open connections. | `100` |
| `database.podAnnotations` | Annotations to add to the database pod | `{}` |
| **Redis** | | |
| `redis.type` | If external redis is used, set it to `external` | `internal` |
| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` |
| `redis.internal.image.tag` | Tag for redis image | `dev` |
| `redis.internal.resources` | The [resources] to allocate for container | undefined |
| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `redis.internal.affinity` | Node/Pod affinities | `{}` |
| `redis.internal.priorityClassName` | The priority class to run the pod as | |
| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` |
| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` |
| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
| `redis.external.addr` | The address of the external Redis: `<host_redis>:<port_redis>`. When using Sentinel, it should be `<host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>` | `192.168.0.2:6379` |
| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | |
| `redis.external.coreDatabaseIndex` | The database index for core | `0` |
| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
| `redis.external.registryDatabaseIndex` | The database index for registry | `2` |
| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` |
| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
| `redis.external.username` | The username of external Redis | |
| `redis.external.password` | The password of external Redis | |
| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` |
| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
| **Exporter** | | |
| `exporter.replicas` | The replica count | `1` |
| `exporter.revisionHistoryLimit` | The revision history limit | `10` |
| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` |
| `exporter.image.repository` | Repository for exporter image | `goharbor/harbor-exporter` |
| `exporter.image.tag` | Tag for exporter image | `dev` |
| `exporter.nodeSelector` | Node labels for pod assignment | `{}` |
| `exporter.tolerations` | Tolerations for pod assignment | `[]` |
| `exporter.affinity` | Node/Pod affinities | `{}` |
| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `exporter.cacheDuration` | The cache duration for information the exporter collects from Harbor | `30` |
| `exporter.cacheCleanInterval` | The cache clean interval for information the exporter collects from Harbor | `14400` |
| `exporter.priorityClassName` | The priority class to run the pod as | |
| **Metrics** | | |
| `metrics.enabled` | Enable Harbor metrics or not | `false` |
| `metrics.core.path` | The URL path for core metrics | `/metrics` |
| `metrics.core.port` | The port for core metrics | `8001` |
| `metrics.registry.path` | The URL path for registry metrics | `/metrics` |
| `metrics.registry.port` | The port for registry metrics | `8001` |
| `metrics.exporter.path` | The URL path for exporter metrics | `/metrics` |
| `metrics.exporter.port` | The port for exporter metrics | `8001` |
| `metrics.serviceMonitor.enabled` | Create a Prometheus ServiceMonitor. Requires the Prometheus CRDs | `false` |
| `metrics.serviceMonitor.additionalLabels` | Additional labels to add to the ServiceMonitor manifest | `""` |
| `metrics.serviceMonitor.interval` | Scrape interval for Harbor metrics | `""` |
| `metrics.serviceMonitor.metricRelabelings` | Metric relabelings (add/modify/drop) applied before ingestion | `[]` |
| `metrics.serviceMonitor.relabelings` | Relabelings (add/modify/drop) applied to samples before scraping | `[]` |
| **Trace** | | |
| `trace.enabled` | Enable tracing or not | `false` |
| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` |
| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` |
| `trace.namespace` | Namespace used to differentiate different harbor services | |
| `trace.attributes` | A key-value dict of user-defined attributes used to initialize the trace provider | |
| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` |
| `trace.jaeger.username` | The username of jaeger | |
| `trace.jaeger.password` | The password of jaeger | |
| `trace.jaeger.agent_host` | The agent host of jaeger | |
| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` |
| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` |
| `trace.otel.url_path` | The URL path of otel | `/v1/traces` |
| `trace.otel.compression` | Whether to enable compression for otel | `false` |
| `trace.otel.insecure` | Whether to establish an insecure connection for otel | `true` |
| `trace.otel.timeout` | The timeout in seconds of otel | `10` |
| **Cache** | | |
| `cache.enabled` | Enable cache layer or not | `false` |
| `cache.expireHours` | The expire hours of cache layer | `24` |
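Several defaults in these tables are placeholder credentials (`Harbor12345`, `not-a-secure-key`, `changeit`, `password`, `harbor_registry_password`), and each has an `existingSecret*` counterpart that moves the value into a Kubernetes Secret. The following audit of a parsed values file, added here as an example and not part of the Harbor chart or its README, flags those defaults together with the consistency rules the tables state (16-character secrets, `core.tokenKey`/`core.tokenCert` set together, `database.external.sslmode`, `trivy.insecure`, the TLS toggles); the Secret names in the hardened sample are assumed placeholders.

```python
"""Audit Harbor Helm chart values for the weak defaults listed in the README.

Added example, not part of the Harbor chart or its README. Input is the values
file already parsed into a dict (e.g. with yaml.safe_load), so only the standard
library is needed. Defaults and key names come from the parameter table; the
sample values at the bottom are constructed, with assumed Secret names.
"""
from __future__ import annotations

from typing import Any

# Placeholder credentials the chart ships with, paired with the existingSecret*
# parameter that moves the value into a Kubernetes Secret (None if the README
# lists no such alternative).
WEAK_DEFAULTS = {
    "harborAdminPassword": ("Harbor12345", "existingSecretAdminPassword"),
    "secretKey": ("not-a-secure-key", "existingSecretSecretKey"),
    "database.internal.password": ("changeit", None),
    "database.external.password": ("password", "database.external.existingSecret"),
    "registry.credentials.password": ("harbor_registry_password",
                                      "registry.credentials.existingSecret"),
}

# Keys the README requires to be exactly 16 characters whenever they are set.
SIXTEEN_CHAR_KEYS = ("secretKey", "core.secret", "jobservice.secret", "registry.secret")


def lookup(values: dict, path: str) -> Any:
    """Follow a dotted path through nested dicts; None if any segment is missing."""
    node: Any = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_values(values: dict) -> list[str]:
    """Return one finding per weak or inconsistent setting; empty when clean."""
    findings: list[str] = []
    db_type = lookup(values, "database.type") or "internal"

    for path, (default, alt) in WEAK_DEFAULTS.items():
        # Only the database half that is actually in use matters.
        if path.startswith("database.internal") and db_type != "internal":
            continue
        if path.startswith("database.external") and db_type != "external":
            continue
        if alt and lookup(values, alt):
            continue  # credential comes from an existing Secret; nothing inline to check
        current = lookup(values, path)
        if current is None or current == default:  # unset means the chart default applies
            hint = f"; prefer {alt}" if alt else ""
            findings.append(f"{path} is the chart default '{default}'{hint}")

    for path in SIXTEEN_CHAR_KEYS:
        current = lookup(values, path)
        if current is not None and len(str(current)) != 16:
            findings.append(f"{path} must be exactly 16 characters, got {len(str(current))}")

    # tokenKey/tokenCert are only consulted when core.secretName is unset, and
    # then the README requires both or neither.
    if not lookup(values, "core.secretName"):
        if bool(lookup(values, "core.tokenKey")) != bool(lookup(values, "core.tokenCert")):
            findings.append("core.tokenKey and core.tokenCert must be set together")

    if db_type == "external" and (lookup(values, "database.external.sslmode") or "disable") == "disable":
        findings.append("database.external.sslmode is 'disable'; use verify-full or verify-ca")
    if lookup(values, "trivy.insecure") is True:
        findings.append("trivy.insecure skips registry certificate verification")
    if lookup(values, "expose.tls.enabled") is False:
        findings.append("expose.tls.enabled is false; Harbor is served over plain HTTP")
    if lookup(values, "internalTLS.enabled") is not True:
        findings.append("internalTLS.enabled is not true; component traffic is unencrypted")
    return findings


# Constructed sample: only the external database host is set, so every credential
# is still at its chart default.
DEFAULTS_ONLY = {"database": {"type": "external", "external": {"host": "db.example.internal"}}}

# Constructed sample: credentials moved into Secrets (names are assumed), TLS on
# for both the external database and component traffic, a 16-char registry secret.
HARDENED = {
    "existingSecretAdminPassword": "harbor-admin",
    "existingSecretSecretKey": "harbor-secret-key",
    "database": {"type": "external",
                 "external": {"host": "db.example.internal", "sslmode": "verify-full",
                              "existingSecret": "harbor-db"}},
    "registry": {"credentials": {"existingSecret": "harbor-registry"},
                 "secret": "0123456789abcdef"},
    "core": {"secretName": "harbor-token-tls"},
    "internalTLS": {"enabled": True},
}

if __name__ == "__main__":
    for name, sample in (("defaults-only", DEFAULTS_ONLY), ("hardened", HARDENED)):
        result = audit_values(sample)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it against `yaml.safe_load(open("values.yaml"))` in a CI step and fail the pipeline on a non-empty list; an unset key counts as the chart default, which is what the table says applies.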
| Parameter | Description | Default |
| --- | --- | --- |
| **Expose** | | |
| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` |
| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` |
| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` |
| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | |
| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | |
| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` |
| `expose.ingress.kubeVersionOverride` | Allows overriding the Kubernetes version used while templating the ingress | |
| `expose.ingress.annotations` | The annotations used commonly for ingresses | |
| `expose.ingress.labels` | The labels specific to ingress | {} |
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} |
| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` |
| `expose.clusterIP.annotations` | The annotations used commonly for clusterIP | |
| `expose.clusterIP.labels` | The labels specific to clusterIP | {} |
| `expose.nodePort.name` | The name of NodePort service | `harbor` |
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` |
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` |
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` |
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` |
| `expose.nodePort.annotations` | The annotations used commonly for nodePort | |
| `expose.nodePort.labels` | The labels specific to nodePort | {} |
| `expose.loadBalancer.name` | The name of service | `harbor` |
| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` |
| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` |
| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} |
| `expose.loadBalancer.labels` | The labels specific to loadBalancer | {} |
| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] |
| **Internal TLS** | | |
| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` |
| `internalTLS.strong_ssl_ciphers` | Enable strong SSL ciphers for nginx and portal | `false` |
| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` |
| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | |
| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | |
| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | |
| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | |
| **IPFamily** | | |
| `ipFamily.ipv4.enabled` | If the cluster is IPv4-enabled, all IPv4-related configs are set accordingly; currently this only affects the nginx-related components | `true` |
| `ipFamily.ipv6.enabled` | If the cluster is IPv6-enabled, all IPv6-related configs are set accordingly; currently this only affects the nginx-related components | `true` |
| **Persistence** | | |
| `persistence.enabled` | Enable the data persistence or not | `true` |
| `persistence.resourcePolicy` | Set it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty deletes the PVCs after the chart is deleted. Does not affect PVCs created for the internal database and redis components. | `keep` |
| `persistence.persistentVolumeClaim.registry.existingClaim` | Use an existing PVC, which must be created manually before it can be bound; specify the `subPath` if the PVC is shared with other components | |
| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume; when unset, the default StorageClass is used. Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | |
| `persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use an existing PVC, which must be created manually before it can be bound; specify the `subPath` if the PVC is shared with other components. | |
| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume; when unset, the default StorageClass is used. Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` |
| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | |
| `persistence.persistentVolumeClaim.database.existingClaim` | Use an existing PVC, which must be created manually before it can be bound; specify the `subPath` if the PVC is shared with other components. If an external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume; when unset, the default StorageClass is used. Set it to `-` to disable dynamic provisioning. If an external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If an external database is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If an external database is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If an external database is used, the setting will be ignored | `1Gi` |
| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | |
| `persistence.persistentVolumeClaim.redis.existingClaim` | Use an existing PVC, which must be created manually before it is bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting is ignored | |
| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. If unset, the default StorageClass is used. Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting is ignored | |
| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | |
| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` |
| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | |
| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use an existing PVC, which must be created manually before it is bound, and specify the `subPath` if the PVC is shared with other components | |
| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. If unset, the default StorageClass is used. Set it to `-` to disable dynamic provisioning | |
| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | |
| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` |
| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` |
| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | |
| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends that do not support it (such as MinIO used with the `s3` storage type), set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` |
| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain a key named `ca.crt`, which is injected into the trust store of the registry containers. | |
| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for the registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` |
| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the GCS service account JSON key. The key must be `gcs-key.json`. | `""` |
| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of Workload Identity in a GKE cluster. To use it, create a Kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` |
| **General** | | |
| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
| `caBundleSecretName` | The custom CA bundle secret name. The secret must contain a key named `ca.crt`, which is injected into the trust store of the core, jobservice, registry and trivy components. | |
| `uaaSecretName` | If using external UAA auth which has a self-signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | |
| `imagePullPolicy` | The image pull policy | |
| `imagePullSecrets` | The imagePullSecrets names for all deployments | |
| `updateStrategy.type` | The update strategy for deployments with persistent volumes (jobservice, registry): `RollingUpdate` or `Recreate`. Set it to `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` |
| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` |
| `harborAdminPassword` | The initial password of the Harbor admin. Change it from the portal after launching Harbor | `Harbor12345` |
| `existingSecretAdminPassword` | The name of the secret where the admin password can be found. | |
| `existingSecretAdminPasswordKey` | The name of the key in the secret where the Harbor admin password can be found | `HARBOR_ADMIN_PASSWORD` |
| `caSecretName` | The name of the secret which contains a key named `ca.crt`. Setting this enables the download link on the portal to download the CA certificate when the certificate isn't generated automatically | |
| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| `existingSecretSecretKey` | An existing secret containing the `secretKey` used for encryption | `""` |
| `proxy.httpProxy` | The URL of the HTTP proxy server | |
| `proxy.httpsProxy` | The URL of the HTTPS proxy server | |
| `proxy.noProxy` | The URLs that the proxy settings do not apply to | 127.0.0.1,localhost,.local,.internal |
| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy |
| `enableMigrateHelmHook` | Run the migration job via a Helm hook. If true, the database migration is separated from harbor-core and run by a pre-upgrade job, `migration-job` | `false` |
| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | |
| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` |
| `nginx.image.tag` | Image tag | `dev` |
| `nginx.replicas` | The replica count | `1` |
| `nginx.revisionHistoryLimit` | The revision history limit | `10` |
| `nginx.resources` | The [resources] to allocate for container | undefined |
| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `nginx.nodeSelector` | Node labels for pod assignment | `{}` |
| `nginx.tolerations` | Tolerations for pod assignment | `[]` |
| `nginx.affinity` | Node/Pod affinities | `{}` |
| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
| `nginx.priorityClassName` | The priority class to run the pod as | |
| **Portal** | | |
| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` |
| `portal.image.tag` | Tag for portal image | `dev` |
| `portal.replicas` | The replica count | `1` |
| `portal.revisionHistoryLimit` | The revision history limit | `10` |
| `portal.resources` | The [resources] to allocate for container | undefined |
| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `portal.nodeSelector` | Node labels for pod assignment | `{}` |
| `portal.tolerations` | Tolerations for pod assignment | `[]` |
| `portal.affinity` | Node/Pod affinities | `{}` |
| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` |
| `portal.priorityClassName` | The priority class to run the pod as | |
| `portal.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
| **Core** | | |
| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` |
| `core.image.tag` | Tag for Harbor core image | `dev` |
| `core.replicas` | The replica count | `1` |
| `core.revisionHistoryLimit` | The revision history limit | `10` |
| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` |
| `core.resources` | The [resources] to allocate for container | undefined |
| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `core.nodeSelector` | Node labels for pod assignment | `{}` |
| `core.tolerations` | Tolerations for pod assignment | `[]` |
| `core.affinity` | Node/Pod affinities | `{}` |
| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.serviceAnnotations` | Annotations to add to the core service | `{}` |
| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | |
| `core.quotaUpdateProvider` | The provider for updating project quota (usage): `redis` or `db`. By default it is implemented by the database, but switching to Redis can improve performance under highly concurrent pushes to the same project and reduce database connection spikes. Using Redis delays the quota usage shown for display, so only switch the provider to `redis` if you have run into database connection spikes during highly concurrent pushes to the same project; there is no improvement for other scenarios. | `db` |
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | |
| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | |
| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | |
| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
| `core.priorityClassName` | The priority class to run the pod as | |
| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | |
| `core.gdpr.deleteUser` | Enable GDPR-compliant user deletion | `false` |
| `core.gdpr.auditLogsCompliant` | Enable GDPR-compliant audit logs by replacing the username with its CRC32 value if that user was deleted from the system | `false` |
| `core.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
| **Jobservice** | | |
| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` |
| `jobservice.image.tag` | Tag for jobservice image | `dev` |
| `jobservice.replicas` | The replica count | `1` |
| `jobservice.revisionHistoryLimit` | The revision history limit | `10` |
| `jobservice.maxJobWorkers` | The max job workers | `10` |
| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` |
| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` |
| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` |
| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` |
| `jobservice.reaper.max_update_hours` | The max time to wait for a task to finish. If unfinished after `max_update_hours`, the task is marked as error but continues to run. Default value is 24 | `24` |
| `jobservice.reaper.max_dangling_hours` | The max time for an execution in running state without a new task being created | `168` |
| `jobservice.resources` | The [resources] to allocate for container | undefined |
| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` |
| `jobservice.tolerations` | Tolerations for pod assignment | `[]` |
| `jobservice.affinity` | Node/Pod affinities | `{}` |
| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
| `jobservice.priorityClassName` | The priority class to run the pod as | |
| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
| **Registry** | | |
| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
| `registry.registry.image.tag` | Tag for registry image | `dev` |
| `registry.registry.resources` | The [resources] to allocate for container | undefined |
| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` |
| `registry.controller.image.tag` | Tag for registry controller image | `dev` |
| `registry.controller.resources` | The [resources] to allocate for container | undefined |
| `registry.replicas` | The replica count | `1` |
| `registry.revisionHistoryLimit` | The revision history limit | `10` |
| `registry.nodeSelector` | Node labels for pod assignment | `{}` |
| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `registry.tolerations` | Tolerations for pod assignment | `[]` |
| `registry.affinity` | Node/Pod affinities | `{}` |
| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | |
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
| `registry.priorityClassName` | The priority class to run the pod as | |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` |
| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` |
| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` |
| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined |
| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` |
| `registry.upload_purging.enabled` | If true, enable purging of `_upload` directories | `true` |
| `registry.upload_purging.age` | Remove files in `_upload` directories that have existed for this period of time; default is one week | `168h` |
| `registry.upload_purging.interval` | The interval of the purge operations | `24h` |
| `registry.upload_purging.dryrun` | If true, enable dry run for purging `_upload`; default false | `false` |
| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
| **[Trivy][trivy]** | | |
| `trivy.enabled` | The flag to enable Trivy scanner | `true` |
| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` |
| `trivy.image.tag` | Tag for Trivy adapter image | `dev` |
| `trivy.resources` | The [resources] to allocate for Trivy adapter container | |
| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `trivy.replicas` | The number of Pod replicas | `1` |
| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` |
| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` |
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` |
| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` |
| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` |
| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` |
| `trivy.timeout` | The duration to wait for scan completion | `5m0s` |
| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | |
| `trivy.priorityClassName` | The priority class to run the pod as | |
| `trivy.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | |
| `trivy.initContainers` | Init containers to be run before the controller's container starts. | `[]` |
| **Database** | | |
| `database.type` | If external database is used, set it to `external` | `internal` |
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
| `database.internal.image.tag` | Tag for database image | `dev` |
| `database.internal.password` | The password for database | `changeit` |
| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
| `database.internal.resources` | The [resources] to allocate for container | undefined |
| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined |
| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined |
| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `database.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `database.internal.affinity` | Node/Pod affinities | `{}` |
| `database.internal.priorityClassName` | The priority class to run the pod as | |
| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 |
| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 |
| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` |
| `database.external.host` | The hostname of external database | `192.168.0.1` |
| `database.external.port` | The port of external database | `5432` |
| `database.external.username` | The username of external database | `user` |
| `database.external.password` | The password of external database | `password` |
| `database.external.coreDatabase` | The database used by core service | `registry` |
| `database.external.existingSecret` | An existing secret containing the database password. The key must be `password`. | `""` |
| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If <= 0, no idle connections are retained. | `50` |
| `database.maxOpenConns` | The maximum number of open connections to the database. If <= 0, there is no limit on the number of open connections. | `100` |
| `database.podAnnotations` | Annotations to add to the database pod | `{}` |
| **Redis** | | |
| `redis.type` | If external redis is used, set it to `external` | `internal` |
| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` |
| `redis.internal.image.tag` | Tag for redis image | `dev` |
| `redis.internal.resources` | The [resources] to allocate for container | undefined |
| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` |
| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` |
| `redis.internal.affinity` | Node/Pod affinities | `{}` |
| `redis.internal.priorityClassName` | The priority class to run the pod as | |
| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` |
| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` |
| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` |
| `redis.external.addr` | The addr of external Redis: <host_redis>:<port_redis>. When using sentinel, it should be <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3> | `192.168.0.2:6379` |
| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | |
| `redis.external.coreDatabaseIndex` | The database index for core | `0` |
| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
| `redis.external.registryDatabaseIndex` | The database index for registry | `2` |
| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` |
| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
| `redis.external.username` | The username of external Redis | |
| `redis.external.password` | The password of external Redis | |
| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` |
| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
| **Exporter** | | |
| `exporter.replicas` | The replica count | `1` |
| `exporter.revisionHistoryLimit` | The revision history limit | `10` |
| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` |
| `exporter.image.repository` | Repository for exporter image | `goharbor/harbor-exporter` |
| `exporter.image.tag` | Tag for exporter image | `dev` |
| `exporter.nodeSelector` | Node labels for pod assignment | `{}` |
| `exporter.tolerations` | Tolerations for pod assignment | `[]` |
| `exporter.affinity` | Node/Pod affinities | `{}` |
| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
| `exporter.cacheDuration` | The cache duration for information that the exporter collected from Harbor | `30` |
| `exporter.cacheCleanInterval` | The cache clean interval for information that the exporter collected from Harbor | `14400` |
| `exporter.priorityClassName` | The priority class to run the pod as | |
| **Metrics** | | |
| `metrics.enabled` | Whether to enable Harbor metrics | `false` |
| `metrics.core.path` | The URL path for core metrics | `/metrics` |
| `metrics.core.port` | The port for core metrics | `8001` |
| `metrics.registry.path` | The URL path for registry metrics | `/metrics` |
| `metrics.registry.port` | The port for registry metrics | `8001` |
| `metrics.exporter.path` | The URL path for exporter metrics | `/metrics` |
| `metrics.exporter.port` | The port for exporter metrics | `8001` |
| `metrics.serviceMonitor.enabled` | Create a Prometheus ServiceMonitor. Requires the Prometheus CRDs | `false` |
| `metrics.serviceMonitor.additionalLabels` | Additional labels to upsert to the manifest | `""` |
| `metrics.serviceMonitor.interval` | Scrape period for Harbor metrics | `""` |
| `metrics.serviceMonitor.metricRelabelings` | Metric relabelings to add/modify/delete labels before ingestion | `[]` |
| `metrics.serviceMonitor.relabelings` | Relabelings to add/modify/delete labels on samples before scrape | `[]` |
| **Trace** | | |
| `trace.enabled` | Enable tracing or not | `false` |
| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` |
| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` |
| `trace.namespace` | Namespace used to differentiate different harbor services | |
| `trace.attributes` | `attributes` is a key-value dict containing user-defined attributes used to initialize the trace provider | |
| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` |
| `trace.jaeger.username` | The username of jaeger | |
| `trace.jaeger.password` | The password of jaeger | |
| `trace.jaeger.agent_host` | The agent host of jaeger | |
| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` |
| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` |
| `trace.otel.url_path` | The URL path of otel | `/v1/traces` |
| `trace.otel.compression` | Whether to enable compression for otel | `false` |
| `trace.otel.insecure` | Whether to establish an insecure connection for otel | `true` |
| `trace.otel.timeout` | The timeout in seconds of otel | `10` |
| **Cache** | | |
| `cache.enabled` | Enable cache layer or not | `false` |
| `cache.expireHours` | The expire hours of cache layer | `24` |
[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
[trivy]: https://github.com/aquasecurity/trivy
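As an added example (not part of the Harbor chart or its README), the values fragment below contrasts the table's shipped credential defaults with a values file that uses the `existingSecret*` keys so no password or encryption key is stored in values at all. All Secret names, hostnames and the `example.internal` domain are assumed placeholders; the key names inside each Secret are the ones the table states.

```yaml
# Added example, not from the Harbor chart. Secret names, hostnames and the
# example.internal domain are assumed placeholders; create the Secrets out of
# band, e.g.:
#   kubectl create secret generic harbor-admin \
#     --from-literal=HARBOR_ADMIN_PASSWORD='<strong password>'
#   kubectl create secret generic harbor-db --from-literal=password='<db password>'
#   kubectl create secret generic harbor-redis --from-literal=REDIS_PASSWORD='<redis password>'
#   kubectl create secret generic harbor-registry-credentials --from-literal=REGISTRY_PASSWD='<registry password>'

# ---- Weak settings the table lists as defaults (left here only for contrast) ----
# harborAdminPassword: Harbor12345                     # well-known initial admin password
# secretKey: not-a-secure-key                          # well-known 16-char encryption key
# database.internal.password: changeit
# registry.credentials.password: harbor_registry_password
# database.external.sslmode: disable                   # cleartext DB connection

# ---- Hardened values ----
externalURL: https://harbor.example.internal           # assumed hostname

# Admin password is read from a pre-created Secret; the key name defaults
# to HARBOR_ADMIN_PASSWORD per the table, so it is stated here explicitly.
existingSecretAdminPassword: harbor-admin
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD

# 16-character encryption key held in a Secret instead of in values.yaml
# (the key name inside that Secret is not given in the table; check the
# chart's values.yaml before creating it).
existingSecretSecretKey: harbor-secret-key

# Private CA for core, jobservice, registry and trivy (Secret key `ca.crt`).
caBundleSecretName: harbor-ca-bundle

# Prevent the service-token key pair from being the chart's default pair.
core:
  secretName: harbor-core-token-cert                   # keys tls.crt / tls.key

registry:
  credentials:
    existingSecret: harbor-registry-credentials        # key REGISTRY_PASSWD
  upload_purging:
    enabled: true                                      # table default: stale _upload dirs purged after 168h

database:
  type: external
  external:
    host: db.example.internal                          # assumed
    port: 5432
    username: harbor                                   # assumed
    coreDatabase: registry
    existingSecret: harbor-db                          # key `password`
    sslmode: verify-full                               # table default is `disable`

redis:
  type: external
  external:
    addr: redis.example.internal:6379                  # assumed
    existingSecret: harbor-redis                       # key REDIS_PASSWORD

trivy:
  enabled: true
  insecure: false                                      # keep registry certificate verification on
  securityCheck: vuln,secret                           # also flag secrets baked into images (table default: vuln)
  ignoreUnfixed: false                                 # report vulnerabilities even without a fix yet

trace:
  enabled: false
  # If tracing is switched on later, note that trace.otel.insecure defaults to true:
  # otel:
  #   insecure: false

metrics:
  enabled: true
  serviceMonitor:
    enabled: true                                      # needs the Prometheus CRDs installed
```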

View File

@ -25,12 +25,27 @@ If release name contains chart name it will be used as a full name.
{{- end }}
{{- end }}
{{/* Helm required labels: legacy */}}
{{- define "harbor.legacy.labels" -}}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}
app: "{{ template "harbor.name" . }}"
{{- end -}}
{{/* Helm required labels */}}
{{- define "harbor.labels" -}}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}
app: "{{ template "harbor.name" . }}"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "harbor.name" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: {{ include "harbor.name" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- end -}}
{{/* matchLabels */}}
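Review bot: `harbor.labels` repeats the four legacy keys (`heritage`, `release`, `chart`, `app`) verbatim instead of including the new `harbor.legacy.labels` helper defined just above it, so the two blocks will drift; replace the duplicated lines with `{{ include "harbor.legacy.labels" . }}`. Also, `app.kubernetes.io/version` is now emitted by a helper that the pod templates in this commit include (`{{ include "harbor.labels" . | indent 8 }}`), so every chart bump rolls every workload; that is acceptable for Deployments, but confirm that `harbor.matchLabels` (defined right after this hunk) never picks the version label up, since selectors are immutable.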
@ -563,4 +578,4 @@ app: "{{ template "harbor.name" . }}"
{{/* Allow KubeVersion to be overridden. */}}
{{- define "harbor.ingress.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}}
{{- end -}}
{{- end -}}

View File

@ -5,6 +5,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: core
app.kubernetes.io/component: core
spec:
replicas: {{ .Values.core.replicas }}
revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }}
@ -15,8 +16,9 @@ spec:
template:
metadata:
labels:
{{ include "harbor.matchLabels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: core
app.kubernetes.io/component: core
{{- if .Values.core.podLabels }}
{{ toYaml .Values.core.podLabels | indent 8 }}
{{- end }}
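Review bot: the pod template now renders both `harbor.matchLabels` and `harbor.labels` into the same `labels:` map. `harbor.labels` emits `app` and `release` (see the helper change in this commit); if `harbor.matchLabels` emits the same keys, the rendered YAML contains duplicate map keys, which strict decoders reject and lenient ones resolve silently. Either drop the `harbor.matchLabels` include here or make `harbor.labels` the single source of those keys, and check `helm template` output with a strict YAML parser.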
@ -55,6 +57,10 @@ spec:
component: core
{{- end }}
{{- end }}
{{- with .Values.core.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: core
image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
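Review bot: user-supplied `core.initContainers` are pasted verbatim with `toYaml`, so they do not inherit the `containerSecurityContext` that this commit applies to the main `core` container in the next hunk; the README row for `core.initContainers` should say that operators must set `securityContext` on each init container themselves, or the template should merge the default in. The `nindent 8` also has to line up with the `containers:` list that follows; verify with `helm template`, since the rendered diff here does not preserve leading whitespace.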
@ -144,6 +150,9 @@ spec:
{{- with .Values.core.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.core.containerPort" . }}
volumeMounts:
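Review bot: the `{{- if not (empty .Values.containerSecurityContext) }} ... {{- end }}` guard with `toYaml | nindent 10` is now repeated across several templates in this commit (core, the database StatefulSet and another deployment); pull it into a named helper such as `harbor.containerSecurityContext` so a future default (for example `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true`) lands everywhere at once. `containerSecurityContext` also needs a row in the README parameter table with its default, since it does not appear in the General section above.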

View File

@ -47,6 +47,9 @@ spec:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
volumeMounts:
- name: config

View File

@ -7,6 +7,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: database
app.kubernetes.io/component: database
spec:
replicas: 1
serviceName: "{{ template "harbor.database" . }}"
@ -19,6 +20,7 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: database
app.kubernetes.io/component: database
{{- if .Values.database.podLabels }}
{{ toYaml .Values.database.podLabels | indent 8 }}
{{- end }}
@ -41,23 +43,6 @@ spec:
automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
initContainers:
# as we change the data directory to a sub folder to support psp, the init container here
# is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756
# for more detail.
# we may remove it after several releases
- name: "data-migrator"
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command: ["/bin/sh"]
args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"]
{{- if .Values.database.internal.initContainer.migrator.resources }}
resources:
{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }}
{{- end }}
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: {{ $database.subPath }}
# with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume
# this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph
# use this init container to correct the permission
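Review bot: removing the `data-migrator` init container changes the upgrade path, since the removed comment says it migrated data that still sits directly under `/var/lib/postgresql/data` into `pgdata`; state in the chart's upgrade notes the minimum prior chart version from which a direct upgrade is supported, so that an old release does not come up against an unmigrated data directory.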
@ -65,6 +50,9 @@ spec:
- name: "data-permissions-ensurer"
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
command: ["/bin/sh"]
args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
{{- if .Values.database.internal.initContainer.permissions.resources }}
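Review bot: with the shared `containerSecurityContext` applied to `data-permissions-ensurer` (the values default drops all capabilities and sets `runAsNonRoot`), `chmod -R 700` only succeeds when the container's uid already owns the files, because CAP_FOWNER is gone; the trailing `|| true` then hides that failure and PostgreSQL will later fail with the "group or world access" error the comment above describes. Suggest dropping `|| true`, or at least echoing the failure, so a permission problem surfaces in the init container log rather than in the database container.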
@ -75,10 +63,16 @@ spec:
- name: database-data
mountPath: /var/lib/postgresql/data
subPath: {{ $database.subPath }}
{{- with .Values.database.internal.extrInitContainers }}
{{- toYaml . | nindent 6 }}
{{- end }}
containers:
- name: database
image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
livenessProbe:
exec:
command:
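Review bot: the values key `extrInitContainers` is inconsistent with the `initContainers` key every other component gets in this change (and reads like a typo for `extraInitContainers`); rename it before release, since values keys are awkward to change once users depend on them, and apply the same rename in values.yaml where it is defined.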
@ -147,7 +141,7 @@ spec:
- metadata:
name: "database-data"
labels:
{{ include "harbor.labels" . | indent 8 }}
{{ include "harbor.legacy.labels" . | indent 8 }}
annotations:
{{- range $key, $value := $database.annotations }}
{{ $key }}: {{ $value | quote }}
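Review bot: add a template comment next to `harbor.legacy.labels` explaining why `volumeClaimTemplates` keep the old label set (a StatefulSet's `volumeClaimTemplates` are immutable, so switching them to the new labels would be rejected on upgrade); without the comment a future cleanup is likely to "fix" it back to `harbor.labels` and break upgrades. The same applies to the redis and trivy `volumeClaimTemplates` hunks below.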

View File

@ -6,6 +6,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: exporter
app.kubernetes.io/component: exporter
spec:
replicas: {{ .Values.exporter.replicas }}
revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }}
@ -18,10 +19,13 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: exporter
app.kubernetes.io/component: exporter
{{- if .Values.exporter.podLabels }}
{{ toYaml .Values.exporter.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/exporter/exporter-cm-env.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/exporter/exporter-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
@ -97,8 +101,11 @@ spec:
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
ports:
- containerPort: {{ template "harbor.core.containerPort" . }}
- containerPort: {{ .Values.metrics.exporter.port }}
volumeMounts:
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}

View File

@ -37,8 +37,8 @@ metadata:
name: "{{ template "harbor.ingress" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if $ingress.harbor.labels }}
{{ toYaml $ingress.harbor.labels | indent 4 }}
{{- if $ingress.labels }}
{{ toYaml $ingress.labels | indent 4 }}
{{- end }}
annotations:
{{ toYaml $ingress.annotations | indent 4 }}
@ -51,9 +51,6 @@ metadata:
ncp/http-redirect: "true"
{{- end }}
{{- end }}
{{- if $ingress.harbor.annotations }}
{{ toYaml $ingress.harbor.annotations | indent 4 }}
{{- end }}
spec:
{{- if $ingress.className }}
ingressClassName: {{ $ingress.className }}
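Review bot: `expose.ingress.harbor.annotations` and `expose.ingress.harbor.labels` are removed without a deprecation path, so an existing values file that sets them will render an ingress that silently lacks those annotations (including security-relevant ones such as `nginx.ingress.kubernetes.io/ssl-redirect`); consider a `{{- if .Values.expose.ingress.harbor }}{{ fail "..." }}{{- end }}` guard or a documented migration to `expose.ingress.annotations` and the new `expose.ingress.labels`.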

View File

@ -5,6 +5,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: jobservice
app.kubernetes.io/component: jobservice
spec:
replicas: {{ .Values.jobservice.replicas }}
revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }}
@ -22,6 +23,7 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: jobservice
app.kubernetes.io/component: jobservice
{{- if .Values.jobservice.podLabels }}
{{ toYaml .Values.jobservice.podLabels | indent 8 }}
{{- end }}
@ -61,6 +63,10 @@ spec:
component: jobservice
{{- end }}
{{- end }}
{{- with .Values.jobservice.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: jobservice
image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
@ -116,6 +122,9 @@ spec:
{{- with .Values.jobservice.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
envFrom:
- configMapRef:
name: "{{ template "harbor.jobservice" . }}-env"

View File

@ -14,6 +14,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: jobservice
app.kubernetes.io/component: jobservice
spec:
accessModes:
- {{ $jobLog.accessMode }}

View File

@ -6,6 +6,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: nginx
app.kubernetes.io/component: nginx
spec:
replicas: {{ .Values.nginx.replicas }}
revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }}
@ -18,6 +19,7 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: nginx
app.kubernetes.io/component: nginx
{{- if .Values.nginx.podLabels }}
{{ toYaml .Values.nginx.podLabels | indent 8 }}
{{- end }}
@ -87,10 +89,14 @@ spec:
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
ports:
- containerPort: 8080
{{- if .Values.expose.tls.enabled }}
- containerPort: 8443
- containerPort: 4443
{{- end }}
volumeMounts:
- name: config
mountPath: /etc/nginx/nginx.conf

View File

@ -7,6 +7,9 @@ metadata:
name: {{ $clusterIP.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if .Values.expose.clusterIP.labels }}
{{ toYaml $clusterIP.labels | indent 4 }}
{{- end }}
{{- with $clusterIP.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
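Review bot: the condition tests `.Values.expose.clusterIP.labels` while the body renders `$clusterIP.labels`; use one reference, e.g. `{{- with $clusterIP.labels }}` / `{{ toYaml . | indent 4 }}` like the annotations block directly below, so the two cannot drift apart. The same mixed references appear in the nodePort and loadBalancer hunks of this file.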
@ -30,6 +33,13 @@ spec:
name: {{ $nodePort.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if .Values.expose.nodePort.labels }}
{{ toYaml $nodePort.labels | indent 4 }}
{{- end }}
{{- with $nodePort.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: NodePort
ports:
@ -52,6 +62,9 @@ spec:
name: {{ $loadBalancer.name }}
labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if .Values.expose.loadBalancer.labels }}
{{ toYaml $loadBalancer.labels | indent 4 }}
{{- end }}
{{- with $loadBalancer.annotations }}
annotations:
{{- toYaml . | nindent 4 }}

View File

@ -5,6 +5,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: portal
app.kubernetes.io/component: portal
spec:
replicas: {{ .Values.portal.replicas }}
revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }}
@ -15,8 +16,9 @@ spec:
template:
metadata:
labels:
{{ include "harbor.matchLabels" . | indent 8 }}
{{ include "harbor.labels" . | indent 8 }}
component: portal
app.kubernetes.io/component: portal
{{- if .Values.portal.podLabels }}
{{ toYaml .Values.portal.podLabels | indent 8 }}
{{- end }}
@ -52,6 +54,10 @@ spec:
component: portal
{{- end }}
{{- end }}
{{- with .Values.portal.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: portal
image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
@ -64,6 +70,9 @@ spec:
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
livenessProbe:
httpGet:
path: /

View File

@ -7,6 +7,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: redis
app.kubernetes.io/component: redis
spec:
replicas: 1
serviceName: {{ template "harbor.redis" . }}
@ -19,6 +20,7 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: redis
app.kubernetes.io/component: redis
{{- if .Values.redis.podLabels }}
{{ toYaml .Values.redis.podLabels | indent 8 }}
{{- end }}
@ -39,10 +41,17 @@ spec:
{{- end }}
automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }}
terminationGracePeriodSeconds: 120
{{- with .Values.redis.internal.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: redis
image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
livenessProbe:
tcpSocket:
port: 6379
@ -95,7 +104,7 @@ spec:
- metadata:
name: data
labels:
{{ include "harbor.labels" . | indent 8 }}
{{ include "harbor.legacy.labels" . | indent 8 }}
annotations:
{{- range $key, $value := $redis.annotations }}
{{ $key }}: {{ $value | quote }}

View File

@ -7,6 +7,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: registry
app.kubernetes.io/component: registry
spec:
replicas: {{ .Values.registry.replicas }}
revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }}
@ -24,6 +25,7 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: registry
app.kubernetes.io/component: registry
{{- if .Values.registry.podLabels }}
{{ toYaml .Values.registry.podLabels | indent 8 }}
{{- end }}
@ -64,6 +66,10 @@ spec:
component: registry
{{- end }}
{{- end }}
{{- with .Values.registry.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: registry
image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
@ -86,6 +92,9 @@ spec:
resources:
{{ toYaml .Values.registry.registry.resources | indent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
args: ["serve", "/etc/registry/config.yml"]
envFrom:
- secretRef:
@ -166,7 +175,7 @@ spec:
{{- end }}
ports:
- containerPort: {{ template "harbor.registry.containerPort" . }}
- containerPort: 5001
- containerPort: {{ ternary .Values.metrics.registry.port 5001 .Values.metrics.enabled }}
volumeMounts:
- name: registry-data
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
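Review bot: `containerPort` is informational only, so making it `ternary .Values.metrics.registry.port 5001 .Values.metrics.enabled` only helps if the registry configuration that binds the debug/metrics listener derives from the same expression; verify that, otherwise the declared port and the actual listener diverge when `metrics.enabled` is toggled.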
@ -222,6 +231,9 @@ spec:
resources:
{{ toYaml .Values.registry.controller.resources | indent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
envFrom:
- configMapRef:
name: "{{ template "harbor.registryCtl" . }}"

View File

@ -15,6 +15,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: registry
app.kubernetes.io/component: registry
spec:
accessModes:
- {{ $registry.accessMode }}

View File

@ -7,6 +7,7 @@ metadata:
labels:
{{ include "harbor.labels" . | indent 4 }}
component: trivy
app.kubernetes.io/component: trivy
spec:
replicas: {{ .Values.trivy.replicas }}
serviceName: {{ template "harbor.trivy" . }}
@ -19,6 +20,7 @@ spec:
labels:
{{ include "harbor.labels" . | indent 8 }}
component: trivy
app.kubernetes.io/component: trivy
{{- if .Values.trivy.podLabels }}
{{ toYaml .Values.trivy.podLabels | indent 8 }}
{{- end }}
@ -54,13 +56,17 @@ spec:
component: trivy
{{- end }}
{{- end }}
{{- with .Values.trivy.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: trivy
image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
securityContext:
privileged: false
allowPrivilegeEscalation: false
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }}
{{- end }}
env:
{{- if has "trivy" .Values.proxy.components }}
- name: HTTP_PROXY
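Review bot: this is a hardening regression when `containerSecurityContext` is emptied: the previous unconditional `privileged: false` and `allowPrivilegeEscalation: false` are replaced by a block that renders only when `containerSecurityContext` is non-empty, so `containerSecurityContext: {}` now yields a Trivy container with no `securityContext` at all. Keep the two hard-coded fields as a floor (or merge them with the user-supplied map) so the scanner cannot lose the baseline by an empty override.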
@ -203,7 +209,7 @@ spec:
- metadata:
name: data
labels:
{{ include "harbor.labels" . | indent 8 }}
{{ include "harbor.legacy.labels" . | indent 8 }}
annotations:
{{- range $key, $value := $trivy.annotations }}
{{ $key }}: {{ $value | quote }}

View File

@ -46,23 +46,22 @@ expose:
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
harbor:
# harbor ingress-specific annotations
annotations: {}
# harbor ingress-specific labels
labels: {}
# ingress-specific labels
labels: {}
clusterIP:
# The name of ClusterIP service
name: harbor
# The ip address of the ClusterIP service (leave empty for acquiring dynamic ip)
staticClusterIP: ""
# Annotations on the ClusterIP service
annotations: {}
ports:
# The service port Harbor listens on when serving HTTP
httpPort: 80
# The service port Harbor listens on when serving HTTPS
httpsPort: 443
# Annotations on the ClusterIP service
annotations: {}
# ClusterIP-specific labels
labels: {}
nodePort:
# The name of NodePort service
name: harbor
@ -77,6 +76,10 @@ expose:
port: 443
# The node port Harbor listens on when serving HTTPS
nodePort: 30003
# Annotations on the nodePort service
annotations: {}
# nodePort-specific labels
labels: {}
loadBalancer:
# The name of LoadBalancer service
name: harbor
@ -87,7 +90,10 @@ expose:
httpPort: 80
# The service port Harbor listens on when serving HTTPS
httpsPort: 443
# Annotations on the loadBalancer service
annotations: {}
# loadBalancer-specific labels
labels: {}
sourceRanges: []
# The external URL for Harbor core service. It is used to
@ -105,69 +111,6 @@ expose:
# If Harbor is deployed behind the proxy, set it as the URL of proxy
externalURL: https://core.harbor.domain
# The internal TLS used for harbor components secure communicating. In order to enable https
# in each component tls cert files need to provided in advance.
internalTLS:
# If internal TLS enabled
enabled: false
# enable strong ssl ciphers (default: false)
strong_ssl_ciphers: false
# There are three ways to provide tls
# 1) "auto" will generate cert automatically
# 2) "manual" need provide cert file manually in following value
# 3) "secret" internal certificates from secret
certSource: "auto"
# The content of trust ca, only available when `certSource` is "manual"
trustCa: ""
# core related cert configuration
core:
# secret name for core's tls certs
secretName: ""
# Content of core's TLS cert file, only available when `certSource` is "manual"
crt: ""
# Content of core's TLS key file, only available when `certSource` is "manual"
key: ""
# jobservice related cert configuration
jobservice:
# secret name for jobservice's tls certs
secretName: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
key: ""
# registry related cert configuration
registry:
# secret name for registry's tls certs
secretName: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
key: ""
# portal related cert configuration
portal:
# secret name for portal's tls certs
secretName: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
key: ""
# trivy related cert configuration
trivy:
# secret name for trivy's tls certs
secretName: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
key: ""
ipFamily:
# ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component
ipv6:
enabled: true
# ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component
ipv4:
enabled: true
# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamically.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
@ -230,7 +173,7 @@ persistence:
annotations: {}
# Define which storage backend is used for registry to store
# images and charts. Refer to
# https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage
# https://github.com/distribution/distribution/blob/main/docs/content/about/configuration.md#storage
# for the detail.
imageChartStorage:
# Specify whether to disable `redirect` for images and chart storage, for
@ -324,6 +267,76 @@ persistence:
#chunksize: 10M
#rootdirectory: rootdirectory
# The initial password of Harbor admin. Change it from portal after launching Harbor
# or give an existing secret for it
# key in secret is given via (default to HARBOR_ADMIN_PASSWORD)
# existingSecretAdminPassword:
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
harborAdminPassword: "Harbor12345"
# The internal TLS used for harbor components secure communicating. In order to enable https
# in each component tls cert files need to provided in advance.
internalTLS:
# If internal TLS enabled
enabled: false
# enable strong ssl ciphers (default: false)
strong_ssl_ciphers: false
# There are three ways to provide tls
# 1) "auto" will generate cert automatically
# 2) "manual" need provide cert file manually in following value
# 3) "secret" internal certificates from secret
certSource: "auto"
# The content of trust ca, only available when `certSource` is "manual"
trustCa: ""
# core related cert configuration
core:
# secret name for core's tls certs
secretName: ""
# Content of core's TLS cert file, only available when `certSource` is "manual"
crt: ""
# Content of core's TLS key file, only available when `certSource` is "manual"
key: ""
# jobservice related cert configuration
jobservice:
# secret name for jobservice's tls certs
secretName: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
key: ""
# registry related cert configuration
registry:
# secret name for registry's tls certs
secretName: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
key: ""
# portal related cert configuration
portal:
# secret name for portal's tls certs
secretName: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
key: ""
# trivy related cert configuration
trivy:
# secret name for trivy's tls certs
secretName: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
key: ""
ipFamily:
# ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component
ipv6:
enabled: true
# ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component
ipv4:
enabled: true
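Review bot: since the `internalTLS` block is being relocated anyway, fix the copy-paste comments in it: the `crt` entries for jobservice, registry, portal and trivy all say "Content of ...'s TLS key file" where they should say "cert file" as the core entry does, and "tls cert files need to provided" should read "need to be provided".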
imagePullPolicy: IfNotPresent
# Use this set to assign a list of default pullSecrets
@ -339,13 +352,6 @@ updateStrategy:
# debug, info, warning, error or fatal
logLevel: info
# The initial password of Harbor admin. Change it from portal after launching Harbor
# or give an existing secret for it
# key in secret is given via (default to HARBOR_ADMIN_PASSWORD)
# existingSecretAdminPassword:
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
harborAdminPassword: "Harbor12345"
# The name of the secret which contains key named "ca.crt". Setting this enables the
# download link on portal to download the CA certificate when the certificate isn't
# generated automatically
@ -381,11 +387,103 @@ enableMigrateHelmHook: false
# contains a base64 encoded CA Certificate named `ca.crt`.
# uaaSecretName:
metrics:
enabled: false
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
jobservice:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
## Create prometheus serviceMonitor to scrape harbor metrics.
## This requires the monitoring.coreos.com/v1 CRD. Please see
## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md
##
serviceMonitor:
enabled: false
additionalLabels: {}
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval: ""
# Metric relabel configs to apply to samples before ingestion.
metricRelabelings:
[]
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# Relabel configs to apply to samples before ingestion.
relabelings:
[]
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
trace:
enabled: false
# trace provider: jaeger or otel
# jaeger should be 1.26+
provider: jaeger
# set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
sample_rate: 1
# namespace used to differentiate different harbor services
# namespace:
# attributes is a key value dict contains user defined attributes used to initialize trace provider
# attributes:
# application: harbor
jaeger:
# jaeger supports two modes:
# collector mode(uncomment endpoint and uncomment username, password if needed)
# agent mode(uncomment agent_host and agent_port)
endpoint: http://hostname:14268/api/traces
# username:
# password:
# agent_host: hostname
# export trace data by jaeger.thrift in compact mode
# agent_port: 6831
otel:
endpoint: hostname:4318
url_path: /v1/traces
compression: false
insecure: true
# timeout is in seconds
timeout: 10
# cache layer configurations
# if this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which help to improve the performance of high concurrent pulling manifest.
cache:
# default is not enabled.
enabled: false
# default keep cache for one day.
expireHours: 24
## set Container Security Context to comply with PSP restricted policy if necessary
## each of the conatiner will apply the same security context
## containerSecurityContext:{} is initially an empty yaml that you could edit it on demand, we just filled with a common template for convenience
containerSecurityContext:
privileged: false
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
capabilities:
drop:
- ALL
# If service exposed via "ingress", the Nginx will not be used
nginx:
image:
repository: goharbor/nginx-photon
tag: v2.10.2
tag: v2.11.0
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
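Review bot: the new `containerSecurityContext` default sets `runAsNonRoot: true` without `runAsUser`, so the kubelet validates the image's `USER` at start and refuses to run any image whose user is root or non-numeric; since this map is applied to every container in the chart, including the database init containers, confirm each image in this change declares a numeric non-root `USER`, or add an explicit `runAsUser`. Also fix "conatiner" in the comment and reword "containerSecurityContext:{} is initially an empty yaml that you could edit it on demand".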
@ -416,7 +514,7 @@ nginx:
portal:
image:
repository: goharbor/harbor-portal
tag: v2.10.2
tag: v2.11.0
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
@ -445,11 +543,18 @@ portal:
serviceAnnotations: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
core:
image:
repository: goharbor/harbor-core
tag: v2.10.2
tag: v2.11.0
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
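Review bot: the comment "containers to be run before the controller's container starts." is copied from the registry controller and is misleading here (there is no controller in the portal pod); say "before the portal container starts", and apply the same wording fix to the core, jobservice, trivy, database and redis copies of this block below.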
@ -480,6 +585,15 @@ core:
podLabels: {}
## Additional service annotations
serviceAnnotations: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
## User settings configuration json string
configureUserSettings:
# The provider for updating project quota(usage), there are 2 options, redis or db.
@ -516,8 +630,6 @@ core:
existingXsrfSecret: ""
# If using existingSecret, the key
existingXsrfSecretKey: CSRF_KEY
## The priority class to run the pod as
priorityClassName:
# The time duration for async update artifact pull_time and repository
# pull_count, the unit is second. Will be 10 seconds if it isn't set.
# eg. artifactPullAsyncFlushDuration: 10
@ -529,30 +641,13 @@ core:
jobservice:
image:
repository: goharbor/harbor-jobservice
tag: v2.10.2
replicas: 1
revisionHistoryLimit: 10
tag: v2.11.0
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout"
jobLoggers:
- file
# - database
# - stdout
# The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
loggerSweeperDuration: 14 #days
notification:
webhook_job_max_retry: 3
webhook_job_http_client_timeout: 3 # in seconds
reaper:
# the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
max_update_hours: 24
# the max time for execution in running state without new task created
max_dangling_hours: 168
replicas: 1
revisionHistoryLimit: 10
# resources:
# requests:
# memory: 256Mi
@ -571,6 +666,31 @@ jobservice:
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout"
jobLoggers:
- file
# - database
# - stdout
# The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
loggerSweeperDuration: 14 #days
notification:
webhook_job_max_retry: 3
webhook_job_http_client_timeout: 3 # in seconds
reaper:
# the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24
max_update_hours: 24
# the max time for execution in running state without new task created
max_dangling_hours: 168
# Secret is used when job service communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
@ -579,18 +699,12 @@ jobservice:
existingSecret: ""
# Key within the existing secret for the job service secret
existingSecretKey: JOBSERVICE_SECRET
## The priority class to run the pod as
priorityClassName:
registry:
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
registry:
image:
repository: goharbor/registry-photon
tag: v2.10.2
tag: v2.11.0
# resources:
# requests:
# memory: 256Mi
@ -599,13 +713,16 @@ registry:
controller:
image:
repository: goharbor/harbor-registryctl
tag: v2.10.2
tag: v2.11.0
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
extraEnvVars: []
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
nodeSelector: {}
@ -623,6 +740,13 @@ registry:
podLabels: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# Secret is used to secure the upload state from client
# and registry storage backend.
# See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http
@ -670,13 +794,43 @@ trivy:
# repository the repository for Trivy adapter image
repository: goharbor/trivy-adapter-photon
# tag the tag for Trivy adapter image
tag: v2.10.2
tag: v2.11.0
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
# replicas the number of Pod replicas
replicas: 1
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# debugMode the flag to enable Trivy debug mode with more verbose scanning log
debugMode: false
# vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
@ -712,7 +866,7 @@ trivy:
# skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
# `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
#
skipJavaDBUpdate: false
skipJavaDBUpdate: false
# The offlineScan option prevents Trivy from sending API requests to identify dependencies.
#
# Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
@ -725,48 +879,19 @@ trivy:
securityCheck: "vuln"
# The duration to wait for scan completion
timeout: 5m0s
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
extraEnvVars: []
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
## Additional deployment annotations
podAnnotations: {}
## Additional deployment labels
podLabels: {}
## The priority class to run the pod as
priorityClassName:
database:
# if external database is used, set "type" to "external"
# and fill the connection information in "external" section
type: internal
internal:
image:
repository: goharbor/harbor-db
tag: v2.11.0
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
image:
repository: goharbor/harbor-db
tag: v2.10.2
# The initial superuser password for internal database
password: "changeit"
# The size limit for Shared memory, pgSQL use it for shared_buffer
# More details see:
# https://github.com/goharbor/harbor/issues/15034
shmSizeLimit: 512Mi
# resources:
# requests:
# memory: 256Mi
@ -783,6 +908,19 @@ database:
affinity: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
extrInitContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# The initial superuser password for internal database
password: "changeit"
# The size limit for Shared memory, pgSQL use it for shared_buffer
# More details see:
# https://github.com/goharbor/harbor/issues/15034
shmSizeLimit: 512Mi
initContainer:
migrator: {}
# resources:
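Review bot: the new key is spelled `extrInitContainers: []` here, whereas the equivalent key added to `redis.internal` in this same change is `initContainers: []`; unless the template deliberately reads `.Values.database.internal.extrInitContainers`, this is a typo, and the two sections should use one name before the key becomes part of the documented values interface (renaming it later is a breaking change for users). The commented example `image: busybox` also carries no tag; examples in shipped values tend to be copied verbatim, so pinning it (`busybox:<version>`, placeholder) is worth doing.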
@ -815,7 +953,7 @@ database:
maxIdleConns: 100
# The maximum number of open connections to the database per pod (core+exporter).
# If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgre of harbor.
# Note: the default number of connections is 1024 for harbor's postgres.
maxOpenConns: 900
## Additional deployment annotations
podAnnotations: {}
@ -827,13 +965,13 @@ redis:
# and fill the connection information in "external" section
type: internal
internal:
image:
repository: goharbor/redis-photon
tag: v2.11.0
# set the service account to be used, default if left empty
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
image:
repository: goharbor/redis-photon
tag: v2.10.2
# resources:
# requests:
# memory: 256Mi
@ -844,6 +982,13 @@ redis:
affinity: {}
## The priority class to run the pod as
priorityClassName:
# containers to be run before the controller's container starts.
initContainers: []
# Example:
#
# - name: wait
# image: busybox
# command: [ 'sh', '-c', "sleep 20" ]
# # jobserviceDatabaseIndex defaults to "1"
# # registryDatabaseIndex defaults to "2"
# # trivyAdapterIndex defaults to "5"
@ -882,6 +1027,12 @@ redis:
podLabels: {}
exporter:
image:
repository: goharbor/harbor-exporter
tag: v2.11.0
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
# resources:
@ -892,101 +1043,16 @@ exporter:
podAnnotations: {}
## Additional deployment labels
podLabels: {}
serviceAccountName: ""
# mount the service account token
automountServiceAccountToken: false
image:
repository: goharbor/harbor-exporter
tag: v2.10.2
nodeSelector: {}
tolerations: []
affinity: {}
# Spread Pods across failure-domains like regions, availability zones or nodes
topologySpreadConstraints: []
## The priority class to run the pod as
priorityClassName:
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# nodeTaintsPolicy: Honor
# whenUnsatisfiable: DoNotSchedule
cacheDuration: 23
cacheCleanInterval: 14400
## The priority class to run the pod as
priorityClassName:
metrics:
enabled: false
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
jobservice:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
## Create prometheus serviceMonitor to scrape harbor metrics.
## This requires the monitoring.coreos.com/v1 CRD. Please see
## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md
##
serviceMonitor:
enabled: false
additionalLabels: {}
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval: ""
# Metric relabel configs to apply to samples before ingestion.
metricRelabelings:
[]
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# Relabel configs to apply to samples before ingestion.
relabelings:
[]
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
trace:
enabled: false
# trace provider: jaeger or otel
# jaeger should be 1.26+
provider: jaeger
# set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
sample_rate: 1
# namespace used to differentiate different harbor services
# namespace:
# attributes is a key value dict contains user defined attributes used to initialize trace provider
# attributes:
# application: harbor
jaeger:
# jaeger supports two modes:
# collector mode(uncomment endpoint and uncomment username, password if needed)
# agent mode(uncomment agent_host and agent_port)
endpoint: http://hostname:14268/api/traces
# username:
# password:
# agent_host: hostname
# export trace data by jaeger.thrift in compact mode
# agent_port: 6831
otel:
endpoint: hostname:4318
url_path: /v1/traces
compression: false
insecure: true
# timeout is in seconds
timeout: 10
# cache layer configurations
# if this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which help to improve the performance of high concurrent pulling manifest.
cache:
# default is not enabled.
enabled: false
# default keep cache for one day.
expireHours: 24
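Review bot: the header `-892,101 +1043,16` means this hunk deletes 101 lines and adds 16, so the `metrics`, `trace` and `cache` blocks displayed here are being removed from this position; please confirm they are re-added elsewhere in values.yaml (not visible in this diff), otherwise template references such as `.Values.trace.otel.insecure` silently render from nil. Inside the exporter block, `priorityClassName:` appears twice (once beside `topologySpreadConstraints`, once after `cacheCleanInterval`); only one copy should survive, since a duplicated mapping key is rejected by strict YAML parsers. If the trace block is kept, the defaults `insecure: true` for otel and the plaintext `http://hostname:14268/api/traces` jaeger endpoint deserve a comment marking them as placeholders to be replaced by TLS endpoints.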

View File

@ -9,7 +9,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.21-0'
catalog.cattle.io/release-name: instana-agent
apiVersion: v2
appVersion: 1.270.0
appVersion: 1.275.0
description: Instana Agent for Kubernetes
home: https://www.instana.com/
icon: https://agents.instana.io/helm/stan-logo-2020.png
@ -23,4 +23,4 @@ maintainers:
name: instana-agent
sources:
- https://github.com/instana/instana-agent-docker
version: 1.2.72
version: 1.2.73

View File

@ -117,6 +117,7 @@ The following table lists the configurable parameters of the Instana chart and t
| `agent.pod.requests.memory` | Container memory requests in MiB | `768Mi` |
| `agent.pod.tolerations` | Tolerations for pod assignment | `[]` |
| `agent.pod.affinity` | Affinity for pod assignment | `{}` |
| `agent.serviceMesh.enabled` | Activate Instana Agent JVM monitoring service mesh support for Istio or OpenShift ServiceMesh | `true` |
| `agent.env` | Additional environment variables for the agent | `{}` |
| `agent.redactKubernetesSecrets` | Enable additional secrets redaction for selected Kubernetes resources | `nil` See [Kubernetes secrets](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#secrets) for more details. |
| `cluster.name` | Display name of the monitored cluster | Value of `zone.name` |
@ -366,6 +367,20 @@ zones:
## Changelog
### 1.2.73
* Fix label for `io.instana/zone` to reflect the real agent mode
* Change the charts flag from ENABLE_AGENT_SOCKET to serviceMesh.enabled
* Add type: DirectoryOrCreate to DaemonSet definitions to ensure required directories exist
### 1.2.72
* Add minReadySeconds field to agent daemonset yaml
### 1.2.71
* Fix usage of digest for pulling images
### 1.2.70
* Allow the configuration of `minReadySeconds` for the agent daemonset and deployment

View File

@ -251,6 +251,10 @@ Composes a container image from a dict containing a "name" field (required), "ta
- name: INSTANA_AGENT_HTTP_LISTEN
value: {{ .Values.agent.listenAddress | quote }}
{{- end }}
{{- if .Values.agent.serviceMesh.enabled }}
- name: ENABLE_AGENT_SOCKET
value: {{ .Values.agent.serviceMesh.enabled | quote }}
{{- end }}
{{- if .Values.agent.redactKubernetesSecrets }}
- name: INSTANA_KUBERNETES_REDACT_SECRETS
value: {{ .Values.agent.redactKubernetesSecrets | quote }}
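Review bot: because the `if .Values.agent.serviceMesh.enabled` guard wraps the whole entry, `ENABLE_AGENT_SOCKET` is only ever rendered with the value `"true"` and is omitted entirely when the option is `false`; if the agent image enables the socket by default, turning it off through values has no effect. Rendering the variable unconditionally (`value: {{ .Values.agent.serviceMesh.enabled | quote }}` without the guard) makes the off state explicit. The changelog describes this as a rename of the previous `ENABLE_AGENT_SOCKET` chart flag, but no compatibility handling for the old key is visible in this hunk, so users still setting it will silently lose the setting.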

View File

@ -35,7 +35,7 @@ spec:
{{- toYaml $.Values.agent.pod.labels | nindent 8 }}
{{- end }}
{{- include "instana-agent.commonLabels" $ | nindent 8 }}
instana/agent-mode: {{ $.Values.agent.mode | default "APM" | quote }}
instana/agent-mode: {{ $mode | default "APM" | quote }}
annotations:
{{- if $.Values.agent.pod.annotations }}
{{- toYaml $.Values.agent.pod.annotations | nindent 8 }}
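Review bot: `$mode` replaces `$.Values.agent.mode` in the `instana/agent-mode` label, but the hunk does not show where `$mode` is assigned; Helm aborts rendering on an undefined variable, so confirm the `{{- $mode := ... }}` definition precedes this line and is in the same template scope (a variable declared inside a `range` or `with` block is not visible after it closes).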

View File

@ -173,12 +173,15 @@ spec:
- name: var-run-kubo
hostPath:
path: /var/vcap/sys/run/docker
type: DirectoryOrCreate
- name: var-run-containerd
hostPath:
path: /var/vcap/sys/run/containerd
type: DirectoryOrCreate
- name: var-containerd-config
hostPath:
path: /var/vcap/jobs/containerd/config
type: DirectoryOrCreate
{{- end }}
- name: sys
hostPath:
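Review bot: `type: DirectoryOrCreate` makes the kubelet create `/var/vcap/sys/run/docker`, `/var/vcap/sys/run/containerd` and `/var/vcap/jobs/containerd/config` on any node where they are missing, as root-owned directories with mode 0755; when the enclosing conditional is on, every node running the DaemonSet gets empty runtime-socket directories created rather than a clear failure. For paths that are only expected on Kubo/BOSH hosts, `type: Directory` (fail if absent) is the safer choice; `DirectoryOrCreate` is appropriate only where the agent genuinely needs a writable directory that may not pre-exist.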
@ -192,6 +195,7 @@ spec:
- name: var-data
hostPath:
path: /var/data
type: DirectoryOrCreate
- name: machine-id
hostPath:
path: /etc/machine-id
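Review bot: `/var/data` gains `type: DirectoryOrCreate`, but the `machine-id` volume directly below still has no `type`; since `/etc/machine-id` is a file, `type: File` would make the kubelet fail fast when it is missing instead of mounting whatever happens to exist at that path. Worth adding while the volume definitions are being tightened.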

View File

@ -85,16 +85,7 @@ rules:
- watch
-
apiGroups:
- autoscaling/v1
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
-
apiGroups:
- autoscaling/v2
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
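Review bot: the consolidation is correct: `apiGroups` in an RBAC rule takes the API group name only (`autoscaling`), not an `apiVersion` string such as `autoscaling/v1` or `autoscaling/v2`, so the two removed rules never matched any request and this merged rule is what actually grants `get`, `list` and `watch` on `horizontalpodautoscalers` across every version of the group. Since the agent's effective permissions change with this release, it deserves a line in the 1.2.73 changelog.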

View File

@ -7,7 +7,7 @@ agent:
# agent.key is the secret token which your agent uses to authenticate to Instana's servers.
key: null
# agent.downloadKey is key, sometimes known ass "sales key", that allows you to download,
# agent.downloadKey is key, sometimes known as "sales key", that allows you to download,
# software from Instana.
# downloadKey: null
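Review bot: the corrected comment still reads awkwardly; `is key, sometimes known as "sales key", that allows you to download,` is missing an article and has a stray comma before `software`. Suggest `# agent.downloadKey is the key, sometimes known as "sales key", that allows you to download` followed by `# software from Instana.`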
@ -174,6 +174,10 @@ agent:
host:
repository: null
# agent.serviceMesh.enabled sets the ENABLE_AGENT_SOCKET environment variable.
serviceMesh:
enabled: true
cluster:
# cluster.name represents the name that will be assigned to this cluster in Instana
name: null
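Review bot: `serviceMesh.enabled: true` turns the agent socket on for every installation by default, yet the comment only names the environment variable it sets; add what the socket is for (the README row describes it as JVM monitoring support for Istio or OpenShift ServiceMesh) and what it exposes, so operators without a mesh can decide to set it to `false`.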
@ -254,10 +258,10 @@ k8s_sensor:
# k8s_sensor.deployment.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
memory: 128Mi
# k8s_sensor.deployment.pod.requests.cpu are the requested CPU units allocation for the agent pods.
cpu: 10m
cpu: 120m
limits:
# k8s_sensor.deployment.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
memory: 1536Mi
memory: 2048Mi
# k8s_sensor.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
cpu: 500m
affinity:
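Review bot: the k8s_sensor CPU request rises from `10m` to `120m` (twelvefold) and the memory limit from `1536Mi` to `2048Mi`, but the 1.2.73 changelog in this same change does not mention it; on clusters with tight ResourceQuotas a request increase of this size can leave the upgraded pods unschedulable, so it should be called out in the changelog.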

View File

@ -12,6 +12,18 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0.
The changelog until v1.5.7 was auto-generated based on git commits.
Those entries include a reference to the git commit to be able to get more details.
## 5.3.3
Update `jenkins/inbound-agent` to version `3256.v88a_f6e922152-1`
## 5.3.2
Update `kubernetes` to version `4248.vfa_9517757b_b_a_`
## 5.3.1
Fix Tiltfile deprecated value reference
## 5.3.0
Add `controller.topologySpreadConstraints`

View File

@ -1,14 +1,14 @@
annotations:
artifacthub.io/category: integration-delivery
artifacthub.io/changes: |
- Add `controller.topologySpreadConstraints`
- Update `jenkins/inbound-agent` to version `3256.v88a_f6e922152-1`
artifacthub.io/images: |
- name: jenkins
image: docker.io/jenkins/jenkins:2.452.2-jdk17
- name: k8s-sidecar
image: docker.io/kiwigrid/k8s-sidecar:1.27.4
- name: inbound-agent
image: jenkins/inbound-agent:3248.v65ecb_254c298-1
image: jenkins/inbound-agent:3256.v88a_f6e922152-1
artifacthub.io/license: Apache-2.0
artifacthub.io/links: |
- name: Chart Source
@ -50,4 +50,4 @@ sources:
- https://github.com/maorfr/kube-tasks
- https://github.com/jenkinsci/configuration-as-code-plugin
type: application
version: 5.3.0
version: 5.3.3
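Review bot: `artifacthub.io/changes` is replaced with only the `jenkins/inbound-agent` update, although `version` jumps from `5.3.0` to `5.3.3` and the changelog lists the `kubernetes` plugin update (5.3.2) and the Tiltfile fix (5.3.1) in between; since this annotation is what Artifact Hub displays for the release, list all three changes.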

View File

@ -28,7 +28,7 @@ The following tables list the configurable parameters of the Jenkins chart and t
| [agent.hostNetworking](./values.yaml#L937) | bool | Enables the agent to use the host network | `false` |
| [agent.idleMinutes](./values.yaml#L1072) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
| [agent.image.repository](./values.yaml#L916) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
| [agent.image.tag](./values.yaml#L918) | string | Tag of the image to pull | `"3248.v65ecb_254c298-1"` |
| [agent.image.tag](./values.yaml#L918) | string | Tag of the image to pull | `"3256.v88a_f6e922152-1"` |
| [agent.imagePullSecretName](./values.yaml#L925) | string | Name of the secret to be used to pull the image | `nil` |
| [agent.inheritYamlMergeStrategy](./values.yaml#L1092) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
| [agent.jenkinsTunnel](./values.yaml#L897) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
@ -157,7 +157,7 @@ The following tables list the configurable parameters of the Jenkins chart and t
| [controller.initializeOnce](./values.yaml#L414) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
| [controller.installLatestPlugins](./values.yaml#L403) | bool | Download the minimum required version or latest version of all dependencies | `true` |
| [controller.installLatestSpecifiedPlugins](./values.yaml#L406) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4246.v5a_12b_1fe120e","workflow-aggregator:596.v8c21c963d92d","git:5.2.2","configuration-as-code:1810.v9b_c30a_249a_4c"]` |
| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4248.vfa_9517757b_b_a_","workflow-aggregator:596.v8c21c963d92d","git:5.2.2","configuration-as-code:1810.v9b_c30a_249a_4c"]` |
| [controller.javaOpts](./values.yaml#L156) | string | Append to `JAVA_OPTS` env var | `nil` |
| [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
| [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |

View File

@ -393,7 +393,7 @@ controller:
# Plugins will be installed during Jenkins controller start
# -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
installPlugins:
- kubernetes:4246.v5a_12b_1fe120e
- kubernetes:4248.vfa_9517757b_b_a_
- workflow-aggregator:596.v8c21c963d92d
- git:5.2.2
- configuration-as-code:1810.v9b_c30a_249a_4c
@ -915,7 +915,7 @@ agent:
# -- Repository to pull the agent jnlp image from
repository: "jenkins/inbound-agent"
# -- Tag of the image to pull
tag: "3248.v65ecb_254c298-1"
tag: "3256.v88a_f6e922152-1"
# -- Configure working directory for default agent
workingDir: "/home/jenkins/agent"
nodeUsageMode: "NORMAL"

View File

@ -1,7 +1,7 @@
# JFrog Artifactory-ha Chart Changelog
All changes to this chart will be documented in this file
## [107.84.15] - May 29, 2024
## [107.84.16] - June 27, 2024
* Added image section for `initContainers` instead of `initContainerImage`
* Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy`
* Removed loggers.image section
@ -23,6 +23,7 @@ All changes to this chart will be documented in this file
* Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962)
* Added .Values.artifactory.unifiedSecretsPrependReleaseName` for unified secret to prepend release name
* Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml
* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892)
## [107.83.0] - Mar 12, 2024
* Added image section for `metadata` and `observability`
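Review bot: the heading `## [107.84.15] - May 29, 2024` is rewritten in place to `## [107.84.16] - June 27, 2024`, so the 107.84.15 entry disappears and its bullets now appear under 107.84.16; if 107.84.15 shipped, it should keep its own section and 107.84.16 should get a new one above it. Two context bullets below also have markup slips: `.Values.artifactory.unifiedSecretsPrependReleaseName`` lacks its opening backtick and `Fixed #adding colon` carries a stray `#`.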

View File

@ -1,11 +1,11 @@
annotations:
artifactoryServiceVersion: 7.84.18
artifactoryServiceVersion: 7.84.19
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: JFrog Artifactory HA
catalog.cattle.io/kube-version: '>= 1.19.0-0'
catalog.cattle.io/release-name: artifactory-ha
apiVersion: v2
appVersion: 7.84.15
appVersion: 7.84.16
dependencies:
- condition: postgresql.enabled
name: postgresql
@ -27,4 +27,4 @@ name: artifactory-ha
sources:
- https://github.com/jfrog/charts
type: application
version: 107.84.15
version: 107.84.16

View File

@ -321,8 +321,7 @@ Return the proper artifactory chart image names
Return the proper artifactory app version
*/}}
{{- define "artifactory-ha.app.version" -}}
{{- $image := split ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory")) | toString) -}}
{{- $tag := $image._1 -}}
{{- $tag := (splitList ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory" )))) | last | toString -}}
{{- printf "%s" $tag -}}
{{- end -}}
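Review bot: switching from `split ":" ... ._1` to `splitList ":" ... | last` fixes a registry with a port (`host:5000/repo:tag` previously yielded `5000/repo`), which matches the changelog's colon-in-registry fix, but `last` still misbehaves on two inputs: a digest-pinned image (`repo@sha256:<hex>` returns the hex digest as the "version") and an untagged reference (returns the repository string itself). Because this helper only feeds the reported app version, that is cosmetic, but a comment stating the `repo:tag` assumption would help the next reader.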

Some files were not shown because too many files have changed in this diff.