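#! The namespace to install Harbor
namespace: harbor

#! The FQDN for accessing Harbor admin UI and Registry service.
hostname:
#! The network port of the Envoy service in Contour or other Ingress Controller.
port:
  https: 443

#! The log level of core, exporter, jobservice, registry. Its value is debug, info, warning, error or fatal.
#! NOTE(review): confirm what "debug" writes to the logs before enabling it in
#! an environment where the logs are widely readable.
logLevel: info

#! [Optional] The certificate for the ingress if you want to use your own TLS certificate.
#! We will issue the certificate by cert-manager when it's empty.
tlsCertificate:
  #! [Required] the certificate
  tls.crt:
  #! [Required] the private key
  #! This is secret material: supply it at deploy time and keep the filled-in
  #! file out of version control.
  tls.key:
  #! [Optional] the certificate of CA, this enables the download
  #! link on portal to download the certificate of CA
  ca.crt:

#! Use contour http proxy instead of the ingress when it's true
enableContourHttpProxy: true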
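#! Every [Required] value in this stanza is a credential. Generate each one
#! with a cryptographically secure random generator, use a different value per
#! installation, and inject it at deploy time rather than committing the
#! filled-in file.

#! [Required] The initial password of Harbor admin.
#! This is only the initial value, so rotate it after the first login.
harborAdminPassword:

#! [Required] The secret key used for encryption. Must be a string of 16 chars.
secretKey:

database:
  #! [Required] The initial password of the postgres database.
  password:

core:
  replicas: 1
  #! [Required] Secret is used when core server communicates with other components.
  secret:
  #! [Required] The XSRF key. Must be a string of 32 chars.
  xsrfKey:

jobservice:
  replicas: 1
  #! [Required] Secret is used when job service communicates with other components.
  secret:

registry:
  replicas: 1
  #! [Required] Secret is used to secure the upload state from client
  #! and registry storage backend.
  #! See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
  secret: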
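notary:
  #! Whether to install Notary
  enabled: true

trivy:
  #! enabled the flag to enable Trivy scanner
  enabled: true
  replicas: 1
  #! gitHubToken the GitHub access token to download Trivy DB
  #! Treat the token as a secret and grant it no more scope than the download
  #! needs.
  gitHubToken: ""
  #! skipUpdate the flag to disable Trivy DB downloads from GitHub
  #!
  #! You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
  #! If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
  #! `/home/scanner/.cache/trivy/db/trivy.db` path.
  #! With `true` the scanner only knows the vulnerabilities in the mounted
  #! file, so scan results go stale unless that file is refreshed regularly.
  skipUpdate: false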
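#! The persistence is always enabled and a default StorageClass
#! is needed in the k8s cluster to provision volumes dynamically.
#! Specify another StorageClass in the "storageClass" or set "existingClaim"
#! if you have already existing persistent volumes to use
#!
#! For storing images and charts, you can also use "azure", "gcs", "s3",
#! "swift" or "oss". Set it in the "imageChartStorage" section
persistence:
  persistentVolumeClaim:
    registry:
      #! Use the existing PVC which must be created manually before bound,
      #! and specify the "subPath" if the PVC is shared with other components
      existingClaim: ""
      #! Specify the "storageClass" used to provision the volume. Or the default
      #! StorageClass will be used(the default).
      #! Set it to "-" to disable dynamic provisioning
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 50Gi
    jobservice:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 2Gi
    database:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    redis:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 2Gi
    trivy:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 15Gi
  #! Define which storage backend is used for registry and chartmuseum to store
  #! images and charts. Refer to
  #! https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  #! for the detail.
  #! NOTE(review): this section is placed under "persistence"; the page lost
  #! its indentation, so confirm the nesting against the package schema.
  imageChartStorage:
    #! Specify whether to disable `redirect` for images and chart storage. For
    #! backends which do not support it (such as using minio for `s3` storage type), please disable
    #! it. To disable redirects, simply set `disableredirect` to `true` instead.
    #! Refer to
    #! https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
    #! for the detail.
    disableredirect: false
    #! Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
    #! The secret must contain keys named "ca.crt" which will be injected into the trust store
    #! of registry's and chartmuseum's containers.
    #! Trusting the CA this way keeps certificate verification on, which is
    #! preferable to the "skipverify" / "insecureskipverify" switches below.
    #! caBundleSecretName:
    #! Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
    #! "oss" and fill the information needed in the corresponding section. The type
    #! must be "filesystem" if you want to use persistent volumes for registry
    #! and chartmuseum
    type: filesystem
    filesystem:
      rootdirectory: /storage
      #! maxthreads: 100
    #! The account keys, access keys and passwords in the backend sections
    #! below are sample placeholders. Replace the ones for the selected "type"
    #! with real credentials supplied at deploy time, scoped to the one
    #! container or bucket Harbor uses, and do not commit them.
    azure:
      accountname: accountname  #! required
      accountkey: base64encodedaccountkey  #! required
      container: containername  #! required
      realm: core.windows.net  #! optional
    gcs:
      bucket: bucketname  #! required
      #! The base64 encoded json file which contains the key
      encodedkey: base64-encoded-json-key-file  #! optional
      rootdirectory: null  #! optional
      chunksize: 5242880  #! optional
    #! For s3, keep "secure: true" and "skipverify: false" so that traffic to
    #! the object store uses TLS with certificate verification. The sample
    #! "regionendpoint" is a plain http:// URL; prefer an https:// endpoint.
    #! "encrypt" is false here; consider enabling it together with "keyid"
    #! when the stored images must be encrypted at rest.
    s3:
      region: us-west-1  #! required
      bucket: bucketname  #! required
      accesskey: null  #! eg, awsaccesskey
      secretkey: null  #! eg, awssecretkey
      regionendpoint: null  #! optional, eg, http://myobjects.local
      encrypt: false  #! optional
      keyid: null  #! eg, mykeyid
      secure: true  #! optional
      skipverify: false  #! optional
      v4auth: true  #! optional
      chunksize: null  #! optional
      rootdirectory: null  #! optional
      storageclass: STANDARD  #! optional
      multipartcopychunksize: null  #! optional
      multipartcopymaxconcurrency: null  #! optional
      multipartcopythresholdsize: null  #! optional
    #! For swift, leave "insecureskipverify" unset or false; setting it to
    #! true turns off verification of the storage service's certificate.
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      region: null  #! eg, fr
      tenant: null  #! eg, tenantname
      tenantid: null  #! eg, tenantid
      domain: null  #! eg, domainname
      domainid: null  #! eg, domainid
      trustid: null  #! eg, trustid
      insecureskipverify: null  #! bool eg, false
      chunksize: null  #! eg, 5M
      prefix: null  #! eg
      secretkey: null  #! eg, secretkey
      accesskey: null  #! eg, accesskey
      authversion: null  #! eg, 3
      endpointtype: null  #! eg, public
      tempurlcontainerkey: null  #! eg, false
      tempurlmethods: null  #! eg
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      endpoint: null  #! eg, endpoint
      internal: null  #! eg, false
      encrypt: null  #! eg, false
      secure: null  #! eg, true
      chunksize: null  #! eg, 10M
      rootdirectory: null  #! eg, rootdirectory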
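#! The http/https network proxy for core, exporter, jobservice, trivy
#! If a proxy URL embeds a username and password, treat the filled-in file as
#! a secret.
proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal

#! The PSP names used by Harbor pods. The names are separated by ','. 'null' means all PSP can be used.
#! Naming the specific policies Harbor needs is the least-privilege choice.
#! PodSecurityPolicy was removed in Kubernetes v1.25, so this setting only
#! matters on older clusters.
pspNames: null

#! The metrics used by core, registry and exporter
#! NOTE(review): confirm that the /metrics endpoints are reachable only from
#! the monitoring stack, for example through a NetworkPolicy.
metrics:
  enabled: true
  core:
    path: /metrics
    port: 8001
  registry:
    path: /metrics
    port: 8001
  exporter:
    path: /metrics
    port: 8001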