# Bitnami Redis sub-chart: a master plus replicas, with Sentinel enabled so Harbor
# can fail over through the sentinel endpoints listed under harbor.redis.external.
redis:
  fullnameOverride: redis
  auth:
    # NOTE(review): auth.sentinel: false leaves the sentinel ports themselves (26379,
    # the ones Harbor connects to) without password authentication inside the
    # cluster; presumably only data-plane Redis connections use the password below.
    # Before enabling it, confirm Harbor's sentinel client also presents the
    # password to sentinel, otherwise failover discovery breaks.
    sentinel: false
    # The Redis password is read from the pre-existing `redis-creds` secret
    # (key REDIS_PASSWORD) rather than from a literal in this file.
    existingSecret: redis-creds
    existingSecretPasswordKey: REDIS_PASSWORD
  master:
    persistence:
      size: 1Gi
  replica:
    persistence:
      size: 1Gi
  sentinel:
    enabled: true
# Bitnami MinIO sub-chart providing the S3-compatible backend for Harbor's registry
# (harbor.persistence.imageChartStorage.s3 below points at this service).
minio:
  fullnameOverride: minio
  mode: distributed
  ingress:
    enabled: true
    hostname: 'minio-harbor.example.com'
    annotations:
      # TLS is terminated at the OpenShift router; the router -> pod hop is
      # in-cluster plaintext.
      route.openshift.io/termination: edge
  auth:
    # Root (admin console) credentials come from an existing secret, not from this file.
    existingSecret: 'minio-admin-ui'
    forceNewKeys: true
  persistence:
    size: 5Gi
  provisioning:
    enabled: true
    buckets:
      - name: harbor
    # Per-user access keys are pulled from the referenced secret(s), not stored here.
    usersExistingSecrets:
      - centralized-minio-users
    policies:
      # Scoped to the harbor bucket only, but s3:* also grants bucket-level
      # operations (delete bucket, change policy). Narrow to the object/list
      # actions the registry actually needs if the users bound to this policy
      # are not fully trusted.
      - name: harbor
        statements:
          - resources:
              - "arn:aws:s3:::harbor"
              - "arn:aws:s3:::harbor/*"
            actions:
              - "s3:*"
            effect: "Allow"
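harbor:
  # Harbor chart values. Secrets are consolidated in the `harbor` Kubernetes Secret
  # (populated by this add-on's external-secrets templates) and referenced through the
  # chart's existingSecret* keys, so this file should carry no secret material itself.
  existingSecretAdminPassword: harbor
  existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
  existingSecretSecretKey: harbor
  core:
    replicas: 2
    # CSRF key is read from the consolidated `harbor` secret (key CSRF_KEY) instead of
    # a literal in this file. The previous literal ("somekey") was committed to VCS and
    # shorter than the 32 characters Harbor core expects for CSRF_KEY; as far as I can
    # tell core then falls back to a random per-pod key, which with two replicas makes
    # CSRF checks fail whenever a token issued by one replica is validated by the other.
    # NOTE(review): the external-secrets template must provide a 32-character CSRF_KEY
    # in the `harbor` secret — confirm. Chart versions that predate existingXsrfSecret
    # ignore it and render a random key at template time instead.
    xsrfKey: ""
    existingXsrfSecret: harbor
    existingXsrfSecretKey: CSRF_KEY
    # (FIXME) core.configureUserSettings is not yet merged/released upstream; until it
    # is, the chart ignores this block.
    # Security: "YOURSECRET" is a placeholder. Do not put the real OIDC client secret
    # here — this JSON is rendered into the core pod environment (presumably via a
    # ConfigMap rather than a Secret) and anything in this file lands in git. Leaving
    # oidc_client_secret out of the JSON should keep it settable via the Harbor API/UI
    # instead — verify against the chart/Harbor docs for the version in use.
    configureUserSettings: |
      {
        "auth_mode": "oidc_auth",
        "oidc_name": "keycloak",
        "oidc_endpoint": "https://keycloak.example.com/auth/realms/shared",
        "oidc_client_id": "harbor",
        "oidc_client_secret": "YOURSECRET",
        "oidc_groups_claim": "roles",
        "oidc_admin_group": "administrator",
        "oidc_scope": "openid,email,profile,roles",
        "oidc_auto_onboard": "true",
        "oidc_user_claim": "preferred_username"
      }
  jobservice:
    replicas: 2
    # Jobservice secret is read from the consolidated `harbor` secret (key
    # JOBSERVICE_SECRET) instead of the former literal ("SomeSecret"), which was
    # committed to VCS and shorter than the 16 characters the upstream chart documents
    # for this value. NOTE(review): the external-secrets template must provide
    # JOBSERVICE_SECRET in the `harbor` secret — confirm. Chart versions without
    # jobservice.existingSecret ignore it and render a random secret instead.
    secret: ""
    existingSecret: harbor
    existingSecretKey: JOBSERVICE_SECRET
    jobLoggers:
      - database
  registry:
    replicas: 2
    credentials:
      # The username is also defined inside existingSecret below (htpasswd entry), but
      # this value is used by jobservice as well, so the two must stay aligned.
      username: harbor_registry_user
      # Registry credentials come from the consolidated `harbor` secret.
      # Secret keys must be REGISTRY_PASSWD and REGISTRY_HTPASSWD. For key REGISTRY_PASSWD the value is the password.
      # For key REGISTRY_HTPASSWD the value is the string in the password file generated by htpasswd where the username
      # is harbor_registry_user and the encryption type is bcrypt.
      # For example: `htpasswd -bBc passwordfile harbor_registry_user harbor_registry_password`. The username must be harbor_registry_user!
      existingSecret: harbor
  fullnameOverride: harbor
  # Public URL. Keeping https here while expose.tls is disabled is consistent: TLS is
  # terminated at the OpenShift router (route termination: edge), not by Harbor.
  externalURL: https://registry.example.com
  ipFamily:
    # Set ipv6.enabled to true if IPv6 is enabled in the cluster; currently it only
    # affects the nginx-related component.
    ipv6:
      enabled: false
  expose:
    tls:
      # TLS is terminated at the OpenShift router (edge termination below), so the chart
      # does not serve TLS itself. The router -> Harbor hop is therefore plaintext on the
      # pod network; acceptable only if that network is trusted (otherwise switch the
      # route to re-encrypt termination and enable TLS here).
      enabled: false
    ingress:
      hosts:
        core: registry.example.com
      harbor:
        annotations:
          route.openshift.io/termination: edge
  # Use recreate strategy to avoid registry volume stuck in mounting status
  updateStrategy:
    type: Recreate
  persistence:
    enabled: true
    resourcePolicy: "keep"
    persistentVolumeClaim:
      trivy:
        size: 3Gi
    imageChartStorage:
      type: "s3"
      # https://github.com/goharbor/harbor-helm/issues/1318
      # With redirects disabled clients are never sent to the in-cluster MinIO endpoint
      # below; the registry proxies blob traffic itself.
      disableredirect: true
      s3:
        bucket: harbor
        # S3 access/secret keys come from the `harbor-s3` secret, not from this file.
        existingSecret: harbor-s3
        # Plain HTTP to MinIO inside the cluster: S3 credentials and blob data cross the
        # pod network unencrypted. Acceptable only on a trusted cluster network; otherwise
        # terminate TLS at MinIO and use https here.
        regionendpoint: "http://minio.harbor.svc.cluster.local:9000"
  portal:
    replicas: 2
  notary:
    enabled: false
  database:
    type: external
    external:
      host: "harbor-primary.harbor.svc"
      port: "5432"
      username: "harbor"
      # Database password comes from the existing `harbor-pguser-harbor` secret.
      existingSecret: "harbor-pguser-harbor"
      # `require` encrypts the connection but does not verify the server certificate, so
      # it does not defend against an in-cluster MITM. Use verify-full with the
      # database's CA if that threat matters in this environment.
      sslmode: "require"
  redis:
    type: external
    external:
      sentinelMasterSet: "mymaster"
      addr: "redis-node-0.redis-headless.harbor.svc.cluster.local:26379,redis-node-1.redis-headless.harbor.svc.cluster.local:26379,redis-node-2.redis-headless.harbor.svc.cluster.local:26379"
      # https://github.com/goharbor/harbor-helm/issues/1352
      # existingSecret: "harbor-redis"
      # The chart cannot read this value from a secret yet (issue above), so it must equal
      # the REDIS_PASSWORD that "add-ons/harbor-ha-okd/templates/external-secrets/redis-creds.yaml"
      # injects into the `redis-creds` secret. "SomeSecret" is a placeholder: do not commit
      # the real password here — supply it at deploy time from the same secret source.
      password: "SomeSecret"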
# Configuration for setting up resources in Keycloak to enable OIDC authentication.
# Prerequisite: ensure that the Keycloak Operator is installed and integrated with Keycloak.
# Refer to the installation guide for the Keycloak Operator:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/keycloak-operator
#
# Additionally, the necessary Keycloak resources (realms, roles, groups) must be created
# to support component functionality. This can be done using the provided add-ons or manually:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/kuberocketci-rbac
#
# NOTE(review): harbor.core.configureUserSettings above already sets auth_mode to
# oidc_auth against a Keycloak realm, so with this left disabled the Keycloak client,
# realm and roles Harbor relies on must already exist — confirm before rolling out.
oidc:
  enabled: false
# This section enables configuration for using External Secrets Operator (ESO) as the secret manager.
# Prerequisite: ensure that ESO is installed in the cluster.
# Refer to the EDP cluster add-on for ESO installation and setup:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/external-secrets
#
# Ensure that you have created the necessary roles for ESO integration.
# Follow the detailed instructions here:
# https://docs.kuberocketci.io/docs/operator-guide/secrets-management/external-secrets-operator-integration#aws-parameter-store-scenario-in-kuberocketci
eso:
  # -- Install components of the ESO.
  enabled: true
  # -- Defines provider type. One of `aws` or `generic`.
  type: "aws"
  # -- Defines Secret Store name.
  secretStoreName: "aws-parameterstore"
  # -- Value name in AWS ParameterStore, AWS SecretsManager or other Secret Store.
  # All Harbor/Redis/MinIO secrets referenced by the existingSecret* keys above are
  # expected to be sourced from this path.
  secretName: "/infra/core/addons/harbor-ha-okd"
  # -- Role ARN for the ExternalSecretOperator to assume.
  # NOTE(review): the account id is a placeholder; replace it with the real role and keep
  # that role scoped to read-only access on the parameter path above (least privilege).
  roleArn: arn:aws:iam::012345678910:role/AWSIRSA_Shared_ExternalSecretOperatorAccess
  # Defines Secret Store configuration. Used when eso.type is set to "generic".
  generic:
    secretStore:
      # -- Defines SecretStore provider configuration.
      providerConfig: {}
      # Example for a GCP Secret Manager store:
      # gcpsm:
      #   projectID: "alphabet-123"