
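harbor:
  # All Harbor credentials are consolidated in the single Kubernetes secret
  # named "harbor"; the chart reads them from there instead of from values.
  existingSecretAdminPassword: harbor
  existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
  existingSecretSecretKey: harbor

  core:
    # NOTE(review): placeholder XSRF key committed in plain text. Replace it
    # with a random value, or source it from the "harbor" secret the way the
    # admin password above is, if the chart version in use supports that.
    xsrfKey: "somekey"
    # (FIXME) This is not yet merged and still not released
    # Literal block: rendered verbatim as the JSON document Harbor applies to
    # its user settings. The OIDC provider is the shared Keycloak realm.
    # NOTE(review): "oidc_client_secret" is a placeholder kept in plain text;
    # never commit the real client secret here.
    configureUserSettings: |
      {
        "auth_mode": "oidc_auth",
        "oidc_name": "keycloak",
        "oidc_endpoint": "https://keycloak.example.com/auth/realms/shared",
        "oidc_client_id": "harbor",
        "oidc_client_secret": "YOURSECRET",
        "oidc_groups_claim": "roles",
        "oidc_admin_group": "administrator",
        "oidc_scope": "openid,email,profile,roles",
        "oidc_auto_onboard": "true",
        "oidc_user_claim": "preferred_username"
      }

  jobservice:
    # NOTE(review): placeholder inter-component secret in plain text; treat
    # it like core.xsrfKey above.
    secret: SomeSecret

  registry:
    # NOTE(review): placeholder inter-component secret in plain text; treat
    # it like core.xsrfKey above.
    secret: SomeSecret
    credentials:
      # The username is also defined in existingSecret below, but this value
      # is used by jobservice as well, so the two must stay aligned.
      username: harbor_registry_user
      # We use the "harbor" secret to consolidate all the secrets.
      # Secret keys must be REGISTRY_PASSWD and REGISTRY_HTPASSWD.
      # For key REGISTRY_PASSWD the value is the password.
      # For key REGISTRY_HTPASSWD the value is the line from the password file
      # generated by htpasswd, where the username is harbor_registry_user and
      # the encryption type is bcrypt. For example:
      #   htpasswd -bBc passwordfile harbor_registry_user harbor_registry_password
      # The username must be harbor_registry_user!
      existingSecret: harbor

  fullnameOverride: harbor
  externalURL: https://registry.example.com

  ipFamily:
    # Set ipv6.enabled to true when IPv6 is enabled in the cluster; currently
    # this only affects the nginx-related component.
    ipv6:
      enabled: false

  expose:
    tls:
      # TLS is terminated at the load balancer in front of Harbor, so the
      # in-cluster endpoints stay plain HTTP.
      enabled: false
    ingress:
      hosts:
        core: registry.example.com
        notary: notary.example.com

  # Use the Recreate strategy to avoid the registry volume getting stuck in
  # the "mounting" state during a rolling update.
  updateStrategy:
    type: Recreate

  persistence:
    enabled: true
    # Keep the PVCs when the release is deleted.
    resourcePolicy: "keep"
    persistentVolumeClaim:
      registry:
        storageClass: "ebs-sc"
        size: 30Gi
      jobservice:
        jobLog:
          storageClass: "ebs-sc"
          size: 1Gi
      database:
        storageClass: "ebs-sc"
        size: 2Gi
      redis:
        storageClass: "ebs-sc"
        size: 1Gi
      trivy:
        storageClass: "ebs-sc"
        size: 5Gi

  database:
    internal:
      # NOTE(review): placeholder database password committed in plain text;
      # replace it before deploying.
      password: "somesecret"

# Configuration for setting up resources in Keycloak to enable OIDC authentication.
# Prerequisite: ensure that the Keycloak Operator is installed and integrated with Keycloak.
# Refer to the installation guide for the Keycloak Operator:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/keycloak-operator
#
# Additionally, the necessary Keycloak resources such as realms, roles, and groups must be
# created to support component functionality. This can be done using the provided add-ons
# or manually:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/kuberocketci-rbac
oidc:
  enabled: false

# This section enables configuration for using External Secrets Operator (ESO) as the
# secret manager.
# Prerequisite: ensure that ESO is installed in the cluster.
# Refer to the EDP cluster add-on for ESO installation and setup:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/external-secrets
#
# Ensure that you have created the necessary roles for the ESO integration.
# Follow the detailed instructions here:
# https://docs.kuberocketci.io/docs/operator-guide/secrets-management/external-secrets-operator-integration#aws-parameter-store-scenario-in-kuberocketci
eso:
  # -- Install components of the ESO.
  enabled: true
  # -- Defines provider type. One of `aws` or `generic`.
  type: "aws"
  # -- Defines Secret Store name.
  secretStoreName: "aws-parameterstore"
  # -- Value name in AWS ParameterStore, AWS SecretsManager or other Secret Store.
  secretName: "/infra/core/addons/harbor"
  # -- Role ARN for the ExternalSecretOperator to assume.
  roleArn: arn:aws:iam::012345678910:role/AWSIRSA_Shared_ExternalSecretOperatorAccess
  # Defines Secret Store configuration. Used when eso.type is set to "generic".
  generic:
    secretStore:
      # -- Defines SecretStore provider configuration.
      providerConfig: {}
      # gcpsm:
      #   projectID: "alphabet-123"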