update

conf/notary-server.json

@@ -19,7 +19,7 @@
   "auth": {
     "type": "token",
     "options": {
-      "realm": "{{ .Values.externalURL }}/service/token",
+      "realm": "{{ .Values.externalURL }}.{{ $.Values.global.host }}/service/token",
       "service": "harbor-notary",
       "issuer": "harbor-token-issuer",
       "rootcertbundle": "/root.crt"

values-aliyun.yaml → raws/values-aliyun.yaml

@@ -73,17 +73,17 @@ secretKey: "IpTIscRIgmerlare"
 portal:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
-    tag: v2.1.1
+    tag: v2.1.3
 
 core:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
-    tag: v2.1.1
+    tag: v2.1.3
 
 jobservice:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
-    tag: v2.1.1
+    tag: v2.1.3
 
 registry:
   registry:
@@ -98,12 +98,12 @@ registry:
   controller:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
-      tag: v2.1.1
+      tag: v2.1.3
 
 chartmuseum:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum
-    tag: v2.1.1
+    tag: v2.1.3
   nodeSelector: {}
   # nodeSelector:
   #   harbor: enabled
@@ -117,33 +117,33 @@ clair:
   clair:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair
-      tag: v2.1.1
+      tag: v2.1.3
   adapter:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter
-      tag: v2.1.1
+      tag: v2.1.3
 
 trivy:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter
-    tag: v2.1.1
+    tag: v2.1.3
 
 notary:
   server:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server
-      tag: v2.1.1
+      tag: v2.1.3
   signer:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer
-      tag: v2.1.1
+      tag: v2.1.3
 
 database:
   type: internal
   internal:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
-      tag: v2.1.1
+      tag: v2.1.3
     password: "spaceIN511"
     resources:
       limits:

values-arm.yaml → raws/values-arm.yaml

@@ -73,17 +73,17 @@ secretKey: "IpTIscRIgmerlare"
 portal:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
-    tag: v2.1.1-arm64
+    tag: v2.1.3-arm64
 
 core:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
-    tag: v2.1.1-arm64
+    tag: v2.1.3-arm64
 
 jobservice:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
-    tag: v2.1.1-arm64
+    tag: v2.1.3-arm64
 
 registry:
   registry:
@@ -98,12 +98,12 @@ registry:
   controller:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
-      tag: v2.1.1-arm64
+      tag: v2.1.3-arm64
 
 chartmuseum:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum
-    tag: v2.1.1-arm64
+    tag: v2.1.3-arm64
   nodeSelector: {}
   # nodeSelector:
   #   harbor: enabled
@@ -117,33 +117,33 @@ clair:
   clair:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair
-      tag: v2.1.1-arm64
+      tag: v2.1.3-arm64
   adapter:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter
-      tag: v2.1.1-arm64
+      tag: v2.1.3-arm64
 
 trivy:
   image:
     repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter
-    tag: v2.1.1-arm64
+    tag: v2.1.3-arm64
 
 notary:
   server:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server
-      tag: v2.1.1-arm64
+      tag: v2.1.3-arm64
   signer:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer
-      tag: v2.1.1-arm64
+      tag: v2.1.3-arm64
 
 database:
   type: internal
   internal:
     image:
       repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
-      tag: v2.1.1-arm64
+      tag: v2.1.3-arm64
     password: "spaceIN511"
     resources:
       limits:

raws/values.yaml

+expose:
+  # Set the way how to expose the service. Set the type as "ingress",
+  # "clusterIP", "nodePort" or "loadBalancer" and fill the information
+  # in the corresponding section
+  type: ingress
+  tls:
+    # Enable the tls or not. Note: if the type is "ingress" and the tls
+    # is disabled, the port must be included in the command when pull/push
+    # images. Refer to https://github.com/goharbor/harbor/issues/5291
+    # for the detail.
+    enabled: true
+    # The source of the tls certificate. Set it as "auto", "secret"
+    # or "none" and fill the information in the corresponding section
+    # 1) auto: generate the tls certificate automatically
+    # 2) secret: read the tls certificate from the specified secret.
+    # The tls certificate can be generated manually or by cert manager
+    # 3) none: configure no tls certificate for the ingress. If the default
+    # tls certificate is configured in the ingress controller, choose this option
+    certSource: auto
+    auto:
+      # The common name used to generate the certificate, it's necessary
+      # when the type isn't "ingress"
+      commonName: ""
+    secret:
+      # The name of secret which contains keys named:
+      # "tls.crt" - the certificate
+      # "tls.key" - the private key
+      secretName: ""
+      # The name of secret which contains keys named:
+      # "tls.crt" - the certificate
+      # "tls.key" - the private key
+      # Only needed when the "expose.type" is "ingress".
+      notarySecretName: ""
+  ingress:
+    hosts:
+      core: core.harbor.domain
+      notary: notary.harbor.domain
+    # set to the type of ingress controller if it has specific requirements.
+    # leave as `default` for most ingress controllers.
+    # set to `gce` if using the GCE ingress controller
+    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
+    controller: default
+    annotations:
+      ingress.kubernetes.io/ssl-redirect: "true"
+      ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+  clusterIP:
+    # The name of ClusterIP service
+    name: harbor
+    ports:
+      # The service port Harbor listens on when serving with HTTP
+      httpPort: 80
+      # The service port Harbor listens on when serving with HTTPS
+      httpsPort: 443
+      # The service port Notary listens on. Only needed when notary.enabled
+      # is set to true
+      notaryPort: 4443
+  nodePort:
+    # The name of NodePort service
+    name: harbor
+    ports:
+      http:
+        # The service port Harbor listens on when serving with HTTP
+        port: 80
+        # The node port Harbor listens on when serving with HTTP
+        nodePort: 30002
+      https:
+        # The service port Harbor listens on when serving with HTTPS
+        port: 443
+        # The node port Harbor listens on when serving with HTTPS
+        nodePort: 30003
+      # Only needed when notary.enabled is set to true
+      notary:
+        # The service port Notary listens on
+        port: 4443
+        # The node port Notary listens on
+        nodePort: 30004
+  loadBalancer:
+    # The name of LoadBalancer service
+    name: harbor
+    # Set the IP if the LoadBalancer supports assigning IP
+    IP: ""
+    ports:
+      # The service port Harbor listens on when serving with HTTP
+      httpPort: 80
+      # The service port Harbor listens on when serving with HTTPS
+      httpsPort: 443
+      # The service port Notary listens on. Only needed when notary.enabled
+      # is set to true
+      notaryPort: 4443
+    annotations: {}
+    sourceRanges: []
+
+# The external URL for Harbor core service. It is used to
+# 1) populate the docker/helm commands showed on portal
+# 2) populate the token service URL returned to docker/notary client
+#
+# Format: protocol://domain[:port]. Usually:
+# 1) if "expose.type" is "ingress", the "domain" should be
+# the value of "expose.ingress.hosts.core"
+# 2) if "expose.type" is "clusterIP", the "domain" should be
+# the value of "expose.clusterIP.name"
+# 3) if "expose.type" is "nodePort", the "domain" should be
+# the IP address of k8s node
+#
+# If Harbor is deployed behind the proxy, set it as the URL of proxy
+externalURL: https://core.harbor.domain
+
+# The internal TLS used for harbor components secure communicating. In order to enable https
+# in each components tls cert files need to provided in advance.
+internalTLS:
+  # If internal TLS enabled
+  enabled: false
+  # There are three ways to provide tls
+  # 1) "auto" will generate cert automatically
+  # 2) "manual" need provide cert file manually in following value
+  # 3) "secret" internal certificates from secret
+  certSource: "auto"
+  # The content of trust ca, only available when `certSource` is "manual"
+  trustCa: ""
+  # core related cert configuration
+  core:
+    # secret name for core's tls certs
+    secretName: ""
+    # Content of core's TLS cert file, only available when `certSource` is "manual"
+    crt: ""
+    # Content of core's TLS key file, only available when `certSource` is "manual"
+    key: ""
+  # jobservice related cert configuration
+  jobservice:
+    # secret name for jobservice's tls certs
+    secretName: ""
+    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
+    crt: ""
+    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
+    key: ""
+  # registry related cert configuration
+  registry:
+    # secret name for registry's tls certs
+    secretName: ""
+    # Content of registry's TLS key file, only available when `certSource` is "manual"
+    crt: ""
+    # Content of registry's TLS key file, only available when `certSource` is "manual"
+    key: ""
+  # portal related cert configuration
+  portal:
+    # secret name for portal's tls certs
+    secretName: ""
+    # Content of portal's TLS key file, only available when `certSource` is "manual"
+    crt: ""
+    # Content of portal's TLS key file, only available when `certSource` is "manual"
+    key: ""
+  # chartmuseum related cert configuration
+  chartmuseum:
+    # secret name for chartmuseum's tls certs
+    secretName: ""
+    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
+    crt: ""
+    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
+    key: ""
+  # clair related cert configuration
+  clair:
+    # secret name for clair's tls certs
+    secretName: ""
+    # Content of clair's TLS key file, only available when `certSource` is "manual"
+    crt: ""
+    # Content of clair's TLS key file, only available when `certSource` is "manual"
+    key: ""
+  # trivy related cert configuration
+  trivy:
+    # secret name for trivy's tls certs
+    secretName: ""
+    # Content of trivy's TLS key file, only available when `certSource` is "manual"
+    crt: ""
+    # Content of trivy's TLS key file, only available when `certSource` is "manual"
+    key: ""
+
+# The persistence is enabled by default and a default StorageClass
+# is needed in the k8s cluster to provision volumes dynamicly.
+# Specify another StorageClass in the "storageClass" or set "existingClaim"
+# if you have already existing persistent volumes to use
+#
+# For storing images and charts, you can also use "azure", "gcs", "s3",
+# "swift" or "oss". Set it in the "imageChartStorage" section
+persistence:
+  enabled: true
+  # Setting it to "keep" to avoid removing PVCs during a helm delete
+  # operation. Leaving it empty will delete PVCs after the chart deleted
+  # (this does not apply for PVCs that are created for internal database
+  # and redis components, i.e. they are never deleted automatically)
+  resourcePolicy: "keep"
+  persistentVolumeClaim:
+    registry:
+      # Use the existing PVC which must be created manually before bound,
+      # and specify the "subPath" if the PVC is shared with other components
+      existingClaim: ""
+      # Specify the "storageClass" used to provision the volume. Or the default
+      # StorageClass will be used(the default).
+      # Set it to "-" to disable dynamic provisioning
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 5Gi
+    chartmuseum:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 5Gi
+    jobservice:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 1Gi
+    # If external database is used, the following settings for database will
+    # be ignored
+    database:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 1Gi
+    # If external Redis is used, the following settings for Redis will
+    # be ignored
+    redis:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 1Gi
+    trivy:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 5Gi
+  # Define which storage backend is used for registry and chartmuseum to store
+  # images and charts. Refer to
+  # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
+  # for the detail.
+  imageChartStorage:
+    # Specify whether to disable `redirect` for images and chart storage, for
+    # backends which not supported it (such as using minio for `s3` storage type), please disable
+    # it. To disable redirects, simply set `disableredirect` to `true` instead.
+    # Refer to
+    # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
+    # for the detail.
+    disableredirect: false
+    # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
+    # The secret must contain keys named "ca.crt" which will be injected into the trust store
+    # of registry's and chartmuseum's containers.
+    # caBundleSecretName:
+
+    # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
+    # "oss" and fill the information needed in the corresponding section. The type
+    # must be "filesystem" if you want to use persistent volumes for registry
+    # and chartmuseum
+    type: filesystem
+    filesystem:
+      rootdirectory: /storage
+      #maxthreads: 100
+    azure:
+      accountname: accountname
+      accountkey: base64encodedaccountkey
+      container: containername
+      #realm: core.windows.net
+    gcs:
+      bucket: bucketname
+      # The base64 encoded json file which contains the key
+      encodedkey: base64-encoded-json-key-file
+      #rootdirectory: /gcs/object/name/prefix
+      #chunksize: "5242880"
+    s3:
+      region: us-west-1
+      bucket: bucketname
+      #accesskey: awsaccesskey
+      #secretkey: awssecretkey
+      #regionendpoint: http://myobjects.local
+      #encrypt: false
+      #keyid: mykeyid
+      #secure: true
+      #skipverify: false
+      #v4auth: true
+      #chunksize: "5242880"
+      #rootdirectory: /s3/object/name/prefix
+      #storageclass: STANDARD
+      #multipartcopychunksize: "33554432"
+      #multipartcopymaxconcurrency: 100
+      #multipartcopythresholdsize: "33554432"
+    swift:
+      authurl: https://storage.myprovider.com/v3/auth
+      username: username
+      password: password
+      container: containername
+      #region: fr
+      #tenant: tenantname
+      #tenantid: tenantid
+      #domain: domainname
+      #domainid: domainid
+      #trustid: trustid
+      #insecureskipverify: false
+      #chunksize: 5M
+      #prefix:
+      #secretkey: secretkey
+      #accesskey: accesskey
+      #authversion: 3
+      #endpointtype: public
+      #tempurlcontainerkey: false
+      #tempurlmethods:
+    oss:
+      accesskeyid: accesskeyid
+      accesskeysecret: accesskeysecret
+      region: regionname
+      bucket: bucketname
+      #endpoint: endpoint
+      #internal: false
+      #encrypt: false
+      #secure: true
+      #chunksize: 10M
+      #rootdirectory: rootdirectory
+
+imagePullPolicy: IfNotPresent
+
+# Use this set to assign a list of default pullSecrets
+imagePullSecrets:
+#  - name: docker-registry-secret
+#  - name: internal-registry-secret
+
+# The update strategy for deployments with persistent volumes(jobservice, registry
+# and chartmuseum): "RollingUpdate" or "Recreate"
+# Set it as "Recreate" when "RWM" for volumes isn't supported
+updateStrategy:
+  type: RollingUpdate
+
+# debug, info, warning, error or fatal
+logLevel: info
+
+# The initial password of Harbor admin. Change it from portal after launching Harbor
+harborAdminPassword: "Harbor12345"
+
+# The name of the secret which contains key named "ca.crt". Setting this enables the
+# download link on portal to download the certificate of CA when the certificate isn't
+# generated automatically
+caSecretName: ""
+
+# The secret key used for encryption. Must be a string of 16 chars.
+secretKey: "not-a-secure-key"
+
+# The proxy settings for updating clair vulnerabilities from the Internet and replicating
+# artifacts from/to the registries that cannot be reached directly
+proxy:
+  httpProxy:
+  httpsProxy:
+  noProxy: 127.0.0.1,localhost,.local,.internal
+  components:
+    - core
+    - jobservice
+    - clair
+    - trivy
+
+# The custom ca bundle secret, the secret must contain key named "ca.crt"
+# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
+# caBundleSecretName: ""
+
+## UAA Authentication Options
+# If you're using UAA for authentication behind a self-signed
+# certificate you will need to provide the CA Cert.
+# Set uaaSecretName below to provide a pre-created secret that
+# contains a base64 encoded CA Certificate named `ca.crt`.
+# uaaSecretName:
+
+# If expose the service via "ingress", the Nginx will not be used
+nginx:
+  image:
+    repository: goharbor/nginx-photon
+    tag: v2.1.3
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  replicas: 1
+  # resources:
+  #  requests:
+  #    memory: 256Mi
+  #    cpu: 100m
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+
+portal:
+  image:
+    repository: goharbor/harbor-portal
+    tag: v2.1.3
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  replicas: 1
+  # resources:
+  #  requests:
+  #    memory: 256Mi
+  #    cpu: 100m
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+
+core:
+  image:
+    repository: goharbor/harbor-core
+    tag: v2.1.3
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  replicas: 1
+  ## Startup probe values
+  startupProbe:
+    enabled: true
+    initialDelaySeconds: 10
+  # resources:
+  #  requests:
+  #    memory: 256Mi
+  #    cpu: 100m
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+  # Secret is used when core server communicates with other components.
+  # If a secret key is not specified, Helm will generate one.
+  # Must be a string of 16 chars.
+  secret: ""
+  # Fill the name of a kubernetes secret if you want to use your own
+  # TLS certificate and private key for token encryption/decryption.
+  # The secret must contain keys named:
+  # "tls.crt" - the certificate
+  # "tls.key" - the private key
+  # The default key pair will be used if it isn't set
+  secretName: ""
+  # The XSRF key. Will be generated automatically if it isn't specified
+  xsrfKey: ""
+
+jobservice:
+  image:
+    repository: goharbor/harbor-jobservice
+    tag: v2.1.3
+  replicas: 1
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  maxJobWorkers: 10
+  # The logger for jobs: "file", "database" or "stdout"
+  jobLogger: file
+  # resources:
+  #   requests:
+  #     memory: 256Mi
+  #     cpu: 100m
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+  # Secret is used when job service communicates with other components.
+  # If a secret key is not specified, Helm will generate one.
+  # Must be a string of 16 chars.
+  secret: ""
+
+registry:
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  registry:
+    image:
+      repository: goharbor/registry-photon
+      tag: v2.1.3
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+  controller:
+    image:
+      repository: goharbor/harbor-registryctl
+      tag: v2.1.3
+
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+  replicas: 1
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+  # Secret is used to secure the upload state from client
+  # and registry storage backend.
+  # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
+  # If a secret key is not specified, Helm will generate one.
+  # Must be a string of 16 chars.
+  secret: ""
+  # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
+  relativeurls: false
+  credentials:
+    username: "harbor_registry_user"
+    password: "harbor_registry_password"
+    # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
+    # e.g. "htpasswd -nbBC10 $username $password"
+    htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
+
+  middleware:
+    enabled: false
+    type: cloudFront
+    cloudFront:
+      baseurl: example.cloudfront.net
+      keypairid: KEYPAIRID
+      duration: 3000s
+      ipfilteredby: none
+      # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
+      # that allows access to CloudFront
+      privateKeySecret: "my-secret"
+
+chartmuseum:
+  enabled: true
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
+  absoluteUrl: false
+  image:
+    repository: goharbor/chartmuseum-photon
+    tag: v2.1.3
+  replicas: 1
+  # resources:
+  #  requests:
+  #    memory: 256Mi
+  #    cpu: 100m
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+
+clair:
+  enabled: true
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  clair:
+    image:
+      repository: goharbor/clair-photon
+      tag: v2.1.3
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+  adapter:
+    image:
+      repository: goharbor/clair-adapter-photon
+      tag: v2.1.3
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+  replicas: 1
+  # The interval of clair updaters, the unit is hour, set to 0 to
+  # disable the updaters
+  updatersInterval: 12
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+
+trivy:
+  # enabled the flag to enable Trivy scanner
+  enabled: true
+  image:
+    # repository the repository for Trivy adapter image
+    repository: goharbor/trivy-adapter-photon
+    # tag the tag for Trivy adapter image
+    tag: v2.1.3
+  # set the service account to be used, default if left empty
+  serviceAccountName: ""
+  # replicas the number of Pod replicas
+  replicas: 1
+  # debugMode the flag to enable Trivy debug mode with more verbose scanning log
+  debugMode: false
+  # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
+  vulnType: "os,library"
+  # severity a comma-separated list of severities to be checked
+  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+  # ignoreUnfixed the flag to display only fixed vulnerabilities
+  ignoreUnfixed: false
+  # insecure the flag to skip verifying registry certificate
+  insecure: false
+  # gitHubToken the GitHub access token to download Trivy DB
+  #
+  # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+  # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+  # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
+  # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
+  # Currently, the database is updated every 12 hours and published as a new release to GitHub.
+  #
+  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
+  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
+  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
+  # https://developer.github.com/v3/#rate-limiting
+  #
+  # You can create a GitHub token by following the instructions in
+  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+  gitHubToken: ""
+  # skipUpdate the flag to disable Trivy DB downloads from GitHub
+  #
+  # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
+  # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
+  # `/home/scanner/.cache/trivy/db/trivy.db` path.
+  skipUpdate: false
+  resources:
+    requests:
+      cpu: 200m
+      memory: 512Mi
+    limits:
+      cpu: 1
+      memory: 1Gi
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+
+notary:
+  enabled: true
+  server:
+    # set the service account to be used, default if left empty
+    serviceAccountName: ""
+    image:
+      repository: goharbor/notary-server-photon
+      tag: v2.1.3
+    replicas: 1
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+  signer:
+    # set the service account to be used, default if left empty
+    serviceAccountName: ""
+    image:
+      repository: goharbor/notary-signer-photon
+      tag: v2.1.3
+    replicas: 1
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  ## Additional deployment annotations
+  podAnnotations: {}
+  # Fill the name of a kubernetes secret if you want to use your own
+  # TLS certificate authority, certificate and private key for notary
+  # communications.
+  # The secret must contain keys named ca.crt, tls.crt and tls.key that
+  # contain the CA, certificate and private key.
+  # They will be generated if not set.
+  secretName: ""
+
+database:
+  # if external database is used, set "type" to "external"
+  # and fill the connection informations in "external" section
+  type: internal
+  internal:
+    # set the service account to be used, default if left empty
+    serviceAccountName: ""
+    image:
+      repository: goharbor/harbor-db
+      tag: v2.1.3
+    # The initial superuser password for internal database
+    password: "changeit"
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+  external:
+    host: "192.168.0.1"
+    port: "5432"
+    username: "user"
+    password: "password"
+    coreDatabase: "registry"
+    clairDatabase: "clair"
+    notaryServerDatabase: "notary_server"
+    notarySignerDatabase: "notary_signer"
+    # "disable" - No SSL
+    # "require" - Always SSL (skip verification)
+    # "verify-ca" - Always SSL (verify that the certificate presented by the
+    # server was signed by a trusted CA)
+    # "verify-full" - Always SSL (verify that the certification presented by the
+    # server was signed by a trusted CA and the server host name matches the one
+    # in the certificate)
+    sslmode: "disable"
+  # The maximum number of connections in the idle connection pool.
+  # If it <=0, no idle connections are retained.
+  maxIdleConns: 50
+  # The maximum number of open connections to the database.
+  # If it <= 0, then there is no limit on the number of open connections.
+  # Note: the default number of connections is 1024 for postgre of harbor.
+  maxOpenConns: 1000
+  ## Additional deployment annotations
+  podAnnotations: {}
+
+redis:
+  # if external Redis is used, set "type" to "external"
+  # and fill the connection informations in "external" section
+  type: internal
+  internal:
+    # set the service account to be used, default if left empty
+    serviceAccountName: ""
+    image:
+      repository: goharbor/redis-photon
+      tag: v2.1.3
+    # resources:
+    #  requests:
+    #    memory: 256Mi
+    #    cpu: 100m
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+  external:
+    # support redis, redis+sentinel
+    # addr for redis: <host_redis>:<port_redis>
+    # addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
+    addr: "192.168.0.2:6379"
+    # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
+    sentinelMasterSet: ""
+    # The "coreDatabaseIndex" must be "0" as the library Harbor
+    # used doesn't support configuring it
+    coreDatabaseIndex: "0"
+    jobserviceDatabaseIndex: "1"
+    registryDatabaseIndex: "2"
+    chartmuseumDatabaseIndex: "3"
+    clairAdapterIndex: "4"
+    trivyAdapterIndex: "5"
+    password: ""
+  ## Additional deployment annotations
+  podAnnotations: {}
+
+commonLabels:
+  app.bd-apaas.com/cluster-component: registry
\ No newline at end of file

templates/NOTES.txt

 Please wait for several minutes for Harbor deployment to complete.
-Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}
+Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.{{ $.Values.global.host }}
 For more details, please visit https://github.com/goharbor/harbor

templates/_helpers.tpl

+{{/*
+Create chart arch suffix.
+*/}}
+{{- define "beagle.arch" -}}
+{{- if not (eq "amd64" .Values.global.arch) -}}
+{{- print "-" .Values.global.arch -}}
+{{- else -}}
+{{- print "" -}}
+{{- end -}}
+{{- end }}
+
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.

templates/chartmuseum/chartmuseum-cm.yaml

@@ -21,7 +21,7 @@ data:
   CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}"
   BASIC_AUTH_USER: "chart_controller"
 {{- if .Values.chartmuseum.absoluteUrl }}
-  CHART_URL: {{ .Values.externalURL }}/chartrepo
+  CHART_URL: {{ .Values.externalURL }}.{{ $.Values.global.host }}/chartrepo
 {{- end }}
   DEPTH: "1"
 {{- if eq .Values.logLevel "debug" }}

templates/chartmuseum/chartmuseum-dpl.yaml

@@ -46,8 +46,12 @@ spec:
       {{- end }}
       containers:
       - name: chartmuseum
-        image: {{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.chartmuseum.image.repository }}
+        image: "{{ .Values.chartmuseum.image.repository }}"
+{{- else }}
+        image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         livenessProbe:
           httpGet:
             path: /health

templates/clair/clair-dpl.yaml

@@ -39,8 +39,12 @@ spec:
       {{- end }}
       containers:
       - name: clair
-        image: {{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.clair.clair.image.repository }}
+        image: "{{ .Values.clair.clair.image.repository }}"
+{{- else }}
+        image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         livenessProbe:
           httpGet:
             path: /health

templates/core/core-cm.yaml

@@ -21,7 +21,7 @@ data:
   POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
   POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
   POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
-  EXT_ENDPOINT: "{{ .Values.externalURL }}"
+  EXT_ENDPOINT: "{{ .Values.externalURL }}.{{ $.Values.global.host }}"
   CORE_URL: "{{ template "harbor.coreURL" . }}"
   JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}"
   REGISTRY_URL: "{{ template "harbor.registryURL" . }}"

templates/core/core-dpl.yaml

@@ -40,8 +40,12 @@ spec:
       {{- end }}
       containers:
       - name: core
-        image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.core.image.repository }}
+        image: "{{ .Values.core.image.repository }}"
+{{- else }}
+        image: "{{ .Values.core.image.hub | default .Values.global.hub }}/{{ .Values.core.image.repository }}:{{ .Values.core.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         {{- if .Values.core.startupProbe.enabled }}
         startupProbe:
           httpGet:

templates/database/database-ss.yaml

@@ -36,8 +36,12 @@ spec:
       - name: "change-permission-of-directory"
         securityContext:
           runAsUser: 0
-        image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.database.internal.image.repository }}
+        image: "{{ .Values.database.internal.image.repository }}"
+{{- else }}
+        image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         command: ["/bin/sh"]
         args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"]
         volumeMounts:
@@ -45,8 +49,12 @@ spec:
           mountPath: /var/lib/postgresql/data
           subPath: {{ $database.subPath }}
       - name: "remove-lost-found"
-        image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.database.internal.image.repository }}
+        image: "{{ .Values.database.internal.image.repository }}"
+{{- else }}
+        image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
         volumeMounts:
         - name: database-data
@@ -54,8 +62,12 @@ spec:
           subPath: {{ $database.subPath }}
       containers:
       - name: database
-        image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.database.internal.image.repository }}
+        image: "{{ .Values.database.internal.image.repository }}"
+{{- else }}
+        image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         livenessProbe:
           exec:
             command:

templates/ingress/ingress.yaml

@@ -28,6 +28,7 @@
 {{- end }}
 
 ---
+{{- if not (.Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1") -}}
 {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: extensions/v1beta1
 {{- else }}
@@ -55,7 +56,7 @@ spec:
   - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
     {{- if $ingress.hosts.core }}
     hosts:
-    - {{ $ingress.hosts.core }}
+    - {{ $ingress.hosts.core }}.{{ $.Values.global.host }}
     {{- end }}
   {{- end }}
   rules:
@@ -86,7 +87,7 @@ spec:
           serviceName: {{ template "harbor.core" . }}
           servicePort: {{ template "harbor.core.servicePort" . }}
     {{- if $ingress.hosts.core }}
-    host: {{ $ingress.hosts.core }}
+    host: {{ $ingress.hosts.core }}.{{ $.Values.global.host }}
     {{- end }}
 
 {{- if .Values.notary.enabled  }}
@@ -115,7 +116,7 @@ spec:
   - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }}
     {{- if $ingress.hosts.notary }}
     hosts:
-    - {{ $ingress.hosts.notary }}
+    - {{ $ingress.hosts.notary }}.{{ $.Values.global.host }}
     {{- end }}
   {{- end }}
   rules:
@@ -126,8 +127,9 @@ spec:
           serviceName: {{ template "harbor.notary-server" . }}
           servicePort: 4443
     {{- if $ingress.hosts.notary }}
-    host: {{ $ingress.hosts.notary }}
+    host: {{ $ingress.hosts.notary }}.{{ $.Values.global.host }}
     {{- end }}
 {{- end }}
 
 {{- end }}
+{{- end }}
\ No newline at end of file

templates/ingress/ingresshost.yaml

@@ -11,7 +11,7 @@ metadata:
   labels:
     {{ include "harbor.labels" . | nindent 4 }}
 spec:
-  host: "{{ .Values.expose.ingress.hosts.core }}" 
+  host: "{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}" 
 ---
 apiVersion: bcc.bd-apaas.com/v1alpha1
 kind: IngressHost
@@ -24,5 +24,5 @@ metadata:
   labels:
     {{ include "harbor.labels" . | nindent 4 }}
 spec:
-  host: "{{ .Values.expose.ingress.hosts.notary }}" 
+  host: "{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}" 
 {{- end -}}

templates/ingress/ingressroute.yaml

@@ -14,39 +14,39 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
       kind: Rule
       services:
       - name: {{ template "harbor.portal" . }}
         port: {{ template "harbor.portal.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/api/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/service/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/v2/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`)
       kind: Rule
       middlewares:
         - name: "{{ template "harbor.ingress" . }}-https"
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/chartrepo/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/c/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.notary }}`) && PathPrefix(`/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
       kind: Rule
       services:
       - name: {{ template "harbor.notary-server" . }}
@@ -68,37 +68,37 @@ spec:
   entryPoints:
     - web
   routes:
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
       kind: Rule
       services:
       - name: {{ template "harbor.portal" . }}
         port: {{ template "harbor.portal.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/api/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/service/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/v2/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/chartrepo/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.core }}`) && PathPrefix(`/c/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`)
       kind: Rule
       services:
       - name: {{ template "harbor.core" . }}
         port: {{ template "harbor.core.servicePort" . }}
-    - match: Host(`{{ .Values.expose.ingress.hosts.notary }}`) && PathPrefix(`/`)
+    - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
       kind: Rule
       services:
       - name: {{ template "harbor.notary-server" . }}

templates/jobservice/jobservice-dpl.yaml

@@ -46,8 +46,12 @@ spec:
       {{- end }}
       containers:
       - name: jobservice
-        image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.jobservice.image.repository }}
+        image: "{{ .Values.jobservice.image.repository }}"
+{{- else }}
+        image: "{{ .Values.jobservice.image.hub | default .Values.global.hub }}/{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         livenessProbe:
           httpGet:
             path: /api/v1/stats

templates/nginx/deployment.yaml

@@ -41,8 +41,12 @@ spec:
       {{- end }}
       containers:
       - name: nginx
-        image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
-        imagePullPolicy: "{{ .Values.imagePullPolicy }}"
+{{- if contains "/" .Values.nginx.image.repository }}
+        image: "{{ .Values.nginx.image.repository }}"
+{{- else }}
+        image: "{{ .Values.nginx.image.hub | default .Values.global.hub }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         {{- $_ := set . "scheme" "HTTP" -}}
         {{- $_ := set . "port" "8080" -}}
         {{- if .Values.expose.tls.enabled }}

templates/notary/notary-server.yaml

@@ -35,8 +35,12 @@ spec:
       {{- end }}
       containers:
       - name: notary-server
-        image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.notary.server.image.repository }}
+        image: "{{ .Values.notary.server.image.repository }}"
+{{- else }}
+        image: "{{ .Values.notary.server.image.hub | default .Values.global.hub }}/{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
 {{- if .Values.notary.server.resources }}
         resources:
 {{ toYaml .Values.notary.server.resources | indent 10 }}

templates/notary/notary-signer.yaml

@@ -31,8 +31,12 @@ spec:
       {{- end }}
       containers:
       - name: notary-signer
-        image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.notary.signer.image.repository }}
+        image: "{{ .Values.notary.signer.image.repository }}"
+{{- else }}
+        image: "{{ .Values.notary.signer.image.hub | default .Values.global.hub }}/{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
 {{- if .Values.notary.signer.resources }}
         resources:
 {{ toYaml .Values.notary.signer.resources | indent 10 }}

templates/portal/deployment.yaml

@@ -35,8 +35,12 @@ spec:
 {{- end }}
       containers:
       - name: portal
-        image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.portal.image.repository }}
+        image: "{{ .Values.portal.image.repository }}"
+{{- else }}
+        image: "{{ .Values.portal.image.hub | default .Values.global.hub }}/{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
 {{- if .Values.portal.resources }}
         resources:
 {{ toYaml .Values.portal.resources | indent 10 }}

templates/redis/statefulset.yaml

@@ -37,6 +37,12 @@ spec:
       - name: redis
         image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.chartmuseum.image.repository }}
+        image: "{{ .Values.chartmuseum.image.repository }}"
+{{- else }}
+        image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         livenessProbe:
           tcpSocket:
             port: 6379

templates/registry/registry-dpl.yaml

@@ -46,8 +46,12 @@ spec:
       {{- end }}
       containers:
       - name: registry
-        image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }}
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.registry.image.repository }}
+        image: "{{ .Values.registry.image.repository }}"
+{{- else }}
+        image: "{{ .Values.registry.image.hub | default .Values.global.hub }}/{{ .Values.registry.image.repository }}:{{ .Values.registry.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
         livenessProbe:
           httpGet:
             path: /

templates/trivy/trivy-sts.yaml

@@ -44,8 +44,12 @@ spec:
       automountServiceAccountToken: false
       containers:
         - name: trivy
-          image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
-          imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- if contains "/" .Values.trivy.image.repository }}
+          image: "{{ .Values.trivy.image.repository }}"
+{{- else }}
+          image: "{{ .Values.trivy.image.hub | default .Values.global.hub }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
+{{- end }}
+          imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
           securityContext:
             privileged: false
             allowPrivilegeEscalation: false

values-operator.yaml

+global:
+  hub: registry.cn-qingdao.aliyuncs.com/wod
+  imagePullPolicy: "IfNotPresent"
+  arch: amd64
+  host: wodcloud.local
\ No newline at end of file

values.yaml

@@ -8,7 +8,7 @@ expose:
     # is disabled, the port must be included in the command when pull/push
     # images. Refer to https://github.com/goharbor/harbor/issues/5291
     # for the detail.
-    enabled: true
+    enabled: false
     # The source of the tls certificate. Set it as "auto", "secret"
     # or "none" and fill the information in the corresponding section
     # 1) auto: generate the tls certificate automatically
@@ -33,8 +33,8 @@ expose:
       notarySecretName: ""
   ingress:
     hosts:
-      core: core.harbor.domain
-      notary: notary.harbor.domain
+      core: hub
+      notary: notary
     # set to the type of ingress controller if it has specific requirements.
     # leave as `default` for most ingress controllers.
     # set to `gce` if using the GCE ingress controller
@@ -105,7 +105,7 @@ expose:
 # the IP address of k8s node
 #
 # If Harbor is deployed behind the proxy, set it as the URL of proxy
-externalURL: https://core.harbor.domain
+externalURL: https://hub
 
 # The internal TLS used for harbor components secure communicating. In order to enable https
 # in each components tls cert files need to provided in advance.
@@ -198,19 +198,19 @@ persistence:
       # Specify the "storageClass" used to provision the volume. Or the default
       # StorageClass will be used(the default).
       # Set it to "-" to disable dynamic provisioning
-      storageClass: ""
+      storageClass: "hostpath"
       subPath: ""
       accessMode: ReadWriteOnce
-      size: 5Gi
+      size: 500Gi
     chartmuseum:
       existingClaim: ""
-      storageClass: ""
+      storageClass: "hostpath"
       subPath: ""
       accessMode: ReadWriteOnce
       size: 5Gi
     jobservice:
       existingClaim: ""
-      storageClass: ""
+      storageClass: "hostpath"
       subPath: ""
       accessMode: ReadWriteOnce
       size: 1Gi
@@ -218,21 +218,21 @@ persistence:
     # be ignored
     database:
       existingClaim: ""
-      storageClass: ""
+      storageClass: "hostpath"
       subPath: ""
       accessMode: ReadWriteOnce
-      size: 1Gi
+      size: 10Gi
     # If external Redis is used, the following settings for Redis will
     # be ignored
     redis:
       existingClaim: ""
-      storageClass: ""
+      storageClass: "hostpath"
       subPath: ""
       accessMode: ReadWriteOnce
       size: 1Gi
     trivy:
       existingClaim: ""
-      storageClass: ""
+      storageClass: "hostpath"
       subPath: ""
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -338,7 +338,7 @@ updateStrategy:
 logLevel: info
 
 # The initial password of Harbor admin. Change it from portal after launching Harbor
-harborAdminPassword: "Harbor12345"
+harborAdminPassword: "spaceIN511"
 
 # The name of the secret which contains key named "ca.crt". Setting this enables the
 # download link on portal to download the certificate of CA when the certificate isn't
@@ -346,7 +346,7 @@ harborAdminPassword: "Harbor12345"
 caSecretName: ""
 
 # The secret key used for encryption. Must be a string of 16 chars.
-secretKey: "not-a-secure-key"
+secretKey: "IpTIscRIgmerlare"
 
 # The proxy settings for updating clair vulnerabilities from the Internet and replicating
 # artifacts from/to the registries that cannot be reached directly
@@ -374,7 +374,7 @@ proxy:
 # If expose the service via "ingress", the Nginx will not be used
 nginx:
   image:
-    repository: goharbor/nginx-photon
+    repository: nginx
     tag: v2.1.3
   # set the service account to be used, default if left empty
   serviceAccountName: ""
@@ -391,7 +391,7 @@ nginx:
 
 portal:
   image:
-    repository: goharbor/harbor-portal
+    repository: harbor-portal
     tag: v2.1.3
   # set the service account to be used, default if left empty
   serviceAccountName: ""
@@ -408,7 +408,7 @@ portal:
 
 core:
   image:
-    repository: goharbor/harbor-core
+    repository: harbor-core
     tag: v2.1.3
   # set the service account to be used, default if left empty
   serviceAccountName: ""
@@ -442,7 +442,7 @@ core:
 
 jobservice:
   image:
-    repository: goharbor/harbor-jobservice
+    repository: harbor-jobservice
     tag: v2.1.3
   replicas: 1
   # set the service account to be used, default if left empty
@@ -469,15 +469,16 @@ registry:
   serviceAccountName: ""
   registry:
     image:
-      repository: goharbor/registry-photon
-      tag: v2.1.3
-    # resources:
-    #  requests:
-    #    memory: 256Mi
-    #    cpu: 100m
+      repository: registry
+      tag: 2.7.1
+    resources:
+      limits:
+        memory: 4Gi
+      requests:
+        memory: 256Mi
   controller:
     image:
-      repository: goharbor/harbor-registryctl
+      repository: harbor-registryctl
       tag: v2.1.3
 
     # resources:
@@ -524,8 +525,13 @@ chartmuseum:
   # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
   absoluteUrl: false
   image:
-    repository: goharbor/chartmuseum-photon
+    repository: harbor-chartmuseum
     tag: v2.1.3
+  storageSpec:
+    type: hostPath
+    emptyDir: {}
+    hostPath:
+      root: /data 
   replicas: 1
   # resources:
   #  requests:
@@ -543,7 +549,7 @@ clair:
   serviceAccountName: ""
   clair:
     image:
-      repository: goharbor/clair-photon
+      repository: harbor-clair
       tag: v2.1.3
     # resources:
     #  requests:
@@ -551,7 +557,7 @@ clair:
     #    cpu: 100m
   adapter:
     image:
-      repository: goharbor/clair-adapter-photon
+      repository: harbor-clair-adapter
       tag: v2.1.3
     # resources:
     #  requests:
@@ -572,7 +578,7 @@ trivy:
   enabled: true
   image:
     # repository the repository for Trivy adapter image
-    repository: goharbor/trivy-adapter-photon
+    repository: harbor-trivy-adapter
     # tag the tag for Trivy adapter image
     tag: v2.1.3
   # set the service account to be used, default if left empty
@@ -630,7 +636,7 @@ notary:
     # set the service account to be used, default if left empty
     serviceAccountName: ""
     image:
-      repository: goharbor/notary-server-photon
+      repository: harbor-notary-server
       tag: v2.1.3
     replicas: 1
     # resources:
@@ -641,7 +647,7 @@ notary:
     # set the service account to be used, default if left empty
     serviceAccountName: ""
     image:
-      repository: goharbor/notary-signer-photon
+      repository: harbor-notary-signer
       tag: v2.1.3
     replicas: 1
     # resources:
@@ -669,14 +675,15 @@ database:
     # set the service account to be used, default if left empty
     serviceAccountName: ""
     image:
-      repository: goharbor/harbor-db
+      repository: harbor-db
       tag: v2.1.3
     # The initial superuser password for internal database
-    password: "changeit"
-    # resources:
-    #  requests:
-    #    memory: 256Mi
-    #    cpu: 100m
+    password: "spaceIN511"
+    resources:
+      limits:
+        memory: 4Gi
+      requests:
+        memory: 256Mi
     nodeSelector: {}
     tolerations: []
     affinity: {}
@@ -715,8 +722,8 @@ redis:
     # set the service account to be used, default if left empty
     serviceAccountName: ""
     image:
-      repository: goharbor/redis-photon
-      tag: v2.1.3
+      repository: redis
+      tag: 6.0.9
     # resources:
     #  requests:
     #    memory: 256Mi