update

.github/workflows/integration.yaml

-name: Integration test
-
-on:
-  pull_request:
-  push:
-
-jobs:
-  integration-test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        k8s_version: [v1.18.2, v1.17.5, v1.16.9]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Setup Docker
-        uses: docker-practice/actions-setup-docker@0.0.1
-        with:
-          docker_version: 18.09
-          docker_channel: stable
-          docker_daemon_json: '{"insecure-registries":["0.0.0.0/0"]}'
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.0.0-rc.1
-        with:
-          version: v0.8.1
-          node_image: kindest/node:${{ matrix.k8s_version }}
-          cluster_name: kind-cluster-${{ matrix.k8s_version }}
-          config: test/integration/kind-cluster.yaml
-
-      - name: Install Nginx ingress controller
-        run: |
-          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.3.0/deploy/static/provider/kind/deploy.yaml
-          kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s
-
-      - name: Set up Go 1.13
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.13
-
-      - name: Cache go mod
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set /etc/hosts
-        run: |
-         sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts"
-         sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts"
-
-      - name: Run integration tests
-        working-directory: ./test
-        run:
-          go test -v -timeout 30m github.com/goharbor/harbor-helm/integration
\ No newline at end of file

.github/workflows/lint.yaml

-name: Lint
-
-on:
-  pull_request:
-  push:
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        helm_version: [3.2.3, 2.16.8]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          path: harbor
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v1
-        with:
-          version: '${{ matrix.helm_version }}'
-
-      - name: Helm version
-        run:
-          helm version -c
-
-      - name: Run lint
-        working-directory: ./harbor
-        run:
-          helm lint .
-
-      - name: Update dependency
-        working-directory: ./harbor
-        run:
-          helm dependency update .
-
-      - name: Run template for ingress expose
-        working-directory: ./harbor
-        run:
-          helm template --set "expose.type=ingress" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
-
-      - name: Run template for nodePort expose
-        working-directory: ./harbor
-        run:
-          helm template --set "expose.type=nodePort,expose.tls.auto.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
\ No newline at end of file

.github/workflows/unittest.yaml

-name: Unit test
-
-on:
-  pull_request:
-  push:
-
-jobs:
-  unit-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Set up Helm 3.2.3
-        uses: azure/setup-helm@v1
-        with:
-          version: '3.2.3'
-
-      - name: Set up Go 1.13
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.13
-
-      - name: Cache go mod
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Run unit tests
-        working-directory: ./test
-        run:
-          go test -v github.com/goharbor/harbor-helm/unittest

templates/chartmuseum/chartmuseum-dpl.yaml

@@ -103,8 +103,6 @@ spec:
         volumeMounts:
         - name: chartmuseum-data
           mountPath: /chart_storage
-        - name: etc-localtime
-          mountPath: /etc/localtime
           subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }}
         {{- if .Values.internalTLS.enabled }}
         - name: chart-internal-certs
@@ -124,15 +122,11 @@ spec:
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
-      {{- if eq .Values.chartmuseum.storageSpec.type "hostPath" }}
-      - name: chartmuseum-data
-        hostPath:
-          path: {{.Values.chartmuseum.storageSpec.hostPath.root | default "/data" }}/{{ .Release.Namespace }}/{{ .Release.Name }}/chartmuseum
-      {{- else if eq .Values.chartmuseum.storageSpec.type "emptyDir" }}
       - name: chartmuseum-data
+      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }}
+      {{- else }}
         emptyDir: {}
       {{- end }}
       {{- if .Values.internalTLS.enabled }}

templates/chartmuseum/chartmuseum-pvc.yaml

+{{- if .Values.chartmuseum.enabled }}
+{{- $persistence := .Values.persistence -}}
+{{- if $persistence.enabled }}
+{{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}}
+{{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "harbor.chartmuseum" . }}
+  {{- if eq $persistence.resourcePolicy "keep" }}
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- end }}
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+    component: chartmuseum
+spec:
+  accessModes: 
+    - {{ $chartmuseum.accessMode }}
+  resources:
+    requests:
+      storage: {{ $chartmuseum.size }}
+  {{- if $chartmuseum.storageClass }}
+    {{- if eq "-" $chartmuseum.storageClass }}
+  storageClassName: ""
+    {{- else }}
+  storageClassName: {{ $chartmuseum.storageClass }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file

templates/chartmuseum/chartmuseum-tls.yaml

+{{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }}
+{{- end }}
+{{- end }}

templates/clair/clair-dpl.yaml

@@ -139,12 +139,7 @@ spec:
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
         {{- end }}
-        - name: etc-localtime
-          mountPath: /etc/localtime
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       - name: config
         secret:
           secretName: "{{ template "harbor.clair" . }}"

templates/clair/clair-tls.yaml

+{{- if and .Values.clair.enabled .Values.internalTLS.enabled }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.clair.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }}
+{{- end }}
+{{- end }}
\ No newline at end of file

templates/core/core-dpl.yaml

@@ -93,8 +93,6 @@ spec:
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
         volumeMounts:
-        - name: etc-localtime
-          mountPath: /etc/localtime
         - name: config
           mountPath: /etc/core/app.conf
           subPath: app.conf
@@ -127,9 +125,6 @@ spec:
 {{ toYaml .Values.core.resources | indent 10 }}
 {{- end }}
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       - name: config
         configMap:
           name: {{ template "harbor.core" . }}

templates/core/core-tls.yaml

+{{- if and .Values.internalTLS.enabled }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.core.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }}
+{{- end }}
+{{- end }}
\ No newline at end of file

templates/database/database-ss.yaml

@@ -76,24 +76,19 @@ spec:
           - secretRef:
               name: "{{ template "harbor.database" . }}"
         volumeMounts:
-        - name: etc-localtime
-          mountPath: /etc/localtime
         - name: database-data
           mountPath: /var/lib/postgresql/data
           subPath: {{ $database.subPath }}
       {{- if not .Values.persistence.enabled }}
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
-      {{- if eq .Values.database.internal.storageSpec.type "hostPath" }}
-      - name: "database-data"
-        hostPath:
-          path: {{.Values.database.internal.storageSpec.hostPath.root | default "/data" }}/{{ .Release.Namespace }}/{{ .Release.Name }}/database
-      {{- else if eq .Values.database.internal.storageSpec.type "emptyDir" }}
       - name: "database-data"
         emptyDir: {}
-      {{- end }}
+      {{- else if $database.existingClaim }}
+      volumes:
+      - name: "database-data"
+        persistentVolumeClaim:
+          claimName: {{ $database.existingClaim }}
+      {{- end -}}
     {{- with .Values.database.internal.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
@@ -106,14 +101,23 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
     {{- end }}
-  {{- if eq .Values.database.internal.storageSpec.type "volumeClaimTemplate" }}
+  {{- if and .Values.persistence.enabled (not $database.existingClaim) }}
   volumeClaimTemplates:
   - metadata:
       name: "database-data"
       labels:
 {{ include "harbor.labels" . | indent 8 }}
-        app: database
     spec:
-{{ toYaml $.Values.database.internal.storageSpec.volumeClaimTemplate.spec | indent 6 }}
+      accessModes: [{{ $database.accessMode | quote }}]
+      {{- if $database.storageClass }}
+      {{- if (eq "-" $database.storageClass) }}
+      storageClassName: ""
+      {{- else }}
+      storageClassName: "{{ $database.storageClass }}"
+      {{- end }}
+      {{- end }}
+      resources:
+        requests:
+          storage: {{ $database.size | quote }}
   {{- end -}}
   {{- end -}}

templates/jobservice/jobservice-dpl.yaml

@@ -95,6 +95,7 @@ spec:
           subPath: config.yml
         - name: job-logs
           mountPath: /var/log/jobs
+          subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
         {{- if .Values.internalTLS.enabled }}
         - name: jobservice-internal-certs
           mountPath: /etc/harbor/ssl/jobservice
@@ -102,17 +103,17 @@ spec:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
-        - name: etc-localtime
-          mountPath: /etc/localtime
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       - name: jobservice-config
         configMap:
           name: "{{ template "harbor.jobservice" . }}"
       - name: job-logs
+        {{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }}
+        {{- else }}
         emptyDir: {}
+        {{- end }}
       {{- if .Values.internalTLS.enabled }}
       - name: jobservice-internal-certs
         secret:

templates/jobservice/jobservice-pvc.yaml

+{{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}}
+{{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }}
+{{- if eq .Values.jobservice.jobLogger "file" }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "harbor.jobservice" . }}
+  {{- if eq .Values.persistence.resourcePolicy "keep" }}
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- end }}
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+    component: jobservice
+spec:
+  accessModes: 
+    - {{ $jobservice.accessMode }}
+  resources:
+    requests:
+      storage: {{ $jobservice.size }}
+  {{- if $jobservice.storageClass }}
+    {{- if eq "-" $jobservice.storageClass }}
+  storageClassName: ""
+    {{- else }}
+  storageClassName: {{ $jobservice.storageClass }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file

templates/jobservice/jobservice-tls.yaml

+{{- if and .Values.internalTLS.enabled }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }}
+{{- end }}
+{{- end }}
\ No newline at end of file

templates/notary/notary-server.yaml

@@ -56,12 +56,7 @@ spec:
         - name: signer-certificate
           mountPath: /etc/ssl/notary/ca.crt
           subPath: ca.crt
-        - name: etc-localtime
-          mountPath: /etc/localtime
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       - name: config
         secret:
           secretName: "{{ template "harbor.notary-server" . }}"

templates/notary/notary-signer.yaml

@@ -54,12 +54,7 @@ spec:
         - name: signer-certificate
           mountPath: /etc/ssl/notary/tls.key
           subPath: tls.key
-        - name: etc-localtime
-          mountPath: /etc/localtime
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       - name: config
         secret:
           secretName: "{{ template "harbor.notary-server" . }}"

templates/portal/deployment.yaml

@@ -65,12 +65,7 @@ spec:
         - name: portal-internal-certs
           mountPath: /etc/harbor/ssl/portal
         {{- end }}
-        - name: etc-localtime
-          mountPath: /etc/localtime
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       - name: portal-config
         configMap:
           name: "{{ template "harbor.portal" . }}"

templates/portal/tls.yaml

+{{- if and .Values.internalTLS.enabled }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }}
+{{- end }}
+{{- end }}

templates/redis/statefulset.yaml

@@ -52,16 +52,11 @@ spec:
 {{ toYaml .Values.redis.internal.resources | indent 10 }}
 {{- end }}
         volumeMounts:
-        - name: etc-localtime
-          mountPath: /etc/localtime
         - name: data
           mountPath: /var/lib/redis
           subPath: {{ $redis.subPath }}
       {{- if not .Values.persistence.enabled }}
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       - name: data
         emptyDir: {}
       {{- else if $redis.existingClaim }}

templates/registry/registry-dpl.yaml

@@ -129,8 +129,6 @@ spec:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
-        - name: etc-localtime
-          mountPath: /etc/localtime 
       - name: registryctl
         image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
@@ -205,12 +203,7 @@ spec:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
-        - name: etc-localtime
-          mountPath: /etc/localtime 
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime 
       - name: registry-htpasswd
         secret:
           secretName: {{ template "harbor.registry" . }}
@@ -227,24 +220,13 @@ spec:
       - name: registry-config
         configMap:
           name: "{{ template "harbor.registry" . }}"
-    {{- if eq .Values.registry.storageSpec.type "hostPath" }}
-      - name: registry-data
-        hostPath:
-          path: {{.Values.registry.storageSpec.hostPath.root | default "/data" }}/{{ .Release.Namespace }}/{{ .Release.Name }}/registry
-    {{- else if eq .Values.registry.storageSpec.type "emptyDir" }}
       - name: registry-data
+      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }}
+      {{- else }}
         emptyDir: {}
       {{- end }}
-    {{- if eq .Values.registry.storageSpec.type "volumeClaimTemplate" }}
-  volumeClaimTemplates:
-  - metadata:
-      name: registry-data
-      labels:          
-{{ include "harbor.labels" . | indent 8 }}
-        app: registry
-    spec:
-{{ toYaml $.Values.registry.storageSpec.volumeClaimTemplate.spec | indent 6 }}
-  {{- end }} 
       {{- if .Values.internalTLS.enabled }}
       - name: registry-internal-certs
         secret:

templates/registry/registry-pvc.yaml

+{{- if .Values.persistence.enabled }}
+{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}}
+{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "harbor.registry" . }}
+  {{- if eq .Values.persistence.resourcePolicy "keep" }}
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- end }}
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+    component: registry
+spec:
+  accessModes: 
+    - {{ $registry.accessMode }}
+  resources:
+    requests:
+      storage: {{ $registry.size }}
+  {{- if $registry.storageClass }}
+    {{- if eq "-" $registry.storageClass }}
+  storageClassName: ""
+    {{- else }}
+  storageClassName: {{ $registry.storageClass }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file

templates/registry/registry-tls.yaml

+{{- if and .Values.internalTLS.enabled }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }}
+{{- end }}
+{{- end }}
\ No newline at end of file

templates/trivy/trivy-sts.yaml

@@ -110,8 +110,6 @@ spec:
             - name: api-server
               containerPort: {{ template "harbor.trivy.containerPort" . }}
           volumeMounts:
-          - name: etc-localtime
-            mountPath: /etc/localtime
           - name: data
             mountPath: /home/scanner/.cache
             subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }}
@@ -145,9 +143,6 @@ spec:
 {{ toYaml .Values.trivy.resources | indent 12 }}
       {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}
       volumes:
-      - name: etc-localtime
-        hostPath:
-          path: /etc/localtime
       {{- if .Values.internalTLS.enabled }}
       - name: trivy-internal-certs
         secret:

templates/trivy/trivy-tls.yaml

+{{- if and .Values.trivy.enabled .Values.internalTLS.enabled  }}
+{{- if eq .Values.internalTLS.certSource "manual" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
+  labels:
+{{ include "harbor.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
+  tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }}
+  tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }}
+{{- end }}
+{{- end }}

values-overrides.yaml

@@ -6,6 +6,10 @@ expose:
     hosts:
       core: hub.ywtest.wodcloud.com 
       notary: notary.ywtest.wodcloud.com
+    # set to the type of ingress controller if it has specific requirements.
+    # leave as `default` for most ingress controllers.
+    # set to `gce` if using the GCE ingress controller
+    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
     controller: default
     annotations:
       ingress.kubernetes.io/ssl-redirect: "true"
@@ -18,7 +22,8 @@ expose:
       httpPort: 80
       httpsPort: 443
       notaryPort: 4443
-
+    annotations: {}
+    sourceRanges: []
 externalURL: https://hub.ywtest.wodcloud.com
 
 internalTLS:
@@ -26,6 +31,57 @@ internalTLS:
 
 persistence:
   enabled: false
+  # Setting it to "keep" to avoid removing PVCs during a helm delete
+  # operation. Leaving it empty will delete PVCs after the chart deleted
+  # (this does not apply for PVCs that are created for internal database
+  # and redis components, i.e. they are never deleted automatically)
+  resourcePolicy: "keep"
+  persistentVolumeClaim:
+    registry:
+      # Use the existing PVC which must be created manually before bound,
+      # and specify the "subPath" if the PVC is shared with other components
+      existingClaim: ""
+      # Specify the "storageClass" used to provision the volume. Or the default
+      # StorageClass will be used(the default).
+      # Set it to "-" to disable dynamic provisioning
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 5Gi
+    chartmuseum:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 5Gi
+    jobservice:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 1Gi
+    # If external database is used, the following settings for database will
+    # be ignored
+    database:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 1Gi
+    # If external Redis is used, the following settings for Redis will
+    # be ignored
+    redis:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 1Gi
+    trivy:
+      existingClaim: ""
+      storageClass: ""
+      subPath: ""
+      accessMode: ReadWriteOnce
+      size: 5Gi
   # Define which storage backend is used for registry and chartmuseum to store
   imageChartStorage:
     disableredirect: false
@@ -36,6 +92,8 @@ persistence:
 
 imagePullPolicy: IfNotPresent
 
+imagePullSecrets:
+
 updateStrategy:
   type: RollingUpdate
 logLevel: info
@@ -43,6 +101,8 @@ logLevel: info
 harborAdminPassword: "spaceIN511"
 secretKey: "not-a-secure-key"
 
+caSecretName: ""
+
 proxy:
   httpProxy:
   httpsProxy:
@@ -53,31 +113,61 @@ proxy:
     - clair
     - trivy
 
+# If expose the service via "ingress", the Nginx will not be used
+nginx:
+  image:
+    repository: reg.local:5000/wod/nginx-photon
+    tag: v2.1.0
+  serviceAccountName: ""
+  replicas: 1
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
+
 portal:
   image:
     repository: reg.local:5000/wod/harbor-portal
     tag: v2.1.0
+  serviceAccountName: ""
   replicas: 1
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
 
 core:
   image:
     repository: reg.local:5000/wod/harbor-core
     tag: v2.1.0
+  serviceAccountName: ""
   replicas: 1
   startupProbe:
     initialDelaySeconds: 10
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
+  secret: ""
+  secretName: ""
+  xsrfKey: ""
 
 jobservice:
   image:
     repository: reg.local:5000/wod/harbor-jobservice
     tag: v2.1.0
   replicas: 1
+  serviceAccountName: ""
   maxJobWorkers: 10
   jobLogger: file
-  nodeSelector: 
-    harbor: enabled
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
+  secret: ""
 
 registry:
+  serviceAccountName: ""
   registry:
     image:
       repository: reg.local:5000/wod/registry-photon
@@ -86,48 +176,47 @@ registry:
     image:
       repository: reg.local:5000/wod/harbor-registryctl
       tag: v2.1.0
+
   replicas: 1
-  nodeSelector: 
-    harbor: enabled
-  storageSpec:
-    # type: emptyDir , hostPath , volumeClaimTemplate
-    type: hostPath
-    emptyDir: {}
-    hostPath:
-      root: /data
-    volumeClaimTemplate:
-      spec:
-        storageClassName: rook-ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 100Gi
-      selector: {}
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
+  secret: ""
   relativeurls: false
   credentials:
     username: "harbor_registry_user"
     password: "harbor_registry_password"
     htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
+
   middleware:
     enabled: false
+    type: cloudFront
+    cloudFront:
+      baseurl: example.cloudfront.net
+      keypairid: KEYPAIRID
+      duration: 3000s
+      ipfilteredby: none
+      # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
+      # that allows access to CloudFront
+      privateKeySecret: "my-secret"
 
 chartmuseum:
   enabled: true
+  serviceAccountName: ""
   absoluteUrl: false
   image:
     repository: reg.local:5000/wod/chartmuseum-photon
     tag: v2.1.0
   replicas: 1
-  nodeSelector: 
-    harbor: enabled
-  storageSpec:
-    type: hostPath
-    emptyDir: {}
-    hostPath:
-      root: /data
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
 
 clair:
   enabled: true
+  serviceAccountName: ""
   clair:
     image:
       repository: reg.local:5000/wod/clair-photon
@@ -138,21 +227,24 @@ clair:
       tag: v2.1.0
   replicas: 1
   updatersInterval: 12
-  nodeSelector: 
-    harbor: enabled
-
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
 
 trivy:
   enabled: true
   image:
     repository: reg.local:5000/wod/trivy-adapter-photon
     tag: v2.1.0
+  serviceAccountName: ""
   replicas: 1
   debugMode: false
   vulnType: "os,library"
   severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
   ignoreUnfixed: false
   insecure: false
+  gitHubToken: ""
   skipUpdate: false
   resources:
     requests:
@@ -161,22 +253,32 @@ trivy:
     limits:
       cpu: 1
       memory: 1Gi
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
 
 notary:
   enabled: true
   server:
+    serviceAccountName: ""
     image:
       repository: reg.local:5000/wod/notary-server-photon
       tag: v2.1.0
     replicas: 1
   signer:
+    serviceAccountName: ""
     image:
       repository: reg.local:5000/wod/notary-signer-photon
       tag: v2.1.0
     replicas: 1
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  podAnnotations: {}
+  secretName: ""
 
 database:
-# if external database is used, set "type" to "external" and fill the connection informations in "external" section
   type: internal
   internal:
     serviceAccountName: ""
@@ -184,28 +286,11 @@ database:
       repository: reg.local:5000/wod/harbor-db
       tag: v2.1.0
     password: "spaceIN511"
-    resources:
-      limits:
-        memory: 4Gi
-      requests:
-        memory: 256Mi
-    nodeSelector:
-      harbor: enabled
-    storageSpec:
-      type: hostPath
-      emptyDir: {}
-      hostPath:
-        root: /data
-      volumeClaimTemplate:
-        spec:
-          storageClassName: rook-ceph-block
-          accessModes: ["ReadWriteOnce"]
-          resources:
-            requests:
-              storage: 20Gi
-        selector: {}
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
   external:
-    host: "harbor-harbor-database.devops"
+    host: "harbor-db.devops"
     port: "5432"
     username: "postgres"
     password: "spaceIN511"
@@ -213,10 +298,24 @@ database:
     clairDatabase: "clair"
     notaryServerDatabase: "notary_server"
     notarySignerDatabase: "notary_signer"
+  podAnnotations: {}
 
 redis:
   type: internal
   internal:
+    serviceAccountName: ""
     image:
       repository: reg.local:5000/wod/redis-photon
       tag: v2.1.0
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+  external:
+    coreDatabaseIndex: "0"
+    jobserviceDatabaseIndex: "1"
+    registryDatabaseIndex: "2"
+    chartmuseumDatabaseIndex: "3"
+    clairAdapterIndex: "4"
+    trivyAdapterIndex: "5"
+    password: ""
+  podAnnotations: {}