update

7d41e5ec · 舒成 · a06d036a · 7d41e5ec · 7d41e5ec · 7d41e5ec
Commit 7d41e5ec authored Sep 30, 2021 by 舒成
96 changed files
--- a/.beagle.yml
+++ b/.beagle.yml
 kind: pipeline
 name: docker
 trigger:
  branch:
    - release-v2.1
 platform:
  runner: 10.11.92.34
 volumes:
  - name: charts
    host:
      path: /data/downloads/k8s/charts
  - name: docker
    host:
      path: /var/run/docker.sock
 steps:
  - name: charts
    image: registry.cn-qingdao.aliyuncs.com/wod/helm:v3.6.0
    volumes:
      - name: charts
        path: /charts
    commands:
      - helm package . -d /charts/
  - name: ansible-amd64
    image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0
    commands:
      - >-
        ansible-playbook /etc/ansible/linux/main.yml
        --extra-vars
        '{
          "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}",
          "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz",
          "TARGET_ARCH":"amd64",
          "TARGET_VERSION":"v2.1.3"
        }'
        --extra-vars "@ansible/images.yaml"
  - name: ansible-arm64
    image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0
    commands:
      - >-
        ansible-playbook /etc/ansible/linux/main.yml
        --extra-vars
        '{
          "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}",
          "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz",
          "TARGET_ARCH":"arm64",
          "TARGET_VERSION":"v2.1.3"
        }'
        --extra-vars "@ansible/images.yaml"
  - name: ansible-ppc64le
    image: registry.cn-qingdao.aliyuncs.com/wod/ansible-image:v1.0
    commands:
      - >-
        ansible-playbook /etc/ansible/linux/main.yml
        --extra-vars
        '{
          "REGISTRY_DATA_PATH": "/data/downloads/k8s/registry/{{ TARGET_ARCH }}",
          "REGISTRY_DATA_FILE": "images-harbor-{{ TARGET_VERSION }}.tar.gz",
          "TARGET_ARCH":"ppc64le",
          "TARGET_VERSION":"v2.1.3"
        }'
        --extra-vars "@ansible/images.yaml"
 ---
 kind: secret
 name: REGISTRY_USER_ALIYUN
 get:
  name: USERNAME
  path: devops-registry-aliyun
 ---
 kind: secret
 name: REGISTRY_PASSWORD_ALIYUN
 get:
  name: PASSWORD
  path: devops-registry-aliyun
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
 name: Integration test
 on:
  pull_request:
  push:
 jobs:
  integration-test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        k8s_version: [v1.18.2, v1.17.5, v1.16.9]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Docker
        uses: docker-practice/actions-setup-docker@0.0.1
        with:
          docker_version: 18.09
          docker_channel: stable
          docker_daemon_json: '{"insecure-registries":["0.0.0.0/0"]}'
      - name: Create kind cluster
        uses: helm/kind-action@v1.0.0-rc.1
        with:
          version: v0.8.1
          node_image: kindest/node:${{ matrix.k8s_version }}
          cluster_name: kind-cluster-${{ matrix.k8s_version }}
          config: test/integration/kind-cluster.yaml
      - name: Install Nginx ingress controller
        run: |
          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.3.0/deploy/static/provider/kind/deploy.yaml
          kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s
      - name: Set up Go 1.13
        uses: actions/setup-go@v2
        with:
          go-version: 1.13
      - name: Cache go mod
        uses: actions/cache@v2
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Set /etc/hosts
        run: |
         sudo -- sh -c "echo '127.0.0.1 harbor.local' >> /etc/hosts"
         sudo -- sh -c "echo '127.0.0.1 notary.harbor.local' >> /etc/hosts"
      - name: Run integration tests
        working-directory: ./test
        run:
          go test -v -timeout 30m github.com/goharbor/harbor-helm/integration
\ No newline at end of file
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
 name: Lint
 on:
  pull_request:
  push:
 jobs:
  lint:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        helm_version: [3.2.3, 2.16.8]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          path: harbor
      - name: Set up Helm
        uses: azure/setup-helm@v1
        with:
          version: '${{ matrix.helm_version }}'
      - name: Helm version
        run:
          helm version -c
      - name: Run lint
        working-directory: ./harbor
        run:
          helm lint .
      - name: Update dependency
        working-directory: ./harbor
        run:
          helm dependency update .
      - name: Run template for ingress expose
        working-directory: ./harbor
        run:
          helm template --set "expose.type=ingress" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
      - name: Run template for nodePort expose
        working-directory: ./harbor
        run:
          helm template --set "expose.type=nodePort,expose.tls.auto.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
\ No newline at end of file
--- a/.github/workflows/unittest.yaml
+++ b/.github/workflows/unittest.yaml
 name: Unit test
 on:
  pull_request:
  push:
 jobs:
  unit-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up Helm 3.2.3
        uses: azure/setup-helm@v1
        with:
          version: '3.2.3'
      - name: Set up Go 1.13
        uses: actions/setup-go@v2
        with:
          go-version: 1.13
      - name: Cache go mod
        uses: actions/cache@v2
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Run unit tests
        working-directory: ./test
        run:
          go test -v github.com/goharbor/harbor-helm/unittest
--- a/.gitignore
+++ b/.gitignore
 charts/*
 requirements.lock
\ No newline at end of file
--- a/.helmignore
+++ b/.helmignore
 docs/*
 .git/*
 .gitignore
 CONTRIBUTING.md
 .travis.yaml
 test/*
 raws/*
 .beagle.yml
 CONTRIBUTING.md
 Deploy.md
 .github/*
 values-operator.yaml
\ No newline at end of file
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
 # Contributing to Helm Chart for Harbor
 Please follow [Harbor contributing guide](https://github.com/goharbor/harbor/blob/master/CONTRIBUTING.md) to learn how to make code contribution.
 ## Contributers
 Thanks very much to all contributers who submitted pull requests to Helm Chart for Harbor.
 - [Paul Czarkowski @paulczar](https://github.com/paulczar)
 - [Luca Innocenti Mirri @lucaim](https://github.com/lucaim)
 - [Steven Arnott @ArcticSnowman](https://github.com/ArcticSnowman)
 - [Alex M @draeron](https://github.com/draeron)
 - [SangJun Yun](https://github.com/YunSangJun)
--- a/Chart.yaml
+++ b/Chart.yaml
 apiVersion: v1
 name: beagle-harbor
 version: 2.1.3
 appVersion: 2.1.3
 description: An open source trusted cloud native registry that stores, signs, and scans content
 keywords:
  - docker
  - registry
  - harbor
 home: https://goharbor.io
 icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png
 sources:
  - https://github.com/goharbor/harbor
  - https://github.com/goharbor/harbor-helm
 maintainers:
  - name: Wenkai Yin
    email: yinw@vmware.com
  - name: Weiwei He
    email: hweiwei@vmware.com
  - name: Qian Deng
    email: dengq@vmware.com
 engine: gotpl
--- a/Deploy.md
+++ b/Deploy.md
 # harbor
 ## install
 ```bash
 # 1.install
 kubectl create ns devops
 helm install \
 --namespace=devops \
 harbor \
 /etc/kubernetes/helm/beagle-harbor \
 -f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml
 # uninstall
 helm uninstall \
 --namespace=devops \
 harbor
 # update
 helm upgrade \
 --namespace=devops \
 harbor \
 /etc/kubernetes/helm/beagle-harbor \
 -f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml
 # template
 helm template \
 --namespace=devops \
 harbor \
 /etc/kubernetes/helm/beagle-harbor \
 -f /etc/kubernetes/helm/beagle-harbor/values-overrides.yaml > /etc/kubernetes/helm/beagle-harbor/dist.yaml
 # package
 helm package . -d C:/Tmp/Charts
 ```
 ## images x86_64
 ```bash
 # gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor
 registry.cn-qingdao.aliyuncs.com/wod/harbor-portal:v2.1.3
 registry.cn-qingdao.aliyuncs.com/wod/harbor-core:v2.1.3
 registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v2.1.3
 registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v2.1.3
 # gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-db
 registry.cn-qingdao.aliyuncs.com/wod/harbor-db:v2.1.3
 # registry
 registry.cn-qingdao.aliyuncs.com/wod/registry:2.7.1
 # gitlab.wodcloud.com/cloud/chartmuseum
 registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum:v2.1.3
 # gitlab.wodcloud.com/cloud/clair
 registry.cn-qingdao.aliyuncs.com/wod/harbor-clair:v2.1.3
 # gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-scanner-clair
 registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter:v2.1.3
 # gitlab.wodcloud.com/cloud/harbor-scanner-trivy
 registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter:v2.1.3
 # gitlab.wodcloud.com/cloud/notary
 registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server:v2.1.3
 registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer:v2.1.3
 # redis
 registry.cn-qingdao.aliyuncs.com/wod/redis:6.0.9
 ```
 ## images arm64
 ```bash
 # gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor
 registry.cn-qingdao.aliyuncs.com/wod/harbor-portal:v2.1.3-arm64
 registry.cn-qingdao.aliyuncs.com/wod/harbor-core:v2.1.3-arm64
 registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice:v2.1.3-arm64
 registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl:v2.1.3-arm64
 # gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-db
 registry.cn-qingdao.aliyuncs.com/wod/harbor-db:v2.1.3-arm64
 # registry
 registry.cn-qingdao.aliyuncs.com/wod/registry:2.7.1-arm64
 # gitlab.wodcloud.com/cloud/chartmuseum
 registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum:v2.1.3-arm64
 # gitlab.wodcloud.com/cloud/clair
 registry.cn-qingdao.aliyuncs.com/wod/harbor-clair:v2.1.3-arm64
 # gitlab.wodcloud.com/cloud/awecloud-goharbor-harbor-scanner-clair
 registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter:v2.1.3-arm64
 # gitlab.wodcloud.com/cloud/harbor-scanner-trivy
 registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter:v2.1.3-arm64
 # gitlab.wodcloud.com/cloud/notary
 registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server:v2.1.3-arm64
 registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer:v2.1.3-arm64
 # redis
 registry.cn-qingdao.aliyuncs.com/wod/redis:6.0.9-arm64
 ```
--- a/LICENSE
+++ b/LICENSE
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
   Copyright [yyyy] [name of copyright owner]
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/REAME.md
+++ b/REAME.md
--- a/ansible/images.yaml
+++ b/ansible/images.yaml
 IMAGES:
  - repo: harbor-portal
    tag: "v2.1.3"
  - repo: harbor-core
    tag: "v2.1.3"
  - repo: harbor-jobservice
    tag: "v2.1.3"
  - repo: harbor-db
    tag: "v2.1.3"
  - repo: harbor-registryctl
    tag: "v2.1.3"
  - repo: harbor-chartmuseum
    tag: "v2.1.3"
  - repo: harbor-clair
    tag: "v2.1.3"
  - repo: harbor-clair-adapter
    tag: "v2.1.3"
  - repo: harbor-trivy-adapter
    tag: "v2.1.3"
  - repo: harbor-notary-server
    tag: "v2.1.3"
  - repo: harbor-notary-signer
    tag: "v2.1.3"
  - repo: registry
    tag: "2.7.1"
  - repo: redis
    tag: "6.0.9"
\ No newline at end of file
--- a/cert/tls.crt
+++ b/cert/tls.crt
 -----BEGIN CERTIFICATE-----
 MIIE0zCCArugAwIBAgIJAPY/OzLMeVq2MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTkw
 NDE4MDIyNzM3WhcNMjkwNDE1MDIyNzM3WjAAMIICIjANBgkqhkiG9w0BAQEFAAOC
 Ag8AMIICCgKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o
 F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr
 PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT
 RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q
 LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp
 UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q
 w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc
 jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr
 vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d
 1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN
 2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA
 AaNQME4wHQYDVR0OBBYEFFhNhTo4UAC2PUsf8jYaWj160vGEMB8GA1UdIwQYMBaA
 FFhNhTo4UAC2PUsf8jYaWj160vGEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
 BQADggIBAMAsEtVlELMwdtcifHeOT0kOmf5wo9In/eFSgscCzBMDaRx2B3q36AoS
 Il7XWAZpevaR7W7yeARKaAshBLhygUqLD0zWbKlSN9Hprd1wdpM0ffyPpN5dxOYA
 er04y12GRnCbMYqi4cvztP4TinXqq2yHSYhLbO9qkI5gbWVxkRuIcMKvixddllNY
 Q3obJaDDHmovM3+g/G+1YFgt4qES38XnJ7BrSshHnn5EIQh286xfJriyrK2hHbLJ
 qz0YuF6G3DXPeWGgXvj0Hipc0f8UDZkKkk/eGEI6vEkytyvoepoZI2XbAf/ZMy5n
 KwuhEn4hhkFMwWaSWp/h0QdMCaxk4BVSOqmNVaLSB7+FjsIj4CasFotYiyJ2gpRB
 Nf8QaS4bz0Tn1eBbC8ksj+e3ZWeX2b5wVMjql9jTt2X1ICs8KKe3vEBkjqT2AUi2
 52TtKzm73aWrz/GPy/Q2LCor3Fh9FGVSBOBBDXGy6MJpNHJnYVH9EENFGOh85ol1
 2pADOBB5vAU/kLB5LHPj2kue/FMiHaNnrSYIGrMlBSX2jj9EYa1uuUH+pd4MBj1F
 5uH8ORiaQ6ht2+WHklxic1Rj5yTYQwVlH70CBOn+qVEdo63yQwzAMJKFIwlGUQEX
 jiljgc86q4cZtUTFrcwMidbk+8Q6+JbDVg7HV/+pnC+wnv197kwe
 -----END CERTIFICATE-----
--- a/cert/tls.key
+++ b/cert/tls.key
 -----BEGIN RSA PRIVATE KEY-----
 MIIJKQIBAAKCAgEA3xlUJs2b/aI2NLoy4OIQ+dn/yMb/O99iKDRyZKpH8rSOmS+o
 F9unmSAzL65XA/v6nY0OLI/dASDjkqkBpIdTGzogR5f8UiB6osuEY7V71XZdzWLr
 PjnJq6ZLAaoKmwG80W5+Wd6V8PygOx52mkr1w7IWKz+1ZLI5izbppon7XVGVRaAT
 RvNZDiJ6CeJpcJ5H723lkf5RvJWatZLCYIYDbRfTiKsyQ/SlRcv5BVfHg/LJSH9Q
 LGRhPMARldl9wyZCwZZDHxheI4a+26aa8MY3u9st/l0/Oo6VCTGpMiEhiGF2LVjp
 UWq/+BP4SFEvJfq/DuinI139W/5aZZ7/HwRPlmYU6pXTRLyIg7jd+19fJwR7X37q
 w0o8t06FhjmrCzaYCUjoReqDmHaNmZN/ddvG7jZWBu+jNh0YavsyQyCIVmv6yqSc
 jPiD9uivxqTwjJidIBRfuUrz3aERQ7cQgf0qhqjIzflzHbFKhILocBWq7zyNl9hr
 vUGT/WZcw0t/OtM72SPaplmTgVbbQRxf2VHzyptGIvtydlXK8thxOMpXo4e+Sl8d
 1gdQcC4oisN9F29oNs8P5yFQP//xYuv8C607nCj1DzrId5avG/NVfKB/fbDKEFgN
 2WhHInTzPLEcjF4fErcUAEuWW0buX/6FHCG3iTtrqyD92KTVDfN1J56rrcsCAwEA
 AQKCAgEAk8q8s4PrvYby79UVlWJNKqceykwBkxE1fjrYORWQ2hiAirxGV5+8lDT/
 k6ujm1EWwb5K0HxxRKkb+PEa1HqNNHE6JxNpJKK9exDlYAQ+x7dFBqVr/2nazmo4
 MB8MLYlmIztWWoSYwe8o2mEg4q+bxYs5Imdu7AkhE7dJ63hm23gLMfeMLalRqopu
 XBPwE5nXP6aGuUNHtG1K8tQJDlZY+LEbAeOfReNQhT9NdRukYSW579vfKblJrSvz
 ulg89sVm3cWEK5pB6rj9wJbK94voKftVqbbuBwWjd1a9pibKhwVBe2L2FWhpSZc5
 F/coC7njTaYT6tr91y5VhhJhIZQCf/vv4Zl5XhFHs5VTZNbM/OfqyFQLYXVJO48K
 F7tmazAEQQBQwVZqH9C9NQdzPHWmc38Okhtc1wzaqn/rg9+1sgAMD8hWCtQJUe97
 b9ymh5A0Z4QXKpyFT0b+pXcD1jRha07UtkX+/zLJ9HpAXcUmzkG+j5CXNpnxsIq5
 fJFeq3hBj9w6n4h+50M4W0Fse5YoEUsc3B0fz8BlQBb+YJLFLNH34MH8p1l0ZDYJ
 yae0psxlBijg4OPZ+WCBa+jtFW4LiWgEcxwgz8w+hEOAQr2a1Dc7w8jd+Y4IK8Um
 lTVs5dbp4mOmPMlRv/GM7kDudFqbMg3YFwXg3QbquVqLZzEzjVkCggEBAPJKZbCW
 YfLejkS/fkRyV3VIb54mKwQHoMWub88tPgGuXzjsJyd5QTQ58PpUjXrLHmn8lS2+
 viE8GJylKwN1yMlZw40+kZhpHUpCWx/2ZKjAqvqA9OOKo2fv6Hd/wOAnU4CtioC1
 pri7lKFYXoP8DtQVwHYvIzCRqDnhc4mwJDqzTC9xduI+svxzl4xH82fx0jrPiFY+
 /wOdXjyfIPjyhHC4jPTWbairwXS9dBjSl128aIRT580/yXE/SYAugg05jKtg5zQA
 So13MTezXRHXdO0di3tEMHGREEkFpeVnnPQvCCedK0DV36iNwiWc8pwdfLMVneTt
 DKwZedCx+o/7ev0CggEBAOu48DGEJJJzHxVR5mY1K2AlZyYtpTOWehK1zX74JvM3
 YxN4nd+Zx5n9uSPmmKzqF3TU+44RVtdJK6ejoFE8dMDTNWaSLW/ZDmN1nT0njvOn
 IWJn59ynOChWWKZgXZ/9UqGR7Pt6OxSkkex9c/fYBsMX/xusdXQigeogl0iOYVFW
 gXIiiLRLHpHJsK/uNxIizj0hTYYn7uD7PRENwFRcCYf8J1eUFbd6DuCVWeQCKWgf
 Nd2tSWoi0Vylj4uUX8Iw0tjLNMD5CREJEk4GSv4EDSmvUdv1LiBKJCL2lEcgoPeC
 oOD2iCc5KqgnmQraRilFFk8RVXA9PWZGY3C0b6TVmmcCggEANZO2AOKALlCAbTtb
 FI+kP08RP4t5H58AMjZsiweaGo0QiWnPDq+Fd6MIYpKn5mtcAlvUMRVovbioSJtN
 c6psB/pNf8JCN82mqHEb7WlywM46AMLbZCWYFLe8VBBv+iE4GdBGPEfu4hK4vyTn
 YZAvRz64HGo4Adlztbjg76V/nWtggW05uLXcpm55KJAQhv+2WULjBw9PHOGDoSwf
 Am2+U567rLht70prsQDj10laJ2QuSHS1YXGlfeFcw3eFUp9TN+JpvdoCol2lCIgl
 IHjgZj6ORWfCvpoxW7RgBuZukqCD0R60HdYtavxN3jtiepsapA83pxO0JapMgZWZ
 rpURkQKCAQBOcEv9Liu9T/GX9pjkiezVIZ0hZy8B66DTeQvYpFrRtCyT3h8quNFi
 vLtO5v0HDR6hEf5jWAG9wet07U37ulJfl+i9KQdVoLTZA9o+71ryWTsSs+DD3CEj
 yxfUxVxiULmeaiChzhq608h7GYPthUU6xlFttAWhj5oLfqzYyAg6OL76a+Nxm02g
 1ayl3m8U6eAXF23kpoUm+HNpqVnGuJmzVoUA75YKZ+NreEdhSBbfPwN9sJwtZUil
 u7H4kHcM95Ix8eysCjKqKIqezBlITbDTnjNvLjcbJ5C+0a6lvIXT1vQR5/eGlc9M
 BWE360pNkV/LD8mOf9Jepi2Q43oDL9EhAoIBAQDTWImfy0K9gGzA2rPy169mWYQK
 OlcnD3+hQq6x51Zn1e/texFeVlhHn4rrnRdCFOAp47uFkJ2m72GCVD74EwQucK9y
 AD5jorqgVHqCKZdkHjb2V60Mzm6g3rtL9WJXFVLvNBb/QGB2vgHVOO0zqiqGZj4e
 Ex7l2m//5SE4DLtn70J9CgG1HtXCS8dWrGPL1pzDnk8VXtnoXzb0LChLUFEgZRmh
 cV6AFHEK2H8wBHviNyehsRQiDkl2AiWOcJNvkzW68ck2nJjRWyPYK1JL3NCKpB3Q
 OohrP0fHcWAXMW97wFXZhRfnQfDxxIOlj3McYT0AlanXd0F4NGc2Nvmphx04
 -----END RSA PRIVATE KEY-----
--- a/conf/clair.yaml
+++ b/conf/clair.yaml
 clair:
  database:
    type: pgsql
    options:
      source: "{{ template "harbor.database.clair" . }}"
      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
      cachesize: 16384
  api:
    # API server port
    port: 6060
    healthport: 6061
    # Deadline before an API request will respond with a 503
    timeout: 300s
  updater:
    interval: {{ .Values.clair.updatersInterval }}h
--- a/conf/notary-server.json
+++ b/conf/notary-server.json
 {
  "server": {
    "http_addr": ":4443"
  },
  "trust_service": {
    "type": "remote",
    "hostname": "{{ template "harbor.notary-signer" . }}",
    "port": "7899",
    "tls_ca_file": "/etc/ssl/notary/ca.crt",
    "key_algorithm": "ecdsa"
  },
  "logging": {
    "level": "{{ .Values.logLevel }}"
  },
  "storage": {
    "backend": "postgres",
    "db_url": "{{ template "harbor.database.notaryServer" . }}"
  },
  "auth": {
    "type": "token",
    "options": {
      "realm": "{{ .Values.externalURL }}.{{ $.Values.global.host }}/service/token",
      "service": "harbor-notary",
      "issuer": "harbor-token-issuer",
      "rootcertbundle": "/root.crt"
    }
  }
 }
\ No newline at end of file
--- a/conf/notary-signer.json
+++ b/conf/notary-signer.json
 {
  "server": {
    "grpc_addr": ":7899",
    "tls_cert_file": "/etc/ssl/notary/tls.crt",
    "tls_key_file": "/etc/ssl/notary/tls.key"
  },
  "logging": {
    "level": "{{ .Values.logLevel }}"
  },
  "storage": {
    "backend": "postgres",
    "db_url": "{{ template "harbor.database.notarySigner" . }}",
    "default_alias": "defaultalias"
  }
 }
\ No newline at end of file
--- a/docs/High Availability.md
+++ b/docs/High Availability.md
 ---
 title: Harbor High Availability Guide
 ---
 ## Goal
 Deploy Harbor on K8S via helm to make it highly available, that is, if one of node that has Harbor's container running becomes un accessible. Users does not experience interrupt of service of Harbor.
 ## Prerequisites
 - Kubernetes cluster 1.10+
 - Helm 2.10.0+
 - High available ingress controller (Harbor does not manage the external endpoint)
 - High available PostgreSQL database (Harbor does not handle the deployment of HA of database)
 - High available Redis (Harbor does not handle the deployment of HA of Redis)
 - PVC that can be shared across nodes or external object storage
 ## Architecture
 Most of Harbor's components are stateless now.  So we can simply increase the replica of the pods to make sure the components are distributed to multiple worker nodes, and leverage the "Service" mechanism of K8S to ensure the connectivity across pods.
 As for storage layer, it is expected that the user provide high available PostgreSQL, Redis cluster for application data and PVCs or object storage for storing images and charts.
 ![HA](img/ha.png)
 ## Usage
 ### Download Chart
 Download Harbor helm chart:
 ```bash
 helm repo add harbor https://helm.goharbor.io
 helm fetch harbor/harbor --untar
 ```
 ### Configuration
 Configure the followings items in `values.yaml`, you can also set them as parameters via `--set` flag during running `helm install`:
 - **Ingress rule**
   Configure the `expose.ingress.hosts.core` and `expose.ingress.hosts.notary`.
 - **External URL**
   Configure the `externalURL`.
 - **External PostgreSQL**
   Set the `database.type` to `external` and fill the information in `database.external` section.
   Four empty databases should be created manually for `Harbor core`, `Clair`, `Notary server` and `Notary signer` and configure them in the section. Harbor will create tables automatically when starting up.
 - **External Redis**
   Set the `redis.type` to `external` and fill the information in `redis.external` section.
   As the Redis client used by Harbor's upstream projects doesn't support `Sentinel`, Harbor can only work with a single entry point Redis. You can refer to this [guide](https://community.pivotal.io/s/article/How-to-setup-HAProxy-and-Redis-Sentinel-for-automatic-failover-between-Redis-Master-and-Slave-servers) to setup a HAProxy before the Redis to expose a single entry point.
 - **Storage**
   By default, a default `StorageClass` is needed in the K8S cluster to provision volumes to store images, charts and job logs.
   If you want to specify the `StorageClass`, set `persistence.persistentVolumeClaim.registry.storageClass`, `persistence.persistentVolumeClaim.chartmuseum.storageClass` and `persistence.persistentVolumeClaim.jobservice.storageClass`.
   If you use `StorageClass`, for both default or specified one, set `persistence.persistentVolumeClaim.registry.accessMode`, `persistence.persistentVolumeClaim.chartmuseum.accessMode` and `persistence.persistentVolumeClaim.jobservice.accessMode` as `ReadWriteMany`, and make sure that the persistent volumes must can be shared cross different nodes.
   You can also use the existing PVCs to store data, set `persistence.persistentVolumeClaim.registry.existingClaim`, `persistence.persistentVolumeClaim.chartmuseum.existingClaim` and `persistence.persistentVolumeClaim.jobservice.existingClaim`.
   If you have no PVCs that can be shared across nodes, you can use external object storage to store images and charts and store the job logs in database. Set the `persistence.imageChartStorage.type` to the value you want to use and fill the corresponding section and set `jobservice.jobLogger` to `database`.
 - **Replica**
   Set `portal.replicas`, `core.replicas`, `jobservice.replicas`, `registry.replicas`, `chartmuseum.replicas`, `clair.replicas`, `notary.server.replicas` and `notary.signer.replicas` to `n`(`n`>=2).
 ### Installation
 Install the Harbor helm chart with a release name `my-release`:  
 helm 2:
 ```bash
 helm install --name my-release .
 ```
 helm 3:
 ```
 helm install my-release .
 ```
--- a/docs/Upgrade.md
+++ b/docs/Upgrade.md
 ---
 title: Upgrade Guide
 ---
 This guide is used to upgrade Harbor deployed by chart since version 0.3.0.
 ## Notes
 - As the database schema may change between different versions of Harbor, there is a progress to migrate the schema during the upgrade and the downtime cannot be avoid
 - The database schema cannot be downgraded automatically, so the `helm rollback` is not supported
 ## Upgrade
 ### 1. Backup database
 Backup the database used by Harbor in case the upgrade process fails.
 ### 2. Download new chart
 Download the latest version of Harbor chart.
 ### 3. Configure new chart
 Configure the new chart to make sure that the configuration items have the same values with the old one.
 > Note: if TLS is enabled and the certificate is generated by chart automatically, a new certificate will be generated and overwrite the old one during the upgrade, this may cause some issues if you have distributed the certificate. You can follow the below steps to configure the new chart to use the old certificate:
 1) Get the secret name which certificate is stored in:
    ```bash
    kubectl get secret
    ```
    Find the secret whose name ends with `-harbor-ingress` (expose service via `Ingress`) or `-harbor-nginx`(expose service via `ClusterIP` or `NodePort`)
 2) Export the secret as yaml file:
    ```bash
    kubectl get secret <secret-name-from-step-1> -o yaml > secret.yaml
    ```
 3) Rename the secret by setting `metadata.name` in `secret.yaml`
 4) Create a new secret:
    ```bash
    kubectl create -f secret.yaml
    ```
 5) Configure the chart to use the new secret by setting `expose.tls.secretName` as the value you set in step **3**
 ### 4. Upgrade
 Run upgrade command:
 ```bash
 helm upgrade release-name --force .
 ```
 > The `--force` is necessary if upgrade from version 0.3.0 due to issue [#30](https://github.com/goharbor/harbor-helm/issues/30).
 ## Known issues
 - The job logs will be lost if you upgrade from version 0.3.0 as the logs are store in a `emptyDir` in 0.3.0.
--- a/docs/_index.md
+++ b/docs/_index.md
 ---
 title: Managing Harbor with Helm
 weight: 50
 ---
 This documentation focuses on deploying and managing Harbor via [Helm](https://helm.sh). For general documentation for Harbor, please see the [Harbor docs](https://goharbor.io/docs).
\ No newline at end of file
--- a/raws/values-aliyun.yaml
+++ b/raws/values-aliyun.yaml
 expose:
  type: ingress
  tls:
    enabled: false
  ingress:
    hosts:
      core: hub.wodcloud.local
      notary: notary.wodcloud.local
    annotations:
      ingress.kubernetes.io/proxy-body-size: "0"
 externalURL: https://hub.wodcloud.local
 persistence:
  enabled: true
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    database:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    redis:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi  
  imageChartStorage:
    # s3 , filesystem
    type: filesystem
    s3:
      accesskey: AKIAIOSFODNN7EXAMPLE
      secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      region: us-east-1
      regionendpoint: http://minio.wodcloud.local
      bucket: registry
      encrypt: false
      v4auth: true
      chunksize: '5242880'
      rootdirectory: /      
 imagePullPolicy: IfNotPresent
 logLevel: info
 harborAdminPassword: "spaceIN511"
 secretKey: "IpTIscRIgmerlare"
 portal:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
    tag: v2.1.3
 core:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
    tag: v2.1.3
 jobservice:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
    tag: v2.1.3
 registry:
  registry:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/registry
      tag: 2.7.1
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
  controller:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
      tag: v2.1.3
 chartmuseum:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum
    tag: v2.1.3
  nodeSelector: {}
  # nodeSelector:
  #   harbor: enabled
  storageSpec:
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data    
 clair:
  clair:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair
      tag: v2.1.3
  adapter:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter
      tag: v2.1.3
 trivy:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter
    tag: v2.1.3
 notary:
  server:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server
      tag: v2.1.3
  signer:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer
      tag: v2.1.3
 database:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
      tag: v2.1.3
    password: "spaceIN511"
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
 redis:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/redis
      tag: 6.0.9
\ No newline at end of file
--- a/raws/values-arm.yaml
+++ b/raws/values-arm.yaml
 expose:
  type: ingress
  tls:
    enabled: false
  ingress:
    hosts:
      core: hub.wodcloud.local
      notary: notary.wodcloud.local
    annotations:
      ingress.kubernetes.io/proxy-body-size: "0"
 externalURL: https://hub.wodcloud.local
 persistence:
  enabled: true
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    database:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    redis:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi  
  imageChartStorage:
    # s3 , filesystem
    type: filesystem
    s3:
      accesskey: AKIAIOSFODNN7EXAMPLE
      secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      region: us-east-1
      regionendpoint: http://minio.wodcloud.local
      bucket: registry
      encrypt: false
      v4auth: true
      chunksize: '5242880'
      rootdirectory: /      
 imagePullPolicy: IfNotPresent
 logLevel: info
 harborAdminPassword: "spaceIN511"
 secretKey: "IpTIscRIgmerlare"
 portal:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
    tag: v2.1.3-arm64
 core:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
    tag: v2.1.3-arm64
 jobservice:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
    tag: v2.1.3-arm64
 registry:
  registry:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/registry
      tag: 2.7.1-arm64
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
  controller:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
      tag: v2.1.3-arm64
 chartmuseum:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum
    tag: v2.1.3-arm64
  nodeSelector: {}
  # nodeSelector:
  #   harbor: enabled
  storageSpec:
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data    
 clair:
  clair:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair
      tag: v2.1.3-arm64
  adapter:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter
      tag: v2.1.3-arm64
 trivy:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter
    tag: v2.1.3-arm64
 notary:
  server:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server
      tag: v2.1.3-arm64
  signer:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer
      tag: v2.1.3-arm64
 database:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
      tag: v2.1.3-arm64
    password: "spaceIN511"
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
 redis:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/redis
      tag: 6.0.9-arm64
\ No newline at end of file
--- a/raws/values-pg.yaml
+++ b/raws/values-pg.yaml
 expose:
  type: ingress
  tls:
    enabled: false
  ingress:
    hosts:
      core: hub.test.wodcloud.com
      notary: notary.test.wodcloud.com
    annotations:
      ingress.kubernetes.io/proxy-body-size: "0"
 externalURL: https://hub.test.wodcloud.com
 persistence:
  enabled: true
  imageChartStorage:
    # s3 , filesystem
    type: filesystem
    filesystem:
      rootdirectory: /data
    #s3:
     # accesskey: AKIAIOSFODNN7EXAMPLE
     # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
     # region: us-east-1
     # regionendpoint: https://minio.sxwh.local
     # bucket: registry
     # encrypt: false
     # v4auth: true
     # chunksize: '5242880'
     # rootdirectory: /
 imagePullPolicy: IfNotPresent
 logLevel: info
 harborAdminPassword: "spaceIN511"
 secretKey: "IpTIscRIgmerlare"
 portal:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
    tag: v1.8.2
  replicas: 1
 core:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
    tag: v1.8.2
  replicas: 1
 jobservice:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
    tag: v1.8.2
  replicas: 1
  maxJobWorkers: 10
  jobLogger: file
 registry:
  registry:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/registry
      tag: 2.7.1
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
  nodeSelector:
    harbor: enabled  
  storageSpec:
    # type: emptyDir , hostPath , volumeClaimTemplate
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data
    volumeClaimTemplate:
      spec:
        storageClassName: rook-ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 100Gi
      selector: {}    
  controller:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
      tag: v1.8.2
  replicas: 1
 chartmuseum:
  enabled: true
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon
    tag: v0.9.0-v1.8.2
  replicas: 1
  nodeSelector:
    harbor: enabled  
  storageSpec:
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data    
 clair:
  enabled: true
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon
    tag: v2.0.8-v1.8.2
  replicas: 1
 notary:
  enabled: true
  server:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon
      tag: v0.6.1-v1.8.2
    replicas: 1
  signer:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon
      tag: v0.6.1-v1.8.2
    replicas: 1
 database:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
      tag: v1.8.2
    password: "spaceIN511"
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
    nodeSelector:
      harbor: enabled
    storageSpec:
      type: hostPath
      emptyDir: {}
      hostPath:
        root: /data         
      volumeClaimTemplate:
        spec:
          storageClassName: rook-ceph-block
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 20Gi
        selector: {}
 redis:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/redis
      tag: 4.0.14-alpine
\ No newline at end of file
--- a/raws/values-ppc64le.yaml
+++ b/raws/values-ppc64le.yaml
 expose:
  type: ingress
  tls:
    enabled: false
  ingress:
    hosts:
      core: hub.wodcloud.local
      notary: notary.wodcloud.local
    annotations:
      ingress.kubernetes.io/proxy-body-size: "0"
 externalURL: https://hub.wodcloud.local
 persistence:
  enabled: true
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    database:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    redis:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi  
  imageChartStorage:
    # s3 , filesystem
    type: filesystem
    s3:
      accesskey: AKIAIOSFODNN7EXAMPLE
      secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      region: us-east-1
      regionendpoint: http://minio.wodcloud.local
      bucket: registry
      encrypt: false
      v4auth: true
      chunksize: '5242880'
      rootdirectory: /      
 imagePullPolicy: IfNotPresent
 logLevel: info
 harborAdminPassword: "spaceIN511"
 secretKey: "IpTIscRIgmerlare"
 portal:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
    tag: v2.1.3-ppc64le
 core:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
    tag: v2.1.3-ppc64le
 jobservice:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
    tag: v2.1.3-ppc64le
 registry:
  registry:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/registry
      tag: 2.7.1-ppc64le
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
  controller:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
      tag: v2.1.3-ppc64le
 chartmuseum:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-chartmuseum
    tag: v2.1.1-ppc64le
  nodeSelector: {}
  # nodeSelector:
  #   harbor: enabled
  storageSpec:
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data    
 clair:
  clair:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair
      tag: v2.1.1-ppc64le
  adapter:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-clair-adapter
      tag: v2.1.1-ppc64le
 trivy:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-trivy-adapter
    tag: v2.1.1-ppc64le
 notary:
  server:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-server
      tag: v2.1.1-ppc64le
  signer:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-notary-signer
      tag: v2.1.1-ppc64le
 database:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-db
      tag: v2.1.3-ppc64le
    password: "spaceIN511"
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
 redis:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/redis
      tag: 6.0.9-ppc64le
\ No newline at end of file
--- a/raws/values-stolon.yaml
+++ b/raws/values-stolon.yaml
 expose:
  type: ingress
  tls:
    enabled: false
  ingress:
    hosts:
      core: hub.test.wodcloud.com
      notary: notary.test.wodcloud.com
    annotations:
      ingress.kubernetes.io/proxy-body-size: "0"
 externalURL: https://hub.test.wodcloud.com
 persistence:
  enabled: true
  imageChartStorage:
    # s3 , filesystem
    type: filesystem
    filesystem:
      rootdirectory: /data
    #s3:
     # accesskey: AKIAIOSFODNN7EXAMPLE
     # secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
     # region: us-east-1
     # regionendpoint: https://minio.sxwh.local
     # bucket: registry
     # encrypt: false
     # v4auth: true
     # chunksize: '5242880'
     # rootdirectory: /
 imagePullPolicy: IfNotPresent
 logLevel: info
 harborAdminPassword: "spaceIN511"
 secretKey: "IpTIscRIgmerlare"
 portal:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-portal
    tag: v1.8.2
  replicas: 1
 core:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-core
    tag: v1.8.2
  replicas: 1
 jobservice:
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-jobservice
    tag: v1.8.2
  replicas: 1
  maxJobWorkers: 10
  jobLogger: file
 registry:
  registry:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/registry
      tag: 2.7.1
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
  nodeSelector:
    harbor: enabled  
  storageSpec:
    # type: emptyDir , hostPath , volumeClaimTemplate
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data
    volumeClaimTemplate:
      spec:
        storageClassName: rook-ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 100Gi
      selector: {}    
  controller:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/harbor-registryctl
      tag: v1.8.2
  replicas: 1
 chartmuseum:
  enabled: true
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/chartmuseum-photon
    tag: v0.9.0-v1.8.2
  replicas: 1
  nodeSelector:
    harbor: enabled  
  storageSpec:
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data    
 clair:
  enabled: true
  image:
    repository: registry.cn-qingdao.aliyuncs.com/wod/clair-photon
    tag: v2.0.8-v1.8.2
  replicas: 1
 notary:
  enabled: true
  server:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/notary-server-photon
      tag: v0.6.1-v1.8.2
    replicas: 1
  signer:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/notary-signer-photon
      tag: v0.6.1-v1.8.2
    replicas: 1
 database:
  type: external
  external:
    host: "stolon-proxy.devops"
    port: "5432"
    username: "postgres"
    password: "spaceIN511"
    coreDatabase: "hub_registry"
    clairDatabase: "hub_clair"
    notaryServerDatabase: "hub_notary_server"
    notarySignerDatabase: "hub_notary_signer"
    sslmode: "disable"
 redis:
  type: internal
  internal:
    image:
      repository: registry.cn-qingdao.aliyuncs.com/wod/redis
      tag: 4.0.14-alpine
\ No newline at end of file
--- a/raws/values.yaml
+++ b/raws/values.yaml
 expose:
  # Set the way how to expose the service. Set the type as "ingress",
  # "clusterIP", "nodePort" or "loadBalancer" and fill the information
  # in the corresponding section
  type: ingress
  tls:
    # Enable the tls or not. Note: if the type is "ingress" and the tls
    # is disabled, the port must be included in the command when pull/push
    # images. Refer to https://github.com/goharbor/harbor/issues/5291
    # for the detail.
    enabled: true
    # The source of the tls certificate. Set it as "auto", "secret"
    # or "none" and fill the information in the corresponding section
    # 1) auto: generate the tls certificate automatically
    # 2) secret: read the tls certificate from the specified secret.
    # The tls certificate can be generated manually or by cert manager
    # 3) none: configure no tls certificate for the ingress. If the default
    # tls certificate is configured in the ingress controller, choose this option
    certSource: auto
    auto:
      # The common name used to generate the certificate, it's necessary
      # when the type isn't "ingress"
      commonName: ""
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: ""
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      # Only needed when the "expose.type" is "ingress".
      notarySecretName: ""
  ingress:
    hosts:
      core: core.harbor.domain
      notary: notary.harbor.domain
    # set to the type of ingress controller if it has specific requirements.
    # leave as `default` for most ingress controllers.
    # set to `gce` if using the GCE ingress controller
    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
    controller: default
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
  clusterIP:
    # The name of ClusterIP service
    name: harbor
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
  nodePort:
    # The name of NodePort service
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving with HTTP
        port: 80
        # The node port Harbor listens on when serving with HTTP
        nodePort: 30002
      https:
        # The service port Harbor listens on when serving with HTTPS
        port: 443
        # The node port Harbor listens on when serving with HTTPS
        nodePort: 30003
      # Only needed when notary.enabled is set to true
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30004
  loadBalancer:
    # The name of LoadBalancer service
    name: harbor
    # Set the IP if the LoadBalancer supports assigning IP
    IP: ""
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
    annotations: {}
    sourceRanges: []
 # The external URL for Harbor core service. It is used to
 # 1) populate the docker/helm commands showed on portal
 # 2) populate the token service URL returned to docker/notary client
 #
 # Format: protocol://domain[:port]. Usually:
 # 1) if "expose.type" is "ingress", the "domain" should be
 # the value of "expose.ingress.hosts.core"
 # 2) if "expose.type" is "clusterIP", the "domain" should be
 # the value of "expose.clusterIP.name"
 # 3) if "expose.type" is "nodePort", the "domain" should be
 # the IP address of k8s node
 #
 # If Harbor is deployed behind the proxy, set it as the URL of proxy
 externalURL: https://core.harbor.domain
 # The internal TLS used for harbor components secure communicating. In order to enable https
 # in each components tls cert files need to provided in advance.
 internalTLS:
  # If internal TLS enabled
  enabled: false
  # There are three ways to provide tls
  # 1) "auto" will generate cert automatically
  # 2) "manual" need provide cert file manually in following value
  # 3) "secret" internal certificates from secret
  certSource: "auto"
  # The content of trust ca, only available when `certSource` is "manual"
  trustCa: ""
  # core related cert configuration
  core:
    # secret name for core's tls certs
    secretName: ""
    # Content of core's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of core's TLS key file, only available when `certSource` is "manual"
    key: ""
  # jobservice related cert configuration
  jobservice:
    # secret name for jobservice's tls certs
    secretName: ""
    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
    key: ""
  # registry related cert configuration
  registry:
    # secret name for registry's tls certs
    secretName: ""
    # Content of registry's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of registry's TLS key file, only available when `certSource` is "manual"
    key: ""
  # portal related cert configuration
  portal:
    # secret name for portal's tls certs
    secretName: ""
    # Content of portal's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of portal's TLS key file, only available when `certSource` is "manual"
    key: ""
  # chartmuseum related cert configuration
  chartmuseum:
    # secret name for chartmuseum's tls certs
    secretName: ""
    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
    key: ""
  # clair related cert configuration
  clair:
    # secret name for clair's tls certs
    secretName: ""
    # Content of clair's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of clair's TLS key file, only available when `certSource` is "manual"
    key: ""
  # trivy related cert configuration
  trivy:
    # secret name for trivy's tls certs
    secretName: ""
    # Content of trivy's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of trivy's TLS key file, only available when `certSource` is "manual"
    key: ""
 # The persistence is enabled by default and a default StorageClass
 # is needed in the k8s cluster to provision volumes dynamicly.
 # Specify another StorageClass in the "storageClass" or set "existingClaim"
 # if you have already existing persistent volumes to use
 #
 # For storing images and charts, you can also use "azure", "gcs", "s3",
 # "swift" or "oss". Set it in the "imageChartStorage" section
 persistence:
  enabled: true
  # Setting it to "keep" to avoid removing PVCs during a helm delete
  # operation. Leaving it empty will delete PVCs after the chart deleted
  # (this does not apply for PVCs that are created for internal database
  # and redis components, i.e. they are never deleted automatically)
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      existingClaim: ""
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used(the default).
      # Set it to "-" to disable dynamic provisioning
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external database is used, the following settings for database will
    # be ignored
    database:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    redis:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
  # Define which storage backend is used for registry and chartmuseum to store
  # images and charts. Refer to
  # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  # for the detail.
  imageChartStorage:
    # Specify whether to disable `redirect` for images and chart storage, for
    # backends which not supported it (such as using minio for `s3` storage type), please disable
    # it. To disable redirects, simply set `disableredirect` to `true` instead.
    # Refer to
    # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
    # for the detail.
    disableredirect: false
    # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
    # The secret must contain keys named "ca.crt" which will be injected into the trust store
    # of registry's and chartmuseum's containers.
    # caBundleSecretName:
    # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
    # "oss" and fill the information needed in the corresponding section. The type
    # must be "filesystem" if you want to use persistent volumes for registry
    # and chartmuseum
    type: filesystem
    filesystem:
      rootdirectory: /storage
      #maxthreads: 100
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      #realm: core.windows.net
    gcs:
      bucket: bucketname
      # The base64 encoded json file which contains the key
      encodedkey: base64-encoded-json-key-file
      #rootdirectory: /gcs/object/name/prefix
      #chunksize: "5242880"
    s3:
      region: us-west-1
      bucket: bucketname
      #accesskey: awsaccesskey
      #secretkey: awssecretkey
      #regionendpoint: http://myobjects.local
      #encrypt: false
      #keyid: mykeyid
      #secure: true
      #skipverify: false
      #v4auth: true
      #chunksize: "5242880"
      #rootdirectory: /s3/object/name/prefix
      #storageclass: STANDARD
      #multipartcopychunksize: "33554432"
      #multipartcopymaxconcurrency: 100
      #multipartcopythresholdsize: "33554432"
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      #region: fr
      #tenant: tenantname
      #tenantid: tenantid
      #domain: domainname
      #domainid: domainid
      #trustid: trustid
      #insecureskipverify: false
      #chunksize: 5M
      #prefix:
      #secretkey: secretkey
      #accesskey: accesskey
      #authversion: 3
      #endpointtype: public
      #tempurlcontainerkey: false
      #tempurlmethods:
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      #endpoint: endpoint
      #internal: false
      #encrypt: false
      #secure: true
      #chunksize: 10M
      #rootdirectory: rootdirectory
 imagePullPolicy: IfNotPresent
 # Use this set to assign a list of default pullSecrets
 imagePullSecrets:
 #  - name: docker-registry-secret
 #  - name: internal-registry-secret
 # The update strategy for deployments with persistent volumes(jobservice, registry
 # and chartmuseum): "RollingUpdate" or "Recreate"
 # Set it as "Recreate" when "RWM" for volumes isn't supported
 updateStrategy:
  type: RollingUpdate
 # debug, info, warning, error or fatal
 logLevel: info
 # The initial password of Harbor admin. Change it from portal after launching Harbor
 harborAdminPassword: "Harbor12345"
 # The name of the secret which contains key named "ca.crt". Setting this enables the
 # download link on portal to download the certificate of CA when the certificate isn't
 # generated automatically
 caSecretName: ""
 # The secret key used for encryption. Must be a string of 16 chars.
 secretKey: "not-a-secure-key"
 # The proxy settings for updating clair vulnerabilities from the Internet and replicating
 # artifacts from/to the registries that cannot be reached directly
 proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal
  components:
    - core
    - jobservice
    - clair
    - trivy
 # The custom ca bundle secret, the secret must contain key named "ca.crt"
 # which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
 # caBundleSecretName: ""
 ## UAA Authentication Options
 # If you're using UAA for authentication behind a self-signed
 # certificate you will need to provide the CA Cert.
 # Set uaaSecretName below to provide a pre-created secret that
 # contains a base64 encoded CA Certificate named `ca.crt`.
 # uaaSecretName:
 # If expose the service via "ingress", the Nginx will not be used
 nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 portal:
  image:
    repository: goharbor/harbor-portal
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 core:
  image:
    repository: goharbor/harbor-core
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  replicas: 1
  ## Startup probe values
  startupProbe:
    enabled: true
    initialDelaySeconds: 10
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used when core server communicates with other components.
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  secret: ""
  # Fill the name of a kubernetes secret if you want to use your own
  # TLS certificate and private key for token encryption/decryption.
  # The secret must contain keys named:
  # "tls.crt" - the certificate
  # "tls.key" - the private key
  # The default key pair will be used if it isn't set
  secretName: ""
  # The XSRF key. Will be generated automatically if it isn't specified
  xsrfKey: ""
 jobservice:
  image:
    repository: goharbor/harbor-jobservice
    tag: v2.1.3
  replicas: 1
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  maxJobWorkers: 10
  # The logger for jobs: "file", "database" or "stdout"
  jobLogger: file
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used when job service communicates with other components.
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  secret: ""
 registry:
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  registry:
    image:
      repository: goharbor/registry-photon
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  controller:
    image:
      repository: goharbor/harbor-registryctl
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used to secure the upload state from client
  # and registry storage backend.
  # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  secret: ""
  # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
  relativeurls: false
  credentials:
    username: "harbor_registry_user"
    password: "harbor_registry_password"
    # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
    # e.g. "htpasswd -nbBC10 $username $password"
    htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
  middleware:
    enabled: false
    type: cloudFront
    cloudFront:
      baseurl: example.cloudfront.net
      keypairid: KEYPAIRID
      duration: 3000s
      ipfilteredby: none
      # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
      # that allows access to CloudFront
      privateKeySecret: "my-secret"
 chartmuseum:
  enabled: true
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
  absoluteUrl: false
  image:
    repository: goharbor/chartmuseum-photon
    tag: v2.1.3
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 clair:
  enabled: true
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  clair:
    image:
      repository: goharbor/clair-photon
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  adapter:
    image:
      repository: goharbor/clair-adapter-photon
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  replicas: 1
  # The interval of clair updaters, the unit is hour, set to 0 to
  # disable the updaters
  updatersInterval: 12
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 trivy:
  # enabled the flag to enable Trivy scanner
  enabled: true
  image:
    # repository the repository for Trivy adapter image
    repository: goharbor/trivy-adapter-photon
    # tag the tag for Trivy adapter image
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  # replicas the number of Pod replicas
  replicas: 1
  # debugMode the flag to enable Trivy debug mode with more verbose scanning log
  debugMode: false
  # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
  vulnType: "os,library"
  # severity a comma-separated list of severities to be checked
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  # ignoreUnfixed the flag to display only fixed vulnerabilities
  ignoreUnfixed: false
  # insecure the flag to skip verifying registry certificate
  insecure: false
  # gitHubToken the GitHub access token to download Trivy DB
  #
  # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
  # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
  # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
  # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
  # Currently, the database is updated every 12 hours and published as a new release to GitHub.
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  gitHubToken: ""
  # skipUpdate the flag to disable Trivy DB downloads from GitHub
  #
  # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
  # `/home/scanner/.cache/trivy/db/trivy.db` path.
  skipUpdate: false
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1
      memory: 1Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 notary:
  enabled: true
  server:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: goharbor/notary-server-photon
      tag: v2.1.3
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  signer:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: goharbor/notary-signer-photon
      tag: v2.1.3
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Fill the name of a kubernetes secret if you want to use your own
  # TLS certificate authority, certificate and private key for notary
  # communications.
  # The secret must contain keys named ca.crt, tls.crt and tls.key that
  # contain the CA, certificate and private key.
  # They will be generated if not set.
  secretName: ""
 database:
  # if external database is used, set "type" to "external"
  # and fill the connection informations in "external" section
  type: internal
  internal:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: goharbor/harbor-db
      tag: v2.1.3
    # The initial superuser password for internal database
    password: "changeit"
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    # "disable" - No SSL
    # "require" - Always SSL (skip verification)
    # "verify-ca" - Always SSL (verify that the certificate presented by the
    # server was signed by a trusted CA)
    # "verify-full" - Always SSL (verify that the certification presented by the
    # server was signed by a trusted CA and the server host name matches the one
    # in the certificate)
    sslmode: "disable"
  # The maximum number of connections in the idle connection pool.
  # If it <=0, no idle connections are retained.
  maxIdleConns: 50
  # The maximum number of open connections to the database.
  # If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgre of harbor.
  maxOpenConns: 1000
  ## Additional deployment annotations
  podAnnotations: {}
 redis:
  # if external Redis is used, set "type" to "external"
  # and fill the connection informations in "external" section
  type: internal
  internal:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: goharbor/redis-photon
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    # support redis, redis+sentinel
    # addr for redis: <host_redis>:<port_redis>
    # addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
    addr: "192.168.0.2:6379"
    # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
    sentinelMasterSet: ""
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    clairAdapterIndex: "4"
    trivyAdapterIndex: "5"
    password: ""
  ## Additional deployment annotations
  podAnnotations: {}
 commonLabels:
  app.bd-apaas.com/cluster-component: registry
\ No newline at end of file
--- a/templates/NOTES.txt
+++ b/templates/NOTES.txt
 Please wait for several minutes for Harbor deployment to complete.
 Then you should be able to visit the Harbor portal at {{ .Values.externalURL }}.{{ $.Values.global.host }}
 For more details, please visit https://github.com/goharbor/harbor
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
 {{/*
 Create chart imageArch suffix.
 */}}
 {{- define ".beagle.imageArch" -}}
 {{- if not (eq "amd64" .Values.global.imageArch) -}}
 {{- print "-" .Values.global.imageArch -}}
 {{- else -}}
 {{- print "" -}}
 {{- end -}}
 {{- end }}
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "harbor.name" -}}
 {{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "harbor.fullname" -}}
 {{- $name := default "harbor" .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/* Helm required labels */}}
 {{- define "harbor.labels" -}}
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 chart: {{ .Chart.Name }}
 app: "{{ template "harbor.name" . }}"
 {{- if .Values.commonLabels}}
 {{ toYaml .Values.commonLabels }}
 {{- end }}
 {{- end -}}
 {{/* matchLabels */}}
 {{- define "harbor.matchLabels" -}}
 release: {{ .Release.Name }}
 app: "{{ template "harbor.name" . }}"
 {{- end -}}
 {{- define "harbor.autoGenCert" -}}
  {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
    {{- printf "true" -}}
  {{- else -}}
    {{- printf "false" -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.autoGenCertForIngress" -}}
  {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}}
    {{- printf "true" -}}
  {{- else -}}
    {{- printf "false" -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.autoGenCertForNginx" -}}
  {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}}
    {{- printf "true" -}}
  {{- else -}}
    {{- printf "false" -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.host" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- template "harbor.database" . }}
  {{- else -}}
    {{- .Values.database.external.host -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.port" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- printf "%s" "5432" -}}
  {{- else -}}
    {{- .Values.database.external.port -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.username" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- printf "%s" "postgres" -}}
  {{- else -}}
    {{- .Values.database.external.username -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.rawPassword" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- .Values.database.internal.password -}}
  {{- else -}}
    {{- .Values.database.external.password -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.escapedRawPassword" -}}
  {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}}
 {{- end -}}
 {{- define "harbor.database.encryptedPassword" -}}
  {{- include "harbor.database.rawPassword" . | b64enc | quote -}}
 {{- end -}}
 {{- define "harbor.database.coreDatabase" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- printf "%s" "registry" -}}
  {{- else -}}
    {{- .Values.database.external.coreDatabase -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.clairDatabase" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- printf "%s" "postgres" -}}
  {{- else -}}
    {{- .Values.database.external.clairDatabase -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.notaryServerDatabase" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- printf "%s" "notaryserver" -}}
  {{- else -}}
    {{- .Values.database.external.notaryServerDatabase -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.notarySignerDatabase" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- printf "%s" "notarysigner" -}}
  {{- else -}}
    {{- .Values.database.external.notarySignerDatabase -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.sslmode" -}}
  {{- if eq .Values.database.type "internal" -}}
    {{- printf "%s" "disable" -}}
  {{- else -}}
    {{- .Values.database.external.sslmode -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.database.clair" -}}
 postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
 {{- end -}}
 {{- define "harbor.database.notaryServer" -}}
 postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
 {{- end -}}
 {{- define "harbor.database.notarySigner" -}}
 postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
 {{- end -}}
 {{- define "harbor.redis.scheme" -}}
  {{- with .Values.redis }}
    {{- ternary "redis+sentinel" "redis"  (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }}
  {{- end }}
 {{- end -}}
 /*host:port*/
 {{- define "harbor.redis.addr" -}}
  {{- with .Values.redis }}
    {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }}
  {{- end }}
 {{- end -}}
 {{- define "harbor.redis.masterSet" -}}
  {{- with .Values.redis }}
    {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }}
  {{- end }}
 {{- end -}}
 {{- define "harbor.redis.password" -}}
  {{- with .Values.redis }}
    {{- ternary "" .external.password (eq .type "internal") }}
  {{- end }}
 {{- end -}}
 /*scheme://[redis:password@]host:port[/master_set]*/
 {{- define "harbor.redis.url" -}}
  {{- with .Values.redis }}
    {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
    {{- $cred := ternary (printf "redis:%s@" (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
    {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
  {{- end }}
 {{- end -}}
 /*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
 {{- define "harbor.redis.urlForCore" -}}
  {{- with .Values.redis }}
    {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }}
    {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
  {{- end }}
 {{- end -}}
 /*scheme://[redis:password@]addr/db_index*/
 {{- define "harbor.redis.urlForJobservice" -}}
  {{- with .Values.redis }}
    {{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }}
    {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}}
  {{- end }}
 {{- end -}}
 /*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
 {{- define "harbor.redis.urlForRegistry" -}}
  {{- with .Values.redis }}
    {{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }}
    {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
  {{- end }}
 {{- end -}}
 /*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
 {{- define "harbor.redis.urlForClair" -}}
  {{- with .Values.redis }}
    {{- $index := ternary "4" .external.clairAdapterIndex (eq .type "internal") }}
    {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
  {{- end }}
 {{- end -}}
 /*scheme://[redis:password@]addr/db_index?idle_timeout_seconds=30*/
 {{- define "harbor.redis.urlForTrivy" -}}
  {{- with .Values.redis }}
    {{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }}
    {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}}
  {{- end }}
 {{- end -}}
 {{- define "harbor.redis.dbForRegistry" -}}
  {{- with .Values.redis }}
    {{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }}
  {{- end }}
 {{- end -}}
 {{- define "harbor.redis.dbForChartmuseum" -}}
  {{- with .Values.redis }}
    {{- ternary "3" .external.chartmuseumDatabaseIndex (eq .type "internal") }}
  {{- end }}
 {{- end -}}
 {{- define "harbor.portal" -}}
  {{- printf "%s-portal" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.core" -}}
  {{- printf "%s-core" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.redis" -}}
  {{- printf "%s-redis" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.jobservice" -}}
  {{- printf "%s-jobservice" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.registry" -}}
  {{- printf "%s-registry" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.chartmuseum" -}}
  {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.database" -}}
  {{- printf "%s-database" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.clair" -}}
  {{- printf "%s-clair" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.trivy" -}}
  {{- printf "%s-trivy" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.notary-server" -}}
  {{- printf "%s-notary-server" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.notary-signer" -}}
  {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.nginx" -}}
  {{- printf "%s-nginx" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.ingress" -}}
  {{- printf "%s-ingress" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.ingress-notary" -}}
  {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}}
 {{- end -}}
 {{- define "harbor.noProxy" -}}
  {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.chartmuseum" .) (include "harbor.clair" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) .Values.proxy.noProxy -}}
 {{- end -}}
 {{- define "harbor.caBundleVolume" -}}
 - name: ca-bundle-certs
  secret:
    secretName: {{ .Values.caBundleSecretName }}
 {{- end -}}
 {{- define "harbor.caBundleVolumeMount" -}}
 - name: ca-bundle-certs
  mountPath: /harbor_cust_cert/custom-ca.crt
  subPath: ca.crt
 {{- end -}}
 {{/* scheme for all components except notary because it only support http mode */}}
 {{- define "harbor.component.scheme" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "https" -}}
  {{- else -}}
    {{- printf "http" -}}
  {{- end -}}
 {{- end -}}
 {{/* chartmuseum component container port */}}
 {{- define "harbor.chartmuseum.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "9443" -}}
  {{- else -}}
    {{- printf "9999" -}}
  {{- end -}}
 {{- end -}}
 {{/* chartmuseum component service port */}}
 {{- define "harbor.chartmuseum.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "443" -}}
  {{- else -}}
    {{- printf "80" -}}
  {{- end -}}
 {{- end -}}
 {{/* clair adapter component container port */}}
 {{- define "harbor.clairAdapter.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* clair adapter component service port */}}
 {{- define "harbor.clairAdapter.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* core component container port */}}
 {{- define "harbor.core.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* core component service port */}}
 {{- define "harbor.core.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "443" -}}
  {{- else -}}
    {{- printf "80" -}}
  {{- end -}}
 {{- end -}}
 {{/* jobservice component container port */}}
 {{- define "harbor.jobservice.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* jobservice component service port */}}
 {{- define "harbor.jobservice.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "443" -}}
  {{- else -}}
    {{- printf "80" -}}
  {{- end -}}
 {{- end -}}
 {{/* portal component container port */}}
 {{- define "harbor.portal.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* portal component service port */}}
 {{- define "harbor.portal.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "443" -}}
  {{- else -}}
    {{- printf "80" -}}
  {{- end -}}
 {{- end -}}
 {{/* registry component container port */}}
 {{- define "harbor.registry.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "5443" -}}
  {{- else -}}
    {{- printf "5000" -}}
  {{- end -}}
 {{- end -}}
 {{/* registry component service port */}}
 {{- define "harbor.registry.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "5443" -}}
  {{- else -}}
    {{- printf "5000" -}}
  {{- end -}}
 {{- end -}}
 {{/* registryctl component container port */}}
 {{- define "harbor.registryctl.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* registryctl component service port */}}
 {{- define "harbor.registryctl.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* trivy component container port */}}
 {{- define "harbor.trivy.containerPort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* trivy component service port */}}
 {{- define "harbor.trivy.servicePort" -}}
  {{- if .Values.internalTLS.enabled -}}
    {{- printf "8443" -}}
  {{- else -}}
    {{- printf "8080" -}}
  {{- end -}}
 {{- end -}}
 {{/* CLAIR_ADAPTER_URL */}}
 {{- define "harbor.clairAdapterURL" -}}
  {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.clair" .) (include "harbor.clairAdapter.servicePort" .) -}}
 {{- end -}}
 {{/* CORE_URL */}}
 {{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}}
 {{- define "harbor.coreURL" -}}
  {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}}
 {{- end -}}
 {{/* JOBSERVICE_URL */}}
 {{- define "harbor.jobserviceURL" -}}
  {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .)  (include "harbor.fullname" .) -}}
 {{- end -}}
 {{/* PORTAL_URL */}}
 {{- define "harbor.portalURL" -}}
  {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}}
 {{- end -}}
 {{/* REGISTRY_URL */}}
 {{- define "harbor.registryURL" -}}
  {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}}
 {{- end -}}
 {{/* REGISTRY_CONTROLLER_URL */}}
 {{- define "harbor.registryControllerURL" -}}
  {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}}
 {{- end -}}
 {{/* TOKEN_SERVICE_URL */}}
 {{- define "harbor.tokenServiceURL" -}}
  {{- printf "%s/service/token" (include "harbor.coreURL" .) -}}
 {{- end -}}
 {{/* TRIVY_ADAPTER_URL */}}
 {{- define "harbor.trivyAdapterURL" -}}
  {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}}
 {{- end -}}
 {{- define "harbor.internalTLS.chartmuseum.secretName" -}}
  {{- if eq .Values.internalTLS.certSource "secret" -}}
    {{- .Values.internalTLS.chartmuseum.secretName -}}
  {{- else -}}
    {{- printf "%s-chartmuseum-internal-tls" (include "harbor.fullname" .) -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.internalTLS.clair.secretName" -}}
  {{- if eq .Values.internalTLS.certSource "secret" -}}
    {{- .Values.internalTLS.clair.secretName -}}
  {{- else -}}
    {{- printf "%s-clair-internal-tls" (include "harbor.fullname" .) -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.internalTLS.core.secretName" -}}
  {{- if eq .Values.internalTLS.certSource "secret" -}}
    {{- .Values.internalTLS.core.secretName -}}
  {{- else -}}
    {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.internalTLS.jobservice.secretName" -}}
  {{- if eq .Values.internalTLS.certSource "secret" -}}
    {{- .Values.internalTLS.jobservice.secretName -}}
  {{- else -}}
    {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.internalTLS.portal.secretName" -}}
  {{- if eq .Values.internalTLS.certSource "secret" -}}
    {{- .Values.internalTLS.portal.secretName -}}
  {{- else -}}
    {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.internalTLS.registry.secretName" -}}
  {{- if eq .Values.internalTLS.certSource "secret" -}}
    {{- .Values.internalTLS.registry.secretName -}}
  {{- else -}}
    {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.internalTLS.trivy.secretName" -}}
  {{- if eq .Values.internalTLS.certSource "secret" -}}
    {{- .Values.internalTLS.trivy.secretName -}}
  {{- else -}}
    {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.tlsCoreSecretForIngress" -}}
  {{- if eq .Values.expose.tls.certSource "none" -}}
    {{- printf "" -}}
  {{- else if eq .Values.expose.tls.certSource "secret" -}}
    {{- .Values.expose.tls.secret.secretName -}}
  {{- else -}}
    {{- include "harbor.ingress" . -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.tlsNotarySecretForIngress" -}}
  {{- if eq .Values.expose.tls.certSource "none" -}}
    {{- printf "" -}}
  {{- else if eq .Values.expose.tls.certSource "secret" -}}
    {{- .Values.expose.tls.secret.notarySecretName -}}
  {{- else -}}
    {{- include "harbor.ingress" . -}}
  {{- end -}}
 {{- end -}}
 {{- define "harbor.tlsSecretForNginx" -}}
  {{- if eq .Values.expose.tls.certSource "secret" -}}
    {{- .Values.expose.tls.secret.secretName -}}
  {{- else -}}
    {{- include "harbor.nginx" . -}}
  {{- end -}}
 {{- end -}}
--- a/templates/chartmuseum/chartmuseum-cm.yaml
+++ b/templates/chartmuseum/chartmuseum-cm.yaml
 {{- if .Values.chartmuseum.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: "{{ template "harbor.chartmuseum" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  PORT: "{{ template "harbor.chartmuseum.containerPort" . }}"
 {{- if .Values.internalTLS.enabled }}
  TLS_CERT: "/etc/harbor/ssl/chartmuseum/tls.crt"
  TLS_KEY: "/etc/harbor/ssl/chartmuseum/tls.key"
 {{- end }}
  {{- if eq "redis" (include "harbor.redis.scheme" .) }}
  CACHE: "redis"
  {{- else }}
  CACHE: "redis_sentinel"
  CACHE_REDIS_MASTERNAME: "{{ template "harbor.redis.masterSet" . }}"
  {{- end }}
  CACHE_REDIS_ADDR: "{{ template "harbor.redis.addr" . }}"
  CACHE_REDIS_DB: "{{ template "harbor.redis.dbForChartmuseum" . }}"
  BASIC_AUTH_USER: "chart_controller"
 {{- if .Values.chartmuseum.absoluteUrl }}
  CHART_URL: {{ .Values.externalURL }}.{{ $.Values.global.host }}/chartrepo
 {{- end }}
  DEPTH: "1"
 {{- if eq .Values.logLevel "debug" }}
  DEBUG: "true"
 {{- else }}
  DEBUG: "false"
 {{- end }}
  LOG_JSON: "true"
  DISABLE_METRICS: "false"
  DISABLE_API: "false"
  DISABLE_STATEFILES: "false"
  ALLOW_OVERWRITE: "true"
  AUTH_ANONYMOUS_GET: "false"
  CONTEXT_PATH: ""
  INDEX_LIMIT: "0"
  MAX_STORAGE_OBJECTS: "0"
  MAX_UPLOAD_SIZE: "20971520"
  CHART_POST_FORM_FIELD_NAME: "chart"
  PROV_POST_FORM_FIELD_NAME: "prov"
 {{- $storage := .Values.persistence.imageChartStorage }}
 {{- $storageType := $storage.type }}
 {{- if eq $storageType "filesystem" }}
  STORAGE: "local"
  STORAGE_LOCAL_ROOTDIR: "/chart_storage"
 {{- else if eq $storageType "azure" }}
  STORAGE: "microsoft"
  STORAGE_MICROSOFT_CONTAINER: {{ $storage.azure.container }}
  AZURE_STORAGE_ACCOUNT: {{ $storage.azure.accountname }}
  AZURE_BASE_URL: {{ $storage.azure.realm }}
  STORAGE_MICROSOFT_PREFIX: "/azure/harbor/charts"
 {{- else if eq $storageType "gcs" }}
  STORAGE: "google"
  STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }}
  GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json
  {{- if $storage.gcs.rootdirectory }}
  STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }}
  {{- end }}
 {{- else if eq $storageType "s3" }}
  STORAGE: "amazon"
  STORAGE_AMAZON_BUCKET: {{ $storage.s3.bucket }}
  {{- if $storage.s3.rootdirectory }}
  STORAGE_AMAZON_PREFIX: {{ $storage.s3.rootdirectory }}
  {{- end }}
  STORAGE_AMAZON_REGION: {{ $storage.s3.region }}
  {{- if $storage.s3.regionendpoint }}
  STORAGE_AMAZON_ENDPOINT: {{ $storage.s3.regionendpoint }}
  {{- end }}
  {{- if $storage.s3.accesskey }}
  AWS_ACCESS_KEY_ID: {{ $storage.s3.accesskey }}
  {{- end }}
  {{- if $storage.s3.keyid }}
  STORAGE_AMAZON_SSE: aws:kms
  {{- end }}
 {{- else if eq $storageType "swift" }}
  STORAGE: "openstack"
  STORAGE_OPENSTACK_CONTAINER: {{ $storage.swift.container }}
  {{- if $storage.swift.prefix }}
  STORAGE_OPENSTACK_PREFIX: {{ $storage.swift.prefix }}
  {{- end }}
  {{- if $storage.swift.region }}
  STORAGE_OPENSTACK_REGION: {{ $storage.swift.region }}
  {{- end }}
  OS_AUTH_URL: {{ $storage.swift.authurl }}
  OS_USERNAME: {{ $storage.swift.username }}
  {{- if $storage.swift.tenantid }}
  OS_PROJECT_ID: {{ $storage.swift.tenantid }}
  {{- end }}
  {{- if $storage.swift.tenant }}
  OS_PROJECT_NAME: {{ $storage.swift.tenant }}
  {{- end }}
  {{- if $storage.swift.domainid }}
  OS_DOMAIN_ID: {{ $storage.swift.domainid }}
  {{- end }}
  {{- if $storage.swift.domain }}
  OS_DOMAIN_NAME: {{ $storage.swift.domain }}
  {{- end }}
 {{- else if eq $storageType "oss" }}
  STORAGE: "alibaba"
  STORAGE_ALIBABA_BUCKET: {{ $storage.oss.bucket }}
  {{- if $storage.oss.rootdirectory }}
  STORAGE_ALIBABA_PREFIX: {{ $storage.oss.rootdirectory }}
  {{- end }}
  {{- if $storage.oss.endpoint }}
  STORAGE_ALIBABA_ENDPOINT: {{ $storage.oss.endpoint }}
  {{- end }}
  ALIBABA_CLOUD_ACCESS_KEY_ID: {{ $storage.oss.accesskeyid }}
 {{- end }}
  STORAGE_TIMESTAMP_TOLERANCE: 1s
 {{- end }}
--- a/templates/chartmuseum/chartmuseum-dpl.yaml
+++ b/templates/chartmuseum/chartmuseum-dpl.yaml
 {{- if .Values.chartmuseum.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: "{{ template "harbor.chartmuseum" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: chartmuseum
 spec:
  replicas: {{ .Values.chartmuseum.replicas }}
  strategy:
    type: {{ .Values.updateStrategy.type }}
    {{- if eq .Values.updateStrategy.type "Recreate" }}
    rollingUpdate: null
    {{- end }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: chartmuseum
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: chartmuseum
      annotations:
        checksum/configmap: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-cm.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-secret.yaml") . | sha256sum }}
        checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/chartmuseum/chartmuseum-tls.yaml") . | sha256sum }}
 {{- end }}
 {{- if .Values.chartmuseum.podAnnotations }}
 {{ toYaml .Values.chartmuseum.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      securityContext:
        fsGroup: 10000
 {{- if .Values.chartmuseum.serviceAccountName }}
      serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: chartmuseum
 {{- if contains "/" .Values.chartmuseum.image.repository }}
        image: "{{ .Values.chartmuseum.image.repository }}"
 {{- else }}
        image: "{{ .Values.chartmuseum.image.hub | default .Values.global.hub }}/{{ .Values.chartmuseum.image.repository }}:{{ .Values.chartmuseum.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        livenessProbe:
          httpGet:
            path: /health
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.chartmuseum.containerPort" . }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /health
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.chartmuseum.containerPort" . }}
          initialDelaySeconds: 1
          periodSeconds: 10
 {{- if .Values.chartmuseum.resources }}
        resources:
 {{ toYaml .Values.chartmuseum.resources | indent 10 }}
 {{- end }}
        envFrom:
        - configMapRef:
            name: "{{ template "harbor.chartmuseum" . }}"
        - secretRef:
            name: "{{ template "harbor.chartmuseum" . }}"
        env:
          {{- if has "chartmuseum" .Values.proxy.components }}
          - name: HTTP_PROXY
            value: "{{ .Values.proxy.httpProxy }}"
          - name: HTTPS_PROXY
            value: "{{ .Values.proxy.httpsProxy }}"
          - name: NO_PROXY
            value: "{{ template "harbor.noProxy" . }}"
          {{- end }}
          {{- if .Values.internalTLS.enabled }}
          - name: INTERNAL_TLS_ENABLED
            value: "true"
          - name: INTERNAL_TLS_KEY_PATH
            value: /etc/harbor/ssl/chartmuseum/tls.key
          - name: INTERNAL_TLS_CERT_PATH
            value: /etc/harbor/ssl/chartmuseum/tls.crt
          - name: INTERNAL_TLS_TRUST_CA_PATH
            value: /etc/harbor/ssl/chartmuseum/ca.crt
          {{- end }}
          - name: BASIC_AUTH_PASS
            valueFrom:
              secretKeyRef:
                name: {{ template "harbor.core" . }}
                key: secret
          - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280)
            name: AWS_SDK_LOAD_CONFIG
            value: "1"
        ports:
        - containerPort: {{ template "harbor.chartmuseum.containerPort" . }}
        volumeMounts:
        - name: chartmuseum-data
          mountPath: /chart_storage
          subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }}
        {{- if .Values.internalTLS.enabled }}
        - name: chart-internal-certs
          mountPath: /etc/harbor/ssl/chartmuseum
        {{- end }}
        {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
        - name: gcs-key
          mountPath: /etc/chartmuseum/gcs-key.json
          subPath: gcs-key.json
        {{- end }}
        {{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
        - name: storage-service-ca
          mountPath: /harbor_cust_cert/custom-ca-bundle.crt
          subPath: ca.crt
        {{- end }}
        {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
      volumes:
      - name: chartmuseum-data
      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
        persistentVolumeClaim:
          claimName: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.existingClaim | default (include "harbor.chartmuseum" .) }}
      {{- else }}
        emptyDir: {}
      {{- end }}
      {{- if .Values.internalTLS.enabled }}
      - name: chart-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }}
      {{- end }}
      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
      - name: gcs-key
        secret:
          secretName: {{ template "harbor.registry" . }}
          items:
            - key: GCS_KEY_DATA
              path: gcs-key.json
      {{- end }}
      {{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
      - name: storage-service-ca
        secret:
          secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
      {{- end }}
      {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
      {{- with .Values.chartmuseum.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
      {{- end }}
      {{- with .Values.chartmuseum.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
      {{- end }}
      {{- with .Values.chartmuseum.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
      {{- end }}
 {{- end }}
--- a/templates/chartmuseum/chartmuseum-pvc.yaml
+++ b/templates/chartmuseum/chartmuseum-pvc.yaml
 {{- if .Values.chartmuseum.enabled }}
 {{- $persistence := .Values.persistence -}}
 {{- if $persistence.enabled }}
 {{- $chartmuseum := $persistence.persistentVolumeClaim.chartmuseum -}}
 {{- if and (not $chartmuseum.existingClaim) (eq $persistence.imageChartStorage.type "filesystem") }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ template "harbor.chartmuseum" . }}
  {{- if eq $persistence.resourcePolicy "keep" }}
  annotations:
    helm.sh/resource-policy: keep
  {{- end }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: chartmuseum
 spec:
  accessModes: 
    - {{ $chartmuseum.accessMode }}
  resources:
    requests:
      storage: {{ $chartmuseum.size }}
  {{- if $chartmuseum.storageClass }}
    {{- if eq "-" $chartmuseum.storageClass }}
  storageClassName: ""
    {{- else }}
  storageClassName: {{ $chartmuseum.storageClass }}
    {{- end }}
  {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/chartmuseum/chartmuseum-secret.yaml
+++ b/templates/chartmuseum/chartmuseum-secret.yaml
 {{- if .Values.chartmuseum.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.chartmuseum" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
 {{- $storage := .Values.persistence.imageChartStorage }}
 {{- $storageType := $storage.type }}
 {{- if eq $storageType "azure" }}
  AZURE_STORAGE_ACCESS_KEY: {{ $storage.azure.accountkey | b64enc | quote }}
 {{- else if eq $storageType "gcs" }}
  # TODO support the keyfile of gcs
 {{- else if eq $storageType "s3" }}
  {{- if $storage.s3.secretkey }}
  AWS_SECRET_ACCESS_KEY: {{ $storage.s3.secretkey | b64enc | quote }}
  {{- end }}
 {{- else if eq $storageType "swift" }}
  OS_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
 {{- else if eq $storageType "oss" }}
  ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/chartmuseum/chartmuseum-svc.yaml
+++ b/templates/chartmuseum/chartmuseum-svc.yaml
 {{- if .Values.chartmuseum.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "harbor.chartmuseum" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - port: {{ template "harbor.chartmuseum.servicePort" . }}
      targetPort: {{ template "harbor.chartmuseum.containerPort" . }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: chartmuseum
 {{- end }}
\ No newline at end of file
--- a/templates/chartmuseum/chartmuseum-tls.yaml
+++ b/templates/chartmuseum/chartmuseum-tls.yaml
 {{- if and .Values.chartmuseum.enabled .Values.internalTLS.enabled }}
 {{- if eq .Values.internalTLS.certSource "manual" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  tls.ca: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
  tls.crt: {{ (required "The \"internalTLS.chartmuseum.crt\" is required!" .Values.internalTLS.chartmuseum.crt) | b64enc | quote }}
  tls.key: {{ (required "The \"internalTLS.chartmuseum.key\" is required!" .Values.internalTLS.chartmuseum.key) | b64enc | quote }}
 {{- end }}
 {{- end }}
--- a/templates/clair/clair-dpl.yaml
+++ b/templates/clair/clair-dpl.yaml
 {{ if .Values.clair.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "harbor.clair" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: clair
 spec:
  replicas: {{ .Values.clair.replicas }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: clair
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: clair
      annotations:
        checksum/secret: {{ include (print $.Template.BasePath "/clair/clair-secret.yaml") . | sha256sum }}
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/clair/clair-tls.yaml") . | sha256sum }}
 {{- end }}
 {{- if .Values.clair.podAnnotations }}
 {{ toYaml .Values.clair.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      securityContext:
        fsGroup: 10000
 {{- if .Values.clair.serviceAccountName }}
      serviceAccountName: {{ .Values.clair.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: clair
 {{- if contains "/" .Values.clair.clair.image.repository }}
        image: "{{ .Values.clair.clair.image.repository }}"
 {{- else }}
        image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
        livenessProbe:
          httpGet:
            path: /health
            port: 6061
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /health
            port: 6061
          initialDelaySeconds: 30
          periodSeconds: 10
        args: ["-log-level", "{{ .Values.logLevel }}"]
        env:
        {{- if has "clair" .Values.proxy.components }}
        - name: HTTP_PROXY
          value: "{{ .Values.proxy.httpProxy }}"
        - name: HTTPS_PROXY
          value: "{{ .Values.proxy.httpsProxy }}"
        - name: NO_PROXY
          value: "{{ template "harbor.noProxy" . }}"
        {{- end }}
 {{- if .Values.clair.clair.resources }}
        resources:
 {{ toYaml .Values.clair.clair.resources | indent 10 }}
 {{- end }}
        ports:
        - containerPort: 6060
        volumeMounts:
        - name: config
          mountPath: /etc/clair/config.yaml
          subPath: config.yaml
        {{- if .Values.internalTLS.enabled }}
        - name: clair-internal-certs
          mountPath: /etc/harbor/ssl/clair
        {{- end }}
        {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
      - name: adapter
 {{- if contains "/" .Values.clair.adapter.image.repository }}
        image: "{{ .Values.clair.adapter.image.repository }}"
 {{- else }}
        image: "{{ .Values.clair.adapter.image.hub | default .Values.global.hub }}/{{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
        livenessProbe:
          httpGet:
            path: /probe/healthy
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.clairAdapter.containerPort" . }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /probe/ready
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.clairAdapter.containerPort" . }}
          initialDelaySeconds: 30
          periodSeconds: 10
        env:
        - name: SCANNER_CLAIR_URL
          # To avoid a pod cannot reach itself via service IP when the clusters disable hairpin
          value: "http://127.0.0.1:6060"
        - name: SCANNER_STORE_REDIS_URL
          valueFrom:
              secretKeyRef:
                name: {{ template "harbor.clair" . }}
                key: redis
        - name: SCANNER_CLAIR_DATABASE_URL
          valueFrom:
              secretKeyRef:
                name: {{ template "harbor.clair" . }}
                key: database
        {{- if .Values.internalTLS.enabled }}
        - name: INTERNAL_TLS_ENABLED
          value: "true"
        - name: SCANNER_API_SERVER_ADDR
          value: ":8443"
        - name: SCANNER_API_SERVER_TLS_KEY
          value: /etc/harbor/ssl/clair/tls.key
        - name: SCANNER_API_SERVER_TLS_CERTIFICATE
          value: /etc/harbor/ssl/clair/tls.crt
        {{- end }}
        - name: SCANNER_LOG_LEVEL
          value: "{{ .Values.logLevel }}"
 {{- if .Values.clair.adapter.resources }}
        resources:
 {{ toYaml .Values.clair.adapter.resources | indent 10 }}
 {{- end }}
        ports:
        - containerPort: {{ template "harbor.clairAdapter.containerPort" . }}
        {{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }}
        volumeMounts:
        {{- if .Values.internalTLS.enabled }}
        - name: clair-internal-certs
          mountPath: /etc/harbor/ssl/clair
        {{- end }}
        {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
        {{- end }}
      volumes:
      - name: config
        secret:
          secretName: "{{ template "harbor.clair" . }}"
      {{- if .Values.internalTLS.enabled }}
      - name: clair-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.clair.secretName" . }}
      {{- end }}
      {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
    {{- with .Values.clair.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.clair.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.clair.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
 {{ end }}
--- a/templates/clair/clair-secret.yaml
+++ b/templates/clair/clair-secret.yaml
 {{- if .Values.clair.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "harbor.clair" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  config.yaml: {{ tpl (.Files.Get "conf/clair.yaml") . | b64enc }}
  redis: {{ include "harbor.redis.urlForClair" . | b64enc }}
  database: {{ include "harbor.database.clair" . | b64enc }}
 {{- end }} 
\ No newline at end of file
--- a/templates/clair/clair-svc.yaml
+++ b/templates/clair/clair-svc.yaml
 {{ if .Values.clair.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "harbor.clair" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - name: adapter
      port: {{ include "harbor.clairAdapter.servicePort" . }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: clair
 {{ end }}
--- a/templates/clair/clair-tls.yaml
+++ b/templates/clair/clair-tls.yaml
 {{- if and .Values.clair.enabled .Values.internalTLS.enabled }}
 {{- if eq .Values.internalTLS.certSource "manual" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.clair.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
  tls.crt: {{ (required "The \"internalTLS.clair.crt\" is required!" .Values.internalTLS.clair.crt) | b64enc | quote }}
  tls.key: {{ (required "The \"internalTLS.clair.key\" is required!" .Values.internalTLS.clair.key) | b64enc | quote }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/core/core-cm.yaml
+++ b/templates/core/core-cm.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ template "harbor.core" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  app.conf: |+
    appname = Harbor
    runmode = prod
    enablegzip = true
    [prod]
    httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }}
  PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}"
  DATABASE_TYPE: "postgresql"
  POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
  POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
  POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
  POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
  POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
  POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
  POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
  EXT_ENDPOINT: "{{ .Values.externalURL }}.{{ $.Values.global.host }}"
  CORE_URL: "{{ template "harbor.coreURL" . }}"
  JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}"
  REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
  TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
  WITH_NOTARY: "{{ .Values.notary.enabled }}"
  NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443"
  CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}"
  WITH_CLAIR: "{{ .Values.clair.enabled }}"
  CLAIR_ADAPTER_URL: "{{ template "harbor.clairAdapterURL" . }}"
  WITH_TRIVY: {{ .Values.trivy.enabled | quote }}
  TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}"
  REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}"
  WITH_CHARTMUSEUM: "{{ .Values.chartmuseum.enabled }}"
  CHART_REPOSITORY_URL: "{{ template "harbor.component.scheme" . }}://{{ template "harbor.chartmuseum" . }}"
  LOG_LEVEL: "{{ .Values.logLevel }}"
  CONFIG_PATH: "/etc/core/app.conf"
  CHART_CACHE_DRIVER: "redis"
  _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}"
  _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}"
  PORTAL_URL: "{{ template "harbor.portalURL" . }}"
  REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
  REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
  {{- if .Values.uaaSecretName }}
  UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt"
  {{- end }}
  {{- if has "core" .Values.proxy.components }}
  HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
  HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
  NO_PROXY: "{{ template "harbor.noProxy" . }}"
  {{- end }}
  PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor"
  {{- if hasKey .Values.core "gcTimeWindowHours" }}
  #make the GC time window configurable for testing
  GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}"
  {{- end }}
\ No newline at end of file
--- a/templates/core/core-dpl.yaml
+++ b/templates/core/core-dpl.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "harbor.core" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: core
 spec:
  replicas: {{ .Values.core.replicas }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: core
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: core
      annotations:
        checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
        checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }}
 {{- end }}
 {{- if .Values.core.podAnnotations }}
 {{ toYaml .Values.core.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      securityContext:
        fsGroup: 10000
 {{- if .Values.core.serviceAccountName }}
      serviceAccountName: {{ .Values.core.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: core
 {{- if contains "/" .Values.core.image.repository }}
        image: "{{ .Values.core.image.repository }}"
 {{- else }}
        image: "{{ .Values.core.image.hub | default .Values.global.hub }}/{{ .Values.core.image.repository }}:{{ .Values.core.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        {{- if .Values.core.startupProbe.enabled }}
        startupProbe:
          httpGet:
            path: /api/v2.0/ping
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.core.containerPort" . }}
          failureThreshold: 360
          initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }}
          periodSeconds: 10
        {{- end }}
        livenessProbe:
          httpGet:
            path: /api/v2.0/ping
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.core.containerPort" . }}
          failureThreshold: 2
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/v2.0/ping
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.core.containerPort" . }}
          failureThreshold: 2
          periodSeconds: 10
        envFrom:
        - configMapRef:
            name: "{{ template "harbor.core" . }}"
        - secretRef:
            name: "{{ template "harbor.core" . }}"
        env:
          - name: CORE_SECRET
            valueFrom:
              secretKeyRef:
                name: {{ template "harbor.core" . }}
                key: secret
          - name: JOBSERVICE_SECRET
            valueFrom:
              secretKeyRef:
                name: "{{ template "harbor.jobservice" . }}"
                key: JOBSERVICE_SECRET
         {{- if .Values.internalTLS.enabled }}
          - name: INTERNAL_TLS_ENABLED
            value: "true"
          - name: INTERNAL_TLS_KEY_PATH
            value: /etc/harbor/ssl/core/tls.key
          - name: INTERNAL_TLS_CERT_PATH
            value: /etc/harbor/ssl/core/tls.crt
          - name: INTERNAL_TLS_TRUST_CA_PATH
            value: /etc/harbor/ssl/core/ca.crt
         {{- end }}
        ports:
        - containerPort: {{ template "harbor.core.containerPort" . }}
        volumeMounts:
        - name: config
          mountPath: /etc/core/app.conf
          subPath: app.conf
        - name: secret-key
          mountPath: /etc/core/key
          subPath: key
        - name: token-service-private-key
          mountPath: /etc/core/private_key.pem
          subPath: tls.key
        {{- if .Values.expose.tls.enabled }}
        - name: ca-download
          mountPath: /etc/core/ca
        {{- end }}
        {{- if .Values.uaaSecretName }}
        - name: auth-ca-cert
          mountPath: /etc/core/auth-ca/auth-ca.crt
          subPath: auth-ca.crt
        {{- end }}
        {{- if .Values.internalTLS.enabled }}
        - name: core-internal-certs
          mountPath: /etc/harbor/ssl/core
        {{- end }}
        - name: psc
          mountPath: /etc/core/token
        {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
 {{- if .Values.core.resources }}
        resources:
 {{ toYaml .Values.core.resources | indent 10 }}
 {{- end }}
      volumes:
      - name: config
        configMap:
          name: {{ template "harbor.core" . }}
          items:
            - key: app.conf
              path: app.conf
      - name: secret-key
        secret:
          secretName: {{ template "harbor.core" . }}
          items:
            - key: secretKey
              path: key
      - name: token-service-private-key
        secret:
          {{- if .Values.core.secretName }}
          secretName: {{ .Values.core.secretName }}
          {{- else }}
          secretName: {{ template "harbor.core" . }}
          {{- end }}
      {{- if .Values.expose.tls.enabled }}
      - name: ca-download
        secret:
        {{- if .Values.caSecretName }}
          secretName: {{ .Values.caSecretName }}
        {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }}
          secretName: "{{ template "harbor.ingress" . }}"
        {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }}
          secretName: {{ template "harbor.tlsSecretForNginx" . }}
        {{- end }}
      {{- end }}
      {{- if .Values.uaaSecretName }}
      - name: auth-ca-cert
        secret:
          secretName: {{ .Values.uaaSecretName }}
          items:
            - key: ca.crt
              path: auth-ca.crt
      {{- end }}
      {{- if .Values.internalTLS.enabled }}
      - name: core-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.core.secretName" . }}
      {{- end }}
      - name: psc
        emptyDir: {}
      {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
    {{- with .Values.core.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.core.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.core.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
--- a/templates/core/core-secret.yaml
+++ b/templates/core/core-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "harbor.core" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  secretKey: {{ .Values.secretKey | b64enc | quote }}
  secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
 {{- if not .Values.core.secretName }}
  tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
  tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
 {{- end }}
  HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
  POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
  REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
  CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
--- a/templates/core/core-svc.yaml
+++ b/templates/core/core-svc.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "harbor.core" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
 {{- if  (eq .Values.expose.ingress.controller "gce") }}
  type: NodePort
 {{- end }}
  ports:
    - port: {{ template "harbor.core.servicePort" . }}
      targetPort: {{ template "harbor.core.containerPort" . }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: core
--- a/templates/core/core-tls.yaml
+++ b/templates/core/core-tls.yaml
 {{- if and .Values.internalTLS.enabled }}
 {{- if eq .Values.internalTLS.certSource "manual" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.core.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
  tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }}
  tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/database/database-secret.yaml
+++ b/templates/database/database-secret.yaml
 {{- if eq .Values.database.type "internal" -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.database" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{- end -}}
--- a/templates/database/database-ss.yaml
+++ b/templates/database/database-ss.yaml
 {{- if eq .Values.database.type "internal" -}}
 {{- $database := .Values.persistence.persistentVolumeClaim.database -}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: "{{ template "harbor.database" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: database
 spec:
  replicas: 1
  serviceName: "{{ template "harbor.database" . }}"
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: database
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: database
      annotations:
        checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }}
 {{- if .Values.database.podAnnotations }}
 {{ toYaml .Values.database.podAnnotations | indent 8 }}
 {{- end }}
    spec:
 {{- if .Values.database.internal.serviceAccountName }}
      serviceAccountName: {{ .Values.database.internal.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
      - name: "change-permission-of-directory"
        securityContext:
          runAsUser: 0
 {{- if contains "/" .Values.database.internal.image.repository }}
        image: "{{ .Values.database.internal.image.repository }}"
 {{- else }}
        image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        command: ["/bin/sh"]
        args: ["-c", "chown -R postgres:postgres /var/lib/postgresql/data"]
        volumeMounts:
        - name: database-data
          mountPath: /var/lib/postgresql/data
          subPath: {{ $database.subPath }}
      - name: "remove-lost-found"
 {{- if contains "/" .Values.database.internal.image.repository }}
        image: "{{ .Values.database.internal.image.repository }}"
 {{- else }}
        image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        command: ["rm", "-Rf", "/var/lib/postgresql/data/lost+found"]
        volumeMounts:
        - name: database-data
          mountPath: /var/lib/postgresql/data
          subPath: {{ $database.subPath }}
      containers:
      - name: database
 {{- if contains "/" .Values.database.internal.image.repository }}
        image: "{{ .Values.database.internal.image.repository }}"
 {{- else }}
        image: "{{ .Values.database.internal.image.hub | default .Values.global.hub }}/{{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        livenessProbe:
          exec:
            command:
            - /docker-healthcheck.sh
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          exec:
            command:
            - /docker-healthcheck.sh
          initialDelaySeconds: 1
          periodSeconds: 10
 {{- if .Values.database.internal.resources }}
        resources:
 {{ toYaml .Values.database.internal.resources | indent 10 }}
 {{- end }}
        envFrom:
          - secretRef:
              name: "{{ template "harbor.database" . }}"
        volumeMounts:
        - name: database-data
          mountPath: /var/lib/postgresql/data
          subPath: {{ $database.subPath }}
      {{- if not .Values.persistence.enabled }}
      volumes:
      - name: "database-data"
        emptyDir: {}
      {{- else if $database.existingClaim }}
      volumes:
      - name: "database-data"
        persistentVolumeClaim:
          claimName: {{ $database.existingClaim }}
      {{- end -}}
    {{- with .Values.database.internal.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.database.internal.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.database.internal.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
  {{- if and .Values.persistence.enabled (not $database.existingClaim) }}
  volumeClaimTemplates:
  - metadata:
      name: "database-data"
      labels:
 {{ include "harbor.labels" . | indent 8 }}
    spec:
      accessModes: [{{ $database.accessMode | quote }}]
      {{- if $database.storageClass }}
      {{- if (eq "-" $database.storageClass) }}
      storageClassName: ""
      {{- else }}
      storageClassName: "{{ $database.storageClass }}"
      {{- end }}
      {{- end }}
      resources:
        requests:
          storage: {{ $database.size | quote }}
  {{- end -}}
  {{- end -}}
--- a/templates/database/database-svc.yaml
+++ b/templates/database/database-svc.yaml
 {{- if eq .Values.database.type "internal" -}}
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "harbor.database" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - port: 5432
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: database
 {{- end -}}
\ No newline at end of file
--- a/templates/ingress/ingress.yaml
+++ b/templates/ingress/ingress.yaml
 {{- if eq .Values.expose.type "ingress" }}
 {{- $ingress := .Values.expose.ingress -}}
 {{- $tls := .Values.expose.tls -}}
 {{- if eq .Values.expose.ingress.controller "gce" }}
  {{- $_ := set . "portal_path" "/*" -}}
  {{- $_ := set . "api_path" "/api/*" -}}
  {{- $_ := set . "service_path" "/service/*" -}}
  {{- $_ := set . "v2_path" "/v2/*" -}}
  {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
  {{- $_ := set . "controller_path" "/c/*" -}}
  {{- $_ := set . "notary_path" "/" -}}
 {{- else if eq .Values.expose.ingress.controller "ncp" }}
  {{- $_ := set . "portal_path" "/.*" -}}
  {{- $_ := set . "api_path" "/api/.*" -}}
  {{- $_ := set . "service_path" "/service/.*" -}}
  {{- $_ := set . "v2_path" "/v2/.*" -}}
  {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
  {{- $_ := set . "controller_path" "/c/.*" -}}
  {{- $_ := set . "notary_path" "/.*" -}}
 {{- else }}
  {{- $_ := set . "portal_path" "/" -}}
  {{- $_ := set . "api_path" "/api" -}}
  {{- $_ := set . "service_path" "/service" -}}
  {{- $_ := set . "v2_path" "/v2" -}}
  {{- $_ := set . "chartrepo_path" "/chartrepo" -}}
  {{- $_ := set . "controller_path" "/c" -}}
  {{- $_ := set . "notary_path" "/" -}}
 {{- end }}
 ---
 {{- if not (.Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1") -}}
 {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: extensions/v1beta1
 {{- else }}
 apiVersion: networking.k8s.io/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
  name: "{{ template "harbor.ingress" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
  annotations:
 {{ toYaml $ingress.annotations | indent 4 }}
 {{- if .Values.internalTLS.enabled }}
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 {{- end }}
 {{- if eq .Values.expose.ingress.controller "ncp" }}
    ncp/use-regex: "true"
    {{- if $tls.enabled }}
    ncp/http-redirect: "true"
    {{- end }}
 {{- end }}
 spec:
  {{- if $tls.enabled }}
  tls:
  - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
    {{- if $ingress.hosts.core }}
    hosts:
    - {{ $ingress.hosts.core }}.{{ $.Values.global.host }}
    {{- end }}
  {{- end }}
  rules:
  - http:
      paths:
      - path: {{ .portal_path }}
        backend:
          serviceName: {{ template "harbor.portal" . }}
          servicePort: {{ template "harbor.portal.servicePort" . }}
      - path: {{ .api_path }}
        backend:
          serviceName: {{ template "harbor.core" . }}
          servicePort: {{ template "harbor.core.servicePort" . }}
      - path: {{ .service_path }}
        backend:
          serviceName: {{ template "harbor.core" . }}
          servicePort: {{ template "harbor.core.servicePort" . }}
      - path: {{ .v2_path }}
        backend:
          serviceName: {{ template "harbor.core" . }}
          servicePort: {{ template "harbor.core.servicePort" . }}
      - path: {{ .chartrepo_path }}
        backend:
          serviceName: {{ template "harbor.core" . }}
          servicePort: {{ template "harbor.core.servicePort" . }}
      - path: {{ .controller_path }}
        backend:
          serviceName: {{ template "harbor.core" . }}
          servicePort: {{ template "harbor.core.servicePort" . }}
    {{- if $ingress.hosts.core }}
    host: {{ $ingress.hosts.core }}.{{ $.Values.global.host }}
    {{- end }}
 {{- if .Values.notary.enabled  }}
 ---
 {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: extensions/v1beta1
 {{- else }}
 apiVersion: networking.k8s.io/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
  name: "{{ template "harbor.ingress-notary" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
  annotations:
 {{ toYaml $ingress.annotations | indent 4 }}
 {{- if eq .Values.expose.ingress.controller "ncp" }}
    ncp/use-regex: "true"
    {{- if $tls.enabled }}
    ncp/http-redirect: "true"
    {{- end }}
 {{- end }}
 spec:
  {{- if $tls.enabled }}
  tls:
  - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }}
    {{- if $ingress.hosts.notary }}
    hosts:
    - {{ $ingress.hosts.notary }}.{{ $.Values.global.host }}
    {{- end }}
  {{- end }}
  rules:
  - http:
      paths:
      - path: {{ .notary_path }}
        backend:
          serviceName: {{ template "harbor.notary-server" . }}
          servicePort: 4443
    {{- if $ingress.hosts.notary }}
    host: {{ $ingress.hosts.notary }}.{{ $.Values.global.host }}
    {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/ingress/ingresshost.yaml
+++ b/templates/ingress/ingresshost.yaml
 {{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}}
 ---
 apiVersion: bcc.bd-apaas.com/v1alpha1
 kind: IngressHost
 metadata:
  name: "{{ template "harbor.ingress" . }}-core"
  annotations:
    {{- with .Values.expose.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  labels:
    {{ include "harbor.labels" . | nindent 4 }}
 spec:
  host: "{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}" 
 ---
 apiVersion: bcc.bd-apaas.com/v1alpha1
 kind: IngressHost
 metadata:
  name: "{{ template "harbor.ingress" . }}-notary"
  annotations:
    {{- with .Values.expose.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  labels:
    {{ include "harbor.labels" . | nindent 4 }}
 spec:
  host: "{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}" 
 {{- end -}}
--- a/templates/ingress/ingressroute.yaml
+++ b/templates/ingress/ingressroute.yaml
 {{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}}
 ---
 apiVersion: bcc.bd-apaas.com/v1alpha1
 kind: IngressRoute
 metadata:
  name: "{{ template "harbor.ingress" . }}"
  annotations:
    {{- with .Values.expose.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  labels:
    {{ include "harbor.labels" . | nindent 4 }}
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
      kind: Rule
      services:
      - name: {{ template "harbor.portal" . }}
        port: {{ template "harbor.portal.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`)
      kind: Rule
      middlewares:
        - name: "{{ template "harbor.ingress" . }}-https"
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
      kind: Rule
      services:
      - name: {{ template "harbor.notary-server" . }}
        port: 4443
  tls:
    certResolver: default
 ---
 apiVersion: bcc.bd-apaas.com/v1alpha1
 kind: IngressRoute
 metadata:
  name: "{{ template "harbor.ingress" . }}-http"
  annotations:
    {{- with .Values.expose.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  labels:
    {{ include "harbor.labels" . | nindent 4 }}
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
      kind: Rule
      services:
      - name: {{ template "harbor.portal" . }}
        port: {{ template "harbor.portal.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/api/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/service/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/v2/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/chartrepo/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.core }}.{{ $.Values.global.host }}`) && PathPrefix(`/c/`)
      kind: Rule
      services:
      - name: {{ template "harbor.core" . }}
        port: {{ template "harbor.core.servicePort" . }}
    - match: Host(`{{ .Values.expose.ingress.hosts.notary }}.{{ $.Values.global.host }}`) && PathPrefix(`/`)
      kind: Rule
      services:
      - name: {{ template "harbor.notary-server" . }}
        port: 4443
 {{- end -}}
--- a/templates/ingress/middleware.yaml
+++ b/templates/ingress/middleware.yaml
 {{- if .Capabilities.APIVersions.Has "bcc.bd-apaas.com/v1alpha1" -}}
 apiVersion: bcc.bd-apaas.com/v1alpha1
 kind: Middleware
 metadata:
  name: "{{ template "harbor.ingress" . }}-https"
 spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
 {{- end -}}
\ No newline at end of file
--- a/templates/ingress/secret.yaml
+++ b/templates/ingress/secret.yaml
 {{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
 {{- $ca := genCA "harbor-ca" 365 }}
 {{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.ingress" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  tls.crt: {{ $cert.Cert | b64enc | quote }}
  tls.key: {{ $cert.Key | b64enc | quote }}
  ca.crt: {{ $ca.Cert | b64enc | quote }}
 {{- end }}
\ No newline at end of file
--- a/templates/internal/auto-tls.yaml
+++ b/templates/internal/auto-tls.yaml
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
 {{- $ca := genCA "harbor-internal-ca" 365 }}
 {{- $coreCN := (include "harbor.core" .) }}
 {{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }}
 {{- $jsCN := (include "harbor.jobservice" .) }}
 {{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }}
 {{- $regCN := (include "harbor.registry" .) }}
 {{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }}
 {{- $portalCN := (include "harbor.portal" .) }}
 {{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.core.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $coreCrt.Cert | b64enc | quote }}
  tls.key: {{ $coreCrt.Key | b64enc | quote }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $jsCrt.Cert | b64enc | quote }}
  tls.key: {{ $jsCrt.Key | b64enc | quote }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $regCrt.Cert | b64enc | quote }}
  tls.key: {{ $regCrt.Key | b64enc | quote }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $portalCrt.Cert | b64enc | quote }}
  tls.key: {{ $portalCrt.Key | b64enc | quote }}
 {{- if .Values.chartmuseum.enabled }}
 ---
 {{- $chartCN := (include "harbor.chartmuseum" .) }}
 {{- $chartCrt := genSignedCert $chartCN nil (list $chartCN) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.chartmuseum.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $chartCrt.Cert | b64enc | quote }}
  tls.key: {{ $chartCrt.Key | b64enc | quote }}
 {{- end }}
 {{- if .Values.clair.enabled }}
 ---
 {{- $clairCN := (include "harbor.clair" .) }}
 {{- $clairCrt := genSignedCert $clairCN nil (list $clairCN) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.clair.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $clairCrt.Cert | b64enc | quote }}
  tls.key: {{ $clairCrt.Key | b64enc | quote }}
 {{- end }}
 {{- if and .Values.trivy.enabled}}
 ---
 {{- $trivyCN := (include "harbor.trivy" .) }}
 {{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $trivyCrt.Cert | b64enc | quote }}
  tls.key: {{ $trivyCrt.Key | b64enc | quote }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/jobservice/jobservice-cm-env.yaml
+++ b/templates/jobservice/jobservice-cm-env.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: "{{ template "harbor.jobservice" . }}-env"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  CORE_URL: "{{ template "harbor.coreURL" . }}"
  TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}"
  REGISTRY_URL: "{{ template "harbor.registryURL" . }}"
  REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}"
  REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}"
  {{- if has "jobservice" .Values.proxy.components }}
  HTTP_PROXY: "{{ .Values.proxy.httpProxy }}"
  HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}"
  NO_PROXY: "{{ template "harbor.noProxy" . }}"
  {{- end }}
--- a/templates/jobservice/jobservice-cm.yaml
+++ b/templates/jobservice/jobservice-cm.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: "{{ template "harbor.jobservice" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  config.yml: |+
    #Server listening port
    protocol: "{{ template "harbor.component.scheme" . }}"
    port: {{ template "harbor.jobservice.containerPort". }}
    {{- if .Values.internalTLS.enabled }}
    https_config:
      cert: "/etc/harbor/ssl/jobservice/tls.crt"
      key: "/etc/harbor/ssl/jobservice/tls.key"
    {{- end }}
    worker_pool:
      workers: {{ .Values.jobservice.maxJobWorkers }}
      backend: "redis"
      redis_pool:
        redis_url: "{{ template "harbor.redis.urlForJobservice" . }}"
        namespace: "harbor_job_service_namespace"
        idle_timeout_second: 3600
    job_loggers:
      {{- if eq .Values.jobservice.jobLogger "file" }}
      - name: "FILE"
        level: {{ .Values.logLevel | upper }}
        settings: # Customized settings of logger
          base_dir: "/var/log/jobs"
        sweeper:
          duration: 14 #days
          settings: # Customized settings of sweeper
            work_dir: "/var/log/jobs"
      {{- else if eq .Values.jobservice.jobLogger "database" }}
      - name: "DB"
        level: {{ .Values.logLevel | upper }}
        sweeper:
          duration: 14 #days
      {{- else }}
      - name: "STD_OUTPUT"
        level: {{ .Values.logLevel | upper }}
      {{- end }}
    #Loggers for the job service
    loggers:
      - name: "STD_OUTPUT"
        level: {{ .Values.logLevel | upper }}
\ No newline at end of file
--- a/templates/jobservice/jobservice-dpl.yaml
+++ b/templates/jobservice/jobservice-dpl.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: "{{ template "harbor.jobservice" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: jobservice
 spec:
  replicas: {{ .Values.jobservice.replicas }}
  strategy:
    type: {{ .Values.updateStrategy.type }}
    {{- if eq .Values.updateStrategy.type "Recreate" }}
    rollingUpdate: null
    {{- end }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: jobservice
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: jobservice
      annotations:
        checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }}
        checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
        checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }}
 {{- end }}
 {{- if .Values.jobservice.podAnnotations }}
 {{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      securityContext:
        fsGroup: 10000
 {{- if .Values.jobservice.serviceAccountName }}
      serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: jobservice
 {{- if contains "/" .Values.jobservice.image.repository }}
        image: "{{ .Values.jobservice.image.repository }}"
 {{- else }}
        image: "{{ .Values.jobservice.image.hub | default .Values.global.hub }}/{{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        livenessProbe:
          httpGet:
            path: /api/v1/stats
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.jobservice.containerPort" . }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/v1/stats
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.jobservice.containerPort" . }}
          initialDelaySeconds: 20
          periodSeconds: 10
 {{- if .Values.jobservice.resources }}
        resources:
 {{ toYaml .Values.jobservice.resources | indent 10 }}
 {{- end }}
        env:
          - name: CORE_SECRET
            valueFrom:
              secretKeyRef:
                name: {{ template "harbor.core" . }}
                key: secret
          {{- if .Values.internalTLS.enabled }}
          - name: INTERNAL_TLS_ENABLED
            value: "true"
          - name: INTERNAL_TLS_KEY_PATH
            value: /etc/harbor/ssl/jobservice/tls.key
          - name: INTERNAL_TLS_CERT_PATH
            value: /etc/harbor/ssl/jobservice/tls.crt
          - name: INTERNAL_TLS_TRUST_CA_PATH
            value: /etc/harbor/ssl/jobservice/ca.crt
          {{- end }}
        envFrom:
        - configMapRef:
            name: "{{ template "harbor.jobservice" . }}-env"
        - secretRef:
            name: "{{ template "harbor.jobservice" . }}"
        ports:
        - containerPort: {{ template "harbor.jobservice.containerPort" . }}
        volumeMounts:
        - name: jobservice-config
          mountPath: /etc/jobservice/config.yml
          subPath: config.yml
        - name: job-logs
          mountPath: /var/log/jobs
          subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
        {{- if .Values.internalTLS.enabled }}
        - name: jobservice-internal-certs
          mountPath: /etc/harbor/ssl/jobservice
        {{- end }}
        {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
      volumes:
      - name: jobservice-config
        configMap:
          name: "{{ template "harbor.jobservice" . }}"
      - name: job-logs
        {{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }}
        persistentVolumeClaim:
          claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.existingClaim | default (include "harbor.jobservice" .) }}
        {{- else }}
        emptyDir: {}
        {{- end }}
      {{- if .Values.internalTLS.enabled }}
      - name: jobservice-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }}
      {{- end }}
      {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
    {{- with .Values.jobservice.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.jobservice.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.jobservice.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
--- a/templates/jobservice/jobservice-pvc.yaml
+++ b/templates/jobservice/jobservice-pvc.yaml
 {{- $jobservice := .Values.persistence.persistentVolumeClaim.jobservice -}}
 {{- if and .Values.persistence.enabled (not $jobservice.existingClaim) }}
 {{- if eq .Values.jobservice.jobLogger "file" }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ template "harbor.jobservice" . }}
  {{- if eq .Values.persistence.resourcePolicy "keep" }}
  annotations:
    helm.sh/resource-policy: keep
  {{- end }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: jobservice
 spec:
  accessModes: 
    - {{ $jobservice.accessMode }}
  resources:
    requests:
      storage: {{ $jobservice.size }}
  {{- if $jobservice.storageClass }}
    {{- if eq "-" $jobservice.storageClass }}
  storageClassName: ""
    {{- else }}
  storageClassName: {{ $jobservice.storageClass }}
    {{- end }}
  {{- end }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/jobservice/jobservice-secrets.yaml
+++ b/templates/jobservice/jobservice-secrets.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.jobservice" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
  REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
--- a/templates/jobservice/jobservice-svc.yaml
+++ b/templates/jobservice/jobservice-svc.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "harbor.jobservice" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - port: {{ template "harbor.jobservice.servicePort" . }}
      targetPort: {{ template "harbor.jobservice.containerPort" . }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: jobservice
--- a/templates/jobservice/jobservice-tls.yaml
+++ b/templates/jobservice/jobservice-tls.yaml
 {{- if and .Values.internalTLS.enabled }}
 {{- if eq .Values.internalTLS.certSource "manual" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
  tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }}
  tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/nginx/configmap-http.yaml
+++ b/templates/nginx/configmap-http.yaml
 {{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }}
 {{- $scheme := (include "harbor.component.scheme" .) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ template "harbor.nginx" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  nginx.conf: |+
    worker_processes auto;
    pid /tmp/nginx.pid;
    events {
      worker_connections 1024;
      use epoll;
      multi_accept on;
    }
    http {
      client_body_temp_path /tmp/client_body_temp;
      proxy_temp_path /tmp/proxy_temp;
      fastcgi_temp_path /tmp/fastcgi_temp;
      uwsgi_temp_path /tmp/uwsgi_temp;
      scgi_temp_path /tmp/scgi_temp;
      tcp_nodelay on;
      # this is necessary for us to be able to disable request buffering in all cases
      proxy_http_version 1.1;
      upstream core {
        server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
      }
      upstream portal {
        server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }};
      }
      log_format timed_combined '[$time_local]:$remote_addr - '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '$request_time $upstream_response_time $pipe';
      access_log /dev/stdout timed_combined;
      server {
        listen 8080;
        server_tokens off;
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # Add extra headers
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";
        location / {
          proxy_pass {{ $scheme }}://portal/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /api/ {
          proxy_pass {{ $scheme }}://core/api/;
        {{- if and .Values.internalTLS.enabled }}
          proxy_ssl_verify        off;
          proxy_ssl_session_reuse on;
        {{- end }}
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /chartrepo/ {
          proxy_pass {{ $scheme }}://core/chartrepo/;
        {{- if and .Values.internalTLS.enabled }}
          proxy_ssl_verify        off;
          proxy_ssl_session_reuse on;
        {{- end }}
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /c/ {
          proxy_pass {{ $scheme }}://core/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /v1/ {
          return 404;
        }
        location /v2/ {
          proxy_pass {{ $scheme }}://core/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /service/ {
          proxy_pass {{ $scheme }}://core/service/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
      location /service/notifications {
          return 404;
        }
      }
    }
 {{- end }}
--- a/templates/nginx/configmap-https.yaml
+++ b/templates/nginx/configmap-https.yaml
 {{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }}
 {{- $scheme := (include "harbor.component.scheme" .) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ template "harbor.nginx" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  nginx.conf: |+
    worker_processes auto;
    pid /tmp/nginx.pid;
    events {
      worker_connections 1024;
      use epoll;
      multi_accept on;
    }
    http {
      client_body_temp_path /tmp/client_body_temp;
      proxy_temp_path /tmp/proxy_temp;
      fastcgi_temp_path /tmp/fastcgi_temp;
      uwsgi_temp_path /tmp/uwsgi_temp;
      scgi_temp_path /tmp/scgi_temp;
      tcp_nodelay on;
      # this is necessary for us to be able to disable request buffering in all cases
      proxy_http_version 1.1;
      upstream core {
        server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
      }
      upstream portal {
        server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}";
      }
      {{- if .Values.notary.enabled }}
      upstream notary-server {
        server {{ template "harbor.notary-server" . }}:4443;
      }
      {{- end }}
      log_format timed_combined '[$time_local]:$remote_addr - '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '$request_time $upstream_response_time $pipe';
      access_log /dev/stdout timed_combined;
      {{- if .Values.notary.enabled }}
      server {
        listen 4443 ssl;
        server_tokens off;
        # ssl
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;
        # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
        ssl_protocols tlsv1.1 tlsv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:ssl:10m;
        # disable any limits to avoid http 413 for large image uploads
        client_max_body_size 0;
        # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
        location /v2/ {
          proxy_pass http://notary-server/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
      }
      {{- end }}
      server {
        listen 8443 ssl;
    #    server_name harbordomain.com;
        server_tokens off;
        # SSL
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;
        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
        # Add extra headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";
        location / {
          proxy_pass {{ $scheme }}://portal/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_cookie_path / "/; HttpOnly; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /api/ {
          proxy_pass {{ $scheme }}://core/api/;
        {{- if and .Values.internalTLS.enabled }}
          proxy_ssl_verify        off;
          proxy_ssl_session_reuse on;
        {{- end }}
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /chartrepo/ {
          proxy_pass {{ $scheme }}://core/chartrepo/;
        {{- if and .Values.internalTLS.enabled }}
          proxy_ssl_verify        off;
          proxy_ssl_session_reuse on;
        {{- end }}
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /c/ {
          proxy_pass {{ $scheme }}://core/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /v1/ {
          return 404;
        }
        location /v2/ {
          proxy_pass {{ $scheme }}://core/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }
        location /service/ {
          proxy_pass {{ $scheme }}://core/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_cookie_path / "/; Secure";
          proxy_buffering off;
          proxy_request_buffering off;
        }
      location /service/notifications {
          return 404;
        }
      }
        server {
          listen 8080;
          #server_name harbordomain.com;
          return 301 https://$host$request_uri;
      }
    }
 {{- end }}
--- a/templates/nginx/deployment.yaml
+++ b/templates/nginx/deployment.yaml
 {{- if ne .Values.expose.type "ingress" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "harbor.nginx" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: nginx
 spec:
  replicas: {{ .Values.nginx.replicas }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: nginx
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: nginx
      annotations:
      {{- if not .Values.expose.tls.enabled }}
        checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }}
      {{- else }}
        checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }}
      {{- end }}
      {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
        checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }}
      {{- end }}
 {{- if .Values.nginx.podAnnotations }}
 {{ toYaml .Values.nginx.podAnnotations | indent 8 }}
 {{- end }}
    spec:
 {{- if .Values.nginx.serviceAccountName }}
      serviceAccountName: {{ .Values.nginx.serviceAccountName }}
 {{- end }}
      securityContext:
        fsGroup: 10000
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: nginx
 {{- if contains "/" .Values.nginx.image.repository }}
        image: "{{ .Values.nginx.image.repository }}"
 {{- else }}
        image: "{{ .Values.nginx.image.hub | default .Values.global.hub }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        {{- $_ := set . "scheme" "HTTP" -}}
        {{- $_ := set . "port" "8080" -}}
        {{- if .Values.expose.tls.enabled }}
          {{- $_ := set . "scheme" "HTTPS" -}}
          {{- $_ := set . "port" "8443" -}}
        {{- end }}
        livenessProbe:
          httpGet:
            scheme: {{ .scheme }}
            path: /
            port: {{ .port }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            scheme: {{ .scheme }}
            path: /
            port: {{ .port }}
          initialDelaySeconds: 1
          periodSeconds: 10
 {{- if .Values.nginx.resources }}
        resources:
 {{ toYaml .Values.nginx.resources | indent 10 }}
 {{- end }}
        ports:
        - containerPort: 8080
        - containerPort: 8443
        - containerPort: 4443
        volumeMounts:
        - name: config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
        {{- if .Values.expose.tls.enabled }}
        - name: certificate
          mountPath: /etc/nginx/cert
        {{- end }}
      volumes:
      - name: config
        configMap:
          name: {{ template "harbor.nginx" . }}
      {{- if .Values.expose.tls.enabled }}
      - name: certificate
        secret:
          secretName: {{ template "harbor.tlsSecretForNginx" . }}
      {{- end }}
    {{- with .Values.nginx.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.nginx.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.nginx.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
 {{- end }}
--- a/templates/nginx/secret.yaml
+++ b/templates/nginx/secret.yaml
 {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
 {{- $ca := genCA "harbor-ca" 365 }}
 {{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "harbor.nginx" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }}
  {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }}
  tls.crt: {{ $cert.Cert | b64enc | quote }}
  tls.key: {{ $cert.Key | b64enc | quote }}
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  {{- else }}
  {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}
  tls.crt: {{ $cert.Cert | b64enc | quote }}
  tls.key: {{ $cert.Key | b64enc | quote }}
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/nginx/service.yaml
+++ b/templates/nginx/service.yaml
 {{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }}
 apiVersion: v1
 kind: Service
 metadata:
 {{- if eq .Values.expose.type "clusterIP" }}
 {{- $clusterIP := .Values.expose.clusterIP }}
  name: {{ $clusterIP.name }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  type: ClusterIP
  ports:
    - name: http
      port: {{ $clusterIP.ports.httpPort }}
      targetPort: 8080
    {{- if .Values.expose.tls.enabled }}
    - name: https
      port: {{ $clusterIP.ports.httpsPort }}
      targetPort: 8443
    {{- end }}
    {{- if .Values.notary.enabled }}
    - name: notary
      port: {{ $clusterIP.ports.notaryPort }}
      targetPort: 4443
    {{- end }}
 {{- else if eq .Values.expose.type "nodePort" }}
 {{- $nodePort := .Values.expose.nodePort }}
  name: {{ $nodePort.name }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  type: NodePort
  ports:
    - name: http
      port: {{ $nodePort.ports.http.port }}
      targetPort: 8080
      {{- if $nodePort.ports.http.nodePort }}
      nodePort: {{ $nodePort.ports.http.nodePort }}
      {{- end }}
    {{- if .Values.expose.tls.enabled }}
    - name: https
      port: {{ $nodePort.ports.https.port }}
      targetPort: 8443
      {{- if $nodePort.ports.https.nodePort }}
      nodePort: {{ $nodePort.ports.https.nodePort }}
      {{- end }}
    {{- end }}
    {{- if .Values.notary.enabled }}
    - name: notary
      port: {{ $nodePort.ports.notary.port }}
      targetPort: 4443
      {{- if $nodePort.ports.notary.nodePort }}
      nodePort: {{ $nodePort.ports.notary.nodePort }}
      {{- end }}
    {{- end }}
 {{- else if eq .Values.expose.type "loadBalancer" }}
 {{- $loadBalancer := .Values.expose.loadBalancer }}
  name: {{ $loadBalancer.name }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 {{- with $loadBalancer.annotations }}
  annotations:
  {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
  type: LoadBalancer
  {{- with $loadBalancer.sourceRanges }}
  loadBalancerSourceRanges:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- if $loadBalancer.IP }}
  loadBalancerIP: {{ $loadBalancer.IP }}
  {{- end }}
  ports:
    - name: http
      port: {{ $loadBalancer.ports.httpPort }}
      targetPort: 8080
    {{- if .Values.expose.tls.enabled }}
    - name: https
      port: {{ $loadBalancer.ports.httpsPort }}
      targetPort: 8443
    {{- end }}
    {{- if .Values.notary.enabled }}
    - name: notary
      port: {{ $loadBalancer.ports.notaryPort }}
      targetPort: 4443
    {{- end }}
 {{- end }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: nginx
 {{- end }}
--- a/templates/notary/notary-secret.yaml
+++ b/templates/notary/notary-secret.yaml
 {{- if and .Values.notary.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "harbor.notary-server" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: notary
 type: Opaque
 data:
  {{- if not .Values.notary.secretName }}
  {{- $ca := genCA "harbor-notary-ca" 365 }}
  {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }}
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  tls.crt: {{ $cert.Cert | b64enc | quote }}
  tls.key: {{ $cert.Key | b64enc | quote }}
  {{- end }}
  server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }}
  signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }}
 {{- end }}
--- a/templates/notary/notary-server.yaml
+++ b/templates/notary/notary-server.yaml
 {{ if .Values.notary.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "harbor.notary-server" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: notary-server
 spec:
  replicas: {{ .Values.notary.server.replicas }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: notary-server
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: notary-server
      annotations:
        checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }}
        checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
 {{- if .Values.notary.podAnnotations }}
 {{ toYaml .Values.notary.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      securityContext:
        fsGroup: 10000
 {{- if .Values.notary.server.serviceAccountName }}
      serviceAccountName: {{ .Values.notary.server.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: notary-server
 {{- if contains "/" .Values.notary.server.image.repository }}
        image: "{{ .Values.notary.server.image.repository }}"
 {{- else }}
        image: "{{ .Values.notary.server.image.hub | default .Values.global.hub }}/{{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
 {{- if .Values.notary.server.resources }}
        resources:
 {{ toYaml .Values.notary.server.resources | indent 10 }}
 {{- end }}
        env:
        - name: MIGRATIONS_PATH
          value: migrations/server/postgresql
        - name: DB_URL
          value: {{ template "harbor.database.notaryServer" . }}
        volumeMounts:
        - name: config
          mountPath: /etc/notary/server-config.postgres.json
          subPath: server.json
        - name: token-service-certificate
          mountPath: /root.crt
          subPath: tls.crt
        - name: signer-certificate
          mountPath: /etc/ssl/notary/ca.crt
          subPath: ca.crt
      volumes:
      - name: config
        secret:
          secretName: "{{ template "harbor.notary-server" . }}"
      - name: token-service-certificate
        secret:
          {{- if .Values.core.secretName }}
          secretName: {{ .Values.core.secretName }}
          {{- else }}
          secretName: {{ template "harbor.core" . }}
          {{- end }}
      - name: signer-certificate
        secret:
          {{- if .Values.notary.secretName }}
          secretName: {{ .Values.notary.secretName }}
          {{- else }}
          secretName: {{ template "harbor.notary-server" . }}
          {{- end }}
    {{- with .Values.notary.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.notary.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.notary.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
 {{ end }}
--- a/templates/notary/notary-signer.yaml
+++ b/templates/notary/notary-signer.yaml
 {{ if .Values.notary.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "harbor.notary-signer" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: notary-signer
 spec:
  replicas: {{ .Values.notary.signer.replicas }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: notary-signer
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: notary-signer
      annotations:
        checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }}
    spec:
      securityContext:
        fsGroup: 10000
 {{- if .Values.notary.signer.serviceAccountName }}
      serviceAccountName: {{ .Values.notary.signer.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: notary-signer
 {{- if contains "/" .Values.notary.signer.image.repository }}
        image: "{{ .Values.notary.signer.image.repository }}"
 {{- else }}
        image: "{{ .Values.notary.signer.image.hub | default .Values.global.hub }}/{{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
 {{- if .Values.notary.signer.resources }}
        resources:
 {{ toYaml .Values.notary.signer.resources | indent 10 }}
 {{- end }}
        env:
        - name: MIGRATIONS_PATH
          value: migrations/signer/postgresql
        - name: DB_URL
          value: {{ template "harbor.database.notarySigner" . }}
        - name: NOTARY_SIGNER_DEFAULTALIAS
          value: defaultalias
        volumeMounts:
        - name: config
          mountPath: /etc/notary/signer-config.postgres.json
          subPath: signer.json
        - name: signer-certificate
          mountPath: /etc/ssl/notary/tls.crt
          subPath: tls.crt
        - name: signer-certificate
          mountPath: /etc/ssl/notary/tls.key
          subPath: tls.key
      volumes:
      - name: config
        secret:
          secretName: "{{ template "harbor.notary-server" . }}"
      - name: signer-certificate
        secret:
          {{- if .Values.notary.secretName }}
          secretName: {{ .Values.notary.secretName }}
          {{- else }}
          secretName: {{ template "harbor.notary-server" . }}
          {{- end }}
    {{- with .Values.notary.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.notary.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.notary.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
 {{ end }}
--- a/templates/notary/notary-svc.yaml
+++ b/templates/notary/notary-svc.yaml
 {{ if .Values.notary.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "harbor.notary-server" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
 {{- if  (eq .Values.expose.ingress.controller "gce") }}
  type: NodePort
 {{- end }}
  ports:
  - port: 4443
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: notary-server
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "harbor.notary-signer" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
  - port: 7899
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: notary-signer
 {{ end }}
\ No newline at end of file
--- a/templates/portal/configmap.yaml
+++ b/templates/portal/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: "{{ template "harbor.portal" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  nginx.conf: |+
    worker_processes auto;
    pid /tmp/nginx.pid;
    events {
        worker_connections  1024;
    }
    http {
        client_body_temp_path /tmp/client_body_temp;
        proxy_temp_path /tmp/proxy_temp;
        fastcgi_temp_path /tmp/fastcgi_temp;
        uwsgi_temp_path /tmp/uwsgi_temp;
        scgi_temp_path /tmp/scgi_temp;
        server {
    {{- if .Values.internalTLS.enabled }}
            listen {{ template "harbor.portal.containerPort" . }} ssl;
            # SSL
            ssl_certificate /etc/harbor/ssl/portal/tls.crt;
            ssl_certificate_key /etc/harbor/ssl/portal/tls.key;
            # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
            ssl_protocols TLSv1.2;
            ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
            ssl_prefer_server_ciphers on;
            ssl_session_cache shared:SSL:10m;
    {{- else }}
            listen {{ template "harbor.portal.containerPort" . }};
    {{- end }}
            server_name  localhost;
            root   /usr/share/nginx/html;
            index  index.html index.htm;
            include /etc/nginx/mime.types;
            gzip on;
            gzip_min_length 1000;
            gzip_proxied expired no-cache no-store private auth;
            gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
            location / {
                try_files $uri $uri/ /index.html;
            }
            location = /index.html {
                add_header Cache-Control "no-store, no-cache, must-revalidate";
            }
        }
    }
--- a/templates/portal/deployment.yaml
+++ b/templates/portal/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: "{{ template "harbor.portal" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: portal
 spec:
  replicas: {{ .Values.portal.replicas }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: portal
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: portal
      annotations:
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }}
 {{- end }}
 {{- if .Values.portal.podAnnotations }}
 {{ toYaml .Values.portal.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
 {{- if .Values.portal.serviceAccountName }}
      serviceAccountName: {{ .Values.portal.serviceAccountName }}
 {{- end }}
      containers:
      - name: portal
 {{- if contains "/" .Values.portal.image.repository }}
        image: "{{ .Values.portal.image.repository }}"
 {{- else }}
        image: "{{ .Values.portal.image.hub | default .Values.global.hub }}/{{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
 {{- if .Values.portal.resources }}
        resources:
 {{ toYaml .Values.portal.resources | indent 10 }}
 {{- end }}
        livenessProbe:
          httpGet:
            path: /
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.portal.containerPort" . }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.portal.containerPort" . }}
          initialDelaySeconds: 1
          periodSeconds: 10
        ports:
        - containerPort: {{ template "harbor.portal.containerPort" . }}
        volumeMounts:
        - name: portal-config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
        {{- if .Values.internalTLS.enabled }}
        - name: portal-internal-certs
          mountPath: /etc/harbor/ssl/portal
        {{- end }}
      volumes:
      - name: portal-config
        configMap:
          name: "{{ template "harbor.portal" . }}"
      {{- if .Values.internalTLS.enabled }}
      - name: portal-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.portal.secretName" . }}
      {{- end }}
    {{- with .Values.portal.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.portal.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.portal.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
--- a/templates/portal/service.yaml
+++ b/templates/portal/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "harbor.portal" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - port: {{ template "harbor.portal.servicePort" . }}
      targetPort: {{ template "harbor.portal.containerPort" . }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: portal
--- a/templates/portal/tls.yaml
+++ b/templates/portal/tls.yaml
 {{- if and .Values.internalTLS.enabled }}
 {{- if eq .Values.internalTLS.certSource "manual" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.portal.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
  tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }}
  tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }}
 {{- end }}
 {{- end }}
--- a/templates/redis/service.yaml
+++ b/templates/redis/service.yaml
 {{- if eq .Values.redis.type "internal" -}}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "harbor.redis" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - port: 6379
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: redis
 {{- end -}}
\ No newline at end of file
--- a/templates/redis/statefulset.yaml
+++ b/templates/redis/statefulset.yaml
 {{- if eq .Values.redis.type "internal" -}}
 {{- $redis := .Values.persistence.persistentVolumeClaim.redis -}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: {{ template "harbor.redis" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: redis
 spec:
  replicas: 1
  serviceName: {{ template "harbor.redis" . }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: redis
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: redis
 {{- if .Values.redis.podAnnotations }}
      annotations:
 {{ toYaml .Values.redis.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      securityContext:
        fsGroup: 999
 {{- if .Values.redis.internal.serviceAccountName }}
      serviceAccountName: {{ .Values.redis.internal.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: redis
 {{- if contains "/" .Values.redis.internal.image.repository }}
        image: "{{ .Values.redis.internal.image.repository }}"
 {{- else }}
        image: "{{ .Values.redis.internal.image.hub | default .Values.global.hub }}/{{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
        livenessProbe:
          tcpSocket:
            port: 6379
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          tcpSocket:
            port: 6379
          initialDelaySeconds: 1
          periodSeconds: 10
 {{- if .Values.redis.internal.resources }}
        resources:
 {{ toYaml .Values.redis.internal.resources | indent 10 }}
 {{- end }}
        volumeMounts:
        - name: data
          mountPath: /var/lib/redis
          subPath: {{ $redis.subPath }}
      {{- if not .Values.persistence.enabled }}
      volumes:
      - name: data
        emptyDir: {}
      {{- else if $redis.existingClaim }}
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: {{ $redis.existingClaim }}
      {{- end -}}
    {{- with .Values.redis.internal.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.redis.internal.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.redis.internal.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
  {{- if and .Values.persistence.enabled (not $redis.existingClaim) }}
  volumeClaimTemplates:
  - metadata:
      name: data
      labels:
 {{ include "harbor.labels" . | indent 8 }}
    spec:
      accessModes: [{{ $redis.accessMode | quote }}]
      {{- if $redis.storageClass }}
      {{- if (eq "-" $redis.storageClass) }}
      storageClassName: ""
      {{- else }}
      storageClassName: "{{ $redis.storageClass }}"
      {{- end }}
      {{- end }}
      resources:
        requests:
          storage: {{ $redis.size | quote }}
  {{- end -}}
  {{- end -}}
--- a/templates/registry/registry-cm.yaml
+++ b/templates/registry/registry-cm.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: "{{ template "harbor.registry" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 data:
  config.yml: |+
    version: 0.1
    log:
      {{- if eq .Values.logLevel "warning" }}
      level: warn
      {{- else if eq .Values.logLevel "fatal" }}
      level: error
      {{- else }}
      level: {{ .Values.logLevel }}
      {{- end }}
      fields:
        service: registry
    storage:
      {{- $storage := .Values.persistence.imageChartStorage }}
      {{- $type := $storage.type }}
      {{- if eq $type "filesystem" }}
      filesystem:
        rootdirectory: {{ $storage.filesystem.rootdirectory }}
        {{- if $storage.filesystem.maxthreads }}
        maxthreads: {{ $storage.filesystem.maxthreads }}
        {{- end }}
      {{- else if eq $type "azure" }}
      azure:
        accountname: {{ $storage.azure.accountname }}
        container: {{ $storage.azure.container }}
        {{- if $storage.azure.realm }}
        realm: {{ $storage.azure.realm }}
        {{- end }}
      {{- else if eq $type "gcs" }}
      gcs:
        bucket: {{ $storage.gcs.bucket }}
        keyfile: /etc/registry/gcs-key.json
        {{- if $storage.gcs.rootdirectory }}
        rootdirectory: {{ $storage.gcs.rootdirectory }}
        {{- end }}
        {{- if $storage.gcs.chunksize }}
        chunksize: {{ $storage.gcs.chunksize }}
        {{- end }}
      {{- else if eq $type "s3" }}
      s3:
        region: {{ $storage.s3.region }}
        bucket: {{ $storage.s3.bucket }}
        {{- if $storage.s3.regionendpoint }}
        regionendpoint: {{ $storage.s3.regionendpoint }}
        {{- end }}
        {{- if $storage.s3.encrypt }}
        encrypt: {{ $storage.s3.encrypt }}
        {{- end }}
        {{- if $storage.s3.keyid }}
        keyid: {{ $storage.s3.keyid }}
        {{- end }}
        {{- if $storage.s3.secure }}
        secure: {{ $storage.s3.secure }}
        {{- end }}
        {{- if and $storage.s3.secure $storage.s3.skipverify }}
        skipverify: {{ $storage.s3.skipverify }}
        {{- end }}
        {{- if $storage.s3.v4auth }}
        v4auth: {{ $storage.s3.v4auth }}
        {{- end }}
        {{- if $storage.s3.chunksize }}
        chunksize: {{ $storage.s3.chunksize }}
        {{- end }}
        {{- if $storage.s3.rootdirectory }}
        rootdirectory: {{ $storage.s3.rootdirectory }}
        {{- end }}
        {{- if $storage.s3.storageclass }}
        storageclass: {{ $storage.s3.storageclass }}
        {{- end }}
        {{- if $storage.s3.multipartcopychunksize }}
        multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }}
        {{- end }}
        {{- if $storage.s3.multipartcopymaxconcurrency }}
        multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }}
        {{- end }}
        {{- if $storage.s3.multipartcopythresholdsize }}
        multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }}
        {{- end }}
      {{- else if eq $type "swift" }}
      swift:
        authurl: {{ $storage.swift.authurl }}
        username: {{ $storage.swift.username }}
        container: {{ $storage.swift.container }}
        {{- if $storage.swift.region }}
        region: {{ $storage.swift.region }}
        {{- end }}
        {{- if $storage.swift.tenant }}
        tenant: {{ $storage.swift.tenant }}
        {{- end }}
        {{- if $storage.swift.tenantid }}
        tenantid: {{ $storage.swift.tenantid }}
        {{- end }}
        {{- if $storage.swift.domain }}
        domain: {{ $storage.swift.domain }}
        {{- end }}
        {{- if $storage.swift.domainid }}
        domainid: {{ $storage.swift.domainid }}
        {{- end }}
        {{- if $storage.swift.trustid }}
        trustid: {{ $storage.swift.trustid }}
        {{- end }}
        {{- if $storage.swift.insecureskipverify }}
        insecureskipverify: {{ $storage.swift.insecureskipverify }}
        {{- end }}
        {{- if $storage.swift.chunksize }}
        chunksize: {{ $storage.swift.chunksize }}
        {{- end }}
        {{- if $storage.swift.prefix }}
        prefix: {{ $storage.swift.prefix }}
        {{- end }}
        {{- if $storage.swift.authversion }}
        authversion: {{ $storage.swift.authversion }}
        {{- end }}
        {{- if $storage.swift.endpointtype }}
        endpointtype: {{ $storage.swift.endpointtype }}
        {{- end }}
        {{- if $storage.swift.tempurlcontainerkey }}
        tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }}
        {{- end }}
        {{- if $storage.swift.tempurlmethods }}
        tempurlmethods: {{ $storage.swift.tempurlmethods }}
        {{- end }}
      {{- else if eq $type "oss" }}
      oss:
        accesskeyid: {{ $storage.oss.accesskeyid }}
        region: {{ $storage.oss.region }}
        bucket: {{ $storage.oss.bucket }}
        {{- if $storage.oss.endpoint }}
        endpoint: {{ $storage.oss.endpoint }}
        {{- end }}
        {{- if $storage.oss.internal }}
        internal: {{ $storage.oss.internal }}
        {{- end }}
        {{- if $storage.oss.encrypt }}
        encrypt: {{ $storage.oss.encrypt }}
        {{- end }}
        {{- if $storage.oss.secure }}
        secure: {{ $storage.oss.secure }}
        {{- end }}
        {{- if $storage.oss.chunksize }}
        chunksize: {{ $storage.oss.chunksize }}
        {{- end }}
        {{- if $storage.oss.rootdirectory }}
        rootdirectory: {{ $storage.oss.rootdirectory }}
        {{- end }}
      {{- end }}
      cache:
        layerinfo: redis
      maintenance:
        uploadpurging:
          enabled: false
      delete:
        enabled: true
      redirect:
        disable: {{ $storage.disableredirect }}
    redis:
      addr: {{ template "harbor.redis.addr" . }}
      {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }}
      sentinelMasterSet: {{ template "harbor.redis.masterSet" . }}
      {{- end }}
      db: {{ template "harbor.redis.dbForRegistry" . }}
      password: {{ template "harbor.redis.password" . }}
      readtimeout: 10s
      writetimeout: 10s
      dialtimeout: 10s
    http:
      addr: :{{ template "harbor.registry.containerPort" . }}
      relativeurls: {{ .Values.registry.relativeurls }}
      {{- if .Values.internalTLS.enabled }}
      tls:
        certificate: /etc/harbor/ssl/registry/tls.crt
        key: /etc/harbor/ssl/registry/tls.key
        minimumtls: tls1.2
      {{- end }}
      # set via environment variable
      # secret: placeholder
      debug:
        addr: localhost:5001
    auth:
      htpasswd:
        realm: harbor-registry-basic-realm
        path: /etc/registry/passwd
    validation:
      disabled: true
    compatibility:
      schema1:
        enabled: true
    {{- if .Values.registry.middleware.enabled }}
    {{- $middleware := .Values.registry.middleware }}
    {{- $middlewareType := $middleware.type }}
    {{- if eq $middlewareType "cloudFront" }}
    middleware:
      storage:
        - name: cloudfront
          options:
            baseurl: {{ $middleware.cloudFront.baseurl }}
            privatekey: /etc/registry/pk.pem
            keypairid: {{ $middleware.cloudFront.keypairid }}
            duration: {{ $middleware.cloudFront.duration }}
            ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }}
    {{- end }}
    {{- end }}
  ctl-config.yml: |+
    ---
    {{- if .Values.internalTLS.enabled }}
    protocol: "https"
    port: 8443
    https_config:
      cert: "/etc/harbor/ssl/registry/tls.crt"
      key: "/etc/harbor/ssl/registry/tls.key"
    {{- else }}
    protocol: "http"
    port: 8080
    {{- end }}
    log_level: {{ .Values.logLevel }}
    registry_config: "/etc/registry/config.yml"
--- a/templates/registry/registry-dpl.yaml
+++ b/templates/registry/registry-dpl.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: "{{ template "harbor.registry" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: registry
 spec:
  replicas: {{ .Values.registry.replicas }}
  strategy:
    type: {{ .Values.updateStrategy.type }}
    {{- if eq .Values.updateStrategy.type "Recreate" }}
    rollingUpdate: null
    {{- end }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: registry
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: registry
      annotations:
        checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }}
        checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
        checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }}
 {{- end }}
 {{- if .Values.registry.podAnnotations }}
 {{ toYaml .Values.registry.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      securityContext:
        fsGroup: 10000
 {{- if .Values.registry.serviceAccountName }}
      serviceAccountName: {{ .Values.registry.serviceAccountName }}
 {{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: registry
 {{- if contains "/" .Values.registry.registry.image.repository }}
        image: "{{ .Values.registry.registry.image.repository }}"
 {{- else }}
        image: "{{ .Values.registry.registry.image.hub | default .Values.global.hub }}/{{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
        livenessProbe:
          httpGet:
            path: /
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.registry.containerPort" . }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.registry.containerPort" . }}
          initialDelaySeconds: 1
          periodSeconds: 10
 {{- if .Values.registry.registry.resources }}
        resources:
 {{ toYaml .Values.registry.registry.resources | indent 10 }}
 {{- end }}
        args: ["serve", "/etc/registry/config.yml"]
        envFrom:
        - secretRef:
            name: "{{ template "harbor.registry" . }}"
        env:
        {{- if has "registry" .Values.proxy.components }}
        - name: HTTP_PROXY
          value: "{{ .Values.proxy.httpProxy }}"
        - name: HTTPS_PROXY
          value: "{{ .Values.proxy.httpsProxy }}"
        - name: NO_PROXY
          value: "{{ template "harbor.noProxy" . }}"
        {{- end }}
        {{- if .Values.internalTLS.enabled }}
        - name: INTERNAL_TLS_ENABLED
          value: "true"
        - name: INTERNAL_TLS_KEY_PATH
          value: /etc/harbor/ssl/registry/tls.key
        - name: INTERNAL_TLS_CERT_PATH
          value: /etc/harbor/ssl/registry/tls.crt
        - name: INTERNAL_TLS_TRUST_CA_PATH
          value: /etc/harbor/ssl/registry/ca.crt
        {{- end }}
        ports:
        - containerPort: {{ template "harbor.registry.containerPort" . }}
        - containerPort: 5001
        volumeMounts:
        - name: registry-data
          mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
          subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
        - name: registry-root-certificate
          mountPath: /etc/registry/root.crt
          subPath: tls.crt
        - name: registry-htpasswd
          mountPath: /etc/registry/passwd
          subPath: passwd
        - name: registry-config
          mountPath: /etc/registry/config.yml
          subPath: config.yml
        {{- if .Values.internalTLS.enabled }}
        - name: registry-internal-certs
          mountPath: /etc/harbor/ssl/registry
        {{- end }}
        {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
        - name: gcs-key
          mountPath: /etc/registry/gcs-key.json
          subPath: gcs-key.json
        {{- end }}
        {{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
        - name: storage-service-ca
          mountPath: /harbor_cust_cert/custom-ca-bundle.crt
          subPath: ca.crt
        {{- end }}
        {{- if .Values.registry.middleware.enabled }}
        {{- if eq .Values.registry.middleware.type "cloudFront" }}
        - name: cloudfront-key
          mountPath: /etc/registry/pk.pem
          subPath: pk.pem
        {{- end }}
        {{- end }}
        {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
      - name: registryctl
 {{- if contains "/" .Values.registry.controller.image.repository }}
        image: "{{ .Values.registry.controller.image.repository }}"
 {{- else }}
        image: "{{ .Values.registry.controller.image.hub | default .Values.global.hub }}/{{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
        livenessProbe:
          httpGet:
            path: /api/health
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.registryctl.containerPort" . }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/health
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.registryctl.containerPort" . }}
          initialDelaySeconds: 1
          periodSeconds: 10
 {{- if .Values.registry.controller.resources }}
        resources:
 {{ toYaml .Values.registry.controller.resources | indent 10 }}
 {{- end }}
        envFrom:
        - secretRef:
            name: "{{ template "harbor.registry" . }}"
        env:
        - name: CORE_SECRET
          valueFrom:
            secretKeyRef:
              name: {{ template "harbor.core" . }}
              key: secret
        - name: JOBSERVICE_SECRET
          valueFrom:
            secretKeyRef:
              name: {{ template "harbor.jobservice" . }}
              key: JOBSERVICE_SECRET
        {{- if .Values.internalTLS.enabled }}
        - name: INTERNAL_TLS_ENABLED
          value: "true"
        - name: INTERNAL_TLS_KEY_PATH
          value: /etc/harbor/ssl/registry/tls.key
        - name: INTERNAL_TLS_CERT_PATH
          value: /etc/harbor/ssl/registry/tls.crt
        - name: INTERNAL_TLS_TRUST_CA_PATH
          value: /etc/harbor/ssl/registry/ca.crt
        {{- end }}
        ports:
        - containerPort: {{ template "harbor.registryctl.containerPort" . }}
        volumeMounts:
        - name: registry-data
          mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
          subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
        - name: registry-config
          mountPath: /etc/registry/config.yml
          subPath: config.yml
        - name: registry-config
          mountPath: /etc/registryctl/config.yml
          subPath: ctl-config.yml
        {{- if .Values.internalTLS.enabled }}
        - name: registry-internal-certs
          mountPath: /etc/harbor/ssl/registry
        {{- end }}
        {{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
        - name: storage-service-ca
          mountPath: /harbor_cust_cert/custom-ca-bundle.crt
          subPath: ca.crt
        {{- end }}
        {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
        - name: gcs-key
          mountPath: /etc/registry/gcs-key.json
          subPath: gcs-key.json
        {{- end }}
        {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
      volumes:
      - name: registry-htpasswd
        secret:
          secretName: {{ template "harbor.registry" . }}
          items:
            - key: REGISTRY_HTPASSWD
              path: passwd
      - name: registry-root-certificate
        secret:
          {{- if .Values.core.secretName }}
          secretName: {{ .Values.core.secretName }}
          {{- else }}
          secretName: {{ template "harbor.core" . }}
          {{- end }}
      - name: registry-config
        configMap:
          name: "{{ template "harbor.registry" . }}"
      - name: registry-data
      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}
        persistentVolumeClaim:
          claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }}
      {{- else }}
        emptyDir: {}
      {{- end }}
      {{- if .Values.internalTLS.enabled }}
      - name: registry-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.registry.secretName" . }}
      {{- end }}
      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
      - name: gcs-key
        secret:
          secretName: {{ template "harbor.registry" . }}
          items:
            - key: GCS_KEY_DATA
              path: gcs-key.json
      {{- end }}
      {{- if .Values.persistence.imageChartStorage.caBundleSecretName }}
      - name: storage-service-ca
        secret:
          secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }}
      {{- end }}
      {{- if .Values.registry.middleware.enabled }}
      {{- if eq .Values.registry.middleware.type "cloudFront" }}
      - name: cloudfront-key
        secret:
          secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }}
          items:
            - key: CLOUDFRONT_KEY_DATA
              path: pk.pem
      {{- end }}
      {{- end }}
      {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
    {{- with .Values.registry.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.registry.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.registry.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
--- a/templates/registry/registry-pvc.yaml
+++ b/templates/registry/registry-pvc.yaml
 {{- if .Values.persistence.enabled }}
 {{- $registry := .Values.persistence.persistentVolumeClaim.registry -}}
 {{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ template "harbor.registry" . }}
  {{- if eq .Values.persistence.resourcePolicy "keep" }}
  annotations:
    helm.sh/resource-policy: keep
  {{- end }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: registry
 spec:
  accessModes: 
    - {{ $registry.accessMode }}
  resources:
    requests:
      storage: {{ $registry.size }}
  {{- if $registry.storageClass }}
    {{- if eq "-" $registry.storageClass }}
  storageClassName: ""
    {{- else }}
  storageClassName: {{ $registry.storageClass }}
    {{- end }}
  {{- end }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/registry/registry-secret.yaml
+++ b/templates/registry/registry-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.registry" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }}
  REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
  REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }}
  {{- $storage := .Values.persistence.imageChartStorage }}
  {{- $type := $storage.type }}
  {{- if eq $type "azure" }}
  REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
  {{- else if eq $type "gcs" }}
  GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
  {{- else if eq $type "s3" }}
  {{- if $storage.s3.accesskey }}
  REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
  {{- end }}
  {{- if $storage.s3.secretkey }}
  REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
  {{- end }}
  {{- else if eq $type "swift" }}
  REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
  {{- if $storage.swift.secretkey }}
  REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
  {{- end }}
  {{- if $storage.swift.accesskey }}
  REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
  {{- end }}
  {{- else if eq $type "oss" }}
  REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
  {{- end }}
--- a/templates/registry/registry-svc.yaml
+++ b/templates/registry/registry-svc.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "harbor.registry" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - name: registry
      port: {{ template "harbor.registry.servicePort" . }}
    - name: controller
      port: {{ template "harbor.registryctl.servicePort" . }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: registry
\ No newline at end of file
--- a/templates/registry/registry-tls.yaml
+++ b/templates/registry/registry-tls.yaml
 {{- if and .Values.internalTLS.enabled }}
 {{- if eq .Values.internalTLS.certSource "manual" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.registry.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
  tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }}
  tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }}
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/templates/trivy/trivy-secret.yaml
+++ b/templates/trivy/trivy-secret.yaml
 {{- if .Values.trivy.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "harbor.trivy" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
  redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }}
  gitHubToken: {{  .Values.trivy.gitHubToken | default "" | b64enc | quote }}
 {{- end }}
--- a/templates/trivy/trivy-sts.yaml
+++ b/templates/trivy/trivy-sts.yaml
 {{- if .Values.trivy.enabled }}
 {{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: {{ template "harbor.trivy" . }}
  labels:
 {{ include "harbor.labels" . | indent 4 }}
    component: trivy
 spec:
  replicas: {{ .Values.trivy.replicas }}
  serviceName: {{  template "harbor.trivy" . }}
  selector:
    matchLabels:
 {{ include "harbor.matchLabels" . | indent 6 }}
      component: trivy
  template:
    metadata:
      labels:
 {{ include "harbor.labels" . | indent 8 }}
        component: trivy
      annotations:
        checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }}
 {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }}
 {{- end }}
 {{- if .Values.trivy.podAnnotations }}
 {{ toYaml .Values.trivy.podAnnotations | indent 8 }}
 {{- end }}
    spec:
 {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- if .Values.trivy.serviceAccountName }}
      serviceAccountName: {{ .Values.trivy.serviceAccountName }}
 {{- end }}
      securityContext:
        runAsNonRoot: true
        runAsUser: 10000
        fsGroup: 10000
      automountServiceAccountToken: false
      containers:
        - name: trivy
 {{- if contains "/" .Values.trivy.image.repository }}
          image: "{{ .Values.trivy.image.repository }}"
 {{- else }}
          image: "{{ .Values.trivy.image.hub | default .Values.global.hub }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag | default .Values.global.tag }}{{ template ".beagle.imageArch" . }}"
 {{- end }}
          imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
          env:
          {{- if has "trivy" .Values.proxy.components }}
            - name: HTTP_PROXY
              value: "{{ .Values.proxy.httpProxy }}"
            - name: HTTPS_PROXY
              value: "{{ .Values.proxy.httpsProxy }}"
            - name: NO_PROXY
              value: "{{ template "harbor.noProxy" . }}"
          {{- end }}
            - name: "SCANNER_LOG_LEVEL"
              value: {{ .Values.logLevel | quote }}
            - name: "SCANNER_TRIVY_CACHE_DIR"
              value: "/home/scanner/.cache/trivy"
            - name: "SCANNER_TRIVY_REPORTS_DIR"
              value: "/home/scanner/.cache/reports"
            - name: "SCANNER_TRIVY_DEBUG_MODE"
              value: {{ .Values.trivy.debugMode | quote }}
            - name: "SCANNER_TRIVY_VULN_TYPE"
              value: {{ .Values.trivy.vulnType | quote }}
            - name: "SCANNER_TRIVY_GITHUB_TOKEN"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: gitHubToken
            - name: "SCANNER_TRIVY_SEVERITY"
              value: {{ .Values.trivy.severity | quote }}
            - name: "SCANNER_TRIVY_IGNORE_UNFIXED"
              value: {{ .Values.trivy.ignoreUnfixed | default false | quote }}
            - name: "SCANNER_TRIVY_SKIP_UPDATE"
              value: {{ .Values.trivy.skipUpdate | default false | quote }}
            - name: "SCANNER_TRIVY_INSECURE"
              value: {{ .Values.trivy.insecure | default false | quote }}
            - name: SCANNER_API_SERVER_ADDR
              value: ":{{ template "harbor.trivy.containerPort" . }}"
            {{- if .Values.internalTLS.enabled }}
            - name: INTERNAL_TLS_ENABLED
              value: "true"
            - name: SCANNER_API_SERVER_TLS_KEY
              value: /etc/harbor/ssl/trivy/tls.key
            - name: SCANNER_API_SERVER_TLS_CERTIFICATE
              value: /etc/harbor/ssl/trivy/tls.crt
            {{- end }}
            - name: "SCANNER_REDIS_URL"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: redisURL
            - name: "SCANNER_STORE_REDIS_URL"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: redisURL
            - name: "SCANNER_JOB_QUEUE_REDIS_URL"
              valueFrom:
                secretKeyRef:
                  name: {{ template "harbor.trivy" . }}
                  key: redisURL
          ports:
            - name: api-server
              containerPort: {{ template "harbor.trivy.containerPort" . }}
          volumeMounts:
          - name: data
            mountPath: /home/scanner/.cache
            subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }}
            readOnly: false
          {{- if .Values.internalTLS.enabled }}
          - name: trivy-internal-certs
            mountPath: /etc/harbor/ssl/trivy
          {{- end }}
          {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 10 }}
          {{- end }}
          livenessProbe:
            httpGet:
              scheme: {{ include "harbor.component.scheme" . | upper }}
              path: /probe/healthy
              port: api-server
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
          readinessProbe:
            httpGet:
              scheme: {{ include "harbor.component.scheme" . | upper }}
              path: /probe/ready
              port: api-server
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          resources:
 {{ toYaml .Values.trivy.resources | indent 12 }}
      {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}
      volumes:
      {{- if .Values.internalTLS.enabled }}
      - name: trivy-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.trivy.secretName" . }}
      {{- end }}
      {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
      {{- if not .Values.persistence.enabled }}
      - name: "data"
        emptyDir: {}
      {{- else if $trivy.existingClaim }}
      - name: "data"
        persistentVolumeClaim:
          claimName: {{ $trivy.existingClaim }}
      {{- end }}
      {{- end }}
    {{- with .Values.trivy.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.trivy.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.trivy.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
    {{- end }}
 {{- if and .Values.persistence.enabled (not $trivy.existingClaim) }}
  volumeClaimTemplates:
  - metadata:
      name: data
      labels:
 {{ include "harbor.labels" . | indent 8 }}
    spec:
      accessModes: [{{ $trivy.accessMode | quote }}]
      {{- if $trivy.storageClass }}
      {{- if (eq "-" $trivy.storageClass) }}
      storageClassName: ""
      {{- else }}
      storageClassName: "{{ $trivy.storageClass }}"
      {{- end }}
      {{- end }}
      resources:
        requests:
          storage: {{ $trivy.size | quote }}
 {{- end }}
 {{- end }}
--- a/templates/trivy/trivy-svc.yaml
+++ b/templates/trivy/trivy-svc.yaml
 {{ if .Values.trivy.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "harbor.trivy" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
  ports:
    - name: api-server
      protocol: TCP
      port: {{ template "harbor.trivy.servicePort" . }}
  selector:
 {{ include "harbor.matchLabels" . | indent 4 }}
    component: trivy
 {{ end }}
--- a/templates/trivy/trivy-tls.yaml
+++ b/templates/trivy/trivy-tls.yaml
 {{- if and .Values.trivy.enabled .Values.internalTLS.enabled  }}
 {{- if eq .Values.internalTLS.certSource "manual" }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: "{{ template "harbor.internalTLS.trivy.secretName" . }}"
  labels:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
  ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }}
  tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }}
  tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }}
 {{- end }}
 {{- end }}
--- a/test/go.mod
+++ b/test/go.mod
 module github.com/goharbor/harbor-helm
 go 1.13
 require (
 	github.com/gruntwork-io/terratest v0.28.2
 	github.com/stretchr/testify v1.6.0
 	k8s.io/api v0.18.3
 )
--- a/test/go.sum
+++ b/test/go.sum
--- a/test/install_helm.sh
+++ b/test/install_helm.sh
 #/bin/bash
 set -e
 version=${HELM_VERSION}
 if [ "$version" = "2" ]
 then
    dist="helm-v2.8.0-linux-amd64.tar.gz"
    # as the helm v3 removes tiller, here appends the "-c" option 
    # to args only when running helm v2 to display the client version
    version_args="-c"
 elif [ "$version" = "3" ]
 then
    # the "template" command doesn't work for helm beta3:
    # https://github.com/helm/helm/issues/6404, use the beta2 for now
    dist="helm-v3.0.0-beta.2-linux-amd64.tar.gz"
 else
    echo "unsupported helm version: $version"
    exit 1
 fi
 wget -O /tmp/${dist} https://get.helm.sh/${dist}
 tar -zxvf /tmp/${dist} -C /tmp/
 sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm
 helm version $version_args
 echo "Helm installed"
\ No newline at end of file
--- a/test/integration/base.go
+++ b/test/integration/base.go
 package integration
 import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
 	"os/exec"
 	"strings"
 	"time"
 	"github.com/gruntwork-io/terratest/modules/helm"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/stretchr/testify/suite"
 )
 var (
 	client = &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true,
 			},
 		},
 	}
 )
 func NewBaseTestSuite(values map[string]string) BaseTestSuite {
 	if values == nil {
 		values = map[string]string{}
 	}
 	return BaseTestSuite{
 		Options: &helm.Options{
 			KubectlOptions: &k8s.KubectlOptions{
 				Namespace: "default",
 			},
 			SetValues: values,
 		},
 		ReleaseName: "harbor",
 		URL:         values["externalURL"],
 	}
 }
 type BaseTestSuite struct {
 	suite.Suite
 	Options     *helm.Options
 	ReleaseName string
 	URL         string // the external URL of Harbor
 }
 func (b *BaseTestSuite) SetupSuite() {
 	helm.Install(b.T(), b.Options, "../..", b.ReleaseName)
 	b.waitUntilHealthy(b.URL)
 }
 type overallStatus struct {
 	Status     string             `json:"status"`
 	Components []*componentStatus `json:"components"`
 }
 type componentStatus struct {
 	Name   string `json:"name"`
 	Status string `json:"status"`
 	Error  string `json:"error,omitempty"`
 }
 func (b *BaseTestSuite) waitUntilHealthy(url string) {
 	url = fmt.Sprintf("%s/api/v2.0/health", url)
 	log.Printf("wait until Harbor is healthy by calling health check API: %s ...", url)
 	for i := 0; i < 60; i++ {
 		time.Sleep(10 * time.Second)
 		resp, err := client.Get(url)
 		if err != nil {
 			log.Printf("failed to call the health API: %v, retry 10 seconds later...", err)
 			continue
 		}
 		if resp.StatusCode != http.StatusOK {
 			log.Printf("the response status code %d != 200, retry 10 seconds later...", resp.StatusCode)
 			continue
 		}
 		data, err := ioutil.ReadAll(resp.Body)
 		b.Require().Nil(err)
 		resp.Body.Close()
 		status := &overallStatus{}
 		err = json.Unmarshal(data, status)
 		b.Require().Nil(err)
 		if status.Status != "healthy" {
 			for _, component := range status.Components {
 				if component.Status == "healthy" {
 					continue
 				}
 				log.Printf("the status of component %s isn't healthy: %s , retry 10 seconds later...",
 					component.Name, component.Error)
 				break
 			}
 			continue
 		}
 		log.Printf("the status is healthy")
 		return
 	}
 	b.FailNow("the status still isn't healthy after several retries")
 }
 func (b *BaseTestSuite) TestPush() {
 	addr := strings.TrimPrefix(b.URL, "http://")
 	addr = strings.TrimPrefix(addr, "https://")
 	// push image
 	b.T().Log("pushing the image...")
 	cmdStr := fmt.Sprintf("docker pull hello-world:latest;docker tag hello-world:latest %s/library/hello-world:latest; docker login %s -u admin -p Harbor12345;docker push %s/library/hello-world:latest",
 		addr, addr, addr)
 	cmd := exec.Command("/bin/sh", "-c", cmdStr)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	err := cmd.Run()
 	b.Require().Nil(err)
 	// delete image in local
 	b.T().Log("deleting the image in local")
 	cmdStr = fmt.Sprintf("docker rmi %s/library/hello-world:latest", addr)
 	cmd = exec.Command("/bin/sh", "-c", cmdStr)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	err = cmd.Run()
 	b.Require().Nil(err)
 	// pull image
 	b.T().Log("pull the image...")
 	cmdStr = fmt.Sprintf("docker pull %s/library/hello-world:latest", addr)
 	cmd = exec.Command("/bin/sh", "-c", cmdStr)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	err = cmd.Run()
 	b.Require().Nil(err)
 }
 func (b *BaseTestSuite) TearDownSuite() {
 	helm.Delete(b.T(), &helm.Options{}, b.ReleaseName, true)
 }
--- a/test/integration/ingress_test.go
+++ b/test/integration/ingress_test.go
 package integration
 import (
 	"fmt"
 	"testing"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/stretchr/testify/suite"
 )
 type IngressTestSuite struct {
 	BaseTestSuite
 }
 func (i *IngressTestSuite) TestIngress() {
 	k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress", i.ReleaseName))
 	k8s.GetIngress(i.T(), i.Options.KubectlOptions, fmt.Sprintf("%s-harbor-ingress-notary", i.ReleaseName))
 }
 func TestIngressTestSuite(t *testing.T) {
 	suite.Run(t, &IngressTestSuite{
 		BaseTestSuite: NewBaseTestSuite(map[string]string{
 			"expose.ingress.hosts.core":   "harbor.local",
 			"expose.ingress.hosts.notary": "notary.harbor.local",
 			"externalURL":                 "https://harbor.local",
 		}),
 	})
 }
--- a/test/integration/kind-cluster.yaml
+++ b/test/integration/kind-cluster.yaml
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
  - containerPort: 30003
    hostPort: 30003
    protocol: TCP
--- a/test/integration/node_port_test.go
+++ b/test/integration/node_port_test.go
 package integration
 import (
 	"testing"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/stretchr/testify/suite"
 )
 type NodePortTestSuite struct {
 	BaseTestSuite
 }
 func (n *NodePortTestSuite) TestNodePort() {
 	service := k8s.GetService(n.T(), n.Options.KubectlOptions, "harbor")
 	n.Equal("NodePort", string(service.Spec.Type))
 }
 func TestNodePortTestSuite(t *testing.T) {
 	suite.Run(t, &NodePortTestSuite{
 		BaseTestSuite: NewBaseTestSuite(map[string]string{
 			"expose.type":                          "nodePort",
 			"expose.tls.auto.commonName":           "127.0.0.1",
 			"expose.nodePort.ports.https.nodePort": "30003",
 			"externalURL":                          "https://127.0.0.1:30003",
 		}),
 	})
 }
--- a/test/test.go
+++ b/test/test.go
 package test
--- a/test/unittest/trivy_stateful_set_test.go
+++ b/test/unittest/trivy_stateful_set_test.go
 package unittest
 import (
 	"os"
 	"testing"
 	"github.com/gruntwork-io/terratest/modules/helm"
 	"github.com/gruntwork-io/terratest/modules/logger"
 	"github.com/stretchr/testify/suite"
 	appsV1 "k8s.io/api/apps/v1"
 )
 type TrivyStatefulSetTestSuite struct {
 	suite.Suite
 }
 func (suite *TrivyStatefulSetTestSuite) render(values map[string]string) *appsV1.StatefulSet {
 	helmChartPath := "../../"
 	options := &helm.Options{
 		SetValues: values,
 	}
 	debug := os.Getenv("debug")
 	if debug != "true" {
 		options.Logger = logger.Discard
 	}
 	output := helm.RenderTemplate(suite.T(), options, helmChartPath, "harbor", []string{"templates/trivy/trivy-sts.yaml"})
 	var ss appsV1.StatefulSet
 	helm.UnmarshalK8SYaml(suite.T(), output, &ss)
 	return &ss
 }
 func (suite *TrivyStatefulSetTestSuite) TestPersistenceDisabled() {
 	values := map[string]string{
 		"persistence.enabled": "false",
 		"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
 	}
 	ss := suite.render(values)
 	suite.Len(ss.Spec.Template.Spec.Volumes, 1)
 	suite.NotNil(ss.Spec.Template.Spec.Volumes[0].EmptyDir)
 	suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 }
 func (suite *TrivyStatefulSetTestSuite) TestPersistenceEnabled() {
 	values := map[string]string{
 		"persistence.enabled": "true",
 	}
 	ss := suite.render(values)
 	suite.Len(ss.Spec.Template.Spec.Volumes, 0)
 	suite.Len(ss.Spec.VolumeClaimTemplates, 1)
 }
 func (suite *TrivyStatefulSetTestSuite) TestExistingClaim() {
 	values := map[string]string{
 		"persistence.enabled": "true",
 		"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
 	}
 	ss := suite.render(values)
 	suite.Len(ss.Spec.Template.Spec.Volumes, 1)
 	suite.NotNil(ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim)
 	suite.Equal("trivy-data", ss.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName)
 	suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 }
 func (suite *TrivyStatefulSetTestSuite) TestInternalTLSEnabled() {
 	{
 		values := map[string]string{
 			"internalTLS.enabled": "true",
 			"persistence.enabled": "false",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 2)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 	}
 	{
 		values := map[string]string{
 			"internalTLS.enabled": "true",
 			"persistence.enabled": "true",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 1)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 1)
 	}
 	{
 		values := map[string]string{
 			"internalTLS.enabled": "true",
 			"persistence.enabled": "true",
 			"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 2)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 	}
 }
 func (suite *TrivyStatefulSetTestSuite) TestCustomCA() {
 	{
 		values := map[string]string{
 			"caBundleSecretName":  "ca-bundle-secret",
 			"persistence.enabled": "false",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 2)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 	}
 	{
 		values := map[string]string{
 			"caBundleSecretName":  "ca-bundle-secret",
 			"internalTLS.enabled": "true",
 			"persistence.enabled": "false",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 3)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 	}
 	{
 		values := map[string]string{
 			"caBundleSecretName":  "ca-bundle-secret",
 			"internalTLS.enabled": "true",
 			"persistence.enabled": "true",
 			"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 3)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 	}
 	{
 		values := map[string]string{
 			"caBundleSecretName":  "ca-bundle-secret",
 			"persistence.enabled": "true",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 1)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 1)
 	}
 	{
 		values := map[string]string{
 			"caBundleSecretName":  "ca-bundle-secret",
 			"persistence.enabled": "true",
 			"persistence.persistentVolumeClaim.trivy.existingClaim": "trivy-data",
 		}
 		ss := suite.render(values)
 		suite.Len(ss.Spec.Template.Spec.Volumes, 2)
 		suite.Len(ss.Spec.VolumeClaimTemplates, 0)
 	}
 }
 func TestTrivyStatefulSetTestSuite(t *testing.T) {
 	suite.Run(t, &TrivyStatefulSetTestSuite{})
 }
--- a/test/verify.sh
+++ b/test/verify.sh
 #/bin/bash
 set -e
 helm lint .
 # expose the service via ingress, this disables the deployment of nginx
 helm template --set "expose.type=ingress" --output-dir /tmp/ .
 # expose the service via node port, this enables the deployment of nginx
 helm template --set "expose.type=nodePort,expose.tls.commonName=127.0.0.1" --output-dir /tmp/ .
\ No newline at end of file
--- a/values-operator.yaml
+++ b/values-operator.yaml
 global:
  hub: registry.cn-qingdao.aliyuncs.com/wod
  imagePullPolicy: "IfNotPresent"
  imageArch: amd64
  host: wodcloud.local
\ No newline at end of file
--- a/values.yaml
+++ b/values.yaml
 expose:
  # Set the way how to expose the service. Set the type as "ingress",
  # "clusterIP", "nodePort" or "loadBalancer" and fill the information
  # in the corresponding section
  type: ingress
  tls:
    # Enable the tls or not. Note: if the type is "ingress" and the tls
    # is disabled, the port must be included in the command when pull/push
    # images. Refer to https://github.com/goharbor/harbor/issues/5291
    # for the detail.
    enabled: false
    # The source of the tls certificate. Set it as "auto", "secret"
    # or "none" and fill the information in the corresponding section
    # 1) auto: generate the tls certificate automatically
    # 2) secret: read the tls certificate from the specified secret.
    # The tls certificate can be generated manually or by cert manager
    # 3) none: configure no tls certificate for the ingress. If the default
    # tls certificate is configured in the ingress controller, choose this option
    certSource: auto
    auto:
      # The common name used to generate the certificate, it's necessary
      # when the type isn't "ingress"
      commonName: ""
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: ""
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      # Only needed when the "expose.type" is "ingress".
      notarySecretName: ""
  ingress:
    hosts:
      core: hub
      notary: notary
    # set to the type of ingress controller if it has specific requirements.
    # leave as `default` for most ingress controllers.
    # set to `gce` if using the GCE ingress controller
    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
    controller: default
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
  clusterIP:
    # The name of ClusterIP service
    name: harbor
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
  nodePort:
    # The name of NodePort service
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving with HTTP
        port: 80
        # The node port Harbor listens on when serving with HTTP
        nodePort: 30002
      https:
        # The service port Harbor listens on when serving with HTTPS
        port: 443
        # The node port Harbor listens on when serving with HTTPS
        nodePort: 30003
      # Only needed when notary.enabled is set to true
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30004
  loadBalancer:
    # The name of LoadBalancer service
    name: harbor
    # Set the IP if the LoadBalancer supports assigning IP
    IP: ""
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
    annotations: {}
    sourceRanges: []
 # The external URL for Harbor core service. It is used to
 # 1) populate the docker/helm commands showed on portal
 # 2) populate the token service URL returned to docker/notary client
 #
 # Format: protocol://domain[:port]. Usually:
 # 1) if "expose.type" is "ingress", the "domain" should be
 # the value of "expose.ingress.hosts.core"
 # 2) if "expose.type" is "clusterIP", the "domain" should be
 # the value of "expose.clusterIP.name"
 # 3) if "expose.type" is "nodePort", the "domain" should be
 # the IP address of k8s node
 #
 # If Harbor is deployed behind the proxy, set it as the URL of proxy
 externalURL: https://hub
 # The internal TLS used for harbor components secure communicating. In order to enable https
 # in each components tls cert files need to provided in advance.
 internalTLS:
  # If internal TLS enabled
  enabled: false
  # There are three ways to provide tls
  # 1) "auto" will generate cert automatically
  # 2) "manual" need provide cert file manually in following value
  # 3) "secret" internal certificates from secret
  certSource: "auto"
  # The content of trust ca, only available when `certSource` is "manual"
  trustCa: ""
  # core related cert configuration
  core:
    # secret name for core's tls certs
    secretName: ""
    # Content of core's TLS cert file, only available when `certSource` is "manual"
    crt: ""
    # Content of core's TLS key file, only available when `certSource` is "manual"
    key: ""
  # jobservice related cert configuration
  jobservice:
    # secret name for jobservice's tls certs
    secretName: ""
    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of jobservice's TLS key file, only available when `certSource` is "manual"
    key: ""
  # registry related cert configuration
  registry:
    # secret name for registry's tls certs
    secretName: ""
    # Content of registry's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of registry's TLS key file, only available when `certSource` is "manual"
    key: ""
  # portal related cert configuration
  portal:
    # secret name for portal's tls certs
    secretName: ""
    # Content of portal's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of portal's TLS key file, only available when `certSource` is "manual"
    key: ""
  # chartmuseum related cert configuration
  chartmuseum:
    # secret name for chartmuseum's tls certs
    secretName: ""
    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
    key: ""
  # clair related cert configuration
  clair:
    # secret name for clair's tls certs
    secretName: ""
    # Content of clair's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of clair's TLS key file, only available when `certSource` is "manual"
    key: ""
  # trivy related cert configuration
  trivy:
    # secret name for trivy's tls certs
    secretName: ""
    # Content of trivy's TLS key file, only available when `certSource` is "manual"
    crt: ""
    # Content of trivy's TLS key file, only available when `certSource` is "manual"
    key: ""
 # The persistence is enabled by default and a default StorageClass
 # is needed in the k8s cluster to provision volumes dynamicly.
 # Specify another StorageClass in the "storageClass" or set "existingClaim"
 # if you have already existing persistent volumes to use
 #
 # For storing images and charts, you can also use "azure", "gcs", "s3",
 # "swift" or "oss". Set it in the "imageChartStorage" section
 persistence:
  enabled: true
  # Setting it to "keep" to avoid removing PVCs during a helm delete
  # operation. Leaving it empty will delete PVCs after the chart deleted
  # (this does not apply for PVCs that are created for internal database
  # and redis components, i.e. they are never deleted automatically)
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      existingClaim: ""
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used(the default).
      # Set it to "-" to disable dynamic provisioning
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external database is used, the following settings for database will
    # be ignored
    database:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 10Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    redis:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: "hostpath"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
  # Define which storage backend is used for registry and chartmuseum to store
  # images and charts. Refer to
  # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  # for the detail.
  imageChartStorage:
    # Specify whether to disable `redirect` for images and chart storage, for
    # backends which not supported it (such as using minio for `s3` storage type), please disable
    # it. To disable redirects, simply set `disableredirect` to `true` instead.
    # Refer to
    # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
    # for the detail.
    disableredirect: false
    # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate.
    # The secret must contain keys named "ca.crt" which will be injected into the trust store
    # of registry's and chartmuseum's containers.
    # caBundleSecretName:
    # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
    # "oss" and fill the information needed in the corresponding section. The type
    # must be "filesystem" if you want to use persistent volumes for registry
    # and chartmuseum
    type: filesystem
    filesystem:
      rootdirectory: /storage
      #maxthreads: 100
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      #realm: core.windows.net
    gcs:
      bucket: bucketname
      # The base64 encoded json file which contains the key
      encodedkey: base64-encoded-json-key-file
      #rootdirectory: /gcs/object/name/prefix
      #chunksize: "5242880"
    s3:
      region: us-west-1
      bucket: bucketname
      #accesskey: awsaccesskey
      #secretkey: awssecretkey
      #regionendpoint: http://myobjects.local
      #encrypt: false
      #keyid: mykeyid
      #secure: true
      #skipverify: false
      #v4auth: true
      #chunksize: "5242880"
      #rootdirectory: /s3/object/name/prefix
      #storageclass: STANDARD
      #multipartcopychunksize: "33554432"
      #multipartcopymaxconcurrency: 100
      #multipartcopythresholdsize: "33554432"
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      #region: fr
      #tenant: tenantname
      #tenantid: tenantid
      #domain: domainname
      #domainid: domainid
      #trustid: trustid
      #insecureskipverify: false
      #chunksize: 5M
      #prefix:
      #secretkey: secretkey
      #accesskey: accesskey
      #authversion: 3
      #endpointtype: public
      #tempurlcontainerkey: false
      #tempurlmethods:
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      #endpoint: endpoint
      #internal: false
      #encrypt: false
      #secure: true
      #chunksize: 10M
      #rootdirectory: rootdirectory
 imagePullPolicy: IfNotPresent
 # Use this set to assign a list of default pullSecrets
 imagePullSecrets:
 #  - name: docker-registry-secret
 #  - name: internal-registry-secret
 # The update strategy for deployments with persistent volumes(jobservice, registry
 # and chartmuseum): "RollingUpdate" or "Recreate"
 # Set it as "Recreate" when "RWM" for volumes isn't supported
 updateStrategy:
  type: RollingUpdate
 # debug, info, warning, error or fatal
 logLevel: info
 # The initial password of Harbor admin. Change it from portal after launching Harbor
 harborAdminPassword: "spaceIN511"
 # The name of the secret which contains key named "ca.crt". Setting this enables the
 # download link on portal to download the certificate of CA when the certificate isn't
 # generated automatically
 caSecretName: ""
 # The secret key used for encryption. Must be a string of 16 chars.
 secretKey: "IpTIscRIgmerlare"
 # The proxy settings for updating clair vulnerabilities from the Internet and replicating
 # artifacts from/to the registries that cannot be reached directly
 proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal
  components:
    - core
    - jobservice
    - clair
    - trivy
 # The custom ca bundle secret, the secret must contain key named "ca.crt"
 # which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
 # caBundleSecretName: ""
 ## UAA Authentication Options
 # If you're using UAA for authentication behind a self-signed
 # certificate you will need to provide the CA Cert.
 # Set uaaSecretName below to provide a pre-created secret that
 # contains a base64 encoded CA Certificate named `ca.crt`.
 # uaaSecretName:
 # If expose the service via "ingress", the Nginx will not be used
 nginx:
  image:
    repository: nginx
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 portal:
  image:
    repository: harbor-portal
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 core:
  image:
    repository: harbor-core
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  replicas: 1
  ## Startup probe values
  startupProbe:
    enabled: true
    initialDelaySeconds: 10
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used when core server communicates with other components.
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  secret: ""
  # Fill the name of a kubernetes secret if you want to use your own
  # TLS certificate and private key for token encryption/decryption.
  # The secret must contain keys named:
  # "tls.crt" - the certificate
  # "tls.key" - the private key
  # The default key pair will be used if it isn't set
  secretName: ""
  # The XSRF key. Will be generated automatically if it isn't specified
  xsrfKey: ""
 jobservice:
  image:
    repository: harbor-jobservice
    tag: v2.1.3
  replicas: 1
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  maxJobWorkers: 10
  # The logger for jobs: "file", "database" or "stdout"
  jobLogger: file
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used when job service communicates with other components.
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  secret: ""
 registry:
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  registry:
    image:
      repository: registry
      tag: 2.7.1
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
  controller:
    image:
      repository: harbor-registryctl
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Secret is used to secure the upload state from client
  # and registry storage backend.
  # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
  # If a secret key is not specified, Helm will generate one.
  # Must be a string of 16 chars.
  secret: ""
  # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
  relativeurls: false
  credentials:
    username: "harbor_registry_user"
    password: "harbor_registry_password"
    # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
    # e.g. "htpasswd -nbBC10 $username $password"
    htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
  middleware:
    enabled: false
    type: cloudFront
    cloudFront:
      baseurl: example.cloudfront.net
      keypairid: KEYPAIRID
      duration: 3000s
      ipfilteredby: none
      # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
      # that allows access to CloudFront
      privateKeySecret: "my-secret"
 chartmuseum:
  enabled: true
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  # Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
  absoluteUrl: false
  image:
    repository: harbor-chartmuseum
    tag: v2.1.3
  storageSpec:
    type: hostPath
    emptyDir: {}
    hostPath:
      root: /data 
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 clair:
  enabled: true
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  clair:
    image:
      repository: harbor-clair
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  adapter:
    image:
      repository: harbor-clair-adapter
      tag: v2.1.3
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  replicas: 1
  # The interval of clair updaters, the unit is hour, set to 0 to
  # disable the updaters
  updatersInterval: 12
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 trivy:
  # enabled the flag to enable Trivy scanner
  enabled: true
  image:
    # repository the repository for Trivy adapter image
    repository: harbor-trivy-adapter
    # tag the tag for Trivy adapter image
    tag: v2.1.3
  # set the service account to be used, default if left empty
  serviceAccountName: ""
  # replicas the number of Pod replicas
  replicas: 1
  # debugMode the flag to enable Trivy debug mode with more verbose scanning log
  debugMode: false
  # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
  vulnType: "os,library"
  # severity a comma-separated list of severities to be checked
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  # ignoreUnfixed the flag to display only fixed vulnerabilities
  ignoreUnfixed: false
  # insecure the flag to skip verifying registry certificate
  insecure: false
  # gitHubToken the GitHub access token to download Trivy DB
  #
  # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
  # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
  # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
  # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
  # Currently, the database is updated every 12 hours and published as a new release to GitHub.
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  gitHubToken: ""
  # skipUpdate the flag to disable Trivy DB downloads from GitHub
  #
  # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
  # `/home/scanner/.cache/trivy/db/trivy.db` path.
  skipUpdate: false
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1
      memory: 1Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
 notary:
  enabled: true
  server:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: harbor-notary-server
      tag: v2.1.3
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  signer:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: harbor-notary-signer
      tag: v2.1.3
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
  # Fill the name of a kubernetes secret if you want to use your own
  # TLS certificate authority, certificate and private key for notary
  # communications.
  # The secret must contain keys named ca.crt, tls.crt and tls.key that
  # contain the CA, certificate and private key.
  # They will be generated if not set.
  secretName: ""
 database:
  # if external database is used, set "type" to "external"
  # and fill the connection informations in "external" section
  type: internal
  internal:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: harbor-db
      tag: v2.1.3
    # The initial superuser password for internal database
    password: "spaceIN511"
    resources:
      limits:
        memory: 4Gi
      requests:
        memory: 256Mi
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    # "disable" - No SSL
    # "require" - Always SSL (skip verification)
    # "verify-ca" - Always SSL (verify that the certificate presented by the
    # server was signed by a trusted CA)
    # "verify-full" - Always SSL (verify that the certification presented by the
    # server was signed by a trusted CA and the server host name matches the one
    # in the certificate)
    sslmode: "disable"
  # The maximum number of connections in the idle connection pool.
  # If it <=0, no idle connections are retained.
  maxIdleConns: 50
  # The maximum number of open connections to the database.
  # If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgre of harbor.
  maxOpenConns: 1000
  ## Additional deployment annotations
  podAnnotations: {}
 redis:
  # if external Redis is used, set "type" to "external"
  # and fill the connection informations in "external" section
  type: internal
  internal:
    # set the service account to be used, default if left empty
    serviceAccountName: ""
    image:
      repository: redis
      tag: 6.0.9
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    # support redis, redis+sentinel
    # addr for redis: <host_redis>:<port_redis>
    # addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
    addr: "192.168.0.2:6379"
    # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
    sentinelMasterSet: ""
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    clairAdapterIndex: "4"
    trivyAdapterIndex: "5"
    password: ""
  ## Additional deployment annotations
  podAnnotations: {}
 commonLabels:
  app.bd-apaas.com/cluster-component: registry
\ No newline at end of file