This document guides users through the fields defined in the HarborCluster CRD so that they can customize their Harbor cluster deployment stack.

CRD version: v1beta1

The spec fields are described below with YAML snippets and comments. All the parts share the head YAML snippet shown here.
```yaml
apiVersion: goharbor.io/v1beta1
kind: HarborCluster
metadata:
  name: harborcluster-sample
  namespace: cluster-sample-ns
spec:
  # ... Skipped fields
  # ...
  # ... Skipped fields
```
spec.expose (required): exposes the access endpoints of the Harbor core services and, optionally, of the notary service.

```yaml
spec:
  # ... Skipped fields
  expose:
    # Expose core services
    core: # Required
      # TLS setting
      tls: # Optional
        # Certificate reference
        certificateRef: <cert-ref> # Optional
      # Expose the service through an ingress
      ingress:
        # Host of the exposed service
        host: <> # Required
        # Ingress controller type, supported values ["gce","ncp","contour","default"]
        # "default" means nginx
        controller: default # Optional, default value = "default"
        # Annotations applied to the ingress
        annotations: # Optional
          key: value
        # Set the ingress class name. If it is not set, the system default one will be picked up.
        ingressClassName: ingressClass # Optional
    # Expose the notary service when it is configured
    notary: # Optional
      # Exactly the same as the [expose.core] part above, skipped here.
  # ... Skipped fields
```
spec.externalURL (required): the public URL for accessing the Harbor registry; it must match the pattern `https?://.*`.

```yaml
spec:
  # ... Skipped fields
  externalURL: # Required
  # ... Skipped fields
```
spec.internalTLS (optional): enables secure (TLS) communication between Harbor components when set.

```yaml
spec:
  # ... Skipped fields
  internalTLS: # Optional
    enabled: true # Optional, default = false
  # ... Skipped fields
```
spec.logLevel (optional): sets the log level of the Harbor loggers.

```yaml
spec:
  # ... Skipped fields
  # Supported settings ["debug","info","warning","error","fatal"]
  logLevel: "debug" # Optional, default = "info"
  # ... Skipped fields
```
spec.harborAdminPasswordRef (required): the reference to the secret containing the preset admin password.

```yaml
spec:
  # ... Skipped fields
  harborAdminPasswordRef: "myAdminPwd" # Required
  # ... Skipped fields
```
spec.updateStrategyType (optional): the update strategy.

```yaml
spec:
  # ... Skipped fields
  updateStrategyType: "RollingUpdate" # Optional, default="RollingUpdate"
  # ... Skipped fields
```
spec.version (optional): records the version of the Harbor deployed to the cluster. It is mainly used when upgrading versions.

```yaml
spec:
  # ... Skipped fields
  # Example: 2.4.0
  version: <Harbor version> # Optional
  # ... Skipped fields
```
spec.proxy (optional): configures proxy settings for the related Harbor components.

```yaml
spec:
  # ... Skipped fields
  proxy: # Optional
    # HTTP proxy
    httpProxy: # Optional, pattern="https?://.+"
    # HTTPS proxy
    httpsProxy: # Optional, pattern="https?://.+"
    # No proxy
    noProxy: # Optional, default=["","localhost",".local",".internal"]
      - localhost
      - .local
      - .internal
    # The components these proxy settings apply to
    components: # Optional, default=[core,jobservice,trivy]
      - core
      - jobservice
      - trivy
  # ... Skipped fields
```
spec.imageSource (optional): configures the general image source from which images are pulled. Image settings configured here apply to all the components.

```yaml
spec:
  # ... Skipped fields
  imageSource: # Optional
    # The root repository path of the component images.
    # e.g: if it is set to '', then the core image path will be ''
    repository: # Required
    # The tag suffix of the component images.
    # e.g: if it is set to `-staging`, then the core image tag will be '<version>-staging'
    tagSuffix: -staging # Optional
    # Image pull policy. Supported values are ["Always","Never","IfNotPresent"].
    # More info:
    imagePullPolicy: Always # Optional, default = IfNotPresent
    # Image pull secrets
    imagePullSecrets: # Optional
      - name: myHarborRegSecret
  # ... Skipped fields
```
spec.network (optional): network settings for the deploying Harbor.

```yaml
spec:
  # ... Skipped fields
  # Network settings
  network: # Optional
    # Set which IP families are used for the deploying Harbor
    ipFamilies:
      - IPv4
      - IPv6
  # ... Skipped fields
```
spec.trace (optional): tracing settings for the deploying Harbor.

```yaml
spec:
  # ... Skipped fields
  # Tracing settings
  trace: # Optional
    # Enable tracing or not
    enabled: false # Optional, default is false
    # Used to differentiate the different harbor services.
    namespace: core # Optional
    # Set `sampleRate` to 1 to sample 100% of trace data, 0.5 to sample 50% of trace data, and so forth.
    sampleRate: 1 # Optional, default is 1
    # A key/value dict of user-defined attributes used to initialize the trace provider.
    attributes: # Optional
      key: value
    # The tracing provider: 'jaeger' or 'otel'
    provider: jaeger # Required
    # Spec for the jaeger provider if provider is set to jaeger
    jaeger: # Optional
      # Serve mode: `collector` or `agent`
      mode: collector # Required
      # Configuration for collector mode
      collector: # Optional
        # The endpoint of the jaeger collector
        endpoint: # Required
        # The username of the jaeger collector
        username: foo
        # The password secret reference name of the jaeger collector
        passwordRef: foobar
      # Configuration for agent mode
      agent: # Optional
        # The host of the jaeger agent
        host: # Required
        # The port of the jaeger agent
        port: 8000
    # Spec for the otel provider if provider is set to otel.
    otel: # Optional
      # The endpoint of otel
      endpoint: # Required
      # The URL path of otel
      urlPath: /otel # Required
      # Whether to enable compression for otel
      compression: false # Optional
      # Whether to establish an insecure (non-TLS) connection for otel
      insecure: true # Optional
      # The timeout of otel
      timeout: 10s # Optional, default is 10s
  # ... Skipped fields
```
Each Harbor component has its own spec for accepting configurations and shares the common spec shown below.

```yaml
spec:
  # ... Skipped fields
  # Besides the common component spec, there are no extra parts for component 'portal'
  portal:
    # Common component spec
    # Image name for the component. It will override the default one.
    image: my-portal # Optional
    # Image pull policy. It will override the global 'imageSource' settings and the default one.
    imagePullPolicy: # Optional, default = IfNotPresent
    # Image pull secrets. They will override the global 'imageSource' settings if set.
    imagePullSecrets:
      - name: myHarborRegSecretOfPortal
    # Replicas is the number of desired replicas.
    # This is a pointer to distinguish between explicit zero and unspecified.
    # More info:
    replicas: 3 # Optional
    # ServiceAccountName is the name of the ServiceAccount to use to run this component.
    # More info:
    serviceAccountName: mySA # Optional
    # NodeSelector is a selector which must be true for the component to fit on a node.
    # Selector which must match a node's labels for the pod to be scheduled on that node.
    # More info:
    nodeSelector: # Optional
      key: value
    # If specified, the pod's tolerations.
    # More info:
    tolerations: [] # Optional
    # Compute Resources required by this component.
    # Cannot be updated.
    # More info:
    resources: # Optional
      # Limits describes the maximum amount of compute resources allowed.
      # More info:
      limits: {} # Optional
      # Requests describes the minimum amount of compute resources required.
      # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
      # otherwise to an implementation-defined value.
      # More info:
      requests: {} # Optional
  # The following components also include the common spec shown above.
  # ... Skip duplicated configurations here
  core: {}
  jobservice: {}
  registry: {}
  registryctl: {}
  chartmuseum: {}
  trivy: {}
  exporter: {}
  notary:
    server: {}
    signer: {}
  # ... Skipped fields
```
Extra configurations for the Harbor component `core`:

```yaml
spec:
  # ... Skipped fields
  core:
    # ... Skipped common component spec here
    # Extra configurations
    # Certificates that need to be injected into core
    certificateRefs: # Optional
      - cert1
      - cert2
    # Token issuer
    tokenIssuer: myIssuer # Required
    # Metrics settings
    metrics: # optional
      enabled: false # optional, default is false
      port: 8001 # optional, default is 8001
      path: /metrics # optional, default is /metrics
  # ... Skipped fields
```
Extra configurations for the Harbor component `jobservice`:

```yaml
spec:
  # ... Skipped fields
  jobservice:
    # ... Skipped common component spec here
    # Extra configurations
    # Certificates that need to be injected into jobservice
    certificateRefs: # Optional
      - cert1
      - cert2
    # The number of workers
    workerCount: 10 # Optional, default = 10, minimal = 1
    # Metrics settings
    metrics: # optional
      # Similar to the section shown in the `core` component
      # Skipped here
  # ... Skipped fields
```
Extra configurations for the Harbor component `registry`:

```yaml
spec:
  # ... Skipped fields
  registry:
    # ... Skipped common component spec here
    # Extra configurations
    # Enable relative URLs
    relativeURLs: true # Optional, default = true
    # Middlewares for storage
    storageMiddlewares: # Optional
      - name: m1 # Required
        optionsRef: op1 # Optional
    # Metrics settings
    metrics: # optional
      # Similar to the section shown in the `core` component
      # Skipped here
  # ... Skipped fields
```
Extra configurations for the Harbor component `chartmuseum`:

```yaml
spec:
  # ... Skipped fields
  chartmuseum:
    # ... Skipped common component spec here
    # Extra configurations
    # Certificates that need to be injected into chartmuseum
    certificateRefs: # Optional
      - cert1
      - cert2
    # Harbor defaults ChartMuseum to returning relative URLs.
    # If you want to use absolute URLs, enable this.
    absoluteUrl: false # Optional, default = false
  # ... Skipped fields
```
Extra configurations for the Harbor component `trivy`:

```yaml
spec:
  # ... Skipped fields
  trivy:
    # ... Skipped common component spec here
    # Extra configurations
    # Certificates that need to be injected into trivy
    certificateRefs: # Optional
      - cert1
      - cert2
    # The name of the secret containing the token to connect to the GitHub API.
    githubTokenRef: github-token # Optional
    # The flag to enable or disable Trivy DB downloads from GitHub
    skipUpdate: false # Optional, default = false
    # Storage used to keep trivy data.
    storage: # required
      # ReportsPersistentVolume specifies the persistent volume used to store Trivy reports.
      reportsPersistentVolume: # Optional, if it is not set, then an empty dir will be used.
        # Inline the corev1.PersistentVolumeClaimVolumeSource
        # ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
        # More info:
        claimName: myPVC # Required
        # Will force the ReadOnly setting in VolumeMounts.
        readOnly: false # Optional
        prefix: myPrefix # Optional
      # CachePersistentVolume specifies the persistent volume used to store the Trivy cache.
      # Same configuration as ReportsPersistentVolume.
      cachePersistentVolume: {} # Optional, if it is not set, then an empty dir will be used.
  # ... Skipped fields
```
Extra configurations for the Harbor component `notary`:

```yaml
spec:
  # ... Skipped fields
  notary:
    server: {} # Skipped common component spec here ...
    signer: {} # Skipped common component spec here ...
    # Extra configurations
    # Inject the migration configuration into notary resources
    migrationEnabled: true # Optional, default = true
  # ... Skipped fields
```
So far, there are 6 options for the storage configuration: FileSystem (Persistent Volume), S3, Swift, Azure, Gcs and MinIO.
Configure filesystem as the backend storage.

```yaml
spec:
  # ... Skipped fields
  storage:
    kind: "FileSystem"
    spec:
      # FileSystem is an implementation of the storagedriver.StorageDriver interface which uses the local filesystem.
      # The local filesystem can be a remote volume.
      # See:
      filesystem: # Optional
        chartPersistentVolume: # Optional
          # Inline the corev1.PersistentVolumeClaimVolumeSource
          # ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
          # More info:
          claimName: myPVC # Required
          # Will force the ReadOnly setting in VolumeMounts.
          readOnly: false # Optional
          prefix: myPrefix # Optional
        registryPersistentVolume: # Optional
          # ... Skipped the same fields as 'chartPersistentVolume': 'claimName', 'readOnly' and 'prefix'.
          # ...
        # Max threads
        maxthreads: 100 # Optional, default = 100, minimal = 25
  # ... Skipped fields
```
Configure S3 as the backend storage.

```yaml
spec:
  # ... Skipped fields
  storage:
    kind: "S3"
    spec:
      # Configure S3 as the backend storage of Harbor.
      # An implementation of the storagedriver.StorageDriver interface which uses Amazon S3 or S3 compatible services for object storage.
      # See:
      s3: # Optional
        # The AWS Access Key.
        # If you use IAM roles, omit it to fetch temporary credentials from IAM.
        accesskey: ak # Optional
        # Reference to the secret containing the AWS Secret Key.
        # If you use IAM roles, omit it to fetch temporary credentials from IAM.
        secretkeyRef: secret # Optional
        # The AWS region in which your bucket exists.
        # For the moment, the Go AWS library in use does not use the newer DNS based bucket routing.
        # For a list of regions, see
        region: us-east-1 # Required
        # Endpoint for S3 compatible storage services (Minio, etc).
        regionendpoint: Minio # Required
        # The bucket name in which you want to store the registry's data.
        bucket: default # Required
        # This is a prefix that is applied to all S3 keys to allow you to segment data in your bucket if necessary.
        rootdirectory: registry # Optional
        # The S3 storage class applied to each registry file.
        storageclass: STANDARD # Optional, default="STANDARD"
        # KMS key ID to use for encryption (encrypt must be true, or this parameter is ignored).
        keyid: kid # Optional
        # Specifies whether the registry stores the image in encrypted format or not. A boolean value.
        encrypt: false # Optional, default=false
        # Skips TLS verification when the value is set to true.
        skipverify: false # Optional, default=false
        # Certificate
        certificateRef: cert # Optional
        # Indicates whether to use HTTPS instead of HTTP. A boolean value.
        secure: true # Optional, default=true
        # Indicates whether the registry uses Version 4 of AWS's authentication.
        v4auth: true # Optional, default=true
        # The S3 API requires multipart upload chunks to be at least 5MB.
        chunksize: 5242880 # Optional, minimal = 5242880
  # ... Skipped fields
```
Configure Swift as the backend storage.

This method is not recommended since Swift is eventually consistent. Put an S3 middleware in front of Swift and configure the second method, S3 storage, instead.

```yaml
spec:
  # ... Skipped fields
  storage:
    kind: Swift
    spec:
      # Configure Swift as the backend storage of Harbor.
      # An implementation of the storagedriver.StorageDriver interface that uses OpenStack Swift for object storage.
      # See:
      swift: # Optional
        # URL for obtaining an auth token.
        authurl: # Required
        # The Openstack user name.
        username: openstack-user # Required
        # Secret name containing the Openstack password.
        passwordRef: secret # Required
        # The Openstack region in which your container exists.
        region: region-1 # Optional
        # The name of your Swift container where you wish to store the registry's data.
        # The driver creates the named container during its initialization.
        container: container1 # Required
        # You can use either tenant or tenantid.
        tenant: myTenant # Optional
        # You can use either tenant or tenantid.
        tenantid: myTenantID # Optional
        # Your Openstack domain name for the Identity v3 API. You can use either domain or domainid.
        domain: sampleDomain # Optional
        # Your Openstack domain ID for the Identity v3 API. You can use either domain or domainid.
        domainid: did # Optional
        # Your Openstack trust ID for the Identity v3 API.
        trustid: myTrustID # Optional
        # Skips TLS verification if the value is set to true.
        insecureskipverify: false # Optional, default=false
        # Size of the data segments for the Swift Dynamic Large Objects.
        # This value should be a number.
        chunksize: 5242880 # Optional, minimal=5242880
        # This is a prefix that is applied to all Swift keys to allow you to segment data in your container if necessary. Defaults to the container's root.
        prefix: registry # Optional
        # The secret key used to generate temporary URLs.
        secretkeyRef: key # Optional
        # The access key to generate temporary URLs. It is used by HP Cloud Object Storage in addition to the secretkey parameter.
        accesskey: ak # Optional
        # Specify the OpenStack Auth's version, for example 3. By default the driver autodetects the auth's version from the authurl.
        authversion: 3 # Optional
        # The endpoint type used when connecting to swift.
        # Supported values ["public","internal","admin"]
        endpointtype: public # Optional, default=public
  # ... Skipped fields
```
The MinIO storage configuration lets the Harbor operator automatically deploy an in-cluster, HA-capable, S3-compatible service as the backend storage service of the deploying Harbor.

```yaml
spec:
  # ... Skipped fields
  storage:
    # Kind of in-cluster storage service to be used. Only MinIO is supported now.
    kind: MinIO # Required
    # MinIO configurations
    spec: # Required
      # Image name for MinIO. It will override the default one.
      image: my-minio # Optional
      # Image pull policy. It will override the global 'imageSource' settings and the default one.
      imagePullPolicy: # Optional, default = IfNotPresent
      # Image pull secrets. They will override the global 'imageSource' settings if set.
      imagePullSecrets:
        - name: myHarborRegSecretOfMinIO
      # Redirection configurations.
      redirect: # Required
        # Determine whether the redirection of minio storage is enabled.
        enable: true # Optional, default=true
        # If 'enable' is set to true, then configure the extra settings here.
        # Expose the MinIO service for client access.
        # Same configuration as the top level 'expose' section.
        expose: # Optional
          # TLS setting
          tls: # Optional
            # Certificate reference
            certificateRef: <cert-ref> # Optional
          # Expose the service through an ingress
          ingress:
            # Host of the exposed service
            host: <> # Required
            # Ingress controller type, supported values ["gce","ncp","default"]
            controller: default # Optional, default value = "default"
            # Annotations applied to the ingress
            annotations: # Optional
              key: value
      # Reference to the secret containing the MinIO access key and secret key.
      secretRef: minioSecret # Optional
      # Supply the number of replicas.
      # For standalone mode, supply 1. For distributed mode, supply 4 or more.
      # Note that the operator does not support upgrading from standalone to distributed mode.
      # In particular, 'replicas'*'volumesPerServer' should be >=4.
      replicas: 4 # Required, minimal=1
      # Number of persistent volumes that will be attached per server
      # In particular, 'replicas'*'volumesPerServer' should be >=4.
      volumesPerServer: 1 # Required, minimal=1
      # VolumeClaimTemplate allows a user to specify how volumes inside a MinIOInstance are claimed.
      # More info:
      volumeClaimTemplate: {} # Optional
      # If provided, use these requests and limits for cpu/memory resource allocation
      # More info:
      resources: # Optional
        # Limits describes the maximum amount of compute resources allowed.
        # More info:
        limits: {} # Optional
        # Requests describes the minimum amount of compute resources required.
        # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
        # otherwise to an implementation-defined value.
        # More info:
        requests: {} # Optional
  # ... Skipped fields
```
Two alternatives are provided for configuring the database service used by the deploying Harbor.

The standard database configuration can be used to set an existing pre-deployed or cloud database service as the dependent database of the deploying Harbor.

```yaml
spec:
  # ... Skipped fields
  # Configure an existing pre-deployed or cloud database service.
  database:
    kind: PostgreSQL
    spec:
      # PostgreSQL user name to connect as.
      # Defaults to the same as the operating system name of the user running the application.
      username: postsql # Required
      # Secret containing the password to be used if the server demands password authentication.
      passwordRef: psqlSecret # Optional
      # PostgreSQL hosts.
      # At least 1.
      hosts:
        # Name of host to connect to.
        # If a host name begins with a slash, it specifies Unix-domain communication rather than
        # TCP/IP communication; the value is the name of the directory in which the socket file is stored.
        - host: psql # Required
          # Port number to connect to at the server host,
          # or socket file name extension for Unix-domain connections.
          # Zero specifies the default port number established when PostgreSQL was built.
          port: 5432 # Optional
      # PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security.
      # Supported values ["disable","allow","prefer","require","verify-ca","verify-full"].
      sslMode: prefer # Optional, default=prefer
      prefix: prefix # Optional
  # ... Skipped fields
```
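As an added example (not part of this page or of the harbor-operator project), a small Python pre-apply check that enforces the constraints documented in the snippets above (the `externalURL` pattern, the `logLevel` values, the S3/Swift minimum `chunksize`, the filesystem `maxthreads` minimum, the MinIO `replicas`*`volumesPerServer` rule, the `sslMode` values) and flags settings that weaken transport security (`internalTLS` off, `skipverify`, `secure: false`, a non-verifying `sslMode`). The field paths follow the simplified snippets on this page, and both sample specs are constructed.

```python
import re

# Constraints and weak-setting checks taken from the field comments on this
# page. The input is the parsed `spec:` mapping of a HarborCluster, using the
# same simplified field paths as the snippets above.
LOG_LEVELS = {"debug", "info", "warning", "error", "fatal"}
SSL_MODES = {"disable", "allow", "prefer", "require", "verify-ca", "verify-full"}
MIN_CHUNK = 5242880  # S3 / Swift minimum chunk size documented above


def lint_harbor_cluster(spec):
    """Return (errors, warnings): errors break documented constraints, warnings weaken TLS."""
    errors, warnings = [], []
    url = spec.get("externalURL", "")
    if not re.match(r"^https?://.*", url):
        errors.append("externalURL must match https?://.*")
    elif url.startswith("http://"):
        warnings.append("externalURL is plain http")
    if not spec.get("internalTLS", {}).get("enabled", False):
        warnings.append("internalTLS disabled: component traffic is cleartext")
    if spec.get("logLevel", "info") not in LOG_LEVELS:
        errors.append("logLevel must be one of %s" % sorted(LOG_LEVELS))

    storage = spec.get("storage", {})
    kind, inner = storage.get("kind"), storage.get("spec", {})
    if kind == "S3":
        s3 = inner.get("s3", {})
        if s3.get("chunksize", MIN_CHUNK) < MIN_CHUNK:  # absent -> driver default
            errors.append("s3.chunksize below 5242880")
        if s3.get("skipverify"):
            warnings.append("s3.skipverify disables TLS verification")
        if not s3.get("secure", True):
            warnings.append("s3.secure=false sends registry data over http")
    elif kind == "Swift":
        sw = inner.get("swift", {})
        if sw.get("chunksize", MIN_CHUNK) < MIN_CHUNK:
            errors.append("swift.chunksize below 5242880")
        if "tenant" in sw and "tenantid" in sw:
            errors.append("swift: use either tenant or tenantid, not both")
        if sw.get("insecureskipverify"):
            warnings.append("swift.insecureskipverify disables TLS verification")
    elif kind == "FileSystem":
        if inner.get("filesystem", {}).get("maxthreads", 100) < 25:
            errors.append("filesystem.maxthreads below 25")
    elif kind == "MinIO":
        r, v = inner.get("replicas", 0), inner.get("volumesPerServer", 0)
        if r < 1 or v < 1 or r * v < 4:
            errors.append("MinIO: replicas*volumesPerServer must be >= 4")

    db = spec.get("database", {})
    if db.get("kind") == "PostgreSQL":
        mode = db.get("spec", {}).get("sslMode", "prefer")
        if mode not in SSL_MODES:
            errors.append("database.sslMode must be one of %s" % sorted(SSL_MODES))
        elif mode not in ("verify-ca", "verify-full"):
            warnings.append("database.sslMode=%s does not verify the server" % mode)
    return errors, warnings


# Constructed sample specs: a deliberately weak one and its hardened form.
WEAK_SPEC = {
    "externalURL": "http://harbor.example.test",
    "internalTLS": {"enabled": False},
    "storage": {"kind": "S3", "spec": {"s3": {"skipverify": True, "secure": False,
                                               "chunksize": 1048576}}},
    "database": {"kind": "PostgreSQL", "spec": {"sslMode": "prefer"}},
}
HARDENED_SPEC = {
    "externalURL": "https://harbor.example.test",
    "internalTLS": {"enabled": True},
    "storage": {"kind": "S3", "spec": {"s3": {"certificateRef": "s3-ca"}}},
    "database": {"kind": "PostgreSQL", "spec": {"sslMode": "verify-full"}},
}

if __name__ == "__main__":
    for name, s in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(name, lint_harbor_cluster(s))
```

To check a real manifest, load it with a YAML parser and pass `doc["spec"]` to `lint_harbor_cluster` before running `kubectl apply`.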
The in-cluster database configuration lets the Harbor operator automatically deploy an in-cluster, HA-capable PostgreSQL database service as the dependent database of the deploying Harbor.

```yaml
spec:
  # ... Skipped fields
  # Database configurations.
  database:
    # Set the kind of database service to be used.
    kind: "Zlando/PostgreSQL" # Required
    # Database spec
    spec: # Required
      # Image name for PostgreSQL. It will override the default one.
      image: my-psql # Optional
      # Image pull policy. It will override the global 'imageSource' settings and the default one.
      imagePullPolicy: # Optional, default = IfNotPresent
      # Image pull secrets. They will override the global 'imageSource' settings if set.
      imagePullSecrets:
        - name: myHarborRegSecretOfPsql
      # Specify the storage size for PostgreSQL.
      storage: 1Gi # Optional, default="1Gi"
      # Replicas of PostgreSQL instances.
      replicas: 3 # Optional, default=3
      # The storage class used for creating storage.
      storageClassName: default # Optional
      # If provided, use these requests and limits for cpu/memory resource allocation
      # More info:
      resources: # Optional
        # Limits describes the maximum amount of compute resources allowed.
        # More info:
        limits: {} # Optional
        # Requests describes the minimum amount of compute resources required.
        # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
        # otherwise to an implementation-defined value.
        # More info:
        requests: {} # Optional
  # ... Skipped fields
```
Two alternatives are provided for configuring the cache (Redis) service used by the deploying Harbor.

The standard cache configuration can be used to set an existing pre-deployed or cloud cache service as the dependent cache of the deploying Harbor.

```yaml
spec:
  # ... Skipped fields
  # Cache configuration.
  cache: # Optional
    kind: "Redis"
    spec:
      # Server host.
      host: # Required
      # Server port.
      port: 6347 # Required
      # For setting the sentinel masterSet.
      sentinelMasterSet: sentinel # Optional
      # Secret containing the password to use when connecting to the server.
      passwordRef: pwdSecret # Optional
      # Secret containing the client certificate to authenticate with.
      certificateRef: cert # Optional
  # ... Skipped fields
```
The in-cluster cache configuration lets the Harbor operator automatically deploy an in-cluster, HA-capable Redis service as the dependent cache of the deploying Harbor.

```yaml
spec:
  # ... Skipped fields
  # Cache configurations.
  cache:
    # Set the kind of cache service to be used. Only 'Redis' is supported now.
    kind: RedisFailover # Required
    # Redis configuration spec.
    spec: # Required
      # Image name for Redis. It will override the default one.
      image: my-redis # Optional
      # Image pull policy. It will override the global 'imageSource' settings and the default one.
      imagePullPolicy: # Optional, default = IfNotPresent
      # Image pull secrets. They will override the global 'imageSource' settings if set.
      imagePullSecrets:
        - name: myHarborRegSecretOfRedis
      # Redis sentinel
      sentinel: # Required
        # Replicas of the sentinel service.
        replicas: 3 # Optional, default=3
      # Redis server.
      server: # Required
        # Replicas of the server.
        replicas: 3 # Optional, default=3
        # Storage class used to provision the redis storage.
        storageClassName: default # Optional
        # Storage size.
        storage: 1Gi # Optional
        # If provided, use these requests and limits for cpu/memory resource allocation
        # More info:
        resources: # Optional
          # Limits describes the maximum amount of compute resources allowed.
          # More info:
          limits: {} # Optional
          # Requests describes the minimum amount of compute resources required.
          # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
          # otherwise to an implementation-defined value.
          # More info:
          requests: {} # Optional
  # ... Skipped fields
```
The status of the HarborCluster CR is described below:

```yaml
status:
  # Versioning info of the running operator.
  # The code commit for building the running operator.
  controllerGitCommit: <commit_hash> # Optional
  # The version of the running operator.
  controllerVersion: 1.0.0 # Optional
  # Name of the operator controller.
  controllerName: harbor
  # Overall status of the HarborCluster CR.
  # Status can be "creating", "healthy" and "unhealthy"
  status: healthy
  # Condition list
  conditions:
    # The type of the condition.
    # It can be "ServiceReady", "StorageReady", "DatabaseReady", "CacheReady" and "ConfigurationReady".
    - type: ServiceReady
      # Status is the status of the condition.
      # Can be True, False, Unknown.
      status: "True"
      # Last time the condition transitioned from one status to another.
      lastTransitionTime: <time> # Optional
      # Unique, one-word, CamelCase reason for the condition's last transition.
      reason: "reason" # Optional
      # Human-readable message indicating details about the last transition.
      message: "message" # Optional
```