Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing.
Harbor configuration
1 - v2.5.0
Trivy, Notary and Chartmuseum are not supported at this moment.
Configuring Harbor in EKS Anywhere package spec
The following table lists the configurable parameters of the Harbor package spec and the default values.
Parameter | Description | Default |
---|---|---|
**General** | | |
`externalURL` | The external URL for Harbor core service | `https://127.0.0.1:30003` |
`imagePullPolicy` | The image pull policy | `IfNotPresent` |
`logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` |
`harborAdminPassword` | The initial password of Harbor admin. Change it from the portal after launching Harbor | `Harbor12345` |
`secretKey` | The key used for encryption. Must be a string of 16 chars | `""` |
**Expose** | | |
`expose.type` | How to expose the service: `nodePort` or `loadBalancer`. Other values will be ignored and the creation of the service will be skipped. | `nodePort` |
`expose.tls.enabled` | Enable TLS or not. | `true` |
`expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate. | `secret` |
`expose.tls.auto.commonName` | The common name used to generate the certificate. Required when `expose.tls.certSource` is set to `auto` | |
`expose.tls.secret.secretName` | The name of the secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | `harbor-tls-secret` |
`expose.nodePort.name` | The name of NodePort service | `harbor` |
`expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` |
`expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` |
`expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` |
`expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` |
`expose.loadBalancer.name` | The name of service | `harbor` |
`expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when the loadBalancer supports assigning an IP | `""` |
`expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
`expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` |
`expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | `{}` |
`expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to `loadBalancerSourceRanges` | `[]` |
**Internal TLS** | | |
`internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry) | `true` |
**Persistence** | | |
`persistence.resourcePolicy` | Set it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted. Does not affect PVCs created for internal database and redis components. | `keep` |
`persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` |
`persistence.persistentVolumeClaim.registry.storageClass` | Specify the storageClass used to provision the volume. If not set, the default StorageClass will be used. Set it to `-` to disable dynamic provisioning | `""` |
`persistence.persistentVolumeClaim.jobservice.size` | The size of the volume | `1Gi` |
`persistence.persistentVolumeClaim.jobservice.storageClass` | Specify the storageClass used to provision the volume. If not set, the default StorageClass will be used. Set it to `-` to disable dynamic provisioning | `""` |
`persistence.persistentVolumeClaim.database.size` | The size of the volume. If an external database is used, the setting will be ignored | `1Gi` |
`persistence.persistentVolumeClaim.database.storageClass` | Specify the storageClass used to provision the volume. If not set, the default StorageClass will be used. Set it to `-` to disable dynamic provisioning. If an external database is used, the setting will be ignored | `""` |
`persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` |
`persistence.persistentVolumeClaim.redis.storageClass` | Specify the storageClass used to provision the volume. If not set, the default StorageClass will be used. Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | `""` |
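
A pre-deployment check over the security-relevant parameters above, as an added example (not part of the EKS Anywhere or Harbor projects). It assumes the package configuration has already been parsed into a nested dict; the helper names and sample configs are hypothetical, and treating an empty `secretKey` or an empty `sourceRanges` list as a finding is this example's own policy.

```python
# Added example: audit a parsed Harbor package config against the table's defaults.
DEFAULTS = {
    "harborAdminPassword": "Harbor12345",
    "secretKey": "",
    "expose.type": "nodePort",
    "expose.tls.enabled": True,
    "expose.tls.certSource": "secret",
    "expose.tls.auto.commonName": "",
    "expose.loadBalancer.sourceRanges": [],
    "internalTLS.enabled": True,
}

def lookup(cfg, dotted):
    """Walk a dotted key through nested dicts; fall back to the table default."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return DEFAULTS[dotted]
        node = node[part]
    return node

def audit_harbor_config(cfg):
    """Return one finding string per parameter that needs attention."""
    findings = []
    if lookup(cfg, "harborAdminPassword") in ("", DEFAULTS["harborAdminPassword"]):
        findings.append("harborAdminPassword: documented default or empty")
    if len(lookup(cfg, "secretKey")) != 16:
        findings.append("secretKey: must be a string of 16 chars")
    if not lookup(cfg, "expose.tls.enabled") or lookup(cfg, "expose.tls.certSource") == "none":
        findings.append("expose.tls: no TLS certificate on the exposed service")
    if lookup(cfg, "expose.tls.certSource") == "auto" and not lookup(cfg, "expose.tls.auto.commonName"):
        findings.append("expose.tls.auto.commonName: required when certSource is auto")
    if not lookup(cfg, "internalTLS.enabled"):
        findings.append("internalTLS.enabled: component traffic is not encrypted")
    if lookup(cfg, "expose.type") == "loadBalancer" and not lookup(cfg, "expose.loadBalancer.sourceRanges"):
        findings.append("expose.loadBalancer.sourceRanges: no source range restriction")
    return findings

# Constructed sample configs (not from the page).
UNTOUCHED = {}  # every parameter left at its table default
HARDENED = {
    "harborAdminPassword": "constructed-sample-passphrase",
    "secretKey": "0123456789abcdef",  # constructed 16-char value
    "expose": {"type": "loadBalancer", "loadBalancer": {"sourceRanges": ["10.0.0.0/8"]}},
}

if __name__ == "__main__":
    for name, cfg in (("untouched", UNTOUCHED), ("hardened", HARDENED)):
        print(name, audit_harbor_config(cfg))
```

Keys missing from the config fall back to the defaults listed in the table, so an untouched config reports the default admin password and the empty `secretKey`.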