ansible/roles/harbor/defaults/main.yaml

harbor_enabled: true
harbor_publish: false
harbor_short_name: "harbor"
harbor_use_external_db: true
harbor_default_values:
  expose:
    tls:
      certSource: secret
      secret:
        secretName: "{{ harbor_short_name }}.{{ domain }}-tls"
        notarySecretName: "notary.{{ harbor_short_name }}.{{ domain }}-tls"
    ingress:
      className: "{{ external_ingress_class if harbor_publish else internal_ingress_class }}"
      hosts:
        core: "{{ harbor_short_name }}.{{ domain }}"
        notary: "notary.{{ harbor_short_name }}.{{ domain }}"
      annotations:
        cert-manager.io/cluster-issuer: "letsencrypt-prod"
        nginx.ingress.kubernetes.io/proxy-body-size: "0"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
        nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
  externalURL: "https://{{ harbor_short_name }}.{{ domain }}"
  
  # The persistence is enabled by default and a default StorageClass
  # is needed in the k8s cluster to provision volumes dynamicly.
  # Specify another StorageClass in the "storageClass" or set "existingClaim"
  # if you have already existing persistent volumes to use
  #
  # For storing images and charts, you can also use "azure", "gcs", "s3",
  # "swift" or "oss". Set it in the "imageChartStorage" section
  persistence:
    enabled: true
    # Setting it to "keep" to avoid removing PVCs during a helm delete
    # operation. Leaving it empty will delete PVCs after the chart deleted
    # (this does not apply for PVCs that are created for internal database
    # and redis components, i.e. they are never deleted automatically)
    resourcePolicy: "keep"
    persistentVolumeClaim:
      registry:
        # Use the existing PVC which must be created manually before bound,
        # and specify the "subPath" if the PVC is shared with other components
        existingClaim: ""
        # Specify the "storageClass" used to provision the volume. Or the default
        # StorageClass will be used(the default).
        # Set it to "-" to disable dynamic provisioning
        storageClass: "{{ harbor_registry_storage | default(harbor_storage) | default('nfs-hdd') }}"
        subPath: ""
        accessMode: "{{ harbor_registry_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
        size: "{{ harbor_registry_size | default('100Gi') }}"
      chartmuseum:
        existingClaim: ""
        storageClass: "{{ harbor_charts_storage | default(harbor_storage) | default('nfs-ssd') }}"
        subPath: ""
        accessMode: "{{ harbor_charts_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
        size: "{{ harbor_charts_size | default('50Gi') }}"
      jobservice:
        existingClaim: ""
        storageClass: "{{ harbor_jobservice_storage | default(harbor_storage) | default('nfs-ssd') }}"
        subPath: ""
        accessMode: "{{ harbor_jobservice_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
        size: "{{ harbor_jobservice_size | default('5Gi') }}"
      # If external database is used, the following settings for database will
      # be ignored
      database:
        existingClaim: ""
        storageClass: "{{ harbor_database_storage | default(harbor_storage) | default('nfs-ssd') }}"
        subPath: ""
        accessMode: "{{ harbor_database_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
        size: "{{ harbor_database_size | default('10Gi') }}"
      # If external Redis is used, the following settings for Redis will
      # be ignored
      redis:
        existingClaim: ""
        storageClass: "{{ harbor_redis_storage | default(harbor_storage) | default('nfs-ssd') }}"
        subPath: ""
        accessMode: "{{ harbor_redis_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
        size: "{{ harbor_redis_size | default('5Gi') }}"
      trivy:
        existingClaim: ""
        storageClass: "{{ harbor_trivy_storage | default(harbor_storage) | default('nfs-ssd') }}"
        subPath: ""
        accessMode: "{{ harbor_trivy_storage_mode | default(harbor_storage_mode) | default('ReadWriteMany') }}"
        size: "{{ harbor_trivy_size | default('10Gi') }}"
  
  imagePullPolicy: IfNotPresent
  
  # The update strategy for deployments with persistent volumes(jobservice, registry
  # and chartmuseum): "RollingUpdate" or "Recreate"
  # Set it as "Recreate" when "RWM" for volumes isn't supported
  updateStrategy:
    type: RollingUpdate
  
  # debug, info, warning, error or fatal
  logLevel: info
  
  # The initial password of Harbor admin. Change it from portal after launching Harbor
  harborAdminPassword: "{{ harbor_admin_pass | default(harbor_admin_password) }}"
  
  # The secret key used for encryption. Must be a string of 16 chars.
  secretKey: "{{ harbor_encription_key | default('not-a-secure-key') }}"
  
  jobservice:
    maxJobWorkers: 32
  registry:
    credentials:
      username: "harbor_registry_user"
      password: "{{ harbor_registry_user_password }}"
      # If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
      # e.g. "htpasswd -nbBC10 $username $password"
      htpasswd: "harbor_registry_user:{{ harbor_registry_user_htpasswd_hash }}"
  
  database:
    # if external database is used, set "type" to "external"
    # and fill the connection informations in "external" section
    type: external
    external:
      host: "{{ postgres_db_team | default(namespace) }}-postgres.{{ postgres_db_namespace | default(namespace) }}.svc.cluster.local"
      username: "{{ harbor_db_username | default(omit) }}"
      password: "{{ harbor_db_password | default(omit) }}"
      coreDatabase: "harbor_registry"
      notaryServerDatabase: "harbor_notary_server"
      notarySignerDatabase: "harbor_notary_signer"

harbor_readonly_ingress_definition: |
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    name: harbor-public-ingress
    namespace: "{{ harbor_namespace | default(namespace) }}"
  spec:
    ingressClassName: "{{ external_ingress_class }}"
    rules:
    - host: "{{ harbor_readonly_ingress }}"
      http:
        paths:
        - backend:
            service:
              name: harbor-core
              port:
                number: 80
          path: /v2
          pathType: ImplementationSpecific
        - backend:
            service:
              name: harbor-core
              port:
                number: 80
          path: /chartrepo
          pathType: ImplementationSpecific
        - backend:
            service:
              name: harbor-core
              port:
                number: 80
          path: /api
          pathType: ImplementationSpecific
    tls:
    - hosts:
      - "{{ harbor_readonly_ingress }}"
      secretName: "{{ harbor_readonly_ingress }}-tls"