helm简单部署harbor(ingress方式暴露)

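# Register the Harbor chart repository and refresh the local index.
# (The original page repeated the `helm repo add` line; the install step
# below uses a local harbor-1.14.2.tgz and a values.yaml, so the chart is
# fetched here.)
helm repo add harbor https://helm.goharbor.io
helm repo update

# Download the chart archive used by the install step and export its default
# values as the file to edit.
helm pull harbor/harbor --version 1.14.2
helm show values harbor/harbor --version 1.14.2 > values.yaml

# Create the TLS secret that values.yaml references as "harbor-tls".
# Assumes the namespace "tools" already exists. 123.top.key is the private
# key: keep it readable only by you and out of version control.
kubectl -n tools create secret tls harbor-tls --key 123.top.key --cert 123.top.pem

vim values.yaml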

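# Settings to change in values.yaml. These are excerpts: the indentation
# follows the page, not the real nesting (see the full listing below).
    certSource: secret  # use a custom certificate supplied as a Kubernetes TLS secret
    auto:
      commonName: "harbor-tls"
    secret:
      secretName: "harbor-tls"  # the secret created above with `kubectl create secret tls`

# Replace with your own domain. The certificate in harbor-tls has to cover
# this hostname. The full listing below uses registry.exchangs.top instead;
# use one name consistently.
   core: registry.123.top
   externalURL: https://registry.123.top

# Every storageClass entry must name a dynamic StorageClass that exists in
# your own cluster.
# For example:
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "rook-ceph-block"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 50Gi

# Admin login password.
# The value below is the page's sample and is now public: choose your own
# strong password, or keep it out of values.yaml by pointing the chart at an
# existing Secret (existingSecretAdminPassword / existingSecretAdminPasswordKey).
harborAdminPassword: "123qweASD"

# Finally, enable metrics.
metrics:
 enabled: true

# Everything else stays at the chart default.
# NOTE: the untouched defaults include secretKey ("not-a-secure-key"),
# database.internal.password ("changeit") and registry.credentials, all
# visible in the full listing below. Replace them before exposing Harbor.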

完整的yaml


# grep -Ev '^\s*#|^$' values.yaml
expose:  # how Harbor is published; with type ingress the clusterIP/nodePort/loadBalancer sections are presumably unused defaults
 type: ingress
 tls:
   enabled: true
   certSource: secret  # take the certificate from the TLS secret named under `secret`
   auto:
     commonName: "harbor-tls"  # presumably read only when certSource is auto - confirm
   secret:
     secretName: "harbor-tls"  # same name as the secret created with `kubectl create secret tls` in namespace tools
 ingress:
   hosts:
     core: registry.exchangs.top  # replace with your own hostname; the excerpt earlier on the page uses registry.123.top
   controller: default
   kubeVersionOverride: ""
   className: "nginx"
   annotations:
     ingress.kubernetes.io/ssl-redirect: "true"
     ingress.kubernetes.io/proxy-body-size: "0"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"  # send plain-HTTP requests to HTTPS
     nginx.ingress.kubernetes.io/proxy-body-size: "0"  # "0" turns off the request-body size limit so large image layers can be pushed
   harbor:
     annotations: {}
     labels: {}
 clusterIP:
   name: harbor
   staticClusterIP: ""
   annotations: {}
   ports:
     httpPort: 80
     httpsPort: 443
 nodePort:
   name: harbor
   ports:
     http:
       port: 80
       nodePort: 30002
     https:
       port: 443
       nodePort: 30003
 loadBalancer:
   name: harbor
   IP: ""
   ports:
     httpPort: 80
     httpsPort: 443
   annotations: {}
   sourceRanges: []
externalURL: https://registry.exchangs.top  # URL clients use for Harbor; same host as expose.ingress.hosts.core, over https
internalTLS:  # TLS between Harbor's own components (core, jobservice, registry, portal, trivy)
 enabled: false  # component-to-component traffic is not encrypted; consider enabling if the pod network is not trusted
 strong_ssl_ciphers: false
 certSource: "auto"
 trustCa: ""
 core:
   secretName: ""
   crt: ""
   key: ""
 jobservice:
   secretName: ""
   crt: ""
   key: ""
 registry:
   secretName: ""
   crt: ""
   key: ""
 portal:
   secretName: ""
   crt: ""
   key: ""
 trivy:
   secretName: ""
   crt: ""
   key: ""
ipFamily:  # IPv4 / IPv6 toggles
 ipv6:
   enabled: true  # NOTE(review): confirm the cluster supports IPv6, otherwise set to false
 ipv4:
   enabled: true
persistence:  # persistent volumes for registry, jobservice, database, redis and trivy
 enabled: true
 resourcePolicy: "keep"  # presumably keeps the PVCs (image and database data) when the release is uninstalled - confirm
 persistentVolumeClaim:
   registry:
     existingClaim: ""
     storageClass: "rook-ceph-block"  # replace with a dynamic StorageClass from your own cluster
     subPath: ""
     accessMode: ReadWriteOnce
     size: 50Gi
     annotations: {}
   jobservice:
     jobLog:
       existingClaim: ""
       storageClass: "rook-ceph-block"
       subPath: ""
       accessMode: ReadWriteOnce
       size: 1Gi
       annotations: {}
   database:
     existingClaim: ""
     storageClass: "rook-ceph-block"
     subPath: ""
     accessMode: ReadWriteOnce
     size: 5Gi
     annotations: {}
   redis:
     existingClaim: ""
     storageClass: "rook-ceph-block"
     subPath: ""
     accessMode: ReadWriteOnce
     size: 2Gi
     annotations: {}
   trivy:
     existingClaim: ""
     storageClass: "rook-ceph-block"
     subPath: ""
     accessMode: ReadWriteOnce
     size: 6Gi
     annotations: {}
 imageChartStorage:
   disableredirect: false
   type: filesystem  # images are stored on the registry PVC; the azure/gcs/s3/swift/oss values below are placeholders
   filesystem:
     rootdirectory: /storage
   azure:
     accountname: accountname
     accountkey: base64encodedaccountkey  # placeholder, not a real key; prefer existingSecret if this backend is ever used
     container: containername
     existingSecret: ""
   gcs:
     bucket: bucketname
     encodedkey: base64-encoded-json-key-file  # placeholder
     existingSecret: ""
     useWorkloadIdentity: false
   s3:
     region: us-west-1
     bucket: bucketname
   swift:
     authurl: https://storage.myprovider.com/v3/auth
     username: username
     password: password  # placeholder
     container: containername
     existingSecret: ""
   oss:
     accesskeyid: accesskeyid
     accesskeysecret: accesskeysecret  # placeholder
     region: regionname
     bucket: bucketname
     existingSecret: ""
imagePullPolicy: IfNotPresent  # global settings shared by all components start here
imagePullSecrets:
updateStrategy:
 type: RollingUpdate  # NOTE(review): the PVCs above are ReadWriteOnce; confirm rolling updates work for registry/jobservice on your storage
logLevel: info
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD  # key name looked up when an existing admin-password Secret is configured
harborAdminPassword: "123qweASD"  # sample value published on this page; set your own strong password or supply it from a Secret
caSecretName: ""
secretKey: "not-a-secure-key"  # unchanged chart default, publicly known; presumably an encryption key - set your own 16-character value
existingSecretSecretKey: ""
proxy:
 httpProxy:
 httpsProxy:
 noProxy: 127.0.0.1,localhost,.local,.internal
 components:
   - core
   - jobservice
   - trivy
enableMigrateHelmHook: false
nginx:  # Harbor's bundled nginx proxy; NOTE(review): confirm whether it is deployed when expose.type is ingress
 image:
   repository: goharbor/nginx-photon
   tag: v2.10.2  # every component in this file is pinned to v2.10.2; change them together
 serviceAccountName: ""
 automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
 replicas: 1
 revisionHistoryLimit: 10
 extraEnvVars: []
 nodeSelector: {}
 tolerations: []
 affinity: {}
 topologySpreadConstraints: []
 podAnnotations: {}
 podLabels: {}
 priorityClassName:
portal:  # web UI
 image:
   repository: goharbor/harbor-portal
   tag: v2.10.2
 serviceAccountName: ""
 automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
 replicas: 1
 revisionHistoryLimit: 10
 extraEnvVars: []
 nodeSelector: {}
 tolerations: []
 affinity: {}
 topologySpreadConstraints: []
 podAnnotations: {}
 podLabels: {}
 serviceAnnotations: {}
 priorityClassName:
core:  # Harbor core service (API, authentication, token issuing)
 image:
   repository: goharbor/harbor-core
   tag: v2.10.2
 serviceAccountName: ""
 automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
 replicas: 1
 revisionHistoryLimit: 10
 startupProbe:
   enabled: true
   initialDelaySeconds: 10
 extraEnvVars: []
 nodeSelector: {}
 tolerations: []
 affinity: {}
 topologySpreadConstraints: []
 podAnnotations: {}
 podLabels: {}
 serviceAnnotations: {}
 configureUserSettings:
 quotaUpdateProvider: db # Or redis
 secret: ""  # left empty; presumably the chart generates a value - confirm
 existingSecret: ""
 secretName: ""
 tokenKey: |
 tokenCert: |
 xsrfKey: ""  # left empty; presumably generated by the chart - confirm
 existingXsrfSecret: ""
 existingXsrfSecretKey: CSRF_KEY
 priorityClassName:
 artifactPullAsyncFlushDuration:
 gdpr:
   deleteUser: false
   auditLogsCompliant: false
jobservice:  # background job runner (replication, scans, garbage collection)
 image:
   repository: goharbor/harbor-jobservice
   tag: v2.10.2
 replicas: 1
 revisionHistoryLimit: 10
 serviceAccountName: ""
 automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
 maxJobWorkers: 10
 jobLoggers:
   - file
 loggerSweeperDuration: 14 # days
 notification:
   webhook_job_max_retry: 3
   webhook_job_http_client_timeout: 3 # in seconds
 reaper:
   max_update_hours: 24
   max_dangling_hours: 168
 extraEnvVars: []
 nodeSelector: {}
 tolerations: []
 affinity: {}
 topologySpreadConstraints:  # null here, while the other components use []
 podAnnotations: {}
 podLabels: {}
 secret: ""  # left empty; presumably generated by the chart - confirm
 existingSecret: ""
 existingSecretKey: JOBSERVICE_SECRET
 priorityClassName:
registry:  # image registry plus its controller (registryctl)
 serviceAccountName: ""
 automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
 registry:
   image:
     repository: goharbor/registry-photon
     tag: v2.10.2
   extraEnvVars: []
 controller:
   image:
     repository: goharbor/harbor-registryctl
     tag: v2.10.2
   extraEnvVars: []
 replicas: 1
 revisionHistoryLimit: 10
 nodeSelector: {}
 tolerations: []
 affinity: {}
 topologySpreadConstraints: []
 podAnnotations: {}
 podLabels: {}
 priorityClassName:
 secret: ""  # left empty; presumably generated by the chart - confirm
 existingSecret: ""
 existingSecretKey: REGISTRY_HTTP_SECRET
 relativeurls: false
 credentials:
   username: "harbor_registry_user"
   password: "harbor_registry_password"  # unchanged chart default, publicly known; set your own or use existingSecret
   existingSecret: ""
   htpasswdString: ""
 middleware:
   enabled: false  # the cloudFront values below are placeholders while this is false
   type: cloudFront
   cloudFront:
     baseurl: example.cloudfront.net
     keypairid: KEYPAIRID
     duration: 3000s
     ipfilteredby: none
     privateKeySecret: "my-secret"
 upload_purging:
   enabled: true
   age: 168h
   interval: 24h
   dryrun: false
trivy:  # vulnerability scanner adapter
 enabled: true
 image:
   repository: goharbor/trivy-adapter-photon
   tag: v2.10.2
 serviceAccountName: ""
 automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
 replicas: 1
 debugMode: false
 vulnType: "os,library"
 severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"  # all severity levels are reported
 ignoreUnfixed: false  # vulnerabilities without a fix are reported too
 insecure: false  # presumably controls registry certificate verification; keep false - confirm
 gitHubToken: ""  # if you set one, prefer supplying it from a Secret over writing it here
 skipUpdate: false  # NOTE(review): database updates need outbound access; see proxy.* for restricted networks
 skipJavaDBUpdate: false
 offlineScan: false
 securityCheck: "vuln"
 timeout: 5m0s
 resources:
   requests:
     cpu: 200m
     memory: 512Mi
   limits:
     cpu: 1
     memory: 1Gi
 extraEnvVars: []
 nodeSelector: {}
 tolerations: []
 affinity: {}
 topologySpreadConstraints: []
 podAnnotations: {}
 podLabels: {}
 priorityClassName:
database:  # PostgreSQL used by Harbor
 type: internal  # uses the bundled database; the `external` values below are presumably unused placeholders
 internal:
   serviceAccountName: ""
   automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
   image:
     repository: goharbor/harbor-db
     tag: v2.10.2
   password: "changeit"  # unchanged chart default, publicly known; set your own before the first install
   shmSizeLimit: 512Mi
   livenessProbe:
     timeoutSeconds: 1
   readinessProbe:
     timeoutSeconds: 1
   extraEnvVars: []
   nodeSelector: {}
   tolerations: []
   affinity: {}
   priorityClassName:
   initContainer:
     migrator: {}
     permissions: {}
 external:
   host: "192.168.0.1"
   port: "5432"
   username: "user"
   password: "password"  # placeholder
   coreDatabase: "registry"
   existingSecret: ""
   sslmode: "disable"  # if an external database is ever used, require TLS here instead of disabling it
 maxIdleConns: 100
 maxOpenConns: 900
 podAnnotations: {}
 podLabels: {}
redis:  # Redis used by core, jobservice, registry and trivy
 type: internal  # uses the bundled Redis; the `external` values below are presumably unused placeholders
 internal:  # NOTE(review): no password key appears for the bundled Redis; confirm only Harbor pods can reach it
   serviceAccountName: ""
   automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
   image:
     repository: goharbor/redis-photon
     tag: v2.10.2
   extraEnvVars: []
   nodeSelector: {}
   tolerations: []
   affinity: {}
   priorityClassName:
   jobserviceDatabaseIndex: "1"
   registryDatabaseIndex: "2"
   trivyAdapterIndex: "5"
 external:
   addr: "192.168.0.2:6379"
   sentinelMasterSet: ""
   coreDatabaseIndex: "0"
   jobserviceDatabaseIndex: "1"
   registryDatabaseIndex: "2"
   trivyAdapterIndex: "5"
   username: ""
   password: ""
   existingSecret: ""
 podAnnotations: {}
 podLabels: {}
exporter:  # metrics exporter
 replicas: 1
 revisionHistoryLimit: 10
 extraEnvVars: []
 podAnnotations: {}
 podLabels: {}
 serviceAccountName: ""
 automountServiceAccountToken: false  # no Kubernetes API token is mounted into the pod
 image:
   repository: goharbor/harbor-exporter
   tag: v2.10.2
 nodeSelector: {}
 tolerations: []
 affinity: {}
 topologySpreadConstraints: []
 cacheDuration: 23
 cacheCleanInterval: 14400
 priorityClassName:
metrics:  # the one switch the page turns on besides TLS, hostname, storage and password
 enabled: true  # NOTE(review): serves /metrics on port 8001 per component; confirm only your monitoring stack can reach it
 core:
   path: /metrics
   port: 8001
 registry:
   path: /metrics
   port: 8001
 jobservice:
   path: /metrics
   port: 8001
 exporter:
   path: /metrics
   port: 8001
 serviceMonitor:
   enabled: false  # no ServiceMonitor is created; scraping has to be configured separately
   additionalLabels: {}
   interval: ""
   metricRelabelings:
     []
   relabelings:
     []
trace:  # distributed tracing, switched off
 enabled: false
 provider: jaeger
 sample_rate: 1
 jaeger:
   endpoint: http://hostname:14268/api/traces
 otel:
   endpoint: hostname:4318
   url_path: /v1/traces
   compression: false
   insecure: true  # placeholder while trace.enabled is false; review before turning tracing on
   timeout: 10
cache:
 enabled: false
 expireHours: 24

安装

# Install release "harbor" into namespace tools from the local chart archive,
# applying the edited values.yaml.
# values.yaml holds the admin password and other credentials in plain text:
# keep the file out of version control and restrict who can read it.
helm -n tools install harbor -f values.yaml harbor-1.14.2.tgz
