This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Harbor Configuration

1: Harbor
2: Harbor use cases
3: v2.5.0
4: v2.5.1
5: v2.7.1

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing. For EKS Anywhere deployments, common use cases for Harbor include:

Supporting Airgapped environments.
Running a registry mirror that is closer to the build and run environment to improve the image transfer efficiency.
Following any company policies around image locality.

For additional Harbor use cases see Harbor use cases .

Best Practice

Any supported EKS Anywhere curated package should be modified through package yaml files (with kind: Package) and applied through the command eksctl anywhere apply package -f packageFileName. Modifying objects outside of package yaml files may lead to unpredictable behaviors.

For automatic namespace (targetNamespace) creation, see createNamespace field: PackagebundleController.spec

Configuration options for Harbor

1 - Harbor

Install/upgrade/uninstall Harbor

If you have not already done so, make sure your cluster meets the package prerequisites. Be sure to refer to the troubleshooting guide in the event of a problem.

Important

Starting at eksctl anywhere version v0.12.0, packages on workload clusters are remotely managed by the management cluster.
While following this guide to install packages on a workload cluster, please make sure the kubeconfig is pointing to the management cluster that was used to create the workload cluster. The only exception is the kubectl create namespace command below, which should be run with kubeconfig pointing to the workload cluster.

Install

Set the KUBECONFIG environment variable to use the config of the management cluster
```
export KUBECONFIG=<path to management cluster kubeconfig>
```

Generate the package configuration

eksctl anywhere generate package harbor --cluster <cluster-name> > harbor.yaml

Add the desired configuration to harbor.yaml

Please see complete configuration options for all configuration options and their default values.

Important

All configuration options are listed in dot notations (e.g., expose.tls.enabled) in the doc, but they have to be transformed to hierachical structures when specified in the config section in the YAML spec.
Harbor web portal is exposed through NodePort by default, and its default port number is 30003 with TLS enabled and 30002 with TLS disabled.
TLS is enabled by default for connections to Harbor web portal, and a secret resource named harbor-tls-secret is required for that purpose. It can be provisioned through cert-manager or manually with the following command using self-signed certificate:
```
kubectl create secret tls harbor-tls-secret --cert=[path to certificate file] --key=[path to key file] -n eksa-packages
```
secretKey has to be set as a string of 16 characters for encryption.

TLS example with auto certificate generation

apiVersion: packages.eks.amazonaws.com/v1alpha1
kind: Package
metadata:
   name: my-harbor
   namespace: eksa-packages-<cluster-name>
spec:
   packageName: harbor
   config: |-
      secretKey: "use-a-secret-key"
      externalURL: https://harbor.eksa.demo:30003
      expose:
         tls:
            certSource: auto
            auto:
               commonName: "harbor.eksa.demo"

Non-TLS example

apiVersion: packages.eks.amazonaws.com/v1alpha1
kind: Package
metadata:
   name: my-harbor
   namespace: eksa-packages-<cluster-name>
spec:
   packageName: harbor
   config: |-
      secretKey: "use-a-secret-key"
      externalURL: http://harbor.eksa.demo:30002
      expose:
         tls:
            enabled: false

Install Harbor

eksctl anywhere create packages -f harbor.yaml

Check Harbor

eksctl anywhere get packages --cluster <cluster-name>

Example command output

NAME        PACKAGE   AGE     STATE       CURRENTVERSION             TARGETVERSION        DETAIL
my-harbor   harbor    5m34s   installed   v2.5.1                     v2.5.1 (latest)

Harbor web portal is accessible at whatever externalURL is set to. See complete configuration options for all default values.

Harbor web portal

Update

To update package configuration, update harbor.yaml file, and run the following command:

eksctl anywhere apply package -f harbor.yaml

Upgrade

Note

New versions of software packages will be automatically downloaded but not automatically installed. You can always manually run eksctl to check and install updates.

Verify a new bundle is available

eksctl anywhere get packagebundle

Example command output

NAME         VERSION   STATE
v1.25-120    1.25      active (upgrade available)
v1.26-120    1.26      inactive

Upgrade Harbor

eksctl anywhere upgrade packages --bundle-version v1.26-120

Check Harbor

eksctl anywhere get packages --cluster <cluster-name>

Example command output

NAME        PACKAGE   AGE     STATE       CURRENTVERSION             TARGETVERSION        DETAIL
my-harbor   Harbor    14m     installed   v2.7.1                     v2.7.1 (latest)

Uninstall

Uninstall Harbor
Important
- By default, PVCs created for jobservice and registry are not removed during a package delete operation, which can be changed by leaving persistence.resourcePolicy empty.
```
eksctl anywhere delete package --cluster <cluster-name> my-harbor
```

2 - Harbor use cases

Try some harbor use cases

Important

To install Harbor package, please follow the installation guide.

Proxy a public Amazon Elastic Container Registry (ECR) repository

This use case is to use Harbor to proxy and cache images from a public ECR repository, which helps limit the amount of requests made to a public ECR repository, avoiding consuming too much bandwidth or being throttled by the registry server.

Login

Log in to the Harbor web portal with the default credential as shown below
```
admin
Harbor12345
```
Create a registry proxy

Navigate to Registries on the left panel, and then click on NEW ENDPOINT button. Choose Docker Registry as the Provider, and enter public-ecr as the Name, and enter https://public.ecr.aws/ as the Endpoint URL. Save it by clicking on OK.
Create a proxy project

Navigate to Projects on the left panel and click on the NEW PROJECT button. Enter proxy-project as the Project Name, check Public access level, and turn on Proxy Cache and choose public-ecr from the pull-down list. Save the configuration by clicking on OK.
Pull images
Note
- harbor.eksa.demo:30003 should be replaced with whatever externalURL is set to in the Harbor package YAML file.
```
docker pull harbor.eksa.demo:30003/proxy-project/cloudwatch-agent/cloudwatch-agent:latest
```

Proxy a private Amazon Elastic Container Registry (ECR) repository

This use case is to use Harbor to proxy and cache images from a private ECR repository, which helps limit the amount of requests made to a private ECR repository, avoiding consuming too much bandwidth or being throttled by the registry server.

Login

Log in to the Harbor web portal with the default credential as shown below
```
admin
Harbor12345
```
Create a registry proxy

In order for Harbor to proxy a remote private ECR registry, an IAM credential with necessary permissions need to be created. Usually, it follows three steps:
1. Policy
  
  This is where you specify all necessary permissions. Please refer to private repository policies , IAM permissions for pushing an image and ECR policy examples to figure out the minimal set of required permissions.
  
  For simplicity, the build-in policy AdministratorAccess is used here.
2. User group
  
  This is an easy way to manage a pool of users who share the same set of permissions by attaching the policy to the group.
3. User
  
  Create a user and add it to the user group. In addition, please navigate to Security credentials to generate an access key. Access keys consists of two parts: an access key ID and a secret access key. Please save both as they are used in the next step.
Navigate to Registries on the left panel, and then click on NEW ENDPOINT button. Choose Aws ECR as Provider, and enter private-ecr as Name, https://[ACCOUNT NUMBER].dkr.ecr.us-west-2.amazonaws.com/ as Endpoint URL, use the access key ID part of the generated access key as Access ID, and use the secret access key part of the generated access key as Access Secret. Save it by click on OK.
Create a proxy project

Navigate to Projects on the left panel and click on NEW PROJECT button. Enter proxy-private-project as Project Name, check Public access level, and turn on Proxy Cache and choose private-ecr from the pull-down list. Save the configuration by clicking on OK.

Pull images

Create a repository in the target private ECR registry

Harbor private ecr repository

Push an image to the created repository

docker pull alpine
docker tag alpine [ACCOUNT NUMBER].dkr.ecr.us-west-2.amazonaws.com/alpine:latest
docker push [ACCOUNT NUMBER].dkr.ecr.us-west-2.amazonaws.com/alpine:latest

Note

harbor.eksa.demo:30003 should be replaced with whatever externalURL is set to in the Harbor package YAML file.

docker pull harbor.eksa.demo:30003/proxy-private-project/alpine:latest

Repository replication from Harbor to a private Amazon Elastic Container Registry (ECR) repository

This use case is to use Harbor to replicate local images and charts to a private ECR repository in push mode. When a replication rule is set, all resources that match the defined filter patterns are replicated to the destination registry when the triggering condition is met.

Login

Log in to the Harbor web portal with the default credential as shown below
```
admin
Harbor12345
```
Create a nonproxy project
Create a registry proxy

In order for Harbor to proxy a remote private ECR registry, an IAM credential with necessary permissions need to be created. Usually, it follows three steps:
1. Policy
  
  This is where you specify all necessary permissions. Please refer to private repository policies , IAM permissions for pushing an image and ECR policy examples to figure out the minimal set of required permissions.
  
  For simplicity, the build-in policy AdministratorAccess is used here.
2. User group
  
  This is an easy way to manage a pool of users who share the same set of permissions by attaching the policy to the group.
3. User
  
  Create a user and add it to the user group. In addition, please navigate to Security credentials to generate an access key. Access keys consists of two parts: an access key ID and a secret access key. Please save both as they are used in the next step.
Navigate to Registries on the left panel, and then click on the NEW ENDPOINT button. Choose Aws ECR as the Provider, and enter private-ecr as the Name, https://[ACCOUNT NUMBER].dkr.ecr.us-west-2.amazonaws.com/ as the Endpoint URL, use the access key ID part of the generated access key as Access ID, and use the secret access key part of the generated access key as Access Secret. Save it by clicking on OK.
Create a replication rule
Prepare an image
Note
- harbor.eksa.demo:30003 should be replaced with whatever externalURL is set to in the Harbor package YAML file.
```
docker pull alpine
docker tag alpine:latest harbor.eksa.demo:30003/nonproxy-project/alpine:latest
```
Authenticate with Harbor with the default credential as shown below
```
admin
Harbor12345
```
Note
- harbor.eksa.demo:30003 should be replaced with whatever externalURL is set to in the Harbor package YAML file.
```
docker logout
docker login harbor.eksa.demo:30003
```
Push images

Create a repository in the target private ECR registry
Note
- harbor.eksa.demo:30003 should be replaced with whatever externalURL is set to in the Harbor package YAML file.
```
docker push harbor.eksa.demo:30003/nonproxy-project/alpine:latest
```
The image should appear in the target ECR repository shortly.

Set up trivy image scanner in an air-gapped environment

This use case is to manually import vulnerability database to Harbor trivy when Harbor is running in an air-gapped environment. All the following commands are assuming Harbor is running in the default namespace.

Configure trivy

TLS example with auto certificate generation

apiVersion: packages.eks.amazonaws.com/v1alpha1
kind: Package
metadata:
   name: my-harbor
   namespace: eksa-packages
spec:
   packageName: harbor
   config: |-
     secretKey: "use-a-secret-key"
     externalURL: https://harbor.eksa.demo:30003
     expose:
       tls:
         certSource: auto
         auto:
           commonName: "harbor.eksa.demo"
       trivy:
         skipUpdate: true
         offlineScan: true

Non-TLS example

apiVersion: packages.eks.amazonaws.com/v1alpha1
kind: Package
metadata:
   name: my-harbor
   namespace: eksa-packages
spec:
   packageName: harbor
   config: |-
     secretKey: "use-a-secret-key"
     externalURL: http://harbor.eksa.demo:30002
     expose:
       tls:
         enabled: false
     trivy:
       skipUpdate: true
       offlineScan: true

If Harbor is already running without the above trivy configurations, run the following command to update both skipUpdate and offlineScan

kubectl edit statefulsets/harbor-helm-trivy

Download the vulnerability database to your local host

Please follow oras installation instruction .
```
oras pull ghcr.io/aquasecurity/trivy-db:2 -a
```

Upload database to trivy pod from your local host

kubectl cp db.tar.gz harbor-helm-trivy-0:/home/scanner/.cache/trivy -c trivy

Set up database on Harbor trivy pod

kubectl exec -it harbor-helm-trivy-0 -c trivy bash
cd /home/scanner/.cache/trivy
mkdir db
mv db.tar.gz db
cd db
tar zxvf db.tar.gz

3 - v2.5.0

Trivy, Notary and Chartmuseum are not supported at this moment.

Configuring Harbor in EKS Anywhere package spec

The following table lists the configurable parameters of the Harbor package spec and the default values.

Parameter	Description	Default
General
`externalURL`	The external URL for Harbor core service	`https://127.0.0.1:30003`
`imagePullPolicy`	The image pull policy	`IfNotPresent`
`logLevel`	The log level: `debug`, `info`, `warning`, `error` or `fatal`	`info`
`harborAdminPassword`	The initial password of the Harbor `admin` account. Change it from the portal after launching Harbor	`Harbor12345`
`secretKey`	The key used for encryption. Must be a string of 16 chars	""
Expose
`expose.type`	How to expose the service: `nodePort` or `loadBalancer`, other values will be ignored and the creation of the service will be skipped.	`nodePort`
`expose.tls.enabled`	Enable TLS or not.	`true`
`expose.tls.certSource`	The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate.	`secret`
`expose.tls.auto.commonName`	The common name used to generate the certificate. It’s necessary when `expose.tls.certSource` is set to `auto`
`expose.tls.secret.secretName`	The name of the secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key	`harbor-tls-secret`
`expose.nodePort.name`	The name of the NodePort service	`harbor`
`expose.nodePort.ports.http.port`	The service port Harbor listens on when serving HTTP	`80`
`expose.nodePort.ports.http.nodePort`	The node port Harbor listens on when serving HTTP	`30002`
`expose.nodePort.ports.https.port`	The service port Harbor listens on when serving HTTPS	`443`
`expose.nodePort.ports.https.nodePort`	The node port Harbor listens on when serving HTTPS	`30003`
`expose.loadBalancer.name`	The name of the service	`harbor`
`expose.loadBalancer.IP`	The IP address of the loadBalancer. It only works when the loadBalancer supports assigning an IP address	`""`
`expose.loadBalancer.ports.httpPort`	The service port Harbor listens on when serving HTTP	`80`
`expose.loadBalancer.ports.httpsPort`	The service port Harbor listens on when serving HTTPS	`30002`
`expose.loadBalancer.annotations`	The annotations attached to the loadBalancer service	{}
`expose.loadBalancer.sourceRanges`	List of IP address ranges to assign to loadBalancerSourceRanges	[]
Internal TLS
`internalTLS.enabled`	Enable TLS for the components (core, jobservice, portal, and registry)	`true`
Persistence
`persistence.resourcePolicy`	Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted. Does not affect PVCs created for internal database and redis components.	`keep`
`persistence.persistentVolumeClaim.registry.size`	The size of the volume	`5Gi`
`persistence.persistentVolumeClaim.registry.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
`persistence.persistentVolumeClaim.jobservice.size`	The size of the volume	`1Gi`
`persistence.persistentVolumeClaim.jobservice.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
`persistence.persistentVolumeClaim.database.size`	The size of the volume. If an external database is used, the setting will be ignored	`1Gi`
`persistence.persistentVolumeClaim.database.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If an external database is used, the setting will be ignored	""
`persistence.persistentVolumeClaim.redis.size`	The size of the volume. If an external Redis is used, the setting will be ignored	`1Gi`
`persistence.persistentVolumeClaim.redis.storageClass`	Specify the `storageClass` used to provision the volumem, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If an external Redis is used, the setting will be ignored	""
Registry
`registry.relativeurls`	If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy	`false`

4 - v2.5.1

Notary and Chartmuseum are not supported at this moment.

Configuring Harbor in EKS Anywhere package spec

The following table lists the configurable parameters of the Harbor package spec and the default values.

Parameter	Description	Default
General
`externalURL`	The external URL for Harbor core service	`https://127.0.0.1:30003`
`imagePullPolicy`	The image pull policy	`IfNotPresent`
`logLevel`	The log level: `debug`, `info`, `warning`, `error` or `fatal`	`info`
`harborAdminPassword`	The initial password of the Harbor `admin` account. Change it from the portal after launching Harbor	`Harbor12345`
`secretKey`	The key used for encryption. Must be a string of 16 chars	""
Expose
`expose.type`	How to expose the service: `nodePort` or `loadBalancer`, other values will be ignored and the creation of the service will be skipped.	`nodePort`
`expose.tls.enabled`	Enable TLS or not.	`true`
`expose.tls.certSource`	The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate.	`secret`
`expose.tls.auto.commonName`	The common name used to generate the certificate. It’s necessary when `expose.tls.certSource` is set to `auto`
`expose.tls.secret.secretName`	The name of the secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key	`harbor-tls-secret`
`expose.nodePort.name`	The name of the NodePort service	`harbor`
`expose.nodePort.ports.http.port`	The service port Harbor listens on when serving HTTP	`80`
`expose.nodePort.ports.http.nodePort`	The node port Harbor listens on when serving HTTP	`30002`
`expose.nodePort.ports.https.port`	The service port Harbor listens on when serving HTTPS	`443`
`expose.nodePort.ports.https.nodePort`	The node port Harbor listens on when serving HTTPS	`30003`
`expose.loadBalancer.name`	The name of the service	`harbor`
`expose.loadBalancer.IP`	The IP address of the loadBalancer. It only works when loadBalancer supports assigning an IP address	`""`
`expose.loadBalancer.ports.httpPort`	The service port Harbor listens on when serving HTTP	`80`
`expose.loadBalancer.ports.httpsPort`	The service port Harbor listens on when serving HTTPS	`30002`
`expose.loadBalancer.annotations`	The annotations attached to the loadBalancer service	{}
`expose.loadBalancer.sourceRanges`	List of IP address ranges to assign to loadBalancerSourceRanges	[]
Internal TLS
`internalTLS.enabled`	Enable TLS for the components (core, jobservice, portal, and registry)	`true`
Persistence
`persistence.resourcePolicy`	Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted. Does not affect PVCs created for internal database and redis components.	`keep`
`persistence.persistentVolumeClaim.registry.size`	The size of the volume	`5Gi`
`persistence.persistentVolumeClaim.registry.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
`persistence.persistentVolumeClaim.jobservice.size`	The size of the volume	`1Gi`
`persistence.persistentVolumeClaim.jobservice.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
`persistence.persistentVolumeClaim.database.size`	The size of the volume. If an external database is used, the setting will be ignored	`1Gi`
`persistence.persistentVolumeClaim.database.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If an external database is used, the setting will be ignored	""
`persistence.persistentVolumeClaim.redis.size`	The size of the volume. If an external Redis is used, the setting will be ignored	`1Gi`
`persistence.persistentVolumeClaim.redis.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If an external Redis is used, the setting will be ignored	""
`persistence.persistentVolumeClaim.trivy.size`	The size of the volume	`5Gi`
`persistence.persistentVolumeClaim.trivy.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
Trivy
`trivy.enabled`	The flag to enable Trivy scanner	`true`
`trivy.vulnType`	Comma-separated list of vulnerability types. Possible values `os` and `library`.	`os,library`
`trivy.severity`	Comma-separated list of severities to be checked	`UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`
`trivy.skipUpdate`	The flag to disable Trivy DB downloads from GitHub	`false`
`trivy.offlineScan`	The flag prevents Trivy from sending API requests to identify dependencies.	`false`
Registry
`registry.relativeurls`	If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy	`false`

5 - v2.7.1

Notary and Chartmuseum are not supported at this moment.

Configuring Harbor in EKS Anywhere package spec

The following table lists the configurable parameters of the Harbor package spec and the default values.

Parameter	Description	Default
General
`externalURL`	The external URL for Harbor core service	`https://127.0.0.1:30003`
`imagePullPolicy`	The image pull policy	`IfNotPresent`
`logLevel`	The log level: `debug`, `info`, `warning`, `error` or `fatal`	`info`
`harborAdminPassword`	The initial password of the Harbor `admin` account. Change it from the portal after launching Harbor	`Harbor12345`
`secretKey`	The key used for encryption. Must be a string of 16 chars	""
Expose
`expose.type`	How to expose the service: `nodePort` or `loadBalancer`, other values will be ignored and the creation of the service will be skipped.	`nodePort`
`expose.tls.enabled`	Enable TLS or not.	`true`
`expose.tls.certSource`	The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate.	`secret`
`expose.tls.auto.commonName`	The common name used to generate the certificate. It’s necessary when `expose.tls.certSource` is set to `auto`
`expose.tls.secret.secretName`	The name of the secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key	`harbor-tls-secret`
`expose.nodePort.name`	The name of the NodePort service	`harbor`
`expose.nodePort.ports.http.port`	The service port Harbor listens on when serving HTTP	`80`
`expose.nodePort.ports.http.nodePort`	The node port Harbor listens on when serving HTTP	`30002`
`expose.nodePort.ports.https.port`	The service port Harbor listens on when serving HTTPS	`443`
`expose.nodePort.ports.https.nodePort`	The node port Harbor listens on when serving HTTPS	`30003`
`expose.loadBalancer.name`	The name of the service	`harbor`
`expose.loadBalancer.IP`	The IP address of the loadBalancer. It only works when loadBalancer supports assigning an IP address	`""`
`expose.loadBalancer.ports.httpPort`	The service port Harbor listens on when serving HTTP	`80`
`expose.loadBalancer.ports.httpsPort`	The service port Harbor listens on when serving HTTPS	`30002`
`expose.loadBalancer.annotations`	The annotations attached to the loadBalancer service	{}
`expose.loadBalancer.sourceRanges`	List of IP address ranges to assign to loadBalancerSourceRanges	[]
Internal TLS
`internalTLS.enabled`	Enable TLS for the components (core, jobservice, portal, and registry)	`true`
Persistence
`persistence.resourcePolicy`	Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted. Does not affect PVCs created for internal database and redis components.	`keep`
`persistence.persistentVolumeClaim.registry.size`	The size of the volume	`5Gi`
`persistence.persistentVolumeClaim.registry.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
`persistence.persistentVolumeClaim.jobservice.jobLog.size`	The size of the volume	`1Gi`
`persistence.persistentVolumeClaim.jobservice.jobLog.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
`persistence.persistentVolumeClaim.database.size`	The size of the volume. If an external database is used, the setting will be ignored	`1Gi`
`persistence.persistentVolumeClaim.database.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If an external database is used, the setting will be ignored	""
`persistence.persistentVolumeClaim.redis.size`	The size of the volume. If an external Redis is used, the setting will be ignored	`1Gi`
`persistence.persistentVolumeClaim.redis.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If an external Redis is used, the setting will be ignored	""
`persistence.persistentVolumeClaim.trivy.size`	The size of the volume	`5Gi`
`persistence.persistentVolumeClaim.trivy.storageClass`	Specify the `storageClass` used to provision the volume, or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning	""
Trivy
`trivy.enabled`	The flag to enable Trivy scanner	`true`
`trivy.vulnType`	Comma-separated list of vulnerability types. Possible values `os` and `library`.	`os,library`
`trivy.severity`	Comma-separated list of severities to be checked	`UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`
`trivy.skipUpdate`	The flag to disable Trivy DB downloads from GitHub	`false`
`trivy.offlineScan`	The flag prevents Trivy from sending API requests to identify dependencies.	`false`
Registry
`registry.relativeurls`	If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy	`false`