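---
# Harbor Helm values: ingress exposure behind Traefik, TLS via cert-manager,
# NFS-backed persistence, metrics, and scheduling constraints.
#
# NOTE(review): the source was collapsed onto one line. The nesting below is
# reconstructed from key order and repeated key names (e.g. the second
# `database`, `trivy` and `exporter` cannot be siblings of the first).
# Confirm it against the original file before applying.

expose:
  type: ingress
  tls:
    # Enable TLS - cert-manager will manage the certificate
    enabled: true
    # Use "secret" to reference an existing/external secret managed by
    # cert-manager.
    # DO NOT use "auto" (Harbor's self-signed CA conflicts with cert-manager)
    certSource: secret
    secret:
      # This secret will be created and managed by cert-manager via the
      # ingress annotation
      secretName: "harbor-ingress"
  ingress:
    className: traefik
    annotations:
      # TEMPORARY: Using staging to avoid rate limits (switch back to
      # 'letsencrypt' after March 23, 2026)
      # NOTE(review): staging certificates chain to a root that clients do
      # not trust, so registry clients will fail verification. Do not work
      # around that by disabling TLS verification or marking the registry
      # insecure on clients; track the switch back to the production issuer.
      cert-manager.io/cluster-issuer: letsencrypt-staging
      # Traefik specific annotations for HTTPS routing
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
      core: harbor.dvirlabs.com
      notary: notary.dvirlabs.com

externalURL: https://harbor.dvirlabs.com

# NOTE(review): plaintext admin credential in a values file. Anyone who can
# read this file, the repository history or the rendered Helm release can
# read it. Treat the value as exposed: rotate it in Harbor, and supply the
# initial password from a pre-created Kubernetes Secret through the chart's
# existingSecretAdminPassword / existingSecretAdminPasswordKey settings
# instead of committing it here.
harborAdminPassword: "SuperSecurePassword123"

persistence:
  enabled: true
  # "keep" leaves the PVCs (and their data) in place on `helm uninstall`.
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      storageClass: nfs-client
      accessMode: ReadWriteOnce
      size: 400Gi
    chartmuseum:
      storageClass: nfs-client
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      storageClass: nfs-client
      accessMode: ReadWriteOnce
      size: 1Gi
    database:
      storageClass: nfs-client
      accessMode: ReadWriteOnce
      size: 5Gi
    redis:
      storageClass: nfs-client
      accessMode: ReadWriteOnce
      size: 5Gi
    trivy:
      storageClass: nfs-client
      accessMode: ReadWriteOnce
      size: 10Gi

database:
  # NOTE(review): no database credential is set in this file, so the
  # internal database presumably runs with the chart's default password.
  # Confirm it is overridden elsewhere (database.internal.password or a
  # referenced secret).
  type: internal

trivy:
  enabled: true

metrics:
  enabled: true
  # NOTE(review): each component serves /metrics on port 8001. Confirm that
  # only the monitoring stack can reach the port (e.g. via NetworkPolicy).
  # The per-component `enabled` keys are not ones I recognise from the
  # chart's metrics section - verify they are consumed.
  core:
    enabled: true
    path: /metrics
    port: 8001
  exporter:
    enabled: true
    path: /metrics
    port: 8001
  jobservice:
    enabled: true
    path: /metrics
    port: 8001
  registry:
    enabled: true
    path: /metrics
    port: 8001

exporter:
  enabled: true

cache:
  enabled: true

# NOTE(review): placed at the top level by reconstruction. The Harbor chart,
# as far as I know, takes nodeSelector/affinity per component (core,
# registry, ...). Confirm these keys take effect where they sit; if they are
# ignored, pods may schedule onto control-plane nodes despite the rule.
nodeSelector:
  workload: general

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: workload
              operator: In
              values:
                - general
            - key: node-role.kubernetes.io/control-plane
              operator: DoesNotExist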