apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: harbor
  namespace: harbor
spec:
  interval: 10m
  timeout: 15m
  chart:
    spec:
      chart: harbor
      version: "1.16.x"
      sourceRef:
        kind: HelmRepository
        name: harbor
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
  values:
    externalURL: https://harbor.n0ball.tw
    expose:
      type: ingress
      tls:
        enabled: true
        certSource: secret
        secret:
          secretName: harbor-tls
      ingress:
        hosts:
          core: harbor.n0ball.tw
        className: traefik
        annotations:
          cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
    persistence:
      enabled: true
      persistentVolumeClaim:
        registry:
          storageClass: longhorn
          size: 20Gi
        jobservice:
          jobLog:
            storageClass: longhorn
            size: 1Gi
    existingSecretAdminPassword: harbor-admin-secret
    existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
    database:
      type: external
      external:
        host: pgbouncer.default.svc.cluster.local
        port: "6432"
        username: harbor
        coreDatabase: harbor
        existingSecret: harbor-db-secret
        sslmode: disable
    redis:
      type: internal
    existingSecretSecretKey: harbor-secret-key
    core:
      configureUserSettings: |
        {
          "auth_mode": "oidc_auth",
          "oidc_name": "Keycloak",
          "oidc_endpoint": "https://keycloak.n0ball.tw/realms/homelab",
          "oidc_client_id": "harbor",
          "oidc_client_secret": "3YuRQxgMI3j0CG/Gb95c2AvksYD8dOCV",
          "oidc_groups_claim": "groups",
          "oidc_scope": "openid,profile,email",
          "oidc_auto_onboard": true,
          "oidc_admin_group": "harbor-admins",
          "self_registration": false
        }
    trivy:
      enabled: true