API Reference
Packages
harbor.harbor-operator.io/v1alpha1
Package v1alpha1 contains API Schema definitions for the harbor v1alpha1 API group.
Resource Types
- ClusterHarborConnection
- Configuration
- GCSchedule
- HarborConnection
- ImmutableTagRule
- Label
- Member
- Project
- PurgeAuditSchedule
- Quota
- Registry
- ReplicationPolicy
- RetentionPolicy
- Robot
- ScanAllSchedule
- ScannerRegistration
- User
- UserGroup
- WebhookPolicy
CVEAllowlist
CVEAllowlist defines the CVE allowlist configuration.
Appears in: ProjectSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| id integer | | | |
| project_id integer | | | |
| expires_at integer | | | |
| items CVEAllowlistItem array | | | |
| creation_time Time | | | |
| update_time Time | | | |
CVEAllowlistItem
CVEAllowlistItem defines a single CVE allowlist entry.
Appears in: CVEAllowlist
| Field | Description | Default | Validation |
|---|---|---|---|
| cve_id string | | | |
ClusterHarborConnection
ClusterHarborConnection is the Schema for the clusterharborconnections API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | ClusterHarborConnection | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec HarborConnectionSpec | | | |
Configuration
Configuration is the Schema for the configurations API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | Configuration | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec ConfigurationSpec | | | |
ConfigurationSpec
ConfigurationSpec defines the desired state of Harbor system configuration.
Appears in: Configuration
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| settings object (keys:string, values:JSON) | Settings contains Harbor configuration keys and their desired values. Values can be strings, numbers, booleans, or JSON objects. | | Optional: {} |
| secretSettings object (keys:string, values:SecretReference) | SecretSettings references secret-backed configuration values such as oidc_client_secret. The secret data is read and injected into Settings during reconciliation. | | Optional: {} |
Credentials
Credentials holds default authentication details.
Appears in: HarborConnectionSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| type string | Type of the credential, e.g., "basic". | basic | Enum: [basic] |
| username string | Username for authentication. | | MinLength: 1 |
| passwordSecretRef SecretReference | PasswordSecretRef points to the Kubernetes Secret that stores the password / token. | | |
DeletionPolicy
Underlying type: string
Appears in: ConfigurationSpec, GCScheduleSpec, HarborSpecBase, ImmutableTagRuleSpec, LabelSpec, MemberSpec, ProjectSpec, PurgeAuditScheduleSpec, QuotaSpec, RegistrySpec, ReplicationPolicySpec, RetentionPolicySpec, RobotSpec, ScanAllScheduleSpec, ScannerRegistrationSpec, UserGroupSpec, UserSpec, WebhookPolicySpec
| Field | Description |
|---|---|
| Delete | |
| Orphan | |
GCSchedule
GCSchedule is the Schema for the gcschedules API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | GCSchedule | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec GCScheduleSpec | | | |
GCScheduleSpec
GCScheduleSpec defines the desired schedule for garbage collection.
Appears in: GCSchedule
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| schedule ScheduleSpec | Schedule defines when GC runs. | | |
| parameters object (keys:string, values:JSON) | Parameters define GC settings passed to Harbor. | | Optional: {} |
HarborConnection
HarborConnection is the Schema for the harborconnections API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | HarborConnection | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec HarborConnectionSpec | | | |
HarborConnectionReference
HarborConnectionReference identifies either a namespaced HarborConnection or a cluster-scoped ClusterHarborConnection.
Appears in: ConfigurationSpec, GCScheduleSpec, HarborSpecBase, ImmutableTagRuleSpec, LabelSpec, MemberSpec, ProjectSpec, PurgeAuditScheduleSpec, QuotaSpec, RegistrySpec, ReplicationPolicySpec, RetentionPolicySpec, RobotSpec, ScanAllScheduleSpec, ScannerRegistrationSpec, UserGroupSpec, UserSpec, WebhookPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| name string | Name of the referenced Harbor connection object. | | MinLength: 1 |
| kind HarborConnectionReferenceKind | Kind selects the Harbor connection object kind. Defaults to HarborConnection. | HarborConnection | Enum: [HarborConnection ClusterHarborConnection] Optional: {} |
HarborConnectionReferenceKind
Underlying type: string
Appears in: HarborConnectionReference
| Field | Description |
|---|---|
| HarborConnection | |
| ClusterHarborConnection | |
HarborConnectionSpec
HarborConnectionSpec defines the desired state of HarborConnection.
Appears in: ClusterHarborConnection, HarborConnection
| Field | Description | Default | Validation |
|---|---|---|---|
| baseURL string | BaseURL is the Harbor API endpoint. | | Format: url |
| credentials Credentials | Credentials holds the default credentials for Harbor API calls. | | |
| caBundle string | CABundle is a PEM-encoded CA bundle for validating Harbor TLS certificates. | | Optional: {} |
| caBundleSecretRef SecretReference | CABundleSecretRef references a Secret containing a PEM-encoded CA bundle. When set, it is mutually exclusive with caBundle. | | Optional: {} |
HarborSpecBase
HarborSpecBase holds the fields that appear in every Harbor CR.
Appears in: ConfigurationSpec, GCScheduleSpec, ImmutableTagRuleSpec, LabelSpec, MemberSpec, ProjectSpec, PurgeAuditScheduleSpec, QuotaSpec, RegistrySpec, ReplicationPolicySpec, RetentionPolicySpec, RobotSpec, ScanAllScheduleSpec, ScannerRegistrationSpec, UserGroupSpec, UserSpec, WebhookPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
ImmutableSelector
ImmutableSelector defines an immutable tag rule selector.
Appears in: ImmutableTagRuleSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| kind string | Kind defines selector kind. | | Optional: {} |
| decoration string | Decoration defines selector decoration. | | Optional: {} |
| pattern string | Pattern defines selector pattern. | | Optional: {} |
| extras string | Extras defines extra selector details. | | Optional: {} |
ImmutableTagRule
ImmutableTagRule is the Schema for the immutabletagrules API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | ImmutableTagRule | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec ImmutableTagRuleSpec | | | |
ImmutableTagRuleSpec
ImmutableTagRuleSpec defines the desired state of ImmutableTagRule.
Appears in: ImmutableTagRule
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing immutable tag rule in Harbor that matches this spec. | | Optional: {} |
| projectRef ProjectReference | ProjectRef references a Project CR to derive the Harbor project ID. | | Optional: {} |
| projectNameOrID string | ProjectNameOrID is the Harbor project name or numeric ID. | | Optional: {} |
| disabled boolean | Disabled indicates whether the rule is disabled. | | Optional: {} |
| action string | Action defines the rule action. | | Optional: {} |
| template string | Template defines the rule template. | | Optional: {} |
| params object (keys:string, values:JSON) | Params holds template parameters. | | Optional: {} |
| tagSelectors ImmutableSelector array | TagSelectors define tag selectors. | | Optional: {} |
| scopeSelectors object (keys:string, values:ImmutableSelector) | ScopeSelectors define scope selectors. | | Optional: {} |
| priority integer | Priority defines the rule priority. | | Optional: {} |
Label
Label is the Schema for the labels API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | Label | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec LabelSpec | | | |
LabelSpec
LabelSpec defines the desired state of Label.
Appears in: Label
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing label in Harbor with the same name. | | Optional: {} |
| name string | Name is the label name. Defaults to metadata.name when omitted. | | Optional: {} |
| description string | Description is an optional description. | | Optional: {} |
| color string | Color is the label color, e.g. #3366ff. | | Optional: {} |
| scope string | Scope is the label scope. Valid values are g (global) and p (project). | | Enum: [g p] Optional: {} |
| projectRef ProjectReference | ProjectRef references a Project CR for project-scoped labels. | | Optional: {} |
Member
Member is the Schema for the members API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | Member | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec MemberSpec | | | |
MemberGroup
MemberGroup defines a group-based member.
Appears in: MemberSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| group_name string | GroupName is the name of the group. | | Optional: {} |
| group_type integer | GroupType is the type of the group. | | Optional: {} |
| ldap_group_dn string | LDAPGroupDN is used for LDAP groups. | | Optional: {} |
MemberSpec
MemberSpec defines the desired state of Member.
Appears in: Member
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing project membership in Harbor for the same identity. | | Optional: {} |
| projectRef string | ProjectRef is the name (or ID) of the project in Harbor where the member should be added. | | Required: {} |
| role string | Role is the human‑readable name of the role. Allowed values: "admin", "maintainer", "developer", "guest" | | Enum: [admin maintainer developer guest] Required: {} |
| memberUser MemberUser | MemberUser defines the member if it is a user. | | Optional: {} |
| memberGroup MemberGroup | MemberGroup defines the member if it is a group. | | Optional: {} |
MemberUser
MemberUser defines a user-based member.
Appears in: MemberSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| username string | Username is used to onboard a user if not already present. | | Optional: {} |
Project
Project is the Schema for the projects API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | Project | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec ProjectSpec | | | |
ProjectMetadata
ProjectMetadata defines additional metadata for the project.
Appears in: ProjectSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| public string | | | |
| enable_content_trust string | | | |
| enable_content_trust_cosign string | | | |
| prevent_vul string | | | |
| severity string | | | |
| auto_scan string | | | |
| auto_sbom_generation string | | | |
| reuse_sys_cve_allowlist string | | | |
| retention_id string | | | |
| proxy_speed_kb string | | | |
ProjectReference
ProjectReference identifies a Project custom resource.
Appears in: ImmutableTagRuleSpec, LabelSpec, QuotaSpec, RetentionPolicySpec, WebhookPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| name string | Name of the Project resource. | | MinLength: 1 |
| namespace string | Namespace of the Project resource. Defaults to the referencing resource namespace. | | Optional: {} |
ProjectSpec
ProjectSpec defines the desired state of Project.
Appears in: Project
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing project in Harbor with the same name. | | Optional: {} |
| name string | Name is the name of the project. It is recommended to leave this field empty so that the operator defaults it to the custom resource’s metadata name. | | Optional: {} |
| public boolean | Public indicates whether the project is public. | | |
| owner string | Owner is an optional field for the project owner. | | Optional: {} |
| metadata ProjectMetadata | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| cve_allowlist CVEAllowlist | CVEAllowlist holds the configuration for the CVE allowlist. | | Optional: {} |
| storage_limit integer | StorageLimit is the storage limit for the project. | | Optional: {} |
| registryName string | RegistryName is the name of the registry to use for proxy cache projects. The operator will search Harbor for a registry with this name. | | Optional: {} |
PurgeAuditParameters
PurgeAuditParameters defines parameters for purge audit schedules.
Appears in: PurgeAuditScheduleSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| auditRetentionHour integer | AuditRetentionHour is the retention period in hours. | | Optional: {} |
| includeEventTypes string | IncludeEventTypes is a comma-separated list of event types to include. | | Optional: {} |
| dryRun boolean | DryRun indicates whether to run in dry-run mode. | | Optional: {} |
PurgeAuditSchedule
PurgeAuditSchedule is the Schema for the purgeauditschedules API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | PurgeAuditSchedule | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec PurgeAuditScheduleSpec | | | |
PurgeAuditScheduleSpec
PurgeAuditScheduleSpec defines the desired schedule for audit purge.
Appears in: PurgeAuditSchedule
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| schedule ScheduleSpec | Schedule defines when purge runs. | | |
| parameters PurgeAuditParameters | Parameters define purge settings. | | Optional: {} |
Quota
Quota is the Schema for the quotas API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | Quota | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec QuotaSpec | | | |
QuotaSpec
QuotaSpec defines the desired state of Quota.
Appears in: Quota
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| projectRef ProjectReference | ProjectRef references a Project CR to derive the Harbor project ID. | | Optional: {} |
| projectNameOrID string | ProjectNameOrID is the Harbor project name or numeric ID. | | Optional: {} |
| hard object (keys:string, values:integer) | Hard defines the quota hard limits (resource name -> limit). | | Optional: {} |
Registry
Registry is the Schema for the registries API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | Registry | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec RegistrySpec | | | |
RegistryCredentialSpec
RegistryCredentialSpec defines registry authentication details.
Appears in: RegistrySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| type string | Type of the credential, e.g. "basic" or "oauth". | | Enum: [basic oauth] |
| accessKeySecretRef SecretReference | AccessKeySecretRef references the secret key holding the access key (username). | | |
| accessSecretSecretRef SecretReference | AccessSecretSecretRef references the secret key holding the access secret (password/token). | | |
RegistryReference
RegistryReference identifies a Registry custom resource.
Appears in: ReplicationPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| name string | Name of the Registry resource. | | MinLength: 1 |
| namespace string | Namespace of the Registry resource. Defaults to the referencing resource namespace. | | Optional: {} |
RegistrySpec
RegistrySpec defines the desired state of Registry.
Appears in: Registry
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing registry in Harbor with the same name. | | Optional: {} |
| type string | Type of the registry, e.g., "github-ghcr". | | Enum: [github-ghcr ali-acr aws-ecr azure-acr docker-hub docker-registry google-gcr harbor huawei-SWR jfrog-artifactory tencent-tcr volcengine-cr] |
| name string | Name is the registry name. It is recommended to leave this field empty so that the operator defaults it to the custom resource's metadata name. | | Optional: {} |
| description string | Description is an optional description. | | Optional: {} |
| url string | URL is the registry URL. | | Format: url |
| credential RegistryCredentialSpec | Credential holds authentication details for the registry. | | Optional: {} |
| caCertificate string | CACertificate is the PEM-encoded CA certificate for this registry endpoint. | | Optional: {} |
| caCertificateRef SecretReference | CACertificateRef references a secret value holding the PEM-encoded CA certificate. If set, it overrides CACertificate. | | Optional: {} |
| insecure boolean | Insecure indicates if remote certificates should be verified. | | |
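
An added example, not part of the operator's own code: a review helper that reads manifests exported as JSON and flags the security-relevant settings documented in the tables above (Orphan deletion, disabled drift detection, allowTakeover, plain-HTTP endpoints, conflicting CA bundle fields, insecure registries, public projects, admin memberships). The rule names and the sample manifests are constructed for the example, and it assumes that insecure: true means the remote certificate is not verified.

```python
import json
import re

GROUP_VERSION = "harbor.harbor-operator.io/v1alpha1"
CONNECTION_KINDS = ("HarborConnection", "ClusterHarborConnection")
_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def drift_detection_disabled(value):
    """True when driftDetectionInterval is omitted or zero, i.e. no periodic check."""
    if value is None:
        return True
    text = str(value).strip()
    if text in ("", "0"):
        return True
    parts = _DURATION_PART.findall(text)
    # Strings that do not parse as a duration are left to API-server validation.
    return bool(parts) and all(float(number) == 0 for number, _unit in parts)


def audit(manifest):
    """Return the rule ids (constructed names) triggered by one manifest dict."""
    if manifest.get("apiVersion") != GROUP_VERSION:
        return []
    kind = manifest.get("kind", "")
    spec = manifest.get("spec") or {}
    rules = []

    if kind in CONNECTION_KINDS:
        # The reference states caBundleSecretRef is mutually exclusive with caBundle.
        if spec.get("caBundle") and spec.get("caBundleSecretRef"):
            rules.append("ca-bundle-conflict")
        # Basic credentials sent to a plain-HTTP endpoint are readable on the wire.
        if str(spec.get("baseURL", "")).lower().startswith("http://"):
            rules.append("plaintext-base-url")
        return rules

    # Fields shared by every other kind (HarborSpecBase).
    if spec.get("deletionPolicy") == "Orphan":
        rules.append("orphan-on-delete")
    if drift_detection_disabled(spec.get("driftDetectionInterval")):
        rules.append("drift-detection-off")
    if spec.get("allowTakeover") is True:
        rules.append("takeover-allowed")

    if kind == "Registry":
        # Assumption: insecure=true skips verification of the remote certificate.
        if spec.get("insecure") is True:
            rules.append("registry-tls-unverified")
        if str(spec.get("url", "")).lower().startswith("http://"):
            rules.append("plaintext-registry-url")
    elif kind == "Project":
        meta_public = str((spec.get("metadata") or {}).get("public", "")).lower()
        if spec.get("public") is True or meta_public == "true":
            rules.append("public-project")
    elif kind == "Member" and spec.get("role") == "admin":
        rules.append("project-admin-grant")
    return rules


def audit_all(json_text):
    """Audit a JSON array of manifests; return {"Kind/name": [rule ids]} for hits."""
    report = {}
    for manifest in json.loads(json_text):
        rules = audit(manifest)
        if rules:
            name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
            report[f'{manifest.get("kind")}/{name}'] = rules
    return report


# Constructed sample manifests: names, URLs and values are made up for the example.
# passwordSecretRef is left out because SecretReference's fields are not shown here.
SAMPLE = """
[
 {"apiVersion": "harbor.harbor-operator.io/v1alpha1", "kind": "HarborConnection",
  "metadata": {"name": "lab"},
  "spec": {"baseURL": "http://harbor.example.internal",
           "credentials": {"type": "basic", "username": "operator"}}},
 {"apiVersion": "harbor.harbor-operator.io/v1alpha1", "kind": "Registry",
  "metadata": {"name": "mirror"},
  "spec": {"harborConnectionRef": {"name": "lab"}, "type": "docker-registry",
           "url": "https://mirror.example.internal", "insecure": true,
           "driftDetectionInterval": "10m"}},
 {"apiVersion": "harbor.harbor-operator.io/v1alpha1", "kind": "Project",
  "metadata": {"name": "team-a"},
  "spec": {"harborConnectionRef": {"name": "lab"}, "public": true,
           "allowTakeover": true, "deletionPolicy": "Orphan",
           "driftDetectionInterval": "0s"}},
 {"apiVersion": "harbor.harbor-operator.io/v1alpha1", "kind": "Member",
  "metadata": {"name": "alice"},
  "spec": {"harborConnectionRef": {"name": "lab"}, "projectRef": "team-a",
           "role": "developer", "memberUser": {"username": "alice"},
           "driftDetectionInterval": "5m"}}
]
"""

if __name__ == "__main__":
    for target, rules in audit_all(SAMPLE).items():
        print(target, ", ".join(rules))
```

The findings are review prompts rather than errors: Orphan and allowTakeover are valid settings, but each changes which system owns the Harbor object.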
ReplicationFilterSpec
ReplicationFilterSpec defines a replication filter.
Appears in: ReplicationPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| type string | Type defines the filter type. | | Optional: {} |
| value JSON | Value defines the filter value. | | Optional: {} |
| decoration string | Decoration defines how to interpret the filter. | | Optional: {} |
ReplicationPolicy
ReplicationPolicy is the Schema for the replicationpolicies API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | ReplicationPolicy | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec ReplicationPolicySpec | | | |
ReplicationPolicySpec
ReplicationPolicySpec defines the desired state of ReplicationPolicy.
Appears in: ReplicationPolicy
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing replication policy in Harbor with the same name. | | Optional: {} |
| name string | Name is the policy name. Defaults to metadata.name when omitted. | | Optional: {} |
| description string | Description is an optional policy description. | | Optional: {} |
| sourceRegistryRef RegistryReference | SourceRegistryRef references a Registry CR to use as the source. | | Optional: {} |
| sourceRegistryID integer | SourceRegistryID sets the source registry by Harbor registry ID. | | Minimum: 1 Optional: {} |
| destinationRegistryRef RegistryReference | DestinationRegistryRef references a Registry CR to use as the destination. | | Optional: {} |
| destinationRegistryID integer | DestinationRegistryID sets the destination registry by Harbor registry ID. | | Minimum: 1 Optional: {} |
| destNamespace string | DestNamespace is the destination namespace. | | Optional: {} |
| destNamespaceReplaceCount integer | DestNamespaceReplaceCount controls namespace replacement behavior. | | Optional: {} |
| trigger ReplicationTriggerSpec | Trigger defines when the replication policy runs. | | Optional: {} |
| filters ReplicationFilterSpec array | Filters defines the replication filters. | | Optional: {} |
| replicateDeletion boolean | ReplicateDeletion indicates whether delete operations are replicated. | | Optional: {} |
| override boolean | Override indicates whether to overwrite destination resources. | | Optional: {} |
| enabled boolean | Enabled indicates whether the policy is enabled. | | Optional: {} |
| speed integer | Speed is the speed limit for each task. | | Optional: {} |
| copyByChunk boolean | CopyByChunk indicates whether to enable copy by chunk. | | Optional: {} |
| singleActiveReplication boolean | SingleActiveReplication avoids overlapping executions. | | Optional: {} |
ReplicationTriggerSettings
ReplicationTriggerSettings defines settings for a replication trigger.
Appears in: ReplicationTriggerSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| cron string | Cron is the cron expression for scheduled triggers. | | Optional: {} |
ReplicationTriggerSpec
ReplicationTriggerSpec defines when the replication policy runs.
Appears in: ReplicationPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| type string | Type defines the trigger type (manual, event_based, scheduled). | | Enum: [manual event_based scheduled] Optional: {} |
| settings ReplicationTriggerSettings | Settings holds trigger settings. | | Optional: {} |
RetentionPolicy
RetentionPolicy is the Schema for the retentionpolicies API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | RetentionPolicy | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec RetentionPolicySpec | | | |
RetentionPolicySpec
RetentionPolicySpec defines the desired state of a retention policy.
Appears in: RetentionPolicy
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| projectRef ProjectReference | ProjectRef references a Project CR to derive the Harbor project ID. When set, scope.ref is resolved from the Project status and scope.level is forced to "project". | | Optional: {} |
| algorithm string | Algorithm defines the retention algorithm, e.g. "or". | | Optional: {} |
| rules RetentionRule array | Rules defines the retention rules. | | MinItems: 1 |
| trigger RetentionTrigger | Trigger defines when the retention policy runs. | | Optional: {} |
| scope RetentionScope | Scope defines the policy scope. | | Optional: {} |
RetentionRule
RetentionRule defines a retention rule.
Appears in: RetentionPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| disabled boolean | Disabled indicates whether the rule is disabled. | | Optional: {} |
| action string | Action defines the rule action, e.g. "delete". | | Optional: {} |
| template string | Template defines the rule template. | | Optional: {} |
| params object (keys:string, values:JSON) | Params holds template parameters. | | Optional: {} |
| tagSelectors RetentionSelector array | TagSelectors define the tag selectors. | | Optional: {} |
| scopeSelectors object (keys:string, values:RetentionSelector) | ScopeSelectors define the scope selectors. | | Optional: {} |
RetentionScope
RetentionScope defines policy scope.
Appears in: - RetentionPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| level string | Level defines scope level, e.g. "project". | | Optional: {} |
| ref integer | Ref is the scope reference. | | Optional: {} |
RetentionSelector
RetentionSelector defines a selector.
Appears in: - RetentionRule
| Field | Description | Default | Validation |
|---|---|---|---|
| kind string | Kind defines selector kind. | | Optional: {} |
| decoration string | Decoration defines selector decoration. | | Optional: {} |
| pattern string | Pattern defines selector pattern. | | Optional: {} |
| extras string | Extras defines extra selector details. | | Optional: {} |
RetentionTrigger
RetentionTrigger defines when a policy runs.
Appears in: - RetentionPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| kind string | Kind defines trigger kind. | | Optional: {} |
| settings object (keys:string, values:JSON) | Settings holds trigger settings. | | Optional: {} |
| references object (keys:string, values:JSON) | References holds trigger references. | | Optional: {} |
Robot
Robot is the Schema for the robots API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | Robot | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec RobotSpec | | | |
RobotAccess
RobotAccess defines a single access rule for a robot account.
Appears in: - RobotPermission
| Field | Description | Default | Validation |
|---|---|---|---|
| resource RobotResource | Resource defines the resource to grant access to. | | Enum: [* configuration label log ldap-user member metadata quota repository tag-retention immutable-tag robot notification-policy scan sbom scanner artifact tag accessory artifact-addition artifact-label preheat-policy preheat-instance audit-log catalog project user user-group registry replication distribution garbage-collection replication-adapter replication-policy scan-all system-volumes purge-audit export-cve jobservice-monitor security-hub] |
| action RobotAction | Action defines the action to permit. | | Enum: [* pull push create read update delete list operate scanner-pull stop] |
| effect string | Effect defines the effect of the access rule, typically "allow". | | Optional: {} |
RobotAction
Underlying type: string
RobotAction is the action of a robot permission access rule.
Appears in: - RobotAccess
| Field | Description |
|---|---|
| * | |
| pull | |
| push | |
| create | |
| read | |
| update | |
| delete | |
| list | |
| operate | |
| scanner-pull | |
| stop | |
RobotPermission
RobotPermission defines a permission block for a robot account.
Appears in: - RobotSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| kind string | Kind defines the permission scope, such as "project" or "system". | | MinLength: 1 |
| namespace string | Namespace is the Harbor project name for project-scoped permissions. | | Optional: {} |
| access RobotAccess array | Access lists the access rules for this permission. | | MinItems: 1 |
RobotResource
Underlying type: string
RobotResource is the resource of a robot permission access rule.
Appears in: - RobotAccess
| Field | Description |
|---|---|
| * | |
| configuration | |
| label | |
| log | |
| ldap-user | |
| member | |
| metadata | |
| quota | |
| repository | |
| tag-retention | |
| immutable-tag | |
| robot | |
| notification-policy | |
| scan | |
| sbom | |
| scanner | |
| artifact | |
| tag | |
| accessory | |
| artifact-addition | |
| artifact-label | |
| preheat-policy | |
| preheat-instance | |
| audit-log | |
| catalog | |
| project | |
| user | |
| user-group | |
| registry | |
| replication | |
| distribution | |
| garbage-collection | |
| replication-adapter | |
| replication-policy | |
| scan-all | |
| system-volumes | |
| purge-audit | |
| export-cve | |
| jobservice-monitor | |
| security-hub | |
RobotSpec
RobotSpec defines the desired state of Robot.
Appears in: - Robot
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing robot in Harbor with the same name. | | Optional: {} |
| name string | Name is the robot account name (without Harbor's prefix). Defaults to metadata.name when omitted. | | Optional: {} |
| description string | Description of the robot account. | | Optional: {} |
| level string | Level is the scope of the robot account. Allowed values: "system", "project". | | Enum: [system project] |
| permissions RobotPermission array | Permissions define the access granted to the robot account. | | MinItems: 1 |
| disable boolean | Disable indicates whether the robot account is disabled. | | Optional: {} |
| duration integer | Duration is the token duration in days. Use -1 for never expires. If omitted, it defaults to -1. | -1 | |
| secretRef SecretReference | SecretRef references the operator-managed secret key holding the robot secret. The operator writes the generated robot secret to this location and expects the Secret to either not exist yet or already be managed by this Robot. If omitted, the operator will create a Secret named " in the same namespace with key "secret". | | Optional: {} |
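
A check that can run in CI over Robot manifests before they are applied, using only the RobotSpec, RobotPermission and RobotAccess fields documented above. This is an added example, not part of the operator; the finding codes, the 90-day ceiling and the sample specs are assumptions of the example.

```python
# Added example: lint the "spec" of a Robot custom resource for over-broad grants.
# Field names and the action enum come from the tables above; finding codes
# and MAX_DAYS are assumptions of this example, not operator behaviour.
ROBOT_ACTIONS = {"*", "pull", "push", "create", "read", "update", "delete",
                 "list", "operate", "scanner-pull", "stop"}
MAX_DAYS = 90  # assumed local policy ceiling for token lifetime


def lint_robot(spec):
    """Return a sorted list of (code, detail) findings for one RobotSpec dict."""
    findings = set()

    # duration defaults to -1 (never expires) when the field is omitted.
    duration = spec.get("duration", -1)
    if duration == -1:
        findings.add(("TOKEN_NEVER_EXPIRES", "duration is -1 or omitted"))
    elif duration > MAX_DAYS:
        findings.add(("TOKEN_LONG_LIVED", f"duration={duration} days"))

    if spec.get("allowTakeover"):
        findings.add(("TAKEOVER_ENABLED", "adopts an existing robot with the same name"))
    if spec.get("level") == "system":
        findings.add(("SYSTEM_SCOPE", "confirm a project-level robot is not sufficient"))

    for perm in spec.get("permissions", []):
        ns = perm.get("namespace")
        where = perm.get("kind", "") + (f"/{ns}" if ns else "")
        for rule in perm.get("access", []):
            res, act = rule.get("resource"), rule.get("action")
            if act not in ROBOT_ACTIONS:
                findings.add(("UNKNOWN_ACTION", f"{where}: {act!r}"))
            if res == "*" or act == "*":
                findings.add(("WILDCARD_ACCESS", f"{where}: {res}:{act}"))
    return sorted(findings)


# Constructed sample specs (not taken from the page).
BROAD = {
    "level": "system",
    "allowTakeover": True,
    "permissions": [{"kind": "system", "access": [
        {"resource": "*", "action": "*", "effect": "allow"}]}],
}
SCOPED = {
    "level": "project",
    "duration": 30,
    "permissions": [{"kind": "project", "namespace": "team-a", "access": [
        {"resource": "repository", "action": "pull", "effect": "allow"}]}],
}

if __name__ == "__main__":
    for name, spec in (("broad", BROAD), ("scoped", SCOPED)):
        for code, detail in lint_robot(spec):
            print(f"{name}: {code}: {detail}")
```
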
ScanAllSchedule
ScanAllSchedule is the Schema for the scanallschedules API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | ScanAllSchedule | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec ScanAllScheduleSpec | | | |
ScanAllScheduleSpec
ScanAllScheduleSpec defines the desired schedule for scan all.
Appears in: - ScanAllSchedule
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| schedule ScheduleSpec | Schedule defines when scan all runs. | | |
| parameters object (keys:string, values:JSON) | Parameters define scan all settings passed to Harbor. | | Optional: {} |
ScannerRegistration
ScannerRegistration is the Schema for the scannerregistrations API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | ScannerRegistration | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec ScannerRegistrationSpec | | | |
ScannerRegistrationSpec
ScannerRegistrationSpec defines the desired state of ScannerRegistration.
Appears in: - ScannerRegistration
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing scanner registration in Harbor with the same name. | | Optional: {} |
| name string | Name is the registration name. Defaults to metadata.name when omitted. | | Optional: {} |
| description string | Description is an optional description. | | Optional: {} |
| url string | URL is the scanner adapter base URL. | | Format: uri |
| auth string | Auth defines the authentication approach (e.g. Basic, Bearer, X-ScannerAdapter-API-Key). | | Optional: {} |
| accessCredential string | AccessCredential is the credential value sent in the auth header. | | Optional: {} |
| accessCredentialSecretRef SecretReference | AccessCredentialSecretRef references a secret value holding the credential. | | Optional: {} |
| skipCertVerify boolean | SkipCertVerify indicates whether to skip certificate verification. | | Optional: {} |
| useInternalAddr boolean | UseInternalAddr indicates whether the scanner uses Harbor's internal address. | | Optional: {} |
| disabled boolean | Disabled indicates whether the registration is disabled. | | Optional: {} |
| default boolean | Default indicates whether this scanner should be set as system default. | | Optional: {} |
ScheduleSpec
ScheduleSpec defines the schedule configuration.
Appears in: - GCScheduleSpec - PurgeAuditScheduleSpec - ScanAllScheduleSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| type string | Type defines the schedule type. Valid values: Hourly, Daily, Weekly, Custom, Manual, None, Schedule. | | Enum: [Hourly Daily Weekly Custom Manual None Schedule] |
| cron string | Cron is the cron expression when Type is not Manual or None. | | Optional: {} |
SecretReference
SecretReference is similar to a corev1.SecretKeySelector but allows cross-namespace references when enabled in the operator RBAC.
Appears in: - ConfigurationSpec - Credentials - HarborConnectionSpec - RegistryCredentialSpec - RegistrySpec - RobotSpec - ScannerRegistrationSpec - WebhookTargetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| name string | Name of the Secret. | | MinLength: 1 |
| key string | Key inside the Secret data. When omitted, the controller using this reference will apply a sensible default. | | Optional: {} |
| namespace string | Namespace of the Secret. Omit to use the HarborConnection namespace. | | Optional: {} |
User
User is the Schema for the users API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | User | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec UserSpec | | | |
UserGroup
UserGroup is the Schema for the usergroups API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | UserGroup | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec UserGroupSpec | | | |
UserGroupSpec
UserGroupSpec defines the desired state of UserGroup.
Appears in: - UserGroup
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing user group in Harbor with the same name. | | Optional: {} |
| groupName string | GroupName is the user group name. Defaults to metadata.name when omitted. | | Optional: {} |
| groupType integer | GroupType is the group type (1=LDAP, 2=HTTP, 3=OIDC). | | Enum: [1 2 3] |
| ldapGroupDN string | LDAPGroupDN is the DN of the LDAP group when GroupType is LDAP. | | Optional: {} |
UserSpec
UserSpec defines the desired state of User.
Appears in: - User
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing user in Harbor with the same username. | | Optional: {} |
| username string | Username is the Harbor username. It is recommended to leave this field empty so that the operator defaults it to the custom resource's metadata name. | | Optional: {} |
| email string | Email address of the user. | | Format: email |
| realname string | Realname is an optional full name. | | Optional: {} |
| comment string | Comment is an optional comment for the user. | | Optional: {} |
| passwordSecretRef SecretKeySelector | PasswordSecretRef references a secret key that contains the password for the user. | | |
WebhookPolicy
WebhookPolicy is the Schema for the webhookpolicies API.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | harbor.harbor-operator.io/v1alpha1 | | |
| kind string | WebhookPolicy | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec WebhookPolicySpec | | | |
WebhookPolicySpec
WebhookPolicySpec defines the desired state of WebhookPolicy.
Appears in: - WebhookPolicy
| Field | Description | Default | Validation |
|---|---|---|---|
| harborConnectionRef HarborConnectionReference | HarborConnectionRef references the Harbor connection object to use. | | Required: {} |
| deletionPolicy DeletionPolicy | DeletionPolicy controls what happens when the Kubernetes object is deleted. Delete removes the corresponding Harbor resource before removing the finalizer. Orphan removes the finalizer even if Harbor cleanup cannot be completed. | Delete | Enum: [Delete Orphan] Optional: {} |
| driftDetectionInterval Duration | DriftDetectionInterval is the interval at which the operator will check for drift. A value of 0 (or omitted) disables periodic drift detection. | | Optional: {} |
| reconcileNonce string | ReconcileNonce forces an immediate reconcile when updated. | | Optional: {} |
| allowTakeover boolean | AllowTakeover indicates whether the operator is allowed to adopt an existing webhook policy in Harbor with the same name. | | Optional: {} |
| projectRef ProjectReference | ProjectRef references a Project CR to derive the Harbor project ID. | | Optional: {} |
| projectNameOrID string | ProjectNameOrID is the Harbor project name or numeric ID. | | Optional: {} |
| name string | Name is the webhook policy name. Defaults to metadata.name when omitted. | | Optional: {} |
| description string | Description is an optional policy description. | | Optional: {} |
| enabled boolean | Enabled indicates whether the policy is enabled. | true | Optional: {} |
| eventTypes string array | EventTypes lists the webhook event types. | | MinItems: 1 |
| targets WebhookTargetSpec array | Targets lists the webhook targets. | | MinItems: 1 |
WebhookTargetSpec
WebhookTargetSpec defines a single webhook target.
Appears in: - WebhookPolicySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| type string | Type defines the webhook notify type. | | Optional: {} |
| address string | Address is the webhook target address. | | Optional: {} |
| authHeader string | AuthHeader is the auth header to send to the webhook target. | | Optional: {} |
| authHeaderSecretRef SecretReference | AuthHeaderSecretRef references a secret value holding the auth header. | | Optional: {} |
| payloadFormat string | PayloadFormat is the payload format (e.g. CloudEvents). | | Optional: {} |
| skipCertVerify boolean | SkipCertVerify indicates whether to skip TLS certificate verification. | | Optional: {} |
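
ScannerRegistrationSpec and WebhookTargetSpec each accept a credential either inline (accessCredential, authHeader) or through a SecretReference, and both expose skipCertVerify. The check below is an added example, not part of the operator: it flags inline credentials and credentials sent over an unverified channel. The finding codes, kind labels and sample specs are assumptions of the example.

```python
# Added example: lint outbound endpoints declared in ScannerRegistrationSpec and
# WebhookTargetSpec. Field names come from the tables above; the finding codes
# and the "ScannerRegistration"/"WebhookTarget" labels are assumptions.
from urllib.parse import urlsplit

# kind -> (inline credential field, secret-reference field, URL field)
FIELDS = {
    "ScannerRegistration": ("accessCredential", "accessCredentialSecretRef", "url"),
    "WebhookTarget": ("authHeader", "authHeaderSecretRef", "address"),
}


def lint_endpoint(kind, spec):
    """Return sorted finding codes for one spec dict of the given kind."""
    inline, ref, url_field = FIELDS[kind]
    codes = set()
    if spec.get(inline):
        codes.add("INLINE_CREDENTIAL")         # secret value lives in the CR itself
        if spec.get(ref):
            codes.add("CREDENTIAL_SET_TWICE")  # both a value and a reference are set
    if spec.get("skipCertVerify"):
        codes.add("TLS_VERIFY_DISABLED")
    url = spec.get(url_field, "")
    if url and urlsplit(url).scheme.lower() != "https":
        codes.add("NON_HTTPS_ENDPOINT")
    sends_secret = bool(spec.get(inline) or spec.get(ref))
    if sends_secret and codes & {"TLS_VERIFY_DISABLED", "NON_HTTPS_ENDPOINT"}:
        codes.add("CREDENTIAL_OVER_UNVERIFIED_CHANNEL")
    return sorted(codes)


def lint_webhook_policy(spec):
    """Lint every entry of WebhookPolicySpec.targets; returns {index: codes}."""
    results = {}
    for i, target in enumerate(spec.get("targets", [])):
        codes = lint_endpoint("WebhookTarget", target)
        if codes:
            results[i] = codes
    return results


# Constructed sample specs (hosts, names and token values are made up).
WEAK_SCANNER = {"url": "http://scanner.example.internal:8080", "auth": "Bearer",
                "accessCredential": "constructed-token", "skipCertVerify": True}
HARDENED_SCANNER = {"url": "https://scanner.example.internal:8443", "auth": "Bearer",
                    "accessCredentialSecretRef": {"name": "scanner-token", "key": "token"}}
POLICY = {"eventTypes": ["PUSH_ARTIFACT"], "targets": [
    {"type": "http", "address": "https://hooks.example.com/a",
     "authHeaderSecretRef": {"name": "hook-auth", "key": "header"}},
    {"type": "http", "address": "https://hooks.example.com/b",
     "authHeader": "constructed-header", "skipCertVerify": True},
]}

if __name__ == "__main__":
    print("weak scanner:", lint_endpoint("ScannerRegistration", WEAK_SCANNER))
    print("hardened scanner:", lint_endpoint("ScannerRegistration", HARDENED_SCANNER))
    print("webhook policy:", lint_webhook_policy(POLICY))
```
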