---
hide:
   - toc
---

# Install Harbor Operator

A managed Harbor uses the Harbor Operator to perform full lifecycle management of creating, upgrading,
and deleting Harbor instances. Before creating a managed Harbor instance, you need to install the Harbor Operator
in your container management system, with a minimum version requirement of 1.4.0.

> Note: Harbor Operator relies on Cert Manager, so make sure to
> [install Cert Manager](https://cert-manager.io/docs/installation/) first.

1. If you encounter the following error message when creating a Harbor instance, click `Go to install`.

   ![error](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/kangaroo/images/errors.png)

2. Go to `Container Management` -> `Helm Apps` -> `Helm Charts`, and find and click the harbor-operator card.

   ![card](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/kangaroo/images/operator01.png)

3. Choose the version and click `Install`.

   ![install](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/kangaroo/images/operator02.png)

4. After entering the name and namespace, click `OK`.
   If you want to add other parameters, please refer to the [Parameter Values](#parameter-values) below.

   ![OK](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/kangaroo/images/operator03.png)

5. Wait for the installation to complete (Status from `Pending Install` to `Deployed`).

   ![status](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/kangaroo/images/operator04.png)

## Parameter Values

During the installation process of the Harbor Operator, there are several parameters that can be filled in and controlled. Please refer to the table below for specific parameter details:

> The parameters `minio-operator.enabled`, `postgres-operator.enabled`, and `redis-operator.enabled` must be set to `false`.

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#affinity-v1-core> For example: `{   "nodeAffinity": {     "requiredDuringSchedulingIgnoredDuringExecution": {       "nodeSelectorTerms": [         {           "matchExpressions": [             {               "key": "foo.bar.com/role",               "operator": "In",               "values": [                 "master"               ]             }           ]         }       ]     }   } }` |
| allowPrivilegeEscalation | bool | `false` | Allow privilege escalation for the controller Pods |
| autoscaling.enabled | bool | `false` | Whether to enabled [Horizontal Pod Autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) |
| autoscaling.maxReplicas | int | `100` | Maximum conroller replicas |
| autoscaling.minReplicas | int | `1` | Minimum conroller replicas |
| autoscaling.targetCPUUtilizationPercentage | int | `80` | CPU usage target for autoscaling |
| autoscaling.targetMemoryUtilizationPercentage | int | No target | Memory usage target for autoscaling |
| controllers.chartmuseum.maxReconcile | int | `1` | Max parallel reconciliation for ChartMuseum controller |
| controllers.common.classname | string | `""` | Harbor class handled by the operator. An empty class means watch all resources |
| controllers.common.networkPolicies | bool | `false` | Whether the operator should manage network policies |
| controllers.common.watchChildren | bool | `true` | Whether the operator should watch children |
| controllers.core.maxReconcile | int | `1` | Max parallel reconciliation for Core controller |
| controllers.harbor.maxReconcile | int | `1` | Max parallel reconciliation for Harbor controller |
| controllers.harborConfiguration.maxReconcile | int | `1` | Max parallel reconciliation for HarborConfiguration controller |
| controllers.harborcluster.maxReconcile | int | `1` | Max parallel reconciliation for HarborCluster controller |
| controllers.jobservice.maxReconcile | int | `1` | Max parallel reconciliation for JobService controller |
| controllers.notaryserver.maxReconcile | int | `1` | Max parallel reconciliation for NotaryServer controller |
| controllers.notarysigner.maxReconcile | int | `1` | Max parallel reconciliation for NotarySigner controller |
| controllers.portal.maxReconcile | int | `1` | Max parallel reconciliation for Portal controller |
| controllers.registry.maxReconcile | int | `1` | Max parallel reconciliation for Registry controller |
| controllers.registryctl.maxReconcile | int | `1` | Max parallel reconciliation for RegistryCtl controller |
| controllers.trivy.maxReconcile | int | `1` | Max parallel reconciliation for Trivy controller |
| deploymentAnnotations | object | `{}` | Additional annotations to add to the controller Deployment |
| fullnameOverride | string | `""` |  |
| harborClass | string | `""` | Class name of the Harbor operator |
| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy for the controller. |
| image.registry | string | `"docker.io"` | The image registry whose default is docker.io. |
| image.repository | string | `"goharbor/harbor-operator"` | The container registry whose default is the chart appVersion. |
| image.tag | string | `"dev_master"` | The image tag whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | Reference to one or more secrets to be used when pulling images <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/> For example: `[   {"name":"image-pull-secret"} ]` |
| installCRDs | bool | `false` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED |
| leaderElection.namespace | string | `"kube-system"` | The namespace used to store the ConfigMap for leader election |
| logLevel | int | `4` | Set the verbosity of controller. Range of 0 - 6 with 6 being the most verbose. Info level is 4. |
| minio-operator.enabled | bool | `false` | Whether to enabled [MinIO Operator](https://github.com/minio/operator) |
| nameOverride | string | `""` |  |
| nodeSelector | object | `{}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#nodeselector-v1-core> For example: `[   {     "matchExpressions": [       {         "key": "kubernetes.io/e2e-az-name",         "operator": "In",         "values": [           "e2e-az1",           "e2e-az2"         ]       }     ]   } ]` |
| podAnnotations | object | `{}` | Additional annotations to add to the controller Pods |
| podLabels | object | `{}` | Additional labels to add to the controller Pods |
| podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65532}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core> For example: `{   "fsGroup": 2000,   "runAsUser": 1000,   "runAsNonRoot": true }` |
| postgres-operator.configKubernetes.secret_name_template | string | `"{username}.{cluster}.credentials"` |  |
| postgres-operator.enabled | bool | `false` | Whether to enabled [Postgres operator](https://github.com/zalando/postgres-operator) |
| priorityClassName | string | `""` | priority class to be used for the harbor-operator pods |
| rbac.create | bool | `true` | Whether to install Role Based Access Control |
| redis-operator.enabled | bool | `false` | Whether to enabled [Redis Operator](https://github.com/spotahome/redis-operator) |
| redis-operator.image.tag | string | `"v1.2.0"` |  |
| replicaCount | int | `1` | Number of replicas for the controller |
| resources | object | `{"limits":{"cpu":"500m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"200Mi"}}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#resourcerequirements-v1-core> |
| service.port | int | `443` | Expose port for WebHook controller |
| service.type | string | `"ClusterIP"` | Service type to use |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| strategy | object | `{}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#deploymentstrategy-v1-apps> For example: `{   "type": "RollingUpdate",   "rollingUpdate": {     "maxSurge": 0,     "maxUnavailable": 1   } }` |
| tolerations | list | `[]` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#toleration-v1-core> For example: `[   {     "key": "foo.bar.com/role",     "operator": "Equal",     "value": "master",     "effect": "NoSchedule"   } ]` |
| volumeMounts | list | `[]` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#volumemount-v1-core> For example: `[   {     "mountPath": "/test-ebs",     "name": "test-volume"   } ]` |
| volumes | list | `[]` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#volume-v1-core> For example: `[   {     "name": "test-volume",     "awsElasticBlockStore": {       "volumeID": "<volume-id>",       "fsType": "ext4"     }   } ]` |

Next: [Create a managed Harbor instance](./harbor.md)