Skip to content

To upgrade the Harbor Package📜

Check the upstream changelog and the upgrade notes.


Find the latest version of the harbor image that matches the latest version in IronBank that Renovate has identified from here:

Run a KPT update against the main chart folder:

# To find the chart version for the command below:
# - Browse to the [upstream](
# - Click on the drop-down menu on the upper left, then on Tags.
# - Scroll through the tags until you get to the Helm chart version tags (e.g. v1.13.0, v1.12.4, etc.).
# - Starting with the most recent Helm chart version tag, open the Chart.yaml for the tag. If the appVersion value corresponds to the version of Loki that Renovate detected for an upgrade, this is the correct version. So, for example, if you will be updating to chart
# version v1.13.0, your kpt command would be:

kpt pkg update chart@v1.13.0 --strategy alpha-git-patch

kpt pkg update chart@${chart.version} --strategy alpha-git-patch

Update dependencies in chart.yml📜

helm dependency update ./chart

Update main chart📜


  • update harbor version and appVersion
  • Ensure Big Bang version suffix is appended to chart version
  • Ensure dependencies gluon, postgresql, and redis are present and up to date
    version: $VERSION-bb.0
      - name: postgresql
        version: $POSTGRESQL_VERSION
        repository: file://./deps/postgresql
        condition: postgresql.enabled
      - name: redis
        version: $REDIS_VERSION
        repository: oci://
        condition: redis-bb.enabled
        alias: redis-bb
      - name: gluon
        version: $GLUON_VERSION
        repository: oci://
    annotations: |
        - Harbor Core: $HARBOR_APP_VERSION


  • Verify that Renovate updated the image tags in chart/values.yaml
  • For example, if Renovate wants to update harbor-core to version v2.9.0, you should see:
        # -- Overrides the image tag whose default is the chart's appVersion
        tag: v2.9.0

tests\images.txt - verify that image tag in is updated to match current version

Testing new harbor Version📜

Deploy harbor as part of BigBang in the local dev cluster📜

helm upgrade \
  --install bigbang ./bigbang/chart \
  --create-namespace \
  --namespace bigbang \
  --values ./bigbang/chart/values.yaml \
  --values ./bigbang/chart/ingress-certs.yaml \
  --set gatekeeper.enabled=false \
  --set addons.monitoring.enabled=true \
  --set addons.harbor.enabled=true \
  --set addons.harbor.values.istio.enabled=true \
  --set addons.harbor.values.istio.hardened.enabled=true \
  --set addons.harbor.values.monitoring.enabled=true \
  --set addons.harbor.values.metrics.enabled=true \
  --set addons.harbor.values.metrics.serviceMonitor.enabled=true \
  --set addons.harbor.values.networkPolicies.enabled=true
Visit and login

default credentials

  username: admin

  password: Harbor12345

From the CLI, run the following to test pushing/pulling from registry is working as expected

docker login

# Enter default credentials

docker pull alpine:latest alpine-latest.tar

docker push alpine-latest.tar

Navigate to the Prometheus target page ( and validate that the Harbor targets show as up.

Chart Additions📜


The mutating Kyverno policy named update-automountserviceaccounttokens is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false. This policy is configured by namespace in the Big Bang umbrella chart repository at chart/templates/kyverno-policies/values.yaml.

This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods: array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.

Modifications made to upstream chart📜

This is a high-level list of modifications that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process.


  • Added lines 59-61 to enable setting of container securityContext for exporter. This was absent from the upstream chart, but appears as though it will be added in chart version 1.15.x.
    {{- with .Values.exporter.containerSecurityContext }}
        {{- toYaml . | nindent 10 }}
    {{- end }}

Last update: 2024-03-12 by Ryan Garcia