feat(harbor): bump chart to 1.19.1 (Harbor 2.15.1)#2966

Open: scooby87 wants to merge 2 commits into main from feat/harbor-bump-version
@scooby87 scooby87 commented Jun 22, 2026

Bump the vendored Harbor Helm chart from 1.18.2 to 1.19.1, which upgrades Harbor itself from appVersion 2.14.2 to 2.15.1.

The bump adds PodDisruptionBudget templates for the core, exporter, jobservice, nginx, portal, registry and trivy components, improving availability during voluntary disruptions (node drains/upgrades).

What this PR does

Screenshots

Release note


Summary by CodeRabbit

Release Notes

  • New Features

    • Added Pod Disruption Budget support for core, portal, jobservice, nginx, registry, trivy, and exporter.
    • Made container health checks (liveness/readiness, plus core startup) fully configurable per component.
    • Added configurable registry HTTP client timeout.
    • Enhanced Gateway API route configuration (hostnames formatting and backend reference details).
  • Improvements

    • Improved external Redis credential handling for registry usage (safer secret guarding and URL-encoding).
    • Updated Harbor chart metadata and component images to v2.15.1.

Bump the vendored Harbor Helm chart from 1.18.2 to 1.19.1, which
upgrades Harbor itself from appVersion 2.14.2 to 2.15.1.

The bump adds PodDisruptionBudget templates for the core, exporter,
jobservice, nginx, portal, registry and trivy components, improving
availability during voluntary disruptions (node drains/upgrades).

Signed-off-by: Алексей Артамонов <alexeyartamonov1987@gmail.com>
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions github-actions Bot added the labels size/XS (This PR changes 0-9 lines, ignoring generated files), area/storage (Issues or PRs related to storage (linstor, seaweedfs, bucket, velero, harbor)) and kind/feature (Categorizes issue or PR as related to a new feature) on Jun 22, 2026
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9652a549-36a4-4335-8ce8-4a9e2f5595e9

📥 Commits

Reviewing files that changed from the base of the PR and between 93cb93f and 11378a9.

📒 Files selected for processing (1)
  • packages/apps/harbor/Chart.yaml
✅ Files skipped from review due to trivial changes (1)
  • packages/apps/harbor/Chart.yaml

📝 Walkthrough

Walkthrough

The Harbor Helm chart is upgraded from v2.14.2/1.18.2 to v2.15.1/1.19.1. All component container images are updated to docker.io/goharbor/*:v2.15.1. Health probe configurations across all workloads are parameterized via Helm values, with core gaining a configurable startup probe. PodDisruptionBudget templates are added for every Harbor component. Redis credential helpers gain safer secret lookup with nil-checks and URL-encoding. Gateway API HTTPRoute and nginx Service templates receive explicit field additions and namespace fixes.

Changes

Harbor v2.15.1 upgrade

Layer / File(s) and Summary

  • Chart version and image tag bumps
    Files: packages/system/harbor/charts/harbor/Chart.yaml, packages/system/harbor/charts/harbor/values.yaml, packages/apps/harbor/Chart.yaml
    Summary: appVersion and chart version are bumped to v2.15.1/1.19.1. All component image repositories are switched to docker.io/goharbor/* with tag v2.15.1. The expose type comment is updated to include the route option, and expose.route Gateway API configuration is restructured to use list-based parentRefs and hosts.

  • Redis credential helpers and registry redis config
    Files: packages/system/harbor/charts/harbor/templates/_helpers.tpl, packages/system/harbor/charts/harbor/templates/registry/registry-cm.yaml, packages/system/harbor/charts/harbor/templates/registry/registry-dpl.yaml
    Summary: New harbor.redis.usernameForRegistry and harbor.redis.passwordForRegistry helpers are introduced with awareness of internal vs. external Redis and secret-based credentials. harbor.redis.pwdfromsecret is hardened with nil-safe Secret lookup. harbor.redis.cred applies urlquery encoding to secret-derived values. registry-cm.yaml now always emits both username and password using the new helpers. The REGISTRY_REDIS_PASSWORD env var injection block is removed from registry and registryctl containers.

  • Parameterized health probes across all components
    Files: packages/system/harbor/charts/harbor/templates/{nginx,portal,core,jobservice,registry,trivy,database,redis,exporter}/, packages/system/harbor/charts/harbor/values.yaml
    Summary: All component livenessProbe and readinessProbe blocks (and core startupProbe) replace hardcoded timing values with .Values.<component>.*Probe.* fields covering initialDelaySeconds, periodSeconds, timeoutSeconds, failureThreshold, and successThreshold. Core gains a new configurable startupProbe with extended failure threshold. Jobservice ConfigMap adds REGISTRY_HTTP_CLIENT_TIMEOUT. values.yaml defines probe defaults for every component.

  • PodDisruptionBudget templates for all workloads
    Files: packages/system/harbor/charts/harbor/templates/{core,exporter,jobservice,nginx,portal,registry,trivy}/
    Summary: New policy/v1 PodDisruptionBudget templates are added for core, exporter, jobservice, nginx, portal, registry, and trivy. Each template is gated by a .podDisruptionBudget.enabled flag and replicas > 1, with optional minAvailable and maxUnavailable fields and component-scoped pod label selectors.

  • Gateway API HTTPRoute and nginx Service namespace fixes
    Files: packages/system/harbor/charts/harbor/templates/gateway-apis/route.yaml, packages/system/harbor/charts/harbor/templates/nginx/service.yaml
    Summary: HTTPRoute backendRefs entries for core and portal backends gain explicit group: "", kind: Service, and weight: 1 fields. The hostnames field is reformatted to appear on its own line. The nginx Service template adds metadata.namespace to the nodePort and loadBalancer branches.

Sequence Diagram

sequenceDiagram
  participant Helm as Helm Upgrade
  participant Chart as Chart.yaml
  participant Values as values.yaml
  participant Templates as Component Templates
  participant Containers as Container Pods
  
  Helm->>Chart: bump appVersion to 2.15.1
  Helm->>Chart: bump version to 1.19.1
  Helm->>Values: update all image tags to v2.15.1
  Helm->>Values: add probe defaults per component
  Helm->>Values: add podDisruptionBudget configs
  Values->>Templates: provide probe parameters
  Values->>Templates: provide PDB enabled flags
  Values->>Templates: provide redis config
  Templates->>Containers: render livenessProbe with values
  Templates->>Containers: render readinessProbe with values
  Templates->>Containers: render startupProbe (core only)
  Templates->>Containers: render PodDisruptionBudget if enabled
  Containers->>Containers: health checks follow tunable schedules
  Containers->>Containers: disruptions respect minAvailable/maxUnavailable

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

size/XL

Suggested reviewers

  • kvaps
  • androndo
  • IvanHunters
  • sircthulhu
  • lllamnyp
  • myasnikovdaniil

Poem

🐇 Hop, hop, to v2.15.1 we go,
With probes all tunable and PDBs in a row,
Redis credentials URL-encoded right,
Gateway refs explicit, namespaces bright,
The harbor chart hums, disruptions kept low! 🚢

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately summarizes the main change: bumping the Harbor Helm chart version and upgrading Harbor itself to 2.15.1.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/system/harbor/charts/harbor/templates/registry/registry-cm.yaml`:
- Around line 179-180: The Redis password is currently being rendered directly
into the ConfigMap (config.yml) at line 180, which exposes credentials to anyone
with ConfigMap read access, violating secret storage boundaries. Remove the
password line from the registry-cm.yaml ConfigMap template entirely, then modify
the registry-dpl.yaml deployment template to inject the REGISTRY_REDIS_PASSWORD
as an environment variable using secretKeyRef for both the registry and
registryctl containers, ensuring the actual password value comes from a Secret
rather than being exposed in the ConfigMap.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d019d960-8afc-44f9-93ca-35635be315d6

📥 Commits

Reviewing files that changed from the base of the PR and between 6329ffe and 93cb93f.

📒 Files selected for processing (24)
  • packages/system/harbor/charts/harbor/Chart.yaml
  • packages/system/harbor/charts/harbor/README.md
  • packages/system/harbor/charts/harbor/templates/_helpers.tpl
  • packages/system/harbor/charts/harbor/templates/core/core-dpl.yaml
  • packages/system/harbor/charts/harbor/templates/core/core-pdb.yaml
  • packages/system/harbor/charts/harbor/templates/database/database-ss.yaml
  • packages/system/harbor/charts/harbor/templates/exporter/exporter-dpl.yaml
  • packages/system/harbor/charts/harbor/templates/exporter/exporter-pdb.yaml
  • packages/system/harbor/charts/harbor/templates/gateway-apis/route.yaml
  • packages/system/harbor/charts/harbor/templates/jobservice/jobservice-cm-env.yaml
  • packages/system/harbor/charts/harbor/templates/jobservice/jobservice-dpl.yaml
  • packages/system/harbor/charts/harbor/templates/jobservice/jobservice-pdb.yaml
  • packages/system/harbor/charts/harbor/templates/nginx/deployment.yaml
  • packages/system/harbor/charts/harbor/templates/nginx/nginx-pdb.yaml
  • packages/system/harbor/charts/harbor/templates/nginx/service.yaml
  • packages/system/harbor/charts/harbor/templates/portal/deployment.yaml
  • packages/system/harbor/charts/harbor/templates/portal/portal-pdb.yaml
  • packages/system/harbor/charts/harbor/templates/redis/statefulset.yaml
  • packages/system/harbor/charts/harbor/templates/registry/registry-cm.yaml
  • packages/system/harbor/charts/harbor/templates/registry/registry-dpl.yaml
  • packages/system/harbor/charts/harbor/templates/registry/registry-pdb.yaml
  • packages/system/harbor/charts/harbor/templates/trivy/trivy-pdb.yaml
  • packages/system/harbor/charts/harbor/templates/trivy/trivy-sts.yaml
  • packages/system/harbor/charts/harbor/values.yaml

NOT LGTM — the bump ships Harbor 2.15.1 but the user-facing app chart still declares appVersion: 2.14.2, so every Harbor instance will report the wrong version through the platform API.

Business context: raise the bundled Harbor registry from 2.14.2 to 2.15.1 by refreshing the vendored upstream Helm chart, picking up upstream's new per-component PodDisruptionBudgets and configurable probes.

The vendored chart refresh itself is clean: packages/system/harbor/charts/harbor/ is byte-for-byte identical to a fresh helm pull harbor/harbor --version 1.19.1 (62 files, matching checksums), the prior 1.18.2 tree was likewise identical to upstream so no downstream customizations were dropped, and the cozystack value contract (external CNPG database, external Redis via inline redis.external.password, S3 imageChartStorage, expose.type: clusterIP) renders cleanly with helm unittest passing 7/7.

Blockers

B1: apps/harbor still declares Harbor 2.14.2 while the chart now ships 2.15.1

File: packages/apps/harbor/Chart.yaml:7
Issue: the system chart is bumped to Harbor 2.15.1, but the user-facing app chart still has appVersion: "2.14.2".
Evidence: packages/apps/Makefile packages charts with helm package --version $(COZYSTACK_VERSION), which overrides only version and ships appVersion verbatim. The Application type exposes appVersion as a top-level served field, so kubectl get harbors and the dashboard report 2.14.2 for instances actually running 2.15.1. Every other managed app uses appVersion as the upstream software version (clickhouse 24.9.2, postgres 16.2).
Impact: the platform misreports the deployed Harbor version to operators — a wrong basis for CVE and upgrade decisions on a registry.
Fix: bump appVersion: "2.14.2" to "2.15.1" in packages/apps/harbor/Chart.yaml within this PR.

Non-blocking follow-ups

  1. harbor-helm 1.19.1 ships two upstream issues, both in vendored code and both off cozystack's default path — worth reporting upstream at goharbor/harbor-helm, not patching here:
    • The new PodDisruptionBudget templates emit both minAvailable and maxUnavailable when a user enables a PDB and sets maxUnavailable (the default minAvailable: 1 is not cleared); the API server rejects that manifest. cozystack is unaffected — PDBs default to enabled: false and components run a single replica, so no PDB renders.
    • registry-cm.yaml resolves the external-Redis password via Helm lookup when redis.external.existingSecret is set, and the REGISTRY_REDIS_PASSWORD env fallback was removed — so on a first GitOps render the password is empty, and when the lookup succeeds the secret is written into a ConfigMap. cozystack is unaffected — it supplies the password inline via redis.external.password, never existingSecret.
  2. packages/system/harbor/Makefile's update target runs helm pull with no --version, so re-running it fetches latest rather than reproducibly re-pulling 1.19.1. Pre-existing and consistent with the repo, but pinning would make future bumps deterministic.
  3. Harbor runs a forward-only DB schema migration on first 2.15 startup; helm/Flux rollback won't downgrade the schema. Standard Harbor upgrade caveat, worth a line in the release notes.
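
The two upstream issues in the follow-ups above (a PodDisruptionBudget that sets both minAvailable and maxUnavailable, and a Redis password rendered into a ConfigMap) can be caught by linting rendered manifests before they are applied. This is an added example, not code from the PR, cozystack or harbor-helm: the sample manifest text, the resource names and the `lint` function are constructed for illustration, and the line-based matching is a heuristic rather than a full YAML parse.

```python
import re

# Constructed stand-in for `helm template` output; names and values are invented.
SAMPLE = """\
kind: PodDisruptionBudget
metadata:
  name: harbor-core
spec:
  minAvailable: 1
  maxUnavailable: 1
---
kind: PodDisruptionBudget
metadata:
  name: harbor-portal
spec:
  minAvailable: 1
---
kind: ConfigMap
metadata:
  name: harbor-registry
data:
  config.yml: |
    redis:
      addr: redis.example.internal:6379
      password: "constructed-secret"
"""

EMPTY = {"", '""', "''", "null", "~"}

def lint(rendered):
    """Return sorted (kind, name, problem) tuples for the two follow-up issues."""
    findings = []
    for doc in re.split(r"^---\s*$", rendered, flags=re.M):
        kind = re.search(r"^kind:\s*(\S+)", doc, re.M)
        name = re.search(r"^  name:\s*(\S+)", doc, re.M)
        if not (kind and name):
            continue
        kind, name = kind.group(1), name.group(1)
        if kind == "PodDisruptionBudget":
            # policy/v1 allows only one of the two fields in a PDB spec.
            fields = re.findall(r"^  (minAvailable|maxUnavailable):", doc, re.M)
            if len(set(fields)) == 2:
                findings.append((kind, name, "minAvailable and maxUnavailable both set"))
        elif kind == "ConfigMap":
            for value in re.findall(r"^\s*password:[ \t]*(.*)$", doc, re.M):
                if value.strip() not in EMPTY:
                    findings.append((kind, name, "non-empty password in ConfigMap"))
    return sorted(findings)
```

An empty password value is deliberately not flagged by this check; the empty first-render case described in the follow-up needs a separate rule if it should fail the pipeline.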

The system chart was bumped to Harbor 2.15.1, but the user-facing app
chart still declared appVersion 2.14.2. Since the Application type serves
appVersion as a top-level field, the platform API and dashboard misreported
the deployed Harbor version. Align appVersion with the shipped 2.15.1.

Signed-off-by: Алексей Артамонов <alexeyartamonov1987@gmail.com>

LGTM — the blocker is fixed (apps/harbor/Chart.yaml appVersion bumped to 2.15.1 in 11378a9b, instances will now report the correct version), and the rest of the bump remains a clean vendored refresh.

Re-verified on head 11378a9b:

  • packages/system/harbor/charts/harbor/ is still byte-for-byte identical to a fresh helm pull harbor/harbor --version 1.19.1 (62 files, diff -rq empty).
  • apps/harbor/Chart.yaml appVersion: "2.15.1", matching what the system chart deploys.
  • helm unittest passes 7/7 and helm template with the cozystack contract (external CNPG / RedisFailover / S3) renders cleanly (exit 0).

Non-blocking follow-ups from the prior review still stand (two upstream harbor-helm 1.19.1 issues off the cozystack default path — unconditional minAvailable+maxUnavailable in PDB templates and lookup-based external-Redis password in registry-cm.yaml; both worth reporting to goharbor/harbor-helm, neither blocks here).
