Merge pull request goharbor#1179 from golgoth31/master

Add ability to use external secrets

templates/chartmuseum/chartmuseum-cm.yaml

@@ -55,7 +55,9 @@ data:
 {{- else if eq $storageType "gcs" }}
   STORAGE: "google"
   STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }}
+  {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }}
   GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json
+  {{- end }}
   {{- if $storage.gcs.rootdirectory }}
   STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }}
   {{- end }}

templates/chartmuseum/chartmuseum-dpl.yaml

@@ -1,4 +1,6 @@
 {{- if .Values.chartmuseum.enabled }}
+{{- $storage := .Values.persistence.imageChartStorage }}
+{{- $type := $storage.type }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -105,6 +107,13 @@ spec:
           - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280)
             name: AWS_SDK_LOAD_CONFIG
             value: "1"
+          {{- if .Values.redis.external.existingSecret }}
+          - name: CACHE_REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.redis.external.existingSecret }}
+                key: REDIS_PASSWORD
+          {{- end }}
         ports:
         - containerPort: {{ template "harbor.chartmuseum.containerPort" . }}
         volumeMounts:
@@ -115,7 +124,7 @@ spec:
         - name: chart-internal-certs
           mountPath: /etc/harbor/ssl/chartmuseum
         {{- end }}
-        {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
+        {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
         - name: gcs-key
           mountPath: /etc/chartmuseum/gcs-key.json
           subPath: gcs-key.json
@@ -141,10 +150,14 @@ spec:
         secret:
           secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }}
       {{- end }}
-      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
+      {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
       - name: gcs-key
         secret:
+          {{- if and (eq $type "gcs") $storage.gcs.existingSecret }}
+          secretName: {{ $storage.gcs.existingSecret }}
+          {{- else }}
           secretName: {{ template "harbor.registry" . }}
+          {{- end }}
           items:
             - key: GCS_KEY_DATA
               path: gcs-key.json

templates/chartmuseum/chartmuseum-secret.yaml

@@ -7,7 +7,9 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+{{- if not .Values.redis.external.existingSecret }}
   CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
+{{- end }}
 {{- $storage := .Values.persistence.imageChartStorage }}
 {{- $storageType := $storage.type }}
 {{- if eq $storageType "azure" }}
@@ -23,4 +25,4 @@ data:
 {{- else if eq $storageType "oss" }}
   ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
 {{- end }}
-{{- end }}
+{{- end }}

templates/core/core-dpl.yaml

@@ -96,6 +96,20 @@ spec:
           - name: INTERNAL_TLS_TRUST_CA_PATH
             value: /etc/harbor/ssl/core/ca.crt
          {{- end }}
+         {{- if .Values.database.external.existingSecret }}
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.database.external.existingSecret }}
+                key: password
+         {{- end }}
+         {{- if .Values.registry.credentials.existingSecret }}
+          - name: REGISTRY_CREDENTIAL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.registry.credentials.existingSecret }}
+                key: REGISTRY_PASSWD
+         {{- end }}
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
         volumeMounts:
@@ -139,7 +153,11 @@ spec:
               path: app.conf
       - name: secret-key
         secret:
+          {{- if .Values.existingSecretSecretKey }}
+          secretName: {{ .Values.existingSecretSecretKey }}
+          {{- else }}
           secretName: {{ template "harbor.core" . }}
+          {{- end }}
           items:
             - key: secretKey
               path: key

templates/core/core-secret.yaml

@@ -6,14 +6,20 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+  {{- if not .Values.existingSecretSecretKey }}
   secretKey: {{ .Values.secretKey | b64enc | quote }}
+  {{- end }}
   secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
-{{- if not .Values.core.secretName }}
+  {{- if not .Values.core.secretName }}
   tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
   tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
-{{- end }}
+  {{- end }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
+  {{- if not .Values.database.external.existingSecret }}
   POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
+  {{- end }}
+  {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
+  {{- end }}
   CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
   {{- template "harbor.traceJaegerPassword" . }}

templates/exporter/exporter-dpl.yaml

@@ -56,6 +56,14 @@ spec:
             name: "{{ template "harbor.exporter" . }}-env"
         - secretRef:
             name: "{{ template "harbor.exporter" . }}"
+        env:
+        {{- if .Values.database.external.existingSecret }}
+        - name: HARBOR_DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.database.external.existingSecret }}
+              key: password
+        {{- end }}
 {{- if .Values.exporter.resources }}
         resources:
 {{ toYaml .Values.exporter.resources | indent 10 }}

templates/exporter/exporter-secret.yaml

@@ -12,5 +12,7 @@ data:
   tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
 {{- end }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
+{{- if not .Values.database.external.existingSecret }}
   HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
-{{- end }}
+{{- end }}
+{{- end }}

templates/jobservice/jobservice-dpl.yaml

@@ -86,6 +86,13 @@ spec:
           - name: INTERNAL_TLS_TRUST_CA_PATH
             value: /etc/harbor/ssl/jobservice/ca.crt
           {{- end }}
+          {{- if .Values.registry.credentials.existingSecret }}
+          - name: REGISTRY_CREDENTIAL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.registry.credentials.existingSecret }}
+                key: REGISTRY_PASSWD
+          {{- end }}
         envFrom:
         - configMapRef:
             name: "{{ template "harbor.jobservice" . }}-env"

templates/jobservice/jobservice-secrets.yaml

@@ -7,5 +7,7 @@ metadata:
 type: Opaque
 data:
   JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+  {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
-  {{- template "harbor.traceJaegerPassword" . }}
+  {{- end }}
+  {{- template "harbor.traceJaegerPassword" . }}

templates/registry/registry-cm.yaml

@@ -36,7 +36,9 @@ data:
       {{- else if eq $type "gcs" }}
       gcs:
         bucket: {{ $storage.gcs.bucket }}
+        {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }}
         keyfile: /etc/registry/gcs-key.json
+        {{- end }}
         {{- if $storage.gcs.rootdirectory }}
         rootdirectory: {{ $storage.gcs.rootdirectory }}
         {{- end }}
@@ -212,7 +214,7 @@ data:
     compatibility:
       schema1:
         enabled: true
-    
+
     {{- if .Values.registry.middleware.enabled }}
     {{- $middleware := .Values.registry.middleware }}
     {{- $middlewareType := $middleware.type }}

templates/registry/registry-dpl.yaml

@@ -1,3 +1,5 @@
+{{- $storage := .Values.persistence.imageChartStorage }}
+{{- $type := $storage.type }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -115,7 +117,7 @@ spec:
         - name: registry-internal-certs
           mountPath: /etc/harbor/ssl/registry
         {{- end }}
-        {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
+        {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }}
         - name: gcs-key
           mountPath: /etc/registry/gcs-key.json
           subPath: gcs-key.json
@@ -192,6 +194,13 @@ spec:
         - name: INTERNAL_TLS_TRUST_CA_PATH
           value: /etc/harbor/ssl/registry/ca.crt
         {{- end }}
+        {{- if .Values.redis.external.existingSecret }}
+        - name: REGISTRY_REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.redis.external.existingSecret }}
+              key: REDIS_PASSWORD
+        {{- end }}
         ports:
         - containerPort: {{ template "harbor.registryctl.containerPort" . }}
         volumeMounts:
@@ -213,7 +222,7 @@ spec:
           mountPath: /harbor_cust_cert/custom-ca-bundle.crt
           subPath: ca.crt
         {{- end }}
-        {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
+        {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
         - name: gcs-key
           mountPath: /etc/registry/gcs-key.json
           subPath: gcs-key.json
@@ -224,7 +233,11 @@ spec:
       volumes:
       - name: registry-htpasswd
         secret:
+          {{- if not .Values.registry.credentials.existingSecret }}
           secretName: {{ template "harbor.registry" . }}-htpasswd
+          {{ else }}
+          secretName: .Values.registry.credentials.existingSecret
+          {{- end }}
           items:
             - key: REGISTRY_HTPASSWD
               path: passwd
@@ -243,10 +256,14 @@ spec:
         secret:
           secretName: {{ template "harbor.internalTLS.registry.secretName" . }}
       {{- end }}
-      {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
+      {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }}
       - name: gcs-key
         secret:
+          {{- if and (eq $type "gcs") $storage.gcs.existingSecret }}
+          secretName: {{ $storage.gcs.existingSecret }}
+          {{- else }}
           secretName: {{ template "harbor.registry" . }}
+          {{- end }}
           items:
             - key: GCS_KEY_DATA
               path: gcs-key.json

templates/registry/registry-secret.yaml

@@ -7,12 +7,14 @@ metadata:
 type: Opaque
 data:
   REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
-  REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }}
+  {{- if not .Values.redis.external.existingSecret }}
+  REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
+  {{- end }}
   {{- $storage := .Values.persistence.imageChartStorage }}
   {{- $type := $storage.type }}
   {{- if eq $type "azure" }}
   REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
-  {{- else if eq $type "gcs" }}
+  {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }}
   GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
   {{- else if eq $type "s3" }}
   {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }}
@@ -32,6 +34,7 @@ data:
   {{- else if eq $type "oss" }}
   REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
   {{- end }}
+{{- if not .Values.registry.credentials.existingSecret }}
 ---
 apiVersion: v1
 kind: Secret
@@ -46,3 +49,4 @@ data:
   {{- else }}
   REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}
+{{- end }}

values.yaml

@@ -304,6 +304,9 @@ persistence:
       encodedkey: base64-encoded-json-key-file
       #rootdirectory: /gcs/object/name/prefix
       #chunksize: "5242880"
+      # To use existing secret, the key must be gcs-key.json
+      existingSecret: ""
+      useWorkloadIdentity: false
     s3:
       # Set an existing secret for S3 accesskey and secretkey
       # keys in the secret should be AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for chartmuseum
@@ -383,6 +386,8 @@ caSecretName: ""
 
 # The secret key used for encryption. Must be a string of 16 chars.
 secretKey: "not-a-secure-key"
+# If using existingSecretSecretKey, the key must be sercretKey
+existingSecretSecretKey: ""
 
 # The proxy settings for updating trivy vulnerabilities from the Internet and replicating
 # artifacts from/to the registries that cannot be reached directly
@@ -576,6 +581,8 @@ registry:
   credentials:
     username: "harbor_registry_user"
     password: "harbor_registry_password"
+    # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD
+    existingSecret: ""
     # Login and password in htpasswd string format. Excludes `registry.credentials.username`  and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt.
     # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string
   middleware:
@@ -792,6 +799,8 @@ database:
     coreDatabase: "registry"
     notaryServerDatabase: "notary_server"
     notarySignerDatabase: "notary_signer"
+    # if using existing secret, the key must be PASSWORD
+    existingSecret: ""
     # "disable" - No SSL
     # "require" - Always SSL (skip verification)
     # "verify-ca" - Always SSL (verify that the certificate presented by the
@@ -846,16 +855,18 @@ redis:
     chartmuseumDatabaseIndex: "3"
     trivyAdapterIndex: "5"
     password: ""
+    # If using existingSecret, the key must be REDIS_PASSWORD
+    existingSecret: ""
   ## Additional deployment annotations
   podAnnotations: {}
 
 exporter:
   replicas: 1
   revisionHistoryLimit: 10
-# resources:
-#  requests:
-#    memory: 256Mi
-#    cpu: 100m
+  # resources:
+  #  requests:
+  #    memory: 256Mi
+  #    cpu: 100m
   podAnnotations: {}
   serviceAccountName: ""
   # mount the service account token
@@ -895,12 +906,14 @@ metrics:
     # Scrape interval. If not set, the Prometheus default scrape interval is used.
     interval: ""
     # Metric relabel configs to apply to samples before ingestion.
-    metricRelabelings: []
+    metricRelabelings:
+      []
       # - action: keep
       #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
       #   sourceLabels: [__name__]
     # Relabel configs to apply to samples before ingestion.
-    relabelings: []
+    relabelings:
+      []
       # - sourceLabels: [__meta_kubernetes_pod_node_name]
       #   separator: ;
       #   regex: ^(.*)$