From 4699d6071dcdb91eb4b80fd15d466b81b2cfcda3 Mon Sep 17 00:00:00 2001 From: David Sabatie Date: Sat, 9 Apr 2022 00:15:20 +0200 Subject: [PATCH 1/7] feat: Use existing secret for multiple secrets values fix: Registry secret value path fix: Secret usage Signed-off-by: David Sabatie Signed-off-by: David Sabatie --- templates/chartmuseum/chartmuseum-dpl.yaml | 13 ++++++++++ templates/chartmuseum/chartmuseum-secret.yaml | 4 +++- templates/core/core-dpl.yaml | 18 ++++++++++++++ templates/core/core-secret.yaml | 10 ++++++-- templates/exporter/exporter-dpl.yaml | 8 +++++++ templates/exporter/exporter-secret.yaml | 4 +++- templates/jobservice/jobservice-dpl.yaml | 7 ++++++ templates/jobservice/jobservice-secrets.yaml | 4 +++- templates/registry/registry-dpl.yaml | 13 ++++++++++ templates/registry/registry-secret.yaml | 6 +++-- values.yaml | 24 +++++++++++++------ 11 files changed, 97 insertions(+), 14 deletions(-) diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml index d73a73a39..ffa54c489 100644 --- a/templates/chartmuseum/chartmuseum-dpl.yaml +++ b/templates/chartmuseum/chartmuseum-dpl.yaml @@ -1,4 +1,6 @@ {{- if .Values.chartmuseum.enabled }} +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} apiVersion: apps/v1 kind: Deployment metadata: @@ -101,6 +103,13 @@ spec: - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280) name: AWS_SDK_LOAD_CONFIG value: "1" + {{- if .Values.redis.external.existingSecret }} + - name: CACHE_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} ports: - containerPort: {{ template "harbor.chartmuseum.containerPort" . }} volumeMounts: 
@@ -140,7 +149,11 @@ spec: {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - name: gcs-key secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} secretName: {{ template "harbor.registry" . }} + {{- end }} items: - key: GCS_KEY_DATA path: gcs-key.json diff --git a/templates/chartmuseum/chartmuseum-secret.yaml b/templates/chartmuseum/chartmuseum-secret.yaml index eefdf793e..db9eda235 100644 --- a/templates/chartmuseum/chartmuseum-secret.yaml +++ b/templates/chartmuseum/chartmuseum-secret.yaml @@ -7,7 +7,9 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: +{{- if not .Values.redis.external.existingSecret }} CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} +{{- end }} {{- $storage := .Values.persistence.imageChartStorage }} {{- $storageType := $storage.type }} {{- if eq $storageType "azure" }} @@ -23,4 +25,4 @@ data: {{- else if eq $storageType "oss" }} ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index b94b789ec..2f3d7d554 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -96,6 +96,20 @@ spec: - name: INTERNAL_TLS_TRUST_CA_PATH value: /etc/harbor/ssl/core/ca.crt {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_CREDENTIAL_PASSWORD + {{- end }} ports: - containerPort: {{ template "harbor.core.containerPort" . }} volumeMounts: 
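Review bot: The existing-secret branch still projects `items: - key: GCS_KEY_DATA`, so a user-supplied secret must carry the key `GCS_KEY_DATA`, yet the values.yaml comment and README row added later in this series say the key must be `gcs-key.json`; a secret created the documented way fails to mount. `gcs-key.json` is the file name under `path:`, not the secret key, so the documentation should read `# To use existing secret, the key must be GCS_KEY_DATA (mounted as gcs-key.json)`. The inner `(eq $type "gcs")` test is redundant because the enclosing `if` already requires the gcs storage type; `{{- if $storage.gcs.existingSecret }}` is enough. The volumes list continues outside the hunk.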
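Review bot: The new `secretKeyRef` for the database reads `key: password`, while the values.yaml comment in this series documents the key as `POSTGRESQL_PASSWORD` (later changed to `PASSWORD`) and the README says `PASSWORD`; secret keys are case-sensitive, so a secret built from the docs leaves core with no database password. Either change the template to `key: PASSWORD` here and in exporter-dpl.yaml, or fix the documented key; the two must agree. The `REGISTRY_CREDENTIAL_PASSWORD` key in the second entry is renamed to `REGISTRY_PASSWD` by patch 7, so any in-template comment should use that final name. The container spec continues outside the hunk.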
@@ -139,7 +153,11 @@ spec: path: app.conf - name: secret-key secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} secretName: {{ template "harbor.core" . }} + {{- end }} items: - key: secretKey path: key diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 6e3e446da..9c80e3f7c 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -6,14 +6,20 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: + {{- if not .Values.existingSecretSecretKey }} secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} -{{- if not .Values.core.secretName }} + {{- if not .Values.core.secretName }} tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }} tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} -{{- end }} + {{- end }} HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- if not .Values.database.external.existingSecret }} POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} {{- template "harbor.traceJaegerPassword" . }} diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml index 8f13b8aa8..99d0a1a3b 100644 --- a/templates/exporter/exporter-dpl.yaml +++ b/templates/exporter/exporter-dpl.yaml 
@@ -56,6 +56,14 @@ spec: name: "{{ template "harbor.exporter" . }}-env" - secretRef: name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} {{- if .Values.exporter.resources }} resources: {{ toYaml .Values.exporter.resources | indent 10 }} diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml index 1fa6b492d..815772fdb 100644 --- a/templates/exporter/exporter-secret.yaml +++ b/templates/exporter/exporter-secret.yaml @@ -12,5 +12,7 @@ data: tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} {{- end }} HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- if not .Values.database.external.existingSecret }} HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index b988027ab..cc1d4761a 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -86,6 +86,13 @@ spec: - name: INTERNAL_TLS_TRUST_CA_PATH value: /etc/harbor/ssl/jobservice/ca.crt {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_CREDENTIAL_PASSWORD + {{- end }} envFrom: - configMapRef: name: "{{ template "harbor.jobservice" . }}-env" diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index dfd438cee..3dfa6bd5e 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml 
@@ -7,5 +7,7 @@ metadata: type: Opaque data: JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.registry.credentials.existingSecret }} REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} - {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 80f0fce95..e486542f5 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -1,3 +1,5 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} apiVersion: apps/v1 kind: Deployment metadata: @@ -187,6 +189,13 @@ spec: - name: INTERNAL_TLS_TRUST_CA_PATH value: /etc/harbor/ssl/registry/ca.crt {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} ports: - containerPort: {{ template "harbor.registryctl.containerPort" . }} volumeMounts: @@ -241,7 +250,11 @@ spec: {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - name: gcs-key secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} secretName: {{ template "harbor.registry" . }} + {{- end }} items: - key: GCS_KEY_DATA path: gcs-key.json diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index de8dadabd..9786d0f12 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml 
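Review bot: The `REGISTRY_REDIS_PASSWORD` entry sourced from `redis.external.existingSecret` is inserted in a container whose next context line is `containerPort: {{ template "harbor.registryctl.containerPort" . }}`, which suggests this is the registryctl container rather than the registry container that talks to Redis. Because registry-secret.yaml now omits `REGISTRY_REDIS_PASSWORD` whenever `existingSecret` is set, the registry container (outside this hunk) would be left with no Redis password unless it receives the same `valueFrom` block; please add the identical entry to its `env:` list. A small named template for the shared snippet would keep the two containers from drifting.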
@@ -7,12 +7,14 @@ metadata: type: Opaque data: REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} - REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} {{- $storage := .Values.persistence.imageChartStorage }} {{- $type := $storage.type }} {{- if eq $type "azure" }} REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} - {{- else if eq $type "gcs" }} + {{- else if and (eq $type "gcs") (not $storage.gcs.existingSecret) }} GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} {{- else if eq $type "s3" }} {{- if $storage.s3.accesskey }} diff --git a/values.yaml b/values.yaml index ea0567eda..e6991538c 100644 --- a/values.yaml +++ b/values.yaml @@ -280,7 +280,7 @@ persistence: # "oss" and fill the information needed in the corresponding section. The type # must be "filesystem" if you want to use persistent volumes for registry # and chartmuseum - type: filesystem + type: gcs filesystem: rootdirectory: /storage #maxthreads: 100 @@ -295,6 +295,8 @@ persistence: encodedkey: base64-encoded-json-key-file #rootdirectory: /gcs/object/name/prefix #chunksize: "5242880" + # To use existing secret, the key must be gcs-key.json + existingSecret: "" s3: region: us-west-1 bucket: bucketname @@ -370,6 +372,8 @@ caSecretName: "" # The secret key used for encryption. Must be a string of 16 chars. secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be sercretKey +existingSecretSecretKey: "" # The proxy settings for updating trivy vulnerabilities from the Internet and replicating # artifacts from/to the registries that cannot be reached directly 
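Review bot: The comment on `existingSecretSecretKey` names the key as `sercretKey`, but core-dpl.yaml projects the mounted volume with `key: secretKey`; a secret created from this comment cannot be mounted and core will not start. Change the line to `# If using existingSecretSecretKey, the key must be secretKey`. It would also help to repeat the 16-character requirement stated for `secretKey` just above, since the chart can no longer see the value to check it.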
@@ -777,6 +781,8 @@ database: coreDatabase: "registry" notaryServerDatabase: "notary_server" notarySignerDatabase: "notary_signer" + # if using existing secret, the key must be POSTGRESQL_PASSWORD + existingSecret: "" # "disable" - No SSL # "require" - Always SSL (skip verification) # "verify-ca" - Always SSL (verify that the certificate presented by the @@ -831,16 +837,18 @@ redis: chartmuseumDatabaseIndex: "3" trivyAdapterIndex: "5" password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" ## Additional deployment annotations podAnnotations: {} exporter: replicas: 1 revisionHistoryLimit: 10 -# resources: -# requests: -# memory: 256Mi -# cpu: 100m + # resources: + # requests: + # memory: 256Mi + # cpu: 100m podAnnotations: {} serviceAccountName: "" # mount the service account token @@ -880,12 +888,14 @@ metrics: # Scrape interval. If not set, the Prometheus default scrape interval is used. interval: "" # Metric relabel configs to apply to samples before ingestion. - metricRelabelings: [] + metricRelabelings: + [] # - action: keep # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' # sourceLabels: [__name__] # Relabel configs to apply to samples before ingestion. - relabelings: [] + relabelings: + [] # - sourceLabels: [__meta_kubernetes_pod_node_name] # separator: ; # regex: ^(.*)$ From f68f484de4c154082935c2cd2c84b7d7752dce7e Mon Sep 17 00:00:00 2001 From: David Sabatie Date: Fri, 22 Apr 2022 21:34:33 +0200 Subject: [PATCH 2/7] fix: Default type to filesystem for imageChartStorage Signed-off-by: David Sabatie --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index e6991538c..c0fb13101 100644 --- a/values.yaml +++ b/values.yaml 
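Review bot: Re-indenting the commented-out `exporter.resources` block and moving `[]` onto its own line under `metricRelabelings`/`relabelings` look like unrelated formatter output rather than part of the existing-secret feature, and they inflate a patch that reviewers need to read carefully for secret-handling changes. Keep these hunks out of this series or land them as a separate formatting-only commit. The `redis.external.existingSecret` comment in this hunk does match the `REDIS_PASSWORD` key used by the templates.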
@@ -280,7 +280,7 @@ persistence: # "oss" and fill the information needed in the corresponding section. The type # must be "filesystem" if you want to use persistent volumes for registry # and chartmuseum - type: gcs + type: filesystem filesystem: rootdirectory: /storage #maxthreads: 100 From 44f31085d397a9957abaa93547d80658bfd3ee0c Mon Sep 17 00:00:00 2001 From: David Sabatie Date: Mon, 13 Jun 2022 18:50:12 +0200 Subject: [PATCH 3/7] feat: Handle gcp workload identity Signed-off-by: David Sabatie --- templates/chartmuseum/chartmuseum-cm.yaml | 2 ++ templates/chartmuseum/chartmuseum-dpl.yaml | 4 ++-- templates/registry/registry-cm.yaml | 4 +++- templates/registry/registry-dpl.yaml | 6 +++--- templates/registry/registry-secret.yaml | 2 +- 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/templates/chartmuseum/chartmuseum-cm.yaml b/templates/chartmuseum/chartmuseum-cm.yaml index 8d0a5f82b..8d427c67e 100644 --- a/templates/chartmuseum/chartmuseum-cm.yaml +++ b/templates/chartmuseum/chartmuseum-cm.yaml @@ -55,7 +55,9 @@ data: {{- else if eq $storageType "gcs" }} STORAGE: "google" STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} GOOGLE_APPLICATION_CREDENTIALS: /etc/chartmuseum/gcs-key.json + {{- end }} {{- if $storage.gcs.rootdirectory }} STORAGE_GOOGLE_PREFIX: {{ $storage.gcs.rootdirectory }} {{- end }} diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml index ffa54c489..67befd9b2 100644 --- a/templates/chartmuseum/chartmuseum-dpl.yaml +++ b/templates/chartmuseum/chartmuseum-dpl.yaml 
@@ -120,7 +120,7 @@ spec: - name: chart-internal-certs mountPath: /etc/harbor/ssl/chartmuseum {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} - name: gcs-key mountPath: /etc/chartmuseum/gcs-key.json subPath: gcs-key.json @@ -146,7 +146,7 @@ spec: secret: secretName: {{ template "harbor.internalTLS.chartmuseum.secretName" . }} {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} - name: gcs-key secret: {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml index 8af79694d..4f7056c38 100644 --- a/templates/registry/registry-cm.yaml +++ b/templates/registry/registry-cm.yaml @@ -36,7 +36,9 @@ data: {{- else if eq $type "gcs" }} gcs: bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} keyfile: /etc/registry/gcs-key.json + {{- end }} {{- if $storage.gcs.rootdirectory }} rootdirectory: {{ $storage.gcs.rootdirectory }} {{- end }} @@ -212,7 +214,7 @@ data: compatibility: schema1: enabled: true - + {{- if .Values.registry.middleware.enabled }} {{- $middleware := .Values.registry.middleware }} {{- $middlewareType := $middleware.type }} diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index e486542f5..98fa29dc8 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml 
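Review bot: The guard `and (and .Values.persistence.enabled (eq ... "gcs")) (not ... useWorkloadIdentity )` nests `and` needlessly and carries a stray space before the closing parenthesis; Go templates accept a variadic `and`, and `$storage`/`$type` are already defined at the top of this file. The same condition now appears in four places across the chartmuseum and registry deployments, so a single named helper would keep them from drifting when the next storage option is added. Until then, `{{- if and .Values.persistence.enabled (eq $type "gcs") (not $storage.gcs.useWorkloadIdentity) }}` renders the same result and is easier to audit.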
@@ -112,7 +112,7 @@ spec: - name: registry-internal-certs mountPath: /etc/harbor/ssl/registry {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} - name: gcs-key mountPath: /etc/registry/gcs-key.json subPath: gcs-key.json @@ -217,7 +217,7 @@ spec: mountPath: /harbor_cust_cert/custom-ca-bundle.crt subPath: ca.crt {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} - name: gcs-key mountPath: /etc/registry/gcs-key.json subPath: gcs-key.json @@ -247,7 +247,7 @@ spec: secret: secretName: {{ template "harbor.internalTLS.registry.secretName" . }} {{- end }} - {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} - name: gcs-key secret: {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index 9786d0f12..20dbe75a2 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml 
@@ -14,7 +14,7 @@ data: {{- $type := $storage.type }} {{- if eq $type "azure" }} REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} - {{- else if and (eq $type "gcs") (not $storage.gcs.existingSecret) }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} {{- else if eq $type "s3" }} {{- if $storage.s3.accesskey }} From 3c02bdac6fc5bcacebbc0a174d4cc8955f8741bf Mon Sep 17 00:00:00 2001 From: David Sabatie Date: Sun, 14 Aug 2022 21:48:49 +0200 Subject: [PATCH 4/7] feat: Add existingSecret key for registry Signed-off-by: David Sabatie --- values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index c0fb13101..ff27c9292 100644 --- a/values.yaml +++ b/values.yaml @@ -565,6 +565,8 @@ registry: credentials: username: "harbor_registry_user" password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_CREDENTIAL_PASSWORD + existingSecret: "" # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string middleware: @@ -781,7 +783,7 @@ database: coreDatabase: "registry" notaryServerDatabase: "notary_server" notarySignerDatabase: "notary_signer" - # if using existing secret, the key must be POSTGRESQL_PASSWORD + # if using existing secret, the key must be PASSWORD existingSecret: "" # "disable" - No SSL # "require" - Always SSL (skip verification) From 7b78c5469c83dcfe7d9047f676f234368886328c Mon Sep 17 00:00:00 2001 
From: David Sabatie Date: Thu, 18 Aug 2022 21:33:39 +0200 Subject: [PATCH 5/7] fix: Add workloadidentity key to values file Signed-off-by: David Sabatie --- values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/values.yaml b/values.yaml index ff27c9292..cea220111 100644 --- a/values.yaml +++ b/values.yaml @@ -297,6 +297,7 @@ persistence: #chunksize: "5242880" # To use existing secret, the key must be gcs-key.json existingSecret: "" + useWorkloadIdentity: false s3: region: us-west-1 bucket: bucketname From 3053463f73398de9705b2620c9d08fa313f50471 Mon Sep 17 00:00:00 2001 From: David Sabatie Date: Thu, 18 Aug 2022 22:23:08 +0200 Subject: [PATCH 6/7] docs: Update README Signed-off-by: David Sabatie --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 1040f5582..ed1851f0d 100644 --- a/README.md +++ b/README.md 
@@ -179,6 +179,8 @@ The following table lists the configurable parameters of the Harbor chart and th | `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | | `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and chartmuseum's containers. | | | `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry and chartmuseum. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | | **General** | | | | `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | | `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for chartmuseum, core, jobservice, registry, trivy components. | | 
@@ -190,6 +192,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | | `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | | `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | | `proxy.httpProxy` | The URL of the HTTP proxy server | | | `proxy.httpsProxy` | The URL of the HTTPS proxy server | | | `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | 
@@ -271,6 +274,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | | `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | | `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_CREDENTIAL_PASSWORD` | `""` | | `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | | `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. 
Needed if harbor is behind a reverse proxy | `false` | | `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | @@ -348,6 +352,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `database.external.coreDatabase` | The database used by core service | `registry` | | `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | | `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `PASSWORD`. | `""` | | `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | | `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | | `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | @@ -370,6 +375,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `redis.external.chartmuseumDatabaseIndex` | The database index for chartmuseum | `3` | | `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | | `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | | `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | | **Exporter** | | | | `exporter.replicas` | The replica count | `1` | From 24986b8c566487c29406c2266996696523f316ad Mon Sep 17 00:00:00 2001 From: David Sabatie Date: Fri, 19 Aug 2022 22:37:40 +0200 Subject: [PATCH 7/7] fix: Existing secret for registry usage 
Signed-off-by: David Sabatie --- templates/core/core-dpl.yaml | 2 +- templates/jobservice/jobservice-dpl.yaml | 2 +- templates/registry/registry-dpl.yaml | 4 ++++ templates/registry/registry-secret.yaml | 2 ++ values.yaml | 2 +- 5 files changed, 9 insertions(+), 3 deletions(-) diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 2f3d7d554..fa7fd4204 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -108,7 +108,7 @@ spec: valueFrom: secretKeyRef: name: {{ .Values.registry.credentials.existingSecret }} - key: REGISTRY_CREDENTIAL_PASSWORD + key: REGISTRY_PASSWD {{- end }} ports: - containerPort: {{ template "harbor.core.containerPort" . }} diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index cc1d4761a..39f7d277b 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -91,7 +91,7 @@ spec: valueFrom: secretKeyRef: name: {{ .Values.registry.credentials.existingSecret }} - key: REGISTRY_CREDENTIAL_PASSWORD + key: REGISTRY_PASSWD {{- end }} envFrom: - configMapRef: diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 98fa29dc8..d19508513 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -228,7 +228,11 @@ spec: volumes: - name: registry-htpasswd secret: + {{- if not .Values.registry.credentials.existingSecret }} secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: .Values.registry.credentials.existingSecret + {{- end }} items: - key: REGISTRY_HTPASSWD path: passwd diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index 20dbe75a2..650540a5e 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml 
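Review bot: `secretName: .Values.registry.credentials.existingSecret` is missing the template delimiters, so the rendered volume refers to a Secret literally named `.Values.registry.credentials.existingSecret` and the `registry-htpasswd` volume can never be satisfied whenever an existing secret is configured. It should be `secretName: {{ .Values.registry.credentials.existingSecret }}`, and `{{ else }}` should be `{{- else }}` to match the whitespace trimming on the surrounding actions. Note the branch also requires the existing secret to hold `REGISTRY_HTPASSWD` (the unchanged `items: - key: REGISTRY_HTPASSWD` below), a second key the README row added in patch 6 does not mention. The volumes list continues outside the hunk.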
@@ -34,6 +34,7 @@ data: {{- else if eq $type "oss" }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} --- apiVersion: v1 kind: Secret @@ -48,3 +49,4 @@ data: {{- else }} REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} {{- end }} +{{- end }} diff --git a/values.yaml b/values.yaml index cea220111..b2a048d0b 100644 --- a/values.yaml +++ b/values.yaml @@ -566,7 +566,7 @@ registry: credentials: username: "harbor_registry_user" password: "harbor_registry_password" - # If using existingSecret, the key must be REGISTRY_CREDENTIAL_PASSWORD + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD existingSecret: "" # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string
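Review bot: The existing secret must now carry two keys, `REGISTRY_PASSWD` (read by core and jobservice) and `REGISTRY_HTPASSWD` (mounted by the registry), and nothing in the chart checks that the htpasswd entry was hashed from the same password; a mismatch means core authenticates to the registry with a password the registry rejects. Extend the comment, e.g. `# REGISTRY_HTPASSWD must be the htpasswd line for registry.credentials.username hashed from the same password as REGISTRY_PASSWD`. The README row added in patch 6 still names the key `REGISTRY_CREDENTIAL_PASSWORD` and should be updated to these names. It is also worth stating that `registry.credentials.username` presumably still comes from values when the existing secret is used, since only the password moved.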