Fix several tls certificate related issues
1. Use a separated secret option to set the ca as the secret generated by cert manager contains no key called ca.crt
2. Provide option to disable generating certificate automatically to use the ingress controller's default certificate

Signed-off-by: Wenkai Yin <[email protected]>
ywk253100 committed Aug 28, 2020
1 parent d80ac22 commit 4f55d91
Showing 8 changed files with 102 additions and 73 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/lint.yaml
@@ -43,4 +43,4 @@ jobs:
- name: Run template for nodePort expose
working-directory: ./harbor
run:
helm template --set "expose.type=nodePort,expose.tls.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
helm template --set "expose.type=nodePort,expose.tls.auto.commonName=127.0.0.1" --output-dir $(mktemp -d -t output-XXXXXXXXXX) .
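Review bot: the workflow still renders only the nodePort path with the renamed `expose.tls.auto.commonName`, so neither of the two new `certSource` branches is exercised in CI. Add a template run with `--set "expose.tls.certSource=secret,expose.tls.secret.secretName=harbor-tls"` and one with `--set "expose.type=ingress,expose.tls.certSource=none"`, so that the new helpers in `_helpers.tpl` and the ingress `tls` block are rendered at least once before a release.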
46 changes: 24 additions & 22 deletions README.md
@@ -89,27 +89,28 @@ The following table lists the configurable parameters of the Harbor chart and th

| Parameter | Description | Default |
| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| **Expose** |
| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` |
| `expose.tls.enabled` | Enable the tls or not | `true` |
| **Expose** |
| `expose.type` | The way how to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` |
| `expose.tls.enabled` | Enable the tls or not | `true` |
| `expose.tls.certSource` | The source of the tls certificate. Set it as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the tls certificate automatically 2) secret: read the tls certificate from the specified secret. The tls certificate can be generated manually or by cert manager 3) none: configure no tls certificate for the ingress. If the default tls certificate is configured in the ingress controller, choose this option | `auto` |
| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | |
| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | |
| `expose.tls.secret.notarySecretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key. Only needed when the `expose.type` is `ingress` | |
| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` |
| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce` and `ncp` | `default` |
| `expose.tls.secretName` | Fill the name of secret if you want to use your own TLS certificate. The secret contains keys named: `tls.crt` - the certificate (required), `tls.key` - the private key (required), `ca.crt` - the certificate of CA (optional), this enables the download link on portal to download the certificate of CA. These files will be generated automatically if the `secretName` is not set | |
| `expose.tls.notarySecretName` | By default, the Notary service will use the same cert and key as described above. Fill the name of secret if you want to use a separated one. Only needed when the `expose.type` is `ingress`. | |
| `expose.tls.commonName` | The common name used to generate the certificate, it's necessary when the `expose.type` is `clusterIP` or `nodePort` and `expose.tls.secretName` is null | |
| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` |
| `expose.ingress.annotations` | The annotations used in ingress | |
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` |
| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `443` |
| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `expose.nodePort.name` | The name of NodePort service | `harbor` |
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` |
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` |
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` |
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` |
| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` |
| `expose.ingress.annotations` | The annotations used in ingress | |
| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving with HTTP | `80` |
| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving with HTTPS | `443` |
| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `expose.nodePort.name` | The name of NodePort service | `harbor` |
| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving with HTTP | `80` |
| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving with HTTP | `30002` |
| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving with HTTPS | `443` |
| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving with HTTPS | `30003` |
| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` |
| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` |
| `expose.loadBalancer.name` | The name of service |`harbor`|
| `expose.loadBalancer.IP` | The IP of the loadBalancer. It works only when loadBalancer support assigning IP |`""`|
| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving with HTTP |`80`|
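Review bot: the `expose.tls.certSource` row should state that `none` only applies when `expose.type` is `ingress`; the option exists for the ingress controller's default certificate, and nothing in the table tells a `nodePort` or `clusterIP` user what `none` means for the chart's own nginx. The `expose.tls.secret.secretName` row also drops the `ca.crt` key without saying where it went; a cross-reference such as "the CA certificate is read from the secret named by `caSecretName`" would save the reader a search, since the old row documented both in one place.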
@@ -181,8 +182,9 @@ The following table lists the configurable parameters of the Harbor chart and th
| `imagePullSecrets` | The imagePullSecrets names for all deployments | |
| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry and chartmuseum): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` |
| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` |
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the certificate of CA when the certificate isn't generated automatically | |
| `secretkey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` |
| `proxy.httpProxy` | The URL of the HTTP proxy server | |
| `proxy.httpsProxy` | The URL of the HTTPS proxy server | |
| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal |
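Review bot: the `caSecretName` description says the download link is enabled "when the certificate isn't generated automatically", but `templates/core/core-dpl.yaml` in this same commit checks `.Values.caSecretName` before the auto-generation branches, so a set `caSecretName` wins even when `certSource` is `auto`. Either reword the row to say the value takes precedence over the auto-generated CA, or move the check below the auto-generation branches so the documentation and the template agree on which CA the portal hands out.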
30 changes: 29 additions & 1 deletion templates/_helpers.tpl
@@ -31,7 +31,7 @@ app: "{{ template "harbor.name" . }}"
{{- end -}}

{{- define "harbor.autoGenCert" -}}
{{- if and .Values.expose.tls.enabled (not .Values.expose.tls.secretName) -}}
{{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
{{- printf "true" -}}
{{- else -}}
{{- printf "false" -}}
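Review bot: `harbor.autoGenCert` now hinges on an exact string match against `"auto"`, and no helper rejects other values: a typo such as `Auto` silently disables generation, and the new `harbor.tlsCoreSecretForIngress` helper then falls into its `else` branch and references the `harbor.ingress` secret that is never created. Validate the value once, for example `{{- if not (has .Values.expose.tls.certSource (list "auto" "secret" "none")) }}{{ fail "expose.tls.certSource must be auto, secret or none" }}{{ end }}`, so a misconfiguration fails at `helm template` time rather than as a pod waiting on a missing secret.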
@@ -553,3 +553,31 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
{{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}}
{{- end -}}
{{- end -}}

{{- define "harbor.tlsCoreSecretForIngress" -}}
{{- if eq .Values.expose.tls.certSource "none" -}}
{{- printf "" -}}
{{- else if eq .Values.expose.tls.certSource "secret" -}}
{{- .Values.expose.tls.secret.secretName -}}
{{- else -}}
{{- include "harbor.ingress" . -}}
{{- end -}}
{{- end -}}

{{- define "harbor.tlsNotarySecretForIngress" -}}
{{- if eq .Values.expose.tls.certSource "none" -}}
{{- printf "" -}}
{{- else if eq .Values.expose.tls.certSource "secret" -}}
{{- .Values.expose.tls.secret.notarySecretName -}}
{{- else -}}
{{- include "harbor.ingress" . -}}
{{- end -}}
{{- end -}}

{{- define "harbor.tlsSecretForNginx" -}}
{{- if eq .Values.expose.tls.certSource "secret" -}}
{{- .Values.expose.tls.secret.secretName -}}
{{- else -}}
{{- include "harbor.nginx" . -}}
{{- end -}}
{{- end -}}
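Review bot: `harbor.tlsSecretForNginx` has no `none` branch, so with `certSource: none` and an `expose.type` of `clusterIP`, `nodePort` or `loadBalancer` it returns the `harbor.nginx` secret name while `harbor.autoGenCert` is `false` and `templates/nginx/secret.yaml` therefore renders nothing; the nginx deployment would mount a secret that does not exist. Since `none` only makes sense for the ingress controller's default certificate, add an explicit branch, e.g. `{{- else if eq .Values.expose.tls.certSource "none" -}}{{ fail "expose.tls.certSource=none is only supported with expose.type=ingress" }}`. The two ingress helpers are also identical apart from the secret key they read; one helper taking the key as a parameter would keep them from drifting.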
8 changes: 4 additions & 4 deletions templates/core/core-dpl.yaml
@@ -146,12 +146,12 @@ spec:
{{- if .Values.expose.tls.enabled }}
- name: ca-download
secret:
{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
{{- if .Values.caSecretName }}
secretName: {{ .Values.caSecretName }}
{{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }}
secretName: "{{ template "harbor.ingress" . }}"
{{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }}
secretName: {{ template "harbor.nginx" . }}
{{- else }}
secretName: {{ .Values.expose.tls.secretName }}
secretName: {{ template "harbor.tlsSecretForNginx" . }}
{{- end }}
{{- end }}
{{- if .Values.uaaSecretName }}
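Review bot: the final `else` branch mounts `harbor.tlsSecretForNginx` as the `ca-download` volume, which for `expose.type: ingress` with `certSource: none` resolves to the `harbor.nginx` secret, and that secret is only rendered when `harbor.autoGenCertForNginx` is true; the core pod would then reference a missing secret and stay in ContainerCreating, even though `none` is precisely the case where no certificate is configured. When `certSource` is `none` and `caSecretName` is empty, skip the `ca-download` volume (or set `optional: true` on the secret volume) rather than pointing it at a secret that is never created.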
14 changes: 2 additions & 12 deletions templates/ingress/ingress.yaml
@@ -48,11 +48,7 @@ metadata:
spec:
{{- if $tls.enabled }}
tls:
{{- if $tls.secretName }}
- secretName: {{ $tls.secretName }}
{{- else }}
- secretName: "{{ template "harbor.ingress" . }}"
{{- end }}
- secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
{{- if $ingress.hosts.core }}
hosts:
- {{ $ingress.hosts.core }}
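Review bot: for `certSource: none` the helper returns an empty string, so this line renders as `- secretName:` with a null value; that is what makes the controller fall back to its default certificate, but nothing in the template says so, and the removed line quoted the value while the new one does not. Add a comment above the `tls:` block noting that an empty `secretName` is intentional for `certSource=none`, and keep the quotes (`secretName: "{{ template "harbor.tlsCoreSecretForIngress" . }}"`) so the `none` case renders as an explicit `""` rather than a null that a reader may take for a rendering bug.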
@@ -108,13 +104,7 @@ metadata:
spec:
{{- if $tls.enabled }}
tls:
{{- if $tls.notarySecretName }}
- secretName: {{ $tls.notarySecretName }}
{{- else if $tls.secretName }}
- secretName: {{ $tls.secretName }}
{{- else }}
- secretName: "{{ template "harbor.ingress" . }}"
{{- end }}
- secretName: {{ template "harbor.tlsNotarySecretForIngress" . }}
{{- if $ingress.hosts.notary }}
hosts:
- {{ $ingress.hosts.notary }}
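Review bot: the deleted `else if $tls.secretName` fallback has no equivalent in `harbor.tlsNotarySecretForIngress`; with `certSource: secret` and `expose.tls.secret.notarySecretName` left empty, the Notary ingress now renders an empty `secretName` and is served with the controller's default certificate instead of the core secret, a silent behaviour change from the previous chart. Either restore the fallback in the helper (`{{- .Values.expose.tls.secret.notarySecretName | default .Values.expose.tls.secret.secretName -}}`) or make the README row say that `notarySecretName` is required whenever `certSource` is `secret`.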
6 changes: 1 addition & 5 deletions templates/nginx/deployment.yaml
@@ -86,11 +86,7 @@ spec:
{{- if .Values.expose.tls.enabled }}
- name: certificate
secret:
{{- if .Values.expose.tls.secretName }}
secretName: {{ .Values.expose.tls.secretName }}
{{- else }}
secretName: {{ template "harbor.nginx" . }}
{{- end }}
secretName: {{ template "harbor.tlsSecretForNginx" . }}
{{- end }}
{{- with .Values.nginx.nodeSelector }}
nodeSelector:
2 changes: 1 addition & 1 deletion templates/nginx/secret.yaml
@@ -1,6 +1,6 @@
{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }}
{{- $ca := genCA "harbor-ca" 365 }}
{{- $cn := (required "The \"expose.tls.commonName\" is required!" .Values.expose.tls.commonName) }}
{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }}
apiVersion: v1
kind: Secret
metadata:
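Review bot: the `required` message now names `expose.tls.auto.commonName`, but a user upgrading with an old values file that still sets `expose.tls.commonName` gets this error with no hint that the key moved. Name the rename in the message (e.g. `"expose.tls.auto.commonName" is required (was "expose.tls.commonName")`) or add an upgrade note to the README. The same concern is sharper for `expose.tls.secretName` and `expose.tls.notarySecretName`, also renamed in this commit: an old values file that sets them no longer fails at all, `certSource` falls back to its `auto` default, and the chart quietly replaces the operator's own certificate with a freshly generated one.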

0 comments on commit 4f55d91
