diff --git a/bitnami/harbor/Chart.yaml b/bitnami/harbor/Chart.yaml index 6f4610ff6b..f58070168a 100644 --- a/bitnami/harbor/Chart.yaml +++ b/bitnami/harbor/Chart.yaml @@ -36,4 +36,4 @@ sources: - https://github.com/bitnami/containers/tree/main/bitnami/harbor-registry - https://github.com/bitnami/containers/tree/main/bitnami/harbor-registryctl - https://goharbor.io/ -version: 16.2.0 +version: 16.3.0 diff --git a/bitnami/harbor/README.md b/bitnami/harbor/README.md index eae31c06f3..9f491830e3 100644 --- a/bitnami/harbor/README.md +++ b/bitnami/harbor/README.md @@ -454,6 +454,8 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `core.secretKey` | The key used for encryption. Must be a string of 16 chars | `""` | | `core.secret` | Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `""` | | `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | `""` | +| `core.existingSecret` | Existing secret for core | `""` | +| `core.existingEnvVarsSecret` | Existing secret for core envvars | `""` | | `core.csrfKey` | The CSRF key. Will be generated automatically if it isn't specified | `""` | | `core.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` | | `core.command` | Override default container command (useful when using custom images) | `[]` | 
@@ -536,6 +538,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `jobservice.redisNamespace` | Redis namespace for jobservice | `harbor_job_service_namespace` | | `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` | | `jobservice.secret` | Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `""` | +| `jobservice.existingSecret` | Existing secret for jobservice | `""` | | `jobservice.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` | | `jobservice.command` | Override default container command (useful when using custom images) | `[]` | | `jobservice.args` | Override default container args (useful when using custom images) | `[]` | 
@@ -605,6 +608,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | Name | Description | Value | | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | | `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md | `""` | +| `registry.existingSecret` | Existing secret for registry | `""` | | `registry.relativeurls` | Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL. | `false` | | `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd) | `harbor_registry_user` | | `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | 
@@ -1288,11 +1292,16 @@ Alternatively, you can use a ConfigMap or a Secret with the environment variable ### Configure the secrets -- **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure. +- **Secrets**: Secrets are used for encryption and to secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure then statically through the helm values. it expects the "key or password", not the secret name where secrets are stored. - **Certificates**: Used for token encryption/decryption. Fill `core.secretName` to configure. Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)). +If you want to manage full Secret objects by your own, you can use existingSecret & existingEnvVarsSecret parameters. This could be useful for some secure GitOps workflows, of course, you will have to ensure to define all expected keys for those secrets. + +The core service have two `Secret` objects, the default one for data & communication which is very important as it's contains the data encryption key of your harbor instance ! and a second one which contains standard passwords, database access password, ... +Keep in mind that the `HARBOR_ADMIN_PASSWORD` is only used to boostrap your harbor instance, if you update it after the deployment, the password is updated in database, but the secret will remain the initial one. + ### Setting Pod's affinity This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). 
@@ -1336,4 +1345,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/bitnami/harbor/templates/core/core-dpl.yaml b/bitnami/harbor/templates/core/core-dpl.yaml index 2955e3f77b..b87ceba683 100644 --- a/bitnami/harbor/templates/core/core-dpl.yaml +++ b/bitnami/harbor/templates/core/core-dpl.yaml @@ -98,14 +98,26 @@ spec: value: {{ ternary "true" "false" .Values.core.image.debug | quote }} - name: CORE_SECRET valueFrom: + {{- if .Values.core.existingSecret }} + secretKeyRef: + name: {{ .Values.core.existingSecret }} + key: secret + {{- else }} secretKeyRef: name: {{ include "harbor.core" . }} key: secret + {{- end }} - name: JOBSERVICE_SECRET valueFrom: + {{- if .Values.jobservice.existingSecret }} + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: secret + {{- else }} secretKeyRef: name: {{ include "harbor.jobservice" . }} key: secret + {{- end }} {{- if or .Values.core.configOverwriteJson .Values.core.configOverwriteJsonSecret }} - name: CONFIG_OVERWRITE_JSON valueFrom: @@ -130,7 +142,11 @@ spec: - configMapRef: name: {{ printf "%s-envvars" (include "harbor.core" .) }} - secretRef: + {{- if .Values.core.existingEnvVarsSecret }} + name: {{ .Values.core.existingEnvVarsSecret }} + {{- else }} name: {{ printf "%s-envvars" (include "harbor.core" .) }} + {{- end }} {{- if .Values.core.extraEnvVarsCM }} - configMapRef: name: {{ include "common.tplvalues.render" (dict "value" .Values.core.extraEnvVarsCM "context" $) }} 
@@ -224,10 +240,17 @@ spec: path: app.conf - name: secret-key secret: + {{- if .Values.core.existingSecret }} + secretName: {{ .Values.core.existingSecret }} + items: + - key: secretKey + path: key + {{- else }} secretName: {{ include "harbor.core" . }} items: - key: secretKey path: key + {{- end }} {{- if .Values.internalTLS.caBundleSecret }} {{- include "harbor.caBundleVolume" . | nindent 8 }} {{- end }} diff --git a/bitnami/harbor/templates/core/core-secret-envvars.yaml b/bitnami/harbor/templates/core/core-secret-envvars.yaml index 379dc32ab3..2a0d8bca83 100644 --- a/bitnami/harbor/templates/core/core-secret-envvars.yaml +++ b/bitnami/harbor/templates/core/core-secret-envvars.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.core.existingEnvVarsSecret }} apiVersion: v1 kind: Secret metadata: @@ -20,3 +21,4 @@ data: CSRF_KEY: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "CSRF_KEY" "length" 32 "providedValues" (list "core.csrfKey") "context" $) }} HARBOR_ADMIN_PASSWORD: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "HARBOR_ADMIN_PASSWORD" "length" 10 "providedValues" (list "adminPassword") "context" $) }} POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} diff --git a/bitnami/harbor/templates/core/core-secret.yaml b/bitnami/harbor/templates/core/core-secret.yaml index c47336dc34..e65075e4d8 100644 --- a/bitnami/harbor/templates/core/core-secret.yaml +++ b/bitnami/harbor/templates/core/core-secret.yaml 
@@ -13,8 +13,10 @@ metadata: {{- end }} type: Opaque data: + {{- if not .Values.core.existingSecret }} secretKey: {{ include "common.secrets.passwords.manage" (dict "secret" (include "harbor.core" .) "key" "secretKey" "length" 16 "providedValues" (list "core.secretKey") "context" $) }} secret: {{ include "common.secrets.passwords.manage" (dict "secret" (include "harbor.core" .) "key" "secret" "length" 16 "providedValues" (list "core.secret") "context" $) }} + {{- end }} {{- if not .Values.core.secretName }} tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }} tls.key: {{ .Files.Get "cert/tls.key" | b64enc }} diff --git a/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml b/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml index bf3366c98d..7cb8676c83 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml @@ -121,14 +121,26 @@ spec: value: {{ ternary "true" "false" .Values.jobservice.image.debug | quote }} - name: CORE_SECRET valueFrom: + {{- if .Values.core.existingSecret }} + secretKeyRef: + name: {{ .Values.core.existingSecret }} + key: secret + {{- else }} secretKeyRef: name: {{ include "harbor.core" . }} key: secret + {{- end }} - name: JOBSERVICE_SECRET valueFrom: + {{- if .Values.jobservice.existingSecret }} + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: secret + {{- else }} secretKeyRef: name: {{ include "harbor.jobservice" . }} key: secret + {{- end }} {{- if .Values.internalTLS.enabled }} - name: INTERNAL_TLS_ENABLED value: "true" diff --git a/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml b/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml index ea41a19eb3..de49fd23e5 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.jobservice.existingSecret }} apiVersion: v1 kind: Secret metadata: 
@@ -14,3 +15,4 @@ metadata: type: Opaque data: secret: {{ include "common.secrets.passwords.manage" (dict "secret" (include "harbor.jobservice" .) "key" "secret" "length" 16 "providedValues" (list "jobservice.secret") "context" $) }} +{{- end }} diff --git a/bitnami/harbor/templates/registry/registry-dpl.yaml b/bitnami/harbor/templates/registry/registry-dpl.yaml index eb58638420..11954944cb 100644 --- a/bitnami/harbor/templates/registry/registry-dpl.yaml +++ b/bitnami/harbor/templates/registry/registry-dpl.yaml @@ -141,7 +141,11 @@ spec: {{- end }} envFrom: - secretRef: + {{- if .Values.registry.existingSecret }} + name: {{ .Values.registry.existingSecret }} + {{- else }} name: {{ include "harbor.registry" . }} + {{- end }} {{- if .Values.registry.server.extraEnvVarsCM }} - configMapRef: name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.server.extraEnvVarsCM "context" $) }} @@ -256,7 +260,11 @@ spec: name: {{ printf "%s-ctl-envvars" (include "harbor.registry" .) }} {{- end }} - secretRef: + {{- if .Values.registry.existingSecret }} + name: {{ .Values.registry.existingSecret }} + {{- else }} name: {{ include "harbor.registry" . }} + {{- end }} {{- if .Values.registry.controller.extraEnvVarsCM }} - configMapRef: name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.controller.extraEnvVarsCM "context" $) }} 
@@ -270,14 +278,26 @@ spec: value: {{ ternary "true" "false" .Values.registry.controller.image.debug | quote }} - name: CORE_SECRET valueFrom: + {{- if .Values.core.existingSecret }} + secretKeyRef: + name: {{ .Values.core.existingSecret }} + key: secret + {{- else }} secretKeyRef: name: {{ include "harbor.core" . }} key: secret + {{- end }} - name: JOBSERVICE_SECRET valueFrom: + {{- if .Values.jobservice.existingSecret }} + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: secret + {{- else }} secretKeyRef: name: {{ include "harbor.jobservice" . }} key: secret + {{- end }} {{- if .Values.internalTLS.enabled }} - name: INTERNAL_TLS_ENABLED value: "true" @@ -365,7 +385,11 @@ spec: volumes: - name: registry-htpasswd secret: + {{- if .Values.registry.existingSecret }} + secretName: {{ .Values.registry.existingSecret }} + {{- else }} secretName: {{ template "harbor.registry" . }} + {{- end }} items: - key: REGISTRY_HTPASSWD path: passwd diff --git a/bitnami/harbor/templates/registry/registry-secret.yaml b/bitnami/harbor/templates/registry/registry-secret.yaml index 13ad418f34..3157260a49 100644 --- a/bitnami/harbor/templates/registry/registry-secret.yaml +++ b/bitnami/harbor/templates/registry/registry-secret.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.registry.existingSecret }} apiVersion: v1 kind: Secret metadata: @@ -39,3 +40,4 @@ data: {{- else if eq .Values.persistence.imageChartStorage.type "oss" }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }} {{- end }} +{{- end }} diff --git a/bitnami/harbor/values.yaml b/bitnami/harbor/values.yaml index 47b2949cb6..389b3d334c 100644 --- a/bitnami/harbor/values.yaml +++ b/bitnami/harbor/values.yaml 
@@ -1347,6 +1347,28 @@ core: ## @param core.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set ## secretName: "" + ## @param core.existingSecret Existing secret for core + ## The secret must contain the keys: + ## `secret` (required), + ## `secretKey` (required), + ## + existingSecret: "" + ## @param core.existingEnvVarsSecret Existing secret for core envvars + ## The secret must contain the keys: + ## `CSRF_KEY` (required), + ## `HARBOR_ADMIN_PASSWORD` (required), + ## `POSTGRESQL_PASSWORD` (required), + ## `REGISTRY_CREDENTIAL_USERNAME` (required), + ## `REGISTRY_CREDENTIAL_PASSWORD` (required), + ## `_REDIS_URL_CORE` (optional), + ## `_REDIS_URL_REG` (optional), + ## + ## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret + ## Notes: + ## As a EnvVars secret, this secret also store redis config urls + ## The HARBOR_ADMIN_PASSWORD is only required at initial deployment, once the password is set in database, it is not used anymore + ## + existingEnvVarsSecret: "" ## @param core.csrfKey The CSRF key. Will be generated automatically if it isn't specified ## csrfKey: "" @@ -1636,6 +1658,11 @@ jobservice: ## Must be a string of 16 chars. ## secret: "" + ## @param jobservice.existingSecret Existing secret for jobservice + ## The secret must contain the keys: + ## `secret` (required), + ## + existingSecret: "" ## Use TLS in the container ## tls: 
@@ -1878,6 +1905,13 @@ registry: ## Must be a string of 16 chars. ## secret: "" + ## @param registry.existingSecret Existing secret for registry + ## The secret must contain the keys: + ## `REGISTRY_HTPASSWD` (required), + ## `REGISTRY_HTTP_SECRET` (required), + ## `REGISTRY_REDIS_PASSWORD` (optional), + ## + existingSecret: "" ## @param registry.relativeurls Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL. ## relativeurls: false
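Review bot: the new README table rows in the first `README.md` hunk, `core.existingSecret` | Existing secret for core and `core.existingEnvVarsSecret` | Existing secret for core envvars, do not say which keys the referenced secret must contain, although the `values.yaml` comments in this same patch list them (`secret`, `secretKey`; `CSRF_KEY`, `HARBOR_ADMIN_PASSWORD`, ...). The table text matches the `@param` lines in `values.yaml`, so the fix belongs there: e.g. "Name of an existing secret containing the `secret` and `secretKey` keys for core". The same applies to the `jobservice.existingSecret` and `registry.existingSecret` rows in the next two README hunks.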
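Review bot: the prose added under "### Configure the secrets" needs a grammar pass and backticks on the parameter names before it is merged. Suggested wording: "Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure them statically through the Helm values; these parameters expect the key or password itself, not the name of the Secret that stores it." and "If you want to manage the full Secret objects yourself, use the `core.existingSecret`, `core.existingEnvVarsSecret`, `jobservice.existingSecret` and `registry.existingSecret` parameters. This can be useful for GitOps workflows, but you must then define every expected key in those secrets." The last paragraph should read "The core service has two `Secret` objects: the default one for data and communication, which is important because it contains the data encryption key of your Harbor instance, and a second one holding standard passwords such as the database password. Keep in mind that `HARBOR_ADMIN_PASSWORD` is only used to bootstrap the instance; if you change the password after deployment it is updated in the database, but the secret keeps the initial value." ("boostrap", "it's contains", "The core service have" are the typos to fix.)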
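Review bot: in the `core-dpl.yaml` hunk at `@@ -98,14`, both branches of each new `{{- if .Values.core.existingSecret }}` / `{{- else }}` block repeat the full `secretKeyRef:` / `key: secret` mapping when only the `name:` line differs. A single `name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}` (and `default (include "harbor.jobservice" .) .Values.jobservice.existingSecret` for `JOBSERVICE_SECRET`) removes the duplication, and since the identical `CORE_SECRET` / `JOBSERVICE_SECRET` block is repeated in `jobservice-dpl.yaml` and `registry-dpl.yaml` in this patch, a named helper such as `harbor.core.secretName` in `_helpers.tpl` would keep the three deployments from drifting.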
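Review bot: in the `core-dpl.yaml` hunk at `@@ -130,7`, the `envFrom` `secretRef` gains an `if`/`else` around a single `name:` line; `name: {{ default (printf "%s-envvars" (include "harbor.core" .)) .Values.core.existingEnvVarsSecret }}` expresses the same choice in one line. It is also worth a comment in the template that the accompanying `configMapRef` (`%s-envvars` ConfigMap) is still chart-generated even when the env-vars Secret is user-supplied, so the two must stay consistent.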
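Review bot: in the `core-dpl.yaml` hunk at `@@ -224,10`, the `secret-key` volume duplicates the whole `items:` list (`- key: secretKey` / `path: key`) in both branches; keep `items:` once and switch only the name with `secretName: {{ default (include "harbor.core" .) .Values.core.existingSecret }}`. This is the same pattern as the `envFrom` and `secretKeyRef` hunks above, so one helper would serve all of them.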
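Review bot: the `core-secret-envvars.yaml` hunk wraps the whole manifest in `{{- if not .Values.core.existingEnvVarsSecret }}`, which means that when `core.existingEnvVarsSecret` is set, values such as `adminPassword` and `core.csrfKey` (consumed by the `common.secrets.passwords.manage` calls in the guarded block) are silently ignored. Either document this next to the parameter or add a `fail` when an existing secret and an explicit `adminPassword` are both provided, so a user does not assume the value they set is in effect.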
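Review bot: in the `core-secret.yaml` hunk, only the `secretKey` / `secret` entries are guarded by `{{- if not .Values.core.existingSecret }}`, so the chart-managed Secret is still rendered to carry `tls.crt` / `tls.key`; when `core.existingSecret` and `core.secretName` are both set, `data:` is left with no entries, which renders an empty Secret object. Consider guarding the whole manifest with a condition covering both parameters, and add a comment explaining that the object remains for the TLS material when `core.existingSecret` alone is set.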
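Review bot: the `jobservice-dpl.yaml` hunk at `@@ -121,14` is a copy of the `CORE_SECRET` / `JOBSERVICE_SECRET` `if`/`else` block from `core-dpl.yaml`; pulling the secret name into a helper (or using `default`) here as well keeps the two deployments in sync and avoids the duplicated `secretKeyRef:` mappings.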
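Review bot: in the `registry-dpl.yaml` hunks at `@@ -141,7` and `@@ -256,7`, the same `if`/`else` around `name:` is added to the `envFrom` `secretRef` of both the registry and the registryctl containers; `name: {{ default (include "harbor.registry" .) .Values.registry.existingSecret }}` in both places is shorter and, together with the `CORE_SECRET` / `JOBSERVICE_SECRET` block at `@@ -270,14`, is a further case for a shared helper.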
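Review bot: in the `registry-dpl.yaml` hunk at `@@ -365,7`, the `registry-htpasswd` volume mixes `{{ template "harbor.registry" . }}` in the `else` branch with `include` used everywhere else in this patch; `secretName: {{ default (include "harbor.registry" .) .Values.registry.existingSecret }}` would both unify the style and drop the branch. Note for the docs that the user-supplied secret must carry `REGISTRY_HTPASSWD` in htpasswd format, since this volume mounts that key as `passwd`.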
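Review bot: the `registry-secret.yaml` hunk guards the entire manifest with `{{- if not .Values.registry.existingSecret }}`, and the guarded block includes storage-backend credentials such as `REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }}`. With `registry.existingSecret` set, those `persistence.imageChartStorage.*` credentials are silently no longer rendered, and nothing tells the user they must be copied into the existing secret; either document this with the parameter or emit a `fail` when an existing secret is combined with storage credentials in values.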
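Review bot: in the `values.yaml` hunk at `@@ -1347,6`, the comment block for `core.existingEnvVarsSecret` marks `HARBOR_ADMIN_PASSWORD` as "(required)" and then says it "is only required at initial deployment"; state clearly whether the key must still be present after bootstrap (the container reads it from the secret on every start) even though its value is ignored once the password exists in the database. Minor: drop the trailing commas after the last key in each list (`secretKey` (required),), and fix "As a EnvVars secret, this secret also store redis config urls" to "As an env-vars secret, this secret also stores the Redis connection URLs (`_REDIS_URL_CORE`, `_REDIS_URL_REG`)".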
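Review bot: in the `values.yaml` hunk at `@@ -1878,6`, the key list for `registry.existingSecret` (`REGISTRY_HTPASSWD`, `REGISTRY_HTTP_SECRET`, `REGISTRY_REDIS_PASSWORD`) omits the storage-backend credential keys that the chart-generated `registry-secret.yaml` populates from `persistence.imageChartStorage`, so a user following this comment will end up with a registry that cannot authenticate to object storage. Add those keys as optional entries, and note that `REGISTRY_HTPASSWD` here must match the `REGISTRY_CREDENTIAL_USERNAME` / `REGISTRY_CREDENTIAL_PASSWORD` pair the `core.existingEnvVarsSecret` block requires, since nothing in the chart checks the two user-supplied secrets against each other.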