mirror of
https://github.com/bitnami/charts.git
synced 2026-04-02 07:17:26 +08:00
[bitnami/harbor] - Allow to use existing secrets (#14341)
* [bitnami/harbor] add existingSecret feature

  Signed-off-by: dje4om <dje4om@gmail.com>

* [bitnami/harbor] add ExistingSecret documentation

  Signed-off-by: dje4om <dje4om@gmail.com>

* [bitnami/harbor] bump chart version

  Signed-off-by: dje4om <dje4om@gmail.com>

Signed-off-by: dje4om <dje4om@gmail.com>
@@ -36,4 +36,4 @@ sources:
- https://github.com/bitnami/containers/tree/main/bitnami/harbor-registry
- https://github.com/bitnami/containers/tree/main/bitnami/harbor-registryctl
- https://goharbor.io/
version: 16.2.0
version: 16.3.0
@@ -454,6 +454,8 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `core.secretKey` | The key used for encryption. Must be a string of 16 chars | `""` |
| `core.secret` | Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `""` |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | `""` |
| `core.existingSecret` | Existing secret for core | `""` |
| `core.existingEnvVarsSecret` | Existing secret for core envvars | `""` |
| `core.csrfKey` | The CSRF key. Will be generated automatically if it isn't specified | `""` |
| `core.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` |
| `core.command` | Override default container command (useful when using custom images) | `[]` |
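Review bot: the new README rows describe `core.existingSecret` and `core.existingEnvVarsSecret` only as "Existing secret for core" and "Existing secret for core envvars", while the neighbouring rows spell out their contracts (`core.secretName` names the `tls.crt`/`tls.key` keys, `core.secretKey` says 16 chars). A reader of the table cannot tell which keys the pre-created Secrets need; that information exists only as values.yaml comments. Suggest repeating it here, e.g. "Existing secret for core; must contain the keys `secret` and `secretKey`" and "Existing secret for core env vars; must contain `CSRF_KEY`, `HARBOR_ADMIN_PASSWORD`, `POSTGRESQL_PASSWORD`, `REGISTRY_CREDENTIAL_USERNAME` and `REGISTRY_CREDENTIAL_PASSWORD`", and stating that when these are set the inline `core.secret`, `core.secretKey`, `core.csrfKey` and `adminPassword` values are not used, because the templates that consume them are skipped.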
@@ -536,6 +538,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `jobservice.redisNamespace` | Redis namespace for jobservice | `harbor_job_service_namespace` |
| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` |
| `jobservice.secret` | Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `""` |
| `jobservice.existingSecret` | Existing secret for jobservice | `""` |
| `jobservice.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` |
| `jobservice.command` | Override default container command (useful when using custom images) | `[]` |
| `jobservice.args` | Override default container args (useful when using custom images) | `[]` |
@@ -605,6 +608,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| Name | Description | Value |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md | `""` |
| `registry.existingSecret` | Existing secret for registry | `""` |
| `registry.relativeurls` | Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL. | `false` |
| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd) | `harbor_registry_user` |
| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` |
@@ -1288,11 +1292,16 @@ Alternatively, you can use a ConfigMap or a Secret with the environment variable

### Configure the secrets

- **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure.
- **Secrets**: Secrets are used for encryption and to secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure then statically through the helm values. it expects the "key or password", not the secret name where secrets are stored.
- **Certificates**: Used for token encryption/decryption. Fill `core.secretName` to configure.

Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)).

If you want to manage full Secret objects by your own, you can use existingSecret & existingEnvVarsSecret parameters. This could be useful for some secure GitOps workflows, of course, you will have to ensure to define all expected keys for those secrets.

The core service have two `Secret` objects, the default one for data & communication which is very important as it's contains the data encryption key of your harbor instance ! and a second one which contains standard passwords, database access password, ...
Keep in mind that the `HARBOR_ADMIN_PASSWORD` is only used to boostrap your harbor instance, if you update it after the deployment, the password is updated in database, but the secret will remain the initial one.

### Setting Pod's affinity

This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
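Review bot: the added README prose has several spelling and grammar slips that should be fixed before merge: "configure then statically through the helm values. it expects" should read "configure them statically through the Helm values. It expects"; "manage full Secret objects by your own" should be "on your own"; "The core service have two `Secret` objects ... as it's contains the data encryption key of your harbor instance !" should be "has two ... as it contains the data encryption key of your Harbor instance!"; and "boostrap" should be "bootstrap". It would also help to name the actual parameters in that paragraph (`core.existingSecret`, `core.existingEnvVarsSecret`, `jobservice.existingSecret`, `registry.existingSecret`) instead of the generic "existingSecret & existingEnvVarsSecret", so readers can find them in the table above.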
@@ -98,14 +98,26 @@ spec:
value: {{ ternary "true" "false" .Values.core.image.debug | quote }}
- name: CORE_SECRET
valueFrom:
{{- if .Values.core.existingSecret }}
secretKeyRef:
name: {{ .Values.core.existingSecret }}
key: secret
{{- else }}
secretKeyRef:
name: {{ include "harbor.core" . }}
key: secret
{{- end }}
- name: JOBSERVICE_SECRET
valueFrom:
{{- if .Values.jobservice.existingSecret }}
secretKeyRef:
name: {{ .Values.jobservice.existingSecret }}
key: secret
{{- else }}
secretKeyRef:
name: {{ include "harbor.jobservice" . }}
key: secret
{{- end }}
{{- if or .Values.core.configOverwriteJson .Values.core.configOverwriteJsonSecret }}
- name: CONFIG_OVERWRITE_JSON
valueFrom:
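Review bot: in both new `if`/`else` blocks only the `name:` line differs, yet `secretKeyRef:` and `key: secret` are repeated in each branch, which doubles the lines that must be kept in sync. The registry deployment in this same change uses the tighter form, with the conditional wrapped around `name:` alone; suggest the same here, e.g. `secretKeyRef:` / `name: {{ .Values.core.existingSecret | default (include "harbor.core" .) }}` / `key: secret`. The identical CORE_SECRET/JOBSERVICE_SECRET blocks are also copied into the jobservice and registry-controller deployments, so a small named helper returning the core and jobservice Secret names (a hypothetical `harbor.core.secretName`, say) would keep the three copies in step the next time this logic changes.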
@@ -130,7 +142,11 @@ spec:
- configMapRef:
name: {{ printf "%s-envvars" (include "harbor.core" .) }}
- secretRef:
{{- if .Values.core.existingEnvVarsSecret }}
name: {{ .Values.core.existingEnvVarsSecret }}
{{- else }}
name: {{ printf "%s-envvars" (include "harbor.core" .) }}
{{- end }}
{{- if .Values.core.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.core.extraEnvVarsCM "context" $) }}
@@ -224,10 +240,17 @@ spec:
path: app.conf
- name: secret-key
secret:
{{- if .Values.core.existingSecret }}
secretName: {{ .Values.core.existingSecret }}
items:
- key: secretKey
path: key
{{- else }}
secretName: {{ include "harbor.core" . }}
items:
- key: secretKey
path: key
{{- end }}
{{- if .Values.internalTLS.caBundleSecret }}
{{- include "harbor.caBundleVolume" . | nindent 8 }}
{{- end }}
@@ -1,3 +1,4 @@
{{- if not .Values.core.existingEnvVarsSecret }}
apiVersion: v1
kind: Secret
metadata:
@@ -20,3 +21,4 @@ data:
CSRF_KEY: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "CSRF_KEY" "length" 32 "providedValues" (list "core.csrfKey") "context" $) }}
HARBOR_ADMIN_PASSWORD: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "HARBOR_ADMIN_PASSWORD" "length" 10 "providedValues" (list "adminPassword") "context" $) }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end }}
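Review bot: wrapping the whole `-envvars` Secret in `if not .Values.core.existingEnvVarsSecret` means a release that later switches to `existingEnvVarsSecret` has its chart-managed Secret removed by Helm on upgrade, and with it the generated `CSRF_KEY` and `HARBOR_ADMIN_PASSWORD` that `common.secrets.passwords.manage` had been carrying across upgrades. The values.yaml comment hints at this ("let the chart generate a full secret for you before defining an existingEnvVarsSecret"), but the README section should say explicitly to export the generated Secret and re-create it under a different name before setting the parameter, and that `POSTGRESQL_PASSWORD` is then maintained by hand, since `harbor.database.encryptedPassword` is no longer rendered for it.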
@@ -13,8 +13,10 @@ metadata:
{{- end }}
type: Opaque
data:
{{- if not .Values.core.existingSecret }}
secretKey: {{ include "common.secrets.passwords.manage" (dict "secret" (include "harbor.core" .) "key" "secretKey" "length" 16 "providedValues" (list "core.secretKey") "context" $) }}
secret: {{ include "common.secrets.passwords.manage" (dict "secret" (include "harbor.core" .) "key" "secret" "length" 16 "providedValues" (list "core.secret") "context" $) }}
{{- end }}
{{- if not .Values.core.secretName }}
tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
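Review bot: this Secret is still rendered when `core.existingSecret` is set, and if `core.secretName` is set as well both guards skip their keys, leaving a `data:` block with no entries, so the chart emits an empty `Secret`. Either wrap the whole manifest in `if or (not .Values.core.existingSecret) (not .Values.core.secretName)` or document the leftover object. Relatedly, `tls.crt`/`tls.key` stay in this chart-managed Secret regardless of `existingSecret`, so the README claim that users can "manage full Secret objects by your own" should note that the token-signing key pair is still governed by `core.secretName`, not by `core.existingSecret`.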
@@ -121,14 +121,26 @@ spec:
value: {{ ternary "true" "false" .Values.jobservice.image.debug | quote }}
- name: CORE_SECRET
valueFrom:
{{- if .Values.core.existingSecret }}
secretKeyRef:
name: {{ .Values.core.existingSecret }}
key: secret
{{- else }}
secretKeyRef:
name: {{ include "harbor.core" . }}
key: secret
{{- end }}
- name: JOBSERVICE_SECRET
valueFrom:
{{- if .Values.jobservice.existingSecret }}
secretKeyRef:
name: {{ .Values.jobservice.existingSecret }}
key: secret
{{- else }}
secretKeyRef:
name: {{ include "harbor.jobservice" . }}
key: secret
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
@@ -1,3 +1,4 @@
{{- if not .Values.jobservice.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
@@ -14,3 +15,4 @@ metadata:
type: Opaque
data:
secret: {{ include "common.secrets.passwords.manage" (dict "secret" (include "harbor.jobservice" .) "key" "secret" "length" 16 "providedValues" (list "jobservice.secret") "context" $) }}
{{- end }}
@@ -141,7 +141,11 @@ spec:
{{- end }}
envFrom:
- secretRef:
{{- if .Values.registry.existingSecret }}
name: {{ .Values.registry.existingSecret }}
{{- else }}
name: {{ include "harbor.registry" . }}
{{- end }}
{{- if .Values.registry.server.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.server.extraEnvVarsCM "context" $) }}
@@ -256,7 +260,11 @@ spec:
name: {{ printf "%s-ctl-envvars" (include "harbor.registry" .) }}
{{- end }}
- secretRef:
{{- if .Values.registry.existingSecret }}
name: {{ .Values.registry.existingSecret }}
{{- else }}
name: {{ include "harbor.registry" . }}
{{- end }}
{{- if .Values.registry.controller.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.registry.controller.extraEnvVarsCM "context" $) }}
@@ -270,14 +278,26 @@ spec:
value: {{ ternary "true" "false" .Values.registry.controller.image.debug | quote }}
- name: CORE_SECRET
valueFrom:
{{- if .Values.core.existingSecret }}
secretKeyRef:
name: {{ .Values.core.existingSecret }}
key: secret
{{- else }}
secretKeyRef:
name: {{ include "harbor.core" . }}
key: secret
{{- end }}
- name: JOBSERVICE_SECRET
valueFrom:
{{- if .Values.jobservice.existingSecret }}
secretKeyRef:
name: {{ .Values.jobservice.existingSecret }}
key: secret
{{- else }}
secretKeyRef:
name: {{ include "harbor.jobservice" . }}
key: secret
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
@@ -365,7 +385,11 @@ spec:
volumes:
- name: registry-htpasswd
secret:
{{- if .Values.registry.existingSecret }}
secretName: {{ .Values.registry.existingSecret }}
{{- else }}
secretName: {{ template "harbor.registry" . }}
{{- end }}
items:
- key: REGISTRY_HTPASSWD
path: passwd
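Review bot: the `REGISTRY_HTPASSWD` item from the user-supplied `registry.existingSecret` is mounted as the `passwd` file, so the documentation for that key should say it must hold htpasswd file content (`user:<bcrypt hash>`; Docker distribution's htpasswd auth, linked from the `registry.credentials.*` rows, accepts only bcrypt), not a plaintext password, and that the user and password it encodes must match `REGISTRY_CREDENTIAL_USERNAME`/`REGISTRY_CREDENTIAL_PASSWORD` in `core.existingEnvVarsSecret`, which are the credentials core presents to the registry. The values.yaml comment currently lists it as just `REGISTRY_HTPASSWD (required)`, and Helm cannot validate the contents of a pre-existing Secret, so a mismatch surfaces only at runtime as failed core-to-registry authentication.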
@@ -1,3 +1,4 @@
{{- if not .Values.registry.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
@@ -39,3 +40,4 @@ data:
{{- else if eq .Values.persistence.imageChartStorage.type "oss" }}
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- end }}
@@ -1347,6 +1347,28 @@ core:
## @param core.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set
##
secretName: ""
## @param core.existingSecret Existing secret for core
## The secret must contain the keys:
## `secret` (required),
## `secretKey` (required),
##
existingSecret: ""
## @param core.existingEnvVarsSecret Existing secret for core envvars
## The secret must contain the keys:
## `CSRF_KEY` (required),
## `HARBOR_ADMIN_PASSWORD` (required),
## `POSTGRESQL_PASSWORD` (required),
## `REGISTRY_CREDENTIAL_USERNAME` (required),
## `REGISTRY_CREDENTIAL_PASSWORD` (required),
## `_REDIS_URL_CORE` (optional),
## `_REDIS_URL_REG` (optional),
##
## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
## Notes:
## As a EnvVars secret, this secret also store redis config urls
## The HARBOR_ADMIN_PASSWORD is only required at initial deployment, once the password is set in database, it is not used anymore
##
existingEnvVarsSecret: ""
## @param core.csrfKey The CSRF key. Will be generated automatically if it isn't specified
##
csrfKey: ""
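Review bot: the comment for `core.existingSecret` lists `secret` and `secretKey` as `(required)` without the length constraint that `core.secret`/`core.secretKey` carry ("Must be a string of 16 chars"), which is exactly the `length 16` the chart otherwise generates for them; the same gap applies to `jobservice.existingSecret` later in this change. Since Helm cannot check the contents of a pre-existing Secret, suggest stating the 16-character requirement next to each key and noting that `core.secret`, `core.secretKey`, `core.csrfKey` and `adminPassword` are ignored once the existing Secret is given. Minor grammar in the notes block: "As a EnvVars secret, this secret also store redis config urls" should read "As an env-vars Secret, this Secret also stores the Redis config URLs".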
@@ -1636,6 +1658,11 @@ jobservice:
## Must be a string of 16 chars.
##
secret: ""
## @param jobservice.existingSecret Existing secret for jobservice
## The secret must contain the keys:
## `secret` (required),
##
existingSecret: ""
## Use TLS in the container
##
tls:
@@ -1878,6 +1905,13 @@ registry:
## Must be a string of 16 chars.
##
secret: ""
## @param registry.existingSecret Existing secret for registry
## The secret must contain the keys:
## `REGISTRY_HTPASSWD` (required),
## `REGISTRY_HTTP_SECRET` (required),
## `REGISTRY_REDIS_PASSWORD` (optional),
##
existingSecret: ""
## @param registry.relativeurls Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL.
##
relativeurls: false
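Review bot: the key list for `registry.existingSecret` is incomplete. The chart-managed registry Secret that this option suppresses also carries the storage backend credentials: the visible tail of that template renders `REGISTRY_STORAGE_OSS_ACCESSKEYSECRET` from `persistence.imageChartStorage.oss.accesskeysecret` inside the same `if not .Values.registry.existingSecret` guard, and both registry containers consume the Secret through `envFrom`. A user who sets `registry.existingSecret` with a cloud storage backend and supplies only the three listed keys silently loses the backend credentials. Suggest documenting that the existing Secret must also contain the `REGISTRY_STORAGE_*` credential variables for the configured `persistence.imageChartStorage.type`, or keep rendering the storage keys from values even when `existingSecret` is set.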