diff --git a/README.md b/README.md index 0cd0bfaa6..ecd7e938a 100644 --- a/README.md +++ b/README.md @@ -34,11 +34,11 @@ The following items can be configured in `values.yaml` or set via `--set` flag d #### Configure the way how to expose Harbor service: -- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. **Notes:** if the TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for the detail. - **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. - **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. -- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. #### Configure the external URL @@ -67,7 +67,7 @@ If Harbor is deployed behind the proxy, set it as the URL of proxy. - **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure. - **Certificates**: - *notary*: Used for authentication during communications. Fill `notary.secretName` to configure. Notary server certificate must be issued with notary service name as subject alternative name. - - *core*: Used for token encryption/decryption. Fill `core.secretName` to configure. + - *core*: Used for token encryption/decryption. Fill `core.certSecretName` to configure. Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)). 
@@ -180,7 +180,8 @@ The following table lists the configurable parameters of the Harbor chart and th | `core.affinity` | Node/Pod affinities | `{}` | | `core.podAnnotations` | Annotations to add to the core pod | `{}` | | `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | -| `core.secret` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey` that contain the certificate and private key. They will be automatically generated if not set. | | +| `jobservice.secretName` | If set, will not generate a new secret for the core, and will use this value instead. | `""` | +| `core.certSecretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey` that contain the certificate and private key. They will be automatically generated if not set. | | | **Jobservice** | | `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | | `jobservice.image.tag` | Tag for jobservice image | `dev` | 
@@ -193,6 +194,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `jobservice.affinity` | Node/Pod affinities | `{}` | | `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | | `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `jobservice.secretName` | If set, will not generate a new secret for the jobservice, and will use this value instead. | `""` | | **Registry** | | `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | | `registry.registry.image.tag` | Tag for registry image | @@ -206,6 +208,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `registry.affinity` | Node/Pod affinities | `{}` | | `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | | `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.secretName` | If set, will not generate a new secret for the registry, and will use this value instead. | `""` | | **Chartmuseum** | | `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | | `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | 
@@ -216,6 +219,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `chartmuseum.tolerations` | Tolerations for pod assignment | `[]` | | `chartmuseum.affinity` | Node/Pod affinities | `{}` | | `chartmuseum.podAnnotations` | Annotations to add to the chart museum pod | `{}` | +| `chartmuseum.secretName` | If set, will not generate a new secret for chartmuseum, and will use this value instead. | `""` | | **Clair** | | `clair.enabled` | Enable Clair | `true` | | `clair.image.repository` | Repository for clair image | `goharbor/clair-photon` | @@ -253,6 +257,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | | `database.internal.tolerations` | Tolerations for pod assignment | `[]` | | `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.secretName` | If set, will not generate a new secret for the database, and will use this value instead. | `""` | | `database.external.host` | The hostname of external database | `192.168.0.1` | | `database.external.port` | The port of external database | `5432` | | `database.external.username` | The username of external database | `user` | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9021d29df..9380a626d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -126,6 +126,15 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} {{- end -}} +{{- define "harbor.database.secretName" -}} + {{- if .Values.database.internal.secretName -}} + {{- .Values.database.internal.secretName -}} + {{- else -}} + {{- include "harbor.database" . -}} + {{- end -}} +{{- end -}} + + {{- define "harbor.redis.host" -}} {{- if eq .Values.redis.type "internal" -}} {{- template "harbor.redis" . -}} @@ -214,6 +223,14 @@ host:port,pool_size,password {{- printf "%s-core" (include "harbor.fullname" .) -}} {{- end -}} +{{- define "harbor.core.secretName" -}} + {{- if .Values.core.secretName -}} + {{- .Values.core.secretName -}} + {{- else -}} + {{- include "harbor.core" . -}} + {{- end -}} +{{- end -}} + {{- define "harbor.redis" -}} {{- printf "%s-redis" (include "harbor.fullname" .) -}} {{- end -}} 
@@ -222,14 +239,38 @@ host:port,pool_size,password {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} {{- end -}} +{{- define "harbor.jobservice.secretName" -}} + {{- if .Values.jobservice.secretName -}} + {{- .Values.jobservice.secretName -}} + {{- else -}} + {{- include "harbor.jobservice" . -}} + {{- end -}} +{{- end -}} + {{- define "harbor.registry" -}} {{- printf "%s-registry" (include "harbor.fullname" .) -}} {{- end -}} +{{- define "harbor.registry.secretName" -}} + {{- if .Values.registry.secretName -}} + {{- .Values.registry.secretName -}} + {{- else -}} + {{- include "harbor.registry" . -}} + {{- end -}} +{{- end -}} + {{- define "harbor.chartmuseum" -}} {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}} {{- end -}} +{{- define "harbor.chartmuseum.secretName" -}} + {{- if .Values.chartmuseum.secretName -}} + {{- .Values.chartmuseum.secretName -}} + {{- else -}} + {{- include "harbor.chartmuseum" . -}} + {{- end -}} +{{- end -}} + {{- define "harbor.database" -}} {{- printf "%s-database" (include "harbor.fullname" .) -}} {{- end -}} @@ -278,4 +319,4 @@ host:port,pool_size,password {{- else }} {{- printf "%s" $expose.tls.commonName -}} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml index 0c513ce49..6d8c1feae 100644 --- a/templates/chartmuseum/chartmuseum-dpl.yaml +++ b/templates/chartmuseum/chartmuseum-dpl.yaml @@ -49,12 +49,12 @@ spec: - configMapRef: name: "{{ template "harbor.chartmuseum" . }}" - secretRef: - name: "{{ template "harbor.chartmuseum" . }}" + name: "{{ template "harbor.chartmuseum.secretName" . }}" env: - name: BASIC_AUTH_PASS valueFrom: secretKeyRef: - name: {{ template "harbor.core" . }} + name: {{ template "harbor.core.secretName" . }} key: secret ports: - containerPort: 9999 
@@ -78,7 +78,7 @@ spec: {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - name: gcs-key secret: - secretName: {{ template "harbor.registry" . }} + secretName: {{ template "harbor.registry.secretName" . }} items: - key: GCS_KEY_DATA path: gcs-key.json diff --git a/templates/chartmuseum/chartmuseum-secret.yaml b/templates/chartmuseum/chartmuseum-secret.yaml index cc1986715..224fb1ccf 100644 --- a/templates/chartmuseum/chartmuseum-secret.yaml +++ b/templates/chartmuseum/chartmuseum-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.chartmuseum.enabled }} +{{- if (and .Values.chartmuseum.enabled (not .Values.chartmuseum.secretName)) }} apiVersion: v1 kind: Secret metadata: @@ -23,4 +23,4 @@ data: {{- else if eq $storageType "oss" }} ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index ca7fbc06f..4e952d08a 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -44,17 +44,17 @@ spec: - configMapRef: name: "{{ template "harbor.core" . }}" - secretRef: - name: "{{ template "harbor.core" . }}" + name: "{{ template "harbor.core.secretName" . }}" env: - name: CORE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.core" . }} + name: {{ template "harbor.core.secretName" . }} key: secret - name: JOBSERVICE_SECRET valueFrom: secretKeyRef: - name: "{{ template "harbor.jobservice" . }}" + name: "{{ template "harbor.jobservice.secretName" . }}" key: secret ports: - containerPort: 8080 
@@ -85,16 +85,16 @@ spec: name: {{ template "harbor.core" . }} - name: secret-key secret: - secretName: {{ template "harbor.core" . }} + secretName: {{ template "harbor.core.secretName" . }} items: - key: secretKey path: key - name: token-service-private-key secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} + {{- if .Values.core.certSecretName }} + secretName: {{ .Values.core.certSecretName }} {{- else }} - secretName: {{ template "harbor.core" . }} + secretName: {{ template "harbor.core.secretName" . }} {{- end }} {{- if .Values.expose.tls.enabled }} - name: ca-download @@ -117,4 +117,4 @@ spec: {{- with .Values.core.tolerations }} tolerations: {{ toYaml . | indent 8 }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 860f43351..190260be9 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.core.secretName }} {{- $cert := genSelfSignedCert "harbor" nil nil 365 }} apiVersion: v1 kind: Secret @@ -9,7 +10,7 @@ type: Opaque data: secretKey: {{ .Values.secretKey | b64enc | quote }} secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} -{{- if not .Values.core.secretName }} +{{- if not .Values.core.certSecretName }} tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }} tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }} {{- end }} @@ -18,3 +19,4 @@ data: {{ if .Values.clair.enabled }} CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{ end }} +{{- end }} diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml index 864aff4a1..154d111d9 100644 --- a/templates/database/database-secret.yaml +++ b/templates/database/database-secret.yaml 
@@ -1,4 +1,4 @@ -{{- if eq .Values.database.type "internal" -}} +{{- if (and (eq .Values.database.type "internal") (not .Values.database.internal.secretName)) -}} apiVersion: v1 kind: Secret metadata: diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index 3873ab320..f390e807b 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -55,7 +55,7 @@ spec: {{- end }} envFrom: - secretRef: - name: "{{ template "harbor.database" . }}" + name: "{{ template "harbor.database.secretName" . }}" volumeMounts: - name: database-data mountPath: /var/lib/postgresql/data diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index 9d1e1c95b..647b5d3ce 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -48,12 +48,12 @@ spec: - name: CORE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.core" . }} + name: {{ template "harbor.core.secretName" . }} key: secret - name: JOBSERVICE_SECRET valueFrom: secretKeyRef: - name: "{{ template "harbor.jobservice" . }}" + name: "{{ template "harbor.jobservice.secretName" . }}" key: secret - name: CORE_URL value: "http://{{ template "harbor.core" . }}" diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index e08f7ce58..c6b20270a 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.jobservice.secretName }} apiVersion: v1 kind: Secret metadata: @@ -7,3 +8,4 @@ metadata: type: Opaque data: secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} +{{- end }} diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml index 147344e67..ace17387b 100644 --- a/templates/notary/notary-server.yaml +++ b/templates/notary/notary-server.yaml 
@@ -54,10 +54,10 @@ spec: name: "{{ template "harbor.notary-server" . }}" - name: root-certificate secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} + {{- if .Values.core.certSecretName }} + secretName: {{ .Values.core.certSecretName }} {{- else }} - secretName: {{ template "harbor.core" . }} + secretName: {{ template "harbor.core.secretName" . }} {{- end }} {{- if .Values.notary.secretName }} - name: notary-ca diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 10deb2aa7..a499a51b7 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -48,7 +48,7 @@ spec: args: ["serve", "/etc/registry/config.yml"] envFrom: - secretRef: - name: "{{ template "harbor.registry" . }}" + name: "{{ template "harbor.registry.secretName" . }}" ports: - containerPort: 5000 - containerPort: 5001 @@ -89,17 +89,17 @@ spec: args: ["serve", "/etc/registry/config.yml"] envFrom: - secretRef: - name: "{{ template "harbor.registry" . }}" + name: "{{ template "harbor.registry.secretName" . }}" env: - name: CORE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.core" . }} + name: {{ template "harbor.core.secretName" . }} key: secret - name: JOBSERVICE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.jobservice" . }} + name: {{ template "harbor.jobservice.secretName" . }} key: secret ports: - containerPort: 8080 @@ -116,10 +116,10 @@ spec: volumes: - name: registry-root-certificate secret: - {{- if .Values.core.secretName }} - secretName: {{ .Values.core.secretName }} + {{- if .Values.core.certSecretName }} + secretName: {{ .Values.core.certSecretName }} {{- else }} - secretName: {{ template "harbor.core" . }} + secretName: {{ template "harbor.core.secretName" . }} {{- end }} - name: registry-config configMap: 
@@ -134,7 +134,7 @@ spec: {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }} - name: gcs-key secret: - secretName: {{ template "harbor.registry" . }} + secretName: {{ template "harbor.registry.secretName" . }} items: - key: GCS_KEY_DATA path: gcs-key.json diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index 179888eb9..3cff99f24 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.registry.secretName }} apiVersion: v1 kind: Secret metadata: @@ -31,3 +32,4 @@ data: {{- else if eq $type "oss" }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} {{- end }} + {{- end }} diff --git a/values.yaml b/values.yaml index 74a8f0f39..4b5824b83 100644 --- a/values.yaml +++ b/values.yaml @@ -261,12 +261,18 @@ core: # Must be a string of 16 chars. secret: "" + # Fill the name of a kubernetes secret, if you don't want this chart to + # generate one. + # If specified, a core secret will not be generated. + # If this is set, secret should not be set. + secretName: "" + # Fill the name of a kubernetes secret if you want to use your own # TLS certificate and private key for token encryption/decryption. # The secret must contain keys named tls.tokenServiceRootCertBundle and # tls.tokenServicePrivateKey that contain the certificate and private key. # They will be automatically generated if not set - secretName: "" + certSecretName: "" jobservice: image: @@ -289,6 +295,11 @@ jobservice: # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. secret: "" + # Fill the name of a kubernetes secret, if you don't want this chart to + # generate one. + # If specified, a jobservice secret will not be generated. + # If this is set, secret should not be set. + secretName: "" registry: registry: 
@@ -319,6 +330,11 @@ registry: # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. secret: "" + # Fill the name of a kubernetes secret, if you don't want this chart to + # generate one. + # If specified, a registry secret will not be generated. + # If this is set, secret should not be set. + secretName: "" chartmuseum: enabled: true @@ -335,6 +351,10 @@ chartmuseum: affinity: {} ## Additional deployment annotations podAnnotations: {} + # Fill the name of a kubernetes secret, if you don't want this chart to + # generate one. + # If specified, a chartmuseum secret will not be generated. + secretName: "" clair: enabled: true @@ -408,6 +428,11 @@ database: nodeSelector: {} tolerations: [] affinity: {} + # Fill the name of a kubernetes secret, if you don't want this chart to + # generate one. + # If specified, a database secret will not be generated. + # If this is set, secret should not be set. + secretName: "" external: host: "192.168.0.1" port: "5432" @@ -447,4 +472,4 @@ redis: chartmuseumDatabaseIndex: "3" password: "" ## Additional deployment annotations - podAnnotations: {} \ No newline at end of file + podAnnotations: {}
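Review bot: The README rows in the Core section of the parameter table are mislabelled. The added row `| jobservice.secretName | If set, will not generate a new secret for the core, and will use this value instead. | "" |` sits under **Core**, describes the core secret and is keyed to `.Values.core.secretName` in `core-secret.yaml`, so it should read `core.secretName`; as written, `jobservice.secretName` is documented twice (again in the Jobservice section) and the key that actually controls `core-secret.yaml` is documented nowhere. While fixing the name, say which keys the user-supplied secret must contain, as the `core.certSecretName` row already does for the TLS secret.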
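Review bot: The rename of `core.secretName` to `core.certSecretName` in `values.yaml` and the README is a breaking change that the patch does not call out anywhere. Before this change `core.secretName` named the secret holding `tls.tokenServiceRootCertBundle`/`tls.tokenServicePrivateKey`; after it, the same key means "the whole core secret", so an existing deployment that set `core.secretName` for its certificate will, on upgrade, stop rendering `core-secret.yaml` entirely and have the core `secretRef`, the `CORE_SECRET`/`JOBSERVICE_SECRET` lookups and the `secret-key` volume pointed at a secret that contains only the TLS keys. Either keep `core.secretName` with its old meaning and introduce a new key for the whole-secret override, or document the rename prominently in the README upgrade notes and consider a `fail` in `harbor.core.secretName` when the named secret is expected to be the old TLS-only one.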
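Review bot: Nothing tells the user which keys a secret named by `core.secretName` must carry, yet every consumer addresses fixed key names. From the hunks: `core-dpl.yaml` reads `secret` (env `CORE_SECRET`) and `secretKey` (volume `secret-key`), `jobservice-dpl.yaml`, `registry-dpl.yaml` and `chartmuseum-dpl.yaml` read `secret`, and unless `core.certSecretName` is set the `token-service-private-key` volume in `core-dpl.yaml` and the `root-certificate`/`registry-root-certificate` volumes in `notary-server.yaml` and `registry-dpl.yaml` expect `tokenServicePrivateKey`/`tokenServiceRootCertBundle` in that same secret; `CLAIR_DB_PASSWORD` is also only available via `envFrom` when it is present. The `values.yaml` comment for `core.secretName` should list these required keys (and the 16-character constraint on `secret` that the generated path enforces), and the same applies to the `jobservice.secretName` comment, whose secret must contain `secret`.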
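Review bot: Wrapping all of `registry-secret.yaml` and `chartmuseum-secret.yaml` in `{{- if not .Values.registry.secretName }}` / `(not .Values.chartmuseum.secretName)` silently drops the storage-backend credentials that those templates render from `persistence.imageChartStorage` (visible in the hunks as `REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET`, plus the `GCS_KEY_DATA` key that the `gcs-key` volumes in `registry-dpl.yaml` and `chartmuseum-dpl.yaml` now fetch from the named secret). A user who sets `registry.secretName` to bring their own HTTP secret but still configures storage credentials in values will get a registry and chartmuseum with no backend credentials and no error. Either keep rendering the storage credentials in a separately named secret, or document in `values.yaml` that the named secret must include every storage key for the selected backend. Minor: the closing line added to `registry-secret.yaml` is `+ {{- end }}` with a leading space, unlike the `+{{- end }}` added to the other secret templates; harmless because of the `{{-` trim, but worth aligning.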
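Review bot: `database.internal.secretName` only redirects the StatefulSet's `envFrom` in `database-ss.yaml`; every client still gets the password rendered from values, not from the named secret. The `postgres://...:{{ template "harbor.database.rawPassword" . }}@...` connection strings in `_helpers.tpl` and `CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}` in `core-secret.yaml` are untouched, so the user must keep `database.internal.password` equal to the password inside their secret, and that password still ends up in rendered manifests, which defeats the usual reason for bringing your own secret. At minimum the `values.yaml` comment under `database.internal.secretName` should state that the named secret must carry the same keys as the generated one and that its password must match `database.internal.password`; a fuller fix would have the helpers read the password from the secret as well.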
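Review bot: The `values.yaml` comments say "If this is set, secret should not be set." but none of the new `harbor.*.secretName` helpers in `_helpers.tpl` enforce it, so a user who sets both `core.secret` and `core.secretName` has `core.secret` silently ignored. A guard at the top of each helper, e.g. `{{- if and .Values.core.secret .Values.core.secretName }}{{- fail "core.secret and core.secretName are mutually exclusive" }}{{- end }}`, turns that into a render-time error. The five helpers are also identical apart from the component name and could be one helper that takes the component as an argument. Style: `harbor.database.secretName` is followed by two blank lines (`+` twice) where the other definitions use one.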
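Review bot: The first README hunk (the **Notes:** sentence appended to the `Ingress` bullet and the whitespace-only change on the `LoadBalancer` bullet) is unrelated to the `secretName` feature this patch adds; consider moving it to its own commit so the secret-handling change stays reviewable on its own.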