Allow the chart to use pre-defined secrets instead of generating them.

Closes goharbor#189 Signed-off-by: jose <[email protected]>
autonomic-ai · Mar 25, 2019 · 63c8495 · 63c8495
1 parent 997a3a2
commit 63c8495
Show file tree

Hide file tree

Showing 14 changed files with 113 additions and 36 deletions.
diff --git a/README.md b/README.md
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -126,6 +126,15 @@ postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.datab
 postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
 {{- end -}}
 
+{{- define "harbor.database.secretName" -}}
+  {{- if .Values.database.internal.secretName -}}
+    {{- .Values.database.internal.secretName -}}
+  {{- else -}}
+    {{- include "harbor.database" . -}}
+  {{- end -}}
+{{- end -}}
+
+
 {{- define "harbor.redis.host" -}}
   {{- if eq .Values.redis.type "internal" -}}
     {{- template "harbor.redis" . -}}
@@ -214,6 +223,14 @@ host:port,pool_size,password
   {{- printf "%s-core" (include "harbor.fullname" .) -}}
 {{- end -}}
 
+{{- define "harbor.core.secretName" -}}
+  {{- if .Values.core.secretName -}}
+    {{- .Values.core.secretName -}}
+  {{- else -}}
+    {{- include "harbor.core" . -}}
+  {{- end -}}
+{{- end -}}
+
 {{- define "harbor.redis" -}}
   {{- printf "%s-redis" (include "harbor.fullname" .) -}}
 {{- end -}}
@@ -222,14 +239,38 @@ host:port,pool_size,password
   {{- printf "%s-jobservice" (include "harbor.fullname" .) -}}
 {{- end -}}
 
+{{- define "harbor.jobservice.secretName" -}}
+  {{- if .Values.jobservice.secretName -}}
+    {{- .Values.jobservice.secretName -}}
+  {{- else -}}
+    {{- include "harbor.jobservice" . -}}
+  {{- end -}}
+{{- end -}}
+
 {{- define "harbor.registry" -}}
   {{- printf "%s-registry" (include "harbor.fullname" .) -}}
 {{- end -}}
 
+{{- define "harbor.registry.secretName" -}}
+  {{- if .Values.registry.secretName -}}
+    {{- .Values.registry.secretName -}}
+  {{- else -}}
+    {{- include "harbor.registry" . -}}
+  {{- end -}}
+{{- end -}}
+
 {{- define "harbor.chartmuseum" -}}
   {{- printf "%s-chartmuseum" (include "harbor.fullname" .) -}}
 {{- end -}}
 
+{{- define "harbor.chartmuseum.secretName" -}}
+  {{- if .Values.chartmuseum.secretName -}}
+    {{- .Values.chartmuseum.secretName -}}
+  {{- else -}}
+    {{- include "harbor.chartmuseum" . -}}
+  {{- end -}}
+{{- end -}}
+
 {{- define "harbor.database" -}}
   {{- printf "%s-database" (include "harbor.fullname" .) -}}
 {{- end -}}
@@ -278,4 +319,4 @@ host:port,pool_size,password
   {{- else }}
     {{- printf "%s" $expose.tls.commonName -}}
   {{- end }}
-{{- end -}}
+{{- end -}}
diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml
@@ -49,12 +49,12 @@ spec:
         - configMapRef:
             name: "{{ template "harbor.chartmuseum" . }}"
         - secretRef:
-            name: "{{ template "harbor.chartmuseum" . }}"
+            name: "{{ template "harbor.chartmuseum.secretName" . }}"
         env:
           - name: BASIC_AUTH_PASS
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ template "harbor.core.secretName" . }}
                 key: secret
         ports:
         - containerPort: 9999
@@ -78,7 +78,7 @@ spec:
       {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
       - name: gcs-key
         secret:
-          secretName: {{ template "harbor.registry" . }}
+          secretName: {{ template "harbor.registry.secretName" . }}
           items:
             - key: GCS_KEY_DATA
               path: gcs-key.json

diff --git a/templates/chartmuseum/chartmuseum-secret.yaml b/templates/chartmuseum/chartmuseum-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.chartmuseum.enabled }}
+{{- if (and .Values.chartmuseum.enabled (not .Values.chartmuseum.secretName)) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -23,4 +23,4 @@ data:
 {{- else if eq $storageType "oss" }}
   ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -44,17 +44,17 @@ spec:
         - configMapRef:
             name: "{{ template "harbor.core" . }}"
         - secretRef:
-            name: "{{ template "harbor.core" . }}"
+            name: "{{ template "harbor.core.secretName" . }}"
         env:
           - name: CORE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ template "harbor.core.secretName" . }}
                 key: secret
           - name: JOBSERVICE_SECRET
             valueFrom:
               secretKeyRef:
-                name: "{{ template "harbor.jobservice" . }}"
+                name: "{{ template "harbor.jobservice.secretName" . }}"
                 key: secret
         ports:
         - containerPort: 8080
@@ -85,16 +85,16 @@ spec:
           name: {{ template "harbor.core" . }}
       - name: secret-key
         secret:
-          secretName: {{ template "harbor.core" . }}
+          secretName: {{ template "harbor.core.secretName" . }}
           items:
             - key: secretKey
               path: key
       - name: token-service-private-key
         secret:
-          {{- if .Values.core.secretName }}
-          secretName: {{ .Values.core.secretName }}
+          {{- if .Values.core.certSecretName }}
+          secretName: {{ .Values.core.certSecretName }}
           {{- else }}
-          secretName: {{ template "harbor.core" . }}
+          secretName: {{ template "harbor.core.secretName" . }}
           {{- end }}
       {{- if .Values.expose.tls.enabled }}
       - name: ca-download
@@ -117,4 +117,4 @@ spec:
     {{- with .Values.core.tolerations }}
       tolerations:
 {{ toYaml . | indent 8 }}
-    {{- end }}
+    {{- end }}
diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.core.secretName }}
 {{- $cert := genSelfSignedCert "harbor" nil nil 365 }}
 apiVersion: v1
 kind: Secret
@@ -9,7 +10,7 @@ type: Opaque
 data:
   secretKey: {{ .Values.secretKey | b64enc | quote }}
   secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
-{{- if not .Values.core.secretName }}
+{{- if not .Values.core.certSecretName }}
   tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }}
   tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }}
 {{- end }}
@@ -18,3 +19,4 @@ data:
 {{ if .Values.clair.enabled }}
   CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{ end }}
+{{- end }}
diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.database.type "internal" -}}
+{{- if (and (eq .Values.database.type "internal") (not .Values.database.internal.secretName)) -}}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
@@ -55,7 +55,7 @@ spec:
 {{- end }}
         envFrom:
           - secretRef:
-              name: "{{ template "harbor.database" . }}"
+              name: "{{ template "harbor.database.secretName" . }}"
         volumeMounts:
         - name: database-data
           mountPath: /var/lib/postgresql/data

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -48,12 +48,12 @@ spec:
           - name: CORE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ template "harbor.core.secretName" . }}
                 key: secret
           - name: JOBSERVICE_SECRET
             valueFrom:
               secretKeyRef:
-                name: "{{ template "harbor.jobservice" . }}"
+                name: "{{ template "harbor.jobservice.secretName" . }}"
                 key: secret
           - name: CORE_URL
             value: "http://{{ template "harbor.core" . }}"

diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.jobservice.secretName }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ metadata:
 type: Opaque
 data:
   secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+{{- end }}
diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml
@@ -54,10 +54,10 @@ spec:
           name: "{{ template "harbor.notary-server" . }}"
       - name: root-certificate
         secret:
-          {{- if .Values.core.secretName }}
-          secretName: {{ .Values.core.secretName }}
+          {{- if .Values.core.certSecretName }}
+          secretName: {{ .Values.core.certSecretName }}
           {{- else }}
-          secretName: {{ template "harbor.core" . }}
+          secretName: {{ template "harbor.core.secretName" . }}
           {{- end }}
       {{- if .Values.notary.secretName }}
       - name: notary-ca

diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
@@ -48,7 +48,7 @@ spec:
         args: ["serve", "/etc/registry/config.yml"]
         envFrom:
         - secretRef:
-            name: "{{ template "harbor.registry" . }}"
+            name: "{{ template "harbor.registry.secretName" . }}"
         ports:
         - containerPort: 5000
         - containerPort: 5001
@@ -89,17 +89,17 @@ spec:
         args: ["serve", "/etc/registry/config.yml"]
         envFrom:
         - secretRef:
-            name: "{{ template "harbor.registry" . }}"
+            name: "{{ template "harbor.registry.secretName" . }}"
         env:
           - name: CORE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ template "harbor.core.secretName" . }}
                 key: secret
           - name: JOBSERVICE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.jobservice" . }}
+                name: {{ template "harbor.jobservice.secretName" . }}
                 key: secret
         ports:
         - containerPort: 8080
@@ -116,10 +116,10 @@ spec:
       volumes:
       - name: registry-root-certificate
         secret:
-          {{- if .Values.core.secretName }}
-          secretName: {{ .Values.core.secretName }}
+          {{- if .Values.core.certSecretName }}
+          secretName: {{ .Values.core.certSecretName }}
           {{- else }}
-          secretName: {{ template "harbor.core" . }}
+          secretName: {{ template "harbor.core.secretName" . }}
           {{- end }}
       - name: registry-config
         configMap:
@@ -134,7 +134,7 @@ spec:
       {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
       - name: gcs-key
         secret:
-          secretName: {{ template "harbor.registry" . }}
+          secretName: {{ template "harbor.registry.secretName" . }}
           items:
             - key: GCS_KEY_DATA
               path: gcs-key.json

diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.registry.secretName }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -32,3 +33,4 @@ data:
   {{- else if eq $type "oss" }}
   REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
   {{- end }}
+  {{- end }}
diff --git a/values.yaml b/values.yaml
@@ -261,12 +261,18 @@ core:
   # Must be a string of 16 chars.
   secret: ""
 
+  # Fill the name of a kubernetes secret, if you don't want this chart to
+  # generate one.
+  # If specified, a core secret will not be generated.
+  # If this is set, secret should not be set.
+  secretName: ""
+
   # Fill the name of a kubernetes secret if you want to use your own
   # TLS certificate and private key for token encryption/decryption.
   # The secret must contain keys named tls.tokenServiceRootCertBundle and
   # tls.tokenServicePrivateKey that contain the certificate and private key.
   # They will be automatically generated if not set
-  secretName: ""
+  certSecretName: ""
 
 jobservice:
   image:
@@ -289,6 +295,11 @@ jobservice:
   # If a secret key is not specified, Helm will generate one.
   # Must be a string of 16 chars.
   secret: ""
+  # Fill the name of a kubernetes secret, if you don't want this chart to
+  # generate one.
+  # If specified, a jobservice secret will not be generated.
+  # If this is set, secret should not be set.
+  secretName: ""
 
 registry:
   registry:
@@ -319,6 +330,11 @@ registry:
   # If a secret key is not specified, Helm will generate one.
   # Must be a string of 16 chars.
   secret: ""
+  # Fill the name of a kubernetes secret, if you don't want this chart to
+  # generate one.
+  # If specified, a registry secret will not be generated.
+  # If this is set, secret should not be set.
+  secretName: ""
 
 chartmuseum:
   enabled: true
@@ -335,6 +351,10 @@ chartmuseum:
   affinity: {}
   ## Additional deployment annotations
   podAnnotations: {}
+  # Fill the name of a kubernetes secret, if you don't want this chart to
+  # generate one.
+  # If specified, a chartmuseum secret will not be generated.
+  secretName: ""
 
 clair:
   enabled: true
@@ -408,6 +428,11 @@ database:
     nodeSelector: {}
     tolerations: []
     affinity: {}
+    # Fill the name of a kubernetes secret, if you don't want this chart to
+    # generate one.
+    # If specified, a database secret will not be generated.
+    # If this is set, secret should not be set.
+    secretName: ""
   external:
     host: "192.168.0.1"
     port: "5432"
@@ -447,4 +472,4 @@ redis:
     chartmuseumDatabaseIndex: "3"
     password: ""
   ## Additional deployment annotations
-  podAnnotations: {}
+  podAnnotations: {}