feat: Use existing secret for multiple secrets values

fix: Registry secret value path fix: Secret usage Signed-off-by: David Sabatie <[email protected]> Signed-off-by: David Sabatie <[email protected]>
goharbor · Aug 18, 2022 · 4699d60 · 4699d60 · rgarcia89 · Aug 24, 2022
1 parent d4a81c0
commit 4699d60
Show file tree

Hide file tree

Showing 11 changed files with 97 additions and 14 deletions.
diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml
@@ -1,4 +1,6 @@
 {{- if .Values.chartmuseum.enabled }}
+{{- $storage := .Values.persistence.imageChartStorage }}
+{{- $type := $storage.type }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -101,6 +103,13 @@ spec:
           - # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280)
             name: AWS_SDK_LOAD_CONFIG
             value: "1"
+          {{- if .Values.redis.external.existingSecret }}
+          - name: CACHE_REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.redis.external.existingSecret }}
+                key: REDIS_PASSWORD
+          {{- end }}
         ports:
         - containerPort: {{ template "harbor.chartmuseum.containerPort" . }}
         volumeMounts:
@@ -140,7 +149,11 @@ spec:
       {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
       - name: gcs-key
         secret:
+          {{- if and (eq $type "gcs") $storage.gcs.existingSecret }}
+          secretName: {{ $storage.gcs.existingSecret }}
+          {{- else }}
           secretName: {{ template "harbor.registry" . }}
+          {{- end }}
           items:
             - key: GCS_KEY_DATA
               path: gcs-key.json

diff --git a/templates/chartmuseum/chartmuseum-secret.yaml b/templates/chartmuseum/chartmuseum-secret.yaml
@@ -7,7 +7,9 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+{{- if not .Values.redis.external.existingSecret }}
   CACHE_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
+{{- end }}
 {{- $storage := .Values.persistence.imageChartStorage }}
 {{- $storageType := $storage.type }}
 {{- if eq $storageType "azure" }}
@@ -23,4 +25,4 @@ data:
 {{- else if eq $storageType "oss" }}
   ALIBABA_CLOUD_ACCESS_KEY_SECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -96,6 +96,20 @@ spec:
           - name: INTERNAL_TLS_TRUST_CA_PATH
             value: /etc/harbor/ssl/core/ca.crt
          {{- end }}
+         {{- if .Values.database.external.existingSecret }}
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.database.external.existingSecret }}
+                key: password
+         {{- end }}
+         {{- if .Values.registry.credentials.existingSecret }}
+          - name: REGISTRY_CREDENTIAL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.registry.credentials.existingSecret }}
+                key: REGISTRY_CREDENTIAL_PASSWORD
+         {{- end }}
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
         volumeMounts:
@@ -139,7 +153,11 @@ spec:
               path: app.conf
       - name: secret-key
         secret:
+          {{- if .Values.existingSecretSecretKey }}
+          secretName: {{ .Values.existingSecretSecretKey }}
+          {{- else }}
           secretName: {{ template "harbor.core" . }}
+          {{- end }}
           items:
             - key: secretKey
               path: key

diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
@@ -6,14 +6,20 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+  {{- if not .Values.existingSecretSecretKey }}
   secretKey: {{ .Values.secretKey | b64enc | quote }}
+  {{- end }}
   secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
-{{- if not .Values.core.secretName }}
+  {{- if not .Values.core.secretName }}
   tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
   tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
-{{- end }}
+  {{- end }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
+  {{- if not .Values.database.external.existingSecret }}
   POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
+  {{- end }}
+  {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
+  {{- end }}
   CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
   {{- template "harbor.traceJaegerPassword" . }}
diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -56,6 +56,14 @@ spec:
             name: "{{ template "harbor.exporter" . }}-env"
         - secretRef:
             name: "{{ template "harbor.exporter" . }}"
+        env:
+        {{- if .Values.database.external.existingSecret }}
+        - name: HARBOR_DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.database.external.existingSecret }}
+              key: password
+        {{- end }}
 {{- if .Values.exporter.resources }}
         resources:
 {{ toYaml .Values.exporter.resources | indent 10 }}

diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml
@@ -12,5 +12,7 @@ data:
   tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
 {{- end }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
+{{- if not .Values.database.external.existingSecret }}
   HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
-{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -86,6 +86,13 @@ spec:
           - name: INTERNAL_TLS_TRUST_CA_PATH
             value: /etc/harbor/ssl/jobservice/ca.crt
           {{- end }}
+          {{- if .Values.registry.credentials.existingSecret }}
+          - name: REGISTRY_CREDENTIAL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.registry.credentials.existingSecret }}
+                key: REGISTRY_CREDENTIAL_PASSWORD
+          {{- end }}
         envFrom:
         - configMapRef:
             name: "{{ template "harbor.jobservice" . }}-env"

diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml
@@ -7,5 +7,7 @@ metadata:
 type: Opaque
 data:
   JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+  {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
-  {{- template "harbor.traceJaegerPassword" . }}
+  {{- end }}
+  {{- template "harbor.traceJaegerPassword" . }}
diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
@@ -1,3 +1,5 @@
+{{- $storage := .Values.persistence.imageChartStorage }}
+{{- $type := $storage.type }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -187,6 +189,13 @@ spec:
         - name: INTERNAL_TLS_TRUST_CA_PATH
           value: /etc/harbor/ssl/registry/ca.crt
         {{- end }}
+        {{- if .Values.redis.external.existingSecret }}
+        - name: REGISTRY_REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.redis.external.existingSecret }}
+              key: REDIS_PASSWORD
+        {{- end }}
         ports:
         - containerPort: {{ template "harbor.registryctl.containerPort" . }}
         volumeMounts:
@@ -241,7 +250,11 @@ spec:
       {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs") }}
       - name: gcs-key
         secret:
+          {{- if and (eq $type "gcs") $storage.gcs.existingSecret }}
+          secretName: {{ $storage.gcs.existingSecret }}
+          {{- else }}
           secretName: {{ template "harbor.registry" . }}
+          {{- end }}
           items:
             - key: GCS_KEY_DATA
               path: gcs-key.json

diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml
@@ -7,12 +7,14 @@ metadata:
 type: Opaque
 data:
   REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
-  REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.password" .) | b64enc | quote }}
+  {{- if not .Values.redis.external.existingSecret }}
+  REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
+  {{- end }}
   {{- $storage := .Values.persistence.imageChartStorage }}
   {{- $type := $storage.type }}
   {{- if eq $type "azure" }}
   REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
-  {{- else if eq $type "gcs" }}
+  {{- else if and (eq $type "gcs") (not $storage.gcs.existingSecret) }}
   GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
   {{- else if eq $type "s3" }}
   {{- if $storage.s3.accesskey }}

diff --git a/values.yaml b/values.yaml
@@ -280,7 +280,7 @@ persistence:
     # "oss" and fill the information needed in the corresponding section. The type
     # must be "filesystem" if you want to use persistent volumes for registry
     # and chartmuseum
-    type: filesystem
+    type: gcs
     filesystem:
       rootdirectory: /storage
       #maxthreads: 100
@@ -295,6 +295,8 @@ persistence:
       encodedkey: base64-encoded-json-key-file
       #rootdirectory: /gcs/object/name/prefix
       #chunksize: "5242880"
+      # To use existing secret, the key must be gcs-key.json
+      existingSecret: ""
     s3:
       region: us-west-1
       bucket: bucketname
@@ -370,6 +372,8 @@ caSecretName: ""
 
 # The secret key used for encryption. Must be a string of 16 chars.
 secretKey: "not-a-secure-key"
+# If using existingSecretSecretKey, the key must be sercretKey
+existingSecretSecretKey: ""
 
 # The proxy settings for updating trivy vulnerabilities from the Internet and replicating
 # artifacts from/to the registries that cannot be reached directly
@@ -777,6 +781,8 @@ database:
     coreDatabase: "registry"
     notaryServerDatabase: "notary_server"
     notarySignerDatabase: "notary_signer"
+    # if using existing secret, the key must be POSTGRESQL_PASSWORD
+    existingSecret: ""
     # "disable" - No SSL
     # "require" - Always SSL (skip verification)
     # "verify-ca" - Always SSL (verify that the certificate presented by the
@@ -831,16 +837,18 @@ redis:
     chartmuseumDatabaseIndex: "3"
     trivyAdapterIndex: "5"
     password: ""
+    # If using existingSecret, the key must be REDIS_PASSWORD
+    existingSecret: ""
   ## Additional deployment annotations
   podAnnotations: {}
 
 exporter:
   replicas: 1
   revisionHistoryLimit: 10
-# resources:
-#  requests:
-#    memory: 256Mi
-#    cpu: 100m
+  # resources:
+  #  requests:
+  #    memory: 256Mi
+  #    cpu: 100m
   podAnnotations: {}
   serviceAccountName: ""
   # mount the service account token
@@ -880,12 +888,14 @@ metrics:
     # Scrape interval. If not set, the Prometheus default scrape interval is used.
     interval: ""
     # Metric relabel configs to apply to samples before ingestion.
-    metricRelabelings: []
+    metricRelabelings:
+      []
       # - action: keep
       #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
       #   sourceLabels: [__name__]
     # Relabel configs to apply to samples before ingestion.
-    relabelings: []
+    relabelings:
+      []
       # - sourceLabels: [__meta_kubernetes_pod_node_name]
       #   separator: ;
       #   regex: ^(.*)$