Support external secrets for service tokens and xsrf
Signed-off-by: Daren Desjardins <[email protected]>
darend committed Jan 18, 2023
1 parent a658bca commit 4c5f9d3
Showing 9 changed files with 66 additions and 7 deletions.
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -244,8 +244,11 @@ The following table lists the configurable parameters of the Harbor chart and th
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.serviceAnnotations` | Annotations to add to the core service | `{}` |
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `core.existingSecret` | Use an existing kubernetes secret for the core secret. The key must be `secret` | |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | |
| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
| `core.existingXsrfSecret` | Use an existing kubernetes secret for the xsrf key specified | |
| `core.existingXsrfSecretKey` | Key within the existing secret for the xsrf key specified | `CSRF_KEY` |
| `core.priorityClassName` | The priority class to run the pod as | |
| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | |
| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` |
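Review bot: the new `core.existingSecret` row documents the key name (`secret`) but not the value constraint; the `core.secret` row directly above requires a 16-char string, and the templates use an externally supplied secret as-is, so the same "Must be a string of 16 chars" belongs on this row. The `core.existingXsrfSecret` description ("for the xsrf key specified") is hard to parse; suggest "Use an existing Kubernetes secret for the XSRF key. The key name is set by `core.existingXsrfSecretKey`".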
Expand All @@ -265,6 +268,9 @@ The following table lists the configurable parameters of the Harbor chart and th
| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
| `jobservice.priorityClassName` | The priority class to run the pod as | |
| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `jobservice.existingSecret` | Use an existing kubernetes secret for the jobservice secret | |
| `jobservice.existingSecretKey` | Key within the existing secret for the job service secret chars. | `JOBSERVICE_SECRET` |

| **Registry** | | |
| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
| `registry.registry.image.tag` | Tag for registry image | `dev` |
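Review bot: stray word in the `jobservice.existingSecretKey` description ("job service secret chars."); it should read "Key within the existing secret for the jobservice secret". As with core, the 16-char requirement stated for `jobservice.secret` should be repeated on the `jobservice.existingSecret` row, since the template takes the external value without validation.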
Expand All @@ -282,6 +288,8 @@ The following table lists the configurable parameters of the Harbor chart and th
| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
| `registry.priorityClassName` | The priority class to run the pod as | |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `registry.existingSecret` | An existing kubernetes secret containing the registry secret. The key is defined by `existingSecretKey` chars. | |
| `registry.existingSecretKey` | The key in `registry.existingSecret` containing the registry secret chars. | | `REGISTRY_HTTP_SECRET` |
| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` |
| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` |
| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_CREDENTIAL_PASSWORD` | `""` |
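Review bot: the `registry.existingSecretKey` row has an extra empty cell (`| | `REGISTRY_HTTP_SECRET` |`), which pushes the default into a fourth column and breaks the table; drop the extra `|`. Both new registry rows also carry the stray "chars." from the `registry.secret` description; suggest "The key is defined by `registry.existingSecretKey`" and "The key in `registry.existingSecret` containing the registry secret", and restate the 16-char requirement for the external value.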
2 changes: 1 addition & 1 deletion templates/chartmuseum/chartmuseum-dpl.yaml
Expand Up @@ -106,7 +106,7 @@ spec:
- name: BASIC_AUTH_PASS
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
- # Needed to make AWS' client connect correctly (see https://github.com/helm/chartmuseum/issues/280)
name: AWS_SDK_LOAD_CONFIG
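Review bot: `default (include "harbor.core" .) .Values.core.existingSecret` has the right argument order for Helm's `default` (fallback first), and the hard-coded `key: secret` matches the README row saying the key must be `secret`. The rendered `name:` is unquoted here, while the equivalent replacement in templates/core/core-dpl.yaml replaces a quoted `"{{ template "harbor.jobservice" . }}"` with an unquoted value; pick one style across the commit.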
15 changes: 13 additions & 2 deletions templates/core/core-dpl.yaml
Expand Up @@ -79,13 +79,17 @@ spec:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: "{{ template "harbor.jobservice" . }}"
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
{{- if .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- else }}
key: JOBSERVICE_SECRET
{{- end }}
{{- if .Values.existingSecretAdminPassword }}
- name: HARBOR_ADMIN_PASSWORD
valueFrom:
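Review bot: the JOBSERVICE_SECRET block (name via `default`, then an if/else on `.Values.jobservice.existingSecret` to pick the key) is duplicated verbatim in templates/registry/registry-dpl.yaml in this same commit; factor it into a named template. Inside the `if` branch, `key: {{ .Values.jobservice.existingSecretKey }}` renders an empty `key:` if the value is unset, which the API server rejects because `secretKeyRef.key` is required; use `{{ .Values.jobservice.existingSecretKey | default "JOBSERVICE_SECRET" }}` so the template does not rely solely on the values.yaml default, which is in one of the two changed files not rendered on this page.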
Expand Down Expand Up @@ -117,6 +121,13 @@ spec:
name: {{ .Values.registry.credentials.existingSecret }}
key: REGISTRY_PASSWD
{{- end }}
{{- if .Values.core.existingXsrfSecret }}
- name: CSRF_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.core.existingXsrfSecret }}
key: {{ .Values.core.existingXsrfSecretKey }}
{{- end }}
ports:
- containerPort: {{ template "harbor.core.containerPort" . }}
volumeMounts:
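Review bot: `key: {{ .Values.core.existingXsrfSecretKey }}` has the same empty-key problem: an unset value renders `key:` with no value and fails API validation. Since the README gives `CSRF_KEY` as the default, write `{{ .Values.core.existingXsrfSecretKey | default "CSRF_KEY" }}` here. Also, templates/core/core-secret.yaml generates this key with `randAlphaNum 32`; the README rows for `core.xsrfKey` and `core.existingXsrfSecret` should state the length expected of an externally supplied key.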
4 changes: 4 additions & 0 deletions templates/core/core-secret.yaml
Expand Up @@ -9,7 +9,9 @@ data:
{{- if not .Values.existingSecretSecretKey }}
secretKey: {{ .Values.secretKey | b64enc | quote }}
{{- end }}
{{- if not .Values.core.existingSecret }}
secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.core.secretName }}
tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
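Review bot: guarding `secret:` with `{{- if not .Values.core.existingSecret }}` is consistent with templates/core/core-dpl.yaml, which reads `secret` from the external Secret instead, and it mirrors the existing `existingSecretSecretKey` guard two lines above. Note that `default (randAlphaNum 16)` still produces a fresh value on every render when `core.secret` is unset; that is pre-existing behaviour, but it is the main reason users want `existingSecret`, so the README could mention it.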
Expand All @@ -23,5 +25,7 @@ data:
{{- if not .Values.registry.credentials.existingSecret }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
{{- end }}
{{- if not .Values.core.existingXsrfSecret }}
CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
{{- end }}
{{- template "harbor.traceJaegerPassword" . }}
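Review bot: omitting `CSRF_KEY` when `core.existingXsrfSecret` is set matches the explicit `CSRF_KEY` env added in templates/core/core-dpl.yaml. Confirm that nothing else in the chart references `CSRF_KEY` by name on this Secret (for example a `secretKeyRef` outside this diff), since a reference to a key that is no longer emitted fails at pod start; the default case must be reaching the container by some path not shown in this hunk.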
9 changes: 8 additions & 1 deletion templates/jobservice/jobservice-dpl.yaml
Expand Up @@ -74,8 +74,15 @@ spec:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
{{- if .Values.jobservice.existingSecret }}
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
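Review bot: the explicit `JOBSERVICE_SECRET` env is only emitted when `jobservice.existingSecret` is set, so the default case must come from elsewhere (typically an `envFrom` on the jobservice Secret, outside this hunk); verify that path still carries the key. Same empty-key concern as core-dpl.yaml: `key: {{ .Values.jobservice.existingSecretKey }}` should carry `| default "JOBSERVICE_SECRET"`.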
2 changes: 2 additions & 0 deletions templates/jobservice/jobservice-secrets.yaml
Expand Up @@ -6,7 +6,9 @@ metadata:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if not .Values.jobservice.existingSecret }}
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
{{- end }}
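Review bot: consistent with the `registry.credentials.existingSecret` guard directly below. Because this Secret no longer carries `JOBSERVICE_SECRET` when an external secret is used, every consumer that previously read that key from it must branch on `jobservice.existingSecret`; core-dpl.yaml and registry-dpl.yaml in this commit do, so check there are no others.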
15 changes: 13 additions & 2 deletions templates/registry/registry-dpl.yaml
Expand Up @@ -173,16 +173,27 @@ spec:
- secretRef:
name: "{{ template "harbor.registryCtl" . }}"
env:
{{- if .Values.registry.existingSecret }}
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.registry.existingSecret }}
key: {{ .Values.registry.existingSecretKey }}
{{- end }}
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.jobservice" . }}
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
{{- if .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- else }}
key: JOBSERVICE_SECRET
{{- end }}
{{- if has "registry" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
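Review bot: the new `REGISTRY_HTTP_SECRET` block is only emitted when `registry.existingSecret` is set, but no change to a registry Secret template appears among the seven files rendered here, unlike the core and jobservice secrets which are suppressed when an external one is used. Check that the chart-generated `REGISTRY_HTTP_SECRET` is suppressed in the same way, or rely on the fact that an explicit `env` entry takes precedence over the same name from `envFrom`, and add `| default "REGISTRY_HTTP_SECRET"` to `key: {{ .Values.registry.existingSecretKey }}`. The JOBSERVICE_SECRET block duplicates core-dpl.yaml; see the comment there.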