
Support external secrets for service tokens and xsrf
Signed-off-by: Daren Desjardins <[email protected]>
darend committed Nov 17, 2023
1 parent 96428e0 commit cd6ab34
Showing 8 changed files with 68 additions and 6 deletions.
10 changes: 10 additions & 0 deletions README.md


15 changes: 13 additions & 2 deletions templates/core/core-dpl.yaml
Expand Up @@ -92,13 +92,17 @@ spec:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: "{{ template "harbor.jobservice" . }}"
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
{{- if .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- else }}
key: JOBSERVICE_SECRET
{{- end }}
{{- if .Values.existingSecretAdminPassword }}
- name: HARBOR_ADMIN_PASSWORD
valueFrom:
Expand Down Expand Up @@ -130,6 +134,13 @@ spec:
name: {{ .Values.registry.credentials.existingSecret }}
key: REGISTRY_PASSWD
{{- end }}
{{- if .Values.core.existingXsrfSecret }}
- name: CSRF_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.core.existingXsrfSecret }}
key: {{ .Values.core.existingXsrfSecretKey }}
{{- end }}
{{- with .Values.core.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
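Review bot: The `key:` lines sourced from values (L34 `key: {{ .Values.jobservice.existingSecretKey }}` and L50 `key: {{ .Values.core.existingXsrfSecretKey }}`) render as a bare `key:` (YAML null) when a user sets the `existingSecret` name but clears the key value, so the mistake surfaces at apply or pod-creation time instead of at template time. Wrapping them with `required`, e.g. `key: {{ required "jobservice.existingSecretKey is required when jobservice.existingSecret is set" .Values.jobservice.existingSecretKey }}`, fails the install with a readable message; the same applies to jobservice-dpl.yaml (L93) and registry-dpl.yaml (L123, L137) where the key comes from values. The core secret name at L26 is combined with the hard-coded key `secret` on L27, so an externally managed secret must expose the token under exactly that key name; a template comment such as `{{- /* core.existingSecret must hold the core token under the key "secret" */ -}}` above L22 would make that visible where it matters. The container env list starts and continues outside both hunks.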
4 changes: 4 additions & 0 deletions templates/core/core-secret.yaml
Expand Up @@ -9,7 +9,9 @@ data:
{{- if not .Values.existingSecretSecretKey }}
secretKey: {{ .Values.secretKey | b64enc | quote }}
{{- end }}
{{- if not .Values.core.existingSecret }}
secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.core.secretName }}
{{- $ca := genCA "harbor-token-ca" 365 }}
tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
Expand All @@ -24,7 +26,9 @@ data:
{{- if not .Values.registry.credentials.existingSecret }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
{{- end }}
{{- if not .Values.core.existingXsrfSecret }}
CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
{{- end }}
{{- if .Values.core.configureUserSettings }}
CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
{{- end }}
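Review bot: The new guard `{{- if not .Values.core.existingSecret }}` at L62 sits directly between the pre-existing `existingSecretSecretKey` guard at L59 and the `core.secretName` guard at L65, so one Secret is now carved up by three differently named "existing*" values and a reader can easily assume one of them replaces the whole object. A one-line comment above L62 such as `{{- /* core.existingSecret replaces only the "secret" key; the token TLS keys below are governed by core.secretName */ -}}` would prevent that. The same clarification applies to the CSRF_KEY guard at L72, which only omits that key from the chart-managed Secret. The `data:` mapping continues outside both hunks.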
9 changes: 8 additions & 1 deletion templates/jobservice/jobservice-dpl.yaml
Expand Up @@ -87,8 +87,15 @@ spec:
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
{{- if .Values.jobservice.existingSecret }}
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- end }}
{{- if .Values.internalTLS.enabled }}
- name: INTERNAL_TLS_ENABLED
value: "true"
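Review bot: The JOBSERVICE_SECRET env var at L88-94 is emitted only when `.Values.jobservice.existingSecret` is set, whereas core-dpl.yaml and registry-dpl.yaml always emit it and switch the Secret name with `default`; the conditional shape presumably relies on this deployment loading its own chart-managed Secret another way (an envFrom outside the hunk, not visible here), and that assumption deserves a comment, e.g. `{{- /* when jobservice.existingSecret is unset, JOBSERVICE_SECRET is provided by the chart-managed jobservice secret */ -}}` above L88. Aligning on the core-dpl.yaml pattern (`name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}` plus the if/else on `key`) would let the three deployments be reviewed side by side. The container env list starts and ends outside the hunk.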
2 changes: 2 additions & 0 deletions templates/jobservice/jobservice-secrets.yaml
Expand Up @@ -6,7 +6,9 @@ metadata:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if not .Values.jobservice.existingSecret }}
JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
{{- end }}
15 changes: 13 additions & 2 deletions templates/registry/registry-dpl.yaml
Expand Up @@ -200,16 +200,27 @@ spec:
name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
{{- end }}
env:
{{- if .Values.registry.existingSecret }}
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.registry.existingSecret }}
key: {{ .Values.registry.existingSecretKey }}
{{- end }}
- name: CORE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.core" . }}
name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
key: secret
- name: JOBSERVICE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "harbor.jobservice" . }}
name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
{{- if .Values.jobservice.existingSecret }}
key: {{ .Values.jobservice.existingSecretKey }}
{{- else }}
key: JOBSERVICE_SECRET
{{- end }}
{{- if has "registry" .Values.proxy.components }}
- name: HTTP_PROXY
value: "{{ .Values.proxy.httpProxy }}"
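Review bot: The six-line name/key selection for JOBSERVICE_SECRET at L135-140 is a verbatim copy of core-dpl.yaml L32-37, and the CORE_SECRET name expression at L129 repeats core-dpl.yaml L26 and jobservice-dpl.yaml L86, so any future change to either secret's layout has to be made in three templates. Moving the name and key selection into named templates in the chart's helpers file (constructed names, e.g. `harbor.jobservice.secretName` and `harbor.jobservice.secretKey`) and calling `name: {{ include "harbor.jobservice.secretName" . }}` / `key: {{ include "harbor.jobservice.secretKey" . }}` would reduce each deployment to two lines. The REGISTRY_HTTP_SECRET block at L118-124 follows the conditional shape discussed on jobservice-dpl.yaml (emitted only when `registry.existingSecret` is set) and would benefit from the same explanatory comment. The env list continues beyond the hunk.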
2 changes: 2 additions & 0 deletions templates/registry/registry-secret.yaml
Expand Up @@ -6,7 +6,9 @@ metadata:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if not .Values.registry.existingSecret }}
REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
{{- if not .Values.redis.external.existingSecret }}
REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
{{- end }}
17 changes: 16 additions & 1 deletion values.yaml
Expand Up @@ -483,10 +483,13 @@ core:
# the scenario of high concurrent pushing to same project, no improvment for other scenes.
quotaUpdateProvider: db # Or redis
# Secret is used when core server communicates with other components.
# If a secret key is not specified, Helm will generate one.
# If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret
# Must be a string of 16 chars.
secret: ""
# Fill in the name of a kubernetes secret if you want to use your own
# If using existingSecret, the key must be secret
existingSecret: ""
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate and private key for token encryption/decryption.
# The secret must contain keys named:
# "tls.key" - the private key
Expand All @@ -501,6 +504,10 @@ core:
tokenCert: |
# The XSRF key. Will be generated automatically if it isn't specified
xsrfKey: ""
# If using existingSecret, the key is defined by core.existingXsrfSecretKey
existingXsrfSecret: ""
# If using existingSecret, the key
existingXsrfSecretKey: CSRF_KEY
## The priority class to run the pod as
priorityClassName:
# The time duration for async update artifact pull_time and repository
Expand Down Expand Up @@ -559,6 +566,10 @@ jobservice:
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
# Use an existing secret resource
existingSecret: ""
# Key within the existing secret for the job service secret
existingSecretKey: JOBSERVICE_SECRET
## The priority class to run the pod as
priorityClassName:

Expand Down Expand Up @@ -609,6 +620,10 @@ registry:
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
# Use an existing secret resource
existingSecret: ""
# Key within the existing secret for the registry service secret
existingSecretKey: REGISTRY_HTTP_SECRET
# If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
relativeurls: false
credentials:
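Review bot: The comments on the new XSRF values at L179 and L181 are inaccurate and truncated: L179 says "If using existingSecret" while the value it annotates is `existingXsrfSecret`, and L181 stops mid-sentence (`# If using existingSecret, the key`). Suggested replacements are `# Fill in the name of a kubernetes secret holding the XSRF key if you want to use your own` for L179 and `# Key within that secret that holds the XSRF key` for L181. L169 `# If using existingSecret, the key must be secret` reads more clearly as `# If using existingSecret, the secret must contain the token under the key named "secret"`. Since L166 requires the value to be a 16-character string, the same constraint presumably applies to an externally supplied secret and is worth stating next to L170; the `core:`, `jobservice:` and `registry:` mappings all extend beyond their hunks.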
