Chart should allow specifying existing secrets #189
Comments
|
It looks like this would also mitigate #181 |
|
Hi @ywk253100 -- that's not exactly what I had in mind. That PR will let me specify the contents of the secret via For example, in registry-secret.yaml do something like: {{- if (not .Values.registry.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: "{{ template "harbor.registry" . }}"
labels:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
# etc
{{- end }}and then # ...
envFrom:
- secretRef:
{{- if (not .Values.registry.existingSecret) }}
name: "{{ template "harbor.registry" . }}"
{{- else }}
name: "{{ .Values.registry.existingSecret }}"
{{- end }}
# ...
|
|
@josecv I understand what your requirement is. |
|
So we usually like to make our CI system deploy to our kubernetes clusters, instead of manually running
This lets us use our github as the single source of truth for what's deployed in the cluster. Making the chart not generate secrets could also let us forbid tiller from reading secrets, which means that we can set up our environments so that developers/CI can do helm operations, but only SREs can read credentials to certain systems. |
Closes goharbor#189 Signed-off-by: jose <[email protected]>
Closes goharbor#189 Signed-off-by: jose <[email protected]>
Closes goharbor#189 Signed-off-by: jose <[email protected]>
Closes goharbor#189 Signed-off-by: jose <[email protected]>
|
I'd like to second this request. |
|
@josecv I don't think the #199 is a good solution for Clair and Notary. The secrets of Clair and Notary contains the configuration files which are part of source code of Harbor chart, they may change between different versions. If we allow users to configure their own secrets for Clair and Notary, that means the users must maintain the correct structure of these files, I think this is unreasonable and complicated. |
|
And the reason why we put the configuration files of Clair and Notary is that these files contain database password and the password cannot be set via environment variable. |
|
@ywk253100 while I understand your point, the chart as it currently stands—and unless I am missing something—is not "usable" with a GitOps pipeline based on Flux, the Helm operator and Sealed Secrets in which you check your configuration as |
@ywk253100 I believe that for Notary this is possible using
|
|
Any news here ? An |
|
What's the issue that this isn't moving forward? What can I do to help resolving this this issue? |
|
Hi, Quite different from the situation in postgres chart mentioned in the OP, there are too many attributes in values.yaml of this chart may potentially be moved to secret and I don't think we have the bandwidth to maintain all the combination and answer questions regarding misconfigurations. I believe there are ways to solve the problem without having to check in the secret keys to the repos, for example, render the |
|
Would a PR for a subset of the configuration options (excluding clair / trivy) be accepted? perhaps something along the lines of this format in values.yaml would be less confusing to end users and easier to support: I would gladly help contribute something towards a solution here. maintaining forks is not fun :( |
|
At the very least setting existing secrets for external DB connections should be supported in values.yaml |
Also it's absolutely not usable with ArgoCD GitOps, if you don't want to check in passwords! |
I think he's doing GitOps and not ClickOps and don't want to fiddle around by deploying manually with helm. |
|
Dear maintainer team, We would like to deploy Harbor via GitOps. This means, we commit what we want to deploy to a GitRepo. In our clusters runs some stuff like Argo CD Flux and a Helm Controller that fetches the repo and deploys whatever is in there to the cluster. Our repo content – a HelmRelease – would look like this. To avoid storing secrets in our GitOps repos, we use tools like Sealed Secrets. It uses a CRD where you commit an encrypted password and Sealed Secrets decrypts it into a regular Kubernetes Secret, which is the one we want to reference from the HelmRelease mentioned above. As we currently have no way of referencing our secrets, we would have to commit our secrets in cleartext into our repos, which is why we need this issue to be fixed. This issue blocks us from using GitOps for Harbor deployment and forces us back into use the command line via Could you please, please implement this or would you accept a pull request when somebody from outside the team does it? |
|
+1. We are having to fork this chart to use it when deploying with ArgoCD to avoid committing secrets into Git. See external-dns as an example that allows you to provide AWS credentials through an external Secret. |
We have also forked the chart for the same reason. Would much rather be using the official release but committing secrets to git is a deal-breaker. |
|
I too hit this issue when attempting to figure out how to get the AWS credentials into the workload (this would be negated by IAM Role Service Accounts.. goharbor/harbor#12553). SoHere is my hack for ArgoCD for those who are interested.. I added a new configManagementPlugin kind: ConfigMap
metadata:
name: argocd-cm
data:
configManagementPlugins: |
- name: kustomized-helm
init:
command: ["/bin/sh", "-c"]
args: ["helm dependency build"]
generate:
command: [sh, -c]
args: ['helm template -f $HELM_VALUE_FILE $HELM_RELEASE_NAME . > helm-out.yaml && kustomize build']When defining the Argo Application one can use this plugin like so.. apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: harbor
spec:
...
source:
...
plugin:
name: kustomized-helm
env:
- name: HELM_VALUE_FILE
value: values.yaml
- name: HELM_RELEASE_NAME
value: harborThen.. we can "kustomize" the templated helm resources by leveraging the ArgoCD hooks to Skip applying the apiVersion: v1
kind: Secret
metadata:
name: "harbor-registry"
annotations:
argocd.argoproj.io/hook: SkipKustomization.yml file.. patches:
- patches/patch-registry-secret.yaml
resources:
- helm-out.yamlThen I added a Fortunately, the Anyways, this works as expected.. just a little dirty ArgoCD specific hack. |
|
Thanx @Geethree for inspiration and this hack. But still I would prefer a clean solution in the helm chart. |
|
The rationale for this issue seems pretty clear given the increasing adoption of GitOps bast-practices where everything infrastructure is checked in. There also have been numerous offers to contribute suitable patches. So far there has been very little response from the maintainers. Would it be possible to provide feedback regarding the chances of having this rather severe issue fixed that is known since May 2019? |
|
Just to add a requirement here, in case it wasn't captured in a previous comment: We should be able to specify not just external Secrets, but the key within those Secrets that contain the value we're looking for. The helm The example use case is using a postgresql operator (in our case, zalando) to create the database. Zalando has the option of storing the username and password in a Secret with the keys |
|
Please don't use the |
|
@ywk253100 @reasonerjt @ninjadq Please review #199 by @josecv 🙏 . Allowing external secrets is a much-needed feature for gitops practices. |
|
Please support this! For a stack that is so fundamental to so many of our environments....foundational...it is hard to believe this isn't supported. signed: Another GitOps implementer |
|
@j14s What gitops operator are you using? If flux, could you not use |
|
Adding myself as yet another implementer. Or even better, Harbor team, would you be open to a PR? |
|
+1 for non-clickOps ready chart. |
|
So, has this work been declined? Because, I'm about to fork it as well to add just a few lines to allow for an external secret... |
|
@corinz If you fork, please create a PR... |
|
@sathieu urghhh! OK, I will need to shelf this for now -- but no doubt I will need to come back. I will keep this on my radar |
|
+1 this is a deal breaker for GitOps |
|
So this is now implemented for S3 (though I don't understand why Chart and Registry are seperate if the directory is shared). #1165 Hopefully it'll come for database, etc. |
|
Apparently this has been taken care of in #1179 |
|
Hello! I realized yesterday, that there is still problem with Notary database password. The newest released chart (1.11.1) is still pushing the .Values.database.external.password as Notary DB password. What do you think about reconstructing the Pod template and make use of interdependent envs? As noted by @bmcustodio COMMENT it's possible to override the configuration with env variable. It would look like: containers:
- name: notary-server
(...)
env:
- name: MIGRATIONS_PATH
value: migrations/server/postgresql
{{- if .Values.database.external.existingSecret }}
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
{{- end }}
- name: DB_URL
{{- if .Values.database.external.existingSecret }}
value: {{ template "harbor.database.notaryServer" . }}
{{- else -}}
valueFrom:
secretKeyRef:
name: {{ template "harbor.notary-server" . }}
key: NOTARY_SERVER_DB_URL
{{- end }}
- name: NOTARY_SERVER_STORAGE_DB_URL
{{- if .Values.database.external.existingSecret }}
value: {{ template "harbor.database.notaryServer" . }}
{{- else -}}
valueFrom:
secretKeyRef:
name: {{ template "harbor.notary-server" . }}
key: NOTARY_SERVER_DB_URL
{{- end }}templates/_helpers.tpl {{- define "harbor.database.notaryServer" -}}
{{- if .Values.database.external.existingSecret -}}
postgres://{{ template "harbor.database.username" . }}:$(POSTGRESQL_PASSWORD)@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- else -}}
postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
{{- end -}}
{{- end -}}As far as I know Let me know about your thoughts - I can prepare PR with required changes The changes are working on my local fork - both signer and server are starting without connection issues. 😅 FYI: @zyyw |
Helm lookup works fine with helm-template, it's just that the context of helm-template would be "nothing", hence the output of helm-lookup is "nothing". This can be solved by things like dryruns just fine. About ArgoCD: |
ArgoCD has no sub-par parser. It's calling NB: I'm not an ArgoCD dev. |
|
@sathieu how do other charts solve this issue? Because just saying "don't use X" isn't helpful obviously ;) Also funny enough that FluxCD has no security issues with this though that's probably because they completely reimplemented the helm functionality afaik |
With existingSecret.
They have not reimplemented it, but use Helm SDK. About security issues, there is always a trade-off between security and features. Here Flux has one more feature (access to k8s resources with the lookup function), with probably reduced security. https://github.com/fluxcd/helm-controller#helm-controller |
Since the existing secrets has been supported in the recent latest release. Will close this issue for now. Best, |
I would call that non-standard sub-par parsing.
While I agree about the reduced security, there is more than one area where argocd helm functions differently than native Helm. |
and others
Right now, this helm chart generates all the secrets, unconditionally, from values in the
values.yaml. For those of us who like to commit ourvalues.yamls this is not ideal, as it requires that we commit our passwords, for example our S3 access key.It seems like the best practice is to allow the user to supply an
existingSecret(e.g. in the postgres chart).Something similar could be done here -- for example for the registry, if
registry.existingSecretis set, don't generate a secret and just trust the user to figure out what the secret should look like on their own (which allows them to self-manage the lifecycle of their passwords).If there's interest, I can find some time to do this PR.
The text was updated successfully, but these errors were encountered: