Add ability to use external secrets #1179
Conversation (commits 80cc665 to d852c12)
@golgoth31 could you please help to resolve these comments in this PR.

@golgoth31 can we get this going?

@ekarlso we need to wait for @golgoth31 to address the open points. Also the README needs an update.

Hi all, I'm terribly sorry for the delay. I'll update the PR now.
@@ -55,7 +55,9 @@ data: | |||
{{- else if eq $storageType "gcs" }} | |||
STORAGE: "google" | |||
STORAGE_GOOGLE_BUCKET: {{ $storage.gcs.bucket }} | |||
{{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} |
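Review bot: the `{{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }}` line that ends the hunk opens a conditional whose matching `{{- end }}` is not within the visible context; confirm it closes immediately after the entries it is meant to suppress and not after the remainder of the `gcs` storage block, otherwise unrelated settings would also disappear when Workload Identity is enabled. The new `useWorkloadIdentity` value also needs a README.md entry alongside the other `persistence.imageChartStorage.gcs.*` keys, which is the same point raised in the discussion above.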
Could you please justify why we need the configuration of `.Values.persistence.imageChartStorage.gcs.useWorkloadIdentity`? Same question for the subsequent `useWorkloadIdentity` config. If there is not a strong justification for `useWorkloadIdentity`, I would suggest deleting it.
Hi,
as stated here for example: https://gcloud.readthedocs.io/en/latest/google-cloud-auth.html#credential-discovery-precedence , if the "GOOGLE_APPLICATION_CREDENTIALS" variable is set, it will take precedence and the application will not be able to use the current Kubernetes service account to authenticate.
When using Workload Identity, we need to remove any other gcloud SDK authentication mechanism.
One additional comment: could you please also update the README.md for the config you introduced in the values.yaml file. Last but not least: thank you for contributing to harbor-helm!

@golgoth31 please help to resolve the new comments in this PR, thanks.
fix: Registry secret value path

fix: Secret usage

Signed-off-by: David Sabatie <[email protected]>
Signed-off-by: David Sabatie <[email protected]>
Hi, I don't see your change.
It means that the registry container is still using ... Maybe we need to add the REGISTRY_HTPASSWD key to ...
Signed-off-by: David Sabatie <[email protected]>
@haminhcong I fixed the registry credentials issue.
@golgoth31 Sorry, but I see that in file:

```yaml
{{- if .Values.database.external.existingSecret }}
- name: POSTGRESQL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ .Values.database.external.existingSecret }}
      key: password
```

but in:

```yaml
external:
  host: "192.168.0.1"
  port: "5432"
  username: "user"
  password: "password"
  coreDatabase: "registry"
  notaryServerDatabase: "notary_server"
  notarySignerDatabase: "notary_signer"
  # if using existing secret, the key must be PASSWORD
  existingSecret: ""
```

| `database.external.existingSecret` | An existing password containing the database password. the key must be `PASSWORD`. | `""` |

It makes me quite confused when using these config options. Could you create a pull request to edit the document using the lowercase variable, to remove the differences between the document and the code?
@haminhcong here is the PR #1269.

It looks like this does not work for the notary-server and notary-signer.

Can confirm that Notary server and signer don't use the existingSecret value. The problem is in _helpers.tpl:
the 'else' part just tries to use external.password. Probably need to fix the secret that invokes this helper and other templates, like notary/notary-secret.yaml.
This is where the trail begins, and it ends up on the rawPassword in the helper.
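The two problems raised above (the `PASSWORD` vs `password` key mismatch between the README and the template, and notary-server/notary-signer still reading `external.password` in the helper's `else` branch) both come from consumers resolving the secret name and key independently. The Helm fragment below is an added illustration, not harbor-helm's own `_helpers.tpl` or templates: it assumes the `database.external.existingSecret` and `database.external.password` values from this PR, and the helper names `example.database.secretName` and `example.database.secretKey` are hypothetical. Every consumer (core, notary-server, notary-signer) goes through the same two helpers, so the key is spelled once and the chart-managed Secret is only rendered when no existing secret is supplied.

```yaml
# _helpers.tpl (added illustration; helper names are hypothetical)

{{/* Name of the Secret that holds the external database password.
     Prefer the user-supplied existingSecret; otherwise fall back to the
     Secret this chart renders itself. */}}
{{- define "example.database.secretName" -}}
{{- if .Values.database.external.existingSecret -}}
{{ .Values.database.external.existingSecret }}
{{- else -}}
{{ .Release.Name }}-database
{{- end -}}
{{- end -}}

{{/* Key inside that Secret. Defined once, so README, chart-managed Secret
     and every consumer agree on the lowercase spelling. */}}
{{- define "example.database.secretKey" -}}
password
{{- end -}}

---
# templates/database-secret.yaml (added illustration)
# Rendered only when the operator did not bring their own Secret, so the
# inline password never ends up in a second, chart-owned object.
{{- if not .Values.database.external.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "example.database.secretName" . }}
type: Opaque
data:
  {{ include "example.database.secretKey" . }}: {{ .Values.database.external.password | b64enc | quote }}
{{- end }}

---
# Env block shared by core, notary-server and notary-signer deployments
# (added illustration). Because both the name and the key come from the
# helpers, no template references .Values.database.external.password directly.
env:
  - name: POSTGRESQL_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "example.database.secretName" . }}
        key: {{ include "example.database.secretKey" . }}
```

With this layout the README row only has to document that the existing Secret must carry the `password` key (the value returned by `example.database.secretKey`), and a reviewer can verify that every consumer uses the helper with a single grep for `external.password` in `templates/`, which should match only the chart-managed Secret.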
Hi,
Thank you for this amazing job.
Please find here an update of the chart files to allow usage of existing secrets instead of storing secret values inside the values file.
Regards,
David Sabatie