Made generating existing/default secret secrets an option
Signed-off-by: Casper Thygesen <[email protected]>
cthtrifork committed Dec 17, 2024
1 parent 45544bd commit b819184
Showing 7 changed files with 33 additions and 4 deletions.
2 changes: 1 addition & 1 deletion bitnami/harbor/Chart.yaml
Expand Up @@ -55,4 +55,4 @@ maintainers:
name: harbor
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/harbor
version: 24.1.0
version: 24.2.0
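Review bot: the minor version bump (24.1.0 to 24.2.0) is the right semver step for this change, since it only adds new values keys with defaults that keep the previous behaviour. One thing to confirm before merge is that every new key is actually wired: the trivy template in this commit reads `.Values.registry.generateExistingEnvVarsSecret`, a key this commit never defines, so as written the chart version advertises a `trivy.generateExistingEnvVarsSecret` option that does nothing.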
6 changes: 5 additions & 1 deletion bitnami/harbor/README.md
Expand Up @@ -175,7 +175,7 @@ Alternatively, you can use a ConfigMap or a Secret with the environment variable

Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)).

If you want to manage full Secret objects by your own, you can use existingSecret & existingEnvVarsSecret parameters. This could be useful for some secure GitOps workflows, of course, you will have to ensure to define all expected keys for those secrets.
If you want to manage full Secret objects by your own, you can use existingSecret & existingEnvVarsSecret parameters. This could be useful for some secure GitOps workflows, of course, you will have to ensure to define all expected keys for those secrets. Optionally, you can set `generateExistingEnvVarsSecret: false` to prevent the default envvars secret to be generated.

The core service have two `Secret` objects, the default one for data & communication which is very important as it's contains the data encryption key of your harbor instance ! and a second one which contains standard passwords, database access password, ...
Keep in mind that the `HARBOR_ADMIN_PASSWORD` is only used to boostrap your harbor instance, if you update it after the deployment, the password is updated in database, but the secret will remain the initial one.
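Review bot: the added sentence names a bare `generateExistingEnvVarsSecret: false`, but the option is per component (`core.generateExistingEnvVarsSecret`, `jobservice.generateExistingEnvVarsSecret`, `trivy.generateExistingEnvVarsSecret`, and `registry.generateExistingSecret` for the registry), so a reader cannot tell which key to set. Suggest listing the full keys and fixing the grammar: "Optionally, set `core.generateExistingEnvVarsSecret`, `jobservice.generateExistingEnvVarsSecret`, `trivy.generateExistingEnvVarsSecret` or `registry.generateExistingSecret` to `false` to prevent the default secret from being generated." It would also help to state that these flags should only be disabled when the corresponding `existingSecret`/`existingEnvVarsSecret` is set, otherwise the pods will reference a Secret that nothing creates.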
Expand Down Expand Up @@ -606,6 +606,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| `core.tokenCert` | Certificate used for token encryption/decryption. | `""` |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | `""` |
| `core.existingSecret` | Existing secret for core | `""` |
| `core.generateExistingEnvVarsSecret` | Generate an existing envvars for core | `true` |
| `core.existingEnvVarsSecret` | Existing secret for core envvars | `""` |
| `core.csrfKey` | The CSRF key. Will be generated automatically if it isn't specified | `""` |
| `core.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` |
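Review bot: the description "Generate an existing envvars for core" is contradictory (the chart generates the default Secret; the existing one is the user's), and it is what `readme-generator` copies from the `@param` comment in values.yaml, so the fix belongs there too. Suggest "Generate the default envvars Secret for core (set to `false` when `core.existingEnvVarsSecret` provides all keys)".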
Expand Down Expand Up @@ -712,6 +713,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` |
| `jobservice.secret` | Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `""` |
| `jobservice.existingSecret` | Existing secret for jobservice | `""` |
| `jobservice.generateExistingEnvVarsSecret` | Generate an existing envvars for jobservice | `true` |
| `jobservice.existingEnvVarsSecret` | Existing secret for jobservice envvars | `""` |
| `jobservice.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` |
| `jobservice.command` | Override default container command (useful when using custom images) | `[]` |
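Review bot: same wording issue as the core row; "Generate an existing envvars for jobservice" should describe what is generated, e.g. "Generate the default envvars Secret for jobservice". Keep the core, jobservice and trivy descriptions parallel so the table reads consistently.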
Expand Down Expand Up @@ -805,6 +807,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| Name | Description | Value |
| ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: <https://github.com/docker/distribution/blob/master/docs/configuration.md> | `""` |
| `registry.generateExistingSecret` | Generate an existing secret for registry | `true` |
| `registry.existingSecret` | Existing secret for registry | `""` |
| `registry.relativeurls` | Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL. | `false` |
| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd) | `harbor_registry_user` |
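Review bot: the key here is `registry.generateExistingSecret` while the other three components use `generateExistingEnvVarsSecret`. That mirrors `registry.existingSecret`, so the naming is defensible, but the README should say so explicitly, and "Generate an existing secret for registry" should read "Generate the default Secret for registry (set to `false` when `registry.existingSecret` provides all keys)". Note that for the registry this Secret carries `REGISTRY_HTPASSWD` and storage credentials, so disabling generation without a complete existing Secret breaks authentication rather than just missing an optional value.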
Expand Down Expand Up @@ -977,6 +980,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
| `trivy.generateExistingEnvVarsSecret` | Generate an existing envvars secret for trivy | `true` |
| `trivy.existingEnvVarsSecret` | Existing secret for trivy | `""` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB | `""` |
| `trivy.skipUpdate` | The flag to disable Trivy DB downloads from GitHub | `false` |
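Review bot: this row documents `trivy.generateExistingEnvVarsSecret`, but the trivy template in this commit checks `.Values.registry.generateExistingEnvVarsSecret` instead, so the documented parameter has no effect until the template is corrected. The description should also match the others ("Generate the default envvars Secret for trivy").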
2 changes: 2 additions & 0 deletions bitnami/harbor/templates/core/core-secret-envvars.yaml
Expand Up @@ -18,6 +18,7 @@ SPDX-License-Identifier: APACHE-2.0
{{- $existingEnvVarsSecretCore = dict "_REDIS_URL_CORE" ($_REDIS_URL_CORE | b64dec) "_REDIS_URL_REG" ($_REDIS_URL_REG | b64dec) "CSRF_KEY" ($_CSRF_KEY | b64dec) "HARBOR_ADMIN_PASSWORD" ($_HARBOR_ADMIN_PASSWORD | b64dec) "POSTGRESQL_PASSWORD" ($_POSTGRESQL_PASSWORD | b64dec) "REGISTRY_CREDENTIAL_PASSWORD" ($_REGISTRY_CREDENTIAL_PASSWORD | b64dec) "REGISTRY_CREDENTIAL_USERNAME" ($_REGISTRY_CREDENTIAL_USERNAME | b64dec) -}}
{{- end }}

{{- if .Values.core.generateExistingEnvVarsSecret }}
apiVersion: v1
kind: Secret
metadata:
Expand Down Expand Up @@ -49,3 +50,4 @@ data:
{{- else }}
HARBOR_ADMIN_PASSWORD: {{ $existingHarborAdmPW | b64enc | quote }}
{{- end }}
{{- end }}
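Review bot: the closing `{{- end }}` correctly pairs with the `{{- if .Values.core.generateExistingEnvVarsSecret }}` opened in the previous hunk, and the left-trim markers mean the file renders as empty output when the flag is false, which Helm accepts. Two points: the guard sits below the block that assembles `$existingEnvVarsSecretCore` from the existing-secret values, so that work (including any `lookup` of the existing Secret) still runs when generation is disabled; moving the `if` to the top of the template would avoid it. More importantly, nothing fails early when the flag is false and `core.existingEnvVarsSecret` is empty, so the core Deployment will reference a Secret that does not exist; a `fail` or `required` check for that combination would surface the misconfiguration at `helm install` time instead of as a pod stuck in `CreateContainerConfigError`.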
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ SPDX-License-Identifier: APACHE-2.0
-}}
{{- end }}

{{- if .Values.jobservice.generateExistingEnvVarsSecret }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -32,3 +33,4 @@ type: Opaque
data:
REGISTRY_CREDENTIAL_PASSWORD: {{ $existingEnvVarsSecretJobservice.REGISTRY_CREDENTIAL_PASSWORD | default .Values.registry.credentials.password | b64enc | quote }}
JOB_SERVICE_POOL_REDIS_URL: {{ $existingEnvVarsSecretJobservice.JOB_SERVICE_POOL_REDIS_URL | default (include "harbor.redisForJobservice" .) | b64enc | quote }}
{{- end }}
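Review bot: the `if`/`end` pairing is correct here as well. Unlike the core template, the jobservice Secret renders `REGISTRY_CREDENTIAL_PASSWORD` and the Redis URL directly with `default` fallbacks, so when `jobservice.generateExistingEnvVarsSecret` is false the only source of these values is the user's Secret; the values.yaml comment should call out that `JOB_SERVICE_POOL_REDIS_URL` then becomes effectively required, not optional.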
2 changes: 2 additions & 0 deletions bitnami/harbor/templates/registry/registry-secret.yaml
Expand Up @@ -34,6 +34,7 @@ SPDX-License-Identifier: APACHE-2.0
-}}
{{- end }}

{{- if .Values.registry.generateExistingSecret }}
apiVersion: v1
kind: Secret
metadata:
Expand Down Expand Up @@ -79,3 +80,4 @@ data:
{{- else if eq .Values.persistence.imageChartStorage.type "oss" }}
REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_OSS_ACCESSKEYSECRET | default .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }}
{{- end }}
{{- end }}
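Review bot: pairing is correct and the storage-backend branches (`oss` and the others above) are all inside the new guard, which is what we want. Since this Secret holds `REGISTRY_HTPASSWD` and the object-storage access keys, consider a `required`/`fail` when `registry.generateExistingSecret` is false and `registry.existingSecret` is empty, for the same reason as the core template.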
4 changes: 2 additions & 2 deletions bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml
Expand Up @@ -20,7 +20,7 @@ SPDX-License-Identifier: APACHE-2.0
-}}
{{- end }}

{{- if and .Values.trivy.enabled }}
{{- if and .Values.registry.generateExistingEnvVarsSecret .Values.trivy.enabled }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -39,4 +39,4 @@ data:
SCANNER_REDIS_URL: {{ $existingEnvVarsSecretTrivy.SCANNER_REDIS_URL | default (include "harbor.redisForTrivyAdapter" .) | b64enc }}
SCANNER_STORE_REDIS_URL: {{ $existingEnvVarsSecretTrivy.SCANNER_STORE_REDIS_URL | default (include "harbor.redisForTrivyAdapter" .) | b64enc }}
SCANNER_JOB_QUEUE_REDIS_URL: {{ $existingEnvVarsSecretTrivy.SCANNER_JOB_QUEUE_REDIS_URL | default (include "harbor.redisForTrivyAdapter" .) | b64enc }}
{{- end }}
{{- end }}
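Review bot: the new condition reads `.Values.registry.generateExistingEnvVarsSecret`, but this commit defines `trivy.generateExistingEnvVarsSecret` (and `registry.generateExistingSecret`); `registry.generateExistingEnvVarsSecret` exists nowhere in values.yaml. In Go templates a missing map key evaluates to nil, and `and nil .Values.trivy.enabled` is falsy, so with default values the trivy envvars Secret is never rendered at all and trivy pods will fail to start. The line should be `{{- if and .Values.trivy.enabled .Values.trivy.generateExistingEnvVarsSecret }}`. This is exactly the kind of typo `helm template` plus a `kubeconform`/diff check in CI would have caught, since the rendered output loses a whole Secret.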
19 changes: 19 additions & 0 deletions bitnami/harbor/values.yaml
Expand Up @@ -1471,6 +1471,11 @@ core:
## `secretKey` (required),
##
existingSecret: ""
## @param core.generateExistingEnvVarsSecret Generate an existing envvars for core
## If existingEnvVarsSecret is set, it will try to merge generated envvars with the existing secret
## Which can be useful when not setting the optional fields in the existingEnvVarsSecret
##
generateExistingEnvVarsSecret: true
## @param core.existingEnvVarsSecret Existing secret for core envvars
## The secret must contain the keys:
## `CSRF_KEY` (optional - alternatively auto-generated),
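Review bot: the `@param` line is the source of the README table text, so "Generate an existing envvars for core" should be rewritten here, e.g. "Generate the default envvars Secret for core (set to false when existingEnvVarsSecret provides all keys)". The explanatory comment is also slightly off: the merge happens when the flag is true and `existingEnvVarsSecret` is set; when the flag is false nothing is merged and the existing Secret must be complete on its own. Stating both cases would make the option easier to use safely.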
Expand Down Expand Up @@ -1892,6 +1897,11 @@ jobservice:
## `secret` (required),
##
existingSecret: ""
## @param jobservice.generateExistingEnvVarsSecret Generate an existing envvars for jobservice
## If existingEnvVarsSecret is set, it will try to merge generated envvars with the existing secret
## Which can be useful when not setting the optional fields in the existingEnvVarsSecret
##
generateExistingEnvVarsSecret: true
## @param jobservice.existingEnvVarsSecret Existing secret for jobservice envvars
## The secret must contain the keys:
## `REGISTRY_CREDENTIAL_PASSWORD` (optional),
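Review bot: same `@param` wording fix as the core block. The existing key list below marks `REGISTRY_CREDENTIAL_PASSWORD` as optional; that stays true only while `generateExistingEnvVarsSecret` is true, so the comment should note that the optional keys become required once generation is disabled.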
Expand Down Expand Up @@ -2252,6 +2262,10 @@ registry:
## Must be a string of 16 chars.
##
secret: ""
## @param registry.generateExistingSecret Generate an existing secret for registry
## If existingSecret is set, it will try to merge generated secret with the existing secret
## Which can be useful when not setting the optional fields in the existing secret
generateExistingSecret: true
## @param registry.existingSecret Existing secret for registry
## The secret must contain the keys:
## `REGISTRY_HTPASSWD` (required - replaces insecure defaults),
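Review bot: this block is missing the trailing `##` comment line that the other three new blocks have before the value; `readme-generator` and the existing values.yaml style expect it, and it keeps the blocks visually consistent. The description should also follow the same pattern as the others ("Generate the default Secret for registry").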
Expand Down Expand Up @@ -2886,6 +2900,11 @@ trivy:
## @param trivy.insecure The flag to skip verifying registry certificate
##
insecure: false
## @param trivy.generateExistingEnvVarsSecret Generate an existing envvars secret for trivy
## If existingEnvVarsSecret is set, it will try to merge generated envvars with the existing secret
## Which can be useful when not setting the optional fields in the existingEnvVarsSecret
##
generateExistingEnvVarsSecret: true
## @param trivy.existingEnvVarsSecret Existing secret for trivy
## The secret must contain the keys:
## `SCANNER_TRIVY_GITHUB_TOKEN` (optional)
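Review bot: the value is defined under `trivy`, which is correct, but nothing reads it: `templates/trivy/trivy-secret-envvars.yaml` in this same commit tests `.Values.registry.generateExistingEnvVarsSecret`. Fix the template reference rather than this block, and apply the same `@param` wording fix as the other components.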