Merge pull request #1412 from zyyw/1.3.0-cp-1389

fix: remove default tls keys

README.md

@@ -200,6 +200,8 @@ The following table lists the configurable parameters of the Harbor chart and th
 | `core.podAnnotations` | Annotations to add to the core pod | `{}` |
 | `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
 | `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | |
+| `core.tokenKey`                                                    | PEM-formatted RSA private key used to sign service tokens.  Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set.                                                                                                                                                                                                                                  |                                        |
+| `core.tokenCert`                                                    | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens.  Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set.                                                                                                                                                                                                                                 |                                        |
 | `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
 | **Jobservice**                                                              |
 | `jobservice.image.repository`                                               | Repository for jobservice image                                                                                                                                                                                                                                                                                                                 | `goharbor/harbor-jobservice`    |

templates/core/core-secret.yaml

@@ -9,8 +9,9 @@ data:
   secretKey: {{ .Values.secretKey | b64enc | quote }}
   secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
 {{- if not .Values.core.secretName }}
-  tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
-  tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
+  {{- $ca := genCA "harbor-token-ca" 365 }}
+  tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
+  tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }}
 {{- end }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
   POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}

values.yaml

@@ -329,8 +329,14 @@ core:
   # The secret must contain keys named:
   # "tls.crt" - the certificate
   # "tls.key" - the private key
-  # The default key pair will be used if it isn't set
   secretName: ""
+  # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead.
+  # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated.
+  # tokenKey and tokenCert must BOTH be set or BOTH unset.
+  # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line.
+  tokenKey: |
+  # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line.
+  tokenCert: |  
   # The XSRF key. Will be generated automatically if it isn't specified
   xsrfKey: ""