Merge pull request #1373 from sagansystems/support-external-secrets

Support external secrets for service tokens and xsrf
goharbor · Nov 17, 2023 · 626d8e3 · 626d8e3
2 parents 96428e0 + cd6ab34
commit 626d8e3
Show file tree

Hide file tree

Showing 8 changed files with 68 additions and 6 deletions.
diff --git a/README.md b/README.md
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -92,13 +92,17 @@ spec:
           - name: CORE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
                 key: secret
           - name: JOBSERVICE_SECRET
             valueFrom:
               secretKeyRef:
-                name: "{{ template "harbor.jobservice" . }}"
+                name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
+                {{- if .Values.jobservice.existingSecret }}
+                key: {{ .Values.jobservice.existingSecretKey }}
+                {{- else }}
                 key: JOBSERVICE_SECRET
+                {{- end }}
           {{- if .Values.existingSecretAdminPassword }}
           - name: HARBOR_ADMIN_PASSWORD
             valueFrom:
@@ -130,6 +134,13 @@ spec:
                 name: {{ .Values.registry.credentials.existingSecret }}
                 key: REGISTRY_PASSWD
           {{- end }}
+          {{- if .Values.core.existingXsrfSecret }}
+          - name: CSRF_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.core.existingXsrfSecret }}
+                key: {{ .Values.core.existingXsrfSecretKey }}
+          {{- end }}
 {{- with .Values.core.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}

diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
@@ -9,7 +9,9 @@ data:
   {{- if not .Values.existingSecretSecretKey }}
   secretKey: {{ .Values.secretKey | b64enc | quote }}
   {{- end }}
+  {{- if not .Values.core.existingSecret }}
   secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
+  {{- end }}
   {{- if not .Values.core.secretName }}
   {{- $ca := genCA "harbor-token-ca" 365 }}
   tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
@@ -24,7 +26,9 @@ data:
   {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}
+  {{- if not .Values.core.existingXsrfSecret }}
   CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
+  {{- end }}
 {{- if .Values.core.configureUserSettings }}
   CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
 {{- end }}

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -87,8 +87,15 @@ spec:
           - name: CORE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
                 key: secret
+          {{- if .Values.jobservice.existingSecret }}
+          - name: JOBSERVICE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.jobservice.existingSecret }}
+                key: {{ .Values.jobservice.existingSecretKey }}
+          {{- end }}
           {{- if .Values.internalTLS.enabled }}
           - name: INTERNAL_TLS_ENABLED
             value: "true"

diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml
@@ -6,7 +6,9 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+  {{- if not .Values.jobservice.existingSecret }}
   JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+  {{- end }}
   {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}

diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
@@ -200,16 +200,27 @@ spec:
             name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
         {{- end }}
         env:
+        {{- if .Values.registry.existingSecret }}
+        - name: REGISTRY_HTTP_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.registry.existingSecret }}
+              key: {{ .Values.registry.existingSecretKey }}
+        {{- end }}
         - name: CORE_SECRET
           valueFrom:
             secretKeyRef:
-              name: {{ template "harbor.core" . }}
+              name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
               key: secret
         - name: JOBSERVICE_SECRET
           valueFrom:
             secretKeyRef:
-              name: {{ template "harbor.jobservice" . }}
+              name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
+              {{- if .Values.jobservice.existingSecret }}
+              key: {{ .Values.jobservice.existingSecretKey }}
+              {{- else }}
               key: JOBSERVICE_SECRET
+              {{- end }}
         {{- if has "registry" .Values.proxy.components }}
         - name: HTTP_PROXY
           value: "{{ .Values.proxy.httpProxy }}"

diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml
@@ -6,7 +6,9 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+  {{- if not .Values.registry.existingSecret }}
   REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
+  {{- end }}
   {{- if not .Values.redis.external.existingSecret }}
   REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
   {{- end }}

diff --git a/values.yaml b/values.yaml
@@ -483,10 +483,13 @@ core:
   # the scenario of high concurrent pushing to same project, no improvment for other scenes.
   quotaUpdateProvider: db # Or redis
   # Secret is used when core server communicates with other components.
-  # If a secret key is not specified, Helm will generate one.
+  # If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret
   # Must be a string of 16 chars.
   secret: ""
   # Fill in the name of a kubernetes secret if you want to use your own
+  # If using existingSecret, the key must be secret
+  existingSecret: ""
+  # Fill the name of a kubernetes secret if you want to use your own
   # TLS certificate and private key for token encryption/decryption.
   # The secret must contain keys named:
   # "tls.key" - the private key
@@ -501,6 +504,10 @@ core:
   tokenCert: |
   # The XSRF key. Will be generated automatically if it isn't specified
   xsrfKey: ""
+  # If using existingSecret, the key is defined by core.existingXsrfSecretKey
+  existingXsrfSecret: ""
+  # If using existingSecret, the key
+  existingXsrfSecretKey: CSRF_KEY
   ## The priority class to run the pod as
   priorityClassName:
   # The time duration for async update artifact pull_time and repository
@@ -559,6 +566,10 @@ jobservice:
   # If a secret key is not specified, Helm will generate one.
   # Must be a string of 16 chars.
   secret: ""
+  # Use an existing secret resource
+  existingSecret: ""
+  # Key within the existing secret for the job service secret
+  existingSecretKey: JOBSERVICE_SECRET
   ## The priority class to run the pod as
   priorityClassName:
 
@@ -609,6 +620,10 @@ registry:
   # If a secret key is not specified, Helm will generate one.
   # Must be a string of 16 chars.
   secret: ""
+  # Use an existing secret resource
+  existingSecret: ""
+  # Key within the existing secret for the registry service secret
+  existingSecretKey: REGISTRY_HTTP_SECRET
   # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
   relativeurls: false
   credentials: