Merge branch 'main' into varying-secrets

goharbor · Nov 21, 2023 · 8193142 · 8193142
2 parents 10210ab + 626d8e3
commit 8193142
Show file tree

Hide file tree

Showing 10 changed files with 93 additions and 9 deletions.
diff --git a/README.md b/README.md
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -156,12 +156,26 @@ app: "{{ template "harbor.name" . }}"
   {{- end }}
 {{- end -}}
 
+
+{{- define "harbor.redis.pwdfromsecret" -}}
+  {{- (lookup "v1" "Secret"  .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD  | b64dec }}
+{{- end -}}
+
+{{- define "harbor.redis.cred" -}}
+  {{- with .Values.redis }}
+    {{- if (and (eq .type "external" ) (.external.existingSecret)) }}
+      {{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }}
+    {{- else }}
+      {{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 /*scheme://[:password@]host:port[/master_set]*/
 {{- define "harbor.redis.url" -}}
   {{- with .Values.redis }}
     {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }}
-    {{- $cred := ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }}
-    {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}}
+    {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}}
   {{- end }}
 {{- end -}}
 

diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -92,13 +92,17 @@ spec:
           - name: CORE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
                 key: secret
           - name: JOBSERVICE_SECRET
             valueFrom:
               secretKeyRef:
-                name: "{{ template "harbor.jobservice" . }}"
+                name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
+                {{- if .Values.jobservice.existingSecret }}
+                key: {{ .Values.jobservice.existingSecretKey }}
+                {{- else }}
                 key: JOBSERVICE_SECRET
+                {{- end }}
           {{- if .Values.existingSecretAdminPassword }}
           - name: HARBOR_ADMIN_PASSWORD
             valueFrom:
@@ -130,6 +134,13 @@ spec:
                 name: {{ .Values.registry.credentials.existingSecret }}
                 key: REGISTRY_PASSWD
           {{- end }}
+          {{- if .Values.core.existingXsrfSecret }}
+          - name: CSRF_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.core.existingXsrfSecret }}
+                key: {{ .Values.core.existingXsrfSecretKey }}
+          {{- end }}
 {{- with .Values.core.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}

diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
@@ -10,7 +10,9 @@ data:
   {{- if not .Values.existingSecretSecretKey }}
   secretKey: {{ .Values.secretKey | b64enc | quote }}
   {{- end }}
+  {{- if not .Values.core.existingSecret }}
   secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
+  {{- end }}
   {{- if not .Values.core.secretName }}
   {{- $ca := genCA "harbor-token-ca" 365 }}
   tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
@@ -25,7 +27,9 @@ data:
   {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}
+  {{- if not .Values.core.existingXsrfSecret }}
   CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
+  {{- end }}
 {{- if .Values.core.configureUserSettings }}
   CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
 {{- end }}

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -87,8 +87,15 @@ spec:
           - name: CORE_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ template "harbor.core" . }}
+                name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
                 key: secret
+          {{- if .Values.jobservice.existingSecret }}
+          - name: JOBSERVICE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.jobservice.existingSecret }}
+                key: {{ .Values.jobservice.existingSecretKey }}
+          {{- end }}
           {{- if .Values.internalTLS.enabled }}
           - name: INTERNAL_TLS_ENABLED
             value: "true"

diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml
@@ -7,7 +7,9 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+  {{- if not .Values.jobservice.existingSecret }}
   JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
+  {{- end }}
   {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}

diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
@@ -113,6 +113,13 @@ spec:
         - name: INTERNAL_TLS_TRUST_CA_PATH
           value: /etc/harbor/ssl/registry/ca.crt
         {{- end }}
+        {{- if .Values.redis.external.existingSecret }}
+        - name: REGISTRY_REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.redis.external.existingSecret }}
+              key: REDIS_PASSWORD
+        {{- end }}
         {{- if .Values.persistence.imageChartStorage.azure.existingSecret }}
         - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
           valueFrom:
@@ -220,16 +227,27 @@ spec:
             name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }}
         {{- end }}
         env:
+        {{- if .Values.registry.existingSecret }}
+        - name: REGISTRY_HTTP_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.registry.existingSecret }}
+              key: {{ .Values.registry.existingSecretKey }}
+        {{- end }}
         - name: CORE_SECRET
           valueFrom:
             secretKeyRef:
-              name: {{ template "harbor.core" . }}
+              name: {{ default (include "harbor.core" .) .Values.core.existingSecret }}
               key: secret
         - name: JOBSERVICE_SECRET
           valueFrom:
             secretKeyRef:
-              name: {{ template "harbor.jobservice" . }}
+              name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }}
+              {{- if .Values.jobservice.existingSecret }}
+              key: {{ .Values.jobservice.existingSecretKey }}
+              {{- else }}
               key: JOBSERVICE_SECRET
+              {{- end }}
         {{- if has "registry" .Values.proxy.components }}
         - name: HTTP_PROXY
           value: "{{ .Values.proxy.httpProxy }}"

diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml
@@ -7,7 +7,9 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
+  {{- if not .Values.registry.existingSecret }}
   REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
+  {{- end }}
   {{- if not .Values.redis.external.existingSecret }}
   REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
   {{- end }}

diff --git a/test/e2e/Jenkinsfile b/test/e2e/Jenkinsfile
@@ -106,7 +106,7 @@ def properties = {
     }
     return [
         parameters([
-            string(name: 'branch', defaultValue: 'master', description: 'The branch/tag to run for'),
+            string(name: 'branch', defaultValue: 'main', description: 'The branch/tag to run for'),
             choice(name: "cluster", choices: names, description: 'The Kubernetes cluster that the Harbor is deployed on')
         ]),
         buildDiscarder(strategy: logRotator(numToKeepStr: "15")),

diff --git a/values.yaml b/values.yaml
@@ -60,6 +60,7 @@ expose:
       # The service port Harbor listens on when serving HTTP
       httpPort: 80
       # The service port Harbor listens on when serving HTTPS
+      httpsPort: 443
   nodePort:
     # The name of NodePort service
     name: harbor
@@ -486,10 +487,13 @@ core:
   # the scenario of high concurrent pushing to same project, no improvment for other scenes.
   quotaUpdateProvider: db # Or redis
   # Secret is used when core server communicates with other components.
-  # If a secret key is not specified, Helm will generate one.
+  # If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret
   # Must be a string of 16 chars.
   secret: ""
   # Fill in the name of a kubernetes secret if you want to use your own
+  # If using existingSecret, the key must be secret
+  existingSecret: ""
+  # Fill the name of a kubernetes secret if you want to use your own
   # TLS certificate and private key for token encryption/decryption.
   # The secret must contain keys named:
   # "tls.key" - the private key
@@ -504,6 +508,10 @@ core:
   tokenCert: |
   # The XSRF key. Will be generated automatically if it isn't specified
   xsrfKey: ""
+  # If using existingSecret, the key is defined by core.existingXsrfSecretKey
+  existingXsrfSecret: ""
+  # If using existingSecret, the key
+  existingXsrfSecretKey: CSRF_KEY
   ## The priority class to run the pod as
   priorityClassName:
   # The time duration for async update artifact pull_time and repository
@@ -562,6 +570,10 @@ jobservice:
   # If a secret key is not specified, Helm will generate one.
   # Must be a string of 16 chars.
   secret: ""
+  # Use an existing secret resource
+  existingSecret: ""
+  # Key within the existing secret for the job service secret
+  existingSecretKey: JOBSERVICE_SECRET
   ## The priority class to run the pod as
   priorityClassName:
 
@@ -612,6 +624,10 @@ registry:
   # If a secret key is not specified, Helm will generate one.
   # Must be a string of 16 chars.
   secret: ""
+  # Use an existing secret resource
+  existingSecret: ""
+  # Key within the existing secret for the registry service secret
+  existingSecretKey: REGISTRY_HTTP_SECRET
   # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
   relativeurls: false
   credentials: