Merge pull request #1612 from Kajot-dev/varying-secrets
Fix random values regenerating
ywk253100 authored Dec 13, 2023
2 parents 726c44e + 8193142 commit 8a44c93
Showing 6 changed files with 81 additions and 7 deletions.
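--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -39,6 +39,13 @@ release: {{ .Release.Name }}
 app: "{{ template "harbor.name" . }}"
 {{- end -}}
 
+{{/* Helper for printing values from existing secrets*/}}
+{{- define "harbor.secretKeyHelper" -}}
+{{- if and (not (empty .data)) (hasKey .data .key) }}
+{{- index .data .key | b64dec -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "harbor.autoGenCert" -}}
 {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
 {{- printf "true" -}}
@@ -89,7 +96,12 @@ app: "{{ template "harbor.name" . }}"
 
 {{- define "harbor.database.rawPassword" -}}
 {{- if eq .Values.database.type "internal" -}}
-{{- .Values.database.internal.password -}}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}}
+{{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}}
+{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}}
+{{- else -}}
+{{- .Values.database.internal.password -}}
+{{- end -}}
 {{- else -}}
 {{- .Values.database.external.password -}}
 {{- end -}}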
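Review bot: In the `harbor.database.rawPassword` hunk, `b64dec` is applied to the result of the whole `default` chain, so whenever `.Values.database.internal.password` is non-empty the plaintext value from values.yaml is base64-decoded instead of being passed through; only the value read from the existing Secret is base64-encoded. Moving the decode inside the fallback fixes it: `{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}}`. Reusing the `harbor.secretKeyHelper` added in the first hunk here, as the secret templates in this commit do, would give the same precedence with no inner if/else. The `define`'s closing `end` lies outside the hunk.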
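--- a/templates/core/core-secret.yaml
+++ b/templates/core/core-secret.yaml
@@ -1,3 +1,4 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,7 +11,7 @@ data:
 secretKey: {{ .Values.secretKey | b64enc | quote }}
 {{- end }}
 {{- if not .Values.core.existingSecret }}
-secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
+secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
 {{- end }}
 {{- if not .Values.core.secretName }}
 {{- $ca := genCA "harbor-token-ca" 365 }}
@@ -27,7 +28,7 @@ data:
 REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
 {{- end }}
 {{- if not .Values.core.existingXsrfSecret }}
-CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
+CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
 {{- end }}
 {{- if .Values.core.configureUserSettings }}
 CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}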
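Review bot: The new `lookup` on line 1 returns an empty map whenever the chart is rendered without cluster access (`helm template`, `--dry-run`), so `harbor.secretKeyHelper` yields nothing and `secret` and `CSRF_KEY` still fall through to `randAlphaNum` on every render; the lookups added in jobservice-secrets.yaml and registry-secret.yaml behave the same way. That limit is worth recording next to the lookup, e.g. `{{- /* Reuse the values of the release's existing Secret so upgrades do not rotate them; lookup returns an empty map without cluster access (helm template, --dry-run), in which case a fresh random value is generated. */ -}}`. The lookup also runs when `.Values.core.existingSecret` is set and the result is unused, which is harmless but could be guarded if the extra API read matters.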
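--- a/templates/jobservice/jobservice-secrets.yaml
+++ b/templates/jobservice/jobservice-secrets.yaml
@@ -1,3 +1,4 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,7 +8,7 @@ metadata:
 type: Opaque
 data:
 {{- if not .Values.jobservice.existingSecret }}
-JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
 {{- end }}
 {{- if not .Values.registry.credentials.existingSecret }}
 REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}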
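--- a/templates/registry/registry-dpl.yaml
+++ b/templates/registry/registry-dpl.yaml
@@ -127,6 +127,33 @@ spec:
 name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
 key: AZURE_STORAGE_ACCESS_KEY
 {{- end }}
+{{- if .Values.persistence.imageChartStorage.swift.existingSecret }}
+- name: REGISTRY_STORAGE_SWIFT_PASSWORD
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+key: REGISTRY_STORAGE_SWIFT_PASSWORD
+- name: REGISTRY_STORAGE_SWIFT_SECRETKEY
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+key: REGISTRY_STORAGE_SWIFT_SECRETKEY
+optional: true
+- name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+key: REGISTRY_STORAGE_SWIFT_ACCESSKEY
+optional: true
+{{- end }}
+{{- if .Values.persistence.imageChartStorage.oss.existingSecret }}
+- name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }}
+key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
+optional: true
+{{- end}}
 {{- with .Values.registry.registry.extraEnvVars }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -253,6 +280,33 @@ spec:
 name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
 key: AZURE_STORAGE_ACCESS_KEY
 {{- end }}
+{{- if .Values.persistence.imageChartStorage.swift.existingSecret }}
+- name: REGISTRY_STORAGE_SWIFT_PASSWORD
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+key: REGISTRY_STORAGE_SWIFT_PASSWORD
+- name: REGISTRY_STORAGE_SWIFT_SECRETKEY
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+key: REGISTRY_STORAGE_SWIFT_SECRETKEY
+optional: true
+- name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+key: REGISTRY_STORAGE_SWIFT_ACCESSKEY
+optional: true
+{{- end }}
+{{- if .Values.persistence.imageChartStorage.oss.existingSecret }}
+- name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
+valueFrom:
+secretKeyRef:
+name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }}
+key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
+optional: true
+{{- end}}
 {{- with .Values.registry.controller.extraEnvVars }}
 {{- toYaml . | nindent 8 }}
 {{- end }}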
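Review bot: The swift and oss `secretKeyRef` stanzas added for the registry container are repeated line for line for the controller container in the second hunk, so a future change to one set of keys can silently leave the other container reading stale or missing secrets; a named template in the style of the `harbor.*` helpers in `_helpers.tpl`, included from both `env` lists, would keep the two in step. Both hunks also close the oss block with `{{- end}}` where the surrounding file writes `{{- end }}`. The `env` lists the hunks extend begin outside the hunks, so the indentation of the new entries cannot be checked from here.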
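--- a/templates/registry/registry-secret.yaml
+++ b/templates/registry/registry-secret.yaml
@@ -1,3 +1,4 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,7 +8,7 @@ metadata:
 type: Opaque
 data:
 {{- if not .Values.registry.existingSecret }}
-REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
+REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
 {{- end }}
 {{- if not .Values.redis.external.existingSecret }}
 REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
@@ -25,15 +26,15 @@ data:
 {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }}
 REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
 {{- end }}
-{{- else if eq $type "swift" }}
+{{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }}
 REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
 {{- if $storage.swift.secretkey }}
 REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
 {{- end }}
 {{- if $storage.swift.accesskey }}
 REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
 {{- end }}
-{{- else if eq $type "oss" }}
+{{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }}
 REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
 {{- end }}
 {{- if not .Values.registry.credentials.existingSecret }}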
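Review bot: The two new branch conditions in the last hunk are written differently for the same test: the swift branch uses `(not ($storage.swift.existingSecret))` while the oss branch wraps it in a second pair of parentheses, `((not ($storage.oss.existingSecret)))`. Both reduce to the form the s3 branch above already uses, so `{{- else if and (eq $type "swift") (not $storage.swift.existingSecret) }}` and `{{- else if and (eq $type "oss") (not $storage.oss.existingSecret) }}` would read consistently. `$type` and `$storage` are bound before the hunk starts.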
5 changes: 5 additions & 0 deletions values.yaml
Expand Up @@ -293,6 +293,8 @@ persistence:
username: username
password: password
container: containername
# keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY
existingSecret: ""
#region: fr
#tenant: tenantname
#tenantid: tenantid
Expand All @@ -313,6 +315,8 @@ persistence:
accesskeysecret: accesskeysecret
region: regionname
bucket: bucketname
# key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
existingSecret: ""
#endpoint: endpoint
#internal: false
#encrypt: false
Expand Down Expand Up @@ -635,6 +639,7 @@ registry:
existingSecret: ""
# Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt.
# htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string
htpasswdString: ""
middleware:
enabled: false
type: cloudFront
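Review bot: The comment added above `swift.existingSecret` says the Secret's keys "must be" all three of `REGISTRY_STORAGE_SWIFT_PASSWORD`, `REGISTRY_STORAGE_SWIFT_SECRETKEY` and `REGISTRY_STORAGE_SWIFT_ACCESSKEY`, but registry-dpl.yaml in this commit marks the latter two `optional: true` and only the password as required, so the comment overstates what an operator has to provide. Suggested wording: `# existing secret must contain REGISTRY_STORAGE_SWIFT_PASSWORD; REGISTRY_STORAGE_SWIFT_SECRETKEY and REGISTRY_STORAGE_SWIFT_ACCESSKEY are optional`. The oss comment in the second hunk matches its deployment stanza and needs no change.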
