From fb00e21c37846077beb6ccd0fe72d378a6d2903f Mon Sep 17 00:00:00 2001 From: jjaruszewski Date: Fri, 6 Oct 2023 12:10:10 +0200 Subject: [PATCH 1/6] Fix random values regenerating Signed-off-by: jjaruszewski --- templates/_helpers.tpl | 7 +++++ templates/core/core-secret.yaml | 5 ++-- templates/jobservice/jobservice-secrets.yaml | 3 ++- templates/registry/registry-dpl.yaml | 27 ++++++++++++++++++++ templates/registry/registry-secret.yaml | 7 ++--- values.yaml | 5 ++++ 6 files changed, 48 insertions(+), 6 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 95a28a6c5..ecdd02b52 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -39,6 +39,13 @@ release: {{ .Release.Name }} app: "{{ template "harbor.name" . }}" {{- end -}} +{{/* Helper for printing values from existing secrets*/}} +{{- define "harbor.secretKeyHelper" -}} +{{- if and (not (empty .data)) (hasKey .data .key) }} +{{ index .data .key | b64dec }} +{{- end }} +{{- end -}} + {{- define "harbor.autoGenCert" -}} {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} {{- printf "true" -}} diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 23b352b47..b55e09f52 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -1,3 +1,4 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }} apiVersion: v1 kind: Secret metadata: 
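Review bot: The comment on the new `harbor.secretKeyHelper` does not state its contract, which callers need because the helper is only useful when chained with `default`: it takes a dict with `key` and `data` (the `.data` map of a Secret as returned by `lookup`), renders the base64-decoded value of `key`, and renders nothing when `data` is empty or lacks `key` so that a downstream `| default` falls through to the next candidate. I would replace `{{/* Helper for printing values from existing secrets*/}}` with a comment along the lines of `{{/* Render the b64-decoded .key from .data (a Secret .data map from lookup); renders empty when .data is empty or lacks .key so callers can chain "| default" */}}`. The helper body is complete in this hunk; its callers are in the other files of this patch.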
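Review bot: `lookup` returns an empty map whenever the chart is rendered without cluster access (`helm template`, `--dry-run=client`) or when the caller lacks `get` on Secrets in the release namespace, so on those paths `$existingSecret.data` is empty and the `default (randAlphaNum ...)` fallbacks in the later hunks still produce a fresh value on every render; the commit message does not mention this. A comment above the new line, e.g. `{{- /* lookup is empty under helm template / client-side dry-run or without RBAC to get Secrets; random fallbacks then regenerate */ -}}`, would save the next maintainer a debugging session. The same caveat applies to the identical `lookup` lines added in jobservice-secrets.yaml and registry-secret.yaml, and to the database lookup added to _helpers.tpl in patch 2 of this series.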
@@ -9,7 +10,7 @@ data: {{- if not .Values.existingSecretSecretKey }} secretKey: {{ .Values.secretKey | b64enc | quote }} {{- end }} - secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} + secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} {{- if not .Values.core.secretName }} {{- $ca := genCA "harbor-token-ca" 365 }} tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} @@ -24,7 +25,7 @@ data: {{- if not .Values.registry.credentials.existingSecret }} REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} {{- end }} - CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }} {{- if .Values.core.configureUserSettings }} CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} {{- end }} diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index 3dfa6bd5e..c186f713c 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml @@ -1,3 +1,4 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }} apiVersion: v1 kind: Secret metadata: 
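Review bot: `secret` and `CSRF_KEY` are now stable across renders, but the token CA a few lines below in the same hunk (`{{- $ca := genCA "harbor-token-ca" 365 }}` feeding `tls.key` when `core.tokenKey` is unset) is still regenerated on every render, so the fix in the commit title is only partial for this Secret. If the CA is meant to be sticky too, `tls.key` and its certificate counterpart (presumably a `tls.crt` entry outside this hunk) must be read back from `$existingSecret.data` together, since a regenerated key paired with the previously stored certificate would not match. If leaving the CA regenerating is intentional, a one-line comment above the `genCA` line saying so would stop readers from filing this as a bug; the `data:` block continues past the end of the hunk.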
@@ -6,7 +7,7 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} {{- if not .Values.registry.credentials.existingSecret }} REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} {{- end }} diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index fddba9fa8..fc8647901 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -120,6 +120,33 @@ spec: name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} key: AZURE_STORAGE_ACCESS_KEY {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} {{- with .Values.registry.registry.extraEnvVars }} {{- toYaml . | nindent 8 }} {{- end }} 
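Review bot: `REGISTRY_STORAGE_OSS_ACCESSKEYSECRET` is marked `optional: true`, yet registry-secret.yaml in this same patch writes that key unconditionally when no existing secret is named, so a user-supplied secret that lacks the key would let the registry start with no OSS credential instead of failing at pod creation; drop `optional: true` on that entry (`REGISTRY_STORAGE_SWIFT_PASSWORD` correctly has none, and the two optional swift keys mirror the conditional writes in registry-secret.yaml). The closing `{{- end}}` of the oss block also lacks the space every other `{{- end }}` in the hunk uses. Both points apply equally to the byte-identical block added to the registryctl container in patch 5; since the two copies must stay in sync, moving them into a named template in _helpers.tpl (say `harbor.registry.storageSecretEnv`) and using `{{- include "harbor.registry.storageSecretEnv" . | nindent 8 }}` in both containers would prevent drift. The containers' `env:` lists start and end outside this hunk.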
diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index 529462906..f259e9630 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml @@ -1,3 +1,4 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }} apiVersion: v1 kind: Secret metadata: @@ -6,7 +7,7 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} {{- if not .Values.redis.external.existingSecret }} REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} {{- end }} @@ -23,7 +24,7 @@ data: {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} {{- end }} - {{- else if eq $type "swift" }} + {{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }} REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} {{- if $storage.swift.secretkey }} REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} @@ -31,7 +32,7 @@ data: {{- if $storage.swift.accesskey }} REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} {{- end }} - {{- else if eq $type "oss" }} + {{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} {{- end }} {{- if not .Values.registry.credentials.existingSecret }} diff --git a/values.yaml b/values.yaml index c0270f2fb..b68557b59 100644 --- a/values.yaml +++ b/values.yaml 
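Review bot: The oss condition `{{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }}` wraps `not` in a redundant extra pair of parentheses that the swift branch in the previous hunk does not use; write it as `{{- else if and (eq $type "oss") (not $storage.oss.existingSecret) }}` and, for symmetry, `{{- else if and (eq $type "swift") (not $storage.swift.existingSecret) }}`. Worth a short comment above the `$type` chain as well: when an existing secret is named for the active backend, its whole branch is skipped and no further `else if` matches, so this Secret intentionally carries no credential for that backend and the registry relies on the env vars added in registry-dpl.yaml; a reader could otherwise expect the chain to fall through. The `$type`/`$storage` assignments and the start of the chain are outside these hunks.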
@@ -290,6 +290,8 @@ persistence: username: username password: password container: containername + # keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY + existingSecret: "" #region: fr #tenant: tenantname #tenantid: tenantid @@ -310,6 +312,8 @@ persistence: accesskeysecret: accesskeysecret region: regionname bucket: bucketname + # key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + existingSecret: "" #endpoint: endpoint #internal: false #encrypt: false @@ -617,6 +621,7 @@ registry: existingSecret: "" # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + htpasswdString: "" middleware: enabled: false type: cloudFront From a075633db7390224a667339af3792d23840f804b Mon Sep 17 00:00:00 2001 From: jjaruszewski Date: Fri, 6 Oct 2023 15:04:27 +0200 Subject: [PATCH 2/6] Use existing internal database password Signed-off-by: jjaruszewski --- templates/_helpers.tpl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ecdd02b52..5f40719d5 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
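Review bot: The comment added above `swift.existingSecret` says all three keys `must` be present, but registry-dpl.yaml in this patch marks `REGISTRY_STORAGE_SWIFT_SECRETKEY` and `REGISTRY_STORAGE_SWIFT_ACCESSKEY` as `optional: true`, so the requirement is overstated. Suggested wording: `# existing secret must contain REGISTRY_STORAGE_SWIFT_PASSWORD; REGISTRY_STORAGE_SWIFT_SECRETKEY and REGISTRY_STORAGE_SWIFT_ACCESSKEY are used if present`. The oss comment in the second hunk ("key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET") matches the template only if the `optional: true` on that env entry in registry-dpl.yaml is removed; either the comment or the template should change so the two agree.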
@@ -96,7 +96,12 @@ app: "{{ template "harbor.name" . }}" {{- define "harbor.database.rawPassword" -}} {{- if eq .Values.database.type "internal" -}} - {{- .Values.database.internal.password -}} + {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}} + {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} + {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}} + {{- else -}} + {{- .Values.database.internal.password -}} + {{- end -}} {{- else -}} {{- .Values.database.external.password -}} {{- end -}} From 778eab5a27ad6031fe09331febcc068ea49c9c8c Mon Sep 17 00:00:00 2001 From: jjaruszewski Date: Fri, 6 Oct 2023 15:09:09 +0200 Subject: [PATCH 3/6] Generate initial internal database password Signed-off-by: jjaruszewski --- templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5f40719d5..0589aafef 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -100,7 +100,7 @@ app: "{{ template "harbor.name" . }}" {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}} {{- else -}} - {{- .Values.database.internal.password -}} + {{- .Values.database.internal.password | default (randAlphaNum 16) -}} {{- end -}} {{- else -}} {{- .Values.database.external.password -}} From b306d817f2f2d54ac684306ff6f2dbd3b8f98cbf Mon Sep 17 00:00:00 2001 From: jjaruszewski Date: Fri, 6 Oct 2023 15:49:49 +0200 Subject: [PATCH 4/6] Fix secret helper rendering empty line Signed-off-by: jjaruszewski --- templates/_helpers.tpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 0589aafef..3b7b821e2 100644 --- a/templates/_helpers.tpl 
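Review bot: In `{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}}` the `b64dec` is applied to whichever value `default` selected, so when `database.internal.password` is set in values and the Secret already exists, the plaintext value from values is base64-decoded and the rendered password differs from the configured one (and may not be valid base64 at all). Decode only the looked-up value: `{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}}`. The same line appears unchanged as context in patches 3 and 6 of this series, so the defect survives the final revert; the rest of `harbor.database.rawPassword` is visible in this hunk, its callers are not.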
+++ b/templates/_helpers.tpl @@ -41,9 +41,9 @@ app: "{{ template "harbor.name" . }}" {{/* Helper for printing values from existing secrets*/}} {{- define "harbor.secretKeyHelper" -}} -{{- if and (not (empty .data)) (hasKey .data .key) }} -{{ index .data .key | b64dec }} -{{- end }} + {{- if and (not (empty .data)) (hasKey .data .key) }} + {{- index .data .key | b64dec -}} + {{- end -}} {{- end -}} {{- define "harbor.autoGenCert" -}} From 30ab7fc8193d7e1211b8c745d1de527e891b536a Mon Sep 17 00:00:00 2001 From: jjaruszewski Date: Tue, 21 Nov 2023 11:30:17 +0100 Subject: [PATCH 5/6] Add storage related env to registryctl container Signed-off-by: jjaruszewski --- templates/registry/registry-dpl.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index fc8647901..a9d80ab84 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml 
@@ -262,6 +262,33 @@ spec: name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} key: AZURE_STORAGE_ACCESS_KEY {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} {{- with .Values.registry.controller.extraEnvVars }} {{- toYaml . | nindent 8 }} {{- end }} From 10210ab070fc1edafdb92411394956f5c17cfd37 Mon Sep 17 00:00:00 2001 From: jjaruszewski Date: Tue, 21 Nov 2023 11:38:01 +0100 Subject: [PATCH 6/6] Revert "Generate initial internal database password" This reverts commit 778eab5a27ad6031fe09331febcc068ea49c9c8c. Signed-off-by: jjaruszewski --- templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 3b7b821e2..7310856bc 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -100,7 +100,7 @@ app: "{{ template "harbor.name" . }}" {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}} {{- else -}} - {{- .Values.database.internal.password | default (randAlphaNum 16) -}} + {{- .Values.database.internal.password -}} {{- end -}} {{- else -}} {{- .Values.database.external.password -}}