Merge pull request #1410 from zyyw/1.9.0-cp-1389
add docs, values, and template updates to remove default tls key and …
ywk253100 authored Feb 22, 2023
2 parents e4aca1d + 53feedf commit a133588
Showing 6 changed files with 15 additions and 89 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -233,6 +233,8 @@ The following table lists the configurable parameters of the Harbor chart and th
| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | |
| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | |
| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | |
| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
| `core.priorityClassName` | The priority class to run the pod as | |
| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | |
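Review bot: the `core.secretName` row still ends with "The default key pair will be used if it isn't set", which this commit makes false by deleting `cert/tls.crt` and `cert/tls.key`. Suggest rewording it to match what the two new rows imply: when `core.secretName` is unset the pair comes from `core.tokenKey`/`core.tokenCert`, and when those are unset as well an ephemeral pair is generated at render time. The new rows would also benefit from one sentence saying that the generated pair is not stable across upgrades, since that is the behaviour an operator most needs to know before choosing not to pin a key.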
28 changes: 0 additions & 28 deletions cert/tls.crt

This file was deleted.

51 changes: 0 additions & 51 deletions cert/tls.key

This file was deleted.
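Review bot: deleting the committed key pair (this file and `cert/tls.crt` above) stops new installs from sharing a default signing key, but the private key remains retrievable from repository history, so any existing install deployed without `core.secretName` keeps signing tokens with a publicly known key until it is upgraded. Worth stating in the commit message or release notes that upgrading rotates that pair (to a user-supplied `tokenKey`/`tokenCert` or to a generated one) and that tokens issued under the old key stop verifying at that point.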

9 changes: 5 additions & 4 deletions templates/core/core-secret.yaml
Expand Up @@ -8,10 +8,11 @@ type: Opaque
data:
secretKey: {{ .Values.secretKey | b64enc | quote }}
secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
{{- if not .Values.core.secretName }}
tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
{{- end }}
{{- if not .Values.core.secretName }}
{{- $ca := genCA "harbor-token-ca" 365 }}
tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }}
{{- end }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
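Review bot: nothing in this block enforces the "both set or both unset" rule that the README and values comments promise for `tokenKey`/`tokenCert`. Because `default` is applied to each value separately, setting only `core.tokenKey` produces `tls.key` from the user and `tls.crt` from the freshly generated `$ca`, a mismatched pair that only surfaces when token verification fails. Suggest a guard ahead of the `genCA` line, e.g. `{{- if ne (empty .Values.core.tokenKey) (empty .Values.core.tokenCert) }}{{ fail "core.tokenKey and core.tokenCert must both be set or both be unset" }}{{- end }}`. Separately, `genCA` runs on every render, so without `secretName` or a pinned pair the key changes on each `helm upgrade`; that matches the "ephemeral" wording in values.yaml but its consequence (outstanding tokens no longer verify) should be documented.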
4 changes: 0 additions & 4 deletions templates/exporter/exporter-secret.yaml
Expand Up @@ -7,10 +7,6 @@ metadata:
{{ include "harbor.labels" . | indent 4 }}
type: Opaque
data:
{{- if not .Values.exporter.secretName }}
tls.crt: {{ .Files.Get "cert/tls.crt" | b64enc }}
tls.key: {{ .Files.Get "cert/tls.key" | b64enc }}
{{- end }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end }}
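Review bot: this hunk drops the exporter's own copy of `tls.crt`/`tls.key` and the `.Values.exporter.secretName` switch without showing where the exporter now obtains the token certificate. If the exporter still needs the pair to validate core-issued tokens, its deployment should be updated in the same change to mount the core secret (or the user's `core.secretName`); otherwise it is left referencing keys that no longer exist in its secret. If `exporter.secretName` is no longer honoured, remove it from values.yaml and the README so users do not set a value that is silently ignored.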
10 changes: 8 additions & 2 deletions values.yaml
Expand Up @@ -471,10 +471,16 @@ core:
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate and private key for token encryption/decryption.
# The secret must contain keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# The default key pair will be used if it isn't set
# "tls.crt" - the certificate
secretName: ""
# If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead.
# If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated.
# tokenKey and tokenCert must BOTH be set or BOTH unset.
# The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line.
tokenKey: |
# If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line.
tokenCert: |
# The XSRF key. Will be generated automatically if it isn't specified
xsrfKey: ""
## The priority class to run the pod as
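Review bot: the comment block above `secretName` now lists only `"tls.crt" - the certificate`; the `"tls.key" - the private key` line was lost in the reshuffle, so the documented secret contents are incomplete and disagree with the README row, which lists both keys. Restore the `tls.key` line beside the `tls.crt` one. Also, `tokenKey: |` and `tokenCert: |` as empty block scalars work fine with `default`, but a one-line reminder that a multi-line PEM is awkward to pass with `--set` (use `--set-file` or a values file) would save support questions.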
