Add support for providing an existing secret to internal database

goharbor · Feb 8, 2024 · adfb522 · adfb522
1 parent fda5004
commit adfb522
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 8 deletions.
diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
@@ -21,7 +21,7 @@ data:
   {{- if not .Values.existingSecretAdminPassword }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
   {{- end }}
-  {{- if not .Values.database.external.existingSecret }}
+  {{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }}
   POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
   {{- end }}
   {{- if not .Values.registry.credentials.existingSecret }}

diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.database.type "internal" -}}
+{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
@@ -97,14 +97,16 @@ spec:
         resources:
 {{ toYaml .Values.database.internal.resources | indent 10 }}
 {{- end }}
-        envFrom:
-          - secretRef:
-              name: "{{ template "harbor.database" . }}"
         env:
           # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
           # more detail refer to https://github.com/goharbor/harbor-helm/issues/756
           - name: PGDATA
             value: "/var/lib/postgresql/data/pgdata"
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.database.internal.existingSecret | default (include "harbor.database" .) }}
+                key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }}
 {{- with .Values.database.internal.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}

diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -82,6 +82,13 @@ spec:
               name: {{ .Values.database.external.existingSecret }}
               key: password
         {{- end }}
+        {{- if .Values.database.internal.existingSecret }}
+        - name: HARBOR_DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.database.internal.existingSecret }}
+              key: {{ .Values.database.internal.existingSecretKey | default "password" }}
+        {{- end }}
         {{- if .Values.existingSecretAdminPassword }}
         - name: HARBOR_ADMIN_PASSWORD
           valueFrom:

diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.metrics.enabled}}
+{{- if .Values.metrics.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,7 +10,7 @@ data:
 {{- if not .Values.existingSecretAdminPassword }}
   HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
 {{- end }}
-{{- if not .Values.database.external.existingSecret }}
+{{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }}
   HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{- end }}
 {{- end }}
diff --git a/values.yaml b/values.yaml
@@ -847,8 +847,12 @@ database:
     affinity: {}
     ## The priority class to run the pod as
     priorityClassName:
-    # The initial superuser password for internal database
+    # The initial superuser password for internal database (ignored if existingSecret is set)
     password: "changeit"
+    # Use an existing secret resource
+    existingSecret: ""
+    # Key within the existing secret for the registry service secret
+    existingSecretKey: POSTGRES_PASSWORD
     # The size limit for Shared memory, pgSQL use it for shared_buffer
     # More details see:
     # https://github.com/goharbor/harbor/issues/15034