From c813982b164d0bd81a4b044c68d8e0e967922f7b Mon Sep 17 00:00:00 2001
From: Alexandre DEFRASNE
Date: Wed, 26 Jun 2024 14:20:51 -0400
Subject: [PATCH 1/6] values schema
Signed-off-by: Alexandre DEFRASNE
---
values.yaml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/values.yaml b/values.yaml
index ec3e4c499..fb3cb9261 100644
--- a/values.yaml
+++ b/values.yaml
@@ -938,8 +938,16 @@ database:
 username: "user"
 password: "password"
 coreDatabase: "registry"
- # if using existing secret, the key must be "password"
- existingSecret: ""
+ # Use an external secret and provide key mappings
+ existingSecret:
+ enabled: true
+ name: ""
+ keys:
+ host: host
+ port: port
+ username: username
+ password: password
+ coreDatabase: dbName
 # "disable" - No SSL
 # "require" - Always SSL (skip verification)
 # "verify-ca" - Always SSL (verify that the certificate presented by the
From 77e0bb7d4a5ceb75bd788521e4cd495a3052cba3 Mon Sep 17 00:00:00 2001
From: Alexandre DEFRASNE
Date: Wed, 26 Jun 2024 14:41:41 -0400
Subject: [PATCH 2/6] add dpl + cm + secret logic
Signed-off-by: Alexandre DEFRASNE
---
templates/core/core-cm.yaml | 2 ++
templates/core/core-dpl.yaml | 34 ++++++++++++++++++++++++++++++---
templates/core/core-secret.yaml | 2 +-
values.yaml | 2 +-
4 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/templates/core/core-cm.yaml b/templates/core/core-cm.yaml
index 93cab01b4..d49ca7b85 100644
--- a/templates/core/core-cm.yaml
+++ b/templates/core/core-cm.yaml
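Review bot: Turning `existingSecret` from a string into a mapping is a breaking values change that the series does not handle: a release that already sets `database.external.existingSecret: "some-secret"` will fail to render once the templates evaluate `.existingSecret.enabled` on a string value (patch 2 onward), because Go templates cannot evaluate a field on a string. Either accept both shapes in a helper (a `kindIs "string"` branch) or document the migration in the chart's upgrade notes. The `keys` defaults are also inconsistent: four mirror their field name while `coreDatabase` maps to `dbName`; consider `coreDatabase: coreDatabase`, or a comment explaining why it differs. The comment above the block should say what the flag changes, e.g. `# When enabled, host/port/username/password/coreDatabase are read from this Secret and the plain values above appear to be ignored by core and exporter`.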
@@ -14,10 +14,12 @@ data:
 httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }}
 PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}"
 DATABASE_TYPE: "postgresql"
+ {{- if not .Values.database.external.existingSecret.enabled }}
 POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}"
 POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}"
 POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}"
 POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}"
+ {{- end }}
 POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
 POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
 POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
index 2ee8fd59c..95917ad43 100644
--- a/templates/core/core-dpl.yaml
+++ b/templates/core/core-dpl.yaml
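Review bot: The new guard keys only on `existingSecret.enabled` and never consults `.Values.database.type`, so a release using the internal database with this flag set to true silently loses `POSTGRESQL_HOST`/`PORT`/`USERNAME`/`DATABASE` from the ConfigMap, where the helpers would otherwise have produced the internal service address. Since `existingSecret` lives under `database.external`, the guard should probably be `{{- if not (and (eq .Values.database.type "external") .Values.database.external.existingSecret.enabled) }}`; this is inferred from the values layout, as the helper definitions are outside this patch. The same applies to the exporter ConfigMap hunk in patch 4.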
@@ -126,12 +126,40 @@ spec:
 - name: INTERNAL_TLS_TRUST_CA_PATH
 value: /etc/harbor/ssl/core/ca.crt
 {{- end }}
- {{- if .Values.database.external.existingSecret }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_HOST
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.host }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.port }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.username }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
 - name: POSTGRESQL_PASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ .Values.database.external.existingSecret }}
- key: password
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.password }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.coreDatabase }}
 {{- end }}
 {{- if .Values.registry.credentials.existingSecret }}
 - name: REGISTRY_CREDENTIAL_PASSWORD
diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
index 62a41fce8..e0f05c846 100644
--- a/templates/core/core-secret.yaml
+++ b/templates/core/core-secret.yaml
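Review bot: `secretKeyRef.name` and `key` are rendered unquoted and unchecked: an empty `existingSecret.name` produces `name:` with no value, and a name or key that YAML types as a number or boolean (`1234`, `on`) is emitted as a non-string, both of which only surface when the pod fails to start. Use `name: {{ required "database.external.existingSecret.name is required when enabled" .Values.database.external.existingSecret.name | quote }}` and `key: {{ .Values.database.external.existingSecret.keys.host | quote }}` (likewise for the other four keys) so a misconfiguration is reported by `helm template`/`helm install` instead. The five consecutive `{{- if …enabled }}` blocks test the same condition; one `if` around all five env entries reads better and keeps the `{{- end }}` count obvious. The same points apply to the pre-upgrade job hunk in patch 3 and the exporter Deployment hunks in patches 4 and 5.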
@@ -21,7 +21,7 @@ data:
 {{- if not .Values.existingSecretAdminPassword }}
 HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
 {{- end }}
- {{- if not .Values.database.external.existingSecret }}
+ {{- if not .Values.database.external.existingSecret.enabled }}
 POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{- end }}
 {{- if not .Values.registry.credentials.existingSecret }}
diff --git a/values.yaml b/values.yaml
index fb3cb9261..92b06c2a4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -941,7 +941,7 @@ database:
 # Use an external secret and provide key mappings
 existingSecret:
 enabled: true
- name: ""
+ name: "my-external-secret-name"
 keys:
 host: host
 port: port
From 1f3c2784c6452b8a5fc47f0e203a003d9d9527ee Mon Sep 17 00:00:00 2001
From: Alexandre DEFRASNE
Date: Wed, 26 Jun 2024 14:44:09 -0400
Subject: [PATCH 3/6] add job
Signed-off-by: Alexandre DEFRASNE
---
templates/core/core-pre-upgrade-job.yaml | 40 ++++++++++++++++++++----
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml
index ce0b13134..6d9b3c26b 100644
--- a/templates/core/core-pre-upgrade-job.yaml
+++ b/templates/core/core-pre-upgrade-job.yaml
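Review bot: Shipping `name: "my-external-secret-name"` as the values.yaml default (second hunk) means an operator who sets `enabled: true` and forgets the override gets a Deployment referencing a Secret that does not exist, which only shows up as the pod failing to start. Keep the default at `""` and have the templates enforce presence with `required`, so the mistake is reported at render time. If the intent is to show an example, put it in the comment instead: `# name: the Secret holding the database connection values, e.g. "my-external-secret-name"`.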
@@ -40,13 +40,41 @@ spec:
 name: "{{ template "harbor.core" . }}"
 - secretRef:
 name: "{{ template "harbor.core" . }}"
- {{- if .Values.database.external.existingSecret }}
 env:
- - name: POSTGRESQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ .Values.database.external.existingSecret }}
- key: password
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_HOST
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.host }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.port }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.username }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.password }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: POSTGRESQL_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.coreDatabase }}
 {{- end }}
 {{- if not (empty .Values.containerSecurityContext) }}
 securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
From 95753eeff0ecea1054601771c1a07e687e3db9c2 Mon Sep 17 00:00:00 2001
From: Alexandre DEFRASNE
Date: Wed, 26 Jun 2024 14:51:32 -0400
Subject: [PATCH 4/6] add exporter cm+secret+dpl
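Review bot: `env:` is now emitted unconditionally because the removed `{{- if .Values.database.external.existingSecret }}` used to wrap it, so with `existingSecret.enabled: false` the Job renders `env:` with a null value; the API server tolerates that, but strict schema validators may not, and the commit does not mention the change. Move `env:` inside the condition and, since all five blocks test the same flag, collapse them into one group so that the `{{- end }}` that is context here closes the whole thing. Quoting `name` and `key` as noted on the core Deployment hunk applies here as well.
```yaml
        {{- if .Values.database.external.existingSecret.enabled }}
        env:
        - name: POSTGRESQL_HOST
          valueFrom:
            secretKeyRef:
              name: {{ .Values.database.external.existingSecret.name | quote }}
              key: {{ .Values.database.external.existingSecret.keys.host | quote }}
        # … POSTGRESQL_PORT, POSTGRESQL_USERNAME, POSTGRESQL_PASSWORD and POSTGRESQL_DATABASE entries in the same shape, without their own if/end …
        {{- end }}
```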
Signed-off-by: Alexandre DEFRASNE
---
templates/exporter/exporter-cm-env.yaml | 2 ++
templates/exporter/exporter-dpl.yaml | 37 +++++++++++++++++++++++++
templates/exporter/exporter-secret.yaml | 2 +-
3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/templates/exporter/exporter-cm-env.yaml b/templates/exporter/exporter-cm-env.yaml
index 0bf4e7d90..95783e32f 100644
--- a/templates/exporter/exporter-cm-env.yaml
+++ b/templates/exporter/exporter-cm-env.yaml
@@ -25,10 +25,12 @@ data:
 HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}"
 HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}"
 HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}"
+ {{- if not .Values.database.external.existingSecret.enabled }}
 HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}"
 HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}"
 HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}"
 HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}"
+ {{- end }}
 HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}"
 HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}"
 HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}"
diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
index 01e9258ea..9ab64c507 100644
--- a/templates/exporter/exporter-dpl.yaml
+++ b/templates/exporter/exporter-dpl.yaml
@@ -86,6 +86,43 @@ spec:
 name: {{ .Values.database.external.existingSecret }}
 key: password
 {{- end }}
+# ====
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_HOST
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.host }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.port }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.username }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.password }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_DBNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.coreDatabase }}
+ {{- end }}
+# ====
 {{- if .Values.existingSecretAdminPassword }}
 - name: HARBOR_ADMIN_PASSWORD
 valueFrom:
diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml
index 434a1bf68..e64e7cf5b 100644
--- a/templates/exporter/exporter-secret.yaml
+++ b/templates/exporter/exporter-secret.yaml
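Review bot: At this commit the exporter Deployment is broken: the old `{{- if .Values.database.external.existingSecret }}` block whose tail is the context at the top of the hunk (its opening `if` is outside the hunk) is still present, and since `existingSecret` is now a non-empty mapping that condition is true, so `HARBOR_DATABASE_PASSWORD` is emitted twice and the first copy renders the Go map value as `secretKeyRef.name`. Patch 5 removes that block and the `# ====` markers, so the two commits should be squashed to keep the series bisectable.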
@@ -10,7 +10,7 @@ data:
 {{- if not .Values.existingSecretAdminPassword }}
 HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
 {{- end }}
-{{- if not .Values.database.external.existingSecret }}
+{{- if not .Values.database.external.existingSecret.enabled }}
 HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{- end }}
 {{- end }}
From 2918d363828e373e45ce4977b71cbed932598040 Mon Sep 17 00:00:00 2001
From: Alexandre DEFRASNE
Date: Wed, 26 Jun 2024 14:53:12 -0400
Subject: [PATCH 5/6] cleanup
Signed-off-by: Alexandre DEFRASNE
---
templates/exporter/exporter-dpl.yaml | 71 ++++++++++++---------------
1 file changed, 31 insertions(+), 40 deletions(-)
diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
index 9ab64c507..51c0da4f2 100644
--- a/templates/exporter/exporter-dpl.yaml
+++ b/templates/exporter/exporter-dpl.yaml
@@ -79,50 +79,41 @@ spec:
 - secretRef:
 name: "{{ template "harbor.exporter" . }}"
 env:
- {{- if .Values.database.external.existingSecret }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_HOST
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.host }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.port }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.username }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
 - name: HARBOR_DATABASE_PASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ .Values.database.external.existingSecret }}
- key: password
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.password }}
+ {{- end }}
+ {{- if .Values.database.external.existingSecret.enabled }}
+ - name: HARBOR_DATABASE_DBNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.database.external.existingSecret.name }}
+ key: {{ .Values.database.external.existingSecret.keys.coreDatabase }}
 {{- end }}
-# ====
- {{- if .Values.database.external.existingSecret.enabled }}
- - name: HARBOR_DATABASE_HOST
- valueFrom:
- secretKeyRef:
- name: {{ .Values.database.external.existingSecret.name }}
- key: {{ .Values.database.external.existingSecret.keys.host }}
- {{- end }}
- {{- if .Values.database.external.existingSecret.enabled }}
- - name: HARBOR_DATABASE_PORT
- valueFrom:
- secretKeyRef:
- name: {{ .Values.database.external.existingSecret.name }}
- key: {{
.Values.database.external.existingSecret.keys.port }}
- {{- end }}
- {{- if .Values.database.external.existingSecret.enabled }}
- - name: HARBOR_DATABASE_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ .Values.database.external.existingSecret.name }}
- key: {{ .Values.database.external.existingSecret.keys.username }}
- {{- end }}
- {{- if .Values.database.external.existingSecret.enabled }}
- - name: HARBOR_DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ .Values.database.external.existingSecret.name }}
- key: {{ .Values.database.external.existingSecret.keys.password }}
- {{- end }}
- {{- if .Values.database.external.existingSecret.enabled }}
- - name: HARBOR_DATABASE_DBNAME
- valueFrom:
- secretKeyRef:
- name: {{ .Values.database.external.existingSecret.name }}
- key: {{ .Values.database.external.existingSecret.keys.coreDatabase }}
- {{- end }}
-# ====
 {{- if .Values.existingSecretAdminPassword }}
 - name: HARBOR_ADMIN_PASSWORD
 valueFrom:
From ddf5f980b41412ad15a4d75175b900d72535e059 Mon Sep 17 00:00:00 2001
From: Alexandre DEFRASNE
Date: Wed, 26 Jun 2024 16:31:50 -0400
Subject: [PATCH 6/6] disabled by default
Signed-off-by: Alexandre DEFRASNE
---
values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/values.yaml b/values.yaml
index 92b06c2a4..db292ecc5 100644
--- a/values.yaml
+++ b/values.yaml
@@ -940,7 +940,7 @@ database:
 coreDatabase: "registry"
 # Use an external secret and provide key mappings
 existingSecret:
- enabled: true
+ enabled: false
 name: "my-external-secret-name"
 keys:
 host: host
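Review bot: Flipping the default to `false` is the right call, but the comment above the block (context in the last hunk) still reads only `# Use an external secret and provide key mappings` and does not tell the reader what `enabled` changes or what the entries under `keys` mean. Suggest replacing it with `# When enabled, core and exporter read host/port/username/password/coreDatabase from the Secret named below; each entry under keys is the key name inside that Secret`, and adding `# ignored when existingSecret.enabled is true` next to the plain values it supersedes.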