From 5025ecbc707286983f7166c71e6c1c5c9b2d1bfb Mon Sep 17 00:00:00 2001 From: Caleb tenBerge Date: Tue, 19 Mar 2024 10:19:46 -0500 Subject: [PATCH 1/2] Support existing secret for internal DB Signed-off-by: Caleb tenBerge --- README.md | 1 + templates/core/core-dpl.yaml | 9 ++++++++- templates/core/core-secret.yaml | 2 +- templates/database/database-secret.yaml | 2 ++ templates/database/database-ss.yaml | 8 +++++--- templates/exporter/exporter-dpl.yaml | 9 ++++++++- templates/exporter/exporter-secret.yaml | 4 ++-- values.yaml | 4 +++- 8 files changed, 30 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 91687ddaf..204211dd4 100644 --- a/README.md +++ b/README.md @@ -313,6 +313,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | | `database.internal.image.tag` | Tag for database image | `dev` | | `database.internal.password` | The password for database | `changeit` | +| `database.internal.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | | `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | | `database.internal.resources` | The [resources] to allocate for container | undefined | | `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 8c551b899..0be68e814 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml 
@@ -120,13 +120,20 @@ spec: - name: INTERNAL_TLS_TRUST_CA_PATH value: /etc/harbor/ssl/core/ca.crt {{- end }} - {{- if .Values.database.external.existingSecret }} + {{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }} - name: POSTGRESQL_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.database.external.existingSecret }} key: password {{- end }} + {{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.internal.existingSecret }} + key: password + {{- end }} {{- if .Values.registry.credentials.existingSecret }} - name: REGISTRY_CREDENTIAL_PASSWORD valueFrom: diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 62a41fce8..521fcdc8a 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -21,7 +21,7 @@ data: {{- if not .Values.existingSecretAdminPassword }} HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} {{- end }} - {{- if not .Values.database.external.existingSecret }} + {{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }} POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{- end }} {{- if not .Values.registry.credentials.existingSecret }} diff --git a/templates/database/database-secret.yaml b/templates/database/database-secret.yaml index 864aff4a1..58feee232 100644 --- a/templates/database/database-secret.yaml +++ b/templates/database/database-secret.yaml @@ -1,4 +1,5 @@ {{- if eq .Values.database.type "internal" -}} +{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}} apiVersion: v1 kind: Secret metadata: @@ -9,3 +10,4 @@ type: Opaque data: POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{- end -}} +{{- end -}} \ No newline at end of file 
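Review bot: The new internal branch hard-codes `key: password`, while the database StatefulSet in the same patch (templates/database/database-ss.yaml) reads the same secret with `existingSecretKey | default "POSTGRES_PASSWORD"`, so a user who follows the README and stores the password under `password` gets a core pod that starts and a database pod that fails at container creation on the missing key; both templates need the same default. The same `password` literal is used in the exporter hunk of this patch, and patch 2 makes the key configurable in core-dpl, the pre-upgrade job and exporter-dpl but still leaves the defaults split between `password` and `POSTGRES_PASSWORD`. The secret name is also rendered unquoted; `name: {{ .Values.database.internal.existingSecret | quote }}` keeps a numeric-looking name from being retyped by the YAML parser.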
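Review bot: The new guard on `POSTGRESQL_PASSWORD` does not consult `database.type`, but the two `secretKeyRef` branches in core-dpl.yaml from the previous hunk do, so a values file with `database.type: internal` and a stale `database.external.existingSecret` (or the reverse) removes the key from this Secret while no deployment branch supplies it, and core, which presumably reads the key through this Secret, is left without a database password. Before this patch both templates used the same bare `existingSecret` test, so the gap is new. Mirror the deployment condition: `{{- if not (or (and (eq .Values.database.type "external") .Values.database.external.existingSecret) (and (eq .Values.database.type "internal") .Values.database.internal.existingSecret)) }}`. The same condition is added to templates/exporter/exporter-secret.yaml in this patch, and patch 2's core-secret hunk only swaps the two operands.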
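Review bot: The inserted `{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}}` re-tests the type that the enclosing `{{- if eq .Values.database.type "internal" -}}` on the line above already established, and the second hunk adds a matching extra `{{- end -}}` with no trailing newline. Folding the new check into the outer line, `{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}}`, and dropping the added `{{- end -}}` renders the same output with one level of nesting. Skipping the chart-managed Secret entirely when an existing one is supplied is the right call, since it avoids leaving a second copy of the password in the namespace.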
diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index 3b2117df8..509ad69fb 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -86,14 +86,16 @@ spec: resources: {{ toYaml .Values.database.internal.resources | indent 10 }} {{- end }} - envFrom: - - secretRef: - name: "{{ template "harbor.database" . }}" env: # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 - name: PGDATA value: "/var/lib/postgresql/data/pgdata" + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.internal.existingSecret | default (include "harbor.database" .) }} + key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }} {{- with .Values.database.internal.extraEnvVars }} {{- toYaml . | nindent 10 }} {{- end }} diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml index 4428b73be..3c4c1c88e 100644 --- a/templates/exporter/exporter-dpl.yaml +++ b/templates/exporter/exporter-dpl.yaml @@ -77,13 +77,20 @@ spec: - secretRef: name: "{{ template "harbor.exporter" . }}" env: - {{- if .Values.database.external.existingSecret }} + {{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }} - name: HARBOR_DATABASE_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.database.external.existingSecret }} key: password {{- end }} + {{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.internal.existingSecret }} + key: password + {{- end }} {{- if .Values.existingSecretAdminPassword }} - name: HARBOR_ADMIN_PASSWORD valueFrom: diff --git a/templates/exporter/exporter-secret.yaml b/templates/exporter/exporter-secret.yaml index 434a1bf68..4cc7cece3 100644 
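Review bot: The single `default` chain on `name`/`key` couples the existing-secret key default to the chart-managed Secret: when `existingSecret` is empty the fallback from database-secret.yaml carries only `POSTGRES_PASSWORD`, so the default here cannot be changed to `password` to match core-dpl without breaking a default install, yet with `existingSecret` set and `existingSecretKey` empty the database pod looks up `POSTGRES_PASSWORD` where core looks up `password`. `existingSecretKey` is also read here before values.yaml declares it (patch 2 adds it). Splitting the two cases keeps the chart-managed path as it was and lets the existing-secret path share core's default; replacing the removed `envFrom` with one `secretKeyRef` loses nothing, because the chart-managed Secret's `data` holds only `POSTGRES_PASSWORD`.
```yaml
        env:
          # … unchanged: PGDATA entry …
          - name: POSTGRES_PASSWORD
            valueFrom:
              secretKeyRef:
                {{- if .Values.database.internal.existingSecret }}
                name: {{ .Values.database.internal.existingSecret | quote }}
                key: {{ .Values.database.internal.existingSecretKey | default "password" | quote }}
                {{- else }}
                name: "{{ template "harbor.database" . }}"
                key: POSTGRES_PASSWORD
                {{- end }}
          # … unchanged: extraEnvVars block …
```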
--- a/templates/exporter/exporter-secret.yaml +++ b/templates/exporter/exporter-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.metrics.enabled}} +{{- if .Values.metrics.enabled }} apiVersion: v1 kind: Secret metadata: @@ -10,7 +10,7 @@ data: {{- if not .Values.existingSecretAdminPassword }} HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} {{- end }} -{{- if not .Values.database.external.existingSecret }} +{{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }} HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{- end }} {{- end }} diff --git a/values.yaml b/values.yaml index 7e7490650..f362085b0 100644 --- a/values.yaml +++ b/values.yaml @@ -873,8 +873,10 @@ database: affinity: {} ## The priority class to run the pod as priorityClassName: - # The initial superuser password for internal database + # The initial superuser password for internal database (ignored if existingSecret is set) password: "changeit" + # if using existing secret, the key must be "password" + existingSecret: "" # The size limit for Shared memory, pgSQL use it for shared_buffer # More details see: # https://github.com/goharbor/harbor/issues/15034 From b76431bf103062def38e3111bb1a54017e78beb4 Mon Sep 17 00:00:00 2001 From: Caleb tenBerge Date: Fri, 22 Mar 2024 11:28:47 -0500 Subject: [PATCH 2/2] improved use of existing secret for db Signed-off-by: Caleb tenBerge --- README.md | 6 ++++-- templates/core/core-dpl.yaml | 4 ++-- templates/core/core-pre-upgrade-job.yaml | 4 ++-- templates/core/core-secret.yaml | 2 +- templates/exporter/exporter-dpl.yaml | 11 +++++------ values.yaml | 8 ++++++-- 6 files changed, 20 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 204211dd4..0250afcb3 100644 --- a/README.md +++ b/README.md 
@@ -313,7 +313,8 @@ The following table lists the configurable parameters of the Harbor chart and th | `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | | `database.internal.image.tag` | Tag for database image | `dev` | | `database.internal.password` | The password for database | `changeit` | -| `database.internal.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.internal.existingSecret` | An existing secret containing the database password. | `""` | +| `database.internal.existingSecretKey` | The existing secrets key for database password | `""` | | `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | | `database.internal.resources` | The [resources] to allocate for container | undefined | | `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | 
@@ -330,7 +331,8 @@ The following table lists the configurable parameters of the Harbor chart and th | `database.external.username` | The username of external database | `user` | | `database.external.password` | The password of external database | `password` | | `database.external.coreDatabase` | The database used by core service | `registry` | -| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.existingSecret` | An existing password containing the database password. | `""` | +| `database.external.existingSecretKey` | The existing secrets key for database password | `""` | | `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | | `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | | `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 0be68e814..dc4f53fcd 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -125,14 +125,14 @@ spec: valueFrom: secretKeyRef: name: {{ .Values.database.external.existingSecret }} - key: password + key: {{ .Values.database.external.existingSecretKey | default "password" }} {{- end }} {{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }} - name: POSTGRESQL_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.database.internal.existingSecret }} - key: password + key: {{ .Values.database.internal.existingSecretKey | default "password" }} {{- end }} {{- if .Values.registry.credentials.existingSecret }} - name: REGISTRY_CREDENTIAL_PASSWORD 
diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml index ce0b13134..1f1dd86f0 100644 --- a/templates/core/core-pre-upgrade-job.yaml +++ b/templates/core/core-pre-upgrade-job.yaml @@ -46,11 +46,11 @@ spec: valueFrom: secretKeyRef: name: {{ .Values.database.external.existingSecret }} - key: password + key: {{ .Values.database.external.existingSecretKey | default "password" }} {{- end }} {{- if not (empty .Values.containerSecurityContext) }} securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} - {{- end }} + {{- end }} volumeMounts: - name: config mountPath: /etc/core/app.conf diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 521fcdc8a..7bca372a0 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -21,7 +21,7 @@ data: {{- if not .Values.existingSecretAdminPassword }} HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} {{- end }} - {{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }} + {{- if and (not .Values.database.internal.existingSecret) (not .Values.database.external.existingSecret) }} POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{- end }} {{- if not .Values.registry.credentials.existingSecret }} diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml index 3c4c1c88e..03e3136ba 100644 --- a/templates/exporter/exporter-dpl.yaml +++ b/templates/exporter/exporter-dpl.yaml 
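Review bot: Only the external-database branch of this job is touched, while patch 1's core-secret change now omits `POSTGRESQL_PASSWORD` from the core Secret whenever `database.internal.existingSecret` is set; if this job takes its database password from that Secret (its env setup starts above the hunk), it would need the same internal branch core-dpl gained, otherwise the pre-upgrade job runs without a password exactly when an internal existing secret is in use. The `if` that opens the visible block is also above the hunk; if it is still the bare `.Values.database.external.existingSecret` test, it lacks the `database.type` guard the deployments got in patch 1. The `{{- end }}` line is a whitespace-only change.
```yaml
      # … unchanged: external existingSecret branch …
      {{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
        - name: POSTGRESQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ .Values.database.internal.existingSecret }}
              key: {{ .Values.database.internal.existingSecretKey | default "password" }}
      {{- end }}
```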
@@ -77,19 +77,22 @@ spec: - secretRef: name: "{{ template "harbor.exporter" . }}" env: + {{- with .Values.exporter.extraEnvVars }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }} - name: HARBOR_DATABASE_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.database.external.existingSecret }} - key: password + key: {{ .Values.database.external.existingSecretKey | default "POSTGRES_PASSWORD" }} {{- end }} {{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }} - name: HARBOR_DATABASE_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.database.internal.existingSecret }} - key: password + key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }} {{- end }} {{- if .Values.existingSecretAdminPassword }} - name: HARBOR_ADMIN_PASSWORD @@ -101,10 +104,6 @@ spec: {{- if .Values.exporter.resources }} resources: {{ toYaml .Values.exporter.resources | indent 10 }} -{{- end }} -{{- with .Values.exporter.extraEnvVars }} - env: -{{- toYaml . | nindent 10 }} {{- end }} {{- if not (empty .Values.containerSecurityContext) }} securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} diff --git a/values.yaml b/values.yaml index f362085b0..919be2b2e 100644 --- a/values.yaml +++ b/values.yaml @@ -875,8 +875,10 @@ database: priorityClassName: # The initial superuser password for internal database (ignored if existingSecret is set) password: "changeit" - # if using existing secret, the key must be "password" + # if using existing secret existingSecret: "" + # secret key name if using existing secret (defaults to `password`) + existingSecretKey: "" # The size limit for Shared memory, pgSQL use it for shared_buffer # More details see: # https://github.com/goharbor/harbor/issues/15034 
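Review bot: The external branch's default key changes from the removed `key: password` to `default "POSTGRES_PASSWORD"`, while core-dpl.yaml and core-pre-upgrade-job.yaml in this same patch default the same value to `password`, so an existing user whose external secret holds only `password` keeps a working core but gets an exporter pod that fails on a missing key after upgrade; the values.yaml comments added in this patch also promise a `password` default. Use `key: {{ .Values.database.external.existingSecretKey | default "password" }}` here and the same `"password"` default on the internal branch, so every consumer of a given existing secret reads one key. Moving `extraEnvVars` into the single `env` list, replacing the second `env:` key the old template emitted, is a real fix; whether `nindent 8` matches the list items' indentation cannot be confirmed from the collapsed hunk.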
@@ -898,8 +900,10 @@ database: username: "user" password: "password" coreDatabase: "registry" - # if using existing secret, the key must be "password" + # if using existing secret existingSecret: "" + # secret key name if using existing secret (defaults to `password`) + existingSecretKey: "" # "disable" - No SSL # "require" - Always SSL (skip verification) # "verify-ca" - Always SSL (verify that the certificate presented by the