Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support existing secret for internal DB #1733

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,8 @@ The following table lists the configurable parameters of the Harbor chart and th
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
| `database.internal.image.tag` | Tag for database image | `dev` |
| `database.internal.password` | The password for database | `changeit` |
| `database.internal.existingSecret` | An existing secret containing the database password. | `""` |
| `database.internal.existingSecretKey` | The existing secrets key for database password | `""` |
| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
| `database.internal.resources` | The [resources] to allocate for container | undefined |
| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
Expand All @@ -329,7 +331,8 @@ The following table lists the configurable parameters of the Harbor chart and th
| `database.external.username` | The username of external database | `user` |
| `database.external.password` | The password of external database | `password` |
| `database.external.coreDatabase` | The database used by core service | `registry` |
| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` |
| `database.external.existingSecret` | An existing password containing the database password. | `""` |
| `database.external.existingSecretKey` | The existing secrets key for database password | `""` |
| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` |
| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` |
Expand Down
11 changes: 9 additions & 2 deletions templates/core/core-dpl.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -120,12 +120,19 @@ spec:
- name: INTERNAL_TLS_TRUST_CA_PATH
value: /etc/harbor/ssl/core/ca.crt
{{- end }}
{{- if .Values.database.external.existingSecret }}
{{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }}
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "password" }}
{{- end }}
{{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.internal.existingSecret }}
key: {{ .Values.database.internal.existingSecretKey | default "password" }}
{{- end }}
{{- if .Values.registry.credentials.existingSecret }}
- name: REGISTRY_CREDENTIAL_PASSWORD
Expand Down
4 changes: 2 additions & 2 deletions templates/core/core-pre-upgrade-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -46,11 +46,11 @@ spec:
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "password" }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
{{- end }}
volumeMounts:
- name: config
mountPath: /etc/core/app.conf
Expand Down
2 changes: 1 addition & 1 deletion templates/core/core-secret.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ data:
{{- if not .Values.existingSecretAdminPassword }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
{{- end }}
{{- if not .Values.database.external.existingSecret }}
{{- if and (not .Values.database.internal.existingSecret) (not .Values.database.external.existingSecret) }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
Expand Down
2 changes: 2 additions & 0 deletions templates/database/database-secret.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{{- if eq .Values.database.type "internal" -}}
{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -9,3 +10,4 @@ type: Opaque
data:
POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end -}}
{{- end -}}
8 changes: 5 additions & 3 deletions templates/database/database-ss.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -86,14 +86,16 @@ spec:
resources:
{{ toYaml .Values.database.internal.resources | indent 10 }}
{{- end }}
envFrom:
- secretRef:
name: "{{ template "harbor.database" . }}"
env:
# put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
# more detail refer to https://github.com/goharbor/harbor-helm/issues/756
- name: PGDATA
value: "/var/lib/postgresql/data/pgdata"
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.internal.existingSecret | default (include "harbor.database" .) }}
key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }}
{{- with .Values.database.internal.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
Expand Down
18 changes: 12 additions & 6 deletions templates/exporter/exporter-dpl.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -77,12 +77,22 @@ spec:
- secretRef:
name: "{{ template "harbor.exporter" . }}"
env:
{{- if .Values.database.external.existingSecret }}
{{- with .Values.exporter.extraEnvVars }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }}
- name: HARBOR_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "POSTGRES_PASSWORD" }}
{{- end }}
{{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
- name: HARBOR_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.internal.existingSecret }}
key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }}
{{- end }}
{{- if .Values.existingSecretAdminPassword }}
- name: HARBOR_ADMIN_PASSWORD
Expand All @@ -94,10 +104,6 @@ spec:
{{- if .Values.exporter.resources }}
resources:
{{ toYaml .Values.exporter.resources | indent 10 }}
{{- end }}
{{- with .Values.exporter.extraEnvVars }}
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
Expand Down
4 changes: 2 additions & 2 deletions templates/exporter/exporter-secret.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{{- if .Values.metrics.enabled}}
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -10,7 +10,7 @@ data:
{{- if not .Values.existingSecretAdminPassword }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
{{- end }}
{{- if not .Values.database.external.existingSecret }}
{{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }}
HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end }}
{{- end }}
10 changes: 8 additions & 2 deletions values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -873,8 +873,12 @@ database:
affinity: {}
## The priority class to run the pod as
priorityClassName:
# The initial superuser password for internal database
# The initial superuser password for internal database (ignored if existingSecret is set)
password: "changeit"
# if using existing secret
existingSecret: ""
# secret key name if using existing secret (defaults to `password`)
existingSecretKey: ""
# The size limit for Shared memory, pgSQL use it for shared_buffer
# More details see:
# https://github.com/goharbor/harbor/issues/15034
Expand All @@ -896,8 +900,10 @@ database:
username: "user"
password: "password"
coreDatabase: "registry"
# if using existing secret, the key must be "password"
# if using existing secret
existingSecret: ""
# secret key name if using existing secret (defaults to `password`)
existingSecretKey: ""
# "disable" - No SSL
# "require" - Always SSL (skip verification)
# "verify-ca" - Always SSL (verify that the certificate presented by the
Expand Down
Loading