Allow to set secrets using prepare scripts #17498

Closed
wants to merge 1 commit into from

@dmitry-g dmitry-g commented Sep 5, 2022

  • Add core.secret option
  • Add core.xsrf_token option
  • Add jobservice.secret option

Signed-off-by: Dmitry G [email protected]


These configuration options are supported by the Helm chart, but they were not available for the docker-compose setup.

This change allows sharing the same secrets between multiple instances of Harbor. To maintain high availability we would like to run several instances of Harbor that share the same external database, Redis and storage. While these external components work fine for an HA setup, the core and jobservice secrets and XSRF token being different between applications does not allow Harbor to run properly.

When using only one instance of Harbor, it requires about 30 seconds to restart the docker-compose application and the whole registry becomes unreachable. We use Chef for automation of Harbor installation, configuration and updates (Chef cookbook to be released soon), so when the configuration is changed, that single instance of Harbor becomes unavailable during the restart.

Currently the prepare scripts can only generate random secrets for every install. Using shared secrets would allow a set of applications to be used for high availability.

This change is not breaking. If the options are not specified, they will be automatically generated the same way as before. Also, configuration keys are named in the same manner as the Helm chart values.


Please indicate you've done the following:

  • Well Written Title and Summary of the PR
  • Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
  • Accepted the DCO. Commits without the DCO will delay acceptance.
  • Made sure tests are passing and test coverage is added if needed.
  • Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository. - Add documentation for harbor.yml secrets website#359

 - Add `core.secret` option
 - Add `core.xsrf_token` option
 - Add `jobservice.secret` option

Signed-off-by: Dmitry G <[email protected]>
@MinerYang
Contributor

MinerYang commented Sep 27, 2022

Hi @dmitry-g,

Thanks for your contribution and elaboration. We understand that there is some inconvenience when you are using the docker compose offline installer to set up several Harbor instances. But from our perspective, we maintain, support and prefer customers to use the Helm chart HA solution in Kubernetes clusters rather than the offline installer, because it may vary across diverse user environments and it is hard for us to support them officially. You can build customized packages for your scenarios instead, and we might not be able to merge this PR currently.

And for the external Redis username part, we plan to support it when chartmuseum and notary are fully deprecated. You could refer to this issue #15895.

Best,
MinerYang

@MinerYang
Contributor

Hi @dmitry-g,
We would like to close this PR for now. If there's any concern we could have further discussion. Thanks for your contribution!

Best,
Miner

@MinerYang MinerYang closed this Oct 17, 2022