improved use of existing secret for db
Caleb tenBerge committed Mar 22, 2024
1 parent 5025ecb commit c5abe25
Showing 6 changed files with 20 additions and 15 deletions.
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -313,7 +313,8 @@ The following table lists the configurable parameters of the Harbor chart and th
| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
| `database.internal.image.tag` | Tag for database image | `dev` |
| `database.internal.password` | The password for database | `changeit` |
| `database.internal.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` |
| `database.internal.existingSecret` | An existing secret containing the database password. | `""` |
| `database.internal.existingSecretKey` | The existing secrets key for database password | `""` |
| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
| `database.internal.resources` | The [resources] to allocate for container | undefined |
| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
Expand All @@ -330,7 +331,8 @@ The following table lists the configurable parameters of the Harbor chart and th
| `database.external.username` | The username of external database | `user` |
| `database.external.password` | The password of external database | `password` |
| `database.external.coreDatabase` | The database used by core service | `registry` |
| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` |
| `database.external.existingSecret` | An existing password containing the database password. | `""` |
| `database.external.existingSecretKey` | The existing secrets key for database password | `""` |
| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` |
| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` |
4 changes: 2 additions & 2 deletions templates/core/core-dpl.yaml
Expand Up @@ -125,14 +125,14 @@ spec:
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "password" }}
{{- end }}
{{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.internal.existingSecret }}
key: password
key: {{ .Values.database.internal.existingSecretKey | default "password" }}
{{- end }}
{{- if .Values.registry.credentials.existingSecret }}
- name: REGISTRY_CREDENTIAL_PASSWORD
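Review bot: The two new `key:` lines render an operator-supplied value as an unquoted YAML scalar, so an `existingSecretKey` that looks like a number or boolean, or that contains `: ` or ` #`, would be retyped or would change the rendered manifest instead of being used as a string. Pipe the result through `quote`, e.g. `key: {{ .Values.database.external.existingSecretKey | default "password" | quote }}`, and likewise for the internal branch. The same pattern appears in the new lines of templates/core/core-pre-upgrade-job.yaml and templates/exporter/exporter-dpl.yaml. The enclosing `env:` list starts and ends outside this hunk.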
4 changes: 2 additions & 2 deletions templates/core/core-pre-upgrade-job.yaml
Expand Up @@ -46,11 +46,11 @@ spec:
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "password" }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
{{- end }}
volumeMounts:
- name: config
mountPath: /etc/core/app.conf
2 changes: 1 addition & 1 deletion templates/core/core-secret.yaml
Expand Up @@ -21,7 +21,7 @@ data:
{{- if not .Values.existingSecretAdminPassword }}
HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
{{- end }}
{{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }}
{{- if and (not .Values.database.internal.existingSecret) (not .Values.database.external.existingSecret) }}
POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
{{- end }}
{{- if not .Values.registry.credentials.existingSecret }}
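Review bot: The guard around `POSTGRESQL_PASSWORD` still ignores `database.type`, whereas the env override in core-dpl.yaml is gated on it (the internal branch there requires `eq .Values.database.type "internal"`). With the type set to internal and only `database.external.existingSecret` populated (or the reverse), this template drops the password from the Secret while the deployment presumably adds no `secretKeyRef` for it, leaving core without a database password. Reordering the two operands does not change that. Mirroring the deployment's condition would close the gap: `{{- if not (or (and (eq .Values.database.type "internal") .Values.database.internal.existingSecret) (and (eq .Values.database.type "external") .Values.database.external.existingSecret)) }}`. The `harbor.database.encryptedPassword` helper is defined outside this hunk, so its own handling of the type should be checked too.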
11 changes: 5 additions & 6 deletions templates/exporter/exporter-dpl.yaml
Expand Up @@ -77,19 +77,22 @@ spec:
- secretRef:
name: "{{ template "harbor.exporter" . }}"
env:
{{- with .Values.exporter.extraEnvVars }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }}
- name: HARBOR_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "POSTGRES_PASSWORD" }}
{{- end }}
{{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
- name: HARBOR_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.internal.existingSecret }}
key: password
key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }}
{{- end }}
{{- if .Values.existingSecretAdminPassword }}
- name: HARBOR_ADMIN_PASSWORD
Expand All @@ -101,10 +104,6 @@ spec:
{{- if .Values.exporter.resources }}
resources:
{{ toYaml .Values.exporter.resources | indent 10 }}
{{- end }}
{{- with .Values.exporter.extraEnvVars }}
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
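Review bot: The exporter's two new `key:` lines fall back to `POSTGRES_PASSWORD`, while core-dpl.yaml and core-pre-upgrade-job.yaml fall back to `password`, and values.yaml documents the default as `password`. Before this commit the exporter read the key `password`, so a release that sets `existingSecret` without `existingSecretKey` now points the exporter at a key that an existing Secret is unlikely to contain. The `secretKeyRef` would then fail to resolve and the exporter container would not start, while core keeps working. Use the same fallback in both branches: `key: {{ .Values.database.external.existingSecretKey | default "password" }}` and `key: {{ .Values.database.internal.existingSecretKey | default "password" }}`.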
8 changes: 6 additions & 2 deletions values.yaml
Expand Up @@ -875,8 +875,10 @@ database:
priorityClassName:
# The initial superuser password for internal database (ignored if existingSecret is set)
password: "changeit"
# if using existing secret, the key must be "password"
# if using existing secret
existingSecret: ""
# secret key name if using existing secret (defaults to `password`)
existingSecretKey: ""
# The size limit for Shared memory, pgSQL use it for shared_buffer
# More details see:
# https://github.com/goharbor/harbor/issues/15034
Expand All @@ -898,8 +900,10 @@ database:
username: "user"
password: "password"
coreDatabase: "registry"
# if using existing secret, the key must be "password"
# if using existing secret
existingSecret: ""
# secret key name if using existing secret (defaults to `password`)
existingSecretKey: ""
# "disable" - No SSL
# "require" - Always SSL (skip verification)
# "verify-ca" - Always SSL (verify that the certificate presented by the
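Review bot: The comment left above `existingSecret` in both hunks, `# if using existing secret`, is now a fragment that no longer tells the operator anything. I would replace it with `# Name of an existing Secret holding the database password; when set, "password" above is ignored`, and add that the Secret must live in the release namespace, because `secretKeyRef` is resolved in the pod's own namespace. For `existingSecretKey`, the comment should say that an empty value selects the default key, since the shipped default is `""`. The enclosing `database.internal` and `database.external` mappings start outside these hunks.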
