Support existing secret for internal DB #1733

wants to merge 2 commits into
base: main
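--- a/README.md
+++ b/README.md
@@ -313,6 +313,8 @@ The following table lists the configurable parameters of the Harbor chart and th
 | `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
 | `database.internal.image.tag` | Tag for database image | `dev` |
 | `database.internal.password` | The password for database | `changeit` |
+| `database.internal.existingSecret` | An existing secret containing the database password. | `""` |
+| `database.internal.existingSecretKey` | The existing secrets key for database password | `""` |
 | `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
 | `database.internal.resources` | The [resources] to allocate for container | undefined |
 | `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
@@ -329,7 +331,8 @@ The following table lists the configurable parameters of the Harbor chart and th
 | `database.external.username` | The username of external database | `user` |
 | `database.external.password` | The password of external database | `password` |
 | `database.external.coreDatabase` | The database used by core service | `registry` |
-| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` |
+| `database.external.existingSecret` | An existing password containing the database password. | `""` |
+| `database.external.existingSecretKey` | The existing secrets key for database password | `""` |
 | `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
 | `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` |
 | `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` |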
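--- a/templates/core/core-dpl.yaml
+++ b/templates/core/core-dpl.yaml
@@ -120,12 +120,19 @@ spec:
 - name: INTERNAL_TLS_TRUST_CA_PATH
 value: /etc/harbor/ssl/core/ca.crt
 {{- end }}
-{{- if .Values.database.external.existingSecret }}
+{{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }}
 - name: POSTGRESQL_PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ .Values.database.external.existingSecret }}
-key: password
+key: {{ .Values.database.external.existingSecretKey | default "password" }}
 {{- end }}
+{{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
+- name: POSTGRESQL_PASSWORD
+valueFrom:
+secretKeyRef:
+name: {{ .Values.database.internal.existingSecret }}
+key: {{ .Values.database.internal.existingSecretKey | default "password" }}
+{{- end }}
 {{- if .Values.registry.credentials.existingSecret }}
 - name: REGISTRY_CREDENTIAL_PASSWORD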
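Review bot: The new internal branch at the bottom of the hunk falls back to key `password`, but templates/database/database-ss.yaml in this same PR reads the same `database.internal.existingSecret` with a fallback of `POSTGRES_PASSWORD`, so with `existingSecretKey` left empty the core pod and the postgres pod look up different keys in one user-supplied Secret and one of them cannot start. Settle on a single fallback for a user-provided Secret (values.yaml documents `password`) and use it in every consumer, ideally through one named template such as `harbor.database.existingSecretKey` so the two cannot drift again. The two near-identical `secretKeyRef` stanzas could also collapse into one block that picks the secret name and key from `database.type` first. The env list continues outside the hunk.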
4 changes: 2 additions & 2 deletions templates/core/core-pre-upgrade-job.yaml
Expand Up @@ -46,11 +46,11 @@ spec:
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "password" }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
{{- end }}
{{- end }}
volumeMounts:
- name: config
mountPath: /etc/core/app.conf
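Review bot: Only the external-database branch gets an explicit `POSTGRESQL_PASSWORD` here, while templates/core/core-secret.yaml in this PR stops rendering `POSTGRESQL_PASSWORD` once `database.internal.existingSecret` is set; unless this job takes the password from somewhere not visible in the hunk, an internal database with an existing Secret leaves the pre-upgrade job without a database password. Mirror the internal branch that core-dpl.yaml gained, with the same key fallback, so the job and the core deployment resolve the credential identically. The opening `{{- if ... }}` and the `- name: POSTGRESQL_PASSWORD` entry sit above the hunk, and the container spec continues below it.

```yaml
          {{- end }}
          {{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
          - name: POSTGRESQL_PASSWORD
            valueFrom:
              secretKeyRef:
                name: {{ .Values.database.internal.existingSecret }}
                key: {{ .Values.database.internal.existingSecretKey | default "password" }}
          {{- end }}
          # … unchanged: securityContext and volumeMounts …
```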
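--- a/templates/core/core-secret.yaml
+++ b/templates/core/core-secret.yaml
@@ -21,7 +21,7 @@ data:
 {{- if not .Values.existingSecretAdminPassword }}
 HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
 {{- end }}
-{{- if not .Values.database.external.existingSecret }}
+{{- if and (not .Values.database.internal.existingSecret) (not .Values.database.external.existingSecret) }}
 POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{- end }}
 {{- if not .Values.registry.credentials.existingSecret }}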
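Review bot: The new condition on the `POSTGRESQL_PASSWORD` line ignores `database.type`, while the matching injection in core-dpl.yaml is now gated on it: with `database.type: internal` and a stale, non-empty `database.external.existingSecret`, this Secret omits the key and core-dpl.yaml adds no `secretKeyRef` for either branch, so core is presumably left with no database password at all (before this PR the external branch was not type-gated and would still have supplied one). Gate on the type here as well, `{{- if not (or (and (eq .Values.database.type "internal") .Values.database.internal.existingSecret) (and (eq .Values.database.type "external") .Values.database.external.existingSecret)) }}`, or reject the mixed configuration with `fail` so the problem surfaces at template time rather than as a crash-looping pod.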
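--- a/templates/database/database-secret.yaml
+++ b/templates/database/database-secret.yaml
@@ -1,4 +1,5 @@
 {{- if eq .Values.database.type "internal" -}}
+{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,3 +10,4 @@ type: Opaque
 data:
 POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{- end -}}
+{{- end -}}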
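Review bot: The inner `{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}}` sits directly inside the kept outer `{{- if eq .Values.database.type "internal" -}}`, so the repeated type check is dead and the second `{{- end -}}` exists only to close it. Either drop the re-check, `{{- if not .Values.database.internal.existingSecret -}}`, or fold the whole condition into the outer guard, `{{- if and (eq .Values.database.type "internal") (not .Values.database.internal.existingSecret) -}}`, and delete the extra `{{- end -}}`. The Secret's metadata block lies between the two hunks.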
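--- a/templates/database/database-ss.yaml
+++ b/templates/database/database-ss.yaml
@@ -86,14 +86,16 @@ spec:
 resources:
 {{ toYaml .Values.database.internal.resources | indent 10 }}
 {{- end }}
-envFrom:
-- secretRef:
-name: "{{ template "harbor.database" . }}"
 env:
 # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled
 # more detail refer to https://github.com/goharbor/harbor-helm/issues/756
 - name: PGDATA
 value: "/var/lib/postgresql/data/pgdata"
+- name: POSTGRES_PASSWORD
+valueFrom:
+secretKeyRef:
+name: {{ .Values.database.internal.existingSecret | default (include "harbor.database" .) }}
+key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }}
 {{- with .Values.database.internal.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}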
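Review bot: The `key:` fallback of `POSTGRES_PASSWORD` is right for the chart-generated Secret (it is the key database-secret.yaml writes) but wrong for a user-provided `existingSecret`, where core-dpl.yaml and the values.yaml comment assume `password`; with `existingSecretKey` empty, postgres and core read different keys from the same Secret. Make the fallback depend on which Secret is in use, `key: {{ if .Values.database.internal.existingSecret }}{{ .Values.database.internal.existingSecretKey | default "password" }}{{ else }}POSTGRES_PASSWORD{{ end }}`. Replacing the `envFrom` secretRef with a single `secretKeyRef` is a welcome narrowing, since the container no longer inherits every key of the Secret as an environment variable. The container spec continues outside the hunk.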
18 changes: 12 additions & 6 deletions templates/exporter/exporter-dpl.yaml
Expand Up @@ -77,12 +77,22 @@ spec:
- secretRef:
name: "{{ template "harbor.exporter" . }}"
env:
{{- if .Values.database.external.existingSecret }}
{{- with .Values.exporter.extraEnvVars }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and (eq .Values.database.type "external") .Values.database.external.existingSecret }}
- name: HARBOR_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.external.existingSecret }}
key: password
key: {{ .Values.database.external.existingSecretKey | default "POSTGRES_PASSWORD" }}
{{- end }}
{{- if and (eq .Values.database.type "internal") .Values.database.internal.existingSecret }}
- name: HARBOR_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.internal.existingSecret }}
key: {{ .Values.database.internal.existingSecretKey | default "POSTGRES_PASSWORD" }}
{{- end }}
{{- if .Values.existingSecretAdminPassword }}
- name: HARBOR_ADMIN_PASSWORD
Expand All @@ -94,10 +104,6 @@ spec:
{{- if .Values.exporter.resources }}
resources:
{{ toYaml .Values.exporter.resources | indent 10 }}
{{- end }}
{{- with .Values.exporter.extraEnvVars }}
env:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if not (empty .Values.containerSecurityContext) }}
securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
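Review bot: The external branch changes the fallback key from `password` to `POSTGRES_PASSWORD`, which silently breaks every existing deployment that set `database.external.existingSecret` under the previous contract ("the key must be `password`") and disagrees with core-dpl.yaml and core-pre-upgrade-job.yaml, which still fall back to `password`. Use `default "password"` on both new `key:` lines so the exporter resolves the same key as core. Moving `extraEnvVars` to the head of the single `env:` list also appears to remove the second `env:` key the old layout emitted on the same container when both an existing secret and extra vars were set, which is worth a sentence in the PR description. The container spec continues outside the hunk.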
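--- a/templates/exporter/exporter-secret.yaml
+++ b/templates/exporter/exporter-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.metrics.enabled}}
+{{- if .Values.metrics.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,7 +10,7 @@ data:
 {{- if not .Values.existingSecretAdminPassword }}
 HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
 {{- end }}
-{{- if not .Values.database.external.existingSecret }}
+{{- if and (not .Values.database.external.existingSecret) (not .Values.database.internal.existingSecret) }}
 HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
 {{- end }}
 {{- end }}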
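Review bot: The new `HARBOR_DATABASE_PASSWORD` condition does not consider `database.type`, so a non-empty existingSecret left over for the database type that is not in use suppresses the key here while exporter-dpl.yaml, which is gated on the type, injects nothing either, and the exporter would presumably start with no database password. Gate on the type to match the deployment, `{{- if not (or (and (eq .Values.database.type "internal") .Values.database.internal.existingSecret) (and (eq .Values.database.type "external") .Values.database.external.existingSecret)) }}`. The whitespace fix in the first hunk is fine.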
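--- a/values.yaml
+++ b/values.yaml
@@ -873,8 +873,12 @@ database:
 affinity: {}
 ## The priority class to run the pod as
 priorityClassName:
-# The initial superuser password for internal database
+# The initial superuser password for internal database (ignored if existingSecret is set)
 password: "changeit"
+# if using existing secret
+existingSecret: ""
+# secret key name if using existing secret (defaults to `password`)
+existingSecretKey: ""
 # The size limit for Shared memory, pgSQL use it for shared_buffer
 # More details see:
 # https://github.com/goharbor/harbor/issues/15034
@@ -896,8 +900,10 @@ database:
 username: "user"
 password: "password"
 coreDatabase: "registry"
-# if using existing secret, the key must be "password"
+# if using existing secret
 existingSecret: ""
+# secret key name if using existing secret (defaults to `password`)
+existingSecretKey: ""
 # "disable" - No SSL
 # "require" - Always SSL (skip verification)
 # "verify-ca" - Always SSL (verify that the certificate presented by the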
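Review bot: The comment `# secret key name if using existing secret (defaults to `password`)` under the internal block is contradicted by database-ss.yaml and exporter-dpl.yaml in this PR, which fall back to `POSTGRES_PASSWORD`; whichever fallback the templates settle on, this comment must name it, because it is the only place an operator will read before creating the Secret. It would also help to say what the Secret must hold and what it replaces, e.g. `# Name of a pre-existing Secret holding the internal database superuser password (used as POSTGRES_PASSWORD by the database StatefulSet and as the core DB credential); when set, database.internal.password is ignored and the chart generates no database Secret`. The external block's comment should likewise state that the key must match `existingSecretKey` or the documented fallback.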