diff --git a/README.md b/README.md index c4492bf70..35ec8f0dd 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,16 @@ If Harbor is deployed behind the proxy, set it as the URL of proxy. - **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. - **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. +#### Configure the secrets + +- **Secret keys**: Secret keys are used for secure communication between components. Fill `core.secret`, `jobservice.secret` and `registry.secret` to configure. +- **Certificates**: + - *notary*: Used for authentication during communications. Fill `notary.secretName` to configure. Notary server certificate must be issued with notary service name as subject alternative name. + - *core*: Used for token encryption/decryption. Fill `core.secretName` to configure. + +Secrets and certificates must be setup to avoid changes on every Helm upgrade (see: [#107](https://github.com/goharbor/harbor-helm/issues/107)). + + #### Configure the other items listed in [configuration](#configuration) section. ### Install the chart 
@@ -173,6 +183,8 @@ The following table lists the configurable parameters of the Harbor chart and th | `core.tolerations` | Tolerations for pod assignment | `[]` | | `core.affinity` | Node/Pod affinities | `{}` | | `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secret` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey` that contain the certificate and private key. They will be automatically generated if not set. | | | **Jobservice** | | `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | | `jobservice.image.tag` | Tag for jobservice image | `dev` | @@ -184,6 +196,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `jobservice.tolerations` | Tolerations for pod assignment | `[]` | | `jobservice.affinity` | Node/Pod affinities | `{}` | | `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | | **Registry** | | `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | | `registry.registry.image.tag` | Tag for registry image | 
@@ -196,6 +209,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `registry.tolerations` | Tolerations for pod assignment | `[]` | | `registry.affinity` | Node/Pod affinities | `{}` | | `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | | **Chartmuseum** | | `chartmuseum.enabled` | Enable chartmusuem to store chart | `true` | | `chartmuseum.image.repository` | Repository for chartmuseum image | `goharbor/chartmuseum-photon` | @@ -233,6 +247,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `notary.tolerations` | Tolerations for pod assignment | `[]` | | `notary.affinity` | Node/Pod affinities | `{}` | | `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | +| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `tls.ca`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | | **Database** | | `database.type` | If external database is used, set it to `external` | `internal` | | `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 109caaf09..d20981d17 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml 
@@ -91,7 +91,11 @@ spec: path: key - name: token-service-private-key secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} secretName: {{ template "harbor.core" . }} + {{- end }} {{- if eq (include "harbor.autoGenCert" .) "true" }} - name: ca-download secret: diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml index 750f7dfdd..860f43351 100644 --- a/templates/core/core-secret.yaml +++ b/templates/core/core-secret.yaml @@ -8,12 +8,13 @@ metadata: type: Opaque data: secretKey: {{ .Values.secretKey | b64enc | quote }} - secret: {{ randAlphaNum 16 | b64enc | quote }} + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} +{{- if not .Values.core.secretName }} tokenServiceRootCertBundle: {{ $cert.Cert | b64enc | quote }} tokenServicePrivateKey: {{ $cert.Key | b64enc | quote }} +{{- end }} HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{ if .Values.clair.enabled }} CLAIR_DB_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} {{ end }} - \ No newline at end of file diff --git a/templates/jobservice/jobservice-secrets.yaml b/templates/jobservice/jobservice-secrets.yaml index cbaad34d3..e08f7ce58 100644 --- a/templates/jobservice/jobservice-secrets.yaml +++ b/templates/jobservice/jobservice-secrets.yaml @@ -6,4 +6,4 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - secret: {{ randAlphaNum 16 | b64enc | quote }} \ No newline at end of file + secret: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} diff --git a/templates/notary/notary-cm.yaml b/templates/notary/notary-cm.yaml index 4bf0873d8..4ba8a3bbb 100644 --- a/templates/notary/notary-cm.yaml +++ b/templates/notary/notary-cm.yaml 
@@ -9,12 +9,14 @@ metadata: data: {{ $ca := genCA "harbor-notary-ca" 365 }} {{ $cert := genSignedCert (include "harbor.notary-signer" .) nil nil 365 $ca }} + {{- if not .Values.notary.secretName }} notary-signer-ca.crt: | -{{ $ca.Cert | indent 4 }} +{{ $ca.Cert | indent 4 }} notary-signer.crt: | {{ $cert.Cert | indent 4 }} notary-signer.key: | -{{ $cert.Key | indent 4 }} +{{ $cert.Key | indent 4 }} + {{- end }} server-config.postgres.json: | { "server": { @@ -24,7 +26,11 @@ data: "type": "remote", "hostname": "{{ template "harbor.notary-signer" . }}", "port": "7899", +{{- if not .Values.notary.secretName }} "tls_ca_file": "./notary-signer-ca.crt", +{{- else }} + "tls_ca_file": "/etc/ssl/notary/cert/notary-signer-ca.crt", +{{- end }} "key_algorithm": "ecdsa" }, "logging": { @@ -48,8 +54,13 @@ data: { "server": { "grpc_addr": ":7899", +{{- if not .Values.notary.secretName }} "tls_cert_file": "./notary-signer.crt", "tls_key_file": "./notary-signer.key" +{{- else }} + "tls_cert_file": "/etc/ssl/notary/cert/notary-signer.crt", + "tls_key_file": "/etc/ssl/notary/cert/notary-signer.key" +{{- end }} }, "logging": { "level": "{{ .Values.logLevel }}" diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml index 3c47939fa..b7bdb2f64 100644 --- a/templates/notary/notary-server.yaml +++ b/templates/notary/notary-server.yaml 
@@ -43,13 +43,27 @@ spec: - name: root-certificate mountPath: /root.crt subPath: tokenServiceRootCertBundle + {{- if .Values.notary.secretName }} + - name: notary-ca + mountPath: /etc/ssl/notary/cert/notary-signer-ca.crt + subPath: notary-signer-ca.crt + {{- end }} volumes: - name: notary-config configMap: name: "{{ template "harbor.notary-server" . }}" - name: root-certificate secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.notary.secretName }} + - name: notary-ca + secret: + secretName: {{ .Values.notary.secretName }} + {{- end }} {{- with .Values.notary.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml index 8af067c97..d14234b37 100644 --- a/templates/notary/notary-signer.yaml +++ b/templates/notary/notary-signer.yaml @@ -38,10 +38,19 @@ spec: volumeMounts: - name: notary-config mountPath: /etc/notary + {{- if .Values.notary.secretName }} + - name: notary-cert + mountPath: /etc/ssl/notary/cert + {{- end }} volumes: - name: notary-config configMap: name: "{{ template "harbor.notary-server" . }}" + {{- if .Values.notary.secretName }} + - name: notary-cert + secret: + secretName: {{ .Values.notary.secretName }} + {{- end }} {{- with .Values.notary.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index 0e1feba4d..10deb2aa7 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -116,7 +116,11 @@ spec: volumes: - name: registry-root-certificate secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} secretName: {{ template "harbor.core" . }} + {{- end }} - name: registry-config configMap: name: "{{ template "harbor.registry" . }}" 
diff --git a/templates/registry/registry-secret.yaml b/templates/registry/registry-secret.yaml index 8af83a384..179888eb9 100644 --- a/templates/registry/registry-secret.yaml +++ b/templates/registry/registry-secret.yaml @@ -6,7 +6,7 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - REGISTRY_HTTP_SECRET: {{ randAlphaNum 16 | b64enc | quote }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} {{- $storage := .Values.persistence.imageChartStorage }} {{- $type := $storage.type }} {{- if eq $type "azure" }} @@ -30,4 +30,4 @@ data: {{- end }} {{- else if eq $type "oss" }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/values.yaml b/values.yaml index da16d3ef7..08850765e 100644 --- a/values.yaml +++ b/values.yaml @@ -270,6 +270,17 @@ core: affinity: {} ## Additional deployment annotations podAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named tls.tokenServiceRootCertBundle and + # tls.tokenServicePrivateKey that contain the certificate and private key. + # They will be automatically generated if not set + secretName: "" jobservice: image: @@ -288,6 +299,10 @@ jobservice: affinity: {} ## Additional deployment annotations podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" registry: registry: 
@@ -312,6 +327,12 @@ registry: affinity: {} ## Additional deployment annotations podAnnotations: {} + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" chartmuseum: enabled: true @@ -376,6 +397,13 @@ notary: affinity: {} ## Additional deployment annotations podAnnotations: {} + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named tls.ca, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. + secretName: "" database: # if external database is used, set "type" to "external"
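Review bot: in the README hunk that adds `#### Configure the secrets`, the *notary* bullet describes the wrong certificate. The templates generate `genSignedCert (include "harbor.notary-signer" .)` and feed it to `tls_cert_file`/`tls_key_file` in the signer config while the server only consumes it as `tls_ca_file`, so the sentence should read "the notary signer certificate must be issued with the notary signer service name as subject alternative name", not "notary server certificate". The *core* bullet's "token encryption/decryption" is also misleading for a `tokenServiceRootCertBundle`/`tokenServicePrivateKey` pair that the registry mounts as `registry-root-certificate`; "token signing and verification" describes that use. Nit: "must be setup" should be "must be set up".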
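Review bot: in the README Core table hunk, the second added row is labelled `core.secret` but documents `core.secretName`; as written the table lists `core.secret` twice and never names the new parameter. That same row tells users to create keys `tls.tokenServiceRootCertBundle` and `tls.tokenServicePrivateKey`, but the volumes that now point at `.Values.core.secretName` are consumed with `subPath: tokenServiceRootCertBundle` (notary-server.yaml) and the chart's own secret in core-secret.yaml uses `tokenServiceRootCertBundle` and `tokenServicePrivateKey` without a prefix, so a secret built from the README would fail to mount. Either drop the `tls.` prefix in the README and values.yaml or add an `items:` mapping (`key: tls.tokenServicePrivateKey`, `path: tokenServicePrivateKey`) in the volumes, and show the expected `kubectl create secret generic ... --from-file=tokenServiceRootCertBundle=... --from-file=tokenServicePrivateKey=...` invocation. Finally, "Must be a string of 16 chars" is not enforced by `.Values.core.secret | default (randAlphaNum 16)`; either validate the length with `fail` in the template or say that 16 is merely what the generator produces.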
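Review bot: in the README Registry table hunk, the linked docker/distribution `http.secret` documentation asks for a random value from a cryptographically secure generator and imposes no fixed length, so "Must be a string of 16 chars" overstates the requirement, and nothing in `.Values.registry.secret | default (randAlphaNum 16)` checks it anyway. The same unverified 16-character claim appears on the `jobservice.secret` row in the hunk above it. Suggest "any sufficiently random string; 16 alphanumeric characters are generated if unset" for all three rows, or add a length check with `fail` in the secret templates if the components really require it.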
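Review bot: in the README Notary table hunk, the documented key names `tls.ca`, `tls.crt` and `tls.key` do not match what the templates read. notary-server.yaml mounts the secret with `subPath: notary-signer-ca.crt`, and the notary-cm.yaml configs point the signer at `/etc/ssl/notary/cert/notary-signer.crt` and `/etc/ssl/notary/cert/notary-signer.key` inside the secret mounted at `/etc/ssl/notary/cert`, so the secret must actually carry keys named `notary-signer-ca.crt`, `notary-signer.crt` and `notary-signer.key`. Either document those names, or keep the conventional `tls.*` names and add an `items:` block on both volumes (e.g. `- key: tls.crt` / `path: notary-signer.crt`) so the projected file names match the config.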
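Review bot: in the core-secret.yaml hunk, the new `{{- if not .Values.core.secretName }}` only gates the output; the `$cert` these lines read is still generated on every render, so with `core.secretName` unset the token service key is still rotated on each `helm upgrade`, which is the #107 behaviour this PR is addressing. The README sentence "Secrets and certificates must be setup to avoid changes on every Helm upgrade" should say explicitly that only a user-supplied `core.secretName` stops the rotation. Minor: when `core.secretName` is set the chart no longer emits the cert keys in its own secret, so every consumer must be switched; core-dpl.yaml, registry-dpl.yaml and notary-server.yaml are, which is good, but a comment next to the `if` noting that dependency would help future edits.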
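Review bot: in the first notary-cm.yaml hunk, `{{ $ca := genCA "harbor-notary-ca" 365 }}` and `{{ $cert := genSignedCert ... }}` still run unconditionally above the new `{{- if not .Values.notary.secretName }}`; move them inside the conditional so a user-supplied secret does not trigger pointless key generation, and so the default path is the only one that regenerates the CA and leaf on every render. Note also that on the default path `notary-signer.key` is written into a ConfigMap rather than a Secret; this PR moves the key into a Secret only when `notary.secretName` is set, which is worth calling out in the README as a second reason to supply your own secret.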
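Review bot: in the notary-signer.yaml hunk, mounting the whole secret at `/etc/ssl/notary/cert` projects every key in `notary.secretName` into the signer container, while the signer config only needs `notary-signer.crt` and `notary-signer.key`. Use `items:` to project just those two files (and document that the CA private key must not be placed in this secret), mirroring the server side, which correctly mounts only `notary-signer-ca.crt` via `subPath`.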
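Review bot: in the values.yaml `core:` hunk, the comment block for `secretName` repeats the `tls.tokenServiceRootCertBundle` / `tls.tokenServicePrivateKey` key names that the templates do not use (they mount `tokenServiceRootCertBundle` / `tokenServicePrivateKey` via `subPath`); fix it together with the README so both stay in step. Nit: "They will be automatically generated if not set" is missing its full stop, unlike the surrounding comments.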
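Review bot: in the values.yaml `notary:` hunk, the `secretName` comment lists `tls.ca`, `tls.crt` and `tls.key`, but notary-server.yaml and the notary-cm.yaml configs expect `notary-signer-ca.crt`, `notary-signer.crt` and `notary-signer.key` in the mounted secret. Align the comment with whatever key names the templates end up using, and state that the certificate is the signer's certificate (its subject alternative name must be the notary signer service name), since this is the comment users will read when editing values.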