Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for custom secret keys and certificates #126

Merged
merged 1 commit into from
Mar 6, 2019
Merged

Support for custom secret keys and certificates #126

merged 1 commit into from
Mar 6, 2019

Conversation

fydrah
Copy link
Contributor

@fydrah fydrah commented Dec 18, 2018

This PR adds:

  • Support custom CA and Certs for core and notary
    components, instead of generating new ones during
    install/upgrades
  • Support custom secret keys for several components,
    instead of generating new ones during install/upgrades
  • Fix chartmuseum secret dependency: if core secret
    changes, chartmuseum must be restarted

It also makes helm upgrade idempotent (no more secrets/certificates generation).

Fixes #107

@fydrah fydrah force-pushed the master branch 2 times, most recently from f72c921 to 7067cbc Compare December 18, 2018 23:34
@ywk253100 ywk253100 self-requested a review December 19, 2018 02:19
@ywk253100 ywk253100 self-assigned this Dec 19, 2018
@ywk253100
Copy link
Collaborator

@fydrah Thanks for your PR.
Can you follow the same convention for the customized certificate as expose.tls.secretName and add more command to explain what the values are used?

@fydrah
Copy link
Contributor Author

fydrah commented Jan 2, 2019

Hi @ywk253100 ,

Can you follow the same convention for the customized certificate as expose.tls.secretName

If I understand, each custom certificates/keys must be created by hand into a new secret, and included with a secretName style var.
I'm okay with it, but how should we manage secret keys ? Can we keep this method or should we also export them into an other secret ?

@ywk253100
Copy link
Collaborator

I think we can keep your method for the secret.

And some other comments:

  1. Can you add some comments to explain that if users want to avoid the issue Registry Secret causes changes on every apply #107, they should configure these items?
  2. Update the comments of certBundle and key for core: the key pair is used to encrypt/decrypt the token generated by token service
  3. Update the comments of secret for core and jobservice, they are used to do authentication when communicating.
  4. Update the comments of secret for registry, refer to https://github.com/docker/distribution/blob/master/docs/configuration.md#http.

@ywk253100
Copy link
Collaborator

Ping @fydrah

@fydrah fydrah force-pushed the master branch 2 times, most recently from 3353d23 to 1a941ce Compare February 26, 2019 00:11
@fydrah
Copy link
Contributor Author

fydrah commented Feb 26, 2019

Hi, comments updated and use secret and secretName convention for var names.

Tested with the following override configuration:

core:
  secret: "ohb4AhchuaShai0i"
  secretName: "core-custom-secret"
jobservice:
  secret: "eip1aiLaeyua5Ahf"
registry:
  secret: "pop1ooNgielox6Ai"
chartmuseum:
  enabled: true
clair:
  enabled: true
notary:
  enabled: true
  secretName: "notary-custom-secret"

With helm deployment name harbor, the notary certificate notary-custom-secret has to be issued with -subj "/CN=harbor-harbor-notary-signer" alternative name.

@fydrah
Support for custom secret keys and certificates
866c487 
* Support custom CA and Certs for core and notary
  components, instead of generating new ones during
  install/upgrades
* Support custom secret keys for several components,
  instead of generating new ones during install/upgrades

Signed-off-by: fydrah <[email protected]>
@ywk253100
Copy link
Collaborator

@fydrah Thanks!

@ywk253100 ywk253100 merged commit b8c951f into goharbor:master Mar 6, 2019
@ywk253100 ywk253100 mentioned this pull request Mar 18, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ywk253100 ywk253100 ywk253100 approved these changes

Assignees

@ywk253100 ywk253100

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fydrah @ywk253100