[bitnami/harbor] fix: secret envvars and their documentation (#28989)

* [bitnami/harbor] fix: secret envvars and their documentation Signed-off-by: Julien D <[email protected]> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <[email protected]> * Update Chart.yaml Signed-off-by: Carlos Rodríguez Hernández <[email protected]> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <[email protected]> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <[email protected]> * fix base64 issue CSRF and admin pw Signed-off-by: Julien D <[email protected]> --------- Signed-off-by: Julien D <[email protected]> Signed-off-by: Bitnami Containers <[email protected]> Signed-off-by: Carlos Rodríguez Hernández <[email protected]> Co-authored-by: Bitnami Containers <[email protected]> Co-authored-by: Carlos Rodríguez Hernández <[email protected]>
bitnami · Sep 3, 2024 · 84fae4b · 84fae4b
1 parent 7e4276d
commit 84fae4b
Show file tree

Hide file tree

Showing 7 changed files with 131 additions and 43 deletions.
diff --git a/bitnami/harbor/CHANGELOG.md b/bitnami/harbor/CHANGELOG.md
@@ -1,8 +1,13 @@
 # Changelog
 
-## 23.0.1 (2024-08-24)
+## 23.0.2 (2024-08-29)
 
-* [bitnami/harbor] Release 23.0.1 ([#29012](https://github.com/bitnami/charts/pull/29012))
+* [bitnami/harbor] fix: secret envvars and their documentation ([#28989](https://github.com/bitnami/charts/pull/28989))
+
+## <small>23.0.1 (2024-08-24)</small>
+
+* [bitnami/harbor] Release 23.0.1 (#29012) ([e8508d7](https://github.com/bitnami/charts/commit/e8508d7e47f9d7f88ae3081067451df61320792c)), closes [#29012](https://github.com/bitnami/charts/issues/29012)
+* [bitnami/harbor] Update dependencies (#28853) ([52607e4](https://github.com/bitnami/charts/commit/52607e4c3580532b172089da96302513014af1f4)), closes [#28853](https://github.com/bitnami/charts/issues/28853)
 
 ## <small>22.0.12 (2024-08-08)</small>
 

diff --git a/bitnami/harbor/Chart.yaml b/bitnami/harbor/Chart.yaml
@@ -55,4 +55,4 @@ maintainers:
 name: harbor
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/harbor
-version: 23.0.1
+version: 23.0.2
diff --git a/bitnami/harbor/templates/core/core-secret-envvars.yaml b/bitnami/harbor/templates/core/core-secret-envvars.yaml
@@ -3,7 +3,21 @@ Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-{{- $existingEnvVarsSecret := .Values.existingEnvVarsSecret | default dict -}}
+{{- $secretName := .Values.core.existingEnvVarsSecret -}}
+{{- $namespace := .Release.Namespace -}}
+{{- $secret := lookup "v1" "Secret" $namespace $secretName -}}
+{{- $existingEnvVarsSecretCore := dict -}}
+{{- if $secret.data }}
+  {{- $_REDIS_URL_CORE := index $secret.data "_REDIS_URL_CORE" | default "" -}}
+  {{- $_REDIS_URL_REG := index $secret.data "_REDIS_URL_REG" | default "" -}}
+  {{- $_CSRF_KEY := index $secret.data "CSRF_KEY" | default "" -}}
+  {{- $_HARBOR_ADMIN_PASSWORD := index $secret.data "HARBOR_ADMIN_PASSWORD" | default "" -}}
+  {{- $_POSTGRESQL_PASSWORD := index $secret.data "POSTGRESQL_PASSWORD" | default "" -}}
+  {{- $_REGISTRY_CREDENTIAL_PASSWORD := index $secret.data "REGISTRY_CREDENTIAL_PASSWORD" | default "" -}}
+  {{- $_REGISTRY_CREDENTIAL_USERNAME := index $secret.data "REGISTRY_CREDENTIAL_USERNAME" | default "" -}}
+  {{- $existingEnvVarsSecretCore = dict "_REDIS_URL_CORE" ($_REDIS_URL_CORE | b64dec) "_REDIS_URL_REG" ($_REDIS_URL_REG | b64dec) "CSRF_KEY" ($_CSRF_KEY | b64dec) "HARBOR_ADMIN_PASSWORD" ($_HARBOR_ADMIN_PASSWORD | b64dec) "POSTGRESQL_PASSWORD" ($_POSTGRESQL_PASSWORD | b64dec) "REGISTRY_CREDENTIAL_PASSWORD" ($_REGISTRY_CREDENTIAL_PASSWORD | b64dec) "REGISTRY_CREDENTIAL_USERNAME" ($_REGISTRY_CREDENTIAL_USERNAME | b64dec) -}}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,10 +32,20 @@ metadata:
   {{- end }}
 type: Opaque
 data:
-  _REDIS_URL_CORE: {{ $existingEnvVarsSecret._REDIS_URL_CORE | default (include "harbor.redisForCore" .) | b64enc | quote }}
-  _REDIS_URL_REG: {{ $existingEnvVarsSecret._REDIS_URL_REG | default (include "harbor.redisForGC" .) | b64enc | quote }}
-  REGISTRY_CREDENTIAL_USERNAME: {{ $existingEnvVarsSecret.REGISTRY_CREDENTIAL_USERNAME | default .Values.registry.credentials.username | b64enc | quote }}
-  REGISTRY_CREDENTIAL_PASSWORD: {{ $existingEnvVarsSecret.REGISTRY_CREDENTIAL_PASSWORD | default .Values.registry.credentials.password | b64enc | quote }}
-  CSRF_KEY: {{ $existingEnvVarsSecret.CSRF_KEY | default (include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "CSRF_KEY" "length" 32 "providedValues" (list "core.csrfKey") "context" $)) }}
-  HARBOR_ADMIN_PASSWORD: {{ $existingEnvVarsSecret.HARBOR_ADMIN_PASSWORD | default (include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "HARBOR_ADMIN_PASSWORD" "length" 22 "providedValues" (list "adminPassword") "context" $)) }}
-  POSTGRESQL_PASSWORD: {{ $existingEnvVarsSecret.POSTGRESQL_PASSWORD | default (include "harbor.database.rawPassword" .) | b64enc | quote }}
+  _REDIS_URL_CORE: {{ $existingEnvVarsSecretCore._REDIS_URL_CORE | default (include "harbor.redisForCore" .) | b64enc | quote }}
+  _REDIS_URL_REG: {{ $existingEnvVarsSecretCore._REDIS_URL_REG | default (include "harbor.redisForGC" .) | b64enc | quote }}
+  REGISTRY_CREDENTIAL_USERNAME: {{ $existingEnvVarsSecretCore.REGISTRY_CREDENTIAL_USERNAME | default .Values.registry.credentials.username | b64enc | quote }}
+  REGISTRY_CREDENTIAL_PASSWORD: {{ $existingEnvVarsSecretCore.REGISTRY_CREDENTIAL_PASSWORD | default .Values.registry.credentials.password | b64enc | quote }}
+  POSTGRESQL_PASSWORD: {{ $existingEnvVarsSecretCore.POSTGRESQL_PASSWORD | default (include "harbor.database.rawPassword" .) | b64enc | quote }}
+  {{- $existingCSRFKey := $existingEnvVarsSecretCore.CSRF_KEY | default "" -}}
+  {{- if eq $existingCSRFKey "" }}
+  CSRF_KEY: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "CSRF_KEY" "length" 32 "providedValues" (list "core.csrfKey") "context" $) }}
+  {{- else }}
+  CSRF_KEY: {{ $existingCSRFKey | b64enc | quote }}
+  {{- end }}
+  {{- $existingHarborAdmPW := $existingEnvVarsSecretCore.HARBOR_ADMIN_PASSWORD | default "" -}}
+  {{- if eq $existingHarborAdmPW "" }}
+  HARBOR_ADMIN_PASSWORD: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-envvars" (include "harbor.core" .)) "key" "HARBOR_ADMIN_PASSWORD" "length" 22 "providedValues" (list "adminPassword") "context" $) }}
+  {{- else }}
+  HARBOR_ADMIN_PASSWORD: {{ $existingHarborAdmPW | b64enc | quote }}
+  {{- end }}
diff --git a/bitnami/harbor/templates/jobservice/jobservice-secret-envvars.yaml b/bitnami/harbor/templates/jobservice/jobservice-secret-envvars.yaml
@@ -3,7 +3,19 @@ Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-{{- if not .Values.jobservice.existingEnvVarsSecret }}
+{{- $secretName := .Values.jobservice.existingEnvVarsSecret -}}
+{{- $namespace := .Release.Namespace -}}
+{{- $secret := lookup "v1" "Secret" $namespace $secretName -}}
+{{- $existingEnvVarsSecretJobservice := dict -}}
+{{- if $secret.data }}
+  {{- $_REGISTRY_CREDENTIAL_PASSWORD := index $secret.data "REGISTRY_CREDENTIAL_PASSWORD" | default "" -}}
+  {{- $_JOB_SERVICE_POOL_REDIS_URL := index $secret.data "JOB_SERVICE_POOL_REDIS_URL" | default "" -}}
+  {{- $existingEnvVarsSecretJobservice = dict 
+        "REGISTRY_CREDENTIAL_PASSWORD" ($_REGISTRY_CREDENTIAL_PASSWORD | b64dec)
+        "JOB_SERVICE_POOL_REDIS_URL" ($_JOB_SERVICE_POOL_REDIS_URL | b64dec)
+     -}}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,6 +30,5 @@ metadata:
   {{- end }}
 type: Opaque
 data:
-  REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
-  JOB_SERVICE_POOL_REDIS_URL: {{ include "harbor.redisForJobservice" . | b64enc | quote }}
-{{- end }}
+  REGISTRY_CREDENTIAL_PASSWORD: {{ $existingEnvVarsSecretJobservice.REGISTRY_CREDENTIAL_PASSWORD | default .Values.registry.credentials.password | b64enc | quote }}
+  JOB_SERVICE_POOL_REDIS_URL: {{ $existingEnvVarsSecretJobservice.JOB_SERVICE_POOL_REDIS_URL | default (include "harbor.redisForJobservice" .) | b64enc | quote }}
diff --git a/bitnami/harbor/templates/registry/registry-secret.yaml b/bitnami/harbor/templates/registry/registry-secret.yaml
@@ -3,7 +3,37 @@ Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-{{- if not .Values.registry.existingSecret }}
+{{- $secretName := .Values.registry.existingSecret -}}
+{{- $namespace := .Release.Namespace -}}
+{{- $secret := lookup "v1" "Secret" $namespace $secretName -}}
+{{- $existingEnvVarsSecretRegistry := dict -}}
+{{- if $secret.data }}
+  {{- $_REGISTRY_HTPASSWD := index $secret.data "REGISTRY_HTPASSWD" | default "" -}}
+  {{- $_REGISTRY_HTTP_SECRET := index $secret.data "REGISTRY_HTTP_SECRET" | default "" -}}
+  {{- $_REGISTRY_REDIS_PASSWORD := index $secret.data "REGISTRY_REDIS_PASSWORD" | default "" -}}
+  {{- $_REGISTRY_STORAGE_AZURE_ACCOUNTKEY := index $secret.data "REGISTRY_STORAGE_AZURE_ACCOUNTKEY" | default "" -}}
+  {{- $_GCS_KEY_DATA := index $secret.data "GCS_KEY_DATA" | default "" -}}
+  {{- $_REGISTRY_STORAGE_S3_ACCESSKEY := index $secret.data "REGISTRY_STORAGE_S3_ACCESSKEY" | default "" -}}
+  {{- $_REGISTRY_STORAGE_S3_SECRETKEY := index $secret.data "REGISTRY_STORAGE_S3_SECRETKEY" | default "" -}}
+  {{- $_REGISTRY_STORAGE_SWIFT_PASSWORD := index $secret.data "REGISTRY_STORAGE_SWIFT_PASSWORD" | default "" -}}
+  {{- $_REGISTRY_STORAGE_SWIFT_SECRETKEY := index $secret.data "REGISTRY_STORAGE_SWIFT_SECRETKEY" | default "" -}}
+  {{- $_REGISTRY_STORAGE_SWIFT_ACCESSKEY := index $secret.data "REGISTRY_STORAGE_SWIFT_ACCESSKEY" | default "" -}}
+  {{- $_REGISTRY_STORAGE_OSS_ACCESSKEYSECRET := index $secret.data "REGISTRY_STORAGE_OSS_ACCESSKEYSECRET" | default "" -}}
+  {{- $existingEnvVarsSecretRegistry = dict 
+        "REGISTRY_HTPASSWD" ($_REGISTRY_HTPASSWD | b64dec)
+        "REGISTRY_HTTP_SECRET" ($_REGISTRY_HTTP_SECRET | b64dec)
+        "REGISTRY_REDIS_PASSWORD" ($_REGISTRY_REDIS_PASSWORD | b64dec)
+        "REGISTRY_STORAGE_AZURE_ACCOUNTKEY" ($_REGISTRY_STORAGE_AZURE_ACCOUNTKEY | b64dec)
+        "GCS_KEY_DATA" ($_GCS_KEY_DATA | b64dec)
+        "REGISTRY_STORAGE_S3_ACCESSKEY" ($_REGISTRY_STORAGE_S3_ACCESSKEY | b64dec)
+        "REGISTRY_STORAGE_S3_SECRETKEY" ($_REGISTRY_STORAGE_S3_SECRETKEY | b64dec)
+        "REGISTRY_STORAGE_SWIFT_PASSWORD" ($_REGISTRY_STORAGE_SWIFT_PASSWORD | b64dec)
+        "REGISTRY_STORAGE_SWIFT_SECRETKEY" ($_REGISTRY_STORAGE_SWIFT_SECRETKEY | b64dec)
+        "REGISTRY_STORAGE_SWIFT_ACCESSKEY" ($_REGISTRY_STORAGE_SWIFT_ACCESSKEY | b64dec)
+        "REGISTRY_STORAGE_OSS_ACCESSKEYSECRET" ($_REGISTRY_STORAGE_OSS_ACCESSKEYSECRET | b64dec)
+     -}}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -17,31 +47,30 @@ metadata:
   {{- end }}
 type: Opaque
 data:
-  REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswd | b64enc | quote }}
-  REGISTRY_HTTP_SECRET: {{ include "common.secrets.passwords.manage" (dict "secret" (include "harbor.registry" .) "key" "REGISTRY_HTTP_SECRET" "length" 16 "providedValues" (list "registry.secret") "context" $) }}
-  REGISTRY_REDIS_PASSWORD: {{ (include "harbor.redis.rawPassword" .) | b64enc | quote }}
+  REGISTRY_HTPASSWD: {{ $existingEnvVarsSecretRegistry.REGISTRY_HTPASSWD | default .Values.registry.credentials.htpasswd | b64enc | quote }}
+  REGISTRY_HTTP_SECRET: {{ $existingEnvVarsSecretRegistry.REGISTRY_HTTP_SECRET | default (include "common.secrets.passwords.manage" (dict "secret" (include "harbor.registry" .) "key" "REGISTRY_HTTP_SECRET" "length" 16 "providedValues" (list "registry.secret") "context" $)) }}
+  REGISTRY_REDIS_PASSWORD: {{ $existingEnvVarsSecretRegistry.REGISTRY_REDIS_PASSWORD | default (include "harbor.redis.rawPassword" .) | b64enc | quote }}
   {{- if eq .Values.persistence.imageChartStorage.type "azure" }}
-  REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ .Values.persistence.imageChartStorage.azure.accountkey | b64enc | quote }}
+  REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_AZURE_ACCOUNTKEY | default .Values.persistence.imageChartStorage.azure.accountkey | b64enc | quote }}
   {{- else if eq .Values.persistence.imageChartStorage.type "gcs" }}
   {{- if .Values.persistence.imageChartStorage.gcs.encodedkey }}
-  GCS_KEY_DATA: {{ .Values.persistence.imageChartStorage.gcs.encodedkey | quote }}
+  GCS_KEY_DATA: {{ $existingEnvVarsSecretRegistry.GCS_KEY_DATA | default .Values.persistence.imageChartStorage.gcs.encodedkey | quote }}
   {{- end }}
   {{- else if eq .Values.persistence.imageChartStorage.type "s3" }}
   {{- if .Values.persistence.imageChartStorage.s3.accesskey }}
-  REGISTRY_STORAGE_S3_ACCESSKEY: {{ .Values.persistence.imageChartStorage.s3.accesskey | b64enc | quote }}
+  REGISTRY_STORAGE_S3_ACCESSKEY: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_S3_ACCESSKEY | default .Values.persistence.imageChartStorage.s3.accesskey | b64enc | quote }}
   {{- end }}
   {{- if .Values.persistence.imageChartStorage.s3.secretkey }}
-  REGISTRY_STORAGE_S3_SECRETKEY: {{ .Values.persistence.imageChartStorage.s3.secretkey | b64enc | quote }}
+  REGISTRY_STORAGE_S3_SECRETKEY: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_S3_SECRETKEY | default .Values.persistence.imageChartStorage.s3.secretkey | b64enc | quote }}
   {{- end }}
   {{- else if eq .Values.persistence.imageChartStorage.type "swift" }}
-  REGISTRY_STORAGE_SWIFT_PASSWORD: {{ .Values.persistence.imageChartStorage.swift.password | b64enc | quote }}
+  REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_SWIFT_PASSWORD | default .Values.persistence.imageChartStorage.swift.password | b64enc | quote }}
   {{- if .Values.persistence.imageChartStorage.swift.secretkey }}
-  REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ .Values.persistence.imageChartStorage.swift.secretkey | b64enc | quote }}
+  REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_SWIFT_SECRETKEY | default .Values.persistence.imageChartStorage.swift.secretkey | b64enc | quote }}
   {{- end }}
   {{- if .Values.persistence.imageChartStorage.swift.accesskey }}
-  REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ .Values.persistence.imageChartStorage.swift.accesskey | b64enc | quote }}
+  REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_SWIFT_ACCESSKEY | default .Values.persistence.imageChartStorage.swift.accesskey | b64enc | quote }}
   {{- end }}
   {{- else if eq .Values.persistence.imageChartStorage.type "oss" }}
-  REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }}
+  REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $existingEnvVarsSecretRegistry.REGISTRY_STORAGE_OSS_ACCESSKEYSECRET | default .Values.persistence.imageChartStorage.oss.accesskeysecret | b64enc | quote }}
   {{- end }}
-{{- end }}
diff --git a/bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml b/bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml
@@ -3,7 +3,24 @@ Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-{{- if and .Values.trivy.enabled (not .Values.trivy.existingEnvVarsSecret) }}
+{{- $secretName := .Values.trivy.existingEnvVarsSecret -}}
+{{- $namespace := .Release.Namespace -}}
+{{- $secret := lookup "v1" "Secret" $namespace $secretName -}}
+{{- $existingEnvVarsSecretTrivy := dict -}}
+{{- if $secret.data }}
+  {{- $_SCANNER_TRIVY_GITHUB_TOKEN := index $secret.data "SCANNER_TRIVY_GITHUB_TOKEN" | default "" -}}
+  {{- $_SCANNER_REDIS_URL := index $secret.data "SCANNER_REDIS_URL" | default "" -}}
+  {{- $_SCANNER_STORE_REDIS_URL := index $secret.data "SCANNER_STORE_REDIS_URL" | default "" -}}
+  {{- $_SCANNER_JOB_QUEUE_REDIS_URL := index $secret.data "SCANNER_JOB_QUEUE_REDIS_URL" | default "" -}}
+  {{- $existingEnvVarsSecretTrivy = dict 
+        "SCANNER_TRIVY_GITHUB_TOKEN" ($_SCANNER_TRIVY_GITHUB_TOKEN | b64dec)
+        "SCANNER_REDIS_URL" ($_SCANNER_REDIS_URL | b64dec)
+        "SCANNER_STORE_REDIS_URL" ($_SCANNER_STORE_REDIS_URL | b64dec)
+        "SCANNER_JOB_QUEUE_REDIS_URL" ($_SCANNER_JOB_QUEUE_REDIS_URL | b64dec)
+     -}}
+{{- end }}
+
+{{- if and .Values.trivy.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,8 +35,8 @@ metadata:
   {{- end }}
 type: Opaque
 data:
-  SCANNER_TRIVY_GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
-  SCANNER_REDIS_URL: {{ include "harbor.redisForTrivyAdapter" . | b64enc }}
-  SCANNER_STORE_REDIS_URL: {{ include "harbor.redisForTrivyAdapter" . | b64enc }}
-  SCANNER_JOB_QUEUE_REDIS_URL: {{ include "harbor.redisForTrivyAdapter" . | b64enc }}
+  SCANNER_TRIVY_GITHUB_TOKEN: {{ $existingEnvVarsSecretTrivy.SCANNER_TRIVY_GITHUB_TOKEN | default (.Values.trivy.gitHubToken | default "") | b64enc | quote }}
+  SCANNER_REDIS_URL: {{ $existingEnvVarsSecretTrivy.SCANNER_REDIS_URL | default (include "harbor.redisForTrivyAdapter" .) | b64enc }}
+  SCANNER_STORE_REDIS_URL: {{ $existingEnvVarsSecretTrivy.SCANNER_STORE_REDIS_URL | default (include "harbor.redisForTrivyAdapter" .) | b64enc }}
+  SCANNER_JOB_QUEUE_REDIS_URL: {{ $existingEnvVarsSecretTrivy.SCANNER_JOB_QUEUE_REDIS_URL | default (include "harbor.redisForTrivyAdapter" .) | b64enc }}
 {{- end }}
diff --git a/bitnami/harbor/values.yaml b/bitnami/harbor/values.yaml
@@ -1473,11 +1473,13 @@ core:
   ## The secret must contain the keys:
   ## `CSRF_KEY` (optional - alternatively auto-generated),
   ## `HARBOR_ADMIN_PASSWORD` (optional - alternatively auto-generated),
-  ## `POSTGRESQL_PASSWORD` (optional - alternatively uses upstream default. Read below if you set it),
+  ## `POSTGRESQL_PASSWORD` (optional - alternatively uses weak upstream default. Read below if you set it),
   ## `postgres-password` (required if POSTGRESQL_PASSWORD is set & must be the same as POSTGRESQL_PASSWORD.)
   ## `HARBOR_DATABASE_PASSWORD` (required if POSTGRESQL_PASSWORD is set & must be the same as POSTGRESQL_PASSWORD.)
-  ## `REGISTRY_CREDENTIAL_USERNAME` (optional - alternatively auto-generated),
-  ## `REGISTRY_CREDENTIAL_PASSWORD` (optional - alternatively auto-generated),
+  ## `REGISTRY_CREDENTIAL_USERNAME` (optional - alternatively weak defaults),
+  ## `REGISTRY_CREDENTIAL_PASSWORD` (optional - alternatively weak defaults),
+  ## `_REDIS_URL_CORE` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/0")
+  ## `_REDIS_URL_REG` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/2")
   ##
   ## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
   ## Notes:
@@ -1891,8 +1893,8 @@ jobservice:
   existingSecret: ""
   ## @param jobservice.existingEnvVarsSecret Existing secret for jobservice envvars
   ## The secret must contain the keys:
-  ## `REGISTRY_CREDENTIAL_PASSWORD` (required),
-  ## `JOB_SERVICE_POOL_REDIS_URL` (required),
+  ## `REGISTRY_CREDENTIAL_PASSWORD` (optional),
+  ## `JOB_SERVICE_POOL_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/1"),
   ##
   ## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
   existingEnvVarsSecret: ""
@@ -2251,8 +2253,8 @@ registry:
   secret: ""
   ## @param registry.existingSecret Existing secret for registry
   ## The secret must contain the keys:
-  ## `REGISTRY_HTPASSWD` (required),
-  ## `REGISTRY_HTTP_SECRET` (required),
+  ## `REGISTRY_HTPASSWD` (required - replaces insecure defaults),
+  ## `REGISTRY_HTTP_SECRET` (optional - generated on the fly if not secified),
   ## `REGISTRY_REDIS_PASSWORD` (optional),
   ##
   existingSecret: ""
@@ -2889,9 +2891,9 @@ trivy:
   ## @param trivy.existingEnvVarsSecret Existing secret for trivy
   ## The secret must contain the keys:
   ## `SCANNER_TRIVY_GITHUB_TOKEN` (optional)
-  ## `SCANNER_REDIS_URL` (required)
-  ## `SCANNER_STORE_REDIS_URL` (required)
-  ## `SCANNER_JOB_QUEUE_REDIS_URL` (required)
+  ## `SCANNER_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5")
+  ## `SCANNER_STORE_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5")
+  ## `SCANNER_JOB_QUEUE_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5")
   ##
   existingEnvVarsSecret: ""
   ## @param trivy.gitHubToken The GitHub access token to download Trivy DB