

[harbor] Enable zero-secret output
* Added value trivy.existingEnvVarsSecret
* Added value jobservice.existingEnvVarsSecret
* Moved redis URL from jobservice config secret to env vars secret
* Switched jobservice config from Secret to ConfigMap now that no
  sensitive values are present
* Don't create the core Secret if it would be empty (both `core.existingSecret` and `core.secretName` supplied)

Signed-off-by: Andrew Melnick <[email protected]>
meln5674 committed May 2, 2024
1 parent e85a5c8 commit 9faec85
Showing 9 changed files with 37 additions and 8 deletions.
2 changes: 1 addition & 1 deletion bitnami/harbor/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -55,4 +55,4 @@ maintainers:
name: harbor
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/harbor
version: 21.1.2
version: 21.2.0
2 changes: 2 additions & 0 deletions bitnami/harbor/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -659,6 +659,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| `jobservice.jobLogger` | The logger for jobs: `file`, `database` or `stdout` | `file` |
| `jobservice.secret` | Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | `""` |
| `jobservice.existingSecret` | Existing secret for jobservice | `""` |
| `jobservice.existingEnvVarsSecret` | Existing secret for jobservice envvars | `""` |
| `jobservice.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` |
| `jobservice.command` | Override default container command (useful when using custom images) | `[]` |
| `jobservice.args` | Override default container args (useful when using custom images) | `[]` |
Expand Down Expand Up @@ -911,6 +912,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
| `trivy.existingEnvVarsSecret` | Existing secret for trivy | `""` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB | `""` |
| `trivy.skipUpdate` | The flag to disable Trivy DB downloads from GitHub | `false` |
| `trivy.cacheDir` | Directory to store the cache | `/bitnami/harbor-adapter-trivy/.cache` |
Expand Down
2 changes: 2 additions & 0 deletions bitnami/harbor/templates/core/core-secret.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if or (not .Values.core.existingSecret) (not .Values.core.secretName) }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -26,3 +27,4 @@ data:
tls.crt: {{ include "common.secrets.lookup" (dict "secret" (include "harbor.core" .) "key" "tls.crt" "defaultValue" (coalesce .Values.core.tokenCert $ca.Cert) "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" (include "harbor.core" .) "key" "tls.key" "defaultValue" (coalesce .Values.core.tokenKey $ca.Key) "context" $) }}
{{- end }}
{{- end }}
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: v1
kind: Secret
kind: ConfigMap
metadata:
name: {{ include "harbor.jobservice" . }}-config
namespace: {{ include "common.names.namespace" . | quote }}
Expand All @@ -15,7 +15,7 @@ metadata:
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
stringData:
data:
config.yml: |+
#Server listening port
protocol: {{ ternary "https" "http" .Values.internalTLS.enabled | quote }}
Expand All @@ -29,7 +29,6 @@ stringData:
workers: {{ .Values.jobservice.maxJobWorkers }}
backend: "redis"
redis_pool:
redis_url: {{ include "harbor.redisForJobservice" . | quote }}
namespace: {{ .Values.jobservice.redisNamespace | quote }}
job_loggers:
{{- if eq .Values.jobservice.jobLogger "file" }}
Expand Down
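Review bot: The part of config.yml visible here no longer carries a credential once `redis_url` is dropped from the `redis_pool:` stanza, but the rest of the rendered config.yml is outside this hunk, so confirm nothing else credential-bearing is emitted there before downgrading the resource from a Secret to a ConfigMap (a ConfigMap is readable by anyone with `get configmaps` in the namespace, whereas a Secret can be RBAC-restricted separately). A template comment above `data:` would pin the invariant for future edits, e.g. `{{/* config.yml is a ConfigMap and must stay free of credentials; the Redis URL (which embeds the password) is injected via JOB_SERVICE_POOL_REDIS_URL from the envvars Secret */}}`. The change also relies on jobservice honouring the `JOB_SERVICE_POOL_REDIS_URL` override for `redis_pool.redis_url`, which this hunk cannot show; that is worth verifying against the Harbor version the chart ships.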
10 changes: 7 additions & 3 deletions bitnami/harbor/templates/jobservice/jobservice-dpl.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ spec:
annotations:
checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-envvars.yaml") . | sha256sum }}
checksum/secret-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-secret-envvars.yaml") . | sha256sum }}
checksum/secret-config: {{ include (print $.Template.BasePath "/jobservice/jobservice-config-secret.yaml") . | sha256sum }}
checksum/configmap-config: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-config.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }}
checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (not .Values.core.tls.existingSecret) }}
Expand Down Expand Up @@ -166,7 +166,11 @@ spec:
- configMapRef:
name: {{ printf "%s-envvars" (include "harbor.jobservice" .) }}
- secretRef:
{{- with .Values.jobservice.existingEnvVarsSecret }}
name: {{ . }}
{{- else }}
name: {{ printf "%s-envvars" (include "harbor.jobservice" .) }}
{{- end }}
{{- if .Values.jobservice.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.jobservice.extraEnvVarsCM "context" $) }}
Expand Down Expand Up @@ -244,8 +248,8 @@ spec:
- name: empty-dir
emptyDir: {}
- name: jobservice-config
secret:
secretName: {{ include "harbor.jobservice" . }}-config
configMap:
name: {{ include "harbor.jobservice" . }}-config
- name: job-logs
{{- if and .Values.persistence.enabled (eq .Values.jobservice.jobLogger "file") }}
persistentVolumeClaim:
Expand Down
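Review bot: Once `jobservice.existingEnvVarsSecret` is set, the `checksum/secret-env` annotation at the top of this section hashes an empty render of `jobservice-secret-envvars.yaml`, so rotating the Redis password or registry credential in the user-supplied Secret no longer triggers a rollout; `envFrom` values are read only at container start, so the pods keep the stale credential until someone restarts them. The same applies to `checksum/secret-core` when both `core.existingSecret` and `core.secretName` are supplied, since `core-secret.yaml` then renders nothing. This is a reasonable limitation to accept, but it should be stated next to the value's documentation, e.g. `## When set, the chart cannot detect changes to this secret; restart the jobservice deployment after rotating its keys.` As a consistency point, the `{{ . }}` under `{{- with .Values.jobservice.existingEnvVarsSecret }}` is emitted raw while `extraEnvVarsCM` a few lines below goes through `common.tplvalues.render`; rendering the name the same way keeps templated values behaving uniformly.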
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if not .Values.jobservice.existingEnvVarsSecret }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -18,3 +19,5 @@ metadata:
type: Opaque
data:
REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
JOB_SERVICE_POOL_REDIS_URL: {{ include "harbor.redisForJobservice" . | b64enc | quote }}
{{- end }}
2 changes: 1 addition & 1 deletion bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if .Values.trivy.enabled }}
{{- if and .Values.trivy.enabled (not .Values.trivy.existingEnvVarsSecret) }}
apiVersion: v1
kind: Secret
metadata:
Expand Down
4 changes: 4 additions & 0 deletions bitnami/harbor/templates/trivy/trivy-sts.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,11 @@ spec:
- configMapRef:
name: {{ printf "%s-envvars" (include "harbor.trivy" .) }}
- secretRef:
{{- with .Values.trivy.existingEnvVarsSecret }}
name: {{ . }}
{{- else }}
name: {{ printf "%s-envvars" (include "harbor.trivy" .) }}
{{- end }}
{{- if .Values.trivy.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.trivy.extraEnvVarsCM "context" $) }}
Expand Down
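Review bot: Setting `trivy.existingEnvVarsSecret` stops `trivy-secret-envvars.yaml` from rendering, so `trivy.gitHubToken` is silently ignored from then on and, as with jobservice, the pod's checksum annotations no longer change when the external Secret's keys are rotated, leaving the StatefulSet running with stale Redis credentials until it is restarted by hand. Neither consequence is visible from the `secretRef` block itself, so a one-line comment there would help: `{{/* external secret: trivy.gitHubToken is not applied and rotation requires a manual restart */}}`. The `{{ . }}` could also be passed through `common.tplvalues.render`, matching `extraEnvVarsCM` directly below.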
15 changes: 15 additions & 0 deletions bitnami/harbor/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1798,6 +1798,13 @@ jobservice:
## `secret` (required),
##
existingSecret: ""
## @param jobservice.existingEnvVarsSecret Existing secret for jobservice envvars
## The secret must contain the keys:
## `REGISTRY_CEDENTIAL_PASSWORD` (required),
## `JOB_SERVICE_POOL_REDIS_URL` (required),
##
## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
existingEnvVarsSecret: ""
## Use TLS in the container
##
tls:
Expand Down Expand Up @@ -2742,6 +2749,14 @@ trivy:
## @param trivy.insecure The flag to skip verifying registry certificate
##
insecure: false
## @param trivy.existingEnvVarsSecret Existing secret for trivy
## The secret must contain the keys:
## `SCANNER_TRIVY_GITHUB_TOKEN` (optional)
## `SCANNER_REDIS_URL` (required)
## `SCANNER_STORE_REDIS_URL` (required)
## `SCANNER_JOB_QUEUE_REDIS_URL` (required)
##
existingEnvVarsSecret: ""
## @param trivy.gitHubToken The GitHub access token to download Trivy DB
##
## Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
Expand Down
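Review bot: The key listed for `jobservice.existingEnvVarsSecret`, `REGISTRY_CEDENTIAL_PASSWORD`, does not match the key the chart's own Secret emits, `REGISTRY_CREDENTIAL_PASSWORD` (see jobservice-secret-envvars.yaml in this commit). A user who builds the external Secret from this comment gets no error — `envFrom` simply skips keys that are absent — and jobservice starts without the registry password, which only shows up later as failing jobs; the line should read `## `REGISTRY_CREDENTIAL_PASSWORD` (required),`. The trivy `@param` text "Existing secret for trivy" is also less specific than the jobservice entry; `Existing secret for trivy envvars` matches the jobservice wording and, together with a note that `trivy.gitHubToken` is not applied when this is set (the chart-managed Secret that would carry `SCANNER_TRIVY_GITHUB_TOKEN` is no longer rendered), makes the trade-off explicit to operators.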
