[bitnami/harbor] Enable zero-secret output #25453
Conversation
|
Thanks for your contribution, could you please rebase from |
meln5674
force-pushed
the
feature/harbor-existing-secrets
branch
from
ab44139
to
9faec85
Compare
|
Let me know if there's anything needed on my end besides the rebase to get the check to pass. |
|
It seems that your branch is 31 commits behind main, could you sync your fork? The issue with the action should be fixed by then |
meln5674
force-pushed
the
feature/harbor-existing-secrets
branch
from
9faec85
to
4562ed3
Compare
|
This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution. |
meln5674
force-pushed
the
feature/harbor-existing-secrets
branch
from
4562ed3
to
52abe8d
Compare
|
Please excuse my impatience, but its been 3 weeks since I've made the requested change, and all checks are passing. I rebased again yesterday. Please let me know if there are any further obstacles to merging that I can address. |
javsalgar
added
verify
bitnami/harbor/values.yaml
Outdated
| @@ -1798,6 +1798,13 @@ jobservice: | |||
| ## `secret` (required), | |||
| ## | |||
| existingSecret: "" | |||
| ## @param jobservice.existingEnvVarsSecret Existing secret for jobservice envvars | |||
| ## The secret must contain the keys: | |||
| ## `REGISTRY_CEDENTIAL_PASSWORD` (required), | |||
There was a problem hiding this comment.
| ## `REGISTRY_CEDENTIAL_PASSWORD` (required), | |
| ## `REGISTRY_CREDENTIAL_PASSWORD` (required), |
| @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. | |||
| SPDX-License-Identifier: APACHE-2.0 | |||
| */}} | |||
|
|
|||
| {{- if or (not .Values.core.existingSecret) (not .Values.core.secretName) }} | |||
There was a problem hiding this comment.
This two variables are not use fot the same purpose (a bit confusing I think). I suggest this change:
| {{- if or (not .Values.core.existingSecret) (not .Values.core.secretName) }} | |
| {{- if (not .Values.core.existingSecret) }} |
There was a problem hiding this comment.
You are correct that they are used for different things, however, if you check the data section, you'll notice that if both secrets are provided, the secret in this file will be empty. While this is not technically "wrong", it does mean that it A) still creates a secret (when the goal of the PR is to enable it to output zero secrets) and B) prevents the user from creating a secret out-of-band with the same name (as the chart would overwrite it). By checking if at least one of those secrets is not already provided, we can avoid outputting an unnecessary empty secret.
Let me know if I've misunderstood your comment.
* Added value trivy.existingEnvVarsSecret * Added value jobservice.existingEnvVarsSecret * Moved redis URL from jobservice config secret to env vars secret * Switched jobservice config from Secret to ConfigMap now that no sensitive values are present * Don't create core service if it would be empty Signed-off-by: Andrew Melnick <meln5674@kettering.edu>
meln5674
force-pushed
the
feature/harbor-existing-secrets
branch
from
0fb4e80
to
67178ba
Compare
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Description of the change
This patch makes the following changes:
Benefits
It is now possible to deploy the chart while creating all secrets out-of-band (i.e. kubectl). This means that no sensitive values are required to be in the
values.yaml. This is more secure when running via GitOps.Because the jobservice configuration no longer contains the (potentially) sensitive redis URL, it can be stored as a ConfigMap, which makes it easier to view.
All changes should be backwards compatible.
Possible drawbacks
None known.
Applicable issues
Additional information
Checklist
Chart.yamlaccording to semver. This is not necessary when the changes only affect README.md files.README.mdusing readme-generator-for-helm