-
Notifications
You must be signed in to change notification settings - Fork 8.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bitnami/harbor] Enable zero-secret output #25453
base: main
Are you sure you want to change the base?
Conversation
Thanks for your contribution, could you please rebase from |
ab44139
to
9faec85
Compare
Let me know if there's anything needed on my end besides the rebase to get the check to pass. |
It seems that your branch is 31 commits behind main, could you sync your fork? The issue with the action should be fixed by then |
9faec85
to
4562ed3
Compare
This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution. |
4562ed3
to
52abe8d
Compare
Please excuse my impatience, but its been 3 weeks since I've made the requested change, and all checks are passing. I rebased again yesterday. Please let me know if there are any further obstacles to merging that I can address. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for contributing and sorry for the delay. I apply a couple of suggestions. Could you please take a look?
bitnami/harbor/values.yaml
Outdated
@@ -1798,6 +1798,13 @@ jobservice: | |||
## `secret` (required), | |||
## | |||
existingSecret: "" | |||
## @param jobservice.existingEnvVarsSecret Existing secret for jobservice envvars | |||
## The secret must contain the keys: | |||
## `REGISTRY_CEDENTIAL_PASSWORD` (required), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
## `REGISTRY_CEDENTIAL_PASSWORD` (required), | |
## `REGISTRY_CREDENTIAL_PASSWORD` (required), |
@@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. | |||
SPDX-License-Identifier: APACHE-2.0 | |||
*/}} | |||
|
|||
{{- if or (not .Values.core.existingSecret) (not .Values.core.secretName) }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This two variables are not use fot the same purpose (a bit confusing I think). I suggest this change:
{{- if or (not .Values.core.existingSecret) (not .Values.core.secretName) }} | |
{{- if (not .Values.core.existingSecret) }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are correct that they are used for different things, however, if you check the data section, you'll notice that if both secrets are provided, the secret in this file will be empty. While this is not technically "wrong", it does mean that it A) still creates a secret (when the goal of the PR is to enable it to output zero secrets) and B) prevents the user from creating a secret out-of-band with the same name (as the chart would overwrite it). By checking if at least one of those secrets is not already provided, we can avoid outputting an unnecessary empty secret.
Let me know if I've misunderstood your comment.
* Added value trivy.existingEnvVarsSecret * Added value jobservice.existingEnvVarsSecret * Moved redis URL from jobservice config secret to env vars secret * Switched jobservice config from Secret to ConfigMap now that no sensitive values are present * Don't create core service if it would be empty Signed-off-by: Andrew Melnick <meln5674@kettering.edu>
0fb4e80
to
67178ba
Compare
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Description of the change
This patch makes the following changes:
Benefits
It is now possible to deploy the chart while creating all secrets out-of-band (i.e. kubectl). This means that no sensitive values are required to be in the
values.yaml
. This is more secure when running via GitOps.Because the jobservice configuration no longer contains the (potentially) sensitive redis URL, it can be stored as a ConfigMap, which makes it easier to view.
All changes should be backwards compatible.
Possible drawbacks
None known.
Applicable issues
Additional information
Checklist
Chart.yaml
according to semver. This is not necessary when the changes only affect README.md files.README.md
using readme-generator-for-helm