Fix: Avoid recreating random secrets

templates/_helpers.tpl

@@ -521,4 +521,151 @@ app: "{{ template "harbor.name" . }}"
 {{/* Allow KubeVersion to be overridden. */}}
 {{- define "harbor.ingress.kubeVersion" -}}
   {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}}
+{{- end -}}
+
+{{/* Harbor Core Secret generator */}}
+{{- define "harbor.core.secret" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) ) -}}
+{{- if $secret -}}
+{{/* Reusing existing secret data */}}
+CONFIG_OVERWRITE_JSON: {{ index $secret "data" "CONFIG_OVERWRITE_JSON" }}
+CSRF_KEY: {{ index $secret "data" "CSRF_KEY" }}
+{{- if not .Values.existingSecretAdminPassword }}
+HARBOR_ADMIN_PASSWORD: {{ index $secret "data" "HARBOR_ADMIN_PASSWORD" }}
+{{- end }}
+{{- if not .Values.database.external.existingSecret }}
+POSTGRESQL_PASSWORD: {{ index $secret "data" "POSTGRESQL_PASSWORD" }}
+{{- end }}
+{{- if not .Values.registry.credentials.existingSecret }}
+REGISTRY_CREDENTIAL_PASSWORD: {{ index $secret "data" "REGISTRY_CREDENTIAL_PASSWORD" }}
+{{- end }}
+secret: {{ index $secret "data" "secret" }}
+{{- if not .Values.existingSecretSecretKey }}
+secretKey: {{ index $secret "data" "secretKey" }}
+{{- end }}
+{{- if not .Values.core.secretName }}
+tls.key: {{ index $secret "data" "tls.key" }}
+tls.crt: {{ index $secret "data" "tls.crt" }}
+{{- end }}
+{{- else -}}
+{{/* 
+  Generate new data
+*/}}
+{{- if not .Values.existingSecretSecretKey }}
+secretKey: {{ .Values.secretKey | b64enc | quote }}
+{{- end }}
+secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
+{{- if not .Values.core.secretName }}
+{{- $ca := genCA "harbor-token-ca" 365 }}
+tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
+tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }}
+{{- end }}
+{{- if not .Values.existingSecretAdminPassword }}
+HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
+{{- end }}
+{{- if not .Values.database.external.existingSecret }}
+POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
+{{- end }}
+{{- if not .Values.registry.credentials.existingSecret }}
+REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
+{{- end }}
+CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
+{{- if .Values.core.configureUserSettings }}
+CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
+{{- end }}
+{{- end -}}
+{{- template "harbor.traceJaegerPassword" . }}
+{{- end -}}
+
+{{/* Harbor JobService Secret generator */}}
+{{- define "harbor.jobservice.secret" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) ) -}}
+{{- if $secret -}}
+{{/* Reusing existing secret data */}}
+JOBSERVICE_SECRET: {{ index $secret "data" "JOBSERVICE_SECRET" }}
+{{- else -}}
+{{/* Generate new data */}}
+JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+{{- end -}}
+{{- if not .Values.registry.credentials.existingSecret }}
+REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
+{{- end }}
+{{- template "harbor.traceJaegerPassword" . }}
+{{- end -}}
+
+{{/* Harbor Registry Secret generator */}}
+{{- define "harbor.registry.secret" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) ) -}}
+{{- if $secret -}}
+{{/* Reusing existing secret data */}}
+REGISTRY_HTTP_SECRET: {{ index $secret "data" "REGISTRY_HTTP_SECRET" }}
+{{- else -}}
+{{/* Generate new data */}}
+REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
+{{- end -}}
+{{- if not .Values.redis.external.existingSecret }}
+REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
+{{- end }}
+{{- $storage := .Values.persistence.imageChartStorage }}
+{{- $type := $storage.type }}
+{{- if and (eq $type "azure") (not $storage.azure.existingSecret) }}
+REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
+{{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }}
+GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
+{{- else if eq $type "s3" }}
+{{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }}
+REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
+{{- end }}
+{{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }}
+REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
+{{- end }}
+{{- else if eq $type "swift" }}
+REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
+{{- if $storage.swift.secretkey }}
+REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
+{{- end }}
+{{- if $storage.swift.accesskey }}
+REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
+{{- end }}
+{{- else if eq $type "oss" }}
+REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
+{{- end }}
+{{- end -}}
+
+{{/* Harbor Registry Secret htpasswd generator */}}
+{{- define "harbor.registry.secret-htpasswd" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-htpasswd" (include "harbor.registry" .)) ) -}}
+{{- if $secret -}}
+{{/* Reusing existing secret data */}}
+{{- if .Values.registry.credentials.htpasswdString }}
+REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }}
+{{- else }}
+REGISTRY_HTPASSWD: {{ index $secret "data" "REGISTRY_HTPASSWD" }}
+{{- end }}
+{{- else -}}
+{{/* Generate new data */}}
+{{- if .Values.registry.credentials.htpasswdString }}
+REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }}
+{{- else }}
+REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/* Harbor Ingress Secret generator */}}
+{{- define "harbor.ingress.secret" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "harbor.ingress" .) ) -}}
+{{- if $secret -}}
+{{/* Reusing existing secret data */}}
+tls.crt: {{ index $secret "data" "tls.crt" }}
+tls.key: {{ index $secret "data" "tls.key" }}
+ca.crt: {{ index $secret "data" "ca.crt" }}
+{{- else -}}
+{{/* Generate new data */}}
+{{- $ca := genCA "harbor-ca" 365 }}
+{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }}
+tls.crt: {{ $cert.Cert | b64enc | quote }}
+tls.key: {{ $cert.Key | b64enc | quote }}
+ca.crt: {{ $ca.Cert | b64enc | quote }}
+{{- end }}
 {{- end -}}

templates/core/core-secret.yaml

@@ -6,26 +6,4 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
-  {{- if not .Values.existingSecretSecretKey }}
-  secretKey: {{ .Values.secretKey | b64enc | quote }}
-  {{- end }}
-  secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
-  {{- if not .Values.core.secretName }}
-  {{- $ca := genCA "harbor-token-ca" 365 }}
-  tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
-  tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }}
-  {{- end }}
-  {{- if not .Values.existingSecretAdminPassword }}
-  HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }}
-  {{- end }}
-  {{- if not .Values.database.external.existingSecret }}
-  POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }}
-  {{- end }}
-  {{- if not .Values.registry.credentials.existingSecret }}
-  REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
-  {{- end }}
-  CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
-{{- if .Values.core.configureUserSettings }}
-  CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
-{{- end }}
-  {{- template "harbor.traceJaegerPassword" . }}
+  {{- ( include "harbor.core.secret" . ) | indent 2 -}}

templates/ingress/secret.yaml

@@ -1,6 +1,4 @@
 {{- if eq (include "harbor.autoGenCertForIngress" .) "true" }}
-{{- $ca := genCA "harbor-ca" 365 }}
-{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,7 +7,5 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ $cert.Cert | b64enc | quote }}
-  tls.key: {{ $cert.Key | b64enc | quote }}
-  ca.crt: {{ $ca.Cert | b64enc | quote }}
+  {{- ( include "harbor.ingress.secret" . ) | indent 2 -}}
 {{- end }}

templates/jobservice/jobservice-secrets.yaml

@@ -6,8 +6,5 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
-  JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
-  {{- if not .Values.registry.credentials.existingSecret }}
-  REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
-  {{- end }}
-  {{- template "harbor.traceJaegerPassword" . }}
+  {{- ( include "harbor.jobservice.secret" . ) | indent 2 -}}
+

templates/registry/registry-secret.yaml

@@ -6,34 +6,8 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
-  REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
-  {{- if not .Values.redis.external.existingSecret }}
-  REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
-  {{- end }}
-  {{- $storage := .Values.persistence.imageChartStorage }}
-  {{- $type := $storage.type }}
-  {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }}
-  REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }}
-  {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }}
-  GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }}
-  {{- else if eq $type "s3" }}
-  {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }}
-  REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }}
-  {{- end }}
-  {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }}
-  REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
-  {{- end }}
-  {{- else if eq $type "swift" }}
-  REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
-  {{- if $storage.swift.secretkey }}
-  REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
-  {{- end }}
-  {{- if $storage.swift.accesskey }}
-  REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
-  {{- end }}
-  {{- else if eq $type "oss" }}
-  REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
-  {{- end }}
+  {{- ( include "harbor.registry.secret" . ) | indent 2 -}}
+
 {{- if not .Values.registry.credentials.existingSecret }}
 ---
 apiVersion: v1
@@ -44,9 +18,5 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
-  {{- if .Values.registry.credentials.htpasswdString }}
-  REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }}
-  {{- else }}
-  REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }}
-  {{- end }}
+  {{- ( include "harbor.registry.secret-htpasswd" . ) | indent 2 -}}
 {{- end }}