Fix random values regenerating

templates/_helpers.tpl

@@ -39,6 +39,13 @@ release: {{ .Release.Name }}
 app: "{{ template "harbor.name" . }}"
 {{- end -}}
 
+{{/* Helper for printing values from existing secrets*/}}
+{{- define "harbor.secretKeyHelper" -}}
+  {{- if and (not (empty .data)) (hasKey .data .key) }}
+    {{- index .data .key | b64dec -}}
+  {{- end -}}
+{{- end -}}
+
 {{- define "harbor.autoGenCert" -}}
   {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
     {{- printf "true" -}}
@@ -89,7 +96,12 @@ app: "{{ template "harbor.name" . }}"
 
 {{- define "harbor.database.rawPassword" -}}
   {{- if eq .Values.database.type "internal" -}}
-    {{- .Values.database.internal.password -}}
+    {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}}
+    {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}}
+      {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}}
+    {{- else -}}
+      {{- .Values.database.internal.password | default (randAlphaNum 16) -}}
+    {{- end -}}
   {{- else -}}
     {{- .Values.database.external.password -}}
   {{- end -}}

templates/core/core-secret.yaml

@@ -1,3 +1,4 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,7 +10,7 @@ data:
   {{- if not .Values.existingSecretSecretKey }}
   secretKey: {{ .Values.secretKey | b64enc | quote }}
   {{- end }}
-  secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }}
+  secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
   {{- if not .Values.core.secretName }}
   {{- $ca := genCA "harbor-token-ca" 365 }}
   tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }}
@@ -24,7 +25,7 @@ data:
   {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}
-  CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }}
+  CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
 {{- if .Values.core.configureUserSettings }}
   CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
 {{- end }}

templates/jobservice/jobservice-secrets.yaml

@@ -1,3 +1,4 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,7 +7,7 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
-  JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }}
+  JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
   {{- if not .Values.registry.credentials.existingSecret }}
   REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
   {{- end }}

templates/registry/registry-dpl.yaml

@@ -120,6 +120,33 @@ spec:
               name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }}
               key: AZURE_STORAGE_ACCESS_KEY
         {{- end }}
+        {{- if .Values.persistence.imageChartStorage.swift.existingSecret }}
+        - name: REGISTRY_STORAGE_SWIFT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+              key: REGISTRY_STORAGE_SWIFT_PASSWORD
+        - name: REGISTRY_STORAGE_SWIFT_SECRETKEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+              key: REGISTRY_STORAGE_SWIFT_SECRETKEY
+              optional: true
+        - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }}
+              key: REGISTRY_STORAGE_SWIFT_ACCESSKEY
+              optional: true
+        {{- end }}
+        {{- if .Values.persistence.imageChartStorage.oss.existingSecret }}
+        - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }}
+              key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
+              optional: true
+        {{- end}}
 {{- with .Values.registry.registry.extraEnvVars }}
 {{- toYaml . | nindent 8 }}
 {{- end }}

templates/registry/registry-secret.yaml

@@ -1,3 +1,4 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,7 +7,7 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 type: Opaque
 data:
-  REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }}
+  REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
   {{- if not .Values.redis.external.existingSecret }}
   REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }}
   {{- end }}
@@ -23,15 +24,15 @@ data:
   {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }}
   REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }}
   {{- end }}
-  {{- else if eq $type "swift" }}
+  {{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }}
   REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }}
   {{- if $storage.swift.secretkey }}
   REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }}
   {{- end }}
   {{- if $storage.swift.accesskey }}
   REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }}
   {{- end }}
-  {{- else if eq $type "oss" }}
+  {{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }}
   REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }}
   {{- end }}
 {{- if not .Values.registry.credentials.existingSecret }}

values.yaml

@@ -290,6 +290,8 @@ persistence:
       username: username
       password: password
       container: containername
+      # keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY
+      existingSecret: ""
       #region: fr
       #tenant: tenantname
       #tenantid: tenantid
@@ -310,6 +312,8 @@ persistence:
       accesskeysecret: accesskeysecret
       region: regionname
       bucket: bucketname
+      # key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET
+      existingSecret: ""
       #endpoint: endpoint
       #internal: false
       #encrypt: false
@@ -617,6 +621,7 @@ registry:
     existingSecret: ""
     # Login and password in htpasswd string format. Excludes `registry.credentials.username`  and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt.
     # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string
+    htpasswdString: ""
   middleware:
     enabled: false
     type: cloudFront