feat: existing secret support

Chart.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 description: A Helm chart for Docker Registry
 name: docker-registry
-version: 3.0.0
-appVersion: 3.0.0
+version: 3.1.0
+appVersion: 3.1.0
 home: https://hub.docker.com/_/registry/
 icon: https://helm.twun.io/docker-registry.png
 maintainers:
-- email: [email protected]
-  name: Devin Canterberry
-  url: https://canterberry.cc/
+  - email: [email protected]
+    name: Devin Canterberry
+    url: https://canterberry.cc/
 sources:
-- https://github.com/docker/distribution-library-image
+  - https://github.com/docker/distribution-library-image

README.md

@@ -71,6 +71,7 @@ their default values.
 | `priorityClassName      `   | priorityClassName                                                                          | `""`            |
 | `storage`                   | Storage system to use                                                                      | `filesystem`    |
 | `tlsSecretName`             | Name of secret for TLS certs                                                               | `nil`           |
+| `existingSecret`            | Name of an existing secret to use instead of creating one                                  | `""`            |
 | `secrets.htpasswd`          | Htpasswd authentication                                                                    | `nil`           |
 | `secrets.s3.accessKey`      | Access Key for S3 configuration                                                            | `nil`           |
 | `secrets.s3.secretKey`      | Secret Key for S3 configuration                                                            | `nil`           |

templates/NOTES.txt

@@ -17,3 +17,9 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8080:5000
 {{- end }}
+
+{{- if .Values.existingSecret }}
+
+NOTE: You are using an existing secret "{{ .Values.existingSecret }}" for registry credentials.
+Ensure it contains required keys for your chosen auth/storage/proxy configuration.
+{{- end }}

templates/_helpers.tpl

@@ -23,11 +23,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+{{- define "docker-registry.secretName" -}}
+{{- if .Values.existingSecret -}}
+{{- .Values.existingSecret -}}
+{{- else -}}
+{{- template "docker-registry.fullname" . }}-secret
+{{- end -}}
+{{- end -}}
+
 {{- define "docker-registry.envs" -}}
 - name: REGISTRY_HTTP_SECRET
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.secretName" . }}
       key: haSharedSecret
 
 {{- if .Values.secrets.htpasswd }}
@@ -53,17 +61,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.secretName" . }}
       key: azureAccountName
 - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.secretName" . }}
       key: azureAccountKey
 - name: REGISTRY_STORAGE_AZURE_CONTAINER
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.secretName" . }}
       key: azureContainer
 {{- else if eq .Values.storage "s3" }}
 - name: REGISTRY_STORAGE_S3_REGION
@@ -74,12 +82,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_STORAGE_S3_ACCESSKEY
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
       key: s3AccessKey
 - name: REGISTRY_STORAGE_S3_SECRETKEY
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
       key: s3SecretKey
 {{- end -}}
 
@@ -119,12 +127,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_STORAGE_SWIFT_USERNAME
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.secretName" . }}
       key: swiftUsername
 - name: REGISTRY_STORAGE_SWIFT_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.secretName" . }}
       key: swiftPassword
 - name: REGISTRY_STORAGE_SWIFT_CONTAINER
   value: {{ required ".Values.swift.container is required" .Values.swift.container }}
@@ -136,12 +144,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_PROXY_USERNAME
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
       key: proxyUsername
 - name: REGISTRY_PROXY_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
       key: proxyPassword
 {{- end -}}
 
@@ -191,7 +199,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- if .Values.secrets.htpasswd }}
 - name: auth
   secret:
-    secretName: {{ template "docker-registry.fullname" . }}-secret
+    secretName: {{ template "docker-registry.secretName" . }}
     items:
     - key: htpasswd
       path: htpasswd

templates/cronjob.yaml

@@ -21,7 +21,9 @@ spec:
         {{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if not .Values.existingSecret }}
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         {{- if .Values.podAnnotations }}
         {{- toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}

templates/deployment.yaml

@@ -32,7 +32,9 @@ spec:
         {{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if not .Values.existingSecret }}
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         {{- if .Values.podAnnotations }}
         {{ toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}

templates/secret.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -38,3 +39,4 @@ data:
   {{- end }}
   proxyUsername: {{ .Values.proxy.username | default "" | b64enc | quote }}
   proxyPassword: {{ .Values.proxy.password | default "" | b64enc | quote }}
+{{- end }}

values.yaml

@@ -1,6 +1,11 @@
 # Default values for docker-registry.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+
+# If set, use an existing Secret instead of creating one
+# The existing secret must contain the expected keys (haSharedSecret, htpasswd, storage/provider keys, proxy credentials as applicable)
+# existingSecret: ""
+
 replicaCount: 1
 
 updateStrategy: {}