diff --git a/Chart.yaml b/Chart.yaml
index 07887125..1cbb8ced 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for Docker Registry
 name: docker-registry
-version: 3.0.0
+version: 3.1.0
 appVersion: 3.0.0
 home: https://hub.docker.com/_/registry/
 icon: https://helm.twun.io/docker-registry.png
diff --git a/README.md b/README.md
index 6dd113bc..936e78cd 100644
--- a/README.md
+++ b/README.md
@@ -71,10 +71,24 @@ their default values.
 | `priorityClassName ` | priorityClassName | `""` |
 | `storage` | Storage system to use | `filesystem` |
 | `tlsSecretName` | Name of secret for TLS certs | `nil` |
+| `secrets.existingSecret` | Name of an existing secret | `""` |
+| `secrets.haSharedSecretKey` | Name of the haSharedSecretKey in existing secret | `""` |
+| `secrets.htpasswdKey` | Name of the htpasswdKey in existing secret | `""` |
+| `secrets.haSharedSecret` | HA Shared Secret | `nil` |
 | `secrets.htpasswd` | Htpasswd authentication | `nil` |
+| `secrets.azure.secretRef` | The ref for an existing secret containing azure credentials | `""` |
+| `secrets.azure.accountNameKey` | Azure account name key defined in azure secret (if not default) | `""` |
+| `secrets.azure.accountKeyKey` | Azure account key key defined in azure secret (if not default) | `""` |
+| `secrets.azure.containerKey` | Azure container key defined in azure secret (if not default) | `""` |
+| `secrets.azure.accountName` | Azure account name | `""` |
+| `secrets.azure.accountKey` | Azure account key | `""` |
+| `secrets.azure.container` | Azure container | `""` |
 | `secrets.s3.accessKey` | Access Key for S3 configuration | `nil` |
 | `secrets.s3.secretKey` | Secret Key for S3 configuration | `nil` |
-| `secrets.s3.secretRef` | The ref for an external secret containing the s3AccessKey and s3SecretKey keys | `""` |
+| `secrets.s3.secretRef` | The ref for an external secret containing the s3AccessKey and s3SecretKey keys | `""` |
+| `secrets.swift.secretRef` | The ref for an existing secret containing swift credentials | `""` |
+| `secrets.swift.usernameKey` | Username key name defined in existing swift secret (if not default) | `""` |
+| `secrets.swift.passwordKey` | Password key name defined in existing swift secret (if not default) | `""` |
 | `secrets.swift.username` | Username for Swift configuration | `nil` |
 | `secrets.swift.password` | Password for Swift configuration | `nil` |
 | `secrets.haSharedSecret` | Shared secret for Registry | `nil` |
@@ -95,6 +109,8 @@ their default values.
 | `proxy.username` | Remote registry login username | `nil` |
 | `proxy.password` | Remote registry login password | `nil` |
 | `proxy.secretRef` | The ref for an external secret containing the proxyUsername and proxyPassword keys | `""` |
+| `proxy.usernameKey` | Username key name defined in proxy secret (if not default) | `""` |
+| `proxy.passwordKey` | Password key name defined in proxy secret (if not default) | `""` |
 | `namespace` | specify a namespace to install the chart to - defaults to `.Release.Namespace` | `{{ .Release.Namespace }}` |
 | `nodeSelector` | node labels for pod assignment | `{}` |
 | `affinity` | affinity settings | `{}` |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 1547d1d2..f8b28a82 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -23,12 +23,40 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- end -}} +{{- define "docker-registry.secretName" -}} +{{- if .Values.secrets.existingSecret }} +{{- .Values.secrets.existingSecret }} +{{- else }} +{{- template "docker-registry.fullname" . }}-secret +{{- end }} +{{- end }} + +{{- define "docker-registry.azureSecretName" -}} +{{- if .Values.secrets.azure.existingSecret }} +{{- .Values.secrets.azure.secretRef }} +{{- else }} +{{- template "docker-registry.fullname" . }}-secret +{{- end }} +{{- end }} + +{{- define "docker-registry.swiftSecretName" -}} +{{- if .Values.secrets.swift.existingSecret }} +{{- .Values.secrets.swift.secretRef }} +{{- else }} +{{- template "docker-registry.fullname" . }}-secret +{{- end }} +{{- end }} + {{- define "docker-registry.envs" -}} - name: REGISTRY_HTTP_SECRET valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.secretName" . }} + {{- if and .Values.secrets.haSharedSecretKey .Values.secrets.existingSecret }} + key: {{ .Values.secrets.haSharedSecretKey }} + {{- else }} key: haSharedSecret + {{- end }} {{- if .Values.secrets.htpasswd }} - name: REGISTRY_AUTH 
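Review bot: `docker-registry.azureSecretName` and `docker-registry.swiftSecretName` branch on `.Values.secrets.azure.existingSecret` / `.Values.secrets.swift.existingSecret`, keys that neither the values.yaml nor the README hunks in this diff define, and only then emit `secretRef`, so the external secret is never selected. Both helpers also fall back to `<fullname>-secret` instead of `docker-registry.secretName`, which is the one name that still exists once `secrets.existingSecret` is set and secret.yaml stops rendering. The documented shape is presumably `{{- if .Values.secrets.azure.secretRef }}` for the condition and `{{- template "docker-registry.secretName" . }}` for the fallback, with the same two-line change in the swift helper; the Azure and Swift env hunks later in this file depend on it. The `docker-registry.envs` define continues past the end of this hunk.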
@@ -53,18 +81,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.azureSecretName" . }} + {{- if and .Values.secrets.azure.azureAccountNameKey .Values.secrets.azure.existingSecret }} + key: {{- .Values.secrets.azure.accountNameKey }} + {{- else }} key: azureAccountName + {{- end }} - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.azureSecretName" . }} + {{- if and .Values.secrets.azure.azureAccountNameKey .Values.secrets.azure.existingSecret }} + key: {{- .Values.secrets.azure.accountKeyKey }} + {{- else }} key: azureAccountKey + {{- end }} - name: REGISTRY_STORAGE_AZURE_CONTAINER valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.azureSecretName" . }} + {{- if and .Values.secrets.azure.containerKey .Values.secrets.azure.existingSecret }} + key: {{- .Values.secrets.azure.containerKey }} + {{- else }} key: azureContainer + {{- end }} {{- else if eq .Values.storage "s3" }} - name: REGISTRY_STORAGE_S3_REGION value: {{ required ".Values.s3.region is required" .Values.s3.region }} 
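Review bot: The three override `key:` lines use `{{-`, which trims the space after the colon and renders `key:<value>`, a plain scalar rather than a mapping entry, so rendering fails with a YAML parse error whenever the override branch is taken. The branch is also unreachable as written: the ACCOUNTNAME and ACCOUNTKEY conditions both test `.Values.secrets.azure.azureAccountNameKey`, a key the values.yaml hunk does not define (it defines `accountNameKey` and `accountKeyKey`), and all three gate on `.Values.secrets.azure.existingSecret` rather than the documented `secretRef`. The rewritten lines below use `{{ ` and the documented value names; the enclosing `{{- if eq .Values.storage "azure" }}` branch starts before this hunk.
```yaml
- name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
  valueFrom:
    secretKeyRef:
      name: {{ template "docker-registry.azureSecretName" . }}
      {{- if and .Values.secrets.azure.accountNameKey .Values.secrets.azure.secretRef }}
      key: {{ .Values.secrets.azure.accountNameKey }}
      # … unchanged: else / key: azureAccountName / end …
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
  # … unchanged: valueFrom / secretKeyRef / name …
      {{- if and .Values.secrets.azure.accountKeyKey .Values.secrets.azure.secretRef }}
      key: {{ .Values.secrets.azure.accountKeyKey }}
      # … unchanged: else / key: azureAccountKey / end …
- name: REGISTRY_STORAGE_AZURE_CONTAINER
  # … unchanged: valueFrom / secretKeyRef / name …
      {{- if and .Values.secrets.azure.containerKey .Values.secrets.azure.secretRef }}
      key: {{ .Values.secrets.azure.containerKey }}
      # … unchanged: else / key: azureContainer / end …
```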
@@ -74,12 +114,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_STORAGE_S3_ACCESSKEY valueFrom: secretKeyRef: - name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} key: s3AccessKey - name: REGISTRY_STORAGE_S3_SECRETKEY valueFrom: secretKeyRef: - name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} key: s3SecretKey {{- end -}} @@ -119,13 +159,21 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_STORAGE_SWIFT_USERNAME valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.swiftSecretName" . }} + {{- if and .Values.secrets.swift.usernameKey .Values.secrets.swift.secretRef }} + key: {{ .Values.secrets.swift.usernameKey }} + {{- else }} key: swiftUsername + {{- end }} - name: REGISTRY_STORAGE_SWIFT_PASSWORD valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.swiftSecretName" . }} + {{- if and .Values.secrets.swift.passwordKey .Values.secrets.swift.secretRef }} + key: {{ .Values.secrets.swift.passwordKey }} + {{- else }} key: swiftPassword + {{- end }} - name: REGISTRY_STORAGE_SWIFT_CONTAINER value: {{ required ".Values.swift.container is required" .Values.swift.container }} {{- end -}} 
@@ -136,13 +184,21 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_PROXY_USERNAME valueFrom: secretKeyRef: - name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} + {{- if and .Values.proxy.proxyUsernameKey .Values.proxy.secretRef }} + key: {{ .Values.proxy.proxyUsernameKey }} + {{- else }} key: proxyUsername + {{- end }} - name: REGISTRY_PROXY_PASSWORD valueFrom: secretKeyRef: - name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} + {{- if and .Values.proxy.proxyPasswordKey .Values.proxy.secretRef }} + key: {{ .Values.proxy.proxyPasswordKey }} + {{- else }} key: proxyPassword + {{- end }} {{- end -}} {{- if .Values.persistence.deleteEnabled }} @@ -154,13 +210,13 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{ toYaml . }} {{- end -}} -{{- end -}} +{{- end }} {{- define "docker-registry.volumeMounts" -}} - name: "{{ template "docker-registry.fullname" . }}-config" mountPath: {{ .Values.configPath }} -{{- if .Values.secrets.htpasswd }} +{{- if or .Values.secrets.htpasswd .Values.secrets.existingSecret }} - name: auth mountPath: /auth readOnly: true 
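Review bot: The proxy override keys are read as `.Values.proxy.proxyUsernameKey` and `.Values.proxy.proxyPasswordKey`, which matches the values.yaml hunk at the end of this diff but not the README rows this commit adds, `proxy.usernameKey` and `proxy.passwordKey`; a user following the README keeps the default key names with no error. Either rename the README rows to `proxy.proxyUsernameKey` / `proxy.proxyPasswordKey` or rename the values to `usernameKey` / `passwordKey`, which is the convention the new `secrets.swift.usernameKey` and `secrets.swift.passwordKey` values already follow. The conditional closed by the `{{- end -}}` after REGISTRY_PROXY_PASSWORD opens before this hunk.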
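Review bot: The `/auth` mount is now added whenever `secrets.existingSecret` is set, but the `REGISTRY_AUTH` environment block in `docker-registry.envs` (visible as context at the end of the first _helpers.tpl hunk) is still guarded by `{{- if .Values.secrets.htpasswd }}` alone, so an htpasswd file delivered through an existing secret is mounted and then never referenced — the registry starts without authentication even though the operator supplied credentials. The env guard should be widened to match, `{{- if or .Values.secrets.htpasswd .Values.secrets.existingSecret }}`, or the mount should stay tied to `htpasswd`; the volumes hunk that follows has the same gap. The `REGISTRY_AUTH*` block and the `docker-registry.volumeMounts` define both extend outside this hunk.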
@@ -188,13 +244,18 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this configMap: name: {{ template "docker-registry.fullname" . }}-config -{{- if .Values.secrets.htpasswd }} +{{- if or .Values.secrets.htpasswd .Values.secrets.existingSecret }} - name: auth secret: - secretName: {{ template "docker-registry.fullname" . }}-secret + secretName: {{ template "docker-registry.secretName" . }} items: + {{- if and .Values.secrets.htpasswdKey .Values.secrets.existingSecret }} + - key: {{ .Values.secrets.htpasswdKey }} + path: htpasswd + {{- else }} - key: htpasswd path: htpasswd + {{- end }} {{- end }} {{- if eq .Values.storage "filesystem" }} diff --git a/templates/cronjob.yaml b/templates/cronjob.yaml index a5419590..66522b36 100644 --- a/templates/cronjob.yaml +++ b/templates/cronjob.yaml @@ -21,7 +21,9 @@ spec: {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if not .Values.secrets.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} {{- if .Values.podAnnotations }} {{- toYaml .Values.podAnnotations | nindent 8 }} {{- end }} diff --git a/templates/deployment.yaml b/templates/deployment.yaml index a8ef2fca..67ac6911 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -32,7 +32,9 @@ spec: {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if not .Values.secrets.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | nindent 8 }} {{- end }} diff --git a/templates/secret.yaml b/templates/secret.yaml index 6265dc84..1da6e07b 100644 --- a/templates/secret.yaml +++ b/templates/secret.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.secrets.existingSecret }} apiVersion: v1 kind: Secret metadata: 
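Review bot: With `existingSecret` set, the `items` list unconditionally projects an htpasswd entry (`htpasswdKey` or the default `htpasswd`) out of that secret; if the external secret carries only `haSharedSecret`, the kubelet cannot populate the volume and the pod stays in ContainerCreating with a missing-key event. The values.yaml comment for `existingSecret` should state that the secret must hold both `haSharedSecret` and `htpasswd` entries, under the default or the configured key names. Making the volume `optional: true` would avoid the stuck pod but trades it for a registry that silently comes up without the htpasswd file, so documenting the requirement is the safer fix. The `docker-registry.volumes` define starts before this hunk and continues after it.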
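Review bot: Wrapping the whole Secret in `{{- if not .Values.secrets.existingSecret }}` also drops the `s3AccessKey`/`s3SecretKey`, swift, azure and `proxyUsername`/`proxyPassword` entries (the proxy ones are visible as context in the next hunk), while the env helpers keep resolving `docker-registry.secretName` to the existing secret and reading those default keys. Values such as `secrets.s3.accessKey` or `proxy.password` set alongside `existingSecret` are therefore silently ignored and the pod references keys the external secret may not contain. The values.yaml comment `# If set, overrides htpasswd and doesn't create secret` should become something like `# If set, the chart does not render its own Secret; haSharedSecret, htpasswd and any s3/azure/swift/proxy credential without its own secretRef must exist in this secret under the default key names`, or the template could `fail` when both are set so the conflict is loud. The closing `{{- end }}` is in the following hunk.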
@@ -38,3 +39,4 @@ data: {{- end }} proxyUsername: {{ .Values.proxy.username | default "" | b64enc | quote }} proxyPassword: {{ .Values.proxy.password | default "" | b64enc | quote }} +{{- end }} diff --git a/values.yaml b/values.yaml index e3e74125..c35c6f5e 100644 --- a/values.yaml +++ b/values.yaml @@ -78,21 +78,41 @@ storage: filesystem # Set this to name of secret for tls certs # tlsSecretName: registry.docker.example.com secrets: + # Specifies the name of an existing secret containing authorization credentials + # If set, overrides htpasswd and doesn't create secret + existingSecret: "" + # Specifies the key name in existing secret containing haSharedSecret + # If not set, defaults to haSharedSecret + haSharedSecretKey: "" + # Specifies the key name in existing secret containing htpasswd + # If not set, defaults to htpasswd + htpasswdKey: "" + + # If existing secret is not set, this value will be used to generate secret haSharedSecret: "" + # If existing secret is not set, this value will be used to generate secret htpasswd: "" # Secrets for Azure # azure: +# secretRef: "" +# accountNameKey: "" +# accountKeyKey: "" +# containerKey: "" +# # accountName: "" # accountKey: "" # container: "" # Secrets for S3 access and secret keys # Use a secretRef with keys (accessKey, secretKey) for secrets stored outside the chart -# s3: +# s3: # secretRef: "" # accessKey: "" # secretKey: "" # Secrets for Swift username and password # swift: +# secretRef: "" +# usernameKey: "" +# passwordKey: "" # username: "" # password: "" 
@@ -119,8 +139,14 @@ proxy: username: "" password: "" # the ref for a secret stored outside of this chart - # Keys: proxyUsername, proxyPassword + # Default keys: proxyUsername, proxyPassword secretRef: "" + # Specifies the key name for proxy username to look for in secretRef + # Defaults to proxyUsername + proxyUsernameKey: "" + # Specifies the key name for proxy password to look for in secretRef + # Defaults to proxyPassword + proxyPasswordKey: "" metrics: enabled: false