feat: existingSecrets support, separate-of-concerns enhancements, custom secret field names support

Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for Docker Registry
 name: docker-registry
-version: 3.0.0
+version: 3.1.0
 appVersion: 3.0.0
 home: https://hub.docker.com/_/registry/
 icon: https://helm.twun.io/docker-registry.png

README.md

@@ -71,10 +71,24 @@ their default values.
 | `priorityClassName      `   | priorityClassName                                                                          | `""`            |
 | `storage`                   | Storage system to use                                                                      | `filesystem`    |
 | `tlsSecretName`             | Name of secret for TLS certs                                                               | `nil`           |
+| `secrets.existingSecret`    | Name of an existing secret                                                                 | `""`            |
+| `secrets.haSharedSecretKey` | Name of the haSharedSecretKey in existing secret                                           | `""`            |
+| `secrets.htpasswdKey`       | Name of the htpasswdKey in existing secret                                                 | `""`            |
+| `secrets.haSharedSecret`          | HA Shared Secret                                                                  | `nil`           |
 | `secrets.htpasswd`          | Htpasswd authentication                                                                    | `nil`           |
+| `secrets.azure.secretRef`          | The ref for an existing secret containing azure credentials                         | `""`            |
+| `secrets.azure.accountNameKey`          | Azure account name key defined in azure secret (if not default)                | `""`            |
+| `secrets.azure.accountKeyKey`          | Azure account key key defined in azure secret (if not default)                  | `""`            |
+| `secrets.azure.containerKey`          | Azure container key defined in azure secret (if not default)                     | `""`            |
+| `secrets.azure.accountName`          | Azure account name                                                                | `""`            |
+| `secrets.azure.accountKey`          | Azure account key                                                                  | `""`            |
+| `secrets.azure.container`          | Azure container                                                                     | `""`            |
 | `secrets.s3.accessKey`      | Access Key for S3 configuration                                                            | `nil`           |
 | `secrets.s3.secretKey`      | Secret Key for S3 configuration                                                            | `nil`           |
-| `secrets.s3.secretRef`      | The ref for an external secret containing the s3AccessKey and s3SecretKey keys                 | `""`            |
+| `secrets.s3.secretRef`      | The ref for an external secret containing the s3AccessKey and s3SecretKey keys             | `""`            |
+| `secrets.swift.secretRef`    | The ref for an existing secret containing swift credentials                               | `""`            |
+| `secrets.swift.usernameKey`    | Username key name defined in existing swift secret (if not default)                     | `""`            |
+| `secrets.swift.passwordKey`    | Password key name defined in existing swift secret (if not default)                     | `""`            |
 | `secrets.swift.username`    | Username for Swift configuration                                                           | `nil`           |
 | `secrets.swift.password`    | Password for Swift configuration                                                           | `nil`           |
 | `secrets.haSharedSecret`    | Shared secret for Registry                                                                 | `nil`           |
@@ -95,6 +109,8 @@ their default values.
 | `proxy.username`            | Remote registry login username                                                             | `nil`           |
 | `proxy.password`            | Remote registry login password                                                             | `nil`           |
 | `proxy.secretRef`           | The ref for an external secret containing the proxyUsername and proxyPassword keys         | `""`            |
+| `proxy.usernameKey`           | Username key name defined in proxy secret (if not default)                               | `""`            |
+| `proxy.passwordKey`           | Password key name defined in proxy secret (if not default)                               | `""`            |
 | `namespace`                 | specify a namespace to install the chart to - defaults to `.Release.Namespace`             | `{{ .Release.Namespace }}` |
 | `nodeSelector`              | node labels for pod assignment                                                             | `{}`            |
 | `affinity`                  | affinity settings                                                                          | `{}`            |

templates/_helpers.tpl

@@ -23,12 +23,40 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+{{- define "docker-registry.secretName" -}}
+{{- if .Values.secrets.existingSecret }}
+{{- .Values.secrets.existingSecret }}
+{{- else }}
+{{- template "docker-registry.fullname" . }}-secret
+{{- end }}
+{{- end }}
+
+{{- define "docker-registry.azureSecretName" -}}
+{{- if .Values.secrets.azure.existingSecret }}
+{{- .Values.secrets.azure.secretRef }}
+{{- else }}
+{{- template "docker-registry.fullname" . }}-secret
+{{- end }}
+{{- end }}
+
+{{- define "docker-registry.swiftSecretName" -}}
+{{- if .Values.secrets.swift.existingSecret }}
+{{- .Values.secrets.swift.secretRef }}
+{{- else }}
+{{- template "docker-registry.fullname" . }}-secret
+{{- end }}
+{{- end }}
+
 {{- define "docker-registry.envs" -}}
 - name: REGISTRY_HTTP_SECRET
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.secretName" . }}
+      {{- if and .Values.secrets.haSharedSecretKey .Values.secrets.existingSecret }}
+      key: {{ .Values.secrets.haSharedSecretKey }}
+      {{- else }}
       key: haSharedSecret
+      {{- end }}
 
 {{- if .Values.secrets.htpasswd }}
 - name: REGISTRY_AUTH
@@ -53,18 +81,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.azureSecretName" . }}
+      {{- if and .Values.secrets.azure.azureAccountNameKey .Values.secrets.azure.existingSecret }}
+      key: {{- .Values.secrets.azure.accountNameKey }}
+      {{- else }}
       key: azureAccountName
+      {{- end }}
 - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.azureSecretName" . }}
+      {{- if and .Values.secrets.azure.azureAccountNameKey .Values.secrets.azure.existingSecret }}
+      key: {{- .Values.secrets.azure.accountKeyKey }}
+      {{- else }}
       key: azureAccountKey
+      {{- end }}
 - name: REGISTRY_STORAGE_AZURE_CONTAINER
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.azureSecretName" . }}
+      {{- if and .Values.secrets.azure.containerKey .Values.secrets.azure.existingSecret }}
+      key: {{- .Values.secrets.azure.containerKey }}
+      {{- else }}
       key: azureContainer
+      {{- end }}
 {{- else if eq .Values.storage "s3" }}
 - name: REGISTRY_STORAGE_S3_REGION
   value: {{ required ".Values.s3.region is required" .Values.s3.region }}
@@ -74,12 +114,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_STORAGE_S3_ACCESSKEY
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
       key: s3AccessKey
 - name: REGISTRY_STORAGE_S3_SECRETKEY
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
       key: s3SecretKey
 {{- end -}}
 
@@ -119,13 +159,21 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_STORAGE_SWIFT_USERNAME
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.swiftSecretName" . }}
+      {{- if and .Values.secrets.swift.usernameKey .Values.secrets.swift.secretRef }}
+      key: {{ .Values.secrets.swift.usernameKey }}
+      {{- else }}
       key: swiftUsername
+      {{- end }}
 - name: REGISTRY_STORAGE_SWIFT_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ template "docker-registry.fullname" . }}-secret
+      name: {{ template "docker-registry.swiftSecretName" . }}
+      {{- if and .Values.secrets.swift.passwordKey .Values.secrets.swift.secretRef }}
+      key: {{ .Values.secrets.swift.passwordKey }}
+      {{- else }}
       key: swiftPassword
+      {{- end }}
 - name: REGISTRY_STORAGE_SWIFT_CONTAINER
   value: {{ required ".Values.swift.container is required" .Values.swift.container }}
 {{- end -}}
@@ -136,13 +184,21 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 - name: REGISTRY_PROXY_USERNAME
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
+      {{- if and .Values.proxy.proxyUsernameKey .Values.proxy.secretRef }}
+      key: {{ .Values.proxy.proxyUsernameKey }}
+      {{- else }}
       key: proxyUsername
+      {{- end }}
 - name: REGISTRY_PROXY_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
+      name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }}
+      {{- if and .Values.proxy.proxyPasswordKey .Values.proxy.secretRef }}
+      key: {{ .Values.proxy.proxyPasswordKey }}
+      {{- else }}
       key: proxyPassword
+      {{- end }}
 {{- end -}}
 
 {{- if .Values.persistence.deleteEnabled }}
@@ -154,13 +210,13 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{ toYaml . }}
 {{- end -}}
 
-{{- end -}}
+{{- end }}
 
 {{- define "docker-registry.volumeMounts" -}}
 - name: "{{ template "docker-registry.fullname" . }}-config"
   mountPath: {{ .Values.configPath }}
 
-{{- if .Values.secrets.htpasswd }}
+{{- if or .Values.secrets.htpasswd .Values.secrets.existingSecret }}
 - name: auth
   mountPath: /auth
   readOnly: true
@@ -188,13 +244,18 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
   configMap:
     name: {{ template "docker-registry.fullname" . }}-config
 
-{{- if .Values.secrets.htpasswd }}
+{{- if or .Values.secrets.htpasswd .Values.secrets.existingSecret }}
 - name: auth
   secret:
-    secretName: {{ template "docker-registry.fullname" . }}-secret
+    secretName: {{ template "docker-registry.secretName" . }}
     items:
+    {{- if and .Values.secrets.htpasswdKey .Values.secrets.existingSecret }}
+    - key: {{ .Values.secrets.htpasswdKey }}
+      path: htpasswd
+    {{- else }}
     - key: htpasswd
       path: htpasswd
+    {{- end }}
 {{- end }}
 
 {{- if eq .Values.storage "filesystem" }}

templates/cronjob.yaml

@@ -21,7 +21,9 @@ spec:
         {{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if not .Values.secrets.existingSecret }}
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         {{- if .Values.podAnnotations }}
         {{- toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}

templates/deployment.yaml

@@ -32,7 +32,9 @@ spec:
         {{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if not .Values.secrets.existingSecret }}
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         {{- if .Values.podAnnotations }}
         {{ toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}

templates/secret.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.secrets.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -38,3 +39,4 @@ data:
   {{- end }}
   proxyUsername: {{ .Values.proxy.username | default "" | b64enc | quote }}
   proxyPassword: {{ .Values.proxy.password | default "" | b64enc | quote }}
+{{- end }}

values.yaml

@@ -78,21 +78,41 @@ storage: filesystem
 # Set this to name of secret for tls certs
 # tlsSecretName: registry.docker.example.com
 secrets:
+  # Specifies the name of an existing secret containing authorization credentials
+  # If set, overrides htpasswd and doesn't create secret
+  existingSecret: ""
+  # Specifies the key name in existing secret containing haSharedSecret
+  # If not set, defaults to haSharedSecret
+  haSharedSecretKey: ""
+  # Specifies the key name in existing secret containing htpasswd
+  # If not set, defaults to htpasswd
+  htpasswdKey: ""
+
+  # If existing secret is not set, this value will be used to generate secret
   haSharedSecret: ""
+  # If existing secret is not set, this value will be used to generate secret
   htpasswd: ""
 # Secrets for Azure
 #   azure:
+#     secretRef: ""
+#     accountNameKey: ""
+#     accountKeyKey: ""
+#     containerKey: ""
+#
 #     accountName: ""
 #     accountKey: ""
 #     container: ""
 # Secrets for S3 access and secret keys
 # Use a secretRef with keys (accessKey, secretKey) for secrets stored outside the chart
-#   s3:
+#   s3:    
 #     secretRef: ""
 #     accessKey: ""
 #     secretKey: ""
 # Secrets for Swift username and password
 #   swift:
+#     secretRef: ""
+#     usernameKey: ""
+#     passwordKey: ""
 #     username: ""
 #     password: ""
 
@@ -119,8 +139,14 @@ proxy:
   username: ""
   password: ""
   # the ref for a secret stored outside of this chart
-  # Keys: proxyUsername, proxyPassword
+  # Default keys: proxyUsername, proxyPassword
   secretRef: ""
+  # Specifies the key name for proxy username to look for in secretRef
+  # Defaults to proxyUsername
+  proxyUsernameKey: ""
+  # Specifies the key name for proxy password to look for in secretRef
+  # Defaults to proxyPassword
+  proxyPasswordKey: ""
 
 metrics:
   enabled: false