[bitnami/harbor] initContainer for certificate vol (#27753)
* [bitnami/harbor] initContainer for certificate vol

Add an init container to copy the /etc/ssl/certs directory to the
ephemeral volume using the same user and group that the main container
runs as.
Then mount that volume over the /etc/ssl/certs directory within the main
container so that the /etc/ssl/certs/ca-certificates.crt can be updated
when internalTLS.enabled is set to true.

Signed-off-by: Jim Barber <jim.barber@healthengine.com.au>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Jim Barber <jim.barber@healthengine.com.au>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
jim-barber-he and bitnami-bot authored Jul 12, 2024
1 parent 5526472 commit e924679
Showing 10 changed files with 205 additions and 12 deletions.
8 changes: 6 additions & 2 deletions bitnami/harbor/CHANGELOG.md
@@ -1,8 +1,12 @@
# Changelog

## 22.0.1 (2024-07-09)
## 22.0.2 (2024-07-12)

* [bitnami/harbor] Fix typo in exporter secretKeyRef ([#27851](https://github.com/bitnami/charts/pull/27851))
* [bitnami/harbor] initContainer for certificate vol ([#27753](https://github.com/bitnami/charts/pull/27753))

## <small>22.0.1 (2024-07-11)</small>

* [bitnami/harbor] Fix typo in exporter secretKeyRef (#27851) ([56b64a0](https://github.com/bitnami/charts/commit/56b64a06a06b253bfc49746369eb62596614fd6a)), closes [#27851](https://github.com/bitnami/charts/issues/27851)

## 22.0.0 (2024-07-09)

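Review bot: the new 22.0.2 section repeats the `Fix typo in exporter secretKeyRef (#27851)` bullet that already appears under the 22.0.1 heading below it; only the initContainer line belongs to this release, so drop the duplicated #27851 bullet from 22.0.2.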
2 changes: 1 addition & 1 deletion bitnami/harbor/Chart.yaml
@@ -55,4 +55,4 @@ maintainers:
name: harbor
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/harbor
version: 22.0.1
version: 22.0.2
2 changes: 2 additions & 0 deletions bitnami/harbor/README.md
@@ -350,6 +350,8 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru

| Name | Description | Value |
| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `certificateVolume.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if certificateVolume.resources is set (certificateVolume.resources is recommended for production). | `nano` |
| `certificateVolume.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
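Review bot: the two `certificateVolume.*` rows land in the parameter table without any prose saying what the certificate-volume init container does; the paragraph above this table only explains `volumePermissions.enabled`. Add a sentence next to it stating that an init container copies `/etc/ssl/certs` into an emptyDir that is then mounted over the same path so `ca-certificates.crt` stays writable, so operators understand why a new init container now appears in every Harbor pod.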
30 changes: 27 additions & 3 deletions bitnami/harbor/templates/core/core-dpl.yaml
@@ -73,9 +73,30 @@ spec:
{{- if .Values.core.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.core.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.core.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.core.initContainers "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.core.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.core.initContainers "context" $) | nindent 8 }}
{{- end }}
- name: certificate-volume
image: {{ include "harbor.core.image" . }}
imagePullPolicy: {{ .Values.core.image.pullPolicy | quote }}
command:
- /bin/bash
args:
- -ec
- cp -r /etc/ssl/certs/* /certs
{{- if .Values.core.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.core.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.certificateVolume.resources }}
resources: {{- toYaml .Values.certificateVolume.resources | nindent 12 }}
{{- else if ne .Values.certificateVolume.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.certificateVolume.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /certs
subPath: etc-ssl-certs
containers:
- name: core
image: {{ include "harbor.core.image" . }}
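Review bot: `cp -r /etc/ssl/certs/* /certs` copies symlinks as symlinks and the unquoted glob skips dot-files. Because the init and main containers use the same image, links into the image's own filesystem still resolve, but the volume is not self-contained, and if `ca-certificates.crt` is itself a symlink in the image a later write through the mount would follow it back into the read-only root filesystem, which defeats the purpose of the change. Consider `cp -rL /etc/ssl/certs/. /certs` so the emptyDir holds real files and every entry is copied.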
@@ -201,6 +222,9 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /etc/ssl/certs
subPath: etc-ssl-certs
- name: config
mountPath: /etc/core/app.conf
subPath: app.conf
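Review bot: mounting the emptyDir over `/etc/ssl/certs` makes the system trust store mutable at runtime by anything running as the container user. That is the intent, but it also means a read-only root filesystem no longer guarantees the integrity of the CA bundle for this path. Worth stating that trade-off in the README or the values comment, and keeping the writable surface limited to exactly this mount as done here.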
30 changes: 27 additions & 3 deletions bitnami/harbor/templates/exporter/exporter-dpl.yaml
@@ -71,9 +71,30 @@ spec:
{{- if .Values.exporter.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.exporter.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.exporter.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.exporter.initContainers "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.exporter.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.exporter.initContainers "context" $) | nindent 8 }}
{{- end }}
- name: certificate-volume
image: {{ include "harbor.exporter.image" . }}
imagePullPolicy: {{ .Values.exporter.image.pullPolicy | quote }}
command:
- /bin/bash
args:
- -ec
- cp -r /etc/ssl/certs/* /certs
{{- if .Values.exporter.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.exporter.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.certificateVolume.resources }}
resources: {{- toYaml .Values.certificateVolume.resources | nindent 12 }}
{{- else if ne .Values.certificateVolume.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.certificateVolume.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /certs
subPath: etc-ssl-certs
containers:
- name: exporter
image: {{ include "harbor.exporter.image" . }}
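Review bot: with `bash -ec`, an empty or missing `/etc/ssl/certs` leaves the glob unexpanded and `cp` exits non-zero, so the pod sits in `Init:Error` with nothing in the container log explaining why. Failing closed is the right behaviour for a trust store, but an explicit check before the copy, e.g. `test -s /etc/ssl/certs/ca-certificates.crt || { echo "no CA bundle found in image"; exit 1; }`, makes the failure diagnosable from `kubectl logs -c certificate-volume`.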
@@ -167,6 +188,9 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /etc/ssl/certs
subPath: etc-ssl-certs
{{- if .Values.internalTLS.enabled }}
- name: internal-tls-certs
mountPath: /etc/harbor/ssl/exporter
23 changes: 23 additions & 0 deletions bitnami/harbor/templates/jobservice/jobservice-dpl.yaml
@@ -102,6 +102,26 @@ spec:
mountPath: /var/log/jobs
subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
{{- end }}
- name: certificate-volume
image: {{ include "harbor.jobservice.image" . }}
imagePullPolicy: {{ .Values.jobservice.image.pullPolicy | quote }}
command:
- /bin/bash
args:
- -ec
- cp -r /etc/ssl/certs/* /certs
{{- if .Values.jobservice.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.jobservice.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.certificateVolume.resources }}
resources: {{- toYaml .Values.certificateVolume.resources | nindent 12 }}
{{- else if ne .Values.certificateVolume.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.certificateVolume.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /certs
subPath: etc-ssl-certs
{{- if .Values.jobservice.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.jobservice.initContainers "context" $) | nindent 8 }}
{{- end }}
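Review bot: here the `certificate-volume` init container is emitted before the user-supplied `.Values.jobservice.initContainers`, whereas core-dpl.yaml, exporter-dpl.yaml and portal-dpl.yaml in this same change emit it after theirs. Pick one order for all components; otherwise a custom init container that expects `/certs` or the trust-store copy to exist behaves differently per deployment. Running `certificate-volume` first everywhere seems the safer default so user init containers always see a populated bundle.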
@@ -221,6 +241,9 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /etc/ssl/certs
subPath: etc-ssl-certs
- name: jobservice-config
mountPath: /etc/jobservice/config.yml
subPath: config.yml
33 changes: 30 additions & 3 deletions bitnami/harbor/templates/portal/portal-dpl.yaml
@@ -68,9 +68,33 @@ spec:
{{- if .Values.portal.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.portal.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.portal.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.portal.initContainers "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.portal.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.portal.initContainers "context" $) | nindent 8 }}
{{- end }}
- name: certificate-volume
image: {{ include "harbor.portal.image" . }}
imagePullPolicy: {{ .Values.portal.image.pullPolicy | quote }}
{{- if .Values.portal.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.portal.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- cp -r /etc/ssl/certs/* /certs
{{- if .Values.portal.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.portal.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.certificateVolume.resources }}
resources: {{- toYaml .Values.certificateVolume.resources | nindent 12 }}
{{- else if ne .Values.certificateVolume.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.certificateVolume.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /certs
subPath: etc-ssl-certs
containers:
- name: portal
image: {{ include "harbor.portal.image" . }}
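Review bot: the `securityContext` block for the `certificate-volume` init container is rendered twice in this hunk, once before `command:` and again after `args:`, both guarded by the same `portal.containerSecurityContext.enabled` check. That produces a duplicate mapping key in the rendered YAML, which strict parsers reject and lenient ones resolve unpredictably; drop the first copy so the template matches core-dpl.yaml and exporter-dpl.yaml.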
@@ -143,6 +167,9 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /etc/ssl/certs
subPath: etc-ssl-certs
- name: portal-config
mountPath: /opt/bitnami/nginx/conf/nginx.conf
subPath: nginx.conf
46 changes: 46 additions & 0 deletions bitnami/harbor/templates/registry/registry-dpl.yaml
@@ -100,6 +100,46 @@ spec:
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
{{- end }}
- name: certificate-volume-server
image: {{ include "harbor.registry.server.image" . }}
imagePullPolicy: {{ .Values.registry.server.image.pullPolicy | quote }}
command:
- /bin/bash
args:
- -ec
- cp -r /etc/ssl/certs/* /certs
{{- if .Values.registry.server.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.registry.server.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.certificateVolume.resources }}
resources: {{- toYaml .Values.certificateVolume.resources | nindent 12 }}
{{- else if ne .Values.certificateVolume.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.certificateVolume.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /certs
subPath: etc-ssl-certs-server
- name: certificate-volume-controller
image: {{ include "harbor.registry.controller.image" . }}
imagePullPolicy: {{ .Values.registry.controller.image.pullPolicy | quote }}
command:
- /bin/bash
args:
- -ec
- cp -r /etc/ssl/certs/* /certs
{{- if .Values.registry.controller.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.registry.controller.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.certificateVolume.resources }}
resources: {{- toYaml .Values.certificateVolume.resources | nindent 12 }}
{{- else if ne .Values.certificateVolume.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.certificateVolume.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /certs
subPath: etc-ssl-certs-controller
{{- if .Values.registry.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.registry.initContainers "context" $) | nindent 8 }}
{{- end }}
@@ -197,6 +237,9 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /etc/ssl/certs
subPath: etc-ssl-certs-server
- name: registry-data
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
@@ -351,6 +394,9 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /etc/ssl/certs
subPath: etc-ssl-certs-controller
- name: registry-data
mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
23 changes: 23 additions & 0 deletions bitnami/harbor/templates/trivy/trivy-sts.yaml
@@ -97,6 +97,26 @@ spec:
- name: data
mountPath: {{ .Values.trivy.cacheDir }}
{{- end }}
- name: certificate-volume
image: {{ include "harbor.trivy.image" . }}
imagePullPolicy: {{ .Values.trivy.image.pullPolicy | quote }}
command:
- /bin/bash
args:
- -ec
- cp -r /etc/ssl/certs/* /certs
{{- if .Values.trivy.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.trivy.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.certificateVolume.resources }}
resources: {{- toYaml .Values.certificateVolume.resources | nindent 12 }}
{{- else if ne .Values.certificateVolume.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.certificateVolume.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /certs
subPath: etc-ssl-certs
{{- if .Values.trivy.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.trivy.initContainers "context" $) | nindent 8 }}
{{- end }}
@@ -182,6 +202,9 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /etc/ssl/certs
subPath: etc-ssl-certs
- name: data
mountPath: {{ .Values.trivy.cacheDir }}
readOnly: false
20 changes: 20 additions & 0 deletions bitnami/harbor/values.yaml
@@ -583,6 +583,26 @@ tracing:
##

## Init containers parameters:
## certificateVolume: Copy /etc/ssl/certs to a volume so that they can be updated when a read-only volume is in use.
##
certificateVolume:
## Init container resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param certificateVolume.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if certificateVolume.resources is set (certificateVolume.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "nano"
## @param certificateVolume.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
##
volumePermissions:
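Review bot: `certificateVolume` exposes only `resourcesPreset` and `resources`; unlike `volumePermissions` there is no `enabled` switch, and the templates in this change render the init container unconditionally. Add a `certificateVolume.enabled` flag (defaulting to `true` to keep the current behaviour) so clusters whose admission policy restricts init containers can opt out, and note in the comment that the copy lives in an emptyDir rebuilt on every pod start, so a CA added at runtime does not survive a restart.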