First of all, thank you for the helm chart! I'm testing harbor with helm, and it works great!
Having some default credentials in values.yaml may lead to exposing Harbor unintentionally, even though the doc "suggests" changing them... so here are a few suggestions.
Having security section in the README
There are critical credentials which expose data - but the doc doesn't clearly say they must be set.
For example:
registry.credentials.password: The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see official docs. It is suggested you update this value before installation.
I think it should be MUST, mentioned in its own section, not buried in the config table.
Generate all secrets if not given
Here are lists of secrets already being generated automatically
And there are WIP
And the following are not in work:
Are there any other secrets? Also it would be nice for the chart maintainer if the two PRs use a similar approach.
Do not use default values for secrets
Until all secrets are automatically generated by the chart... it would be better to fail if any secrets are not given.
Accept reference to Secret
It would be nice if all secrets could take a reference (probably name and key) to a k8s Secret. I know there are some challenges (e.g. what should happen when the referenced Secret changes outside helm..) - but this chart is already accepting some Secret references (e.g. CA, TLS, ...)
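One way the suggestions above (generate when not given, no default value, accept a Secret reference) can be combined in a single Helm template. This is an added example, not code from the Harbor chart or from the issue author; the value key `registry.credentials.existingSecret`, the Secret name suffix and the data key `password` are assumptions made for illustration, and `registry.credentials.password` is assumed to default to an empty string in values.yaml.

```yaml
{{- /*
  templates/registry-credentials.yaml (added example, not the chart's own file)
  Resolution order for the registry password:
    1. registry.credentials.existingSecret is set (hypothetical key):
       render nothing, the workload references the user's Secret instead.
    2. registry.credentials.password is set: use it as given.
    3. A Secret from a previous install/upgrade exists: reuse its value,
       so "helm upgrade" does not rotate the password unexpectedly.
    4. Otherwise: generate a random password. No hard-coded default.
*/ -}}
{{- $creds := .Values.registry.credentials -}}
{{- if not $creds.existingSecret }}
{{- $name := printf "%s-registry-credentials" .Release.Name -}}
{{- /* lookup returns an empty map when the object is absent, and always
       during "helm template" or --dry-run (no cluster access). */ -}}
{{- $prev := lookup "v1" "Secret" .Release.Namespace $name -}}
{{- $password := "" -}}
{{- if $creds.password }}
  {{- $password = $creds.password -}}
{{- else if and $prev $prev.data }}
  {{- $password = index $prev.data "password" | b64dec -}}
{{- else }}
  {{- $password = randAlphaNum 32 -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  # "password" is an assumed key name for this example.
  password: {{ $password | b64enc | quote }}
{{- end }}
```

For the stricter "fail if not given" behaviour, the `randAlphaNum` branch can be replaced with `{{- $password = required "registry.credentials.password must be set" $creds.password -}}`, which aborts rendering with that message when the value is empty. Because `lookup` returns nothing under `helm template` and `--dry-run`, rendered output from those commands shows a freshly generated value each time rather than the one stored in the cluster.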
I'd like to second the last item! We keep all our configs in git and have a separate system for secret management -- we can't keep secrets in helm charts. The goal is to treat all our ConfigMap objects as if they were leaked publicly.
It's fairly achievable in the end -- here's an example technique to inject a secret into a config file, combining a ConfigMap and Secret with an initContainer: