bp-powerdns was moved to the `powerdns` namespace in PR #556/#553, but bp-external-dns still had `powerdnsNamespace: openova-system` in its NetworkPolicy egress rule and `--pdns-server=...openova-system...` in extraArgs. Both pointed at the wrong namespace, blocking DNS reconciliation.

Fix:
- externalDns.networkPolicy.powerdnsNamespace: openova-system → powerdns
- extraArgs --pdns-server: ...openova-system... → ...powerdns...

Bump bp-external-dns 1.1.2 → 1.1.3. Bootstrap-kit slot 12 updated.

Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
51 lines
2.4 KiB
YAML
{{- /*
Re-emits the CNPG-generated `harbor-pg-app` Secret as `harbor-database-secret`
in the shape Harbor's upstream chart expects.

CNPG synthesises a `<cluster>-app` Secret (here: `harbor-pg-app`) containing
the application user's credentials under the key `password` (plus `host`,
`port`, `dbname`, `username`, `uri`, `jdbc-uri`). Harbor's upstream chart
reads the password from `database.external.existingSecret` which must
contain a `HARBOR_DATABASE_PASSWORD` key (upstream chart name convention
used in the core/jobservice env from).

This template:
1. Reads `harbor-pg-app` via Helm `lookup` at apply time — safe because
   the Capabilities gate in cnpg-cluster.yaml ensures the Cluster CR
   (and thus the Secret) is created by the time helm-controller runs
   an upgrade reconcile. On first install the Cluster may not yet be
   ready; if the lookup returns nil the Secret renders with an empty
   password (harbor-core stays in CreateContainerConfigError until CNPG
   finishes bootstrapping and the next Helm upgrade run succeeds).
2. Publishes the password under both `password` (Catalyst convention /
   direct env var consumers) and `HARBOR_DATABASE_PASSWORD` (upstream
   harbor chart env convention) so the same Secret satisfies all
   consumption patterns without duplication.

Per docs/INVIOLABLE-PRINCIPLES.md #10 (credential hygiene): this Secret is
never committed to Git. It is rendered by Helm at install/upgrade time from
a live Secret already present on the cluster. Values committed to this
template are structurally empty strings — actual values are helm-lookup
populated at runtime.
*/}}
{{- $cnpgSecret := lookup "v1" "Secret" (.Values.postgres.cluster.namespace | default .Release.Namespace) (printf "%s-app" (.Values.postgres.cluster.name | default "harbor-pg")) -}}
{{- $password := "" -}}
{{- if $cnpgSecret -}}
{{- $password = index $cnpgSecret.data "password" | b64dec -}}
{{- end -}}
apiVersion: v1
kind: Secret
metadata:
  name: harbor-database-secret
  namespace: {{ .Values.postgres.cluster.namespace | default .Release.Namespace }}
  labels:
    {{- include "bp-harbor.labels" . | nindent 4 }}
  annotations:
    # Helm manages this Secret; it is re-rendered on every upgrade so the
    # password stays in sync with the CNPG-rotated credential.
    helm.sh/resource-policy: keep
type: Opaque
stringData:
  password: {{ $password | quote }}
  HARBOR_DATABASE_PASSWORD: {{ $password | quote }}
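A consistency check for the Secret this template emits, added here as an example and not part of the bp-harbor chart: it flags the documented first-install state (empty password because the CNPG app Secret was absent at render time), a mismatch between the two published keys, and drift between the rendered password and the live CNPG credential. The Secret dicts are constructed inline; in practice they would come from `kubectl get secret ... -o json`.

```python
"""Consistency check for harbor-database-secret against the CNPG <cluster>-app Secret."""
import base64
import json


def _decode(secret, key):
    """Decoded value for `key`; accepts stringData (as rendered) or data (as read back)."""
    if key in secret.get("stringData", {}):
        return secret["stringData"][key]
    raw = secret.get("data", {}).get(key)
    return base64.b64decode(raw).decode() if raw is not None else ""


def check_harbor_db_secret(cnpg_app, rendered):
    """Return a list of findings; empty means the rendered Secret is consistent and usable.

    cnpg_app is the `harbor-pg-app` Secret dict, or None if it does not exist yet.
    """
    findings = []
    pw = _decode(rendered, "password")
    harbor_pw = _decode(rendered, "HARBOR_DATABASE_PASSWORD")
    if pw == "":
        # The template's documented first-install state: lookup returned nil, so
        # harbor-core sits in CreateContainerConfigError until the next Helm upgrade.
        findings.append("password is empty: CNPG app Secret was absent at render time; re-run helm upgrade")
    if pw != harbor_pw:
        findings.append("password and HARBOR_DATABASE_PASSWORD differ: one consumer path gets the wrong credential")
    if cnpg_app is None:
        findings.append("CNPG app Secret not found: Cluster CR may not have bootstrapped")
    elif _decode(cnpg_app, "password") != pw:
        # Re-rendering only happens on a Helm upgrade, so a CNPG rotation without a
        # subsequent reconcile leaves Harbor holding a stale credential.
        findings.append("rendered password lags the CNPG credential: Helm has not re-rendered since rotation")
    return findings


# Constructed sample Secrets (not real cluster data); `kubectl get secret -o json`
# output has the same shape.
CNPG_APP = {"metadata": {"name": "harbor-pg-app"},
            "data": {"username": base64.b64encode(b"app").decode(),
                     "password": base64.b64encode(b"s3cr3t-example").decode()}}
RENDERED_OK = {"metadata": {"name": "harbor-database-secret"}, "type": "Opaque",
               "stringData": {"password": "s3cr3t-example",
                              "HARBOR_DATABASE_PASSWORD": "s3cr3t-example"}}
RENDERED_FIRST_INSTALL = {"metadata": {"name": "harbor-database-secret"}, "type": "Opaque",
                          "stringData": {"password": "", "HARBOR_DATABASE_PASSWORD": ""}}

if __name__ == "__main__":
    for label, rendered in (("healthy", RENDERED_OK), ("first-install", RENDERED_FIRST_INSTALL)):
        print(label, json.dumps(check_harbor_db_secret(CNPG_APP, rendered)))
```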