goharbor/harbor-helm

POSTGRES_PASSWORD in Database and Core secrets being stored in plaintext rather than b64

stevenbales1 opened this issue · 5 comments

stevenbales1 commented

database:
type: internal
internal:
password: "blablablablablablalbabla"

Gets stored in the Kubernetes secret unencoded:

Data

POSTGRES_PASSWORD: 18 bytes
user@ssh:~$ kubectl get secret harbor-database -n harbor -o yaml
apiVersion: v1
data:
POSTGRES_PASSWORD: blablablablablablalbabla
kind: Secret
metadata:
annotations:
meta.helm.sh/release-name: harbor
meta.helm.sh/release-namespace: harbor
labels:
app: harbor
app.kubernetes.io/managed-by: Helm
chart: harbor
heritage: Helm
release: harbor
name: harbor-database
namespace: harbor
type: Opaque

This causes Harbor to crash, because it can't connect to the database until I manually b64 encode the password and store it in the secrets.

MaJaHa95 commented

This is certainly no help, but after frustratedly struggling with this and related issues around the management of passwords, I opted for an external database managed by the Postgres Operator. I literally only just deployed it a couple hours ago, but I was satisfied to find that it can automatically create and manage credential secrets that just-so-happen to use the key password, and thus be directly compatible with this Helm chart. It also has the advantage of offering more flexibility for HA.

This certainly needs to be worked out so the Helm chart can operate as it promises, but this really hasn't been a bad compromise--at least for my needs and environment.

Whoever ends up looking into this, I'd also like to call attention to a particular incident of poor template variable naming that implies base64 is a mechanism for encryption.

simonccc commented

We also have faced this issue - any news on a fix? to work around it we have added the b64 versions of the passwords to our values.yaml.... and it works :(

  • 👍1
hwo-wd commented

Facing the same issue after upgrading from v1.13.1...
The issue resides in two secrets:

  • secret/harbor-database -> POSTGRES_PASSWORD
  • secret/harbor-core -> POSTGRESQL_PASSWORD

a workaround is to...

  1. start the helm upgrade
  2. manually base64-encode the values of the two secrets shown above
  3. depending on the state of the upgrade one also quite likely needs to
    • restart the statefulset/harbor-database
    • kubectl rollout restart deployment/harbor-core
  4. observe the helm upgrade, which should succeed using a sufficiently high timeout (e.g., 10m)
ryshoooo commented

We're getting hit by this as well. It's a little bit confusing as to why. After a bit of experimentation, deleting the secrets (and disabled the migrate hook) created the secrets correctly. So it seems that if the secret already exists in the cluster, it gets overwritten by the non-base64-encoded version upon upgrade.

I think the source of trouble is here

harbor-helm/templates/_helpers.tpl

Line 101 in 54979d8

{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}}
, but I can't quite see directly why it's happening.

  • 👍1
zyyw commented

Sorry for troubling with misbehaving, this issue is a dup of the following one: