Helm-chart error: external redis + password + trivy #2148

qdrddr opened this issue Mar 2, 2025 · 0 comments
qdrddr commented Mar 2, 2025

When trivy is enabled with external redis, the harbor helm-chart incorrectly handles secrets and the manifest inflation stage. FYI, I'm using a password with redis.

Example of the helm-value file when the issue manifests, with helm chart version 1.16.2:

```yaml
trivy:
  enabled: true
redis:
  type: external
  external:
    addr: "myredis-svc:6379"
    existingSecret: "harbor-redis-mysecret"
```

```
kustomize build infra-deployments/harbor/kustomizations --enable-helm > infra-deployments/harbor/kustomizations/harbor.kustimized.yaml
Error: Error: template: harbor/templates/trivy/trivy-sts.yaml:29:28: executing "harbor/templates/trivy/trivy-sts.yaml" at <include (print $.Template.BasePath "/trivy/trivy-secret.yaml") .>: error calling include: template: harbor/templates/trivy/trivy-secret.yaml:11:15: executing "harbor/templates/trivy/trivy-secret.yaml" at <include "harbor.redis.urlForTrivy" .>: error calling include: template: harbor/templates/_helpers.tpl:225:48: executing "harbor.redis.urlForTrivy" at <include "harbor.redis.url" $>: error calling include: template: harbor/templates/_helpers.tpl:193:64: executing "harbor.redis.url" at <include "harbor.redis.cred" $>: error calling include: template: harbor/templates/_helpers.tpl:182:25: executing "harbor.redis.cred" at <include "harbor.redis.pwdfromsecret" $>: error calling include: template: harbor/templates/_helpers.tpl:176:56: executing "harbor.redis.pwdfromsecret" at <.Values.redis.external.existingSecret>: nil pointer evaluating interface {}.REDIS_PASSWORD

Use --debug flag to render out invalid YAML
: unable to run: 'helm template harbor infra-deployments/harbor/kustomizations/charts/harbor-1.16.2/harbor --namespace registry-cache -f /var/folders/5h/qvzp0mfx2jd1rsxg4f9z91880000gn/T/kustomize-helm-3858338458/harbor-kustomize-values.yaml --include-crds' with env=[HELM_CONFIG_HOME=/var/folders/5h/qvzp0mfx2jd1rsxg4f9z91880000gn/T/kustomize-helm-3858338458/helm HELM_CACHE_HOME=/var/folders/5h/qvzp0mfx2jd1rsxg4f9z91880000gn/T/kustomize-helm-3858338458/helm/.cache HELM_DATA_HOME=/var/folders/5h/qvzp0mfx2jd1rsxg4f9z91880000gn/T/kustomize-helm-3858338458/helm/.data] (is 'helm' installed?): exit status 1
```

The issue seems to be in `harbor/templates/_helpers.tpl`, in the definitions of `harbor.redis.cred` & `harbor.redis.pwdfromsecret`, which try to access the Redis secret regardless of whether Redis is deployed as external or internal. While it works fine when Redis is deployed internally, it fails when Redis is external, since the secret does not exist in the manifests inflated by the helm-chart, but it will be accessible by the app when it is deployed in k8s.

trivy should use a secret generated by helm only if internal Redis is used in the value file; if external Redis is used, the chart should not try to pull the secret from the manifest.
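The render-time versus deploy-time distinction raised in the report, as an added example that is not part of the original issue and not the Harbor chart's own code. The helper name `example.redis.password`, the env var name `SCANNER_REDIS_URL` and the `/5` database index are assumptions; `REDIS_PASSWORD` and the values keys are taken from the report.

```yaml
{{/*
  1) Render-time read that tolerates an absent Secret.
  `lookup` returns an empty map when Helm has no cluster access
  (helm template, kustomize --enable-helm), so every level is guarded
  with `with` instead of chaining .data.REDIS_PASSWORD on the result.
  Caveat: when the Secret is found, the decoded password ends up in
  plaintext in the rendered manifest.
*/}}
{{- define "example.redis.password" -}}
{{- $name := .Values.redis.external.existingSecret -}}
{{- if $name -}}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $name -}}
{{- with $secret -}}
{{- with .data -}}
{{- with (index . "REDIS_PASSWORD") -}}
{{- . | b64dec -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

# 2) Deploy-time read (container spec fragment): the rendered manifest
# carries only a reference, so no Secret is needed while templating and
# no password is written into the rendered output.
env:
  - name: REDIS_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ .Values.redis.external.existingSecret | quote }}
        key: REDIS_PASSWORD
  - name: SCANNER_REDIS_URL
    # Kubernetes expands $(REDIS_PASSWORD) from the entry defined above it.
    value: "redis://:$(REDIS_PASSWORD)@{{ .Values.redis.external.addr }}/5"
```

With the second form the password is substituted verbatim, so a value containing URL-reserved characters would have to be stored percent-encoded in the Secret.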
