diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index f6249b399..621d4de80 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -61,6 +61,13 @@ app: "{{ template "harbor.name" . }}"
 {{- end -}}
 {{- end -}}

+{{/* Helper for validate the length of core.xsrfKey is 32 when it is explicitlt defined in values.yaml*/}}
+{{- define "harbor.verifyValuesXSRFkey" -}}
+ {{- if and .xsrfkeyValue (eq (len .xsrfkeyValue) 32 ) }}
+ {{- printf .xsrfkeyValue -}}
+ {{- end -}}
+{{- end -}}
+
 {{- define "harbor.autoGenCert" -}}
 {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}}
 {{- printf "true" -}}
diff --git a/templates/core/core-secret.yaml b/templates/core/core-secret.yaml
index ea9d4cfab..c8b08c561 100644
--- a/templates/core/core-secret.yaml
+++ b/templates/core/core-secret.yaml
@@ -29,7 +29,7 @@ data:
 REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }}
 {{- end }}
 {{- if not .Values.core.existingXsrfSecret }}
- CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
+ CSRF_KEY: {{ include "harbor.verifyValuesXSRFkey" (dict "xsrfkeyValue" .Values.core.xsrfKey) | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }}
 {{- end }}
 {{- if .Values.core.configureUserSettings }}
 CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }}
diff --git a/values.yaml b/values.yaml
index c862337d0..4f310aed7 100644
--- a/values.yaml
+++ b/values.yaml
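Review bot: In `harbor.verifyValuesXSRFkey` (templates/_helpers.tpl), `printf .xsrfkeyValue` uses the operator-supplied key as the format string, so a 32-character key containing `%` is rendered with formatting artefacts rather than verbatim, and the CSRF key stored in the Secret no longer matches the configured one. Emit the value directly with `{{- .xsrfkeyValue -}}`, or use `{{- printf "%s" .xsrfkeyValue -}}`. `len` also assumes a string: an unquoted all-digit value in values.yaml would presumably arrive as a number and break rendering, so a `kindIs "string"` guard or `toString` is worth considering. The helper's header comment has a typo, `explicitlt`.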
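Review bot: On the new `CSRF_KEY` line in templates/core/core-secret.yaml, a `core.xsrfKey` that is set but not exactly 32 characters is dropped without any signal: the helper returns an empty string and the pipeline falls through to the existing Secret value or `randAlphaNum 32`. An operator who believes the key is pinned (for example to keep it identical across environments) ends up with a different key and nothing in the render output says so. Consider failing the render for a non-empty value of the wrong length, e.g. `{{- fail "core.xsrfKey must be exactly 32 characters" -}}` in the helper, or at least surfacing a warning in the chart notes.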
@@ -624,7 +624,7 @@ core:
 tokenKey: |
 # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line.
 tokenCert: |
- # The XSRF key. Will be generated automatically if it isn't specified
+ # The XSRF key. Will be generated automatically if it isn't specified or it is not a string of 32 characters
 xsrfKey: ""
 # If using existingSecret, the key is defined by core.existingXsrfSecretKey
 existingXsrfSecret: ""