CBLT 5 days ago

I mentioned two things that were broken:

1. Doesn't work with ExternalSecretsOperator and ArgoCD, which I happen to use. This is because the author of the Harbor chart decided not to use k8s concepts like secretRef in a podTemplate. Instead, at Helm template time, it looks up the secret data and writes it into another secret, which is then included as an envFrom. This interacts poorly with ExternalSecretsOperator in general, because it breaks the lifecycle control that ESO has. It's completely broken with ArgoCD because ArgoCD disables secret lookups by charts for pretty valid security concerns. No other chart I've come across does secret lookups during helm template time. Even the helm docs tell you it's not correct.

2. Harbor requires redis, but the Helm chart doesn't correctly pipe in the connection configuration. Redis can't be behind TLS, or the chart won't work.
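
An added example (not part of the thread, and not code from the Harbor chart): a small Python check that flags Helm `lookup` calls reading Secrets at template time, the pattern described in point 1 above. The template snippets, file names, the `REDIS_PASSWORD` key and the `find_secret_lookups` helper are constructed for illustration.

```python
import re

# A template action {{ ... }}, with optional whitespace-trim dashes.
ACTION = re.compile(r"\{\{-?(.*?)-?\}\}", re.S)
# lookup <apiVersion> <kind> ...; each argument is a quoted literal or an expression.
LOOKUP = re.compile(r'(?<![\w.$])lookup\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)')

def find_secret_lookups(templates):
    """Return (path, line, verdict) for each lookup call that reads, or may read, a Secret."""
    findings = []
    for path, text in sorted(templates.items()):
        for action in ACTION.finditer(text):
            body = action.group(1)
            if body.lstrip().startswith("/*"):  # template comment, never rendered
                continue
            for call in LOOKUP.finditer(body):
                kind = call.group(2)
                if kind.startswith('"'):
                    if kind.strip('"') != "Secret":
                        continue  # literal non-Secret kind, e.g. ConfigMap
                    verdict = "secret"
                else:
                    verdict = "dynamic-kind"  # kind computed at render time: review by hand
                line = text.count("\n", 0, action.start(1) + call.start()) + 1
                findings.append((path, line, verdict))
    return findings

# Constructed sample templates; these are NOT taken from the Harbor chart.
SAMPLE = {
    "templates/core-env-secret.yaml": (  # copies secret data at template time
        '{{- $src := lookup "v1" "Secret" .Release.Namespace .Values.existingSecret }}\n'
        "apiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Release.Name }}-core-env\n"
        'data:\n  REDIS_PASSWORD: {{ index $src.data "password" }}\n'
    ),
    "templates/deployment.yaml": (  # references the secret by name only
        "        envFrom:\n          - secretRef:\n"
        "              name: {{ .Values.existingSecret }}\n"
    ),
    "templates/misc.yaml": (
        '{{/* lookup "v1" "Secret" "ns" "old" */}}\n'
        '{{ $cm := lookup "v1" "ConfigMap" .Release.Namespace "cfg" }}\n'
        '{{ $obj := lookup "v1" .Values.kind .Release.Namespace "x" }}\n'
    ),
}

if __name__ == "__main__":
    for path, line, verdict in find_secret_lookups(SAMPLE):
        print(f"{path}:{line}: lookup ({verdict})")
```

Run against a chart's `templates/` directory contents before adopting it, a hit means the rendered manifests depend on live cluster state rather than on a `secretRef` resolved by the kubelet.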

dwroberts 5 days ago | parent | next [-]

You could always put the helm chart in a Kustomize and change the things you don’t like.

--enable-helm isn't supported everywhere but Argo definitely allows it

lijok 5 days ago | parent [-]

We just went through this whole Kustomize shenanigan in our company. Seems completely asinine. Why not just fork the chart, fix it yourself?

p_l 5 days ago | parent [-]

... or the quite common case, make helm write the template once, fix, port to your own process, delete helm, live happy

benterix 3 days ago | parent [-]

> live happy

Until the next major upgrade.

p_l 3 days ago | parent [-]

In my experience, an update big enough to require a major rewrite probably should require a portion of this process to figure out just what the upgrade path is.

MPSimmons 5 days ago | parent | prev [-]

Is there no Argo plugin for your secret store? In a previous life, we used Argo Vault Plugin to good effect.