carvel-dev / secretgen-controller

secretgen-controller provides CRDs to specify which secrets need to exist on a Kubernetes cluster (generated or not)
Apache License 2.0

Add bcrypt export format #230

Open gberche-orange opened 1 year ago

gberche-orange commented 1 year ago

Describe the problem/challenge you have

As a secretgen-controller user, in order to use a generated secret in workloads that expect a bcrypt-encoded password, I need the SecretTemplate to support a bcrypt export format beyond base64 encoding.

Describe the solution you'd like

SecretTemplate to support an additional format field, defaulting to base64, with an additional bcrypt value.

See https://github.com/carvel-dev/secretgen-controller/blob/a09e1b8d755e19cee8f54881b0e6122777850b59/docs/secret-template.md?plain=1#L49-L53

In order to login to the WGE UI, you need to generate a bcrypt hash for your chosen password and store it as a secret in the Kubernetes cluster.

There are several different ways to generate a bcrypt hash, this guide uses gitops get bcrypt-hash from our CLI, which can be installed by following the instructions here.

Anything else you would like to add:

https://docs.gitops.weave.works/docs/installation/weave-gitops-enterprise/#6-configure-password

Similar request on ytt in https://github.com/carvel-dev/ytt/issues/106


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you would like to work on this issue.

neil-hickey commented 1 year ago

Hey @gberche-orange, thanks for the suggestion! Yes, we would like to support bcrypt. We are open to PRs and happy to help if you might want to contribute. Otherwise, I suspect that due to the current bandwidth of the team this is a long-term priority.

gberche-orange commented 1 year ago

Thanks for considering this suggestion. I fully understand the necessary prioritization that the Carvel team is carefully applying, hand in hand with the community of users and contributors. I'm sorry that I'm unable to help beyond sharing feedback from my experience.

tonygilkerson commented 4 months ago

This functionality is needed to support Harbor. Here is how I am currently creating my Harbor secrets. Note that the use of htpasswd is required for Harbor.

apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-password
  namespace: harbor
  annotations:
    # Only apply this password on install because the htpasswd function is not idempotent
    helm.sh/hook: post-install
type: Opaque
data:
  {{- $harborRegPass := randAlphaNum 32 }}
  REGISTRY_PASSWD: {{ $harborRegPass | b64enc | quote }}
  REGISTRY_HTPASSWD: {{ htpasswd "harbor_registry_user" $harborRegPass | b64enc | quote }}
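Putting together the bcrypt export format asked for in the issue description and the Harbor htpasswd entry in the comment above, the following is an added Python example, not code from secretgen-controller or from anyone in this thread. It shows what a bcrypt export would have to produce (a `user:$2y$10$...` htpasswd line, base64-encoded into Secret data the same way the Helm template does), a structural check of such a line, and a password verification. The hashing and verification functions assume the PyPI `bcrypt` package is installed; the parser, the manifest builder and `SAMPLE_ENTRY` need only the standard library, and `SAMPLE_ENTRY` is a constructed string with the right shape, not the hash of any real password. The `harbor_registry_user` name and Secret keys are taken from the template above; all function names are this example's own.

```python
import base64
import re
import secrets
import string

# Modular-crypt bcrypt layout: $<2a|2b|2y>$<cost>$<22-char salt><31-char digest>.
# Salt and digest use bcrypt's own alphabet (./A-Za-z0-9), not RFC 4648 base64.
_BCRYPT_RE = re.compile(
    r"^\$2[aby]\$(?P<cost>\d{2})\$(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed sample with the right shape; it is NOT the bcrypt of any real password.
SAMPLE_ENTRY = (
    "harbor_registry_user:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
)


def parse_htpasswd_bcrypt(entry: str) -> dict:
    """Split a 'user:$2y$10$...' line and validate the hash structurally.

    Structural only: it proves the value has the shape an htpasswd-based
    authenticator (e.g. Harbor's registry) expects, not that it matches a password.
    """
    user, sep, hashed = entry.partition(":")
    if not sep or not user:
        raise ValueError("expected '<user>:<bcrypt-hash>'")
    m = _BCRYPT_RE.match(hashed)
    if m is None:
        raise ValueError("hash is not a $2a$/$2b$/$2y$ bcrypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside 4..31")
    return {"user": user, "cost": cost, "salt": m.group("salt"), "hash": hashed}


def is_valid_htpasswd_bcrypt(entry: str) -> bool:
    try:
        parse_htpasswd_bcrypt(entry)
        return True
    except ValueError:
        return False


def random_password(length: int = 32) -> str:
    """Same shape as Helm's randAlphaNum 32, drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def htpasswd_bcrypt_entry(user: str, password: str, cost: int = 10) -> str:
    """Build the htpasswd line with a fresh random salt.

    Uses the third-party 'bcrypt' package (assumed installed). It emits $2b$;
    Apache's htpasswd -B emits $2y$ and Go's bcrypt (behind Sprig's htpasswd)
    emits $2a$. All three are the same algorithm and verify interchangeably.
    """
    import bcrypt  # third-party, imported lazily so the rest of the module is stdlib-only

    if ":" in user:
        raise ValueError("htpasswd usernames cannot contain ':'")
    if len(password.encode()) > 72:
        raise ValueError("bcrypt only uses the first 72 bytes; refuse longer passwords")
    hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=cost)).decode()
    return f"{user}:{hashed}"


def verify_entry(entry: str, password: str) -> bool:
    """Check a password against an htpasswd line (also needs the 'bcrypt' package)."""
    import bcrypt

    parsed = parse_htpasswd_bcrypt(entry)
    return bcrypt.checkpw(password.encode(), parsed["hash"].encode())


def secret_manifest(name: str, namespace: str, password: str, entry: str) -> dict:
    """Mirror the Helm template in the thread: both values base64-encoded under data."""

    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"REGISTRY_PASSWD": b64(password), "REGISTRY_HTPASSWD": b64(entry)},
    }


def decode_data(manifest: dict, key: str) -> str:
    return base64.b64decode(manifest["data"][key]).decode()


if __name__ == "__main__":
    pw = random_password()
    line = htpasswd_bcrypt_entry("harbor_registry_user", pw)
    print(line, verify_entry(line, pw))
```

Because the salt is drawn fresh on every call, two calls to `htpasswd_bcrypt_entry` with the same password give different hashes that both verify. That is the non-idempotency the `helm.sh/hook: post-install` comment in the template above works around, and it is the property a bcrypt export format in the controller would have to account for: hash once and persist the result rather than recompute it on every reconcile.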