secretgen-controller
Add bcrypt export format
Describe the problem/challenge you have
As a secretgen-controller user, in order to use a generated secret in workloads that expect a bcrypt-encoded password, I need the SecretTemplate to support a bcrypt export format beyond base64 encoding.
Describe the solution you'd like
SecretTemplate to support an additional format field with default base64 and an additional bcrypt value
See https://github.com/carvel-dev/secretgen-controller/blob/a09e1b8d755e19cee8f54881b0e6122777850b59/docs/secret-template.md?plain=1#L49-L53
In order to login to the WGE UI, you need to generate a bcrypt hash for your chosen password and store it as a secret in the Kubernetes cluster.
There are several different ways to generate a bcrypt hash, this guide uses gitops get bcrypt-hash from our CLI, which can be installed by following the instructions here.
Anything else you would like to add:
https://docs.gitops.weave.works/docs/installation/weave-gitops-enterprise/#6-configure-password
Similar request on ytt in https://github.com/carvel-dev/ytt/issues/106
Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you would like to work on this issue.
Hey @gberche-orange, thanks for the suggestion! Yes, we would like to support bcrypt - we are open to PRs and happy to help if you might want to contribute. Otherwise, I suspect that due to the current bandwidth of the team, this is a long-term priority.
Thanks for considering this suggestion. I fully understand the necessary prioritization that the carvel team is carefully applying hand in hand with the community of users and contributors. I'm sorry that I'm unable to help beyond sharing feedback from my experience.
This functionality is needed to support Harbor. Here is how I am currently creating my Harbor secrets. Note the use of htpasswd is required for Harbor.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-registry-password
  namespace: harbor
  annotations:
    # Only apply this password on install because the htpasswd function is not idempotent
    helm.sh/hook: post-install
type: Opaque
data:
  {{- $harborRegPass := randAlphaNum 32 }}
  REGISTRY_PASSWD: {{ $harborRegPass | b64enc | quote }}
  REGISTRY_HTPASSWD: {{ htpasswd "harbor_registry_user" $harborRegPass | b64enc | quote }}
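
An added example, not part of the issue thread or of secretgen-controller's code: a Python check that a Secret data value such as REGISTRY_HTPASSWD above holds a well-formed bcrypt htpasswd entry with an adequate cost, rather than plaintext or a weaker htpasswd scheme. It also extracts the per-hash salt, which is what changes on every render and makes the templated value non-idempotent. The function names, the min_cost default of 10 and the sample entry are assumptions made for this example.

```python
import base64
import re

# bcrypt uses its own base64 alphabet ("./", A-Z, a-z, 0-9); map it to the standard one.
_BCRYPT_ALPHA = b"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_STD_ALPHA = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = bytes.maketrans(_BCRYPT_ALPHA, _STD_ALPHA)

# $<variant>$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)


def audit_htpasswd_secret(data_value: str, min_cost: int = 10) -> dict:
    """Decode one Secret `data` value holding `user:hash` and check the hash.

    Raises ValueError unless the hash is a well-formed bcrypt string whose
    cost is at least min_cost (min_cost is this example's own policy knob).
    """
    line = base64.b64decode(data_value, validate=True).decode("utf-8").strip()
    user, sep, hashed = line.partition(":")
    if not sep or not user:
        raise ValueError("not a user:hash htpasswd entry")
    m = _BCRYPT_RE.fullmatch(hashed)
    if m is None:
        # Covers $apr1$ (MD5), {SHA}, crypt(3) and plaintext entries.
        raise ValueError("hash is not bcrypt")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range")
    if cost < min_cost:
        raise ValueError(f"bcrypt cost {cost} is below policy minimum {min_cost}")
    # 22 salt characters carry 16 bytes; pad so the standard decoder accepts them.
    salt = base64.b64decode(m.group(3).encode().translate(_TO_STD) + b"==")
    return {"user": user, "variant": variant, "cost": cost, "salt": salt.hex()}


def constructed_entry(user: str, cost: int, salt_char: str = ".") -> str:
    """Constructed sample: format-valid, but not the hash of any real password."""
    line = f"{user}:$2a${cost:02d}${salt_char * 22}{'x' * 31}"
    return base64.b64encode(line.encode()).decode()


if __name__ == "__main__":
    print(audit_htpasswd_secret(constructed_entry("harbor_registry_user", 10)))
```

Because the salt differs on each hashing run, comparing two rendered values byte for byte cannot tell whether they protect the same password; a controller has to verify the password against the stored hash instead.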