From 2c684dc21cea932a9c8f24791526e9cfec0bdafd Mon Sep 17 00:00:00 2001
From: Unknown
Date: Thu, 12 Apr 2018 17:21:51 -0400
Subject: [PATCH] added tls certificate generation toggle
---
 contrib/helm/harbor/Chart.yaml | 2 +-
 contrib/helm/harbor/README.md | 15 +++++++++++++++
 contrib/helm/harbor/templates/ingress/secret.yaml | 2 ++
 contrib/helm/harbor/values.yaml | 1 +
 4 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/contrib/helm/harbor/Chart.yaml b/contrib/helm/harbor/Chart.yaml
index 3244c10d6..b6eef963a 100644
--- a/contrib/helm/harbor/Chart.yaml
+++ b/contrib/helm/harbor/Chart.yaml
@@ -1,5 +1,5 @@
 name: harbor
-version: 0.1.1
+version: 0.1.2
 appVersion: 1.4.0
 description: An Enterprise-class Docker Registry by VMware
 keywords:
diff --git a/contrib/helm/harbor/README.md b/contrib/helm/harbor/README.md
index 9f803eab6..f41f8539e 100644
--- a/contrib/helm/harbor/README.md
+++ b/contrib/helm/harbor/README.md
@@ -57,11 +57,25 @@ You can add `harbor.my.domain` and IP mapping in the DNS server, or in /etc/host Follow the `NOTES` section in the command output to get Harbor admin password and **add Harbor root CA into docker trusted certificates**. +If you are using an external service like [cert-manager](https://github.com/jetstack/cert-manager) for generating the TLS certificates, +you will want to disable the certificate generation by helm by setting the value `generateCertificates` to _false_. Then the ingress' annotations will be scanned +by _cert-manager_ and the appropriate secret will get created and updated by the service. + +If using acme's certificates, do not forget to add the following annotation to +your ingress. + +```yaml +ingress: + annotations: + kubernetes.io/tls-acme: "true" +``` + The command deploys Harbor on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured in values.yaml or via '--set' params during installation. > **Tip**: List all releases using `helm list` + ### Insecure Registry Mode If setting Harbor Registry as insecure-registries for docker, 
@@ -96,6 +110,7 @@ The following tables lists the configurable parameters of the Harbor chart and t
 | `harborImageTag` | The tag for Harbor docker images | `v1.4.0` |
 | `externalDomain` | Harbor will run on (https://`externalDomain`/). Recommend using K8s Ingress Controller FQDN as `externalDomain`, or make sure this FQDN resolves to the K8s Ingress Controller IP. | `harbor.my.domain` |
 | `insecureRegistry` | If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add Harbor FQDN as insecure-registries for your docker client. | `false` |
+| `generateCertificates` | Set to false if TLS certificate will be managed by an external service | `true` |
 | `tlsCrt` | TLS certificate to use for Harbor's https endpoint. Its CN must match `externalDomain`. | auto-generated |
 | `tlsKey` | TLS key to use for Harbor's https endpoint | auto-generated |
 | `caCrt` | CA Cert for self signed TLS cert | auto-generated |
diff --git a/contrib/helm/harbor/templates/ingress/secret.yaml b/contrib/helm/harbor/templates/ingress/secret.yaml
index 1480d8aa6..9725beca7 100644
--- a/contrib/helm/harbor/templates/ingress/secret.yaml
+++ b/contrib/helm/harbor/templates/ingress/secret.yaml
@@ -1,4 +1,5 @@
 {{ if not .Values.insecureRegistry }}
+{{ if .Values.generateCertificates }}
 {{ $ca := genCA "harbor-ca" 365 }}
 {{ $cert := genSignedCert .Values.externalDomain nil nil 365 $ca }}
 apiVersion: v1
@@ -13,3 +14,4 @@ data:
 tls.key: {{ .Values.tlsKey | default $cert.Key | b64enc | quote }}
 ca.crt: {{ .Values.caCrt | default $ca.Cert | b64enc | quote }}
 {{ end }}
+{{ end }}
diff --git a/contrib/helm/harbor/values.yaml b/contrib/helm/harbor/values.yaml
index 0e980e98e..e6ce9ef4c 100644
--- a/contrib/helm/harbor/values.yaml
+++ b/contrib/helm/harbor/values.yaml
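Review bot: The new `{{ if .Values.generateCertificates }}` guard in templates/ingress/secret.yaml wraps the whole Secret, not only the `genCA`/`genSignedCert` calls, so with `generateCertificates: false` a certificate passed through `tlsCrt`/`tlsKey`/`caCrt` is dropped without any message and the release has no chart-managed TLS secret at all. If nothing else creates that secret, the ingress presumably falls back to whatever certificate the controller serves by default, so the guard should skip the Secret only when no certificate was supplied, for example `{{ if or .Values.generateCertificates .Values.tlsCrt }}`. `generateCertificates` is also undefined when an upgrade reuses the values recorded by chart 0.1.1, and an undefined value is falsy here, so such an upgrade would likely remove the existing secret; that deserves a line in the upgrade notes. The Secret's metadata sits between the two hunks and is not shown, and the added `{{ end }}` in the second hunk closes this same guard.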
@@ -36,6 +36,7 @@ externalDomain: harbor.my.domain
 # If set to true, you don't need to set tlsCrt/tlsKey/caCrt, but must add
 # Harbor FQDN as insecure-registries for your docker client.
 insecureRegistry: false
+generateCertificates: true
 # The TLS certificate for Harbor. The common name of tlsCrt must match the externalDomain above.
 tlsCrt:
 tlsKey:
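Review bot: `generateCertificates: true` is added to values.yaml without a comment, unlike `insecureRegistry` directly above it, and its effect is wider than the name suggests. Per the secret.yaml change in this commit, `false` stops the chart from rendering the TLS secret at all, including one built from the `tlsCrt`/`tlsKey`/`caCrt` keys that follow. I would add above it `# Set to false only when an external service (e.g. cert-manager) creates the ingress TLS secret.` and `# The chart then renders no TLS secret and ignores tlsCrt/tlsKey/caCrt below.` The values block continues past the end of the hunk.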