From b5721a0187293ee821af9771761053ef327dd724 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre=20P=C3=A9ronnet?=
Date: Mon, 26 Apr 2021 21:35:39 +0200
Subject: [PATCH 1/2] docs(tutorial) Remove spec customization tutorials. Fix #564
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Spec customization are well defined in docs/CRD/custom-resource-definition.md

Signed-off-by: Pierre Péronnet
---
 docs/CRD/custom-resource-definition.md | 299 +++++++++---------
 docs/samples/database-installation.md | 73 -----
 docs/samples/redis-installation.md | 65 ----
 .../samples/registry-storage-configuration.md | 61 ----
 docs/tutorial.md | 8 -
 5 files changed, 151 insertions(+), 355 deletions(-)
 delete mode 100644 docs/samples/database-installation.md
 delete mode 100644 docs/samples/redis-installation.md
 delete mode 100644 docs/samples/registry-storage-configuration.md

diff --git a/docs/CRD/custom-resource-definition.md b/docs/CRD/custom-resource-definition.md
index 6c2e65500..4b124e011 100644
--- a/docs/CRD/custom-resource-definition.md
+++ b/docs/CRD/custom-resource-definition.md
@@ -397,152 +397,155 @@ Two alternatives provided to configure the backend storage of the deploying Harb #### Standard (`imageChartStorage`) -Standard storage configuration spec can be used to configure the existing pre-deployed or cloud storage services as the backed storage of the deploying Harbor. -So far, there are three options for standard storage configurations: `filesystem` (PV), `s3` and `swift`. - -Option1: Configure `filesystem` as backend storage. - -```yaml -spec: - # ... Skipped fields - - # Configure standard backend storage for the deploying Harbor. - imageChartStorage: # Optional - # If disable the redirection of blob downloading. - redirect: - disable: false # Optional, default = false - # FileSystem is an implementation of the storagedriver.StorageDriver interface which uses the local filesystem. - # The local filesystem can be a remote volume. - # See: https://docs.docker.com/registry/storage-drivers/filesystem/ - filesystem: # Optional - chartPersistentVolume: # Optional - # Inline the corev1.PersistentVolumeClaimVolumeSource - # ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - # More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - claimName: myPVC # Required - # Will force the ReadOnly setting in VolumeMounts. - readOnly: false # Optional - prefix: myPrefix # Optional - registryPersistentVolume: # Optional - # ... Skipped the same fields with 'chartPersistentVolume': 'claimName', 'readOnly' and 'prefix'. - # ... - # Max threads - maxthreads: 100 # Optional, default = 100, minimal = 25 - - # ... Skipped fields -``` - -Option2: Configure `s3` as backend storage. - -```yaml -spec: - # ... Skipped fields - - # Configure standard backend storage for the deploying Harbor. - imageChartStorage: # Optional - # If disable the redirection of blob downloading. 
- redirect: - disable: false # Optional, default = false - # Configure S3 as the backend storage of Harbor. - # An implementation of the storagedriver.StorageDriver interface which uses Amazon S3 or S3 compatible services for object storage. - # See: https://docs.docker.com/registry/storage-drivers/s3/ - s3: # Optional - # The AWS Access Key. - # If you use IAM roles, omit to fetch temporary credentials from IAM. - accesskey: ak # Optional - # Reference to the secret containing the AWS Secret Key. - # If you use IAM roles, omit to fetch temporary credentials from IAM. - secretkeyRef: secret # Optional - # The AWS region in which your bucket exists. - # For the moment, the Go AWS library in use does not use the newer DNS based bucket routing. - # For a list of regions, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html - region: us-east-1 # Required - # Endpoint for S3 compatible storage services (Minio, etc). - regionendpoint: Minio # Required - # The bucket name in which you want to store the registry’s data. - bucket: default # Required - # This is a prefix that is applied to all S3 keys to allow you to segment data in your bucket if necessary. - rootdirectory: registry # Optional - # The S3 storage class applied to each registry file. - storageclass: STANDARD # Optional, default="STANDARD" - # KMS key ID to use for encryption (encrypt must be true, or this parameter is ignored). - keyid: kid # Optional - # Specifies whether the registry stores the image in encrypted format or not. A boolean value. - encrypt: false # Optional, default=false - # Skips TLS verification when the value is set to true. - skipverify: false # Optional, default=false - # Certificate - certificateRef: cert # Optional - # Indicates whether to use HTTPS instead of HTTP. A boolean value. - secure: true # Optional, default=true - # Indicates whether the registry uses Version 4 of AWS’s authentication. 
- v4auth: true # Optional, default=true - # The S3 API requires multipart upload chunks to be at least 5MB. - chunksize: 5242880 # Optional, minimal = 5242880 - - # ... Skipped fields -``` - -Option3: Configure `swift` as backend storage. - -```yaml -spec: - # ... Skipped fields - - # Configure standard backend storage for the deploying Harbor. - imageChartStorage: # Optional - # If disable the redirection of blob downloading. - redirect: - disable: false # Optional, default = false - # Configure Swift as the backend storage of Harbor. - # An implementation of the storagedriver.StorageDriver interface that uses OpenStack Swift for object storage. - # See: https://docs.docker.com/registry/storage-drivers/swift/ - swift: # Optional - # URL for obtaining an auth token. - # https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth - authurl: https://storage.myprovider.com/v3/auth # Required - # The Openstack user name. - username: openstack-user # Required - # Secret name containing the Openstack password. - passwordRef: secret # Required - # The Openstack region in which your container exists. - region: region-1 # Optional - # The name of your Swift container where you wish to store the registry’s data. - # The driver creates the named container during its initialization. - container: container1 # Required - # You can either use tenant or tenantid. - tenant: myTenant # Optional - # You can either use tenant or tenantid. - tenantid: myTenantID # Optional - # Your Openstack domain name for Identity v3 API. You can either use domain or domainid. - domain: sampleDomain # Optional - # Your Openstack domain ID for Identity v3 API. You can either use domain or domainid. - domainid: did # Optional - # Your Openstack trust ID for Identity v3 API. - trustid: myTrustID # Optional - # Skips TLS verification if the value is set to true. - insecureskipverify: false # Optional, default=false - # Size of the data segments for the Swift Dynamic Large Objects. 
- # This value should be a number. - chunksize: 5242880 # Optional, minimal=5242880 - # This is a prefix that is applied to all Swift keys to allow you to segment data in your container if necessary. Defaults to the container’s root. - prefix: registry # Optional - # The secret key used to generate temporary URLs. - secretkeyRef: key # Optional - # The access key to generate temporary URLs. It is used by HP Cloud Object Storage in addition to the secretkey parameter. - accesskey: ak # Optional - # Specify the OpenStack Auth’s version, for example 3. By default the driver autodetects the auth’s version from the authurl. - authversion: 3 # Optional - # The endpoint type used when connecting to swift. - # Supports values ["public","internal","admin"] - endpointtype: public # Optional, default=public - - # ... Skipped fields -``` +Standard storage configuration spec can be used to configure the *existing pre-deployed* or *cloud storage services* as the backed storage of the deploying Harbor. +So far, there are three options for standard storage configurations: `filesystem` ([Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)), [`S3`](https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html) and [`Swift`](https://docs.openstack.org/swift/latest/). + +1. Configure `filesystem` as backend storage. + + ```yaml + spec: + # ... Skipped fields + + # Configure standard backend storage for the deploying Harbor. + imageChartStorage: # Optional + # If disable the redirection of blob downloading. + redirect: + disable: false # Optional, default = false + # FileSystem is an implementation of the storagedriver.StorageDriver interface which uses the local filesystem. + # The local filesystem can be a remote volume. 
+ # See: https://docs.docker.com/registry/storage-drivers/filesystem/ + filesystem: # Optional + chartPersistentVolume: # Optional + # Inline the corev1.PersistentVolumeClaimVolumeSource + # ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + # More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + claimName: myPVC # Required + # Will force the ReadOnly setting in VolumeMounts. + readOnly: false # Optional + prefix: myPrefix # Optional + registryPersistentVolume: # Optional + # ... Skipped the same fields with 'chartPersistentVolume': 'claimName', 'readOnly' and 'prefix'. + # ... + # Max threads + maxthreads: 100 # Optional, default = 100, minimal = 25 + + # ... Skipped fields + ``` + +2. Configure `s3` as backend storage. + + ```yaml + spec: + # ... Skipped fields + + # Configure standard backend storage for the deploying Harbor. + imageChartStorage: # Optional + # If disable the redirection of blob downloading. + redirect: + disable: false # Optional, default = false + # Configure S3 as the backend storage of Harbor. + # An implementation of the storagedriver.StorageDriver interface which uses Amazon S3 or S3 compatible services for object storage. + # See: https://docs.docker.com/registry/storage-drivers/s3/ + s3: # Optional + # The AWS Access Key. + # If you use IAM roles, omit to fetch temporary credentials from IAM. + accesskey: ak # Optional + # Reference to the secret containing the AWS Secret Key. + # If you use IAM roles, omit to fetch temporary credentials from IAM. + secretkeyRef: secret # Optional + # The AWS region in which your bucket exists. + # For the moment, the Go AWS library in use does not use the newer DNS based bucket routing. + # For a list of regions, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html + region: us-east-1 # Required + # Endpoint for S3 compatible storage services (Minio, etc). 
+ regionendpoint: Minio # Required + # The bucket name in which you want to store the registry’s data. + bucket: default # Required + # This is a prefix that is applied to all S3 keys to allow you to segment data in your bucket if necessary. + rootdirectory: registry # Optional + # The S3 storage class applied to each registry file. + storageclass: STANDARD # Optional, default="STANDARD" + # KMS key ID to use for encryption (encrypt must be true, or this parameter is ignored). + keyid: kid # Optional + # Specifies whether the registry stores the image in encrypted format or not. A boolean value. + encrypt: false # Optional, default=false + # Skips TLS verification when the value is set to true. + skipverify: false # Optional, default=false + # Certificate + certificateRef: cert # Optional + # Indicates whether to use HTTPS instead of HTTP. A boolean value. + secure: true # Optional, default=true + # Indicates whether the registry uses Version 4 of AWS’s authentication. + v4auth: true # Optional, default=true + # The S3 API requires multipart upload chunks to be at least 5MB. + chunksize: 5242880 # Optional, minimal = 5242880 + + # ... Skipped fields + ``` + +3. Configure `swift` as backend storage. + This method is not recommended since Swift is *enventual consistent*. + Please use [S3 Middleware](https://docs.openstack.org/newton/config-reference/object-storage/configure-s3.html) in front of Swift and configure 2nd method: S3 storage. + + ```yaml + spec: + # ... Skipped fields + + # Configure standard backend storage for the deploying Harbor. + imageChartStorage: # Optional + # If disable the redirection of blob downloading. + redirect: + disable: false # Optional, default = false + # Configure Swift as the backend storage of Harbor. + # An implementation of the storagedriver.StorageDriver interface that uses OpenStack Swift for object storage. + # See: https://docs.docker.com/registry/storage-drivers/swift/ + swift: # Optional + # URL for obtaining an auth token. 
+ # https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth + authurl: https://storage.myprovider.com/v3/auth # Required + # The Openstack user name. + username: openstack-user # Required + # Secret name containing the Openstack password. + passwordRef: secret # Required + # The Openstack region in which your container exists. + region: region-1 # Optional + # The name of your Swift container where you wish to store the registry’s data. + # The driver creates the named container during its initialization. + container: container1 # Required + # You can either use tenant or tenantid. + tenant: myTenant # Optional + # You can either use tenant or tenantid. + tenantid: myTenantID # Optional + # Your Openstack domain name for Identity v3 API. You can either use domain or domainid. + domain: sampleDomain # Optional + # Your Openstack domain ID for Identity v3 API. You can either use domain or domainid. + domainid: did # Optional + # Your Openstack trust ID for Identity v3 API. + trustid: myTrustID # Optional + # Skips TLS verification if the value is set to true. + insecureskipverify: false # Optional, default=false + # Size of the data segments for the Swift Dynamic Large Objects. + # This value should be a number. + chunksize: 5242880 # Optional, minimal=5242880 + # This is a prefix that is applied to all Swift keys to allow you to segment data in your container if necessary. Defaults to the container’s root. + prefix: registry # Optional + # The secret key used to generate temporary URLs. + secretkeyRef: key # Optional + # The access key to generate temporary URLs. It is used by HP Cloud Object Storage in addition to the secretkey parameter. + accesskey: ak # Optional + # Specify the OpenStack Auth’s version, for example 3. By default the driver autodetects the auth’s version from the authurl. + authversion: 3 # Optional + # The endpoint type used when connecting to swift. 
+ # Supports values ["public","internal","admin"] + endpointtype: public # Optional, default=public + + # ... Skipped fields + ``` #### in-cluster storage configuration (`inClusterStorage`) -The in-cluster storage configuration can be configured to let the Harbor operator automatically deploy an in-cluster S3 compatible Minio service with HA supported as the backend storage service of the deploying Harbor. +The *in-cluster storage configuration* can be configured to let the Harbor operator automatically deploy an in-cluster S3 compatible Minio service with HA supported as the backend storage service of the deploying Harbor. +If ```yaml spec: @@ -616,7 +619,7 @@ Two alternatives provided to configure the database service used by the deployin #### Standard (`database`) -Standard database configurations can be used to set the existing pre-deployed or cloud database services as the dependent database of the deploying Harbor. +Standard database configurations can be used to set the *existing pre-deployed* or *cloud database services* as the dependent database of the deploying Harbor. ```yaml spec: @@ -650,7 +653,7 @@ spec: #### in-cluster database configuration(`inClusterDatabase`) -The in-cluster database configuration can be configured to let the Harbor operator automatically deploy an in-cluster PostgreSQL database service with HA supported as the dependent database of the deploying Harbor. +The *in-cluster database configuration* can be configured to let the Harbor operator automatically deploy an in-cluster PostgreSQL database service with HA supported as the dependent database of the deploying Harbor. ```yaml spec: 
@@ -699,7 +702,7 @@ Two alternatives provided to configure the cache(`Redis`) service used by the de #### Standard(`redis`) -Standard cache configurations can be used to set the existing pre-deployed or cloud cache services as the dependent cache of the deploying Harbor. +Standard cache configurations can be used to set the *existing pre-deployed* or *cloud cache services* as the dependent cache of the deploying Harbor. ```yaml spec: @@ -723,7 +726,7 @@ spec: #### in-cluster cache configuration(`inClusterCache`) -The in-cluster cache configuration can be configured to let the Harbor operator automatically deploy an in-cluster Redis service with HA supported as the dependent cache of the deploying Harbor. +The *in-cluster cache configuration* can be configured to let the Harbor operator automatically deploy an in-cluster Redis service with HA supported as the dependent cache of the deploying Harbor. ```yaml spec: @@ -770,7 +773,7 @@ spec: ``` ->NOTES: You can choose either `redis` or `inClusterCache` based on your actual use case. +> NOTES: You can choose either `redis` or `inClusterCache` based on your actual use case. ## Status spec diff --git a/docs/samples/database-installation.md b/docs/samples/database-installation.md deleted file mode 100644 index c879a1f35..000000000 --- a/docs/samples/database-installation.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Database installation - -Many application of the Harbor stack require a [Postgresql](https://www.postgresql.org) database. - -## With helm - -Recommended: Install the [postgresql helm chart](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) from bitnami repository. - -### Requirements - -Checks [chart requirements](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#prerequisites). - -### Step by step - -```bash -helm repo add bitnami https://charts.bitnami.com/bitnami - -export COMPONENT="clair" -``` - -Please repeat following steps for each components requiring a database: `clair`, `core`, `notary-server`, `notary-signer`, ... - -1. Install the helm chart - - ```bash - # Many parameters can be set to configure the database - # @see https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters - helm install "$COMPONENT-database" bitnami/postgresql - ``` - -2. Get credentials - - ```bash - export PG_PASSWORD="$(kubectl get secret "$COMPONENT-database-postgresql" -o jsonpath='{.data.postgresql-password}' | base64 --decode)" - ``` - -3. Create the computed secret with correct keys (see [`api/v1alpha1/harbor_secret_format.go`](../../api/v1alpha1/harbor_secret_format.go)) - - ```bash - kubectl create secret generic "$COMPONENT-database" \ - --from-literal host="$COMPONENT-database-postgresql" \ - --from-literal port='5432' \ - --from-literal database='postgres' \ - --from-literal username='postgres' \ - --from-literal password="$PG_PASSWORD" - ``` - -The secret is now ready to use in the *Harbor spec*. Please do previous steps for every components requiring a database: `clair`, `core`, `notary-server`, `notary-signer`, ... - -```yaml -apiVersion: goharbor.io/v1alpha1 -kind: Harbor -metadata: - ... -spec: - ... - components: - ... - core: - databaseSecret: core-database - ... - clair: - databaseSecret: clair-database - ... - notary: - ... - server: - databaseSecret: notary-server-database - ... 
- signer: - databaseSecret: notary-signer-database - ... -``` diff --git a/docs/samples/redis-installation.md b/docs/samples/redis-installation.md deleted file mode 100644 index a35a7bc56..000000000 --- a/docs/samples/redis-installation.md +++ /dev/null @@ -1,65 +0,0 @@ -# Redis installation - -Many application of the Harbor stack require a [Redis](https://redis.io/). - -## With helm - -Recommended: Install the [redis helm chart](https://github.com/bitnami/charts/tree/master/bitnami/redis) from bitnami repository. - -### Requirements - -Checks [chart requirements](https://github.com/bitnami/charts/tree/master/bitnami/redis#prerequisites). - -### Step by step - -```bash -helm repo add bitnami https://charts.bitnami.com/bitnami - -export COMPONENT="chartmuseum" -``` - -Please repeat following steps for each components requiring a redis: `chartmuseum`, `clair`, `jobservice`, `registry`, ... - -1. Install the helm chart - - ```bash - # Many parameters can be set to configure the redis - # @see https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters - helm install "$COMPONENT-redis" bitnami/redis \ - --set usePassword=false - ``` - -2. Create the computed secret with correct keys (see [`api/v1alpha1/harbor_secret_format.go`](../../api/v1alpha1/harbor_secret_format.go)) - - ```bash - kubectl create secret generic "$COMPONENT-redis" \ - --from-literal url="redis://${COMPONENT}-redis-master-0:6379/0" \ - --from-literal namespace='' - ``` - -The secret is now ready to use in the *Harbor spec*. Please do previous steps for every components requiring a redis: `chartmuseum`, `clair`, `jobservice`, `registry`, ... - -```yaml -apiVersion: goharbor.io/v1alpha1 -kind: Harbor -metadata: - ... -spec: - ... - components: - ... - registry: - ... - cacheSecret: registry-redis - jobService: - ... - redisSecret: jobservice-redis - clair: - ... - adapter: - ... - redisSecret: clair-redis - chartMuseum: - ... - cacheSecret: chartmuseum-redis -``` 
diff --git a/docs/samples/registry-storage-configuration.md b/docs/samples/registry-storage-configuration.md
deleted file mode 100644
index b1fd6811c..000000000
--- a/docs/samples/registry-storage-configuration.md
+++ /dev/null
@@ -1,61 +0,0 @@ -# Registry Storage configuration - -The [Registry](https://docs.docker.com/registry) application required a backend to store docker layers and manifests. - -Once you choosed the [right storage](https://docs.docker.com/registry/configuration/#storage), add the file to a [secret](https://kubernetes.io/docs/concepts/configuration/secret/): - -## Create the secret - -To create the secret required by the operator, you must have the desired configuration for the right a *[storage type](https://docs.docker.com/registry/configuration/#storage)* (`azure`, `filesystem`, `gcs`, `s3`, `swift`, `oss`). - -Then create the secret in the *same namespace than the Harbor resource*. - -```bash -export STORAGE_TYPE='s3' - -# Example with s3 -# https://docs.docker.com/registry/storage-drivers/s3/ -cat < /tmp/registry-backend.yaml -accesskey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -secretkey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -bucket: harbor-registry -region: GRA -regionendpoint: https://storage.gra.cloud.ovh.net -encrypt: false -keyid: "" -secure: true -skipverify: false -v4auth: true -chunksize: 5242880 -multipartcopychunksize: 33554432 -multipartcopymaxconcurrency: 100 -multipartcopythresholdsize: 33554432 -rootdirectory: /files -storageclass: STANDARD -objectacl: private -sessiontoken: "" -EOF - -# Add the secret to kubernetes -# You can specify the namespace using -n -kubectl create secret generic 'registry-backend' \ - --from-file "${STORAGE_TYPE}=/tmp/registry-backend.yaml" -``` - -## Deploy the Harbor resource - -In **the same namespace** than the secret, create or update the Harbor resource: - -```yaml -apiVersion: goharbor.io/v1alpha1 -kind: Harbor -metadata: - name: my-harbor -spec: - components: - registry: - storageSecret: registry-backend -... -``` - -Ensure that the pod registry is rescheduled. diff --git a/docs/tutorial.md b/docs/tutorial.md index 286f3e545..dd645c280 100644 --- a/docs/tutorial.md +++ b/docs/tutorial.md 
@@ -399,11 +399,3 @@ kubectl get secret sample-public-certificate -n cluster-sample-ns \ ``` Of course, you can try other operations of Harbor like scanning etc. - -## Spec customizations - -For configuring existing services as the dependent services of the deploying Harbor cluster, a few customizations are available: - -- [Custom Registry storage](samples/registry-storage-configuration.md) -- [Database configuration](samples/database-installation.md) -- [Redis configuration](samples/redis-installation.md) From e799b3580296f0169483ce9b38f43bd772c3c40c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pierre=20P=C3=A9ronnet?= Date: Mon, 26 Apr 2021 21:36:45 +0200 Subject: [PATCH 2/2] feat(docs) Update makefile target documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Pierre Péronnet --- docs/makefile.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/makefile.md b/docs/makefile.md index 910659a97..21ec3c3ab 100644 --- a/docs/makefile.md +++ b/docs/makefile.md 
@@ -16,15 +16,15 @@ The `Makefile` is in the root dir of the code repository. | Target | Description | |----------------|-----------------------| +| `helm-generate`| Generate Harbor operator helm chart template files | | `helm-install` | Install Harbor operator from chart source | -| `helm-generate`| Generate Harbor operator helm chart tgz package | | `docker-build` | Build operator image from source | | `docker-push` | Push the image built by `docker-build` to the repository | | `install` | Install CRDs into the cluster | | `uninstall` | Uninstall CRDs from the cluster | | `install-dependencies` | Install the related dependencies including cert-manager, ingress controller, redis and postgresql | | `dev-tools` | Install kids of the development tools | -| `sample-%` | Deploy the related sample CR. `%` can be the name of sub folders under [samples](../config/samples) | -| `postgresql` | Deploy a PostgreSQL database with bitnami chart| -| `redis` | Deploy a Redis database with bitnami chart | -| `sample-github-secret` | Create a secret wrapping the GitHub token read from the env variable `GITHUB_TOKEN`| +| `sample-%` | Deploy the related sample CR. `%` can be the name of sub folders under [config/samples/](../config/samples) | +| `postgresql` | Deploy a PostgreSQL database with bitnami chart | +| `redis` | Deploy a Redis database with bitnami chart | +| `sample-github-secret` | Create a secret wrapping the GitHub token read from the env variable `GITHUB_TOKEN` |