From c04cbeb747f38af3cc901d4f627a532077cc1f14 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Thu, 5 Jun 2025 10:47:57 -0500
Subject: [PATCH] add fixed secret
---
 .../harbor/templates/external-secret.yaml | 92 +++++++++++++++++--
 clusters/cl01tl/services/harbor/values.yaml | 25 ++---
 2 files changed, 92 insertions(+), 25 deletions(-)
diff --git a/clusters/cl01tl/services/harbor/templates/external-secret.yaml b/clusters/cl01tl/services/harbor/templates/external-secret.yaml
index e01f66502..6160d5c34 100644
--- a/clusters/cl01tl/services/harbor/templates/external-secret.yaml
+++ b/clusters/cl01tl/services/harbor/templates/external-secret.yaml
@@ -26,41 +26,113 @@ spec:
 key: /cl01tl/harbor/config
 metadataPolicy: None
 property: secretKey
+ - secretKey: CSRF_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/core
+ metadataPolicy: None
+ property: CSRF_KEY
 - secretKey: secret
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/harbor/config
+ key: /cl01tl/harbor/core
 metadataPolicy: None
 property: secret
+ - secretKey: tls.crt
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/core
+ metadataPolicy: None
+ property: tls.crt
+ - secretKey: tls.key
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/core
+ metadataPolicy: None
+ property: tls.key
 - secretKey: JOBSERVICE_SECRET
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/harbor/config
+ key: /cl01tl/harbor/jobservice
 metadataPolicy: None
- property: jobservice-secret
+ property: JOBSERVICE_SECRET
 - secretKey: REGISTRY_HTTP_SECRET
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/harbor/config
+ key: /cl01tl/harbor/registry
 metadataPolicy: None
- property: registry-http-secret
- - secretKey: REGISTRY_PASSWD
+ property: REGISTRY_HTTP_SECRET
+ - secretKey: REGISTRY_REDIS_PASSWORD
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/harbor/config
+ key: /cl01tl/harbor/registry
 metadataPolicy: None
- property: registry-password
+ property: REGISTRY_REDIS_PASSWORD
 - secretKey: REGISTRY_HTPASSWD
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/harbor/config
+ key: /cl01tl/harbor/registry
 metadataPolicy: None
- property: registry-ht-password
+ property: REGISTRY_HTPASSWD
+ - secretKey: REGISTRY_CREDENTIAL_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/registry
+ metadataPolicy: None
+ property: REGISTRY_CREDENTIAL_PASSWORD
+ - secretKey: REGISTRY_PASSWD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/registry
+ metadataPolicy: None
+ property: REGISTRY_CREDENTIAL_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: harbor-nginx-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: harbor-nginx-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ca.crt
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/nginx
+ metadataPolicy: None
+ property: ca.crt
+ - secretKey: tls.crt
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/nginx
+ metadataPolicy: None
+ property: tls.crt
+ - secretKey: tls.key
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/harbor/nginx
+ metadataPolicy: None
+ property: tls.key
 
 ---
 apiVersion: external-secrets.io/v1
diff --git a/clusters/cl01tl/services/harbor/values.yaml b/clusters/cl01tl/services/harbor/values.yaml
index 0d8c19527..a68705a83 100644
--- a/clusters/cl01tl/services/harbor/values.yaml
+++ b/clusters/cl01tl/services/harbor/values.yaml
@@ -45,17 +45,18 @@ harbor:
 image:
 repository: goharbor/harbor-core
 tag: v2.13.1
- replicas: 3
- # existingSecret: harbor-secret
+ replicas: 2
+ existingSecret: harbor-secret
+ secretName: harbor-secret
+ existingXsrfSecret: harbor-secret
 jobservice:
 image:
 repository: goharbor/harbor-jobservice
 tag: v2.13.1
- replicas: 3
+ replicas: 2
 jobLoggers:
 - stdout
- # existingSecret: harbor-secret
- # existingSecretKey: JOBSERVICE_SECRET
+ existingSecret: harbor-secret
 registry:
 registry:
 image:
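Review bot: In the external-secret.yaml hunk, the properties now read from the separate Vault paths `/cl01tl/harbor/core`, `/cl01tl/harbor/jobservice` and `/cl01tl/harbor/registry` are still flattened into one ExternalSecret, and the values.yaml hunks point core, jobservice and registry at the same `harbor-secret`. Any workload or RBAC subject that can read that one Secret therefore gets the token-signing `tls.key`, `CSRF_KEY` and the registry credentials together. Because the Vault side is already split per component, one ExternalSecret per path, as this commit does for `harbor-nginx-secret`, would keep that separation in the cluster; a sketch for jobservice follows. The resource's `metadata` is outside the hunk, so the name `harbor-secret` is inferred from values.yaml. `REGISTRY_PASSWD` and `REGISTRY_CREDENTIAL_PASSWORD` both read property `REGISTRY_CREDENTIAL_PASSWORD`, which looks deliberate but should carry a one-line comment saying so.

```yaml
# … unchanged: existing ExternalSecret entries for core and registry …
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: harbor-jobservice-secret  # proposed name, not present in the repo
  namespace: {{ .Release.Namespace }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: JOBSERVICE_SECRET
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/harbor/jobservice
        metadataPolicy: None
        property: JOBSERVICE_SECRET
# values.yaml would then point jobservice.existingSecret at this name
```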
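Review bot: In the first values.yaml hunk, `existingXsrfSecret` and the jobservice `existingSecret` are set without their key selectors, so the lookup depends on the chart's default key names matching the `CSRF_KEY` and `JOBSERVICE_SECRET` keys created in external-secret.yaml. The commented block this hunk removes did spell out `existingSecretKey: JOBSERVICE_SECRET`. Pinning `existingXsrfSecretKey: CSRF_KEY` and `existingSecretKey: JOBSERVICE_SECRET` beside them makes that coupling explicit and keeps it stable if the chart defaults change. If the chart injects these values as environment variables, a rotation in Vault presumably only takes effect after the pods are restarted, which is worth a short comment here. The `harbor:` and `core:` mappings start outside the hunk.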
@@ -65,16 +66,10 @@ harbor:
 image:
 repository: goharbor/harbor-registryctl
 tag: v2.13.1
- # existingSecret: harbor-secret
- # existingSecretKey: REGISTRY_HTTP_SECRET
- # relativeurls: true
- # credentials:
- # existingSecret: harbor-secret
- # upload_purging:
- # enabled: true
- # age: 168h
- # interval: 24h
- # dryrun: false
+ existingSecret: harbor-secret
+ relativeurls: true
+ credentials:
+ existingSecret: harbor-secret
 trivy:
 enabled: true
 database:
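Review bot: `credentials.existingSecret: harbor-secret` makes registry authentication depend on two separately stored Vault properties, `REGISTRY_CREDENTIAL_PASSWORD` (exposed as `REGISTRY_PASSWD`) and `REGISTRY_HTPASSWD`, and nothing here records that the htpasswd entry has to be generated from that same password. Rotating one without the other would presumably break authentication to the registry. I would add above the key `# REGISTRY_HTPASSWD must be the htpasswd entry for the password in REGISTRY_PASSWD; rotate both together in Vault`. `relativeurls: true` is also switched on here although the commit is titled as a secret change, which deserves a line in the description. Indentation is lost in this view and the enclosing mapping starts outside the hunk, so I am assuming these keys sit under `registry:`.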