From 7cd142ff157ddeb0efae3e1f9fc22fe5a01db253 Mon Sep 17 00:00:00 2001
From: dvirlabs
Date: Sun, 10 Aug 2025 05:16:42 +0300
Subject: [PATCH] Add app for clustersecretstore and set External secret for woodpecker harbor
---
argocd-apps/cluster-secret-store-creator.yaml | 22 +++++++++++++++++++
.../cluster-secret-store/vault-cicd.yaml | 15 +++++++++++++
.../vault-general-secrets.yaml | 15 +++++++++++++
.../vault-internal-users.yaml | 15 +++++++++++++
.../vault-oidc-secrets.yaml | 15 +++++++++++++
.../gitea-bitnami/external-secret.yaml | 18 ---------------
.../wikijs/external-secret.yaml | 18 ---------------
.../woodpecker/external-secret.yaml | 18 ---------------
.../woodpecker/external-secret.yaml.disable | 18 +++++++++++++++
.../externalsecret-woodpecker-harbor.yaml | 22 +++++++++++++++++++
10 files changed, 122 insertions(+), 54 deletions(-)
create mode 100644 argocd-apps/cluster-secret-store-creator.yaml
create mode 100644 manifests/cluster-secret-store/vault-cicd.yaml
create mode 100644 manifests/cluster-secret-store/vault-general-secrets.yaml
create mode 100644 manifests/cluster-secret-store/vault-internal-users.yaml
create mode 100644 manifests/cluster-secret-store/vault-oidc-secrets.yaml
delete mode 100644 manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml
delete mode 100644 manifests/external-secrets-dev-tools/wikijs/external-secret.yaml
delete mode 100644 manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml
create mode 100644 manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable
create mode 100644 manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml
diff --git a/argocd-apps/cluster-secret-store-creator.yaml b/argocd-apps/cluster-secret-store-creator.yaml
new file mode 100644
index 0000000..0e1e78a
--- /dev/null
+++ b/argocd-apps/cluster-secret-store-creator.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cluster-secret-store-creator
+ namespace: argocd
+spec:
+ project: dev-tools
+ source:
+ repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git
+ targetRevision: HEAD
+ path: manifests/cluster-secret-store
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: dev-tools
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/manifests/cluster-secret-store/vault-cicd.yaml b/manifests/cluster-secret-store/vault-cicd.yaml
new file mode 100644
index 0000000..08ded04
--- /dev/null
+++ b/manifests/cluster-secret-store/vault-cicd.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-cicd
+spec:
+ provider:
+ vault:
+ auth:
+ tokenSecretRef:
+ key: token
+ name: vault-eso-token
+ namespace: dev-tools
+ path: cicd
+ server: http://vault.dev-tools.svc.cluster.local:8200
+ version: v2
diff --git a/manifests/cluster-secret-store/vault-general-secrets.yaml b/manifests/cluster-secret-store/vault-general-secrets.yaml
new file mode 100644
index 0000000..b461bc5
--- /dev/null
+++ b/manifests/cluster-secret-store/vault-general-secrets.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-general-secrets
+spec:
+ provider:
+ vault:
+ auth:
+ tokenSecretRef:
+ key: token
+ name: vault-eso-token
+ namespace: dev-tools
+ path: general-secrets
+ server: http://vault.dev-tools.svc.cluster.local:8200
+ version: v2
diff --git a/manifests/cluster-secret-store/vault-internal-users.yaml b/manifests/cluster-secret-store/vault-internal-users.yaml
new file mode 100644
index 0000000..a08b1d3
--- /dev/null
+++ b/manifests/cluster-secret-store/vault-internal-users.yaml
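Review bot: `targetRevision: HEAD` together with `automated: prune: true / selfHeal: true` and `directory.recurse: true` means anything merged to the default branch under `manifests/cluster-secret-store` is applied to the cluster with no pin and no manual gate, and a ClusterSecretStore's `server:` field decides where ESO sends the token in `vault-eso-token` — an edited store manifest would redirect that token to whatever endpoint it names. Pin `targetRevision` to a protected branch or a tag and treat this path as review-required. ClusterSecretStore is cluster-scoped, so the `dev-tools` AppProject's `clusterResourceWhitelist` must allow `external-secrets.io/ClusterSecretStore` or the sync will be refused; the project is not in this patch, so that cannot be confirmed here. `destination.namespace: dev-tools` and `CreateNamespace=true` do nothing for cluster-scoped resources and are harmless.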
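Review bot: `server: http://vault.dev-tools.svc.cluster.local:8200` has ESO present the `vault-eso-token` and receive every secret under the `cicd` mount over plaintext HTTP on the pod network. Unless the Vault listener genuinely runs without TLS behind a mesh or NetworkPolicy that is not visible in this patch, switch to `server: https://vault.dev-tools.svc.cluster.local:8200` and pin the CA with `caProvider` (or `caBundle`) so a spoofed in-cluster endpoint cannot harvest the token. The same `server:` value is repeated in all four stores added here, so the change applies to each of them.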
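Review bot: `auth.tokenSecretRef` binds this store to a long-lived static Vault token held in the `vault-eso-token` Secret in `dev-tools`, so anyone who can read Secrets in that namespace holds Vault access, and the token has to be rotated by hand. ESO's Vault provider supports the Kubernetes auth method (`auth.kubernetes` with a Vault role and a `serviceAccountRef`), which issues short-lived tokens bound to ESO's ServiceAccount and removes the static credential entirely. If token auth is intentional, add a comment above `auth:` recording who rotates the token and how often, since nothing in this manifest conveys that.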
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-internal-users
+spec:
+ provider:
+ vault:
+ auth:
+ tokenSecretRef:
+ key: token
+ name: vault-eso-token
+ namespace: dev-tools
+ path: internal-users
+ server: http://vault.dev-tools.svc.cluster.local:8200
+ version: v2
diff --git a/manifests/cluster-secret-store/vault-oidc-secrets.yaml b/manifests/cluster-secret-store/vault-oidc-secrets.yaml
new file mode 100644
index 0000000..d8f3d24
--- /dev/null
+++ b/manifests/cluster-secret-store/vault-oidc-secrets.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-oidc-secrets
+spec:
+ provider:
+ vault:
+ auth:
+ tokenSecretRef:
+ key: token
+ name: vault-eso-token
+ namespace: dev-tools
+ path: oidc-secrets
+ server: http://vault.dev-tools.svc.cluster.local:8200
+ version: v2
diff --git a/manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml b/manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml
deleted file mode 100644
index 0cff484..0000000
--- a/manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: grafana-oidc
- namespace: dev-tools
-spec:
- refreshInterval: 1h
- secretStoreRef:
- name: vault-oidc-clients
- kind: ClusterSecretStore
- target:
- name: grafana-oidc-secret
- creationPolicy: Owner
- data:
- - secretKey: client_secret
- remoteRef:
- key: oidc-clients/gitea-oidc
- property: client_secret
\ No newline at end of file
diff --git a/manifests/external-secrets-dev-tools/wikijs/external-secret.yaml b/manifests/external-secrets-dev-tools/wikijs/external-secret.yaml
deleted file mode 100644
index ac66113..0000000
--- a/manifests/external-secrets-dev-tools/wikijs/external-secret.yaml
+++ /dev/null
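Review bot: A ClusterSecretStore can be referenced by an ExternalSecret in any namespace, so once `vault-internal-users` exists every namespace on the cluster can read from the `internal-users` mount with ESO's token, and nothing in this manifest narrows that. Every consumer in this patch lives in `dev-tools`, so add a condition under `spec:` — `conditions:` / `  - namespaces:` / `      - dev-tools` (or a `namespaceSelector`) — to restrict which namespaces may use the store. The same applies to the other three stores, but this one fronts user credentials and is the one to lock down first.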
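Review bot: This is the fourth store in the patch that authenticates with the same `vault-eso-token`, so the split into `cicd`/`general-secrets`/`internal-users`/`oidc-secrets` stores separates Kubernetes-side naming but not Vault-side privilege: whatever policy that one token carries is reachable through every store. If the per-mount split is meant as a trust boundary, each store should reference its own token (or its own Kubernetes-auth role) whose Vault policy is limited to that mount. If it is purely organisational, a comment above `auth:` saying so would stop the next reader from assuming an isolation that isn't there. The token's Vault policy is not visible from this patch, so this is inferred from the shared secret reference alone.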
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: wikijs-db-secret
- namespace: dev-tools
-spec:
- refreshInterval: 1h
- secretStoreRef:
- name: vault-general-secrets
- kind: ClusterSecretStore
- target:
- name: wikijs-db-secret
- creationPolicy: Owner
- data:
- - secretKey: password
- remoteRef:
- key: wikijs-db
- property: password
diff --git a/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml b/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml
deleted file mode 100644
index 26f46f1..0000000
--- a/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: kaniko-docker-config
- namespace: dev-tools
-spec:
- refreshInterval: 1h
- secretStoreRef:
- name: vault-general-secrets
- kind: ClusterSecretStore
- target:
- name: kaniko-docker-config
- creationPolicy: Owner
- data:
- - secretKey: config.json
- remoteRef:
- key: general-secrets/woodpecker-kaniko
- property: config.json
diff --git a/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable b/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable
new file mode 100644
index 0000000..4a9c9b9
--- /dev/null
+++ b/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable
@@ -0,0 +1,18 @@
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+# name: kaniko-docker-config
+# namespace: dev-tools
+# spec:
+# refreshInterval: 1h
+# secretStoreRef:
+# name: vault-general-secrets
+# kind: ClusterSecretStore
+# target:
+# name: kaniko-docker-config
+# creationPolicy: Owner
+# data:
+# - secretKey: config.json
+# remoteRef:
+# key: general-secrets/woodpecker-kaniko
+# property: config.json
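Review bot: Keeping `kaniko-docker-config` as a fully commented-out `.disable` file parks dead configuration in the tree; git history already preserves it, and as a block of `#` lines it neither syncs nor documents why it was retired. The more important consequence is that the ExternalSecret it mirrors had `creationPolicy: Owner`, so ESO is expected to garbage-collect the `kaniko-docker-config` Secret once the ExternalSecret is gone, and any Woodpecker/kaniko step still mounting that name will fail until it is pointed at `woodpecker-harbor-secret` — this patch does not show that consumer being updated. Either drop the `.disable` file or replace its body with a single line such as `# Retired: replaced by externalsecret-woodpecker-harbor.yaml (Secret woodpecker-harbor-secret)` so the reason survives without the stale manifest.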
diff --git a/manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml b/manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml
new file mode 100644
index 0000000..3681d1a
--- /dev/null
+++ b/manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: woodpecker-harbor-creds
+ namespace: dev-tools
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-cicd # ClusterSecretStore for CICD secrets
+ kind: ClusterSecretStore
+ target:
+ name: woodpecker-harbor-secret # K8s Secret that will be created
+ creationPolicy: Owner
+ data:
+ - secretKey: docker_username
+ remoteRef:
+ key: harbor # relative to ClusterSecretStore's path (cicd)
+ property: docker_username
+ - secretKey: docker_password
+ remoteRef:
+ key: harbor
+ property: docker_password
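Review bot: The generated `woodpecker-harbor-secret` is an Opaque Secret with two flat keys, `docker_username` and `docker_password`, whereas the ExternalSecret this replaces produced a ready-made `config.json` for kaniko. If the consumer is still a kaniko step expecting a mounted Docker config it cannot use this Secret as-is; either add `target.template` with `type: kubernetes.io/dockerconfigjson` and render `.dockerconfigjson` from the two keys, or confirm that Woodpecker itself performs the registry login from username/password — the consumer is not in this patch, so I can't tell which applies. `refreshInterval: 1h` also means a revoked or rotated Harbor robot credential can linger in-cluster for up to an hour; for a push credential that deserves a comment beside the value so the interval is a deliberate choice. `key: harbor` is correctly relative to the store's `path: cicd`, as the inline comment says, so no change is needed there.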