Add app for clustersecretstore and set External secret for woodpecker harbor

argocd-apps/cluster-secret-store-creator.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cluster-secret-store-creator
+  namespace: argocd
+spec:
+  project: dev-tools
+  source:
+    repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git
+    targetRevision: HEAD
+    path: manifests/cluster-secret-store
+    directory:
+      recurse: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dev-tools
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

manifests/cluster-secret-store/vault-cicd.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-cicd
+spec:
+  provider:
+    vault:
+      auth:
+        tokenSecretRef:
+          key: token
+          name: vault-eso-token
+          namespace: dev-tools
+      path: cicd
+      server: http://vault.dev-tools.svc.cluster.local:8200
+      version: v2

manifests/cluster-secret-store/vault-general-secrets.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-general-secrets
+spec:
+  provider:
+    vault:
+      auth:
+        tokenSecretRef:
+          key: token
+          name: vault-eso-token
+          namespace: dev-tools
+      path: general-secrets
+      server: http://vault.dev-tools.svc.cluster.local:8200
+      version: v2

manifests/cluster-secret-store/vault-internal-users.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-internal-users
+spec:
+  provider:
+    vault:
+      auth:
+        tokenSecretRef:
+          key: token
+          name: vault-eso-token
+          namespace: dev-tools
+      path: internal-users
+      server: http://vault.dev-tools.svc.cluster.local:8200
+      version: v2

manifests/cluster-secret-store/vault-oidc-secrets.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-oidc-secrets
+spec:
+  provider:
+    vault:
+      auth:
+        tokenSecretRef:
+          key: token
+          name: vault-eso-token
+          namespace: dev-tools
+      path: oidc-secrets
+      server: http://vault.dev-tools.svc.cluster.local:8200
+      version: v2

manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml

@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: grafana-oidc
-  namespace: dev-tools
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: vault-oidc-clients
-    kind: ClusterSecretStore
-  target:
-    name: grafana-oidc-secret
-    creationPolicy: Owner
-  data:
-    - secretKey: client_secret
-      remoteRef:
-        key: oidc-clients/gitea-oidc
-        property: client_secret

manifests/external-secrets-dev-tools/wikijs/external-secret.yaml

@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: wikijs-db-secret
-  namespace: dev-tools
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: vault-general-secrets
-    kind: ClusterSecretStore
-  target:
-    name: wikijs-db-secret
-    creationPolicy: Owner
-  data:
-    - secretKey: password
-      remoteRef:
-        key: wikijs-db
-        property: password

manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml

@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: kaniko-docker-config
-  namespace: dev-tools
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: vault-general-secrets
-    kind: ClusterSecretStore
-  target:
-    name: kaniko-docker-config
-    creationPolicy: Owner
-  data:
-    - secretKey: config.json
-      remoteRef:
-        key: general-secrets/woodpecker-kaniko
-        property: config.json

manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable

@@ -0,0 +1,18 @@
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+#   name: kaniko-docker-config
+#   namespace: dev-tools
+# spec:
+#   refreshInterval: 1h
+#   secretStoreRef:
+#     name: vault-general-secrets
+#     kind: ClusterSecretStore
+#   target:
+#     name: kaniko-docker-config
+#     creationPolicy: Owner
+#   data:
+#     - secretKey: config.json
+#       remoteRef:
+#         key: general-secrets/woodpecker-kaniko
+#         property: config.json

manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: woodpecker-harbor-creds
+  namespace: dev-tools
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-cicd                  # ClusterSecretStore for CICD secrets
+    kind: ClusterSecretStore
+  target:
+    name: woodpecker-harbor-secret    # K8s Secret that will be created
+    creationPolicy: Owner
+  data:
+    - secretKey: docker_username
+      remoteRef:
+        key: harbor                   # relative to ClusterSecretStore's path (cicd)
+        property: docker_username
+    - secretKey: docker_password
+      remoteRef:
+        key: harbor
+        property: docker_password