Simplify Harbor to standard deployment pattern

- ExternalSecret now pulls only HARBOR_ADMIN_PASSWORD from 1Password
- Removed database, redis, core, jobservice, registry secret references
- Harbor Helm chart auto-generates all internal secrets (standard pattern)
- Reduces complexity and aligns with Harbor best practices

This change removes dependency on 5 1Password fields that should be deleted:
- database-password
- redis-password
- core-secret
- jobservice-secret
- registry-password

Only harbor-admin-password field needed in 1Password item 'the-seas'
This commit is contained in:
Hermes Agent service account
2026-06-04 20:44:32 -05:00
parent ac8e7acbd4
commit 99bc31dee9
2 changed files with 11 additions and 50 deletions

View File

@@ -1,11 +1,13 @@
# ------------------------------------------------------------------------------
# ExternalSecret — Harbor Credentials
# Pulled from 1Password via Connect Server, materialized as a K8s secret
# in the-seas namespace for use by Harbor components.
# in the harbor namespace for use by Harbor admin authentication.
#
# In 1Password, these are stored in the "the-seas" item in the "mk-labs" vault
# with fields: harbor-admin-password, database-password, redis-password,
# core-secret, jobservice-secret, registry-password
# In 1Password, stored in the "the-seas" item in the "mk-labs" vault
# with field: harbor-admin-password
#
# NOTE: All internal secrets (database, redis, registry, core, jobservice)
# are auto-generated by the Harbor Helm chart. This is the standard pattern.
# ------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
@@ -25,29 +27,3 @@ spec:
remoteRef:
key: the-seas
property: harbor-admin-password
- secretKey: DATABASE_PASSWORD
remoteRef:
key: the-seas
property: database-password
- secretKey: REDIS_PASSWORD
remoteRef:
key: the-seas
property: redis-password
# Core secret - Harbor Helm chart expects key named 'secret' not 'CORE_SECRET'
- secretKey: secret
remoteRef:
key: the-seas
property: core-secret
- secretKey: JOBSERVICE_SECRET
remoteRef:
key: the-seas
property: jobservice-secret
- secretKey: REGISTRY_PASSWD
remoteRef:
key: the-seas
property: registry-password

View File

@@ -36,10 +36,7 @@ database:
image:
repository: docker.io/goharbor/harbor-db
tag: "v2.15.1"
# Password from ExternalSecret
password: ""
existingSecret: "harbor-credentials"
existingSecretKey: "DATABASE_PASSWORD"
# Password auto-generated by Harbor Helm chart
resources:
requests:
memory: 1Gi
@@ -60,10 +57,7 @@ redis:
image:
repository: docker.io/goharbor/redis-photon
tag: "v2.15.1"
# Password from ExternalSecret
jobservicePassword: ""
existingSecret: "harbor-credentials"
existingSecretKey: "REDIS_PASSWORD"
# Password auto-generated by Harbor Helm chart
resources:
requests:
memory: 256Mi
@@ -130,9 +124,7 @@ core:
repository: docker.io/goharbor/harbor-core
tag: "v2.15.1"
replicas: 1
# Core secret from ExternalSecret
secret: ""
existingSecret: "harbor-credentials"
# Core secret auto-generated by Harbor Helm chart
# Enable HTTP/2 for better performance
configureUserSettings: |-
http2_push_preload on;
@@ -152,10 +144,7 @@ jobservice:
repository: docker.io/goharbor/harbor-jobservice
tag: "v2.15.1"
replicas: 1
# Job service secret from ExternalSecret
secret: ""
existingSecret: "harbor-credentials"
existingSecretKey: "JOBSERVICE_SECRET"
# Job service secret auto-generated by Harbor Helm chart
resources:
requests:
memory: 512Mi
@@ -172,11 +161,7 @@ registry:
repository: docker.io/goharbor/registry-photon
tag: "v2.15.1"
replicas: 1
# Registry credentials from ExternalSecret
credentials:
username: "harbor_registry_user"
password: ""
existingSecret: "harbor-credentials"
# Registry credentials auto-generated by Harbor Helm chart
resources:
requests:
memory: 1Gi