- ExternalSecret now pulls only HARBOR_ADMIN_PASSWORD from 1Password - Removed database, redis, core, jobservice, registry secret references - Harbor Helm chart auto-generates all internal secrets (standard pattern) - Reduces complexity and aligns with Harbor best practices This change removes dependency on 5 1Password fields that should be deleted: - database-password - redis-password - core-secret - jobservice-secret - registry-password Only harbor-admin-password field needed in 1Password item 'the-seas'
30 lines
1018 B
YAML
30 lines
1018 B
YAML
# ------------------------------------------------------------------------------
|
|
# ExternalSecret — Harbor Credentials
|
|
# Pulled from 1Password via Connect Server, materialized as a K8s secret
|
|
# in the harbor namespace for use by Harbor admin authentication.
|
|
#
|
|
# In 1Password, stored in the "the-seas" item in the "mk-labs" vault
|
|
# with field: harbor-admin-password
|
|
#
|
|
# NOTE: All internal secrets (database, redis, registry, core, jobservice)
|
|
# are auto-generated by the Harbor Helm chart. This is the standard pattern.
|
|
# ------------------------------------------------------------------------------
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: harbor-credentials
|
|
namespace: harbor
|
|
spec:
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-connect
|
|
refreshInterval: "1h"
|
|
target:
|
|
name: harbor-credentials
|
|
creationPolicy: Owner
|
|
data:
|
|
- secretKey: HARBOR_ADMIN_PASSWORD
|
|
remoteRef:
|
|
key: the-seas
|
|
property: harbor-admin-password
|