Files
homelab/cluster/platform/the-seas/externalsecret.yaml
Hermes Agent service account 95ae6919b0 feat(platform): add Harbor container registry (the-seas) deployment
- Add Harbor v2.15.1 (chart 1.19.1) deployment to wave 7
- Service name: the-seas (EPCOT: The Seas with Nemo & Friends)
- Architecture: Embedded PostgreSQL, embedded Redis, single instance
- Storage: NFS via nfs-emporium StorageClass (130Gi total)
- Expose via Gateway API with dual DNS names
- Primary: the-seas.local.mk-labs.cloud
- Alternate: harbor.local.mk-labs.cloud
- ExternalSecret for 1Password integration (6 secrets)
- All image tags pinned to 2.15.1
- Resource requests/limits configured for homelab
- Multi-source ArgoCD application pattern
- TLS certificates via cert-manager (Let's Encrypt)
- Metrics and Trivy scanning enabled

Components:
- Portal, Core, Registry, JobService (1 replica each)
- Embedded PostgreSQL and Redis
- NGINX reverse proxy
- Trivy vulnerability scanner
- Prometheus metrics exporter

Refs: /mnt/mk-labs-pka/tony-stark-inbox/harbor-phase1-deployment.md
2026-06-04 20:20:51 -05:00

53 lines
1.5 KiB
YAML

# ------------------------------------------------------------------------------
# ExternalSecret — Harbor Credentials
# Pulled from 1Password via Connect Server, materialized as a K8s secret
# in the-seas namespace for use by Harbor components.
#
# In 1Password, these are stored in the "the-seas" item in the "mk-labs" vault
# with fields: harbor-admin-password, database-password, redis-password,
# core-secret, jobservice-secret, registry-password
# ------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: the-seas-credentials
namespace: the-seas
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
refreshInterval: "1h"
target:
name: the-seas-credentials
creationPolicy: Owner
data:
- secretKey: HARBOR_ADMIN_PASSWORD
remoteRef:
key: the-seas
property: harbor-admin-password
- secretKey: DATABASE_PASSWORD
remoteRef:
key: the-seas
property: database-password
- secretKey: REDIS_PASSWORD
remoteRef:
key: the-seas
property: redis-password
- secretKey: CORE_SECRET
remoteRef:
key: the-seas
property: core-secret
- secretKey: JOBSERVICE_SECRET
remoteRef:
key: the-seas
property: jobservice-secret
- secretKey: REGISTRY_PASSWD
remoteRef:
key: the-seas
property: registry-password