Files
homelab/cluster/platform/harbor/externalsecret.yaml
Hermes Agent service account 99bc31dee9 Simplify Harbor to standard deployment pattern
- ExternalSecret now pulls only HARBOR_ADMIN_PASSWORD from 1Password
- Removed database, redis, core, jobservice, registry secret references
- Harbor Helm chart auto-generates all internal secrets (standard pattern)
- Reduces complexity and aligns with Harbor best practices

This change removes dependency on 5 1Password fields that should be deleted:
- database-password
- redis-password
- core-secret
- jobservice-secret
- registry-password

Only harbor-admin-password field needed in 1Password item 'the-seas'
2026-06-04 20:44:32 -05:00

30 lines
1018 B
YAML

# ------------------------------------------------------------------------------
# ExternalSecret — Harbor Credentials
# Pulled from 1Password via Connect Server, materialized as a K8s secret
# in the harbor namespace for use by Harbor admin authentication.
#
# In 1Password, stored in the "the-seas" item in the "mk-labs" vault
# with field: harbor-admin-password
#
# NOTE: All internal secrets (database, redis, registry, core, jobservice)
# are auto-generated by the Harbor Helm chart. This is the standard pattern.
# ------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: harbor-credentials
namespace: harbor
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
refreshInterval: "1h"
target:
name: harbor-credentials
creationPolicy: Owner
data:
- secretKey: HARBOR_ADMIN_PASSWORD
remoteRef:
key: the-seas
property: harbor-admin-password