From afadbbbf7d61c970210d6f99fd13b4304a52c955 Mon Sep 17 00:00:00 2001
From: duynguyen
Date: Wed, 22 Apr 2026 16:01:22 +0700
Subject: [PATCH] feat: add harbor/gitea credentials via Vault ESO + JCasC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- ExternalSecret manifests sync kv/jenkins/{harbor,gitea}-credentials from Vault → K8s secrets in jenkins namespace
- Jenkins values: additionalExistingSecrets mounts both secrets
- JCasC configScript creates harbor-credentials + gitea-credentials pipeline credentials from mounted secret env vars

Co-Authored-By: Claude Sonnet 4.6
---
.../external-secrets/gitea-credentials.yaml | 22 +++++++++++
.../external-secrets/harbor-credentials.yaml | 22 +++++++++++
manifest/jenkins/values.yaml | 37 ++++++++++++++-----
3 files changed, 71 insertions(+), 10 deletions(-)
create mode 100644 manifest/jenkins/external-secrets/gitea-credentials.yaml
create mode 100644 manifest/jenkins/external-secrets/harbor-credentials.yaml

diff --git a/manifest/jenkins/external-secrets/gitea-credentials.yaml b/manifest/jenkins/external-secrets/gitea-credentials.yaml
new file mode 100644
index 0000000..886d934
--- /dev/null
+++ b/manifest/jenkins/external-secrets/gitea-credentials.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: gitea-credentials
+ namespace: jenkins
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: gitea-credentials
+ creationPolicy: Owner
+ data:
+ - secretKey: username
+ remoteRef:
+ key: jenkins/gitea-credentials
+ property: username
+ - secretKey: password
+ remoteRef:
+ key: jenkins/gitea-credentials
+ property: password
diff --git a/manifest/jenkins/external-secrets/harbor-credentials.yaml b/manifest/jenkins/external-secrets/harbor-credentials.yaml
new file mode 100644
index 0000000..5207e53
--- /dev/null
+++ b/manifest/jenkins/external-secrets/harbor-credentials.yaml
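Review bot: Both new ExternalSecrets materialise the Vault entry as a plain Kubernetes Secret in namespace `jenkins` with `refreshInterval: 1h`, so a rotation in Vault can lag up to an hour before the mounted value changes, and any principal with `get`/`list` on Secrets in that namespace can read the Harbor and Gitea credentials; a comment on that line such as `# Vault rotations propagate within 1h; shorten if these accounts rotate more often` and a check that Secret RBAC in `jenkins` is limited to the controller would be worth adding. The same applies to harbor-credentials.yaml, which is identical apart from the names. The two per-property `data` entries could be collapsed to `dataFrom: - extract: key: jenkins/gitea-credentials`, which syncs `username` and `password` from one entry and keeps the two files from drifting, though it also pulls in any other property stored under that key. Whether `jenkins/gitea-credentials` resolves under the `kv` mount named in the commit message depends on the `path` configured on the `vault-backend` ClusterSecretStore, which is outside this patch.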
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: harbor-credentials
+ namespace: jenkins
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: harbor-credentials
+ creationPolicy: Owner
+ data:
+ - secretKey: username
+ remoteRef:
+ key: jenkins/harbor-credentials
+ property: username
+ - secretKey: password
+ remoteRef:
+ key: jenkins/harbor-credentials
+ property: password
diff --git a/manifest/jenkins/values.yaml b/manifest/jenkins/values.yaml
index b9837af..8c560fc 100644
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
@@ -497,13 +497,16 @@ controller:
 existingSecret:
 # -- List of additional existing secrets to mount
- additionalExistingSecrets: []
+ additionalExistingSecrets:
+ - name: harbor-credentials
+ keyName: username
+ - name: harbor-credentials
+ keyName: password
+ - name: gitea-credentials
+ keyName: username
+ - name: gitea-credentials
+ keyName: password
 # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
- # additionalExistingSecrets:
- # - name: secret-name-1
- # keyName: username
- # - name: secret-name-1
- # keyName: password
 # -- List of additional secrets to create and mount
 additionalSecrets: []
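Review bot: The eight `additionalExistingSecrets` entries replace the commented example that was the only in-file hint of how the chart exposes these mounts to JCasC, so a comment above the list would help the next reader, e.g. `# each entry is mounted by the chart and referenced from JCasC as ${<name>-<keyName>}, e.g. ${harbor-credentials-username}`. Because `harbor-credentials` and `gitea-credentials` are created by ESO rather than by the chart, the controller pod will sit in ContainerCreating until both Secrets exist in the `jenkins` namespace if the chart mounts them as non-optional volumes (I believe it does, but that is outside this hunk), so the ExternalSecrets need to be applied first or sequenced by the deployment tooling. The later hunk in this file registers both mounted pairs in JCasC with `scope: GLOBAL`, which makes them usable from any job on the controller; if pipeline definitions from less-trusted authors run here, `SYSTEM` scope or folder-level credentials would limit exposure.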
@@ -545,10 +548,24 @@ controller:
 configUrls: []
 # - https://acme.org/jenkins.yaml
 # -- List of Jenkins Config as Code scripts
- configScripts: {}
- # welcome-message: |
- # jenkins:
- # systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'.
+ configScripts:
+ pipeline-credentials: |
+ credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - usernamePassword:
+ description: "Harbor registry"
+ id: "harbor-credentials"
+ username: "${harbor-credentials-username}"
+ password: "${harbor-credentials-password}"
+ scope: GLOBAL
+ - usernamePassword:
+ description: "Gitea"
+ id: "gitea-credentials"
+ username: "${gitea-credentials-username}"
+ password: "${gitea-credentials-password}"
+ scope: GLOBAL
 # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations
 # -- Jenkins Config as Code security-section