feat: add harbor/gitea credentials via Vault ESO + JCasC

- ExternalSecret manifests sync kv/jenkins/{harbor,gitea}-credentials
  from Vault → K8s secrets in jenkins namespace
- Jenkins values: additionalExistingSecrets mounts both secrets
- JCasC configScript creates harbor-credentials + gitea-credentials
  pipeline credentials from mounted secret env vars

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manifest/jenkins/external-secrets/gitea-credentials.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-credentials
+  namespace: jenkins
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: gitea-credentials
+    creationPolicy: Owner
+  data:
+  - secretKey: username
+    remoteRef:
+      key: jenkins/gitea-credentials
+      property: username
+  - secretKey: password
+    remoteRef:
+      key: jenkins/gitea-credentials
+      property: password

manifest/jenkins/external-secrets/harbor-credentials.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: harbor-credentials
+  namespace: jenkins
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: harbor-credentials
+    creationPolicy: Owner
+  data:
+  - secretKey: username
+    remoteRef:
+      key: jenkins/harbor-credentials
+      property: username
+  - secretKey: password
+    remoteRef:
+      key: jenkins/harbor-credentials
+      property: password

manifest/jenkins/values.yaml

@@ -497,13 +497,16 @@ controller:
   existingSecret:
 
   # -- List of additional existing secrets to mount
-  additionalExistingSecrets: []
+  additionalExistingSecrets:
+    - name: harbor-credentials
+      keyName: username
+    - name: harbor-credentials
+      keyName: password
+    - name: gitea-credentials
+      keyName: username
+    - name: gitea-credentials
+      keyName: password
   # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
-  # additionalExistingSecrets:
-  #  - name: secret-name-1
-  #    keyName: username
-  #  - name: secret-name-1
-  #    keyName: password
 
   # -- List of additional secrets to create and mount
   additionalSecrets: []
@@ -545,10 +548,24 @@ controller:
     configUrls: []
     # - https://acme.org/jenkins.yaml
     # -- List of Jenkins Config as Code scripts
-    configScripts: {}
+    configScripts:
-    #  welcome-message: |
+      pipeline-credentials: |
-    #    jenkins:
+        credentials:
-    #      systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'.
+          system:
+            domainCredentials:
+            - credentials:
+              - usernamePassword:
+                  description: "Harbor registry"
+                  id: "harbor-credentials"
+                  username: "${harbor-credentials-username}"
+                  password: "${harbor-credentials-password}"
+                  scope: GLOBAL
+              - usernamePassword:
+                  description: "Gitea"
+                  id: "gitea-credentials"
+                  username: "${gitea-credentials-username}"
+                  password: "${gitea-credentials-password}"
+                  scope: GLOBAL
 
     # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations
     # -- Jenkins Config as Code security-section