From e036624a64bcc448a567c2a5c70cc9a16fadd4b1 Mon Sep 17 00:00:00 2001
From: duynguyen
Date: Sun, 12 Apr 2026 18:01:32 +0700
Subject: [PATCH] Add external secret configuration for Jenkins admin credentials in values.yaml and create ExternalSecret template for Vault integration.
---
 .../jenkins-admin-externalsecret.yaml | 31 +++++++++++++++++++
 manifest/jenkins/values.yaml | 19 ++++++++++--
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 manifest/jenkins/templates/jenkins-admin-externalsecret.yaml
diff --git a/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml b/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml
new file mode 100644
index 0000000..3cb3b70
--- /dev/null
+++ b/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.controller.admin.externalSecret.enabled }}
+{{- $es := .Values.controller.admin.externalSecret }}
+{{- $rr := $es.remoteRef | default dict }}
+{{- $sk := $rr.secretKey | default "password" }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: {{ include "jenkins.fullname" . }}-admin-vault
+ namespace: {{ template "jenkins.namespace" . }}
+ labels:
+ {{- include "jenkins.labels" . | nindent 4 }}
+spec:
+ refreshInterval: {{ $es.refreshInterval | default "1h" | quote }}
+ secretStoreRef:
+ name: {{ $es.secretStoreRef.name }}
+ kind: {{ $es.secretStoreRef.kind | default "ClusterSecretStore" }}
+ target:
+ name: {{ .Values.controller.admin.existingSecret | default "jenkins-admin" | quote }}
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ mergePolicy: Replace
+ data:
+ {{ .Values.controller.admin.userKey | default "jenkins-admin-user" | quote }}: {{ .Values.controller.admin.username | default "admin" | quote }}
+ {{ .Values.controller.admin.passwordKey | default "jenkins-admin-password" | quote }}: {{ printf "{{ .%s }}" $sk | quote }}
+ data:
+ - secretKey: {{ $sk | quote }}
+ remoteRef:
+ key: {{ $rr.key | quote }}
+ property: {{ $rr.property | quote }}
+{{- end }}
diff --git a/manifest/jenkins/values.yaml b/manifest/jenkins/values.yaml
index 513e70a..d60a5c0 100644
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
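Review bot: The `target.name` line silently falls back to "jenkins-admin" when controller.admin.existingSecret is empty, so with externalSecret.enabled and the default `existingSecret: ""` the operator writes a Secret under a name the controller does not mount, while the chart still creates its own admin Secret (inferred from the values.yaml comment in this patch; confirm against the chart's secret template). Failing at render time is safer than a quiet mismatch: `name: {{ required "controller.admin.existingSecret must be set when controller.admin.externalSecret.enabled is true" .Values.controller.admin.existingSecret | quote }}`. The same pattern applies to `key: {{ $rr.key | quote }}` and `name: {{ $es.secretStoreRef.name }}`, which render an empty value that only surfaces later in the ExternalSecret's sync status; wrapping both in `required` makes the misconfiguration visible at `helm template` time. A header comment stating that the password never passes through Helm values or `helm template` output, only through the operator's in-cluster template, would also help reviewers of this manifest.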
@@ -96,11 +96,26 @@ controller:
 # The default configuration uses this secret to configure an admin user
 # If you don't need that user or use a different security realm, then you can disable it
- # -- Create secret for admin user
+ # -- Must stay true so the controller mounts the admin Secret; when existingSecret is set, the chart does not create that Secret (supply it yourself or via externalSecret).
 createSecret: true
- # -- The name of an existing secret containing the admin credentials
+ # -- Kubernetes Secret name with keys userKey / passwordKey (created manually, by External Secrets, etc.). Example for Vault: jenkins-admin.
 existingSecret: ""
+
+ # -- HashiCorp Vault → ExternalSecret → target Secret (requires External Secrets Operator + ClusterSecretStore). Helm does not read Vault.
+ externalSecret:
+ enabled: false
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ remoteRef:
+ # Vault KV v2 secret name under the store mount (your UI path: Secrets / kv / jenkins-admin-password)
+ key: jenkins-admin-password
+ # Field name inside that Vault secret (check the Secret tab in the UI)
+ property: password
+ # Must match secretKey below; exposed to the template as .password
+ secretKey: password
 # -- Email address for the administrator of the Jenkins instance
 jenkinsAdminEmail:
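Review bot: The comment `# Must match secretKey below; exposed to the template as .password` sits directly above `secretKey:` itself and describes a constraint the template in this patch already enforces — it reads `$rr.secretKey` for both `data[].secretKey` and the `{{ .<secretKey> }}` reference — while `property` is the Vault field name and does not need to equal it, so the comment misleads as written. Suggest `# Key under which the operator exposes the Vault field to its template (referenced as .<secretKey>); independent of property`. The doc-comment on `existingSecret` should also state that it must be set when `externalSecret.enabled` is true, because the template otherwise defaults the target Secret name to jenkins-admin while the chart, per the `createSecret` comment, still creates its own admin Secret. The enclosing `controller.admin` mapping begins before this hunk.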