Add external secret configuration for Jenkins admin credentials in values.yaml and create ExternalSecret template for Vault integration.
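--- /dev/null
+++ b/manifest/jenkins/templates/jenkins-admin-externalsecret.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.controller.admin.externalSecret.enabled }}
+{{- $es := .Values.controller.admin.externalSecret }}
+{{- $rr := $es.remoteRef | default dict }}
+{{- $sk := $rr.secretKey | default "password" }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: {{ include "jenkins.fullname" . }}-admin-vault
+namespace: {{ template "jenkins.namespace" . }}
+labels:
+{{- include "jenkins.labels" . | nindent 4 }}
+spec:
+refreshInterval: {{ $es.refreshInterval | default "1h" | quote }}
+secretStoreRef:
+name: {{ $es.secretStoreRef.name }}
+kind: {{ $es.secretStoreRef.kind | default "ClusterSecretStore" }}
+target:
+name: {{ .Values.controller.admin.existingSecret | default "jenkins-admin" | quote }}
+creationPolicy: Owner
+template:
+engineVersion: v2
+mergePolicy: Replace
+data:
+{{ .Values.controller.admin.userKey | default "jenkins-admin-user" | quote }}: {{ .Values.controller.admin.username | default "admin" | quote }}
+{{ .Values.controller.admin.passwordKey | default "jenkins-admin-password" | quote }}: {{ printf "{{ .%s }}" $sk | quote }}
+data:
+- secretKey: {{ $sk | quote }}
+remoteRef:
+key: {{ $rr.key | quote }}
+property: {{ $rr.property | quote }}
+{{- end }}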
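Review bot: The synced Secret can end up unused: `target.name` falls back to `"jenkins-admin"` when `controller.admin.existingSecret` is empty, yet an empty `existingSecret` also means the controller mounts whatever admin Secret the chart's own template produces (normally one named after the release), so with `externalSecret.enabled: true` and no `existingSecret` the Vault password lands in a Secret nothing reads while the chart still generates its own credentials. The chart's secret-name helper is outside this diff so that is inferred, but deriving the target from the same helper or failing fast removes the silent mismatch, e.g. `name: {{ required "controller.admin.existingSecret must be set when externalSecret.enabled is true" .Values.controller.admin.existingSecret | quote }}`. The same fail-fast treatment suits `secretStoreRef.name` and `remoteRef.key`, which today render as a nil-pointer template error or an empty `key: ""` rather than a clear message (`name: {{ required "externalSecret.secretStoreRef.name is required" $es.secretStoreRef.name }}`). Also worth a comment above `creationPolicy: Owner`: the operator garbage-collects the target Secret together with this ExternalSecret, so flipping `enabled` back to false deletes the admin credentials while the controller still mounts them, e.g. `# Owner: the target Secret is deleted with this ExternalSecret; disabling externalSecret.enabled removes the admin Secret`. Indentation is not visible in this rendering, so the nesting of `name`/`kind` under `secretStoreRef` and of the two `data` keys could not be checked here.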
@@ -96,11 +96,26 @@ controller:
|
|||||||
|
|
||||||
# The default configuration uses this secret to configure an admin user
|
# The default configuration uses this secret to configure an admin user
|
||||||
# If you don't need that user or use a different security realm, then you can disable it
|
# If you don't need that user or use a different security realm, then you can disable it
|
||||||
# -- Create secret for admin user
|
# -- Must stay true so the controller mounts the admin Secret; when existingSecret is set, the chart does not create that Secret (supply it yourself or via externalSecret).
|
||||||
createSecret: true
|
createSecret: true
|
||||||
|
|
||||||
# -- The name of an existing secret containing the admin credentials
|
# -- Kubernetes Secret name with keys userKey / passwordKey (created manually, by External Secrets, etc.). Example for Vault: jenkins-admin.
|
||||||
existingSecret: ""
|
existingSecret: ""
|
||||||
|
|
||||||
|
# -- HashiCorp Vault → ExternalSecret → target Secret (requires External Secrets Operator + ClusterSecretStore). Helm does not read Vault.
|
||||||
|
externalSecret:
|
||||||
|
enabled: false
|
||||||
|
refreshInterval: 1h
|
||||||
|
secretStoreRef:
|
||||||
|
name: vault
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
remoteRef:
|
||||||
|
# Vault KV v2 secret name under the store mount (your UI path: Secrets / kv / jenkins-admin-password)
|
||||||
|
key: jenkins-admin-password
|
||||||
|
# Field name inside that Vault secret (check the Secret tab in the UI)
|
||||||
|
property: password
|
||||||
|
# Must match secretKey below; exposed to the template as .password
|
||||||
|
secretKey: password
|
||||||
# -- Email address for the administrator of the Jenkins instance
|
# -- Email address for the administrator of the Jenkins instance
|
||||||
jenkinsAdminEmail:
|
jenkinsAdminEmail:
|
||||||
|
|
||||||
|
|||||||