fix: move ExternalSecrets into Helm extraObjects

ArgoCD treats manifest/jenkins as Helm app → ignores subdirectory YAML files. Moving ExternalSecrets into values.extraObjects ensures Helm renders + applies them. sync-wave -1 guarantees secrets exist before Jenkins pod mounts them. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 16:25:17 +07:00
parent 738688ab2c
commit f230fd831e
3 changed files with 48 additions and 48 deletions
--- a/manifest/jenkins/external-secrets/gitea-credentials.yaml
+++ b/manifest/jenkins/external-secrets/gitea-credentials.yaml
@@ -1,24 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-credentials
-  namespace: jenkins
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: gitea-credentials
-    creationPolicy: Owner
-  data:
-  - secretKey: username
-    remoteRef:
-      key: jenkins/gitea-credentials
-      property: username
-  - secretKey: password
-    remoteRef:
-      key: jenkins/gitea-credentials
-      property: password
--- a/manifest/jenkins/external-secrets/harbor-credentials.yaml
+++ b/manifest/jenkins/external-secrets/harbor-credentials.yaml
@@ -1,24 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: harbor-credentials
-  namespace: jenkins
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: harbor-credentials
-    creationPolicy: Owner
-  data:
-  - secretKey: username
-    remoteRef:
-      key: jenkins/harbor-credentials
-      property: username
-  - secretKey: password
-    remoteRef:
-      key: jenkins/harbor-credentials
-      property: password
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
@@ -34,6 +34,54 @@ extraLabels: {}

 # -- Configures extra manifests
 extraObjects:
+  - apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    metadata:
+      name: harbor-credentials
+      namespace: jenkins
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: harbor-credentials
+        creationPolicy: Owner
+      data:
+      - secretKey: username
+        remoteRef:
+          key: jenkins/harbor-credentials
+          property: username
+      - secretKey: password
+        remoteRef:
+          key: jenkins/harbor-credentials
+          property: password
+  - apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    metadata:
+      name: gitea-credentials
+      namespace: jenkins
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: gitea-credentials
+        creationPolicy: Owner
+      data:
+      - secretKey: username
+        remoteRef:
+          key: jenkins/gitea-credentials
+          property: username
+      - secretKey: password
+        remoteRef:
+          key: jenkins/gitea-credentials
+          property: password

 controller:
  # -- Used for label app.kubernetes.io/component