From f230fd831e3ccd562a6ac204143b493522255c18 Mon Sep 17 00:00:00 2001
From: duynguyen
Date: Wed, 22 Apr 2026 16:25:17 +0700
Subject: [PATCH] fix: move ExternalSecrets into Helm extraObjects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ArgoCD treats manifest/jenkins as Helm app → ignores subdirectory YAML files. Moving ExternalSecrets into values.extraObjects ensures Helm renders + applies them. sync-wave -1 guarantees secrets exist before Jenkins pod mounts them.
Co-Authored-By: Claude Sonnet 4.6
---
 .../external-secrets/gitea-credentials.yaml | 24 ----------
 .../external-secrets/harbor-credentials.yaml | 24 ----------
 manifest/jenkins/values.yaml | 48 +++++++++++++++++++
 3 files changed, 48 insertions(+), 48 deletions(-)
 delete mode 100644 manifest/jenkins/external-secrets/gitea-credentials.yaml
 delete mode 100644 manifest/jenkins/external-secrets/harbor-credentials.yaml
diff --git a/manifest/jenkins/external-secrets/gitea-credentials.yaml b/manifest/jenkins/external-secrets/gitea-credentials.yaml
deleted file mode 100644
index 38a3ca4..0000000
--- a/manifest/jenkins/external-secrets/gitea-credentials.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: gitea-credentials
- namespace: jenkins
- annotations:
- argocd.argoproj.io/sync-wave: "-1"
-spec:
- refreshInterval: 1h
- secretStoreRef:
- name: vault-backend
- kind: ClusterSecretStore
- target:
- name: gitea-credentials
- creationPolicy: Owner
- data:
- - secretKey: username
- remoteRef:
- key: jenkins/gitea-credentials
- property: username
- - secretKey: password
- remoteRef:
- key: jenkins/gitea-credentials
- property: password
diff --git a/manifest/jenkins/external-secrets/harbor-credentials.yaml b/manifest/jenkins/external-secrets/harbor-credentials.yaml
deleted file mode 100644
index 1b2cd40..0000000
--- a/manifest/jenkins/external-secrets/harbor-credentials.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: harbor-credentials
- namespace: jenkins
- annotations:
- argocd.argoproj.io/sync-wave: "-1"
-spec:
- refreshInterval: 1h
- secretStoreRef:
- name: vault-backend
- kind: ClusterSecretStore
- target:
- name: harbor-credentials
- creationPolicy: Owner
- data:
- - secretKey: username
- remoteRef:
- key: jenkins/harbor-credentials
- property: username
- - secretKey: password
- remoteRef:
- key: jenkins/harbor-credentials
- property: password
diff --git a/manifest/jenkins/values.yaml b/manifest/jenkins/values.yaml
index 8c560fc..8c22242 100644
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
@@ -34,6 +34,54 @@ extraLabels: {}
 # -- Configures extra manifests
 extraObjects:
+ - apiVersion: external-secrets.io/v1
+ kind: ExternalSecret
+ metadata:
+ name: harbor-credentials
+ namespace: jenkins
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: harbor-credentials
+ creationPolicy: Owner
+ data:
+ - secretKey: username
+ remoteRef:
+ key: jenkins/harbor-credentials
+ property: username
+ - secretKey: password
+ remoteRef:
+ key: jenkins/harbor-credentials
+ property: password
+ - apiVersion: external-secrets.io/v1
+ kind: ExternalSecret
+ metadata:
+ name: gitea-credentials
+ namespace: jenkins
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: gitea-credentials
+ creationPolicy: Owner
+ data:
+ - secretKey: username
+ remoteRef:
+ key: jenkins/gitea-credentials
+ property: username
+ - secretKey: password
+ remoteRef:
+ key: jenkins/gitea-credentials
+ property: password
 controller:
 # -- Used for label app.kubernetes.io/component
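Review bot: The `argocd.argoproj.io/sync-wave: "-1"` annotation on the two new `extraObjects` entries orders the ExternalSecret resources themselves, not the Secrets they produce, so the ordering the commit message relies on holds only if Argo CD waits for each ExternalSecret to report healthy before starting wave 0. That is worth confirming for the Argo CD version in use and recording above the entries, e.g. `# wave -1: ExternalSecret must be Ready (Secret synced from Vault) before the controller pod starts`. Both entries also hard-code `namespace: jenkins`, which has to match the release namespace for the controller to mount the resulting Secrets; either add a comment saying so or drop the field so the Application's destination namespace applies. The `vault-backend` ClusterSecretStore is not visible in this hunk, so it should be checked separately that its Vault policy is limited to the `jenkins/` paths these entries read.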