fix: move ExternalSecrets into Helm extraObjects

ArgoCD treats manifest/jenkins as Helm app → ignores subdirectory YAML files. Moving ExternalSecrets into values.extraObjects ensures Helm renders + applies them. sync-wave -1 guarantees secrets exist before Jenkins pod mounts them. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 16:25:17 +07:00
parent 738688ab2c
commit f230fd831e
3 changed files with 48 additions and 48 deletions
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
@@ -34,6 +34,54 @@ extraLabels: {}

 # -- Configures extra manifests
 extraObjects:
+  - apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    metadata:
+      name: harbor-credentials
+      namespace: jenkins
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: harbor-credentials
+        creationPolicy: Owner
+      data:
+      - secretKey: username
+        remoteRef:
+          key: jenkins/harbor-credentials
+          property: username
+      - secretKey: password
+        remoteRef:
+          key: jenkins/harbor-credentials
+          property: password
+  - apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    metadata:
+      name: gitea-credentials
+      namespace: jenkins
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: gitea-credentials
+        creationPolicy: Owner
+      data:
+      - secretKey: username
+        remoteRef:
+          key: jenkins/gitea-credentials
+          property: username
+      - secretKey: password
+        remoteRef:
+          key: jenkins/gitea-credentials
+          property: password

 controller:
  # -- Used for label app.kubernetes.io/component