fix: move ExternalSecrets into Helm extraObjects

ArgoCD treats manifest/jenkins as Helm app → ignores subdirectory
YAML files. Moving ExternalSecrets into values.extraObjects ensures
Helm renders + applies them. sync-wave -1 guarantees secrets exist
before Jenkins pod mounts them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manifest/jenkins/external-secrets/gitea-credentials.yaml

@@ -1,24 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-credentials
-  namespace: jenkins
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: gitea-credentials
-    creationPolicy: Owner
-  data:
-  - secretKey: username
-    remoteRef:
-      key: jenkins/gitea-credentials
-      property: username
-  - secretKey: password
-    remoteRef:
-      key: jenkins/gitea-credentials
-      property: password

manifest/jenkins/external-secrets/harbor-credentials.yaml

@@ -1,24 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: harbor-credentials
-  namespace: jenkins
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: vault-backend
-    kind: ClusterSecretStore
-  target:
-    name: harbor-credentials
-    creationPolicy: Owner
-  data:
-  - secretKey: username
-    remoteRef:
-      key: jenkins/harbor-credentials
-      property: username
-  - secretKey: password
-    remoteRef:
-      key: jenkins/harbor-credentials
-      property: password

manifest/jenkins/values.yaml

@@ -34,6 +34,54 @@ extraLabels: {}
 
 # -- Configures extra manifests
 extraObjects:
+  - apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    metadata:
+      name: harbor-credentials
+      namespace: jenkins
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: harbor-credentials
+        creationPolicy: Owner
+      data:
+      - secretKey: username
+        remoteRef:
+          key: jenkins/harbor-credentials
+          property: username
+      - secretKey: password
+        remoteRef:
+          key: jenkins/harbor-credentials
+          property: password
+  - apiVersion: external-secrets.io/v1
+    kind: ExternalSecret
+    metadata:
+      name: gitea-credentials
+      namespace: jenkins
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: vault-backend
+        kind: ClusterSecretStore
+      target:
+        name: gitea-credentials
+        creationPolicy: Owner
+      data:
+      - secretKey: username
+        remoteRef:
+          key: jenkins/gitea-credentials
+          property: username
+      - secretKey: password
+        remoteRef:
+          key: jenkins/gitea-credentials
+          property: password
 
 controller:
   # -- Used for label app.kubernetes.io/component