feat: configure External Secrets with Vault backend and enable Jenkins secret synchronization

Remove namespaceOverride value from External Secrets Helm chart configuration in values.yaml.
2026-04-12 22:37:56 +07:00 · 2026-04-12 21:41:30 +07:00
4 changed files with 33 additions and 4 deletions
--- a/manifest/external-secrets/secret-store/secret-store.yaml
+++ b/manifest/external-secrets/secret-store/secret-store.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault-backend
+spec:
+  provider:
+    vault:
+      server: "http://vault.vault.svc.cluster.local:8200"
+      path: "kv"
+      # Version is the Vault KV secret engine version.
+      # This can be either "v1" or "v2", defaults to "v2"
+      version: "v2"
+      auth:
+        # points to a secret that contains a vault token
+        # https://www.vaultproject.io/docs/auth/token
+        tokenSecretRef:
+          name: "vault-token"
+          key: "token"
+          namespace: "external-secrets"
--- a/manifest/external-secrets/secret-store/vault-token-secret.yaml
+++ b/manifest/external-secrets/secret-store/vault-token-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-token
+  namespace: external-secrets # Must match the namespace defined in ClusterSecretStore tokenSecretRef
+type: Opaque
+data:
+  # Base64 encoded vault token. 
+  # You can generate this by running: echo -n "YOUR_VAULT_TOKEN" | base64
+  token: aHZzLmJyUHBpbmZPTlI5RU9BeHpNR0ZIaDBIaA== # placeholder
--- a/manifest/external-secrets/values.yaml
+++ b/manifest/external-secrets/values.yaml
@@ -81,7 +81,7 @@ crds:
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-namespaceOverride: "external-secrets"
+namespaceOverride: ""

 # -- Additional labels added to all helm chart resources.
 commonLabels: {}
--- a/manifest/jenkins/values.yaml
+++ b/manifest/jenkins/values.yaml
@@ -97,17 +97,17 @@ controller:
    # The default configuration uses this secret to configure an admin user
    # If you don't need that user or use a different security realm, then you can disable it
    # -- Must stay true so the controller mounts the admin Secret; when existingSecret is set, the chart does not create that Secret (supply it yourself or via externalSecret).
-    createSecret: true
+    createSecret: false

    # -- If set, chart does not create the admin Secret; you must create it (e.g. kubectl) or use externalSecret (requires ESO CRDs on the cluster).
    existingSecret: ""

    # -- Emits external-secrets.io/v1beta1 ExternalSecret (needs External Secrets Operator installed). Helm cannot talk to Vault without it or another sync mechanism.
    externalSecret:
-      enabled: false
+      enabled: true
      refreshInterval: 1h
      secretStoreRef:
-        name: vault
+        name: vault-backend
        kind: ClusterSecretStore
      remoteRef:
        # Vault KV v2 secret name under the store mount (your UI path: Secrets / kv / jenkins-admin-password)
Author	SHA1	Message	Date
duynguyen	7190c2befe	feat: configure External Secrets with Vault backend and enable Jenkins secret synchronization	2026-04-12 22:37:56 +07:00
duynguyen	bf97781fbc	Remove namespaceOverride value from External Secrets Helm chart configuration in values.yaml.	2026-04-12 21:41:30 +07:00