Protected harbor with sealed secrets. (#44)

argocd/infra/harbor/README.md

@@ -0,0 +1,11 @@
+# Harbor `Application`
+
+The deployment of `harbor` relies mostly upon the harbor helm chart.
+
+## Admin Credentials Sealed Secret
+
+The harbor admin credentials are provided via a `Secret` that is maintained securely in git as a `SealedSecret`.
+
+This `SealedSecret` is defined as an element with the `parts/`, and is generated via the script `ss-harbor-auth.sh` via the `sealed-secrets-controller` that is running in the live cluster.
+
+The `<rootUser>` and `<rootPassword>` are supplied as positional cmdline arguments (with built-in defaults).

argocd/infra/app-harbor.yaml → argocd/infra/harbor/app-harbor.yaml

@@ -55,7 +55,11 @@ spec:
 
         externalURL: https://harbor.develop.eoepca.org
         # initial password for logging in with user "admin"
-        harborAdminPassword: "changeme"
+        harborAdminPassword:
+          valueFrom:
+            secretKeyRef:
+              name: harbor-auth
+              key: rootPassword
 
         chartmuseum:
           enabled: false

argocd/infra/harbor/kustomization.yaml

@@ -0,0 +1,3 @@
+
+resources:
+  - app-harbor.yaml

argocd/infra/harbor/parts/kustomization.yaml

@@ -0,0 +1,3 @@
+
+resources:
+  - ss-harbor-auth.yaml

argocd/infra/harbor/parts/ss-harbor-auth.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: harbor-auth
+  namespace: infra
+spec:
+  encryptedData:
+    rootPassword: AgCJVuPPZAv0GlCEw0DI5jqc3qdSdNdxRUjtbAs/SThFCfDgOxB68cMNFUjxkQMV4twZpN9lZyVf30SZvvmQ4Fyw9Wnq/D2PR2GtsE9bkLshcZ8CpEr2CL2qocM7r4u7LQodAEzwS7i6XY2FEt1xt6PuJEBpYxo8EJa5M29XQvwBj/AZN/3CL4kQKjN3dsr0hVsZABPkAHdWt+qveYeL7aw2SMSdEGqfHLBpkQZayysoaj40Hi/YLJBkXOZqoLQ9aNUIac3rDdakmA0nPCD1SSM5Opzzw4OLt+5IVTCIL8fFuxksbhAg0MaVATJjYXfLpOIbO7nPSwuT9PdfYTq2BMNq6X27+CeUbV0jcP+3CyJryTX9tH2ddVYRkRo8lDsNtmUq2mIB5aXBfEMaY6S2zfQafNOWGnQq0V4cJHMxkXwxIE8lqPLFfwhHFNaEo88+HfnvXcpoHACRvqSyGx1h+jxeYtcqbGwQjfEyzQgbadvup4CjcmXPATW/El/CbIYeWEzqejc6ufQUtIdfJg4qZby3Mt2QChVVm7Vl75bLg9qjET5Hu3ApcY4W6MglSMxciF1Bp9vUMd/8eGG2J9HOF192J84tlbOsL+5Pd0CCsSKIxOJQIDZh0e9S/OyEzWUVct+GspKgxDD6QasfXoMNBUftiXQo+qIV98cpUZrb2GrW2BoSym5TVyQGdIiq8BAtK9+ERMUqf3suPg==
+    rootUser: AgCRBVYVCczI5BCHspvR1jwlnJ9ffTy432FaqI3OySlueQI6uw0CB2a+3+vWG6XIG1t3Ebx5XViH4gTsqXjz6zPR+NxQ75+uUs9bHcBPZTHDYWm5lB/c4ozYEg3rBktCrL82hxfR9xJhSO8MYR3Z7hlkdFiF5JosjaMS58PXVxhb0Jf2eM8bun8+kH+361gck9zPVQ5aNqTarMJ9ytq8Bqh7KM98Kz5BAX+Tf214gEcsJrZZH5Dww6A1yOBMKDev0A+J23xzmXIpHmTP/JciIuHePy8O6e6a4No+y/s0+Mv5nnZsGxuu59KwpLK+BHAMka8MazG4+v5eh2sMXkZhLascl49ryHH6n4gpUuG/z+pGYQ7tYylgHfzeFCIa1DCfZAzWivj2YOssCQBlLDMO10sYczwABuHFhjGNGGoCF2yxV9E6GZN6oLvYOdfO/SYHxq7YYF2sw8wEMGhkdVHlQxJQfGDPkzVyYezTAlbYMSJv1M6x/Y6Y9Y5DJz8PEyz2EwAxmOwNmnQjmJnv1kD35JHftexdahQ0hwD0rGroQ9F3cLCxoZzwGMX+ba4PvzJ+50qYqMdQjB5TqKgFtzq/9uvDikr1XEDzdfGxb+hxFOCrU6fQhd7vdYeNf2ITCZLROyIEujCFS6Z5qdJohfuYMr56Ikh74UKDJkqL2GkjBrXLUQhEZ+KKwylqlrqLQ9hRCckXyhBavg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: harbor-auth
+      namespace: infra

argocd/infra/harbor/ss-harbor-auth.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+ORIG_DIR="$(pwd)"
+cd "$(dirname "$0")"
+BIN_DIR="$(pwd)"
+
+onExit() {
+  cd "${ORIG_DIR}"
+}
+trap onExit EXIT
+
+# Optional local .env file for secret values as env vars
+source .env 2>/dev/null
+
+SECRET_NAME="harbor-auth"
+NAMESPACE="infra"
+
+ROOT_USER="${1:-${ROOT_USER:-admin}}"
+ROOT_PASSWORD="${2:-${ROOT_PASSWORD:-changeme}}"
+
+secretYaml() {
+  kubectl -n "${NAMESPACE}" create secret generic "${SECRET_NAME}" \
+    --from-literal="rootUser=${ROOT_USER}" \
+    --from-literal="rootPassword=${ROOT_PASSWORD}" \
+    --dry-run=client -o yaml
+}
+
+# Create Secret and then pipe to kubeseal to create the SealedSecret
+secretYaml \
+  | kubeseal -o yaml --controller-name sealed-secrets --controller-namespace infra > parts/ss-${SECRET_NAME}.yaml

argocd/infra/kustomization.yaml

@@ -1,6 +1,6 @@
 
 resources:
   - app-sealed-secrets.yaml
-  - minio
-  - app-harbor.yaml
   - cert-manager
+  - harbor
+  - minio