Protected harbor with sealed secrets.

argocd/infra/harbor/README.md

@@ -0,0 +1,11 @@
+# Harbor `Application`
+
+The deployment of `harbor` relies mostly upon the harbor helm chart.
+
+## Admin Credentials Sealed Secret
+
+The harbor admin credentials are provided via a `Secret` that is maintained securely in git as a `SealedSecret`.
+
+This `SealedSecret` is defined as an element with the `parts/`, and is generated via the script `ss-harbor-auth.sh` via the `sealed-secrets-controller` that is running in the live cluster.
+
+The `<rootUser>` and `<rootPassword>` are supplied as positional cmdline arguments (with built-in defaults).

argocd/infra/harbor/kustomization.yaml

@@ -0,0 +1,3 @@
+
+resources:
+  - app-harbor.yaml

argocd/infra/harbor/parts/kustomization.yaml

@@ -0,0 +1,3 @@
+
+resources:
+  - ss-harbor-auth.yaml

argocd/infra/harbor/parts/ss-harbor-auth.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: harbor-auth
+  namespace: infra
+spec:
+  encryptedData:
+    rootPassword: AgCtSw9RdovqoEc2tYSSG7gKNu9w/kdqp0RnAdTp5I0iPI+/wGIX7ILcKKQ4qXjHUJSEXHasS4YXnVIC6EnQI/xllm8L4bwtStt0hx7K4ufP1UoUpOGoY5YMCz5ytMxdbW1D8jp82N5PCFtp3Th4tl1bQhgK/df29IABJWHAMlYknI0w8VLdJ2B72sw0G1qWomi3WxAEJiaoD79YHGUSu+/r494ir9tjqBq8U2yowt/75Jrl1Bzcsf8aYoGMHPzxpOa8y/L5QziDav5UVTSdDtqLtno6T8WIFfWcJlP2EXOfzxOnFxSEYxWNyF69Ywhd8kgpCXqIyS766jbdUg0NG/f/OYvN6IMPBNe9EvnvuVLmdTxXsISfT33A6g2KHPY+xkTAgmYxXEVJOk7a8FlZr1Y5AYv5qrzJQaaC0ynCn/Lcb6VtmhUoeneMUnLTR1LJe9tRTZf7fQ/xd0VAjEr1aoBj5jxrd7BKX22h55gAmJ8eaaB/N0a2khG4aap1qtppxhcXnw9ut9MeXh9SMfCL8XTyWdlVADTmuYSMOvi5cbCZDZH34ZdhcErhPGZqgiT9Yt2+oSkT/0AAI9dMzYj6nwI+du3QF+AXSkzWuFl2RA2P2Ld9fpXs5ettkRinQ0Zi7muY2EClVoRvsuZy64+GYVNKaH36Lq0OgcXwQdrnOnSclVm+3eMr8HNlbS8NXB/arB6K1P6Bu+huzg==
+    rootUser: AgAu/bgZzfIJWGmlOZyNuCBhCxZH5YF56sT3Tu6GoXCDcsZVHBOzHrXY+KA7bcAkW5+rEZXKQwAb5vhERLfGnRIU84Cd6+HCu5YedR86pKW8q4SBB6M8+wjNQVt1Th1zt3YzTdbeUc1DIweyJg8NXf7xms0lTFe/IriiD4Mags5jc3q2gG0ycLtWtJU20PdsdoYIsZJPDw/tH8vvmByiqEZQl9ZEZpjxRtPGer+NvnGBTcc6tYvUjymToHqevqJ34Axc8oybR1kInXubpJZgf0DN9nX0xPrYGWArs+cp7MKkPkCepyUS9oObpVIrc/AttdCI3/xU7hBtffiM1PgHNLi9CUSGJm0ej52hjvWzLrUZwh/koO3I/awSF4b4bLGQTRHAUZ5D6eJx4Iml4wM9gT8RnA6yoJpPhcgtblO/Ky22EZWXREK2SHmtaTDakOErfQRL/j3CSjoVipfOuxFEY0yhGVipQLnLjVivzlcFI3c5cb0LGMWAgbL5RwPeKGKEYWywizhskxPJeZsR6GNDQaM/mEmIKMYSeP6Bt1uoCVMVyqoBQGZ7/im6Ojcas6R6Rt1NNOR01+YuxZhX1sYDalg90xwwtLNrUK7zWJugvyeQMNn4FeJYtQa6ztrLk6GOdprEjQ6flU75umPtvnS028HPJoN/r1DtuvZnvhfuqvuI/EvV1vTFNZwxbeoT3fpewE3k4FuzloM=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: harbor-auth
+      namespace: infra

argocd/infra/harbor/ss-harbor-auth.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+ORIG_DIR="$(pwd)"
+cd "$(dirname "$0")"
+BIN_DIR="$(pwd)"
+
+onExit() {
+  cd "${ORIG_DIR}"
+}
+trap onExit EXIT
+
+# Optional local .env file for secret values as env vars
+source .env 2>/dev/null
+
+SECRET_NAME="harbor-auth"
+NAMESPACE="infra"
+
+ROOT_USER="${1:-${ROOT_USER:-admin}}"
+ROOT_PASSWORD="${2:-${ROOT_PASSWORD:-changeme}}"
+
+secretYaml() {
+  kubectl -n "${NAMESPACE}" create secret generic "${SECRET_NAME}" \
+    --from-literal="rootUser=${ROOT_USER}" \
+    --from-literal="rootPassword=${ROOT_PASSWORD}" \
+    --dry-run=client -o yaml
+}
+
+# Create Secret and then pipe to kubeseal to create the SealedSecret
+secretYaml \
+  | kubeseal -o yaml --controller-name sealed-secrets --controller-namespace infra > parts/ss-${SECRET_NAME}.yaml

argocd/infra/kustomization.yaml

@@ -1,6 +1,6 @@
 
 resources:
   - app-sealed-secrets.yaml
-  - minio
-  - app-harbor.yaml
   - cert-manager
+  - harbor
+  - minio