diff --git a/argocd/infra/harbor/README.md b/argocd/infra/harbor/README.md
new file mode 100644
index 0000000..4de20b8
--- /dev/null
+++ b/argocd/infra/harbor/README.md
@@ -0,0 +1,11 @@
+# Harbor `Application`
+
+The deployment of `harbor` relies mostly upon the harbor helm chart.
+
+## Admin Credentials Sealed Secret
+
+The harbor admin credentials are provided via a `Secret` that is maintained securely in git as a `SealedSecret`.
+
+This `SealedSecret` is defined as an element with the `parts/`, and is generated via the script `ss-harbor-auth.sh` via the `sealed-secrets-controller` that is running in the live cluster.
+
+The `` and `` are supplied as positional cmdline arguments (with built-in defaults).
diff --git a/argocd/infra/app-harbor.yaml b/argocd/infra/harbor/app-harbor.yaml
similarity index 100%
rename from argocd/infra/app-harbor.yaml
rename to argocd/infra/harbor/app-harbor.yaml
diff --git a/argocd/infra/harbor/kustomization.yaml b/argocd/infra/harbor/kustomization.yaml
new file mode 100644
index 0000000..58648d7
--- /dev/null
+++ b/argocd/infra/harbor/kustomization.yaml
@@ -0,0 +1,3 @@
+
+resources:
+ - app-harbor.yaml
diff --git a/argocd/infra/harbor/parts/kustomization.yaml b/argocd/infra/harbor/parts/kustomization.yaml
new file mode 100644
index 0000000..473bce8
--- /dev/null
+++ b/argocd/infra/harbor/parts/kustomization.yaml
@@ -0,0 +1,3 @@
+
+resources:
+ - ss-harbor-auth.yaml
diff --git a/argocd/infra/harbor/parts/ss-harbor-auth.yaml b/argocd/infra/harbor/parts/ss-harbor-auth.yaml
new file mode 100644
index 0000000..8bca75f
--- /dev/null
+++ b/argocd/infra/harbor/parts/ss-harbor-auth.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: harbor-auth
+ namespace: infra
+spec:
+ encryptedData:
+ rootPassword: 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
+ rootUser: AgAu/bgZzfIJWGmlOZyNuCBhCxZH5YF56sT3Tu6GoXCDcsZVHBOzHrXY+KA7bcAkW5+rEZXKQwAb5vhERLfGnRIU84Cd6+HCu5YedR86pKW8q4SBB6M8+wjNQVt1Th1zt3YzTdbeUc1DIweyJg8NXf7xms0lTFe/IriiD4Mags5jc3q2gG0ycLtWtJU20PdsdoYIsZJPDw/tH8vvmByiqEZQl9ZEZpjxRtPGer+NvnGBTcc6tYvUjymToHqevqJ34Axc8oybR1kInXubpJZgf0DN9nX0xPrYGWArs+cp7MKkPkCepyUS9oObpVIrc/AttdCI3/xU7hBtffiM1PgHNLi9CUSGJm0ej52hjvWzLrUZwh/koO3I/awSF4b4bLGQTRHAUZ5D6eJx4Iml4wM9gT8RnA6yoJpPhcgtblO/Ky22EZWXREK2SHmtaTDakOErfQRL/j3CSjoVipfOuxFEY0yhGVipQLnLjVivzlcFI3c5cb0LGMWAgbL5RwPeKGKEYWywizhskxPJeZsR6GNDQaM/mEmIKMYSeP6Bt1uoCVMVyqoBQGZ7/im6Ojcas6R6Rt1NNOR01+YuxZhX1sYDalg90xwwtLNrUK7zWJugvyeQMNn4FeJYtQa6ztrLk6GOdprEjQ6flU75umPtvnS028HPJoN/r1DtuvZnvhfuqvuI/EvV1vTFNZwxbeoT3fpewE3k4FuzloM=
+ template:
+ metadata:
+ creationTimestamp: null
+ name: harbor-auth
+ namespace: infra
diff --git a/argocd/infra/harbor/ss-harbor-auth.sh b/argocd/infra/harbor/ss-harbor-auth.sh
new file mode 100755
index 0000000..dcc2671
--- /dev/null
+++ b/argocd/infra/harbor/ss-harbor-auth.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+ORIG_DIR="$(pwd)"
+cd "$(dirname "$0")"
+BIN_DIR="$(pwd)"
+
+onExit() {
+ cd "${ORIG_DIR}"
+}
+trap onExit EXIT
+
+# Optional local .env file for secret values as env vars
+source .env 2>/dev/null
+
+SECRET_NAME="harbor-auth"
+NAMESPACE="infra"
+
+ROOT_USER="${1:-${ROOT_USER:-admin}}"
+ROOT_PASSWORD="${2:-${ROOT_PASSWORD:-changeme}}"
+
+secretYaml() {
+ kubectl -n "${NAMESPACE}" create secret generic "${SECRET_NAME}" \
+ --from-literal="rootUser=${ROOT_USER}" \
+ --from-literal="rootPassword=${ROOT_PASSWORD}" \
+ --dry-run=client -o yaml
+}
+
+# Create Secret and then pipe to kubeseal to create the SealedSecret
+secretYaml \
+ | kubeseal -o yaml --controller-name sealed-secrets --controller-namespace infra > parts/ss-${SECRET_NAME}.yaml
diff --git a/argocd/infra/kustomization.yaml b/argocd/infra/kustomization.yaml
index 7ae7383..676fb4d 100644
--- a/argocd/infra/kustomization.yaml
+++ b/argocd/infra/kustomization.yaml
@@ -1,6 +1,6 @@
 resources:
 - app-sealed-secrets.yaml
- - minio
- - app-harbor.yaml
 - cert-manager
+ - harbor
+ - minio
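Review bot: The final pipeline redirects straight into `parts/ss-${SECRET_NAME}.yaml` and the script never enables `set -euo pipefail`, so if `kubectl` or `kubeseal` fails (controller unreachable, wrong kube context) the redirect has already truncated the committed manifest and an empty or partial file is left in place for the next commit; a failing `kubectl` inside the pipe is also not surfaced at all. Add `set -euo pipefail` after the shebang and seal into a temporary path first, e.g. `> "parts/ss-${SECRET_NAME}.yaml.tmp" && mv "parts/ss-${SECRET_NAME}.yaml.tmp" "parts/ss-${SECRET_NAME}.yaml"`. The `changeme` fallback on the `ROOT_PASSWORD=` line means a run with no arguments and no `.env` silently seals a well-known default into git; `ROOT_PASSWORD="${2:-${ROOT_PASSWORD:?ROOT_PASSWORD not set}}"` turns that into a hard error instead. Passing the password as `$2` also leaves it in shell history and exposes it in `ps` output through the `--from-literal` argument, so the `.env` route should be the documented one. `BIN_DIR` is assigned but never used.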