Update k8s manifests

2026-03-10 23:43:16 +08:00 · 2026-03-10 23:43:16 +08:00 · f2d7f02ca1
commit f2d7f02ca1
parent 94ac489c21
3 changed files with 42 additions and 0 deletions
--- a/k8s/infrastructure/harbor/helmrelease.yaml
+++ b/k8s/infrastructure/harbor/helmrelease.yaml
@ -60,5 +60,19 @@ spec:
    redis:
      type: internal
    existingSecretSecretKey: harbor-secret-key
+    core:
+      configureUserSettings: |
+        {
+          "auth_mode": "oidc_auth",
+          "oidc_name": "Keycloak",
+          "oidc_endpoint": "https://keycloak.n0ball.tw/realms/homelab",
+          "oidc_client_id": "harbor",
+          "oidc_client_secret": "3YuRQxgMI3j0CG/Gb95c2AvksYD8dOCV",
+          "oidc_groups_claim": "groups",
+          "oidc_scope": "openid,profile,email,groups",
+          "oidc_auto_onboard": true,
+          "oidc_admin_group": "harbor-admins",
+          "self_registration": false
+        }
    trivy:
      enabled: true
--- a/k8s/infrastructure/sops/harbor-oidc-secret.yaml
+++ b/k8s/infrastructure/sops/harbor-oidc-secret.yaml
@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: harbor-oidc-secret
+    namespace: harbor
+stringData:
+    OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:k3VLmTOyFwX/kPmCGNyYmr4BWcONaOB1MwP4eProFdU=,iv:BY/dWLF3gwhA+ejbuc11Wnq6ZYoJChgmUnRI+pS84Fk=,tag:ITGGmvfNNUTOMmzc4/u1xQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZEZsTXJNdW1WcW9zYXUx
+            cWlSNVdKM3QrMk50Rmo4WlNCVVA1SXViQ0dvCjlMQXJqc1E4TVlieDB4M09kd2RF
+            bTlUZ3pLcXZWSlBCUXY2R0o2MFVlQ3MKLS0tIDh2WkZLNE9ydS9XdTA1TlNOS3Nj
+            emM5R1dhalVKM1lHMU1CY2hFcEhSRWMKP/w144h4aXdDg2MKTs3oqJfWNaGhS6yc
+            kltiq64WKts2xxVqko9M7hRmWKGye1EPObu8JTT2h4Pu6Gmsew+/XQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-10T15:15:40Z"
+    mac: ENC[AES256_GCM,data:/iMQtm2l7ktzERpTeeShLZzu7gnA73WUE+3X1N3YIrBH2qrhfEOZSgwNWMly6RQmYccze7+8AK90v8hHjFaTJZM1VXzDFRinHVZH6FXkONX+stHRmtexJQHdmHiaSu/NHN02RGgIQxi8yL5gMUVuenbr29QmgDdC4fjKzyWbWNg=,iv:M2B3QDKQaPd3VZhRuEqY/t06UXGi++n7vJxtmU5N64M=,tag:+0RnnleQ3x+DsR8bs0eD9Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.4
--- a/k8s/infrastructure/sops/kustomization.yaml
+++ b/k8s/infrastructure/sops/kustomization.yaml
@ -15,3 +15,4 @@ resources:
  - harbor-admin-secret.yaml
  - harbor-db-secret.yaml
  - harbor-secret-key.yaml
+  - harbor-oidc-secret.yaml