From f2d7f02ca13087c1dc51095628746b6c7a969d7f Mon Sep 17 00:00:00 2001
From: ansible
Date: Tue, 10 Mar 2026 23:43:16 +0800
Subject: [PATCH] Update k8s manifests
---
 k8s/infrastructure/harbor/helmrelease.yaml | 14 ++++++++++
 .../sops/harbor-oidc-secret.yaml | 27 +++++++++++++++++++
 k8s/infrastructure/sops/kustomization.yaml | 1 +
 3 files changed, 42 insertions(+)
 create mode 100644 k8s/infrastructure/sops/harbor-oidc-secret.yaml
diff --git a/k8s/infrastructure/harbor/helmrelease.yaml b/k8s/infrastructure/harbor/helmrelease.yaml
index 3dd6e24..3aa91fa 100644
--- a/k8s/infrastructure/harbor/helmrelease.yaml
+++ b/k8s/infrastructure/harbor/helmrelease.yaml
@@ -60,5 +60,19 @@ spec:
 redis:
 type: internal
 existingSecretSecretKey: harbor-secret-key
+ core:
+ configureUserSettings: |
+ {
+ "auth_mode": "oidc_auth",
+ "oidc_name": "Keycloak",
+ "oidc_endpoint": "https://keycloak.n0ball.tw/realms/homelab",
+ "oidc_client_id": "harbor",
+ "oidc_client_secret": "3YuRQxgMI3j0CG/Gb95c2AvksYD8dOCV",
+ "oidc_groups_claim": "groups",
+ "oidc_scope": "openid,profile,email,groups",
+ "oidc_auto_onboard": true,
+ "oidc_admin_group": "harbor-admins",
+ "self_registration": false
+ }
 trivy:
 enabled: true
diff --git a/k8s/infrastructure/sops/harbor-oidc-secret.yaml b/k8s/infrastructure/sops/harbor-oidc-secret.yaml
new file mode 100644
index 0000000..5f435f1
--- /dev/null
+++ b/k8s/infrastructure/sops/harbor-oidc-secret.yaml
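Review bot: The added `core.configureUserSettings` block puts `oidc_client_secret` in cleartext in helmrelease.yaml, which defeats the SOPS-encrypted `harbor-oidc-secret` (key `OIDC_CLIENT_SECRET`) that this same patch adds in k8s/infrastructure/sops/harbor-oidc-secret.yaml; nothing in the visible hunks references that Secret. Because the value is now in Git history, deleting the line is not enough: the `harbor` client secret should be rotated in Keycloak and the SOPS file re-encrypted with the new value. To keep it out of the manifest, move the whole `core.configureUserSettings` fragment into a SOPS-encrypted Secret under a `values.yaml` key and load it through `spec.valuesFrom` (`kind: Secret`, `name: harbor-oidc-secret`), assuming this is a Flux HelmRelease living in the `harbor` namespace. The enclosing `spec:` mapping starts and ends outside the hunk and the collapsed indentation hides the exact nesting, so confirm the values path before moving it.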
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: harbor-oidc-secret
+ namespace: harbor
+stringData:
+ OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:k3VLmTOyFwX/kPmCGNyYmr4BWcONaOB1MwP4eProFdU=,iv:BY/dWLF3gwhA+ejbuc11Wnq6ZYoJChgmUnRI+pS84Fk=,tag:ITGGmvfNNUTOMmzc4/u1xQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZEZsTXJNdW1WcW9zYXUx
+ cWlSNVdKM3QrMk50Rmo4WlNCVVA1SXViQ0dvCjlMQXJqc1E4TVlieDB4M09kd2RF
+ bTlUZ3pLcXZWSlBCUXY2R0o2MFVlQ3MKLS0tIDh2WkZLNE9ydS9XdTA1TlNOS3Nj
+ emM5R1dhalVKM1lHMU1CY2hFcEhSRWMKP/w144h4aXdDg2MKTs3oqJfWNaGhS6yc
+ kltiq64WKts2xxVqko9M7hRmWKGye1EPObu8JTT2h4Pu6Gmsew+/XQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-10T15:15:40Z"
+ mac: ENC[AES256_GCM,data:/iMQtm2l7ktzERpTeeShLZzu7gnA73WUE+3X1N3YIrBH2qrhfEOZSgwNWMly6RQmYccze7+8AK90v8hHjFaTJZM1VXzDFRinHVZH6FXkONX+stHRmtexJQHdmHiaSu/NHN02RGgIQxi8yL5gMUVuenbr29QmgDdC4fjKzyWbWNg=,iv:M2B3QDKQaPd3VZhRuEqY/t06UXGi++n7vJxtmU5N64M=,tag:+0RnnleQ3x+DsR8bs0eD9Q==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/k8s/infrastructure/sops/kustomization.yaml b/k8s/infrastructure/sops/kustomization.yaml
index 2fb16f3..fc02bee 100644
--- a/k8s/infrastructure/sops/kustomization.yaml
+++ b/k8s/infrastructure/sops/kustomization.yaml
@@ -15,3 +15,4 @@ resources:
 - harbor-admin-secret.yaml
 - harbor-db-secret.yaml
 - harbor-secret-key.yaml
+ - harbor-oidc-secret.yaml