Add harbor secrets.

2026-04-26 09:11:35 -04:00
parent f981e119e5
commit 1c2adb54ac
2 changed files with 43 additions and 4 deletions
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -60,6 +60,12 @@ let
        group = "26";
        mode = "0777";
      }
+      {
+        path = "manual-pv/harbor-psql";
+        owner = "26";
+        group = "26";
+        mode = "0755";
+      }
      # {
      #   path = "manual-pv/gitea";
      #   owner = "1000";
--- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
@@ -44,6 +44,21 @@ let
          };
          "oauth2-env" = oauth2_env { dex_id = "gitea"; };
        };
+        "harbor" = {
+          "harbor-config" = {
+            "config.json" = helm_json_escape harbor_config_json;
+          };
+          "dockerhub-auth-config" = {
+            "basic_auth.include" = (
+              builtins.readFile "${./secrets/harbor/dockerhub-auth-config/basic_auth.include}"
+            );
+          };
+          "harbor-admin-password" = {
+            "HARBOR_ADMIN_PASSWORD" = (
+              builtins.readFile "${./secrets/harbor/harbor-admin-password/HARBOR_ADMIN_PASSWORD}"
+            );
+          };
+        };
      };
  encrypted_secrets = (
    builtins.mapAttrs (
@@ -86,8 +101,14 @@ let
        dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
      ''
    );
+  helm_json_escape = json: builtins.toJSON json;

  ## dex
+  get_dex_config =
+    client_id:
+    (builtins.head (
+      builtins.filter (static_client: static_client.id == client_id) dex_config.staticClients
+    ));
  dex_static_client =
    {
      id,
@@ -156,12 +177,24 @@ let
  oauth2_env =
    { dex_id }:
    {
-      "OAUTH2_PROXY_CLIENT_SECRET" =
-        (builtins.head (
-          builtins.filter (static_client: static_client.id == dex_id) dex_config.staticClients
-        )).secret;
+      "OAUTH2_PROXY_CLIENT_SECRET" = (get_dex_config dex_id).secret;
      "OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}";
    };
+
+  ## harbor
+  harbor_dex_config = get_dex_config "harbor";
+  harbor_config = {
+    "auth_mode" = "oidc_auth";
+    "self_registration" = "false";
+    "oidc_name" = "harbor";
+    "oidc_endpoint" = "https://dex.fizz.buzz";
+    "oidc_client_id" = harbor_dex_config.id;
+    "oidc_client_secret" = harbor_dex_config.secret;
+    "oidc_admin_group" = "TODO";
+    "oidc_scope" = "openid,profile,email,offline_access,groups";
+  };
+  # harbor_config_json = pkgs.writeText "config.json" (builtins.toJSON harbor_config);
+  harbor_config_json = builtins.toJSON harbor_config;
 in
 symlinkJoin {
  name = "in-repo-secrets";