feat(eso): chart 0.6.0 - ESO subchart + ClusterSecretStore + gitea-archive-pull ExternalSecret

Phase 1 of Item #9 (Tower-stamped Secrets → ESO + OpenBao migration). Replaces Tower's imperative kubectl-stamp of gitea-archive-pull with a declarative ExternalSecret synced from OpenBao at v3/platform/gitea- archive-pull. Other 4 Tower-stamped Secrets (cloudflare, s3-backup, longhorn-s3, docker-mirror-pull) remain on legacy path. Tower must pass externalSecrets.openbao.mountPath as a per-cluster helm parameter (kubernetes-<server-name>) for ESO to activate; chart guards against unset mountPath via {{ if }} in both new templates.
2026-05-07 20:46:22 +03:00
parent f50156d99d
commit 536cb72a72
6 changed files with 120 additions and 2 deletions
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -23,8 +23,8 @@ description: |
      Git).

 type: application
-version: 0.5.7
-appVersion: "0.5.7"
+version: 0.6.0
+appVersion: "0.6.0"

 dependencies:
  - name: cert-manager
@@ -44,3 +44,12 @@ dependencies:
    version: "1.7.2"
    repository: "https://charts.longhorn.io"
    condition: longhorn.enabled
+  # External Secrets Operator — declarative Secret delivery from
+  # OpenBao. Replaces Tower's imperative kubectl-stamp pattern for
+  # gitea-archive-pull (Phase 1 pilot, 2026-05-07). The other 4
+  # Tower-stamped Secrets remain on the legacy path until a planned
+  # follow-up sprint (Item #9 in v3 open queue).
+  - name: external-secrets
+    version: "0.10.7"
+    repository: "https://charts.external-secrets.io"
+    condition: externalSecrets.enabled