From 5e161fca8a3a89bd761199064afd908d96217071 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Wed, 7 Jan 2026 14:28:58 +0900
Subject: [PATCH] FEAT(external-secrets): add ClusterExternalSecret for Zot

- Add zot-registry-credentials ClusterExternalSecret
- Auto-create dockerconfigjson in labeled namespaces
- API version v1 (v1beta1 deprecated)

---
 external-secrets/argocd.yaml | 3 ++
 .../{ => manifests}/kustomization.yaml | 3 +-
 .../manifests/zot-cluster-secret.yaml | 31 +++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
 rename external-secrets/{ => manifests}/kustomization.yaml (62%)
 create mode 100644 external-secrets/manifests/zot-cluster-secret.yaml

diff --git a/external-secrets/argocd.yaml b/external-secrets/argocd.yaml
index d7665c6..6bea50d 100644
--- a/external-secrets/argocd.yaml
+++ b/external-secrets/argocd.yaml
@@ -24,6 +24,9 @@ spec:
 - repoURL: https://github.com/K3S-HOME/security.git
 targetRevision: main
 ref: values
+ - repoURL: https://github.com/K3S-HOME/security.git
+ targetRevision: main
+ path: external-secrets/manifests
 destination:
 server: https://kubernetes.default.svc
 namespace: external-secrets
diff --git a/external-secrets/kustomization.yaml b/external-secrets/manifests/kustomization.yaml
similarity index 62%
rename from external-secrets/kustomization.yaml
rename to external-secrets/manifests/kustomization.yaml
index b83b23e..8d5d47a 100644
--- a/external-secrets/kustomization.yaml
+++ b/external-secrets/manifests/kustomization.yaml
@@ -1,3 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+ - zot-cluster-secret.yaml
diff --git a/external-secrets/manifests/zot-cluster-secret.yaml b/external-secrets/manifests/zot-cluster-secret.yaml
new file mode 100644
index 0000000..2f16587
--- /dev/null
+++ b/external-secrets/manifests/zot-cluster-secret.yaml
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterExternalSecret
+metadata:
+ name: zot-registry-credentials
+spec:
+ externalSecretName: zot-registry-credentials
+ namespaceSelector:
+ matchLabels:
+ zot-registry: enabled
+ refreshTime: 1h
+ externalSecretSpec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: zot-registry-credentials
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: |
+ {"auths":{"zot0213.kro.kr":{"username":"{{ .USERNAME }}","password":"{{ .PASSWORD }}","auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}}
+ data:
+ - secretKey: USERNAME
+ remoteRef:
+ key: zot
+ property: USERNAME
+ - secretKey: PASSWORD
+ remoteRef:
+ key: zot
+ property: PASSWORD
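Review bot: The `.dockerconfigjson` template on the literal-block line splices `.USERNAME` and `.PASSWORD` into the JSON unescaped, so a password containing `"` or `\` produces an invalid config that likely only surfaces as failed image pulls; emitting the values through a JSON-aware function, e.g. `"username":{{ .USERNAME | toJson }},"password":{{ .PASSWORD | toJson }}`, keeps the document well-formed (sprig's `toJson` is available in ESO templates — confirm for the installed version). The `auth` field can stay as written, since `b64enc` already yields a JSON-safe string. A comment above `namespaceSelector` should also record that the `zot-registry: enabled` label is the only gate here, so RBAC on who may label namespaces is the access boundary for these credentials — e.g. `# Any namespace carrying this label receives the registry credentials; restrict who can set namespace labels.` Minor: `|-` instead of `|` avoids a trailing newline in the secret value.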