Merge pull request 'IPCEICIS-2297_working_oidc' (#30) from IPCEICIS-2297_working_oidc into development

Reviewed-on: DevFW-CICD/stacks#30

template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: forgejo-access-token
+  namespace: argocd 
+spec:
+  secretStoreRef:
+    name: gitea
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: forgejo-access-token
+    template:
+      engineVersion: v2
+      data:
+        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argocd
+  data:
+    - secretKey: FORGEJO_ACCESS_USERNAME
+      remoteRef:
+        key: forgejo-access-token
+        property: username
+    - secretKey: FORGEJO_ACCESS_TOKEN
+      remoteRef:
+        key: forgejo-access-token
+        property: token

template/stacks/core/argocd-sso/argocd-sso-config.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: argocd-config
+  namespace: argocd
+spec:
+  template:
+    metadata:
+      generateName: argocd-config-
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: push
+          image: docker.io/library/ubuntu:22.04
+          env:
+            - name: FORGEJO_USER
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_username
+            - name: FORGEJO_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_token
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+
+              apt -qq update
+              apt -qq install git wget -y
+              if [[ "$(uname -m)" == "x86_64" ]]; then
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+                install yq_linux_amd64 /usr/local/bin/yq
+                rm yq_linux_amd64
+              else
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+                install yq_linux_arm64 /usr/local/bin/yq
+                rm yq_linux_arm64
+              fi
+
+              git config --global user.email "bot@bots.de"
+              git config --global user.name "bot"
+              
+              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
+              cd edfbuilder
+              yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
+              
+              git add stacks/core/argocd/values.yaml
+              git commit -m "adds Forgejo SSO config"
+              git push
+  backoffLimit: 99           

template/stacks/core/forgejo-sso/forgejo-access-token.yaml

@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: forgejo-access-token
+  namespace: gitea 
+spec:
+  secretStoreRef:
+    name: gitea
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: forgejo-access-token
+    template:
+      engineVersion: v2
+      data:
+        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+  data:
+    - secretKey: FORGEJO_ACCESS_USERNAME
+      remoteRef:
+        key: forgejo-access-token
+        property: username
+    - secretKey: FORGEJO_ACCESS_TOKEN
+      remoteRef:
+        key: forgejo-access-token
+        property: token

template/stacks/core/forgejo-sso/forgejo-sso-config.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: forgejo-config
+  namespace: gitea
+spec:
+  template:
+    metadata:
+      generateName: forgejo-config-
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: push
+          image: docker.io/library/ubuntu:22.04
+          env:
+            - name: FORGEJO_USER
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_username
+            - name: FORGEJO_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_token
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+
+              apt -qq update
+              apt -qq install git wget -y
+              if [[ "$(uname -m)" == "x86_64" ]]; then
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+                install yq_linux_amd64 /usr/local/bin/yq
+                rm yq_linux_amd64
+              else
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+                install yq_linux_arm64 /usr/local/bin/yq
+                rm yq_linux_arm64
+              fi
+
+              git config --global user.email "bot@bots.de"
+              git config --global user.name "giteaAdmin"
+              
+              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
+              cd edfbuilder
+              yq eval ".gitea.oauth = [
+                {
+                  \"name\": \"Keycloak\",
+                  \"provider\": \"openidConnect\",
+                  \"existingSecret\": \"auth-generic-oauth-secret\",
+                  \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
+                }
+              ] |
+                (.gitea.oauth[] | .name) |= (. style=\"single\")
+                |
+                (.gitea.oauth[] | .provider) |= (. style=\"single\")
+                |
+                (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
+                |
+                (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
+              " -i stacks/core/forgejo/values.yaml
+
+              yq eval '.gitea.config.oauth2_client = 
+                {
+                  "ENABLE_AUTO_REGISTRATION" : true,
+                  "ACCOUNT_LINKING" : "auto"
+                }
+              ' -i stacks/core/forgejo/values.yaml
+              
+              git add stacks/core/forgejo/values.yaml
+              git commit -m "adds Forgejo SSO config"
+              git push
+  backoffLimit: 99

template/stacks/core/forgejo.yaml

@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
       path: .
-      targetRevision: v11.0.5-depends
+      targetRevision: v12.0.0-depends
       helm:
         valueFiles:
           - $values/stacks/core/forgejo/values.yaml

template/stacks/monitoring/alloy/values.yaml

@@ -1,21 +1,8 @@
-controller:
-  volumes:
-    extra:
-    - name: host-log-storage
-      hostPath:
-        path: /var/log
-        type: Directory
 alloy:
   create: false
   name: alloy-config
   key: config.alloy
 
-  mounts:
-    extra:
-    - mountPath: /openbao/logs
-      name: host-log-storage
-      readOnly: true
-
   uiPathPrefix: "/alloy"
 
   configMap:
@@ -85,16 +72,6 @@ alloy:
 
       }
 
-      local.file_match "file_logs" {
-          path_targets = [{"__path__" = "/openbao/logs/openbao/*"}]
-          sync_period = "5s"
-      }
-
-      loki.source.file "local_files" {
-          targets    = local.file_match.file_logs.targets
-          forward_to = [loki.write.local_loki.receiver]
-      }
-
       loki.source.kubernetes "all_pod_logs" {
         targets    = discovery.relabel.pod_logs.output
         forward_to = [loki.write.local_loki.receiver]

template/stacks/ref-implementation/openbao-logging.yaml

@@ -1,29 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: openbao-logging-setup
-  namespace: argocd
-  labels:
-    env: dev
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-    targetRevision: HEAD
-    path: "stacks/ref-implementation/openbao-logging"
-  destination:
-    server: "https://kubernetes.default.svc"
-    namespace: openbao
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
-    automated:
-      selfHeal: true
-    retry:
-      limit: -1
-      backoff:
-        duration: 15s
-        factor: 1
-        maxDuration: 15s

template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml

@@ -1,39 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: openbao-logging-dir
-  namespace: openbao
-spec:
-  selector:
-    matchLabels:
-      app: openbao-logging-dir
-  template:
-    metadata:
-      labels:
-        app: openbao-logging-dir
-    spec:
-      initContainers:
-      - name: creator
-        image: busybox
-        command: ["/bin/sh", "-c"]
-        args:
-        - |
-          set -e
-          mkdir -p /var/log/openbao
-          chown 100:100 /var/log/openbao
-        securityContext:
-          runAsUser: 0 
-        volumeMounts:
-        - name: host-log
-          mountPath: /var/log
-      containers:
-      - name: running-container
-        image: busybox
-        command: ["sleep", "infinity"]
-        securityContext:
-          runAsUser: 0
-      volumes:
-      - name: host-log
-        hostPath:
-          path: /var/log
-          type: Directory

template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: logrotate-config
-data:
-  logrotate.conf: |
-    /openbao/logs/openbao/*.log {
-      size 50M
-      rotate 7
-      missingok
-      notifempty
-      postrotate
-        echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
-      endscript
-    }

template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml

@@ -1,45 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: logrotate-cronjob
-  namespace: openbao
-spec:
-  schedule: "0 * * * *"
-  successfulJobsHistoryLimit: 1
-  failedJobsHistoryLimit: 1
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: logrotate
-            image: skymatic/logrotate:latest
-            securityContext:
-              runAsUser: 100
-            command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
-            volumeMounts:
-              - name: host-log-storage
-                mountPath: /openbao/logs
-              - name: logrotate-config-volume
-                mountPath: /etc/logrotate.conf
-                subPath: logrotate.conf
-                readOnly: true
-              - name: passwd-volume
-                mountPath: /etc/passwd
-                subPath: passwd
-              - name: status
-                mountPath: /var/lib
-          restartPolicy: OnFailure
-          volumes:
-          - name: host-log-storage
-            hostPath:
-              path: /var/log
-              type: Directory
-          - name: logrotate-config-volume  
-            configMap:         
-              name: logrotate-config
-          - name: passwd-volume  
-            configMap:         
-              name: passwd-user-configmap
-          - name: status  
-            emptyDir: {}

template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: passwd-user-configmap
-data:
-  passwd: |
-    root:x:0:0:root:/root:/bin/sh
-    openbao:x:100:1000::/home/openbao:/sbin/nologin

template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: signal-sidecar-script
-  namespace: openbao
-data:
-  sidecar.sh: |
-    #!/bin/sh
-    echo "Sending SIGHUP to OpenBAO..."
-    kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
-
-  start.sh: |
-    #!/bin/sh
-
-    echo "Starting mini HTTP server on port 3030..."
-
-    while true; do
-      echo "Waiting for HTTP POST..."
-      REQUEST=$(nc -l -p 3030)
-
-      echo "$REQUEST" | grep -q "POST /" && {
-        echo "Received POST request, sending SIGHUP..."
-        /tmp/sidecar.sh
-        RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
-      } || {
-        RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
-      }
-
-      echo -e "$RESPONSE" | nc -N localhost 3031
-    done

template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: sidecar-script-service
-  namespace: openbao
-spec:
-  selector:
-    app.kubernetes.io/instance: openbao
-    component: server
-  ports:
-    - protocol: TCP
-      port: 3030
-      targetPort: 3030

template/stacks/ref-implementation/openbao/values.yaml

@@ -1,46 +1,9 @@
 server:
-  shareProcessNamespace: true
-  extraContainers:
-    - name: sidecar
-      image: alpine:latest
-      command: ["/bin/sh", "/tmp/start.sh"]
-      ports:
-        - containerPort: 3030
-      volumeMounts:
-        - name: sidecar-script
-          mountPath: /tmp/start.sh
-          subPath: start.sh
-        - name: sidecar-script
-          mountPath: /tmp/sidecar.sh
-          subPath: sidecar.sh
-          mode: 0755
-        - name: passwd-volume
-          mountPath: /etc/passwd
-          subPath: passwd
-  volumes:    
-  - name: passwd-volume  
-    configMap:         
-      name: passwd-user-configmap
-  - name: host-log-storage
-    hostPath:
-      path: /var/log
-      type: Directory
-  - name: sidecar-script
-    configMap:
-      name: signal-sidecar-script
-      defaultMode: 0755
-
-  volumeMounts:
-  - mountPath: /openbao/logs
-    name: host-log-storage
-    readOnly: false
-
   postStart:
     - sh
     - -c
     - |
       sleep 10
-      rm -rf /openbao/data/*
       bao operator init >> /tmp/init.txt
       cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
       echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@@ -49,8 +12,6 @@ server:
       echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
       echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
       echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
-      bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
       rm /tmp/init.txt
-      bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
 ui:
   enabled: true