done

mountPath: /etc/passwd
                subPath: passwd

template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml

@@ -1,29 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: forgejo-access-token
-  namespace: argocd 
-spec:
-  secretStoreRef:
-    name: gitea
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: forgejo-access-token
-    template:
-      engineVersion: v2
-      data:
-        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
-        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argocd
-  data:
-    - secretKey: FORGEJO_ACCESS_USERNAME
-      remoteRef:
-        key: forgejo-access-token
-        property: username
-    - secretKey: FORGEJO_ACCESS_TOKEN
-      remoteRef:
-        key: forgejo-access-token
-        property: token

template/stacks/core/argocd-sso/argocd-sso-config.yaml

@@ -1,54 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: argocd-config
-  namespace: argocd
-spec:
-  template:
-    metadata:
-      generateName: argocd-config-
-    spec:
-      restartPolicy: OnFailure
-      containers:
-        - name: push
-          image: docker.io/library/ubuntu:22.04
-          env:
-            - name: FORGEJO_USER
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_username
-            - name: FORGEJO_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_token
-          command: ["/bin/bash", "-c"]
-          args:
-            - |
-              #! /bin/bash
-
-              apt -qq update
-              apt -qq install git wget -y
-              if [[ "$(uname -m)" == "x86_64" ]]; then
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
-                install yq_linux_amd64 /usr/local/bin/yq
-                rm yq_linux_amd64
-              else
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
-                install yq_linux_arm64 /usr/local/bin/yq
-                rm yq_linux_arm64
-              fi
-
-              git config --global user.email "bot@bots.de"
-              git config --global user.name "bot"
-              
-              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
-              cd edfbuilder
-              yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
-              
-              git add stacks/core/argocd/values.yaml
-              git commit -m "adds Forgejo SSO config"
-              git push
-  backoffLimit: 99           

template/stacks/core/forgejo-sso/forgejo-access-token.yaml

@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: forgejo-access-token
-  namespace: gitea 
-spec:
-  secretStoreRef:
-    name: gitea
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: forgejo-access-token
-    template:
-      engineVersion: v2
-      data:
-        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
-        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
-  data:
-    - secretKey: FORGEJO_ACCESS_USERNAME
-      remoteRef:
-        key: forgejo-access-token
-        property: username
-    - secretKey: FORGEJO_ACCESS_TOKEN
-      remoteRef:
-        key: forgejo-access-token
-        property: token

template/stacks/core/forgejo-sso/forgejo-sso-config.yaml

@@ -1,76 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: forgejo-config
-  namespace: gitea
-spec:
-  template:
-    metadata:
-      generateName: forgejo-config-
-    spec:
-      restartPolicy: OnFailure
-      containers:
-        - name: push
-          image: docker.io/library/ubuntu:22.04
-          env:
-            - name: FORGEJO_USER
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_username
-            - name: FORGEJO_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_token
-          command: ["/bin/bash", "-c"]
-          args:
-            - |
-              #! /bin/bash
-
-              apt -qq update
-              apt -qq install git wget -y
-              if [[ "$(uname -m)" == "x86_64" ]]; then
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
-                install yq_linux_amd64 /usr/local/bin/yq
-                rm yq_linux_amd64
-              else
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
-                install yq_linux_arm64 /usr/local/bin/yq
-                rm yq_linux_arm64
-              fi
-
-              git config --global user.email "bot@bots.de"
-              git config --global user.name "giteaAdmin"
-              
-              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
-              cd edfbuilder
-              yq eval ".gitea.oauth = [
-                {
-                  \"name\": \"Keycloak\",
-                  \"provider\": \"openidConnect\",
-                  \"existingSecret\": \"auth-generic-oauth-secret\",
-                  \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
-                }
-              ] |
-                (.gitea.oauth[] | .name) |= (. style=\"single\")
-                |
-                (.gitea.oauth[] | .provider) |= (. style=\"single\")
-                |
-                (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
-                |
-                (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
-              " -i stacks/core/forgejo/values.yaml
-
-              yq eval '.gitea.config.oauth2_client = 
-                {
-                  "ENABLE_AUTO_REGISTRATION" : true,
-                  "ACCOUNT_LINKING" : "auto"
-                }
-              ' -i stacks/core/forgejo/values.yaml
-              
-              git add stacks/core/forgejo/values.yaml
-              git commit -m "adds Forgejo SSO config"
-              git push
-  backoffLimit: 99

template/stacks/core/forgejo.yaml

@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
       path: .
-      targetRevision: v12.0.0-depends
+      targetRevision: v11.0.5-depends
       helm:
         valueFiles:
           - $values/stacks/core/forgejo/values.yaml

template/stacks/monitoring/alloy/values.yaml

@@ -1,8 +1,21 @@
+controller:
+  volumes:
+    extra:
+    - name: host-log-storage
+      hostPath:
+        path: /var/log
+        type: Directory
 alloy:
   create: false
   name: alloy-config
   key: config.alloy
 
+  mounts:
+    extra:
+    - mountPath: /openbao/logs
+      name: host-log-storage
+      readOnly: true
+
   uiPathPrefix: "/alloy"
 
   configMap:
@@ -72,6 +85,16 @@ alloy:
 
       }
 
+      local.file_match "file_logs" {
+          path_targets = [{"__path__" = "/openbao/logs/openbao/*"}]
+          sync_period = "5s"
+      }
+
+      loki.source.file "local_files" {
+          targets    = local.file_match.file_logs.targets
+          forward_to = [loki.write.local_loki.receiver]
+      }
+
       loki.source.kubernetes "all_pod_logs" {
         targets    = discovery.relabel.pod_logs.output
         forward_to = [loki.write.local_loki.receiver]

template/stacks/ref-implementation/openbao-logging.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao-logging-setup
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/ref-implementation/openbao-logging"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: openbao
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openbao-logging-dir
+  namespace: openbao
+spec:
+  selector:
+    matchLabels:
+      app: openbao-logging-dir
+  template:
+    metadata:
+      labels:
+        app: openbao-logging-dir
+    spec:
+      initContainers:
+      - name: creator
+        image: busybox
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          set -e
+          mkdir -p /var/log/openbao
+          chown 100:100 /var/log/openbao
+        securityContext:
+          runAsUser: 0 
+        volumeMounts:
+        - name: host-log
+          mountPath: /var/log
+      containers:
+      - name: running-container
+        image: busybox
+        command: ["sleep", "infinity"]
+        securityContext:
+          runAsUser: 0
+      volumes:
+      - name: host-log
+        hostPath:
+          path: /var/log
+          type: Directory

template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: logrotate-config
+data:
+  logrotate.conf: |
+    /openbao/logs/openbao/*.log {
+      size 50M
+      rotate 7
+      missingok
+      notifempty
+      postrotate
+        echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
+      endscript
+    }

template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml

@@ -0,0 +1,45 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: logrotate-cronjob
+  namespace: openbao
+spec:
+  schedule: "0 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: logrotate
+            image: skymatic/logrotate:latest
+            securityContext:
+              runAsUser: 100
+            command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
+            volumeMounts:
+              - name: host-log-storage
+                mountPath: /openbao/logs
+              - name: logrotate-config-volume
+                mountPath: /etc/logrotate.conf
+                subPath: logrotate.conf
+                readOnly: true
+              - name: passwd-volume
+                mountPath: /etc/passwd
+                subPath: passwd
+              - name: status
+                mountPath: /var/lib
+          restartPolicy: OnFailure
+          volumes:
+          - name: host-log-storage
+            hostPath:
+              path: /var/log
+              type: Directory
+          - name: logrotate-config-volume  
+            configMap:         
+              name: logrotate-config
+          - name: passwd-volume  
+            configMap:         
+              name: passwd-user-configmap
+          - name: status  
+            emptyDir: {}

template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: passwd-user-configmap
+data:
+  passwd: |
+    root:x:0:0:root:/root:/bin/sh
+    openbao:x:100:1000::/home/openbao:/sbin/nologin

template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: signal-sidecar-script
+  namespace: openbao
+data:
+  sidecar.sh: |
+    #!/bin/sh
+    echo "Sending SIGHUP to OpenBAO..."
+    kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
+
+  start.sh: |
+    #!/bin/sh
+
+    echo "Starting mini HTTP server on port 3030..."
+
+    while true; do
+      echo "Waiting for HTTP POST..."
+      REQUEST=$(nc -l -p 3030)
+
+      echo "$REQUEST" | grep -q "POST /" && {
+        echo "Received POST request, sending SIGHUP..."
+        /tmp/sidecar.sh
+        RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
+      } || {
+        RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
+      }
+
+      echo -e "$RESPONSE" | nc -N localhost 3031
+    done

template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sidecar-script-service
+  namespace: openbao
+spec:
+  selector:
+    app.kubernetes.io/instance: openbao
+    component: server
+  ports:
+    - protocol: TCP
+      port: 3030
+      targetPort: 3030

template/stacks/ref-implementation/openbao/values.yaml

@@ -1,9 +1,46 @@
 server:
+  shareProcessNamespace: true
+  extraContainers:
+    - name: sidecar
+      image: alpine:latest
+      command: ["/bin/sh", "/tmp/start.sh"]
+      ports:
+        - containerPort: 3030
+      volumeMounts:
+        - name: sidecar-script
+          mountPath: /tmp/start.sh
+          subPath: start.sh
+        - name: sidecar-script
+          mountPath: /tmp/sidecar.sh
+          subPath: sidecar.sh
+          mode: 0755
+        - name: passwd-volume
+          mountPath: /etc/passwd
+          subPath: passwd
+  volumes:    
+  - name: passwd-volume  
+    configMap:         
+      name: passwd-user-configmap
+  - name: host-log-storage
+    hostPath:
+      path: /var/log
+      type: Directory
+  - name: sidecar-script
+    configMap:
+      name: signal-sidecar-script
+      defaultMode: 0755
+
+  volumeMounts:
+  - mountPath: /openbao/logs
+    name: host-log-storage
+    readOnly: false
+
   postStart:
     - sh
     - -c
     - |
       sleep 10
+      rm -rf /openbao/data/*
       bao operator init >> /tmp/init.txt
       cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
       echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@@ -12,6 +49,8 @@ server:
       echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
       echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
       echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
+      bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
       rm /tmp/init.txt
+      bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
 ui:
   enabled: true