diff --git a/template/stacks/core/crossplane-compositions.yaml b/template/stacks/core/argocd-sso.yaml similarity index 54% rename from template/stacks/core/crossplane-compositions.yaml rename to template/stacks/core/argocd-sso.yaml index d5341c8..7ae15bc 100644 --- a/template/stacks/core/crossplane-compositions.yaml +++ b/template/stacks/core/argocd-sso.yaml @@ -1,23 +1,29 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: crossplane-compositions + name: argocd-sso namespace: argocd labels: env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io spec: project: default - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true - destination: - name: in-cluster - namespace: crossplane-system source: - path: stacks/core/crossplane-compositions repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder targetRevision: HEAD - directory: - recurse: true + path: "stacks/core/argocd-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: argocd + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s \ No newline at end of file diff --git a/template/stacks/core/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd-sso/argocd-secret.yaml new file mode 100644 index 0000000..105bdf4 --- /dev/null +++ b/template/stacks/core/argocd-sso/argocd-secret.yaml 
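Review bot: The new `destination` block addresses the local cluster as `server: "https://kubernetes.default.svc"`, while the sibling Applications touched in this same diff (argocd.yaml, forgejo.yaml, ingress-nginx.yaml) use `name: in-cluster`; both resolve to the same cluster, but mixing the two forms makes the stack harder to grep and re-target, so `destination:` / `  name: in-cluster` / `  namespace: argocd` would keep the files uniform. `retry.limit: -1` together with `factor: 1` and `duration` equal to `maxDuration` means an unbounded retry at a constant 15 s; if that is intended (presumably so the app keeps syncing until the Keycloak job has populated the secret store), a one-line comment such as `# unbounded retry: the SSO secret only resolves once the Keycloak config job has run` would save the next reader the guess. The file also ends without a trailing newline. forgejo-sso.yaml later in this diff has the same destination form and retry block.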
@@ -0,0 +1,24 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: argocd +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + client_secret: "{{.ARGOCD_CLIENT_SECRET}}" + metadata: + labels: + app.kubernetes.io/part-of: argocd + data: + - secretKey: ARGOCD_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: ARGOCD_CLIENT_SECRET \ No newline at end of file diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index 4f65e09..201951f 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -16,12 +16,12 @@ spec: name: in-cluster namespace: argocd sources: - - repoURL: https://github.com/argoproj/argo-helm + - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git path: charts/argo-cd # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.7.5 + targetRevision: argo-cd-7.8.14-depends helm: valueFiles: - $values/stacks/core/argocd/values.yaml diff --git a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml b/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml deleted file mode 100644 index d8e3e9d..0000000 --- a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml +++ /dev/null 
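Review bot: `refreshInterval: "0"` disables periodic reconciliation of this ExternalSecret, so if `ARGOCD_CLIENT_SECRET` in the `keycloak-clients` entry is ever regenerated, `auth-generic-oauth-secret` keeps the stale client secret until the ExternalSecret is recreated or manually re-triggered; if one-shot is deliberate, say so with `# one-shot: never refreshed, recreate the ExternalSecret after rotating the Keycloak client secret`, otherwise a non-zero interval is the safer default for an OIDC credential. The `app.kubernetes.io/part-of: argocd` label under `template.metadata` is presumably what lets Argo CD resolve a `$auth-generic-oauth-secret:client_secret` reference from its config; a comment on that label line, e.g. `# required: Argo CD only reads secrets referenced from argocd-cm when they carry this label`, would stop someone from "cleaning it up". secret-forgejo.yaml in this diff uses the same `refreshInterval: "0"`.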
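Review bot: `targetRevision: argo-cd-7.8.14-depends` on the internal `DevFW-CICD/argocd-helm.git` fork is a mutable ref as far as this file shows — whether it is a tag or a branch is not visible, and if it is a branch the chart content can change under the Application without any change here. Since the commit moves from the upstream chart repository to a fork, it would help to pin an immutable ref (a tag that is never moved, or a commit SHA) and to document the `-depends` naming in a comment such as `# fork of argoproj/argo-helm with vendored dependencies; suffix -depends marks the patched tag`. The existing TODO comment above `targetRevision` still points at the upstream issue, which is fine, but readers now need to know the fork tracks it. forgejo.yaml (`v11.0.5-depends`) and ingress-nginx.yaml (`helm-chart-4.12.1-depends`) in this diff have the same pattern.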
@@ -1,30 +0,0 @@ -apiVersion: apiextensions.crossplane.io/v1 -kind: CompositeResourceDefinition -metadata: - name: edfbuilders.edfbuilder.crossplane.io -spec: - connectionSecretKeys: - - kubeconfig - group: edfbuilder.crossplane.io - names: - kind: EDFBuilder - listKind: EDFBuilderList - plural: edfbuilders - singular: edfbuilders - versions: - - name: v1alpha1 - served: true - referenceable: true - schema: - openAPIV3Schema: - description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed - type: object - properties: - spec: - type: object - properties: - repoURL: - type: string - description: URL to ArgoCD stack of stacks repo - required: - - repoURL diff --git a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml b/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml deleted file mode 100644 index 9a16bba..0000000 --- a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Function -metadata: - name: crossplane-contrib-function-patch-and-transform -spec: - package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0 - packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache. - revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy - revisionHistoryLimit: 1 \ No newline at end of file diff --git a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml b/template/stacks/core/crossplane-providers/provider-argocd-config.yaml deleted file mode 100644 index dba4aad..0000000 --- a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: argocd.crossplane.io/v1alpha1 -kind: ProviderConfig -metadata: - name: argocd-provider -spec: - serverAddr: argocd-server.argocd.svc.cluster.local:80 - insecure: true - plainText: true - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: argocd-credentials - key: authToken diff --git a/template/stacks/core/crossplane-providers/provider-argocd.yaml b/template/stacks/core/crossplane-providers/provider-argocd.yaml deleted file mode 100644 index 241ca84..0000000 --- a/template/stacks/core/crossplane-providers/provider-argocd.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-argocd -spec: - package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1 - packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache. - revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy - revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane-providers/provider-kind-config.yaml b/template/stacks/core/crossplane-providers/provider-kind-config.yaml deleted file mode 100644 index edc8dcb..0000000 --- a/template/stacks/core/crossplane-providers/provider-kind-config.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: kind.crossplane.io/v1alpha1 -kind: ProviderConfig -metadata: - name: kind-provider -spec: - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: kind-credentials - key: credentials - endpoint: - # the url is managed by crossplane-edfbuilder - url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver diff --git a/template/stacks/core/crossplane-providers/provider-kind.yaml b/template/stacks/core/crossplane-providers/provider-kind.yaml deleted file mode 100644 index 5bfe9a1..0000000 --- a/template/stacks/core/crossplane-providers/provider-kind.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-kind -spec: - package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.1 - packagePullPolicy: IfNotPresent - revisionActivationPolicy: Automatic - revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane-providers/provider-shell.yaml b/template/stacks/core/crossplane-providers/provider-shell.yaml deleted file mode 100644 index 2974c0c..0000000 --- a/template/stacks/core/crossplane-providers/provider-shell.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-shell -spec: - package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.5 - packagePullPolicy: IfNotPresent - revisionActivationPolicy: Automatic - revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane.yaml b/template/stacks/core/crossplane.yaml deleted file mode 100644 index 4b6f2af..0000000 --- a/template/stacks/core/crossplane.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: crossplane - namespace: argocd - labels: - env: dev -spec: - project: default - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true - destination: - name: in-cluster - namespace: crossplane-system - source: - chart: crossplane - repoURL: https://charts.crossplane.io/stable - targetRevision: 1.18.0 - helm: - releaseName: crossplane diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml index 04b07a7..2702b3e 100644 --- a/template/stacks/core/forgejo-runner/dind-docker.yaml +++ b/template/stacks/core/forgejo-runner/dind-docker.yaml 
@@ -28,19 +28,18 @@ spec: # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration initContainers: - name: runner-register - image: code.forgejo.org/forgejo/runner:6.0.1 - command: - - "forgejo-runner" - - "register" - - "--no-interactive" - - "--token" - - $(RUNNER_SECRET) - - "--name" - - $(RUNNER_NAME) - - "--instance" - - $(FORGEJO_INSTANCE_URL) - - "--labels" - - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04" + image: code.forgejo.org/forgejo/runner:6.3.1 + command: + - "sh" + - "-c" + - | + forgejo-runner \ + register \ + --no-interactive \ + --token ${RUNNER_SECRET} \ + --name ${RUNNER_NAME} \ + --instance ${FORGEJO_INSTANCE_URL} \ + --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04 env: - name: RUNNER_NAME valueFrom: @@ -58,7 +57,7 @@ spec: mountPath: /data containers: - name: runner - image: code.forgejo.org/forgejo/runner:6.0.1 + image: code.forgejo.org/forgejo/runner:6.3.1 command: - "sh" - "-c" @@ -94,7 +93,7 @@ spec: - name: runner-data mountPath: /data - name: daemon - image: docker:27.4.1-dind + image: docker:28.0.4-dind env: - name: DOCKER_TLS_CERTDIR value: /certs diff --git a/template/stacks/core/crossplane-providers.yaml b/template/stacks/core/forgejo-sso.yaml similarity index 54% rename from template/stacks/core/crossplane-providers.yaml rename to template/stacks/core/forgejo-sso.yaml index 3fd69b7..6402b41 100644 --- a/template/stacks/core/crossplane-providers.yaml +++ b/template/stacks/core/forgejo-sso.yaml 
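Review bot: Moving the registration from an exec-style `command` array to `sh -c` means `${RUNNER_SECRET}`, `${RUNNER_NAME}` and `${FORGEJO_INSTANCE_URL}` are now expanded by the shell unquoted, so any whitespace or glob character in those values is word-split before `forgejo-runner` sees them; the previous `$(VAR)` form was substituted by the kubelet as a single argv element. Quoting restores that: `--token "${RUNNER_SECRET}" \`, `--name "${RUNNER_NAME}" \`, `--instance "${FORGEJO_INSTANCE_URL}" \`. The container and deployment spec that encloses this initContainer starts and ends outside the hunk.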
@@ -1,23 +1,29 @@ -{{{ if eq .Env.CLUSTER_TYPE "kind" }}} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: crossplane-providers + name: forgejo-sso namespace: argocd labels: env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io spec: project: default - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true - destination: - name: in-cluster - namespace: crossplane-system source: - path: stacks/core/crossplane-providers repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder targetRevision: HEAD -{{{ end }}} + path: "stacks/core/forgejo-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: gitea + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s \ No newline at end of file diff --git a/template/stacks/core/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo-sso/secret-forgejo.yaml new file mode 100644 index 0000000..d449c24 --- /dev/null +++ b/template/stacks/core/forgejo-sso/secret-forgejo.yaml @@ -0,0 +1,26 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: gitea +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + key: "{{.FORGEJO_CLIENT_ID}}" + secret: "{{.FORGEJO_CLIENT_SECRET}}" + data: + - secretKey: FORGEJO_CLIENT_ID + remoteRef: + key: keycloak-clients + property: FORGEJO_CLIENT_ID + - secretKey: FORGEJO_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: FORGEJO_CLIENT_SECRET diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml index 9b4aeae..a89d576 100644 --- a/template/stacks/core/forgejo.yaml +++ b/template/stacks/core/forgejo.yaml 
@@ -16,9 +16,9 @@ spec: name: in-cluster namespace: gitea sources: - - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git + - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git path: . - targetRevision: v10.1.1 + targetRevision: v11.0.5-depends helm: valueFiles: - $values/stacks/core/forgejo/values.yaml diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 0cb06cd..b98bbf3 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,5 +1,5 @@ redis-cluster: - enabled: false + enabled: true postgresql: enabled: false postgresql-ha: @@ -16,6 +16,11 @@ gitea: admin: existingSecret: gitea-credential config: + service: + DISABLE_REGISTRATION: true + other: + SHOW_FOOTER_VERSION: false + SHOW_FOOTER_TEMPLATE_LOAD_TIME: false database: DB_TYPE: sqlite3 session: diff --git a/template/stacks/core/ingress-nginx.yaml b/template/stacks/core/ingress-nginx.yaml index cb69681..2517368 100644 --- a/template/stacks/core/ingress-nginx.yaml +++ b/template/stacks/core/ingress-nginx.yaml @@ -16,9 +16,9 @@ spec: name: in-cluster namespace: ingress-nginx sources: - - repoURL: https://github.com/kubernetes/ingress-nginx + - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git path: charts/ingress-nginx - targetRevision: helm-chart-4.11.3 + targetRevision: helm-chart-4.12.1-depends helm: valueFiles: - $values/stacks/core/ingress-nginx/values.yaml diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml index c86f6fa..88f0d0e 100644 --- a/template/stacks/ref-implementation/backstage/manifests/install.yaml +++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml 
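Review bot: `DISABLE_REGISTRATION: true` under `service` is introduced in the same commit that wires Forgejo to Keycloak, and it is worth confirming that a first Keycloak login still gets an account created — in Gitea-derived servers the interplay between `[service] DISABLE_REGISTRATION`, `ALLOW_ONLY_EXTERNAL_REGISTRATION` and `[oauth2_client] ENABLE_AUTO_REGISTRATION` decides that, and none of the latter two appear here. A comment on the line, e.g. `# self-registration off; accounts come from Keycloak SSO (see forgejo-sso)`, would record the intent either way. The `redis-cluster` flip to `enabled: true` is unrelated to SSO and could use its own one-line reason.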
@@ -264,7 +264,8 @@ spec: name: gitea-credentials - secretRef: name: argocd-credentials - image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development + image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0 + imagePullPolicy: Always name: backstage ports: - containerPort: 7007 diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c1d77a7..e325ff0 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -71,11 +71,11 @@ data: }, "type": "default", "protocol": "openid-connect" - } + } group-admin-payload.json: | - {"name":"admin"} + {"name":"admin"} group-base-user-payload.json: | - {"name":"base-user"} + {"name":"base-user"} group-mapper-payload.json: | { "protocol": "openid-connect", @@ -88,15 +88,15 @@ data: "access.token.claim": "true", "userinfo.token.claim": "true" } - } + } realm-payload.json: | - {"realm":"cnoe","enabled":true} + {"realm":"cnoe","enabled":true} user-password.json: | { "temporary": false, "type": "password", "value": "${USER1_PASSWORD}" - } + } user-user1.json: | { "username": "user1", @@ -109,7 +109,7 @@ data: "/admin" ], "enabled": true - } + } user-user2.json: | { "username": "user2", @@ -122,7 +122,7 @@ data: "/base-user" ], "enabled": true - } + } argo-client-payload.json: | { "protocol": "openid-connect", @@ -150,7 +150,7 @@ data: "webOrigins": [ "/*" ] - } + } backstage-client-payload.json: | { @@ -179,7 +179,7 @@ data: "webOrigins": [ "/*" ] - } + } grafana-client-payload.json: | { 
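Review bot: Adding `imagePullPolicy: Always` next to the now-fixed tag `backstage-edp:1.1.0` means every pod start re-resolves the tag, so a re-pushed `1.1.0` changes what runs without any manifest change; if the registry tag is expected to be immutable, `Always` buys nothing, and if it is not, the policy is masking a mutable artifact. Pinning by digest (`backstage-edp:1.1.0@sha256:<DIGEST-PLACEHOLDER>`) makes the deployed image reproducible regardless of pull policy. Either way a comment such as `# tag may be re-pushed by CI; Always keeps the pod on the latest build of 1.1.0` would state which case applies. The enclosing container list continues outside the hunk.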
@@ -219,6 +219,64 @@ data: ] } + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } + + forgejo-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "forgejo", + "name": "Forgejo Client", + "description": "Used for Forgejo SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN_GITEA }}}/*" + ], + "webOrigins": [ + "/*" + ] + } + --- apiVersion: batch/v1 kind: Job @@ -254,7 +312,7 @@ spec: command: ["/bin/bash", "-c"] args: - | - #! /bin/bash + #! /bin/bash set -ex -o pipefail 
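Review bot: Both new client payloads set `"directAccessGrantsEnabled": true`, which turns on the resource-owner password grant for confidential clients that only need the authorization-code flow (`standardFlowEnabled`); it is copied from the existing payloads but it widens how the `argocd` and `forgejo` client secrets can be used, so `"directAccessGrantsEnabled": false,` is the safer value unless something in the stack relies on it. The `redirectUris` entries `https://{{{ .Env.DOMAIN }}}/*` and `https://{{{ .Env.DOMAIN_GITEA }}}/*` accept any path on the host; narrowing them to the actual callback paths (for path-based routing presumably `https://{{{ .Env.DOMAIN }}}/argocd/auth/callback` and `https://{{{ .Env.DOMAIN_GITEA }}}/user/oauth2/*/callback`) limits where an authorization code can be sent back to. If the wildcard is kept on purpose, a short comment above each `redirectUris` saying why would help the next reviewer.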
@@ -315,7 +373,7 @@ spec: ${KEYCLOAK_URL}/admin/realms/cnoe/groups # Create scope mapper - echo 'adding group claim to tokens' + echo 'adding group claim to tokens' CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') curl -sS -H "Content-Type: application/json" \ @@ -355,8 +413,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -370,21 +428,26 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -394,19 +457,68 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == 
"argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + echo "creating Forgejo client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/forgejo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session 
-H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) @@ -426,7 +538,10 @@ spec: BACKSTAGE_CLIENT_ID: backstage GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd + FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} + FORGEJO_CLIENT_ID: forgejo " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml -
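Review bot: The new `ARGOCD_CLIENT_SECRET=$(…)` and `FORGEJO_CLIENT_SECRET=$(…)` assignments run under the `set -ex -o pipefail` at the top of this script (visible in the earlier hunk), so xtrace prints each client secret, together with every `-H "Authorization: bearer ${KEYCLOAK_TOKEN}"` header, into the job's pod log where anyone with log access can read it. The existing Grafana and Backstage blocks already do this, but this hunk doubles the number of secrets exposed that way; wrapping the secret-fetching commands in `set +x` … `set -x`, or dropping `-x` altogether, keeps the admin token and client secrets out of the logs. The four near-identical create/lookup/scope/secret sequences could also become one function taking the client id and payload file, which would make the `CLIENT_SCOPE_GROUPS_ID` re-fetch per client disappear. The script body starts and ends outside this hunk.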