From dd7551a2932533a1fd4bd323a769f51c670b1c34 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Thu, 27 Mar 2025 19:33:56 +0100 Subject: [PATCH 01/17] updated forgejo and forgejo-runner --- template/stacks/core/forgejo-runner/dind-docker.yaml | 6 +++--- template/stacks/core/forgejo.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml index 04b07a7..3676503 100644 --- a/template/stacks/core/forgejo-runner/dind-docker.yaml +++ b/template/stacks/core/forgejo-runner/dind-docker.yaml @@ -28,7 +28,7 @@ spec: # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration initContainers: - name: runner-register - image: code.forgejo.org/forgejo/runner:6.0.1 + image: code.forgejo.org/forgejo/runner:6.3.1 command: - "forgejo-runner" - "register" @@ -58,7 +58,7 @@ spec: mountPath: /data containers: - name: runner - image: code.forgejo.org/forgejo/runner:6.0.1 + image: code.forgejo.org/forgejo/runner:6.3.1 command: - "sh" - "-c" @@ -94,7 +94,7 @@ spec: - name: runner-data mountPath: /data - name: daemon - image: docker:27.4.1-dind + image: docker:28.0.4-dind env: - name: DOCKER_TLS_CERTDIR value: /certs diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml index 9b4aeae..4e95fe0 100644 --- a/template/stacks/core/forgejo.yaml +++ b/template/stacks/core/forgejo.yaml @@ -18,7 +18,7 @@ spec: sources: - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git path: . - targetRevision: v10.1.1 + targetRevision: v11.0.5 helm: valueFiles: - $values/stacks/core/forgejo/values.yaml From 9ba027f94b35a94db45ae22b47536ad537acba00 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Thu, 27 Mar 2025 20:10:06 +0100 Subject: [PATCH 02/17] updated nginx-ingress --- template/stacks/core/ingress-nginx.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/template/stacks/core/ingress-nginx.yaml b/template/stacks/core/ingress-nginx.yaml index cb69681..1bec144 100644 --- a/template/stacks/core/ingress-nginx.yaml +++ b/template/stacks/core/ingress-nginx.yaml @@ -18,7 +18,7 @@ spec: sources: - repoURL: https://github.com/kubernetes/ingress-nginx path: charts/ingress-nginx - targetRevision: helm-chart-4.11.3 + targetRevision: helm-chart-4.12.1 helm: valueFiles: - $values/stacks/core/ingress-nginx/values.yaml From b3495f610c5a9a8a84d5a89f78ae12aa58a88608 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Thu, 27 Mar 2025 20:42:01 +0100 Subject: [PATCH 03/17] updated argocd --- template/stacks/core/argocd.yaml | 4 ++-- template/stacks/core/forgejo.yaml | 4 ++-- template/stacks/core/ingress-nginx.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index 4f65e09..201951f 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -16,12 +16,12 @@ spec: name: in-cluster namespace: argocd sources: - - repoURL: https://github.com/argoproj/argo-helm + - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git path: charts/argo-cd # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.7.5 + targetRevision: argo-cd-7.8.14-depends helm: valueFiles: - $values/stacks/core/argocd/values.yaml diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml index 4e95fe0..a89d576 100644 --- a/template/stacks/core/forgejo.yaml +++ b/template/stacks/core/forgejo.yaml 
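Review bot: The new `repoURL` in `argocd.yaml` moves the Argo CD chart from upstream `argoproj/argo-helm` to a self-hosted mirror on `forgejo.edf-bootstrap.cx.fg1.ffm.osc.live` and pins it to the tag `argo-cd-7.8.14-depends`, but nothing records what the `-depends` suffix denotes or which upstream commit the mirror tracks. A git tag is mutable, so this pin can be moved on the mirror without any change showing up in this repository; if a reproducible pin is wanted, `targetRevision` should name a commit SHA, or the tag should be documented as protected on the mirror. A comment above `repoURL` along the lines of `# mirror of https://github.com/argoproj/argo-helm; "-depends" tags: <meaning — TODO document>` would let the next reader verify provenance. The `forgejo.yaml` and `ingress-nginx.yaml` hunks of this patch make the same switch and need the same note.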
@@ -16,9 +16,9 @@ spec: name: in-cluster namespace: gitea sources: - - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git + - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git path: . - targetRevision: v11.0.5 + targetRevision: v11.0.5-depends helm: valueFiles: - $values/stacks/core/forgejo/values.yaml diff --git a/template/stacks/core/ingress-nginx.yaml b/template/stacks/core/ingress-nginx.yaml index 1bec144..2517368 100644 --- a/template/stacks/core/ingress-nginx.yaml +++ b/template/stacks/core/ingress-nginx.yaml @@ -16,9 +16,9 @@ spec: name: in-cluster namespace: ingress-nginx sources: - - repoURL: https://github.com/kubernetes/ingress-nginx + - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git path: charts/ingress-nginx - targetRevision: helm-chart-4.12.1 + targetRevision: helm-chart-4.12.1-depends helm: valueFiles: - $values/stacks/core/ingress-nginx/values.yaml From 51e765049ba8e55ba71b3b79d5021958e31b72af Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 30 Mar 2025 22:34:04 +0200 Subject: [PATCH 04/17] Update fix to latest kindserver --- .../core/crossplane-providers/provider-argocd.yaml | 9 --------- .../stacks/core/crossplane-providers/provider-kind.yaml | 9 --------- .../stacks/core/crossplane-providers/provider-shell.yaml | 9 --------- 3 files changed, 27 deletions(-) delete mode 100644 template/stacks/core/crossplane-providers/provider-argocd.yaml delete mode 100644 template/stacks/core/crossplane-providers/provider-kind.yaml delete mode 100644 template/stacks/core/crossplane-providers/provider-shell.yaml diff --git a/template/stacks/core/crossplane-providers/provider-argocd.yaml b/template/stacks/core/crossplane-providers/provider-argocd.yaml deleted file mode 100644 index 241ca84..0000000 --- a/template/stacks/core/crossplane-providers/provider-argocd.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-argocd -spec: - package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1 - packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache. - revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy - revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane-providers/provider-kind.yaml b/template/stacks/core/crossplane-providers/provider-kind.yaml deleted file mode 100644 index 5bfe9a1..0000000 --- a/template/stacks/core/crossplane-providers/provider-kind.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-kind -spec: - package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.1 - packagePullPolicy: IfNotPresent - revisionActivationPolicy: Automatic - revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane-providers/provider-shell.yaml b/template/stacks/core/crossplane-providers/provider-shell.yaml deleted file mode 100644 index 2974c0c..0000000 --- a/template/stacks/core/crossplane-providers/provider-shell.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-shell -spec: - package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.5 - packagePullPolicy: IfNotPresent - revisionActivationPolicy: Automatic - revisionHistoryLimit: 1 From 777d6afeb4e2c1f40ceeeecbb4962258b7d3c902 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Fri, 11 Apr 2025 14:12:29 +0000 Subject: [PATCH 05/17] Update template/stacks/core/forgejo-runner/dind-docker.yaml --- .../core/forgejo-runner/dind-docker.yaml | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml index 3676503..2702b3e 100644 
--- a/template/stacks/core/forgejo-runner/dind-docker.yaml +++ b/template/stacks/core/forgejo-runner/dind-docker.yaml @@ -29,18 +29,17 @@ spec: initContainers: - name: runner-register image: code.forgejo.org/forgejo/runner:6.3.1 - command: - - "forgejo-runner" - - "register" - - "--no-interactive" - - "--token" - - $(RUNNER_SECRET) - - "--name" - - $(RUNNER_NAME) - - "--instance" - - $(FORGEJO_INSTANCE_URL) - - "--labels" - - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04" + command: + - "sh" + - "-c" + - | + forgejo-runner \ + register \ + --no-interactive \ + --token ${RUNNER_SECRET} \ + --name ${RUNNER_NAME} \ + --instance ${FORGEJO_INSTANCE_URL} \ + --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04 env: - name: RUNNER_NAME valueFrom: From c01d4952ad2474f25f810117d2515028fd91bc8c Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 16:17:20 +0000 Subject: [PATCH 06/17] Disabled user self registration in Forgejo --- template/stacks/core/forgejo/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 0cb06cd..520bdf5 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -16,6 +16,8 @@ gitea: admin: existingSecret: gitea-credential config: + service: + DISABLE_REGISTRATION: true database: DB_TYPE: sqlite3 session: From 5d0182d6ee9791bac797ba224f7e4ed23265b0d6 Mon Sep 17 00:00:00 2001 
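Review bot: In the new `sh -c` script the runner secret is expanded unquoted, `--token ${RUNNER_SECRET}`, as are `${RUNNER_NAME}` and `${FORGEJO_INSTANCE_URL}`; the previous list form used Kubernetes `$(VAR)` substitution with no shell in between, so this change newly subjects those values to word splitting and globbing. Quote each expansion, e.g. `--token "${RUNNER_SECRET}" \`, `--name "${RUNNER_NAME}" \`, `--instance "${FORGEJO_INSTANCE_URL}" \`, so a token or URL containing shell-significant characters cannot alter the argument list. The commit message does not say why the list form was dropped; a one-line comment above `command:` stating the reason would keep the next maintainer from reverting it.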
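Review bot: `DISABLE_REGISTRATION: true` is added without a comment saying why self-registration is off or how accounts are expected to be created instead, which matters because this series later adds a Keycloak OIDC client for Forgejo (patches 09/17 and 10/17). In Forgejo, as in Gitea, this flag also stops accounts from being auto-created for users who first sign in through an OAuth2 source; if SSO users are meant to be provisioned on first login, the setting probably needs to be `ALLOW_ONLY_EXTERNAL_REGISTRATION: true` rather than, or alongside, this one — verify against the Forgejo docs for the deployed version. A comment such as `# no public sign-up: accounts are created by admins or via SSO` above the key, and a similar why-comment above the `other:` block added in patch 07/17 (footer version hidden to reduce version disclosure), would make the intent explicit.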
From: richardrobertreitz Date: Sat, 12 Apr 2025 16:27:05 +0000 Subject: [PATCH 07/17] Update template/stacks/core/forgejo/values.yaml --- template/stacks/core/forgejo/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 520bdf5..90b01a6 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -18,6 +18,9 @@ gitea: config: service: DISABLE_REGISTRATION: true + other: + SHOW_FOOTER_VERSION: false + SHOW_FOOTER_TEMPLATE_LOAD_TIME: false database: DB_TYPE: sqlite3 session: From 3263113ebe3cd771b2243fbde1802c9c5f86ee9d Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 18:49:15 +0000 Subject: [PATCH 08/17] Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml --- .../keycloak/manifests/keycloak-config.yaml | 117 ++++++++++++++---- 1 file changed, 94 insertions(+), 23 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c1d77a7..8418a5c 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -71,11 +71,11 @@ data: }, "type": "default", "protocol": "openid-connect" - } + } group-admin-payload.json: | - {"name":"admin"} + {"name":"admin"} group-base-user-payload.json: | - {"name":"base-user"} + {"name":"base-user"} group-mapper-payload.json: | { "protocol": "openid-connect", @@ -88,15 +88,15 @@ data: "access.token.claim": "true", "userinfo.token.claim": "true" } - } + } realm-payload.json: | - {"realm":"cnoe","enabled":true} + {"realm":"cnoe","enabled":true} user-password.json: | { "temporary": false, "type": "password", "value": "${USER1_PASSWORD}" - } + } user-user1.json: | { "username": "user1", 
@@ -109,7 +109,7 @@ data: "/admin" ], "enabled": true - } + } user-user2.json: | { "username": "user2", @@ -122,7 +122,7 @@ data: "/base-user" ], "enabled": true - } + } argo-client-payload.json: | { "protocol": "openid-connect", @@ -150,7 +150,7 @@ data: "webOrigins": [ "/*" ] - } + } backstage-client-payload.json: | { @@ -179,7 +179,7 @@ data: "webOrigins": [ "/*" ] - } + } grafana-client-payload.json: | { @@ -217,7 +217,45 @@ data: "groups", "email" ] - } + } + + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "offline_access", + "roles", + "profile", + "groups", + "email" + ] + } --- apiVersion: batch/v1 @@ -254,7 +292,7 @@ spec: command: ["/bin/bash", "-c"] args: - | - #! /bin/bash + #! /bin/bash set -ex -o pipefail @@ -355,8 +393,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
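Review bot: The new `argocd-client-payload.json` sets `"directAccessGrantsEnabled": true` on a confidential client, which turns on the OAuth2 password grant: any holder of the client id and secret can exchange user passwords directly for tokens, bypassing browser-based login and any MFA the realm enforces. Argo CD's OIDC login uses the authorization code flow (`standardFlowEnabled`), so the line should read `"directAccessGrantsEnabled": false,`. The same copy-pasted value appears in the `forgejo-client-payload.json` added in patches 09/17 and 10/17 and should be changed there too.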
@@ -370,21 +408,26 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -394,18 +437,45 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == 
"argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') @@ -426,7 +496,8 @@ spec: BACKSTAGE_CLIENT_ID: backstage GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml - From 7a5e29e47d2a64309007fc79a600ef11f19d567d Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 18:52:41 +0000 Subject: [PATCH 09/17] Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml --- .../keycloak/manifests/keycloak-config.yaml | 105 ++++++++---------- 1 file changed, 45 insertions(+), 60 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 8418a5c..c30cee6 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
@@ -181,6 +181,34 @@ data: ] } + forgejo-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "forgejo", + "name": "Forgejo Client", + "description": "Used for Forgejo SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN_GITEA }}}/*" + ], + "webOrigins": [ + "/*" + ] + grafana-client-payload.json: | { "clientId": "grafana", @@ -219,44 +247,6 @@ data: ] } - argocd-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "argocd", - "name": "ArgoCD Client", - "description": "Used for ArgoCD SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "", - "baseUrl": "", - "redirectUris": [ - "https://{{{ .Env.DOMAIN }}}/*" - ], - "webOrigins": [ - "/*" - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "offline_access", - "roles", - "profile", - "groups", - "email" - ] - } - --- apiVersion: batch/v1 kind: Job 
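Review bot: The `forgejo-client-payload.json` added here has no closing `}` — the added lines end with `"webOrigins": [ "/*" ]` and the next line is already the context line `grafana-client-payload.json: |` — so the ConfigMap would carry invalid JSON and the `POST …/clients` in the script would fail. Patch 10/17 re-adds the payload with the brace and also restores the `curl` line continuations that this patch reverts (the `@@ -408,26 +398,21 @@` hunk), so the series as posted has a broken intermediate state. Squashing patches 08–10 into one commit would keep the history bisectable and drop the formatting churn.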
@@ -393,8 +383,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -408,26 +398,21 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -437,7 +422,7 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -455,15 +440,15 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - echo "creating ArgoCD client" + echo "creating Forgejo client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argocd-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/forgejo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id') CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -473,9 +458,9 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') @@ -494,10 +479,10 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage + FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} + FORGEJO_CLIENT_ID: forgejo GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana - ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} - ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml From 2532958de87404df337c29f9b628b036389412e7 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sat, 12 Apr 2025 21:05:35 +0200 Subject: [PATCH 10/17] Added Forgejo to Keycloak config --- .../keycloak/manifests/keycloak-config.yaml | 149 ++++++++++++------ 1 file changed, 104 insertions(+), 45 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c30cee6..6416367 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
@@ -181,34 +181,6 @@ data: ] } - forgejo-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "forgejo", - "name": "Forgejo Client", - "description": "Used for Forgejo SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443", - "baseUrl": "", - "redirectUris": [ - "https://{{{ .Env.DOMAIN_GITEA }}}/*" - ], - "webOrigins": [ - "/*" - ] - grafana-client-payload.json: | { "clientId": "grafana", 
@@ -245,7 +217,65 @@ data: "groups", "email" ] - } + } + + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } + + forgejo-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "forgejo", + "name": "Forgejo Client", + "description": "Used for Forgejo SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } --- apiVersion: batch/v1 @@ -343,7 +373,7 @@ spec: ${KEYCLOAK_URL}/admin/realms/cnoe/groups # Create scope mapper - echo 'adding group claim to tokens' + echo 'adding group claim to tokens' CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') curl -sS -H "Content-Type: application/json" \ 
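Review bot: Both new client payloads allow `"https://{{{ .Env.DOMAIN }}}/*"` as redirect URI; for the Forgejo client this differs from the `DOMAIN_GITEA` host used in patch 09/17, so either the login fails if Forgejo is served on the separate domain, or, if both names reach the same ingress, any path on the platform domain may receive the authorization code. Keycloak matches redirect URIs exactly, so listing only the real callback — for Forgejo `https://<forgejo host>/user/oauth2/<auth-source-name>/callback`, for Argo CD presumably `https://{{{ .Env.DOMAIN }}}/argocd/auth/callback` given the `/argocd` prefix used later in the script — removes the wildcard; verify the source name and path prefix before changing. A short comment above each `redirectUris` stating which host the application is served on would also document why the two clients differ.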
@@ -383,8 +413,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -398,21 +428,26 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -422,7 +457,7 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -440,11 +475,33 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + echo "creating Forgejo client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/forgejo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/forgejo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
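Review bot: The new ArgoCD client block never checks that the `CLIENT_ID` lookup actually found the client before `${CLIENT_ID}` is interpolated into the PUT URL for the default client scopes; the POST uses `curl -sS` without `--fail`, so a rejected creation (for example a conflict when the client already exists in the realm) is silent, and an empty `CLIENT_ID` then produces `.../clients//default-client-scopes/...` and an empty `ARGOCD_CLIENT_SECRET`. Whether `set -e`/`pipefail` is in effect cannot be seen here, so the `jq -e` exit codes may not stop the script either. Adding `-f` (or `--fail-with-body`) to the POST and a guard `[ -n "${CLIENT_ID}" ] || { echo "argocd client not found" >&2; exit 1; }` before the PUT makes the failure explicit; the same pattern applies to the older client blocks, which are not part of this change. The enclosing script starts and ends outside the hunk.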
@@ -459,9 +516,9 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) @@ -479,10 +536,12 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage - FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} - FORGEJO_CLIENT_ID: forgejo GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd + FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} + FORGEJO_CLIENT_ID: forgejo " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml From 55a1eaa6f6479b9775cb9787cf26398927d47a50 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sat, 12 Apr 2025 21:07:43 +0200 Subject: [PATCH 11/17] Added Forgejo to Keycloak config --- .../ref-implementation/keycloak/manifests/keycloak-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 6416367..e325ff0 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
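Review bot: In the second hunk (`@@ -479,10 +536,12 @@`), the new `ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}` line interpolates the secret unquoted into the YAML document assembled by the `echo`, so a secret containing a YAML indicator such as `#` or `: ` would change the document rather than the value; quoting it as `ARGOCD_CLIENT_SECRET: \"${ARGOCD_CLIENT_SECRET}\"` (and likewise the neighbouring `*_CLIENT_SECRET` lines) avoids that. The assembled file also leaves every client secret in `/tmp/secret.yaml` after `./kubectl apply -f /tmp/secret.yaml`; feeding it via `./kubectl apply -f -` or following the apply with `rm -f /tmp/secret.yaml` removes the on-disk copy. The `echo "..."` statement begins outside the hunk, so the surrounding Secret fields (presumably a `stringData:` block) are not visible here.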
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -270,7 +270,7 @@ data:
           "rootUrl": "",
           "baseUrl": "",
           "redirectUris": [
-            "https://{{{ .Env.DOMAIN }}}/*"
+            "https://{{{ .Env.DOMAIN_GITEA }}}/*"
           ],
           "webOrigins": [
             "/*"
From 33def8aba5c018c8c4f1846cdfc6aad790bf48bf Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz
Date: Sat, 12 Apr 2025 21:31:05 +0200
Subject: [PATCH 12/17] Added keycloak client externalsecret for Forgejo and ArgoCD
---
 template/stacks/core/argocd-sso.yaml | 29 +++++++++++++++++++
 .../stacks/core/argocd-sso/argocd-secret.yaml | 21 ++++++++++++++
 template/stacks/core/forgejo-sso.yaml | 29 +++++++++++++++++++
 .../core/forgejo-sso/secret-forgejo.yaml | 21 ++++++++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 template/stacks/core/argocd-sso.yaml
 create mode 100644 template/stacks/core/argocd-sso/argocd-secret.yaml
 create mode 100644 template/stacks/core/forgejo-sso.yaml
 create mode 100644 template/stacks/core/forgejo-sso/secret-forgejo.yaml
diff --git a/template/stacks/core/argocd-sso.yaml b/template/stacks/core/argocd-sso.yaml
new file mode 100644
index 0000000..7ae15bc
--- /dev/null
+++ b/template/stacks/core/argocd-sso.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-sso
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/core/argocd-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: argocd
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
\ No newline at end of file
diff --git a/template/stacks/core/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd-sso/argocd-secret.yaml
new file mode 100644
index 0000000..0ca7b1c
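Review bot: The Forgejo client's redirect URI remains a host-wide wildcard, `"https://{{{ .Env.DOMAIN_GITEA }}}/*"`; only the host changed, so Keycloak will still deliver authorization codes to any path on the Forgejo host. Forgejo consumes them only on its fixed OAuth2 callback path, so the entry can be narrowed to `"https://{{{ .Env.DOMAIN_GITEA }}}/user/oauth2/<AUTH_SOURCE_NAME>/callback"`, where the placeholder is the authentication source name configured on the Forgejo side (not visible on this page). The `"webOrigins": ["/*"]` context line is pre-existing and not part of this change. The client JSON object starts and ends outside the hunk.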
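Review bot: The new `argocd-sso` Application, like `template/stacks/core/forgejo-sso.yaml` in the next hunk, sets `retry.limit: -1` with `factor: 1`, i.e. unbounded retries at a constant 15s interval, so a permanently failing sync never settles into a failed retry state that would draw attention; if the intent is to wait for a secret that only exists after the Keycloak configuration job has run (inferred from the ExternalSecret these Applications deploy), a comment above `retry:` such as `# retry indefinitely: the keycloak-clients secret is created asynchronously by the keycloak-config job` would make that explicit, otherwise a finite `limit` is preferable. Both files also end without a trailing newline (`\ No newline at end of file`); add the final newline.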
--- /dev/null
+++ b/template/stacks/core/argocd-sso/argocd-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: argocd
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
+  data:
+    - secretKey: ARGOCD_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: ARGOCD_CLIENT_SECRET
\ No newline at end of file
diff --git a/template/stacks/core/forgejo-sso.yaml b/template/stacks/core/forgejo-sso.yaml
new file mode 100644
index 0000000..6402b41
--- /dev/null
+++ b/template/stacks/core/forgejo-sso.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-sso
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/core/forgejo-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: gitea
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
\ No newline at end of file
diff --git a/template/stacks/core/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo-sso/secret-forgejo.yaml
new file mode 100644
index 0000000..09318c3
--- /dev/null
+++ b/template/stacks/core/forgejo-sso/secret-forgejo.yaml
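Review bot: `refreshInterval: "0"` in this ExternalSecret, and in `template/stacks/core/forgejo-sso/secret-forgejo.yaml` in the next hunk, disables periodic refresh, so `auth-generic-oauth-secret` is rendered once from `keycloak-clients` and never re-read; if the Keycloak client secret is ever regenerated (the configuration job in the earlier hunks recreates the clients, so a re-run would plausibly do that), the ArgoCD and Forgejo copies go stale until the ExternalSecret is deleted and recreated. If one-shot resolution is intended, record it with a comment above the field, `# one-shot: the client secret is written once by the keycloak-config job`; otherwise a non-zero interval such as `refreshInterval: 1h` keeps the copies in sync.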
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: gitea
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.FORGEJO_CLIENT_SECRET}}"
+  data:
+    - secretKey: FORGEJO_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_SECRET
\ No newline at end of file
From ead21d078a041ec99f0b179551c7881a43415b2d Mon Sep 17 00:00:00 2001
From: richardrobertreitz
Date: Sat, 12 Apr 2025 20:42:55 +0000
Subject: [PATCH 13/17] Update template/stacks/core/argocd-sso/argocd-secret.yaml
---
 template/stacks/core/argocd-sso/argocd-secret.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/template/stacks/core/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd-sso/argocd-secret.yaml
index 0ca7b1c..105bdf4 100644
--- a/template/stacks/core/argocd-sso/argocd-secret.yaml
+++ b/template/stacks/core/argocd-sso/argocd-secret.yaml
@@ -14,6 +14,9 @@ spec:
       engineVersion: v2
       data:
         client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argocd
   data:
     - secretKey: ARGOCD_CLIENT_SECRET
       remoteRef:
From 1a8c2846bceec24ce6cfcd5ec6acc876f4ba2eaf Mon Sep 17 00:00:00 2001
From: richardrobertreitz
Date: Sat, 12 Apr 2025 21:21:16 +0000
Subject: [PATCH 14/17] Update template/stacks/core/forgejo-sso/secret-forgejo.yaml
---
 template/stacks/core/forgejo-sso/secret-forgejo.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/template/stacks/core/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo-sso/secret-forgejo.yaml
index 09318c3..d449c24 100644
--- a/template/stacks/core/forgejo-sso/secret-forgejo.yaml
+++ b/template/stacks/core/forgejo-sso/secret-forgejo.yaml
@@ -13,9 +13,14 @@ spec:
     template:
       engineVersion: v2
       data:
-        client_secret: "{{.FORGEJO_CLIENT_SECRET}}"
+        key: "{{.FORGEJO_CLIENT_ID}}"
+        secret: "{{.FORGEJO_CLIENT_SECRET}}"
   data:
+    - secretKey: FORGEJO_CLIENT_ID
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_ID
     - secretKey: FORGEJO_CLIENT_SECRET
       remoteRef:
         key: keycloak-clients
-        property: FORGEJO_CLIENT_SECRET
\ No newline at end of file
+        property: FORGEJO_CLIENT_SECRET
From 9bb0063f8bd7608a811eeedef3a1d0d9748c55bc Mon Sep 17 00:00:00 2001
From: richardrobertreitz
Date: Tue, 22 Apr 2025 12:29:50 +0000
Subject: [PATCH 15/17] Use Redis in the Forgejo configuration to support rolling updates of Forgejo itself

Forgejo is not able to be reconfigured by default: a queue is locked
To circumvent the problem, we need simply to enable the use of Redis as a Forgejo component
---
 template/stacks/core/forgejo/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 90b01a6..b98bbf3 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -1,5 +1,5 @@
 redis-cluster:
-  enabled: false
+  enabled: true
 postgresql:
   enabled: false
 postgresql-ha:
From 4eb6fa0908488f9e1c2a01cbc4556cdb30d05606 Mon Sep 17 00:00:00 2001
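Review bot: In the `values.yaml` hunk (`@@ -1,5 +1,5 @@`), the reason for flipping `redis-cluster.enabled` to `true` lives only in the commit message, so the next reader of the values file sees an extra stateful component with no explanation. A comment above the key, `# enabled so Forgejo's queues are not locked during rolling updates (see commit 9bb0063f)`, keeps the rationale with the setting. The subchart's own settings (resources, auth) are not visible in this file section, so I cannot tell whether any accompanying configuration was intended.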
From: Bot
Date: Tue, 22 Apr 2025 18:56:30 +0200
Subject: [PATCH 16/17] Removed unused ArgoCD Application manifests of Crossplane
---
 .../stacks/core/crossplane-compositions.yaml | 23 --------------
 .../edfbuilder/definition.yaml | 30 -------------------
 .../stacks/core/crossplane-providers.yaml | 23 --------------
 .../function-patch-and-transform.yaml | 9 ------
 .../provider-argocd-config.yaml | 14 ---------
 .../provider-kind-config.yaml | 14 ---------
 template/stacks/core/crossplane.yaml | 23 --------------
 7 files changed, 136 deletions(-)
 delete mode 100644 template/stacks/core/crossplane-compositions.yaml
 delete mode 100644 template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
 delete mode 100644 template/stacks/core/crossplane-providers.yaml
 delete mode 100644 template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
 delete mode 100644 template/stacks/core/crossplane-providers/provider-argocd-config.yaml
 delete mode 100644 template/stacks/core/crossplane-providers/provider-kind-config.yaml
 delete mode 100644 template/stacks/core/crossplane.yaml
diff --git a/template/stacks/core/crossplane-compositions.yaml b/template/stacks/core/crossplane-compositions.yaml
deleted file mode 100644
index d5341c8..0000000
--- a/template/stacks/core/crossplane-compositions.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: crossplane-compositions
-  namespace: argocd
-  labels:
-    env: dev
-spec:
-  project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
-  source:
-    path: stacks/core/crossplane-compositions
-    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-    targetRevision: HEAD
-    directory:
-      recurse: true
diff --git a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml b/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
deleted file mode 100644
index d8e3e9d..0000000
--- a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: apiextensions.crossplane.io/v1
-kind: CompositeResourceDefinition
-metadata:
-  name: edfbuilders.edfbuilder.crossplane.io
-spec:
-  connectionSecretKeys:
-    - kubeconfig
-  group: edfbuilder.crossplane.io
-  names:
-    kind: EDFBuilder
-    listKind: EDFBuilderList
-    plural: edfbuilders
-    singular: edfbuilders
-  versions:
-    - name: v1alpha1
-      served: true
-      referenceable: true
-      schema:
-        openAPIV3Schema:
-          description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
-          type: object
-          properties:
-            spec:
-              type: object
-              properties:
-                repoURL:
-                  type: string
-                  description: URL to ArgoCD stack of stacks repo
-              required:
-                - repoURL
diff --git a/template/stacks/core/crossplane-providers.yaml b/template/stacks/core/crossplane-providers.yaml
deleted file mode 100644
index 3fd69b7..0000000
--- a/template/stacks/core/crossplane-providers.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{{ if eq .Env.CLUSTER_TYPE "kind" }}}
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: crossplane-providers
-  namespace: argocd
-  labels:
-    env: dev
-spec:
-  project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
-  source:
-    path: stacks/core/crossplane-providers
-    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-    targetRevision: HEAD
-{{{ end }}}
diff --git a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml b/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
deleted file mode 100644
index 9a16bba..0000000
--- a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Function
-metadata:
-  name: crossplane-contrib-function-patch-and-transform
-spec:
-  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1
\ No newline at end of file
diff --git a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml b/template/stacks/core/crossplane-providers/provider-argocd-config.yaml
deleted file mode 100644
index dba4aad..0000000
--- a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: argocd.crossplane.io/v1alpha1
-kind: ProviderConfig
-metadata:
-  name: argocd-provider
-spec:
-  serverAddr: argocd-server.argocd.svc.cluster.local:80
-  insecure: true
-  plainText: true
-  credentials:
-    source: Secret
-    secretRef:
-      namespace: crossplane-system
-      name: argocd-credentials
-      key: authToken
diff --git a/template/stacks/core/crossplane-providers/provider-kind-config.yaml b/template/stacks/core/crossplane-providers/provider-kind-config.yaml
deleted file mode 100644
index edc8dcb..0000000
--- a/template/stacks/core/crossplane-providers/provider-kind-config.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: kind.crossplane.io/v1alpha1
-kind: ProviderConfig
-metadata:
-  name: kind-provider
-spec:
-  credentials:
-    source: Secret
-    secretRef:
-      namespace: crossplane-system
-      name: kind-credentials
-      key: credentials
-  endpoint:
-    # the url is managed by crossplane-edfbuilder
-    url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver
diff --git a/template/stacks/core/crossplane.yaml b/template/stacks/core/crossplane.yaml
deleted file mode 100644
index 4b6f2af..0000000
--- a/template/stacks/core/crossplane.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: crossplane
-  namespace: argocd
-  labels:
-    env: dev
-spec:
-  project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
-  source:
-    chart: crossplane
-    repoURL: https://charts.crossplane.io/stable
-    targetRevision: 1.18.0
-    helm:
-      releaseName: crossplane
From abeeb7ee23e50605ebcd9a2af79e871b32560534 Mon Sep 17 00:00:00 2001
From: Bot
Date: Wed, 23 Apr 2025 13:20:24 +0200
Subject: [PATCH 17/17] chore(backstage): pin to backstage-edp v1.1.0
---
 .../stacks/ref-implementation/backstage/manifests/install.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index c86f6fa..88f0d0e 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -264,7 +264,8 @@ spec:
               name: gitea-credentials
           - secretRef:
               name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
+          imagePullPolicy: Always
           name: backstage
           ports:
             - containerPort: 7007
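Review bot: In the `install.yaml` hunk (`@@ -264,7 +264,8 @@`), `imagePullPolicy: Always` paired with the mutable tag `1.1.0` means every pod start pulls whatever the registry currently serves under that tag, so the pin is only as strong as the registry's tag immutability and the `Always` policy suggests the tag is expected to move. For a reproducible reference, pin by digest as well, `image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0@sha256:<IMAGE_DIGEST>`, after which `Always` becomes redundant; if re-pushing the tag is deliberate, a comment above `imagePullPolicy` stating that would explain the choice. The container spec continues outside the hunk.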