Merge branch 'development' into IPCEICIS-2952

template/stacks/core/argocd-sso.yaml

@@ -1,23 +1,29 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: crossplane-compositions
+  name: argocd-sso
   namespace: argocd
   labels:
     env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
   source:
-    path: stacks/core/crossplane-compositions
     repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
     targetRevision: HEAD
-    directory:
+    path: "stacks/core/argocd-sso"
-      recurse: true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: argocd
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/core/argocd-sso/argocd-secret.yaml

@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: argocd 
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argocd
+  data:
+    - secretKey: ARGOCD_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: ARGOCD_CLIENT_SECRET

template/stacks/core/argocd.yaml

@@ -16,12 +16,12 @@ spec:
     name: in-cluster
     namespace: argocd
   sources:
-    - repoURL: https://github.com/argoproj/argo-helm
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
       path: charts/argo-cd
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.7.5
+      targetRevision: argo-cd-7.8.14-depends
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml

template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml

@@ -1,30 +0,0 @@
-apiVersion: apiextensions.crossplane.io/v1
-kind: CompositeResourceDefinition
-metadata:
-  name: edfbuilders.edfbuilder.crossplane.io
-spec:
-  connectionSecretKeys:
-    - kubeconfig
-  group: edfbuilder.crossplane.io
-  names:
-    kind: EDFBuilder
-    listKind: EDFBuilderList
-    plural: edfbuilders
-    singular: edfbuilders
-  versions:
-    - name: v1alpha1
-      served: true
-      referenceable: true
-      schema:
-        openAPIV3Schema:
-          description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
-          type: object
-          properties:
-            spec:
-              type: object
-              properties:
-                repoURL:
-                  type: string
-                  description: URL to ArgoCD stack of stacks repo
-              required:
-                - repoURL

template/stacks/core/crossplane-providers/function-patch-and-transform.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Function
-metadata:
-  name: crossplane-contrib-function-patch-and-transform
-spec:
-  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-argocd-config.yaml

@@ -1,14 +0,0 @@
-apiVersion: argocd.crossplane.io/v1alpha1
-kind: ProviderConfig
-metadata:
-  name: argocd-provider
-spec:
-  serverAddr: argocd-server.argocd.svc.cluster.local:80
-  insecure: true
-  plainText: true
-  credentials:
-    source: Secret
-    secretRef:
-      namespace: crossplane-system
-      name: argocd-credentials
-      key: authToken

template/stacks/core/crossplane-providers/provider-argocd.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-argocd
-spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-kind-config.yaml

@@ -1,14 +0,0 @@
-apiVersion: kind.crossplane.io/v1alpha1
-kind: ProviderConfig
-metadata:
-  name: kind-provider
-spec:
-  credentials:
-    source: Secret
-    secretRef:
-      namespace: crossplane-system
-      name: kind-credentials
-      key: credentials
-  endpoint:
-    # the url is managed by crossplane-edfbuilder
-    url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver

template/stacks/core/crossplane-providers/provider-kind.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-kind
-spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.1
-  packagePullPolicy: IfNotPresent
-  revisionActivationPolicy: Automatic
-  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-shell.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-shell
-spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.5
-  packagePullPolicy: IfNotPresent
-  revisionActivationPolicy: Automatic
-  revisionHistoryLimit: 1

template/stacks/core/crossplane.yaml

@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: crossplane
-  namespace: argocd
-  labels:
-    env: dev
-spec:
-  project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
-  source:
-    chart: crossplane
-    repoURL: https://charts.crossplane.io/stable
-    targetRevision: 1.18.0
-    helm:
-      releaseName: crossplane

template/stacks/core/forgejo-runner/dind-docker.yaml

@@ -28,19 +28,18 @@ spec:
       # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
       initContainers:
         - name: runner-register
-          image: code.forgejo.org/forgejo/runner:6.0.1
+          image: code.forgejo.org/forgejo/runner:6.3.1
           command:
-            - "forgejo-runner"
+          - "sh"
-            - "register"
+          - "-c"
-            - "--no-interactive"
+          - |
-            - "--token"
+            forgejo-runner \
-            - $(RUNNER_SECRET)
+              register \
-            - "--name"
+              --no-interactive \
-            - $(RUNNER_NAME)
+              --token ${RUNNER_SECRET} \
-            - "--instance"
+              --name ${RUNNER_NAME} \
-            - $(FORGEJO_INSTANCE_URL)
+              --instance ${FORGEJO_INSTANCE_URL} \
-            - "--labels"
+              --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
-            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
           env:
             - name: RUNNER_NAME
               valueFrom:
@@ -58,7 +57,7 @@ spec:
               mountPath: /data
       containers:
       - name: runner
-        image: code.forgejo.org/forgejo/runner:6.0.1
+        image: code.forgejo.org/forgejo/runner:6.3.1
         command: 
           - "sh"
           - "-c"
@@ -94,7 +93,7 @@ spec:
         - name: runner-data
           mountPath: /data
       - name: daemon
-        image: docker:27.4.1-dind
+        image: docker:28.0.4-dind
         env:
         - name: DOCKER_TLS_CERTDIR
           value: /certs

template/stacks/core/forgejo-sso.yaml

@@ -1,23 +1,29 @@
-{{{ if eq .Env.CLUSTER_TYPE "kind" }}}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: crossplane-providers
+  name: forgejo-sso
   namespace: argocd
   labels:
     env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
   source:
-    path: stacks/core/crossplane-providers
     repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
     targetRevision: HEAD
-{{{ end }}}
+    path: "stacks/core/forgejo-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: gitea
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/core/forgejo-sso/secret-forgejo.yaml

@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: gitea 
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        key: "{{.FORGEJO_CLIENT_ID}}"
+        secret: "{{.FORGEJO_CLIENT_SECRET}}"
+  data:
+    - secretKey: FORGEJO_CLIENT_ID
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_ID
+    - secretKey: FORGEJO_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_SECRET

template/stacks/core/forgejo.yaml

@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: gitea
   sources:
-    - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
       path: .
-      targetRevision: v10.1.1
+      targetRevision: v11.0.5-depends
       helm:
         valueFiles:
           - $values/stacks/core/forgejo/values.yaml

template/stacks/core/forgejo/values.yaml

@@ -1,5 +1,5 @@
 redis-cluster:
-  enabled: false
+  enabled: true
 postgresql:
   enabled: false
 postgresql-ha:
@@ -16,6 +16,11 @@ gitea:
   admin:
     existingSecret: gitea-credential
   config:
+    service:
+      DISABLE_REGISTRATION: true
+    other:
+      SHOW_FOOTER_VERSION: false
+      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
     database:
       DB_TYPE: sqlite3
     session:

template/stacks/core/ingress-nginx.yaml

@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: ingress-nginx
   sources:
-    - repoURL: https://github.com/kubernetes/ingress-nginx
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git
       path: charts/ingress-nginx
-      targetRevision: helm-chart-4.11.3
+      targetRevision: helm-chart-4.12.1-depends
       helm:
         valueFiles:
           - $values/stacks/core/ingress-nginx/values.yaml

template/stacks/ref-implementation/backstage/manifests/install.yaml

@@ -264,7 +264,8 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
+          imagePullPolicy: Always
           name: backstage
           ports:
             - containerPort: 7007

template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml

@@ -219,6 +219,64 @@ data:
       ]
     }
 
+  argocd-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "argocd",
+      "name": "ArgoCD Client",
+      "description": "Used for ArgoCD SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://{{{ .Env.DOMAIN }}}/*"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }      
+
+  forgejo-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "forgejo",
+      "name": "Forgejo Client",
+      "description": "Used for Forgejo SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }      
+
 ---
 apiVersion: batch/v1
 kind: Job
@@ -383,8 +441,13 @@ spec:
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
               
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -400,13 +463,62 @@ spec:
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
               
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 
+              echo "creating ArgoCD client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/argocd-client-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
+              
+              echo "creating Forgejo client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/forgejo-client-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
+
               ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
               
               ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
@@ -426,7 +538,10 @@ spec:
                 BACKSTAGE_CLIENT_ID: backstage
                 GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
                 GRAFANA_CLIENT_ID: grafana
+                ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
+                ARGOCD_CLIENT_ID: argocd
+                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
+                FORGEJO_CLIENT_ID: forgejo
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml
-