diff --git a/template/stacks/core/argocd/manifests/argocd-forgejo-access-token.yaml b/template/stacks/core/argocd/manifests/argocd-forgejo-access-token.yaml
new file mode 100644
index 0000000..8003a1f
--- /dev/null
+++ b/template/stacks/core/argocd/manifests/argocd-forgejo-access-token.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: forgejo-access-token
+ namespace: argocd
+spec:
+ secretStoreRef:
+ name: gitea
+ kind: ClusterSecretStore
+ refreshInterval: "0"
+ target:
+ name: forgejo-access-token
+ template:
+ engineVersion: v2
+ data:
+ forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+ forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argocd
+ data:
+ - secretKey: FORGEJO_ACCESS_USERNAME
+ remoteRef:
+ key: forgejo-access-token
+ property: username
+ - secretKey: FORGEJO_ACCESS_TOKEN
+ remoteRef:
+ key: forgejo-access-token
+ property: token
diff --git a/template/stacks/core/argocd/manifests/argocd-secret.yaml b/template/stacks/core/argocd/manifests/argocd-secret.yaml
new file mode 100644
index 0000000..105bdf4
--- /dev/null
+++ b/template/stacks/core/argocd/manifests/argocd-secret.yaml
@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: auth-generic-oauth-secret
+ namespace: argocd
+spec:
+ secretStoreRef:
+ name: keycloak
+ kind: ClusterSecretStore
+ refreshInterval: "0"
+ target:
+ name: auth-generic-oauth-secret
+ template:
+ engineVersion: v2
+ data:
+ client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argocd
+ data:
+ - secretKey: ARGOCD_CLIENT_SECRET
+ remoteRef:
+ key: keycloak-clients
+ property: ARGOCD_CLIENT_SECRET
\ No newline at end of file
diff --git a/template/stacks/core/argocd/manifests/argocd-sso-config.yaml b/template/stacks/core/argocd/manifests/argocd-sso-config.yaml
new file mode 100644
index 0000000..27160cf
--- /dev/null
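Review bot: `refreshInterval: "0"` in this ExternalSecret means a one-time sync in external-secrets, so a Forgejo token rotated in the `gitea` ClusterSecretStore leaves a stale copy in the argocd namespace until someone recreates the resource; the same value appears in argocd-secret.yaml, forgejo-access-token.yaml and forgejo-secret.yaml. If the one-shot sync is deliberate, a comment above the line such as `# "0" = sync once at creation; rotate by re-creating this ExternalSecret` keeps the next reader from changing it, otherwise a non-zero value (for example `refreshInterval: 1h`) keeps the copy current after rotation. The two argocd manifests also label the generated Secret with `app.kubernetes.io/part-of: argocd` while the two gitea-namespace ones carry no labels; if the label is only needed on the Argo CD side that is fine, but it is worth stating in a comment.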
+++ b/template/stacks/core/argocd/manifests/argocd-sso-config.yaml
@@ -0,0 +1,54 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: argocd-config
+ namespace: argocd
+spec:
+ template:
+ metadata:
+ generateName: argocd-config-
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: push
+ image: docker.io/library/ubuntu:22.04
+ env:
+ - name: FORGEJO_USER
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_username
+ - name: FORGEJO_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_token
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ #! /bin/bash
+
+ apt -qq update
+ apt -qq install git wget -y
+ if [[ "$(uname -m)" == "x86_64" ]]; then
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+ install yq_linux_amd64 /usr/local/bin/yq
+ rm yq_linux_amd64
+ else
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+ install yq_linux_arm64 /usr/local/bin/yq
+ rm yq_linux_arm64
+ fi
+
+ git config --global user.email "bot@bots.de"
+ git config --global user.name "bot"
+
+ git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
+ cd edfbuilder
+ yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
+
+ git add stacks/core/argocd/values.yaml
+ git commit -m "adds Forgejo SSO config"
+ git push
+ backoffLimit: 99
\ No newline at end of file
diff --git a/template/stacks/core/forgejo/manifests/forgejo-access-token.yaml b/template/stacks/core/forgejo/manifests/forgejo-access-token.yaml
new file mode 100644
index 0000000..215af67
--- /dev/null
+++ b/template/stacks/core/forgejo/manifests/forgejo-access-token.yaml
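Review bot: The Job script never sets `set -euo pipefail`, so when apt, the yq download or the `yq eval` edit fails, `git add` stages nothing, `git commit` fails on an empty change and the final `git push` exits 0, which marks the Job succeeded with the SSO config never written; `restartPolicy: OnFailure` and `backoffLimit: 99` only help if the script actually fails. The clone line also embeds `${FORGEJO_TOKEN}` in the remote URL, which stores it in the workspace's `.git/config` and echoes it in git's own error output on a failed clone, i.e. into the pod logs; a credential helper that reads the two env vars keeps the token out of both. The yq binary is fetched from a pinned release but installed without any integrity check, so a `sha256sum -c` against the published checksums file would close that supply-chain gap. The same three points apply to the Job in forgejo-sso-config.yaml.

```yaml
        args:
          - |
            set -euo pipefail
            apt -qq update
            apt -qq install git wget -y
            if [[ "$(uname -m)" == "x86_64" ]]; then
              wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
              echo "<SHA256_OF_yq_linux_amd64_FROM_v4.44.3_CHECKSUMS_FILE>  yq_linux_amd64" | sha256sum -c -
              install yq_linux_amd64 /usr/local/bin/yq
              rm yq_linux_amd64
            else
              wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
              echo "<SHA256_OF_yq_linux_arm64_FROM_v4.44.3_CHECKSUMS_FILE>  yq_linux_arm64" | sha256sum -c -
              install yq_linux_arm64 /usr/local/bin/yq
              rm yq_linux_arm64
            fi
            # … unchanged: git user.email / user.name …
            git config --global credential.helper '!f() { echo "username=${FORGEJO_USER}"; echo "password=${FORGEJO_TOKEN}"; }; f'
            git clone https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
            # … unchanged: cd edfbuilder, yq eval of oidc.config, git add / commit / push …
```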
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: forgejo-access-token
+ namespace: gitea
+spec:
+ secretStoreRef:
+ name: gitea
+ kind: ClusterSecretStore
+ refreshInterval: "0"
+ target:
+ name: forgejo-access-token
+ template:
+ engineVersion: v2
+ data:
+ forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+ forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+ data:
+ - secretKey: FORGEJO_ACCESS_USERNAME
+ remoteRef:
+ key: forgejo-access-token
+ property: username
+ - secretKey: FORGEJO_ACCESS_TOKEN
+ remoteRef:
+ key: forgejo-access-token
+ property: token
diff --git a/template/stacks/core/forgejo/manifests/forgejo-secret.yaml b/template/stacks/core/forgejo/manifests/forgejo-secret.yaml
new file mode 100644
index 0000000..d449c24
--- /dev/null
+++ b/template/stacks/core/forgejo/manifests/forgejo-secret.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: auth-generic-oauth-secret
+ namespace: gitea
+spec:
+ secretStoreRef:
+ name: keycloak
+ kind: ClusterSecretStore
+ refreshInterval: "0"
+ target:
+ name: auth-generic-oauth-secret
+ template:
+ engineVersion: v2
+ data:
+ key: "{{.FORGEJO_CLIENT_ID}}"
+ secret: "{{.FORGEJO_CLIENT_SECRET}}"
+ data:
+ - secretKey: FORGEJO_CLIENT_ID
+ remoteRef:
+ key: keycloak-clients
+ property: FORGEJO_CLIENT_ID
+ - secretKey: FORGEJO_CLIENT_SECRET
+ remoteRef:
+ key: keycloak-clients
+ property: FORGEJO_CLIENT_SECRET
diff --git a/template/stacks/core/forgejo/manifests/forgejo-sso-config.yaml b/template/stacks/core/forgejo/manifests/forgejo-sso-config.yaml
new file mode 100644
index 0000000..875e348
--- /dev/null
+++ b/template/stacks/core/forgejo/manifests/forgejo-sso-config.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: forgejo-config
+ namespace: gitea
+spec:
+ template:
+ metadata:
+ generateName: forgejo-config-
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: push
+ image: docker.io/library/ubuntu:22.04
+ env:
+ - name: FORGEJO_USER
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_username
+ - name: FORGEJO_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-access-token
+ key: forgejo_token
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ #! /bin/bash
+
+ apt -qq update
+ apt -qq install git wget -y
+ if [[ "$(uname -m)" == "x86_64" ]]; then
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+ install yq_linux_amd64 /usr/local/bin/yq
+ rm yq_linux_amd64
+ else
+ wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+ install yq_linux_arm64 /usr/local/bin/yq
+ rm yq_linux_arm64
+ fi
+
+ git config --global user.email "bot@bots.de"
+ git config --global user.name "giteaAdmin"
+
+ git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
+ cd edfbuilder
+ yq eval ".gitea.oauth = [
+ {
+ \"name\": \"Keycloak\",
+ \"provider\": \"openidConnect\",
+ \"existingSecret\": \"auth-generic-oauth-secret\",
+ \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
+ }
+ ] |
+ (.gitea.oauth[] | .name) |= (. style=\"single\")
+ |
+ (.gitea.oauth[] | .provider) |= (. style=\"single\")
+ |
+ (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
+ |
+ (.gitea.oauth[] | .autoDiscoverUrl) |= (. 
style=\"single\")
+ " -i stacks/core/forgejo/values.yaml
+
+ yq eval '.gitea.config.oauth2_client =
+ {
+ "ENABLE_AUTO_REGISTRATION" : true,
+ "ACCOUNT_LINKING" : "auto"
+ }
+ ' -i stacks/core/forgejo/values.yaml
+
+ git add stacks/core/forgejo/values.yaml
+ git commit -m "adds Forgejo SSO config"
+ git push
+ backoffLimit: 99
\ No newline at end of file
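Review bot: The second `yq eval` sets `"ACCOUNT_LINKING" : "auto"` next to `"ENABLE_AUTO_REGISTRATION" : true`, which makes Forgejo attach an incoming Keycloak identity to an existing local account with the same email address without any action by that user; whether the Keycloak realm in this template only issues verified email addresses is not visible from the diff, and the linking policy is only safe under that assumption. That assumption deserves a comment next to the value, e.g. `# ACCOUNT_LINKING auto matches by email — relies on Keycloak enforcing verified emails`, or `"login"` as the more conservative setting if it cannot be guaranteed. The script also sets `git config --global user.name "giteaAdmin"` while the argocd-sso-config.yaml Job uses `"bot"` with the same `bot@bots.de` email, so the two commits will be attributed differently; the Jobs should agree on one identity. The missing `set -euo pipefail`, the token embedded in the clone URL and the unverified yq download are the same issues as in argocd-sso-config.yaml and are covered there.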