From 265af3acfffbb8d2eae666b991db87b0d24fdadb Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:01:07 +0000
Subject: [PATCH 01/58] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 3518102..cd2a34b 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
-      targetRevision: argo-cd-7.7.5
+      targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml

From 9cc9b864a2e4bef9421efd62ed4434877faa6cc9 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:04:21 +0000
Subject: [PATCH 02/58] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index cd2a34b..15cb6fb 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,6 +18,7 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
+      # TOD: RIRE 
       targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:

From 168286cfce1688a280cca8ed9fdedcc4a1f2840a Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:07:21 +0000
Subject: [PATCH 03/58] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 15cb6fb..215d1e3 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
-      # TOD: RIRE 
+      # TOD: RIRE can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:

From 90168312862e39fe4e3c7026e9cf20a2bc98b51f Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:15:56 +0000
Subject: [PATCH 04/58] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 215d1e3..4433721 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,7 +18,9 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
-      # TOD: RIRE can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
+      # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
+      # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
+      # similar to the CNOE amazon reference implementation and in our case, Forgejo
       targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:

From 88d599a69109dc026ac0fe284fef85f89a9a0519 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 13:30:29 +0000
Subject: [PATCH 05/58] Update
 template/stacks/monitoring/kube-prometheus/values.yaml

---
 .../monitoring/kube-prometheus/values.yaml    | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 9c0ca32..942f6a6 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -33,6 +33,26 @@ grafana:
       domain: {{{ .Env.DOMAIN }}}
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
+    auth:
+      oauth_allow_insecure_email_lookup: true
+      disable_login: true
+      disable_login_form: true
+    auth.generic_oauth:
+      enabled: true
+      name: Keycloak-OAuth
+      allow_sign_up: true
+      client_id: grafana-oauth
+      #client_secret: todo need to be set elsewhere
+      scopes: openid email profile offline_access roles
+      email_attribute_path: email
+      login_attribute_path: username
+      name_attribute_path: full_name
+      tls_skip_verify_insecure: true
+      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
+      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
+      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
+      role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
       
   serviceMonitor:
     # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator

From 0f8282ead68f085dd4c47416333c7335175dd1b6 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 14:08:07 +0000
Subject: [PATCH 06/58] Update
 template/stacks/monitoring/kube-prometheus/values.yaml

---
 .../monitoring/kube-prometheus/values.yaml    | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 942f6a6..22ffb4c 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -30,7 +30,7 @@ grafana:
 
   grafana.ini:
     server:
-      domain: {{{ .Env.DOMAIN }}}
+      domain: factory-172-18-0-2.traefik.me
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
     auth:
@@ -41,19 +41,26 @@ grafana:
       enabled: true
       name: Keycloak-OAuth
       allow_sign_up: true
-      client_id: grafana-oauth
-      #client_secret: todo need to be set elsewhere
+      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+      client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
       email_attribute_path: email
       login_attribute_path: username
       name_attribute_path: full_name
       tls_skip_verify_insecure: true
-      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
-      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
-      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
-      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
+      auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth
+      token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token
+      api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+      redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth
       role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
       
+  extraSecretMounts:
+    - name: auth-generic-oauth-secret-mount
+      secretName: auth-generic-oauth-secret
+      defaultMode: 0440
+      mountPath: /etc/secrets/auth_generic_oauth
+      readOnly: true
+
   serviceMonitor:
     # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
     enabled: true

From ce6c51eea97f94d27109a1774585347c9425f39d Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 10:47:25 +0100
Subject: [PATCH 07/58] Enhanced grafana yaml

---
 .../stacks/monitoring/kube-prometheus/values.yaml  | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 22ffb4c..c0754b6 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -30,11 +30,10 @@ grafana:
 
   grafana.ini:
     server:
-      domain: factory-172-18-0-2.traefik.me
+      domain: {{{ .Env.DOMAIN }}}
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
     auth:
-      oauth_allow_insecure_email_lookup: true
       disable_login: true
       disable_login_form: true
     auth.generic_oauth:
@@ -47,12 +46,11 @@ grafana:
       email_attribute_path: email
       login_attribute_path: username
       name_attribute_path: full_name
-      tls_skip_verify_insecure: true
-      auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth
-      token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token
-      api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo
-      redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth
-      role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
+      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
+      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
+      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
+      role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'"
       
   extraSecretMounts:
     - name: auth-generic-oauth-secret-mount

From 65c5321ce687d78ab6c8f774c4e3d2b1b12838d9 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:11:38 +0100
Subject: [PATCH 08/58] Added Grafana client config to Keycloak

---
 .../keycloak/manifests/keycloak-config.yaml   | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index e2a0981..2dd6d9b 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -181,6 +181,82 @@ data:
       ]
     }
 
+  grafana-client-payload.json: |
+    {
+      "clientId": "grafana-oauth",
+      "name": "grafana-oauth",
+      "description": "Used for Grafana SSO",
+      "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL",
+      "redirectUris": [
+        "http://{{{ .Env.DOMAIN }}}/grafana/*"
+      ],
+      "webOrigins": [
+        "https://{{{ .Env.DOMAIN }}}/grafana"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": true,
+      "protocol": "openid-connect",
+      "attributes": {
+        "oidc.ciba.grant.enabled": "false",
+        "backchannel.logout.session.required": "true",
+        "display.on.consent.screen": "false",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.revoke.offline.tokens": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "protocolMappers": [
+        {
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "false",
+            "user.attribute": "foo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "roles",
+        "offline_access",
+        "profile",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "microprofile-jwt"
+      ],
+      "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+      }
+    }
+
 ---
 apiVersion: batch/v1
 kind: Job

From efa3a6e4dceb74b3eb9321d59492cdddf3fe9c7c Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:18:04 +0100
Subject: [PATCH 09/58] Added ArgoCD sync retry to Grafana

---
 template/stacks/monitoring/kube-prometheus.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml
index 32cdc88..1f5218c 100644
--- a/template/stacks/monitoring/kube-prometheus.yaml
+++ b/template/stacks/monitoring/kube-prometheus.yaml
@@ -15,6 +15,8 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true  # do not copy metdata, since (because of its large size) it can lead to sync failure
+    retry:
+      limit: -1
   destination:
     name: in-cluster
     namespace: monitoring

From e02d4bb272b1df68e4fa5e4171d0dfbf5d77edf4 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:27:51 +0100
Subject: [PATCH 10/58] Added more Grafana client config to Keycloak

---
 .../keycloak/manifests/keycloak-config.yaml   | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 2dd6d9b..d071f9a 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -183,8 +183,8 @@ data:
 
   grafana-client-payload.json: |
     {
-      "clientId": "grafana-oauth",
-      "name": "grafana-oauth",
+      "clientId": "grafana",
+      "name": "Grafana Client",
       "description": "Used for Grafana SSO",
       "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
@@ -406,7 +406,30 @@ spec:
               ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
+
+
+
+              echo "creating Grafana client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/grafana-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+
+
+
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -441,6 +464,8 @@ spec:
                 ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
                 BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
                 BACKSTAGE_CLIENT_ID: backstage
+                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
+                GRAFANA_CLIENT_ID: grafana
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml

From 688795ffadb37d1a4bc491610b6b7c1ad92318bf Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:46:20 +0100
Subject: [PATCH 11/58] Added more Grafana client config to Keycloak

---
 template/stacks/monitoring/kube-prometheus/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index c0754b6..7a0a4f1 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -40,6 +40,7 @@ grafana:
       enabled: true
       name: Keycloak-OAuth
       allow_sign_up: true
+      use_refresh_token: true
       client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
       client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
@@ -50,7 +51,7 @@ grafana:
       token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
       api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
       redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
-      role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'"
+      role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'"
       
   extraSecretMounts:
     - name: auth-generic-oauth-secret-mount

From b58e373da9de3d870491053249954192c2f900b1 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 14:19:07 +0100
Subject: [PATCH 12/58] Added email to Keycloak users and upgraded ArgoCD again
 as it requires more work

---
 template/stacks/core/argocd.yaml                          | 2 +-
 .../keycloak/manifests/keycloak-config.yaml               | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 4433721..4f65e09 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -21,7 +21,7 @@ spec:
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.6.12
+      targetRevision: argo-cd-7.7.5
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index d071f9a..604d714 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -100,11 +100,11 @@ data:
   user-user1.json: |
     {
         "username": "user1",
-        "email": "",
+        "email": "user1@user.de",
         "firstName": "user",
         "lastName": "one",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/admin"
         ],
@@ -113,11 +113,11 @@ data:
   user-user2.json: |
     {
         "username": "user2",
-        "email": "",
+        "email": "user2@user.de",
         "firstName": "user",
         "lastName": "two",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/base-user"
         ],

From 2d3ebadd506e8453d69e3a444337a8b84c98be2a Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 14:52:08 +0100
Subject: [PATCH 13/58] Simplified Keycloaks Grafana config

---
 .../monitoring/kube-prometheus/values.yaml    |  2 +-
 .../keycloak/manifests/keycloak-config.yaml   | 48 ++-----------------
 2 files changed, 6 insertions(+), 44 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 7a0a4f1..1e42733 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -51,7 +51,7 @@ grafana:
       token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
       api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
       redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
-      role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'"
+      role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
       
   extraSecretMounts:
     - name: auth-generic-oauth-secret-mount
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 604d714..1b5681f 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -189,20 +189,13 @@ data:
       "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
-      "surrogateAuthRequired": false,
-      "enabled": true,
       "alwaysDisplayInConsole": false,
-      "clientAuthenticatorType": "client-secret",
-      "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL",
       "redirectUris": [
         "http://{{{ .Env.DOMAIN }}}/grafana/*"
       ],
       "webOrigins": [
         "https://{{{ .Env.DOMAIN }}}/grafana"
       ],
-      "notBefore": 0,
-      "bearerOnly": false,
-      "consentRequired": false,
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
       "directAccessGrantsEnabled": true,
@@ -211,50 +204,19 @@ data:
       "frontchannelLogout": true,
       "protocol": "openid-connect",
       "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
         "oidc.ciba.grant.enabled": "false",
-        "backchannel.logout.session.required": "true",
-        "display.on.consent.screen": "false",
-        "oauth2.device.authorization.grant.enabled": "false",
-        "backchannel.logout.revoke.offline.tokens": "false"
+        "oauth2.device.authorization.grant.enabled": "false"
       },
-      "authenticationFlowBindingOverrides": {},
-      "fullScopeAllowed": true,
-      "nodeReRegistrationTimeout": -1,
-      "protocolMappers": [
-        {
-          "name": "client roles",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-client-role-mapper",
-          "consentRequired": false,
-          "config": {
-            "multivalued": "true",
-            "userinfo.token.claim": "false",
-            "user.attribute": "foo",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "resource_access.${client_id}.roles",
-            "jsonType.label": "String"
-          }
-        }
-      ],
       "defaultClientScopes": [
         "web-origins",
         "acr",
-        "roles",
         "offline_access",
+        "roles",
         "profile",
+        "groups",
         "email"
-      ],
-      "optionalClientScopes": [
-        "address",
-        "phone",
-        "microprofile-jwt"
-      ],
-      "access": {
-        "view": true,
-        "configure": true,
-        "manage": true
-      }
+      ]
     }
 
 ---

From ec31f988896a20f53e6d4d965ab70201e2f12658 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 15:28:48 +0100
Subject: [PATCH 14/58] Added external secret for grafana keycloak client
 secret

---
 .../monitoring/kube-prometheus/values.yaml    |  2 +-
 .../keycloak/manifests/keycloak-config.yaml   |  6 ------
 .../keycloak/manifests/secret-grafana.yaml    | 21 +++++++++++++++++++
 3 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 1e42733..901345f 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -41,7 +41,7 @@ grafana:
       name: Keycloak-OAuth
       allow_sign_up: true
       use_refresh_token: true
-      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+      client_id: grafana
       client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
       email_attribute_path: email
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 1b5681f..c271336 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -369,9 +369,6 @@ spec:
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 
-
-
-
               echo "creating Grafana client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -388,9 +385,6 @@ spec:
               GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-
-
 
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
new file mode 100644
index 0000000..896ec1b
--- /dev/null
+++ b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: monitoring
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
+  data:
+    - secretKey: GRAFANA_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: GRAFANA_CLIENT_SECRET

From 6eb52e654cddcfcea0d6d366886a38933542d446 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 15:46:06 +0100
Subject: [PATCH 15/58] Refactored external secret for grafana keycloak client
 secret

---
 .../monitoring/kube-prometheus-sso.yaml       | 23 +++++++++++++++++++
 .../kube-prometheus-sso}/secret-grafana.yaml  |  0
 2 files changed, 23 insertions(+)
 create mode 100644 template/stacks/monitoring/kube-prometheus-sso.yaml
 rename template/stacks/{ref-implementation/keycloak/manifests => monitoring/kube-prometheus-sso}/secret-grafana.yaml (100%)

diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml
new file mode 100644
index 0000000..d38d81e
--- /dev/null
+++ b/template/stacks/monitoring/kube-prometheus-sso.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-sso
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/monitoring/kube-prometheus-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: monitoring
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml
similarity index 100%
rename from template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
rename to template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml

From 63a694d17c894fdaf37bfdb7d1b62e895eb2daaa Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 17:09:02 +0100
Subject: [PATCH 16/58] Removed Grafana admin account

---
 template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 901345f..584b767 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -1,10 +1,10 @@
 grafana:
   namespaceOverride: "monitoring"
 
-  admin:
-    existingSecret: "kube-prometheus-stack-grafana-admin-password"
-    userKey: admin-user
-    passwordKey: admin-password
+  #admin:
+  #  existingSecret: "kube-prometheus-stack-grafana-admin-password"
+  #  userKey: admin-user
+  #  passwordKey: admin-password
 
   defaultDashboardsTimezone: Europe/Berlin
 

From 1ef1029e1f8c3750f5e22a167193aa626dfe8fae Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 17:26:29 +0100
Subject: [PATCH 17/58] Added Grafana admin account

---
 template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 584b767..901345f 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -1,10 +1,10 @@
 grafana:
   namespaceOverride: "monitoring"
 
-  #admin:
-  #  existingSecret: "kube-prometheus-stack-grafana-admin-password"
-  #  userKey: admin-user
-  #  passwordKey: admin-password
+  admin:
+    existingSecret: "kube-prometheus-stack-grafana-admin-password"
+    userKey: admin-user
+    passwordKey: admin-password
 
   defaultDashboardsTimezone: Europe/Berlin
 

From 8a38aee529516a78532f2056a275c6008bb2f091 Mon Sep 17 00:00:00 2001
From: Patrick Sy <patrick.sy@telekom.de>
Date: Mon, 3 Mar 2025 15:21:46 +0100
Subject: [PATCH 18/58] feat(runner): Added ubuntu-latest runner tag

---
 .../stacks/core/forgejo-runner/dind-docker.yaml     | 13 ++++++++++++-
 template/stacks/core/forgejo/values.yaml            |  1 +
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml
index bad42d5..04b07a7 100644
--- a/template/stacks/core/forgejo-runner/dind-docker.yaml
+++ b/template/stacks/core/forgejo-runner/dind-docker.yaml
@@ -29,7 +29,18 @@ spec:
       initContainers:
         - name: runner-register
           image: code.forgejo.org/forgejo/runner:6.0.1
-          command: ["forgejo-runner", "register", "--no-interactive", "--token", $(RUNNER_SECRET), "--name", $(RUNNER_NAME), "--instance", $(FORGEJO_INSTANCE_URL), "--labels", "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"]
+          command: 
+            - "forgejo-runner"
+            - "register"
+            - "--no-interactive"
+            - "--token"
+            - $(RUNNER_SECRET)
+            - "--name"
+            - $(RUNNER_NAME)
+            - "--instance"
+            - $(FORGEJO_INSTANCE_URL)
+            - "--labels"
+            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
           env:
             - name: RUNNER_NAME
               valueFrom:
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index dda08f7..1bf35c2 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -53,3 +53,4 @@ forgejo:
           - docker:docker://node:16-bullseye
           - self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
           - ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
+          - ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04

From d95ba7c12c65d268774dd2fc9acf5cfecef5152e Mon Sep 17 00:00:00 2001
From: Patrick Sy <patrick.sy@telekom.de>
Date: Mon, 3 Mar 2025 16:37:18 +0100
Subject: [PATCH 19/58] chore(petclinic): Removed unused workflow Disabled
 tests in maven workflow as there are currently dind problems

---
 .../.github/workflows/gradle-build.yml        | 32 -------------------
 .../.github/workflows/maven-build.yml         |  2 +-
 2 files changed, 1 insertion(+), 33 deletions(-)
 delete mode 100644 template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml

diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml
deleted file mode 100644
index 61fadfd..0000000
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# This workflow will build a Java project with Gradle, and cache/restore any dependencies to improve the workflow execution time
-# For more information see: https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle
-
-name: Java CI with Gradle
-
-on:
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        java: [ '17' ]
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up JDK {% raw %}${{matrix.java}}{% endraw %}
-        uses: https://github.com/actions/setup-java@v4
-        with:
-          java-version: '{% raw %}${{matrix.java}}{% endraw %}'
-          distribution: 'adopt'
-          cache: maven
-      - name: Setup Gradle
-        uses: https://github.com/gradle/actions/setup-gradle@v4
-      - name: Build with Gradle
-        run: ./gradlew build
-
diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
index a9058fc..c750bd4 100644
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
+++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
@@ -28,7 +28,7 @@ jobs:
           distribution: 'adopt'
           cache: maven
       - name: Build with Maven Wrapper
-        run: ./mvnw -B verify
+        run: ./mvnw -B -DskipTests verify
       - name: Build image
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |

From 4ae8f6fd15c8702cf184802c841feb552850c19f Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 18:49:55 +0100
Subject: [PATCH 20/58] shortened retry backoff

---
 template/stacks/ref-implementation/argo-workflows.yaml | 4 ++++
 template/stacks/ref-implementation/backstage.yaml      | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/template/stacks/ref-implementation/argo-workflows.yaml b/template/stacks/ref-implementation/argo-workflows.yaml
index 3d33891..d001daa 100644
--- a/template/stacks/ref-implementation/argo-workflows.yaml
+++ b/template/stacks/ref-implementation/argo-workflows.yaml
@@ -23,3 +23,7 @@ spec:
       selfHeal: true
     retry:
       limit: -1
+      backoff:
+        duration: 5s
+        factor: 1
+        maxDuration: 10s
diff --git a/template/stacks/ref-implementation/backstage.yaml b/template/stacks/ref-implementation/backstage.yaml
index 227d29f..c007181 100644
--- a/template/stacks/ref-implementation/backstage.yaml
+++ b/template/stacks/ref-implementation/backstage.yaml
@@ -23,3 +23,7 @@ spec:
       selfHeal: true
     retry:
       limit: -1
+      backoff:
+        duration: 5s
+        factor: 1
+        maxDuration: 10s

From aba4a4a0880690dfc1df99c44228eb5e7b3e7a84 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 19:03:36 +0100
Subject: [PATCH 21/58] shortened retry backoff

---
 template/stacks/ref-implementation/argo-workflows.yaml | 4 ++--
 template/stacks/ref-implementation/backstage.yaml      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/template/stacks/ref-implementation/argo-workflows.yaml b/template/stacks/ref-implementation/argo-workflows.yaml
index d001daa..ef23482 100644
--- a/template/stacks/ref-implementation/argo-workflows.yaml
+++ b/template/stacks/ref-implementation/argo-workflows.yaml
@@ -24,6 +24,6 @@ spec:
     retry:
       limit: -1
       backoff:
-        duration: 5s
+        duration: 15s
         factor: 1
-        maxDuration: 10s
+        maxDuration: 15s
diff --git a/template/stacks/ref-implementation/backstage.yaml b/template/stacks/ref-implementation/backstage.yaml
index c007181..01932dc 100644
--- a/template/stacks/ref-implementation/backstage.yaml
+++ b/template/stacks/ref-implementation/backstage.yaml
@@ -24,6 +24,6 @@ spec:
     retry:
       limit: -1
       backoff:
-        duration: 5s
+        duration: 15s
         factor: 1
-        maxDuration: 10s
+        maxDuration: 15s

From d0cce6916d367cad1b25cd3da77c19ddfd7f1e06 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 19:06:11 +0100
Subject: [PATCH 22/58] fixed argocd version

---
 template/stacks/core/argocd.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 4433721..4f65e09 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -21,7 +21,7 @@ spec:
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.6.12
+      targetRevision: argo-cd-7.7.5
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml

From a9c69d6c24cd5f6b7032e8513d4afd4ba867b5f2 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 19:23:19 +0100
Subject: [PATCH 23/58] adjusted retry backoff time

---
 template/stacks/monitoring/kube-prometheus-sso.yaml | 6 ++++++
 template/stacks/monitoring/kube-prometheus.yaml     | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml
index d38d81e..0e6e43a 100644
--- a/template/stacks/monitoring/kube-prometheus-sso.yaml
+++ b/template/stacks/monitoring/kube-prometheus-sso.yaml
@@ -21,3 +21,9 @@ spec:
       - CreateNamespace=true
     automated:
       selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml
index 1f5218c..7bcf3ca 100644
--- a/template/stacks/monitoring/kube-prometheus.yaml
+++ b/template/stacks/monitoring/kube-prometheus.yaml
@@ -17,6 +17,10 @@ spec:
       - ServerSideApply=true  # do not copy metdata, since (because of its large size) it can lead to sync failure
     retry:
       limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
   destination:
     name: in-cluster
     namespace: monitoring

From 1ab8119063b54aba69dfcef1508e591d461e0065 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 7 Mar 2025 20:28:39 +0000
Subject: [PATCH 24/58] Fixed kubectl download on Linux ARM64 VMs

---
 .../keycloak/manifests/keycloak-config.yaml                 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index c271336..6c8d603 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -285,7 +285,11 @@ spec:
               fi
               set -e
               
-              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              if [[ "$(uname -m)" == "x86_64" ]]; then
+                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              else
+                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl"
+              fi
               chmod +x kubectl
               
               echo "creating cnoe realm and groups"

From 303d7b3a7e9e1b44aeecf497ffbfc17d83c34fed Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Sat, 8 Mar 2025 12:50:23 +0000
Subject: [PATCH 25/58] Update
 template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml

---
 .../skeleton/.github/workflows/maven-build.yml            | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
index c750bd4..62cbd53 100644
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
+++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
@@ -33,7 +33,7 @@ jobs:
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |
           export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
-          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %}
+          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
       - name: Build image as tar
         run: |
           ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true
@@ -57,7 +57,11 @@ jobs:
           NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this
       - name: install trivy from deb package
         run: |
-          wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
+          if [[ "$(uname -m)" == "x86_64" ]]; then
+            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
+          else
+            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb
+          fi
           DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb
       - name: scan the image
         run: trivy image --input jib-image.tar

From 0d49c582f5c13ed1a979139ebc6b420c7e6abd51 Mon Sep 17 00:00:00 2001
From: "Christopher.Hase" <Christopher.Hase@telekom.de>
Date: Tue, 11 Mar 2025 11:25:06 +0000
Subject: [PATCH 26/58] 
 template/stacks/ref-implementation/backstage/manifests/install.yaml
 aktualisiert

---
 .../stacks/ref-implementation/backstage/manifests/install.yaml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index b3bfd57..cab2f36 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -262,7 +262,7 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: ghcr.io/cnoe-io/backstage-app:9232d633b2698fffa6d0a73b715e06640d170162
+          image: gitea-client-192-168-198-3.traefik.me/giteaadmin/backstage:0.0.1
           name: backstage
           ports:
             - containerPort: 7007

From 71fbdcb5e0a02dae5782d03d9f2600ed1e3d3d0a Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 13:37:16 +0100
Subject: [PATCH 27/58] alloy implementation

---
 .gitignore                                   |  1 +
 template/stacks/core/ingress-apps/alloy.yaml | 18 ++++++++++++
 template/stacks/monitoring/alloy.yaml        | 29 ++++++++++++++++++++
 template/stacks/monitoring/alloy/values.yaml |  4 +++
 4 files changed, 52 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 template/stacks/core/ingress-apps/alloy.yaml
 create mode 100644 template/stacks/monitoring/alloy.yaml
 create mode 100644 template/stacks/monitoring/alloy/values.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2a6a657
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.history
\ No newline at end of file
diff --git a/template/stacks/core/ingress-apps/alloy.yaml b/template/stacks/core/ingress-apps/alloy.yaml
new file mode 100644
index 0000000..e939823
--- /dev/null
+++ b/template/stacks/core/ingress-apps/alloy.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: alloy
+  namespace: monitoring
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{{ .Env.DOMAIN }}}
+    http:
+      paths:
+      - backend:
+          service:
+            name: alloy
+            port:
+              number: 12345
+        path: /alloy
+        pathType: Prefix
diff --git a/template/stacks/monitoring/alloy.yaml b/template/stacks/monitoring/alloy.yaml
new file mode 100644
index 0000000..7d4d614
--- /dev/null
+++ b/template/stacks/monitoring/alloy.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: alloy
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: monitoring
+  sources:
+    - repoURL: https://github.com/grafana/alloy.git
+      path: operations/helm/charts/alloy   
+      targetRevision: HEAD      
+      helm:
+        valueFiles:
+          - $values/stacks/monitoring/alloy/values.yaml
+    - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+      targetRevision: HEAD
+      ref: values
\ No newline at end of file
diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
new file mode 100644
index 0000000..411863c
--- /dev/null
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -0,0 +1,4 @@
+alloy:
+  create: false
+  name: alloy-config
+  key: config.alloy
\ No newline at end of file

From dd7cd2fa91334390d47f9434ba020718369a4049 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 13:47:07 +0100
Subject: [PATCH 28/58] alloy.uiPathPrefix: "/alloy" added

---
 template/stacks/monitoring/alloy/values.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 411863c..df9f147 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -1,4 +1,6 @@
 alloy:
   create: false
   name: alloy-config
-  key: config.alloy
\ No newline at end of file
+  key: config.alloy
+
+  uiPathPrefix: "/alloy"
\ No newline at end of file

From 81e85ff518d2987e2e71006e372c24e77111a7c1 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 14:22:11 +0100
Subject: [PATCH 29/58] config.alloy added to the values

---
 template/stacks/monitoring/alloy/values.yaml | 38 +++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index df9f147..930f84b 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -3,4 +3,40 @@ alloy:
   name: alloy-config
   key: config.alloy
 
-  uiPathPrefix: "/alloy"
\ No newline at end of file
+  uiPathPrefix: "/alloy"
+
+  configMap.content: |
+    logging {
+      level  = "info"
+      format = "logfmt"
+    }
+
+    loki.write "local_loki" {
+        endpoint {
+            url = "http://loki.default.svc.cluster.local:3100/loki/api/v1/push"
+        }
+    }
+
+    discovery.kubernetes "pod" {
+      role = "pod"
+    }
+
+    discovery.kubernetes "nodes" {
+      role = "node"
+    }
+
+    discovery.kubernetes "services" {
+      role = "service"
+    }
+
+    discovery.kubernetes "endpoints" {
+      role = "endpoints"
+    }
+
+    discovery.kubernetes "endpointslices" {
+      role = "endpointslice"
+    }
+
+    discovery.kubernetes "ingresses" {
+      role = "ingress"
+    }
\ No newline at end of file

From 3a5df116045e37db74ca172534ac2fb8b70b2454 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 14:22:29 +0100
Subject: [PATCH 30/58] alloy implementation commented out

---
 template/stacks/monitoring/promtail.yaml | 58 ++++++++++++------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/template/stacks/monitoring/promtail.yaml b/template/stacks/monitoring/promtail.yaml
index 8f4af77..4769ead 100644
--- a/template/stacks/monitoring/promtail.yaml
+++ b/template/stacks/monitoring/promtail.yaml
@@ -1,29 +1,29 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: promtail
-  namespace: argocd
-  labels:
-    env: dev
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: monitoring
-  sources:
-    - repoURL: https://github.com/grafana/helm-charts
-      path:     charts/promtail   
-      targetRevision: HEAD      
-      helm:
-        valueFiles:
-          - $values/stacks/monitoring/promtail/values.yaml
-    - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-      targetRevision: HEAD
-      ref: values
\ No newline at end of file
+# apiVersion: argoproj.io/v1alpha1
+# kind: Application
+# metadata:
+#   name: promtail
+#   namespace: argocd
+#   labels:
+#     env: dev
+#   finalizers:
+#     - resources-finalizer.argocd.argoproj.io
+# spec:
+#   project: default
+#   syncPolicy:
+#     automated:
+#       selfHeal: true
+#     syncOptions:
+#       - CreateNamespace=true
+#   destination:
+#     name: in-cluster
+#     namespace: monitoring
+#   sources:
+#     - repoURL: https://github.com/grafana/helm-charts
+#       path:     charts/promtail   
+#       targetRevision: HEAD      
+#       helm:
+#         valueFiles:
+#           - $values/stacks/monitoring/promtail/values.yaml
+#     - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+#       targetRevision: HEAD
+#       ref: values
\ No newline at end of file

From 180b74697a43947fb43b6405c8240cb7b8a63750 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 14:30:37 +0100
Subject: [PATCH 31/58] config.alloy in values.yaml adjusted

---
 template/stacks/monitoring/alloy/values.yaml | 58 ++++++++++----------
 1 file changed, 30 insertions(+), 28 deletions(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 930f84b..9441652 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -5,38 +5,40 @@ alloy:
 
   uiPathPrefix: "/alloy"
 
-  configMap.content: |
-    logging {
-      level  = "info"
-      format = "logfmt"
-    }
+  configMap:
+    content: |-
 
-    loki.write "local_loki" {
-        endpoint {
-            url = "http://loki.default.svc.cluster.local:3100/loki/api/v1/push"
-        }
-    }
+      logging {
+        level  = "info"
+        format = "logfmt"
+      }
 
-    discovery.kubernetes "pod" {
-      role = "pod"
-    }
+      loki.write "local_loki" {
+          endpoint {
+              url = "http://loki.default.svc.cluster.local:3100/loki/api/v1/push"
+          }
+      }
 
-    discovery.kubernetes "nodes" {
-      role = "node"
-    }
+      discovery.kubernetes "pod" {
+        role = "pod"
+      }
 
-    discovery.kubernetes "services" {
-      role = "service"
-    }
+      discovery.kubernetes "nodes" {
+        role = "node"
+      }
 
-    discovery.kubernetes "endpoints" {
-      role = "endpoints"
-    }
+      discovery.kubernetes "services" {
+        role = "service"
+      }
 
-    discovery.kubernetes "endpointslices" {
-      role = "endpointslice"
-    }
+      discovery.kubernetes "endpoints" {
+        role = "endpoints"
+      }
 
-    discovery.kubernetes "ingresses" {
-      role = "ingress"
-    }
\ No newline at end of file
+      discovery.kubernetes "endpointslices" {
+        role = "endpointslice"
+      }
+
+      discovery.kubernetes "ingresses" {
+        role = "ingress"
+      }
\ No newline at end of file

From ddaf06b29c4b99678e9979915461323e61779fd4 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 14:39:36 +0100
Subject: [PATCH 32/58] loki reference changes

---
 template/stacks/monitoring/alloy/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 9441652..3d6fd5a 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -15,7 +15,7 @@ alloy:
 
       loki.write "local_loki" {
           endpoint {
-              url = "http://loki.default.svc.cluster.local:3100/loki/api/v1/push"
+              url = "http://loki-loki-distributed-gateway/loki/api/v1/push"
           }
       }
 

From 8f62875529a1ae3a3c261da05457afe4b71a95ae Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 14:53:01 +0100
Subject: [PATCH 33/58] config.alloy adjusted in values.yaml

---
 template/stacks/monitoring/alloy/values.yaml | 51 +++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 3d6fd5a..88fe6c4 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -41,4 +41,53 @@ alloy:
 
       discovery.kubernetes "ingresses" {
         role = "ingress"
-      }
\ No newline at end of file
+      }
+
+      # Process and label logs before sending to Loki
+      discovery.relabel "pod_logs" {
+        targets = discovery.kubernetes.pod.targets
+
+        # Assign labels for logs
+        rule {
+          source_labels = ["__meta_kubernetes_namespace"]
+          action = "replace"
+          target_label = "namespace"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_name"]
+          action = "replace"
+          target_label = "pod"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_name"]
+          action = "replace"
+          target_label = "container"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
+          action = "replace"
+          target_label = "__path__"
+          separator = "/"
+          replacement = "/var/log/pods/*$1/*.log"
+        }
+      }
+
+      # Collect logs from Kubernetes API
+      loki.source.kubernetes "all_pod_logs" {
+        targets    = discovery.relabel.pod_logs.output
+        forward_to = [loki.process.all_logs.receiver]
+      }
+
+      # Process logs before writing
+      loki.process "all_logs" {
+        stage.static_labels {
+          values = {
+            cluster = "cluster"
+          }
+        }
+
+        forward_to = [loki.write.local_loki.receiver]
+      }

From 1682302b69eae1e6b3e94ea42aedadbe1940535e Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 15:04:59 +0100
Subject: [PATCH 34/58] "#" are not allowed in config.alloy in values.yaml

---
 template/stacks/monitoring/alloy/values.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 88fe6c4..8d8ee45 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -43,11 +43,9 @@ alloy:
         role = "ingress"
       }
 
-      # Process and label logs before sending to Loki
       discovery.relabel "pod_logs" {
         targets = discovery.kubernetes.pod.targets
 
-        # Assign labels for logs
         rule {
           source_labels = ["__meta_kubernetes_namespace"]
           action = "replace"
@@ -75,13 +73,11 @@ alloy:
         }
       }
 
-      # Collect logs from Kubernetes API
       loki.source.kubernetes "all_pod_logs" {
         targets    = discovery.relabel.pod_logs.output
         forward_to = [loki.process.all_logs.receiver]
       }
 
-      # Process logs before writing
       loki.process "all_logs" {
         stage.static_labels {
           values = {

From 687322525b17bde7420ce8b0ba3c6a6f3f34b1a9 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 15:18:59 +0100
Subject: [PATCH 35/58] values.yaml for alloy edited

---
 template/stacks/monitoring/alloy/values.yaml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 8d8ee45..e9eb0f2 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -79,11 +79,5 @@ alloy:
       }
 
       loki.process "all_logs" {
-        stage.static_labels {
-          values = {
-            cluster = "cluster"
-          }
-        }
-
         forward_to = [loki.write.local_loki.receiver]
       }

From fbb5aeb32b2765fc570cef57692cecd0dd888b88 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 15:20:35 +0100
Subject: [PATCH 36/58] forward_to = [loki.write.local_loki.receiver]

---
 template/stacks/monitoring/alloy/values.yaml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index e9eb0f2..7120fab 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -71,13 +71,7 @@ alloy:
           separator = "/"
           replacement = "/var/log/pods/*$1/*.log"
         }
-      }
 
-      loki.source.kubernetes "all_pod_logs" {
-        targets    = discovery.relabel.pod_logs.output
-        forward_to = [loki.process.all_logs.receiver]
-      }
-
-      loki.process "all_logs" {
         forward_to = [loki.write.local_loki.receiver]
-      }
+
+      }
\ No newline at end of file

From b462804f2999349c6c581df23eea98016d4db243 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 15:28:20 +0100
Subject: [PATCH 37/58]       loki.source.kubernetes "all_pod_logs" {        
 targets    = discovery.relabel.pod_logs.output         forward_to =
 [loki.write.local_loki.receiver]       }

---
 template/stacks/monitoring/alloy/values.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 7120fab..91f606f 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -71,7 +71,9 @@ alloy:
           separator = "/"
           replacement = "/var/log/pods/*$1/*.log"
         }
+      }
 
+      loki.source.kubernetes "all_pod_logs" {
+        targets    = discovery.relabel.pod_logs.output
         forward_to = [loki.write.local_loki.receiver]
-
-      }
\ No newline at end of file
+      }

From 75f40e070cd1866e520701e425c590d1b165237f Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 12 Mar 2025 15:55:41 +0100
Subject: [PATCH 38/58] promtail references replaces with alloy in
 dashboard_loki_container.yaml

---
 .../dashboards/dashboard_loki_container.yaml  |  4 +-
 template/stacks/monitoring/promtail.yaml      | 29 ------------
 .../stacks/monitoring/promtail/values.yaml    | 45 -------------------
 3 files changed, 2 insertions(+), 76 deletions(-)
 delete mode 100644 template/stacks/monitoring/promtail.yaml
 delete mode 100644 template/stacks/monitoring/promtail/values.yaml

diff --git a/template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml b/template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml
index 267bd90..e38896e 100644
--- a/template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml
+++ b/template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml
@@ -110,12 +110,12 @@ data:
                             "uid": "P8E80F9AEF21F6940"
                         },
                         "editorMode": "builder",
-                        "expr": "{container=\"promtail\"} |= ``",
+                        "expr": "{container=\"alloy\"} |= ``",
                         "queryType": "range",
                         "refId": "A"
                     }
                 ],
-                "title": "Logs: Container promtail",
+                "title": "Logs: Container alloy",
                 "type": "logs"
             },
             {
diff --git a/template/stacks/monitoring/promtail.yaml b/template/stacks/monitoring/promtail.yaml
deleted file mode 100644
index 4769ead..0000000
--- a/template/stacks/monitoring/promtail.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# apiVersion: argoproj.io/v1alpha1
-# kind: Application
-# metadata:
-#   name: promtail
-#   namespace: argocd
-#   labels:
-#     env: dev
-#   finalizers:
-#     - resources-finalizer.argocd.argoproj.io
-# spec:
-#   project: default
-#   syncPolicy:
-#     automated:
-#       selfHeal: true
-#     syncOptions:
-#       - CreateNamespace=true
-#   destination:
-#     name: in-cluster
-#     namespace: monitoring
-#   sources:
-#     - repoURL: https://github.com/grafana/helm-charts
-#       path:     charts/promtail   
-#       targetRevision: HEAD      
-#       helm:
-#         valueFiles:
-#           - $values/stacks/monitoring/promtail/values.yaml
-#     - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-#       targetRevision: HEAD
-#       ref: values
\ No newline at end of file
diff --git a/template/stacks/monitoring/promtail/values.yaml b/template/stacks/monitoring/promtail/values.yaml
deleted file mode 100644
index 49faadc..0000000
--- a/template/stacks/monitoring/promtail/values.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# -- Overrides the chart's name
-nameOverride: null
-
-# -- Overrides the chart's computed fullname
-fullnameOverride: null
-
-global:
-  # -- Allow parent charts to override registry hostname
-  imageRegistry: ""
-  # -- Allow parent charts to override registry credentials
-  imagePullSecrets: []
-
-daemonset:
-  # -- Deploys Promtail as a DaemonSet
-  enabled: true
-  autoscaling:
-    # -- Creates a VerticalPodAutoscaler for the daemonset
-    enabled: false
-
-deployment:
-  # -- Deploys Promtail as a Deployment
-  enabled: false    
-
-config:
-  enabled: true
-  logLevel: info
-  logFormat: logfmt
-  serverPort: 3101
-  clients:
-    - url: http://loki-loki-distributed-gateway/loki/api/v1/push
-  scrape_configs:
-  - job_name: authlog
-    static_configs:
-    - targets:
-        - authlog
-      labels:
-        job: authlog
-        __path__: /logs/auth.log
-  - job_name: syslog
-    static_configs:
-    - targets:
-        - syslog
-      labels:
-        job: syslog
-        __path__: /logs/syslog    
\ No newline at end of file

From 3293f9cf5afe358e6928d9b5806e3b5a786bcc5b Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Thu, 13 Mar 2025 08:33:06 +0000
Subject: [PATCH 39/58] Update
 template/stacks/ref-implementation/backstage/manifests/install.yaml

---
 .../stacks/ref-implementation/backstage/manifests/install.yaml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index cab2f36..5cbfff8 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -262,7 +262,7 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: gitea-client-192-168-198-3.traefik.me/giteaadmin/backstage:0.0.1
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:v1.36.1
           name: backstage
           ports:
             - containerPort: 7007

From 74a77bfa3b71dc4a2d4a2f6fe53fa80b03b48770 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Thu, 13 Mar 2025 09:00:38 +0000
Subject: [PATCH 40/58] Update
 template/stacks/ref-implementation/backstage/manifests/install.yaml

---
 .../stacks/ref-implementation/backstage/manifests/install.yaml  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index 5cbfff8..646e269 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -255,6 +255,8 @@ spec:
               value: debug
             - name: NODE_TLS_REJECT_UNAUTHORIZED
               value: "0"
+            - name: NODE_OPTIONS
+              value: "--no-node-snapshot"
           envFrom:
             - secretRef:
                 name: backstage-env-vars

From 8f621647f5f4048ba8f47bcf0bacd987267eb6ec Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Thu, 13 Mar 2025 10:08:59 +0100
Subject: [PATCH 41/58]         rule {           source_labels =
 ["__meta_kubernetes_pod_name", "__meta_kubernetes_pod_container_name"]       
    action = "replace"           target_label = "__path__"          
 replacement = "/var/log/containers/$1_$2.log"         }

---
 template/stacks/monitoring/alloy/values.yaml | 24 +++-----------------
 1 file changed, 3 insertions(+), 21 deletions(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 91f606f..036f989 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -47,30 +47,12 @@ alloy:
         targets = discovery.kubernetes.pod.targets
 
         rule {
-          source_labels = ["__meta_kubernetes_namespace"]
-          action = "replace"
-          target_label = "namespace"
-        }
-
-        rule {
-          source_labels = ["__meta_kubernetes_pod_name"]
-          action = "replace"
-          target_label = "pod"
-        }
-
-        rule {
-          source_labels = ["__meta_kubernetes_pod_container_name"]
-          action = "replace"
-          target_label = "container"
-        }
-
-        rule {
-          source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
+          source_labels = ["__meta_kubernetes_pod_name", "__meta_kubernetes_pod_container_name"]
           action = "replace"
           target_label = "__path__"
-          separator = "/"
-          replacement = "/var/log/pods/*$1/*.log"
+          replacement = "/var/log/containers/$1_$2.log"
         }
+
       }
 
       loki.source.kubernetes "all_pod_logs" {

From 1e5fa94c477333aefdaf4e54bbfef9fa9a6aca1e Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Thu, 13 Mar 2025 10:19:45 +0100
Subject: [PATCH 42/58] rules in alloy's values.yaml adjusted

---
 template/stacks/monitoring/alloy/values.yaml | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 036f989..a881409 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -46,6 +46,30 @@ alloy:
       discovery.relabel "pod_logs" {
         targets = discovery.kubernetes.pod.targets
 
+        rule {
+          source_labels = ["__meta_kubernetes_namespace"]
+          action        = "replace"
+          target_label  = "namespace"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_name"]
+          action        = "replace"
+          target_label  = "pod"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_node_name"]
+          action        = "replace"
+          target_label  = "node"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_name"]
+          action        = "replace"
+          target_label  = "container"
+        }
+
         rule {
           source_labels = ["__meta_kubernetes_pod_name", "__meta_kubernetes_pod_container_name"]
           action = "replace"

From 415576c2cbe3baaaa6219cca147be95f1f6902b3 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Thu, 13 Mar 2025 10:26:56 +0100
Subject: [PATCH 43/58] unnecessary rule deleted

---
 template/stacks/monitoring/alloy/values.yaml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index a881409..a2ac67d 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -70,13 +70,6 @@ alloy:
           target_label  = "container"
         }
 
-        rule {
-          source_labels = ["__meta_kubernetes_pod_name", "__meta_kubernetes_pod_container_name"]
-          action = "replace"
-          target_label = "__path__"
-          replacement = "/var/log/containers/$1_$2.log"
-        }
-
       }
 
       loki.source.kubernetes "all_pod_logs" {

From d8867b9e3adc010c178a16a688d5542633d85c0b Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Thu, 13 Mar 2025 10:16:04 +0000
Subject: [PATCH 44/58] Update
 template/stacks/ref-implementation/backstage/manifests/install.yaml

---
 .../stacks/ref-implementation/backstage/manifests/install.yaml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index 646e269..6a2e847 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -264,7 +264,7 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:v1.36.1
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-cnoe:v1.36.1
           name: backstage
           ports:
             - containerPort: 7007

From 2f5a2635115906cec90fe0c457f308b7bcb0bb8c Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Thu, 13 Mar 2025 16:08:10 +0000
Subject: [PATCH 45/58] Update template/stacks/core/argocd/values.yaml

---
 template/stacks/core/argocd/values.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml
index 3fb3ddf..a5cee37 100644
--- a/template/stacks/core/argocd/values.yaml
+++ b/template/stacks/core/argocd/values.yaml
@@ -5,6 +5,7 @@ configs:
   params:
     server.insecure: true
     server.basehref: /argocd
+    server.rootpath: /argocd
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
@@ -20,6 +21,7 @@ configs:
         clusters:
         - "*"
     accounts.provider-argocd: apiKey
+    url: https://{{{ .Env.DOMAIN }}}/argocd
   rbac:
     policy.csv: 'g, provider-argocd, role:admin'
 

From 5cc22c5648100ab770866439c969f0c527cfbc9d Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Thu, 13 Mar 2025 16:16:49 +0000
Subject: [PATCH 46/58] Update
 template/stacks/core/ingress-apps/argocd-server.yaml

---
 template/stacks/core/ingress-apps/argocd-server.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/template/stacks/core/ingress-apps/argocd-server.yaml b/template/stacks/core/ingress-apps/argocd-server.yaml
index 0446b6c..3aa47f2 100644
--- a/template/stacks/core/ingress-apps/argocd-server.yaml
+++ b/template/stacks/core/ingress-apps/argocd-server.yaml
@@ -4,8 +4,6 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    nginx.ingress.kubernetes.io/use-regex: "true"
 {{{ if eq .Env.CLUSTER_TYPE "osc" }}}
     dns.gardener.cloud/class: garden
     dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN }}}
@@ -24,8 +22,8 @@ spec:
             name: argocd-server
             port:
               number: 80
-        path: /argocd(/|$)(.*)
-        pathType: ImplementationSpecific
+        path: /argocd
+        pathType: Prefix
   tls:
   - hosts:
     - {{{ .Env.DOMAIN }}}

From beeb1f916ba09b429237ad5296a17a6a4b2ba3f5 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <richard-robert.reitz@telekom.de>
Date: Fri, 14 Mar 2025 09:34:45 +0100
Subject: [PATCH 47/58] Hofix for ArgoCD problems after path routing fix

---
 .../stacks/ref-implementation/backstage/manifests/install.yaml  | 2 +-
 .../ref-implementation/keycloak/manifests/keycloak-config.yaml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index 6a2e847..da9bd6a 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -388,7 +388,7 @@ spec:
         KEYCLOAK_NAME_METADATA: https://{{{ .Env.DOMAIN }}}:443/keycloak/realms/cnoe/.well-known/openid-configuration
         KEYCLOAK_CLIENT_SECRET: "{{.BACKSTAGE_CLIENT_SECRET}}"
         ARGOCD_AUTH_TOKEN: "argocd.token={{.ARGOCD_SESSION_TOKEN}}"
-        ARGO_CD_URL: 'https://argocd-server.argocd.svc.cluster.local/api/v1/'
+        ARGO_CD_URL: 'https://{{{ .Env.DOMAIN }}}/argocd/api/v1/'
   data:
     - secretKey: ARGOCD_SESSION_TOKEN
       remoteRef:
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 6c8d603..c1d77a7 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -409,7 +409,7 @@ spec:
               
               ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
               
-              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
+              ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
               
               echo \
               "apiVersion: v1

From c1b68bfdb2031f5222f1ae9f339efab0724c9126 Mon Sep 17 00:00:00 2001
From: Stephan Lo <stephan.lo@lopis.de>
Date: Fri, 14 Mar 2025 19:20:29 +0100
Subject: [PATCH 48/58] chore(provider-shell): adjust to
 https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/-/packages/container/provider-shell/v0.1.3

---
 template/stacks/core/crossplane-providers/provider-shell.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/crossplane-providers/provider-shell.yaml b/template/stacks/core/crossplane-providers/provider-shell.yaml
index 4080668..e7af743 100644
--- a/template/stacks/core/crossplane-providers/provider-shell.yaml
+++ b/template/stacks/core/crossplane-providers/provider-shell.yaml
@@ -3,7 +3,7 @@ kind: Provider
 metadata:
   name: provider-shell
 spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.1
+  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.3
   packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
   revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
   revisionHistoryLimit: 1

From 9b5457e45fc08818d7f7cb05ce7d2465b86c0983 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Sat, 15 Mar 2025 13:27:41 +0000
Subject: [PATCH 49/58] Update
 template/stacks/ref-implementation/backstage/manifests/install.yaml

chore(backstage): adjust to forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development
---
 .../stacks/ref-implementation/backstage/manifests/install.yaml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index da9bd6a..c86f6fa 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -264,7 +264,7 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-cnoe:v1.36.1
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development
           name: backstage
           ports:
             - containerPort: 7007

From 31b768eebc7a5186aec1b7375682c91700f535a2 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Sun, 16 Mar 2025 22:51:03 +0000
Subject: [PATCH 50/58] Update
 template/stacks/core/crossplane-providers/provider-kind.yaml

---
 .../stacks/core/crossplane-providers/provider-kind.yaml     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/template/stacks/core/crossplane-providers/provider-kind.yaml b/template/stacks/core/crossplane-providers/provider-kind.yaml
index 36014f7..5bfe9a1 100644
--- a/template/stacks/core/crossplane-providers/provider-kind.yaml
+++ b/template/stacks/core/crossplane-providers/provider-kind.yaml
@@ -3,7 +3,7 @@ kind: Provider
 metadata:
   name: provider-kind
 spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.0
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
+  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.1
+  packagePullPolicy: IfNotPresent
+  revisionActivationPolicy: Automatic
   revisionHistoryLimit: 1

From 94e3a759b25fe786f59bdcf1d9dc0d2db5532fa9 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Sun, 16 Mar 2025 22:53:03 +0000
Subject: [PATCH 51/58] Update
 template/stacks/core/crossplane-providers/provider-shell.yaml

---
 .../stacks/core/crossplane-providers/provider-shell.yaml    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/template/stacks/core/crossplane-providers/provider-shell.yaml b/template/stacks/core/crossplane-providers/provider-shell.yaml
index e7af743..2974c0c 100644
--- a/template/stacks/core/crossplane-providers/provider-shell.yaml
+++ b/template/stacks/core/crossplane-providers/provider-shell.yaml
@@ -3,7 +3,7 @@ kind: Provider
 metadata:
   name: provider-shell
 spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.3
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
+  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.5
+  packagePullPolicy: IfNotPresent
+  revisionActivationPolicy: Automatic
   revisionHistoryLimit: 1

From fc287acf58c936242d664a4c661ba423a8bca055 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Mon, 17 Mar 2025 21:50:50 +0000
Subject: [PATCH 52/58] Update
 template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml

---
 .../spring-petclinic/skeleton/.github/workflows/maven-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
index 62cbd53..e553542 100644
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
+++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
@@ -33,7 +33,7 @@ jobs:
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |
           export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
-          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
+          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ secrets.PACKAGES_USER }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
       - name: Build image as tar
         run: |
           ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true

From d0585fd2b7b04f34afab6d11e15ef3632ce6f6aa Mon Sep 17 00:00:00 2001
From: Stephan Lo <stephan.lo@lopis.de>
Date: Thu, 20 Mar 2025 23:47:53 +0100
Subject: [PATCH 53/58] feat(mailhog): IPCEICIS-3048 - mailhog deployed,
 ingress is https://<URL>/mailhog, forgje is configured

---
 template/stacks/core/forgejo/values.yaml      |  6 ++++
 .../stacks/core/ingress-apps/mailhog.yaml     | 18 ++++++++++
 .../stacks/ref-implementation/mailhog.yaml    | 25 ++++++++++++++
 .../mailhog/deployment.yaml                   | 33 +++++++++++++++++++
 .../ref-implementation/mailhog/service.yaml   | 13 ++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 template/stacks/core/ingress-apps/mailhog.yaml
 create mode 100644 template/stacks/ref-implementation/mailhog.yaml
 create mode 100644 template/stacks/ref-implementation/mailhog/deployment.yaml
 create mode 100644 template/stacks/ref-implementation/mailhog/service.yaml

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 1bf35c2..0cb06cd 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -27,6 +27,12 @@ gitea:
     server:
       DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
       ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
+    mailer:
+      ENABLED: true
+      FROM: forgejo@{{{ .Env.DOMAIN_GITEA }}}
+      PROTOCOL: smtp
+      SMTP_ADDR: mailhog.mailhog.svc.cluster.local
+      SMTP_PORT: 1025
 
 service:
   ssh:
diff --git a/template/stacks/core/ingress-apps/mailhog.yaml b/template/stacks/core/ingress-apps/mailhog.yaml
new file mode 100644
index 0000000..ceb6060
--- /dev/null
+++ b/template/stacks/core/ingress-apps/mailhog.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mailhog
+  namespace: mailhog
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{{ .Env.DOMAIN }}}
+    http:
+      paths:
+      - backend:
+          service:
+            name: mailhog
+            port:
+              number: 8025
+        path: /mailhog
+        pathType: Prefix
diff --git a/template/stacks/ref-implementation/mailhog.yaml b/template/stacks/ref-implementation/mailhog.yaml
new file mode 100644
index 0000000..6fd77df
--- /dev/null
+++ b/template/stacks/ref-implementation/mailhog.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mailhog
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/ref-implementation/mailhog"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: mailhog
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
diff --git a/template/stacks/ref-implementation/mailhog/deployment.yaml b/template/stacks/ref-implementation/mailhog/deployment.yaml
new file mode 100644
index 0000000..b5023ac
--- /dev/null
+++ b/template/stacks/ref-implementation/mailhog/deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mailhog-deployment
+  namespace: mailhog
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mailhog
+  template:
+    metadata:
+      labels:
+        app: mailhog
+    spec:
+      containers:
+      - name: mailhog
+        image: mailhog/mailhog
+        env:
+        - name: MH_UI_WEB_PATH # set this to same value as in ingress stacks/core/ingress-apps/mailhog.yaml
+          value: mailhog
+        ports:
+          - containerPort: 1025
+            name: smtp
+          - containerPort: 8025
+            name: http
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "100m"            
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/mailhog/service.yaml b/template/stacks/ref-implementation/mailhog/service.yaml
new file mode 100644
index 0000000..77781c8
--- /dev/null
+++ b/template/stacks/ref-implementation/mailhog/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mailhog
+spec:
+  selector:
+    app: mailhog
+  ports:
+    - name: smtp
+      port: 1025
+    - name: http
+      port: 8025
+  type: ClusterIP
\ No newline at end of file

From 55435a3ad2eca98f03dc874714a4e4e57dac4360 Mon Sep 17 00:00:00 2001
From: Bot <bot@undefined.com>
Date: Mon, 24 Mar 2025 17:09:44 +0100
Subject: [PATCH 54/58] feat(mailhog): IPCEICIS-3048 - added documentation

---
 .../ref-implementation/mailhog/README.md      | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 template/stacks/ref-implementation/mailhog/README.md

diff --git a/template/stacks/ref-implementation/mailhog/README.md b/template/stacks/ref-implementation/mailhog/README.md
new file mode 100644
index 0000000..dc80e50
--- /dev/null
+++ b/template/stacks/ref-implementation/mailhog/README.md
@@ -0,0 +1,54 @@
+# Mailhog
+
+[MailHog is an email testing tool for developers](https://github.com/mailhog/MailHog).
+
+## In cluster SMTP service
+
+Ypu can send ESMTP emails in the cluster to `mailhog.mailhog.svc.cluster.local`, standard port `1025`, as defined in the service manifest:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: mailhog
+spec:
+  ports:
+    - name: smtp
+      port: 1025
+```
+
+## Ingress
+
+Mailhog offers both WebUi and API at `https://{{{ .Env.DOMAIN }}}/mailhog`.
+
+The ingress definition is in `stacks/core/ingress-apps/mailhog.yaml` (BTW, why isn't this ingress file here in this folder ??) routing to the mailhog' service
+
+```yaml
+spec:
+  rules:
+  - host: {{{ .Env.DOMAIN }}}
+    http:
+      paths:
+      - backend:
+        ...
+        path: /mailhog
+```
+
+## API
+
+For usage of the API see https://github.com/mailhog/MailHog/blob/master/docs/APIv2.md
+
+## Tests
+
+```bash
+kubectl run busybox --rm -it --image=busybox -- /bin/sh
+
+# inside bsybox
+wget -O- http://mailhog.mailhog.svc.cluster.local:8025/mailhog
+
+# check smtp port
+nc -zv mailhog.mailhog.svc.cluster.local 1025
+
+# send esmtp, first install swaks
+swaks --to test@example.com --from test@example.com --server mailhog:1025 --data "Subject: Test-Mail\n\nDies ist eine Test-Mail."
+```
\ No newline at end of file

From dd7551a2932533a1fd4bd323a769f51c670b1c34 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <richard-robert.reitz@telekom.de>
Date: Thu, 27 Mar 2025 19:33:56 +0100
Subject: [PATCH 55/58] updated forgejo and forgejo-runner

---
 template/stacks/core/forgejo-runner/dind-docker.yaml | 6 +++---
 template/stacks/core/forgejo.yaml                    | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml
index 04b07a7..3676503 100644
--- a/template/stacks/core/forgejo-runner/dind-docker.yaml
+++ b/template/stacks/core/forgejo-runner/dind-docker.yaml
@@ -28,7 +28,7 @@ spec:
       # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
       initContainers:
         - name: runner-register
-          image: code.forgejo.org/forgejo/runner:6.0.1
+          image: code.forgejo.org/forgejo/runner:6.3.1
           command: 
             - "forgejo-runner"
             - "register"
@@ -58,7 +58,7 @@ spec:
               mountPath: /data
       containers:
       - name: runner
-        image: code.forgejo.org/forgejo/runner:6.0.1
+        image: code.forgejo.org/forgejo/runner:6.3.1
         command: 
           - "sh"
           - "-c"
@@ -94,7 +94,7 @@ spec:
         - name: runner-data
           mountPath: /data
       - name: daemon
-        image: docker:27.4.1-dind
+        image: docker:28.0.4-dind
         env:
         - name: DOCKER_TLS_CERTDIR
           value: /certs
diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml
index 9b4aeae..4e95fe0 100644
--- a/template/stacks/core/forgejo.yaml
+++ b/template/stacks/core/forgejo.yaml
@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
       path: .
-      targetRevision: v10.1.1
+      targetRevision: v11.0.5
       helm:
         valueFiles:
           - $values/stacks/core/forgejo/values.yaml

From 9ba027f94b35a94db45ae22b47536ad537acba00 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <richard-robert.reitz@telekom.de>
Date: Thu, 27 Mar 2025 20:10:06 +0100
Subject: [PATCH 56/58] updated nginx-ingress

---
 template/stacks/core/ingress-nginx.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/ingress-nginx.yaml b/template/stacks/core/ingress-nginx.yaml
index cb69681..1bec144 100644
--- a/template/stacks/core/ingress-nginx.yaml
+++ b/template/stacks/core/ingress-nginx.yaml
@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://github.com/kubernetes/ingress-nginx
       path: charts/ingress-nginx
-      targetRevision: helm-chart-4.11.3
+      targetRevision: helm-chart-4.12.1
       helm:
         valueFiles:
           - $values/stacks/core/ingress-nginx/values.yaml

From b3495f610c5a9a8a84d5a89f78ae12aa58a88608 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <richard-robert.reitz@telekom.de>
Date: Thu, 27 Mar 2025 20:42:01 +0100
Subject: [PATCH 57/58] updated argocd

---
 template/stacks/core/argocd.yaml        | 4 ++--
 template/stacks/core/forgejo.yaml       | 4 ++--
 template/stacks/core/ingress-nginx.yaml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 4f65e09..201951f 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -16,12 +16,12 @@ spec:
     name: in-cluster
     namespace: argocd
   sources:
-    - repoURL: https://github.com/argoproj/argo-helm
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
       path: charts/argo-cd
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.7.5
+      targetRevision: argo-cd-7.8.14-depends
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml
diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml
index 4e95fe0..a89d576 100644
--- a/template/stacks/core/forgejo.yaml
+++ b/template/stacks/core/forgejo.yaml
@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: gitea
   sources:
-    - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
       path: .
-      targetRevision: v11.0.5
+      targetRevision: v11.0.5-depends
       helm:
         valueFiles:
           - $values/stacks/core/forgejo/values.yaml
diff --git a/template/stacks/core/ingress-nginx.yaml b/template/stacks/core/ingress-nginx.yaml
index 1bec144..2517368 100644
--- a/template/stacks/core/ingress-nginx.yaml
+++ b/template/stacks/core/ingress-nginx.yaml
@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: ingress-nginx
   sources:
-    - repoURL: https://github.com/kubernetes/ingress-nginx
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git
       path: charts/ingress-nginx
-      targetRevision: helm-chart-4.12.1
+      targetRevision: helm-chart-4.12.1-depends
       helm:
         valueFiles:
           - $values/stacks/core/ingress-nginx/values.yaml

From 51e765049ba8e55ba71b3b79d5021958e31b72af Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 30 Mar 2025 22:34:04 +0200
Subject: [PATCH 58/58] Update fix to latest kindserver

---
 .../core/crossplane-providers/provider-argocd.yaml       | 9 ---------
 .../stacks/core/crossplane-providers/provider-kind.yaml  | 9 ---------
 .../stacks/core/crossplane-providers/provider-shell.yaml | 9 ---------
 3 files changed, 27 deletions(-)
 delete mode 100644 template/stacks/core/crossplane-providers/provider-argocd.yaml
 delete mode 100644 template/stacks/core/crossplane-providers/provider-kind.yaml
 delete mode 100644 template/stacks/core/crossplane-providers/provider-shell.yaml

diff --git a/template/stacks/core/crossplane-providers/provider-argocd.yaml b/template/stacks/core/crossplane-providers/provider-argocd.yaml
deleted file mode 100644
index 241ca84..0000000
--- a/template/stacks/core/crossplane-providers/provider-argocd.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-argocd
-spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1
diff --git a/template/stacks/core/crossplane-providers/provider-kind.yaml b/template/stacks/core/crossplane-providers/provider-kind.yaml
deleted file mode 100644
index 5bfe9a1..0000000
--- a/template/stacks/core/crossplane-providers/provider-kind.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-kind
-spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.1
-  packagePullPolicy: IfNotPresent
-  revisionActivationPolicy: Automatic
-  revisionHistoryLimit: 1
diff --git a/template/stacks/core/crossplane-providers/provider-shell.yaml b/template/stacks/core/crossplane-providers/provider-shell.yaml
deleted file mode 100644
index 2974c0c..0000000
--- a/template/stacks/core/crossplane-providers/provider-shell.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-shell
-spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.5
-  packagePullPolicy: IfNotPresent
-  revisionActivationPolicy: Automatic
-  revisionHistoryLimit: 1