DevFW-CICD/stacks
12
0
Fork 1
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions

Compare commits

base: DevFW-CICD:1.2.0
Branches Tags
DevFW-CICD:development
DevFW-CICD:IPCEICIS-2297_working_oidc
DevFW-CICD:IPCEICIS-2952
DevFW-CICD:modularise_edp
DevFW-CICD:michals-silly-game
DevFW-CICD:keycloak_update_test
DevFW-CICD:django-backstage-template
DevFW-CICD:IPCEICIS-2293_oidc_in_forgejo
DevFW-CICD:IPCEICIS-3256
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:feature/IPCEICIS-2435_oidc_in_argocd
DevFW-CICD:alloy_implementation
DevFW-CICD:openbao_logs_second_way
DevFW-CICD:root_path_argocd_test
DevFW-CICD:IPCEICIS-2751_backstage
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:runner-tags
DevFW-CICD:dns_splitting
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:main
DevFW-CICD:dns_ssl_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0
...
compare: DevFW-CICD:development
Branches Tags
DevFW-CICD:IPCEICIS-2297_working_oidc
DevFW-CICD:IPCEICIS-2952
DevFW-CICD:modularise_edp
DevFW-CICD:development
DevFW-CICD:michals-silly-game
DevFW-CICD:keycloak_update_test
DevFW-CICD:django-backstage-template
DevFW-CICD:IPCEICIS-2293_oidc_in_forgejo
DevFW-CICD:IPCEICIS-3256
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:feature/IPCEICIS-2435_oidc_in_argocd
DevFW-CICD:alloy_implementation
DevFW-CICD:openbao_logs_second_way
DevFW-CICD:root_path_argocd_test
DevFW-CICD:IPCEICIS-2751_backstage
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:runner-tags
DevFW-CICD:dns_splitting
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:main
DevFW-CICD:dns_ssl_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0

16 commits
1.2.0 ... developmen

Author SHA1 Message Date
Bot
abeeb7ee23 chore(backstage): pin to backstage-edp v1.1.0 2025-04-23 13:20:24 +02:00
Bot
4eb6fa0908 Removed unused ArgoCD Application manifests of Crossplane 2025-04-22 18:56:30 +02:00
richardrobertreitz
9bb0063f8b Use Redis in the Forgejo configuration to support rolling updates of Forgejo itself 
Forgejo is not able to be reconfigured by default: a queue is locked
To circumvent the problem, we need simply to enable the use of Redis as a Forgejo component
 2025-04-22 12:29:50 +00:00
richardrobertreitz
1a8c2846bc Update template/stacks/core/forgejo-sso/secret-forgejo.yaml 2025-04-12 21:21:16 +00:00
richardrobertreitz
ead21d078a Update template/stacks/core/argocd-sso/argocd-secret.yaml 2025-04-12 20:42:55 +00:00
richardrobertreitz
30d1d51884 Merge pull request 'Added keycloak client externalsecret for Forgejo and ArgoCD' (#27) from keycloak_externalsecret_for_argocd_and_forgejo into development 
Reviewed-on: #27
 2025-04-12 19:38:52 +00:00
Richard Robert Reitz
33def8aba5 Added keycloak client externalsecret for Forgejo and ArgoCD 2025-04-12 21:31:05 +02:00
richardrobertreitz
0a307e5b35 Merge pull request 'keycloak_oidc_forgejo_config' (#25) from keycloak_oidc_forgejo_config into development 
Reviewed-on: #25
 2025-04-12 19:13:13 +00:00
Richard Robert Reitz
55a1eaa6f6 Added Forgejo to Keycloak config 2025-04-12 21:07:43 +02:00
Richard Robert Reitz
2532958de8 Added Forgejo to Keycloak config 2025-04-12 21:05:35 +02:00
richardrobertreitz
7a5e29e47d Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 2025-04-12 18:52:41 +00:00
richardrobertreitz
3943b3d46e Merge pull request 'Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml' (#24) from keycloak_oidc_argocd_config into development 
Reviewed-on: #24
 2025-04-12 18:50:49 +00:00
richardrobertreitz
3263113ebe Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 2025-04-12 18:49:15 +00:00
richardrobertreitz
5d0182d6ee Update template/stacks/core/forgejo/values.yaml 2025-04-12 16:27:05 +00:00
richardrobertreitz
c01d4952ad Disabled user self registration in Forgejo 2025-04-12 16:17:20 +00:00
richardrobertreitz
777d6afeb4 Update template/stacks/core/forgejo-runner/dind-docker.yaml 2025-04-11 14:12:29 +00:00
13 changed files with 243 additions and 151 deletions
Show stats Expand all files Collapse all files

30
template/stacks/core/crossplane-compositions.yaml → template/stacks/core/argocd-sso.yaml
View file

@ -1,23 +1,29 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: crossplane-compositions name: argocd-sso
namespace: argocd namespace: argocd
labels: labels:
env: dev env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec: spec:
project: default project: default
syncPolicy:
automated:
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source: source:
path: stacks/core/crossplane-compositions
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD targetRevision: HEAD
directory: path: "stacks/core/argocd-sso"
recurse: true destination:
server: "https://kubernetes.default.svc"
namespace: argocd
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

24
template/stacks/core/argocd-sso/argocd-secret.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: argocd
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
metadata:
labels:
app.kubernetes.io/part-of: argocd
data:
- secretKey: ARGOCD_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: ARGOCD_CLIENT_SECRET

30
template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
View file

@ -1,30 +0,0 @@
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: edfbuilders.edfbuilder.crossplane.io
spec:
connectionSecretKeys:
- kubeconfig
group: edfbuilder.crossplane.io
names:
kind: EDFBuilder
listKind: EDFBuilderList
plural: edfbuilders
singular: edfbuilders
versions:
- name: v1alpha1
served: true
referenceable: true
schema:
openAPIV3Schema:
description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
type: object
properties:
spec:
type: object
properties:
repoURL:
type: string
description: URL to ArgoCD stack of stacks repo
required:
- repoURL

9
template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
View file

@ -1,9 +0,0 @@
apiVersion: pkg.crossplane.io/v1
kind: Function
metadata:
name: crossplane-contrib-function-patch-and-transform
spec:
package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

14
template/stacks/core/crossplane-providers/provider-argocd-config.yaml
View file

@ -1,14 +0,0 @@
apiVersion: argocd.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: argocd-provider
spec:
serverAddr: argocd-server.argocd.svc.cluster.local:80
insecure: true
plainText: true
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: argocd-credentials
key: authToken

14
template/stacks/core/crossplane-providers/provider-kind-config.yaml
View file

@ -1,14 +0,0 @@
apiVersion: kind.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: kind-provider
spec:
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: kind-credentials
key: credentials
endpoint:
# the url is managed by crossplane-edfbuilder
url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver

23
template/stacks/core/crossplane.yaml
View file

@ -1,23 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: crossplane
namespace: argocd
labels:
env: dev
spec:
project: default
syncPolicy:
automated:
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source:
chart: crossplane
repoURL: https://charts.crossplane.io/stable
targetRevision: 1.18.0
helm:
releaseName: crossplane

21
template/stacks/core/forgejo-runner/dind-docker.yaml
View file

@ -30,17 +30,16 @@ spec:
- name: runner-register - name: runner-register
image: code.forgejo.org/forgejo/runner:6.3.1 image: code.forgejo.org/forgejo/runner:6.3.1
command: command:
- "forgejo-runner" - "sh"
- "register" - "-c"
- "--no-interactive" - |
- "--token" forgejo-runner \
- $(RUNNER_SECRET) register \
- "--name" --no-interactive \
- $(RUNNER_NAME) --token ${RUNNER_SECRET} \
- "--instance" --name ${RUNNER_NAME} \
- $(FORGEJO_INSTANCE_URL) --instance ${FORGEJO_INSTANCE_URL} \
- "--labels" --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
- "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
env: env:
- name: RUNNER_NAME - name: RUNNER_NAME
valueFrom: valueFrom:

30
template/stacks/core/crossplane-providers.yaml → template/stacks/core/forgejo-sso.yaml
View file

@ -1,23 +1,29 @@
{{{ if eq .Env.CLUSTER_TYPE "kind" }}}
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: crossplane-providers name: forgejo-sso
namespace: argocd namespace: argocd
labels: labels:
env: dev env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec: spec:
project: default project: default
syncPolicy:
automated:
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source: source:
path: stacks/core/crossplane-providers
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD targetRevision: HEAD
{{{ end }}} path: "stacks/core/forgejo-sso"
destination:
server: "https://kubernetes.default.svc"
namespace: gitea
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

26
template/stacks/core/forgejo-sso/secret-forgejo.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: gitea
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
key: "{{.FORGEJO_CLIENT_ID}}"
secret: "{{.FORGEJO_CLIENT_SECRET}}"
data:
- secretKey: FORGEJO_CLIENT_ID
remoteRef:
key: keycloak-clients
property: FORGEJO_CLIENT_ID
- secretKey: FORGEJO_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: FORGEJO_CLIENT_SECRET

7
template/stacks/core/forgejo/values.yaml
View file

@ -1,5 +1,5 @@
redis-cluster: redis-cluster:
enabled: false enabled: true
postgresql: postgresql:
enabled: false enabled: false
postgresql-ha: postgresql-ha:
@ -16,6 +16,11 @@ gitea:
admin: admin:
existingSecret: gitea-credential existingSecret: gitea-credential
config: config:
service:
DISABLE_REGISTRATION: true
other:
SHOW_FOOTER_VERSION: false
SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
database: database:
DB_TYPE: sqlite3 DB_TYPE: sqlite3
session: session:

3
template/stacks/ref-implementation/backstage/manifests/install.yaml
View file

@ -264,7 +264,8 @@ spec:
name: gitea-credentials name: gitea-credentials
- secretRef: - secretRef:
name: argocd-credentials name: argocd-credentials
image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
imagePullPolicy: Always
name: backstage name: backstage
ports: ports:
- containerPort: 7007 - containerPort: 7007

139
template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
View file

@ -219,6 +219,64 @@ data:
] ]
} }
argocd-client-payload.json: |
{
"protocol": "openid-connect",
"clientId": "argocd",
"name": "ArgoCD Client",
"description": "Used for ArgoCD SSO",
"publicClient": false,
"authorizationServicesEnabled": false,
"serviceAccountsEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"frontchannelLogout": true,
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false
},
"alwaysDisplayInConsole": false,
"rootUrl": "",
"baseUrl": "",
"redirectUris": [
"https://{{{ .Env.DOMAIN }}}/*"
],
"webOrigins": [
"/*"
]
}
forgejo-client-payload.json: |
{
"protocol": "openid-connect",
"clientId": "forgejo",
"name": "Forgejo Client",
"description": "Used for Forgejo SSO",
"publicClient": false,
"authorizationServicesEnabled": false,
"serviceAccountsEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"frontchannelLogout": true,
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false
},
"alwaysDisplayInConsole": false,
"rootUrl": "",
"baseUrl": "",
"redirectUris": [
"https://{{{ .Env.DOMAIN_GITEA }}}/*"
],
"webOrigins": [
"/*"
]
}
--- ---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
@ -315,7 +373,7 @@ spec:
${KEYCLOAK_URL}/admin/realms/cnoe/groups ${KEYCLOAK_URL}/admin/realms/cnoe/groups
# Create scope mapper # Create scope mapper
echo 'adding group claim to tokens' echo 'adding group claim to tokens'
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \ curl -sS -H "Content-Type: application/json" \
@ -355,8 +413,8 @@ spec:
echo "creating Argo Workflows client" echo "creating Argo Workflows client"
curl -sS -H "Content-Type: application/json" \ curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/argo-client-payload.json \ -X POST --data @/var/config/argo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients ${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -370,21 +428,26 @@ spec:
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating Grafana client" echo "creating Grafana client"
curl -sS -H "Content-Type: application/json" \ curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/grafana-client-payload.json \ -X POST --data @/var/config/grafana-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients ${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -394,19 +457,68 @@ spec:
curl -sS -H "Content-Type: application/json" \ curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/backstage-client-payload.json \ -X POST --data @/var/config/backstage-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients ${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating ArgoCD client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/argocd-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating Forgejo client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/forgejo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
@ -426,7 +538,10 @@ spec:
BACKSTAGE_CLIENT_ID: backstage BACKSTAGE_CLIENT_ID: backstage
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
GRAFANA_CLIENT_ID: grafana GRAFANA_CLIENT_ID: grafana
ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
ARGOCD_CLIENT_ID: argocd
FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
FORGEJO_CLIENT_ID: forgejo
" > /tmp/secret.yaml " > /tmp/secret.yaml
./kubectl apply -f /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml