Merge pull request 'IPCEICIS-2952' (#31) from IPCEICIS-2952 into development

Reviewed-on: #31
Reviewed-by: Daniel.Sy <Daniel.Sy@telekom.de>

.gitignore

@@ -0,0 +1 @@
+/.history

template/stacks/core/argocd-sso.yaml

@@ -1,23 +1,29 @@
-{{{ if eq .Env.CLUSTER_TYPE "kind" }}}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: crossplane-providers
+  name: argocd-sso
   namespace: argocd
   labels:
     env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
   source:
-    path: stacks/core/crossplane-providers
     repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
     targetRevision: HEAD
-{{{ end }}}
+    path: "stacks/core/argocd-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: argocd
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: forgejo-access-token
+  namespace: argocd 
+spec:
+  secretStoreRef:
+    name: gitea
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: forgejo-access-token
+    template:
+      engineVersion: v2
+      data:
+        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argocd
+  data:
+    - secretKey: FORGEJO_ACCESS_USERNAME
+      remoteRef:
+        key: forgejo-access-token
+        property: username
+    - secretKey: FORGEJO_ACCESS_TOKEN
+      remoteRef:
+        key: forgejo-access-token
+        property: token

template/stacks/core/argocd-sso/argocd-secret.yaml

@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: argocd 
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argocd
+  data:
+    - secretKey: ARGOCD_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: ARGOCD_CLIENT_SECRET

template/stacks/core/argocd-sso/argocd-sso-config.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: argocd-config
+  namespace: argocd
+spec:
+  template:
+    metadata:
+      generateName: argocd-config-
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: push
+          image: docker.io/library/ubuntu:22.04
+          env:
+            - name: FORGEJO_USER
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_username
+            - name: FORGEJO_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_token
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+
+              apt -qq update
+              apt -qq install git wget -y
+              if [[ "$(uname -m)" == "x86_64" ]]; then
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+                install yq_linux_amd64 /usr/local/bin/yq
+                rm yq_linux_amd64
+              else
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+                install yq_linux_arm64 /usr/local/bin/yq
+                rm yq_linux_arm64
+              fi
+
+              git config --global user.email "bot@bots.de"
+              git config --global user.name "bot"
+              
+              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
+              cd edfbuilder
+              yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
+              
+              git add stacks/core/argocd/values.yaml
+              git commit -m "adds Forgejo SSO config"
+              git push
+  backoffLimit: 99           

template/stacks/core/argocd.yaml

@@ -16,12 +16,12 @@ spec:
     name: in-cluster
     namespace: argocd
   sources:
-    - repoURL: https://github.com/argoproj/argo-helm
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
       path: charts/argo-cd
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.6.12
+      targetRevision: argo-cd-7.8.14-depends
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml

template/stacks/core/argocd/values.yaml

@@ -5,6 +5,7 @@ configs:
   params:
     server.insecure: true
     server.basehref: /argocd
+    server.rootpath: /argocd
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
@@ -20,6 +21,7 @@ configs:
         clusters:
         - "*"
     accounts.provider-argocd: apiKey
+    url: https://{{{ .Env.DOMAIN }}}/argocd
   rbac:
     policy.csv: 'g, provider-argocd, role:admin'
 

template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml

@@ -1,30 +0,0 @@
-apiVersion: apiextensions.crossplane.io/v1
-kind: CompositeResourceDefinition
-metadata:
-  name: edfbuilders.edfbuilder.crossplane.io
-spec:
-  connectionSecretKeys:
-    - kubeconfig
-  group: edfbuilder.crossplane.io
-  names:
-    kind: EDFBuilder
-    listKind: EDFBuilderList
-    plural: edfbuilders
-    singular: edfbuilders
-  versions:
-    - name: v1alpha1
-      served: true
-      referenceable: true
-      schema:
-        openAPIV3Schema:
-          description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
-          type: object
-          properties:
-            spec:
-              type: object
-              properties:
-                repoURL:
-                  type: string
-                  description: URL to ArgoCD stack of stacks repo
-              required:
-                - repoURL

template/stacks/core/crossplane-providers/function-patch-and-transform.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Function
-metadata:
-  name: crossplane-contrib-function-patch-and-transform
-spec:
-  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-argocd-config.yaml

@@ -1,14 +0,0 @@
-apiVersion: argocd.crossplane.io/v1alpha1
-kind: ProviderConfig
-metadata:
-  name: argocd-provider
-spec:
-  serverAddr: argocd-server.argocd.svc.cluster.local:80
-  insecure: true
-  plainText: true
-  credentials:
-    source: Secret
-    secretRef:
-      namespace: crossplane-system
-      name: argocd-credentials
-      key: authToken

template/stacks/core/crossplane-providers/provider-argocd.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-argocd
-spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-kind-config.yaml

@@ -1,14 +0,0 @@
-apiVersion: kind.crossplane.io/v1alpha1
-kind: ProviderConfig
-metadata:
-  name: kind-provider
-spec:
-  credentials:
-    source: Secret
-    secretRef:
-      namespace: crossplane-system
-      name: kind-credentials
-      key: credentials
-  endpoint:
-    # the url is managed by crossplane-edfbuilder
-    url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver

template/stacks/core/crossplane-providers/provider-kind.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-kind
-spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.0
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-shell.yaml

@@ -1,9 +0,0 @@
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-shell
-spec:
-  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.1
-  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
-  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
-  revisionHistoryLimit: 1

template/stacks/core/crossplane.yaml

@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: crossplane
-  namespace: argocd
-  labels:
-    env: dev
-spec:
-  project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
-  source:
-    chart: crossplane
-    repoURL: https://charts.crossplane.io/stable
-    targetRevision: 1.18.0
-    helm:
-      releaseName: crossplane

template/stacks/core/forgejo-runner/dind-docker.yaml

@@ -28,19 +28,18 @@ spec:
       # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
       initContainers:
         - name: runner-register
-          image: code.forgejo.org/forgejo/runner:6.0.1
+          image: code.forgejo.org/forgejo/runner:6.3.1
-          command: 
+          command:
-            - "forgejo-runner"
+          - "sh"
-            - "register"
+          - "-c"
-            - "--no-interactive"
+          - |
-            - "--token"
+            forgejo-runner \
-            - $(RUNNER_SECRET)
+              register \
-            - "--name"
+              --no-interactive \
-            - $(RUNNER_NAME)
+              --token ${RUNNER_SECRET} \
-            - "--instance"
+              --name ${RUNNER_NAME} \
-            - $(FORGEJO_INSTANCE_URL)
+              --instance ${FORGEJO_INSTANCE_URL} \
-            - "--labels"
+              --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
-            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
           env:
             - name: RUNNER_NAME
               valueFrom:
@@ -58,7 +57,7 @@ spec:
               mountPath: /data
       containers:
       - name: runner
-        image: code.forgejo.org/forgejo/runner:6.0.1
+        image: code.forgejo.org/forgejo/runner:6.3.1
         command: 
           - "sh"
           - "-c"
@@ -94,7 +93,7 @@ spec:
         - name: runner-data
           mountPath: /data
       - name: daemon
-        image: docker:27.4.1-dind
+        image: docker:28.0.4-dind
         env:
         - name: DOCKER_TLS_CERTDIR
           value: /certs

template/stacks/core/forgejo-sso.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-sso
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/core/forgejo-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: gitea
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/core/forgejo-sso/forgejo-access-token.yaml

@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: forgejo-access-token
+  namespace: gitea 
+spec:
+  secretStoreRef:
+    name: gitea
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: forgejo-access-token
+    template:
+      engineVersion: v2
+      data:
+        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
+        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
+  data:
+    - secretKey: FORGEJO_ACCESS_USERNAME
+      remoteRef:
+        key: forgejo-access-token
+        property: username
+    - secretKey: FORGEJO_ACCESS_TOKEN
+      remoteRef:
+        key: forgejo-access-token
+        property: token

template/stacks/core/forgejo-sso/forgejo-secret.yaml

@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: gitea 
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        key: "{{.FORGEJO_CLIENT_ID}}"
+        secret: "{{.FORGEJO_CLIENT_SECRET}}"
+  data:
+    - secretKey: FORGEJO_CLIENT_ID
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_ID
+    - secretKey: FORGEJO_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_SECRET

template/stacks/core/forgejo-sso/forgejo-sso-config.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: forgejo-config
+  namespace: gitea
+spec:
+  template:
+    metadata:
+      generateName: forgejo-config-
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: push
+          image: docker.io/library/ubuntu:22.04
+          env:
+            - name: FORGEJO_USER
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_username
+            - name: FORGEJO_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-access-token
+                  key: forgejo_token
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+
+              apt -qq update
+              apt -qq install git wget -y
+              if [[ "$(uname -m)" == "x86_64" ]]; then
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
+                install yq_linux_amd64 /usr/local/bin/yq
+                rm yq_linux_amd64
+              else
+                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+                install yq_linux_arm64 /usr/local/bin/yq
+                rm yq_linux_arm64
+              fi
+
+              git config --global user.email "bot@bots.de"
+              git config --global user.name "giteaAdmin"
+              
+              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
+              cd edfbuilder
+              yq eval ".gitea.oauth = [
+                {
+                  \"name\": \"Keycloak\",
+                  \"provider\": \"openidConnect\",
+                  \"existingSecret\": \"auth-generic-oauth-secret\",
+                  \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
+                }
+              ] |
+                (.gitea.oauth[] | .name) |= (. style=\"single\")
+                |
+                (.gitea.oauth[] | .provider) |= (. style=\"single\")
+                |
+                (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
+                |
+                (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
+              " -i stacks/core/forgejo/values.yaml
+
+              yq eval '.gitea.config.oauth2_client = 
+                {
+                  "ENABLE_AUTO_REGISTRATION" : true,
+                  "ACCOUNT_LINKING" : "auto"
+                }
+              ' -i stacks/core/forgejo/values.yaml
+              
+              git add stacks/core/forgejo/values.yaml
+              git commit -m "adds Forgejo SSO config"
+              git push
+  backoffLimit: 99

template/stacks/core/forgejo.yaml

@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: gitea
   sources:
-    - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
       path: .
-      targetRevision: v10.1.1
+      targetRevision: v12.0.0-depends
       helm:
         valueFiles:
           - $values/stacks/core/forgejo/values.yaml

template/stacks/core/forgejo/values.yaml

@@ -1,5 +1,5 @@
 redis-cluster:
-  enabled: false
+  enabled: true
 postgresql:
   enabled: false
 postgresql-ha:
@@ -16,6 +16,11 @@ gitea:
   admin:
     existingSecret: gitea-credential
   config:
+    service:
+      DISABLE_REGISTRATION: true
+    other:
+      SHOW_FOOTER_VERSION: false
+      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
     database:
       DB_TYPE: sqlite3
     session:
@@ -27,6 +32,12 @@ gitea:
     server:
       DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
       ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
+    mailer:
+      ENABLED: true
+      FROM: forgejo@{{{ .Env.DOMAIN_GITEA }}}
+      PROTOCOL: smtp
+      SMTP_ADDR: mailhog.mailhog.svc.cluster.local
+      SMTP_PORT: 1025
 
 service:
   ssh:

template/stacks/core/ingress-apps/alloy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: alloy
+  namespace: monitoring
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{{ .Env.DOMAIN }}}
+    http:
+      paths:
+      - backend:
+          service:
+            name: alloy
+            port:
+              number: 12345
+        path: /alloy
+        pathType: Prefix

template/stacks/core/ingress-apps/argocd-server.yaml

@@ -4,8 +4,6 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    nginx.ingress.kubernetes.io/use-regex: "true"
 {{{ if eq .Env.CLUSTER_TYPE "osc" }}}
     dns.gardener.cloud/class: garden
     dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN }}}
@@ -24,8 +22,8 @@ spec:
             name: argocd-server
             port:
               number: 80
-        path: /argocd(/|$)(.*)
+        path: /argocd
-        pathType: ImplementationSpecific
+        pathType: Prefix
   tls:
   - hosts:
     - {{{ .Env.DOMAIN }}}

template/stacks/core/ingress-apps/mailhog.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mailhog
+  namespace: mailhog
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{{ .Env.DOMAIN }}}
+    http:
+      paths:
+      - backend:
+          service:
+            name: mailhog
+            port:
+              number: 8025
+        path: /mailhog
+        pathType: Prefix

template/stacks/core/ingress-nginx.yaml

@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: ingress-nginx
   sources:
-    - repoURL: https://github.com/kubernetes/ingress-nginx
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git
       path: charts/ingress-nginx
-      targetRevision: helm-chart-4.11.3
+      targetRevision: helm-chart-4.12.1-depends
       helm:
         valueFiles:
           - $values/stacks/core/ingress-nginx/values.yaml

template/stacks/monitoring/alloy.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: promtail
+  name: alloy
   namespace: argocd
   labels:
     env: dev
@@ -18,12 +18,12 @@ spec:
     name: in-cluster
     namespace: monitoring
   sources:
-    - repoURL: https://github.com/grafana/helm-charts
+    - repoURL: https://github.com/grafana/alloy.git
-      path:     charts/promtail   
+      path: operations/helm/charts/alloy   
       targetRevision: HEAD      
       helm:
         valueFiles:
-          - $values/stacks/monitoring/promtail/values.yaml
+          - $values/stacks/monitoring/alloy/values.yaml
     - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
       targetRevision: HEAD
       ref: values

template/stacks/monitoring/alloy/values.yaml

@@ -0,0 +1,101 @@
+controller:
+  volumes:
+    extra:
+    - name: host-log-storage
+      hostPath:
+        path: /var/log
+        type: Directory
+alloy:
+  create: false
+  name: alloy-config
+  key: config.alloy
+
+  mounts:
+    extra:
+    - mountPath: /openbao/logs
+      name: host-log-storage
+      readOnly: true
+
+  uiPathPrefix: "/alloy"
+
+  configMap:
+    content: |-
+
+      logging {
+        level  = "info"
+        format = "logfmt"
+      }
+
+      loki.write "local_loki" {
+          endpoint {
+              url = "http://loki-loki-distributed-gateway/loki/api/v1/push"
+          }
+      }
+
+      discovery.kubernetes "pod" {
+        role = "pod"
+      }
+
+      discovery.kubernetes "nodes" {
+        role = "node"
+      }
+
+      discovery.kubernetes "services" {
+        role = "service"
+      }
+
+      discovery.kubernetes "endpoints" {
+        role = "endpoints"
+      }
+
+      discovery.kubernetes "endpointslices" {
+        role = "endpointslice"
+      }
+
+      discovery.kubernetes "ingresses" {
+        role = "ingress"
+      }
+
+      discovery.relabel "pod_logs" {
+        targets = discovery.kubernetes.pod.targets
+
+        rule {
+          source_labels = ["__meta_kubernetes_namespace"]
+          action        = "replace"
+          target_label  = "namespace"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_name"]
+          action        = "replace"
+          target_label  = "pod"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_node_name"]
+          action        = "replace"
+          target_label  = "node"
+        }
+
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_name"]
+          action        = "replace"
+          target_label  = "container"
+        }
+
+      }
+
+      local.file_match "file_logs" {
+          path_targets = [{"__path__" = "/openbao/logs/openbao/*"}]
+          sync_period = "5s"
+      }
+
+      loki.source.file "local_files" {
+          targets    = local.file_match.file_logs.targets
+          forward_to = [loki.write.local_loki.receiver]
+      }
+
+      loki.source.kubernetes "all_pod_logs" {
+        targets    = discovery.relabel.pod_logs.output
+        forward_to = [loki.write.local_loki.receiver]
+      }

template/stacks/monitoring/kube-prometheus-sso.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-sso
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/monitoring/kube-prometheus-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: monitoring
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: monitoring
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
+  data:
+    - secretKey: GRAFANA_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: GRAFANA_CLIENT_SECRET

template/stacks/monitoring/kube-prometheus.yaml

@@ -15,6 +15,12 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true  # do not copy metdata, since (because of its large size) it can lead to sync failure
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
   destination:
     name: in-cluster
     namespace: monitoring

template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml

@@ -110,12 +110,12 @@ data:
                             "uid": "P8E80F9AEF21F6940"
                         },
                         "editorMode": "builder",
-                        "expr": "{container=\"promtail\"} |= ``",
+                        "expr": "{container=\"alloy\"} |= ``",
                         "queryType": "range",
                         "refId": "A"
                     }
                 ],
-                "title": "Logs: Container promtail",
+                "title": "Logs: Container alloy",
                 "type": "logs"
             },
             {

template/stacks/monitoring/kube-prometheus/values.yaml

@@ -33,7 +33,33 @@ grafana:
       domain: {{{ .Env.DOMAIN }}}
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
+    auth:
+      disable_login: true
+      disable_login_form: true
+    auth.generic_oauth:
+      enabled: true
+      name: Keycloak-OAuth
+      allow_sign_up: true
+      use_refresh_token: true
+      client_id: grafana
+      client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
+      scopes: openid email profile offline_access roles
+      email_attribute_path: email
+      login_attribute_path: username
+      name_attribute_path: full_name
+      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
+      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
+      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
+      role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
       
+  extraSecretMounts:
+    - name: auth-generic-oauth-secret-mount
+      secretName: auth-generic-oauth-secret
+      defaultMode: 0440
+      mountPath: /etc/secrets/auth_generic_oauth
+      readOnly: true
+
   serviceMonitor:
     # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
     enabled: true

template/stacks/monitoring/promtail/values.yaml

@@ -1,45 +0,0 @@
-# -- Overrides the chart's name
-nameOverride: null
-
-# -- Overrides the chart's computed fullname
-fullnameOverride: null
-
-global:
-  # -- Allow parent charts to override registry hostname
-  imageRegistry: ""
-  # -- Allow parent charts to override registry credentials
-  imagePullSecrets: []
-
-daemonset:
-  # -- Deploys Promtail as a DaemonSet
-  enabled: true
-  autoscaling:
-    # -- Creates a VerticalPodAutoscaler for the daemonset
-    enabled: false
-
-deployment:
-  # -- Deploys Promtail as a Deployment
-  enabled: false    
-
-config:
-  enabled: true
-  logLevel: info
-  logFormat: logfmt
-  serverPort: 3101
-  clients:
-    - url: http://loki-loki-distributed-gateway/loki/api/v1/push
-  scrape_configs:
-  - job_name: authlog
-    static_configs:
-    - targets:
-        - authlog
-      labels:
-        job: authlog
-        __path__: /logs/auth.log
-  - job_name: syslog
-    static_configs:
-    - targets:
-        - syslog
-      labels:
-        job: syslog
-        __path__: /logs/syslog    

template/stacks/ref-implementation/argo-workflows.yaml

@@ -23,3 +23,7 @@ spec:
       selfHeal: true
     retry:
       limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml

@@ -33,7 +33,7 @@ jobs:
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |
           export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
-          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %}
+          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ secrets.PACKAGES_USER }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
       - name: Build image as tar
         run: |
           ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true
@@ -57,7 +57,11 @@ jobs:
           NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this
       - name: install trivy from deb package
         run: |
-          wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
+          if [[ "$(uname -m)" == "x86_64" ]]; then
+            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
+          else
+            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb
+          fi
           DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb
       - name: scan the image
         run: trivy image --input jib-image.tar

template/stacks/ref-implementation/backstage.yaml

@@ -23,3 +23,7 @@ spec:
       selfHeal: true
     retry:
       limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/ref-implementation/backstage/manifests/install.yaml

@@ -255,6 +255,8 @@ spec:
               value: debug
             - name: NODE_TLS_REJECT_UNAUTHORIZED
               value: "0"
+            - name: NODE_OPTIONS
+              value: "--no-node-snapshot"
           envFrom:
             - secretRef:
                 name: backstage-env-vars
@@ -262,7 +264,8 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: ghcr.io/cnoe-io/backstage-app:9232d633b2698fffa6d0a73b715e06640d170162
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
+          imagePullPolicy: Always
           name: backstage
           ports:
             - containerPort: 7007
@@ -386,7 +389,7 @@ spec:
         KEYCLOAK_NAME_METADATA: https://{{{ .Env.DOMAIN }}}:443/keycloak/realms/cnoe/.well-known/openid-configuration
         KEYCLOAK_CLIENT_SECRET: "{{.BACKSTAGE_CLIENT_SECRET}}"
         ARGOCD_AUTH_TOKEN: "argocd.token={{.ARGOCD_SESSION_TOKEN}}"
-        ARGO_CD_URL: 'https://argocd-server.argocd.svc.cluster.local/api/v1/'
+        ARGO_CD_URL: 'https://{{{ .Env.DOMAIN }}}/argocd/api/v1/'
   data:
     - secretKey: ARGOCD_SESSION_TOKEN
       remoteRef:

template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml

@@ -71,11 +71,11 @@ data:
       },
       "type": "default",
       "protocol": "openid-connect"
-    }
+    }    
   group-admin-payload.json: |
-    {"name":"admin"}
+    {"name":"admin"}    
   group-base-user-payload.json: |
-    {"name":"base-user"}
+    {"name":"base-user"}    
   group-mapper-payload.json: |
     {
         "protocol": "openid-connect",
@@ -88,41 +88,41 @@ data:
           "access.token.claim": "true",
           "userinfo.token.claim": "true"
         }
-    }
+    }    
   realm-payload.json: |
-    {"realm":"cnoe","enabled":true}
+    {"realm":"cnoe","enabled":true}    
   user-password.json: |
     {
         "temporary": false,
         "type": "password",
         "value": "${USER1_PASSWORD}"
-    }
+    }    
   user-user1.json: |
     {
         "username": "user1",
-        "email": "",
+        "email": "user1@user.de",
         "firstName": "user",
         "lastName": "one",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/admin"
         ],
         "enabled": true
-    }
+    }    
   user-user2.json: |
     {
         "username": "user2",
-        "email": "",
+        "email": "user2@user.de",
         "firstName": "user",
         "lastName": "two",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/base-user"
         ],
         "enabled": true
-    }
+    }    
   argo-client-payload.json: |
     {
       "protocol": "openid-connect",
@@ -150,7 +150,7 @@ data:
       "webOrigins": [
         "/*"
       ]
-    }
+    }    
 
   backstage-client-payload.json: |
     {
@@ -179,8 +179,104 @@ data:
       "webOrigins": [
         "/*"
       ]
+    }    
+
+  grafana-client-payload.json: |
+    {
+      "clientId": "grafana",
+      "name": "Grafana Client",
+      "description": "Used for Grafana SSO",
+      "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "alwaysDisplayInConsole": false,
+      "redirectUris": [
+        "http://{{{ .Env.DOMAIN }}}/grafana/*"
+      ],
+      "webOrigins": [
+        "https://{{{ .Env.DOMAIN }}}/grafana"
+      ],
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": true,
+      "protocol": "openid-connect",
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oidc.ciba.grant.enabled": "false",
+        "oauth2.device.authorization.grant.enabled": "false"
+      },
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "offline_access",
+        "roles",
+        "profile",
+        "groups",
+        "email"
+      ]
     }
 
+  argocd-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "argocd",
+      "name": "ArgoCD Client",
+      "description": "Used for ArgoCD SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://{{{ .Env.DOMAIN }}}/*"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }      
+
+  forgejo-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "forgejo",
+      "name": "Forgejo Client",
+      "description": "Used for Forgejo SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }      
+
 ---
 apiVersion: batch/v1
 kind: Job
@@ -216,7 +312,7 @@ spec:
           command: ["/bin/bash", "-c"]
           args:
             - |
-              #! /bin/bash
+              #! /bin/bash              
   
               set -ex -o pipefail
               
@@ -247,7 +343,11 @@ spec:
               fi
               set -e
               
-              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              if [[ "$(uname -m)" == "x86_64" ]]; then
+                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              else
+                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl"
+              fi
               chmod +x kubectl
               
               echo "creating cnoe realm and groups"
@@ -273,7 +373,7 @@ spec:
                 ${KEYCLOAK_URL}/admin/realms/cnoe/groups
               
               # Create scope mapper
-                echo 'adding group claim to tokens'
+              echo 'adding group claim to tokens'
               CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
               
               curl -sS -H "Content-Type: application/json" \
@@ -313,8 +413,8 @@ spec:
               echo "creating Argo Workflows client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                  -X POST --data @/var/config/argo-client-payload.json \
+                -X POST --data @/var/config/argo-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
               CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -328,29 +428,100 @@ spec:
                 -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
+              echo "creating Grafana client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/grafana-client-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X POST --data @/var/config/backstage-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
               CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
               
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
+              echo "creating ArgoCD client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/argocd-client-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
+              
+              echo "creating Forgejo client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/forgejo-client-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
+
               ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
               
-              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
+              ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
               
               echo \
               "apiVersion: v1
@@ -365,7 +536,12 @@ spec:
                 ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
                 BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
                 BACKSTAGE_CLIENT_ID: backstage
+                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
+                GRAFANA_CLIENT_ID: grafana
+                ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
+                ARGOCD_CLIENT_ID: argocd
+                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
+                FORGEJO_CLIENT_ID: forgejo
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml
-              

template/stacks/ref-implementation/mailhog.yaml

@@ -1,23 +1,25 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: crossplane-compositions
+  name: mailhog
   namespace: argocd
   labels:
     env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: crossplane-system
   source:
-    path: stacks/core/crossplane-compositions
     repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
     targetRevision: HEAD
-    directory:
+    path: "stacks/ref-implementation/mailhog"
-      recurse: true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: mailhog
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1

template/stacks/ref-implementation/mailhog/README.md

@@ -0,0 +1,54 @@
+# Mailhog
+
+[MailHog is an email testing tool for developers](https://github.com/mailhog/MailHog).
+
+## In cluster SMTP service
+
+Ypu can send ESMTP emails in the cluster to `mailhog.mailhog.svc.cluster.local`, standard port `1025`, as defined in the service manifest:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: mailhog
+spec:
+  ports:
+    - name: smtp
+      port: 1025
+```
+
+## Ingress
+
+Mailhog offers both WebUi and API at `https://{{{ .Env.DOMAIN }}}/mailhog`.
+
+The ingress definition is in `stacks/core/ingress-apps/mailhog.yaml` (BTW, why isn't this ingress file here in this folder ??) routing to the mailhog' service
+
+```yaml
+spec:
+  rules:
+  - host: {{{ .Env.DOMAIN }}}
+    http:
+      paths:
+      - backend:
+        ...
+        path: /mailhog
+```
+
+## API
+
+For usage of the API see https://github.com/mailhog/MailHog/blob/master/docs/APIv2.md
+
+## Tests
+
+```bash
+kubectl run busybox --rm -it --image=busybox -- /bin/sh
+
+# inside bsybox
+wget -O- http://mailhog.mailhog.svc.cluster.local:8025/mailhog
+
+# check smtp port
+nc -zv mailhog.mailhog.svc.cluster.local 1025
+
+# send esmtp, first install swaks
+swaks --to test@example.com --from test@example.com --server mailhog:1025 --data "Subject: Test-Mail\n\nDies ist eine Test-Mail."
+```

template/stacks/ref-implementation/mailhog/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mailhog-deployment
+  namespace: mailhog
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mailhog
+  template:
+    metadata:
+      labels:
+        app: mailhog
+    spec:
+      containers:
+      - name: mailhog
+        image: mailhog/mailhog
+        env:
+        - name: MH_UI_WEB_PATH # set this to same value as in ingress stacks/core/ingress-apps/mailhog.yaml
+          value: mailhog
+        ports:
+          - containerPort: 1025
+            name: smtp
+          - containerPort: 8025
+            name: http
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "100m"            

template/stacks/ref-implementation/mailhog/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mailhog
+spec:
+  selector:
+    app: mailhog
+  ports:
+    - name: smtp
+      port: 1025
+    - name: http
+      port: 8025
+  type: ClusterIP

template/stacks/ref-implementation/openbao-logging.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao-logging-setup
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/ref-implementation/openbao-logging"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: openbao
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openbao-logging-dir
+  namespace: openbao
+spec:
+  selector:
+    matchLabels:
+      app: openbao-logging-dir
+  template:
+    metadata:
+      labels:
+        app: openbao-logging-dir
+    spec:
+      initContainers:
+      - name: creator
+        image: busybox
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          set -e
+          mkdir -p /var/log/openbao
+          chown 100:100 /var/log/openbao
+        securityContext:
+          runAsUser: 0 
+        volumeMounts:
+        - name: host-log
+          mountPath: /var/log
+      containers:
+      - name: running-container
+        image: busybox
+        command: ["sleep", "infinity"]
+        securityContext:
+          runAsUser: 0
+      volumes:
+      - name: host-log
+        hostPath:
+          path: /var/log
+          type: Directory

template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: logrotate-config
+data:
+  logrotate.conf: |
+    /openbao/logs/openbao/*.log {
+      size 50M
+      rotate 7
+      missingok
+      notifempty
+      postrotate
+        echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
+      endscript
+    }

template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml

@@ -0,0 +1,45 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: logrotate-cronjob
+  namespace: openbao
+spec:
+  schedule: "0 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: logrotate
+            image: skymatic/logrotate:latest
+            securityContext:
+              runAsUser: 100
+            command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
+            volumeMounts:
+              - name: host-log-storage
+                mountPath: /openbao/logs
+              - name: logrotate-config-volume
+                mountPath: /etc/logrotate.conf
+                subPath: logrotate.conf
+                readOnly: true
+              - name: passwd-volume
+                mountPath: /etc/passwd
+                subPath: passwd
+              - name: status
+                mountPath: /var/lib
+          restartPolicy: OnFailure
+          volumes:
+          - name: host-log-storage
+            hostPath:
+              path: /var/log
+              type: Directory
+          - name: logrotate-config-volume  
+            configMap:         
+              name: logrotate-config
+          - name: passwd-volume  
+            configMap:         
+              name: passwd-user-configmap
+          - name: status  
+            emptyDir: {}

template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: passwd-user-configmap
+data:
+  passwd: |
+    root:x:0:0:root:/root:/bin/sh
+    openbao:x:100:1000::/home/openbao:/sbin/nologin

template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: signal-sidecar-script
+  namespace: openbao
+data:
+  sidecar.sh: |
+    #!/bin/sh
+    echo "Sending SIGHUP to OpenBAO..."
+    kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
+
+  start.sh: |
+    #!/bin/sh
+
+    echo "Starting mini HTTP server on port 3030..."
+
+    while true; do
+      echo "Waiting for HTTP POST..."
+      REQUEST=$(nc -l -p 3030)
+
+      echo "$REQUEST" | grep -q "POST /" && {
+        echo "Received POST request, sending SIGHUP..."
+        /tmp/sidecar.sh
+        RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
+      } || {
+        RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
+      }
+
+      echo -e "$RESPONSE" | nc -N localhost 3031
+    done

template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sidecar-script-service
+  namespace: openbao
+spec:
+  selector:
+    app.kubernetes.io/instance: openbao
+    component: server
+  ports:
+    - protocol: TCP
+      port: 3030
+      targetPort: 3030

template/stacks/ref-implementation/openbao/values.yaml

@@ -1,9 +1,46 @@
 server:
+  shareProcessNamespace: true
+  extraContainers:
+    - name: sidecar
+      image: alpine:latest
+      command: ["/bin/sh", "/tmp/start.sh"]
+      ports:
+        - containerPort: 3030
+      volumeMounts:
+        - name: sidecar-script
+          mountPath: /tmp/start.sh
+          subPath: start.sh
+        - name: sidecar-script
+          mountPath: /tmp/sidecar.sh
+          subPath: sidecar.sh
+          mode: 0755
+        - name: passwd-volume
+          mountPath: /etc/passwd
+          subPath: passwd
+  volumes:    
+  - name: passwd-volume  
+    configMap:         
+      name: passwd-user-configmap
+  - name: host-log-storage
+    hostPath:
+      path: /var/log
+      type: Directory
+  - name: sidecar-script
+    configMap:
+      name: signal-sidecar-script
+      defaultMode: 0755
+
+  volumeMounts:
+  - mountPath: /openbao/logs
+    name: host-log-storage
+    readOnly: false
+
   postStart:
     - sh
     - -c
     - |
       sleep 10
+      rm -rf /openbao/data/*
       bao operator init >> /tmp/init.txt
       cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
       echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@@ -12,6 +49,8 @@ server:
       echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
       echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
       echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
+      bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
       rm /tmp/init.txt
+      bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
 ui:
   enabled: true