alloy configuration added

2025-03-11 13:08:15 +01:00
33 changed files with 270 additions and 505 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
 /.history
--- a/template/stacks/core/argocd-sso/argocd-secret.yaml
+++ b/template/stacks/core/argocd-sso/argocd-secret.yaml
@ -1,24 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: auth-generic-oauth-secret
  namespace: argocd 
 spec:
  secretStoreRef:
    name: keycloak
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: auth-generic-oauth-secret
    template:
      engineVersion: v2
      data:
        client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
  data:
    - secretKey: ARGOCD_CLIENT_SECRET
      remoteRef:
        key: keycloak-clients
        property: ARGOCD_CLIENT_SECRET
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@ -16,12 +16,12 @@ spec:
    name: in-cluster
    namespace: argocd
  sources:
-    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
+    - repoURL: https://github.com/argoproj/argo-helm
      path: charts/argo-cd
      # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
      # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
      # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.8.14-depends
+      targetRevision: argo-cd-7.7.5
      helm:
        valueFiles:
          - $values/stacks/core/argocd/values.yaml
--- a/template/stacks/core/argocd/values.yaml
+++ b/template/stacks/core/argocd/values.yaml
@ -5,7 +5,6 @@ configs:
  params:
    server.insecure: true
    server.basehref: /argocd
    server.rootpath: /argocd
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
@ -21,7 +20,6 @@ configs:
        clusters:
        - "*"
    accounts.provider-argocd: apiKey
    url: https://{{{ .Env.DOMAIN }}}/argocd
  rbac:
    policy.csv: 'g, provider-argocd, role:admin'
--- a/template/stacks/core/crossplane-compositions.yaml
+++ b/template/stacks/core/crossplane-compositions.yaml
@ -1,25 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: mailhog
+  name: crossplane-compositions
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    path: "stacks/ref-implementation/mailhog"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: mailhog
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
-    retry:
+    syncOptions:
-      limit: -1
+      - CreateNamespace=true
  destination:
    name: in-cluster
    namespace: crossplane-system
  source:
    path: stacks/core/crossplane-compositions
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    directory:
      recurse: true
--- a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
+++ b/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
@ -0,0 +1,30 @@
 apiVersion: apiextensions.crossplane.io/v1
 kind: CompositeResourceDefinition
 metadata:
  name: edfbuilders.edfbuilder.crossplane.io
 spec:
  connectionSecretKeys:
    - kubeconfig
  group: edfbuilder.crossplane.io
  names:
    kind: EDFBuilder
    listKind: EDFBuilderList
    plural: edfbuilders
    singular: edfbuilders
  versions:
    - name: v1alpha1
      served: true
      referenceable: true
      schema:
        openAPIV3Schema:
          description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
          type: object
          properties:
            spec:
              type: object
              properties:
                repoURL:
                  type: string
                  description: URL to ArgoCD stack of stacks repo
              required:
                - repoURL
--- a/template/stacks/core/crossplane-providers.yaml
+++ b/template/stacks/core/crossplane-providers.yaml
@ -1,29 +1,23 @@
 {{{ if eq .Env.CLUSTER_TYPE "kind" }}}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: argocd-sso
+  name: crossplane-providers
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    path: "stacks/core/argocd-sso"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: argocd
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
-    retry:
+    syncOptions:
-      limit: -1
+      - CreateNamespace=true
-      backoff:
+  destination:
-        duration: 15s
+    name: in-cluster
-        factor: 1
+    namespace: crossplane-system
-        maxDuration: 15s
+  source:
    path: stacks/core/crossplane-providers
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
 {{{ end }}}
--- a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
+++ b/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Function
 metadata:
  name: crossplane-contrib-function-patch-and-transform
 spec:
  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml
+++ b/template/stacks/core/crossplane-providers/provider-argocd-config.yaml
@ -0,0 +1,14 @@
 apiVersion: argocd.crossplane.io/v1alpha1
 kind: ProviderConfig
 metadata:
  name: argocd-provider
 spec:
  serverAddr: argocd-server.argocd.svc.cluster.local:80
  insecure: true
  plainText: true
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: argocd-credentials
      key: authToken
--- a/template/stacks/core/crossplane-providers/provider-argocd.yaml
+++ b/template/stacks/core/crossplane-providers/provider-argocd.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Provider
 metadata:
  name: provider-argocd
 spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1
  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane-providers/provider-kind-config.yaml
+++ b/template/stacks/core/crossplane-providers/provider-kind-config.yaml
@ -0,0 +1,14 @@
 apiVersion: kind.crossplane.io/v1alpha1
 kind: ProviderConfig
 metadata:
  name: kind-provider
 spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: kind-credentials
      key: credentials
  endpoint:
    # the url is managed by crossplane-edfbuilder
    url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver
--- a/template/stacks/core/crossplane-providers/provider-kind.yaml
+++ b/template/stacks/core/crossplane-providers/provider-kind.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Provider
 metadata:
  name: provider-kind
 spec:
  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.0
  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane-providers/provider-shell.yaml
+++ b/template/stacks/core/crossplane-providers/provider-shell.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Provider
 metadata:
  name: provider-shell
 spec:
  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.1
  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane.yaml
+++ b/template/stacks/core/crossplane.yaml
@ -0,0 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: crossplane
  namespace: argocd
  labels:
    env: dev
 spec:
  project: default
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    name: in-cluster
    namespace: crossplane-system
  source:
    chart: crossplane
    repoURL: https://charts.crossplane.io/stable
    targetRevision: 1.18.0
    helm:
      releaseName: crossplane
--- a/template/stacks/core/forgejo-runner/dind-docker.yaml
+++ b/template/stacks/core/forgejo-runner/dind-docker.yaml
@ -28,18 +28,19 @@ spec:
      # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
      initContainers:
        - name: runner-register
-          image: code.forgejo.org/forgejo/runner:6.3.1
+          image: code.forgejo.org/forgejo/runner:6.0.1
-          command:
+          command: 
-          - "sh"
+            - "forgejo-runner"
-          - "-c"
+            - "register"
-          - |
+            - "--no-interactive"
-            forgejo-runner \
+            - "--token"
-              register \
+            - $(RUNNER_SECRET)
-              --no-interactive \
+            - "--name"
-              --token ${RUNNER_SECRET} \
+            - $(RUNNER_NAME)
-              --name ${RUNNER_NAME} \
+            - "--instance"
-              --instance ${FORGEJO_INSTANCE_URL} \
+            - $(FORGEJO_INSTANCE_URL)
-              --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
+            - "--labels"
            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
          env:
            - name: RUNNER_NAME
              valueFrom:
@ -57,7 +58,7 @@ spec:
              mountPath: /data
      containers:
      - name: runner
-        image: code.forgejo.org/forgejo/runner:6.3.1
+        image: code.forgejo.org/forgejo/runner:6.0.1
        command: 
          - "sh"
          - "-c"
@ -93,7 +94,7 @@ spec:
        - name: runner-data
          mountPath: /data
      - name: daemon
-        image: docker:28.0.4-dind
+        image: docker:27.4.1-dind
        env:
        - name: DOCKER_TLS_CERTDIR
          value: /certs
--- a/template/stacks/core/forgejo-sso.yaml
+++ b/template/stacks/core/forgejo-sso.yaml
@ -1,29 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: forgejo-sso
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    path: "stacks/core/forgejo-sso"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: gitea
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
    retry:
      limit: -1
      backoff:
        duration: 15s
        factor: 1
        maxDuration: 15s
--- a/template/stacks/core/forgejo-sso/secret-forgejo.yaml
+++ b/template/stacks/core/forgejo-sso/secret-forgejo.yaml
@ -1,26 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: auth-generic-oauth-secret
  namespace: gitea 
 spec:
  secretStoreRef:
    name: keycloak
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: auth-generic-oauth-secret
    template:
      engineVersion: v2
      data:
        key: "{{.FORGEJO_CLIENT_ID}}"
        secret: "{{.FORGEJO_CLIENT_SECRET}}"
  data:
    - secretKey: FORGEJO_CLIENT_ID
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_ID
    - secretKey: FORGEJO_CLIENT_SECRET
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_SECRET
--- a/template/stacks/core/forgejo.yaml
+++ b/template/stacks/core/forgejo.yaml
@ -16,9 +16,9 @@ spec:
    name: in-cluster
    namespace: gitea
  sources:
-    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
+    - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
      path: .
-      targetRevision: v11.0.5-depends
+      targetRevision: v10.1.1
      helm:
        valueFiles:
          - $values/stacks/core/forgejo/values.yaml
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@ -1,5 +1,5 @@
 redis-cluster:
-  enabled: true
+  enabled: false
 postgresql:
  enabled: false
 postgresql-ha:
@ -16,11 +16,6 @@ gitea:
  admin:
    existingSecret: gitea-credential
  config:
    service:
      DISABLE_REGISTRATION: true
    other:
      SHOW_FOOTER_VERSION: false
      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
    database:
      DB_TYPE: sqlite3
    session:
@ -32,12 +27,6 @@ gitea:
    server:
      DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
      ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
    mailer:
      ENABLED: true
      FROM: forgejo@{{{ .Env.DOMAIN_GITEA }}}
      PROTOCOL: smtp
      SMTP_ADDR: mailhog.mailhog.svc.cluster.local
      SMTP_PORT: 1025
 service:
  ssh:
--- a/template/stacks/core/ingress-apps/alloy.yaml
+++ b/template/stacks/core/ingress-apps/alloy.yaml
@ -1,18 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: alloy
  namespace: monitoring
 spec:
  ingressClassName: nginx
  rules:
  - host: {{{ .Env.DOMAIN }}}
    http:
      paths:
      - backend:
          service:
            name: alloy
            port:
              number: 12345
        path: /alloy
        pathType: Prefix
--- a/template/stacks/core/ingress-apps/argocd-server.yaml
+++ b/template/stacks/core/ingress-apps/argocd-server.yaml
@ -4,6 +4,8 @@ metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
 {{{ if eq .Env.CLUSTER_TYPE "osc" }}}
    dns.gardener.cloud/class: garden
    dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN }}}
@ -22,8 +24,8 @@ spec:
            name: argocd-server
            port:
              number: 80
-        path: /argocd
+        path: /argocd(/|$)(.*)
-        pathType: Prefix
+        pathType: ImplementationSpecific
  tls:
  - hosts:
    - {{{ .Env.DOMAIN }}}
--- a/template/stacks/core/ingress-apps/mailhog.yaml
+++ b/template/stacks/core/ingress-apps/mailhog.yaml
@ -1,18 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: mailhog
  namespace: mailhog
 spec:
  ingressClassName: nginx
  rules:
  - host: {{{ .Env.DOMAIN }}}
    http:
      paths:
      - backend:
          service:
            name: mailhog
            port:
              number: 8025
        path: /mailhog
        pathType: Prefix
--- a/template/stacks/core/ingress-nginx.yaml
+++ b/template/stacks/core/ingress-nginx.yaml
@ -16,9 +16,9 @@ spec:
    name: in-cluster
    namespace: ingress-nginx
  sources:
-    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git
+    - repoURL: https://github.com/kubernetes/ingress-nginx
      path: charts/ingress-nginx
-      targetRevision: helm-chart-4.12.1-depends
+      targetRevision: helm-chart-4.11.3
      helm:
        valueFiles:
          - $values/stacks/core/ingress-nginx/values.yaml
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@ -2,77 +2,3 @@ alloy:
  create: false
  name: alloy-config
  key: config.alloy
  uiPathPrefix: "/alloy"
  configMap:
    content: |-
      logging {
        level  = "info"
        format = "logfmt"
      }
      loki.write "local_loki" {
          endpoint {
              url = "http://loki-loki-distributed-gateway/loki/api/v1/push"
          }
      }
      discovery.kubernetes "pod" {
        role = "pod"
      }
      discovery.kubernetes "nodes" {
        role = "node"
      }
      discovery.kubernetes "services" {
        role = "service"
      }
      discovery.kubernetes "endpoints" {
        role = "endpoints"
      }
      discovery.kubernetes "endpointslices" {
        role = "endpointslice"
      }
      discovery.kubernetes "ingresses" {
        role = "ingress"
      }
      discovery.relabel "pod_logs" {
        targets = discovery.kubernetes.pod.targets
        rule {
          source_labels = ["__meta_kubernetes_namespace"]
          action        = "replace"
          target_label  = "namespace"
        }
        rule {
          source_labels = ["__meta_kubernetes_pod_name"]
          action        = "replace"
          target_label  = "pod"
        }
        rule {
          source_labels = ["__meta_kubernetes_pod_node_name"]
          action        = "replace"
          target_label  = "node"
        }
        rule {
          source_labels = ["__meta_kubernetes_pod_container_name"]
          action        = "replace"
          target_label  = "container"
        }
      }
      loki.source.kubernetes "all_pod_logs" {
        targets    = discovery.relabel.pod_logs.output
        forward_to = [loki.write.local_loki.receiver]
      }
--- a/template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml
+++ b/template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml
@ -110,12 +110,12 @@ data:
                            "uid": "P8E80F9AEF21F6940"
                        },
                        "editorMode": "builder",
-                        "expr": "{container=\"alloy\"} |= ``",
+                        "expr": "{container=\"promtail\"} |= ``",
                        "queryType": "range",
                        "refId": "A"
                    }
                ],
-                "title": "Logs: Container alloy",
+                "title": "Logs: Container promtail",
                "type": "logs"
            },
            {
--- a/template/stacks/monitoring/promtail.yaml
+++ b/template/stacks/monitoring/promtail.yaml
@ -0,0 +1,29 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: promtail
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    name: in-cluster
    namespace: monitoring
  sources:
    - repoURL: https://github.com/grafana/helm-charts
      path:     charts/promtail   
      targetRevision: HEAD      
      helm:
        valueFiles:
          - $values/stacks/monitoring/promtail/values.yaml
    - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
      targetRevision: HEAD
      ref: values
--- a/template/stacks/monitoring/promtail/values.yaml
+++ b/template/stacks/monitoring/promtail/values.yaml
@ -0,0 +1,45 @@
 # -- Overrides the chart's name
 nameOverride: null
 # -- Overrides the chart's computed fullname
 fullnameOverride: null
 global:
  # -- Allow parent charts to override registry hostname
  imageRegistry: ""
  # -- Allow parent charts to override registry credentials
  imagePullSecrets: []
 daemonset:
  # -- Deploys Promtail as a DaemonSet
  enabled: true
  autoscaling:
    # -- Creates a VerticalPodAutoscaler for the daemonset
    enabled: false
 deployment:
  # -- Deploys Promtail as a Deployment
  enabled: false    
 config:
  enabled: true
  logLevel: info
  logFormat: logfmt
  serverPort: 3101
  clients:
    - url: http://loki-loki-distributed-gateway/loki/api/v1/push
  scrape_configs:
  - job_name: authlog
    static_configs:
    - targets:
        - authlog
      labels:
        job: authlog
        __path__: /logs/auth.log
  - job_name: syslog
    static_configs:
    - targets:
        - syslog
      labels:
        job: syslog
        __path__: /logs/syslog    
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
+++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
@ -33,7 +33,7 @@ jobs:
        #run: ./mvnw spring-boot:build-image # the original image build
        run: |
          export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
-          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ secrets.PACKAGES_USER }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
+          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
      - name: Build image as tar
        run: |
          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@ -255,8 +255,6 @@ spec:
              value: debug
            - name: NODE_TLS_REJECT_UNAUTHORIZED
              value: "0"
            - name: NODE_OPTIONS
              value: "--no-node-snapshot"
          envFrom:
            - secretRef:
                name: backstage-env-vars
@ -264,8 +262,7 @@ spec:
                name: gitea-credentials
            - secretRef:
                name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
+          image: ghcr.io/cnoe-io/backstage-app:9232d633b2698fffa6d0a73b715e06640d170162
          imagePullPolicy: Always
          name: backstage
          ports:
            - containerPort: 7007
@ -389,7 +386,7 @@ spec:
        KEYCLOAK_NAME_METADATA: https://{{{ .Env.DOMAIN }}}:443/keycloak/realms/cnoe/.well-known/openid-configuration
        KEYCLOAK_CLIENT_SECRET: "{{.BACKSTAGE_CLIENT_SECRET}}"
        ARGOCD_AUTH_TOKEN: "argocd.token={{.ARGOCD_SESSION_TOKEN}}"
-        ARGO_CD_URL: 'https://{{{ .Env.DOMAIN }}}/argocd/api/v1/'
+        ARGO_CD_URL: 'https://argocd-server.argocd.svc.cluster.local/api/v1/'
  data:
    - secretKey: ARGOCD_SESSION_TOKEN
      remoteRef:
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@ -71,11 +71,11 @@ data:
      },
      "type": "default",
      "protocol": "openid-connect"
-    }    
+    }
  group-admin-payload.json: |
-    {"name":"admin"}    
+    {"name":"admin"}
  group-base-user-payload.json: |
-    {"name":"base-user"}    
+    {"name":"base-user"}
  group-mapper-payload.json: |
    {
        "protocol": "openid-connect",
@ -88,15 +88,15 @@ data:
          "access.token.claim": "true",
          "userinfo.token.claim": "true"
        }
-    }    
+    }
  realm-payload.json: |
-    {"realm":"cnoe","enabled":true}    
+    {"realm":"cnoe","enabled":true}
  user-password.json: |
    {
        "temporary": false,
        "type": "password",
        "value": "${USER1_PASSWORD}"
-    }    
+    }
  user-user1.json: |
    {
        "username": "user1",
@ -109,7 +109,7 @@ data:
          "/admin"
        ],
        "enabled": true
-    }    
+    }
  user-user2.json: |
    {
        "username": "user2",
@ -122,7 +122,7 @@ data:
          "/base-user"
        ],
        "enabled": true
-    }    
+    }
  argo-client-payload.json: |
    {
      "protocol": "openid-connect",
@ -150,7 +150,7 @@ data:
      "webOrigins": [
        "/*"
      ]
-    }    
+    }
  backstage-client-payload.json: |
    {
@ -179,7 +179,7 @@ data:
      "webOrigins": [
        "/*"
      ]
-    }    
+    }
  grafana-client-payload.json: |
    {
@ -219,64 +219,6 @@ data:
      ]
    }
  argocd-client-payload.json: |
    {
      "protocol": "openid-connect",
      "clientId": "argocd",
      "name": "ArgoCD Client",
      "description": "Used for ArgoCD SSO",
      "publicClient": false,
      "authorizationServicesEnabled": false,
      "serviceAccountsEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "standardFlowEnabled": true,
      "frontchannelLogout": true,
      "attributes": {
        "saml_idp_initiated_sso_url_name": "",
        "oauth2.device.authorization.grant.enabled": false,
        "oidc.ciba.grant.enabled": false
      },
      "alwaysDisplayInConsole": false,
      "rootUrl": "",
      "baseUrl": "",
      "redirectUris": [
        "https://{{{ .Env.DOMAIN }}}/*"
      ],
      "webOrigins": [
        "/*"
      ]
    }      
  forgejo-client-payload.json: |
    {
      "protocol": "openid-connect",
      "clientId": "forgejo",
      "name": "Forgejo Client",
      "description": "Used for Forgejo SSO",
      "publicClient": false,
      "authorizationServicesEnabled": false,
      "serviceAccountsEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "standardFlowEnabled": true,
      "frontchannelLogout": true,
      "attributes": {
        "saml_idp_initiated_sso_url_name": "",
        "oauth2.device.authorization.grant.enabled": false,
        "oidc.ciba.grant.enabled": false
      },
      "alwaysDisplayInConsole": false,
      "rootUrl": "",
      "baseUrl": "",
      "redirectUris": [
        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
      ],
      "webOrigins": [
        "/*"
      ]
    }      
 ---
 apiVersion: batch/v1
 kind: Job
@ -312,7 +254,7 @@ spec:
          command: ["/bin/bash", "-c"]
          args:
            - |
-              #! /bin/bash              
+              #! /bin/bash
              set -ex -o pipefail
@ -373,7 +315,7 @@ spec:
                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
              # Create scope mapper
-              echo 'adding group claim to tokens'
+                echo 'adding group claim to tokens'
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
@ -413,8 +355,8 @@ spec:
              echo "creating Argo Workflows client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/argo-client-payload.json \
+                  -X POST --data @/var/config/argo-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -428,26 +370,21 @@ spec:
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
              echo "creating Grafana client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/grafana-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -457,71 +394,22 @@ spec:
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/backstage-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
              echo "creating ArgoCD client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/argocd-client-payload.json \
                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
              echo "creating Forgejo client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/forgejo-client-payload.json \
                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
-              ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
+              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
              echo \
              "apiVersion: v1
@ -538,10 +426,7 @@ spec:
                BACKSTAGE_CLIENT_ID: backstage
                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
                GRAFANA_CLIENT_ID: grafana
                ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
                ARGOCD_CLIENT_ID: argocd
                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
                FORGEJO_CLIENT_ID: forgejo
              " > /tmp/secret.yaml
              ./kubectl apply -f /tmp/secret.yaml
--- a/template/stacks/ref-implementation/mailhog/README.md
+++ b/template/stacks/ref-implementation/mailhog/README.md
@ -1,54 +0,0 @@
 # Mailhog
 [MailHog is an email testing tool for developers](https://github.com/mailhog/MailHog).
 ## In cluster SMTP service
 Ypu can send ESMTP emails in the cluster to `mailhog.mailhog.svc.cluster.local`, standard port `1025`, as defined in the service manifest:
 ```yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: mailhog
 spec:
  ports:
    - name: smtp
      port: 1025
 ```
 ## Ingress
 Mailhog offers both WebUi and API at `https://{{{ .Env.DOMAIN }}}/mailhog`.
 The ingress definition is in `stacks/core/ingress-apps/mailhog.yaml` (BTW, why isn't this ingress file here in this folder ??) routing to the mailhog' service
 ```yaml
 spec:
  rules:
  - host: {{{ .Env.DOMAIN }}}
    http:
      paths:
      - backend:
        ...
        path: /mailhog
 ```
 ## API
 For usage of the API see https://github.com/mailhog/MailHog/blob/master/docs/APIv2.md
 ## Tests
 ```bash
 kubectl run busybox --rm -it --image=busybox -- /bin/sh
 # inside bsybox
 wget -O- http://mailhog.mailhog.svc.cluster.local:8025/mailhog
 # check smtp port
 nc -zv mailhog.mailhog.svc.cluster.local 1025
 # send esmtp, first install swaks
 swaks --to test@example.com --from test@example.com --server mailhog:1025 --data "Subject: Test-Mail\n\nDies ist eine Test-Mail."
 ```
--- a/template/stacks/ref-implementation/mailhog/deployment.yaml
+++ b/template/stacks/ref-implementation/mailhog/deployment.yaml
@ -1,33 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: mailhog-deployment
  namespace: mailhog
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: mailhog
  template:
    metadata:
      labels:
        app: mailhog
    spec:
      containers:
      - name: mailhog
        image: mailhog/mailhog
        env:
        - name: MH_UI_WEB_PATH # set this to same value as in ingress stacks/core/ingress-apps/mailhog.yaml
          value: mailhog
        ports:
          - containerPort: 1025
            name: smtp
          - containerPort: 8025
            name: http
        resources:
          requests:
            memory: "64Mi"
            cpu: "50m"
          limits:
            memory: "128Mi"
            cpu: "100m"            
--- a/template/stacks/ref-implementation/mailhog/service.yaml
+++ b/template/stacks/ref-implementation/mailhog/service.yaml
@ -1,13 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: mailhog
 spec:
  selector:
    app: mailhog
  ports:
    - name: smtp
      port: 1025
    - name: http
      port: 8025
  type: ClusterIP