DevFW-CICD/stacks
12
0
Fork 1
Code Issues Pull requests 2 Projects Releases Packages Wiki Activity Actions

Compare commits

base: DevFW-CICD:development
Branches Tags
DevFW-CICD:development
DevFW-CICD:IPCEICIS-2952
DevFW-CICD:modularise_edp
DevFW-CICD:michals-silly-game
DevFW-CICD:keycloak_update_test
DevFW-CICD:django-backstage-template
DevFW-CICD:IPCEICIS-3256
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:alloy_implementation
DevFW-CICD:openbao_logs_second_way
DevFW-CICD:root_path_argocd_test
DevFW-CICD:IPCEICIS-2751_backstage
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:runner-tags
DevFW-CICD:dns_splitting
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:main
DevFW-CICD:dns_ssl_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0
..
compare: DevFW-CICD:forgejo_runner_configuration_test
Branches Tags
DevFW-CICD:development
DevFW-CICD:IPCEICIS-2952
DevFW-CICD:modularise_edp
DevFW-CICD:michals-silly-game
DevFW-CICD:keycloak_update_test
DevFW-CICD:django-backstage-template
DevFW-CICD:IPCEICIS-3256
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:alloy_implementation
DevFW-CICD:openbao_logs_second_way
DevFW-CICD:root_path_argocd_test
DevFW-CICD:IPCEICIS-2751_backstage
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:runner-tags
DevFW-CICD:dns_splitting
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:main
DevFW-CICD:dns_ssl_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0

2 commits
developmen ... forgejo_ru

Author SHA1 Message Date
Richard Robert Reitz
dd034cf862 Fixed Forgejo URL and defined the labels 2025-02-22 22:21:55 +01:00
Richard Robert Reitz
1813371a88 Added hydrated version of nginx-ingress, argocd and forgejo 2025-02-19 20:40:59 +01:00
79 changed files with 26319 additions and 1019 deletions
Show stats Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1 +0,0 @@
/.history

2
template/edfbuilder.yaml
View file

@ -13,7 +13,7 @@ spec:
namespace: argocd
source:
path: registry
repoURL: 'https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder'
repoURL: 'https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder'
targetRevision: HEAD
project: default
syncPolicy:

2
template/registry/core.yaml
View file

@ -13,7 +13,7 @@ spec:
namespace: argocd
source:
path: stacks/core
repoURL: 'https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder'
repoURL: 'https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder'
targetRevision: HEAD
project: default
syncPolicy:

2
template/registry/local-backup.yaml
View file

@ -13,7 +13,7 @@ spec:
namespace: argocd
source:
path: stacks/local-backup
repoURL: 'https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder'
repoURL: 'https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder'
targetRevision: HEAD
project: default
syncPolicy:

2
template/registry/monitoring.yaml
View file

@ -13,7 +13,7 @@ spec:
namespace: argocd
source:
path: stacks/monitoring
repoURL: 'https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder'
repoURL: 'https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder'
targetRevision: HEAD
project: default
syncPolicy:

2
template/registry/ref-implementation.yaml
View file

@ -13,7 +13,7 @@ spec:
namespace: argocd
source:
path: stacks/ref-implementation
repoURL: 'https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder'
repoURL: 'https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder'
targetRevision: HEAD
project: default
syncPolicy:

2
template/registry/second-cluster.yaml
View file

@ -13,7 +13,7 @@ spec:
namespace: argocd
source:
path: stacks/second-cluster
repoURL: 'https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder'
repoURL: 'https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder'
targetRevision: HEAD
project: default
syncPolicy:

29
template/stacks/core/argocd-sso.yaml
View file

@ -1,29 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd-sso
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/core/argocd-sso"
destination:
server: "https://kubernetes.default.svc"
namespace: argocd
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

29
template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml
View file

@ -1,29 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: forgejo-access-token
namespace: argocd
spec:
secretStoreRef:
name: gitea
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: forgejo-access-token
template:
engineVersion: v2
data:
forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
metadata:
labels:
app.kubernetes.io/part-of: argocd
data:
- secretKey: FORGEJO_ACCESS_USERNAME
remoteRef:
key: forgejo-access-token
property: username
- secretKey: FORGEJO_ACCESS_TOKEN
remoteRef:
key: forgejo-access-token
property: token

24
template/stacks/core/argocd-sso/argocd-secret.yaml
View file

@ -1,24 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: argocd
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
metadata:
labels:
app.kubernetes.io/part-of: argocd
data:
- secretKey: ARGOCD_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: ARGOCD_CLIENT_SECRET

54
template/stacks/core/argocd-sso/argocd-sso-config.yaml
View file

@ -1,54 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: argocd-config
namespace: argocd
spec:
template:
metadata:
generateName: argocd-config-
spec:
restartPolicy: OnFailure
containers:
- name: push
image: docker.io/library/ubuntu:22.04
env:
- name: FORGEJO_USER
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_username
- name: FORGEJO_TOKEN
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_token
command: ["/bin/bash", "-c"]
args:
- |
#! /bin/bash
apt -qq update
apt -qq install git wget -y
if [[ "$(uname -m)" == "x86_64" ]]; then
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
install yq_linux_amd64 /usr/local/bin/yq
rm yq_linux_amd64
else
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
install yq_linux_arm64 /usr/local/bin/yq
rm yq_linux_arm64
fi
git config --global user.email "bot@bots.de"
git config --global user.name "bot"
git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
cd edfbuilder
yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
git add stacks/core/argocd/values.yaml
git commit -m "adds Forgejo SSO config"
git push
backoffLimit: 99

9
template/stacks/core/argocd.yaml
View file

@ -16,15 +16,12 @@ spec:
name: in-cluster
namespace: argocd
sources:
- repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
- repoURL: https://github.com/argoproj/argo-helm
path: charts/argo-cd
# TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
# As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
# similar to the CNOE amazon reference implementation and in our case, Forgejo
targetRevision: argo-cd-7.8.14-depends
targetRevision: argo-cd-7.7.5
helm:
valueFiles:
- $values/stacks/core/argocd/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

24530
template/stacks/core/argocd/hydrated/install.yaml Normal file
View file

File diff suppressed because it is too large Load diff

2
template/stacks/core/argocd/values.yaml
View file

@ -5,7 +5,6 @@ configs:
params:
server.insecure: true
server.basehref: /argocd
server.rootpath: /argocd
cm:
application.resourceTrackingMethod: annotation
timeout.reconciliation: 60s
@ -21,7 +20,6 @@ configs:
clusters:
- "*"
accounts.provider-argocd: apiKey
url: https://{{{ .Env.DOMAIN }}}/argocd
rbac:
policy.csv: 'g, provider-argocd, role:admin'

13
template/stacks/core/forgejo-runner.yaml → template/stacks/core/crossplane-compositions.yaml
View file

@ -1,12 +1,10 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: forgejo-runner
name: crossplane-compositions
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
@ -15,8 +13,11 @@ spec:
syncOptions:
- CreateNamespace=true
destination:
server: "https://kubernetes.default.svc"
name: in-cluster
namespace: crossplane-system
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
path: stacks/core/crossplane-compositions
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/core/forgejo-runner"
directory:
recurse: true

30
template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: edfbuilders.edfbuilder.crossplane.io
spec:
connectionSecretKeys:
- kubeconfig
group: edfbuilder.crossplane.io
names:
kind: EDFBuilder
listKind: EDFBuilderList
plural: edfbuilders
singular: edfbuilders
versions:
- name: v1alpha1
served: true
referenceable: true
schema:
openAPIV3Schema:
description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
type: object
properties:
spec:
type: object
properties:
repoURL:
type: string
description: URL to ArgoCD stack of stacks repo
required:
- repoURL

26
template/stacks/ref-implementation/mailhog.yaml → template/stacks/core/crossplane-providers.yaml
View file

@ -1,25 +1,23 @@
{{{ if eq .Env.CLUSTER_TYPE "kind" }}}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: mailhog
name: crossplane-providers
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/mailhog"
destination:
server: "https://kubernetes.default.svc"
namespace: mailhog
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source:
path: stacks/core/crossplane-providers
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
{{{ end }}}

9
template/stacks/core/crossplane-providers/function-patch-and-transform.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Function
metadata:
name: crossplane-contrib-function-patch-and-transform
spec:
package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

14
template/stacks/core/crossplane-providers/provider-argocd-config.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: argocd.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: argocd-provider
spec:
serverAddr: argocd-server.argocd.svc.cluster.local:80
insecure: true
plainText: true
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: argocd-credentials
key: authToken

9
template/stacks/core/crossplane-providers/provider-argocd.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-argocd
spec:
package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

14
template/stacks/core/crossplane-providers/provider-kind-config.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: kind.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: kind-provider
spec:
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: kind-credentials
key: credentials
endpoint:
# the url is managed by crossplane-edfbuilder
url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver

9
template/stacks/core/crossplane-providers/provider-kind.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-kind
spec:
package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.0
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

9
template/stacks/core/crossplane-providers/provider-shell.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-shell
spec:
package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.1
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

23
template/stacks/core/crossplane.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: crossplane
namespace: argocd
labels:
env: dev
spec:
project: default
syncPolicy:
automated:
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source:
chart: crossplane
repoURL: https://charts.crossplane.io/stable
targetRevision: 1.18.0
helm:
releaseName: crossplane

104
template/stacks/core/forgejo-runner/dind-docker.yaml
View file

@ -1,104 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: forgejo-runner
name: forgejo-runner
namespace: gitea
spec:
# Two replicas means that if one is busy, the other can pick up jobs.
replicas: 1
selector:
matchLabels:
app: forgejo-runner
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: forgejo-runner
spec:
restartPolicy: Always
volumes:
- name: docker-certs
emptyDir: {}
- name: runner-data
emptyDir: {}
# Initialise our configuration file using offline registration
# https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
initContainers:
- name: runner-register
image: code.forgejo.org/forgejo/runner:6.3.1
command:
- "sh"
- "-c"
- |
forgejo-runner \
register \
--no-interactive \
--token ${RUNNER_SECRET} \
--name ${RUNNER_NAME} \
--instance ${FORGEJO_INSTANCE_URL} \
--labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
env:
- name: RUNNER_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: RUNNER_SECRET
valueFrom:
secretKeyRef:
name: forgejo-runner-token
key: token
- name: FORGEJO_INSTANCE_URL
value: https://{{{ .Env.DOMAIN_GITEA }}}
volumeMounts:
- name: runner-data
mountPath: /data
containers:
- name: runner
image: code.forgejo.org/forgejo/runner:6.3.1
command:
- "sh"
- "-c"
- |
while ! nc -z 127.0.0.1 2376 </dev/null; do
echo 'waiting for docker daemon...';
sleep 5;
done
forgejo-runner generate-config > config.yml ;
sed -i -e "s|privileged: .*|privileged: true|" config.yml
sed -i -e "s|network: .*|network: host|" config.yml ;
sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://127.0.0.1:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
sed -i -e "s|^ options:| options: -v /certs/client:/certs/client|" config.yml ;
sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
/bin/forgejo-runner --config config.yml daemon
securityContext:
allowPrivilegeEscalation: true
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
volumeMounts:
- name: docker-certs
mountPath: /certs
- name: runner-data
mountPath: /data
- name: daemon
image: docker:28.0.4-dind
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
securityContext:
privileged: true
volumeMounts:
- name: docker-certs
mountPath: /certs

29
template/stacks/core/forgejo-sso.yaml
View file

@ -1,29 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: forgejo-sso
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/core/forgejo-sso"
destination:
server: "https://kubernetes.default.svc"
namespace: gitea
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

26
template/stacks/core/forgejo-sso/forgejo-access-token.yaml
View file

@ -1,26 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: forgejo-access-token
namespace: gitea
spec:
secretStoreRef:
name: gitea
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: forgejo-access-token
template:
engineVersion: v2
data:
forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
data:
- secretKey: FORGEJO_ACCESS_USERNAME
remoteRef:
key: forgejo-access-token
property: username
- secretKey: FORGEJO_ACCESS_TOKEN
remoteRef:
key: forgejo-access-token
property: token

26
template/stacks/core/forgejo-sso/forgejo-secret.yaml
View file

@ -1,26 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: gitea
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
key: "{{.FORGEJO_CLIENT_ID}}"
secret: "{{.FORGEJO_CLIENT_SECRET}}"
data:
- secretKey: FORGEJO_CLIENT_ID
remoteRef:
key: keycloak-clients
property: FORGEJO_CLIENT_ID
- secretKey: FORGEJO_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: FORGEJO_CLIENT_SECRET

76
template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
View file

@ -1,76 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: forgejo-config
namespace: gitea
spec:
template:
metadata:
generateName: forgejo-config-
spec:
restartPolicy: OnFailure
containers:
- name: push
image: docker.io/library/ubuntu:22.04
env:
- name: FORGEJO_USER
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_username
- name: FORGEJO_TOKEN
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_token
command: ["/bin/bash", "-c"]
args:
- |
#! /bin/bash
apt -qq update
apt -qq install git wget -y
if [[ "$(uname -m)" == "x86_64" ]]; then
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
install yq_linux_amd64 /usr/local/bin/yq
rm yq_linux_amd64
else
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
install yq_linux_arm64 /usr/local/bin/yq
rm yq_linux_arm64
fi
git config --global user.email "bot@bots.de"
git config --global user.name "giteaAdmin"
git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
cd edfbuilder
yq eval ".gitea.oauth = [
{
\"name\": \"Keycloak\",
\"provider\": \"openidConnect\",
\"existingSecret\": \"auth-generic-oauth-secret\",
\"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
}
] |
(.gitea.oauth[] | .name) |= (. style=\"single\")
|
(.gitea.oauth[] | .provider) |= (. style=\"single\")
|
(.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
|
(.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
" -i stacks/core/forgejo/values.yaml
yq eval '.gitea.config.oauth2_client =
{
"ENABLE_AUTO_REGISTRATION" : true,
"ACCOUNT_LINKING" : "auto"
}
' -i stacks/core/forgejo/values.yaml
git add stacks/core/forgejo/values.yaml
git commit -m "adds Forgejo SSO config"
git push
backoffLimit: 99

6
template/stacks/core/forgejo.yaml
View file

@ -16,12 +16,12 @@ spec:
name: in-cluster
namespace: gitea
sources:
- repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
- repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
path: .
targetRevision: v12.0.0-depends
targetRevision: v10.1.1
helm:
valueFiles:
- $values/stacks/core/forgejo/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

619
template/stacks/core/forgejo/hydrated/install.yaml Normal file
View file

@ -0,0 +1,619 @@
---
# Source: forgejo/templates/gitea/config.yaml
apiVersion: v1
kind: Secret
metadata:
name: forgejo-inline-config
namespace: "gitea"
labels:
helm.sh/chart: forgejo-0.0.0
app: forgejo
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
app.kubernetes.io/version: "9.0.2"
version: "9.0.2"
app.kubernetes.io/managed-by: Helm
type: Opaque
stringData:
_generals_: |-
APP_NAME=Forgejo: Beyond coding. We forge.
RUN_MODE=prod
cache: |-
ADAPTER=memory
HOST=
database: DB_TYPE=sqlite3
indexer: ISSUE_INDEXER_TYPE=db
metrics: ENABLED=false
queue: |-
CONN_STR=
TYPE=level
repository: ROOT=/data/git/gitea-repositories
security: INSTALL_LOCK=true
server: |-
APP_DATA_PATH=/data
DOMAIN=gitea.runner.c-one-infra.de
ENABLE_PPROF=false
HTTP_PORT=3000
PROTOCOL=http
ROOT_URL=https://gitea.runner.c-one-infra.de:443
SSH_DOMAIN=gitea.runner.c-one-infra.de
SSH_LISTEN_PORT=2222
SSH_PORT=22
START_SSH_SERVER=true
session: |-
PROVIDER=memory
PROVIDER_CONFIG=
---
# Source: forgejo/templates/gitea/config.yaml
apiVersion: v1
kind: Secret
metadata:
name: forgejo
labels:
helm.sh/chart: forgejo-0.0.0
app: forgejo
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
app.kubernetes.io/version: "9.0.2"
version: "9.0.2"
app.kubernetes.io/managed-by: Helm
type: Opaque
stringData:
assertions: |
config_environment.sh: |-
#!/usr/bin/env bash
set -euo pipefail
function env2ini::log() {
printf "${1}\n"
}
function env2ini::read_config_to_env() {
local section="${1}"
local line="${2}"
if [[ -z "${line}" ]]; then
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
if [[ -z "${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '${setting}'"
if [[ -z "${section}" ]]; then
export "FORGEJO____${setting^^}=${value}" # '^^' makes the variable content uppercase
return
fi
local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
masked_section="${masked_section//-/_0X2D_}"
export "FORGEJO__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
}
function env2ini::reload_preset_envs() {
env2ini::log "Reloading preset envs..."
while read -r line; do
if [[ -z "${line}" ]]; then
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
if [[ -z "${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '${setting}'"
export "${setting^^}=${value}" # '^^' makes the variable content uppercase
done < "/tmp/existing-envs"
rm /tmp/existing-envs
}
function env2ini::process_config_file() {
local config_file="${1}"
local section="$(basename "${config_file}")"
if [[ $section == '_generals_' ]]; then
env2ini::log " [ini root]"
section=''
else
env2ini::log " ${section}"
fi
while read -r line; do
env2ini::read_config_to_env "${section}" "${line}"
done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
}
function env2ini::load_config_sources() {
local path="${1}"
if [[ -d "${path}" ]]; then
env2ini::log "Processing $(basename "${path}")..."
while read -d '' configFile; do
env2ini::process_config_file "${configFile}"
done < <(find "${path}" -type l -not -name '..data' -print0)
env2ini::log "\n"
fi
}
function env2ini::generate_initial_secrets() {
# These environment variables will either be
# - overwritten with user defined values,
# - initially used to set up Forgejo
# Anyway, they won't harm existing app.ini files
export FORGEJO__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
export FORGEJO__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
export FORGEJO__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
export FORGEJO__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
env2ini::log "...Initial secrets generated\n"
}
# save existing envs prior to script execution. Necessary to keep order of
# preexisting and custom envs
env | (grep -e '^FORGEJO__' || [[ $? == 1 ]]) > /tmp/existing-envs
# MUST BE CALLED BEFORE OTHER CONFIGURATION
env2ini::generate_initial_secrets
env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
# load existing envs to override auto generated envs
env2ini::reload_preset_envs
env2ini::log "=== All configuration sources loaded ===\n"
# safety to prevent rewrite of secret keys if an app.ini already exists
if [ -f ${GITEA_APP_INI} ]; then
env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
env2ini::log ' - security.INTERNAL_TOKEN'
env2ini::log ' - security.SECRET_KEY'
env2ini::log ' - oauth2.JWT_SECRET'
env2ini::log ' - server.LFS_JWT_SECRET'
unset FORGEJO__SECURITY__INTERNAL_TOKEN
unset FORGEJO__SECURITY__SECRET_KEY
unset FORGEJO__OAUTH2__JWT_SECRET
unset FORGEJO__SERVER__LFS_JWT_SECRET
fi
environment-to-ini -o $GITEA_APP_INI
---
# Source: forgejo/templates/gitea/init.yaml
apiVersion: v1
kind: Secret
metadata:
name: forgejo-init
namespace: "gitea"
labels:
helm.sh/chart: forgejo-0.0.0
app: forgejo
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
app.kubernetes.io/version: "9.0.2"
version: "9.0.2"
app.kubernetes.io/managed-by: Helm
type: Opaque
stringData:
configure_gpg_environment.sh: |-
#!/usr/bin/env bash
set -eu
gpg --batch --import /raw/private.asc
init_directory_structure.sh: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
configure_gitea.sh: |-
#!/usr/bin/env bash
set -euo pipefail
echo '==== BEGIN GITEA CONFIGURATION ===='
{ # try
gitea migrate
} || { # catch
echo "Forgejo migrate might fail due to database connection...This init-container will try again in a few seconds"
exit 1
}
function configure_admin_user() {
local full_admin_list=$(gitea admin user list --admin)
local actual_user_table=''
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
if [[ "${full_admin_list}" =~ $regex ]]; then
actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
else
# This code block should never be reached, as long as the output table header remains the same.
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
echo " Please review the output of 'gitea admin user list --admin' shown below."
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
echo "DEBUG: Output of 'gitea admin user list --admin'"
echo "--"
echo "${full_admin_list}"
echo "--"
exit 1
fi
local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
if [[ -z "${ACCOUNT_ID}" ]]; then
local -a create_args
create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email "gitea@local.domain")
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
create_args+=(--must-change-password=true)
else
create_args+=(--must-change-password=false)
fi
echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
gitea admin user create "${create_args[@]}"
echo '...created.'
else
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
local -a change_args
change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false)
gitea admin user change-password "${change_args[@]}"
echo '...password sync done.'
else
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
fi
fi
}
configure_admin_user
function configure_ldap() {
echo 'no ldap configuration... skipping.'
}
configure_ldap
function configure_oauth() {
echo 'no oauth configuration... skipping.'
}
configure_oauth
echo '==== END GITEA CONFIGURATION ===='
---
# Source: forgejo/templates/gitea/pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: gitea-shared-storage
namespace: "gitea"
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
# Source: forgejo/templates/gitea/http-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: forgejo-http
namespace: "gitea"
labels:
helm.sh/chart: forgejo-0.0.0
app: forgejo
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
app.kubernetes.io/version: "9.0.2"
version: "9.0.2"
app.kubernetes.io/managed-by: Helm
annotations:
{}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: http
port: 3000
targetPort:
selector:
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
---
# Source: forgejo/templates/gitea/ssh-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: forgejo-ssh
namespace: "gitea"
labels:
helm.sh/chart: forgejo-0.0.0
app: forgejo
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
app.kubernetes.io/version: "9.0.2"
version: "9.0.2"
app.kubernetes.io/managed-by: Helm
annotations:
{}
spec:
type: NodePort
externalTrafficPolicy: Local
ports:
- name: ssh
port: 22
targetPort: 2222
protocol: TCP
nodePort: 32222
selector:
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
---
# Source: forgejo/templates/gitea/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: forgejo
namespace: "gitea"
annotations:
labels:
helm.sh/chart: forgejo-0.0.0
app: forgejo
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
app.kubernetes.io/version: "9.0.2"
version: "9.0.2"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 100%
selector:
matchLabels:
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
template:
metadata:
annotations:
checksum/config: bd40d1abc2e2692fafe0821e9345e231261f194a19fbee5aef7dd9cdfc106596
labels:
helm.sh/chart: forgejo-0.0.0
app: forgejo
app.kubernetes.io/name: forgejo
app.kubernetes.io/instance: forgejo
app.kubernetes.io/version: "9.0.2"
version: "9.0.2"
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
fsGroup: 1000
initContainers:
- name: init-directories
image: "code.forgejo.org/forgejo/forgejo:9.0.2-rootless"
imagePullPolicy: IfNotPresent
command: ["/usr/sbin/init_directory_structure.sh"]
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
volumeMounts:
- name: init
mountPath: /usr/sbin
- name: temp
mountPath: /tmp
- name: data
mountPath: /data
securityContext:
{}
resources:
limits: {}
requests:
cpu: 100m
memory: 128Mi
- name: init-app-ini
image: "code.forgejo.org/forgejo/forgejo:9.0.2-rootless"
imagePullPolicy: IfNotPresent
command: ["/usr/sbin/config_environment.sh"]
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
volumeMounts:
- name: config
mountPath: /usr/sbin
- name: temp
mountPath: /tmp
- name: data
mountPath: /data
- name: inline-config-sources
mountPath: /env-to-ini-mounts/inlines/
securityContext:
{}
resources:
limits: {}
requests:
cpu: 100m
memory: 128Mi
- name: configure-gitea
image: "code.forgejo.org/forgejo/forgejo:9.0.2-rootless"
command: ["/usr/sbin/configure_gitea.sh"]
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 1000
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
- name: HOME
value: /data/gitea/git
- name: GITEA_ADMIN_USERNAME
valueFrom:
secretKeyRef:
key: username
name: gitea-credential
- name: GITEA_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: gitea-credential
- name: GITEA_ADMIN_PASSWORD_MODE
value: keepUpdated
volumeMounts:
- name: init
mountPath: /usr/sbin
- name: temp
mountPath: /tmp
- name: data
mountPath: /data
resources:
limits: {}
requests:
cpu: 100m
memory: 128Mi
terminationGracePeriodSeconds: 60
containers:
- name: forgejo
image: "code.forgejo.org/forgejo/forgejo:9.0.2-rootless"
imagePullPolicy: IfNotPresent
env:
# SSH Port values have to be set here as well for openssh configuration
- name: SSH_LISTEN_PORT
value: "2222"
- name: SSH_PORT
value: "22"
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
- name: TMPDIR
value: /tmp/gitea
- name: HOME
value: /data/gitea/git
ports:
- name: ssh
containerPort: 2222
- name: http
containerPort: 3000
livenessProbe:
failureThreshold: 10
initialDelaySeconds: 200
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 1
resources:
{}
securityContext:
{}
volumeMounts:
- name: temp
mountPath: /tmp
- name: data
mountPath: /data
volumes:
- name: init
secret:
secretName: forgejo-init
defaultMode: 110
- name: config
secret:
secretName: forgejo
defaultMode: 110
- name: inline-config-sources
secret:
secretName: forgejo-inline-config
- name: temp
emptyDir: {}
- name: data
persistentVolumeClaim:
claimName: gitea-shared-storage

18
template/stacks/core/forgejo/values.yaml
View file

@ -1,5 +1,5 @@
redis-cluster:
enabled: true
enabled: false
postgresql:
enabled: false
postgresql-ha:
@ -16,11 +16,6 @@ gitea:
admin:
existingSecret: gitea-credential
config:
service:
DISABLE_REGISTRATION: true
other:
SHOW_FOOTER_VERSION: false
SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
database:
DB_TYPE: sqlite3
session:
@ -30,14 +25,8 @@ gitea:
queue:
TYPE: level
server:
DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
mailer:
ENABLED: true
FROM: forgejo@{{{ .Env.DOMAIN_GITEA }}}
PROTOCOL: smtp
SMTP_ADDR: mailhog.mailhog.svc.cluster.local
SMTP_PORT: 1025
DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}'
ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
service:
ssh:
@ -64,4 +53,3 @@ forgejo:
- docker:docker://node:16-bullseye
- self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
- ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
- ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04

2
template/stacks/core/ingress-apps.yaml
View file

@ -11,7 +11,7 @@ spec:
destination:
server: "https://kubernetes.default.svc"
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/core/ingress-apps"
project: default

18
template/stacks/core/ingress-apps/alloy.yaml
View file

@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: alloy
namespace: monitoring
spec:
ingressClassName: nginx
rules:
- host: {{{ .Env.DOMAIN }}}
http:
paths:
- backend:
service:
name: alloy
port:
number: 12345
path: /alloy
pathType: Prefix

6
template/stacks/core/ingress-apps/argocd-server.yaml
View file

@ -4,6 +4,8 @@ metadata:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/use-regex: "true"
{{{ if eq .Env.CLUSTER_TYPE "osc" }}}
dns.gardener.cloud/class: garden
dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN }}}
@ -22,8 +24,8 @@ spec:
name: argocd-server
port:
number: 80
path: /argocd
pathType: Prefix
path: /argocd(/|$)(.*)
pathType: ImplementationSpecific
tls:
- hosts:
- {{{ .Env.DOMAIN }}}

6
template/stacks/core/ingress-apps/forgejo.yaml
View file

@ -6,7 +6,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-body-size: 512m
{{{ if eq .Env.CLUSTER_TYPE "osc" }}}
dns.gardener.cloud/class: garden
dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN_GITEA }}}
dns.gardener.cloud/dnsnames: gitea.{{{ .Env.DOMAIN }}}
dns.gardener.cloud/ttl: "600"
{{{ end }}}
name: forgejo
@ -14,7 +14,7 @@ metadata:
spec:
ingressClassName: nginx
rules:
- host: {{{ .Env.DOMAIN_GITEA }}}
- host: gitea.{{{ .Env.DOMAIN }}}
http:
paths:
- backend:
@ -26,5 +26,5 @@ spec:
pathType: Prefix
tls:
- hosts:
- {{{ .Env.DOMAIN_GITEA }}}
- gitea.{{{ .Env.DOMAIN }}}
secretName: forgejo-net-tls

18
template/stacks/core/ingress-apps/mailhog.yaml
View file

@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mailhog
namespace: mailhog
spec:
ingressClassName: nginx
rules:
- host: {{{ .Env.DOMAIN }}}
http:
paths:
- backend:
service:
name: mailhog
port:
number: 8025
path: /mailhog
pathType: Prefix

6
template/stacks/core/ingress-nginx.yaml
View file

@ -16,12 +16,12 @@ spec:
name: in-cluster
namespace: ingress-nginx
sources:
- repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git
- repoURL: https://github.com/kubernetes/ingress-nginx
path: charts/ingress-nginx
targetRevision: helm-chart-4.12.1-depends
targetRevision: helm-chart-4.11.3
helm:
valueFiles:
- $values/stacks/core/ingress-nginx/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

816
template/stacks/core/ingress-nginx/hydrated/install.yaml Normal file
View file

@ -0,0 +1,816 @@
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: "true"
proxy-buffer-size: "32k"
use-forwarded-headers: "true"
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
# Omit Ingress status permissions if `--update-status` is disabled.
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
resourceNames:
- ingress-nginx-leader
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-metrics.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller-metrics
namespace: ingress-nginx
spec:
type: ClusterIP
ports:
- name: metrics
port: 10254
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: webhook
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: NodePort
ipFamilyPolicy: SingleStack
ipFamilies:
- IPv4
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
replicas: 1
revisionHistoryLimit: 10
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
minReadySeconds: 0
template:
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
spec:
dnsPolicy: ClusterFirst
containers:
- name: controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
args:
- /nginx-ingress-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-ssl-passthrough
- --publish-status-address=localhost
securityContext:
runAsNonRoot: true
runAsUser: 101
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
readOnlyRootFilesystem: false
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
ports:
- name: http
containerPort: 80
protocol: TCP
hostPort: 80
- name: https
containerPort: 443
protocol: TCP
hostPort: 443
- name: metrics
containerPort: 10254
protocol: TCP
- name: webhook
containerPort: 8443
protocol: TCP
volumeMounts:
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
resources:
requests:
cpu: 100m
memory: 90Mi
nodeSelector:
ingress-ready: "true"
kubernetes.io/os: linux
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Equal
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 0
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/controller-poddisruptionbudget.yaml
# PDB is not supported for DaemonSets.
# https://github.com/kubernetes/kubernetes/issues/108124
---
# Source: ingress-nginx/templates/controller-servicemonitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
release: ingress-nginx
spec:
endpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- ingress-nginx
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
name: ingress-nginx-admission
webhooks:
- name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
port: 443
path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-nginx-admission
namespace: ingress-nginx
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ingress-nginx-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ingress-nginx-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-nginx-admission
namespace: ingress-nginx
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-nginx-admission
namespace: ingress-nginx
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-create
namespace: ingress-nginx
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
template:
metadata:
name: ingress-nginx-admission-create
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: create
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
nodeSelector:
kubernetes.io/os: linux
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-patch
namespace: ingress-nginx
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
template:
metadata:
name: ingress-nginx-admission-patch
labels:
helm.sh/chart: ingress-nginx-4.11.3
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: "1.11.3"
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: patch
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
nodeSelector:
kubernetes.io/os: linux

4
template/stacks/local-backup/minio.yaml
View file

@ -17,10 +17,10 @@ spec:
valueFiles:
- $values/stacks/local-backup/minio/helm/values.yaml
chart: minio
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/local-backup/minio/manifests"
destination:

2
template/stacks/local-backup/velero.yaml
View file

@ -17,7 +17,7 @@ spec:
valueFiles:
- $values/stacks/local-backup/velero/helm/values.yaml
chart: velero
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values
destination:

78
template/stacks/monitoring/alloy/values.yaml
View file

@ -1,78 +0,0 @@
alloy:
create: false
name: alloy-config
key: config.alloy
uiPathPrefix: "/alloy"
configMap:
content: |-
logging {
level = "info"
format = "logfmt"
}
loki.write "local_loki" {
endpoint {
url = "http://loki-loki-distributed-gateway/loki/api/v1/push"
}
}
discovery.kubernetes "pod" {
role = "pod"
}
discovery.kubernetes "nodes" {
role = "node"
}
discovery.kubernetes "services" {
role = "service"
}
discovery.kubernetes "endpoints" {
role = "endpoints"
}
discovery.kubernetes "endpointslices" {
role = "endpointslice"
}
discovery.kubernetes "ingresses" {
role = "ingress"
}
discovery.relabel "pod_logs" {
targets = discovery.kubernetes.pod.targets
rule {
source_labels = ["__meta_kubernetes_namespace"]
action = "replace"
target_label = "namespace"
}
rule {
source_labels = ["__meta_kubernetes_pod_name"]
action = "replace"
target_label = "pod"
}
rule {
source_labels = ["__meta_kubernetes_pod_node_name"]
action = "replace"
target_label = "node"
}
rule {
source_labels = ["__meta_kubernetes_pod_container_name"]
action = "replace"
target_label = "container"
}
}
loki.source.kubernetes "all_pod_logs" {
targets = discovery.relabel.pod_logs.output
forward_to = [loki.write.local_loki.receiver]
}

2
template/stacks/monitoring/grafana-dashboards.yaml
View file

@ -10,7 +10,7 @@ metadata:
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/monitoring/kube-prometheus/dashboards"
destination:

29
template/stacks/monitoring/kube-prometheus-sso.yaml
View file

@ -1,29 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kube-prometheus-sso
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/monitoring/kube-prometheus-sso"
destination:
server: "https://kubernetes.default.svc"
namespace: monitoring
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

21
template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml
View file

@ -1,21 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: monitoring
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
data:
- secretKey: GRAFANA_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: GRAFANA_CLIENT_SECRET

8
template/stacks/monitoring/kube-prometheus.yaml
View file

@ -15,12 +15,6 @@ spec:
syncOptions:
- CreateNamespace=true
- ServerSideApply=true # do not copy metdata, since (because of its large size) it can lead to sync failure
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s
destination:
name: in-cluster
namespace: monitoring
@ -31,6 +25,6 @@ spec:
helm:
valueFiles:
- $values/stacks/monitoring/kube-prometheus/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

4
template/stacks/monitoring/kube-prometheus/dashboards/dashboard_loki_container.yaml
View file

@ -110,12 +110,12 @@ data:
"uid": "P8E80F9AEF21F6940"
},
"editorMode": "builder",
"expr": "{container=\"alloy\"} |= ``",
"expr": "{container=\"promtail\"} |= ``",
"queryType": "range",
"refId": "A"
}
],
"title": "Logs: Container alloy",
"title": "Logs: Container promtail",
"type": "logs"
},
{

26
template/stacks/monitoring/kube-prometheus/values.yaml
View file

@ -33,33 +33,7 @@ grafana:
domain: {{{ .Env.DOMAIN }}}
root_url: "%(protocol)s://%(domain)s/grafana"
serve_from_sub_path: true
auth:
disable_login: true
disable_login_form: true
auth.generic_oauth:
enabled: true
name: Keycloak-OAuth
allow_sign_up: true
use_refresh_token: true
client_id: grafana
client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
scopes: openid email profile offline_access roles
email_attribute_path: email
login_attribute_path: username
name_attribute_path: full_name
auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
extraSecretMounts:
- name: auth-generic-oauth-secret-mount
secretName: auth-generic-oauth-secret
defaultMode: 0440
mountPath: /etc/secrets/auth_generic_oauth
readOnly: true
serviceMonitor:
# If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
enabled: true

2
template/stacks/monitoring/loki.yaml
View file

@ -24,7 +24,7 @@ spec:
helm:
valueFiles:
- $values/stacks/monitoring/loki/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

10
template/stacks/monitoring/alloy.yaml → template/stacks/monitoring/promtail.yaml
View file

@ -1,7 +1,7 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: alloy
name: promtail
namespace: argocd
labels:
env: dev
@ -18,12 +18,12 @@ spec:
name: in-cluster
namespace: monitoring
sources:
- repoURL: https://github.com/grafana/alloy.git
path: operations/helm/charts/alloy
- repoURL: https://github.com/grafana/helm-charts
path: charts/promtail
targetRevision: HEAD
helm:
valueFiles:
- $values/stacks/monitoring/alloy/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- $values/stacks/monitoring/promtail/values.yaml
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

45
template/stacks/monitoring/promtail/values.yaml Normal file
View file

@ -0,0 +1,45 @@
# -- Overrides the chart's name
nameOverride: null
# -- Overrides the chart's computed fullname
fullnameOverride: null
global:
# -- Allow parent charts to override registry hostname
imageRegistry: ""
# -- Allow parent charts to override registry credentials
imagePullSecrets: []
daemonset:
# -- Deploys Promtail as a DaemonSet
enabled: true
autoscaling:
# -- Creates a VerticalPodAutoscaler for the daemonset
enabled: false
deployment:
# -- Deploys Promtail as a Deployment
enabled: false
config:
enabled: true
logLevel: info
logFormat: logfmt
serverPort: 3101
clients:
- url: http://loki-loki-distributed-gateway/loki/api/v1/push
scrape_configs:
- job_name: authlog
static_configs:
- targets:
- authlog
labels:
job: authlog
__path__: /logs/auth.log
- job_name: syslog
static_configs:
- targets:
- syslog
labels:
job: syslog
__path__: /logs/syslog

6
template/stacks/ref-implementation/argo-workflows.yaml
View file

@ -10,7 +10,7 @@ metadata:
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/argo-workflows/manifests/dev"
destination:
@ -23,7 +23,3 @@ spec:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

2
template/stacks/ref-implementation/backstage-templates.yaml
View file

@ -10,7 +10,7 @@ metadata:
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/backstage-templates/entities"
directory:

2
template/stacks/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml
View file

@ -20,7 +20,7 @@ metadata:
backstage.io/kubernetes-namespace: default
argocd/app-name: ${{values.name | dump}}
links:
- url: https://{{{ .Env.DOMAIN_GITEA }}}:443
- url: https://gitea.{{{ .Env.DOMAIN }}}:443
title: Repo URL
icon: github
spec:

4
template/stacks/ref-implementation/backstage-templates/entities/app-with-bucket/template.yaml
View file

@ -100,7 +100,7 @@ spec:
input:
description: This is an example app
# Hard coded value for this demo purposes only.
repoUrl: {{{ .Env.DOMAIN_GITEA }}}:443/?repo=${{parameters.name}}
repoUrl: gitea.{{{ .Env.DOMAIN }}}:443/?repo=${{parameters.name}}
defaultBranch: main
- id: create-argocd-app
name: Create ArgoCD App
@ -111,7 +111,7 @@ spec:
argoInstance: in-cluster
projectName: default
# necessary until we generate our own cert
repoUrl: https://{{{ .Env.DOMAIN_GITEA }}}:443/giteaAdmin/${{parameters.name}}
repoUrl: https://gitea.{{{ .Env.DOMAIN }}}:443/giteaAdmin/${{parameters.name}}
path: "kustomize/base"
- id: register
name: Register

2
template/stacks/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml
View file

@ -14,7 +14,7 @@ metadata:
apache-spark.cnoe.io/label-selector: env=dev,entity-id=${{values.name}}
apache-spark.cnoe.io/cluster-name: local
links:
- url: https://{{{ .Env.DOMAIN_GITEA }}}:443
- url: https://gitea.{{{ .Env.DOMAIN }}}:443
title: Repo URL
icon: github
spec:

4
template/stacks/ref-implementation/backstage-templates/entities/argo-workflows/template.yaml
View file

@ -35,7 +35,7 @@ spec:
input:
description: This is an example app
# Hard coded value for this demo purposes only.
repoUrl: {{{ .Env.DOMAIN_GITEA }}}:443/?repo=${{parameters.name}}
repoUrl: gitea.{{{ .Env.DOMAIN }}}:443/?repo=${{parameters.name}}
defaultBranch: main
- id: create-argocd-app
name: Create ArgoCD App
@ -46,7 +46,7 @@ spec:
argoInstance: in-cluster
projectName: default
# necessary until we generate our own cert
repoUrl: https://{{{ .Env.DOMAIN_GITEA }}}:443/giteaAdmin/${{parameters.name}}
repoUrl: https://gitea.{{{ .Env.DOMAIN }}}:443/giteaAdmin/${{parameters.name}}
path: "manifests"
- id: register
name: Register

2
template/stacks/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml
View file

@ -10,7 +10,7 @@ metadata:
backstage.io/kubernetes-namespace: default
argocd/app-name: ${{values.name | dump}}
links:
- url: https://{{{ .Env.DOMAIN_GITEA }}}:443
- url: https://gitea.{{{ .Env.DOMAIN }}}:443
title: Repo URL
icon: github
spec:

4
template/stacks/ref-implementation/backstage-templates/entities/basic/template.yaml
View file

@ -31,7 +31,7 @@ spec:
input:
description: This is an example app
# Hard coded value for this demo purposes only.
repoUrl: {{{ .Env.DOMAIN_GITEA }}}:443/?repo=${{parameters.name}}
repoUrl: gitea.{{{ .Env.DOMAIN }}}:443/?repo=${{parameters.name}}
defaultBranch: main
- id: create-argocd-app
name: Create ArgoCD App
@ -42,7 +42,7 @@ spec:
argoInstance: in-cluster
projectName: default
# necessary until we generate our own cert
repoUrl: https://{{{ .Env.DOMAIN_GITEA }}}:443/giteaAdmin/${{parameters.name}}
repoUrl: https://gitea.{{{ .Env.DOMAIN }}}:443/giteaAdmin/${{parameters.name}}
path: "manifests"
- id: register
name: Register

4
template/stacks/ref-implementation/backstage-templates/entities/demo-go-hello-world/skeleton/catalog-info.yaml
View file

@ -9,7 +9,7 @@ metadata:
backstage.io/kubernetes-label-selector: 'entity-id=${{ values.name }}'
backstage.io/kubernetes-namespace: gitea
links:
- url: https://{{{ .Env.DOMAIN_GITEA }}}:443
- url: https://gitea.{{{ .Env.DOMAIN }}}:443
title: Repo URL
icon: git
spec:
@ -26,7 +26,7 @@ metadata:
annotations:
backstage.io/techdocs-ref: dir:.
links:
- url: https://{{{ .Env.DOMAIN_GITEA }}}:443
- url: https://gitea.{{{ .Env.DOMAIN }}}:443
title: Gitea Repo
icon: git
spec:

2
template/stacks/ref-implementation/backstage-templates/entities/demo-go-hello-world/template.yaml
View file

@ -33,7 +33,7 @@ spec:
name: Publish to Gitea
action: publish:gitea
input:
repoUrl: {{{ .Env.DOMAIN_GITEA }}}:443/?repo=${{parameters.name}}
repoUrl: gitea.{{{ .Env.DOMAIN }}}:443/?repo=${{parameters.name}}
description: This is the repository for ${{ parameters.name }}
sourcePath: ./skeleton
defaultBranch: main

32
template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml vendored Normal file
View file

@ -0,0 +1,32 @@
# This workflow will build a Java project with Gradle, and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle
name: Java CI with Gradle
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
java: [ '17' ]
steps:
- uses: actions/checkout@v4
- name: Set up JDK {% raw %}${{matrix.java}}{% endraw %}
uses: https://github.com/actions/setup-java@v4
with:
java-version: '{% raw %}${{matrix.java}}{% endraw %}'
distribution: 'adopt'
cache: maven
- name: Setup Gradle
uses: https://github.com/gradle/actions/setup-gradle@v4
- name: Build with Gradle
run: ./gradlew build

10
template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml vendored
View file

@ -28,12 +28,12 @@ jobs:
distribution: 'adopt'
cache: maven
- name: Build with Maven Wrapper
run: ./mvnw -B -DskipTests verify
run: ./mvnw -B verify
- name: Build image
#run: ./mvnw spring-boot:build-image # the original image build
run: |
export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ secrets.PACKAGES_USER }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage=gitea.{{{ .Env.DOMAIN }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %}
- name: Build image as tar
run: |
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true
@ -57,11 +57,7 @@ jobs:
NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this
- name: install trivy from deb package
run: |
if [[ "$(uname -m)" == "x86_64" ]]; then
wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
else
wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb
fi
wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb
- name: scan the image
run: trivy image --input jib-image.tar

4
template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/catalog-info.yaml
View file

@ -9,7 +9,7 @@ metadata:
backstage.io/kubernetes-label-selector: 'entity-id=${{ values.name }}'
backstage.io/kubernetes-namespace: gitea
links:
- url: https://{{{ .Env.DOMAIN_GITEA }}}:443
- url: https://gitea.{{{ .Env.DOMAIN }}}:443
title: Repo URL
icon: git
spec:
@ -26,7 +26,7 @@ metadata:
annotations:
backstage.io/techdocs-ref: dir:.
links:
- url: https://{{{ .Env.DOMAIN_GITEA }}}:443
- url: https://gitea.{{{ .Env.DOMAIN }}}:443
title: Gitea Repo
icon: git
spec:

2
template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/k8s/petclinic.yml
View file

@ -58,7 +58,7 @@ spec:
spec:
containers:
- name: workload
image: {{{ .Env.DOMAIN_GITEA }}}/giteaadmin/${{ values.name }}
image: gitea.{{{ .Env.DOMAIN }}}/giteaadmin/${{ values.name }}
env:
- name: SPRING_PROFILES_ACTIVE
value: postgres

4
template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/template.yaml
View file

@ -50,7 +50,7 @@ spec:
name: Publish to Gitea
action: publish:gitea
input:
repoUrl: {{{ .Env.DOMAIN_GITEA }}}:443/?repo=${{parameters.name}}
repoUrl: gitea.{{{ .Env.DOMAIN }}}:443/?repo=${{parameters.name}}
description: This is the repository for ${{ parameters.name }}
sourcePath: ./
defaultBranch: main
@ -64,7 +64,7 @@ spec:
argoInstance: in-cluster
projectName: default
# necessary until we generate our own cert
repoUrl: https://{{{ .Env.DOMAIN_GITEA }}}:443/giteaAdmin/${{parameters.name}}
repoUrl: https://gitea.{{{ .Env.DOMAIN }}}:443/giteaAdmin/${{parameters.name}}
path: "k8s"
- id: register

6
template/stacks/ref-implementation/backstage.yaml
View file

@ -10,7 +10,7 @@ metadata:
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/backstage/manifests"
destination:
@ -23,7 +23,3 @@ spec:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

17
template/stacks/ref-implementation/backstage/manifests/install.yaml
View file

@ -106,12 +106,12 @@ data:
integrations:
gitea:
- baseUrl: https://{{{ .Env.DOMAIN_GITEA }}}:443
host: {{{ .Env.DOMAIN_GITEA }}}:443
- baseUrl: https://gitea.{{{ .Env.DOMAIN }}}:443
host: gitea.{{{ .Env.DOMAIN }}}:443
username: ${GITEA_USERNAME}
password: ${GITEA_PASSWORD}
- baseUrl: https://{{{ .Env.DOMAIN_GITEA }}}
host: {{{ .Env.DOMAIN_GITEA }}}
- baseUrl: https://gitea.{{{ .Env.DOMAIN }}}
host: gitea.{{{ .Env.DOMAIN }}}
username: ${GITEA_USERNAME}
password: ${GITEA_PASSWORD}
- baseUrl: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live
@ -167,7 +167,7 @@ data:
locations:
# Examples from a public GitHub repository.
- type: url
target: https://{{{ .Env.DOMAIN_GITEA }}}:443/giteaAdmin/edfbuilder/raw/branch/main/stacks/ref-implementation/backstage-templates/entities/catalog-info.yaml
target: https://gitea.{{{ .Env.DOMAIN }}}:443/giteaAdmin/edfbuilder/raw/branch/main/stacks/ref-implementation/backstage-templates/entities/catalog-info.yaml
rules:
- allow: [Component, System, API, Resource, Location, Template, User, Group]
kubernetes:
@ -255,8 +255,6 @@ spec:
value: debug
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
- name: NODE_OPTIONS
value: "--no-node-snapshot"
envFrom:
- secretRef:
name: backstage-env-vars
@ -264,8 +262,7 @@ spec:
name: gitea-credentials
- secretRef:
name: argocd-credentials
image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
imagePullPolicy: Always
image: ghcr.io/cnoe-io/backstage-app:9232d633b2698fffa6d0a73b715e06640d170162
name: backstage
ports:
- containerPort: 7007
@ -389,7 +386,7 @@ spec:
KEYCLOAK_NAME_METADATA: https://{{{ .Env.DOMAIN }}}:443/keycloak/realms/cnoe/.well-known/openid-configuration
KEYCLOAK_CLIENT_SECRET: "{{.BACKSTAGE_CLIENT_SECRET}}"
ARGOCD_AUTH_TOKEN: "argocd.token={{.ARGOCD_SESSION_TOKEN}}"
ARGO_CD_URL: 'https://{{{ .Env.DOMAIN }}}/argocd/api/v1/'
ARGO_CD_URL: 'https://argocd-server.argocd.svc.cluster.local/api/v1/'
data:
- secretKey: ARGOCD_SESSION_TOKEN
remoteRef:

2
template/stacks/ref-implementation/external-secrets.yaml
View file

@ -12,7 +12,7 @@ spec:
namespace: external-secrets
server: "https://kubernetes.default.svc"
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/external-secrets/manifests"
project: default

2
template/stacks/ref-implementation/fibonacci-app.yaml
View file

@ -10,7 +10,7 @@ metadata:
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/fibonacci-app"
destination:

29
template/stacks/ref-implementation/forgejo-runner.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: forgejo-runner
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: gitea
sources:
- repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-runner.git
path: forgejo-runner
targetRevision: HEAD
helm:
valueFiles:
- $values/stacks/ref-implementation/forgejo-runner/values.yaml
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

13
template/stacks/ref-implementation/forgejo-runner/values.yaml Normal file
View file

@ -0,0 +1,13 @@
replicaCount: 2
image:
repository: code.forgejo.org/forgejo/runner
pullPolicy: IfNotPresent
tag: "6.0.1"
forgejoUrl: https://gitea.{{{ .Env.DOMAIN }}}
runnerLabels:
- docker:docker://node:20-bullseye
- self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
- ubuntu-latest:docker://node:20-bullseye

2
template/stacks/ref-implementation/keycloak.yaml
View file

@ -12,7 +12,7 @@ spec:
namespace: keycloak
server: "https://kubernetes.default.svc"
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/keycloak/manifests"
project: default

226
template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
View file

@ -71,11 +71,11 @@ data:
},
"type": "default",
"protocol": "openid-connect"
}
}
group-admin-payload.json: |
{"name":"admin"}
{"name":"admin"}
group-base-user-payload.json: |
{"name":"base-user"}
{"name":"base-user"}
group-mapper-payload.json: |
{
"protocol": "openid-connect",
@ -88,41 +88,41 @@ data:
"access.token.claim": "true",
"userinfo.token.claim": "true"
}
}
}
realm-payload.json: |
{"realm":"cnoe","enabled":true}
{"realm":"cnoe","enabled":true}
user-password.json: |
{
"temporary": false,
"type": "password",
"value": "${USER1_PASSWORD}"
}
}
user-user1.json: |
{
"username": "user1",
"email": "user1@user.de",
"email": "",
"firstName": "user",
"lastName": "one",
"requiredActions": [],
"emailVerified": true,
"emailVerified": false,
"groups": [
"/admin"
],
"enabled": true
}
}
user-user2.json: |
{
"username": "user2",
"email": "user2@user.de",
"email": "",
"firstName": "user",
"lastName": "two",
"requiredActions": [],
"emailVerified": true,
"emailVerified": false,
"groups": [
"/base-user"
],
"enabled": true
}
}
argo-client-payload.json: |
{
"protocol": "openid-connect",
@ -150,7 +150,7 @@ data:
"webOrigins": [
"/*"
]
}
}
backstage-client-payload.json: |
{
@ -179,104 +179,8 @@ data:
"webOrigins": [
"/*"
]
}
grafana-client-payload.json: |
{
"clientId": "grafana",
"name": "Grafana Client",
"description": "Used for Grafana SSO",
"rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
"adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
"baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
"alwaysDisplayInConsole": false,
"redirectUris": [
"http://{{{ .Env.DOMAIN }}}/grafana/*"
],
"webOrigins": [
"https://{{{ .Env.DOMAIN }}}/grafana"
],
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oidc.ciba.grant.enabled": "false",
"oauth2.device.authorization.grant.enabled": "false"
},
"defaultClientScopes": [
"web-origins",
"acr",
"offline_access",
"roles",
"profile",
"groups",
"email"
]
}
argocd-client-payload.json: |
{
"protocol": "openid-connect",
"clientId": "argocd",
"name": "ArgoCD Client",
"description": "Used for ArgoCD SSO",
"publicClient": false,
"authorizationServicesEnabled": false,
"serviceAccountsEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"frontchannelLogout": true,
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false
},
"alwaysDisplayInConsole": false,
"rootUrl": "",
"baseUrl": "",
"redirectUris": [
"https://{{{ .Env.DOMAIN }}}/*"
],
"webOrigins": [
"/*"
]
}
forgejo-client-payload.json: |
{
"protocol": "openid-connect",
"clientId": "forgejo",
"name": "Forgejo Client",
"description": "Used for Forgejo SSO",
"publicClient": false,
"authorizationServicesEnabled": false,
"serviceAccountsEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"frontchannelLogout": true,
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false
},
"alwaysDisplayInConsole": false,
"rootUrl": "",
"baseUrl": "",
"redirectUris": [
"https://{{{ .Env.DOMAIN_GITEA }}}/*"
],
"webOrigins": [
"/*"
]
}
---
apiVersion: batch/v1
kind: Job
@ -312,7 +216,7 @@ spec:
command: ["/bin/bash", "-c"]
args:
- |
#! /bin/bash
#! /bin/bash
set -ex -o pipefail
@ -343,11 +247,7 @@ spec:
fi
set -e
if [[ "$(uname -m)" == "x86_64" ]]; then
curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
else
curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl"
fi
curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
chmod +x kubectl
echo "creating cnoe realm and groups"
@ -373,7 +273,7 @@ spec:
${KEYCLOAK_URL}/admin/realms/cnoe/groups
# Create scope mapper
echo 'adding group claim to tokens'
echo 'adding group claim to tokens'
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
@ -413,8 +313,8 @@ spec:
echo "creating Argo Workflows client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/argo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
-X POST --data @/var/config/argo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -428,100 +328,29 @@ spec:
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating Grafana client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/grafana-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating Backstage client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/backstage-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating ArgoCD client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/argocd-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating Forgejo client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/forgejo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
echo \
"apiVersion: v1
@ -536,12 +365,7 @@ spec:
ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
BACKSTAGE_CLIENT_ID: backstage
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
GRAFANA_CLIENT_ID: grafana
ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
ARGOCD_CLIENT_ID: argocd
FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
FORGEJO_CLIENT_ID: forgejo
" > /tmp/secret.yaml
./kubectl apply -f /tmp/secret.yaml

54
template/stacks/ref-implementation/mailhog/README.md
View file

@ -1,54 +0,0 @@
# Mailhog
[MailHog is an email testing tool for developers](https://github.com/mailhog/MailHog).
## In cluster SMTP service
Ypu can send ESMTP emails in the cluster to `mailhog.mailhog.svc.cluster.local`, standard port `1025`, as defined in the service manifest:
```yaml
apiVersion: v1
kind: Service
metadata:
name: mailhog
spec:
ports:
- name: smtp
port: 1025
```
## Ingress
Mailhog offers both WebUi and API at `https://{{{ .Env.DOMAIN }}}/mailhog`.
The ingress definition is in `stacks/core/ingress-apps/mailhog.yaml` (BTW, why isn't this ingress file here in this folder ??) routing to the mailhog' service
```yaml
spec:
rules:
- host: {{{ .Env.DOMAIN }}}
http:
paths:
- backend:
...
path: /mailhog
```
## API
For usage of the API see https://github.com/mailhog/MailHog/blob/master/docs/APIv2.md
## Tests
```bash
kubectl run busybox --rm -it --image=busybox -- /bin/sh
# inside bsybox
wget -O- http://mailhog.mailhog.svc.cluster.local:8025/mailhog
# check smtp port
nc -zv mailhog.mailhog.svc.cluster.local 1025
# send esmtp, first install swaks
swaks --to test@example.com --from test@example.com --server mailhog:1025 --data "Subject: Test-Mail\n\nDies ist eine Test-Mail."
```

33
template/stacks/ref-implementation/mailhog/deployment.yaml
View file

@ -1,33 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailhog-deployment
namespace: mailhog
spec:
replicas: 1
selector:
matchLabels:
app: mailhog
template:
metadata:
labels:
app: mailhog
spec:
containers:
- name: mailhog
image: mailhog/mailhog
env:
- name: MH_UI_WEB_PATH # set this to same value as in ingress stacks/core/ingress-apps/mailhog.yaml
value: mailhog
ports:
- containerPort: 1025
name: smtp
- containerPort: 8025
name: http
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "100m"

13
template/stacks/ref-implementation/mailhog/service.yaml
View file

@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: mailhog
spec:
selector:
app: mailhog
ports:
- name: smtp
port: 1025
- name: http
port: 8025
type: ClusterIP

2
template/stacks/ref-implementation/openbao.yaml
View file

@ -24,7 +24,7 @@ spec:
helm:
valueFiles:
- $values/stacks/ref-implementation/openbao/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
- repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values
ignoreDifferences:

2
template/stacks/second-cluster/create-new-cluster-guestbook.yaml
View file

@ -19,5 +19,5 @@ spec:
namespace: crossplane-system
source:
path: stacks/second-cluster/create-new-cluster-guestbook
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
repoURL: https://gitea.{{{ .Env.DOMAIN }}}/giteaAdmin/edfbuilder
targetRevision: HEAD