DevFW-CICD/stacks
12
0
Fork 2
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions

Compare commits

base: DevFW-CICD:development
Branches Tags
DevFW-CICD:development
DevFW-CICD:otc_test
DevFW-CICD:modularise_edp
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:sso_jobs_push_to_cefor
DevFW-CICD:IPCEICIS-3796
DevFW-CICD:IPCEICIS-2952
DevFW-CICD:michals-silly-game
DevFW-CICD:keycloak_update_test
DevFW-CICD:django-backstage-template
DevFW-CICD:IPCEICIS-3256
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:alloy_implementation
DevFW-CICD:openbao_logs_second_way
DevFW-CICD:root_path_argocd_test
DevFW-CICD:IPCEICIS-2751_backstage
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:runner-tags
DevFW-CICD:dns_splitting
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:main
DevFW-CICD:dns_ssl_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0
..
compare: DevFW-CICD:openbao_logs_second_way
Branches Tags
DevFW-CICD:otc_test
DevFW-CICD:modularise_edp
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:sso_jobs_push_to_cefor
DevFW-CICD:IPCEICIS-3796
DevFW-CICD:development
DevFW-CICD:IPCEICIS-2952
DevFW-CICD:michals-silly-game
DevFW-CICD:keycloak_update_test
DevFW-CICD:django-backstage-template
DevFW-CICD:IPCEICIS-3256
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:alloy_implementation
DevFW-CICD:openbao_logs_second_way
DevFW-CICD:root_path_argocd_test
DevFW-CICD:IPCEICIS-2751_backstage
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:runner-tags
DevFW-CICD:dns_splitting
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:main
DevFW-CICD:dns_ssl_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0

28 commits
developmen ... openbao_lo

Author SHA1 Message Date
miwr
e993c274b0 runAsUser: 1000 # Run as non-root user 
fsGroup: 1000
 2025-03-17 15:41:18 +01:00
miwr
46072b8f81 runAsUser: 0 2025-03-17 15:34:43 +01:00
miwr
8617e200ea securityContext: 
runAsUser: 1000
        fsGroup: 1000
 2025-03-17 15:30:50 +01:00
miwr
c30cf9f380 /tmp/alloy/data 2025-03-17 15:26:17 +01:00
miwr
872c9dc8e5 volumes: 
- name: alloy-data
      emptyDir: {}
 2025-03-17 15:13:12 +01:00
miwr
27dc5966e9 # args: 
#    - --config.file=/etc/alloy/config.yaml
 2025-03-17 15:05:10 +01:00
miwr
aeca6100f5 /etc/alloy/config.yaml 2025-03-17 14:49:33 +01:00
miwr
4e673f674d extraVolumes deprecated 2025-03-17 14:37:58 +01:00
miwr
be1c3cee7a test 2025-03-17 14:31:26 +01:00
miwr
f0632db48b extraContainers: 
- name: grafana-alloy
     image: grafana/alloy:latest
     ports:
       - containerPort: 12345
     volumeMounts:
       - name: sidecar-container-alloy-config
         mountPath: /etc/alloy
         subPath: config.yaml
     args:
       - --config.file=/etc/alloy/config.yaml
 2025-03-17 14:23:11 +01:00
miwr
7b77d870c6 extraVolumes: 
- name: sidecar-container-alloy-config
      configMap:
        name: sidecar-container-alloy-config
 2025-03-17 14:17:13 +01:00
miwr
deaed1bdcc path: "stacks/ref-implementation/openbao-alloy-configmap" 2025-03-17 14:12:18 +01:00
miwr
2890437647 ref-implementation/openbao/sidecar-container-alloy-configmap 2025-03-17 14:07:43 +01:00
miwr
f873cd8aef new directory for the configmap 2025-03-17 14:00:05 +01:00
miwr
3eec895f67 test 2025-03-17 13:46:53 +01:00
miwr
4b553dd258 config map separately 2025-03-17 13:31:43 +01:00
miwr
f1d940561d adjustment of openbao.ymal 2025-03-17 13:15:47 +01:00
miwr
e2ad485759 sidecar container added 2025-03-17 12:55:46 +01:00
miwr
29d4ca9fe6 removing alloy as a separate pod in the same namespace 2025-03-13 15:50:17 +01:00
miwr
de8dc94e28 operations/helm/charts/alloy path fixed 2025-03-13 15:16:02 +01:00
miwr
48a28127ce testing 2025-03-13 15:14:39 +01:00
miwr
83e1215d7d adding a side-car logging container for openbao 2025-03-13 15:09:06 +01:00
miwr
28916f2278 Merge branch 'alloy_implementation' into shipping_openbao_logs 
# Conflicts:
#	.gitignore
 2025-03-13 14:59:45 +01:00
miwr
a4502f2ecb provisional solution for the shipping done 2025-03-13 14:01:45 +01:00
miwr
3dd9b7a544 rm /tmp/init.txt moved a few lines down 2025-03-13 13:52:29 +01:00
miwr
5518e9e2d7 echo deleted 2025-03-13 13:24:44 +01:00
miwr
bc90465579 echos for testing 2025-03-13 13:15:19 +01:00
miwr
524d0c67e0 bao audit enable file file_path=stdout 2025-03-13 13:03:08 +01:00
35 changed files with 355 additions and 572 deletions
Show stats Expand all files Collapse all files

94
.idea/workspace.xml Normal file
View file

@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="AutoImportSettings">
<option name="autoReloadType" value="SELECTIVE" />
</component>
<component name="ChangeListManager">
<list default="true" id="aba99fd0-1896-47d1-9d37-79604db6fea3" name="Changes" comment="">
<change beforePath="$PROJECT_DIR$/template/stacks/ref-implementation/openbao.yaml" beforeDir="false" afterPath="$PROJECT_DIR$/template/stacks/ref-implementation/openbao.yaml" afterDir="false" />
</list>
<option name="SHOW_DIALOG" value="false" />
<option name="HIGHLIGHT_CONFLICTS" value="true" />
<option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
<option name="LAST_RESOLUTION" value="IGNORE" />
</component>
<component name="GOROOT" url="file:///opt/homebrew/opt/go/libexec" />
<component name="Git.Settings">
<option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$" />
</component>
<component name="ProjectColorInfo"><![CDATA[{
"associatedIndex": 3
}]]></component>
<component name="ProjectId" id="2uGUJkvpz6ZVfWTftXZXvoUyrKt" />
<component name="ProjectViewState">
<option name="hideEmptyMiddlePackages" value="true" />
<option name="showLibraryContents" value="true" />
</component>
<component name="PropertiesComponent"><![CDATA[{
"keyToString": {
"RunOnceActivity.ShowReadmeOnStart": "true",
"RunOnceActivity.git.unshallow": "true",
"RunOnceActivity.go.formatter.settings.were.checked": "true",
"RunOnceActivity.go.migrated.go.modules.settings": "true",
"git-widget-placeholder": "shipping__openbao__logs",
"go.import.settings.migrated": "true",
"go.sdk.automatically.set": "true",
"kotlin-language-version-configured": "true",
"last_opened_file_path": "/Users/miwr/stacks",
"node.js.detected.package.eslint": "true",
"node.js.detected.package.tslint": "true",
"node.js.selected.package.eslint": "(autodetect)",
"node.js.selected.package.tslint": "(autodetect)",
"nodejs_package_manager_path": "npm",
"settings.editor.selected.configurable": "de.telekom.mms.mmsaiassist.pluginconfiguration.PluginSettings",
"vue.rearranger.settings.migration": "true"
}
}]]></component>
<component name="RunManager">
<configuration default="true" type="GoApplicationRunConfiguration" factoryName="Go Application">
<module name="stacks" />
<working_directory value="$PROJECT_DIR$" />
<go_parameters value="-i" />
<kind />
<directory value="$PROJECT_DIR$" />
<filePath value="$PROJECT_DIR$" />
<method v="2" />
</configuration>
<configuration default="true" type="GoTestRunConfiguration" factoryName="Go Test">
<module name="stacks" />
<working_directory value="$PROJECT_DIR$" />
<go_parameters value="-i" />
<kind />
<directory value="$PROJECT_DIR$" />
<filePath value="$PROJECT_DIR$" />
<framework value="gotest" />
<method v="2" />
</configuration>
</component>
<component name="SharedIndexes">
<attachedChunks>
<set>
<option value="bundled-jdk-9823dce3aa75-fdfe4dae3a2d-intellij.indexing.shared.core-IU-243.22562.218" />
<option value="bundled-js-predefined-d6986cc7102b-deb605915726-JavaScript-IU-243.22562.218" />
</set>
</attachedChunks>
</component>
<component name="SpellCheckerSettings" RuntimeDictionaries="0" Folders="0" CustomDictionaries="0" DefaultDictionary="application-level" UseSingleDictionary="true" transferred="true" />
<component name="TaskManager">
<task active="true" id="Default" summary="Default task">
<changelist id="aba99fd0-1896-47d1-9d37-79604db6fea3" name="Changes" comment="" />
<created>1741874334984</created>
<option name="number" value="Default" />
<option name="presentableId" value="Default" />
<updated>1741874334984</updated>
<workItem from="1741874336471" duration="392000" />
</task>
<servers />
</component>
<component name="TypeScriptGeneratedFilesManager">
<option name="version" value="3" />
</component>
<component name="VgoProject">
<settings-migrated>true</settings-migrated>
</component>
</project>

29
template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml
View file

@ -1,29 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: forgejo-access-token
namespace: argocd
spec:
secretStoreRef:
name: gitea
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: forgejo-access-token
template:
engineVersion: v2
data:
forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
metadata:
labels:
app.kubernetes.io/part-of: argocd
data:
- secretKey: FORGEJO_ACCESS_USERNAME
remoteRef:
key: forgejo-access-token
property: username
- secretKey: FORGEJO_ACCESS_TOKEN
remoteRef:
key: forgejo-access-token
property: token

24
template/stacks/core/argocd-sso/argocd-secret.yaml
View file

@ -1,24 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: argocd
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
metadata:
labels:
app.kubernetes.io/part-of: argocd
data:
- secretKey: ARGOCD_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: ARGOCD_CLIENT_SECRET

54
template/stacks/core/argocd-sso/argocd-sso-config.yaml
View file

@ -1,54 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: argocd-config
namespace: argocd
spec:
template:
metadata:
generateName: argocd-config-
spec:
restartPolicy: OnFailure
containers:
- name: push
image: docker.io/library/ubuntu:22.04
env:
- name: FORGEJO_USER
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_username
- name: FORGEJO_TOKEN
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_token
command: ["/bin/bash", "-c"]
args:
- |
#! /bin/bash
apt -qq update
apt -qq install git wget -y
if [[ "$(uname -m)" == "x86_64" ]]; then
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
install yq_linux_amd64 /usr/local/bin/yq
rm yq_linux_amd64
else
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
install yq_linux_arm64 /usr/local/bin/yq
rm yq_linux_arm64
fi
git config --global user.email "bot@bots.de"
git config --global user.name "bot"
git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
cd edfbuilder
yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
git add stacks/core/argocd/values.yaml
git commit -m "adds Forgejo SSO config"
git push
backoffLimit: 99

4
template/stacks/core/argocd.yaml
View file

@ -16,12 +16,12 @@ spec:
name: in-cluster
namespace: argocd
sources:
- repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
- repoURL: https://github.com/argoproj/argo-helm
path: charts/argo-cd
# TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
# As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
# similar to the CNOE amazon reference implementation and in our case, Forgejo
targetRevision: argo-cd-7.8.14-depends
targetRevision: argo-cd-7.7.5
helm:
valueFiles:
- $values/stacks/core/argocd/values.yaml

2
template/stacks/core/argocd/values.yaml
View file

@ -5,7 +5,6 @@ configs:
params:
server.insecure: true
server.basehref: /argocd
server.rootpath: /argocd
cm:
application.resourceTrackingMethod: annotation
timeout.reconciliation: 60s
@ -21,7 +20,6 @@ configs:
clusters:
- "*"
accounts.provider-argocd: apiKey
url: https://{{{ .Env.DOMAIN }}}/argocd
rbac:
policy.csv: 'g, provider-argocd, role:admin'

26
template/stacks/ref-implementation/mailhog.yaml → template/stacks/core/crossplane-compositions.yaml
View file

@ -1,25 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: mailhog
name: crossplane-compositions
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/mailhog"
destination:
server: "https://kubernetes.default.svc"
namespace: mailhog
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source:
path: stacks/core/crossplane-compositions
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
directory:
recurse: true

30
template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: edfbuilders.edfbuilder.crossplane.io
spec:
connectionSecretKeys:
- kubeconfig
group: edfbuilder.crossplane.io
names:
kind: EDFBuilder
listKind: EDFBuilderList
plural: edfbuilders
singular: edfbuilders
versions:
- name: v1alpha1
served: true
referenceable: true
schema:
openAPIV3Schema:
description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
type: object
properties:
spec:
type: object
properties:
repoURL:
type: string
description: URL to ArgoCD stack of stacks repo
required:
- repoURL

30
template/stacks/core/forgejo-sso.yaml → template/stacks/core/crossplane-providers.yaml
View file

@ -1,29 +1,23 @@
{{{ if eq .Env.CLUSTER_TYPE "kind" }}}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: forgejo-sso
name: crossplane-providers
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/core/forgejo-sso"
destination:
server: "https://kubernetes.default.svc"
namespace: gitea
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source:
path: stacks/core/crossplane-providers
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
{{{ end }}}

9
template/stacks/core/crossplane-providers/function-patch-and-transform.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Function
metadata:
name: crossplane-contrib-function-patch-and-transform
spec:
package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

14
template/stacks/core/crossplane-providers/provider-argocd-config.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: argocd.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: argocd-provider
spec:
serverAddr: argocd-server.argocd.svc.cluster.local:80
insecure: true
plainText: true
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: argocd-credentials
key: authToken

9
template/stacks/core/crossplane-providers/provider-argocd.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-argocd
spec:
package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

14
template/stacks/core/crossplane-providers/provider-kind-config.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: kind.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: kind-provider
spec:
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: kind-credentials
key: credentials
endpoint:
# the url is managed by crossplane-edfbuilder
url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver

9
template/stacks/core/crossplane-providers/provider-kind.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-kind
spec:
package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.0
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

9
template/stacks/core/crossplane-providers/provider-shell.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-shell
spec:
package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.1
packagePullPolicy: IfNotPresent # Only download the package if it isnt in the cache.
revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
revisionHistoryLimit: 1

23
template/stacks/core/crossplane.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: crossplane
namespace: argocd
labels:
env: dev
spec:
project: default
syncPolicy:
automated:
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
name: in-cluster
namespace: crossplane-system
source:
chart: crossplane
repoURL: https://charts.crossplane.io/stable
targetRevision: 1.18.0
helm:
releaseName: crossplane

29
template/stacks/core/forgejo-runner/dind-docker.yaml
View file

@ -28,18 +28,19 @@ spec:
# https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
initContainers:
- name: runner-register
image: code.forgejo.org/forgejo/runner:6.3.1
command:
- "sh"
- "-c"
- |
forgejo-runner \
register \
--no-interactive \
--token ${RUNNER_SECRET} \
--name ${RUNNER_NAME} \
--instance ${FORGEJO_INSTANCE_URL} \
--labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
image: code.forgejo.org/forgejo/runner:6.0.1
command:
- "forgejo-runner"
- "register"
- "--no-interactive"
- "--token"
- $(RUNNER_SECRET)
- "--name"
- $(RUNNER_NAME)
- "--instance"
- $(FORGEJO_INSTANCE_URL)
- "--labels"
- "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
env:
- name: RUNNER_NAME
valueFrom:
@ -57,7 +58,7 @@ spec:
mountPath: /data
containers:
- name: runner
image: code.forgejo.org/forgejo/runner:6.3.1
image: code.forgejo.org/forgejo/runner:6.0.1
command:
- "sh"
- "-c"
@ -93,7 +94,7 @@ spec:
- name: runner-data
mountPath: /data
- name: daemon
image: docker:28.0.4-dind
image: docker:27.4.1-dind
env:
- name: DOCKER_TLS_CERTDIR
value: /certs

26
template/stacks/core/forgejo-sso/forgejo-access-token.yaml
View file

@ -1,26 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: forgejo-access-token
namespace: gitea
spec:
secretStoreRef:
name: gitea
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: forgejo-access-token
template:
engineVersion: v2
data:
forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
data:
- secretKey: FORGEJO_ACCESS_USERNAME
remoteRef:
key: forgejo-access-token
property: username
- secretKey: FORGEJO_ACCESS_TOKEN
remoteRef:
key: forgejo-access-token
property: token

26
template/stacks/core/forgejo-sso/forgejo-secret.yaml
View file

@ -1,26 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: auth-generic-oauth-secret
namespace: gitea
spec:
secretStoreRef:
name: keycloak
kind: ClusterSecretStore
refreshInterval: "0"
target:
name: auth-generic-oauth-secret
template:
engineVersion: v2
data:
key: "{{.FORGEJO_CLIENT_ID}}"
secret: "{{.FORGEJO_CLIENT_SECRET}}"
data:
- secretKey: FORGEJO_CLIENT_ID
remoteRef:
key: keycloak-clients
property: FORGEJO_CLIENT_ID
- secretKey: FORGEJO_CLIENT_SECRET
remoteRef:
key: keycloak-clients
property: FORGEJO_CLIENT_SECRET

76
template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
View file

@ -1,76 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: forgejo-config
namespace: gitea
spec:
template:
metadata:
generateName: forgejo-config-
spec:
restartPolicy: OnFailure
containers:
- name: push
image: docker.io/library/ubuntu:22.04
env:
- name: FORGEJO_USER
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_username
- name: FORGEJO_TOKEN
valueFrom:
secretKeyRef:
name: forgejo-access-token
key: forgejo_token
command: ["/bin/bash", "-c"]
args:
- |
#! /bin/bash
apt -qq update
apt -qq install git wget -y
if [[ "$(uname -m)" == "x86_64" ]]; then
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
install yq_linux_amd64 /usr/local/bin/yq
rm yq_linux_amd64
else
wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
install yq_linux_arm64 /usr/local/bin/yq
rm yq_linux_arm64
fi
git config --global user.email "bot@bots.de"
git config --global user.name "giteaAdmin"
git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
cd edfbuilder
yq eval ".gitea.oauth = [
{
\"name\": \"Keycloak\",
\"provider\": \"openidConnect\",
\"existingSecret\": \"auth-generic-oauth-secret\",
\"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
}
] |
(.gitea.oauth[] | .name) |= (. style=\"single\")
|
(.gitea.oauth[] | .provider) |= (. style=\"single\")
|
(.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
|
(.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
" -i stacks/core/forgejo/values.yaml
yq eval '.gitea.config.oauth2_client =
{
"ENABLE_AUTO_REGISTRATION" : true,
"ACCOUNT_LINKING" : "auto"
}
' -i stacks/core/forgejo/values.yaml
git add stacks/core/forgejo/values.yaml
git commit -m "adds Forgejo SSO config"
git push
backoffLimit: 99

4
template/stacks/core/forgejo.yaml
View file

@ -16,9 +16,9 @@ spec:
name: in-cluster
namespace: gitea
sources:
- repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
- repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
path: .
targetRevision: v12.0.0-depends
targetRevision: v10.1.1
helm:
valueFiles:
- $values/stacks/core/forgejo/values.yaml

13
template/stacks/core/forgejo/values.yaml
View file

@ -1,5 +1,5 @@
redis-cluster:
enabled: true
enabled: false
postgresql:
enabled: false
postgresql-ha:
@ -16,11 +16,6 @@ gitea:
admin:
existingSecret: gitea-credential
config:
service:
DISABLE_REGISTRATION: true
other:
SHOW_FOOTER_VERSION: false
SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
database:
DB_TYPE: sqlite3
session:
@ -32,12 +27,6 @@ gitea:
server:
DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
mailer:
ENABLED: true
FROM: forgejo@{{{ .Env.DOMAIN_GITEA }}}
PROTOCOL: smtp
SMTP_ADDR: mailhog.mailhog.svc.cluster.local
SMTP_PORT: 1025
service:
ssh:

6
template/stacks/core/ingress-apps/argocd-server.yaml
View file

@ -4,6 +4,8 @@ metadata:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/use-regex: "true"
{{{ if eq .Env.CLUSTER_TYPE "osc" }}}
dns.gardener.cloud/class: garden
dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN }}}
@ -22,8 +24,8 @@ spec:
name: argocd-server
port:
number: 80
path: /argocd
pathType: Prefix
path: /argocd(/|$)(.*)
pathType: ImplementationSpecific
tls:
- hosts:
- {{{ .Env.DOMAIN }}}

18
template/stacks/core/ingress-apps/mailhog.yaml
View file

@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mailhog
namespace: mailhog
spec:
ingressClassName: nginx
rules:
- host: {{{ .Env.DOMAIN }}}
http:
paths:
- backend:
service:
name: mailhog
port:
number: 8025
path: /mailhog
pathType: Prefix

4
template/stacks/core/ingress-nginx.yaml
View file

@ -16,9 +16,9 @@ spec:
name: in-cluster
namespace: ingress-nginx
sources:
- repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git
- repoURL: https://github.com/kubernetes/ingress-nginx
path: charts/ingress-nginx
targetRevision: helm-chart-4.12.1-depends
targetRevision: helm-chart-4.11.3
helm:
valueFiles:
- $values/stacks/core/ingress-nginx/values.yaml

2
template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml vendored
View file

@ -33,7 +33,7 @@ jobs:
#run: ./mvnw spring-boot:build-image # the original image build
run: |
export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ secrets.PACKAGES_USER }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
- name: Build image as tar
run: |
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true

7
template/stacks/ref-implementation/backstage/manifests/install.yaml
View file

@ -255,8 +255,6 @@ spec:
value: debug
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
- name: NODE_OPTIONS
value: "--no-node-snapshot"
envFrom:
- secretRef:
name: backstage-env-vars
@ -264,8 +262,7 @@ spec:
name: gitea-credentials
- secretRef:
name: argocd-credentials
image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
imagePullPolicy: Always
image: ghcr.io/cnoe-io/backstage-app:9232d633b2698fffa6d0a73b715e06640d170162
name: backstage
ports:
- containerPort: 7007
@ -389,7 +386,7 @@ spec:
KEYCLOAK_NAME_METADATA: https://{{{ .Env.DOMAIN }}}:443/keycloak/realms/cnoe/.well-known/openid-configuration
KEYCLOAK_CLIENT_SECRET: "{{.BACKSTAGE_CLIENT_SECRET}}"
ARGOCD_AUTH_TOKEN: "argocd.token={{.ARGOCD_SESSION_TOKEN}}"
ARGO_CD_URL: 'https://{{{ .Env.DOMAIN }}}/argocd/api/v1/'
ARGO_CD_URL: 'https://argocd-server.argocd.svc.cluster.local/api/v1/'
data:
- secretKey: ARGOCD_SESSION_TOKEN
remoteRef:

163
template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
View file

@ -71,11 +71,11 @@ data:
},
"type": "default",
"protocol": "openid-connect"
}
}
group-admin-payload.json: |
{"name":"admin"}
{"name":"admin"}
group-base-user-payload.json: |
{"name":"base-user"}
{"name":"base-user"}
group-mapper-payload.json: |
{
"protocol": "openid-connect",
@ -88,15 +88,15 @@ data:
"access.token.claim": "true",
"userinfo.token.claim": "true"
}
}
}
realm-payload.json: |
{"realm":"cnoe","enabled":true}
{"realm":"cnoe","enabled":true}
user-password.json: |
{
"temporary": false,
"type": "password",
"value": "${USER1_PASSWORD}"
}
}
user-user1.json: |
{
"username": "user1",
@ -109,7 +109,7 @@ data:
"/admin"
],
"enabled": true
}
}
user-user2.json: |
{
"username": "user2",
@ -122,7 +122,7 @@ data:
"/base-user"
],
"enabled": true
}
}
argo-client-payload.json: |
{
"protocol": "openid-connect",
@ -150,7 +150,7 @@ data:
"webOrigins": [
"/*"
]
}
}
backstage-client-payload.json: |
{
@ -179,7 +179,7 @@ data:
"webOrigins": [
"/*"
]
}
}
grafana-client-payload.json: |
{
@ -219,64 +219,6 @@ data:
]
}
argocd-client-payload.json: |
{
"protocol": "openid-connect",
"clientId": "argocd",
"name": "ArgoCD Client",
"description": "Used for ArgoCD SSO",
"publicClient": false,
"authorizationServicesEnabled": false,
"serviceAccountsEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"frontchannelLogout": true,
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false
},
"alwaysDisplayInConsole": false,
"rootUrl": "",
"baseUrl": "",
"redirectUris": [
"https://{{{ .Env.DOMAIN }}}/*"
],
"webOrigins": [
"/*"
]
}
forgejo-client-payload.json: |
{
"protocol": "openid-connect",
"clientId": "forgejo",
"name": "Forgejo Client",
"description": "Used for Forgejo SSO",
"publicClient": false,
"authorizationServicesEnabled": false,
"serviceAccountsEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"frontchannelLogout": true,
"attributes": {
"saml_idp_initiated_sso_url_name": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false
},
"alwaysDisplayInConsole": false,
"rootUrl": "",
"baseUrl": "",
"redirectUris": [
"https://{{{ .Env.DOMAIN_GITEA }}}/*"
],
"webOrigins": [
"/*"
]
}
---
apiVersion: batch/v1
kind: Job
@ -312,7 +254,7 @@ spec:
command: ["/bin/bash", "-c"]
args:
- |
#! /bin/bash
#! /bin/bash
set -ex -o pipefail
@ -373,7 +315,7 @@ spec:
${KEYCLOAK_URL}/admin/realms/cnoe/groups
# Create scope mapper
echo 'adding group claim to tokens'
echo 'adding group claim to tokens'
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
@ -413,8 +355,8 @@ spec:
echo "creating Argo Workflows client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/argo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
-X POST --data @/var/config/argo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -428,26 +370,21 @@ spec:
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating Grafana client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/grafana-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -457,71 +394,22 @@ spec:
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/backstage-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating ArgoCD client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/argocd-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
echo "creating Forgejo client"
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X POST --data @/var/config/forgejo-client-payload.json \
${KEYCLOAK_URL}/admin/realms/cnoe/clients
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id')
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
echo \
"apiVersion: v1
@ -538,10 +426,7 @@ spec:
BACKSTAGE_CLIENT_ID: backstage
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
GRAFANA_CLIENT_ID: grafana
ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
ARGOCD_CLIENT_ID: argocd
FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
FORGEJO_CLIENT_ID: forgejo
" > /tmp/secret.yaml
./kubectl apply -f /tmp/secret.yaml

54
template/stacks/ref-implementation/mailhog/README.md
View file

@ -1,54 +0,0 @@
# Mailhog
[MailHog is an email testing tool for developers](https://github.com/mailhog/MailHog).
## In cluster SMTP service
Ypu can send ESMTP emails in the cluster to `mailhog.mailhog.svc.cluster.local`, standard port `1025`, as defined in the service manifest:
```yaml
apiVersion: v1
kind: Service
metadata:
name: mailhog
spec:
ports:
- name: smtp
port: 1025
```
## Ingress
Mailhog offers both WebUi and API at `https://{{{ .Env.DOMAIN }}}/mailhog`.
The ingress definition is in `stacks/core/ingress-apps/mailhog.yaml` (BTW, why isn't this ingress file here in this folder ??) routing to the mailhog' service
```yaml
spec:
rules:
- host: {{{ .Env.DOMAIN }}}
http:
paths:
- backend:
...
path: /mailhog
```
## API
For usage of the API see https://github.com/mailhog/MailHog/blob/master/docs/APIv2.md
## Tests
```bash
kubectl run busybox --rm -it --image=busybox -- /bin/sh
# inside bsybox
wget -O- http://mailhog.mailhog.svc.cluster.local:8025/mailhog
# check smtp port
nc -zv mailhog.mailhog.svc.cluster.local 1025
# send esmtp, first install swaks
swaks --to test@example.com --from test@example.com --server mailhog:1025 --data "Subject: Test-Mail\n\nDies ist eine Test-Mail."
```

33
template/stacks/ref-implementation/mailhog/deployment.yaml
View file

@ -1,33 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailhog-deployment
namespace: mailhog
spec:
replicas: 1
selector:
matchLabels:
app: mailhog
template:
metadata:
labels:
app: mailhog
spec:
containers:
- name: mailhog
image: mailhog/mailhog
env:
- name: MH_UI_WEB_PATH # set this to same value as in ingress stacks/core/ingress-apps/mailhog.yaml
value: mailhog
ports:
- containerPort: 1025
name: smtp
- containerPort: 8025
name: http
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "100m"

13
template/stacks/ref-implementation/mailhog/service.yaml
View file

@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: mailhog
spec:
selector:
app: mailhog
ports:
- name: smtp
port: 1025
- name: http
port: 8025
type: ClusterIP

8
template/stacks/core/argocd-sso.yaml → template/stacks/ref-implementation/openbao-alloy-configmap.yaml
View file

@ -1,7 +1,7 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd-sso
name: openbao-alloy-configmap
namespace: argocd
labels:
env: dev
@ -12,10 +12,10 @@ spec:
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/core/argocd-sso"
path: "stacks/ref-implementation/openbao-alloy-configmap"
destination:
server: "https://kubernetes.default.svc"
namespace: argocd
namespace: openbao
syncPolicy:
syncOptions:
- CreateNamespace=true
@ -26,4 +26,4 @@ spec:
backoff:
duration: 15s
factor: 1
maxDuration: 15s
maxDuration: 15s

32
template/stacks/ref-implementation/openbao-alloy-configmap/sidecar-container-alloy-configmap.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: sidecar-container-alloy-config
data:
config.yaml: |
logging {
level = "info"
format = "logfmt"
}
loki.write "local_loki" {
endpoint {
url = "http://loki-loki-distributed-gateway/loki/api/v1/push"
}
}
discovery.kubernetes "pod" {
role = "pod"
}
discovery.relabel "openbao_pod_logs" {
targets = discovery.kubernetes.pod.targets
rule {
source_labels = ["__meta_kubernetes_pod_name"]
action = "keep"
regex = "openbao-0"
}
forward_to = [loki.write.local_loki.receiver]
}

2
template/stacks/ref-implementation/openbao.yaml
View file

@ -23,7 +23,7 @@ spec:
targetRevision: HEAD
helm:
valueFiles:
- $values/stacks/ref-implementation/openbao/values.yaml
- $values/stacks/ref-implementation/openbao/values.yaml
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
ref: values

31
template/stacks/ref-implementation/openbao/values.yaml
View file

@ -1,4 +1,31 @@
server:
extraContainers:
- name: grafana-alloy
image: grafana/alloy:latest
ports:
- containerPort: 12345
# volumeMounts:
# - name: sidecar-container-alloy-config
# mountPath: /etc/alloy/config.yaml
# subPath: config.yaml
# args:
# - --config.file=/etc/alloy/config.yaml
volumeMounts:
- name: alloy-data
mountPath: /var/lib/alloy/data
securityContext:
runAsUser: 1000
fsGroup: 1000
volumes:
- name: alloy-data
emptyDir: {}
# volumes:
# - name: sidecar-container-alloy-config
# configMap:
# name: sidecar-container-alloy-config
postStart:
- sh
- -c
@ -12,6 +39,8 @@ server:
echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
bao audit enable file file_path=stdout
rm /tmp/init.txt
ui:
enabled: true
enabled: true