runAsUser: 1000 # Run as non-root user

fsGroup: 1000

.idea/workspace.xml

@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="AutoImportSettings">
+    <option name="autoReloadType" value="SELECTIVE" />
+  </component>
+  <component name="ChangeListManager">
+    <list default="true" id="aba99fd0-1896-47d1-9d37-79604db6fea3" name="Changes" comment="">
+      <change beforePath="$PROJECT_DIR$/template/stacks/ref-implementation/openbao.yaml" beforeDir="false" afterPath="$PROJECT_DIR$/template/stacks/ref-implementation/openbao.yaml" afterDir="false" />
+    </list>
+    <option name="SHOW_DIALOG" value="false" />
+    <option name="HIGHLIGHT_CONFLICTS" value="true" />
+    <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
+    <option name="LAST_RESOLUTION" value="IGNORE" />
+  </component>
+  <component name="GOROOT" url="file:///opt/homebrew/opt/go/libexec" />
+  <component name="Git.Settings">
+    <option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$" />
+  </component>
+  <component name="ProjectColorInfo"><![CDATA[{
+  "associatedIndex": 3
+}]]></component>
+  <component name="ProjectId" id="2uGUJkvpz6ZVfWTftXZXvoUyrKt" />
+  <component name="ProjectViewState">
+    <option name="hideEmptyMiddlePackages" value="true" />
+    <option name="showLibraryContents" value="true" />
+  </component>
+  <component name="PropertiesComponent"><![CDATA[{
+  "keyToString": {
+    "RunOnceActivity.ShowReadmeOnStart": "true",
+    "RunOnceActivity.git.unshallow": "true",
+    "RunOnceActivity.go.formatter.settings.were.checked": "true",
+    "RunOnceActivity.go.migrated.go.modules.settings": "true",
+    "git-widget-placeholder": "shipping__openbao__logs",
+    "go.import.settings.migrated": "true",
+    "go.sdk.automatically.set": "true",
+    "kotlin-language-version-configured": "true",
+    "last_opened_file_path": "/Users/miwr/stacks",
+    "node.js.detected.package.eslint": "true",
+    "node.js.detected.package.tslint": "true",
+    "node.js.selected.package.eslint": "(autodetect)",
+    "node.js.selected.package.tslint": "(autodetect)",
+    "nodejs_package_manager_path": "npm",
+    "settings.editor.selected.configurable": "de.telekom.mms.mmsaiassist.pluginconfiguration.PluginSettings",
+    "vue.rearranger.settings.migration": "true"
+  }
+}]]></component>
+  <component name="RunManager">
+    <configuration default="true" type="GoApplicationRunConfiguration" factoryName="Go Application">
+      <module name="stacks" />
+      <working_directory value="$PROJECT_DIR$" />
+      <go_parameters value="-i" />
+      <kind />
+      <directory value="$PROJECT_DIR$" />
+      <filePath value="$PROJECT_DIR$" />
+      <method v="2" />
+    </configuration>
+    <configuration default="true" type="GoTestRunConfiguration" factoryName="Go Test">
+      <module name="stacks" />
+      <working_directory value="$PROJECT_DIR$" />
+      <go_parameters value="-i" />
+      <kind />
+      <directory value="$PROJECT_DIR$" />
+      <filePath value="$PROJECT_DIR$" />
+      <framework value="gotest" />
+      <method v="2" />
+    </configuration>
+  </component>
+  <component name="SharedIndexes">
+    <attachedChunks>
+      <set>
+        <option value="bundled-jdk-9823dce3aa75-fdfe4dae3a2d-intellij.indexing.shared.core-IU-243.22562.218" />
+        <option value="bundled-js-predefined-d6986cc7102b-deb605915726-JavaScript-IU-243.22562.218" />
+      </set>
+    </attachedChunks>
+  </component>
+  <component name="SpellCheckerSettings" RuntimeDictionaries="0" Folders="0" CustomDictionaries="0" DefaultDictionary="application-level" UseSingleDictionary="true" transferred="true" />
+  <component name="TaskManager">
+    <task active="true" id="Default" summary="Default task">
+      <changelist id="aba99fd0-1896-47d1-9d37-79604db6fea3" name="Changes" comment="" />
+      <created>1741874334984</created>
+      <option name="number" value="Default" />
+      <option name="presentableId" value="Default" />
+      <updated>1741874334984</updated>
+      <workItem from="1741874336471" duration="392000" />
+    </task>
+    <servers />
+  </component>
+  <component name="TypeScriptGeneratedFilesManager">
+    <option name="version" value="3" />
+  </component>
+  <component name="VgoProject">
+    <settings-migrated>true</settings-migrated>
+  </component>
+</project>

template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml

@@ -1,29 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: forgejo-access-token
-  namespace: argocd 
-spec:
-  secretStoreRef:
-    name: gitea
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: forgejo-access-token
-    template:
-      engineVersion: v2
-      data:
-        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
-        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argocd
-  data:
-    - secretKey: FORGEJO_ACCESS_USERNAME
-      remoteRef:
-        key: forgejo-access-token
-        property: username
-    - secretKey: FORGEJO_ACCESS_TOKEN
-      remoteRef:
-        key: forgejo-access-token
-        property: token

template/stacks/core/argocd-sso/argocd-secret.yaml

@@ -1,24 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: auth-generic-oauth-secret
-  namespace: argocd 
-spec:
-  secretStoreRef:
-    name: keycloak
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: auth-generic-oauth-secret
-    template:
-      engineVersion: v2
-      data:
-        client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argocd
-  data:
-    - secretKey: ARGOCD_CLIENT_SECRET
-      remoteRef:
-        key: keycloak-clients
-        property: ARGOCD_CLIENT_SECRET

template/stacks/core/argocd-sso/argocd-sso-config.yaml

@@ -1,54 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: argocd-config
-  namespace: argocd
-spec:
-  template:
-    metadata:
-      generateName: argocd-config-
-    spec:
-      restartPolicy: OnFailure
-      containers:
-        - name: push
-          image: docker.io/library/ubuntu:22.04
-          env:
-            - name: FORGEJO_USER
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_username
-            - name: FORGEJO_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_token
-          command: ["/bin/bash", "-c"]
-          args:
-            - |
-              #! /bin/bash
-
-              apt -qq update
-              apt -qq install git wget -y
-              if [[ "$(uname -m)" == "x86_64" ]]; then
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
-                install yq_linux_amd64 /usr/local/bin/yq
-                rm yq_linux_amd64
-              else
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
-                install yq_linux_arm64 /usr/local/bin/yq
-                rm yq_linux_arm64
-              fi
-
-              git config --global user.email "bot@bots.de"
-              git config --global user.name "bot"
-              
-              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
-              cd edfbuilder
-              yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
-              
-              git add stacks/core/argocd/values.yaml
-              git commit -m "adds Forgejo SSO config"
-              git push
-  backoffLimit: 99           

template/stacks/core/argocd.yaml

@@ -16,12 +16,12 @@ spec:
     name: in-cluster
     namespace: argocd
   sources:
-    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git
+    - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.8.14-depends
+      targetRevision: argo-cd-7.7.5
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml

template/stacks/core/argocd/values.yaml

@@ -5,7 +5,6 @@ configs:
   params:
     server.insecure: true
     server.basehref: /argocd
-    server.rootpath: /argocd
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
@@ -21,7 +20,6 @@ configs:
         clusters:
         - "*"
     accounts.provider-argocd: apiKey
-    url: https://{{{ .Env.DOMAIN }}}/argocd
   rbac:
     policy.csv: 'g, provider-argocd, role:admin'
 

template/stacks/core/crossplane-compositions.yaml

@@ -1,25 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: mailhog
+  name: crossplane-compositions
   namespace: argocd
   labels:
     env: dev
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
-  source:
-    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-    targetRevision: HEAD
-    path: "stacks/ref-implementation/mailhog"
-  destination:
-    server: "https://kubernetes.default.svc"
-    namespace: mailhog
   syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
     automated:
       selfHeal: true
-    retry:
+    syncOptions:
-      limit: -1
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: crossplane-system
+  source:
+    path: stacks/core/crossplane-compositions
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    directory:
+      recurse: true

template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml

@@ -0,0 +1,30 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: edfbuilders.edfbuilder.crossplane.io
+spec:
+  connectionSecretKeys:
+    - kubeconfig
+  group: edfbuilder.crossplane.io
+  names:
+    kind: EDFBuilder
+    listKind: EDFBuilderList
+    plural: edfbuilders
+    singular: edfbuilders
+  versions:
+    - name: v1alpha1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                repoURL:
+                  type: string
+                  description: URL to ArgoCD stack of stacks repo
+              required:
+                - repoURL

template/stacks/core/crossplane-providers.yaml

@@ -1,29 +1,23 @@
+{{{ if eq .Env.CLUSTER_TYPE "kind" }}}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: forgejo-sso
+  name: crossplane-providers
   namespace: argocd
   labels:
     env: dev
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
-  source:
-    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-    targetRevision: HEAD
-    path: "stacks/core/forgejo-sso"
-  destination:
-    server: "https://kubernetes.default.svc"
-    namespace: gitea
   syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
     automated:
       selfHeal: true
-    retry:
+    syncOptions:
-      limit: -1
+      - CreateNamespace=true
-      backoff:
+  destination:
-        duration: 15s
+    name: in-cluster
-        factor: 1
+    namespace: crossplane-system
-        maxDuration: 15s
+  source:
+    path: stacks/core/crossplane-providers
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+{{{ end }}}

template/stacks/core/crossplane-providers/function-patch-and-transform.yaml

@@ -0,0 +1,9 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Function
+metadata:
+  name: crossplane-contrib-function-patch-and-transform
+spec:
+  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
+  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
+  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
+  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-argocd-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: argocd.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: argocd-provider
+spec:
+  serverAddr: argocd-server.argocd.svc.cluster.local:80
+  insecure: true
+  plainText: true
+  credentials:
+    source: Secret
+    secretRef:
+      namespace: crossplane-system
+      name: argocd-credentials
+      key: authToken

template/stacks/core/crossplane-providers/provider-argocd.yaml

@@ -0,0 +1,9 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+  name: provider-argocd
+spec:
+  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1
+  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
+  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
+  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-kind-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: kind.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: kind-provider
+spec:
+  credentials:
+    source: Secret
+    secretRef:
+      namespace: crossplane-system
+      name: kind-credentials
+      key: credentials
+  endpoint:
+    # the url is managed by crossplane-edfbuilder
+    url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver

template/stacks/core/crossplane-providers/provider-kind.yaml

@@ -0,0 +1,9 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+  name: provider-kind
+spec:
+  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.0
+  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
+  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
+  revisionHistoryLimit: 1

template/stacks/core/crossplane-providers/provider-shell.yaml

@@ -0,0 +1,9 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+  name: provider-shell
+spec:
+  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.1
+  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
+  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
+  revisionHistoryLimit: 1

template/stacks/core/crossplane.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: crossplane
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: crossplane-system
+  source:
+    chart: crossplane
+    repoURL: https://charts.crossplane.io/stable
+    targetRevision: 1.18.0
+    helm:
+      releaseName: crossplane

template/stacks/core/forgejo-runner/dind-docker.yaml

@@ -28,18 +28,19 @@ spec:
       # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
       initContainers:
         - name: runner-register
-          image: code.forgejo.org/forgejo/runner:6.3.1
+          image: code.forgejo.org/forgejo/runner:6.0.1
-          command:
+          command: 
-          - "sh"
+            - "forgejo-runner"
-          - "-c"
+            - "register"
-          - |
+            - "--no-interactive"
-            forgejo-runner \
+            - "--token"
-              register \
+            - $(RUNNER_SECRET)
-              --no-interactive \
+            - "--name"
-              --token ${RUNNER_SECRET} \
+            - $(RUNNER_NAME)
-              --name ${RUNNER_NAME} \
+            - "--instance"
-              --instance ${FORGEJO_INSTANCE_URL} \
+            - $(FORGEJO_INSTANCE_URL)
-              --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
+            - "--labels"
+            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
           env:
             - name: RUNNER_NAME
               valueFrom:
@@ -57,7 +58,7 @@ spec:
               mountPath: /data
       containers:
       - name: runner
-        image: code.forgejo.org/forgejo/runner:6.3.1
+        image: code.forgejo.org/forgejo/runner:6.0.1
         command: 
           - "sh"
           - "-c"
@@ -93,7 +94,7 @@ spec:
         - name: runner-data
           mountPath: /data
       - name: daemon
-        image: docker:28.0.4-dind
+        image: docker:27.4.1-dind
         env:
         - name: DOCKER_TLS_CERTDIR
           value: /certs

template/stacks/core/forgejo-sso/forgejo-access-token.yaml

@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: forgejo-access-token
-  namespace: gitea 
-spec:
-  secretStoreRef:
-    name: gitea
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: forgejo-access-token
-    template:
-      engineVersion: v2
-      data:
-        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
-        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
-  data:
-    - secretKey: FORGEJO_ACCESS_USERNAME
-      remoteRef:
-        key: forgejo-access-token
-        property: username
-    - secretKey: FORGEJO_ACCESS_TOKEN
-      remoteRef:
-        key: forgejo-access-token
-        property: token

template/stacks/core/forgejo-sso/forgejo-secret.yaml

@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: auth-generic-oauth-secret
-  namespace: gitea 
-spec:
-  secretStoreRef:
-    name: keycloak
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: auth-generic-oauth-secret
-    template:
-      engineVersion: v2
-      data:
-        key: "{{.FORGEJO_CLIENT_ID}}"
-        secret: "{{.FORGEJO_CLIENT_SECRET}}"
-  data:
-    - secretKey: FORGEJO_CLIENT_ID
-      remoteRef:
-        key: keycloak-clients
-        property: FORGEJO_CLIENT_ID
-    - secretKey: FORGEJO_CLIENT_SECRET
-      remoteRef:
-        key: keycloak-clients
-        property: FORGEJO_CLIENT_SECRET

template/stacks/core/forgejo-sso/forgejo-sso-config.yaml

@@ -1,76 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: forgejo-config
-  namespace: gitea
-spec:
-  template:
-    metadata:
-      generateName: forgejo-config-
-    spec:
-      restartPolicy: OnFailure
-      containers:
-        - name: push
-          image: docker.io/library/ubuntu:22.04
-          env:
-            - name: FORGEJO_USER
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_username
-            - name: FORGEJO_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: forgejo-access-token
-                  key: forgejo_token
-          command: ["/bin/bash", "-c"]
-          args:
-            - |
-              #! /bin/bash
-
-              apt -qq update
-              apt -qq install git wget -y
-              if [[ "$(uname -m)" == "x86_64" ]]; then
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
-                install yq_linux_amd64 /usr/local/bin/yq
-                rm yq_linux_amd64
-              else
-                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
-                install yq_linux_arm64 /usr/local/bin/yq
-                rm yq_linux_arm64
-              fi
-
-              git config --global user.email "bot@bots.de"
-              git config --global user.name "giteaAdmin"
-              
-              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
-              cd edfbuilder
-              yq eval ".gitea.oauth = [
-                {
-                  \"name\": \"Keycloak\",
-                  \"provider\": \"openidConnect\",
-                  \"existingSecret\": \"auth-generic-oauth-secret\",
-                  \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
-                }
-              ] |
-                (.gitea.oauth[] | .name) |= (. style=\"single\")
-                |
-                (.gitea.oauth[] | .provider) |= (. style=\"single\")
-                |
-                (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
-                |
-                (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
-              " -i stacks/core/forgejo/values.yaml
-
-              yq eval '.gitea.config.oauth2_client = 
-                {
-                  "ENABLE_AUTO_REGISTRATION" : true,
-                  "ACCOUNT_LINKING" : "auto"
-                }
-              ' -i stacks/core/forgejo/values.yaml
-              
-              git add stacks/core/forgejo/values.yaml
-              git commit -m "adds Forgejo SSO config"
-              git push
-  backoffLimit: 99

template/stacks/core/forgejo.yaml

@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: gitea
   sources:
-    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
+    - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git
       path: .
-      targetRevision: v12.0.0-depends
+      targetRevision: v10.1.1
       helm:
         valueFiles:
           - $values/stacks/core/forgejo/values.yaml

template/stacks/core/forgejo/values.yaml

@@ -1,5 +1,5 @@
 redis-cluster:
-  enabled: true
+  enabled: false
 postgresql:
   enabled: false
 postgresql-ha:
@@ -16,11 +16,6 @@ gitea:
   admin:
     existingSecret: gitea-credential
   config:
-    service:
-      DISABLE_REGISTRATION: true
-    other:
-      SHOW_FOOTER_VERSION: false
-      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
     database:
       DB_TYPE: sqlite3
     session:
@@ -32,12 +27,6 @@ gitea:
     server:
       DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
       ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
-    mailer:
-      ENABLED: true
-      FROM: forgejo@{{{ .Env.DOMAIN_GITEA }}}
-      PROTOCOL: smtp
-      SMTP_ADDR: mailhog.mailhog.svc.cluster.local
-      SMTP_PORT: 1025
 
 service:
   ssh:

template/stacks/core/ingress-apps/argocd-server.yaml

@@ -4,6 +4,8 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/use-regex: "true"
 {{{ if eq .Env.CLUSTER_TYPE "osc" }}}
     dns.gardener.cloud/class: garden
     dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN }}}
@@ -22,8 +24,8 @@ spec:
             name: argocd-server
             port:
               number: 80
-        path: /argocd
+        path: /argocd(/|$)(.*)
-        pathType: Prefix
+        pathType: ImplementationSpecific
   tls:
   - hosts:
     - {{{ .Env.DOMAIN }}}

template/stacks/core/ingress-apps/mailhog.yaml

@@ -1,18 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: mailhog
-  namespace: mailhog
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: {{{ .Env.DOMAIN }}}
-    http:
-      paths:
-      - backend:
-          service:
-            name: mailhog
-            port:
-              number: 8025
-        path: /mailhog
-        pathType: Prefix

template/stacks/core/ingress-nginx.yaml

@@ -16,9 +16,9 @@ spec:
     name: in-cluster
     namespace: ingress-nginx
   sources:
-    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git
+    - repoURL: https://github.com/kubernetes/ingress-nginx
       path: charts/ingress-nginx
-      targetRevision: helm-chart-4.12.1-depends
+      targetRevision: helm-chart-4.11.3
       helm:
         valueFiles:
           - $values/stacks/core/ingress-nginx/values.yaml

template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml

@@ -33,7 +33,7 @@ jobs:
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |
           export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
-          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ secrets.PACKAGES_USER }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
+          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
       - name: Build image as tar
         run: |
           ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true

template/stacks/ref-implementation/backstage/manifests/install.yaml

@@ -255,8 +255,6 @@ spec:
               value: debug
             - name: NODE_TLS_REJECT_UNAUTHORIZED
               value: "0"
-            - name: NODE_OPTIONS
-              value: "--no-node-snapshot"
           envFrom:
             - secretRef:
                 name: backstage-env-vars
@@ -264,8 +262,7 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
+          image: ghcr.io/cnoe-io/backstage-app:9232d633b2698fffa6d0a73b715e06640d170162
-          imagePullPolicy: Always
           name: backstage
           ports:
             - containerPort: 7007
@@ -389,7 +386,7 @@ spec:
         KEYCLOAK_NAME_METADATA: https://{{{ .Env.DOMAIN }}}:443/keycloak/realms/cnoe/.well-known/openid-configuration
         KEYCLOAK_CLIENT_SECRET: "{{.BACKSTAGE_CLIENT_SECRET}}"
         ARGOCD_AUTH_TOKEN: "argocd.token={{.ARGOCD_SESSION_TOKEN}}"
-        ARGO_CD_URL: 'https://{{{ .Env.DOMAIN }}}/argocd/api/v1/'
+        ARGO_CD_URL: 'https://argocd-server.argocd.svc.cluster.local/api/v1/'
   data:
     - secretKey: ARGOCD_SESSION_TOKEN
       remoteRef:

template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml

@@ -71,11 +71,11 @@ data:
       },
       "type": "default",
       "protocol": "openid-connect"
-    }    
+    }
   group-admin-payload.json: |
-    {"name":"admin"}    
+    {"name":"admin"}
   group-base-user-payload.json: |
-    {"name":"base-user"}    
+    {"name":"base-user"}
   group-mapper-payload.json: |
     {
         "protocol": "openid-connect",
@@ -88,15 +88,15 @@ data:
           "access.token.claim": "true",
           "userinfo.token.claim": "true"
         }
-    }    
+    }
   realm-payload.json: |
-    {"realm":"cnoe","enabled":true}    
+    {"realm":"cnoe","enabled":true}
   user-password.json: |
     {
         "temporary": false,
         "type": "password",
         "value": "${USER1_PASSWORD}"
-    }    
+    }
   user-user1.json: |
     {
         "username": "user1",
@@ -109,7 +109,7 @@ data:
           "/admin"
         ],
         "enabled": true
-    }    
+    }
   user-user2.json: |
     {
         "username": "user2",
@@ -122,7 +122,7 @@ data:
           "/base-user"
         ],
         "enabled": true
-    }    
+    }
   argo-client-payload.json: |
     {
       "protocol": "openid-connect",
@@ -150,7 +150,7 @@ data:
       "webOrigins": [
         "/*"
       ]
-    }    
+    }
 
   backstage-client-payload.json: |
     {
@@ -179,7 +179,7 @@ data:
       "webOrigins": [
         "/*"
       ]
-    }    
+    }
 
   grafana-client-payload.json: |
     {
@@ -219,64 +219,6 @@ data:
       ]
     }
 
-  argocd-client-payload.json: |
-    {
-      "protocol": "openid-connect",
-      "clientId": "argocd",
-      "name": "ArgoCD Client",
-      "description": "Used for ArgoCD SSO",
-      "publicClient": false,
-      "authorizationServicesEnabled": false,
-      "serviceAccountsEnabled": false,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "standardFlowEnabled": true,
-      "frontchannelLogout": true,
-      "attributes": {
-        "saml_idp_initiated_sso_url_name": "",
-        "oauth2.device.authorization.grant.enabled": false,
-        "oidc.ciba.grant.enabled": false
-      },
-      "alwaysDisplayInConsole": false,
-      "rootUrl": "",
-      "baseUrl": "",
-      "redirectUris": [
-        "https://{{{ .Env.DOMAIN }}}/*"
-      ],
-      "webOrigins": [
-        "/*"
-      ]
-    }      
-
-  forgejo-client-payload.json: |
-    {
-      "protocol": "openid-connect",
-      "clientId": "forgejo",
-      "name": "Forgejo Client",
-      "description": "Used for Forgejo SSO",
-      "publicClient": false,
-      "authorizationServicesEnabled": false,
-      "serviceAccountsEnabled": false,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "standardFlowEnabled": true,
-      "frontchannelLogout": true,
-      "attributes": {
-        "saml_idp_initiated_sso_url_name": "",
-        "oauth2.device.authorization.grant.enabled": false,
-        "oidc.ciba.grant.enabled": false
-      },
-      "alwaysDisplayInConsole": false,
-      "rootUrl": "",
-      "baseUrl": "",
-      "redirectUris": [
-        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
-      ],
-      "webOrigins": [
-        "/*"
-      ]
-    }      
-
 ---
 apiVersion: batch/v1
 kind: Job
@@ -312,7 +254,7 @@ spec:
           command: ["/bin/bash", "-c"]
           args:
             - |
-              #! /bin/bash              
+              #! /bin/bash
   
               set -ex -o pipefail
               
@@ -373,7 +315,7 @@ spec:
                 ${KEYCLOAK_URL}/admin/realms/cnoe/groups
               
               # Create scope mapper
-              echo 'adding group claim to tokens'
+                echo 'adding group claim to tokens'
               CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
               
               curl -sS -H "Content-Type: application/json" \
@@ -413,8 +355,8 @@ spec:
               echo "creating Argo Workflows client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/argo-client-payload.json \
+                  -X POST --data @/var/config/argo-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
               CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -428,26 +370,21 @@ spec:
                 -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 
               echo "creating Grafana client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X POST --data @/var/config/grafana-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
               CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
               
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -457,71 +394,22 @@ spec:
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X POST --data @/var/config/backstage-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
               CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
               
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-
-              echo "creating ArgoCD client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/argocd-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
-              
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-              
-              ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
-              
-              echo "creating Forgejo client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/forgejo-client-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
-              
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
-              
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-              
-              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
-
               ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
               
-              ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
+              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
               
               echo \
               "apiVersion: v1
@@ -538,10 +426,7 @@ spec:
                 BACKSTAGE_CLIENT_ID: backstage
                 GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
                 GRAFANA_CLIENT_ID: grafana
-                ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
-                ARGOCD_CLIENT_ID: argocd
-                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
-                FORGEJO_CLIENT_ID: forgejo
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml
+              

template/stacks/ref-implementation/mailhog/README.md

@@ -1,54 +0,0 @@
-# Mailhog
-
-[MailHog is an email testing tool for developers](https://github.com/mailhog/MailHog).
-
-## In cluster SMTP service
-
-Ypu can send ESMTP emails in the cluster to `mailhog.mailhog.svc.cluster.local`, standard port `1025`, as defined in the service manifest:
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: mailhog
-spec:
-  ports:
-    - name: smtp
-      port: 1025
-```
-
-## Ingress
-
-Mailhog offers both WebUi and API at `https://{{{ .Env.DOMAIN }}}/mailhog`.
-
-The ingress definition is in `stacks/core/ingress-apps/mailhog.yaml` (BTW, why isn't this ingress file here in this folder ??) routing to the mailhog' service
-
-```yaml
-spec:
-  rules:
-  - host: {{{ .Env.DOMAIN }}}
-    http:
-      paths:
-      - backend:
-        ...
-        path: /mailhog
-```
-
-## API
-
-For usage of the API see https://github.com/mailhog/MailHog/blob/master/docs/APIv2.md
-
-## Tests
-
-```bash
-kubectl run busybox --rm -it --image=busybox -- /bin/sh
-
-# inside bsybox
-wget -O- http://mailhog.mailhog.svc.cluster.local:8025/mailhog
-
-# check smtp port
-nc -zv mailhog.mailhog.svc.cluster.local 1025
-
-# send esmtp, first install swaks
-swaks --to test@example.com --from test@example.com --server mailhog:1025 --data "Subject: Test-Mail\n\nDies ist eine Test-Mail."
-```

template/stacks/ref-implementation/mailhog/deployment.yaml

@@ -1,33 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: mailhog-deployment
-  namespace: mailhog
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: mailhog
-  template:
-    metadata:
-      labels:
-        app: mailhog
-    spec:
-      containers:
-      - name: mailhog
-        image: mailhog/mailhog
-        env:
-        - name: MH_UI_WEB_PATH # set this to same value as in ingress stacks/core/ingress-apps/mailhog.yaml
-          value: mailhog
-        ports:
-          - containerPort: 1025
-            name: smtp
-          - containerPort: 8025
-            name: http
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "50m"
-          limits:
-            memory: "128Mi"
-            cpu: "100m"            

template/stacks/ref-implementation/mailhog/service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: mailhog
-spec:
-  selector:
-    app: mailhog
-  ports:
-    - name: smtp
-      port: 1025
-    - name: http
-      port: 8025
-  type: ClusterIP

template/stacks/ref-implementation/openbao-alloy-configmap.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: argocd-sso
+  name: openbao-alloy-configmap
   namespace: argocd
   labels:
     env: dev
@@ -12,10 +12,10 @@ spec:
   source:
     repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
     targetRevision: HEAD
-    path: "stacks/core/argocd-sso"
+    path: "stacks/ref-implementation/openbao-alloy-configmap"
   destination:
     server: "https://kubernetes.default.svc"
-    namespace: argocd
+    namespace: openbao
   syncPolicy:
     syncOptions:
       - CreateNamespace=true
@@ -26,4 +26,4 @@ spec:
       backoff:
         duration: 15s
         factor: 1
-        maxDuration: 15s
+        maxDuration: 15s

template/stacks/ref-implementation/openbao-alloy-configmap/sidecar-container-alloy-configmap.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sidecar-container-alloy-config
+data:
+  config.yaml: |
+    logging {
+      level  = "info"
+      format = "logfmt"
+    }
+
+    loki.write "local_loki" {
+      endpoint {
+          url = "http://loki-loki-distributed-gateway/loki/api/v1/push"
+      }
+    }
+
+    discovery.kubernetes "pod" {
+      role = "pod"
+    }
+
+    discovery.relabel "openbao_pod_logs" {
+      targets = discovery.kubernetes.pod.targets
+
+      rule {
+        source_labels = ["__meta_kubernetes_pod_name"]
+        action = "keep"
+        regex = "openbao-0"
+      }
+
+      forward_to = [loki.write.local_loki.receiver]
+    }

template/stacks/ref-implementation/openbao.yaml

@@ -23,7 +23,7 @@ spec:
       targetRevision: HEAD
       helm:
         valueFiles:
-          - $values/stacks/ref-implementation/openbao/values.yaml
+          - $values/stacks/ref-implementation/openbao/values.yaml    
     - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
       targetRevision: HEAD
       ref: values

template/stacks/ref-implementation/openbao/values.yaml

@@ -1,4 +1,31 @@
 server:
+  extraContainers:
+    - name: grafana-alloy
+      image: grafana/alloy:latest
+      ports:
+        - containerPort: 12345
+    #  volumeMounts:
+    #    - name: sidecar-container-alloy-config
+    #      mountPath: /etc/alloy/config.yaml
+    #      subPath: config.yaml
+    #  args:
+    #    - --config.file=/etc/alloy/config.yaml
+      volumeMounts:
+        - name: alloy-data
+          mountPath: /var/lib/alloy/data
+      securityContext:
+        runAsUser: 1000
+        fsGroup: 1000
+    
+  volumes:
+    - name: alloy-data
+      emptyDir: {}
+
+  # volumes:
+  #   - name: sidecar-container-alloy-config
+  #     configMap:
+  #       name: sidecar-container-alloy-config
+
   postStart:
     - sh
     - -c
@@ -12,6 +39,8 @@ server:
       echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
       echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
       echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
+      bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
+      bao audit enable file file_path=stdout
       rm /tmp/init.txt
 ui:
-  enabled: true
+  enabled: true