updated

2025-03-29 08:54:41 +01:00
21 changed files with 179 additions and 429 deletions
--- a/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml
+++ b/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml
@ -1,29 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: forgejo-access-token
  namespace: argocd 
 spec:
  secretStoreRef:
    name: gitea
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: forgejo-access-token
    template:
      engineVersion: v2
      data:
        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
  data:
    - secretKey: FORGEJO_ACCESS_USERNAME
      remoteRef:
        key: forgejo-access-token
        property: username
    - secretKey: FORGEJO_ACCESS_TOKEN
      remoteRef:
        key: forgejo-access-token
        property: token
--- a/template/stacks/core/argocd-sso/argocd-secret.yaml
+++ b/template/stacks/core/argocd-sso/argocd-secret.yaml
@ -1,24 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: auth-generic-oauth-secret
  namespace: argocd 
 spec:
  secretStoreRef:
    name: keycloak
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: auth-generic-oauth-secret
    template:
      engineVersion: v2
      data:
        client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
  data:
    - secretKey: ARGOCD_CLIENT_SECRET
      remoteRef:
        key: keycloak-clients
        property: ARGOCD_CLIENT_SECRET
--- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml
+++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml
@ -1,54 +0,0 @@
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: argocd-config
  namespace: argocd
 spec:
  template:
    metadata:
      generateName: argocd-config-
    spec:
      restartPolicy: OnFailure
      containers:
        - name: push
          image: docker.io/library/ubuntu:22.04
          env:
            - name: FORGEJO_USER
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_username
            - name: FORGEJO_TOKEN
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_token
          command: ["/bin/bash", "-c"]
          args:
            - |
              #! /bin/bash
              apt -qq update
              apt -qq install git wget -y
              if [[ "$(uname -m)" == "x86_64" ]]; then
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
                install yq_linux_amd64 /usr/local/bin/yq
                rm yq_linux_amd64
              else
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
                install yq_linux_arm64 /usr/local/bin/yq
                rm yq_linux_arm64
              fi
              git config --global user.email "bot@bots.de"
              git config --global user.name "bot"
              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
              cd edfbuilder
              yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
              git add stacks/core/argocd/values.yaml
              git commit -m "adds Forgejo SSO config"
              git push
  backoffLimit: 99           
--- a/template/stacks/core/crossplane-compositions.yaml
+++ b/template/stacks/core/crossplane-compositions.yaml
@ -1,29 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: argocd-sso
+  name: crossplane-compositions
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    path: "stacks/core/argocd-sso"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: argocd
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
-    retry:
+    syncOptions:
-      limit: -1
+      - CreateNamespace=true
-      backoff:
+  destination:
-        duration: 15s
+    name: in-cluster
-        factor: 1
+    namespace: crossplane-system
-        maxDuration: 15s
+  source:
    path: stacks/core/crossplane-compositions
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    directory:
      recurse: true
--- a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
+++ b/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml
@ -0,0 +1,30 @@
 apiVersion: apiextensions.crossplane.io/v1
 kind: CompositeResourceDefinition
 metadata:
  name: edfbuilders.edfbuilder.crossplane.io
 spec:
  connectionSecretKeys:
    - kubeconfig
  group: edfbuilder.crossplane.io
  names:
    kind: EDFBuilder
    listKind: EDFBuilderList
    plural: edfbuilders
    singular: edfbuilders
  versions:
    - name: v1alpha1
      served: true
      referenceable: true
      schema:
        openAPIV3Schema:
          description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed
          type: object
          properties:
            spec:
              type: object
              properties:
                repoURL:
                  type: string
                  description: URL to ArgoCD stack of stacks repo
              required:
                - repoURL
--- a/template/stacks/core/crossplane-providers.yaml
+++ b/template/stacks/core/crossplane-providers.yaml
@ -1,29 +1,23 @@
 {{{ if eq .Env.CLUSTER_TYPE "kind" }}}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: forgejo-sso
+  name: crossplane-providers
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    path: "stacks/core/forgejo-sso"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: gitea
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
-    retry:
+    syncOptions:
-      limit: -1
+      - CreateNamespace=true
-      backoff:
+  destination:
-        duration: 15s
+    name: in-cluster
-        factor: 1
+    namespace: crossplane-system
-        maxDuration: 15s
+  source:
    path: stacks/core/crossplane-providers
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
 {{{ end }}}
--- a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
+++ b/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Function
 metadata:
  name: crossplane-contrib-function-patch-and-transform
 spec:
  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0
  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml
+++ b/template/stacks/core/crossplane-providers/provider-argocd-config.yaml
@ -0,0 +1,14 @@
 apiVersion: argocd.crossplane.io/v1alpha1
 kind: ProviderConfig
 metadata:
  name: argocd-provider
 spec:
  serverAddr: argocd-server.argocd.svc.cluster.local:80
  insecure: true
  plainText: true
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: argocd-credentials
      key: authToken
--- a/template/stacks/core/crossplane-providers/provider-argocd.yaml
+++ b/template/stacks/core/crossplane-providers/provider-argocd.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Provider
 metadata:
  name: provider-argocd
 spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.10.0
  packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache.
  revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane-providers/provider-kind-config.yaml
+++ b/template/stacks/core/crossplane-providers/provider-kind-config.yaml
@ -0,0 +1,14 @@
 apiVersion: kind.crossplane.io/v1alpha1
 kind: ProviderConfig
 metadata:
  name: kind-provider
 spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: kind-credentials
      key: credentials
  endpoint:
    # the url is managed by crossplane-edfbuilder
    url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver
--- a/template/stacks/core/crossplane-providers/provider-kind.yaml
+++ b/template/stacks/core/crossplane-providers/provider-kind.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Provider
 metadata:
  name: provider-kind
 spec:
  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.1
  packagePullPolicy: IfNotPresent
  revisionActivationPolicy: Automatic
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane-providers/provider-shell.yaml
+++ b/template/stacks/core/crossplane-providers/provider-shell.yaml
@ -0,0 +1,9 @@
 apiVersion: pkg.crossplane.io/v1
 kind: Provider
 metadata:
  name: provider-shell
 spec:
  package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.5
  packagePullPolicy: IfNotPresent
  revisionActivationPolicy: Automatic
  revisionHistoryLimit: 1
--- a/template/stacks/core/crossplane.yaml
+++ b/template/stacks/core/crossplane.yaml
@ -0,0 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: crossplane
  namespace: argocd
  labels:
    env: dev
 spec:
  project: default
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    name: in-cluster
    namespace: crossplane-system
  source:
    chart: crossplane
    repoURL: https://charts.crossplane.io/stable
    targetRevision: 1.18.0
    helm:
      releaseName: crossplane
--- a/template/stacks/core/forgejo-runner/dind-docker.yaml
+++ b/template/stacks/core/forgejo-runner/dind-docker.yaml
@ -30,16 +30,17 @@ spec:
        - name: runner-register
          image: code.forgejo.org/forgejo/runner:6.3.1
          command: 
-          - "sh"
+            - "forgejo-runner"
-          - "-c"
+            - "register"
-          - |
+            - "--no-interactive"
-            forgejo-runner \
+            - "--token"
-              register \
+            - $(RUNNER_SECRET)
-              --no-interactive \
+            - "--name"
-              --token ${RUNNER_SECRET} \
+            - $(RUNNER_NAME)
-              --name ${RUNNER_NAME} \
+            - "--instance"
-              --instance ${FORGEJO_INSTANCE_URL} \
+            - $(FORGEJO_INSTANCE_URL)
-              --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
+            - "--labels"
            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
          env:
            - name: RUNNER_NAME
              valueFrom:
--- a/template/stacks/core/forgejo-sso/forgejo-access-token.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-access-token.yaml
@ -1,26 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: forgejo-access-token
  namespace: gitea 
 spec:
  secretStoreRef:
    name: gitea
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: forgejo-access-token
    template:
      engineVersion: v2
      data:
        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
  data:
    - secretKey: FORGEJO_ACCESS_USERNAME
      remoteRef:
        key: forgejo-access-token
        property: username
    - secretKey: FORGEJO_ACCESS_TOKEN
      remoteRef:
        key: forgejo-access-token
        property: token
--- a/template/stacks/core/forgejo-sso/forgejo-secret.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-secret.yaml
@ -1,26 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: auth-generic-oauth-secret
  namespace: gitea 
 spec:
  secretStoreRef:
    name: keycloak
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: auth-generic-oauth-secret
    template:
      engineVersion: v2
      data:
        key: "{{.FORGEJO_CLIENT_ID}}"
        secret: "{{.FORGEJO_CLIENT_SECRET}}"
  data:
    - secretKey: FORGEJO_CLIENT_ID
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_ID
    - secretKey: FORGEJO_CLIENT_SECRET
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_SECRET
--- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
@ -1,76 +0,0 @@
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: forgejo-config
  namespace: gitea
 spec:
  template:
    metadata:
      generateName: forgejo-config-
    spec:
      restartPolicy: OnFailure
      containers:
        - name: push
          image: docker.io/library/ubuntu:22.04
          env:
            - name: FORGEJO_USER
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_username
            - name: FORGEJO_TOKEN
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_token
          command: ["/bin/bash", "-c"]
          args:
            - |
              #! /bin/bash
              apt -qq update
              apt -qq install git wget -y
              if [[ "$(uname -m)" == "x86_64" ]]; then
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
                install yq_linux_amd64 /usr/local/bin/yq
                rm yq_linux_amd64
              else
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
                install yq_linux_arm64 /usr/local/bin/yq
                rm yq_linux_arm64
              fi
              git config --global user.email "bot@bots.de"
              git config --global user.name "giteaAdmin"
              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
              cd edfbuilder
              yq eval ".gitea.oauth = [
                {
                  \"name\": \"Keycloak\",
                  \"provider\": \"openidConnect\",
                  \"existingSecret\": \"auth-generic-oauth-secret\",
                  \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
                }
              ] |
                (.gitea.oauth[] | .name) |= (. style=\"single\")
                |
                (.gitea.oauth[] | .provider) |= (. style=\"single\")
                |
                (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
                |
                (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
              " -i stacks/core/forgejo/values.yaml
              yq eval '.gitea.config.oauth2_client = 
                {
                  "ENABLE_AUTO_REGISTRATION" : true,
                  "ACCOUNT_LINKING" : "auto"
                }
              ' -i stacks/core/forgejo/values.yaml
              git add stacks/core/forgejo/values.yaml
              git commit -m "adds Forgejo SSO config"
              git push
  backoffLimit: 99
--- a/template/stacks/core/forgejo.yaml
+++ b/template/stacks/core/forgejo.yaml
@ -18,7 +18,7 @@ spec:
  sources:
    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
      path: .
-      targetRevision: v12.0.0-depends
+      targetRevision: v11.0.5-depends
      helm:
        valueFiles:
          - $values/stacks/core/forgejo/values.yaml
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@ -1,5 +1,5 @@
 redis-cluster:
-  enabled: true
+  enabled: false
 postgresql:
  enabled: false
 postgresql-ha:
@ -16,11 +16,6 @@ gitea:
  admin:
    existingSecret: gitea-credential
  config:
    service:
      DISABLE_REGISTRATION: true
    other:
      SHOW_FOOTER_VERSION: false
      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
    database:
      DB_TYPE: sqlite3
    session:
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@ -264,8 +264,7 @@ spec:
                name: gitea-credentials
            - secretRef:
                name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development
          imagePullPolicy: Always
          name: backstage
          ports:
            - containerPort: 7007
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@ -219,64 +219,6 @@ data:
      ]
    }
  argocd-client-payload.json: |
    {
      "protocol": "openid-connect",
      "clientId": "argocd",
      "name": "ArgoCD Client",
      "description": "Used for ArgoCD SSO",
      "publicClient": false,
      "authorizationServicesEnabled": false,
      "serviceAccountsEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "standardFlowEnabled": true,
      "frontchannelLogout": true,
      "attributes": {
        "saml_idp_initiated_sso_url_name": "",
        "oauth2.device.authorization.grant.enabled": false,
        "oidc.ciba.grant.enabled": false
      },
      "alwaysDisplayInConsole": false,
      "rootUrl": "",
      "baseUrl": "",
      "redirectUris": [
        "https://{{{ .Env.DOMAIN }}}/*"
      ],
      "webOrigins": [
        "/*"
      ]
    }      
  forgejo-client-payload.json: |
    {
      "protocol": "openid-connect",
      "clientId": "forgejo",
      "name": "Forgejo Client",
      "description": "Used for Forgejo SSO",
      "publicClient": false,
      "authorizationServicesEnabled": false,
      "serviceAccountsEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "standardFlowEnabled": true,
      "frontchannelLogout": true,
      "attributes": {
        "saml_idp_initiated_sso_url_name": "",
        "oauth2.device.authorization.grant.enabled": false,
        "oidc.ciba.grant.enabled": false
      },
      "alwaysDisplayInConsole": false,
      "rootUrl": "",
      "baseUrl": "",
      "redirectUris": [
        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
      ],
      "webOrigins": [
        "/*"
      ]
    }      
 ---
 apiVersion: batch/v1
 kind: Job
@ -441,13 +383,8 @@ spec:
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -463,62 +400,13 @@ spec:
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
              echo "creating ArgoCD client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/argocd-client-payload.json \
                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
              echo "creating Forgejo client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/forgejo-client-payload.json \
                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
              ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
@ -538,10 +426,7 @@ spec:
                BACKSTAGE_CLIENT_ID: backstage
                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
                GRAFANA_CLIENT_ID: grafana
                ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
                ARGOCD_CLIENT_ID: argocd
                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
                FORGEJO_CLIENT_ID: forgejo
              " > /tmp/secret.yaml
              ./kubectl apply -f /tmp/secret.yaml