Merge pull request 'IPCEICIS-2297_working_oidc' (#30 ) from IPCEICIS-2297_working_oidc into development

Reviewed-on: #30
Merge branch 'development' into IPCEICIS-2297_working_oidc
2025-04-25 12:11:02 +00:00 · 2025-04-25 12:10:06 +00:00 · 2025-04-25 14:09:17 +02:00 · 2025-04-25 10:54:28 +00:00 · 2025-04-24 16:11:58 +00:00 · 2025-04-24 16:07:22 +00:00
14 changed files with 451 additions and 61 deletions
--- a/template/stacks/core/argocd-sso.yaml
+++ b/template/stacks/core/argocd-sso.yaml
@ -0,0 +1,29 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: argocd-sso
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    path: "stacks/core/argocd-sso"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: argocd
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
    retry:
      limit: -1
      backoff:
        duration: 15s
        factor: 1
        maxDuration: 15s
--- a/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml
+++ b/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml
@ -0,0 +1,29 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: forgejo-access-token
  namespace: argocd 
 spec:
  secretStoreRef:
    name: gitea
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: forgejo-access-token
    template:
      engineVersion: v2
      data:
        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
  data:
    - secretKey: FORGEJO_ACCESS_USERNAME
      remoteRef:
        key: forgejo-access-token
        property: username
    - secretKey: FORGEJO_ACCESS_TOKEN
      remoteRef:
        key: forgejo-access-token
        property: token
--- a/template/stacks/core/argocd-sso/argocd-secret.yaml
+++ b/template/stacks/core/argocd-sso/argocd-secret.yaml
@ -0,0 +1,24 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: auth-generic-oauth-secret
  namespace: argocd 
 spec:
  secretStoreRef:
    name: keycloak
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: auth-generic-oauth-secret
    template:
      engineVersion: v2
      data:
        client_secret: "{{.ARGOCD_CLIENT_SECRET}}"
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
  data:
    - secretKey: ARGOCD_CLIENT_SECRET
      remoteRef:
        key: keycloak-clients
        property: ARGOCD_CLIENT_SECRET
--- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml
+++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml
@ -0,0 +1,54 @@
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: argocd-config
  namespace: argocd
 spec:
  template:
    metadata:
      generateName: argocd-config-
    spec:
      restartPolicy: OnFailure
      containers:
        - name: push
          image: docker.io/library/ubuntu:22.04
          env:
            - name: FORGEJO_USER
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_username
            - name: FORGEJO_TOKEN
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_token
          command: ["/bin/bash", "-c"]
          args:
            - |
              #! /bin/bash
              apt -qq update
              apt -qq install git wget -y
              if [[ "$(uname -m)" == "x86_64" ]]; then
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
                install yq_linux_amd64 /usr/local/bin/yq
                rm yq_linux_amd64
              else
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
                install yq_linux_arm64 /usr/local/bin/yq
                rm yq_linux_arm64
              fi
              git config --global user.email "bot@bots.de"
              git config --global user.name "bot"
              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
              cd edfbuilder
              yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml
              git add stacks/core/argocd/values.yaml
              git commit -m "adds Forgejo SSO config"
              git push
  backoffLimit: 99           
--- a/template/stacks/core/crossplane.yaml
+++ b/template/stacks/core/crossplane.yaml
@ -1,23 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: crossplane
  namespace: argocd
  labels:
    env: dev
 spec:
  project: default
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    name: in-cluster
    namespace: crossplane-system
  source:
    chart: crossplane
    repoURL: https://charts.crossplane.io/stable
    targetRevision: 1.18.0
    helm:
      releaseName: crossplane
--- a/template/stacks/core/forgejo-runner/dind-docker.yaml
+++ b/template/stacks/core/forgejo-runner/dind-docker.yaml
@ -30,17 +30,16 @@ spec:
        - name: runner-register
          image: code.forgejo.org/forgejo/runner:6.3.1
          command:
-            - "forgejo-runner"
+          - "sh"
-            - "register"
+          - "-c"
-            - "--no-interactive"
+          - |
-            - "--token"
+            forgejo-runner \
-            - $(RUNNER_SECRET)
+              register \
-            - "--name"
+              --no-interactive \
-            - $(RUNNER_NAME)
+              --token ${RUNNER_SECRET} \
-            - "--instance"
+              --name ${RUNNER_NAME} \
-            - $(FORGEJO_INSTANCE_URL)
+              --instance ${FORGEJO_INSTANCE_URL} \
-            - "--labels"
+              --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
          env:
            - name: RUNNER_NAME
              valueFrom:
--- a/template/stacks/core/forgejo-sso.yaml
+++ b/template/stacks/core/forgejo-sso.yaml
@ -0,0 +1,29 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: forgejo-sso
  namespace: argocd
  labels:
    env: dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
    targetRevision: HEAD
    path: "stacks/core/forgejo-sso"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: gitea
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
    retry:
      limit: -1
      backoff:
        duration: 15s
        factor: 1
        maxDuration: 15s
--- a/template/stacks/core/forgejo-sso/forgejo-access-token.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-access-token.yaml
@ -0,0 +1,26 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: forgejo-access-token
  namespace: gitea 
 spec:
  secretStoreRef:
    name: gitea
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: forgejo-access-token
    template:
      engineVersion: v2
      data:
        forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
        forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
  data:
    - secretKey: FORGEJO_ACCESS_USERNAME
      remoteRef:
        key: forgejo-access-token
        property: username
    - secretKey: FORGEJO_ACCESS_TOKEN
      remoteRef:
        key: forgejo-access-token
        property: token
--- a/template/stacks/core/forgejo-sso/forgejo-secret.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-secret.yaml
@ -0,0 +1,26 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: auth-generic-oauth-secret
  namespace: gitea 
 spec:
  secretStoreRef:
    name: keycloak
    kind: ClusterSecretStore
  refreshInterval: "0"
  target:
    name: auth-generic-oauth-secret
    template:
      engineVersion: v2
      data:
        key: "{{.FORGEJO_CLIENT_ID}}"
        secret: "{{.FORGEJO_CLIENT_SECRET}}"
  data:
    - secretKey: FORGEJO_CLIENT_ID
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_ID
    - secretKey: FORGEJO_CLIENT_SECRET
      remoteRef:
        key: keycloak-clients
        property: FORGEJO_CLIENT_SECRET
--- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
@ -0,0 +1,76 @@
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: forgejo-config
  namespace: gitea
 spec:
  template:
    metadata:
      generateName: forgejo-config-
    spec:
      restartPolicy: OnFailure
      containers:
        - name: push
          image: docker.io/library/ubuntu:22.04
          env:
            - name: FORGEJO_USER
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_username
            - name: FORGEJO_TOKEN
              valueFrom:
                secretKeyRef:
                  name: forgejo-access-token
                  key: forgejo_token
          command: ["/bin/bash", "-c"]
          args:
            - |
              #! /bin/bash
              apt -qq update
              apt -qq install git wget -y
              if [[ "$(uname -m)" == "x86_64" ]]; then
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
                install yq_linux_amd64 /usr/local/bin/yq
                rm yq_linux_amd64
              else
                wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
                install yq_linux_arm64 /usr/local/bin/yq
                rm yq_linux_arm64
              fi
              git config --global user.email "bot@bots.de"
              git config --global user.name "giteaAdmin"
              git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git
              cd edfbuilder
              yq eval ".gitea.oauth = [
                {
                  \"name\": \"Keycloak\",
                  \"provider\": \"openidConnect\",
                  \"existingSecret\": \"auth-generic-oauth-secret\",
                  \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\"
                }
              ] |
                (.gitea.oauth[] | .name) |= (. style=\"single\")
                |
                (.gitea.oauth[] | .provider) |= (. style=\"single\")
                |
                (.gitea.oauth[] | .existingSecret) |= (. style=\"single\")
                |
                (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\")
              " -i stacks/core/forgejo/values.yaml
              yq eval '.gitea.config.oauth2_client = 
                {
                  "ENABLE_AUTO_REGISTRATION" : true,
                  "ACCOUNT_LINKING" : "auto"
                }
              ' -i stacks/core/forgejo/values.yaml
              git add stacks/core/forgejo/values.yaml
              git commit -m "adds Forgejo SSO config"
              git push
  backoffLimit: 99
--- a/template/stacks/core/forgejo.yaml
+++ b/template/stacks/core/forgejo.yaml
@ -18,7 +18,7 @@ spec:
  sources:
    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
      path: .
-      targetRevision: v11.0.5-depends
+      targetRevision: v12.0.0-depends
      helm:
        valueFiles:
          - $values/stacks/core/forgejo/values.yaml
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@ -1,5 +1,5 @@
 redis-cluster:
-  enabled: false
+  enabled: true
 postgresql:
  enabled: false
 postgresql-ha:
@ -16,6 +16,11 @@ gitea:
  admin:
    existingSecret: gitea-credential
  config:
    service:
      DISABLE_REGISTRATION: true
    other:
      SHOW_FOOTER_VERSION: false
      SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
    database:
      DB_TYPE: sqlite3
    session:
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@ -264,7 +264,8 @@ spec:
                name: gitea-credentials
            - secretRef:
                name: argocd-credentials
-          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development
+          image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
          imagePullPolicy: Always
          name: backstage
          ports:
            - containerPort: 7007
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@ -219,6 +219,64 @@ data:
      ]
    }
  argocd-client-payload.json: |
    {
      "protocol": "openid-connect",
      "clientId": "argocd",
      "name": "ArgoCD Client",
      "description": "Used for ArgoCD SSO",
      "publicClient": false,
      "authorizationServicesEnabled": false,
      "serviceAccountsEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "standardFlowEnabled": true,
      "frontchannelLogout": true,
      "attributes": {
        "saml_idp_initiated_sso_url_name": "",
        "oauth2.device.authorization.grant.enabled": false,
        "oidc.ciba.grant.enabled": false
      },
      "alwaysDisplayInConsole": false,
      "rootUrl": "",
      "baseUrl": "",
      "redirectUris": [
        "https://{{{ .Env.DOMAIN }}}/*"
      ],
      "webOrigins": [
        "/*"
      ]
    }      
  forgejo-client-payload.json: |
    {
      "protocol": "openid-connect",
      "clientId": "forgejo",
      "name": "Forgejo Client",
      "description": "Used for Forgejo SSO",
      "publicClient": false,
      "authorizationServicesEnabled": false,
      "serviceAccountsEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "standardFlowEnabled": true,
      "frontchannelLogout": true,
      "attributes": {
        "saml_idp_initiated_sso_url_name": "",
        "oauth2.device.authorization.grant.enabled": false,
        "oidc.ciba.grant.enabled": false
      },
      "alwaysDisplayInConsole": false,
      "rootUrl": "",
      "baseUrl": "",
      "redirectUris": [
        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
      ],
      "webOrigins": [
        "/*"
      ]
    }      
 ---
 apiVersion: batch/v1
 kind: Job
@ -315,7 +373,7 @@ spec:
                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
              # Create scope mapper
-                echo 'adding group claim to tokens'
+              echo 'adding group claim to tokens'
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
@ -355,8 +413,8 @@ spec:
              echo "creating Argo Workflows client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                  -X POST --data @/var/config/argo-client-payload.json \
+                -X POST --data @/var/config/argo-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -370,21 +428,26 @@ spec:
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
              echo "creating Grafana client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/grafana-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@ -394,19 +457,68 @@ spec:
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/backstage-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
              echo "creating ArgoCD client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/argocd-client-payload.json \
                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
              echo "creating Forgejo client"
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X POST --data @/var/config/forgejo-client-payload.json \
                ${KEYCLOAK_URL}/admin/realms/cnoe/clients
              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
              curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
              ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
@ -426,7 +538,10 @@ spec:
                BACKSTAGE_CLIENT_ID: backstage
                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
                GRAFANA_CLIENT_ID: grafana
                ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}
                ARGOCD_CLIENT_ID: argocd
                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
                FORGEJO_CLIENT_ID: forgejo
              " > /tmp/secret.yaml
              ./kubectl apply -f /tmp/secret.yaml
Author	SHA1	Message	Date
richardrobertreitz	4888c9db93	Merge pull request 'IPCEICIS-2297_working_oidc' (#30 ) from IPCEICIS-2297_working_oidc into development Reviewed-on: #30	2025-04-25 12:11:02 +00:00
richardrobertreitz	ffd5111bce	Merge branch 'development' into IPCEICIS-2297_working_oidc	2025-04-25 12:10:06 +00:00
franz.germann	16dde9ead1	final changes	2025-04-25 14:09:17 +02:00
Franz.Germann	f434e0680f	template/stacks/core/forgejo/values.yaml aktualisiert	2025-04-25 10:54:28 +00:00
Franz.Germann	d3546717c0	template/stacks/core/forgejo/values.yaml aktualisiert	2025-04-24 16:11:58 +00:00
Franz.Germann	dbd391d29c	template/stacks/core/forgejo/values.yaml aktualisiert	2025-04-24 16:07:22 +00:00
Franz.Germann	4fd88985ef	template/stacks/core/forgejo.yaml aktualisiert	2025-04-24 15:29:34 +00:00
franz.germann	7287a6cf56	testing redis changes	2025-04-23 15:03:49 +02:00
franz.germann	183cec8a9d	testing redis changes	2025-04-23 14:37:50 +02:00
Bot	abeeb7ee23	chore(backstage): pin to backstage-edp v1.1.0	2025-04-23 13:20:24 +02:00
franz.germann	aec54530f8	Merge branch 'development' into IPCEICIS-2297_working_oidc	2025-04-23 11:40:48 +02:00
franz.germann	7e599a9422	testing redis changes	2025-04-23 11:21:51 +02:00
franz.germann	fbee7995e1	testing redis changes	2025-04-23 11:14:27 +02:00
franz.germann	15d9160b16	testing redis changes	2025-04-23 11:02:59 +02:00
franz.germann	ee08dc2f33	testing redis changes	2025-04-23 10:56:34 +02:00
Bot	4eb6fa0908	Removed unused ArgoCD Application manifests of Crossplane	2025-04-22 18:56:30 +02:00
franz.germann	6afdc2c64f	removes some comments	2025-04-22 15:17:34 +02:00
franz.germann	c8eac10fcf	muss so	2025-04-22 15:11:16 +02:00
franz.germann	4447c29987	cancel last ommit	2025-04-22 14:59:44 +02:00
richardrobertreitz	9bb0063f8b	Use Redis in the Forgejo configuration to support rolling updates of Forgejo itself Forgejo is not able to be reconfigured by default: a queue is locked To circumvent the problem, we need simply to enable the use of Redis as a Forgejo component	2025-04-22 12:29:50 +00:00
franz.germann	6ac5a94503	updates Forgejo sync policy	2025-04-22 09:55:18 +02:00
franz.germann	f783a582c6	does cleanup	2025-04-17 16:45:59 +02:00
franz.germann	4e50289d91	testing the hydration of domains	2025-04-17 15:50:35 +02:00
franz.germann	ba2b7dbc9f	adds missing secret for 'git clone'-command	2025-04-17 14:46:29 +02:00
franz.germann	9dd9184cfd	uses the new secrets for 'git clone'-command	2025-04-17 14:31:56 +02:00
franz.germann	0e26cc9a3f	adds forgejo-access-token external secret for gitea namespace	2025-04-17 13:09:43 +02:00
franz.germann	0668eb7c5f	Merge branch 'IPCEICIS-2297_working_oidc' of https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/stacks into IPCEICIS-2297_working_oidc	2025-04-17 12:59:21 +02:00
franz.germann	74523447ae	adds the correct secrets	2025-04-17 12:56:58 +02:00
richardrobertreitz	cce8c51b75	Add template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml	2025-04-17 10:54:47 +00:00
franz.germann	11d9ad5fcc	testing	2025-04-16 15:24:28 +02:00
franz.germann	42d65e95be	testing	2025-04-16 14:59:25 +02:00
franz.germann	5165583b9a	testing	2025-04-16 14:53:10 +02:00
franz.germann	701771ad13	adds secretRefs to the jobs	2025-04-14 17:42:27 +02:00
franz.germann	d90402b74a	renaming	2025-04-14 16:56:45 +02:00
franz.germann	b533f7adf3	adds a kubernetes job that configures ArgoCD	2025-04-14 16:39:37 +02:00
franz.germann	620f7a3fd9	adds a kubernetes job that configures Forgejo	2025-04-14 13:30:50 +02:00
richardrobertreitz	1a8c2846bc	Update template/stacks/core/forgejo-sso/secret-forgejo.yaml	2025-04-12 21:21:16 +00:00
richardrobertreitz	ead21d078a	Update template/stacks/core/argocd-sso/argocd-secret.yaml	2025-04-12 20:42:55 +00:00
richardrobertreitz	30d1d51884	Merge pull request 'Added keycloak client externalsecret for Forgejo and ArgoCD' (#27 ) from keycloak_externalsecret_for_argocd_and_forgejo into development Reviewed-on: #27	2025-04-12 19:38:52 +00:00
Richard Robert Reitz	33def8aba5	Added keycloak client externalsecret for Forgejo and ArgoCD	2025-04-12 21:31:05 +02:00
richardrobertreitz	0a307e5b35	Merge pull request 'keycloak_oidc_forgejo_config' (#25 ) from keycloak_oidc_forgejo_config into development Reviewed-on: #25	2025-04-12 19:13:13 +00:00
Richard Robert Reitz	55a1eaa6f6	Added Forgejo to Keycloak config	2025-04-12 21:07:43 +02:00
Richard Robert Reitz	2532958de8	Added Forgejo to Keycloak config	2025-04-12 21:05:35 +02:00
richardrobertreitz	7a5e29e47d	Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml	2025-04-12 18:52:41 +00:00
richardrobertreitz	3943b3d46e	Merge pull request 'Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml' (#24 ) from keycloak_oidc_argocd_config into development Reviewed-on: #24	2025-04-12 18:50:49 +00:00
richardrobertreitz	3263113ebe	Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml	2025-04-12 18:49:15 +00:00
richardrobertreitz	5d0182d6ee	Update template/stacks/core/forgejo/values.yaml	2025-04-12 16:27:05 +00:00
richardrobertreitz	c01d4952ad	Disabled user self registration in Forgejo	2025-04-12 16:17:20 +00:00
richardrobertreitz	777d6afeb4	Update template/stacks/core/forgejo-runner/dind-docker.yaml	2025-04-11 14:12:29 +00:00
richardrobertreitz	d6fa372e5f	Merge pull request 'Update fix to latest kindserver' (#23 ) from kindserver_development_test into development Reviewed-on: #23	2025-03-31 08:33:58 +00:00
Richard Robert Reitz	51e765049b	Update fix to latest kindserver	2025-03-30 22:34:04 +02:00