From 5506baa885d2fb659c4dc00983d0a6714a6a3681 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 12 Mar 2025 15:55:21 +0100 Subject: [PATCH 01/13] adds ArgoCD client in Keycloak --- .../core/argocd/argocd-sso/argocd-secret.yaml | 11 ++++ template/stacks/core/argocd/argocd-sso/cm.yml | 12 ++++ template/stacks/core/argocd/values.yaml | 1 + .../keycloak/manifests/keycloak-config.yaml | 57 +++++++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 template/stacks/core/argocd/argocd-sso/argocd-secret.yaml create mode 100644 template/stacks/core/argocd/argocd-sso/cm.yml diff --git a/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml new file mode 100644 index 0000000..ff082e3 --- /dev/null +++ b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/part-of: argocd + name: keycloak-oidc + namespace: argocd +type: Opaque +data: + clientSecret: h37eb29EbQIVCMc9Fj82IqAQs1qvvv1R +immutable: false diff --git a/template/stacks/core/argocd/argocd-sso/cm.yml b/template/stacks/core/argocd/argocd-sso/cm.yml new file mode 100644 index 0000000..d44078f --- /dev/null +++ b/template/stacks/core/argocd/argocd-sso/cm.yml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + url: https://factory-192-168-198-2.traefik.me/argocd + oidc.config: | + name: Keycloak + issuer: https://factory-192-168-198-2.traefik.me/keycloak/realms/cnoe + clientID: argocd + clientSecret: $keycloak-oidc:clientSecret + requestedScopes: ["openid", "profile", "email", "groups"] \ No newline at end of file diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index 3fb3ddf..729db4c 100644 --- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml 
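Review bot: The new Secret hard-codes an OIDC client secret under `data:` in a template that is committed to git, and a static value cannot match the secret Keycloak generates for the `argocd` client at runtime (the Job added in this same patch reads it back from the admin API). If `h37eb29EbQIVCMc9Fj82IqAQs1qvvv1R` is the raw secret rather than its base64 form, it is still accepted as syntactically valid base64 and decodes to garbage; raw values belong under `stringData:`. Patch 12 of this series removes the file in favour of an ExternalSecret, which is the right direction, but the values committed here and in patch 11 remain in history, so the Keycloak client secret should be treated as exposed and regenerated once the series lands. `immutable: false` is the default and can be dropped.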
@@ -5,6 +5,7 @@ configs: params: server.insecure: true server.basehref: /argocd + server.rootpath: /argocd cm: application.resourceTrackingMethod: annotation timeout.reconciliation: 60s diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 6c8d603..0c54e99 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -219,6 +219,44 @@ data: ] } + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN_GITEA }}}/*" + ], + "webOrigins": [ + "/*" + ] + "defaultClientScopes": [ + "web-origins", + "acr", + "offline_access", + "roles", + "profile", + "groups", + "email" + ] + } + --- apiVersion: batch/v1 kind: Job 
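Review bot: The `redirectUris` entry `"https://{{{ .Env.DOMAIN_GITEA }}}/*"` in `argocd-client-payload.json` is a host-wide wildcard, so any path on that host can receive the authorization code; patch 04's hunk on this file changes only the host to `.Env.DOMAIN` and keeps the wildcard path, whereas Argo CD only needs its callback, `/auth/callback` under the configured root path (e.g. `"https://{{{ .Env.DOMAIN }}}/argocd/auth/callback"`). `"directAccessGrantsEnabled": true` turns on the password grant for a client that only uses the browser authorization-code flow; for Argo CD it should be `false`. `"webOrigins": ["/*"]` is not an origin; Keycloak's `"+"` (the origins of the registered redirect URIs) is the conventional value if CORS is needed at all. The payload is consumed by the Job in the `@@ -406,6 +444,23 @@` hunk further down this file.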
@@ -406,6 +444,23 @@ spec: BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') @@ -426,6 +481,8 @@ spec: BACKSTAGE_CLIENT_ID: backstage GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml -- 2.45.2 From 688a1849b80e63428426d764fe468429255ceb2e Mon Sep 17 00:00:00 2001 
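Review bot: None of the new `curl` calls use `--fail`, so an HTTP error on `POST .../clients` (a 400 on a malformed payload, or a 409 when the client already exists on a re-run) is silently ignored and the script continues with whatever `jq` extracts from the error body; `curl -sSf` (or `--fail-with-body` to keep the error text) makes the step fail visibly, provided `set -e` is active in the script header, which is outside this hunk. The lookup `jq -e -r '.[] | select(.clientId == "argocd") | .id'` does exit non-zero when nothing matches, but that status is only useful if the script acts on it. The single-line `CLIENT_SCOPE_GROUPS_ID` and `PUT` commands differ in style from the multi-line calls around them; patch 03 reformats them, and patch 04 fixes the `${GRAFANA_CLIENT_SECRET}` copy-paste in the second hunk on this line, so neither needs re-raising here.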
From: "franz.germann" Date: Wed, 12 Mar 2025 17:44:04 +0100 Subject: [PATCH 02/13] fix for ArgoCD client not beeing created --- .../keycloak/manifests/keycloak-config.yaml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 0c54e99..e38999f 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -432,7 +432,7 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -449,18 +449,23 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/argocd-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - - ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') -- 2.45.2 From c3cd361a433220c1e161c458677e611a35e75b66 Mon Sep 17 00:00:00 2001 
From: "franz.germann" Date: Thu, 13 Mar 2025 10:09:23 +0100 Subject: [PATCH 03/13] bugfixes keycloak-config.yaml --- .../keycloak/manifests/keycloak-config.yaml | 30 ++++++++++++------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index e38999f..cc948d3 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -246,7 +246,7 @@ data: "webOrigins": [ "/*" ] - "defaultClientScopes": [ + "defaultClientScopes": [ "web-origins", "acr", "offline_access", @@ -393,8 +393,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -408,21 +408,26 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -438,8 +443,13 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -- 2.45.2 From 6a551b854b6ccf43e4947cec10f80690e245b60d Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 13 Mar 2025 11:59:34 +0100 Subject: [PATCH 04/13] debugging --- .../keycloak/manifests/keycloak-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index cc948d3..14f38ac 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -241,7 +241,7 @@ data: "rootUrl": "", "baseUrl": "", "redirectUris": [ - "https://{{{ .Env.DOMAIN_GITEA }}}/*" + "https://{{{ .Env.DOMAIN }}}/*" ], "webOrigins": [ "/*" 
@@ -473,7 +473,7 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') @@ -496,7 +496,7 @@ spec: BACKSTAGE_CLIENT_ID: backstage GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana - ARGOCD_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} + ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml -- 2.45.2 From 32955c88786a4797356506b536f5946c741a2d9f Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 13 Mar 2025 12:08:30 +0100 Subject: [PATCH 05/13] argocd-client-payload fix --- .../ref-implementation/keycloak/manifests/keycloak-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 14f38ac..3d1e93a 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -245,7 +245,7 @@ data: ], "webOrigins": [ "/*" - ] + ], "defaultClientScopes": [ "web-origins", "acr", -- 2.45.2 From b96dcafbbd6f063aab49920d7a29f4f15c3879e3 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 13 Mar 2025 14:15:16 +0100 Subject: [PATCH 06/13] debugging --- template/stacks/core/argocd/values.yaml | 8 +++++++- .../keycloak/manifests/keycloak-config.yaml | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index 729db4c..cc5d937 100644 
--- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml @@ -5,7 +5,7 @@ configs: params: server.insecure: true server.basehref: /argocd - server.rootpath: /argocd + # server.rootpath: /argocd cm: application.resourceTrackingMethod: annotation timeout.reconciliation: 60s @@ -21,6 +21,12 @@ configs: clusters: - "*" accounts.provider-argocd: apiKey + oidc.config: | + name: Keycloak + issuer: https://factory-192-168-198-2.traefik.me/keycloak/realms/cnoe + clientID: argocd + clientSecret: $keycloak-oidc:clientSecret + requestedScopes: ["openid", "profile", "email", "groups"] rbac: policy.csv: 'g, provider-argocd, role:admin' diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 3d1e93a..037ccde 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -474,8 +474,8 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') -- 2.45.2 From 35a70b522a65d11c69ffbd9951b6579d3818f6a3 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 13 Mar 2025 14:31:31 +0100 Subject: [PATCH 07/13] debugging --- template/stacks/core/argocd/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index cc5d937..e1d82a9 100644 --- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml @@ -5,7 +5,7 @@ configs: params: server.insecure: true server.basehref: /argocd - # server.rootpath: /argocd + server.rootpath: /argocd cm: application.resourceTrackingMethod: annotation timeout.reconciliation: 60s -- 2.45.2 From 30affcacb094da9d4060f3d7e20ce97fdb1e5ae5 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 13 Mar 2025 15:57:43 +0100 Subject: [PATCH 08/13] debugging --- template/stacks/core/argocd/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index e1d82a9..cc5d937 100644 --- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml @@ -5,7 +5,7 @@ configs: params: server.insecure: true server.basehref: /argocd - server.rootpath: /argocd + # server.rootpath: /argocd cm: application.resourceTrackingMethod: annotation timeout.reconciliation: 60s -- 2.45.2 From f80d15fe3292c7b19c4a02bcfbd649fc3c0a1a7c Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Fri, 14 Mar 2025 09:23:00 +0100 Subject: [PATCH 09/13] adds argo url to values.yaml --- template/stacks/core/argocd/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index cc5d937..b980b96 100644 --- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml @@ -5,7 +5,7 @@ configs: params: server.insecure: true server.basehref: /argocd - # server.rootpath: /argocd + server.rootpath: /argocd cm: application.resourceTrackingMethod: annotation timeout.reconciliation: 60s 
@@ -21,6 +21,7 @@ configs: clusters: - "*" accounts.provider-argocd: apiKey + url: https://{{{ .Env.DOMAIN }}}/argocd oidc.config: | name: Keycloak issuer: https://factory-192-168-198-2.traefik.me/keycloak/realms/cnoe -- 2.45.2 From d13c5f8eb87ab6bbf59cc8103c1a7db4f7e94d08 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Fri, 14 Mar 2025 09:28:21 +0100 Subject: [PATCH 10/13] deletes cm.yaml --- template/stacks/core/argocd/argocd-sso/cm.yml | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 template/stacks/core/argocd/argocd-sso/cm.yml diff --git a/template/stacks/core/argocd/argocd-sso/cm.yml b/template/stacks/core/argocd/argocd-sso/cm.yml deleted file mode 100644 index d44078f..0000000 --- a/template/stacks/core/argocd/argocd-sso/cm.yml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-cm -data: - url: https://factory-192-168-198-2.traefik.me/argocd - oidc.config: | - name: Keycloak - issuer: https://factory-192-168-198-2.traefik.me/keycloak/realms/cnoe - clientID: argocd - clientSecret: $keycloak-oidc:clientSecret - requestedScopes: ["openid", "profile", "email", "groups"] \ No newline at end of file -- 2.45.2 From 27a0edb30335c8c06d69cb4488c50c19e3efa1ce Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Fri, 14 Mar 2025 10:59:35 +0100 Subject: [PATCH 11/13] a few finishing touches --- template/stacks/core/argocd/argocd-sso/argocd-secret.yaml | 2 +- template/stacks/core/argocd/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml index ff082e3..438dd40 100644 --- a/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml +++ b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml 
@@ -7,5 +7,5 @@ metadata: namespace: argocd type: Opaque data: - clientSecret: h37eb29EbQIVCMc9Fj82IqAQs1qvvv1R + clientSecret: RktYc3hFWXJabW5RbnlmdDdKbXpUUTF6OEZvalV1cnUK immutable: false diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index b980b96..fee6903 100644 --- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml @@ -24,7 +24,7 @@ configs: url: https://{{{ .Env.DOMAIN }}}/argocd oidc.config: | name: Keycloak - issuer: https://factory-192-168-198-2.traefik.me/keycloak/realms/cnoe + issuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe clientID: argocd clientSecret: $keycloak-oidc:clientSecret requestedScopes: ["openid", "profile", "email", "groups"] -- 2.45.2 From 266dce0b6c56746f074525fb13ba0d74f435bed6 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 18 Mar 2025 10:18:29 +0100 Subject: [PATCH 12/13] adds argocd application for argocd-sso --- template/stacks/core/argocd-sso.yaml | 29 +++++++++++++++++++ .../stacks/core/argocd-sso/argocd-secret.yaml | 21 ++++++++++++++ .../core/argocd/argocd-sso/argocd-secret.yaml | 11 ------- .../keycloak/manifests/keycloak-config.yaml | 3 +- 4 files changed, 51 insertions(+), 13 deletions(-) create mode 100644 template/stacks/core/argocd-sso.yaml create mode 100644 template/stacks/core/argocd-sso/argocd-secret.yaml delete mode 100644 template/stacks/core/argocd/argocd-sso/argocd-secret.yaml diff --git a/template/stacks/core/argocd-sso.yaml b/template/stacks/core/argocd-sso.yaml new file mode 100644 index 0000000..e7e37d1 --- /dev/null +++ b/template/stacks/core/argocd-sso.yaml 
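Review bot: The replacement `clientSecret` value is base64 of 33 bytes whose last byte appears to be 0x0A, i.e. the 32-character secret was likely encoded with `echo` instead of `echo -n`/`printf` — confirm by decoding; if so, Argo CD would present the secret with a trailing newline and the token exchange would fail. More fundamentally, the Keycloak client secret is generated by the config Job at runtime, so any static value here is stale by construction; patch 12 replaces this file with an ExternalSecret, which resolves that. The value committed here stays in git history and should be regenerated in Keycloak.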
@@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd-sso + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/core/argocd-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: monitoring + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s \ No newline at end of file diff --git a/template/stacks/core/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd-sso/argocd-secret.yaml new file mode 100644 index 0000000..0ca7b1c --- /dev/null +++ b/template/stacks/core/argocd-sso/argocd-secret.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: argocd +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + client_secret: "{{.ARGOCD_CLIENT_SECRET}}" + data: + - secretKey: ARGOCD_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: ARGOCD_CLIENT_SECRET \ No newline at end of file diff --git a/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml deleted file mode 100644 index 438dd40..0000000 --- a/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - labels: - app.kubernetes.io/part-of: argocd - name: keycloak-oidc - namespace: argocd -type: Opaque -data: - clientSecret: RktYc3hFWXJabW5RbnlmdDdKbXpUUTF6OEZvalV1cnUK -immutable: false 
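Review bot: The ExternalSecret produces a Secret named `auth-generic-oauth-secret` with key `client_secret`, but Argo CD's `oidc.config` in `template/stacks/core/argocd/values.yaml` still reads `clientSecret: $keycloak-oidc:clientSecret`, and this same patch deletes the `keycloak-oidc` Secret, so the reference resolves to nothing unless it is updated in a change I cannot see. Argo CD also only resolves `$name:key` from Secrets carrying the label `app.kubernetes.io/part-of: argocd`, which the deleted Secret had and the generated one does not; add it under `target.template.metadata.labels` (`app.kubernetes.io/part-of: argocd`) and change the values.yaml line to `clientSecret: $auth-generic-oauth-secret:client_secret`. `refreshInterval: "0"` fetches the value once, so a re-run of the Keycloak Job that recreates the client leaves Argo CD with a stale secret; a non-zero interval would let it catch up. The Application's `destination.namespace: monitoring` is corrected to `argocd` in patch 13.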
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index a8e2995..fd6e12c 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -500,5 +500,4 @@ spec: ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml - ./kubectl apply -f /tmp/secret.yaml - + ./kubectl apply -f /tmp/secret.yaml \ No newline at end of file -- 2.45.2 From fba4846d53881b4b0956dc3033b16d0714d1fab7 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 18 Mar 2025 10:39:59 +0100 Subject: [PATCH 13/13] fixes namespace in argocd-sso.yaml --- template/stacks/core/argocd-sso.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/argocd-sso.yaml b/template/stacks/core/argocd-sso.yaml index e7e37d1..7ae15bc 100644 --- a/template/stacks/core/argocd-sso.yaml +++ b/template/stacks/core/argocd-sso.yaml @@ -15,7 +15,7 @@ spec: path: "stacks/core/argocd-sso" destination: server: "https://kubernetes.default.svc" - namespace: monitoring + namespace: argocd syncPolicy: syncOptions: - CreateNamespace=true -- 2.45.2