forked from DevFW-CICD/stacks
Compare commits
31 commits
IPCEICIS-2
...
developmen
| Author | SHA1 | Date | |
|---|---|---|---|
| 364a65a6be | |||
| 303d7b3a7e | |||
| 1ab8119063 | |||
| f81a550064 | |||
|
a9c69d6c24 | ||
|
|
c2cb410af8 | ||
| 2698432809 | |||
|
|
d0cce6916d | ||
|
|
aba4a4a088 | ||
|
|
4ae8f6fd15 | ||
|
|
1198250861 | ||
| 9bbf171980 | |||
d95ba7c12c
|
|||
|
8a38aee529
|
|||
|
|
1ef1029e1f | ||
|
|
63a694d17c | ||
|
|
6eb52e654c | ||
|
|
ec31f98889 | ||
|
|
2d3ebadd50 | ||
|
|
b58e373da9 | ||
|
|
688795ffad | ||
|
|
e02d4bb272 | ||
|
|
efa3a6e4dc | ||
|
|
65c5321ce6 | ||
|
|
ce6c51eea9 | ||
| 0f8282ead6 | |||
| 88d599a691 | |||
| 9016831286 | |||
| 168286cfce | |||
| 9cc9b864a2 | |||
| 265af3acff |
14 changed files with 212 additions and 41 deletions
|
|
@ -18,6 +18,9 @@ spec:
|
|||
sources:
|
||||
- repoURL: https://github.com/argoproj/argo-helm
|
||||
path: charts/argo-cd
|
||||
# TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
|
||||
# As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
|
||||
# similar to the CNOE amazon reference implementation and in our case, Forgejo
|
||||
targetRevision: argo-cd-7.7.5
|
||||
helm:
|
||||
valueFiles:
|
||||
|
|
|
|||
|
|
@ -29,7 +29,18 @@ spec:
|
|||
initContainers:
|
||||
- name: runner-register
|
||||
image: code.forgejo.org/forgejo/runner:6.0.1
|
||||
command: ["forgejo-runner", "register", "--no-interactive", "--token", $(RUNNER_SECRET), "--name", $(RUNNER_NAME), "--instance", $(FORGEJO_INSTANCE_URL), "--labels", "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"]
|
||||
command:
|
||||
- "forgejo-runner"
|
||||
- "register"
|
||||
- "--no-interactive"
|
||||
- "--token"
|
||||
- $(RUNNER_SECRET)
|
||||
- "--name"
|
||||
- $(RUNNER_NAME)
|
||||
- "--instance"
|
||||
- $(FORGEJO_INSTANCE_URL)
|
||||
- "--labels"
|
||||
- "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
|
||||
env:
|
||||
- name: RUNNER_NAME
|
||||
valueFrom:
|
||||
|
|
|
|||
|
|
@ -53,3 +53,4 @@ forgejo:
|
|||
- docker:docker://node:16-bullseye
|
||||
- self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
|
||||
- ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
|
||||
- ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04
|
||||
|
|
|
|||
29
template/stacks/monitoring/alloy.yaml
Normal file
29
template/stacks/monitoring/alloy.yaml
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: alloy
|
||||
namespace: argocd
|
||||
labels:
|
||||
env: dev
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
destination:
|
||||
name: in-cluster
|
||||
namespace: monitoring
|
||||
sources:
|
||||
- repoURL: https://github.com/grafana/alloy.git
|
||||
path: operations/helm/charts/alloy
|
||||
targetRevision: HEAD
|
||||
helm:
|
||||
valueFiles:
|
||||
- $values/stacks/monitoring/alloy/values.yaml
|
||||
- repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
4
template/stacks/monitoring/alloy/values.yaml
Normal file
4
template/stacks/monitoring/alloy/values.yaml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
alloy:
|
||||
create: false
|
||||
name: alloy-config
|
||||
key: config.alloy
|
||||
29
template/stacks/monitoring/kube-prometheus-sso.yaml
Normal file
29
template/stacks/monitoring/kube-prometheus-sso.yaml
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kube-prometheus-sso
|
||||
namespace: argocd
|
||||
labels:
|
||||
env: dev
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
|
||||
targetRevision: HEAD
|
||||
path: "stacks/monitoring/kube-prometheus-sso"
|
||||
destination:
|
||||
server: "https://kubernetes.default.svc"
|
||||
namespace: monitoring
|
||||
syncPolicy:
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
automated:
|
||||
selfHeal: true
|
||||
retry:
|
||||
limit: -1
|
||||
backoff:
|
||||
duration: 15s
|
||||
factor: 1
|
||||
maxDuration: 15s
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: auth-generic-oauth-secret
|
||||
namespace: monitoring
|
||||
spec:
|
||||
secretStoreRef:
|
||||
name: keycloak
|
||||
kind: ClusterSecretStore
|
||||
refreshInterval: "0"
|
||||
target:
|
||||
name: auth-generic-oauth-secret
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
|
||||
data:
|
||||
- secretKey: GRAFANA_CLIENT_SECRET
|
||||
remoteRef:
|
||||
key: keycloak-clients
|
||||
property: GRAFANA_CLIENT_SECRET
|
||||
|
|
@ -15,6 +15,12 @@ spec:
|
|||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ServerSideApply=true # do not copy metdata, since (because of its large size) it can lead to sync failure
|
||||
retry:
|
||||
limit: -1
|
||||
backoff:
|
||||
duration: 15s
|
||||
factor: 1
|
||||
maxDuration: 15s
|
||||
destination:
|
||||
name: in-cluster
|
||||
namespace: monitoring
|
||||
|
|
|
|||
|
|
@ -33,7 +33,33 @@ grafana:
|
|||
domain: {{{ .Env.DOMAIN }}}
|
||||
root_url: "%(protocol)s://%(domain)s/grafana"
|
||||
serve_from_sub_path: true
|
||||
auth:
|
||||
disable_login: true
|
||||
disable_login_form: true
|
||||
auth.generic_oauth:
|
||||
enabled: true
|
||||
name: Keycloak-OAuth
|
||||
allow_sign_up: true
|
||||
use_refresh_token: true
|
||||
client_id: grafana
|
||||
client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
|
||||
scopes: openid email profile offline_access roles
|
||||
email_attribute_path: email
|
||||
login_attribute_path: username
|
||||
name_attribute_path: full_name
|
||||
auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
|
||||
token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
|
||||
api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
|
||||
redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
|
||||
role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
|
||||
|
||||
extraSecretMounts:
|
||||
- name: auth-generic-oauth-secret-mount
|
||||
secretName: auth-generic-oauth-secret
|
||||
defaultMode: 0440
|
||||
mountPath: /etc/secrets/auth_generic_oauth
|
||||
readOnly: true
|
||||
|
||||
serviceMonitor:
|
||||
# If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
|
||||
enabled: true
|
||||
|
|
|
|||
|
|
@ -23,3 +23,7 @@ spec:
|
|||
selfHeal: true
|
||||
retry:
|
||||
limit: -1
|
||||
backoff:
|
||||
duration: 15s
|
||||
factor: 1
|
||||
maxDuration: 15s
|
||||
|
|
|
|||
|
|
@ -1,32 +0,0 @@
|
|||
# This workflow will build a Java project with Gradle, and cache/restore any dependencies to improve the workflow execution time
|
||||
# For more information see: https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle
|
||||
|
||||
name: Java CI with Gradle
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ main ]
|
||||
pull_request:
|
||||
branches: [ main ]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
java: [ '17' ]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK {% raw %}${{matrix.java}}{% endraw %}
|
||||
uses: https://github.com/actions/setup-java@v4
|
||||
with:
|
||||
java-version: '{% raw %}${{matrix.java}}{% endraw %}'
|
||||
distribution: 'adopt'
|
||||
cache: maven
|
||||
- name: Setup Gradle
|
||||
uses: https://github.com/gradle/actions/setup-gradle@v4
|
||||
- name: Build with Gradle
|
||||
run: ./gradlew build
|
||||
|
||||
|
|
@ -28,12 +28,12 @@ jobs:
|
|||
distribution: 'adopt'
|
||||
cache: maven
|
||||
- name: Build with Maven Wrapper
|
||||
run: ./mvnw -B verify
|
||||
run: ./mvnw -B -DskipTests verify
|
||||
- name: Build image
|
||||
#run: ./mvnw spring-boot:build-image # the original image build
|
||||
run: |
|
||||
export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
|
||||
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %}
|
||||
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
|
||||
- name: Build image as tar
|
||||
run: |
|
||||
./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true
|
||||
|
|
@ -57,7 +57,11 @@ jobs:
|
|||
NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this
|
||||
- name: install trivy from deb package
|
||||
run: |
|
||||
wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
|
||||
if [[ "$(uname -m)" == "x86_64" ]]; then
|
||||
wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
|
||||
else
|
||||
wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb
|
||||
fi
|
||||
DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb
|
||||
- name: scan the image
|
||||
run: trivy image --input jib-image.tar
|
||||
|
|
|
|||
|
|
@ -23,3 +23,7 @@ spec:
|
|||
selfHeal: true
|
||||
retry:
|
||||
limit: -1
|
||||
backoff:
|
||||
duration: 15s
|
||||
factor: 1
|
||||
maxDuration: 15s
|
||||
|
|
|
|||
|
|
@ -100,11 +100,11 @@ data:
|
|||
user-user1.json: |
|
||||
{
|
||||
"username": "user1",
|
||||
"email": "",
|
||||
"email": "user1@user.de",
|
||||
"firstName": "user",
|
||||
"lastName": "one",
|
||||
"requiredActions": [],
|
||||
"emailVerified": false,
|
||||
"emailVerified": true,
|
||||
"groups": [
|
||||
"/admin"
|
||||
],
|
||||
|
|
@ -113,11 +113,11 @@ data:
|
|||
user-user2.json: |
|
||||
{
|
||||
"username": "user2",
|
||||
"email": "",
|
||||
"email": "user2@user.de",
|
||||
"firstName": "user",
|
||||
"lastName": "two",
|
||||
"requiredActions": [],
|
||||
"emailVerified": false,
|
||||
"emailVerified": true,
|
||||
"groups": [
|
||||
"/base-user"
|
||||
],
|
||||
|
|
@ -181,6 +181,44 @@ data:
|
|||
]
|
||||
}
|
||||
|
||||
grafana-client-payload.json: |
|
||||
{
|
||||
"clientId": "grafana",
|
||||
"name": "Grafana Client",
|
||||
"description": "Used for Grafana SSO",
|
||||
"rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
|
||||
"adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
|
||||
"baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
|
||||
"alwaysDisplayInConsole": false,
|
||||
"redirectUris": [
|
||||
"http://{{{ .Env.DOMAIN }}}/grafana/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"https://{{{ .Env.DOMAIN }}}/grafana"
|
||||
],
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": false,
|
||||
"frontchannelLogout": true,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"saml_idp_initiated_sso_url_name": "",
|
||||
"oidc.ciba.grant.enabled": "false",
|
||||
"oauth2.device.authorization.grant.enabled": "false"
|
||||
},
|
||||
"defaultClientScopes": [
|
||||
"web-origins",
|
||||
"acr",
|
||||
"offline_access",
|
||||
"roles",
|
||||
"profile",
|
||||
"groups",
|
||||
"email"
|
||||
]
|
||||
}
|
||||
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
|
@ -247,7 +285,11 @@ spec:
|
|||
fi
|
||||
set -e
|
||||
|
||||
curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
|
||||
if [[ "$(uname -m)" == "x86_64" ]]; then
|
||||
curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
|
||||
else
|
||||
curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl"
|
||||
fi
|
||||
chmod +x kubectl
|
||||
|
||||
echo "creating cnoe realm and groups"
|
||||
|
|
@ -330,7 +372,24 @@ spec:
|
|||
ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||
|
||||
echo "creating Grafana client"
|
||||
curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X POST --data @/var/config/grafana-client-payload.json \
|
||||
${KEYCLOAK_URL}/admin/realms/cnoe/clients
|
||||
|
||||
CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id')
|
||||
|
||||
CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id')
|
||||
curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
|
||||
|
||||
GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
-X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
|
||||
|
||||
echo "creating Backstage client"
|
||||
curl -sS -H "Content-Type: application/json" \
|
||||
-H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
|
||||
|
|
@ -365,6 +424,8 @@ spec:
|
|||
ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
|
||||
BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
|
||||
BACKSTAGE_CLIENT_ID: backstage
|
||||
GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
|
||||
GRAFANA_CLIENT_ID: grafana
|
||||
" > /tmp/secret.yaml
|
||||
|
||||
./kubectl apply -f /tmp/secret.yaml
|
||||
|
|
|
|||
Loading…
Reference in a new issue