adds tip for admin permissions

template/stacks/core/argocd.yaml

@@ -18,9 +18,6 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
-      # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
-      # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
-      # similar to the CNOE amazon reference implementation and in our case, Forgejo
       targetRevision: argo-cd-7.7.5
       helm:
         valueFiles:

template/stacks/core/forgejo-runner/dind-docker.yaml

@@ -29,18 +29,7 @@ spec:
       initContainers:
         - name: runner-register
           image: code.forgejo.org/forgejo/runner:6.0.1
-          command: 
-            - "forgejo-runner"
-            - "register"
-            - "--no-interactive"
-            - "--token"
-            - $(RUNNER_SECRET)
-            - "--name"
-            - $(RUNNER_NAME)
-            - "--instance"
-            - $(FORGEJO_INSTANCE_URL)
-            - "--labels"
-            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
+          command: ["forgejo-runner", "register", "--no-interactive", "--token", $(RUNNER_SECRET), "--name", $(RUNNER_NAME), "--instance", $(FORGEJO_INSTANCE_URL), "--labels", "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"]
           env:
             - name: RUNNER_NAME
               valueFrom:

template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml

@@ -2,7 +2,7 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: auth-generic-oauth-secret
-  namespace: monitoring
+  namespace: gitea 
 spec:
   secretStoreRef:
     name: keycloak
@@ -13,9 +13,9 @@ spec:
     template:
       engineVersion: v2
       data:
-        client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
+        client_secret: "{{.FORGEJO_CLIENT_SECRET}}"
   data:
-    - secretKey: GRAFANA_CLIENT_SECRET
+    - secretKey: FORGEJO_CLIENT_SECRET
       remoteRef:
         key: keycloak-clients
-        property: GRAFANA_CLIENT_SECRET
+        property: FORGEJO_CLIENT_SECRET

template/stacks/core/forgejo/values.yaml

@@ -27,6 +27,17 @@ gitea:
     server:
       DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
       ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
+      ACCOUNT_LINKING: auto      
+#  oauth:
+#    - name: 'Keycloak'
+#      provider: 'openidConnect'
+#      # key: 'forgejo'
+#      # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'
+#      existingSecret: forgejo-oidc
+#      autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'
+#      # admin-group: is to specify which keycloak group has forgejo admin permissions  
 
 service:
   ssh:
@@ -53,4 +64,3 @@ forgejo:
           - docker:docker://node:16-bullseye
           - self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
           - ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
-          - ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04

template/stacks/monitoring/alloy.yaml

@@ -1,29 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: alloy
-  namespace: argocd
-  labels:
-    env: dev
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-  destination:
-    name: in-cluster
-    namespace: monitoring
-  sources:
-    - repoURL: https://github.com/grafana/alloy.git
-      path: operations/helm/charts/alloy   
-      targetRevision: HEAD      
-      helm:
-        valueFiles:
-          - $values/stacks/monitoring/alloy/values.yaml
-    - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-      targetRevision: HEAD
-      ref: values

template/stacks/monitoring/alloy/values.yaml

@@ -1,4 +0,0 @@
-alloy:
-  create: false
-  name: alloy-config
-  key: config.alloy

template/stacks/monitoring/kube-prometheus-sso.yaml

@@ -1,29 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kube-prometheus-sso
-  namespace: argocd
-  labels:
-    env: dev
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
-    targetRevision: HEAD
-    path: "stacks/monitoring/kube-prometheus-sso"
-  destination:
-    server: "https://kubernetes.default.svc"
-    namespace: monitoring
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
-    automated:
-      selfHeal: true
-    retry:
-      limit: -1
-      backoff:
-        duration: 15s
-        factor: 1
-        maxDuration: 15s

template/stacks/monitoring/kube-prometheus.yaml

@@ -15,12 +15,6 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true  # do not copy metdata, since (because of its large size) it can lead to sync failure
-    retry:
-      limit: -1
-      backoff:
-        duration: 15s
-        factor: 1
-        maxDuration: 15s
   destination:
     name: in-cluster
     namespace: monitoring

template/stacks/monitoring/kube-prometheus/values.yaml

@@ -33,33 +33,7 @@ grafana:
       domain: {{{ .Env.DOMAIN }}}
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
-    auth:
-      disable_login: true
-      disable_login_form: true
-    auth.generic_oauth:
-      enabled: true
-      name: Keycloak-OAuth
-      allow_sign_up: true
-      use_refresh_token: true
-      client_id: grafana
-      client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
-      scopes: openid email profile offline_access roles
-      email_attribute_path: email
-      login_attribute_path: username
-      name_attribute_path: full_name
-      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
-      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
-      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
-      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
-      role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
       
-  extraSecretMounts:
-    - name: auth-generic-oauth-secret-mount
-      secretName: auth-generic-oauth-secret
-      defaultMode: 0440
-      mountPath: /etc/secrets/auth_generic_oauth
-      readOnly: true
-
   serviceMonitor:
     # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
     enabled: true

template/stacks/ref-implementation/argo-workflows.yaml

@@ -23,7 +23,3 @@ spec:
       selfHeal: true
     retry:
       limit: -1
-      backoff:
-        duration: 15s
-        factor: 1
-        maxDuration: 15s

template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml

@@ -0,0 +1,32 @@
+# This workflow will build a Java project with Gradle, and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle
+
+name: Java CI with Gradle
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [ '17' ]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK {% raw %}${{matrix.java}}{% endraw %}
+        uses: https://github.com/actions/setup-java@v4
+        with:
+          java-version: '{% raw %}${{matrix.java}}{% endraw %}'
+          distribution: 'adopt'
+          cache: maven
+      - name: Setup Gradle
+        uses: https://github.com/gradle/actions/setup-gradle@v4
+      - name: Build with Gradle
+        run: ./gradlew build
+

template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml

@@ -28,12 +28,12 @@ jobs:
           distribution: 'adopt'
           cache: maven
       - name: Build with Maven Wrapper
-        run: ./mvnw -B -DskipTests verify
+        run: ./mvnw -B verify
       - name: Build image
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |
           export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
-          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
+          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %}
       - name: Build image as tar
         run: |
           ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true
@@ -57,11 +57,7 @@ jobs:
           NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this
       - name: install trivy from deb package
         run: |
-          if [[ "$(uname -m)" == "x86_64" ]]; then
-            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
-          else
-            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb
-          fi
+          wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
           DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb
       - name: scan the image
         run: trivy image --input jib-image.tar

template/stacks/ref-implementation/backstage.yaml

@@ -23,7 +23,3 @@ spec:
       selfHeal: true
     retry:
       limit: -1
-      backoff:
-        duration: 15s
-        factor: 1
-        maxDuration: 15s

template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml

@@ -181,33 +181,33 @@ data:
       ]
     }
 
-  grafana-client-payload.json: |
+  forgejo-client-payload.json: |
     {
-      "clientId": "grafana",
-      "name": "Grafana Client",
-      "description": "Used for Grafana SSO",
-      "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
-      "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
-      "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
-      "alwaysDisplayInConsole": false,
-      "redirectUris": [
-        "http://{{{ .Env.DOMAIN }}}/grafana/*"
-      ],
-      "webOrigins": [
-        "https://{{{ .Env.DOMAIN }}}/grafana"
-      ],
-      "standardFlowEnabled": true,
+      "protocol": "openid-connect",
+      "clientId": "forgejo",
+      "name": "Forgejo Client",
+      "description": "Used for Forgejo SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
       "implicitFlowEnabled": false,
       "directAccessGrantsEnabled": true,
-      "serviceAccountsEnabled": false,
-      "publicClient": false,
+      "standardFlowEnabled": true,
       "frontchannelLogout": true,
-      "protocol": "openid-connect",
       "attributes": {
         "saml_idp_initiated_sso_url_name": "",
-        "oidc.ciba.grant.enabled": "false",
-        "oauth2.device.authorization.grant.enabled": "false"
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
       },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
       "defaultClientScopes": [
         "web-origins",
         "acr",
@@ -285,11 +285,7 @@ spec:
               fi
               set -e
               
-              if [[ "$(uname -m)" == "x86_64" ]]; then
-                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
-              else
-                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl"
-              fi
+              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
               chmod +x kubectl
               
               echo "creating cnoe realm and groups"
@@ -372,24 +368,7 @@ spec:
               ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-
-              echo "creating Grafana client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/grafana-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
-              
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-              
-              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -400,12 +379,39 @@ spec:
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
               
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
               BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
+              echo "creating Forgejo client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                  -X POST --data @/var/config/forgejo-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
               
               ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
               
@@ -424,8 +430,8 @@ spec:
                 ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
                 BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
                 BACKSTAGE_CLIENT_ID: backstage
-                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
-                GRAFANA_CLIENT_ID: grafana
+                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
+                FORGEJO_CLIENT_ID: forgejo
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml