diff --git a/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml b/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml deleted file mode 100644 index 8003a1f..0000000 --- a/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: forgejo-access-token - namespace: argocd -spec: - secretStoreRef: - name: gitea - kind: ClusterSecretStore - refreshInterval: "0" - target: - name: forgejo-access-token - template: - engineVersion: v2 - data: - forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}" - forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}" - metadata: - labels: - app.kubernetes.io/part-of: argocd - data: - - secretKey: FORGEJO_ACCESS_USERNAME - remoteRef: - key: forgejo-access-token - property: username - - secretKey: FORGEJO_ACCESS_TOKEN - remoteRef: - key: forgejo-access-token - property: token diff --git a/template/stacks/core/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd-sso/argocd-secret.yaml deleted file mode 100644 index 105bdf4..0000000 --- a/template/stacks/core/argocd-sso/argocd-secret.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: auth-generic-oauth-secret - namespace: argocd -spec: - secretStoreRef: - name: keycloak - kind: ClusterSecretStore - refreshInterval: "0" - target: - name: auth-generic-oauth-secret - template: - engineVersion: v2 - data: - client_secret: "{{.ARGOCD_CLIENT_SECRET}}" - metadata: - labels: - app.kubernetes.io/part-of: argocd - data: - - secretKey: ARGOCD_CLIENT_SECRET - remoteRef: - key: keycloak-clients - property: ARGOCD_CLIENT_SECRET \ No newline at end of file diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml deleted file mode 100644 index 27160cf..0000000 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: argocd-config - namespace: argocd -spec: - template: - metadata: - generateName: argocd-config- - spec: - restartPolicy: OnFailure - containers: - - name: push - image: docker.io/library/ubuntu:22.04 - env: - - name: FORGEJO_USER - valueFrom: - secretKeyRef: - name: forgejo-access-token - key: forgejo_username - - name: FORGEJO_TOKEN - valueFrom: - secretKeyRef: - name: forgejo-access-token - key: forgejo_token - command: ["/bin/bash", "-c"] - args: - - | - #! /bin/bash - - apt -qq update - apt -qq install git wget -y - if [[ "$(uname -m)" == "x86_64" ]]; then - wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 - install yq_linux_amd64 /usr/local/bin/yq - rm yq_linux_amd64 - else - wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64 - install yq_linux_arm64 /usr/local/bin/yq - rm yq_linux_arm64 - fi - - git config --global user.email "bot@bots.de" - git config --global user.name "bot" - - git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git - cd edfbuilder - yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml - - git add stacks/core/argocd/values.yaml - git commit -m "adds Forgejo SSO config" - git push - backoffLimit: 99 \ No newline at end of file diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index 201951f..4f65e09 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml 
@@ -16,12 +16,12 @@ spec: name: in-cluster namespace: argocd sources: - - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/argocd-helm.git + - repoURL: https://github.com/argoproj/argo-helm path: charts/argo-cd # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.8.14-depends + targetRevision: argo-cd-7.7.5 helm: valueFiles: - $values/stacks/core/argocd/values.yaml diff --git a/template/stacks/core/argocd-sso.yaml b/template/stacks/core/crossplane-compositions.yaml similarity index 54% rename from template/stacks/core/argocd-sso.yaml rename to template/stacks/core/crossplane-compositions.yaml index 7ae15bc..d5341c8 100644 --- a/template/stacks/core/argocd-sso.yaml +++ b/template/stacks/core/crossplane-compositions.yaml @@ -1,29 +1,23 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: argocd-sso + name: crossplane-compositions namespace: argocd labels: env: dev - finalizers: - - resources-finalizer.argocd.argoproj.io spec: project: default - source: - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder - targetRevision: HEAD - path: "stacks/core/argocd-sso" - destination: - server: "https://kubernetes.default.svc" - namespace: argocd syncPolicy: - syncOptions: - - CreateNamespace=true automated: selfHeal: true - retry: - limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s \ No newline at end of file + syncOptions: + - CreateNamespace=true + destination: + name: in-cluster + namespace: crossplane-system + source: + path: stacks/core/crossplane-compositions + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + directory: + recurse: true 
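Review bot: The new `targetRevision: argo-cd-7.7.5` is a rollback from the `argo-cd-7.8.14-depends` tag it replaces, and the chart is now fetched straight from `https://github.com/argoproj/argo-helm` instead of the internal mirror; a tag on a public repository is mutable, so if the bootstrap is meant to be reproducible pin `targetRevision` to the tag's commit SHA (or keep the mirror) rather than the tag name. Moving to an older Argo CD release also needs a check that no security fix published between those two chart versions is being dropped — that cannot be verified from the diff alone, so call it out in the commit message or a comment next to the revision. The `sources:` list and the TODO about path-based routing continue outside the hunk.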
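Review bot: `crossplane-compositions` syncs `stacks/core/crossplane-compositions` with `directory.recurse: true`, `project: default` and `automated.selfHeal`, so any manifest committed anywhere under that path at `HEAD` — not only XRDs and Compositions — is applied with the unrestricted default project and auto-healed back if someone removes it by hand. Consider a dedicated AppProject that whitelists the `apiextensions.crossplane.io` kinds and the `crossplane-system` destination, and add a one-line comment above `source:` stating what the directory may contain. The rename also drops `resources-finalizer.argocd.argoproj.io`, so deleting this Application will now leave the compositions in the cluster; confirm that is intended, since cluster-scoped XRDs are easy to orphan.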
diff --git a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml b/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml new file mode 100644 index 0000000..d8e3e9d --- /dev/null +++ b/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml @@ -0,0 +1,30 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: CompositeResourceDefinition +metadata: + name: edfbuilders.edfbuilder.crossplane.io +spec: + connectionSecretKeys: + - kubeconfig + group: edfbuilder.crossplane.io + names: + kind: EDFBuilder + listKind: EDFBuilderList + plural: edfbuilders + singular: edfbuilders + versions: + - name: v1alpha1 + served: true + referenceable: true + schema: + openAPIV3Schema: + description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed + type: object + properties: + spec: + type: object + properties: + repoURL: + type: string + description: URL to ArgoCD stack of stacks repo + required: + - repoURL diff --git a/template/stacks/core/forgejo-sso.yaml b/template/stacks/core/crossplane-providers.yaml similarity index 54% rename from template/stacks/core/forgejo-sso.yaml rename to template/stacks/core/crossplane-providers.yaml index 6402b41..3fd69b7 100644 --- a/template/stacks/core/forgejo-sso.yaml +++ b/template/stacks/core/crossplane-providers.yaml 
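Review bot: `names.singular` is set to `edfbuilders`, identical to `plural`; the singular form should be `edfbuilder`, and as with CRDs the field defaults to the lowercased kind when omitted, so `singular: edfbuilder` or simply dropping the line both fix it. Separately, `connectionSecretKeys: [kubeconfig]` means every EDFBuilder writes a cluster kubeconfig into a connection secret, which is an admin credential for the provisioned cluster; document that next to the key, e.g. `# connection secret carries the kubeconfig of the provisioned cluster — restrict read access on its namespace`. `repoURL` is declared as a bare `type: string`; a `pattern: '^https://'` on the schema would reject plaintext git remotes at admission time instead of at sync time.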
@@ -1,29 +1,23 @@ +{{{ if eq .Env.CLUSTER_TYPE "kind" }}} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: forgejo-sso + name: crossplane-providers namespace: argocd labels: env: dev - finalizers: - - resources-finalizer.argocd.argoproj.io spec: project: default - source: - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder - targetRevision: HEAD - path: "stacks/core/forgejo-sso" - destination: - server: "https://kubernetes.default.svc" - namespace: gitea syncPolicy: - syncOptions: - - CreateNamespace=true automated: selfHeal: true - retry: - limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s \ No newline at end of file + syncOptions: + - CreateNamespace=true + destination: + name: in-cluster + namespace: crossplane-system + source: + path: stacks/core/crossplane-providers + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD +{{{ end }}} diff --git a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml b/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml new file mode 100644 index 0000000..9a16bba --- /dev/null +++ b/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml @@ -0,0 +1,9 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Function +metadata: + name: crossplane-contrib-function-patch-and-transform +spec: + package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0 + packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache. + revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy + revisionHistoryLimit: 1 \ No newline at end of file diff --git a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml b/template/stacks/core/crossplane-providers/provider-argocd-config.yaml new file mode 100644 index 0000000..dba4aad --- /dev/null +++ b/template/stacks/core/crossplane-providers/provider-argocd-config.yaml 
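Review bot: The entire `crossplane-providers` Application is wrapped in `{{{ if eq .Env.CLUSTER_TYPE "kind" }}}`, so on any other cluster type none of the Providers, Functions or ProviderConfigs under `stacks/core/crossplane-providers` are installed, while `crossplane-compositions` in the same commit is unconditional; if those compositions reference `provider-argocd` or `provider-kind` they will not reconcile there. A comment above the gate explaining the intended non-kind path would help, e.g. `# providers are only bootstrapped on kind clusters; other cluster types must supply their own Providers and ProviderConfigs`. In `function-patch-and-transform.yaml`, `package:` is pinned to the tag `v0.7.0` with `packagePullPolicy: IfNotPresent`; a tag can be re-pushed and the cached copy is then never re-checked, so pin the `@sha256:` digest if reproducibility matters.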
@@ -0,0 +1,14 @@ +apiVersion: argocd.crossplane.io/v1alpha1 +kind: ProviderConfig +metadata: + name: argocd-provider +spec: + serverAddr: argocd-server.argocd.svc.cluster.local:80 + insecure: true + plainText: true + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: argocd-credentials + key: authToken diff --git a/template/stacks/core/crossplane-providers/provider-argocd.yaml b/template/stacks/core/crossplane-providers/provider-argocd.yaml new file mode 100644 index 0000000..241ca84 --- /dev/null +++ b/template/stacks/core/crossplane-providers/provider-argocd.yaml @@ -0,0 +1,9 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-argocd +spec: + package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.9.1 + packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache. + revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy + revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane-providers/provider-kind-config.yaml b/template/stacks/core/crossplane-providers/provider-kind-config.yaml new file mode 100644 index 0000000..edc8dcb --- /dev/null +++ b/template/stacks/core/crossplane-providers/provider-kind-config.yaml @@ -0,0 +1,14 @@ +apiVersion: kind.crossplane.io/v1alpha1 +kind: ProviderConfig +metadata: + name: kind-provider +spec: + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: kind-credentials + key: credentials + endpoint: + # the url is managed by crossplane-edfbuilder + url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver diff --git a/template/stacks/core/crossplane-providers/provider-kind.yaml b/template/stacks/core/crossplane-providers/provider-kind.yaml new file mode 100644 index 0000000..5bfe9a1 --- /dev/null +++ b/template/stacks/core/crossplane-providers/provider-kind.yaml 
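Review bot: `argocd-provider` connects with `serverAddr: argocd-server.argocd.svc.cluster.local:80`, `insecure: true` and `plainText: true`, so the `authToken` read from `argocd-credentials` is sent in cleartext to the Argo CD API on every call; that is only acceptable if `argocd-server` really runs with `--insecure` behind the ingress (the TODO in `argocd.yaml` about path-based routing suggests so, but it is not visible here) and the port is never reachable from outside the cluster. State that assumption in the file, e.g. `# argocd-server terminates TLS at ingress-nginx and listens in plaintext in-cluster; keep this port ClusterIP-only`, and if the service does offer TLS prefer `serverAddr: ...:443` with `plainText: false`, `insecure: false` and the CA configured. Nothing in the hunk says what RBAC the token carries; a comment naming the Argo CD account and policy it is issued for would make the blast radius reviewable.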
@@ -0,0 +1,9 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-kind +spec: + package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-kind:v0.1.1 + packagePullPolicy: IfNotPresent + revisionActivationPolicy: Automatic + revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane-providers/provider-shell.yaml b/template/stacks/core/crossplane-providers/provider-shell.yaml new file mode 100644 index 0000000..2974c0c --- /dev/null +++ b/template/stacks/core/crossplane-providers/provider-shell.yaml @@ -0,0 +1,9 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-shell +spec: + package: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/provider-shell:v0.1.5 + packagePullPolicy: IfNotPresent + revisionActivationPolicy: Automatic + revisionHistoryLimit: 1 diff --git a/template/stacks/core/crossplane.yaml b/template/stacks/core/crossplane.yaml new file mode 100644 index 0000000..4b6f2af --- /dev/null +++ b/template/stacks/core/crossplane.yaml @@ -0,0 +1,23 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: crossplane + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + destination: + name: in-cluster + namespace: crossplane-system + source: + chart: crossplane + repoURL: https://charts.crossplane.io/stable + targetRevision: 1.18.0 + helm: + releaseName: crossplane diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml index 2702b3e..04b07a7 100644 --- a/template/stacks/core/forgejo-runner/dind-docker.yaml +++ b/template/stacks/core/forgejo-runner/dind-docker.yaml 
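Review bot: `provider-kind` and `provider-shell` are pulled from the self-hosted registry `forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/...` by mutable tags (`v0.1.1`, `v0.1.5`) with `packagePullPolicy: IfNotPresent`, and Crossplane's RBAC manager grants an installed provider broad rights over the kinds it ships; a provider called `provider-shell` presumably executes commands taken from its managed resources, so whoever can create those resources can run code with the provider's service account. Pin both packages by `@sha256:` digest, and add a comment on each stating who is meant to create its managed resources, e.g. `# provider-shell runs arbitrary commands from its MRs — only the edfbuilder composition may create them; restrict create/update on its kinds via RBAC`. `crossplane.yaml` installs the chart `1.18.0` from `https://charts.crossplane.io/stable` with `automated.selfHeal` and no finalizer, consistent with the other new Applications.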
@@ -28,18 +28,19 @@ spec: # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration initContainers: - name: runner-register - image: code.forgejo.org/forgejo/runner:6.3.1 - command: - - "sh" - - "-c" - - | - forgejo-runner \ - register \ - --no-interactive \ - --token ${RUNNER_SECRET} \ - --name ${RUNNER_NAME} \ - --instance ${FORGEJO_INSTANCE_URL} \ - --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04 + image: code.forgejo.org/forgejo/runner:6.0.1 + command: + - "forgejo-runner" + - "register" + - "--no-interactive" + - "--token" + - $(RUNNER_SECRET) + - "--name" + - $(RUNNER_NAME) + - "--instance" + - $(FORGEJO_INSTANCE_URL) + - "--labels" + - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04" env: - name: RUNNER_NAME valueFrom: @@ -57,7 +58,7 @@ spec: mountPath: /data containers: - name: runner - image: code.forgejo.org/forgejo/runner:6.3.1 + image: code.forgejo.org/forgejo/runner:6.0.1 command: - "sh" - "-c" @@ -93,7 +94,7 @@ spec: - name: runner-data mountPath: /data - name: daemon - image: docker:28.0.4-dind + image: docker:27.4.1-dind env: - name: DOCKER_TLS_CERTDIR value: /certs diff --git a/template/stacks/core/forgejo-sso/forgejo-access-token.yaml b/template/stacks/core/forgejo-sso/forgejo-access-token.yaml deleted file mode 100644 index 215af67..0000000 --- a/template/stacks/core/forgejo-sso/forgejo-access-token.yaml +++ /dev/null 
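Review bot: `runner-register` now passes the registration token as a literal argv entry, `--token $(RUNNER_SECRET)`, so after kubelet substitution it is readable from the container's `/proc/<pid>/cmdline` by anything sharing the pod's PID namespace or with node access; the old `sh -c` form had the same exposure, so the rewrite does not make it worse, but this is the moment to fix it. If `forgejo-runner register` accepts the token from an environment variable or a file (the supported flags cannot be confirmed from here), prefer that; otherwise add `# token is visible in the process cmdline during registration` so the trade-off is recorded. The hunk also rolls `code.forgejo.org/forgejo/runner` back from `6.3.1` to `6.0.1` and the `docker` dind image from `28.0.4` to `27.4.1`; both are downgrades to older releases, so check their release notes for security fixes between those versions before merging. The `env:` block that defines `RUNNER_SECRET` continues outside the hunk.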
@@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: forgejo-access-token - namespace: gitea -spec: - secretStoreRef: - name: gitea - kind: ClusterSecretStore - refreshInterval: "0" - target: - name: forgejo-access-token - template: - engineVersion: v2 - data: - forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}" - forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}" - data: - - secretKey: FORGEJO_ACCESS_USERNAME - remoteRef: - key: forgejo-access-token - property: username - - secretKey: FORGEJO_ACCESS_TOKEN - remoteRef: - key: forgejo-access-token - property: token diff --git a/template/stacks/core/forgejo-sso/forgejo-secret.yaml b/template/stacks/core/forgejo-sso/forgejo-secret.yaml deleted file mode 100644 index d449c24..0000000 --- a/template/stacks/core/forgejo-sso/forgejo-secret.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: auth-generic-oauth-secret - namespace: gitea -spec: - secretStoreRef: - name: keycloak - kind: ClusterSecretStore - refreshInterval: "0" - target: - name: auth-generic-oauth-secret - template: - engineVersion: v2 - data: - key: "{{.FORGEJO_CLIENT_ID}}" - secret: "{{.FORGEJO_CLIENT_SECRET}}" - data: - - secretKey: FORGEJO_CLIENT_ID - remoteRef: - key: keycloak-clients - property: FORGEJO_CLIENT_ID - - secretKey: FORGEJO_CLIENT_SECRET - remoteRef: - key: keycloak-clients - property: FORGEJO_CLIENT_SECRET diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml deleted file mode 100644 index 875e348..0000000 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: forgejo-config - namespace: gitea -spec: - template: - metadata: - generateName: forgejo-config- - spec: - restartPolicy: OnFailure - containers: - - name: push - image: docker.io/library/ubuntu:22.04 - env: - - name: FORGEJO_USER - valueFrom: - secretKeyRef: - name: forgejo-access-token - key: forgejo_username - - name: FORGEJO_TOKEN - valueFrom: - secretKeyRef: - name: forgejo-access-token - key: forgejo_token - command: ["/bin/bash", "-c"] - args: - - | - #! /bin/bash - - apt -qq update - apt -qq install git wget -y - if [[ "$(uname -m)" == "x86_64" ]]; then - wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 - install yq_linux_amd64 /usr/local/bin/yq - rm yq_linux_amd64 - else - wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64 - install yq_linux_arm64 /usr/local/bin/yq - rm yq_linux_arm64 - fi - - git config --global user.email "bot@bots.de" - git config --global user.name "giteaAdmin" - - git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git - cd edfbuilder - yq eval ".gitea.oauth = [ - { - \"name\": \"Keycloak\", - \"provider\": \"openidConnect\", - \"existingSecret\": \"auth-generic-oauth-secret\", - \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\" - } - ] | - (.gitea.oauth[] | .name) |= (. style=\"single\") - | - (.gitea.oauth[] | .provider) |= (. style=\"single\") - | - (.gitea.oauth[] | .existingSecret) |= (. style=\"single\") - | - (.gitea.oauth[] | .autoDiscoverUrl) |= (. 
style=\"single\") - " -i stacks/core/forgejo/values.yaml - - yq eval '.gitea.config.oauth2_client = - { - "ENABLE_AUTO_REGISTRATION" : true, - "ACCOUNT_LINKING" : "auto" - } - ' -i stacks/core/forgejo/values.yaml - - git add stacks/core/forgejo/values.yaml - git commit -m "adds Forgejo SSO config" - git push - backoffLimit: 99 \ No newline at end of file diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml index 52463b3..9b4aeae 100644 --- a/template/stacks/core/forgejo.yaml +++ b/template/stacks/core/forgejo.yaml @@ -16,9 +16,9 @@ spec: name: in-cluster namespace: gitea sources: - - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git + - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git path: . - targetRevision: v12.0.0-depends + targetRevision: v10.1.1 helm: valueFiles: - $values/stacks/core/forgejo/values.yaml diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index b98bbf3..0cb06cd 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,5 +1,5 @@ redis-cluster: - enabled: true + enabled: false postgresql: enabled: false postgresql-ha: @@ -16,11 +16,6 @@ gitea: admin: existingSecret: gitea-credential config: - service: - DISABLE_REGISTRATION: true - other: - SHOW_FOOTER_VERSION: false - SHOW_FOOTER_TEMPLATE_LOAD_TIME: false database: DB_TYPE: sqlite3 session: diff --git a/template/stacks/core/ingress-nginx.yaml b/template/stacks/core/ingress-nginx.yaml index 2517368..cb69681 100644 --- a/template/stacks/core/ingress-nginx.yaml +++ b/template/stacks/core/ingress-nginx.yaml 
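Review bot: Removing `service.DISABLE_REGISTRATION: true` from `gitea.config` in `stacks/core/forgejo/values.yaml` re-enables self-service sign-up on the Forgejo instance, because the application default for that setting is to allow registration; on an instance served at `{{{ .Env.DOMAIN_GITEA }}}` that lets anyone create an account. Unless open registration is intended, keep the block `service:` / `  DISABLE_REGISTRATION: true` in the values file; the accompanying removal of `other.SHOW_FOOTER_VERSION: false` also re-exposes the exact Forgejo version in every page footer. In the same block, `forgejo.yaml` rolls the chart back from `v12.0.0-depends` to `v10.1.1` on `code.forgejo.org`, a major-version downgrade of the bundled Forgejo that should be checked against its security advisories before merging.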
@@ -16,9 +16,9 @@ spec: name: in-cluster namespace: ingress-nginx sources: - - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/ingress-nginx-helm.git + - repoURL: https://github.com/kubernetes/ingress-nginx path: charts/ingress-nginx - targetRevision: helm-chart-4.12.1-depends + targetRevision: helm-chart-4.11.3 helm: valueFiles: - $values/stacks/core/ingress-nginx/values.yaml diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml index db9263a..a2ac67d 100644 --- a/template/stacks/monitoring/alloy/values.yaml +++ b/template/stacks/monitoring/alloy/values.yaml @@ -1,21 +1,8 @@ -controller: - volumes: - extra: - - name: host-log-storage - hostPath: - path: /var/log - type: Directory alloy: create: false name: alloy-config key: config.alloy - mounts: - extra: - - mountPath: /openbao/logs - name: host-log-storage - readOnly: true - uiPathPrefix: "/alloy" configMap: @@ -85,16 +72,6 @@ alloy: } - local.file_match "file_logs" { - path_targets = [{"__path__" = "/openbao/logs/openbao/*"}] - sync_period = "5s" - } - - loki.source.file "local_files" { - targets = local.file_match.file_logs.targets - forward_to = [loki.write.local_loki.receiver] - } - loki.source.kubernetes "all_pod_logs" { targets = discovery.relabel.pod_logs.output forward_to = [loki.write.local_loki.receiver] diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml index 88f0d0e..c86f6fa 100644 --- a/template/stacks/ref-implementation/backstage/manifests/install.yaml +++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml 
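Review bot: `targetRevision` moves from `helm-chart-4.12.1-depends` to `helm-chart-4.11.3`, i.e. from ingress-nginx controller v1.12.x back to v1.11.3; as far as I can tell the admission-webhook vulnerabilities disclosed in March 2025 (CVE-2025-1974 and related) were fixed in controller 1.11.5 and 1.12.1, so this rollback lands on a release without those fixes — verify against the upstream advisory before merging. If the mirror tag has to go, use `helm-chart-4.11.5` or `helm-chart-4.12.1` from `https://github.com/kubernetes/ingress-nginx` instead, and pin by commit if the bootstrap must be reproducible. The `alloy` hunk in the same block drops the `/var/log` hostPath mount and the file-based log source, which is a welcome reduction of host access.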
@@ -264,8 +264,7 @@ spec: name: gitea-credentials - secretRef: name: argocd-credentials - image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0 - imagePullPolicy: Always + image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development name: backstage ports: - containerPort: 7007 diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index e325ff0..c1d77a7 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -71,11 +71,11 @@ data: }, "type": "default", "protocol": "openid-connect" - } + } group-admin-payload.json: | - {"name":"admin"} + {"name":"admin"} group-base-user-payload.json: | - {"name":"base-user"} + {"name":"base-user"} group-mapper-payload.json: | { "protocol": "openid-connect", @@ -88,15 +88,15 @@ data: "access.token.claim": "true", "userinfo.token.claim": "true" } - } + } realm-payload.json: | - {"realm":"cnoe","enabled":true} + {"realm":"cnoe","enabled":true} user-password.json: | { "temporary": false, "type": "password", "value": "${USER1_PASSWORD}" - } + } user-user1.json: | { "username": "user1", @@ -109,7 +109,7 @@ data: "/admin" ], "enabled": true - } + } user-user2.json: | { "username": "user2", @@ -122,7 +122,7 @@ data: "/base-user" ], "enabled": true - } + } argo-client-payload.json: | { "protocol": "openid-connect", @@ -150,7 +150,7 @@ data: "webOrigins": [ "/*" ] - } + } backstage-client-payload.json: | { @@ -179,7 +179,7 @@ data: "webOrigins": [ "/*" ] - } + } grafana-client-payload.json: | { 
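Review bot: The `backstage` container now runs `backstage-edp:development` and drops `imagePullPolicy: Always`; a floating tag under the default pull policy (`IfNotPresent` for non-`latest` tags) means each node keeps whatever build it first cached, so two nodes can run different code and an audit cannot say which build was deployed. Pin an immutable tag or `@sha256:` digest (the previous `1.1.0` was at least a release tag); if `development` must stay for now, keep `imagePullPolicy: Always` so the tag is re-resolved on every start and add `# TODO: pin before promoting beyond dev`. The container's `envFrom` pulls `gitea-credentials` and `argocd-credentials`, so whoever can push that tag effectively chooses what runs with those tokens.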
@@ -219,64 +219,6 @@ data: ] } - argocd-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "argocd", - "name": "ArgoCD Client", - "description": "Used for ArgoCD SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "", - "baseUrl": "", - "redirectUris": [ - "https://{{{ .Env.DOMAIN }}}/*" - ], - "webOrigins": [ - "/*" - ] - } - - forgejo-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "forgejo", - "name": "Forgejo Client", - "description": "Used for Forgejo SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "", - "baseUrl": "", - "redirectUris": [ - "https://{{{ .Env.DOMAIN_GITEA }}}/*" - ], - "webOrigins": [ - "/*" - ] - } - --- apiVersion: batch/v1 kind: Job @@ -312,7 +254,7 @@ spec: command: ["/bin/bash", "-c"] args: - | - #! /bin/bash + #! /bin/bash set -ex -o pipefail 
@@ -373,7 +315,7 @@ spec: ${KEYCLOAK_URL}/admin/realms/cnoe/groups # Create scope mapper - echo 'adding group claim to tokens' + echo 'adding group claim to tokens' CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') curl -sS -H "Content-Type: application/json" \ @@ -413,8 +355,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -428,26 +370,21 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -457,68 +394,19 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - echo "creating ArgoCD client" - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argocd-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients - CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == 
"argocd") | .id') - - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - - ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - echo "creating Forgejo client" - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/forgejo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients - - CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id') - - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - - FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session 
-H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) @@ -538,10 +426,7 @@ spec: BACKSTAGE_CLIENT_ID: backstage GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana - ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} - ARGOCD_CLIENT_ID: argocd - FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} - FORGEJO_CLIENT_ID: forgejo " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml + diff --git a/template/stacks/ref-implementation/openbao-logging.yaml b/template/stacks/ref-implementation/openbao-logging.yaml deleted file mode 100644 index 5c26dc7..0000000 --- a/template/stacks/ref-implementation/openbao-logging.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: openbao-logging-setup - namespace: argocd - labels: - env: dev - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder - targetRevision: HEAD - path: "stacks/ref-implementation/openbao-logging" - destination: - server: "https://kubernetes.default.svc" - namespace: openbao - syncPolicy: - syncOptions: - - CreateNamespace=true - automated: - selfHeal: true - retry: - limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml deleted file mode 100644 index 8ee41b7..0000000 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ /dev/null 
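Review bot: The `echo "... GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} ..." > /tmp/secret.yaml` line this hunk edits runs under the `set -ex -o pipefail` declared at the top of the script, so the expanded command — every client secret, and the Keycloak bearer token and Argo CD admin password on the surrounding `curl` calls — is traced to the Job's stdout and from there into pod logs and the Loki pipeline configured in `alloy/values.yaml`. Drop `-x` or wrap the secret-handling section in `set +x` / `set -x`, and write the manifest with a heredoc (`cat > /tmp/secret.yaml <<EOF`), whose body xtrace does not print, instead of `echo`. The removed `ARGOCD_CLIENT_*` and `FORGEJO_CLIENT_*` keys match the ExternalSecrets deleted elsewhere in this diff, so nothing left here still reads them. The script body starts well before this hunk.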
@@ -1,39 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: openbao-logging-dir - namespace: openbao -spec: - selector: - matchLabels: - app: openbao-logging-dir - template: - metadata: - labels: - app: openbao-logging-dir - spec: - initContainers: - - name: creator - image: busybox - command: ["/bin/sh", "-c"] - args: - - | - set -e - mkdir -p /var/log/openbao - chown 100:100 /var/log/openbao - securityContext: - runAsUser: 0 - volumeMounts: - - name: host-log - mountPath: /var/log - containers: - - name: running-container - image: busybox - command: ["sleep", "infinity"] - securityContext: - runAsUser: 0 - volumes: - - name: host-log - hostPath: - path: /var/log - type: Directory \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml deleted file mode 100644 index b8f9d1a..0000000 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: logrotate-config -data: - logrotate.conf: | - /openbao/logs/openbao/*.log { - size 50M - rotate 7 - missingok - notifempty - postrotate - echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030 - endscript - } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml deleted file mode 100644 index 9d1bb44..0000000 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: logrotate-cronjob - namespace: openbao -spec: - schedule: "0 * * * *" - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - spec: - containers: - - name: logrotate - image: skymatic/logrotate:latest - securityContext: - runAsUser: 100 - command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"] - volumeMounts: - - name: host-log-storage - mountPath: /openbao/logs - - name: logrotate-config-volume - mountPath: /etc/logrotate.conf - subPath: logrotate.conf - readOnly: true - - name: passwd-volume - mountPath: /etc/passwd - subPath: passwd - - name: status - mountPath: /var/lib - restartPolicy: OnFailure - volumes: - - name: host-log-storage - hostPath: - path: /var/log - type: Directory - - name: logrotate-config-volume - configMap: - name: logrotate-config - - name: passwd-volume - configMap: - name: passwd-user-configmap - - name: status - emptyDir: {} \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml deleted file mode 100644 index d410b83..0000000 --- a/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: passwd-user-configmap -data: - passwd: | - root:x:0:0:root:/root:/bin/sh - openbao:x:100:1000::/home/openbao:/sbin/nologin \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml deleted file mode 100644 index c215cd4..0000000 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: signal-sidecar-script - namespace: openbao -data: - sidecar.sh: | - #!/bin/sh - echo "Sending SIGHUP to OpenBAO..." - kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" - - start.sh: | - #!/bin/sh - - echo "Starting mini HTTP server on port 3030..." - - while true; do - echo "Waiting for HTTP POST..." - REQUEST=$(nc -l -p 3030) - - echo "$REQUEST" | grep -q "POST /" && { - echo "Received POST request, sending SIGHUP..." - /tmp/sidecar.sh - RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO" - } || { - RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed" - } - - echo -e "$RESPONSE" | nc -N localhost 3031 - done \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml deleted file mode 100644 index 817ed6c..0000000 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: sidecar-script-service - namespace: openbao -spec: - selector: - app.kubernetes.io/instance: openbao - component: server - ports: - - protocol: TCP - port: 3030 - targetPort: 3030 diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index ffbfa43..0ff72cf 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
@@ -1,46 +1,9 @@
 server:
- shareProcessNamespace: true
- extraContainers:
- - name: sidecar
- image: alpine:latest
- command: ["/bin/sh", "/tmp/start.sh"]
- ports:
- - containerPort: 3030
- volumeMounts:
- - name: sidecar-script
- mountPath: /tmp/start.sh
- subPath: start.sh
- - name: sidecar-script
- mountPath: /tmp/sidecar.sh
- subPath: sidecar.sh
- mode: 0755
- - name: passwd-volume
- mountPath: /etc/passwd
- subPath: passwd
- volumes:
- - name: passwd-volume
- configMap:
- name: passwd-user-configmap
- - name: host-log-storage
- hostPath:
- path: /var/log
- type: Directory
- - name: sidecar-script
- configMap:
- name: signal-sidecar-script
- defaultMode: 0755
-
- volumeMounts:
- - mountPath: /openbao/logs
- name: host-log-storage
- readOnly: false
-
 postStart:
 - sh
 - -c
 - |
 sleep 10
- rm -rf /openbao/data/*
 bao operator init >> /tmp/init.txt
 cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
 echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@@ -49,8 +12,6 @@ server:
 echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
 echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
 echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
- bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
 rm /tmp/init.txt
- bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
 ui:
 enabled: true
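Review bot: With `rm -rf /openbao/data/*` dropped, a container restart on a persisted `/openbao/data` presumably runs `bao operator init` against an already-initialised backend; that call fails, `/tmp/init.txt` is still created empty by the `>>` redirect, the `grep "Key "` unseal loop finds nothing, and the `echo $(grep …)| cat > /openbao/data/…` lines in this and the following hunk overwrite the stored root token and unseal keys with blank lines, leaving the server sealed. Guarding on a stored key file and re-unsealing from the saved keys avoids both problems; a sketch is below (the postStart block scalar spans both hunks, so the guard belongs at the top of the script). Separately, keeping the root token and all five unseal keys in clear text on the data volume defeats the purpose of the key split, so moving them into a Kubernetes Secret or an external store is worth a follow-up, though that predates this change.
```yaml
      - |
        sleep 10
        if [ -f /openbao/data/unseal_key1.txt ]; then
          # already initialised on an earlier start: re-unseal from the stored keys
          # instead of re-running init, which fails and would blank the stored files
          for k in /openbao/data/unseal_key*.txt; do bao operator unseal "$(cat "$k")"; done
          exit 0
        fi
        bao operator init >> /tmp/init.txt
        # … unchanged: unseal loop and token/key extraction …
```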